Gentoo Archives: gentoo-commits

From: "Christian Heim (phreak)" <phreak@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] hardened r90 - hardened-sources/2.6/trunk/2.6.23
Date: Wed, 30 Apr 2008 11:23:58
Message-Id: E1JrAO7-0000zh-Ga@stork.gentoo.org
1 Author: phreak
2 Date: 2008-04-30 11:22:14 +0000 (Wed, 30 Apr 2008)
3 New Revision: 90
4
5 Added:
6 hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch
7 hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch
8 hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch
9 hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch
10 hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch
11 hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch
12 hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch
13 hardened-sources/2.6/trunk/2.6.23/4450_disable-compat_vdso.patch
14 hardened-sources/2.6/trunk/2.6.23/4455_pax-hook-build-error.patch
15 hardened-sources/2.6/trunk/2.6.23/4460_acct_stack_growth-null-deref.patch
16 hardened-sources/2.6/trunk/2.6.23/4465_pax-vma-mirroring-fixes.patch
17 hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch
18 hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch
19 hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch
20 hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch
21 hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch
22 hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch
23 hardened-sources/2.6/trunk/2.6.23/4500_grsec-user_transition-bypass-fix.patch
24 Removed:
25 hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch
26 hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch
27 hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
28 hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch
29 hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch
30 hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch
31 hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch
32 hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch
33 hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch
34 hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch
35 hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch
36 hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch
37 hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch
38 hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch
39 hardened-sources/2.6/trunk/2.6.23/4500_grsec-netlink-security-fixes.patch
40 hardened-sources/2.6/trunk/2.6.23/4505_grsec-pax_emutramp.patch
41 Log:
42 Import an updated patchset from Kerin and Gordon (this should be tagged 2.6.23-r10).
43
44 Added: hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch
45 ===================================================================
46 --- hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch (rev 0)
47 +++ hardened-sources/2.6/trunk/2.6.23/1701_x86-signal-setup_frame-clear-df.patch 2008-04-30 11:22:14 UTC (rev 90)
48 @@ -0,0 +1,78 @@
49 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
50 +
51 +x86: Clear DF before calling signal handler
52 +
53 +Linux 2.6-series kernels < 2.6.24.4 do not clear the direction flag
54 +before calling a signal handler, which is required by the x86/x86-64
55 +ABI.
56 +
57 +This bug has come to light as GCC 4.3 assumes that the direction flag
58 +is correctly cleared at the entry of a function.
59 +
60 +This patches changes the setup_frame() functions to clear the
61 +direction before entering the signal handler.
62 +
63 +This is a backport to kernel 2.6.23 of mainline kernel git commit:
64 +e40cd10ccff3d9fbffd57b93780bee4b7b9bff51
65 +
66 +Originally From: Aurelien Jarno <aurelien@×××××××.net>
67 +Originally Signed-off-by: Aurelien Jarno <aurelien@×××××××.net>
68 +Originally Signed-off-by: Chris Wright <chrisw@××××××××.org>
69 +Originally Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
70 +
71 +For more information, view:
72 +https://bugs.gentoo.org/show_bug.cgi?id=213811
73 +http://lkml.org/lkml/2008/3/5/207
74 +http://lwn.net/Articles/272203/
75 +
76 +--- a/arch/i386/kernel/signal.c
77 ++++ b/arch/i386/kernel/signal.c
78 +@@ -399,7 +399,7 @@ static int setup_frame(int sig, struct k
79 + * The tracer may want to single-step inside the
80 + * handler too.
81 + */
82 +- regs->eflags &= ~TF_MASK;
83 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
84 + if (test_thread_flag(TIF_SINGLESTEP))
85 + ptrace_notify(SIGTRAP);
86 +
87 +@@ -494,7 +494,7 @@ static int setup_rt_frame(int sig, struc
88 + * The tracer may want to single-step inside the
89 + * handler too.
90 + */
91 +- regs->eflags &= ~TF_MASK;
92 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
93 + if (test_thread_flag(TIF_SINGLESTEP))
94 + ptrace_notify(SIGTRAP);
95 +
96 +--- a/arch/x86_64/ia32/ia32_signal.c
97 ++++ b/arch/x86_64/ia32/ia32_signal.c
98 +@@ -494,7 +494,7 @@ int ia32_setup_frame(int sig, struct k_s
99 + regs->ss = __USER32_DS;
100 +
101 + set_fs(USER_DS);
102 +- regs->eflags &= ~TF_MASK;
103 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
104 + if (test_thread_flag(TIF_SINGLESTEP))
105 + ptrace_notify(SIGTRAP);
106 +
107 +@@ -601,7 +601,7 @@ int ia32_setup_rt_frame(int sig, struct
108 + regs->ss = __USER32_DS;
109 +
110 + set_fs(USER_DS);
111 +- regs->eflags &= ~TF_MASK;
112 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
113 + if (test_thread_flag(TIF_SINGLESTEP))
114 + ptrace_notify(SIGTRAP);
115 +
116 +--- a/arch/x86_64/kernel/signal.c
117 ++++ b/arch/x86_64/kernel/signal.c
118 +@@ -297,7 +297,7 @@ static int setup_rt_frame(int sig, struc
119 + see include/asm-x86_64/uaccess.h for details. */
120 + set_fs(USER_DS);
121 +
122 +- regs->eflags &= ~TF_MASK;
123 ++ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
124 + if (test_thread_flag(TIF_SINGLESTEP))
125 + ptrace_notify(SIGTRAP);
126 + #ifdef DEBUG_SIG
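Review bot: x86_64 native signals only have rt frames, so this single hunk covers the native path, and the five hunks together cover every frame-setup routine for i386, ia32-compat and x86_64. One thing to state in the patch description: the interrupted code's DF is not lost, because setup_sigcontext() has already captured the original eflags before this line runs (as it does in 2.6.23), and sigreturn restores it. Without that sentence a reader may worry the kernel now forces DF clear on return as well.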
127
128 Added: hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch
129 ===================================================================
130 --- hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch (rev 0)
131 +++ hardened-sources/2.6/trunk/2.6.23/4420_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:22:14 UTC (rev 90)
132 @@ -0,0 +1,35665 @@
133 +From: Kerin Millar <kerframil@×××××.com>
134 +
135 +grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
136 +the Hardened Gentoo project. Thanks to pipacs for some advice concerning
137 +mmap.c changes.
138 +
139 +diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
140 +--- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
141 ++++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
142 +@@ -176,14 +176,18 @@ times.h*
143 + tkparse
144 + trix_boot.h
145 + utsrelease.h*
146 ++vdso.lds
147 + version.h*
148 + vmlinux
149 + vmlinux-*
150 + vmlinux.aout
151 ++vmlinux.bin.all
152 + vmlinux.lds
153 ++vmlinux.relocs
154 + vsyscall.lds
155 + wanxlfw.inc
156 + uImage
157 + unifdef
158 ++utsrelease.h
159 + zImage*
160 + zconf.hash.c
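Review bot: the `utsrelease.h` entry added near the end of this hunk is already covered by the existing `utsrelease.h*` glob earlier in the same list, so it is a duplicate; drop it. The vdso.lds, vmlinux.bin.all and vmlinux.relocs additions are fine (they are build products the relocation and vdso changes in this patch create).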
161 +diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
162 +--- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
163 ++++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
164 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
165 +
166 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
167 +
168 +-CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
169 ++CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
170 + -fno-strict-aliasing -fno-common \
171 + -Werror-implicit-function-declaration
172 + AFLAGS := -D__ASSEMBLY__
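Review bot: `-Wno-unused` is tree-wide and will also silence unused-variable and unused-function warnings in the code this patch adds (grsecurity/, the PaX fault handlers), which is exactly where new dead code is most likely; `-W -Wno-unused-parameter -Wno-sign-compare` would keep the unused-variable warnings while still quieting the noise that `-W` brings. Using `-W` rather than `-Wextra` is correct here since 2.6.23 still supports gcc older than 3.4.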
173 +@@ -560,7 +560,7 @@ export mod_strip_cmd
174 +
175 +
176 + ifeq ($(KBUILD_EXTMOD),)
177 +-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
178 ++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
179 +
180 + vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
181 + $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
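Review bot: grsecurity/ is added to `core-y` unconditionally rather than via a `core-$(CONFIG_...)` rule, so the directory's Makefile must produce an empty (or stub-only) object when grsecurity is configured out; that Makefile is not in this hunk, so check it before merging, otherwise a build with grsecurity disabled fails at link time.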
182 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
183 +--- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
184 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
185 +@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
186 +
187 + /* The small sections were sorted to the end of the segment.
188 + The following should definitely cover them. */
189 +- gp = (u64)me->module_core + me->core_size - 0x8000;
190 ++ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
191 + got = sechdrs[me->arch.gotsecindex].sh_addr;
192 +
193 + for (i = 0; i < n; i++) {
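Review bot: `module_core_rw`/`core_size_rw` are new struct module fields introduced elsewhere in this patch, and this hunk is only correct if the Alpha small-data and GOT sections are laid out in the RW core, since `gp` must be within the 16-bit signed displacement (hence the `- 0x8000`) of every gp-relative access. A one-line comment here saying that .sdata/.got live in the RW core would make the change self-explanatory to the next person who touches the module loader.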
194 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
195 +--- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
196 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
197 +@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
198 + merely specific addresses, but regions of memory -- perhaps
199 + this feature should be incorporated into all ports? */
200 +
201 ++#ifdef CONFIG_PAX_RANDMMAP
202 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
203 ++#endif
204 ++
205 + if (addr) {
206 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
207 + if (addr != (unsigned long) -ENOMEM)
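Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` / bare `if (...)` / `#endif` construction uses the `if (addr)` statement after the blank line as its body, which is fragile: anyone inserting a statement between the two `if`s silently changes what the guard controls. Either put the RANDMMAP test inside a braced block together with the hint handling, or add a comment that the following `if (addr)` is the guarded statement. The intended behaviour is worth stating too: with RANDMMAP on, the address hint is ignored for file-backed mappings (so library load hints cannot defeat randomisation) but still honoured for anonymous ones.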
208 +@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
209 + }
210 +
211 + /* Next, try allocating at TASK_UNMAPPED_BASE. */
212 +- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
213 +- len, limit);
214 ++ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
215 ++
216 + if (addr != (unsigned long) -ENOMEM)
217 + return addr;
218 +
219 +diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
220 +--- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
221 ++++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
222 +@@ -15,6 +15,7 @@
223 + #include <linux/slab.h>
224 + #include <linux/security.h>
225 + #include <linux/signal.h>
226 ++#include <linux/grsecurity.h>
227 +
228 + #include <asm/uaccess.h>
229 + #include <asm/pgtable.h>
230 +@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
231 + goto out_notsk;
232 + }
233 +
234 ++ if (gr_handle_ptrace(child, request)) {
235 ++ ret = -EPERM;
236 ++ goto out;
237 ++ }
238 ++
239 + if (request == PTRACE_ATTACH) {
240 + ret = ptrace_attach(child);
241 + goto out;
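Review bot: when gr_handle_ptrace() refuses the request the code jumps to `out` with -EPERM; make sure that label releases the child reference taken by the lookup above (the separate `out_notsk` label two lines earlier suggests `out` does a put_task_struct, but it is not visible in this hunk). Placing the check before the PTRACE_ATTACH branch is right, since it then covers attach as well as every later request.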
242 +diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
243 +--- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
244 ++++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
245 +@@ -23,6 +23,7 @@
246 + #include <linux/smp.h>
247 + #include <linux/interrupt.h>
248 + #include <linux/module.h>
249 ++#include <linux/binfmts.h>
250 +
251 + #include <asm/system.h>
252 + #include <asm/uaccess.h>
253 +@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
254 + __reload_thread(pcb);
255 + }
256 +
257 ++#ifdef CONFIG_PAX_PAGEEXEC
258 ++/*
259 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
260 ++ *
261 ++ * returns 1 when task should be killed
262 ++ * 2 when patched PLT trampoline was detected
263 ++ * 3 when unpatched PLT trampoline was detected
264 ++ */
265 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
266 ++{
267 ++
268 ++#ifdef CONFIG_PAX_EMUPLT
269 ++ int err;
270 ++
271 ++ do { /* PaX: patched PLT emulation #1 */
272 ++ unsigned int ldah, ldq, jmp;
273 ++
274 ++ err = get_user(ldah, (unsigned int *)regs->pc);
275 ++ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
276 ++ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
277 ++
278 ++ if (err)
279 ++ break;
280 ++
281 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
282 ++ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
283 ++ jmp == 0x6BFB0000U)
284 ++ {
285 ++ unsigned long r27, addr;
286 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
287 ++ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
288 ++
289 ++ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
290 ++ err = get_user(r27, (unsigned long *)addr);
291 ++ if (err)
292 ++ break;
293 ++
294 ++ regs->r27 = r27;
295 ++ regs->pc = r27;
296 ++ return 2;
297 ++ }
298 ++ } while (0);
299 ++
300 ++ do { /* PaX: patched PLT emulation #2 */
301 ++ unsigned int ldah, lda, br;
302 ++
303 ++ err = get_user(ldah, (unsigned int *)regs->pc);
304 ++ err |= get_user(lda, (unsigned int *)(regs->pc+4));
305 ++ err |= get_user(br, (unsigned int *)(regs->pc+8));
306 ++
307 ++ if (err)
308 ++ break;
309 ++
310 ++ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
311 ++ (lda & 0xFFFF0000U) == 0xA77B0000U &&
312 ++ (br & 0xFFE00000U) == 0xC3E00000U)
313 ++ {
314 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
315 ++ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
316 ++ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
317 ++
318 ++ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
319 ++ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
320 ++ return 2;
321 ++ }
322 ++ } while (0);
323 ++
324 ++ do { /* PaX: unpatched PLT emulation */
325 ++ unsigned int br;
326 ++
327 ++ err = get_user(br, (unsigned int *)regs->pc);
328 ++
329 ++ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
330 ++ unsigned int br2, ldq, nop, jmp;
331 ++ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
332 ++
333 ++ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
334 ++ err = get_user(br2, (unsigned int *)addr);
335 ++ err |= get_user(ldq, (unsigned int *)(addr+4));
336 ++ err |= get_user(nop, (unsigned int *)(addr+8));
337 ++ err |= get_user(jmp, (unsigned int *)(addr+12));
338 ++ err |= get_user(resolver, (unsigned long *)(addr+16));
339 ++
340 ++ if (err)
341 ++ break;
342 ++
343 ++ if (br2 == 0xC3600000U &&
344 ++ ldq == 0xA77B000CU &&
345 ++ nop == 0x47FF041FU &&
346 ++ jmp == 0x6B7B0000U)
347 ++ {
348 ++ regs->r28 = regs->pc+4;
349 ++ regs->r27 = addr+16;
350 ++ regs->pc = resolver;
351 ++ return 3;
352 ++ }
353 ++ }
354 ++ } while (0);
355 ++#endif
356 ++
357 ++ return 1;
358 ++}
359 ++
360 ++void pax_report_insns(void *pc, void *sp)
361 ++{
362 ++ unsigned long i;
363 ++
364 ++ printk(KERN_ERR "PAX: bytes at PC: ");
365 ++ for (i = 0; i < 5; i++) {
366 ++ unsigned int c;
367 ++ if (get_user(c, (unsigned int *)pc+i))
368 ++ printk("???????? ");
369 ++ else
370 ++ printk("%08x ", c);
371 ++ }
372 ++ printk("\n");
373 ++}
374 ++#endif
375 +
376 + /*
377 + * This routine handles page faults. It determines the address,
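Review bot: the second patched-PLT case is internally inconsistent: the variable is named `lda` and the emulation adds the displacement to r27 (`regs->r27 += ...`), which is lda semantics, but the mask it matches, `(lda & 0xFFFF0000U) == 0xA77B0000U`, is the encoding of `ldq $27,d($27)` (opcode 0x29), the same instruction case #1 matches; `lda $27,d($27)` (opcode 0x08) encodes as 0x237B0000. Either the stub really contains ldq and emulating it as an add is wrong, or it contains lda and this case can never match; whichever is true, fix the other half. More generally the magic constants need a decoding comment so the emulation can be reviewed against the Alpha PLT layout: 0x277B0000 is `ldah $27,d($27)`, 0x6BFB0000 is `jmp $31,($27)`, 0xC3E00000/0xC3800000/0xC3600000 are `br $31`/`br $28`/`br $27`, 0xA77B000C is `ldq $27,12($27)`, 0x47FF041F is `bis $31,$31,$31` (the canonical nop) and 0x6B7B0000 is `jmp $27,($27)`; the `(x ^ 0x8000) + 0x8000` idiom is 16-bit sign extension and deserves a name rather than three copies. The get_user() reads through user-controlled addresses are fine: a fault just returns 1 and the task is killed.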
378 +@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
379 + good_area:
380 + si_code = SEGV_ACCERR;
381 + if (cause < 0) {
382 +- if (!(vma->vm_flags & VM_EXEC))
383 ++ if (!(vma->vm_flags & VM_EXEC)) {
384 ++
385 ++#ifdef CONFIG_PAX_PAGEEXEC
386 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
387 ++ goto bad_area;
388 ++
389 ++ up_read(&mm->mmap_sem);
390 ++ switch (pax_handle_fetch_fault(regs)) {
391 ++
392 ++#ifdef CONFIG_PAX_EMUPLT
393 ++ case 2:
394 ++ case 3:
395 ++ return;
396 ++#endif
397 ++
398 ++ }
399 ++ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
400 ++ do_exit(SIGKILL);
401 ++#else
402 + goto bad_area;
403 ++#endif
404 ++
405 ++ }
406 + } else if (!cause) {
407 + /* Allow reads even for write-only mappings */
408 + if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
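Review bot: the `switch (pax_handle_fetch_fault(regs))` has only `case 2:`/`case 3:` and no `default:`, so the kill for a return value of 1 is reached by falling out of the switch; add `default: break;` with a comment, or write the EMUPLT part as `if (ret == 2 || ret == 3) return;`. The ordering is correct: `up_read(&mm->mmap_sem)` happens before the emulation's get_user() calls, which can fault and re-enter do_page_fault(). `do_exit(SIGKILL)` also skips the core-dump path that a SIGSEGV via bad_area would take, which is intended for PAGEEXEC but worth a comment since the non-PaX branch right below just jumps to bad_area.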
409 +diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
410 +--- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
411 ++++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
412 +@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
413 + if (len > TASK_SIZE)
414 + return -ENOMEM;
415 +
416 ++#ifdef CONFIG_PAX_RANDMMAP
417 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
418 ++#endif
419 ++
420 + if (addr) {
421 + if (do_align)
422 + addr = COLOUR_ALIGN(addr, pgoff);
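Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` guard wraps a bare `if (...)` whose body is the `if (addr)` statement after the blank line; it works, but a reader has to notice that the blank line is not a statement boundary, and a future insertion between them changes the logic silently. Braces around the hinted-address block, with the RANDMMAP test inside, or at least a comment, would make it safe.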
423 +@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
424 + return addr;
425 + }
426 + if (len > mm->cached_hole_size) {
427 +- start_addr = addr = mm->free_area_cache;
428 ++ start_addr = addr = mm->free_area_cache;
429 + } else {
430 +- start_addr = addr = TASK_UNMAPPED_BASE;
431 +- mm->cached_hole_size = 0;
432 ++ start_addr = addr = mm->mmap_base;
433 ++ mm->cached_hole_size = 0;
434 + }
435 +
436 + full_search:
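Review bot: the `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines in this hunk are removed and re-added with identical text, so they differ only in indentation; keep just the `mm->mmap_base` substitution so the diff stays reviewable and does not conflict on whitespace when rebased.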
437 +@@ -91,8 +95,8 @@ full_search:
438 + * Start a new search - just in case we missed
439 + * some holes.
440 + */
441 +- if (start_addr != TASK_UNMAPPED_BASE) {
442 +- start_addr = addr = TASK_UNMAPPED_BASE;
443 ++ if (start_addr != mm->mmap_base) {
444 ++ start_addr = addr = mm->mmap_base;
445 + mm->cached_hole_size = 0;
446 + goto full_search;
447 + }
448 +diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
449 +--- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
450 ++++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
451 +@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
452 +
453 + int exception_trace = 1;
454 +
455 ++#ifdef CONFIG_PAX_PAGEEXEC
456 ++void pax_report_insns(void *pc, void *sp)
457 ++{
458 ++ unsigned long i;
459 ++
460 ++ printk(KERN_ERR "PAX: bytes at PC: ");
461 ++ for (i = 0; i < 20; i++) {
462 ++ unsigned char c;
463 ++ if (get_user(c, (unsigned char *)pc+i))
464 ++ printk("???????? ");
465 ++ else
466 ++ printk("%02x ", c);
467 ++ }
468 ++ printk("\n");
469 ++}
470 ++#endif
471 ++
472 + /*
473 + * This routine handles page faults. It determines the address and the
474 + * problem, and then passes it off to one of the appropriate routines.
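Review bot: on avr32 the dump reads single bytes and prints them with `%02x`, but an unreadable byte prints `???????? ` (eight characters), so the columns no longer line up; use `?? ` here. The alpha version uses eight `?` because it dumps 32-bit words, so this looks like a copied format string rather than a deliberate choice.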
475 +@@ -157,6 +174,16 @@ bad_area:
476 + up_read(&mm->mmap_sem);
477 +
478 + if (user_mode(regs)) {
479 ++
480 ++#ifdef CONFIG_PAX_PAGEEXEC
481 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
482 ++ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
483 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
484 ++ do_exit(SIGKILL);
485 ++ }
486 ++ }
487 ++#endif
488 ++
489 + if (exception_trace && printk_ratelimit())
490 + printk("%s%s[%d]: segfault at %08lx pc %08lx "
491 + "sp %08lx ecr %lu\n",
492 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
493 +--- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
494 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
495 +@@ -592,7 +592,7 @@ config PAGE_OFFSET
496 + hex
497 + default 0xB0000000 if VMSPLIT_3G_OPT
498 + default 0x80000000 if VMSPLIT_2G
499 +- default 0x78000000 if VMSPLIT_2G_OPT
500 ++ default 0x70000000 if VMSPLIT_2G_OPT
501 + default 0x40000000 if VMSPLIT_1G
502 + default 0xC0000000
503 +
504 +@@ -831,7 +831,7 @@ config CRASH_DUMP
505 + config PHYSICAL_START
506 + hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
507 + default "0x1000000" if X86_NUMAQ
508 +- default "0x100000"
509 ++ default "0x200000"
510 + help
511 + This gives the physical address where the kernel is loaded.
512 +
513 +@@ -916,7 +916,7 @@ config HOTPLUG_CPU
514 +
515 + config COMPAT_VDSO
516 + bool "Compat VDSO support"
517 +- default y
518 ++ default n
519 + help
520 + Map the VDSO to the predictable old-style address too.
521 + ---help---
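Review bot: this hunk flips COMPAT_VDSO to `default n`, and the same commit also imports 4450_disable-compat_vdso.patch (see the file list in the log); one of the two is redundant and they will conflict the moment either moves. Keep the change in a single patch. The help line above (`Map the VDSO to the predictable old-style address too.`) already says what is wrong with the option, so no extra justification is needed here.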
522 +@@ -1092,7 +1092,7 @@ config PCI
523 + choice
524 + prompt "PCI access mode"
525 + depends on PCI && !X86_VISWS
526 +- default PCI_GOANY
527 ++ default PCI_GODIRECT
528 + ---help---
529 + On PCI systems, the BIOS can be used to detect the PCI devices and
530 + determine their configuration. However, some old PCI motherboards
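Review bot: changing the default from PCI_GOANY to PCI_GODIRECT removes the BIOS fallback from the default configuration, and the help text below still describes the BIOS path as the normal case; the security motivation (not calling into 16-bit BIOS code from the kernel, which is also what KERNEXEC's segment restrictions assume) is stated nowhere in the hunk. Add the rationale, and note that machines whose only working access method is the BIOS will need to re-enable it.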
531 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
532 +--- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
533 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
534 +@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
535 +
536 + config X86_F00F_BUG
537 + bool
538 +- depends on M586MMX || M586TSC || M586 || M486 || M386
539 ++ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
540 + default y
541 +
542 + config X86_WP_WORKS_OK
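Review bot: `&& !PAX_KERNEXEC` silently drops the F00F workaround whenever KERNEXEC is enabled; the workaround moves the IDT to a read-only alias so the lockup instruction faults instead of hanging the CPU, and presumably KERNEXEC's own read-only mapping of the IDT conflicts with or supersedes that. Whichever it is, say so in a comment: a Pentium user who turns on KERNEXEC should not lose a hardware-bug mitigation without a note.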
543 +@@ -299,7 +299,7 @@ config X86_POPAD_OK
544 +
545 + config X86_ALIGNMENT_16
546 + bool
547 +- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
548 ++ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
549 + default y
550 +
551 + config X86_GOOD_APIC
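Review bot: adding MK8, MK7, MPENTIUM4, MPENTIUMIII, MPENTIUMII and M686 to X86_ALIGNMENT_16 has nothing to do with grsecurity or PaX and changes code layout (16-byte alignment) for the most common CPU selections; it belongs in its own patch with its own justification, or should be dropped from this one.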
552 +diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
553 +--- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
554 ++++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
555 +@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
556 + This results in a large slowdown, but helps to find certain types
557 + of memory corruptions.
558 +
559 +-config DEBUG_RODATA
560 +- bool "Write protect kernel read-only data structures"
561 +- depends on DEBUG_KERNEL
562 +- help
563 +- Mark the kernel read-only data as write-protected in the pagetables,
564 +- in order to catch accidental (and incorrect) writes to such const
565 +- data. This option may have a slight performance impact because a
566 +- portion of the kernel code won't be covered by a 2MB TLB anymore.
567 +- If in doubt, say "N".
568 +-
569 + config 4KSTACKS
570 + bool "Use 4Kb for kernel stacks instead of 8Kb"
571 + depends on DEBUG_KERNEL
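Review bot: deleting the DEBUG_RODATA symbol outright (instead of making it `depends on !PAX_KERNEXEC`) means an existing .config with CONFIG_DEBUG_RODATA=y silently loses the option on `make oldconfig`, and any remaining `#ifdef CONFIG_DEBUG_RODATA` or `select DEBUG_RODATA` in the tree becomes dead. If KERNEXEC write-protects read-only data unconditionally, a comment at this spot saying so would explain the removal; if it does not, the option should stay.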
572 +diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
573 +--- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
574 ++++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
575 +@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
576 + u8 v;
577 + const u32 *p = (const u32 *)addr;
578 +
579 +- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
580 ++ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
581 + return v;
582 + }
583 +
584 +@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
585 +
586 + static inline void set_bit(int nr, void *addr)
587 + {
588 +- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
589 ++ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
590 + }
591 +
592 + #endif /* BOOT_BITOPS_H */
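Review bot: same problem as in variable_test_bit(): `"+m" (*(u32 *)addr)` covers only the first dword, but `btsl` with a register index can set a bit in any later dword, so the compiler may keep a stale copy of a later word in a register across this asm. A `"memory"` clobber addresses that; `volatile` alone does not.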
593 +diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
594 +--- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
595 ++++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
596 +@@ -78,7 +78,7 @@ static inline void io_delay(void)
597 + static inline u16 ds(void)
598 + {
599 + u16 seg;
600 +- asm("movw %%ds,%0" : "=rm" (seg));
601 ++ asm volatile("movw %%ds,%0" : "=rm" (seg));
602 + return seg;
603 + }
604 +
605 +@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
606 + static inline int memcmp(const void *s1, const void *s2, size_t len)
607 + {
608 + u8 diff;
609 +- asm("repe; cmpsb; setnz %0"
610 ++ asm volatile("repe; cmpsb; setnz %0"
611 + : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
612 + return diff;
613 + }
614 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
615 +--- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
616 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
617 +@@ -159,9 +159,8 @@ relocated:
618 + */
619 +
620 + 1: subl $4, %edi
621 +- movl 0(%edi), %ecx
622 +- testl %ecx, %ecx
623 +- jz 2f
624 ++ movl (%edi), %ecx
625 ++ jecxz 2f
626 + addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
627 + jmp 1b
628 + 2:
629 +diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
630 +--- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
631 ++++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
632 +@@ -10,9 +10,13 @@
633 + #define USE_BSD
634 + #include <endian.h>
635 +
636 ++#include "../../../../include/linux/autoconf.h"
637 ++
638 ++#define MAX_PHDRS 100
639 + #define MAX_SHDRS 100
640 + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
641 + static Elf32_Ehdr ehdr;
642 ++static Elf32_Phdr phdr[MAX_PHDRS];
643 + static Elf32_Shdr shdr[MAX_SHDRS];
644 + static Elf32_Sym *symtab[MAX_SHDRS];
645 + static Elf32_Rel *reltab[MAX_SHDRS];
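Review bot: `#include "../../../../include/linux/autoconf.h"` pulls the generated CONFIG_* header into a host program built with HOSTCC through a source-relative path, which breaks out-of-tree (`O=`) builds, where autoconf.h lives in the object tree. The kbuild way is to add `-include $(objtree)/include/linux/autoconf.h` (or `-DCONFIG_PAGE_OFFSET=...`) to the host flags for this file in the Makefile. MAX_PHDRS mirroring MAX_SHDRS is fine.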
646 +@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
647 + }
648 + }
649 +
650 ++static void read_phdrs(FILE *fp)
651 ++{
652 ++ int i;
653 ++ if (ehdr.e_phnum > MAX_PHDRS) {
654 ++ die("%d program headers supported: %d\n",
655 ++ ehdr.e_phnum, MAX_PHDRS);
656 ++ }
657 ++ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
658 ++ die("Seek to %d failed: %s\n",
659 ++ ehdr.e_phoff, strerror(errno));
660 ++ }
661 ++ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
662 ++ die("Cannot read ELF program headers: %s\n",
663 ++ strerror(errno));
664 ++ }
665 ++ for(i = 0; i < ehdr.e_phnum; i++) {
666 ++ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
667 ++ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
668 ++ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
669 ++ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
670 ++ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
671 ++ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
672 ++ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
673 ++ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
674 ++ }
675 ++
676 ++}
677 ++
678 + static void read_shdrs(FILE *fp)
679 + {
680 + int i;
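Review bot: `fread(&phdr, ...)` passes a pointer to the array rather than the array (same value, but `phdr` reads correctly and matches read_shdrs() in this file), and `die("Seek to %d failed ...")` formats `ehdr.e_phoff` (an Elf32_Off, i.e. uint32_t) with `%d`; read_shdrs() has the same wart, but new code need not copy it. The e_phnum bound check precedes the read and the byte-swap covers all eight Elf32_Phdr fields, so the data path is fine. Drop the stray blank line before the closing brace.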
681 +@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
682 + static void read_relocs(FILE *fp)
683 + {
684 + int i,j;
685 ++ uint32_t base;
686 ++
687 + for(i = 0; i < ehdr.e_shnum; i++) {
688 + if (shdr[i].sh_type != SHT_REL) {
689 + continue;
690 +@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
691 + die("Cannot read symbol table: %s\n",
692 + strerror(errno));
693 + }
694 ++ base = 0;
695 ++ for (j = 0; j < ehdr.e_phnum; j++) {
696 ++ if (phdr[j].p_type != PT_LOAD )
697 ++ continue;
698 ++ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
699 ++ continue;
700 ++ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
701 ++ break;
702 ++ }
703 + for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
704 +- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
705 ++ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
706 + reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
707 + }
708 + }
709 +@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
710 + if (sym->st_shndx == SHN_ABS) {
711 + continue;
712 + }
713 ++ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
714 ++ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
715 ++ continue;
716 ++ }
717 ++#ifdef CONFIG_PAX_KERNEXEC
718 ++ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
719 ++ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
720 ++ continue;
721 ++ }
722 ++ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
723 ++ continue;
724 ++ }
725 ++ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
726 ++ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
727 ++ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
728 ++ continue;
729 ++ }
730 ++ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
731 ++ continue;
732 ++ }
733 ++#endif
734 + if (r_type == R_386_PC32) {
735 + /* PC relative relocations don't need to be adjusted */
736 + }
737 +@@ -614,6 +678,7 @@ int main(int argc, char **argv)
738 + fname, strerror(errno));
739 + }
740 + read_ehdr(fp);
741 ++ read_phdrs(fp);
742 + read_shdrs(fp);
743 + read_strtabs(fp);
744 + read_symtabs(fp);
745 +diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
746 +--- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
747 ++++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
748 +@@ -90,7 +90,7 @@ static int has_fpu(void)
749 + u16 fcw = -1, fsw = -1;
750 + u32 cr0;
751 +
752 +- asm("movl %%cr0,%0" : "=r" (cr0));
753 ++ asm volatile("movl %%cr0,%0" : "=r" (cr0));
754 + if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
755 + cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
756 + asm volatile("movl %0,%%cr0" : : "r" (cr0));
757 +@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
758 + {
759 + u32 f0, f1;
760 +
761 +- asm("pushfl ; "
762 ++ asm volatile("pushfl ; "
763 + "pushfl ; "
764 + "popl %0 ; "
765 + "movl %0,%1 ; "
766 +@@ -131,7 +131,7 @@ static void get_flags(void)
767 + set_bit(X86_FEATURE_FPU, cpu.flags);
768 +
769 + if (has_eflag(X86_EFLAGS_ID)) {
770 +- asm("cpuid"
771 ++ asm volatile("cpuid"
772 + : "=a" (max_intel_level),
773 + "=b" (cpu_vendor[0]),
774 + "=d" (cpu_vendor[1]),
775 +@@ -140,7 +140,7 @@ static void get_flags(void)
776 +
777 + if (max_intel_level >= 0x00000001 &&
778 + max_intel_level <= 0x0000ffff) {
779 +- asm("cpuid"
780 ++ asm volatile("cpuid"
781 + : "=a" (tfms),
782 + "=c" (cpu.flags[4]),
783 + "=d" (cpu.flags[0])
784 +@@ -152,7 +152,7 @@ static void get_flags(void)
785 + cpu.model += ((tfms >> 16) & 0xf) << 4;
786 + }
787 +
788 +- asm("cpuid"
789 ++ asm volatile("cpuid"
790 + : "=a" (max_amd_level)
791 + : "a" (0x80000000)
792 + : "ebx", "ecx", "edx");
793 +@@ -160,7 +160,7 @@ static void get_flags(void)
794 + if (max_amd_level >= 0x80000001 &&
795 + max_amd_level <= 0x8000ffff) {
796 + u32 eax = 0x80000001;
797 +- asm("cpuid"
798 ++ asm volatile("cpuid"
799 + : "+a" (eax),
800 + "=c" (cpu.flags[6]),
801 + "=d" (cpu.flags[1])
802 +@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
803 + u32 ecx = MSR_K7_HWCR;
804 + u32 eax, edx;
805 +
806 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
807 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
808 + eax &= ~(1 << 15);
809 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
810 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
811 +
812 + get_flags(); /* Make sure it really did something */
813 + err = check_flags();
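Review bot: the `asm("wrmsr" : : ...)` statements have no output operands and are therefore already implicitly volatile (gcc treats an asm without outputs as having side effects), so adding `volatile` to them is redundant, if harmless; the `rdmsr` change is the one that matters, since its outputs depend on MSR state that no operand expresses. Consistency is a fair reason to keep both, but say so in the patch description rather than leaving it as a blanket `asm` to `asm volatile` sweep.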
814 +@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
815 + u32 ecx = MSR_VIA_FCR;
816 + u32 eax, edx;
817 +
818 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
819 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
820 + eax |= (1<<1)|(1<<7);
821 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
822 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
823 +
824 + set_bit(X86_FEATURE_CX8, cpu.flags);
825 + err = check_flags();
826 +@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
827 + u32 eax, edx;
828 + u32 level = 1;
829 +
830 +- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
831 +- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
832 +- asm("cpuid"
833 ++ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
834 ++ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
835 ++ asm volatile("cpuid"
836 + : "+a" (level), "=d" (cpu.flags[0])
837 + : : "ecx", "ebx");
838 +- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
839 ++ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
840 +
841 + err = check_flags();
842 + }
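Review bot: the `volatile` that matters in this hunk is the one on the `cpuid`, and a comment should say why: that `cpuid` takes only `level` as input, so nothing ties it to the preceding `wrmsr` and without `volatile` the compiler may hoist it above the MSR write or reuse the result of the earlier `cpuid` in `get_flags()`. The two `wrmsr` statements have no output operands, and GCC already treats an `asm` with no outputs as volatile, so those changes are harmless but redundant. Suggest a one-line comment above the block such as `/* volatile: cpuid must observe the wrmsr above */`.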
843 +diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
844 +--- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
845 ++++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
846 +@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
847 + ax = 0x4100;
848 + bx = EDDMAGIC1;
849 + dx = devno;
850 +- asm("pushfl; stc; int $0x13; setc %%al; popfl"
851 ++ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
852 + : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
853 + : : "esi", "edi");
854 +
855 +@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
856 + ei->params.length = sizeof(ei->params);
857 + ax = 0x4800;
858 + dx = devno;
859 +- asm("pushfl; int $0x13; popfl"
860 ++ asm volatile("pushfl; int $0x13; popfl"
861 + : "+a" (ax), "+d" (dx), "=m" (ei->params)
862 + : "S" (&ei->params)
863 + : "ebx", "ecx", "edi");
864 +@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
865 + ax = 0x0800;
866 + dx = devno;
867 + di = 0;
868 +- asm("pushw %%es; "
869 ++ asm volatile("pushw %%es; "
870 + "movw %%di,%%es; "
871 + "pushfl; stc; int $0x13; setc %%al; popfl; "
872 + "popw %%es"
873 +diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
874 +--- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
875 ++++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
876 +@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
877 + */
878 + static void query_ist(void)
879 + {
880 +- asm("int $0x15"
881 ++ asm volatile("int $0x15"
882 + : "=a" (boot_params.ist_info.signature),
883 + "=b" (boot_params.ist_info.command),
884 + "=c" (boot_params.ist_info.event),
885 +diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
886 +--- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
887 ++++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
888 +@@ -21,7 +21,7 @@ int query_mca(void)
889 + u8 err;
890 + u16 es, bx, len;
891 +
892 +- asm("pushw %%es ; "
893 ++ asm volatile("pushw %%es ; "
894 + "int $0x15 ; "
895 + "setc %0 ; "
896 + "movw %%es, %1 ; "
897 +diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
898 +--- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
899 ++++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
900 +@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
901 + /* Important: %edx is clobbered by some BIOSes,
902 + so it must be either used for the error output
903 + or explicitly marked clobbered. */
904 +- asm("int $0x15; setc %0"
905 ++ asm volatile("int $0x15; setc %0"
906 + : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
907 + "=m" (*desc)
908 + : "D" (desc), "d" (SMAP), "a" (0xe820));
909 +@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
910 +
911 + bx = cx = dx = 0;
912 + ax = 0xe801;
913 +- asm("stc; int $0x15; setc %0"
914 ++ asm volatile("stc; int $0x15; setc %0"
915 + : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
916 +
917 + if (err)
918 +@@ -94,7 +94,7 @@ static int detect_memory_88(void)
919 + u8 err;
920 +
921 + ax = 0x8800;
922 +- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
923 ++ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
924 +
925 + boot_params.screen_info.ext_mem_k = ax;
926 +
927 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
928 +--- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
929 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
930 +@@ -41,7 +41,7 @@ static int vesa_probe(void)
931 +
932 + ax = 0x4f00;
933 + di = (size_t)&vginfo;
934 +- asm(INT10
935 ++ asm volatile(INT10
936 + : "+a" (ax), "+D" (di), "=m" (vginfo)
937 + : : "ebx", "ecx", "edx", "esi");
938 +
939 +@@ -68,7 +68,7 @@ static int vesa_probe(void)
940 + ax = 0x4f01;
941 + cx = mode;
942 + di = (size_t)&vminfo;
943 +- asm(INT10
944 ++ asm volatile(INT10
945 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
946 + : : "ebx", "edx", "esi");
947 +
948 +@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
949 + ax = 0x4f01;
950 + cx = vesa_mode;
951 + di = (size_t)&vminfo;
952 +- asm(INT10
953 ++ asm volatile(INT10
954 + : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
955 + : : "ebx", "edx", "esi");
956 +
957 +@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
958 + /* Save the VESA protected mode info */
959 + static void vesa_store_pm_info(void)
960 + {
961 +- u16 ax, bx, di, es;
962 ++ u16 ax, bx, cx, di, es;
963 +
964 + ax = 0x4f0a;
965 +- bx = di = 0;
966 +- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
967 +- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
968 +- : : "ecx", "esi");
969 ++ bx = cx = di = 0;
970 ++ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
971 ++ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
972 ++ : : "esi");
973 +
974 + if (ax != 0x004f)
975 + return;
976 +
977 + boot_params.screen_info.vesapm_seg = es;
978 + boot_params.screen_info.vesapm_off = di;
979 ++ boot_params.screen_info.vesapm_size = cx;
980 + }
981 +
982 + /*
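Review bot: `boot_params.screen_info.vesapm_size = cx;` stores into a field that no visible hunk adds to `struct screen_info`; the header change this depends on must be part of the same patch or this file will not build. Dropping `"ecx"` from the clobber list is required once `cx` becomes the `"+c"` operand (a register used as an operand cannot also be listed as clobbered), and zeroing `cx` before the call is right because `"+c"` reads it, so the operand changes themselves are correct.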
983 +@@ -259,7 +260,7 @@ void vesa_store_edid(void)
984 + /* Note: The VBE DDC spec is different from the main VESA spec;
985 + we genuinely have to assume all registers are destroyed here. */
986 +
987 +- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
988 ++ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
989 + : "+a" (ax), "+b" (bx)
990 + : "c" (cx), "D" (di)
991 + : "esi");
992 +@@ -275,7 +276,7 @@ void vesa_store_edid(void)
993 + cx = 0; /* Controller 0 */
994 + dx = 0; /* EDID block number */
995 + di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
996 +- asm(INT10
997 ++ asm volatile(INT10
998 + : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
999 + : "c" (cx), "D" (di)
1000 + : "esi");
1001 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
1002 +--- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
1003 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
1004 +@@ -225,7 +225,7 @@ static int vga_probe(void)
1005 + };
1006 + u8 vga_flag;
1007 +
1008 +- asm(INT10
1009 ++ asm volatile(INT10
1010 + : "=b" (boot_params.screen_info.orig_video_ega_bx)
1011 + : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
1012 + : "ecx", "edx", "esi", "edi");
1013 +@@ -233,7 +233,7 @@ static int vga_probe(void)
1014 + /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
1015 + if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
1016 + /* EGA/VGA */
1017 +- asm(INT10
1018 ++ asm volatile(INT10
1019 + : "=a" (vga_flag)
1020 + : "a" (0x1a00)
1021 + : "ebx", "ecx", "edx", "esi", "edi");
1022 +diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
1023 +--- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
1024 ++++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
1025 +@@ -40,7 +40,7 @@ static void store_cursor_position(void)
1026 +
1027 + ax = 0x0300;
1028 + bx = 0;
1029 +- asm(INT10
1030 ++ asm volatile(INT10
1031 + : "=d" (curpos), "+a" (ax), "+b" (bx)
1032 + : : "ecx", "esi", "edi");
1033 +
1034 +@@ -55,7 +55,7 @@ static void store_video_mode(void)
1035 + /* N.B.: the saving of the video page here is a bit silly,
1036 + since we pretty much assume page 0 everywhere. */
1037 + ax = 0x0f00;
1038 +- asm(INT10
1039 ++ asm volatile(INT10
1040 + : "+a" (ax), "=b" (page)
1041 + : : "ecx", "edx", "esi", "edi");
1042 +
1043 +diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
1044 +--- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
1045 ++++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
1046 +@@ -27,7 +27,7 @@ int query_voyager(void)
1047 +
1048 + data_ptr[0] = 0xff; /* Flag on config not found(?) */
1049 +
1050 +- asm("pushw %%es ; "
1051 ++ asm volatile("pushw %%es ; "
1052 + "int $0x15 ; "
1053 + "setc %0 ; "
1054 + "movw %%es, %1 ; "
1055 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
1056 +--- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
1057 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
1058 +@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
1059 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
1060 + },
1061 + },
1062 +- {}
1063 ++ { NULL, NULL, {{0, NULL}}, NULL}
1064 + };
1065 +
1066 + #endif /* __i386__ */
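Review bot: replacing the `{}` terminator with `{ NULL, NULL, {{0, NULL}}, NULL}` only silences a missing-field-initializer warning; both spell an all-zero entry. The cost is that the new form hard-codes the field order and nesting of `struct dmi_system_id` and `struct dmi_strmatch`, so a later change to either struct re-triggers the warning in every table edited this way (sleep.c below gets the identical edit). A designated initializer such as `{ .ident = NULL }` is warning-free and layout-independent; suggest that instead.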
1067 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
1068 +--- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
1069 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
1070 +@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
1071 + DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
1072 + },
1073 + },
1074 +- {}
1075 ++ { NULL, NULL, {{0, NULL}}, NULL}
1076 + };
1077 +
1078 + static int __init acpisleep_dmi_init(void)
1079 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
1080 +--- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
1081 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
1082 +@@ -2,6 +2,7 @@
1083 + #include <linux/linkage.h>
1084 + #include <asm/segment.h>
1085 + #include <asm/page.h>
1086 ++#include <asm/msr-index.h>
1087 +
1088 + #
1089 + # wakeup_code runs in real mode, and at unknown address (determined at run-time).
1090 +@@ -84,7 +85,7 @@ wakeup_code:
1091 + # restore efer setting
1092 + movl real_save_efer_edx - wakeup_code, %edx
1093 + movl real_save_efer_eax - wakeup_code, %eax
1094 +- mov $0xc0000080, %ecx
1095 ++ mov $MSR_EFER, %ecx
1096 + wrmsr
1097 + 4:
1098 + # make sure %cr4 is set correctly (features, etc)
1099 +@@ -209,13 +210,11 @@ wakeup_pmode_return:
1100 + # and restore the stack ... but you need gdt for this to work
1101 + movl saved_context_esp, %esp
1102 +
1103 +- movl %cs:saved_magic, %eax
1104 +- cmpl $0x12345678, %eax
1105 ++ cmpl $0x12345678, saved_magic
1106 + jne bogus_magic
1107 +
1108 + # jump to place where we left off
1109 +- movl saved_eip,%eax
1110 +- jmp *%eax
1111 ++ jmp *(saved_eip)
1112 +
1113 + bogus_magic:
1114 + movw $0x0e00 + 'B', 0xb8018
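Review bot: `cmpl $0x12345678, saved_magic` drops the explicit `%cs:` override of the removed `movl %cs:saved_magic, %eax`, so the magic check now reads through `%ds`. That is consistent with the unchanged `movl saved_context_esp, %esp` two lines above, which already relies on `%ds` being a valid flat data segment here, but a comment stating that `%ds` is loaded by this point would make the assumption explicit. `jmp *(saved_eip)` is an equivalent memory-indirect jump; the net effect of both changes is that `%eax` is no longer clobbered on this path, which is worth stating in the patch description.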
1115 +@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
1116 + # save efer setting
1117 + pushl %eax
1118 + movl %eax, %ebx
1119 +- mov $0xc0000080, %ecx
1120 ++ mov $MSR_EFER, %ecx
1121 + rdmsr
1122 + movl %edx, real_save_efer_edx - wakeup_start (%ebx)
1123 + movl %eax, real_save_efer_eax - wakeup_start (%ebx)
1124 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
1125 +--- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
1126 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
1127 +@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
1128 + */
1129 + void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
1130 + {
1131 ++
1132 ++#ifdef CONFIG_PAX_KERNEXEC
1133 ++ unsigned long cr0;
1134 ++
1135 ++ pax_open_kernel(cr0);
1136 ++#endif
1137 ++
1138 ++ addr += __KERNEL_TEXT_OFFSET;
1139 + memcpy(addr, opcode, len);
1140 ++
1141 ++#ifdef CONFIG_PAX_KERNEXEC
1142 ++ pax_close_kernel(cr0);
1143 ++#endif
1144 ++
1145 + sync_core();
1146 + /* Could also do a CLFLUSH here to speed up CPU recovery; but
1147 + that causes hangs on some VIA CPUs. */
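Review bot: `addr += __KERNEL_TEXT_OFFSET;` sits outside the `#ifdef CONFIG_PAX_KERNEXEC` guards, so `text_poke()` now adjusts every address unconditionally and only builds if `__KERNEL_TEXT_OFFSET` is defined (and presumably zero) in non-KERNEXEC configurations; nothing visible here guarantees that. Either move the line inside the `#ifdef` or add a comment pointing at where the non-KERNEXEC definition lives. The writable window itself is as narrow as it should be: only the `memcpy()` lies between `pax_open_kernel(cr0)` and `pax_close_kernel(cr0)`.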
1148 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
1149 +--- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
1150 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
1151 +@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
1152 + static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
1153 + static struct apm_user * user_list;
1154 + static DEFINE_SPINLOCK(user_list_lock);
1155 +-static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
1156 ++static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
1157 +
1158 + static const char driver_version[] = "1.16ac"; /* no spaces */
1159 +
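Review bot: changing `0x00409200` to `0x00409300` flips bit 8 of the descriptor's high dword, which is the Accessed bit of the segment type (type 0010b, read/write data, becomes 0011b, read/write data, accessed); with that bit pre-set the CPU never needs to write the descriptor back when the segment is loaded, which matters once the GDT is kept read-only outside `pax_open_kernel()`/`pax_close_kernel()` as the following hunks do. That intent is invisible from a one-nibble constant change; please add a comment on the line, e.g. `/* accessed bit pre-set: no descriptor write-back on load */`.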
1160 +@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
1161 + struct desc_struct save_desc_40;
1162 + struct desc_struct *gdt;
1163 +
1164 ++#ifdef CONFIG_PAX_KERNEXEC
1165 ++ unsigned long cr0;
1166 ++#endif
1167 ++
1168 + cpus = apm_save_cpus();
1169 +
1170 + cpu = get_cpu();
1171 + gdt = get_cpu_gdt_table(cpu);
1172 + save_desc_40 = gdt[0x40 / 8];
1173 ++
1174 ++#ifdef CONFIG_PAX_KERNEXEC
1175 ++ pax_open_kernel(cr0);
1176 ++#endif
1177 ++
1178 + gdt[0x40 / 8] = bad_bios_desc;
1179 +
1180 ++#ifdef CONFIG_PAX_KERNEXEC
1181 ++ pax_close_kernel(cr0);
1182 ++#endif
1183 ++
1184 + apm_irq_save(flags);
1185 + APM_DO_SAVE_SEGS;
1186 + apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
1187 + APM_DO_RESTORE_SEGS;
1188 + apm_irq_restore(flags);
1189 ++
1190 ++#ifdef CONFIG_PAX_KERNEXEC
1191 ++ pax_open_kernel(cr0);
1192 ++#endif
1193 ++
1194 + gdt[0x40 / 8] = save_desc_40;
1195 ++
1196 ++#ifdef CONFIG_PAX_KERNEXEC
1197 ++ pax_close_kernel(cr0);
1198 ++#endif
1199 ++
1200 + put_cpu();
1201 + apm_restore_cpus(cpus);
1202 +
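Review bot: the open/close pairs around the two `gdt[0x40 / 8]` writes are correctly placed, but the same open/write/close sequence with its `#ifdef CONFIG_PAX_KERNEXEC` blocks is duplicated verbatim in `apm_bios_call_simple()` in the next hunk; factor it into a small helper (a hypothetical `apm_set_desc_40(gdt, desc)`) so the conditional lives in one place. Note also that the first `pax_open_kernel(cr0)` runs after `get_cpu()` but before `apm_irq_save(flags)`, i.e. with preemption disabled and interrupts still enabled; if `pax_open_kernel()` has any expectation about interrupt state, that is not visible here and should be documented.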
1203 +@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
1204 + struct desc_struct save_desc_40;
1205 + struct desc_struct *gdt;
1206 +
1207 ++#ifdef CONFIG_PAX_KERNEXEC
1208 ++ unsigned long cr0;
1209 ++#endif
1210 ++
1211 + cpus = apm_save_cpus();
1212 +
1213 + cpu = get_cpu();
1214 + gdt = get_cpu_gdt_table(cpu);
1215 + save_desc_40 = gdt[0x40 / 8];
1216 ++
1217 ++#ifdef CONFIG_PAX_KERNEXEC
1218 ++ pax_open_kernel(cr0);
1219 ++#endif
1220 ++
1221 + gdt[0x40 / 8] = bad_bios_desc;
1222 +
1223 ++#ifdef CONFIG_PAX_KERNEXEC
1224 ++ pax_close_kernel(cr0);
1225 ++#endif
1226 ++
1227 + apm_irq_save(flags);
1228 + APM_DO_SAVE_SEGS;
1229 + error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
1230 + APM_DO_RESTORE_SEGS;
1231 + apm_irq_restore(flags);
1232 ++
1233 ++#ifdef CONFIG_PAX_KERNEXEC
1234 ++ pax_open_kernel(cr0);
1235 ++#endif
1236 ++
1237 + gdt[0x40 / 8] = save_desc_40;
1238 ++
1239 ++#ifdef CONFIG_PAX_KERNEXEC
1240 ++ pax_close_kernel(cr0);
1241 ++#endif
1242 ++
1243 + put_cpu();
1244 + apm_restore_cpus(cpus);
1245 + return error;
1246 +@@ -924,7 +970,7 @@ recalc:
1247 +
1248 + static void apm_power_off(void)
1249 + {
1250 +- unsigned char po_bios_call[] = {
1251 ++ const unsigned char po_bios_call[] = {
1252 + 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
1253 + 0x8e, 0xd0, /* movw ax,ss */
1254 + 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
1255 +@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
1256 + static struct miscdevice apm_device = {
1257 + APM_MINOR_DEV,
1258 + "apm_bios",
1259 +- &apm_bios_fops
1260 ++ &apm_bios_fops,
1261 ++ {NULL, NULL},
1262 ++ NULL,
1263 ++ NULL
1264 + };
1265 +
1266 +
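Review bot: padding `apm_device` with `{NULL, NULL}, NULL, NULL` positionally silences the missing-initializer warning by hard-coding the tail layout of `struct miscdevice` (a list head followed by two pointers); any reordering or new member in that struct silently shifts these values. Designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) give the same warning-free result without the layout dependency and are the more common form in the kernel.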
1267 +@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
1268 + print_if_true,
1269 + KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
1270 + { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
1271 +- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
1272 ++ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
1273 + },
1274 + { /* Handle problems with APM on the C600 */
1275 + broken_ps2_resume, "Dell Latitude C600",
1276 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
1277 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
1278 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
1279 + },
1280 + { /* Allow interrupts during suspend on Dell Latitude laptops*/
1281 + set_apm_ints, "Dell Latitude",
1282 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1283 +- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
1284 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
1285 + },
1286 + { /* APM crashes */
1287 + apm_is_horked, "Dell Inspiron 2500",
1288 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1289 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1290 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1291 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1292 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1293 + },
1294 + { /* Allow interrupts during suspend on Dell Inspiron laptops*/
1295 + set_apm_ints, "Dell Inspiron", {
1296 + DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1297 +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
1298 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
1299 + },
1300 + { /* Handle problems with APM on Inspiron 5000e */
1301 + broken_apm_power, "Dell Inspiron 5000e",
1302 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1303 + DMI_MATCH(DMI_BIOS_VERSION, "A04"),
1304 +- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
1305 ++ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
1306 + },
1307 + { /* Handle problems with APM on Inspiron 2500 */
1308 + broken_apm_power, "Dell Inspiron 2500",
1309 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1310 + DMI_MATCH(DMI_BIOS_VERSION, "A12"),
1311 +- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
1312 ++ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
1313 + },
1314 + { /* APM crashes */
1315 + apm_is_horked, "Dell Dimension 4100",
1316 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1317 + DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
1318 + DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
1319 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1320 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1321 + },
1322 + { /* Allow interrupts during suspend on Compaq Laptops*/
1323 + set_apm_ints, "Compaq 12XL125",
1324 + { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
1325 + DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
1326 + DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1327 +- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
1328 ++ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
1329 + },
1330 + { /* Allow interrupts during APM or the clock goes slow */
1331 + set_apm_ints, "ASUSTeK",
1332 + { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
1333 +- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
1334 ++ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
1335 + },
1336 + { /* APM blows on shutdown */
1337 + apm_is_horked, "ABIT KX7-333[R]",
1338 + { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
1339 +- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
1340 ++ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
1341 + },
1342 + { /* APM crashes */
1343 + apm_is_horked, "Trigem Delhi3",
1344 + { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
1345 +- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
1346 ++ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
1347 + },
1348 + { /* APM crashes */
1349 + apm_is_horked, "Fujitsu-Siemens",
1350 + { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
1351 +- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
1352 ++ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
1353 + },
1354 + { /* APM crashes */
1355 + apm_is_horked_d850md, "Intel D850MD",
1356 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1357 +- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
1358 ++ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
1359 + },
1360 + { /* APM crashes */
1361 + apm_is_horked, "Intel D810EMO",
1362 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1363 +- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
1364 ++ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
1365 + },
1366 + { /* APM crashes */
1367 + apm_is_horked, "Dell XPS-Z",
1368 + { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
1369 + DMI_MATCH(DMI_BIOS_VERSION, "A11"),
1370 +- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
1371 ++ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
1372 + },
1373 + { /* APM crashes */
1374 + apm_is_horked, "Sharp PC-PJ/AX",
1375 + { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
1376 + DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
1377 + DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
1378 +- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
1379 ++ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
1380 + },
1381 + { /* APM crashes */
1382 + apm_is_horked, "Dell Inspiron 2500",
1383 + { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
1384 + DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
1385 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
1386 +- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
1387 ++ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
1388 + },
1389 + { /* APM idle hangs */
1390 + apm_likes_to_melt, "Jabil AMD",
1391 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1392 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
1393 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
1394 + },
1395 + { /* APM idle hangs */
1396 + apm_likes_to_melt, "AMI Bios",
1397 + { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
1398 +- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
1399 ++ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
1400 + },
1401 + { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
1402 + swab_apm_power_in_minutes, "Sony VAIO",
1403 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1404 + DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
1405 +- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
1406 ++ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
1407 + },
1408 + { /* Handle problems with APM on Sony Vaio PCG-N505VX */
1409 + swab_apm_power_in_minutes, "Sony VAIO",
1410 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1411 + DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
1412 +- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
1413 ++ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
1414 + },
1415 + { /* Handle problems with APM on Sony Vaio PCG-XG29 */
1416 + swab_apm_power_in_minutes, "Sony VAIO",
1417 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1418 + DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
1419 +- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
1420 ++ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
1421 + },
1422 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1423 + swab_apm_power_in_minutes, "Sony VAIO",
1424 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1425 + DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
1426 +- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
1427 ++ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
1428 + },
1429 + { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
1430 + swab_apm_power_in_minutes, "Sony VAIO",
1431 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1432 + DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
1433 +- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
1434 ++ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
1435 + },
1436 + { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
1437 + swab_apm_power_in_minutes, "Sony VAIO",
1438 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1439 + DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
1440 +- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
1441 ++ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
1442 + },
1443 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1444 + swab_apm_power_in_minutes, "Sony VAIO",
1445 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1446 + DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
1447 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
1448 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
1449 + },
1450 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
1451 + swab_apm_power_in_minutes, "Sony VAIO",
1452 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1453 + DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
1454 +- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
1455 ++ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
1456 + },
1457 + { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
1458 + swab_apm_power_in_minutes, "Sony VAIO",
1459 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1460 + DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
1461 +- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
1462 ++ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
1463 + },
1464 + { /* Handle problems with APM on Sony Vaio PCG-F104K */
1465 + swab_apm_power_in_minutes, "Sony VAIO",
1466 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1467 + DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
1468 +- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
1469 ++ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
1470 + },
1471 +
1472 + { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
1473 + swab_apm_power_in_minutes, "Sony VAIO",
1474 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1475 + DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
1476 +- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
1477 ++ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
1478 + },
1479 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1480 + swab_apm_power_in_minutes, "Sony VAIO",
1481 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1482 + DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
1483 +- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
1484 ++ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
1485 + },
1486 + { /* Handle problems with APM on Sony Vaio PCG-C1VE */
1487 + swab_apm_power_in_minutes, "Sony VAIO",
1488 + { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
1489 + DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
1490 +- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
1491 ++ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
1492 + },
1493 + { /* broken PM poweroff bios */
1494 + set_realmode_power_off, "Award Software v4.60 PGMA",
1495 + { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
1496 + DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
1497 +- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
1498 ++ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
1499 + },
1500 +
1501 + /* Generic per vendor APM settings */
1502 +
1503 + { /* Allow interrupts during suspend on IBM laptops */
1504 + set_apm_ints, "IBM",
1505 +- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
1506 ++ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
1507 + },
1508 +
1509 +- { }
1510 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
1511 + };
1512 +
1513 + /*
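Review bot: the trailing `NULL` appended to every entry initialises the `driver_data` member positionally, which is a large amount of churn for a warning fix and obliges every future entry to carry the same trailing `NULL`; converting the table to designated initializers (`.callback`, `.ident`, `.matches`) would silence the warning once and survive struct changes. The terminator also differs from the one used earlier in this same patch: here it is `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}` while acpi/boot.c and acpi/sleep.c got `{ NULL, NULL, {{0, NULL}}, NULL}`; pick one spelling for the whole patch.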
1514 +@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
1515 + struct desc_struct *gdt;
1516 + int err;
1517 +
1518 ++#ifdef CONFIG_PAX_KERNEXEC
1519 ++ unsigned long cr0;
1520 ++#endif
1521 ++
1522 + dmi_check_system(apm_dmi_table);
1523 +
1524 + if (apm_info.bios.version == 0 || paravirt_enabled()) {
1525 +@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
1526 + * This is for buggy BIOS's that refer to (real mode) segment 0x40
1527 + * even though they are called in protected mode.
1528 + */
1529 ++
1530 ++#ifdef CONFIG_PAX_KERNEXEC
1531 ++ pax_open_kernel(cr0);
1532 ++#endif
1533 ++
1534 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
1535 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
1536 +
1537 ++#ifdef CONFIG_PAX_KERNEXEC
1538 ++ pax_close_kernel(cr0);
1539 ++#endif
1540 ++
1541 + /*
1542 + * Set up the long jump entry point to the APM BIOS, which is called
1543 + * from inline assembly.
1544 +@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
1545 + * code to that CPU.
1546 + */
1547 + gdt = get_cpu_gdt_table(0);
1548 ++
1549 ++#ifdef CONFIG_PAX_KERNEXEC
1550 ++ pax_open_kernel(cr0);
1551 ++#endif
1552 ++
1553 + set_base(gdt[APM_CS >> 3],
1554 + __va((unsigned long)apm_info.bios.cseg << 4));
1555 + set_base(gdt[APM_CS_16 >> 3],
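Review bot: the `pax_open_kernel(cr0)` added here is closed only in the next hunk; from the hunk headers (`-2290,6` ending at old line 2295, `-2297,6` starting at 2297) exactly one source line sits between them and is not shown, so the window is small, but please confirm that line is just the continuation of the `set_base(gdt[APM_CS_16 >> 3], ...)` call and that no error path can leave `apm_init()` between open and close. Keeping open and close within one hunk (adjacent in the source) makes this reviewable at a glance.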
1556 +@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
1557 + set_base(gdt[APM_DS >> 3],
1558 + __va((unsigned long)apm_info.bios.dseg << 4));
1559 +
1560 ++#ifdef CONFIG_PAX_KERNEXEC
1561 ++ pax_close_kernel(cr0);
1562 ++#endif
1563 ++
1564 + apm_proc = create_proc_entry("apm", 0, NULL);
1565 + if (apm_proc)
1566 + apm_proc->proc_fops = &apm_file_ops;
1567 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
1568 +--- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
1569 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
1570 +@@ -109,6 +109,7 @@ void foo(void)
1571 + DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
1572 + DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
1573 + DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
1574 ++ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
1575 +
1576 + DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
1577 +
1578 +@@ -122,6 +123,7 @@ void foo(void)
1579 + OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
1580 + OFFSET(PARAVIRT_iret, paravirt_ops, iret);
1581 + OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
1582 ++ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
1583 + #endif
1584 +
1585 + #ifdef CONFIG_XEN
1586 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
1587 +--- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
1588 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
1589 +@@ -4,7 +4,6 @@
1590 + #include <linux/smp.h>
1591 + #include <linux/module.h>
1592 + #include <linux/percpu.h>
1593 +-#include <linux/bootmem.h>
1594 + #include <asm/semaphore.h>
1595 + #include <asm/processor.h>
1596 + #include <asm/i387.h>
1597 +@@ -21,39 +20,15 @@
1598 +
1599 + #include "cpu.h"
1600 +
1601 +-DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
1602 +- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
1603 +- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
1604 +- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
1605 +- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
1606 +- /*
1607 +- * Segments used for calling PnP BIOS have byte granularity.
1608 +- * They code segments and data segments have fixed 64k limits,
1609 +- * the transfer segment sizes are set at run time.
1610 +- */
1611 +- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1612 +- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
1613 +- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
1614 +- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
1615 +- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
1616 +- /*
1617 +- * The APM segments have byte granularity and their bases
1618 +- * are set at run time. All have 64k limits.
1619 +- */
1620 +- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
1621 +- /* 16-bit code */
1622 +- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
1623 +- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
1624 +-
1625 +- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
1626 +- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
1627 +-} };
1628 +-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
1629 +-
1630 + static int cachesize_override __cpuinitdata = -1;
1631 + static int disable_x86_fxsr __cpuinitdata;
1632 + static int disable_x86_serial_nr __cpuinitdata = 1;
1633 +-static int disable_x86_sep __cpuinitdata;
1634 ++
1635 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1636 ++int disable_x86_sep __cpuinitdata = 1;
1637 ++#else
1638 ++int disable_x86_sep __cpuinitdata;
1639 ++#endif
1640 +
1641 + struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
1642 +
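Review bot: `disable_x86_sep` loses its `static` and becomes a global inside the `#if defined(CONFIG_PAX_PAGEEXEC) || ...` block, but no declaration accompanies it, and head.S later in this patch stores to it directly (`movl $0,disable_x86_sep-__PAGE_OFFSET`); add an `extern` in a shared header so the C and assembly users agree on the type, and a one-line comment on why SEP (sysenter) defaults to off under these PaX options. Removing the per-cpu `gdt_page` also removes `EXPORT_PER_CPU_SYMBOL_GPL(gdt_page)`, so any module that referenced `gdt_page` stops linking; its replacement `cpu_gdt_table`, used throughout entry.S and head.S below, is not defined in this file, so its definition and export status need to be checked alongside this hunk.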
1643 +@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
1644 + void __init cpu_detect(struct cpuinfo_x86 *c)
1645 + {
1646 + /* Get vendor name */
1647 +- cpuid(0x00000000, &c->cpuid_level,
1648 +- (int *)&c->x86_vendor_id[0],
1649 +- (int *)&c->x86_vendor_id[8],
1650 +- (int *)&c->x86_vendor_id[4]);
1651 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1652 ++ (unsigned int *)&c->x86_vendor_id[0],
1653 ++ (unsigned int *)&c->x86_vendor_id[8],
1654 ++ (unsigned int *)&c->x86_vendor_id[4]);
1655 +
1656 + c->x86 = 4;
1657 + if (c->cpuid_level >= 0x00000001) {
1658 +@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
1659 +
1660 + static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
1661 + {
1662 +- u32 tfms, xlvl;
1663 +- int ebx;
1664 ++ u32 tfms, xlvl, ebx;
1665 +
1666 + if (have_cpuid_p()) {
1667 + /* Get vendor name */
1668 +- cpuid(0x00000000, &c->cpuid_level,
1669 +- (int *)&c->x86_vendor_id[0],
1670 +- (int *)&c->x86_vendor_id[8],
1671 +- (int *)&c->x86_vendor_id[4]);
1672 ++ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
1673 ++ (unsigned int *)&c->x86_vendor_id[0],
1674 ++ (unsigned int *)&c->x86_vendor_id[8],
1675 ++ (unsigned int *)&c->x86_vendor_id[4]);
1676 +
1677 + get_cpu_vendor(c, 0);
1678 + /* Initialize the standard set of capabilities */
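Review bot: the `(unsigned int *)&c->cpuid_level` casts in both `cpu_detect` and `generic_identify` alias an `int` member as `unsigned int` to satisfy a changed `cpuid()` prototype that is not part of these hunks; rather than casting at every call site, change `cpuid_level` to `unsigned int` in `struct cpuinfo_x86` so the pointer types match without a cast. The `int ebx` to `u32` change in `generic_identify` goes in the right direction and makes the `x86_vendor_id` casts consistent with it.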
1679 +@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
1680 + {
1681 + struct Xgt_desc_struct gdt_descr;
1682 +
1683 +- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
1684 ++ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
1685 + gdt_descr.size = GDT_SIZE - 1;
1686 + load_gdt(&gdt_descr);
1687 + asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
1688 +@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
1689 + {
1690 + int cpu = smp_processor_id();
1691 + struct task_struct *curr = current;
1692 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
1693 ++ struct tss_struct *t = init_tss + cpu;
1694 + struct thread_struct *thread = &curr->thread;
1695 +
1696 + if (cpu_test_and_set(cpu, cpu_initialized)) {
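Review bot: `struct tss_struct *t = init_tss + cpu;` only compiles if `init_tss` has been redefined elsewhere in the patch as a plain array indexed by CPU number instead of a `DEFINE_PER_CPU` variable; every remaining `per_cpu(init_tss, ...)` user must be converted in the same change, and the new definition deserves a comment on why a static array is preferred over the per-cpu area (a link-time-constant address reachable from assembly, as with `cpu_gdt_table`, is the obvious guess, but it should be stated, not guessed).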
1697 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
1698 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
1699 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
1700 +@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
1701 + DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
1702 + },
1703 + },
1704 +- { }
1705 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
1706 + };
1707 + #endif
1708 +
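Review bot: the sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }` is the all-zero initializer written out in full, so it behaves exactly like the `{ }` it replaces; its only effect is to silence missing-initializer warnings, at the cost of hard-coding the field order of `struct dmi_system_id`, which will need editing whenever that struct gains a member. If the warning cleanup is intentional, say so in the patch description; the same remark applies to `{ NULL, NULL, 0, NULL}` in speedstep-centrino.c and `{ 0, 0 }` in mtrr/generic.c below.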
1709 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
1710 +--- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
1711 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
1712 +@@ -223,7 +223,7 @@ static struct cpu_model models[] =
1713 + { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
1714 + { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
1715 +
1716 +- { NULL, }
1717 ++ { NULL, NULL, 0, NULL}
1718 + };
1719 + #undef _BANIAS
1720 + #undef BANIAS
1721 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
1722 +--- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
1723 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
1724 +@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
1725 + */
1726 + if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
1727 + /* supports eax=2 call */
1728 +- int i, j, n;
1729 +- int regs[4];
1730 ++ int j, n;
1731 ++ unsigned int regs[4];
1732 + unsigned char *dp = (unsigned char *)regs;
1733 + int only_trace = 0;
1734 +
1735 +@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
1736 +
1737 + /* If bit 31 is set, this is an unknown format */
1738 + for ( j = 0 ; j < 3 ; j++ ) {
1739 +- if ( regs[j] < 0 ) regs[j] = 0;
1740 ++ if ( (int)regs[j] < 0 ) regs[j] = 0;
1741 + }
1742 +
1743 + /* Byte 0 is level count, not a descriptor */
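Review bot: `if ( (int)regs[j] < 0 )` reintroduces through a cast the signed interpretation that the switch from `int regs[4]` to `unsigned int regs[4]` in the previous hunk removed; the comment above it says the test is for bit 31, so `if (regs[j] & 0x80000000)` states that directly and does not rely on implementation-defined unsigned-to-signed conversion. The previous hunk also drops `i` from `int i, j, n;`, which is correct only if no use of `i` survives in the part of the function outside the shown context.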
1744 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
1745 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
1746 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
1747 +@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
1748 + return NOTIFY_OK;
1749 + }
1750 +
1751 +-static struct notifier_block thermal_throttle_cpu_notifier =
1752 ++static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
1753 + {
1754 + .notifier_call = thermal_throttle_cpu_callback,
1755 + };
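Review bot: `__cpuinitdata` on `thermal_throttle_cpu_notifier` is safe only if the block is registered with `register_hotcpu_notifier()`, which compiles to nothing when CONFIG_HOTPLUG_CPU is off, the one configuration in which `__cpuinitdata` memory is discarded after boot; if it is registered with `register_cpu_notifier()` instead, the notifier chain would keep a pointer into freed init memory. The registration site is not in this hunk, so please confirm it and mention it in the change description.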
1756 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
1757 +--- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
1758 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
1759 +@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
1760 + { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
1761 + { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
1762 + { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
1763 +- {}
1764 ++ { 0, 0 }
1765 + };
1766 +
1767 + static unsigned long smp_changes_mask;
1768 +-static struct mtrr_state mtrr_state = {};
1769 ++static struct mtrr_state mtrr_state;
1770 +
1771 + #undef MODULE_PARAM_PREFIX
1772 + #define MODULE_PARAM_PREFIX "mtrr."
1773 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
1774 +--- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
1775 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
1776 +@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
1777 + return NOTIFY_STOP;
1778 + local_irq_disable();
1779 +
1780 +- if (!user_mode_vm(regs)) {
1781 ++ if (!user_mode(regs)) {
1782 + crash_fixup_ss_esp(&fixed_regs, regs);
1783 + regs = &fixed_regs;
1784 + }
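Review bot: replacing `user_mode_vm(regs)` with `user_mode(regs)` in `crash_nmi_callback` changes behaviour for an NMI that lands while a task is in VM86 mode: `user_mode_vm()` also tests VM_MASK in `eflags`, whereas `user_mode()` looks only at the CS RPL, which carries no meaning for a real-mode segment value. Unless `user_mode()` is redefined elsewhere in this patch to cover the VM86 case, such a frame would be passed through `crash_fixup_ss_esp()` as if it were a kernel frame; the hunk gives no reason for the change, so either keep `user_mode_vm()` or document the new definition.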
1785 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
1786 +--- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
1787 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
1788 +@@ -11,17 +11,17 @@
1789 +
1790 + #define DOUBLEFAULT_STACKSIZE (1024)
1791 + static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
1792 +-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
1793 ++#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
1794 +
1795 + #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
1796 +
1797 + static void doublefault_fn(void)
1798 + {
1799 +- struct Xgt_desc_struct gdt_desc = {0, 0};
1800 ++ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
1801 + unsigned long gdt, tss;
1802 +
1803 + store_gdt(&gdt_desc);
1804 +- gdt = gdt_desc.address;
1805 ++ gdt = (unsigned long)gdt_desc.address;
1806 +
1807 + printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
1808 +
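Review bot: `STACK_START` now points two words below the end of `doublefault_stack` (`+DOUBLEFAULT_STACKSIZE-2`), and head.S later in the patch makes the matching change for the initial stack (`init_thread_union+THREAD_SIZE-8`), but neither site says what the reserved 8 bytes are for; a comment at both would stop the offset from being "fixed" back. The `{0, NULL, 0}` initializer and the `(unsigned long)gdt_desc.address` cast assume `struct Xgt_desc_struct` now has three members with a pointer-typed `address`; that header change is not in this hunk, so the `%08lx` format for `gdt` in the printk stays correct only together with it.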
1809 +@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
1810 + /* 0x2 bit is always set */
1811 + .eflags = X86_EFLAGS_SF | 0x2,
1812 + .esp = STACK_START,
1813 +- .es = __USER_DS,
1814 ++ .es = __KERNEL_DS,
1815 + .cs = __KERNEL_CS,
1816 + .ss = __KERNEL_DS,
1817 +- .ds = __USER_DS,
1818 ++ .ds = __KERNEL_DS,
1819 + .fs = __KERNEL_PERCPU,
1820 +
1821 + .__cr3 = __pa(swapper_pg_dir)
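Review bot: the doublefault TSS now loads `__KERNEL_DS` into `.es` and `.ds` unconditionally, while the `SAVE_ALL` change in entry.S selects `__KERNEL_DS` only under the PaX options and keeps `__USER_DS` otherwise; since the doublefault task never returns to user mode the unconditional form is fine here, but a short comment tying it to the segment policy in entry.S and head.S would make the asymmetry look deliberate rather than accidental.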
1822 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
1823 +--- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
1824 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
1825 +@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
1826 +
1827 + static unsigned long efi_rt_eflags;
1828 + static DEFINE_SPINLOCK(efi_rt_lock);
1829 +-static pgd_t efi_bak_pg_dir_pointer[2];
1830 ++static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
1831 +
1832 + static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
1833 + {
1834 +- unsigned long cr4;
1835 +- unsigned long temp;
1836 + struct Xgt_desc_struct gdt_descr;
1837 +
1838 + spin_lock(&efi_rt_lock);
1839 + local_irq_save(efi_rt_eflags);
1840 +
1841 +- /*
1842 +- * If I don't have PSE, I should just duplicate two entries in page
1843 +- * directory. If I have PSE, I just need to duplicate one entry in
1844 +- * page directory.
1845 +- */
1846 +- cr4 = read_cr4();
1847 +-
1848 +- if (cr4 & X86_CR4_PSE) {
1849 +- efi_bak_pg_dir_pointer[0].pgd =
1850 +- swapper_pg_dir[pgd_index(0)].pgd;
1851 +- swapper_pg_dir[0].pgd =
1852 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1853 +- } else {
1854 +- efi_bak_pg_dir_pointer[0].pgd =
1855 +- swapper_pg_dir[pgd_index(0)].pgd;
1856 +- efi_bak_pg_dir_pointer[1].pgd =
1857 +- swapper_pg_dir[pgd_index(0x400000)].pgd;
1858 +- swapper_pg_dir[pgd_index(0)].pgd =
1859 +- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
1860 +- temp = PAGE_OFFSET + 0x400000;
1861 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1862 +- swapper_pg_dir[pgd_index(temp)].pgd;
1863 +- }
1864 ++ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
1865 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
1866 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
1867 +
1868 + /*
1869 + * After the lock is released, the original page table is restored.
1870 + */
1871 +- local_flush_tlb();
1872 ++ __flush_tlb_all();
1873 +
1874 + gdt_descr.address = __pa(get_cpu_gdt_table(0));
1875 + gdt_descr.size = GDT_SIZE - 1;
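Review bot: `efi_bak_pg_dir_pointer` becomes `__initdata`, but `efi_call_phys_prelog()`, which fills it with `clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS)`, is not marked `__init`; this is only safe if every path into `efi_call_phys` is init-time (the `__init` on the `phys_efi_*` wrappers and the `__INIT` placement of the stub suggest that is the intent), otherwise a late call would write into freed memory, so mark prelog and epilog `__init` as well or state the invariant in a comment. Two smaller points: `__flush_tlb_all()` replaces `local_flush_tlb()` presumably because the cloned kernel PGD entries are global mappings that a plain CR3 reload does not flush, which deserves a comment; and `gdt_descr.address = __pa(get_cpu_gdt_table(0));` is left unchanged although the epilog below drops its `(unsigned long)` cast, implying `address` is now a pointer, so this assignment of an `unsigned long` will need a cast of its own.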
1876 +@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
1877 +
1878 + static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
1879 + {
1880 +- unsigned long cr4;
1881 + struct Xgt_desc_struct gdt_descr;
1882 +
1883 +- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
1884 ++ gdt_descr.address = get_cpu_gdt_table(0);
1885 + gdt_descr.size = GDT_SIZE - 1;
1886 + load_gdt(&gdt_descr);
1887 +-
1888 +- cr4 = read_cr4();
1889 +-
1890 +- if (cr4 & X86_CR4_PSE) {
1891 +- swapper_pg_dir[pgd_index(0)].pgd =
1892 +- efi_bak_pg_dir_pointer[0].pgd;
1893 +- } else {
1894 +- swapper_pg_dir[pgd_index(0)].pgd =
1895 +- efi_bak_pg_dir_pointer[0].pgd;
1896 +- swapper_pg_dir[pgd_index(0x400000)].pgd =
1897 +- efi_bak_pg_dir_pointer[1].pgd;
1898 +- }
1899 ++ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
1900 +
1901 + /*
1902 + * After the lock is released, the original page table is restored.
1903 + */
1904 +- local_flush_tlb();
1905 ++ __flush_tlb_all();
1906 +
1907 + local_irq_restore(efi_rt_eflags);
1908 + spin_unlock(&efi_rt_lock);
1909 + }
1910 +
1911 +-static efi_status_t
1912 ++static efi_status_t __init
1913 + phys_efi_set_virtual_address_map(unsigned long memory_map_size,
1914 + unsigned long descriptor_size,
1915 + u32 descriptor_version,
1916 +@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
1917 + return status;
1918 + }
1919 +
1920 +-static efi_status_t
1921 ++static efi_status_t __init
1922 + phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
1923 + {
1924 + efi_status_t status;
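Review bot: `phys_efi_get_time()` and `phys_efi_set_virtual_address_map()` become `__init`, which is only correct if nothing keeps a pointer to them after init memory is freed; in the 2.6.23 efi.c as I recall it, `efi.get_time` is pointed at `phys_efi_get_time` during `efi_init()` and switched to the virtual-mode implementation after `SetVirtualAddressMap` succeeds, so that switch must happen unconditionally (including on the error path) or a later `efi.get_time()` call lands in freed memory. That code is outside this hunk; please confirm.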
1925 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
1926 +--- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
1927 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
1928 +@@ -6,6 +6,7 @@
1929 + */
1930 +
1931 + #include <linux/linkage.h>
1932 ++#include <linux/init.h>
1933 + #include <asm/page.h>
1934 +
1935 + /*
1936 +@@ -20,7 +21,7 @@
1937 + * service functions will comply with gcc calling convention, too.
1938 + */
1939 +
1940 +-.text
1941 ++__INIT
1942 + ENTRY(efi_call_phys)
1943 + /*
1944 + * 0. The function can only be called in Linux kernel. So CS has been
1945 +@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
1946 + * The mapping of lower virtual memory has been created in prelog and
1947 + * epilog.
1948 + */
1949 +- movl $1f, %edx
1950 +- subl $__PAGE_OFFSET, %edx
1951 +- jmp *%edx
1952 ++ jmp 1f-__PAGE_OFFSET
1953 + 1:
1954 +
1955 + /*
1956 +@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
1957 + * parameter 2, ..., param n. To make things easy, we save the return
1958 + * address of efi_call_phys in a global variable.
1959 + */
1960 +- popl %edx
1961 +- movl %edx, saved_return_addr
1962 +- /* get the function pointer into ECX*/
1963 +- popl %ecx
1964 +- movl %ecx, efi_rt_function_ptr
1965 +- movl $2f, %edx
1966 +- subl $__PAGE_OFFSET, %edx
1967 +- pushl %edx
1968 ++ popl (saved_return_addr)
1969 ++ popl (efi_rt_function_ptr)
1970 +
1971 + /*
1972 + * 3. Clear PG bit in %CR0.
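Review bot: `popl (saved_return_addr)` and `popl (efi_rt_function_ptr)` execute after the direct `jmp 1f-__PAGE_OFFSET` in the previous hunk, i.e. at a physical EIP but with paging still enabled, so the absolute virtual data addresses resolve only because the prelog has already cloned the kernel PGD entries into the low range; the later `call *(efi_rt_function_ptr-__PAGE_OFFSET)` then uses the physical alias after PG has been cleared. The sequence is correct, but the dependency on the prelog's identity mapping and on the order "pops before the PG clear, physical-alias access after it" should be spelled out in the step comments, since the removed register-based version made that ordering visible in the code itself.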
1973 +@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
1974 + /*
1975 + * 5. Call the physical function.
1976 + */
1977 +- jmp *%ecx
1978 ++ call *(efi_rt_function_ptr-__PAGE_OFFSET)
1979 +
1980 +-2:
1981 + /*
1982 + * 6. After EFI runtime service returns, control will return to
1983 + * following instruction. We'd better readjust stack pointer first.
1984 +@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
1985 + movl %cr0, %edx
1986 + orl $0x80000000, %edx
1987 + movl %edx, %cr0
1988 +- jmp 1f
1989 +-1:
1990 ++
1991 + /*
1992 + * 8. Now restore the virtual mode from flat mode by
1993 + * adding EIP with PAGE_OFFSET.
1994 + */
1995 +- movl $1f, %edx
1996 +- jmp *%edx
1997 ++ jmp 1f+__PAGE_OFFSET
1998 + 1:
1999 +
2000 + /*
2001 + * 9. Balance the stack. And because EAX contain the return value,
2002 + * we'd better not clobber it.
2003 + */
2004 +- leal efi_rt_function_ptr, %edx
2005 +- movl (%edx), %ecx
2006 +- pushl %ecx
2007 ++ pushl (efi_rt_function_ptr)
2008 +
2009 + /*
2010 +- * 10. Push the saved return address onto the stack and return.
2011 ++ * 10. Return to the saved return address.
2012 + */
2013 +- leal saved_return_addr, %edx
2014 +- movl (%edx), %ecx
2015 +- pushl %ecx
2016 +- ret
2017 ++ jmpl *(saved_return_addr)
2018 + .previous
2019 +
2020 +-.data
2021 ++__INITDATA
2022 + saved_return_addr:
2023 + .long 0
2024 + efi_rt_function_ptr:
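Review bot: the `jmp 1f` / `1:` pair that followed `movl %edx, %cr0` is removed, so the `jmp 1f+__PAGE_OFFSET` a few lines later is the only jump after paging is re-enabled and now doubles as the serializing jump; a comment saying so would stop someone from re-adding the old pair or separating the two. `pushl (efi_rt_function_ptr)` followed by `jmpl *(saved_return_addr)` replaces the push-and-`ret` sequence: the push restores the function-pointer argument slot that the C caller will clean up, and the indirect jump returns to the saved address, which is equivalent to the old code; noting in step 9 that the slot is restored for the caller's stack cleanup, not for use, would clarify it. The move to `__INIT`/`__INITDATA` is consistent with the `__init` annotations in efi.c.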
2025 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
2026 +--- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
2027 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
2028 +@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
2029 + #define resume_userspace_sig resume_userspace
2030 + #endif
2031 +
2032 +-#define SAVE_ALL \
2033 ++#define __SAVE_ALL(_DS) \
2034 + cld; \
2035 + pushl %fs; \
2036 + CFI_ADJUST_CFA_OFFSET 4;\
2037 +@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
2038 + pushl %ebx; \
2039 + CFI_ADJUST_CFA_OFFSET 4;\
2040 + CFI_REL_OFFSET ebx, 0;\
2041 +- movl $(__USER_DS), %edx; \
2042 ++ movl $(_DS), %edx; \
2043 + movl %edx, %ds; \
2044 + movl %edx, %es; \
2045 + movl $(__KERNEL_PERCPU), %edx; \
2046 + movl %edx, %fs
2047 +
2048 ++#ifdef CONFIG_PAX_KERNEXEC
2049 ++#define SAVE_ALL \
2050 ++ __SAVE_ALL(__KERNEL_DS); \
2051 ++ GET_CR0_INTO_EDX; \
2052 ++ movl %edx, %esi; \
2053 ++ orl $X86_CR0_WP, %edx; \
2054 ++ xorl %edx, %esi; \
2055 ++ SET_CR0_FROM_EDX
2056 ++#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2057 ++#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
2058 ++#else
2059 ++#define SAVE_ALL __SAVE_ALL(__USER_DS)
2060 ++#endif
2061 ++
2062 + #define RESTORE_INT_REGS \
2063 + popl %ebx; \
2064 + CFI_ADJUST_CFA_OFFSET -4;\
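Review bot: the CONFIG_PAX_KERNEXEC `SAVE_ALL` keeps the CR0.WP delta in `%esi` (`movl %edx, %esi; orl $X86_CR0_WP, %edx; xorl %edx, %esi`) and the exit paths rely on `xorl %esi, %edx` to undo it, so every instruction between `SAVE_ALL` and that restore must preserve `%esi`; C handlers do (it is callee-saved in the i386 ABI), but any assembly inserted in between would silently break the restore, and that contract belongs in a comment on the macro. `GET_CR0_INTO_EDX` and `SET_CR0_FROM_EDX` are not defined in any hunk shown here, so their definitions (and whether they clobber anything besides `%edx`) need checking. The `#elif` variants switch kernel-mode DS/ES to `__KERNEL_DS`, which is why the sysexit path later in this file has to reload `%ds`/`%es` from `PT_DS`/`PT_ES`; `RESTORE_REGS` already pops them, the fast path did not, so the two hunks depend on each other.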
2065 +@@ -248,7 +262,17 @@ check_userspace:
2066 + movb PT_CS(%esp), %al
2067 + andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
2068 + cmpl $USER_RPL, %eax
2069 ++
2070 ++#ifdef CONFIG_PAX_KERNEXEC
2071 ++ jae resume_userspace
2072 ++
2073 ++ GET_CR0_INTO_EDX
2074 ++ xorl %esi, %edx
2075 ++ SET_CR0_FROM_EDX
2076 ++ jmp resume_kernel
2077 ++#else
2078 + jb resume_kernel # not returning to v8086 or userspace
2079 ++#endif
2080 +
2081 + ENTRY(resume_userspace)
2082 + DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
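Review bot: under CONFIG_PAX_KERNEXEC the CR0 restore (`GET_CR0_INTO_EDX; xorl %esi, %edx; SET_CR0_FROM_EDX`) runs only on the `resume_kernel` side, while a return to user space via `jae resume_userspace` leaves CR0.WP set; that is the intended steady state for user mode (WP was already set when the kernel was entered from user space, so `%esi` is zero on that path), but the asymmetry is not obvious from the code and deserves a comment, as does the inversion of the original `jb resume_kernel` into `jae resume_userspace` plus `jmp resume_kernel`.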
2083 +@@ -307,10 +331,9 @@ sysenter_past_esp:
2084 + /*CFI_REL_OFFSET cs, 0*/
2085 + /*
2086 + * Push current_thread_info()->sysenter_return to the stack.
2087 +- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
2088 +- * pushed above; +8 corresponds to copy_thread's esp0 setting.
2089 + */
2090 +- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
2091 ++ GET_THREAD_INFO(%ebp)
2092 ++ pushl TI_sysenter_return(%ebp)
2093 + CFI_ADJUST_CFA_OFFSET 4
2094 + CFI_REL_OFFSET eip, 0
2095 +
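Review bot: `GET_THREAD_INFO(%ebp)` followed by `pushl TI_sysenter_return(%ebp)` removes the fragile `-THREAD_SIZE+8+4*4` stack arithmetic, but it clobbers `%ebp`, which at this point still holds the user stack pointer needed for the sixth-argument load in the next hunk; that hunk compensates with `movl 12(%esp),%ebp` (the user `%esp` pushed as OLDESP in this frame), so the two hunks are correct only together. A comment at the reload saying that 12(%esp) is the saved user stack pointer would make the dependency explicit.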
2096 +@@ -318,9 +341,17 @@ sysenter_past_esp:
2097 + * Load the potential sixth argument from user stack.
2098 + * Careful about security.
2099 + */
2100 ++ movl 12(%esp),%ebp
2101 ++
2102 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2103 ++ mov 16(%esp),%ds
2104 ++1: movl %ds:(%ebp),%ebp
2105 ++#else
2106 + cmpl $__PAGE_OFFSET-3,%ebp
2107 + jae syscall_fault
2108 + 1: movl (%ebp),%ebp
2109 ++#endif
2110 ++
2111 + .section __ex_table,"a"
2112 + .align 4
2113 + .long 1b,syscall_fault
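Review bot: with CONFIG_PAX_MEMORY_UDEREF the explicit `cmpl $__PAGE_OFFSET-3,%ebp; jae syscall_fault` range check is replaced by loading `%ds` with the user data selector pushed as SS (`mov 16(%esp),%ds`) and dereferencing through it (`movl %ds:(%ebp),%ebp`), so the bound is enforced by the user segment's limit and a violation raises #GP, which reaches `syscall_fault` through the existing `__ex_table` entry for label `1`. That relies on the kernel's #GP handler applying exception-table fixups for kernel-mode faults (it does) and on `%ds` being reloaded by `SAVE_ALL` before any kernel data access (it is); the comment "Careful about security" should be extended to say that the segment limit is the check in the UDEREF case.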
2114 +@@ -343,20 +374,37 @@ sysenter_past_esp:
2115 + movl TI_flags(%ebp), %ecx
2116 + testw $_TIF_ALLWORK_MASK, %cx
2117 + jne syscall_exit_work
2118 ++
2119 ++#ifdef CONFIG_PAX_RANDKSTACK
2120 ++ pushl %eax
2121 ++ CFI_ADJUST_CFA_OFFSET 4
2122 ++ call pax_randomize_kstack
2123 ++ popl %eax
2124 ++ CFI_ADJUST_CFA_OFFSET -4
2125 ++#endif
2126 ++
2127 + /* if something modifies registers it must also disable sysexit */
2128 + movl PT_EIP(%esp), %edx
2129 + movl PT_OLDESP(%esp), %ecx
2130 + xorl %ebp,%ebp
2131 + TRACE_IRQS_ON
2132 + 1: mov PT_FS(%esp), %fs
2133 ++2: mov PT_DS(%esp), %ds
2134 ++3: mov PT_ES(%esp), %es
2135 + ENABLE_INTERRUPTS_SYSEXIT
2136 + CFI_ENDPROC
2137 + .pushsection .fixup,"ax"
2138 +-2: movl $0,PT_FS(%esp)
2139 ++4: movl $0,PT_FS(%esp)
2140 + jmp 1b
2141 ++5: movl $0,PT_DS(%esp)
2142 ++ jmp 2b
2143 ++6: movl $0,PT_ES(%esp)
2144 ++ jmp 3b
2145 + .section __ex_table,"a"
2146 + .align 4
2147 +- .long 1b,2b
2148 ++ .long 1b,4b
2149 ++ .long 2b,5b
2150 ++ .long 3b,6b
2151 + .popsection
2152 + ENDPROC(sysenter_entry)
2153 +
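Review bot: the CONFIG_PAX_RANDKSTACK call is wrapped in `pushl %eax` / `popl %eax` here but not at the `restore_all` site below; the difference is that the sysenter fast path hands the syscall result to `sysexit` in the live `%eax`, whereas the `restore_all` path reloads every register from `pt_regs`, so the asymmetry is correct but worth a comment at both call sites, together with the requirement that `pax_randomize_kstack` preserve `%ebp` (the thread_info pointer), which an ordinary C function satisfies. The `mov PT_DS(%esp),%ds` / `mov PT_ES(%esp),%es` reloads and their `.fixup` entries are consistent: each fixup zeroes the slot and retries the load, and the renumbering of the old `2:` fixup to `4:` is reflected in `.long 1b,4b`.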
2154 +@@ -389,6 +437,10 @@ no_singlestep:
2155 + testw $_TIF_ALLWORK_MASK, %cx # current->work
2156 + jne syscall_exit_work
2157 +
2158 ++#ifdef CONFIG_PAX_RANDKSTACK
2159 ++ call pax_randomize_kstack
2160 ++#endif
2161 ++
2162 + restore_all:
2163 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
2164 + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
2165 +@@ -552,17 +604,24 @@ syscall_badsys:
2166 + END(syscall_badsys)
2167 + CFI_ENDPROC
2168 +
2169 +-#define FIXUP_ESPFIX_STACK \
2170 +- /* since we are on a wrong stack, we cant make it a C code :( */ \
2171 +- PER_CPU(gdt_page, %ebx); \
2172 +- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
2173 +- addl %esp, %eax; \
2174 +- pushl $__KERNEL_DS; \
2175 +- CFI_ADJUST_CFA_OFFSET 4; \
2176 +- pushl %eax; \
2177 +- CFI_ADJUST_CFA_OFFSET 4; \
2178 +- lss (%esp), %esp; \
2179 ++.macro FIXUP_ESPFIX_STACK
2180 ++ /* since we are on a wrong stack, we cant make it a C code :( */
2181 ++#ifdef CONFIG_SMP
2182 ++ movl PER_CPU_VAR(cpu_number), %ebx;
2183 ++ shll $PAGE_SHIFT_asm, %ebx;
2184 ++ addl $cpu_gdt_table, %ebx;
2185 ++#else
2186 ++ movl $cpu_gdt_table, %ebx;
2187 ++#endif
2188 ++ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
2189 ++ addl %esp, %eax;
2190 ++ pushl $__KERNEL_DS;
2191 ++ CFI_ADJUST_CFA_OFFSET 4;
2192 ++ pushl %eax;
2193 ++ CFI_ADJUST_CFA_OFFSET 4;
2194 ++ lss (%esp), %esp;
2195 + CFI_ADJUST_CFA_OFFSET -8;
2196 ++.endm
2197 + #define UNWIND_ESPFIX_STACK \
2198 + movl %ss, %eax; \
2199 + /* see if on espfix stack */ \
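Review bot: the `.macro FIXUP_ESPFIX_STACK` conversion locates the current CPU's GDT with `movl PER_CPU_VAR(cpu_number), %ebx; shll $PAGE_SHIFT_asm, %ebx; addl $cpu_gdt_table, %ebx`, which hard-codes one page per CPU GDT in `cpu_gdt_table`; that layout must match the definition of `cpu_gdt_table` (not in the hunks shown) and should be stated next to both. The trailing `;` on each macro line is a leftover from the `#define` form; it is harmless but can be dropped now that the body is no longer a single macro expansion.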
2200 +@@ -579,7 +638,7 @@ END(syscall_badsys)
2201 + * Build the entry stubs and pointer table with
2202 + * some assembler magic.
2203 + */
2204 +-.data
2205 ++.section .rodata,"a",@progbits
2206 + ENTRY(interrupt)
2207 + .text
2208 +
2209 +@@ -679,12 +738,21 @@ error_code:
2210 + popl %ecx
2211 + CFI_ADJUST_CFA_OFFSET -4
2212 + /*CFI_REGISTER es, ecx*/
2213 ++
2214 ++#ifdef CONFIG_PAX_KERNEXEC
2215 ++ GET_CR0_INTO_EDX
2216 ++ movl %edx, %esi
2217 ++ orl $X86_CR0_WP, %edx
2218 ++ xorl %edx, %esi
2219 ++ SET_CR0_FROM_EDX
2220 ++#endif
2221 ++
2222 + movl PT_FS(%esp), %edi # get the function address
2223 + movl PT_ORIG_EAX(%esp), %edx # get the error code
2224 + movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
2225 + mov %ecx, PT_FS(%esp)
2226 + /*CFI_REL_OFFSET fs, ES*/
2227 +- movl $(__USER_DS), %ecx
2228 ++ movl $(__KERNEL_DS), %ecx
2229 + movl %ecx, %ds
2230 + movl %ecx, %es
2231 + movl %esp,%eax # pt_regs pointer
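Review bot: `error_code` repeats the CR0.WP save sequence from the KERNEXEC `SAVE_ALL` verbatim (`GET_CR0_INTO_EDX; movl %edx, %esi; orl $X86_CR0_WP, %edx; xorl %edx, %esi; SET_CR0_FROM_EDX`) because this path does its own register saving; factoring it into a macro shared with `SAVE_ALL` would keep the two from drifting apart. Note also that `movl $(__KERNEL_DS), %ecx` here is unconditional, whereas `SAVE_ALL` keeps `__USER_DS` in the non-PaX build; it is harmless because `RESTORE_REGS` reloads `%ds`/`%es` from the frame, but the asymmetry should either be documented or put under the same `#if`.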
2232 +@@ -818,6 +886,13 @@ nmi_stack_correct:
2233 + xorl %edx,%edx # zero error code
2234 + movl %esp,%eax # pt_regs pointer
2235 + call do_nmi
2236 ++
2237 ++#ifdef CONFIG_PAX_KERNEXEC
2238 ++ GET_CR0_INTO_EDX
2239 ++ xorl %esi, %edx
2240 ++ SET_CR0_FROM_EDX
2241 ++#endif
2242 ++
2243 + jmp restore_nocheck_notrace
2244 + CFI_ENDPROC
2245 +
2246 +@@ -858,6 +933,13 @@ nmi_espfix_stack:
2247 + FIXUP_ESPFIX_STACK # %eax == %esp
2248 + xorl %edx,%edx # zero error code
2249 + call do_nmi
2250 ++
2251 ++#ifdef CONFIG_PAX_KERNEXEC
2252 ++ GET_CR0_INTO_EDX
2253 ++ xorl %esi, %edx
2254 ++ SET_CR0_FROM_EDX
2255 ++#endif
2256 ++
2257 + RESTORE_REGS
2258 + lss 12+4(%esp), %esp # back to espfix stack
2259 + CFI_ADJUST_CFA_OFFSET -24
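Review bot: both NMI paths restore CR0 explicitly after `call do_nmi` because they exit through `restore_nocheck_notrace` and never pass `check_userspace`, where the KERNEXEC restore otherwise lives; this is the right place, but it depends on `%esi` surviving from `SAVE_ALL` through `FIXUP_ESPFIX_STACK` in the espfix variant, which clobbers `%ebx` and `%eax` but not `%esi`, so the macro's register usage is now part of this contract and should be noted there. An NMI that interrupts another entry path between its `GET_CR0_INTO_EDX` and `SET_CR0_FROM_EDX` is still fine, since the NMI's own save/restore pair returns CR0 to the interrupted value before that path completes its own write.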
2260 +@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
2261 +
2262 + #endif /* CONFIG_XEN */
2263 +
2264 +-.section .rodata,"a"
2265 + #include "syscall_table.S"
2266 +
2267 + syscall_table_size=(.-sys_call_table)
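Review bot: dropping `.section .rodata,"a"` before `#include "syscall_table.S"` leaves `sys_call_table` in whatever section is current at that point, which is `.text` after the Xen block, unless syscall_table.S now carries its own section directive; together with `ENTRY(interrupt)` moving to `.section .rodata,"a",@progbits` earlier in the file the intent is clearly to keep both pointer tables read-only, so please confirm where the syscall table actually ends up and that `syscall_table_size=(.-sys_call_table)` still measures only the table.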
2268 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
2269 +--- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
2270 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
2271 +@@ -18,6 +18,7 @@
2272 + #include <asm/thread_info.h>
2273 + #include <asm/asm-offsets.h>
2274 + #include <asm/setup.h>
2275 ++#include <asm/msr-index.h>
2276 +
2277 + /*
2278 + * References to members of the new_cpu_data structure.
2279 +@@ -51,17 +52,22 @@
2280 + */
2281 + LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
2282 +
2283 +-#if PTRS_PER_PMD > 1
2284 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
2285 +-#else
2286 +-PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
2287 +-#endif
2288 ++PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
2289 + BOOTBITMAP_SIZE = LOW_PAGES / 8
2290 + ALLOCATOR_SLOP = 4
2291 +
2292 + INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
2293 +
2294 + /*
2295 ++ * Real beginning of normal "text" segment
2296 ++ */
2297 ++ENTRY(stext)
2298 ++ENTRY(_stext)
2299 ++
2300 ++.section .text.startup,"ax",@progbits
2301 ++ ljmp $(__BOOT_CS),$phys_startup_32
2302 ++
2303 ++/*
2304 + * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
2305 + * %esi points to the real-mode code as a 32-bit pointer.
2306 + * CS and DS must be 4 GB flat segments, but we don't depend on
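Review bot: `PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)` drops the `+ PTRS_PER_PGD` term that the PAE branch used to reserve for page-middle directories; that is consistent with the later hunk that allocates `swapper_pm_dir` statically in its own section, but the relationship should be noted here so that nobody reinstates the term. The new `.section .text.startup` with `ljmp $(__BOOT_CS),$phys_startup_32` introduces an entry trampoline and moves `ENTRY(stext)`/`ENTRY(_stext)` ahead of it; both need matching linker-script changes (a definition of `phys_startup_32` and placement of `.text.startup` at the entry address) that are not in this file.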
2307 +@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
2308 + * can.
2309 + */
2310 + .section .text.head,"ax",@progbits
2311 ++
2312 ++#ifdef CONFIG_PAX_KERNEXEC
2313 ++/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
2314 ++.fill 4096,1,0xcc
2315 ++#endif
2316 ++
2317 + ENTRY(startup_32)
2318 +
2319 + /*
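Review bot: the `.fill 4096,1,0xcc` under CONFIG_PAX_KERNEXEC makes the first page of the kernel code segment a run of `int3`, so an indirect call through a null or near-null function pointer traps instead of executing whatever happens to be mapped there; that only works because the later KERNEXEC hunk in `startup_32` sets the base of `__KERNEL_CS` to `KERNEL_TEXT_OFFSET`, so that offset 0 in CS lands on this page. The comment should name that dependency and note that the trap covers only offsets below 4096.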
2320 +@@ -82,6 +94,43 @@ ENTRY(startup_32)
2321 + movl %eax,%fs
2322 + movl %eax,%gs
2323 +
2324 ++ movl $__per_cpu_start,%eax
2325 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
2326 ++ rorl $16,%eax
2327 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
2328 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
2329 ++ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
2330 ++ subl $__per_cpu_start,%eax
2331 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
2332 ++
2333 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
2334 ++ /* check for VMware */
2335 ++ movl $0x564d5868,%eax
2336 ++ xorl %ebx,%ebx
2337 ++ movl $0xa,%ecx
2338 ++ movl $0x5658,%edx
2339 ++ in (%dx),%eax
2340 ++ cmpl $0x564d5868,%ebx
2341 ++ jz 1f
2342 ++
2343 ++ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
2344 ++ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
2345 ++1:
2346 ++#endif
2347 ++
2348 ++#ifdef CONFIG_PAX_KERNEXEC
2349 ++ movl $KERNEL_TEXT_OFFSET,%eax
2350 ++ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
2351 ++ rorl $16,%eax
2352 ++ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
2353 ++ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
2354 ++
2355 ++ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
2356 ++ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
2357 ++ rorl $16,%eax
2358 ++ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
2359 ++#endif
2360 ++
2361 + /*
2362 + * Clear BSS first so that there are no surprises...
2363 + * No need to cld as DF is already clear from cld above...
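Review bot: the boot-time descriptor patching writes the `__KERNEL_PERCPU` base through bytes +2, +4 and +7 but the limit only through `movw %ax,(... + 0)`, i.e. its low 16 bits; limit bits 19:16 at byte +6 and the granularity bit are inherited from the static `cpu_gdt_table` entry, so that template must have a granularity and high limit consistent with `__per_cpu_end + PERCPU_MODULE_RESERVE - __per_cpu_start`, which this hunk cannot show. Under CONFIG_PAX_MEMORY_UDEREF, `0x00c09700` with the limit nibble taken from `(__PAGE_OFFSET-1) & 0xf0000000` builds an expand-down, page-granular, writable data descriptor whose valid offsets begin at `__PAGE_OFFSET`, so kernel-mode accesses through `%ds` to user addresses fault; the VMware check that skips this (`in (%dx),%eax` on port 0x5658 with the 0x564d5868 magic) carries no comment on why the hypervisor needs the exception, and the magic numbers deserve symbolic names. The KERNEXEC block rebases `__KERNEL_CS` and `__BOOT_CS` to `KERNEL_TEXT_OFFSET`, which pairs with the `int3` fill above; say so in the comment.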
2364 +@@ -129,24 +178,42 @@ ENTRY(startup_32)
2365 + * Warning: don't use %esi or the stack in this code. However, %esp
2366 + * can be used as a GPR if you really need it...
2367 + */
2368 +-page_pde_offset = (__PAGE_OFFSET >> 20);
2369 +-
2370 ++#ifdef CONFIG_X86_PAE
2371 ++page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2372 ++#else
2373 ++page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
2374 ++#endif
2375 + movl $(pg0 - __PAGE_OFFSET), %edi
2376 ++#ifdef CONFIG_X86_PAE
2377 ++ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
2378 ++#else
2379 + movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2380 +- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2381 ++#endif
2382 ++ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
2383 + 10:
2384 +- leal 0x007(%edi),%ecx /* Create PDE entry */
2385 ++ leal 0x063(%edi),%ecx /* Create PDE entry */
2386 + movl %ecx,(%edx) /* Store identity PDE entry */
2387 + movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
2388 ++#ifdef CONFIG_X86_PAE
2389 ++ movl $0,4(%edx)
2390 ++ movl $0,page_pde_offset+4(%edx)
2391 ++ addl $8,%edx
2392 ++ movl $512, %ecx
2393 ++#else
2394 + addl $4,%edx
2395 + movl $1024, %ecx
2396 ++#endif
2397 + 11:
2398 + stosl
2399 ++#ifdef CONFIG_X86_PAE
2400 ++ movl $0,(%edi)
2401 ++ addl $4,%edi
2402 ++#endif
2403 + addl $0x1000,%eax
2404 + loop 11b
2405 + /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
2406 +- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
2407 +- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
2408 ++ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
2409 ++ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
2410 + cmpl %ebp,%eax
2411 + jb 10b
2412 + movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
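Review bot: the early page-table attributes change from 0x007 (PRESENT+RW+USER) to 0x063 (PRESENT+RW+ACCESSED+DIRTY), which drops the USER bit so that user mode cannot reach low memory through the identity and kernel mappings, and pre-sets ACCESSED/DIRTY so the CPU never has to write these entries back, which matters once `swapper_pg_dir` lives in the allocatable-only `.swapper_pg_dir` section introduced later in the patch; the `0x063 = ...` comments record the bits but not this rationale, and it belongs in the block comment above the loop. In the PAE branch `stosl` is followed by `movl $0,(%edi); addl $4,%edi` to clear the upper dword of each 8-byte PTE, `movl $0,4(%edx)` does the same for the PDE, and `%ecx` is set to 512 entries per page; that is consistent with `%edx` pointing at `swapper_pm_dir`, so the loop comment should say that under PAE the PDEs go into the PMD pages, not into `swapper_pg_dir`.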
2413 +@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
2414 + #endif
2415 +
2416 + /* Do an early initialization of the fixmap area */
2417 +- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
2418 +- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
2419 +- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
2420 +- movl %eax, 4092(%edx)
2421 ++ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
2422 ++#ifdef CONFIG_X86_PAE
2423 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
2424 ++#else
2425 ++ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
2426 ++#endif
2427 +
2428 + #ifdef CONFIG_SMP
2429 + ENTRY(startup_32_smp)
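Review bot: the fixmap entry keeps the USER bit (`0x067 = PRESENT+RW+USER+ACCESSED+DIRTY`) while the previous hunk strips it from every other early mapping (0x063); that is needed because the fixmap area holds user-visible pages such as the vDSO, whose access rights are then governed by the PTEs, but the comment only lists the bits, so state why USER stays here. The PAE variant writes the pointer to `swapper_pm_dir - __PAGE_OFFSET + 4096 - 8`, the last entry of the first PMD page; since the PDPTEs later in the patch map the four pages of `swapper_pm_dir` linearly (`swapper_pm_dir+512*8`, `+512*16`, `+512*24`) and `page_pde_offset` under PAE is `(__PAGE_OFFSET >> 21) * 8`, the top of the 4 GiB address space where the fixmap lives would fall in the fourth page, at offset `4*4096 - 8`; please confirm which entry is intended before this is merged.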
2430 +@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
2431 + movl %eax,%fs
2432 + movl %eax,%gs
2433 +
2434 ++ /* This is a secondary processor (AP) */
2435 ++ xorl %ebx,%ebx
2436 ++ incl %ebx
2437 ++#endif /* CONFIG_SMP */
2438 ++
2439 + /*
2440 + * New page tables may be in 4Mbyte page mode and may
2441 + * be using the global pages.
2442 +@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
2443 + * not yet offset PAGE_OFFSET..
2444 + */
2445 + #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
2446 ++3:
2447 + movl cr4_bits,%edx
2448 + andl %edx,%edx
2449 +- jz 6f
2450 ++ jz 5f
2451 + movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
2452 + orl %edx,%eax
2453 + movl %eax,%cr4
2454 +
2455 +- btl $5, %eax # check if PAE is enabled
2456 +- jnc 6f
2457 ++#ifdef CONFIG_X86_PAE
2458 ++ movl %ebx,%edi
2459 +
2460 + /* Check if extended functions are implemented */
2461 + movl $0x80000000, %eax
2462 + cpuid
2463 + cmpl $0x80000000, %eax
2464 +- jbe 6f
2465 ++ jbe 4f
2466 + mov $0x80000001, %eax
2467 + cpuid
2468 + /* Execute Disable bit supported? */
2469 + btl $20, %edx
2470 +- jnc 6f
2471 ++ jnc 4f
2472 +
2473 + /* Setup EFER (Extended Feature Enable Register) */
2474 +- movl $0xc0000080, %ecx
2475 ++ movl $MSR_EFER, %ecx
2476 + rdmsr
2477 +
2478 + btsl $11, %eax
2479 + /* Make changes effective */
2480 + wrmsr
2481 +
2482 +-6:
2483 +- /* This is a secondary processor (AP) */
2484 +- xorl %ebx,%ebx
2485 +- incl %ebx
2486 ++ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
2487 ++ movl $1,nx_enabled-__PAGE_OFFSET
2488 +
2489 +-#endif /* CONFIG_SMP */
2490 +-3:
2491 ++#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
2492 ++ movl $0,disable_x86_sep-__PAGE_OFFSET
2493 ++#endif
2494 ++
2495 ++4:
2496 ++ movl %edi,%ebx
2497 ++#endif
2498 ++5:
2499 +
2500 + /*
2501 + * Enable paging
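Review bot: the PAE/NX block runs on the boot CPU and on every AP and now writes `__supported_pte_mask`, `nx_enabled` and, when no PaX option is set, `disable_x86_sep` from assembly before any C code; the writes are idempotent on a homogeneous system, but on a mixed one the last CPU's verdict wins silently. `disable_x86_sep` is cleared here under `!SEGMEXEC && !KERNEXEC && !UDEREF`, while common.c earlier in the patch defaults it to 1 under a condition that also includes CONFIG_PAX_PAGEEXEC, so a PAGEEXEC-only kernel on an NX-capable CPU ends up with SEP re-enabled from head.S; if that is intentional it needs a comment in both places. `movl %ebx,%edi` / `movl %edi,%ebx` correctly preserves the AP flag across `cpuid`, which clobbers `%ebx`; say so in a comment, since `%edi` is otherwise unused here.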
2502 +@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
2503 +
2504 + #ifdef CONFIG_SMP
2505 + andl %ebx,%ebx
2506 +- jz 1f /* Initial CPU cleans BSS */
2507 +- jmp checkCPUtype
2508 +-1:
2509 ++ jnz checkCPUtype /* Initial CPU cleans BSS */
2510 + #endif /* CONFIG_SMP */
2511 +
2512 + /*
2513 +@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
2514 + ljmp $(__KERNEL_CS),$1f
2515 + 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
2516 + movl %eax,%ss # after changing gdt.
2517 +- movl %eax,%fs # gets reset once there's real percpu
2518 +-
2519 +- movl $(__USER_DS),%eax # DS/ES contains default USER segment
2520 + movl %eax,%ds
2521 + movl %eax,%es
2522 +
2523 ++ movl $(__KERNEL_PERCPU), %eax
2524 ++ movl %eax,%fs # set this cpu's percpu
2525 ++
2526 + xorl %eax,%eax # Clear GS and LDT
2527 + movl %eax,%gs
2528 + lldt %ax
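Review bot: the boot CPU now loads `__KERNEL_DS` into `%ds`/`%es` and `__KERNEL_PERCPU` into `%fs` directly, removing the `__USER_DS` default and the "gets reset once there's real percpu" interim; this is consistent with the per-cpu descriptor being filled in at the top of `startup_32`, and the SMP hunk below relies on it to turn the first-CPU check into a plain `jne initialize_secondary`. As in doublefault.c, the `__KERNEL_DS` choice is unconditional here while `SAVE_ALL` in entry.S makes it depend on the PaX options; a comment pointing at that policy would help.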
2529 +@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
2530 + movb ready, %cl
2531 + movb $1, ready
2532 + cmpb $0,%cl # the first CPU calls start_kernel
2533 +- je 1f
2534 +- movl $(__KERNEL_PERCPU), %eax
2535 +- movl %eax,%fs # set this cpu's percpu
2536 +- jmp initialize_secondary # all other CPUs call initialize_secondary
2537 +-1:
2538 ++ jne initialize_secondary # all other CPUs call initialize_secondary
2539 + #endif /* CONFIG_SMP */
2540 + jmp start_kernel
2541 +
2542 +@@ -441,8 +514,8 @@ early_page_fault:
2543 + jmp early_fault
2544 +
2545 + early_fault:
2546 +- cld
2547 + #ifdef CONFIG_PRINTK
2548 ++ cld
2549 + movl $(__KERNEL_DS),%eax
2550 + movl %eax,%ds
2551 + movl %eax,%es
2552 +@@ -466,8 +539,8 @@ hlt_loop:
2553 + /* This is the default interrupt "handler" :-) */
2554 + ALIGN
2555 + ignore_int:
2556 +- cld
2557 + #ifdef CONFIG_PRINTK
2558 ++ cld
2559 + pushl %eax
2560 + pushl %ecx
2561 + pushl %edx
2562 +@@ -498,31 +571,58 @@ ignore_int:
2563 + #endif
2564 + iret
2565 +
2566 +-.section .text
2567 +-/*
2568 +- * Real beginning of normal "text" segment
2569 +- */
2570 +-ENTRY(stext)
2571 +-ENTRY(_stext)
2572 +-
2573 + /*
2574 + * BSS section
2575 + */
2576 +-.section ".bss.page_aligned","wa"
2577 ++.section .swapper_pg_dir,"a",@progbits
2578 + .align PAGE_SIZE_asm
2579 + ENTRY(swapper_pg_dir)
2580 ++#ifdef CONFIG_X86_PAE
2581 ++ .long swapper_pm_dir-__PAGE_OFFSET+1
2582 ++ .long 0
2583 ++ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
2584 ++ .long 0
2585 ++ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
2586 ++ .long 0
2587 ++ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
2588 ++ .long 0
2589 ++#else
2590 + .fill 1024,4,0
2591 ++#endif
2592 ++
2593 ++.section .swapper_pm_dir,"a",@progbits
2594 ++#ifdef CONFIG_X86_PAE
2595 ++ENTRY(swapper_pm_dir)
2596 ++ .fill 512,8,0
2597 ++ .fill 512,8,0
2598 ++ .fill 512,8,0
2599 ++ .fill 512,8,0
2600 ++#endif
2601 ++
2602 + ENTRY(swapper_pg_pmd)
2603 + .fill 1024,4,0
2604 ++
2605 ++.section .empty_zero_page,"a",@progbits
2606 + ENTRY(empty_zero_page)
2607 + .fill 4096,1,0
2608 +
2609 + /*
2610 ++ * The IDT has to be page-aligned to simplify the Pentium
2611 ++ * F0 0F bug workaround.. We have a special link segment
2612 ++ * for this.
2613 ++ */
2614 ++.section .idt,"a",@progbits
2615 ++ENTRY(idt_table)
2616 ++ .fill 256,8,0
2617 ++
2618 ++/*
2619 + * This starts the data section.
2620 + */
2621 + .data
2622 ++
2623 ++.section .rodata,"a",@progbits
2624 + ENTRY(stack_start)
2625 +- .long init_thread_union+THREAD_SIZE
2626 ++ .long init_thread_union+THREAD_SIZE-8
2627 + .long __BOOT_DS
2628 +
2629 + ready: .byte 0
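Review bot: `ready: .byte 0` now lands in `.rodata`: the new `.section .rodata,"a",@progbits` placed before `stack_start` is never switched back before `ready`, yet `ready` is written by `movb $1, ready` in the startup path by every CPU that boots. Move `ready` back into a writable section; the `.data` directive two lines above is now a no-op (the `.section .rodata` immediately overrides it) and the "This starts the data section" comment is wrong as a result. The `-8` on `stack_start` matches the `- 8` in process.c copy_thread() and the `- 2` (u32 words) in irq.c, so a shared named constant would keep those sites in sync.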
2630 +@@ -565,7 +665,7 @@ idt_descr:
2631 + .word 0 # 32 bit align gdt_desc.address
2632 + ENTRY(early_gdt_descr)
2633 + .word GDT_ENTRIES*8-1
2634 +- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
2635 ++ .long cpu_gdt_table /* Overwritten for secondary CPUs */
2636 +
2637 + /*
2638 + * The boot_gdt must mirror the equivalent in setup.S and is
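Review bot: early_gdt_descr now points at the static `cpu_gdt_table` (defined in the next hunk) instead of `per_cpu__gdt_page`; the "Overwritten for secondary CPUs" comment remains true only if the secondary path computes its table as `cpu_gdt_table` plus a PAGE_SIZE_asm multiple, which in turn depends on the padding in that hunk being exactly one page per CPU (see the note there).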
2639 +@@ -574,5 +674,61 @@ ENTRY(early_gdt_descr)
2640 + .align L1_CACHE_BYTES
2641 + ENTRY(boot_gdt)
2642 + .fill GDT_ENTRY_BOOT_CS,8,0
2643 +- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
2644 +- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
2645 ++ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
2646 ++ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
2647 ++
2648 ++ .align PAGE_SIZE_asm
2649 ++ENTRY(cpu_gdt_table)
2650 ++ .quad 0x0000000000000000 /* NULL descriptor */
2651 ++ .quad 0x0000000000000000 /* 0x0b reserved */
2652 ++ .quad 0x0000000000000000 /* 0x13 reserved */
2653 ++ .quad 0x0000000000000000 /* 0x1b reserved */
2654 ++ .quad 0x0000000000000000 /* 0x20 unused */
2655 ++ .quad 0x0000000000000000 /* 0x28 unused */
2656 ++ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
2657 ++ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
2658 ++ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
2659 ++ .quad 0x0000000000000000 /* 0x4b reserved */
2660 ++ .quad 0x0000000000000000 /* 0x53 reserved */
2661 ++ .quad 0x0000000000000000 /* 0x5b reserved */
2662 ++
2663 ++ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
2664 ++ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
2665 ++ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
2666 ++ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
2667 ++
2668 ++ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
2669 ++ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
2670 ++
2671 ++ /*
2672 ++ * Segments used for calling PnP BIOS have byte granularity.
2673 ++ * The code segments and data segments have fixed 64k limits,
2674 ++ * the transfer segment sizes are set at run time.
2675 ++ */
2676 ++ .quad 0x00409b000000ffff /* 0x90 32-bit code */
2677 ++ .quad 0x00009b000000ffff /* 0x98 16-bit code */
2678 ++ .quad 0x000093000000ffff /* 0xa0 16-bit data */
2679 ++ .quad 0x0000930000000000 /* 0xa8 16-bit data */
2680 ++ .quad 0x0000930000000000 /* 0xb0 16-bit data */
2681 ++
2682 ++ /*
2683 ++ * The APM segments have byte granularity and their bases
2684 ++ * are set at run time. All have 64k limits.
2685 ++ */
2686 ++ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
2687 ++ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
2688 ++ .quad 0x004093000000ffff /* 0xc8 APM DS data */
2689 ++
2690 ++ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
2691 ++ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
2692 ++ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
2693 ++ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
2694 ++ .quad 0x0000000000000000 /* 0xf0 - unused */
2695 ++ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
2696 ++
2697 ++ /* Be sure this is zeroed to avoid false validations in Xen */
2698 ++ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
2699 ++
2700 ++#ifdef CONFIG_SMP
2701 ++ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
2702 ++#endif
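Review bot: two points. (1) The descriptor type bytes change from 0x9a/0x92 to 0x9b/0x93 (and 0xfb/0xf3 for the user segments), i.e. the Accessed bit is pre-set; that is what allows the GDT to live in read-only memory without the CPU trying to set the bit on first load, and it deserves a comment so a future copy-paste of `0x9a` does not silently reintroduce a write. (2) `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` mixes units: it pads by (4096 - 32) bytes after 32 entries of 8 bytes each (256 bytes, per the "GDT entry 31" comment), so CPU 0's table spans 4320 bytes while the SMP `.fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0` below assumes a one-page stride; the intended padding is `PAGE_SIZE_asm - 8*GDT_ENTRIES` bytes (or `.fill PAGE_SIZE_asm/8 - GDT_ENTRIES,8,0`).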
2703 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/hpet.c linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c
2704 +--- linux-2.6.23.15/arch/i386/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
2705 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
2706 +@@ -96,7 +96,7 @@ static void hpet_reserve_platform_timers
2707 + hd.hd_irq[1] = HPET_LEGACY_RTC;
2708 +
2709 + for (i = 2; i < nrtimers; timer++, i++)
2710 +- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
2711 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
2712 + Tn_INT_ROUTE_CNF_SHIFT;
2713 +
2714 + hpet_alloc(&hd);
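Review bot: readl() on the MMIO field is the right fix (a plain `timer->hpet_config` dereference is neither volatile nor ordered); check the other `timer->` accesses in hpet_reserve_platform_timers() outside this three-line window, since the pattern suggests the whole function used direct loads.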
2715 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c
2716 +--- linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c 2007-10-09 21:31:38.000000000 +0100
2717 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c 2008-02-11 10:37:44.000000000 +0000
2718 +@@ -2,12 +2,16 @@
2719 + #include <asm/checksum.h>
2720 + #include <asm/desc.h>
2721 +
2722 ++EXPORT_SYMBOL_GPL(cpu_gdt_table);
2723 ++
2724 + EXPORT_SYMBOL(__down_failed);
2725 + EXPORT_SYMBOL(__down_failed_interruptible);
2726 + EXPORT_SYMBOL(__down_failed_trylock);
2727 + EXPORT_SYMBOL(__up_wakeup);
2728 + /* Networking helper routines. */
2729 + EXPORT_SYMBOL(csum_partial_copy_generic);
2730 ++EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
2731 ++EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
2732 +
2733 + EXPORT_SYMBOL(__get_user_1);
2734 + EXPORT_SYMBOL(__get_user_2);
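Review bot: exporting `cpu_gdt_table`, even GPL-only, hands every module the address of the live GDT; if the intent is only to let per-cpu code locate its own table, an accessor export would expose less. Also make sure `csum_partial_copy_generic_to_user` / `csum_partial_copy_generic_from_user` have prototypes in asm/checksum.h, otherwise users get implicit-declaration warnings.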
2735 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/i8259.c linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c
2736 +--- linux-2.6.23.15/arch/i386/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
2737 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
2738 +@@ -350,7 +350,7 @@ static irqreturn_t math_error_irq(int cp
2739 + * New motherboards sometimes make IRQ 13 be a PCI interrupt,
2740 + * so allow interrupt sharing.
2741 + */
2742 +-static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL };
2743 ++static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL, 0, NULL };
2744 +
2745 + void __init init_ISA_irqs (void)
2746 + {
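Review bot: the initializer is positional, so appending `0, NULL` hard-codes the current member order of struct irqaction; a designated initializer such as `{ .handler = math_error_irq, .name = "fpu" }` zeroes the remaining members and survives future layout changes without touching this line again.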
2747 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/init_task.c linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c
2748 +--- linux-2.6.23.15/arch/i386/kernel/init_task.c 2007-10-09 21:31:38.000000000 +0100
2749 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c 2008-02-11 10:37:44.000000000 +0000
2750 +@@ -42,5 +42,5 @@ EXPORT_SYMBOL(init_task);
2751 + * per-CPU TSS segments. Threads are completely 'soft' on Linux,
2752 + * no more per-task TSS's.
2753 + */
2754 +-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
2755 ++struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
2756 +
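Review bot: turning `init_tss` from a DEFINE_PER_CPU into an `[NR_CPUS]` array makes each TSS addressable by index (`init_tss + cpu`, as the ioport.c and process.c hunks do), but `____cacheline_internodealigned_in_smp` on the array aligns only its start; per-CPU separation now depends on sizeof(struct tss_struct) being a multiple of the cache line. Any `per_cpu(init_tss, ...)` left elsewhere in the tree will fail to compile, which is at least loud.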
2757 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ioport.c linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c
2758 +--- linux-2.6.23.15/arch/i386/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
2759 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
2760 +@@ -16,6 +16,7 @@
2761 + #include <linux/slab.h>
2762 + #include <linux/thread_info.h>
2763 + #include <linux/syscalls.h>
2764 ++#include <linux/grsecurity.h>
2765 +
2766 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
2767 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
2768 +@@ -64,9 +65,16 @@ asmlinkage long sys_ioperm(unsigned long
2769 +
2770 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
2771 + return -EINVAL;
2772 ++#ifdef CONFIG_GRKERNSEC_IO
2773 ++ if (turn_on) {
2774 ++ gr_handle_ioperm();
2775 ++#else
2776 + if (turn_on && !capable(CAP_SYS_RAWIO))
2777 ++#endif
2778 + return -EPERM;
2779 +-
2780 ++#ifdef CONFIG_GRKERNSEC_IO
2781 ++ }
2782 ++#endif
2783 + /*
2784 + * If it's the first ioperm() call in this thread's lifetime, set the
2785 + * IO bitmap up. ioperm() is much less timing critical than clone(),
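Review bot: the brace opened inside the first `#ifdef CONFIG_GRKERNSEC_IO` (`if (turn_on) {`) is closed inside a second `#ifdef` several lines later, with the shared `return -EPERM;` in between; that is hard to read and easy to break. Write each variant as a complete statement: `if (turn_on) { gr_handle_ioperm(); return -EPERM; }` under the ifdef and the unchanged upstream test under `#else`. Also document the semantics: with GRKERNSEC_IO enabled, turn_on is refused even for CAP_SYS_RAWIO holders, while clearing bits (turn_on == 0) stays allowed as upstream.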
2786 +@@ -89,7 +97,7 @@ asmlinkage long sys_ioperm(unsigned long
2787 + * because the ->io_bitmap_max value must match the bitmap
2788 + * contents:
2789 + */
2790 +- tss = &per_cpu(init_tss, get_cpu());
2791 ++ tss = init_tss + get_cpu();
2792 +
2793 + set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
2794 +
2795 +@@ -143,8 +151,13 @@ asmlinkage long sys_iopl(unsigned long u
2796 + return -EINVAL;
2797 + /* Trying to gain more privileges? */
2798 + if (level > old) {
2799 ++#ifdef CONFIG_GRKERNSEC_IO
2800 ++ gr_handle_iopl();
2801 ++ return -EPERM;
2802 ++#else
2803 + if (!capable(CAP_SYS_RAWIO))
2804 + return -EPERM;
2805 ++#endif
2806 + }
2807 + t->iopl = level << 12;
2808 + regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
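Review bot: under CONFIG_GRKERNSEC_IO every attempt to raise IOPL is refused regardless of CAP_SYS_RAWIO and logged via gr_handle_iopl(), while lowering is still permitted; say so in a comment above `if (level > old)`, because the `#else` branch sitting right next to it reads as if capability still decides.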
2809 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/irq.c linux-2.6.23.15-grsec/arch/i386/kernel/irq.c
2810 +--- linux-2.6.23.15/arch/i386/kernel/irq.c 2007-10-09 21:31:38.000000000 +0100
2811 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/irq.c 2008-02-11 10:37:44.000000000 +0000
2812 +@@ -117,7 +117,7 @@ fastcall unsigned int do_IRQ(struct pt_r
2813 + int arg1, arg2, ebx;
2814 +
2815 + /* build the stack frame on the IRQ stack */
2816 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
2817 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
2818 + irqctx->tinfo.task = curctx->tinfo.task;
2819 + irqctx->tinfo.previous_esp = current_stack_pointer;
2820 +
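Review bot: `- 2` is two u32 slots, the same 8 bytes reserved by `stack_start`'s `-8` in head.S and copy_thread()'s `- 8` in process.c, and the identical adjustment is repeated in do_softirq() in the next hunk. A named constant plus a one-line comment on what occupies those 8 bytes at the top of the IRQ stack would keep the four sites from drifting.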
2821 +@@ -213,7 +213,7 @@ asmlinkage void do_softirq(void)
2822 + irqctx->tinfo.previous_esp = current_stack_pointer;
2823 +
2824 + /* build the stack frame on the softirq stack */
2825 +- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
2826 ++ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
2827 +
2828 + asm volatile(
2829 + " xchgl %%ebx,%%esp \n"
2830 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/kprobes.c linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c
2831 +--- linux-2.6.23.15/arch/i386/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
2832 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c 2008-02-11 10:37:44.000000000 +0000
2833 +@@ -49,9 +49,24 @@ static __always_inline void set_jmp_op(v
2834 + char op;
2835 + long raddr;
2836 + } __attribute__((packed)) *jop;
2837 +- jop = (struct __arch_jmp_op *)from;
2838 ++
2839 ++#ifdef CONFIG_PAX_KERNEXEC
2840 ++ unsigned long cr0;
2841 ++#endif
2842 ++
2843 ++ jop = (struct __arch_jmp_op *)(from + __KERNEL_TEXT_OFFSET);
2844 ++
2845 ++#ifdef CONFIG_PAX_KERNEXEC
2846 ++ pax_open_kernel(cr0);
2847 ++#endif
2848 ++
2849 + jop->raddr = (long)(to) - ((long)(from) + 5);
2850 + jop->op = RELATIVEJUMP_INSTRUCTION;
2851 ++
2852 ++#ifdef CONFIG_PAX_KERNEXEC
2853 ++ pax_close_kernel(cr0);
2854 ++#endif
2855 ++
2856 + }
2857 +
2858 + /*
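Review bot: writing through `from + __KERNEL_TEXT_OFFSET` while computing `raddr` from the unshifted `from` is correct (the displacement is relative to the address the jump executes at; the store goes through the writable alias), but a comment saying so would stop the next reader from "fixing" one of the two to match the other. The open/close window covering only the two stores is the right granularity.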
2859 +@@ -153,14 +168,28 @@ static int __kprobes is_IF_modifier(kpro
2860 +
2861 + int __kprobes arch_prepare_kprobe(struct kprobe *p)
2862 + {
2863 ++
2864 ++#ifdef CONFIG_PAX_KERNEXEC
2865 ++ unsigned long cr0;
2866 ++#endif
2867 ++
2868 + /* insn: must be on special executable page on i386. */
2869 + p->ainsn.insn = get_insn_slot();
2870 + if (!p->ainsn.insn)
2871 + return -ENOMEM;
2872 +
2873 +- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
2874 +- p->opcode = *p->addr;
2875 +- if (can_boost(p->addr)) {
2876 ++#ifdef CONFIG_PAX_KERNEXEC
2877 ++ pax_open_kernel(cr0);
2878 ++#endif
2879 ++
2880 ++ memcpy(p->ainsn.insn, p->addr + __KERNEL_TEXT_OFFSET, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
2881 ++
2882 ++#ifdef CONFIG_PAX_KERNEXEC
2883 ++ pax_close_kernel(cr0);
2884 ++#endif
2885 ++
2886 ++ p->opcode = *(p->addr + __KERNEL_TEXT_OFFSET);
2887 ++ if (can_boost(p->addr + __KERNEL_TEXT_OFFSET)) {
2888 + p->ainsn.boostable = 0;
2889 + } else {
2890 + p->ainsn.boostable = -1;
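Review bot: wrapping the memcpy into the insn slot in pax_open_kernel() implies get_insn_slot() now returns KERNEXEC-protected memory; state that coupling next to the call, since anyone reusing the slot allocator for scratch space would miss it. The `p->opcode` and can_boost() reads through the alias are correctly left outside the writable window. Stray blank line right after the opening `{` of arch_prepare_kprobe().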
2891 +@@ -219,7 +248,7 @@ static void __kprobes prepare_singlestep
2892 + if (p->opcode == BREAKPOINT_INSTRUCTION)
2893 + regs->eip = (unsigned long)p->addr;
2894 + else
2895 +- regs->eip = (unsigned long)p->ainsn.insn;
2896 ++ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2897 + }
2898 +
2899 + /* Called with kretprobe_lock held */
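Review bot: this is the first of several sites (prepare_singlestep, ss_probe, resume_execution) translating an insn-slot alias address to its executable address with `- __KERNEL_TEXT_OFFSET`, while the reverse direction elsewhere uses `+ __KERNEL_TEXT_OFFSET`; a pair of small inline helpers with direction in their names would make the conversions self-documenting and grep-able instead of repeating the arithmetic.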
2900 +@@ -325,7 +354,7 @@ ss_probe:
2901 + if (p->ainsn.boostable == 1 && !p->post_handler){
2902 + /* Boost up -- we can execute copied instructions directly */
2903 + reset_current_kprobe();
2904 +- regs->eip = (unsigned long)p->ainsn.insn;
2905 ++ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2906 + preempt_enable_no_resched();
2907 + return 1;
2908 + }
2909 +@@ -475,7 +504,7 @@ static void __kprobes resume_execution(s
2910 + struct pt_regs *regs, struct kprobe_ctlblk *kcb)
2911 + {
2912 + unsigned long *tos = (unsigned long *)&regs->esp;
2913 +- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
2914 ++ unsigned long copy_eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
2915 + unsigned long orig_eip = (unsigned long)p->addr;
2916 +
2917 + regs->eflags &= ~TF_MASK;
2918 +@@ -648,7 +677,7 @@ int __kprobes kprobe_exceptions_notify(s
2919 + struct die_args *args = (struct die_args *)data;
2920 + int ret = NOTIFY_DONE;
2921 +
2922 +- if (args->regs && user_mode_vm(args->regs))
2923 ++ if (args->regs && user_mode(args->regs))
2924 + return ret;
2925 +
2926 + switch (val) {
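Review bot: `user_mode_vm()` also reports VM86 frames (VM bit in eflags) as user mode, which `user_mode()` (CS RPL only) does not; unless this patch changes user_mode() elsewhere to fold that test in, a kprobe fault taken in a vm86 task would now be treated as a kernel-mode hit. The same substitution appears in process.c show_regs() and ptrace.c send_sigtrap().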
2927 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ldt.c linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c
2928 +--- linux-2.6.23.15/arch/i386/kernel/ldt.c 2007-10-09 21:31:38.000000000 +0100
2929 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c 2008-02-11 10:37:44.000000000 +0000
2930 +@@ -58,7 +58,7 @@ static int alloc_ldt(mm_context_t *pc, i
2931 + #ifdef CONFIG_SMP
2932 + cpumask_t mask;
2933 + preempt_disable();
2934 +- load_LDT(pc);
2935 ++ load_LDT_nolock(pc);
2936 + mask = cpumask_of_cpu(smp_processor_id());
2937 + if (!cpus_equal(current->mm->cpu_vm_mask, mask))
2938 + smp_call_function(flush_ldt, NULL, 1, 1);
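Review bot: switching to load_LDT_nolock() inside the existing preempt_disable() region is fine only if the lock that load_LDT() takes is not also what guards against the concurrent flush_ldt() IPI issued just below; a short comment naming which lock the caller already holds would answer that for reviewers who cannot see the header change.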
2939 +@@ -102,6 +102,22 @@ int init_new_context(struct task_struct
2940 + retval = copy_ldt(&mm->context, &old_mm->context);
2941 + up(&old_mm->context.sem);
2942 + }
2943 ++
2944 ++ if (tsk == current) {
2945 ++ mm->context.vdso = ~0UL;
2946 ++
2947 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
2948 ++ mm->context.user_cs_base = 0UL;
2949 ++ mm->context.user_cs_limit = ~0UL;
2950 ++
2951 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
2952 ++ cpus_clear(mm->context.cpu_user_cs_mask);
2953 ++#endif
2954 ++
2955 ++#endif
2956 ++
2957 ++ }
2958 ++
2959 + return retval;
2960 + }
2961 +
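Review bot: the `tsk == current` guard is undocumented. Presumably it separates a freshly created mm from one duplicated for a child, where the copied context already carries the parent's values; say so in a comment, because otherwise the `vdso = ~0UL` sentinel and the user_cs_base/user_cs_limit reset look as if they are applied at random. `~0UL` as "no vdso" is also a magic value worth a #define.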
2962 +@@ -212,6 +228,13 @@ static int write_ldt(void __user * ptr,
2963 + }
2964 + }
2965 +
2966 ++#ifdef CONFIG_PAX_SEGMEXEC
2967 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
2968 ++ error = -EINVAL;
2969 ++ goto out_unlock;
2970 ++ }
2971 ++#endif
2972 ++
2973 + entry_1 = LDT_entry_a(&ldt_info);
2974 + entry_2 = LDT_entry_b(&ldt_info);
2975 + if (oldmode)
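Review bot: this SEGMEXEC refusal of code segments (`MODIFY_LDT_CONTENTS_CODE`) is duplicated verbatim in copy_thread(), sys_set_thread_area() and ptrace_set_thread_area() in this patch; factor it into one inline taking the mm and the user_desc so the four entry points stay in sync. -EINVAL rather than -EPERM is defensible since the request is invalid under the policy, but a comment would help anyone reading the errno from strace.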
2976 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/machine_kexec.c linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c
2977 +--- linux-2.6.23.15/arch/i386/kernel/machine_kexec.c 2007-10-09 21:31:38.000000000 +0100
2978 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c 2008-02-11 10:37:44.000000000 +0000
2979 +@@ -29,25 +29,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
2980 + static u32 kexec_pte0[1024] PAGE_ALIGNED;
2981 + static u32 kexec_pte1[1024] PAGE_ALIGNED;
2982 +
2983 +-static void set_idt(void *newidt, __u16 limit)
2984 ++static void set_idt(struct desc_struct *newidt, __u16 limit)
2985 + {
2986 + struct Xgt_desc_struct curidt;
2987 +
2988 + /* ia32 supports unaliged loads & stores */
2989 + curidt.size = limit;
2990 +- curidt.address = (unsigned long)newidt;
2991 ++ curidt.address = newidt;
2992 +
2993 + load_idt(&curidt);
2994 + };
2995 +
2996 +
2997 +-static void set_gdt(void *newgdt, __u16 limit)
2998 ++static void set_gdt(struct desc_struct *newgdt, __u16 limit)
2999 + {
3000 + struct Xgt_desc_struct curgdt;
3001 +
3002 + /* ia32 supports unaligned loads & stores */
3003 + curgdt.size = limit;
3004 +- curgdt.address = (unsigned long)newgdt;
3005 ++ curgdt.address = newgdt;
3006 +
3007 + load_gdt(&curgdt);
3008 + };
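Review bot: `curidt.address = newidt` compiles only because Xgt_desc_struct.address has become a `struct desc_struct *` (the reboot.c hunk shows the new three-field initializer); that header change lives outside this file, so the two must land together. The pre-existing "unaliged" typo in the context line could be fixed while here.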
3009 +@@ -110,10 +110,10 @@ NORET_TYPE void machine_kexec(struct kim
3010 + local_irq_disable();
3011 +
3012 + control_page = page_address(image->control_code_page);
3013 +- memcpy(control_page, relocate_kernel, PAGE_SIZE);
3014 ++ memcpy(control_page, relocate_kernel + __KERNEL_TEXT_OFFSET, PAGE_SIZE);
3015 +
3016 + page_list[PA_CONTROL_PAGE] = __pa(control_page);
3017 +- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
3018 ++ page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET;
3019 + page_list[PA_PGD] = __pa(kexec_pgd);
3020 + page_list[VA_PGD] = (unsigned long)kexec_pgd;
3021 + #ifdef CONFIG_X86_PAE
3022 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/module.c linux-2.6.23.15-grsec/arch/i386/kernel/module.c
3023 +--- linux-2.6.23.15/arch/i386/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
3024 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
3025 +@@ -23,6 +23,8 @@
3026 + #include <linux/kernel.h>
3027 + #include <linux/bug.h>
3028 +
3029 ++#include <asm/desc.h>
3030 ++
3031 + #if 0
3032 + #define DEBUGP printk
3033 + #else
3034 +@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
3035 + {
3036 + if (size == 0)
3037 + return NULL;
3038 ++
3039 ++#ifdef CONFIG_PAX_KERNEXEC
3040 ++ return vmalloc(size);
3041 ++#else
3042 + return vmalloc_exec(size);
3043 ++#endif
3044 ++
3045 + }
3046 +
3047 ++#ifdef CONFIG_PAX_KERNEXEC
3048 ++void *module_alloc_exec(unsigned long size)
3049 ++{
3050 ++ struct vm_struct *area;
3051 ++
3052 ++ if (size == 0)
3053 ++ return NULL;
3054 ++
3055 ++ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
3056 ++ if (area)
3057 ++ return area->addr;
3058 ++
3059 ++ return NULL;
3060 ++}
3061 ++#endif
3062 +
3063 + /* Free memory returned from module_alloc */
3064 + void module_free(struct module *mod, void *module_region)
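Review bot: module_alloc_exec() reserves a range in [MODULES_VADDR, MODULES_END) with __get_vm_area() but allocates no pages, so it must rely on that region being pre-mapped executable memory; state that assumption in a comment, because __get_vm_area() callers normally populate the area afterwards. Taking the address of MODULES_VADDR/MODULES_END implies they are linker symbols here, which is also worth noting. module_alloc() falling back to plain vmalloc() under KERNEXEC makes module data non-executable, which is the point, but the loader must route SHF_EXECINSTR sections to module_alloc_exec() for the split to work.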
3065 +@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
3066 + table entries. */
3067 + }
3068 +
3069 ++#ifdef CONFIG_PAX_KERNEXEC
3070 ++void module_free_exec(struct module *mod, void *module_region)
3071 ++{
3072 ++ struct vm_struct **p, *tmp;
3073 ++
3074 ++ if (!module_region)
3075 ++ return;
3076 ++
3077 ++ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
3078 ++ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
3079 ++ WARN_ON(1);
3080 ++ return;
3081 ++ }
3082 ++
3083 ++ write_lock(&vmlist_lock);
3084 ++ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
3085 ++ if (tmp->addr == module_region)
3086 ++ break;
3087 ++
3088 ++ if (tmp) {
3089 ++ unsigned long cr0;
3090 ++
3091 ++ pax_open_kernel(cr0);
3092 ++ memset(tmp->addr, 0xCC, tmp->size);
3093 ++ pax_close_kernel(cr0);
3094 ++
3095 ++ *p = tmp->next;
3096 ++ kfree(tmp);
3097 ++ }
3098 ++ write_unlock(&vmlist_lock);
3099 ++
3100 ++ if (!tmp) {
3101 ++ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
3102 ++ module_region);
3103 ++ WARN_ON(1);
3104 ++ }
3105 ++}
3106 ++#endif
3107 ++
3108 + /* We don't need anything special. */
3109 + int module_frob_arch_sections(Elf_Ehdr *hdr,
3110 + Elf_Shdr *sechdrs,
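Review bot: the manual vmlist walk duplicates remove_vm_area(); `tmp = remove_vm_area(module_region)` followed by the pax_open_kernel()/memset/pax_close_kernel()/kfree(tmp) sequence would be shorter and keep list handling inside mm/vmalloc.c. Filling the freed text with 0xCC (int3) is a good choice: stale callers trap instead of executing whatever is mapped there next. The page-alignment check before the walk matches what __vunmap() does.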
3111 +@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
3112 + unsigned int i;
3113 + Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
3114 + Elf32_Sym *sym;
3115 +- uint32_t *location;
3116 ++ uint32_t *plocation, location;
3117 ++
3118 ++#ifdef CONFIG_PAX_KERNEXEC
3119 ++ unsigned long cr0;
3120 ++#endif
3121 +
3122 + DEBUGP("Applying relocate section %u to %u\n", relsec,
3123 + sechdrs[relsec].sh_info);
3124 + for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
3125 + /* This is where to make the change */
3126 +- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
3127 +- + rel[i].r_offset;
3128 ++ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
3129 ++ location = (uint32_t)plocation;
3130 ++ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
3131 ++ plocation = (void *)plocation + __KERNEL_TEXT_OFFSET;
3132 + /* This is the symbol it is referring to. Note that all
3133 + undefined symbols have been resolved. */
3134 + sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
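Review bot: `location` is snapshotted as an integer before `plocation` is shifted by __KERNEL_TEXT_OFFSET, so R_386_PC32 in the next hunk still subtracts the address the code will execute at, not the writable alias; that is correct but non-obvious, since the two values differ only for SHF_EXECINSTR sections, so add a comment. A blank `+` line was left after the `uint32_t *plocation, location;` declaration.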
3135 +@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
3136 +
3137 + switch (ELF32_R_TYPE(rel[i].r_info)) {
3138 + case R_386_32:
3139 ++
3140 ++#ifdef CONFIG_PAX_KERNEXEC
3141 ++ pax_open_kernel(cr0);
3142 ++#endif
3143 ++
3144 + /* We add the value into the location given */
3145 +- *location += sym->st_value;
3146 ++ *plocation += sym->st_value;
3147 ++
3148 ++#ifdef CONFIG_PAX_KERNEXEC
3149 ++ pax_close_kernel(cr0);
3150 ++#endif
3151 ++
3152 + break;
3153 + case R_386_PC32:
3154 ++
3155 ++#ifdef CONFIG_PAX_KERNEXEC
3156 ++ pax_open_kernel(cr0);
3157 ++#endif
3158 ++
3159 + /* Add the value, subtract its postition */
3160 +- *location += sym->st_value - (uint32_t)location;
3161 ++ *plocation += sym->st_value - location;
3162 ++
3163 ++#ifdef CONFIG_PAX_KERNEXEC
3164 ++ pax_close_kernel(cr0);
3165 ++#endif
3166 ++
3167 + break;
3168 + default:
3169 + printk(KERN_ERR "module %s: Unknown relocation: %u\n",
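Review bot: pax_open_kernel()/pax_close_kernel() is toggled once per relocation entry, duplicated in both case arms; for a large module that is many cr0 writes. Either hoist one open/close pair around the loop (a wider writable window but far fewer toggles) or at least around the switch, and in either case gate it on SHF_EXECINSTR so relocations into data sections, which do not need the window, keep the exposure minimal.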
3170 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/paravirt.c linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c
3171 +--- linux-2.6.23.15/arch/i386/kernel/paravirt.c 2007-10-09 21:31:38.000000000 +0100
3172 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c 2008-02-11 10:37:44.000000000 +0000
3173 +@@ -198,7 +198,7 @@ unsigned paravirt_patch_insns(void *insn
3174 + if (insn_len > len || start == NULL)
3175 + insn_len = len;
3176 + else
3177 +- memcpy(insnbuf, start, insn_len);
3178 ++ memcpy(insnbuf, start + __KERNEL_TEXT_OFFSET, insn_len);
3179 +
3180 + return insn_len;
3181 + }
3182 +@@ -273,7 +273,7 @@ int paravirt_disable_iospace(void)
3183 + return ret;
3184 + }
3185 +
3186 +-struct paravirt_ops paravirt_ops = {
3187 ++struct paravirt_ops paravirt_ops __read_only = {
3188 + .name = "bare hardware",
3189 + .paravirt_enabled = 0,
3190 + .kernel_rpl = 0,
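Review bot: `__read_only` places the ops table in write-protected memory, so any backend that fills paravirt_ops members at runtime (a hypervisor probe assigning function pointers after boot) must now do so under pax_open_kernel(); list the writers this patch updates, or add a comment stating that only compile-time initialisation of this table is allowed.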
3191 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/process.c linux-2.6.23.15-grsec/arch/i386/kernel/process.c
3192 +--- linux-2.6.23.15/arch/i386/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
3193 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
3194 +@@ -68,15 +68,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
3195 + DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
3196 + EXPORT_PER_CPU_SYMBOL(current_task);
3197 +
3198 ++#ifdef CONFIG_SMP
3199 + DEFINE_PER_CPU(int, cpu_number);
3200 + EXPORT_PER_CPU_SYMBOL(cpu_number);
3201 ++#endif
3202 +
3203 + /*
3204 + * Return saved PC of a blocked thread.
3205 + */
3206 + unsigned long thread_saved_pc(struct task_struct *tsk)
3207 + {
3208 +- return ((unsigned long *)tsk->thread.esp)[3];
3209 ++ return tsk->thread.eip;
3210 + }
3211 +
3212 + /*
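Review bot: thread_saved_pc() now returns `tsk->thread.eip` instead of reading the return-address slot off the saved stack; that is equivalent only if switch_to keeps thread.eip current for blocked tasks, which this hunk does not show, so reference the hunk that guarantees it. Wrapping cpu_number in CONFIG_SMP is fine provided no UP-only code references it.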
3213 +@@ -307,7 +309,7 @@ void show_regs(struct pt_regs * regs)
3214 + printk("EIP: %04x:[<%08lx>] CPU: %d\n",0xffff & regs->xcs,regs->eip, smp_processor_id());
3215 + print_symbol("EIP is at %s\n", regs->eip);
3216 +
3217 +- if (user_mode_vm(regs))
3218 ++ if (user_mode(regs))
3219 + printk(" ESP: %04x:%08lx",0xffff & regs->xss,regs->esp);
3220 + printk(" EFLAGS: %08lx %s (%s %.*s)\n",
3221 + regs->eflags, print_tainted(), init_utsname()->release,
3222 +@@ -358,8 +360,8 @@ int kernel_thread(int (*fn)(void *), voi
3223 + regs.ebx = (unsigned long) fn;
3224 + regs.edx = (unsigned long) arg;
3225 +
3226 +- regs.xds = __USER_DS;
3227 +- regs.xes = __USER_DS;
3228 ++ regs.xds = __KERNEL_DS;
3229 ++ regs.xes = __KERNEL_DS;
3230 + regs.xfs = __KERNEL_PERCPU;
3231 + regs.orig_eax = -1;
3232 + regs.eip = (unsigned long) kernel_thread_helper;
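Review bot: kernel threads now start with DS/ES = __KERNEL_DS, matching the head.S change to the boot-time segments. That is consistent, but a comment here pointing at the head.S site (and at the __set_fs() call in __switch_to() that manages the kernel data segment per cpu) would explain why this differs from upstream's __USER_DS.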
3233 +@@ -381,7 +383,7 @@ void exit_thread(void)
3234 + struct task_struct *tsk = current;
3235 + struct thread_struct *t = &tsk->thread;
3236 + int cpu = get_cpu();
3237 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3238 ++ struct tss_struct *tss = init_tss + cpu;
3239 +
3240 + kfree(t->io_bitmap_ptr);
3241 + t->io_bitmap_ptr = NULL;
3242 +@@ -402,6 +404,7 @@ void flush_thread(void)
3243 + {
3244 + struct task_struct *tsk = current;
3245 +
3246 ++ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
3247 + memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
3248 + memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
3249 + clear_tsk_thread_flag(tsk, TIF_DEBUG);
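Review bot: the raw `__asm__("mov %0,%%gs\n" : : "r" (0) : "memory")` should use the existing loadsegment(gs, 0) macro (exception-safe and consistent with the savesegment() used in __switch_to()), and needs a comment: it clears a stale TLS selector carried over from the previous image so exec does not inherit it.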
3250 +@@ -435,7 +438,7 @@ int copy_thread(int nr, unsigned long cl
3251 + struct task_struct *tsk;
3252 + int err;
3253 +
3254 +- childregs = task_pt_regs(p);
3255 ++ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
3256 + *childregs = *regs;
3257 + childregs->eax = 0;
3258 + childregs->esp = esp;
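Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes task_pt_regs() with an extra 8 bytes; if task_pt_regs() itself is not updated to the same layout, every other user of it now disagrees with where the child's pt_regs really are. Prefer changing the macro, or use it and subtract a named constant shared with `stack_start` in head.S and the `- 2` in irq.c.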
3259 +@@ -477,6 +480,11 @@ int copy_thread(int nr, unsigned long cl
3260 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
3261 + goto out;
3262 +
3263 ++#ifdef CONFIG_PAX_SEGMEXEC
3264 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3265 ++ goto out;
3266 ++#endif
3267 ++
3268 + desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
3269 + desc->a = LDT_entry_a(&info);
3270 + desc->b = LDT_entry_b(&info);
3271 +@@ -663,7 +671,7 @@ struct task_struct fastcall * __switch_t
3272 + struct thread_struct *prev = &prev_p->thread,
3273 + *next = &next_p->thread;
3274 + int cpu = smp_processor_id();
3275 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3276 ++ struct tss_struct *tss = init_tss + cpu;
3277 +
3278 + /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
3279 +
3280 +@@ -691,6 +699,11 @@ struct task_struct fastcall * __switch_t
3281 + */
3282 + savesegment(gs, prev->gs);
3283 +
3284 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
3285 ++ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
3286 ++ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
3287 ++#endif
3288 ++
3289 + /*
3290 + * Load the per-thread Thread-Local Storage descriptor.
3291 + */
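Review bot: the addr_limit comparison runs on every context switch and calls __set_fs() only when the limits differ, so transient set_fs(KERNEL_DS) windows inside a thread rarely trigger it; still, a comment is needed stating that __set_fs() reprograms the per-cpu data segment (not just the thread_info field), since the name suggests a plain assignment.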
3292 +@@ -855,6 +868,12 @@ asmlinkage int sys_set_thread_area(struc
3293 +
3294 + if (copy_from_user(&info, u_info, sizeof(info)))
3295 + return -EFAULT;
3296 ++
3297 ++#ifdef CONFIG_PAX_SEGMEXEC
3298 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3299 ++ return -EINVAL;
3300 ++#endif
3301 ++
3302 + idx = info.entry_number;
3303 +
3304 + /*
3305 +@@ -943,9 +962,28 @@ asmlinkage int sys_get_thread_area(struc
3306 + return 0;
3307 + }
3308 +
3309 +-unsigned long arch_align_stack(unsigned long sp)
3310 ++#ifdef CONFIG_PAX_RANDKSTACK
3311 ++asmlinkage void pax_randomize_kstack(void)
3312 + {
3313 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3314 +- sp -= get_random_int() % 8192;
3315 +- return sp & ~0xf;
3316 ++ struct tss_struct *tss;
3317 ++ unsigned long time;
3318 ++
3319 ++ if (!randomize_va_space)
3320 ++ return;
3321 ++
3322 ++ tss = init_tss + smp_processor_id();
3323 ++ rdtscl(time);
3324 ++
3325 ++ /* P4 seems to return a 0 LSB, ignore it */
3326 ++#ifdef CONFIG_MPENTIUM4
3327 ++ time &= 0x1EUL;
3328 ++ time <<= 2;
3329 ++#else
3330 ++ time &= 0xFUL;
3331 ++ time <<= 3;
3332 ++#endif
3333 ++
3334 ++ tss->x86_tss.esp0 ^= time;
3335 ++ current->thread.esp0 = tss->x86_tss.esp0;
3336 + }
3337 ++#endif
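Review bot: three points. (1) `arch_align_stack()` is removed outright; generic code calls it when laying out the user stack, so either a replacement definition exists elsewhere in this patch or the link breaks, and the upstream 0..8K user-stack jitter is dropped in favour of PaX's own userland randomisation; confirm both. (2) XOR-ing `time` into esp0 only ever lowers esp0 if the toggled bits (mask 0x78 in both the P4 branch, `0x1E << 2`, and the generic branch, `0xF << 3`) are set in the unrandomised value; that holds for a THREAD_SIZE-aligned top minus 8, but it is an implicit invariant that deserves a comment. (3) The rdtsc low bits give 4 bits of entropy per call; fine for the purpose, but say so rather than leaving `0x1E` and `0xF` unexplained.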
3338 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/ptrace.c linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c
3339 +--- linux-2.6.23.15/arch/i386/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
3340 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
3341 +@@ -161,22 +161,20 @@ static unsigned long convert_eip_to_line
3342 + * and APM bios ones we just ignore here.
3343 + */
3344 + if (seg & LDT_SEGMENT) {
3345 +- u32 *desc;
3346 ++ struct desc_struct *desc;
3347 + unsigned long base;
3348 +
3349 + seg &= ~7UL;
3350 +
3351 + down(&child->mm->context.sem);
3352 + if (unlikely((seg >> 3) >= child->mm->context.size))
3353 +- addr = -1L; /* bogus selector, access would fault */
3354 ++ addr = -EINVAL;
3355 + else {
3356 +- desc = child->mm->context.ldt + seg;
3357 +- base = ((desc[0] >> 16) |
3358 +- ((desc[1] & 0xff) << 16) |
3359 +- (desc[1] & 0xff000000));
3360 ++ desc = &child->mm->context.ldt[seg >> 3];
3361 ++ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
3362 +
3363 + /* 16-bit code segment? */
3364 +- if (!((desc[1] >> 22) & 1))
3365 ++ if (!((desc->b >> 22) & 1))
3366 + addr &= 0xffff;
3367 + addr += base;
3368 + }
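Review bot: `addr = -EINVAL` replaces the `-1L` "bogus selector, would fault" sentinel with a value that callers must test explicitly (the next hunk adds that test in is_setting_trap_flag()); any other caller of convert_eip_to_linear() that still passes the result straight on now hands it 0xffffffea rather than a faulting address, so audit them. Indexing `ldt[seg >> 3]` after `seg &= ~7UL` is fine since the low bits are already clear.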
3369 +@@ -191,6 +189,9 @@ static inline int is_setting_trap_flag(s
3370 + unsigned char opcode[15];
3371 + unsigned long addr = convert_eip_to_linear(child, regs);
3372 +
3373 ++ if (addr == -EINVAL)
3374 ++ return 0;
3375 ++
3376 + copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
3377 + for (i = 0; i < copied; i++) {
3378 + switch (opcode[i]) {
3379 +@@ -341,6 +342,11 @@ ptrace_set_thread_area(struct task_struc
3380 + if (copy_from_user(&info, user_desc, sizeof(info)))
3381 + return -EFAULT;
3382 +
3383 ++#ifdef CONFIG_PAX_SEGMEXEC
3384 ++ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
3385 ++ return -EINVAL;
3386 ++#endif
3387 ++
3388 + if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
3389 + return -EINVAL;
3390 +
3391 +@@ -420,6 +426,17 @@ long arch_ptrace(struct task_struct *chi
3392 + if(addr == (long) &dummy->u_debugreg[5]) break;
3393 + if(addr < (long) &dummy->u_debugreg[4] &&
3394 + ((unsigned long) data) >= TASK_SIZE-3) break;
3395 ++
3396 ++#ifdef CONFIG_GRKERNSEC
3397 ++ if(addr >= (long) &dummy->u_debugreg[0] &&
3398 ++ addr <= (long) &dummy->u_debugreg[3]){
3399 ++ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
3400 ++ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
3401 ++ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
3402 ++ if((type & 1) && (data & align))
3403 ++ break;
3404 ++ }
3405 ++#endif
3406 +
3407 + /* Sanity-check data. Take one half-byte at once with
3408 + * check = (val >> (16 + 4*i)) & 0xf. It contains the
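Review bot: the alignment check consults `debugreg[7]` as it is when DR0-3 are written, so a tracer that programs the address first and DR7 afterwards bypasses it; the same validation must also run in the DR7 write path. `align` is the LEN encoding (0 = 1 byte, 1 = 2, 3 = 4) and happens to double as a mask for those three values, but 2 (8-byte, not meaningful on i386) would be mis-handled, and `(type & 1)` deliberately exempts execute (RW = 00) and I/O (RW = 10) breakpoints; both facts belong in a comment.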
3409 +@@ -636,7 +653,7 @@ void send_sigtrap(struct task_struct *ts
3410 + info.si_code = TRAP_BRKPT;
3411 +
3412 + /* User-mode eip? */
3413 +- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
3414 ++ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
3415 +
3416 + /* Send us the fakey SIGTRAP */
3417 + force_sig_info(SIGTRAP, &info, tsk);
3418 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/reboot.c linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c
3419 +--- linux-2.6.23.15/arch/i386/kernel/reboot.c 2007-10-09 21:31:38.000000000 +0100
3420 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c 2008-02-11 10:37:44.000000000 +0000
3421 +@@ -26,7 +26,7 @@
3422 + void (*pm_power_off)(void);
3423 + EXPORT_SYMBOL(pm_power_off);
3424 +
3425 +-static int reboot_mode;
3426 ++static unsigned short reboot_mode;
3427 + static int reboot_thru_bios;
3428 +
3429 + #ifdef CONFIG_SMP
3430 +@@ -138,7 +138,7 @@ static struct dmi_system_id __initdata r
3431 + DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
3432 + },
3433 + },
3434 +- { }
3435 ++ { NULL, NULL, {{0, NULL}}, NULL}
3436 + };
3437 +
3438 + static int __init reboot_init(void)
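Review bot: the explicit sentinel `{ NULL, NULL, {{0, NULL}}, NULL}` hard-codes the field order of struct dmi_system_id; if the struct gains a field the initializer still compiles but no longer documents itself. Since `{ }` already zero-fills, the purpose is presumably to silence a missing-initializer warning; a designated initializer such as `{ .ident = NULL }` does that without depending on layout. The same change appears in tsc.c further down.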
3439 +@@ -156,18 +156,18 @@ core_initcall(reboot_init);
3440 + doesn't work with at least one type of 486 motherboard. It is easy
3441 + to stop this code working; hence the copious comments. */
3442 +
3443 +-static unsigned long long
3444 +-real_mode_gdt_entries [3] =
3445 ++static struct desc_struct
3446 ++real_mode_gdt_entries [3] __read_only =
3447 + {
3448 +- 0x0000000000000000ULL, /* Null descriptor */
3449 +- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
3450 +- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
3451 ++ {0x00000000, 0x00000000}, /* Null descriptor */
3452 ++ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
3453 ++ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
3454 + };
3455 +
3456 +-static struct Xgt_desc_struct
3457 +-real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
3458 +-real_mode_idt = { 0x3ff, 0 },
3459 +-no_idt = { 0, 0 };
3460 ++static const struct Xgt_desc_struct
3461 ++real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
3462 ++real_mode_idt = { 0x3ff, NULL, 0 },
3463 ++no_idt = { 0, NULL, 0 };
3464 +
3465 +
3466 + /* This is 16-bit protected mode code to disable paging and the cache,
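Review bot: the descriptor bytes change along with the type: 0x9a becomes 0x9b and 0x92 becomes 0x93, i.e. the accessed bit is pre-set in the code and data entries. That is required once the table is `__read_only`, because the CPU sets the accessed bit by writing to the descriptor on first load and would fault on a write-protected page, but nothing in the hunk says so; add a comment on real_mode_gdt_entries. Also confirm that the third initializer field (`0`) matches the Xgt_desc_struct definition changed elsewhere in the series, and note in the description why the GDT base now goes through __pa() explicitly instead of the `(long)` cast.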
3467 +@@ -189,7 +189,7 @@ no_idt = { 0, 0 };
3468 + More could be done here to set up the registers as if a CPU reset had
3469 + occurred; hopefully real BIOSs don't assume much. */
3470 +
3471 +-static unsigned char real_mode_switch [] =
3472 ++static const unsigned char real_mode_switch [] =
3473 + {
3474 + 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
3475 + 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
3476 +@@ -203,7 +203,7 @@ static unsigned char real_mode_switch []
3477 + 0x24, 0x10, /* f: andb $0x10,al */
3478 + 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
3479 + };
3480 +-static unsigned char jump_to_bios [] =
3481 ++static const unsigned char jump_to_bios [] =
3482 + {
3483 + 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
3484 + };
3485 +@@ -213,7 +213,7 @@ static unsigned char jump_to_bios [] =
3486 + * specified by the code and length parameters.
3487 + * We assume that length will aways be less that 100!
3488 + */
3489 +-void machine_real_restart(unsigned char *code, int length)
3490 ++void machine_real_restart(const unsigned char *code, unsigned int length)
3491 + {
3492 + local_irq_disable();
3493 +
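Review bot: making `length` unsigned does not enforce the "less than 100" assumption in the comment just above; the copy later in this function still writes `length` bytes into a slot 100 bytes below 0x1000. A negative value can no longer slip through, an oversized one still can; consider `BUG_ON(length > 100)` (or clamping) next to the memcpy, and fix the "aways ... less that" typos in the comment while touching it.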
3494 +@@ -234,9 +234,8 @@ void machine_real_restart(unsigned char
3495 + /* Remap the kernel at virtual address zero, as well as offset zero
3496 + from the kernel segment. This assumes the kernel segment starts at
3497 + virtual address PAGE_OFFSET. */
3498 +-
3499 +- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
3500 +- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
3501 ++ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
3502 ++ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
3503 +
3504 + /*
3505 + * Use `swapper_pg_dir' as our page directory.
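Review bot: the min_t() is the substantive fix in this hunk and should be commented: the old memcpy copied KERNEL_PGD_PTRS entries into the first USER_PGD_PTRS slots of swapper_pg_dir, so whenever KERNEL_PGD_PTRS > USER_PGD_PTRS (large PAGE_OFFSET splits) the copy ran past the user half into the kernel entries it was reading from. Without a comment a later cleanup could "simplify" the min_t() away and reintroduce the overrun.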
3506 +@@ -249,7 +248,7 @@ void machine_real_restart(unsigned char
3507 + REBOOT.COM programs, and the previous reset routine did this
3508 + too. */
3509 +
3510 +- *((unsigned short *)0x472) = reboot_mode;
3511 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
3512 +
3513 + /* For the switch to real mode, copy some code to low memory. It has
3514 + to be in the first 64k because it is running in 16-bit mode, and it
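Review bot: writing the warm-boot flag through __va(0x472) instead of the raw physical address removes the dependence on the identity mapping established a few lines earlier, which is the right direction; the same store exists in native_machine_emergency_restart() later in this file. A one-line comment that the BIOS reads physical 0x472 and that the direct map is used to reach it would cover both sites.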
3515 +@@ -257,9 +256,8 @@ void machine_real_restart(unsigned char
3516 + off paging. Copy it near the end of the first page, out of the way
3517 + of BIOS variables. */
3518 +
3519 +- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
3520 +- real_mode_switch, sizeof (real_mode_switch));
3521 +- memcpy ((void *) (0x1000 - 100), code, length);
3522 ++ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
3523 ++ memcpy(__va(0x1000 - 100), code, length);
3524 +
3525 + /* Set up the IDT for real mode. */
3526 +
3527 +@@ -345,7 +343,7 @@ static void native_machine_emergency_res
3528 + __asm__ __volatile__("int3");
3529 + }
3530 + /* rebooting needs to touch the page at absolute addr 0 */
3531 +- *((unsigned short *)__va(0x472)) = reboot_mode;
3532 ++ *(unsigned short *)(__va(0x472)) = reboot_mode;
3533 + for (;;) {
3534 + mach_reboot_fixups(); /* for board specific fixups */
3535 + mach_reboot();
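Review bot: this hunk only re-parenthesises `*((unsigned short *)__va(0x472))` as `*(unsigned short *)(__va(0x472))`; there is no behavioural change. Unless it is needed to keep a later patch in the series applying cleanly, drop it to keep the diff focused on real changes.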
3536 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/setup.c linux-2.6.23.15-grsec/arch/i386/kernel/setup.c
3537 +--- linux-2.6.23.15/arch/i386/kernel/setup.c 2007-10-09 21:31:38.000000000 +0100
3538 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/setup.c 2008-02-11 10:37:44.000000000 +0000
3539 +@@ -82,7 +82,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
3540 + struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
3541 + EXPORT_SYMBOL(boot_cpu_data);
3542 +
3543 ++#ifdef CONFIG_X86_PAE
3544 ++unsigned long mmu_cr4_features = X86_CR4_PAE;
3545 ++#else
3546 + unsigned long mmu_cr4_features;
3547 ++#endif
3548 +
3549 + /* for MCA, but anyone else can use it if they want */
3550 + unsigned int machine_id;
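Review bot: initialising mmu_cr4_features to X86_CR4_PAE on PAE kernels changes a value that other code may OR into, or load into CR4 wholesale; the reason (early boot has already set CR4.PAE, so a later write_cr4(mmu_cr4_features) must not clear it) is not stated. Add it as a comment and check for callers that assumed the initial value was 0.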
3551 +@@ -395,8 +399,8 @@ void __init setup_bootmem_allocator(void
3552 + * the (very unlikely) case of us accidentally initializing the
3553 + * bootmem allocator with an invalid RAM area.
3554 + */
3555 +- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
3556 +- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
3557 ++ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
3558 ++ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
3559 +
3560 + /*
3561 + * reserve physical page 0 - it's a special BIOS page on many boxes,
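Review bot: reserving from LOAD_PHYSICAL_ADDR rather than __pa_symbol(_text) silently widens the reserved range whenever _text no longer sits at the load address, which the __KERNEL_TEXT_OFFSET changes elsewhere in this series imply. That is the safe direction, but add a comment saying the reservation deliberately starts at the physical load address so it covers the relocated text and everything below it.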
3562 +@@ -549,14 +553,14 @@ void __init setup_arch(char **cmdline_p)
3563 +
3564 + if (!MOUNT_ROOT_RDONLY)
3565 + root_mountflags &= ~MS_RDONLY;
3566 +- init_mm.start_code = (unsigned long) _text;
3567 +- init_mm.end_code = (unsigned long) _etext;
3568 ++ init_mm.start_code = (unsigned long) _text + __KERNEL_TEXT_OFFSET;
3569 ++ init_mm.end_code = (unsigned long) _etext + __KERNEL_TEXT_OFFSET;
3570 + init_mm.end_data = (unsigned long) _edata;
3571 + init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
3572 +
3573 +- code_resource.start = virt_to_phys(_text);
3574 +- code_resource.end = virt_to_phys(_etext)-1;
3575 +- data_resource.start = virt_to_phys(_etext);
3576 ++ code_resource.start = virt_to_phys(_text + __KERNEL_TEXT_OFFSET);
3577 ++ code_resource.end = virt_to_phys(_etext + __KERNEL_TEXT_OFFSET)-1;
3578 ++ data_resource.start = virt_to_phys(_data);
3579 + data_resource.end = virt_to_phys(_edata)-1;
3580 +
3581 + parse_early_param();
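Review bot: data_resource.start moves from virt_to_phys(_etext) to virt_to_phys(_data) while code_resource.end stays at _etext + __KERNEL_TEXT_OFFSET - 1; if _data does not immediately follow the shifted text there is now a gap between the two resources. The hunk does not show where `_data` is defined (linker script or sections.h), so confirm it is exported, and state whether init_mm.end_data staying at plain _edata, without the offset, is intended.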
3582 +@@ -651,3 +655,23 @@ void __init setup_arch(char **cmdline_p)
3583 + #endif
3584 + #endif
3585 + }
3586 ++
3587 ++unsigned long __per_cpu_offset[NR_CPUS] __read_only;
3588 ++
3589 ++EXPORT_SYMBOL(__per_cpu_offset);
3590 ++
3591 ++void __init setup_per_cpu_areas(void)
3592 ++{
3593 ++ unsigned long size, i;
3594 ++ char *ptr;
3595 ++
3596 ++ /* Copy section for each CPU (we discard the original) */
3597 ++ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
3598 ++ ptr = alloc_bootmem_pages(size * num_possible_cpus());
3599 ++
3600 ++ for_each_possible_cpu(i) {
3601 ++ __per_cpu_offset[i] = (unsigned long)ptr;
3602 ++ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
3603 ++ ptr += size;
3604 ++ }
3605 ++}
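Review bot: __per_cpu_offset[] is declared `__read_only` yet written in setup_per_cpu_areas(); this only works if the __read_only section remains writable until after init, which is not visible here and should be stated in a comment. Defining an arch-specific setup_per_cpu_areas() also requires the generic one in init/main.c to be compiled out; this hunk adds nothing on that side, so check the header part of the series. Minor: `unsigned long i` as the loop variable for for_each_possible_cpu() reads oddly; `int cpu` is the convention.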
3606 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/signal.c linux-2.6.23.15-grsec/arch/i386/kernel/signal.c
3607 +--- linux-2.6.23.15/arch/i386/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
3608 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
3609 +@@ -357,9 +357,9 @@ static int setup_frame(int sig, struct k
3610 + }
3611 +
3612 + if (current->binfmt->hasvdso)
3613 +- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
3614 ++ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
3615 + else
3616 +- restorer = (void *)&frame->retcode;
3617 ++ restorer = (void __user *)&frame->retcode;
3618 + if (ka->sa.sa_flags & SA_RESTORER)
3619 + restorer = ka->sa.sa_restorer;
3620 +
3621 +@@ -455,7 +455,8 @@ static int setup_rt_frame(int sig, struc
3622 + goto give_sigsegv;
3623 +
3624 + /* Set up to return from userspace. */
3625 +- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
3626 ++
3627 ++ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
3628 + if (ka->sa.sa_flags & SA_RESTORER)
3629 + restorer = ka->sa.sa_restorer;
3630 + err |= __put_user(restorer, &frame->pretcode);
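Review bot: the blank line inserted between the "Set up to return from userspace." comment and the assignment it describes separates them for no reason; the only substantive change in this hunk is the `__user` annotation. Drop the blank line.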
3631 +@@ -588,7 +589,7 @@ static void fastcall do_signal(struct pt
3632 + * before reaching here, so testing against kernel
3633 + * CS suffices.
3634 + */
3635 +- if (!user_mode(regs))
3636 ++ if (!user_mode_novm(regs))
3637 + return;
3638 +
3639 + if (test_thread_flag(TIF_RESTORE_SIGMASK))
3640 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smp.c linux-2.6.23.15-grsec/arch/i386/kernel/smp.c
3641 +--- linux-2.6.23.15/arch/i386/kernel/smp.c 2007-10-09 21:31:38.000000000 +0100
3642 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smp.c 2008-02-11 10:37:44.000000000 +0000
3643 +@@ -104,7 +104,7 @@
3644 + * about nothing of note with C stepping upwards.
3645 + */
3646 +
3647 +-DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
3648 ++DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
3649 +
3650 + /*
3651 + * the following functions deal with sending IPIs between CPUs.
3652 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpboot.c linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c
3653 +--- linux-2.6.23.15/arch/i386/kernel/smpboot.c 2007-10-09 21:31:38.000000000 +0100
3654 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c 2008-02-11 10:37:44.000000000 +0000
3655 +@@ -118,7 +118,7 @@ DEFINE_PER_CPU(int, cpu_state) = { 0 };
3656 + * has made sure it's suitably aligned.
3657 + */
3658 +
3659 +-static unsigned long __devinit setup_trampoline(void)
3660 ++static unsigned long __cpuinit setup_trampoline(void)
3661 + {
3662 + memcpy(trampoline_base, trampoline_data, trampoline_end - trampoline_data);
3663 + return virt_to_phys(trampoline_base);
3664 +@@ -772,6 +772,10 @@ static int __cpuinit do_boot_cpu(int api
3665 + unsigned long start_eip;
3666 + unsigned short nmi_high = 0, nmi_low = 0;
3667 +
3668 ++#ifdef CONFIG_PAX_KERNEXEC
3669 ++ unsigned long cr0;
3670 ++#endif
3671 ++
3672 + /*
3673 + * Save current MTRR state in case it was changed since early boot
3674 + * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
3675 +@@ -788,7 +792,16 @@ static int __cpuinit do_boot_cpu(int api
3676 +
3677 + init_gdt(cpu);
3678 + per_cpu(current_task, cpu) = idle;
3679 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
3680 ++
3681 ++#ifdef CONFIG_PAX_KERNEXEC
3682 ++ pax_open_kernel(cr0);
3683 ++#endif
3684 ++
3685 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
3686 ++
3687 ++#ifdef CONFIG_PAX_KERNEXEC
3688 ++ pax_close_kernel(cr0);
3689 ++#endif
3690 +
3691 + idle->thread.eip = (unsigned long) start_secondary;
3692 + /* start_eip had better be page-aligned! */
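Review bot: the pax_open_kernel()/pax_close_kernel() pair brackets a single store to early_gdt_descr.address, which is the right minimal window, but three separate `#ifdef CONFIG_PAX_KERNEXEC` blocks (the cr0 declaration in the previous hunk, the open, the close) for one statement are noisy; if the two helpers are no-ops when KERNEXEC is off, the ifdefs can go. The dropped `(unsigned long)` cast means early_gdt_descr.address is now a pointer type; that definition change is elsewhere in the series and should be referenced in the description.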
3693 +@@ -1105,7 +1118,7 @@ static void __init smp_boot_cpus(unsigne
3694 + * construct cpu_sibling_map[], so that we can tell sibling CPUs
3695 + * efficiently.
3696 + */
3697 +- for (cpu = 0; cpu < NR_CPUS; cpu++) {
3698 ++ for_each_possible_cpu(cpu) {
3699 + cpus_clear(cpu_sibling_map[cpu]);
3700 + cpus_clear(cpu_core_map[cpu]);
3701 + }
3702 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpcommon.c linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c
3703 +--- linux-2.6.23.15/arch/i386/kernel/smpcommon.c 2007-10-09 21:31:38.000000000 +0100
3704 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c 2008-02-11 10:37:44.000000000 +0000
3705 +@@ -3,6 +3,7 @@
3706 + */
3707 + #include <linux/module.h>
3708 + #include <asm/smp.h>
3709 ++#include <asm/sections.h>
3710 +
3711 + DEFINE_PER_CPU(unsigned long, this_cpu_off);
3712 + EXPORT_PER_CPU_SYMBOL(this_cpu_off);
3713 +@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
3714 + {
3715 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
3716 +
3717 +- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3718 +- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3719 +- __per_cpu_offset[cpu], 0xFFFFF,
3720 +- 0x80 | DESCTYPE_S | 0x2, 0x8);
3721 ++#ifdef CONFIG_PAX_KERNEXEC
3722 ++ unsigned long cr0;
3723 ++
3724 ++ pax_open_kernel(cr0);
3725 ++#endif
3726 ++
3727 ++ if (cpu)
3728 ++ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
3729 ++
3730 ++ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
3731 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3732 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3733 ++ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
3734 ++ 0x80 | DESCTYPE_S | 0x3, 0x4);
3735 ++ else
3736 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
3737 ++ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
3738 ++ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
3739 ++ 0x80 | DESCTYPE_S | 0x3, 0xC);
3740 ++
3741 ++#ifdef CONFIG_PAX_KERNEXEC
3742 ++ pax_close_kernel(cr0);
3743 ++#endif
3744 +
3745 + per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
3746 + per_cpu(cpu_number, cpu) = cpu;
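Review bot: the branch condition `PERCPU_ENOUGH_ROOM <= 64*1024*1024` does not match the descriptor encoding. The first branch uses byte granularity (flags 0x4), and a segment limit field is 20 bits, so it can express at most 1 MiB; for any PERCPU_ENOUGH_ROOM between 1 MiB and 64 MiB pack_descriptor() would truncate the limit and per-cpu accesses beyond it would #GP. The threshold should be `<= 1024*1024`, or the page-granular form (flags 0xC) should be used unconditionally. While here: the type nibble changes from 0x2 to 0x3 (accessed bit pre-set, needed once the GDT is read-only) and the limit drops from a flat 0xFFFFF-page segment to the per-cpu area itself, which is the real hardening in this hunk and deserves a comment; and `if (cpu) memcpy(gdt, cpu_gdt_table, GDT_SIZE)` should say why the boot GDT is copied for secondary CPUs here.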
3747 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/sys_i386.c linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c
3748 +--- linux-2.6.23.15/arch/i386/kernel/sys_i386.c 2007-10-09 21:31:38.000000000 +0100
3749 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c 2008-02-11 10:37:44.000000000 +0000
3750 +@@ -41,6 +41,21 @@ asmlinkage int sys_pipe(unsigned long __
3751 + return error;
3752 + }
3753 +
3754 ++int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
3755 ++{
3756 ++ unsigned long task_size = TASK_SIZE;
3757 ++
3758 ++#ifdef CONFIG_PAX_SEGMEXEC
3759 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
3760 ++ task_size = SEGMEXEC_TASK_SIZE;
3761 ++#endif
3762 ++
3763 ++ if (len > task_size || addr > task_size - len)
3764 ++ return -EINVAL;
3765 ++
3766 ++ return 0;
3767 ++}
3768 ++
3769 + asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
3770 + unsigned long prot, unsigned long flags,
3771 + unsigned long fd, unsigned long pgoff)
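Review bot: the order of the two tests in i386_mmap_check() matters and should be commented: `len > task_size` is checked first so that `task_size - len` in the second test cannot wrap, and `addr > task_size - len` then rejects any mapping that would cross the (SEGMEXEC-reduced) top of the user address space without ever computing addr + len. The helper returns -EINVAL, whereas the allocators in the next hunk return -ENOMEM for the same "does not fit" condition; pick one so callers see a consistent errno. The call site that wires this check into the mmap path is not in this hunk.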
3772 +@@ -100,6 +115,205 @@ out:
3773 + return err;
3774 + }
3775 +
3776 ++unsigned long
3777 ++arch_get_unmapped_area(struct file *filp, unsigned long addr,
3778 ++ unsigned long len, unsigned long pgoff, unsigned long flags)
3779 ++{
3780 ++ struct mm_struct *mm = current->mm;
3781 ++ struct vm_area_struct *vma;
3782 ++ unsigned long start_addr, task_size = TASK_SIZE;
3783 ++
3784 ++#ifdef CONFIG_PAX_SEGMEXEC
3785 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3786 ++ task_size = SEGMEXEC_TASK_SIZE;
3787 ++#endif
3788 ++
3789 ++ if (len > task_size)
3790 ++ return -ENOMEM;
3791 ++
3792 ++ if (flags & MAP_FIXED)
3793 ++ return addr;
3794 ++
3795 ++#ifdef CONFIG_PAX_RANDMMAP
3796 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
3797 ++#endif
3798 ++
3799 ++ if (addr) {
3800 ++ addr = PAGE_ALIGN(addr);
3801 ++ vma = find_vma(mm, addr);
3802 ++ if (task_size - len >= addr &&
3803 ++ (!vma || addr + len <= vma->vm_start))
3804 ++ return addr;
3805 ++ }
3806 ++ if (len > mm->cached_hole_size) {
3807 ++ start_addr = addr = mm->free_area_cache;
3808 ++ } else {
3809 ++ start_addr = addr = mm->mmap_base;
3810 ++ mm->cached_hole_size = 0;
3811 ++ }
3812 ++
3813 ++#ifdef CONFIG_PAX_PAGEEXEC
3814 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
3815 ++ start_addr = 0x00110000UL;
3816 ++
3817 ++#ifdef CONFIG_PAX_RANDMMAP
3818 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
3819 ++ start_addr += mm->delta_mmap & 0x03FFF000UL;
3820 ++#endif
3821 ++
3822 ++ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
3823 ++ start_addr = addr = mm->mmap_base;
3824 ++ else
3825 ++ addr = start_addr;
3826 ++ }
3827 ++#endif
3828 ++
3829 ++full_search:
3830 ++ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
3831 ++ /* At this point: (!vma || addr < vma->vm_end). */
3832 ++ if (task_size - len < addr) {
3833 ++ /*
3834 ++ * Start a new search - just in case we missed
3835 ++ * some holes.
3836 ++ */
3837 ++ if (start_addr != mm->mmap_base) {
3838 ++ start_addr = addr = mm->mmap_base;
3839 ++ mm->cached_hole_size = 0;
3840 ++ goto full_search;
3841 ++ }
3842 ++ return -ENOMEM;
3843 ++ }
3844 ++ if (!vma || addr + len <= vma->vm_start) {
3845 ++ /*
3846 ++ * Remember the place where we stopped the search:
3847 ++ */
3848 ++ mm->free_area_cache = addr + len;
3849 ++ return addr;
3850 ++ }
3851 ++ if (addr + mm->cached_hole_size < vma->vm_start)
3852 ++ mm->cached_hole_size = vma->vm_start - addr;
3853 ++ addr = vma->vm_end;
3854 ++ if (mm->start_brk <= addr && addr < mm->mmap_base) {
3855 ++ start_addr = addr = mm->mmap_base;
3856 ++ mm->cached_hole_size = 0;
3857 ++ goto full_search;
3858 ++ }
3859 ++ }
3860 ++}
3861 ++
3862 ++unsigned long
3863 ++arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
3864 ++ const unsigned long len, const unsigned long pgoff,
3865 ++ const unsigned long flags)
3866 ++{
3867 ++ struct vm_area_struct *vma;
3868 ++ struct mm_struct *mm = current->mm;
3869 ++ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
3870 ++
3871 ++#ifdef CONFIG_PAX_SEGMEXEC
3872 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3873 ++ task_size = SEGMEXEC_TASK_SIZE;
3874 ++#endif
3875 ++
3876 ++ /* requested length too big for entire address space */
3877 ++ if (len > task_size)
3878 ++ return -ENOMEM;
3879 ++
3880 ++ if (flags & MAP_FIXED)
3881 ++ return addr;
3882 ++
3883 ++#ifdef CONFIG_PAX_PAGEEXEC
3884 ++ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
3885 ++ goto bottomup;
3886 ++#endif
3887 ++
3888 ++#ifdef CONFIG_PAX_RANDMMAP
3889 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
3890 ++#endif
3891 ++
3892 ++ /* requesting a specific address */
3893 ++ if (addr) {
3894 ++ addr = PAGE_ALIGN(addr);
3895 ++ vma = find_vma(mm, addr);
3896 ++ if (task_size - len >= addr &&
3897 ++ (!vma || addr + len <= vma->vm_start))
3898 ++ return addr;
3899 ++ }
3900 ++
3901 ++ /* check if free_area_cache is useful for us */
3902 ++ if (len <= mm->cached_hole_size) {
3903 ++ mm->cached_hole_size = 0;
3904 ++ mm->free_area_cache = mm->mmap_base;
3905 ++ }
3906 ++
3907 ++ /* either no address requested or can't fit in requested address hole */
3908 ++ addr = mm->free_area_cache;
3909 ++
3910 ++ /* make sure it can fit in the remaining address space */
3911 ++ if (addr > len) {
3912 ++ vma = find_vma(mm, addr-len);
3913 ++ if (!vma || addr <= vma->vm_start)
3914 ++ /* remember the address as a hint for next time */
3915 ++ return (mm->free_area_cache = addr-len);
3916 ++ }
3917 ++
3918 ++ if (mm->mmap_base < len)
3919 ++ goto bottomup;
3920 ++
3921 ++ addr = mm->mmap_base-len;
3922 ++
3923 ++ do {
3924 ++ /*
3925 ++ * Lookup failure means no vma is above this address,
3926 ++ * else if new region fits below vma->vm_start,
3927 ++ * return with success:
3928 ++ */
3929 ++ vma = find_vma(mm, addr);
3930 ++ if (!vma || addr+len <= vma->vm_start)
3931 ++ /* remember the address as a hint for next time */
3932 ++ return (mm->free_area_cache = addr);
3933 ++
3934 ++ /* remember the largest hole we saw so far */
3935 ++ if (addr + mm->cached_hole_size < vma->vm_start)
3936 ++ mm->cached_hole_size = vma->vm_start - addr;
3937 ++
3938 ++ /* try just below the current vma->vm_start */
3939 ++ addr = vma->vm_start-len;
3940 ++ } while (len < vma->vm_start);
3941 ++
3942 ++bottomup:
3943 ++ /*
3944 ++ * A failed mmap() very likely causes application failure,
3945 ++ * so fall back to the bottom-up function here. This scenario
3946 ++ * can happen with large stack limits and large mmap()
3947 ++ * allocations.
3948 ++ */
3949 ++
3950 ++#ifdef CONFIG_PAX_SEGMEXEC
3951 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
3952 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
3953 ++ else
3954 ++#endif
3955 ++
3956 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
3957 ++
3958 ++#ifdef CONFIG_PAX_RANDMMAP
3959 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
3960 ++ mm->mmap_base += mm->delta_mmap;
3961 ++#endif
3962 ++
3963 ++ mm->free_area_cache = mm->mmap_base;
3964 ++ mm->cached_hole_size = ~0UL;
3965 ++ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
3966 ++ /*
3967 ++ * Restore the topdown base:
3968 ++ */
3969 ++ mm->mmap_base = base;
3970 ++ mm->free_area_cache = base;
3971 ++ mm->cached_hole_size = ~0UL;
3972 ++
3973 ++ return addr;
3974 ++}
3975 +
3976 + struct sel_arg_struct {
3977 + unsigned long n;
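Review bot: in both functions the `#ifdef CONFIG_PAX_RANDMMAP` block leaves a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` whose body is the unindented `if (addr) { ... }` that follows the `#endif` and a blank line. It compiles and means "only honour the address hint when randomisation is off for this mapping", but inserting any statement between the `#endif` and `if (addr)` silently changes what is conditional; brace the body or fold the condition into `if (addr && ...)`. Two smaller points: the bottom-up PAGEEXEC path hard-codes `0x00110000UL` and the mask `0x03FFF000UL` with no explanation of why executable mappings start there when NX is unavailable, so name them; and the topdown fallback rewrites mm->mmap_base, free_area_cache and cached_hole_size around the call to arch_get_unmapped_area() and restores them afterwards, which is only safe with mmap_sem held for writing (the mmap path does hold it, but say so in the comment).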
3978 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/syscall_table.S linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S
3979 +--- linux-2.6.23.15/arch/i386/kernel/syscall_table.S 2007-10-09 21:31:38.000000000 +0100
3980 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S 2008-02-11 10:37:44.000000000 +0000
3981 +@@ -1,3 +1,4 @@
3982 ++.section .rodata,"a",@progbits
3983 + ENTRY(sys_call_table)
3984 + .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
3985 + .long sys_exit
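Review bot: moving sys_call_table into .rodata is the point of this hunk and deserves a comment in the .S file: any runtime write to the table now faults instead of succeeding, which is the intended detection of syscall-table patching. The section directive is the first line of the file, so it applies to everything after it; today that is only the table, but a note to that effect prevents surprises if more symbols are added here later.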
3986 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/sysenter.c linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c
3987 +--- linux-2.6.23.15/arch/i386/kernel/sysenter.c 2007-10-09 21:31:38.000000000 +0100
3988 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c 2008-02-11 10:37:44.000000000 +0000
3989 +@@ -177,7 +177,7 @@ static __init void relocate_vdso(Elf32_E
3990 + void enable_sep_cpu(void)
3991 + {
3992 + int cpu = get_cpu();
3993 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
3994 ++ struct tss_struct *tss = init_tss + cpu;
3995 +
3996 + if (!boot_cpu_has(X86_FEATURE_SEP)) {
3997 + put_cpu();
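Review bot: `init_tss + cpu` replacing `&per_cpu(init_tss, cpu)` means init_tss has become a plain array rather than a per-cpu variable; that definition change is elsewhere in the series and should be mentioned in the description. Later hunks spell the same access as `&init_tss[cpu]` (traps.c) and `init_tss + get_cpu()` (vm86.c); pick one form.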
3998 +@@ -200,7 +200,7 @@ static int __init gate_vma_init(void)
3999 + gate_vma.vm_start = FIXADDR_USER_START;
4000 + gate_vma.vm_end = FIXADDR_USER_END;
4001 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
4002 +- gate_vma.vm_page_prot = __P101;
4003 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
4004 + /*
4005 + * Make sure the vDSO gets into every core dump.
4006 + * Dumping its contents makes post-mortem fully interpretable later
4007 +@@ -283,7 +283,7 @@ int arch_setup_additional_pages(struct l
4008 + if (compat)
4009 + addr = VDSO_HIGH_BASE;
4010 + else {
4011 +- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
4012 ++ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
4013 + if (IS_ERR_VALUE(addr)) {
4014 + ret = addr;
4015 + goto up_fail;
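Review bot: passing MAP_EXECUTABLE when placing the vDSO only has an effect because the arch_get_unmapped_area() rewrite in this patch inspects that flag to place executable mappings where segmentation-based PAGEEXEC can cover them when NX is unavailable. A comment at this call pointing to that behaviour keeps the two sites from drifting apart.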
4016 +@@ -308,7 +308,7 @@ int arch_setup_additional_pages(struct l
4017 + goto up_fail;
4018 + }
4019 +
4020 +- current->mm->context.vdso = (void *)addr;
4021 ++ current->mm->context.vdso = addr;
4022 + current_thread_info()->sysenter_return =
4023 + (void *)VDSO_SYM(&SYSENTER_RETURN);
4024 +
4025 +@@ -320,8 +320,14 @@ int arch_setup_additional_pages(struct l
4026 +
4027 + const char *arch_vma_name(struct vm_area_struct *vma)
4028 + {
4029 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
4030 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
4031 + return "[vdso]";
4032 ++
4033 ++#ifdef CONFIG_PAX_SEGMEXEC
4034 ++ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
4035 ++ return "[vdso]";
4036 ++#endif
4037 ++
4038 + return NULL;
4039 + }
4040 +
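Review bot: the SEGMEXEC branch checks vma->vm_mirror before dereferencing it, good, but vma->vm_mm is tested twice; a single `if (vma->vm_mm)` around both comparisons is clearer. It is also worth a comment that under SEGMEXEC the mirror VMA will presumably be reported as "[vdso]" too, since tools parsing /proc/PID/maps will then see the name twice.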
4041 +@@ -330,7 +336,7 @@ struct vm_area_struct *get_gate_vma(stru
4042 + struct mm_struct *mm = tsk->mm;
4043 +
4044 + /* Check to see if this task was created in compat vdso mode */
4045 +- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
4046 ++ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
4047 + return &gate_vma;
4048 + return NULL;
4049 + }
4050 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/time.c linux-2.6.23.15-grsec/arch/i386/kernel/time.c
4051 +--- linux-2.6.23.15/arch/i386/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
4052 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/time.c 2008-02-11 10:37:44.000000000 +0000
4053 +@@ -132,20 +132,30 @@ unsigned long profile_pc(struct pt_regs
4054 + if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
4055 + in_lock_functions(pc)) {
4056 + #ifdef CONFIG_FRAME_POINTER
4057 +- return *(unsigned long *)(regs->ebp + 4);
4058 ++ return *(unsigned long *)(regs->ebp + 4) + __KERNEL_TEXT_OFFSET;
4059 + #else
4060 + unsigned long *sp = (unsigned long *)&regs->esp;
4061 +
4062 + /* Return address is either directly at stack pointer
4063 + or above a saved eflags. Eflags has bits 22-31 zero,
4064 + kernel addresses don't. */
4065 ++
4066 ++#ifdef CONFIG_PAX_KERNEXEC
4067 ++ return sp[0] + __KERNEL_TEXT_OFFSET;
4068 ++#else
4069 + if (sp[0] >> 22)
4070 + return sp[0];
4071 + if (sp[1] >> 22)
4072 + return sp[1];
4073 + #endif
4074 ++
4075 ++#endif
4076 + }
4077 + #endif
4078 ++
4079 ++ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
4080 ++ pc += __KERNEL_TEXT_OFFSET;
4081 ++
4082 + return pc;
4083 + }
4084 + EXPORT_SYMBOL(profile_pc);
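Review bot: under CONFIG_PAX_KERNEXEC the non-frame-pointer path returns `sp[0] + __KERNEL_TEXT_OFFSET` unconditionally and drops the `>> 22` heuristic that distinguishes a return address from a saved eflags; the hunk does not say why the heuristic no longer applies (presumably the shifted text addresses no longer carry the high bits the test relied on). Add that reasoning as a comment. The `#endif` / blank line / `#endif` nesting is also hard to follow; annotate each `#endif` with its condition. The trailing `pc += __KERNEL_TEXT_OFFSET` is not double-applied, because the lock-function branch returns early, but a comment saying so would help.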
4085 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/traps.c linux-2.6.23.15-grsec/arch/i386/kernel/traps.c
4086 +--- linux-2.6.23.15/arch/i386/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
4087 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
4088 +@@ -31,6 +31,7 @@
4089 + #include <linux/uaccess.h>
4090 + #include <linux/nmi.h>
4091 + #include <linux/bug.h>
4092 ++#include <linux/binfmts.h>
4093 +
4094 + #ifdef CONFIG_EISA
4095 + #include <linux/ioport.h>
4096 +@@ -70,12 +71,7 @@ asmlinkage int system_call(void);
4097 + /* Do we ignore FPU interrupts ? */
4098 + char ignore_fpu_irq = 0;
4099 +
4100 +-/*
4101 +- * The IDT has to be page-aligned to simplify the Pentium
4102 +- * F0 0F bug workaround.. We have a special link segment
4103 +- * for this.
4104 +- */
4105 +-struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
4106 ++extern struct desc_struct idt_table[256];
4107 +
4108 + asmlinkage void divide_error(void);
4109 + asmlinkage void debug(void);
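Review bot: the removed comment explained that idt_table must be page-aligned for the F00F workaround; the definition now lives elsewhere (not in this hunk) and the later trap_init_f00f_bug() hunk still maps it through FIX_F00F_IDT, so the requirement has not gone away. Carry the comment over to wherever idt_table is now defined, or leave a one-line pointer next to the extern.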
4110 +@@ -297,7 +293,7 @@ void show_registers(struct pt_regs *regs
4111 + esp = (unsigned long) (&regs->esp);
4112 + savesegment(ss, ss);
4113 + savesegment(gs, gs);
4114 +- if (user_mode_vm(regs)) {
4115 ++ if (user_mode(regs)) {
4116 + in_kernel = 0;
4117 + esp = regs->esp;
4118 + ss = regs->xss & 0xffff;
4119 +@@ -329,17 +325,18 @@ void show_registers(struct pt_regs *regs
4120 + unsigned int code_prologue = code_bytes * 43 / 64;
4121 + unsigned int code_len = code_bytes;
4122 + unsigned char c;
4123 ++ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
4124 +
4125 + printk("\n" KERN_EMERG "Stack: ");
4126 + show_stack_log_lvl(NULL, regs, (unsigned long *)esp, KERN_EMERG);
4127 +
4128 + printk(KERN_EMERG "Code: ");
4129 +
4130 +- eip = (u8 *)regs->eip - code_prologue;
4131 ++ eip = (u8 *)regs->eip - code_prologue + cs_base;
4132 + if (eip < (u8 *)PAGE_OFFSET ||
4133 + probe_kernel_address(eip, c)) {
4134 + /* try starting at EIP */
4135 +- eip = (u8 *)regs->eip;
4136 ++ eip = (u8 *)regs->eip + cs_base;
4137 + code_len = code_len - code_prologue + 1;
4138 + }
4139 + for (i = 0; i < code_len; i++, eip++) {
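Review bot: `get_cpu_gdt_table(...)[(0xffff & regs->xcs) >> 3]` shifts away the selector's TI bit together with the RPL bits, so a CS selector that refers to the LDT (bit 2 set) is looked up in the GDT at the wrong index and cs_base is garbage. This is only the oops code-dump path, so the result is a misleading "Code:" line rather than a crash, but check `regs->xcs & 4` and skip the base adjustment for LDT selectors, or document the assumption that CS is always a GDT selector here.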
4140 +@@ -348,7 +345,7 @@ void show_registers(struct pt_regs *regs
4141 + printk(" Bad EIP value.");
4142 + break;
4143 + }
4144 +- if (eip == (u8 *)regs->eip)
4145 ++ if (eip == (u8 *)regs->eip + cs_base)
4146 + printk("<%02x> ", c);
4147 + else
4148 + printk("%02x ", c);
4149 +@@ -361,6 +358,7 @@ int is_valid_bugaddr(unsigned long eip)
4150 + {
4151 + unsigned short ud2;
4152 +
4153 ++ eip += __KERNEL_TEXT_OFFSET;
4154 + if (eip < PAGE_OFFSET)
4155 + return 0;
4156 + if (probe_kernel_address((unsigned short *)eip, ud2))
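Review bot: is_valid_bugaddr() now adjusts its own argument (`eip += __KERNEL_TEXT_OFFSET`) before the PAGE_OFFSET test, so a caller that passes an already-adjusted address would be double-shifted. State in a comment which convention the argument follows (unadjusted, as saved in regs->eip) so the other __KERNEL_TEXT_OFFSET sites in this series stay consistent.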
4157 +@@ -468,7 +466,7 @@ void die(const char * str, struct pt_reg
4158 +
4159 + static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
4160 + {
4161 +- if (!user_mode_vm(regs))
4162 ++ if (!user_mode(regs))
4163 + die(str, regs, err);
4164 + }
4165 +
4166 +@@ -484,7 +482,7 @@ static void __kprobes do_trap(int trapnr
4167 + goto trap_signal;
4168 + }
4169 +
4170 +- if (!user_mode(regs))
4171 ++ if (!user_mode_novm(regs))
4172 + goto kernel_trap;
4173 +
4174 + trap_signal: {
4175 +@@ -589,7 +587,7 @@ fastcall void __kprobes do_general_prote
4176 + long error_code)
4177 + {
4178 + int cpu = get_cpu();
4179 +- struct tss_struct *tss = &per_cpu(init_tss, cpu);
4180 ++ struct tss_struct *tss = &init_tss[cpu];
4181 + struct thread_struct *thread = &current->thread;
4182 +
4183 + /*
4184 +@@ -622,9 +620,25 @@ fastcall void __kprobes do_general_prote
4185 + if (regs->eflags & VM_MASK)
4186 + goto gp_in_vm86;
4187 +
4188 +- if (!user_mode(regs))
4189 ++ if (!user_mode_novm(regs))
4190 + goto gp_in_kernel;
4191 +
4192 ++#ifdef CONFIG_PAX_PAGEEXEC
4193 ++ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
4194 ++ struct mm_struct *mm = current->mm;
4195 ++ unsigned long limit;
4196 ++
4197 ++ down_write(&mm->mmap_sem);
4198 ++ limit = mm->context.user_cs_limit;
4199 ++ if (limit < TASK_SIZE) {
4200 ++ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
4201 ++ up_write(&mm->mmap_sem);
4202 ++ return;
4203 ++ }
4204 ++ up_write(&mm->mmap_sem);
4205 ++ }
4206 ++#endif
4207 ++
4208 + current->thread.error_code = error_code;
4209 + current->thread.trap_no = 13;
4210 + if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
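Review bot: this block returns from the #GP handler without signalling whenever mm->context.user_cs_limit < TASK_SIZE, regardless of whether the fault was caused by the CS limit. It relies on track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC) raising the limit to TASK_SIZE so that a repeated fault for any other reason takes the normal path on the second trap; that termination argument is not written down and should be, as should the reason the limit is widened all the way to TASK_SIZE rather than to the end of the faulting mapping. Taking mmap_sem for writing here is fine because this is the user-mode path, but say so.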
4211 +@@ -649,6 +663,13 @@ gp_in_kernel:
4212 + if (notify_die(DIE_GPF, "general protection fault", regs,
4213 + error_code, 13, SIGSEGV) == NOTIFY_STOP)
4214 + return;
4215 ++
4216 ++#ifdef CONFIG_PAX_KERNEXEC
4217 ++ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
4218 ++ die("PAX: suspicious general protection fault", regs, error_code);
4219 ++ else
4220 ++#endif
4221 ++
4222 + die("general protection fault", regs, error_code);
4223 + }
4224 + }
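Review bot: the `else` left dangling before `#endif` and a blank line makes the following `die("general protection fault", ...)` its body only when KERNEXEC is on; like the RANDMMAP construct in sys_i386.c this is correct but fragile. Select the message under the ifdef into a local `const char *msg` and make a single `die(msg, regs, error_code)` call. The hunk also gives no rationale for treating a #GP with __KERNEL_CS as suspicious; a comment stating what that condition indicates under KERNEXEC would help whoever sees the message in a log.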
4225 +@@ -738,7 +759,7 @@ void __kprobes die_nmi(struct pt_regs *r
4226 + /* If we are in kernel we are probably nested up pretty bad
4227 + * and might aswell get out now while we still can.
4228 + */
4229 +- if (!user_mode_vm(regs)) {
4230 ++ if (!user_mode(regs)) {
4231 + current->thread.trap_no = 2;
4232 + crash_kexec(regs);
4233 + }
4234 +@@ -885,7 +906,7 @@ fastcall void __kprobes do_debug(struct
4235 + * check for kernel mode by just checking the CPL
4236 + * of CS.
4237 + */
4238 +- if (!user_mode(regs))
4239 ++ if (!user_mode_novm(regs))
4240 + goto clear_TF_reenable;
4241 + }
4242 +
4243 +@@ -1063,18 +1084,14 @@ fastcall void do_spurious_interrupt_bug(
4244 + fastcall unsigned long patch_espfix_desc(unsigned long uesp,
4245 + unsigned long kesp)
4246 + {
4247 +- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
4248 + unsigned long base = (kesp - uesp) & -THREAD_SIZE;
4249 + unsigned long new_kesp = kesp - base;
4250 + unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
4251 +- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
4252 ++ __u32 a, b;
4253 ++
4254 + /* Set up base for espfix segment */
4255 +- desc &= 0x00f0ff0000000000ULL;
4256 +- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
4257 +- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
4258 +- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
4259 +- (lim_pages & 0xffff);
4260 +- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
4261 ++ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
4262 ++ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
4263 + return new_kesp;
4264 + }
4265 +
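Review bot: the old code preserved the type and flags bytes of the existing ESPFIX_SS entry (`desc &= 0x00f0ff0000000000ULL`) and only rewrote base and limit; the new code hard-codes type 0x93 and flags 0xC. Confirm those equal the static GDT entry (present, DPL 0, writable data, accessed, page-granular, 32-bit), since a mismatch would only surface when the espfix path is exercised. If write_gdt_entry() is what handles the read-only GDT (pax_open_kernel internally), a comment saying that is why the raw 64-bit store was replaced would make the intent of the hunk clear.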
4266 +@@ -1123,7 +1140,7 @@ void __init trap_init_f00f_bug(void)
4267 + * Update the IDT descriptor and reload the IDT so that
4268 + * it uses the read-only mapped virtual address.
4269 + */
4270 +- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
4271 ++ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
4272 + load_idt(&idt_descr);
4273 + }
4274 + #endif
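Review bot: the cast `(struct desc_struct *)fix_to_virt(FIX_F00F_IDT)` implies the patch changes the type of `idt_descr.address` from `unsigned long` to a pointer; every other user of that field (the head.S definition and any paravirt load_idt wrapper) has to be converted in the same patch, otherwise the build trades one warning for another. If only this one site needs the change, keeping the field's type and casting at the reader side is less invasive.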
4275 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/tsc.c linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c
4276 +--- linux-2.6.23.15/arch/i386/kernel/tsc.c 2008-02-11 10:36:03.000000000 +0000
4277 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c 2008-02-11 10:37:44.000000000 +0000
4278 +@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
4279 + DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
4280 + },
4281 + },
4282 +- {}
4283 ++ { NULL, NULL, {{0, NULL}}, NULL}
4284 + };
4285 +
4286 + /*
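Review bot: replacing the `{}` sentinel with `{ NULL, NULL, {{0, NULL}}, NULL}` in the dmi_system_id table has no functional effect (both zero-initialise the terminator); it is presumably there to silence a missing-field-initializers warning, but it hard-codes the layout of struct dmi_system_id and of its `matches[]` element, so it has to be touched whenever that struct changes and it will conflict with future upstream updates of this file. Either drop the hunk or state in the description which warning it addresses.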
4287 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vm86.c linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c
4288 +--- linux-2.6.23.15/arch/i386/kernel/vm86.c 2007-10-09 21:31:38.000000000 +0100
4289 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c 2008-02-11 10:37:44.000000000 +0000
4290 +@@ -148,7 +148,7 @@ struct pt_regs * fastcall save_v86_state
4291 + do_exit(SIGSEGV);
4292 + }
4293 +
4294 +- tss = &per_cpu(init_tss, get_cpu());
4295 ++ tss = init_tss + get_cpu();
4296 + current->thread.esp0 = current->thread.saved_esp0;
4297 + current->thread.sysenter_cs = __KERNEL_CS;
4298 + load_esp0(tss, &current->thread);
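Review bot: `&per_cpu(init_tss, get_cpu())` -> `init_tss + get_cpu()` in save_v86_state() (and in do_sys_vm86() in the next hunk) only compiles if init_tss is turned from a per-cpu variable into a plain array indexed by CPU number elsewhere in this patch; the two hunks are otherwise behaviour-neutral. get_cpu() still disables preemption, so the existing put_cpu() pairing in the unchanged surrounding code remains required; please say in the description that init_tss became an array so reviewers of the other arch files know what to look for.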
4299 +@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
4300 + tsk->thread.saved_fs = info->regs32->xfs;
4301 + savesegment(gs, tsk->thread.saved_gs);
4302 +
4303 +- tss = &per_cpu(init_tss, get_cpu());
4304 ++ tss = init_tss + get_cpu();
4305 + tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
4306 + if (cpu_has_sep)
4307 + tsk->thread.sysenter_cs = 0;
4308 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmi.c linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c
4309 +--- linux-2.6.23.15/arch/i386/kernel/vmi.c 2007-10-09 21:31:38.000000000 +0100
4310 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c 2008-02-11 10:37:44.000000000 +0000
4311 +@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
4312 + {
4313 + u64 reloc;
4314 + struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
4315 ++
4316 ++#ifdef CONFIG_PAX_KERNEXEC
4317 ++ unsigned long cr0;
4318 ++#endif
4319 ++
4320 + reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
4321 + switch(rel->type) {
4322 + case VMI_RELOCATION_CALL_REL:
4323 + BUG_ON(len < 5);
4324 ++
4325 ++#ifdef CONFIG_PAX_KERNEXEC
4326 ++ pax_open_kernel(cr0);
4327 ++#endif
4328 ++
4329 + *(char *)insnbuf = MNEM_CALL;
4330 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
4331 ++
4332 ++#ifdef CONFIG_PAX_KERNEXEC
4333 ++ pax_close_kernel(cr0);
4334 ++#endif
4335 ++
4336 + return 5;
4337 +
4338 + case VMI_RELOCATION_JUMP_REL:
4339 + BUG_ON(len < 5);
4340 ++
4341 ++#ifdef CONFIG_PAX_KERNEXEC
4342 ++ pax_open_kernel(cr0);
4343 ++#endif
4344 ++
4345 + *(char *)insnbuf = MNEM_JMP;
4346 + patch_offset(insnbuf, eip, (unsigned long)rel->eip);
4347 ++
4348 ++#ifdef CONFIG_PAX_KERNEXEC
4349 ++ pax_close_kernel(cr0);
4350 ++#endif
4351 ++
4352 + return 5;
4353 +
4354 + case VMI_RELOCATION_NOP:
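Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pairs around the `insnbuf` writes in the CALL_REL and JUMP_REL cases are needed because the buffer points into kernel text that KERNEXEC keeps read-only, but the window in which write protection is lifted is per-CPU state and nothing in the hunk disables preemption or interrupts around it. That is acceptable here only because paravirt patching runs early and single-threaded; a short comment saying so would stop the pattern being copied into a context where a migration or an interrupt inside the window could let an unrelated write to read-only memory succeed. A small helper that does `*(char *)insnbuf = mnem; patch_offset(insnbuf, eip, (unsigned long)rel->eip);` between open and close would also remove the four duplicated ifdef blocks.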
4355 +@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
4356 +
4357 + static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
4358 + {
4359 +- const pte_t pte = { 0 };
4360 ++ const pte_t pte = __pte(0ULL);
4361 + vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
4362 + vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
4363 + }
4364 +
4365 + static void vmi_pmd_clear(pmd_t *pmd)
4366 + {
4367 +- const pte_t pte = { 0 };
4368 ++ const pte_t pte = __pte(0ULL);
4369 + vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
4370 + vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
4371 + }
4372 +@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
4373 + ap.ss = __KERNEL_DS;
4374 + ap.esp = (unsigned long) start_esp;
4375 +
4376 +- ap.ds = __USER_DS;
4377 +- ap.es = __USER_DS;
4378 ++ ap.ds = __KERNEL_DS;
4379 ++ ap.es = __KERNEL_DS;
4380 + ap.fs = __KERNEL_PERCPU;
4381 + ap.gs = 0;
4382 +
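Review bot: changing the AP bring-up register set from `ap.ds = ap.es = __USER_DS` to `__KERNEL_DS` is the security-relevant part of this file: secondary CPUs now enter the kernel with the same data-segment selectors the patched entry code assumes elsewhere (compare the getuser.S and checksum.S hunks, which load __USER_DS only for the duration of the user access and restore the kernel selectors afterwards). Please call this out in the description; it is easy to miss inside a VMI-only file, and the same assumption has to hold for the non-VMI trampoline path.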
4383 +@@ -726,12 +751,20 @@ static inline int __init activate_vmi(vo
4384 + u64 reloc;
4385 + const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
4386 +
4387 ++#ifdef CONFIG_PAX_KERNEXEC
4388 ++ unsigned long cr0;
4389 ++#endif
4390 ++
4391 + if (call_vrom_func(vmi_rom, vmi_init) != 0) {
4392 + printk(KERN_ERR "VMI ROM failed to initialize!");
4393 + return 0;
4394 + }
4395 + savesegment(cs, kernel_cs);
4396 +
4397 ++#ifdef CONFIG_PAX_KERNEXEC
4398 ++ pax_open_kernel(cr0);
4399 ++#endif
4400 ++
4401 + paravirt_ops.paravirt_enabled = 1;
4402 + paravirt_ops.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
4403 +
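Review bot: the `pax_open_kernel(cr0)` inserted after `savesegment(cs, kernel_cs)` is not closed until the hunk roughly 190 lines later (after `para_fill(safe_halt, Halt)`), so every `return` or `goto` between the two must be audited: an early exit inside that span would leave write protection disabled on the boot CPU for the rest of the boot. The open is correctly placed after the `VMI ROM failed to initialize!` early return, but the visible hunks do not show the rest of activate_vmi(); a comment on the open ("closed after the last paravirt_ops store") or an `out:` label that performs the close would make the invariant explicit.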
4404 +@@ -910,6 +943,10 @@ static inline int __init activate_vmi(vo
4405 +
4406 + para_fill(safe_halt, Halt);
4407 +
4408 ++#ifdef CONFIG_PAX_KERNEXEC
4409 ++ pax_close_kernel(cr0);
4410 ++#endif
4411 ++
4412 + /*
4413 + * Alternative instruction rewriting doesn't happen soon enough
4414 + * to convert VMI_IRET to a call instead of a jump; so we have
4415 +diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S
4416 +--- linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S 2007-10-09 21:31:38.000000000 +0100
4417 ++++ linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S 2008-02-11 10:37:44.000000000 +0000
4418 +@@ -21,6 +21,13 @@
4419 + #include <asm/page.h>
4420 + #include <asm/cache.h>
4421 + #include <asm/boot.h>
4422 ++#include <asm/segment.h>
4423 ++
4424 ++#ifdef CONFIG_X86_PAE
4425 ++#define PMD_SHIFT 21
4426 ++#else
4427 ++#define PMD_SHIFT 22
4428 ++#endif
4429 +
4430 + OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
4431 + OUTPUT_ARCH(i386)
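Review bot: the local `#define PMD_SHIFT 21` / `22` under `CONFIG_X86_PAE` duplicates the values in asm/pgtable-3level-defs.h and asm/pgtable-2level-defs.h; if those headers cannot be included from the linker script, a comment pointing at them, and stating why the value is needed here (the `.module.text` region further down is aligned to a PMD boundary), would at least tie the copies together so a change to the page-table layout is not missed in this file.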
4432 +@@ -28,22 +35,124 @@ ENTRY(phys_startup_32)
4433 + jiffies = jiffies_64;
4434 +
4435 + PHDRS {
4436 +- text PT_LOAD FLAGS(5); /* R_E */
4437 +- data PT_LOAD FLAGS(7); /* RWE */
4438 +- note PT_NOTE FLAGS(0); /* ___ */
4439 ++ initdata PT_LOAD FLAGS(6); /* RW_ */
4440 ++ percpu PT_LOAD FLAGS(6); /* RW_ */
4441 ++ inittext PT_LOAD FLAGS(5); /* R_E */
4442 ++ text PT_LOAD FLAGS(5); /* R_E */
4443 ++ rodata PT_LOAD FLAGS(4); /* R__ */
4444 ++ data PT_LOAD FLAGS(6); /* RW_ */
4445 ++ note PT_NOTE FLAGS(0); /* ___ */
4446 + }
4447 + SECTIONS
4448 + {
4449 + . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
4450 +- phys_startup_32 = startup_32 - LOAD_OFFSET;
4451 +
4452 +- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
4453 +- _text = .; /* Text and read-only data */
4454 ++ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
4455 ++ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
4456 ++ *(.text.startup)
4457 ++ } :initdata
4458 ++
4459 ++ /* might get freed after init */
4460 ++ . = ALIGN(4096);
4461 ++ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
4462 ++ __smp_locks = .;
4463 ++ *(.smp_locks)
4464 ++ __smp_locks_end = .;
4465 ++ }
4466 ++ /* will be freed after init
4467 ++ * Following ALIGN() is required to make sure no other data falls on the
4468 ++ * same page where __smp_alt_end is pointing as that page might be freed
4469 ++ * after boot. Always make sure that ALIGN() directive is present after
4470 ++ * the section which contains __smp_alt_end.
4471 ++ */
4472 ++ . = ALIGN(4096);
4473 ++
4474 ++ /* will be freed after init */
4475 ++ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
4476 ++ __init_begin = .;
4477 ++ *(.init.data)
4478 ++ }
4479 ++ . = ALIGN(16);
4480 ++ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
4481 ++ __setup_start = .;
4482 ++ *(.init.setup)
4483 ++ __setup_end = .;
4484 ++ }
4485 ++ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
4486 ++ __initcall_start = .;
4487 ++ INITCALLS
4488 ++ __initcall_end = .;
4489 ++ }
4490 ++ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
4491 ++ __con_initcall_start = .;
4492 ++ *(.con_initcall.init)
4493 ++ __con_initcall_end = .;
4494 ++ }
4495 ++ SECURITY_INIT
4496 ++ . = ALIGN(4);
4497 ++ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
4498 ++ __alt_instructions = .;
4499 ++ *(.altinstructions)
4500 ++ __alt_instructions_end = .;
4501 ++ }
4502 ++ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
4503 ++ *(.altinstr_replacement)
4504 ++ }
4505 ++ . = ALIGN(4);
4506 ++ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
4507 ++ __parainstructions = .;
4508 ++ *(.parainstructions)
4509 ++ __parainstructions_end = .;
4510 ++ }
4511 ++ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
4512 ++#if defined(CONFIG_BLK_DEV_INITRD)
4513 ++ . = ALIGN(4096);
4514 ++ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
4515 ++ __initramfs_start = .;
4516 ++ *(.init.ramfs)
4517 ++ __initramfs_end = .;
4518 ++ }
4519 ++#endif
4520 ++ . = ALIGN(4096);
4521 ++ per_cpu_start = .;
4522 ++ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
4523 ++ __per_cpu_start = . + per_cpu_start;
4524 ++ LONG(0)
4525 ++ *(.data.percpu)
4526 ++ *(.data.percpu.shared_aligned)
4527 ++ __per_cpu_end = . + per_cpu_start;
4528 ++ } :percpu
4529 ++ . += per_cpu_start;
4530 ++
4531 ++ /* read-only */
4532 ++
4533 ++ . = ALIGN(4096); /* Init code and data */
4534 ++ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4535 ++ _sinittext = .;
4536 ++ *(.init.text)
4537 ++ _einittext = .;
4538 ++ } :inittext
4539 ++
4540 ++ /* .exit.text is discard at runtime, not link time, to deal with references
4541 ++ from .altinstructions and .eh_frame */
4542 ++ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
4543 ++
4544 ++ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4545 ++ BYTE(0)
4546 ++ . = ALIGN(4*1024*1024) - 1;
4547 ++ }
4548 ++
4549 ++ /* freed after init ends here */
4550 ++
4551 ++ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4552 ++ __init_end = . + __KERNEL_TEXT_OFFSET;
4553 ++ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
4554 ++ _text = .; /* Text and read-only data */
4555 + *(.text.head)
4556 + } :text = 0x9090
4557 +
4558 + /* read-only */
4559 +- .text : AT(ADDR(.text) - LOAD_OFFSET) {
4560 ++ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
4561 + TEXT_TEXT
4562 + SCHED_TEXT
4563 + LOCK_TEXT
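Review bot: `.text.startup` (which contains `startup_32`, the ELF entry point) is placed in the new `initdata` PT_LOAD whose flags are `FLAGS(6)` RW_, i.e. not executable. The startup code runs before paging is enabled so the kernel itself never enforces those flags, but a loader or tool that honours PT_LOAD permissions will refuse to jump there; a comment on the PHDRS block saying the flags on `initdata` are deliberate would prevent a later well-meaning "fix". The rest of the PHDRS change is the point of the patch and belongs in the description: `data` drops from RWE to RW_, a separate `rodata` segment is R__, and `inittext`/`text` are R_E, which is the W^X split the patch is after. Note also that `__init_end` now lives inside `.text.head` (written as `. + __KERNEL_TEXT_OFFSET` because the text sections are linked at a VMA shifted down by that offset), so the [__init_begin, __init_end) range that free_initmem() releases now spans .init.data, the initcall tables, .altinstructions, the per-cpu template, .init.text and the `.filler` padding up to the 4 MiB boundary; everything in that range must be safe to free after boot, and .smp_locks, which precedes `__init_begin`, is deliberately excluded.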
4564 +@@ -53,16 +162,17 @@ SECTIONS
4565 + _etext = .; /* End of text section */
4566 + } :text = 0x9090
4567 +
4568 +- . = ALIGN(16); /* Exception table */
4569 ++ . += __KERNEL_TEXT_OFFSET;
4570 ++ . = ALIGN(4096); /* Exception table */
4571 + __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
4572 + __start___ex_table = .;
4573 + *(__ex_table)
4574 + __stop___ex_table = .;
4575 +- }
4576 ++ } :rodata
4577 +
4578 +- NOTES :text :note
4579 ++ NOTES :rodata :note
4580 +
4581 +- BUG_TABLE :text
4582 ++ BUG_TABLE :rodata
4583 +
4584 + . = ALIGN(4);
4585 + .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
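Review bot: moving `__ex_table`, `NOTES` and `BUG_TABLE` from `:text` into `:rodata` is a good change (the fault-fixup table sits in a read-only mapping and can no longer be altered by a stray kernel write), but two lines in this hunk need a comment or they will be "simplified" away at the next upstream merge: the alignment bump from `ALIGN(16)` to `ALIGN(4096)`, which is required because `__ex_table` now starts a new PT_LOAD, and `. += __KERNEL_TEXT_OFFSET;`, which undoes the VMA shift applied at `.init.text (. - __KERNEL_TEXT_OFFSET)` so that everything after the text is linked at its normal address again.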
4586 +@@ -73,9 +183,36 @@ SECTIONS
4587 +
4588 + RODATA
4589 +
4590 ++ . = ALIGN(4096);
4591 ++ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
4592 ++ *(.idt)
4593 ++ . = ALIGN(4096);
4594 ++ *(.empty_zero_page)
4595 ++ *(.swapper_pm_dir)
4596 ++ *(.swapper_pg_dir)
4597 ++ }
4598 ++
4599 ++#ifdef CONFIG_PAX_KERNEXEC
4600 ++
4601 ++#ifdef CONFIG_MODULES
4602 ++ . = ALIGN(4096);
4603 ++ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
4604 ++ MODULES_VADDR = .;
4605 ++ BYTE(0)
4606 ++ . += (6 * 1024 * 1024);
4607 ++ . = ALIGN(1 << PMD_SHIFT) - 1;
4608 ++ MODULES_END = .;
4609 ++ }
4610 ++#else
4611 ++ . = ALIGN(1 << PMD_SHIFT) - 1;
4612 ++#endif
4613 ++
4614 ++#endif
4615 ++
4616 + /* writeable */
4617 + . = ALIGN(4096);
4618 + .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
4619 ++ _data = .;
4620 + DATA_DATA
4621 + CONSTRUCTORS
4622 + } :data
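Review bot: the `.module.text` reservation is a hard, undocumented capacity limit: `BYTE(0); . += (6 * 1024 * 1024);` followed by `. = ALIGN(1 << PMD_SHIFT) - 1;` fixes MODULES_VADDR..MODULES_END to roughly 6 MiB rounded up to a PMD, with no Kconfig knob to size it. Module loads beyond that total will fail, which is a behaviour change users of CONFIG_PAX_KERNEXEC with CONFIG_MODULES need to know about; please document it in the Kconfig help and consider making the size configurable. Separately, `*(.swapper_pg_dir)`, `*(.swapper_pm_dir)` and `*(.empty_zero_page)` now land in `.rodata.page_aligned` inside the R__ segment, which only works if every run-time writer of the initial page directory (for example vmalloc populating init_mm's page tables) goes through the patch's open/close-kernel helpers; a pointer to where that is handled would help reviewers of the mm/ side.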
4623 +@@ -91,7 +228,6 @@ SECTIONS
4624 + . = ALIGN(4096);
4625 + .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
4626 + *(.data.page_aligned)
4627 +- *(.data.idt)
4628 + }
4629 +
4630 + . = ALIGN(32);
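Review bot: `*(.data.idt)` is dropped here while the earlier hunk collects `*(.idt)` into `.rodata.page_aligned`; the rename of the input section has to be mirrored in the `__attribute__((section(...)))` or head.S directive that emits the IDT, otherwise the table ends up in an orphan section that the linker places wherever it likes and the read-only-IDT property this move is meant to provide is silently lost. Worth verifying after the build with `readelf -S vmlinux` that no standalone `.idt` or `.data.idt` output section exists.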
4631 +@@ -111,86 +247,7 @@ SECTIONS
4632 + *(.data.init_task)
4633 + }
4634 +
4635 +- /* might get freed after init */
4636 +- . = ALIGN(4096);
4637 +- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
4638 +- __smp_locks = .;
4639 +- *(.smp_locks)
4640 +- __smp_locks_end = .;
4641 +- }
4642 +- /* will be freed after init
4643 +- * Following ALIGN() is required to make sure no other data falls on the
4644 +- * same page where __smp_alt_end is pointing as that page might be freed
4645 +- * after boot. Always make sure that ALIGN() directive is present after
4646 +- * the section which contains __smp_alt_end.
4647 +- */
4648 +- . = ALIGN(4096);
4649 +-
4650 +- /* will be freed after init */
4651 +- . = ALIGN(4096); /* Init code and data */
4652 +- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
4653 +- __init_begin = .;
4654 +- _sinittext = .;
4655 +- *(.init.text)
4656 +- _einittext = .;
4657 +- }
4658 +- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
4659 +- . = ALIGN(16);
4660 +- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
4661 +- __setup_start = .;
4662 +- *(.init.setup)
4663 +- __setup_end = .;
4664 +- }
4665 +- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
4666 +- __initcall_start = .;
4667 +- INITCALLS
4668 +- __initcall_end = .;
4669 +- }
4670 +- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
4671 +- __con_initcall_start = .;
4672 +- *(.con_initcall.init)
4673 +- __con_initcall_end = .;
4674 +- }
4675 +- SECURITY_INIT
4676 +- . = ALIGN(4);
4677 +- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
4678 +- __alt_instructions = .;
4679 +- *(.altinstructions)
4680 +- __alt_instructions_end = .;
4681 +- }
4682 +- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
4683 +- *(.altinstr_replacement)
4684 +- }
4685 +- . = ALIGN(4);
4686 +- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
4687 +- __parainstructions = .;
4688 +- *(.parainstructions)
4689 +- __parainstructions_end = .;
4690 +- }
4691 +- /* .exit.text is discard at runtime, not link time, to deal with references
4692 +- from .altinstructions and .eh_frame */
4693 +- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
4694 +- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
4695 +-#if defined(CONFIG_BLK_DEV_INITRD)
4696 +- . = ALIGN(4096);
4697 +- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
4698 +- __initramfs_start = .;
4699 +- *(.init.ramfs)
4700 +- __initramfs_end = .;
4701 +- }
4702 +-#endif
4703 +- . = ALIGN(4096);
4704 +- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
4705 +- __per_cpu_start = .;
4706 +- *(.data.percpu)
4707 +- *(.data.percpu.shared_aligned)
4708 +- __per_cpu_end = .;
4709 +- }
4710 +- . = ALIGN(4096);
4711 +- /* freed after init ends here */
4712 +-
4713 + .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
4714 +- __init_end = .;
4715 + __bss_start = .; /* BSS */
4716 + *(.bss.page_aligned)
4717 + *(.bss)
4718 +diff -Nurp linux-2.6.23.15/arch/i386/lib/checksum.S linux-2.6.23.15-grsec/arch/i386/lib/checksum.S
4719 +--- linux-2.6.23.15/arch/i386/lib/checksum.S 2007-10-09 21:31:38.000000000 +0100
4720 ++++ linux-2.6.23.15-grsec/arch/i386/lib/checksum.S 2008-02-11 10:37:44.000000000 +0000
4721 +@@ -28,7 +28,8 @@
4722 + #include <linux/linkage.h>
4723 + #include <asm/dwarf2.h>
4724 + #include <asm/errno.h>
4725 +-
4726 ++#include <asm/segment.h>
4727 ++
4728 + /*
4729 + * computes a partial checksum, e.g. for TCP/UDP fragments
4730 + */
4731 +@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
4732 +
4733 + #define ARGBASE 16
4734 + #define FP 12
4735 +-
4736 +-ENTRY(csum_partial_copy_generic)
4737 ++
4738 ++ENTRY(csum_partial_copy_generic_to_user)
4739 + CFI_STARTPROC
4740 ++ pushl $(__USER_DS)
4741 ++ CFI_ADJUST_CFA_OFFSET 4
4742 ++ popl %es
4743 ++ CFI_ADJUST_CFA_OFFSET -4
4744 ++ jmp csum_partial_copy_generic
4745 ++
4746 ++ENTRY(csum_partial_copy_generic_from_user)
4747 ++ pushl $(__USER_DS)
4748 ++ CFI_ADJUST_CFA_OFFSET 4
4749 ++ popl %ds
4750 ++ CFI_ADJUST_CFA_OFFSET -4
4751 ++
4752 ++ENTRY(csum_partial_copy_generic)
4753 + subl $4,%esp
4754 + CFI_ADJUST_CFA_OFFSET 4
4755 + pushl %edi
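Review bot: `csum_partial_copy_generic` keeps its symbol but now silently assumes the caller has loaded the right segments: the new `_to_user` entry sets `%es` to `__USER_DS` and jumps, `_from_user` sets `%ds` and falls through. Every caller in asm/checksum.h (the csum_partial_copy_from_user / csum_and_copy_to_user wrappers) must be redirected to the new entries in the same patch, and the old symbol should probably stop being exported so out-of-tree code cannot keep calling it with kernel segments. Two smaller points: `ENDPROC` at the bottom of the routine is renamed to `_to_user`, so `_from_user` and the generic entry get no `.size`, which degrades symbolisation in oops traces; and a one-line comment stating the convention ("loads use %ds, stores use an explicit %es: override") would explain the many mechanical `%es:` edits that follow.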
4756 +@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
4757 + jmp 4f
4758 + SRC(1: movw (%esi), %bx )
4759 + addl $2, %esi
4760 +-DST( movw %bx, (%edi) )
4761 ++DST( movw %bx, %es:(%edi) )
4762 + addl $2, %edi
4763 + addw %bx, %ax
4764 + adcl $0, %eax
4765 +@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
4766 + SRC(1: movl (%esi), %ebx )
4767 + SRC( movl 4(%esi), %edx )
4768 + adcl %ebx, %eax
4769 +-DST( movl %ebx, (%edi) )
4770 ++DST( movl %ebx, %es:(%edi) )
4771 + adcl %edx, %eax
4772 +-DST( movl %edx, 4(%edi) )
4773 ++DST( movl %edx, %es:4(%edi) )
4774 +
4775 + SRC( movl 8(%esi), %ebx )
4776 + SRC( movl 12(%esi), %edx )
4777 + adcl %ebx, %eax
4778 +-DST( movl %ebx, 8(%edi) )
4779 ++DST( movl %ebx, %es:8(%edi) )
4780 + adcl %edx, %eax
4781 +-DST( movl %edx, 12(%edi) )
4782 ++DST( movl %edx, %es:12(%edi) )
4783 +
4784 + SRC( movl 16(%esi), %ebx )
4785 + SRC( movl 20(%esi), %edx )
4786 + adcl %ebx, %eax
4787 +-DST( movl %ebx, 16(%edi) )
4788 ++DST( movl %ebx, %es:16(%edi) )
4789 + adcl %edx, %eax
4790 +-DST( movl %edx, 20(%edi) )
4791 ++DST( movl %edx, %es:20(%edi) )
4792 +
4793 + SRC( movl 24(%esi), %ebx )
4794 + SRC( movl 28(%esi), %edx )
4795 + adcl %ebx, %eax
4796 +-DST( movl %ebx, 24(%edi) )
4797 ++DST( movl %ebx, %es:24(%edi) )
4798 + adcl %edx, %eax
4799 +-DST( movl %edx, 28(%edi) )
4800 ++DST( movl %edx, %es:28(%edi) )
4801 +
4802 + lea 32(%esi), %esi
4803 + lea 32(%edi), %edi
4804 +@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
4805 + shrl $2, %edx # This clears CF
4806 + SRC(3: movl (%esi), %ebx )
4807 + adcl %ebx, %eax
4808 +-DST( movl %ebx, (%edi) )
4809 ++DST( movl %ebx, %es:(%edi) )
4810 + lea 4(%esi), %esi
4811 + lea 4(%edi), %edi
4812 + dec %edx
4813 +@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
4814 + jb 5f
4815 + SRC( movw (%esi), %cx )
4816 + leal 2(%esi), %esi
4817 +-DST( movw %cx, (%edi) )
4818 ++DST( movw %cx, %es:(%edi) )
4819 + leal 2(%edi), %edi
4820 + je 6f
4821 + shll $16,%ecx
4822 + SRC(5: movb (%esi), %cl )
4823 +-DST( movb %cl, (%edi) )
4824 ++DST( movb %cl, %es:(%edi) )
4825 + 6: addl %ecx, %eax
4826 + adcl $0, %eax
4827 + 7:
4828 +@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
4829 +
4830 + 6001:
4831 + movl ARGBASE+20(%esp), %ebx # src_err_ptr
4832 +- movl $-EFAULT, (%ebx)
4833 ++ movl $-EFAULT, %ss:(%ebx)
4834 +
4835 + # zero the complete destination - computing the rest
4836 + # is too much work
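Review bot: the `%ss:` override on `movl $-EFAULT, %ss:(%ebx)` needs a comment: at this point `%ds` may still be `__USER_DS` (from the `_from_user` entry) while `src_err_ptr` is a kernel pointer, so the store must go through a segment that still covers the kernel, and `%ss` is the only one guaranteed to. The `rep; stosb` that zeroes the destination just below is correct without an override only because string stores implicitly use `%es:`, which is the segment the `_to_user` entry prepared; that asymmetry is worth one line too.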
4837 +@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
4838 +
4839 + 6002:
4840 + movl ARGBASE+24(%esp), %ebx # dst_err_ptr
4841 +- movl $-EFAULT,(%ebx)
4842 ++ movl $-EFAULT,%ss:(%ebx)
4843 + jmp 5000b
4844 +
4845 + .previous
4846 +
4847 ++ pushl %ss
4848 ++ CFI_ADJUST_CFA_OFFSET 4
4849 ++ popl %ds
4850 ++ CFI_ADJUST_CFA_OFFSET -4
4851 ++ pushl %ss
4852 ++ CFI_ADJUST_CFA_OFFSET 4
4853 ++ popl %es
4854 ++ CFI_ADJUST_CFA_OFFSET -4
4855 + popl %ebx
4856 + CFI_ADJUST_CFA_OFFSET -4
4857 + CFI_RESTORE ebx
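Review bot: the `pushl %ss / popl %ds / pushl %ss / popl %es` epilogue relies on the fixup paths (`6001:`, `6002:`) ending in `jmp 5000b` / `jmp 7b`, which land before this sequence, so that an -EFAULT return also hands kernel segments back to the C caller; that invariant is not stated anywhere and is easy to break when editing the `.fixup` section. A comment here, or a shared restore-kernel-segments macro used by both the checksum and getuser/putuser files, would make it explicit; a macro would also keep the CFI annotations consistent (this file adjusts the CFA for the segment pushes, the getuser.S hunks below do not).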
4858 +@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
4859 + CFI_ADJUST_CFA_OFFSET -4
4860 + ret
4861 + CFI_ENDPROC
4862 +-ENDPROC(csum_partial_copy_generic)
4863 ++ENDPROC(csum_partial_copy_generic_to_user)
4864 +
4865 + #else
4866 +
4867 + /* Version for PentiumII/PPro */
4868 +
4869 + #define ROUND1(x) \
4870 ++ nop; nop; nop; \
4871 + SRC(movl x(%esi), %ebx ) ; \
4872 + addl %ebx, %eax ; \
4873 +- DST(movl %ebx, x(%edi) ) ;
4874 ++ DST(movl %ebx, %es:x(%edi)) ;
4875 +
4876 + #define ROUND(x) \
4877 ++ nop; nop; nop; \
4878 + SRC(movl x(%esi), %ebx ) ; \
4879 + adcl %ebx, %eax ; \
4880 +- DST(movl %ebx, x(%edi) ) ;
4881 ++ DST(movl %ebx, %es:x(%edi)) ;
4882 +
4883 + #define ARGBASE 12
4884 +-
4885 +-ENTRY(csum_partial_copy_generic)
4886 ++
4887 ++ENTRY(csum_partial_copy_generic_to_user)
4888 + CFI_STARTPROC
4889 ++ pushl $(__USER_DS)
4890 ++ CFI_ADJUST_CFA_OFFSET 4
4891 ++ popl %es
4892 ++ CFI_ADJUST_CFA_OFFSET -4
4893 ++ jmp csum_partial_copy_generic
4894 ++
4895 ++ENTRY(csum_partial_copy_generic_from_user)
4896 ++ pushl $(__USER_DS)
4897 ++ CFI_ADJUST_CFA_OFFSET 4
4898 ++ popl %ds
4899 ++ CFI_ADJUST_CFA_OFFSET -4
4900 ++
4901 ++ENTRY(csum_partial_copy_generic)
4902 + pushl %ebx
4903 + CFI_ADJUST_CFA_OFFSET 4
4904 + CFI_REL_OFFSET ebx, 0
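Review bot: the three `nop`s added to `ROUND1(x)` and `ROUND(x)` are not padding for its own sake: the unrolled loop is entered by a computed jump, and the `%es:` prefix grows the `DST(movl %ebx, %es:x(%edi))` store from 3 to 4 bytes, so each round becomes 9 bytes and is padded to 12 to match the `lea 3f(%ebx,%ebx,2), %ebx` (three times the count) in the next hunk, which replaces the previous 8-byte stride of `lea 3f(%ebx,%ebx)`. This coupling is invisible in the source; please add a comment next to the macros stating the required round size, otherwise a future edit to the macro body, or a different encoding chosen by the assembler for the displacement, would silently corrupt the jump target.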
4905 +@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
4906 + subl %ebx, %edi
4907 + lea -1(%esi),%edx
4908 + andl $-32,%edx
4909 +- lea 3f(%ebx,%ebx), %ebx
4910 ++ lea 3f(%ebx,%ebx,2), %ebx
4911 + testl %esi, %esi
4912 + jmp *%ebx
4913 + 1: addl $64,%esi
4914 +@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
4915 + jb 5f
4916 + SRC( movw (%esi), %dx )
4917 + leal 2(%esi), %esi
4918 +-DST( movw %dx, (%edi) )
4919 ++DST( movw %dx, %es:(%edi) )
4920 + leal 2(%edi), %edi
4921 + je 6f
4922 + shll $16,%edx
4923 + 5:
4924 + SRC( movb (%esi), %dl )
4925 +-DST( movb %dl, (%edi) )
4926 ++DST( movb %dl, %es:(%edi) )
4927 + 6: addl %edx, %eax
4928 + adcl $0, %eax
4929 + 7:
4930 + .section .fixup, "ax"
4931 + 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
4932 +- movl $-EFAULT, (%ebx)
4933 ++ movl $-EFAULT, %ss:(%ebx)
4934 + # zero the complete destination (computing the rest is too much work)
4935 + movl ARGBASE+8(%esp),%edi # dst
4936 + movl ARGBASE+12(%esp),%ecx # len
4937 +@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
4938 + rep; stosb
4939 + jmp 7b
4940 + 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
4941 +- movl $-EFAULT, (%ebx)
4942 ++ movl $-EFAULT, %ss:(%ebx)
4943 + jmp 7b
4944 + .previous
4945 +
4946 ++ pushl %ss
4947 ++ CFI_ADJUST_CFA_OFFSET 4
4948 ++ popl %ds
4949 ++ CFI_ADJUST_CFA_OFFSET -4
4950 ++ pushl %ss
4951 ++ CFI_ADJUST_CFA_OFFSET 4
4952 ++ popl %es
4953 ++ CFI_ADJUST_CFA_OFFSET -4
4954 + popl %esi
4955 + CFI_ADJUST_CFA_OFFSET -4
4956 + CFI_RESTORE esi
4957 +@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
4958 + CFI_RESTORE ebx
4959 + ret
4960 + CFI_ENDPROC
4961 +-ENDPROC(csum_partial_copy_generic)
4962 ++ENDPROC(csum_partial_copy_generic_to_user)
4963 +
4964 + #undef ROUND
4965 + #undef ROUND1
4966 +diff -Nurp linux-2.6.23.15/arch/i386/lib/getuser.S linux-2.6.23.15-grsec/arch/i386/lib/getuser.S
4967 +--- linux-2.6.23.15/arch/i386/lib/getuser.S 2007-10-09 21:31:38.000000000 +0100
4968 ++++ linux-2.6.23.15-grsec/arch/i386/lib/getuser.S 2008-02-11 10:37:44.000000000 +0000
4969 +@@ -11,7 +11,7 @@
4970 + #include <linux/linkage.h>
4971 + #include <asm/dwarf2.h>
4972 + #include <asm/thread_info.h>
4973 +-
4974 ++#include <asm/segment.h>
4975 +
4976 + /*
4977 + * __get_user_X
4978 +@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
4979 + GET_THREAD_INFO(%edx)
4980 + cmpl TI_addr_limit(%edx),%eax
4981 + jae bad_get_user
4982 ++ pushl $(__USER_DS)
4983 ++ popl %ds
4984 + 1: movzbl (%eax),%edx
4985 ++ pushl %ss
4986 ++ pop %ds
4987 + xorl %eax,%eax
4988 + ret
4989 + CFI_ENDPROC
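Review bot: the `pushl $(__USER_DS) / popl %ds` before the user load and `pushl %ss / pop %ds` after it carry no `CFI_ADJUST_CFA_OFFSET` annotations, unlike the same sequences in checksum.S, so the unwinder's CFA is off by 4 for the faulting instruction, which is precisely the one that appears in an oops. Please add the annotations and use `popl` consistently rather than mixing `popl` and `pop`. Functionally the change is sound: the segment is widened only for the single load at label `1:`, and the exception-table fixup for that label goes to bad_get_user, which restores `%ds` in a later hunk.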
4990 +@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
4991 + GET_THREAD_INFO(%edx)
4992 + cmpl TI_addr_limit(%edx),%eax
4993 + jae bad_get_user
4994 ++ pushl $(__USER_DS)
4995 ++ popl %ds
4996 + 2: movzwl -1(%eax),%edx
4997 ++ pushl %ss
4998 ++ pop %ds
4999 + xorl %eax,%eax
5000 + ret
5001 + CFI_ENDPROC
5002 +@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
5003 + GET_THREAD_INFO(%edx)
5004 + cmpl TI_addr_limit(%edx),%eax
5005 + jae bad_get_user
5006 ++ pushl $(__USER_DS)
5007 ++ popl %ds
5008 + 3: movl -3(%eax),%edx
5009 ++ pushl %ss
5010 ++ pop %ds
5011 + xorl %eax,%eax
5012 + ret
5013 + CFI_ENDPROC
5014 +@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
5015 +
5016 + bad_get_user:
5017 + CFI_STARTPROC
5018 ++ pushl %ss
5019 ++ pop %ds
5020 + xorl %edx,%edx
5021 + movl $-14,%eax
5022 + ret
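Review bot: the `pushl %ss / pop %ds` at the top of bad_get_user is required, not cosmetic: the exception-table fixups for labels 1:, 2: and 3: jump straight here with `%ds` still set to `__USER_DS`, so without it an -EFAULT return would leave the C caller running with a user data segment. A comment saying so, plus the CFI adjustments noted on the __get_user_1 hunk, would help the next reader.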
5023 +diff -Nurp linux-2.6.23.15/arch/i386/lib/mmx.c linux-2.6.23.15-grsec/arch/i386/lib/mmx.c
5024 +--- linux-2.6.23.15/arch/i386/lib/mmx.c 2007-10-09 21:31:38.000000000 +0100
5025 ++++ linux-2.6.23.15-grsec/arch/i386/lib/mmx.c 2008-02-11 10:37:44.000000000 +0000
5026 +@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
5027 + {
5028 + void *p;
5029 + int i;
5030 ++ unsigned long cr0;
5031 +
5032 + if (unlikely(in_interrupt()))
5033 + return __memcpy(to, from, len);
5034 +@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
5035 + kernel_fpu_begin();
5036 +
5037 + __asm__ __volatile__ (
5038 +- "1: prefetch (%0)\n" /* This set is 28 bytes */
5039 +- " prefetch 64(%0)\n"
5040 +- " prefetch 128(%0)\n"
5041 +- " prefetch 192(%0)\n"
5042 +- " prefetch 256(%0)\n"
5043 ++ "1: prefetch (%1)\n" /* This set is 28 bytes */
5044 ++ " prefetch 64(%1)\n"
5045 ++ " prefetch 128(%1)\n"
5046 ++ " prefetch 192(%1)\n"
5047 ++ " prefetch 256(%1)\n"
5048 + "2: \n"
5049 + ".section .fixup, \"ax\"\n"
5050 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5051 ++ "3: \n"
5052 ++
5053 ++#ifdef CONFIG_PAX_KERNEXEC
5054 ++ " movl %%cr0, %0\n"
5055 ++ " movl %0, %%eax\n"
5056 ++ " andl $0xFFFEFFFF, %%eax\n"
5057 ++ " movl %%eax, %%cr0\n"
5058 ++#endif
5059 ++
5060 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5061 ++
5062 ++#ifdef CONFIG_PAX_KERNEXEC
5063 ++ " movl %0, %%cr0\n"
5064 ++#endif
5065 ++
5066 + " jmp 2b\n"
5067 + ".previous\n"
5068 + ".section __ex_table,\"a\"\n"
5069 + " .align 4\n"
5070 + " .long 1b, 3b\n"
5071 + ".previous"
5072 +- : : "r" (from) );
5073 ++ : "=&r" (cr0) : "r" (from) : "ax");
5074 +
5075 +
5076 + for(; i>5; i--)
5077 + {
5078 + __asm__ __volatile__ (
5079 +- "1: prefetch 320(%0)\n"
5080 +- "2: movq (%0), %%mm0\n"
5081 +- " movq 8(%0), %%mm1\n"
5082 +- " movq 16(%0), %%mm2\n"
5083 +- " movq 24(%0), %%mm3\n"
5084 +- " movq %%mm0, (%1)\n"
5085 +- " movq %%mm1, 8(%1)\n"
5086 +- " movq %%mm2, 16(%1)\n"
5087 +- " movq %%mm3, 24(%1)\n"
5088 +- " movq 32(%0), %%mm0\n"
5089 +- " movq 40(%0), %%mm1\n"
5090 +- " movq 48(%0), %%mm2\n"
5091 +- " movq 56(%0), %%mm3\n"
5092 +- " movq %%mm0, 32(%1)\n"
5093 +- " movq %%mm1, 40(%1)\n"
5094 +- " movq %%mm2, 48(%1)\n"
5095 +- " movq %%mm3, 56(%1)\n"
5096 ++ "1: prefetch 320(%1)\n"
5097 ++ "2: movq (%1), %%mm0\n"
5098 ++ " movq 8(%1), %%mm1\n"
5099 ++ " movq 16(%1), %%mm2\n"
5100 ++ " movq 24(%1), %%mm3\n"
5101 ++ " movq %%mm0, (%2)\n"
5102 ++ " movq %%mm1, 8(%2)\n"
5103 ++ " movq %%mm2, 16(%2)\n"
5104 ++ " movq %%mm3, 24(%2)\n"
5105 ++ " movq 32(%1), %%mm0\n"
5106 ++ " movq 40(%1), %%mm1\n"
5107 ++ " movq 48(%1), %%mm2\n"
5108 ++ " movq 56(%1), %%mm3\n"
5109 ++ " movq %%mm0, 32(%2)\n"
5110 ++ " movq %%mm1, 40(%2)\n"
5111 ++ " movq %%mm2, 48(%2)\n"
5112 ++ " movq %%mm3, 56(%2)\n"
5113 + ".section .fixup, \"ax\"\n"
5114 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5115 ++ "3:\n"
5116 ++
5117 ++#ifdef CONFIG_PAX_KERNEXEC
5118 ++ " movl %%cr0, %0\n"
5119 ++ " movl %0, %%eax\n"
5120 ++ " andl $0xFFFEFFFF, %%eax\n"
5121 ++ " movl %%eax, %%cr0\n"
5122 ++#endif
5123 ++
5124 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5125 ++
5126 ++#ifdef CONFIG_PAX_KERNEXEC
5127 ++ " movl %0, %%cr0\n"
5128 ++#endif
5129 ++
5130 + " jmp 2b\n"
5131 + ".previous\n"
5132 + ".section __ex_table,\"a\"\n"
5133 + " .align 4\n"
5134 + " .long 1b, 3b\n"
5135 + ".previous"
5136 +- : : "r" (from), "r" (to) : "memory");
5137 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5138 + from+=64;
5139 + to+=64;
5140 + }
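Review bot: the fixup at label `3:` clears CR0.WP (`andl $0xFFFEFFFF, %%eax`, bit 16) so that `movw $0x1AEB, 1b` can rewrite the prefetch instruction in read-only text, then restores the saved value from `%0`. The window is protected against preemption only because kernel_fpu_begin() above has called preempt_disable(); interrupts remain enabled, so an interrupt handler running inside the window executes with write protection off on this CPU. Either wrap the sequence in a pushf/cli ... popf pair or comment why the exposure is acceptable for a one-off patch of a single instruction. Two readability points: express the mask through a named constant for the WP bit (X86_CR0_WP if the tree already has it) instead of `0xFFFEFFFF`, and note that the `"ax"` clobber is what keeps the compiler from allocating `%0` to `%eax`, which the `movl %0, %%eax` scratch copy depends on.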
5141 +@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
5142 + static void fast_copy_page(void *to, void *from)
5143 + {
5144 + int i;
5145 ++ unsigned long cr0;
5146 +
5147 + kernel_fpu_begin();
5148 +
5149 +@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
5150 + * but that is for later. -AV
5151 + */
5152 + __asm__ __volatile__ (
5153 +- "1: prefetch (%0)\n"
5154 +- " prefetch 64(%0)\n"
5155 +- " prefetch 128(%0)\n"
5156 +- " prefetch 192(%0)\n"
5157 +- " prefetch 256(%0)\n"
5158 ++ "1: prefetch (%1)\n"
5159 ++ " prefetch 64(%1)\n"
5160 ++ " prefetch 128(%1)\n"
5161 ++ " prefetch 192(%1)\n"
5162 ++ " prefetch 256(%1)\n"
5163 + "2: \n"
5164 + ".section .fixup, \"ax\"\n"
5165 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5166 ++ "3: \n"
5167 ++
5168 ++#ifdef CONFIG_PAX_KERNEXEC
5169 ++ " movl %%cr0, %0\n"
5170 ++ " movl %0, %%eax\n"
5171 ++ " andl $0xFFFEFFFF, %%eax\n"
5172 ++ " movl %%eax, %%cr0\n"
5173 ++#endif
5174 ++
5175 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5176 ++
5177 ++#ifdef CONFIG_PAX_KERNEXEC
5178 ++ " movl %0, %%cr0\n"
5179 ++#endif
5180 ++
5181 + " jmp 2b\n"
5182 + ".previous\n"
5183 + ".section __ex_table,\"a\"\n"
5184 + " .align 4\n"
5185 + " .long 1b, 3b\n"
5186 + ".previous"
5187 +- : : "r" (from) );
5188 ++ : "=&r" (cr0) : "r" (from) : "ax");
5189 +
5190 + for(i=0; i<(4096-320)/64; i++)
5191 + {
5192 + __asm__ __volatile__ (
5193 +- "1: prefetch 320(%0)\n"
5194 +- "2: movq (%0), %%mm0\n"
5195 +- " movntq %%mm0, (%1)\n"
5196 +- " movq 8(%0), %%mm1\n"
5197 +- " movntq %%mm1, 8(%1)\n"
5198 +- " movq 16(%0), %%mm2\n"
5199 +- " movntq %%mm2, 16(%1)\n"
5200 +- " movq 24(%0), %%mm3\n"
5201 +- " movntq %%mm3, 24(%1)\n"
5202 +- " movq 32(%0), %%mm4\n"
5203 +- " movntq %%mm4, 32(%1)\n"
5204 +- " movq 40(%0), %%mm5\n"
5205 +- " movntq %%mm5, 40(%1)\n"
5206 +- " movq 48(%0), %%mm6\n"
5207 +- " movntq %%mm6, 48(%1)\n"
5208 +- " movq 56(%0), %%mm7\n"
5209 +- " movntq %%mm7, 56(%1)\n"
5210 ++ "1: prefetch 320(%1)\n"
5211 ++ "2: movq (%1), %%mm0\n"
5212 ++ " movntq %%mm0, (%2)\n"
5213 ++ " movq 8(%1), %%mm1\n"
5214 ++ " movntq %%mm1, 8(%2)\n"
5215 ++ " movq 16(%1), %%mm2\n"
5216 ++ " movntq %%mm2, 16(%2)\n"
5217 ++ " movq 24(%1), %%mm3\n"
5218 ++ " movntq %%mm3, 24(%2)\n"
5219 ++ " movq 32(%1), %%mm4\n"
5220 ++ " movntq %%mm4, 32(%2)\n"
5221 ++ " movq 40(%1), %%mm5\n"
5222 ++ " movntq %%mm5, 40(%2)\n"
5223 ++ " movq 48(%1), %%mm6\n"
5224 ++ " movntq %%mm6, 48(%2)\n"
5225 ++ " movq 56(%1), %%mm7\n"
5226 ++ " movntq %%mm7, 56(%2)\n"
5227 + ".section .fixup, \"ax\"\n"
5228 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5229 ++ "3:\n"
5230 ++
5231 ++#ifdef CONFIG_PAX_KERNEXEC
5232 ++ " movl %%cr0, %0\n"
5233 ++ " movl %0, %%eax\n"
5234 ++ " andl $0xFFFEFFFF, %%eax\n"
5235 ++ " movl %%eax, %%cr0\n"
5236 ++#endif
5237 ++
5238 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5239 ++
5240 ++#ifdef CONFIG_PAX_KERNEXEC
5241 ++ " movl %0, %%cr0\n"
5242 ++#endif
5243 ++
5244 + " jmp 2b\n"
5245 + ".previous\n"
5246 + ".section __ex_table,\"a\"\n"
5247 + " .align 4\n"
5248 + " .long 1b, 3b\n"
5249 + ".previous"
5250 +- : : "r" (from), "r" (to) : "memory");
5251 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5252 + from+=64;
5253 + to+=64;
5254 + }
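Review bot: this is the second verbatim copy of the KERNEXEC fixup sequence (read CR0, clear WP, patch, restore) in this file, and two more follow for the other fast_copy_page variant; each copy repeats four `#ifdef CONFIG_PAX_KERNEXEC` blocks inside a string literal. Lifting the sequence into a pair of assembler string macros, the equivalent of the pax_open_kernel/pax_close_kernel helpers the vmi.c hunks use, would keep the four sites identical, give a single place to add the interrupt handling raised on the first hunk, and halve the size of this change.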
5255 +@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
5256 + static void fast_copy_page(void *to, void *from)
5257 + {
5258 + int i;
5259 +-
5260 +-
5261 ++ unsigned long cr0;
5262 ++
5263 + kernel_fpu_begin();
5264 +
5265 + __asm__ __volatile__ (
5266 +- "1: prefetch (%0)\n"
5267 +- " prefetch 64(%0)\n"
5268 +- " prefetch 128(%0)\n"
5269 +- " prefetch 192(%0)\n"
5270 +- " prefetch 256(%0)\n"
5271 ++ "1: prefetch (%1)\n"
5272 ++ " prefetch 64(%1)\n"
5273 ++ " prefetch 128(%1)\n"
5274 ++ " prefetch 192(%1)\n"
5275 ++ " prefetch 256(%1)\n"
5276 + "2: \n"
5277 + ".section .fixup, \"ax\"\n"
5278 +- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5279 ++ "3: \n"
5280 ++
5281 ++#ifdef CONFIG_PAX_KERNEXEC
5282 ++ " movl %%cr0, %0\n"
5283 ++ " movl %0, %%eax\n"
5284 ++ " andl $0xFFFEFFFF, %%eax\n"
5285 ++ " movl %%eax, %%cr0\n"
5286 ++#endif
5287 ++
5288 ++ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
5289 ++
5290 ++#ifdef CONFIG_PAX_KERNEXEC
5291 ++ " movl %0, %%cr0\n"
5292 ++#endif
5293 ++
5294 + " jmp 2b\n"
5295 + ".previous\n"
5296 + ".section __ex_table,\"a\"\n"
5297 + " .align 4\n"
5298 + " .long 1b, 3b\n"
5299 + ".previous"
5300 +- : : "r" (from) );
5301 ++ : "=&r" (cr0) : "r" (from) : "ax");
5302 +
5303 + for(i=0; i<4096/64; i++)
5304 + {
5305 + __asm__ __volatile__ (
5306 +- "1: prefetch 320(%0)\n"
5307 +- "2: movq (%0), %%mm0\n"
5308 +- " movq 8(%0), %%mm1\n"
5309 +- " movq 16(%0), %%mm2\n"
5310 +- " movq 24(%0), %%mm3\n"
5311 +- " movq %%mm0, (%1)\n"
5312 +- " movq %%mm1, 8(%1)\n"
5313 +- " movq %%mm2, 16(%1)\n"
5314 +- " movq %%mm3, 24(%1)\n"
5315 +- " movq 32(%0), %%mm0\n"
5316 +- " movq 40(%0), %%mm1\n"
5317 +- " movq 48(%0), %%mm2\n"
5318 +- " movq 56(%0), %%mm3\n"
5319 +- " movq %%mm0, 32(%1)\n"
5320 +- " movq %%mm1, 40(%1)\n"
5321 +- " movq %%mm2, 48(%1)\n"
5322 +- " movq %%mm3, 56(%1)\n"
5323 ++ "1: prefetch 320(%1)\n"
5324 ++ "2: movq (%1), %%mm0\n"
5325 ++ " movq 8(%1), %%mm1\n"
5326 ++ " movq 16(%1), %%mm2\n"
5327 ++ " movq 24(%1), %%mm3\n"
5328 ++ " movq %%mm0, (%2)\n"
5329 ++ " movq %%mm1, 8(%2)\n"
5330 ++ " movq %%mm2, 16(%2)\n"
5331 ++ " movq %%mm3, 24(%2)\n"
5332 ++ " movq 32(%1), %%mm0\n"
5333 ++ " movq 40(%1), %%mm1\n"
5334 ++ " movq 48(%1), %%mm2\n"
5335 ++ " movq 56(%1), %%mm3\n"
5336 ++ " movq %%mm0, 32(%2)\n"
5337 ++ " movq %%mm1, 40(%2)\n"
5338 ++ " movq %%mm2, 48(%2)\n"
5339 ++ " movq %%mm3, 56(%2)\n"
5340 + ".section .fixup, \"ax\"\n"
5341 +- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5342 ++ "3:\n"
5343 ++
5344 ++#ifdef CONFIG_PAX_KERNEXEC
5345 ++ " movl %%cr0, %0\n"
5346 ++ " movl %0, %%eax\n"
5347 ++ " andl $0xFFFEFFFF, %%eax\n"
5348 ++ " movl %%eax, %%cr0\n"
5349 ++#endif
5350 ++
5351 ++ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
5352 ++
5353 ++#ifdef CONFIG_PAX_KERNEXEC
5354 ++ " movl %0, %%cr0\n"
5355 ++#endif
5356 ++
5357 + " jmp 2b\n"
5358 + ".previous\n"
5359 + ".section __ex_table,\"a\"\n"
5360 + " .align 4\n"
5361 + " .long 1b, 3b\n"
5362 + ".previous"
5363 +- : : "r" (from), "r" (to) : "memory");
5364 ++ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
5365 + from+=64;
5366 + to+=64;
5367 + }
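Review bot: this hunk adds the second and third verbatim copies of the CR0.WP open/close sequence around a `movw $..., 1b` text patch (the `3:` fixups of both asm blocks here, plus the loop in the previous hunk); a pair of macros expanding to the `movl %%cr0, %0 ... movl %%eax, %%cr0` and `movl %0, %%cr0` halves under CONFIG_PAX_KERNEXEC, and to nothing otherwise, would keep the copies from drifting and let the `cr0` variable and the `"ax"` clobber be declared in one place. The operand renumbering is consistent: with `cr0` as output %0, `from` moves to %1 in the prefetch block and `from`/`to` to %1/%2 in the copy loop, and every prefetch and movq reference was updated to match.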
5368 +diff -Nurp linux-2.6.23.15/arch/i386/lib/putuser.S linux-2.6.23.15-grsec/arch/i386/lib/putuser.S
5369 +--- linux-2.6.23.15/arch/i386/lib/putuser.S 2007-10-09 21:31:38.000000000 +0100
5370 ++++ linux-2.6.23.15-grsec/arch/i386/lib/putuser.S 2008-02-11 10:37:44.000000000 +0000
5371 +@@ -11,7 +11,7 @@
5372 + #include <linux/linkage.h>
5373 + #include <asm/dwarf2.h>
5374 + #include <asm/thread_info.h>
5375 +-
5376 ++#include <asm/segment.h>
5377 +
5378 + /*
5379 + * __put_user_X
5380 +@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
5381 + ENTER
5382 + cmpl TI_addr_limit(%ebx),%ecx
5383 + jae bad_put_user
5384 ++ pushl $(__USER_DS)
5385 ++ popl %ds
5386 + 1: movb %al,(%ecx)
5387 ++ pushl %ss
5388 ++ popl %ds
5389 + xorl %eax,%eax
5390 + EXIT
5391 + ENDPROC(__put_user_1)
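Review bot: the `pushl $(__USER_DS); popl %ds` before the store at `1:` and the `pushl %ss; popl %ds` after it switch %ds to the user data segment for exactly one fault-capable instruction, which is the right granularity, but the fault case is only correct because bad_put_user restores %ds on the exception-table path, and a one-line comment at `1:` should say so. Worth noting for readers: the existing `cmpl TI_addr_limit(%ebx),%ecx; jae bad_put_user` still runs before the switch, so the thread's addr_limit and the descriptor limit installed by set_fs are two independent checks on the same bound. Using an immediate push here rather than a register input also sidesteps the register-pressure problem the `"r"(__USER_DS)` operands in usercopy.c take on.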
5392 +@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
5393 + subl $1,%ebx
5394 + cmpl %ebx,%ecx
5395 + jae bad_put_user
5396 ++ pushl $(__USER_DS)
5397 ++ popl %ds
5398 + 2: movw %ax,(%ecx)
5399 ++ pushl %ss
5400 ++ popl %ds
5401 + xorl %eax,%eax
5402 + EXIT
5403 + ENDPROC(__put_user_2)
5404 +@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
5405 + subl $3,%ebx
5406 + cmpl %ebx,%ecx
5407 + jae bad_put_user
5408 ++ pushl $(__USER_DS)
5409 ++ popl %ds
5410 + 3: movl %eax,(%ecx)
5411 ++ pushl %ss
5412 ++ popl %ds
5413 + xorl %eax,%eax
5414 + EXIT
5415 + ENDPROC(__put_user_4)
5416 +@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
5417 + subl $7,%ebx
5418 + cmpl %ebx,%ecx
5419 + jae bad_put_user
5420 ++ pushl $(__USER_DS)
5421 ++ popl %ds
5422 + 4: movl %eax,(%ecx)
5423 + 5: movl %edx,4(%ecx)
5424 ++ pushl %ss
5425 ++ popl %ds
5426 + xorl %eax,%eax
5427 + EXIT
5428 + ENDPROC(__put_user_8)
5429 +@@ -85,6 +101,10 @@ bad_put_user:
5430 + CFI_DEF_CFA esp, 2*4
5431 + CFI_OFFSET eip, -1*4
5432 + CFI_OFFSET ebx, -2*4
5433 ++ pushl %ss
5434 ++ CFI_ADJUST_CFA_OFFSET 4
5435 ++ popl %ds
5436 ++ CFI_ADJUST_CFA_OFFSET -4
5437 + movl $-14,%eax
5438 + EXIT
5439 + END(bad_put_user)
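Review bot: the `pushl %ss; popl %ds` added here is what restores the kernel data segment when one of the stores at `1:` through `5:` faults and the exception table lands in bad_put_user, so it is load-bearing for every __put_user_N above and deserves a comment saying so; it also executes on the `jae bad_put_user` paths, where %ds was never switched, which is harmless because kernel %ss and %ds both select the kernel data segment. The CFI_ADJUST_CFA_OFFSET 4 / -4 pair around the push/pop keeps the unwind annotations consistent.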
5440 +diff -Nurp linux-2.6.23.15/arch/i386/lib/usercopy.c linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c
5441 +--- linux-2.6.23.15/arch/i386/lib/usercopy.c 2007-10-09 21:31:38.000000000 +0100
5442 ++++ linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c 2008-02-11 10:37:44.000000000 +0000
5443 +@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
5444 + * Copy a null terminated string from userspace.
5445 + */
5446 +
5447 +-#define __do_strncpy_from_user(dst,src,count,res) \
5448 +-do { \
5449 +- int __d0, __d1, __d2; \
5450 +- might_sleep(); \
5451 +- __asm__ __volatile__( \
5452 +- " testl %1,%1\n" \
5453 +- " jz 2f\n" \
5454 +- "0: lodsb\n" \
5455 +- " stosb\n" \
5456 +- " testb %%al,%%al\n" \
5457 +- " jz 1f\n" \
5458 +- " decl %1\n" \
5459 +- " jnz 0b\n" \
5460 +- "1: subl %1,%0\n" \
5461 +- "2:\n" \
5462 +- ".section .fixup,\"ax\"\n" \
5463 +- "3: movl %5,%0\n" \
5464 +- " jmp 2b\n" \
5465 +- ".previous\n" \
5466 +- ".section __ex_table,\"a\"\n" \
5467 +- " .align 4\n" \
5468 +- " .long 0b,3b\n" \
5469 +- ".previous" \
5470 +- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
5471 +- "=&D" (__d2) \
5472 +- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
5473 +- : "memory"); \
5474 +-} while (0)
5475 ++static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
5476 ++{
5477 ++ int __d0, __d1, __d2;
5478 ++ long res = -EFAULT;
5479 ++
5480 ++ might_sleep();
5481 ++ __asm__ __volatile__(
5482 ++ " movw %w10,%%ds\n"
5483 ++ " testl %1,%1\n"
5484 ++ " jz 2f\n"
5485 ++ "0: lodsb\n"
5486 ++ " stosb\n"
5487 ++ " testb %%al,%%al\n"
5488 ++ " jz 1f\n"
5489 ++ " decl %1\n"
5490 ++ " jnz 0b\n"
5491 ++ "1: subl %1,%0\n"
5492 ++ "2:\n"
5493 ++ " pushl %%ss\n"
5494 ++ " popl %%ds\n"
5495 ++ ".section .fixup,\"ax\"\n"
5496 ++ "3: movl %5,%0\n"
5497 ++ " jmp 2b\n"
5498 ++ ".previous\n"
5499 ++ ".section __ex_table,\"a\"\n"
5500 ++ " .align 4\n"
5501 ++ " .long 0b,3b\n"
5502 ++ ".previous"
5503 ++ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
5504 ++ "=&D" (__d2)
5505 ++ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
5506 ++ "r"(__USER_DS)
5507 ++ : "memory");
5508 ++ return res;
5509 ++}
5510 +
5511 + /**
5512 + * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
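Review bot: `long res = -EFAULT;` in the new __do_strncpy_from_user is dead: output %0 is tied to `count` through the `"0"(count)` input, the normal path writes it at `1: subl %1,%0` and the fault path at `3: movl %5,%0`, so the initializer never reaches a caller and suggests a fallback that does not exist; drop it or comment it. The segment handling is consistent: `%w10` names the eleventh operand, `"r"(__USER_DS)`; `lodsb` then reads the user string through the limited %ds while `stosb` writes the kernel buffer through %es; and the `pushl %%ss; popl %%ds` at `2:` is reached both by the normal exit and by the `3: ... jmp 2b` fixup, so %ds is restored on a fault as well.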
5513 +@@ -81,9 +88,7 @@ do { \
5514 + long
5515 + __strncpy_from_user(char *dst, const char __user *src, long count)
5516 + {
5517 +- long res;
5518 +- __do_strncpy_from_user(dst, src, count, res);
5519 +- return res;
5520 ++ return __do_strncpy_from_user(dst, src, count);
5521 + }
5522 + EXPORT_SYMBOL(__strncpy_from_user);
5523 +
5524 +@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
5525 + {
5526 + long res = -EFAULT;
5527 + if (access_ok(VERIFY_READ, src, 1))
5528 +- __do_strncpy_from_user(dst, src, count, res);
5529 ++ res = __do_strncpy_from_user(dst, src, count);
5530 + return res;
5531 + }
5532 + EXPORT_SYMBOL(strncpy_from_user);
5533 +@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
5534 + * Zero Userspace
5535 + */
5536 +
5537 +-#define __do_clear_user(addr,size) \
5538 +-do { \
5539 +- int __d0; \
5540 +- might_sleep(); \
5541 +- __asm__ __volatile__( \
5542 +- "0: rep; stosl\n" \
5543 +- " movl %2,%0\n" \
5544 +- "1: rep; stosb\n" \
5545 +- "2:\n" \
5546 +- ".section .fixup,\"ax\"\n" \
5547 +- "3: lea 0(%2,%0,4),%0\n" \
5548 +- " jmp 2b\n" \
5549 +- ".previous\n" \
5550 +- ".section __ex_table,\"a\"\n" \
5551 +- " .align 4\n" \
5552 +- " .long 0b,3b\n" \
5553 +- " .long 1b,2b\n" \
5554 +- ".previous" \
5555 +- : "=&c"(size), "=&D" (__d0) \
5556 +- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
5557 +-} while (0)
5558 ++static unsigned long __do_clear_user(void __user *addr, unsigned long size)
5559 ++{
5560 ++ int __d0;
5561 ++
5562 ++ might_sleep();
5563 ++ __asm__ __volatile__(
5564 ++ " movw %w6,%%es\n"
5565 ++ "0: rep; stosl\n"
5566 ++ " movl %2,%0\n"
5567 ++ "1: rep; stosb\n"
5568 ++ "2:\n"
5569 ++ " pushl %%ss\n"
5570 ++ " popl %%es\n"
5571 ++ ".section .fixup,\"ax\"\n"
5572 ++ "3: lea 0(%2,%0,4),%0\n"
5573 ++ " jmp 2b\n"
5574 ++ ".previous\n"
5575 ++ ".section __ex_table,\"a\"\n"
5576 ++ " .align 4\n"
5577 ++ " .long 0b,3b\n"
5578 ++ " .long 1b,2b\n"
5579 ++ ".previous"
5580 ++ : "=&c"(size), "=&D" (__d0)
5581 ++ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
5582 ++ "r"(__USER_DS));
5583 ++ return size;
5584 ++}
5585 +
5586 + /**
5587 + * clear_user: - Zero a block of memory in user space.
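Review bot: while __do_clear_user is being turned into a function, give its asm the `"memory"` clobber that the __do_strncpy_from_user conversion above already has; it stores through %es:%edi and now hands a remaining count back to callers, and the two helpers should not differ on this. The rest is right: `%w6` is the `"r"(__USER_DS)` input (outputs 0-1, inputs 2-6), `rep; stosl`/`stosb` write through the user-limited %es, and because both the `3:` fixup and the `.long 1b,2b` entry return to `2:`, the `pushl %%ss; popl %%es` restore covers the fault paths as well as the normal one.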
5588 +@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
5589 + {
5590 + might_sleep();
5591 + if (access_ok(VERIFY_WRITE, to, n))
5592 +- __do_clear_user(to, n);
5593 ++ n = __do_clear_user(to, n);
5594 + return n;
5595 + }
5596 + EXPORT_SYMBOL(clear_user);
5597 +@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
5598 + unsigned long
5599 + __clear_user(void __user *to, unsigned long n)
5600 + {
5601 +- __do_clear_user(to, n);
5602 +- return n;
5603 ++ return __do_clear_user(to, n);
5604 + }
5605 + EXPORT_SYMBOL(__clear_user);
5606 +
5607 +@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
5608 + might_sleep();
5609 +
5610 + __asm__ __volatile__(
5611 ++ " movw %w8,%%es\n"
5612 + " testl %0, %0\n"
5613 + " jz 3f\n"
5614 +- " andl %0,%%ecx\n"
5615 ++ " movl %0,%%ecx\n"
5616 + "0: repne; scasb\n"
5617 + " setne %%al\n"
5618 + " subl %%ecx,%0\n"
5619 + " addl %0,%%eax\n"
5620 + "1:\n"
5621 ++ " pushl %%ss\n"
5622 ++ " popl %%es\n"
5623 + ".section .fixup,\"ax\"\n"
5624 + "2: xorl %%eax,%%eax\n"
5625 + " jmp 1b\n"
5626 +@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
5627 + " .long 0b,2b\n"
5628 + ".previous"
5629 + :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
5630 +- :"0" (n), "1" (s), "2" (0), "3" (mask)
5631 ++ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
5632 + :"cc");
5633 + return res & mask;
5634 + }
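Review bot: replacing `andl %0,%%ecx` with `movl %0,%%ecx` removes the software clamp that zeroed the scan length when `__addr_ok(s)` failed (the `"3" (mask)` input is still loaded into %ecx only to be overwritten), so the bound on `repne; scasb` now rests entirely on the __USER_DS limit loaded by `movw %w8,%%es`; that limit is only narrowed by the CONFIG_PAX_MEMORY_UDEREF version of set_fs, so in a build without UDEREF a scan starting at a kernel address proceeds until a NUL or a fault and only `return res & mask` hides the result. Keep the `andl` (it costs nothing) or make this change conditional on UDEREF so the non-UDEREF build keeps its original check.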
5635 +@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
5636 +
5637 + #ifdef CONFIG_X86_INTEL_USERCOPY
5638 + static unsigned long
5639 +-__copy_user_intel(void __user *to, const void *from, unsigned long size)
5640 ++__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
5641 ++{
5642 ++ int d0, d1;
5643 ++ __asm__ __volatile__(
5644 ++ " movw %w6, %%es\n"
5645 ++ " .align 2,0x90\n"
5646 ++ "1: movl 32(%4), %%eax\n"
5647 ++ " cmpl $67, %0\n"
5648 ++ " jbe 3f\n"
5649 ++ "2: movl 64(%4), %%eax\n"
5650 ++ " .align 2,0x90\n"
5651 ++ "3: movl 0(%4), %%eax\n"
5652 ++ "4: movl 4(%4), %%edx\n"
5653 ++ "5: movl %%eax, %%es:0(%3)\n"
5654 ++ "6: movl %%edx, %%es:4(%3)\n"
5655 ++ "7: movl 8(%4), %%eax\n"
5656 ++ "8: movl 12(%4),%%edx\n"
5657 ++ "9: movl %%eax, %%es:8(%3)\n"
5658 ++ "10: movl %%edx, %%es:12(%3)\n"
5659 ++ "11: movl 16(%4), %%eax\n"
5660 ++ "12: movl 20(%4), %%edx\n"
5661 ++ "13: movl %%eax, %%es:16(%3)\n"
5662 ++ "14: movl %%edx, %%es:20(%3)\n"
5663 ++ "15: movl 24(%4), %%eax\n"
5664 ++ "16: movl 28(%4), %%edx\n"
5665 ++ "17: movl %%eax, %%es:24(%3)\n"
5666 ++ "18: movl %%edx, %%es:28(%3)\n"
5667 ++ "19: movl 32(%4), %%eax\n"
5668 ++ "20: movl 36(%4), %%edx\n"
5669 ++ "21: movl %%eax, %%es:32(%3)\n"
5670 ++ "22: movl %%edx, %%es:36(%3)\n"
5671 ++ "23: movl 40(%4), %%eax\n"
5672 ++ "24: movl 44(%4), %%edx\n"
5673 ++ "25: movl %%eax, %%es:40(%3)\n"
5674 ++ "26: movl %%edx, %%es:44(%3)\n"
5675 ++ "27: movl 48(%4), %%eax\n"
5676 ++ "28: movl 52(%4), %%edx\n"
5677 ++ "29: movl %%eax, %%es:48(%3)\n"
5678 ++ "30: movl %%edx, %%es:52(%3)\n"
5679 ++ "31: movl 56(%4), %%eax\n"
5680 ++ "32: movl 60(%4), %%edx\n"
5681 ++ "33: movl %%eax, %%es:56(%3)\n"
5682 ++ "34: movl %%edx, %%es:60(%3)\n"
5683 ++ " addl $-64, %0\n"
5684 ++ " addl $64, %4\n"
5685 ++ " addl $64, %3\n"
5686 ++ " cmpl $63, %0\n"
5687 ++ " ja 1b\n"
5688 ++ "35: movl %0, %%eax\n"
5689 ++ " shrl $2, %0\n"
5690 ++ " andl $3, %%eax\n"
5691 ++ " cld\n"
5692 ++ "99: rep; movsl\n"
5693 ++ "36: movl %%eax, %0\n"
5694 ++ "37: rep; movsb\n"
5695 ++ "100:\n"
5696 ++ " pushl %%ss\n"
5697 ++ " popl %%es\n"
5698 ++ ".section .fixup,\"ax\"\n"
5699 ++ "101: lea 0(%%eax,%0,4),%0\n"
5700 ++ " jmp 100b\n"
5701 ++ ".previous\n"
5702 ++ ".section __ex_table,\"a\"\n"
5703 ++ " .align 4\n"
5704 ++ " .long 1b,100b\n"
5705 ++ " .long 2b,100b\n"
5706 ++ " .long 3b,100b\n"
5707 ++ " .long 4b,100b\n"
5708 ++ " .long 5b,100b\n"
5709 ++ " .long 6b,100b\n"
5710 ++ " .long 7b,100b\n"
5711 ++ " .long 8b,100b\n"
5712 ++ " .long 9b,100b\n"
5713 ++ " .long 10b,100b\n"
5714 ++ " .long 11b,100b\n"
5715 ++ " .long 12b,100b\n"
5716 ++ " .long 13b,100b\n"
5717 ++ " .long 14b,100b\n"
5718 ++ " .long 15b,100b\n"
5719 ++ " .long 16b,100b\n"
5720 ++ " .long 17b,100b\n"
5721 ++ " .long 18b,100b\n"
5722 ++ " .long 19b,100b\n"
5723 ++ " .long 20b,100b\n"
5724 ++ " .long 21b,100b\n"
5725 ++ " .long 22b,100b\n"
5726 ++ " .long 23b,100b\n"
5727 ++ " .long 24b,100b\n"
5728 ++ " .long 25b,100b\n"
5729 ++ " .long 26b,100b\n"
5730 ++ " .long 27b,100b\n"
5731 ++ " .long 28b,100b\n"
5732 ++ " .long 29b,100b\n"
5733 ++ " .long 30b,100b\n"
5734 ++ " .long 31b,100b\n"
5735 ++ " .long 32b,100b\n"
5736 ++ " .long 33b,100b\n"
5737 ++ " .long 34b,100b\n"
5738 ++ " .long 35b,100b\n"
5739 ++ " .long 36b,100b\n"
5740 ++ " .long 37b,100b\n"
5741 ++ " .long 99b,101b\n"
5742 ++ ".previous"
5743 ++ : "=&c"(size), "=&D" (d0), "=&S" (d1)
5744 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5745 ++ : "eax", "edx", "memory");
5746 ++ return size;
5747 ++}
5748 ++
5749 ++static unsigned long
5750 ++__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
5751 + {
5752 + int d0, d1;
5753 + __asm__ __volatile__(
5754 ++ " movw %w6, %%ds\n"
5755 + " .align 2,0x90\n"
5756 + "1: movl 32(%4), %%eax\n"
5757 + " cmpl $67, %0\n"
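Review bot: __generic_copy_to_user_intel duplicates the whole body of the existing intel copy loop, differing only in loading %es and in the `%%es:` prefix on the 16 stores; a macro parameterised on the segment register would avoid two 100-plus-line bodies that must be kept in sync by hand. Separately, with %ecx/%edi/%esi taken by outputs and %eax/%edx clobbered, the `"r"(__USER_DS)` input can only land in %ebx (or %ebp when frame pointers are off), which compiles but leaves the allocator no slack; an `"i"(__USER_DS)` operand used as `pushl %6; popl %%es`, the form putuser.S uses in this same patch, needs no register. The fault handling is correct: every `.long Nb,100b` entry and the `101:` fixup end at `100:`, which is where %es is reloaded from %ss.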
5758 +@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
5759 + " .align 2,0x90\n"
5760 + "3: movl 0(%4), %%eax\n"
5761 + "4: movl 4(%4), %%edx\n"
5762 +- "5: movl %%eax, 0(%3)\n"
5763 +- "6: movl %%edx, 4(%3)\n"
5764 ++ "5: movl %%eax, %%es:0(%3)\n"
5765 ++ "6: movl %%edx, %%es:4(%3)\n"
5766 + "7: movl 8(%4), %%eax\n"
5767 + "8: movl 12(%4),%%edx\n"
5768 +- "9: movl %%eax, 8(%3)\n"
5769 +- "10: movl %%edx, 12(%3)\n"
5770 ++ "9: movl %%eax, %%es:8(%3)\n"
5771 ++ "10: movl %%edx, %%es:12(%3)\n"
5772 + "11: movl 16(%4), %%eax\n"
5773 + "12: movl 20(%4), %%edx\n"
5774 +- "13: movl %%eax, 16(%3)\n"
5775 +- "14: movl %%edx, 20(%3)\n"
5776 ++ "13: movl %%eax, %%es:16(%3)\n"
5777 ++ "14: movl %%edx, %%es:20(%3)\n"
5778 + "15: movl 24(%4), %%eax\n"
5779 + "16: movl 28(%4), %%edx\n"
5780 +- "17: movl %%eax, 24(%3)\n"
5781 +- "18: movl %%edx, 28(%3)\n"
5782 ++ "17: movl %%eax, %%es:24(%3)\n"
5783 ++ "18: movl %%edx, %%es:28(%3)\n"
5784 + "19: movl 32(%4), %%eax\n"
5785 + "20: movl 36(%4), %%edx\n"
5786 +- "21: movl %%eax, 32(%3)\n"
5787 +- "22: movl %%edx, 36(%3)\n"
5788 ++ "21: movl %%eax, %%es:32(%3)\n"
5789 ++ "22: movl %%edx, %%es:36(%3)\n"
5790 + "23: movl 40(%4), %%eax\n"
5791 + "24: movl 44(%4), %%edx\n"
5792 +- "25: movl %%eax, 40(%3)\n"
5793 +- "26: movl %%edx, 44(%3)\n"
5794 ++ "25: movl %%eax, %%es:40(%3)\n"
5795 ++ "26: movl %%edx, %%es:44(%3)\n"
5796 + "27: movl 48(%4), %%eax\n"
5797 + "28: movl 52(%4), %%edx\n"
5798 +- "29: movl %%eax, 48(%3)\n"
5799 +- "30: movl %%edx, 52(%3)\n"
5800 ++ "29: movl %%eax, %%es:48(%3)\n"
5801 ++ "30: movl %%edx, %%es:52(%3)\n"
5802 + "31: movl 56(%4), %%eax\n"
5803 + "32: movl 60(%4), %%edx\n"
5804 +- "33: movl %%eax, 56(%3)\n"
5805 +- "34: movl %%edx, 60(%3)\n"
5806 ++ "33: movl %%eax, %%es:56(%3)\n"
5807 ++ "34: movl %%edx, %%es:60(%3)\n"
5808 + " addl $-64, %0\n"
5809 + " addl $64, %4\n"
5810 + " addl $64, %3\n"
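Review bot: the `%%es:` prefix added to all 16 stores in this hunk is load-bearing, not cosmetic: the function now loads %ds with __USER_DS (the `movw %w6, %%ds` in the previous hunk), and a plain `movl %%eax, 0(%3)` with %edi as base defaults to %ds, so without the override every store into the kernel-side buffer would be checked against the user limit and take a #GP for any kernel address. A short comment at the top of the asm stating that %ds is the user side and %es the kernel side would help whoever touches these loops next; the same applies to the three further copies of this change below.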
5811 +@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
5812 + "36: movl %%eax, %0\n"
5813 + "37: rep; movsb\n"
5814 + "100:\n"
5815 ++ " pushl %%ss\n"
5816 ++ " popl %%ds\n"
5817 + ".section .fixup,\"ax\"\n"
5818 + "101: lea 0(%%eax,%0,4),%0\n"
5819 + " jmp 100b\n"
5820 +@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
5821 + " .long 99b,101b\n"
5822 + ".previous"
5823 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5824 +- : "1"(to), "2"(from), "0"(size)
5825 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5826 + : "eax", "edx", "memory");
5827 + return size;
5828 + }
5829 +@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
5830 + {
5831 + int d0, d1;
5832 + __asm__ __volatile__(
5833 ++ " movw %w6, %%ds\n"
5834 + " .align 2,0x90\n"
5835 + "0: movl 32(%4), %%eax\n"
5836 + " cmpl $67, %0\n"
5837 +@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
5838 + " .align 2,0x90\n"
5839 + "2: movl 0(%4), %%eax\n"
5840 + "21: movl 4(%4), %%edx\n"
5841 +- " movl %%eax, 0(%3)\n"
5842 +- " movl %%edx, 4(%3)\n"
5843 ++ " movl %%eax, %%es:0(%3)\n"
5844 ++ " movl %%edx, %%es:4(%3)\n"
5845 + "3: movl 8(%4), %%eax\n"
5846 + "31: movl 12(%4),%%edx\n"
5847 +- " movl %%eax, 8(%3)\n"
5848 +- " movl %%edx, 12(%3)\n"
5849 ++ " movl %%eax, %%es:8(%3)\n"
5850 ++ " movl %%edx, %%es:12(%3)\n"
5851 + "4: movl 16(%4), %%eax\n"
5852 + "41: movl 20(%4), %%edx\n"
5853 +- " movl %%eax, 16(%3)\n"
5854 +- " movl %%edx, 20(%3)\n"
5855 ++ " movl %%eax, %%es:16(%3)\n"
5856 ++ " movl %%edx, %%es:20(%3)\n"
5857 + "10: movl 24(%4), %%eax\n"
5858 + "51: movl 28(%4), %%edx\n"
5859 +- " movl %%eax, 24(%3)\n"
5860 +- " movl %%edx, 28(%3)\n"
5861 ++ " movl %%eax, %%es:24(%3)\n"
5862 ++ " movl %%edx, %%es:28(%3)\n"
5863 + "11: movl 32(%4), %%eax\n"
5864 + "61: movl 36(%4), %%edx\n"
5865 +- " movl %%eax, 32(%3)\n"
5866 +- " movl %%edx, 36(%3)\n"
5867 ++ " movl %%eax, %%es:32(%3)\n"
5868 ++ " movl %%edx, %%es:36(%3)\n"
5869 + "12: movl 40(%4), %%eax\n"
5870 + "71: movl 44(%4), %%edx\n"
5871 +- " movl %%eax, 40(%3)\n"
5872 +- " movl %%edx, 44(%3)\n"
5873 ++ " movl %%eax, %%es:40(%3)\n"
5874 ++ " movl %%edx, %%es:44(%3)\n"
5875 + "13: movl 48(%4), %%eax\n"
5876 + "81: movl 52(%4), %%edx\n"
5877 +- " movl %%eax, 48(%3)\n"
5878 +- " movl %%edx, 52(%3)\n"
5879 ++ " movl %%eax, %%es:48(%3)\n"
5880 ++ " movl %%edx, %%es:52(%3)\n"
5881 + "14: movl 56(%4), %%eax\n"
5882 + "91: movl 60(%4), %%edx\n"
5883 +- " movl %%eax, 56(%3)\n"
5884 +- " movl %%edx, 60(%3)\n"
5885 ++ " movl %%eax, %%es:56(%3)\n"
5886 ++ " movl %%edx, %%es:60(%3)\n"
5887 + " addl $-64, %0\n"
5888 + " addl $64, %4\n"
5889 + " addl $64, %3\n"
5890 +@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
5891 + " movl %%eax,%0\n"
5892 + "7: rep; movsb\n"
5893 + "8:\n"
5894 ++ " pushl %%ss\n"
5895 ++ " popl %%ds\n"
5896 + ".section .fixup,\"ax\"\n"
5897 + "9: lea 0(%%eax,%0,4),%0\n"
5898 + "16: pushl %0\n"
5899 +@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
5900 + " .long 7b,16b\n"
5901 + ".previous"
5902 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5903 +- : "1"(to), "2"(from), "0"(size)
5904 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5905 + : "eax", "edx", "memory");
5906 + return size;
5907 + }
5908 +@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
5909 + int d0, d1;
5910 +
5911 + __asm__ __volatile__(
5912 ++ " movw %w6, %%ds\n"
5913 + " .align 2,0x90\n"
5914 + "0: movl 32(%4), %%eax\n"
5915 + " cmpl $67, %0\n"
5916 +@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
5917 + " .align 2,0x90\n"
5918 + "2: movl 0(%4), %%eax\n"
5919 + "21: movl 4(%4), %%edx\n"
5920 +- " movnti %%eax, 0(%3)\n"
5921 +- " movnti %%edx, 4(%3)\n"
5922 ++ " movnti %%eax, %%es:0(%3)\n"
5923 ++ " movnti %%edx, %%es:4(%3)\n"
5924 + "3: movl 8(%4), %%eax\n"
5925 + "31: movl 12(%4),%%edx\n"
5926 +- " movnti %%eax, 8(%3)\n"
5927 +- " movnti %%edx, 12(%3)\n"
5928 ++ " movnti %%eax, %%es:8(%3)\n"
5929 ++ " movnti %%edx, %%es:12(%3)\n"
5930 + "4: movl 16(%4), %%eax\n"
5931 + "41: movl 20(%4), %%edx\n"
5932 +- " movnti %%eax, 16(%3)\n"
5933 +- " movnti %%edx, 20(%3)\n"
5934 ++ " movnti %%eax, %%es:16(%3)\n"
5935 ++ " movnti %%edx, %%es:20(%3)\n"
5936 + "10: movl 24(%4), %%eax\n"
5937 + "51: movl 28(%4), %%edx\n"
5938 +- " movnti %%eax, 24(%3)\n"
5939 +- " movnti %%edx, 28(%3)\n"
5940 ++ " movnti %%eax, %%es:24(%3)\n"
5941 ++ " movnti %%edx, %%es:28(%3)\n"
5942 + "11: movl 32(%4), %%eax\n"
5943 + "61: movl 36(%4), %%edx\n"
5944 +- " movnti %%eax, 32(%3)\n"
5945 +- " movnti %%edx, 36(%3)\n"
5946 ++ " movnti %%eax, %%es:32(%3)\n"
5947 ++ " movnti %%edx, %%es:36(%3)\n"
5948 + "12: movl 40(%4), %%eax\n"
5949 + "71: movl 44(%4), %%edx\n"
5950 +- " movnti %%eax, 40(%3)\n"
5951 +- " movnti %%edx, 44(%3)\n"
5952 ++ " movnti %%eax, %%es:40(%3)\n"
5953 ++ " movnti %%edx, %%es:44(%3)\n"
5954 + "13: movl 48(%4), %%eax\n"
5955 + "81: movl 52(%4), %%edx\n"
5956 +- " movnti %%eax, 48(%3)\n"
5957 +- " movnti %%edx, 52(%3)\n"
5958 ++ " movnti %%eax, %%es:48(%3)\n"
5959 ++ " movnti %%edx, %%es:52(%3)\n"
5960 + "14: movl 56(%4), %%eax\n"
5961 + "91: movl 60(%4), %%edx\n"
5962 +- " movnti %%eax, 56(%3)\n"
5963 +- " movnti %%edx, 60(%3)\n"
5964 ++ " movnti %%eax, %%es:56(%3)\n"
5965 ++ " movnti %%edx, %%es:60(%3)\n"
5966 + " addl $-64, %0\n"
5967 + " addl $64, %4\n"
5968 + " addl $64, %3\n"
5969 +@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
5970 + " movl %%eax,%0\n"
5971 + "7: rep; movsb\n"
5972 + "8:\n"
5973 ++ " pushl %%ss\n"
5974 ++ " popl %%ds\n"
5975 + ".section .fixup,\"ax\"\n"
5976 + "9: lea 0(%%eax,%0,4),%0\n"
5977 + "16: pushl %0\n"
5978 +@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
5979 + " .long 7b,16b\n"
5980 + ".previous"
5981 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
5982 +- : "1"(to), "2"(from), "0"(size)
5983 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
5984 + : "eax", "edx", "memory");
5985 + return size;
5986 + }
5987 +@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
5988 + int d0, d1;
5989 +
5990 + __asm__ __volatile__(
5991 ++ " movw %w6, %%ds\n"
5992 + " .align 2,0x90\n"
5993 + "0: movl 32(%4), %%eax\n"
5994 + " cmpl $67, %0\n"
5995 +@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
5996 + " .align 2,0x90\n"
5997 + "2: movl 0(%4), %%eax\n"
5998 + "21: movl 4(%4), %%edx\n"
5999 +- " movnti %%eax, 0(%3)\n"
6000 +- " movnti %%edx, 4(%3)\n"
6001 ++ " movnti %%eax, %%es:0(%3)\n"
6002 ++ " movnti %%edx, %%es:4(%3)\n"
6003 + "3: movl 8(%4), %%eax\n"
6004 + "31: movl 12(%4),%%edx\n"
6005 +- " movnti %%eax, 8(%3)\n"
6006 +- " movnti %%edx, 12(%3)\n"
6007 ++ " movnti %%eax, %%es:8(%3)\n"
6008 ++ " movnti %%edx, %%es:12(%3)\n"
6009 + "4: movl 16(%4), %%eax\n"
6010 + "41: movl 20(%4), %%edx\n"
6011 +- " movnti %%eax, 16(%3)\n"
6012 +- " movnti %%edx, 20(%3)\n"
6013 ++ " movnti %%eax, %%es:16(%3)\n"
6014 ++ " movnti %%edx, %%es:20(%3)\n"
6015 + "10: movl 24(%4), %%eax\n"
6016 + "51: movl 28(%4), %%edx\n"
6017 +- " movnti %%eax, 24(%3)\n"
6018 +- " movnti %%edx, 28(%3)\n"
6019 ++ " movnti %%eax, %%es:24(%3)\n"
6020 ++ " movnti %%edx, %%es:28(%3)\n"
6021 + "11: movl 32(%4), %%eax\n"
6022 + "61: movl 36(%4), %%edx\n"
6023 +- " movnti %%eax, 32(%3)\n"
6024 +- " movnti %%edx, 36(%3)\n"
6025 ++ " movnti %%eax, %%es:32(%3)\n"
6026 ++ " movnti %%edx, %%es:36(%3)\n"
6027 + "12: movl 40(%4), %%eax\n"
6028 + "71: movl 44(%4), %%edx\n"
6029 +- " movnti %%eax, 40(%3)\n"
6030 +- " movnti %%edx, 44(%3)\n"
6031 ++ " movnti %%eax, %%es:40(%3)\n"
6032 ++ " movnti %%edx, %%es:44(%3)\n"
6033 + "13: movl 48(%4), %%eax\n"
6034 + "81: movl 52(%4), %%edx\n"
6035 +- " movnti %%eax, 48(%3)\n"
6036 +- " movnti %%edx, 52(%3)\n"
6037 ++ " movnti %%eax, %%es:48(%3)\n"
6038 ++ " movnti %%edx, %%es:52(%3)\n"
6039 + "14: movl 56(%4), %%eax\n"
6040 + "91: movl 60(%4), %%edx\n"
6041 +- " movnti %%eax, 56(%3)\n"
6042 +- " movnti %%edx, 60(%3)\n"
6043 ++ " movnti %%eax, %%es:56(%3)\n"
6044 ++ " movnti %%edx, %%es:60(%3)\n"
6045 + " addl $-64, %0\n"
6046 + " addl $64, %4\n"
6047 + " addl $64, %3\n"
6048 +@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
6049 + " movl %%eax,%0\n"
6050 + "7: rep; movsb\n"
6051 + "8:\n"
6052 ++ " pushl %%ss\n"
6053 ++ " popl %%ds\n"
6054 + ".section .fixup,\"ax\"\n"
6055 + "9: lea 0(%%eax,%0,4),%0\n"
6056 + "16: jmp 8b\n"
6057 +@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
6058 + " .long 7b,16b\n"
6059 + ".previous"
6060 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
6061 +- : "1"(to), "2"(from), "0"(size)
6062 ++ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
6063 + : "eax", "edx", "memory");
6064 + return size;
6065 + }
6066 +@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
6067 + */
6068 + unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
6069 + unsigned long size);
6070 +-unsigned long __copy_user_intel(void __user *to, const void *from,
6071 ++unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
6072 ++ unsigned long size);
6073 ++unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
6074 + unsigned long size);
6075 + unsigned long __copy_user_zeroing_intel_nocache(void *to,
6076 + const void __user *from, unsigned long size);
6077 + #endif /* CONFIG_X86_INTEL_USERCOPY */
6078 +
6079 + /* Generic arbitrary sized copy. */
6080 +-#define __copy_user(to,from,size) \
6081 +-do { \
6082 +- int __d0, __d1, __d2; \
6083 +- __asm__ __volatile__( \
6084 +- " cmp $7,%0\n" \
6085 +- " jbe 1f\n" \
6086 +- " movl %1,%0\n" \
6087 +- " negl %0\n" \
6088 +- " andl $7,%0\n" \
6089 +- " subl %0,%3\n" \
6090 +- "4: rep; movsb\n" \
6091 +- " movl %3,%0\n" \
6092 +- " shrl $2,%0\n" \
6093 +- " andl $3,%3\n" \
6094 +- " .align 2,0x90\n" \
6095 +- "0: rep; movsl\n" \
6096 +- " movl %3,%0\n" \
6097 +- "1: rep; movsb\n" \
6098 +- "2:\n" \
6099 +- ".section .fixup,\"ax\"\n" \
6100 +- "5: addl %3,%0\n" \
6101 +- " jmp 2b\n" \
6102 +- "3: lea 0(%3,%0,4),%0\n" \
6103 +- " jmp 2b\n" \
6104 +- ".previous\n" \
6105 +- ".section __ex_table,\"a\"\n" \
6106 +- " .align 4\n" \
6107 +- " .long 4b,5b\n" \
6108 +- " .long 0b,3b\n" \
6109 +- " .long 1b,2b\n" \
6110 +- ".previous" \
6111 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
6112 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
6113 +- : "memory"); \
6114 +-} while (0)
6115 +-
6116 +-#define __copy_user_zeroing(to,from,size) \
6117 +-do { \
6118 +- int __d0, __d1, __d2; \
6119 +- __asm__ __volatile__( \
6120 +- " cmp $7,%0\n" \
6121 +- " jbe 1f\n" \
6122 +- " movl %1,%0\n" \
6123 +- " negl %0\n" \
6124 +- " andl $7,%0\n" \
6125 +- " subl %0,%3\n" \
6126 +- "4: rep; movsb\n" \
6127 +- " movl %3,%0\n" \
6128 +- " shrl $2,%0\n" \
6129 +- " andl $3,%3\n" \
6130 +- " .align 2,0x90\n" \
6131 +- "0: rep; movsl\n" \
6132 +- " movl %3,%0\n" \
6133 +- "1: rep; movsb\n" \
6134 +- "2:\n" \
6135 +- ".section .fixup,\"ax\"\n" \
6136 +- "5: addl %3,%0\n" \
6137 +- " jmp 6f\n" \
6138 +- "3: lea 0(%3,%0,4),%0\n" \
6139 +- "6: pushl %0\n" \
6140 +- " pushl %%eax\n" \
6141 +- " xorl %%eax,%%eax\n" \
6142 +- " rep; stosb\n" \
6143 +- " popl %%eax\n" \
6144 +- " popl %0\n" \
6145 +- " jmp 2b\n" \
6146 +- ".previous\n" \
6147 +- ".section __ex_table,\"a\"\n" \
6148 +- " .align 4\n" \
6149 +- " .long 4b,5b\n" \
6150 +- " .long 0b,3b\n" \
6151 +- " .long 1b,6b\n" \
6152 +- ".previous" \
6153 +- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
6154 +- : "3"(size), "0"(size), "1"(to), "2"(from) \
6155 +- : "memory"); \
6156 +-} while (0)
6157 ++static unsigned long
6158 ++__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
6159 ++{
6160 ++ int __d0, __d1, __d2;
6161 ++
6162 ++ __asm__ __volatile__(
6163 ++ " movw %w8,%%es\n"
6164 ++ " cmp $7,%0\n"
6165 ++ " jbe 1f\n"
6166 ++ " movl %1,%0\n"
6167 ++ " negl %0\n"
6168 ++ " andl $7,%0\n"
6169 ++ " subl %0,%3\n"
6170 ++ "4: rep; movsb\n"
6171 ++ " movl %3,%0\n"
6172 ++ " shrl $2,%0\n"
6173 ++ " andl $3,%3\n"
6174 ++ " .align 2,0x90\n"
6175 ++ "0: rep; movsl\n"
6176 ++ " movl %3,%0\n"
6177 ++ "1: rep; movsb\n"
6178 ++ "2:\n"
6179 ++ " pushl %%ss\n"
6180 ++ " popl %%es\n"
6181 ++ ".section .fixup,\"ax\"\n"
6182 ++ "5: addl %3,%0\n"
6183 ++ " jmp 2b\n"
6184 ++ "3: lea 0(%3,%0,4),%0\n"
6185 ++ " jmp 2b\n"
6186 ++ ".previous\n"
6187 ++ ".section __ex_table,\"a\"\n"
6188 ++ " .align 4\n"
6189 ++ " .long 4b,5b\n"
6190 ++ " .long 0b,3b\n"
6191 ++ " .long 1b,2b\n"
6192 ++ ".previous"
6193 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6194 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6195 ++ : "memory");
6196 ++ return size;
6197 ++}
6198 ++
6199 ++static unsigned long
6200 ++__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
6201 ++{
6202 ++ int __d0, __d1, __d2;
6203 ++
6204 ++ __asm__ __volatile__(
6205 ++ " movw %w8,%%ds\n"
6206 ++ " cmp $7,%0\n"
6207 ++ " jbe 1f\n"
6208 ++ " movl %1,%0\n"
6209 ++ " negl %0\n"
6210 ++ " andl $7,%0\n"
6211 ++ " subl %0,%3\n"
6212 ++ "4: rep; movsb\n"
6213 ++ " movl %3,%0\n"
6214 ++ " shrl $2,%0\n"
6215 ++ " andl $3,%3\n"
6216 ++ " .align 2,0x90\n"
6217 ++ "0: rep; movsl\n"
6218 ++ " movl %3,%0\n"
6219 ++ "1: rep; movsb\n"
6220 ++ "2:\n"
6221 ++ " pushl %%ss\n"
6222 ++ " popl %%ds\n"
6223 ++ ".section .fixup,\"ax\"\n"
6224 ++ "5: addl %3,%0\n"
6225 ++ " jmp 2b\n"
6226 ++ "3: lea 0(%3,%0,4),%0\n"
6227 ++ " jmp 2b\n"
6228 ++ ".previous\n"
6229 ++ ".section __ex_table,\"a\"\n"
6230 ++ " .align 4\n"
6231 ++ " .long 4b,5b\n"
6232 ++ " .long 0b,3b\n"
6233 ++ " .long 1b,2b\n"
6234 ++ ".previous"
6235 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6236 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6237 ++ : "memory");
6238 ++ return size;
6239 ++}
6240 ++
6241 ++static unsigned long
6242 ++__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
6243 ++{
6244 ++ int __d0, __d1, __d2;
6245 ++
6246 ++ __asm__ __volatile__(
6247 ++ " movw %w8,%%ds\n"
6248 ++ " cmp $7,%0\n"
6249 ++ " jbe 1f\n"
6250 ++ " movl %1,%0\n"
6251 ++ " negl %0\n"
6252 ++ " andl $7,%0\n"
6253 ++ " subl %0,%3\n"
6254 ++ "4: rep; movsb\n"
6255 ++ " movl %3,%0\n"
6256 ++ " shrl $2,%0\n"
6257 ++ " andl $3,%3\n"
6258 ++ " .align 2,0x90\n"
6259 ++ "0: rep; movsl\n"
6260 ++ " movl %3,%0\n"
6261 ++ "1: rep; movsb\n"
6262 ++ "2:\n"
6263 ++ " pushl %%ss\n"
6264 ++ " popl %%ds\n"
6265 ++ ".section .fixup,\"ax\"\n"
6266 ++ "5: addl %3,%0\n"
6267 ++ " jmp 6f\n"
6268 ++ "3: lea 0(%3,%0,4),%0\n"
6269 ++ "6: pushl %0\n"
6270 ++ " pushl %%eax\n"
6271 ++ " xorl %%eax,%%eax\n"
6272 ++ " rep; stosb\n"
6273 ++ " popl %%eax\n"
6274 ++ " popl %0\n"
6275 ++ " jmp 2b\n"
6276 ++ ".previous\n"
6277 ++ ".section __ex_table,\"a\"\n"
6278 ++ " .align 4\n"
6279 ++ " .long 4b,5b\n"
6280 ++ " .long 0b,3b\n"
6281 ++ " .long 1b,6b\n"
6282 ++ ".previous"
6283 ++ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
6284 ++ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
6285 ++ : "memory");
6286 ++ return size;
6287 ++}
6288 +
6289 + unsigned long __copy_to_user_ll(void __user *to, const void *from,
6290 + unsigned long n)
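Review bot: __generic_copy_to_user, __generic_copy_from_user and __copy_user_zeroing are three copies of the same loop whose only differences are which of %es/%ds receives `%w8` and the zeroing fixup at `6:`; a macro taking the segment register as a parameter would keep them in step. The details check out: `%w8` is the `"r"(__USER_DS)` input (outputs 0-3, inputs 4-8); `rep; movsb`/`movsl` implicitly move DS:ESI to ES:EDI, so loading %es bounds the to-user copy and loading %ds bounds the from-user one; the `6:` fixup's `rep; stosb` zeroes through %es, which stays the kernel segment in the from-user functions; and every fixup path (`5: ... jmp 2b`, `3: ... 6: ... jmp 2b`, `.long 1b,2b`/`1b,6b`) ends at `2:`, where `pushl %%ss; popl %%ds` restores the segment before control returns to C.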
6291 +@@ -774,9 +965,9 @@ survive:
6292 + }
6293 + #endif
6294 + if (movsl_is_ok(to, from, n))
6295 +- __copy_user(to, from, n);
6296 ++ n = __generic_copy_to_user(to, from, n);
6297 + else
6298 +- n = __copy_user_intel(to, from, n);
6299 ++ n = __generic_copy_to_user_intel(to, from, n);
6300 + return n;
6301 + }
6302 + EXPORT_SYMBOL(__copy_to_user_ll);
6303 +@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
6304 + unsigned long n)
6305 + {
6306 + if (movsl_is_ok(to, from, n))
6307 +- __copy_user_zeroing(to, from, n);
6308 ++ n = __copy_user_zeroing(to, from, n);
6309 + else
6310 + n = __copy_user_zeroing_intel(to, from, n);
6311 + return n;
6312 +@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
6313 + unsigned long n)
6314 + {
6315 + if (movsl_is_ok(to, from, n))
6316 +- __copy_user(to, from, n);
6317 ++ n = __generic_copy_from_user(to, from, n);
6318 + else
6319 +- n = __copy_user_intel((void __user *)to,
6320 ++ n = __generic_copy_from_user_intel((void __user *)to,
6321 + (const void *)from, n);
6322 + return n;
6323 + }
6324 +@@ -809,11 +1000,11 @@ unsigned long __copy_from_user_ll_nocach
6325 + {
6326 + #ifdef CONFIG_X86_INTEL_USERCOPY
6327 + if ( n > 64 && cpu_has_xmm2)
6328 +- n = __copy_user_zeroing_intel_nocache(to, from, n);
6329 ++ n = __copy_user_zeroing_intel_nocache(to, from, n);
6330 + else
6331 +- __copy_user_zeroing(to, from, n);
6332 ++ n = __copy_user_zeroing(to, from, n);
6333 + #else
6334 +- __copy_user_zeroing(to, from, n);
6335 ++ n = __copy_user_zeroing(to, from, n);
6336 + #endif
6337 + return n;
6338 + }
6339 +@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
6340 + {
6341 + #ifdef CONFIG_X86_INTEL_USERCOPY
6342 + if ( n > 64 && cpu_has_xmm2)
6343 +- n = __copy_user_intel_nocache(to, from, n);
6344 ++ n = __copy_user_intel_nocache(to, from, n);
6345 + else
6346 +- __copy_user(to, from, n);
6347 ++ n = __generic_copy_from_user(to, from, n);
6348 + #else
6349 +- __copy_user(to, from, n);
6350 ++ n = __generic_copy_from_user(to, from, n);
6351 + #endif
6352 + return n;
6353 + }
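Review bot: as in the previous hunk, the `-`/`+` pair for `n = __copy_user_intel_nocache(to, from, n);` is whitespace-only as rendered and can be dropped; the substantive change is that `__copy_user(to, from, n);` is replaced by `n = __generic_copy_from_user(to, from, n);` in both the `else` branch and the non-`CONFIG_X86_INTEL_USERCOPY` branch, so the caller now gets the uncopied byte count back instead of relying on the old macro updating `n` in place.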
6354 +@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
6355 + return n;
6356 + }
6357 + EXPORT_SYMBOL(copy_from_user);
6358 ++
6359 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6360 ++void __set_fs(mm_segment_t x, int cpu)
6361 ++{
6362 ++ unsigned long limit = x.seg;
6363 ++ __u32 a, b;
6364 ++
6365 ++ current_thread_info()->addr_limit = x;
6366 ++ if (likely(limit))
6367 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
6368 ++ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
6369 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
6370 ++}
6371 ++
6372 ++void set_fs(mm_segment_t x)
6373 ++{
6374 ++ __set_fs(x, get_cpu());
6375 ++ put_cpu_no_resched();
6376 ++}
6377 ++#else
6378 ++void set_fs(mm_segment_t x)
6379 ++{
6380 ++ current_thread_info()->addr_limit = x;
6381 ++}
6382 ++#endif
6383 ++
6384 ++EXPORT_SYMBOL(set_fs);
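Review bot: the UDEREF `__set_fs()` rewrites the per-CPU `GDT_ENTRY_DEFAULT_USER_DS` descriptor so that its limit tracks `addr_limit`, but nothing in the hunk documents that a segment register already holding that selector keeps its cached limit until the next segment reload; the usercopy routines reload `__USER_DS` themselves (the `"r"(__USER_DS)` operand at the top of this file's changes), and a comment above `__set_fs()` should state that this is the contract callers depend on. The `likely(limit)` branch also deserves a one-line note that `KERNEL_DS` (`0xFFFFFFFF`) packs to a full 4 GiB page-granular limit and `USER_DS` to the `PAGE_OFFSET` boundary, since `pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC)` only makes sense with that in mind. Finally, `__set_fs()` is neither `static` nor visibly declared in a header here; if it is called from the context-switch path, make sure the prototype lands in the matching header hunk.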
6385 +diff -Nurp linux-2.6.23.15/arch/i386/mach-default/setup.c linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c
6386 +--- linux-2.6.23.15/arch/i386/mach-default/setup.c 2007-10-09 21:31:38.000000000 +0100
6387 ++++ linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c 2008-02-11 10:37:44.000000000 +0000
6388 +@@ -35,7 +35,7 @@ void __init pre_intr_init_hook(void)
6389 + /*
6390 + * IRQ2 is cascade interrupt to second interrupt controller
6391 + */
6392 +-static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
6393 ++static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
6394 +
6395 + /**
6396 + * intr_init_hook - post gate setup interrupt initialisation
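Review bot: the positional initializer for `irq2` now has to grow by `0, NULL` just to track two new trailing members of `struct irqaction`; a designated initializer (`{ .handler = no_action, .mask = CPU_MASK_NONE, .name = "cascade" }`) would not need touching every time the struct changes and would make it obvious which fields are meaningful here.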
6397 +diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c
6398 +--- linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c 2007-10-09 21:31:38.000000000 +0100
6399 ++++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c 2008-02-11 10:37:44.000000000 +0000
6400 +@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
6401 + __u8 cmos[4];
6402 + ClickMap_t *map;
6403 + unsigned long map_addr;
6404 +- unsigned long old;
6405 ++ pte_t old;
6406 +
6407 + if(region >= CLICK_ENTRIES) {
6408 + printk("Voyager: Illegal ClickMap region %d\n", region);
6409 +@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
6410 +
6411 + /* steal page 0 for this */
6412 + old = pg0[0];
6413 +- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
6414 ++ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
6415 + local_flush_tlb();
6416 + /* now clear everything out but page 0 */
6417 + map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
6418 +diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c
6419 +--- linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c 2007-10-09 21:31:38.000000000 +0100
6420 ++++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c 2008-02-11 10:37:44.000000000 +0000
6421 +@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
6422 + __u32 *hijack_vector;
6423 + __u32 start_phys_address = setup_trampoline();
6424 +
6425 ++#ifdef CONFIG_PAX_KERNEXEC
6426 ++ unsigned long cr0;
6427 ++#endif
6428 ++
6429 + /* There's a clever trick to this: The linux trampoline is
6430 + * compiled to begin at absolute location zero, so make the
6431 + * address zero but have the data segment selector compensate
6432 +@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
6433 +
6434 + init_gdt(cpu);
6435 + per_cpu(current_task, cpu) = idle;
6436 +- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
6437 ++
6438 ++#ifdef CONFIG_PAX_KERNEXEC
6439 ++ pax_open_kernel(cr0);
6440 ++#endif
6441 ++
6442 ++ early_gdt_descr.address = get_cpu_gdt_table(cpu);
6443 ++
6444 ++#ifdef CONFIG_PAX_KERNEXEC
6445 ++ pax_close_kernel(cr0);
6446 ++#endif
6447 ++
6448 + irq_ctx_init(cpu);
6449 +
6450 + /* Note: Don't modify initial ss override */
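Review bot: `early_gdt_descr.address = get_cpu_gdt_table(cpu);` drops the `(unsigned long)` cast, which only compiles if the descriptor's `address` member has been changed to a pointer type elsewhere in the patch (the fault.c hunk below adds the opposite cast, `(unsigned long)idt_descr.address`, for the same reason); the header hunk that changes the struct must be part of the same change, and a comment here would help explain why the write is wrapped in `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` (the descriptor lives in data that KERNEXEC keeps read-only).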
6451 +@@ -1276,7 +1290,7 @@ smp_local_timer_interrupt(void)
6452 + per_cpu(prof_counter, cpu);
6453 + }
6454 +
6455 +- update_process_times(user_mode_vm(get_irq_regs()));
6456 ++ update_process_times(user_mode(get_irq_regs()));
6457 + }
6458 +
6459 + if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
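Review bot: replacing `user_mode_vm(get_irq_regs())` with `user_mode(get_irq_regs())` changes how ticks are accounted for VM86 tasks: `user_mode_vm()` exists because the CPL test in `user_mode()` is not reliable when `VM_MASK` is set in `eflags`. Unless the patch redefines `user_mode()` elsewhere to cover the VM86 case, this hunk is a behaviour change that needs a justification in the commit message, or should be dropped.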
6460 +diff -Nurp linux-2.6.23.15/arch/i386/mm/boot_ioremap.c linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c
6461 +--- linux-2.6.23.15/arch/i386/mm/boot_ioremap.c 2007-10-09 21:31:38.000000000 +0100
6462 ++++ linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c 2008-02-11 10:37:44.000000000 +0000
6463 +@@ -7,57 +7,37 @@
6464 + * Written by Dave Hansen <haveblue@××××××.com>
6465 + */
6466 +
6467 +-
6468 +-/*
6469 +- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
6470 +- * keeps that from happenning. If anyone has a better way, I'm listening.
6471 +- *
6472 +- * boot_pte_t is defined only if this all works correctly
6473 +- */
6474 +-
6475 +-#undef CONFIG_X86_PAE
6476 + #undef CONFIG_PARAVIRT
6477 + #include <asm/page.h>
6478 + #include <asm/pgtable.h>
6479 + #include <asm/tlbflush.h>
6480 + #include <linux/init.h>
6481 + #include <linux/stddef.h>
6482 +-
6483 +-/*
6484 +- * I'm cheating here. It is known that the two boot PTE pages are
6485 +- * allocated next to each other. I'm pretending that they're just
6486 +- * one big array.
6487 +- */
6488 +-
6489 +-#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
6490 +-
6491 +-static unsigned long boot_pte_index(unsigned long vaddr)
6492 +-{
6493 +- return __pa(vaddr) >> PAGE_SHIFT;
6494 +-}
6495 +-
6496 +-static inline boot_pte_t* boot_vaddr_to_pte(void *address)
6497 +-{
6498 +- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
6499 +- return &boot_pg[boot_pte_index((unsigned long)address)];
6500 +-}
6501 ++#include <linux/sched.h>
6502 +
6503 + /*
6504 + * This is only for a caller who is clever enough to page-align
6505 + * phys_addr and virtual_source, and who also has a preference
6506 + * about which virtual address from which to steal ptes
6507 + */
6508 +-static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
6509 +- void* virtual_source)
6510 ++static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
6511 ++ char* virtual_source)
6512 + {
6513 +- boot_pte_t* pte;
6514 +- int i;
6515 +- char *vaddr = virtual_source;
6516 ++ pgd_t *pgd;
6517 ++ pud_t *pud;
6518 ++ pmd_t *pmd;
6519 ++ pte_t* pte;
6520 ++ unsigned int i;
6521 ++ unsigned long vaddr = (unsigned long)virtual_source;
6522 ++
6523 ++ pgd = pgd_offset_k(vaddr);
6524 ++ pud = pud_offset(pgd, vaddr);
6525 ++ pmd = pmd_offset(pud, vaddr);
6526 ++ pte = pte_offset_kernel(pmd, vaddr);
6527 +
6528 +- pte = boot_vaddr_to_pte(virtual_source);
6529 + for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
6530 + set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
6531 +- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
6532 ++ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
6533 + }
6534 + }
6535 +
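Review bot: now that `__boot_ioremap()` walks the real page tables (`pgd_offset_k` / `pud_offset` / `pmd_offset` / `pte_offset_kernel`) instead of the removed "two boot PTE pages are allocated next to each other" assumption, the loop's `pte++` is only valid within one PTE page; an `nrpages` range that crosses a pmd boundary would keep incrementing past the end of that page table. Either document that callers never pass a range crossing a pmd, or redo the walk per pmd inside the loop. Dropping `#undef CONFIG_X86_PAE` is the right consequence of using the real walk, but the commit message should say that this file now compiles against the real PAE layout.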
6536 +diff -Nurp linux-2.6.23.15/arch/i386/mm/extable.c linux-2.6.23.15-grsec/arch/i386/mm/extable.c
6537 +--- linux-2.6.23.15/arch/i386/mm/extable.c 2007-10-09 21:31:38.000000000 +0100
6538 ++++ linux-2.6.23.15-grsec/arch/i386/mm/extable.c 2008-02-11 10:37:44.000000000 +0000
6539 +@@ -4,14 +4,63 @@
6540 +
6541 + #include <linux/module.h>
6542 + #include <linux/spinlock.h>
6543 ++#include <linux/sort.h>
6544 + #include <asm/uaccess.h>
6545 +
6546 ++/*
6547 ++ * The exception table needs to be sorted so that the binary
6548 ++ * search that we use to find entries in it works properly.
6549 ++ * This is used both for the kernel exception table and for
6550 ++ * the exception tables of modules that get loaded.
6551 ++ */
6552 ++static int cmp_ex(const void *a, const void *b)
6553 ++{
6554 ++ const struct exception_table_entry *x = a, *y = b;
6555 ++
6556 ++ /* avoid overflow */
6557 ++ if (x->insn > y->insn)
6558 ++ return 1;
6559 ++ if (x->insn < y->insn)
6560 ++ return -1;
6561 ++ return 0;
6562 ++}
6563 ++
6564 ++static void swap_ex(void *a, void *b, int size)
6565 ++{
6566 ++ struct exception_table_entry t, *x = a, *y = b;
6567 ++
6568 ++#ifdef CONFIG_PAX_KERNEXEC
6569 ++ unsigned long cr0;
6570 ++#endif
6571 ++
6572 ++ t = *x;
6573 ++
6574 ++#ifdef CONFIG_PAX_KERNEXEC
6575 ++ pax_open_kernel(cr0);
6576 ++#endif
6577 ++
6578 ++ *x = *y;
6579 ++ *y = t;
6580 ++
6581 ++#ifdef CONFIG_PAX_KERNEXEC
6582 ++ pax_close_kernel(cr0);
6583 ++#endif
6584 ++
6585 ++}
6586 ++
6587 ++void sort_extable(struct exception_table_entry *start,
6588 ++ struct exception_table_entry *finish)
6589 ++{
6590 ++ sort(start, finish - start, sizeof(struct exception_table_entry),
6591 ++ cmp_ex, swap_ex);
6592 ++}
6593 ++
6594 + int fixup_exception(struct pt_regs *regs)
6595 + {
6596 + const struct exception_table_entry *fixup;
6597 +
6598 + #ifdef CONFIG_PNPBIOS
6599 +- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
6600 ++ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
6601 + {
6602 + extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
6603 + extern u32 pnp_bios_is_utter_crap;
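Review bot: defining `sort_extable()` here duplicates the generic one in lib/extable.c, which is compiled unless the architecture defines `ARCH_HAS_SORT_EXTABLE`; that define is not in this hunk, so make sure the matching header change is in the patch or the build will see two definitions. The only reason for the arch copy is `swap_ex()` opening the kernel for writing under `CONFIG_PAX_KERNEXEC`, which is worth stating in the comment above `cmp_ex()`. Minor style points: the stray blank line before the closing brace of `swap_ex()`, and the added `!(regs->eflags & VM_MASK)` guard in `fixup_exception()` deserves a short comment that `SEGMENT_IS_PNP_CODE()` is meaningless for a real-mode selector.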
6604 +diff -Nurp linux-2.6.23.15/arch/i386/mm/fault.c linux-2.6.23.15-grsec/arch/i386/mm/fault.c
6605 +--- linux-2.6.23.15/arch/i386/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
6606 ++++ linux-2.6.23.15-grsec/arch/i386/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
6607 +@@ -25,10 +25,14 @@
6608 + #include <linux/kprobes.h>
6609 + #include <linux/uaccess.h>
6610 + #include <linux/kdebug.h>
6611 ++#include <linux/unistd.h>
6612 ++#include <linux/compiler.h>
6613 ++#include <linux/binfmts.h>
6614 +
6615 + #include <asm/system.h>
6616 + #include <asm/desc.h>
6617 + #include <asm/segment.h>
6618 ++#include <asm/tlbflush.h>
6619 +
6620 + extern void die(const char *,struct pt_regs *,long);
6621 +
6622 +@@ -79,7 +83,8 @@ static inline unsigned long get_segment_
6623 + {
6624 + unsigned long eip = regs->eip;
6625 + unsigned seg = regs->xcs & 0xffff;
6626 +- u32 seg_ar, seg_limit, base, *desc;
6627 ++ u32 seg_ar, seg_limit, base;
6628 ++ struct desc_struct *desc;
6629 +
6630 + /* Unlikely, but must come before segment checks. */
6631 + if (unlikely(regs->eflags & VM_MASK)) {
6632 +@@ -93,7 +98,7 @@ static inline unsigned long get_segment_
6633 +
6634 + /* By far the most common cases. */
6635 + if (likely(SEGMENT_IS_FLAT_CODE(seg)))
6636 +- return eip;
6637 ++ return eip + (seg == __KERNEL_CS ? __KERNEL_TEXT_OFFSET : 0);
6638 +
6639 + /* Check the segment exists, is within the current LDT/GDT size,
6640 + that kernel/user (ring 0..3) has the appropriate privilege,
6641 +@@ -111,16 +116,19 @@ static inline unsigned long get_segment_
6642 + if (seg & (1<<2)) {
6643 + /* Must lock the LDT while reading it. */
6644 + down(&current->mm->context.sem);
6645 +- desc = current->mm->context.ldt;
6646 +- desc = (void *)desc + (seg & ~7);
6647 ++ if ((seg >> 3) >= current->mm->context.size) {
6648 ++ up(&current->mm->context.sem);
6649 ++ *eip_limit = 0;
6650 ++ return 1; /* So that returned eip > *eip_limit. */
6651 ++ }
6652 ++ desc = &current->mm->context.ldt[seg >> 3];
6653 + } else {
6654 + /* Must disable preemption while reading the GDT. */
6655 +- desc = (u32 *)get_cpu_gdt_table(get_cpu());
6656 +- desc = (void *)desc + (seg & ~7);
6657 ++ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
6658 + }
6659 +
6660 + /* Decode the code segment base from the descriptor */
6661 +- base = get_desc_base((unsigned long *)desc);
6662 ++ base = get_desc_base(desc);
6663 +
6664 + if (seg & (1<<2)) {
6665 + up(&current->mm->context.sem);
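Review bot: the LDT branch gains a proper bounds check (`(seg >> 3) >= current->mm->context.size` with `*eip_limit = 0; return 1;`), but the GDT branch at `desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];` still indexes with a 13-bit selector index and no check against `GDT_ENTRIES`; a selector with an out-of-range index would read past the per-CPU GDT. Suggest the same early-out for the GDT case (remembering `put_cpu()` on that path, since `get_cpu()` has already been called there).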
6666 +@@ -221,6 +229,30 @@ static noinline void force_sig_info_faul
6667 +
6668 + fastcall void do_invalid_op(struct pt_regs *, unsigned long);
6669 +
6670 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6671 ++static int pax_handle_fetch_fault(struct pt_regs *regs);
6672 ++#endif
6673 ++
6674 ++#ifdef CONFIG_PAX_PAGEEXEC
6675 ++static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
6676 ++{
6677 ++ pgd_t *pgd;
6678 ++ pud_t *pud;
6679 ++ pmd_t *pmd;
6680 ++
6681 ++ pgd = pgd_offset(mm, address);
6682 ++ if (!pgd_present(*pgd))
6683 ++ return NULL;
6684 ++ pud = pud_offset(pgd, address);
6685 ++ if (!pud_present(*pud))
6686 ++ return NULL;
6687 ++ pmd = pmd_offset(pud, address);
6688 ++ if (!pmd_present(*pmd))
6689 ++ return NULL;
6690 ++ return pmd;
6691 ++}
6692 ++#endif
6693 ++
6694 + static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
6695 + {
6696 + unsigned index = pgd_index(address);
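Review bot: `pax_get_pmd()` returns any present pmd, including a large-page (PSE) entry, and its caller in `do_page_fault()` hands that pmd to `pte_offset_map_lock()`, which would then treat the huge page frame as a PTE table. Add a `pmd_large()` test (returning `NULL`, so the fault falls through to `not_pax_fault`) or document why a user PSE mapping cannot reach this path.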
6697 +@@ -304,14 +336,21 @@ fastcall void __kprobes do_page_fault(st
6698 + struct task_struct *tsk;
6699 + struct mm_struct *mm;
6700 + struct vm_area_struct * vma;
6701 +- unsigned long address;
6702 + int write, si_code;
6703 + int fault;
6704 ++ pte_t *pte;
6705 ++
6706 ++#ifdef CONFIG_PAX_PAGEEXEC
6707 ++ pmd_t *pmd;
6708 ++ spinlock_t *ptl;
6709 ++ unsigned char pte_mask;
6710 ++#endif
6711 +
6712 + /* get the address */
6713 +- address = read_cr2();
6714 ++ const unsigned long address = read_cr2();
6715 +
6716 + tsk = current;
6717 ++ mm = tsk->mm;
6718 +
6719 + si_code = SEGV_MAPERR;
6720 +
6721 +@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
6722 + if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
6723 + local_irq_enable();
6724 +
6725 +- mm = tsk->mm;
6726 +-
6727 + /*
6728 + * If we're in an interrupt, have no user context or are running in an
6729 + * atomic region then we must not take the fault..
6730 + */
6731 + if (in_atomic() || !mm)
6732 +- goto bad_area_nosemaphore;
6733 ++ goto bad_area_nopax;
6734 +
6735 + /* When running in the kernel we expect faults to occur only to
6736 + * addresses in user space. All other faults represent errors in the
6737 +@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
6738 + if (!down_read_trylock(&mm->mmap_sem)) {
6739 + if ((error_code & 4) == 0 &&
6740 + !search_exception_tables(regs->eip))
6741 +- goto bad_area_nosemaphore;
6742 ++ goto bad_area_nopax;
6743 + down_read(&mm->mmap_sem);
6744 + }
6745 +
6746 ++#ifdef CONFIG_PAX_PAGEEXEC
6747 ++ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
6748 ++ !(mm->pax_flags & MF_PAX_PAGEEXEC))
6749 ++ goto not_pax_fault;
6750 ++
6751 ++ /* PaX: it's our fault, let's handle it if we can */
6752 ++
6753 ++ /* PaX: take a look at read faults before acquiring any locks */
6754 ++ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
6755 ++ /* instruction fetch attempt from a protected page in user mode */
6756 ++ up_read(&mm->mmap_sem);
6757 ++
6758 ++#ifdef CONFIG_PAX_EMUTRAMP
6759 ++ switch (pax_handle_fetch_fault(regs)) {
6760 ++ case 2:
6761 ++ return;
6762 ++ }
6763 ++#endif
6764 ++
6765 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6766 ++ do_exit(SIGKILL);
6767 ++ }
6768 ++
6769 ++ pmd = pax_get_pmd(mm, address);
6770 ++ if (unlikely(!pmd))
6771 ++ goto not_pax_fault;
6772 ++
6773 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
6774 ++ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
6775 ++ pte_unmap_unlock(pte, ptl);
6776 ++ goto not_pax_fault;
6777 ++ }
6778 ++
6779 ++ if (unlikely((error_code & 2) && !pte_write(*pte))) {
6780 ++ /* write attempt to a protected page in user mode */
6781 ++ pte_unmap_unlock(pte, ptl);
6782 ++ goto not_pax_fault;
6783 ++ }
6784 ++
6785 ++#ifdef CONFIG_SMP
6786 ++ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
6787 ++#else
6788 ++ if (likely(address > get_limit(regs->xcs)))
6789 ++#endif
6790 ++ {
6791 ++ set_pte(pte, pte_mkread(*pte));
6792 ++ __flush_tlb_one(address);
6793 ++ pte_unmap_unlock(pte, ptl);
6794 ++ up_read(&mm->mmap_sem);
6795 ++ return;
6796 ++ }
6797 ++
6798 ++ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
6799 ++
6800 ++ /*
6801 ++ * PaX: fill DTLB with user rights and retry
6802 ++ */
6803 ++ __asm__ __volatile__ (
6804 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6805 ++ "movw %w4,%%es\n"
6806 ++#endif
6807 ++ "orb %2,(%1)\n"
6808 ++#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
6809 ++/*
6810 ++ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
6811 ++ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
6812 ++ * page fault when examined during a TLB load attempt. this is true not only
6813 ++ * for PTEs holding a non-present entry but also present entries that will
6814 ++ * raise a page fault (such as those set up by PaX, or the copy-on-write
6815 ++ * mechanism). in effect it means that we do *not* need to flush the TLBs
6816 ++ * for our target pages since their PTEs are simply not in the TLBs at all.
6817 ++
6818 ++ * the best thing in omitting it is that we gain around 15-20% speed in the
6819 ++ * fast path of the page fault handler and can get rid of tracing since we
6820 ++ * can no longer flush unintended entries.
6821 ++ */
6822 ++ "invlpg (%0)\n"
6823 ++#endif
6824 ++ "testb $0,%%es:(%0)\n"
6825 ++ "xorb %3,(%1)\n"
6826 ++#ifdef CONFIG_PAX_MEMORY_UDEREF
6827 ++ "pushl %%ss\n"
6828 ++ "popl %%es\n"
6829 ++#endif
6830 ++ :
6831 ++ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
6832 ++ : "memory", "cc");
6833 ++ pte_unmap_unlock(pte, ptl);
6834 ++ up_read(&mm->mmap_sem);
6835 ++ return;
6836 ++
6837 ++not_pax_fault:
6838 ++#endif
6839 ++
6840 + vma = find_vma(mm, address);
6841 + if (!vma)
6842 + goto bad_area;
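Review bot: two readability points in the PAGEEXEC fast path. The `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` construct has a single case and reads more clearly as `if (pax_handle_fetch_fault(regs) == 2) return;`, here and at the other call site in `bad_area_nosemaphore`. The `pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));` line relies on bit 1 of the error code (write) landing on `_PAGE_DIRTY` after the shift; a one-line comment saying so would spare the next reader the arithmetic. The long comment embedded between the asm string literals is fine, but its first sentence ("let this uncommented 'invlpg' remind us") reads as if the instruction were disabled when it is in fact assembled under `CONFIG_M586`/`CONFIG_M586TSC`; rephrasing to "this invlpg is kept only for 586-class CPUs" would remove the ambiguity.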
6843 +@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
6844 + if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
6845 + goto bad_area;
6846 + }
6847 ++
6848 ++#ifdef CONFIG_PAX_SEGMEXEC
6849 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
6850 ++ goto bad_area;
6851 ++#endif
6852 ++
6853 + if (expand_stack(vma, address))
6854 + goto bad_area;
6855 + /*
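Review bot: the SEGMEXEC stack check `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wraparound to decide whether `vma->vm_end` and `address` lie on the same side of `SEGMEXEC_TASK_SIZE`; that is not obvious from the expression, so add a comment stating the intent (refuse to grow a stack vma across the SEGMEXEC split) or write it as an explicit comparison of the two halves.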
6856 +@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
6857 + good_area:
6858 + si_code = SEGV_ACCERR;
6859 + write = 0;
6860 ++ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
6861 ++ goto bad_area;
6862 + switch (error_code & 3) {
6863 + default: /* 3: write, present */
6864 + /* fall through */
6865 +@@ -458,6 +597,41 @@ bad_area:
6866 + up_read(&mm->mmap_sem);
6867 +
6868 + bad_area_nosemaphore:
6869 ++
6870 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
6871 ++ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
6872 ++ /*
6873 ++ * It's possible to have interrupts off here.
6874 ++ */
6875 ++ local_irq_enable();
6876 ++
6877 ++#ifdef CONFIG_PAX_PAGEEXEC
6878 ++ if ((nx_enabled && (error_code & 16)) ||
6879 ++ ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
6880 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6881 ++ do_exit(SIGKILL);
6882 ++ }
6883 ++#endif
6884 ++
6885 ++#ifdef CONFIG_PAX_SEGMEXEC
6886 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
6887 ++
6888 ++#ifdef CONFIG_PAX_EMUTRAMP
6889 ++ switch (pax_handle_fetch_fault(regs)) {
6890 ++ case 2:
6891 ++ return;
6892 ++ }
6893 ++#endif
6894 ++
6895 ++ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
6896 ++ do_exit(SIGKILL);
6897 ++ }
6898 ++#endif
6899 ++
6900 ++ }
6901 ++#endif
6902 ++
6903 ++bad_area_nopax:
6904 + /* User mode accesses just cause a SIGSEGV */
6905 + if (error_code & 4) {
6906 + /*
6907 +@@ -495,7 +669,7 @@ bad_area_nosemaphore:
6908 + if (boot_cpu_data.f00f_bug) {
6909 + unsigned long nr;
6910 +
6911 +- nr = (address - idt_descr.address) >> 3;
6912 ++ nr = (address - (unsigned long)idt_descr.address) >> 3;
6913 +
6914 + if (nr == 6) {
6915 + do_invalid_op(regs, 0);
6916 +@@ -528,18 +702,34 @@ no_context:
6917 + __typeof__(pte_val(__pte(0))) page;
6918 +
6919 + #ifdef CONFIG_X86_PAE
6920 +- if (error_code & 16) {
6921 +- pte_t *pte = lookup_address(address);
6922 ++ if (nx_enabled && (error_code & 16)) {
6923 ++ pte = lookup_address(address);
6924 +
6925 + if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
6926 + printk(KERN_CRIT "kernel tried to execute "
6927 + "NX-protected page - exploit attempt? "
6928 +- "(uid: %d)\n", current->uid);
6929 ++ "(uid: %d, task: %s, pid: %d)\n",
6930 ++ current->uid, current->comm, current->pid);
6931 + }
6932 + #endif
6933 + if (address < PAGE_SIZE)
6934 + printk(KERN_ALERT "BUG: unable to handle kernel NULL "
6935 + "pointer dereference");
6936 ++
6937 ++#ifdef CONFIG_PAX_KERNEXEC
6938 ++#ifdef CONFIG_MODULES
6939 ++ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
6940 ++#else
6941 ++ else if (init_mm.start_code <= address && address < init_mm.end_code)
6942 ++#endif
6943 ++ if (tsk->signal->curr_ip)
6944 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
6945 ++ NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
6946 ++ else
6947 ++ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
6948 ++ tsk->comm, tsk->pid, tsk->uid, tsk->euid);
6949 ++#endif
6950 ++
6951 + else
6952 + printk(KERN_ALERT "BUG: unable to handle kernel paging"
6953 + " request");
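Review bot: the added `else if (...)` with a nested `if`/`else` under `#ifdef CONFIG_PAX_KERNEXEC`, followed after `#endif` and a blank line by the original `else printk(KERN_ALERT "BUG: unable to handle kernel paging" ...)`, parses correctly but only because the inner `if` already owns an `else`; please wrap the nested `if`/`else` in braces so the chain survives the next edit and does not trip `-Wparentheses`. Also, the two new PaX lines use `KERN_ERR` while the surrounding branches of the same diagnostic use `KERN_ALERT`; pick one level, and keep the messages without a trailing newline only because, as with the existing branches, the " at virtual address" continuation is printed afterwards.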
6954 +@@ -570,7 +760,7 @@ no_context:
6955 + * it's allocated already.
6956 + */
6957 + if ((page >> PAGE_SHIFT) < max_low_pfn
6958 +- && (page & _PAGE_PRESENT)) {
6959 ++ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) {
6960 + page &= PAGE_MASK;
6961 + page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
6962 + & (PTRS_PER_PTE - 1)];
6963 +@@ -655,3 +845,92 @@ void vmalloc_sync_all(void)
6964 + start = address + PGDIR_SIZE;
6965 + }
6966 + }
6967 ++
6968 ++#ifdef CONFIG_PAX_EMUTRAMP
6969 ++/*
6970 ++ * PaX: decide what to do with offenders (regs->eip = fault address)
6971 ++ *
6972 ++ * returns 1 when task should be killed
6973 ++ * 2 when gcc trampoline was detected
6974 ++ */
6975 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
6976 ++{
6977 ++ int err;
6978 ++
6979 ++ if (regs->eflags & X86_EFLAGS_VM)
6980 ++ return 1;
6981 ++
6982 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
6983 ++ return 1;
6984 ++
6985 ++ do { /* PaX: gcc trampoline emulation #1 */
6986 ++ unsigned char mov1, mov2;
6987 ++ unsigned short jmp;
6988 ++ unsigned long addr1, addr2;
6989 ++
6990 ++ err = get_user(mov1, (unsigned char __user *)regs->eip);
6991 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
6992 ++ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
6993 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
6994 ++ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
6995 ++
6996 ++ if (err)
6997 ++ break;
6998 ++
6999 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
7000 ++ regs->ecx = addr1;
7001 ++ regs->eax = addr2;
7002 ++ regs->eip = addr2;
7003 ++ return 2;
7004 ++ }
7005 ++ } while (0);
7006 ++
7007 ++ do { /* PaX: gcc trampoline emulation #2 */
7008 ++ unsigned char mov, jmp;
7009 ++ unsigned long addr1, addr2;
7010 ++
7011 ++ err = get_user(mov, (unsigned char __user *)regs->eip);
7012 ++ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
7013 ++ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
7014 ++ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
7015 ++
7016 ++ if (err)
7017 ++ break;
7018 ++
7019 ++ if (mov == 0xB9 && jmp == 0xE9) {
7020 ++ regs->ecx = addr1;
7021 ++ regs->eip += addr2 + 10;
7022 ++ return 2;
7023 ++ }
7024 ++ } while (0);
7025 ++
7026 ++ return 1; /* PaX in action */
7027 ++}
7028 ++#endif
7029 ++
7030 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7031 ++void pax_report_insns(void *pc, void *sp)
7032 ++{
7033 ++ long i;
7034 ++
7035 ++ printk(KERN_ERR "PAX: bytes at PC: ");
7036 ++ for (i = 0; i < 20; i++) {
7037 ++ unsigned char c;
7038 ++ if (get_user(c, (unsigned char __user *)pc+i))
7039 ++ printk("?? ");
7040 ++ else
7041 ++ printk("%02x ", c);
7042 ++ }
7043 ++ printk("\n");
7044 ++
7045 ++ printk(KERN_ERR "PAX: bytes at SP-4: ");
7046 ++ for (i = -1; i < 20; i++) {
7047 ++ unsigned long c;
7048 ++ if (get_user(c, (unsigned long __user *)sp+i))
7049 ++ printk("???????? ");
7050 ++ else
7051 ++ printk("%08lx ", c);
7052 ++ }
7053 ++ printk("\n");
7054 ++}
7055 ++#endif
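Review bot: the opcode constants in `pax_handle_fetch_fault()` (`0xB9`, `0xB8`, `0xE0FF`, `0xE9`) are undocumented; a comment naming the matched sequences (emulation #1: `mov $imm32,%ecx; mov $imm32,%eax; jmp *%eax`, emulation #2: `mov $imm32,%ecx; jmp rel32`) and noting that `0xE0FF` is the little-endian read of the `FF E0` pair would make the `regs->eip += addr2 + 10;` arithmetic (target is relative to the end of the 10-byte sequence) checkable at a glance. In `pax_report_insns()`, the `SP-4` label matches the `i = -1` start only because `sp` is cast to `unsigned long __user *` before the `+i`; that is fine, but worth a comment too.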
7056 +diff -Nurp linux-2.6.23.15/arch/i386/mm/hugetlbpage.c linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c
7057 +--- linux-2.6.23.15/arch/i386/mm/hugetlbpage.c 2007-10-09 21:31:38.000000000 +0100
7058 ++++ linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c 2008-02-11 10:37:44.000000000 +0000
7059 +@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
7060 + {
7061 + struct mm_struct *mm = current->mm;
7062 + struct vm_area_struct *vma;
7063 +- unsigned long start_addr;
7064 ++ unsigned long start_addr, task_size = TASK_SIZE;
7065 ++
7066 ++#ifdef CONFIG_PAX_SEGMEXEC
7067 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7068 ++ task_size = SEGMEXEC_TASK_SIZE;
7069 ++#endif
7070 +
7071 + if (len > mm->cached_hole_size) {
7072 +- start_addr = mm->free_area_cache;
7073 ++ start_addr = mm->free_area_cache;
7074 + } else {
7075 +- start_addr = TASK_UNMAPPED_BASE;
7076 +- mm->cached_hole_size = 0;
7077 ++ start_addr = mm->mmap_base;
7078 ++ mm->cached_hole_size = 0;
7079 + }
7080 +
7081 + full_search:
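Review bot: the `-`/`+` pairs for `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are whitespace-only as rendered and should be dropped from the hunk; the real changes are the `task_size` local (set to `SEGMEXEC_TASK_SIZE` under `CONFIG_PAX_SEGMEXEC`) and the switch from `TASK_UNMAPPED_BASE` to `mm->mmap_base`, and both are easier to review without the noise.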
7082 +@@ -243,13 +248,13 @@ full_search:
7083 +
7084 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
7085 + /* At this point: (!vma || addr < vma->vm_end). */
7086 +- if (TASK_SIZE - len < addr) {
7087 ++ if (task_size - len < addr) {
7088 + /*
7089 + * Start a new search - just in case we missed
7090 + * some holes.
7091 + */
7092 +- if (start_addr != TASK_UNMAPPED_BASE) {
7093 +- start_addr = TASK_UNMAPPED_BASE;
7094 ++ if (start_addr != mm->mmap_base) {
7095 ++ start_addr = mm->mmap_base;
7096 + mm->cached_hole_size = 0;
7097 + goto full_search;
7098 + }
7099 +@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
7100 + {
7101 + struct mm_struct *mm = current->mm;
7102 + struct vm_area_struct *vma, *prev_vma;
7103 +- unsigned long base = mm->mmap_base, addr = addr0;
7104 ++ unsigned long base = mm->mmap_base, addr;
7105 + unsigned long largest_hole = mm->cached_hole_size;
7106 +- int first_time = 1;
7107 +
7108 + /* don't allow allocations above current base */
7109 + if (mm->free_area_cache > base)
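Review bot: `addr` loses its `= addr0` initializer here and `first_time` is removed, which together with the `try_again` label removal in the following hunks means a failed search from `free_area_cache` no longer retries once from the base before falling back to the bottom-up allocator; that is a behaviour change and the commit message should say why it is wanted. Please also confirm `addr` is assigned on every path before it is read; the `fail:` path visibly assigns it from `hugetlb_get_unmapped_area_bottomup()`, the success path needs the same check.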
7110 +@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
7111 + largest_hole = 0;
7112 + mm->free_area_cache = base;
7113 + }
7114 +-try_again:
7115 ++
7116 + /* make sure it can fit in the remaining address space */
7117 + if (mm->free_area_cache < len)
7118 + goto fail;
7119 +@@ -325,22 +329,26 @@ try_again:
7120 +
7121 + fail:
7122 + /*
7123 +- * if hint left us with no space for the requested
7124 +- * mapping then try again:
7125 +- */
7126 +- if (first_time) {
7127 +- mm->free_area_cache = base;
7128 +- largest_hole = 0;
7129 +- first_time = 0;
7130 +- goto try_again;
7131 +- }
7132 +- /*
7133 + * A failed mmap() very likely causes application failure,
7134 + * so fall back to the bottom-up function here. This scenario
7135 + * can happen with large stack limits and large mmap()
7136 + * allocations.
7137 + */
7138 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
7139 ++
7140 ++#ifdef CONFIG_PAX_SEGMEXEC
7141 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7142 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7143 ++ else
7144 ++#endif
7145 ++
7146 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
7147 ++
7148 ++#ifdef CONFIG_PAX_RANDMMAP
7149 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7150 ++ mm->mmap_base += mm->delta_mmap;
7151 ++#endif
7152 ++
7153 ++ mm->free_area_cache = mm->mmap_base;
7154 + mm->cached_hole_size = ~0UL;
7155 + addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
7156 + len, pgoff, flags);
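Review bot: the `else` under `#ifdef CONFIG_PAX_SEGMEXEC` is followed by `#endif`, a blank line and then `mm->mmap_base = TASK_UNMAPPED_BASE;`, so the `else` binds across a preprocessor boundary to a statement that is also the unconditional path when SEGMEXEC is off; that is easy to break later. Suggest computing the base into a local (`base = SEGMEXEC_TASK_UNMAPPED_BASE` or `TASK_UNMAPPED_BASE`, then the RANDMMAP delta) and assigning `mm->mmap_base` once. Note for other reviewers that `mm->mmap_base` is now modified in the fallback path and restored in the next hunk (`mm->mmap_base = base;`), so the topdown base survives a fallback.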
7157 +@@ -348,6 +356,7 @@ fail:
7158 + /*
7159 + * Restore the topdown base:
7160 + */
7161 ++ mm->mmap_base = base;
7162 + mm->free_area_cache = base;
7163 + mm->cached_hole_size = ~0UL;
7164 +
7165 +@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
7166 + {
7167 + struct mm_struct *mm = current->mm;
7168 + struct vm_area_struct *vma;
7169 ++ unsigned long task_size = TASK_SIZE;
7170 +
7171 + if (len & ~HPAGE_MASK)
7172 + return -EINVAL;
7173 +- if (len > TASK_SIZE)
7174 ++
7175 ++#ifdef CONFIG_PAX_SEGMEXEC
7176 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7177 ++ task_size = SEGMEXEC_TASK_SIZE;
7178 ++#endif
7179 ++
7180 ++ if (len > task_size)
7181 + return -ENOMEM;
7182 +
7183 + if (flags & MAP_FIXED) {
7184 +@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
7185 + if (addr) {
7186 + addr = ALIGN(addr, HPAGE_SIZE);
7187 + vma = find_vma(mm, addr);
7188 +- if (TASK_SIZE - len >= addr &&
7189 ++ if (task_size - len >= addr &&
7190 + (!vma || addr + len <= vma->vm_start))
7191 + return addr;
7192 + }
7193 +diff -Nurp linux-2.6.23.15/arch/i386/mm/init.c linux-2.6.23.15-grsec/arch/i386/mm/init.c
7194 +--- linux-2.6.23.15/arch/i386/mm/init.c 2007-10-09 21:31:38.000000000 +0100
7195 ++++ linux-2.6.23.15-grsec/arch/i386/mm/init.c 2008-02-11 10:37:44.000000000 +0000
7196 +@@ -44,6 +44,7 @@
7197 + #include <asm/tlbflush.h>
7198 + #include <asm/sections.h>
7199 + #include <asm/paravirt.h>
7200 ++#include <asm/desc.h>
7201 +
7202 + unsigned int __VMALLOC_RESERVE = 128 << 20;
7203 +
7204 +@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
7205 + static int noinline do_test_wp_bit(void);
7206 +
7207 + /*
7208 +- * Creates a middle page table and puts a pointer to it in the
7209 +- * given global directory entry. This only returns the gd entry
7210 +- * in non-PAE compilation mode, since the middle layer is folded.
7211 +- */
7212 +-static pmd_t * __init one_md_table_init(pgd_t *pgd)
7213 +-{
7214 +- pud_t *pud;
7215 +- pmd_t *pmd_table;
7216 +-
7217 +-#ifdef CONFIG_X86_PAE
7218 +- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
7219 +- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
7220 +-
7221 +- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
7222 +- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
7223 +- pud = pud_offset(pgd, 0);
7224 +- if (pmd_table != pmd_offset(pud, 0))
7225 +- BUG();
7226 +- }
7227 +-#endif
7228 +- pud = pud_offset(pgd, 0);
7229 +- pmd_table = pmd_offset(pud, 0);
7230 +- return pmd_table;
7231 +-}
7232 +-
7233 +-/*
7234 + * Create a page table and place a pointer to it in a middle page
7235 + * directory entry.
7236 + */
7237 +@@ -88,7 +63,11 @@ static pte_t * __init one_page_table_ini
7238 + pte_t *page_table = (pte_t *) alloc_bootmem_low_pages(PAGE_SIZE);
7239 +
7240 + paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
7241 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7242 ++ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
7243 ++#else
7244 + set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
7245 ++#endif
7246 + BUG_ON(page_table != pte_offset_kernel(pmd, 0));
7247 + }
7248 +
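Review bot: the switch from `_PAGE_TABLE` to `_KERNPG_TABLE` for the pmd entries under `CONFIG_PAX_PAGEEXEC`/`CONFIG_PAX_SEGMEXEC` removes `_PAGE_USER` from the page-directory level, so user-mode access is refused at the pmd regardless of the PTE's own user bit; that is the point of the change and deserves a one-line comment on the `#if`, since a reader who does not know the PaX design will take it for a typo.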
7249 +@@ -109,6 +88,7 @@ static pte_t * __init one_page_table_ini
7250 + static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
7251 + {
7252 + pgd_t *pgd;
7253 ++ pud_t *pud;
7254 + pmd_t *pmd;
7255 + int pgd_idx, pmd_idx;
7256 + unsigned long vaddr;
7257 +@@ -119,8 +99,13 @@ static void __init page_table_range_init
7258 + pgd = pgd_base + pgd_idx;
7259 +
7260 + for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
7261 +- pmd = one_md_table_init(pgd);
7262 +- pmd = pmd + pmd_index(vaddr);
7263 ++ pud = pud_offset(pgd, vaddr);
7264 ++ pmd = pmd_offset(pud, vaddr);
7265 ++
7266 ++#ifdef CONFIG_X86_PAE
7267 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
7268 ++#endif
7269 ++
7270 + for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
7271 + one_page_table_init(pmd);
7272 +
7273 +@@ -130,11 +115,23 @@ static void __init page_table_range_init
7274 + }
7275 + }
7276 +
7277 +-static inline int is_kernel_text(unsigned long addr)
7278 ++static inline int is_kernel_text(unsigned long start, unsigned long end)
7279 + {
7280 +- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
7281 +- return 1;
7282 +- return 0;
7283 ++ unsigned long etext;
7284 ++
7285 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
7286 ++ etext = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
7287 ++#else
7288 ++ etext = (unsigned long)&_etext;
7289 ++#endif
7290 ++
7291 ++ if ((start > etext + __KERNEL_TEXT_OFFSET ||
7292 ++ end <= (unsigned long)_stext + __KERNEL_TEXT_OFFSET) &&
7293 ++ (start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET ||
7294 ++ end <= (unsigned long)_sinittext + __KERNEL_TEXT_OFFSET) &&
7295 ++ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
7296 ++ return 0;
7297 ++ return 1;
7298 + }
7299 +
7300 + /*
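Review bot: is_kernel_text now also returns 1 for the range __va(0xc0000) to __va(0xfffff), which is the ISA/BIOS ROM window rather than kernel text; a comment stating why that region must stay executable (the PCI BIOS far calls in pcbios.c below run code located under 0xFFFF0 through the direct mapping) would make the function's new contract clear, or rename it. Minor: the text and init-text tests use start > etext + __KERNEL_TEXT_OFFSET, whereas the exclusive-end form used for the ROM window (start > __va(0xfffff), i.e. start >= 0x100000) would be start >= etext + __KERNEL_TEXT_OFFSET; as written a range beginning exactly at etext is still treated as text, which is conservative but inconsistent.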
7301 +@@ -146,25 +143,29 @@ static void __init kernel_physical_mappi
7302 + {
7303 + unsigned long pfn;
7304 + pgd_t *pgd;
7305 ++ pud_t *pud;
7306 + pmd_t *pmd;
7307 + pte_t *pte;
7308 +- int pgd_idx, pmd_idx, pte_ofs;
7309 ++ unsigned int pgd_idx, pmd_idx, pte_ofs;
7310 +
7311 + pgd_idx = pgd_index(PAGE_OFFSET);
7312 + pgd = pgd_base + pgd_idx;
7313 + pfn = 0;
7314 +
7315 +- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
7316 +- pmd = one_md_table_init(pgd);
7317 +- if (pfn >= max_low_pfn)
7318 +- continue;
7319 ++ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
7320 ++ pud = pud_offset(pgd, 0);
7321 ++ pmd = pmd_offset(pud, 0);
7322 ++
7323 ++#ifdef CONFIG_X86_PAE
7324 ++ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
7325 ++#endif
7326 ++
7327 + for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
7328 +- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
7329 ++ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
7330 +
7331 + /* Map with big pages if possible, otherwise create normal page tables. */
7332 +- if (cpu_has_pse) {
7333 +- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
7334 +- if (is_kernel_text(address) || is_kernel_text(address2))
7335 ++ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
7336 ++ if (is_kernel_text(address, address + PMD_SIZE))
7337 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
7338 + else
7339 + set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
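Review bot: the large-page path now requires address >= __va(0x100000), so the first 1 MB is always mapped with 4K ptes; please add a comment that this is what lets is_kernel_text apply page-granular execute permission to the 0xc0000-0xfffff window, since the threshold otherwise looks arbitrary. The switch from testing the two endpoints to is_kernel_text(address, address + PMD_SIZE) is a real fix: a text region lying strictly inside a large page was missed by the old endpoint test.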
7340 +@@ -176,7 +177,7 @@ static void __init kernel_physical_mappi
7341 + for (pte_ofs = 0;
7342 + pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
7343 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
7344 +- if (is_kernel_text(address))
7345 ++ if (is_kernel_text(address, address + PAGE_SIZE))
7346 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
7347 + else
7348 + set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
7349 +@@ -326,9 +327,9 @@ static void __init set_highmem_pages_ini
7350 + #define set_highmem_pages_init(bad_ppro) do { } while (0)
7351 + #endif /* CONFIG_HIGHMEM */
7352 +
7353 +-unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
7354 ++unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
7355 + EXPORT_SYMBOL(__PAGE_KERNEL);
7356 +-unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
7357 ++unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
7358 +
7359 + #ifdef CONFIG_NUMA
7360 + extern void __init remap_numa_kva(void);
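Review bot: __PAGE_KERNEL and __PAGE_KERNEL_EXEC become __read_only here, as does __supported_pte_mask in a later hunk, yet set_nx below still writes __supported_pte_mask at init time. That is only safe if the read-only section is sealed after set_nx (and any other writer of these variables) has run; a comment on the declaration stating when the section becomes read-only would make that ordering constraint explicit.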
7361 +@@ -339,26 +340,10 @@ extern void __init remap_numa_kva(void);
7362 + void __init native_pagetable_setup_start(pgd_t *base)
7363 + {
7364 + #ifdef CONFIG_X86_PAE
7365 +- int i;
7366 ++ unsigned int i;
7367 +
7368 +- /*
7369 +- * Init entries of the first-level page table to the
7370 +- * zero page, if they haven't already been set up.
7371 +- *
7372 +- * In a normal native boot, we'll be running on a
7373 +- * pagetable rooted in swapper_pg_dir, but not in PAE
7374 +- * mode, so this will end up clobbering the mappings
7375 +- * for the lower 24Mbytes of the address space,
7376 +- * without affecting the kernel address space.
7377 +- */
7378 +- for (i = 0; i < USER_PTRS_PER_PGD; i++)
7379 +- set_pgd(&base[i],
7380 +- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
7381 +-
7382 +- /* Make sure kernel address space is empty so that a pagetable
7383 +- will be allocated for it. */
7384 +- memset(&base[USER_PTRS_PER_PGD], 0,
7385 +- KERNEL_PGD_PTRS * sizeof(pgd_t));
7386 ++ for (i = 0; i < PTRS_PER_PGD; i++)
7387 ++ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
7388 + #else
7389 + paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
7390 + #endif
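Review bot: in the CONFIG_X86_PAE branch the base parameter is no longer used; the loop registers swapper_pm_dir entries directly, so a caller passing a pgd other than swapper_pg_dir would silently be ignored. Either drop the parameter from the PAE path with a comment, or iterate over the pmd pages reachable from base. The removed comment also explained why user entries pointed at empty_zero_page; a short replacement saying that swapper_pm_dir is now statically populated would preserve that history.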
7391 +@@ -366,16 +351,6 @@ void __init native_pagetable_setup_start
7392 +
7393 + void __init native_pagetable_setup_done(pgd_t *base)
7394 + {
7395 +-#ifdef CONFIG_X86_PAE
7396 +- /*
7397 +- * Add low memory identity-mappings - SMP needs it when
7398 +- * starting up on an AP from real-mode. In the non-PAE
7399 +- * case we already have these mappings through head.S.
7400 +- * All user-space mappings are explicitly cleared after
7401 +- * SMP startup.
7402 +- */
7403 +- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
7404 +-#endif
7405 + }
7406 +
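Review bot: the removed block provided the low-memory identity mapping that the deleted comment says SMP needs when an AP starts in real mode. If that mapping is now established elsewhere (early boot code or the static swapper_pm_dir), please say so in the now-empty function body; otherwise AP bring-up on PAE SMP systems would regress.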
7407 + /*
7408 +@@ -437,12 +412,12 @@ static void __init pagetable_init (void)
7409 + * Swap suspend & friends need this for resume because things like the intel-agp
7410 + * driver might have split up a kernel 4MB mapping.
7411 + */
7412 +-char __nosavedata swsusp_pg_dir[PAGE_SIZE]
7413 ++pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
7414 + __attribute__ ((aligned (PAGE_SIZE)));
7415 +
7416 + static inline void save_pg_dir(void)
7417 + {
7418 +- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
7419 ++ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
7420 + }
7421 + #else
7422 + static inline void save_pg_dir(void)
7423 +@@ -471,12 +446,11 @@ void zap_low_mappings (void)
7424 + flush_tlb_all();
7425 + }
7426 +
7427 +-int nx_enabled = 0;
7428 ++int nx_enabled;
7429 +
7430 + #ifdef CONFIG_X86_PAE
7431 +
7432 +-static int disable_nx __initdata = 0;
7433 +-u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
7434 ++u64 __supported_pte_mask __read_only = ~_PAGE_NX;
7435 + EXPORT_SYMBOL_GPL(__supported_pte_mask);
7436 +
7437 + /*
7438 +@@ -487,36 +461,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
7439 + * on Enable
7440 + * off Disable
7441 + */
7442 ++#if !defined(CONFIG_PAX_PAGEEXEC)
7443 + static int __init noexec_setup(char *str)
7444 + {
7445 + if (!str || !strcmp(str, "on")) {
7446 +- if (cpu_has_nx) {
7447 +- __supported_pte_mask |= _PAGE_NX;
7448 +- disable_nx = 0;
7449 +- }
7450 ++ if (cpu_has_nx)
7451 ++ nx_enabled = 1;
7452 + } else if (!strcmp(str,"off")) {
7453 +- disable_nx = 1;
7454 +- __supported_pte_mask &= ~_PAGE_NX;
7455 ++ nx_enabled = 0;
7456 + } else
7457 + return -EINVAL;
7458 +
7459 + return 0;
7460 + }
7461 + early_param("noexec", noexec_setup);
7462 ++#endif
7463 +
7464 + static void __init set_nx(void)
7465 + {
7466 +- unsigned int v[4], l, h;
7467 ++ if (!nx_enabled && cpu_has_nx) {
7468 ++ unsigned l, h;
7469 +
7470 +- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
7471 +- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
7472 +- if ((v[3] & (1 << 20)) && !disable_nx) {
7473 +- rdmsr(MSR_EFER, l, h);
7474 +- l |= EFER_NX;
7475 +- wrmsr(MSR_EFER, l, h);
7476 +- nx_enabled = 1;
7477 +- __supported_pte_mask |= _PAGE_NX;
7478 +- }
7479 ++ __supported_pte_mask &= ~_PAGE_NX;
7480 ++ rdmsr(MSR_EFER, l, h);
7481 ++ l &= ~EFER_NX;
7482 ++ wrmsr(MSR_EFER, l, h);
7483 + }
7484 + }
7485 +
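Review bot: in the visible hunks nothing ever enables NX: noexec_setup only stores nx_enabled, __supported_pte_mask keeps its initial ~_PAGE_NX, and set_nx can only clear _PAGE_NX and EFER_NX. Since nx_enabled is zero-initialised, a NX-capable CPU would have NX switched off by set_nx unless earlier boot code sets nx_enabled = 1 and EFER.NX first. If that is the design (early boot enables NX, set_nx only honours noexec=off), a comment above set_nx saying so is needed, because the inverted logic reads like a bug. Also, under CONFIG_PAX_PAGEEXEC the noexec= parameter is dropped silently; printing a notice that it is ignored would help users diagnose why noexec=off has no effect.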
7486 +@@ -569,14 +538,6 @@ void __init paging_init(void)
7487 +
7488 + load_cr3(swapper_pg_dir);
7489 +
7490 +-#ifdef CONFIG_X86_PAE
7491 +- /*
7492 +- * We will bail out later - printk doesn't work right now so
7493 +- * the user would just see a hanging kernel.
7494 +- */
7495 +- if (cpu_has_pae)
7496 +- set_in_cr4(X86_CR4_PAE);
7497 +-#endif
7498 + __flush_tlb_all();
7499 +
7500 + kmap_init();
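Review bot: removing set_in_cr4(X86_CR4_PAE) before load_cr3 means CR4.PAE must already be set when paging_init runs, since swapper_pg_dir is in PAE format; together with the removal of the cpu_has_pae panic in mem_init below, the check that a PAE kernel is running on a PAE-capable CPU has moved out of this file. A comment naming where PAE is now enabled and verified would keep that dependency visible.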
7501 +@@ -647,7 +608,7 @@ void __init mem_init(void)
7502 + set_highmem_pages_init(bad_ppro);
7503 +
7504 + codesize = (unsigned long) &_etext - (unsigned long) &_text;
7505 +- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
7506 ++ datasize = (unsigned long) &_edata - (unsigned long) &_data;
7507 + initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
7508 +
7509 + kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
7510 +@@ -692,10 +653,10 @@ void __init mem_init(void)
7511 + (unsigned long)&__init_begin, (unsigned long)&__init_end,
7512 + ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
7513 +
7514 +- (unsigned long)&_etext, (unsigned long)&_edata,
7515 +- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
7516 ++ (unsigned long)&_data, (unsigned long)&_edata,
7517 ++ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
7518 +
7519 +- (unsigned long)&_text, (unsigned long)&_etext,
7520 ++ (unsigned long)&_text + __KERNEL_TEXT_OFFSET, (unsigned long)&_etext + __KERNEL_TEXT_OFFSET,
7521 + ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
7522 +
7523 + #ifdef CONFIG_HIGHMEM
7524 +@@ -706,10 +667,6 @@ void __init mem_init(void)
7525 + BUG_ON((unsigned long)high_memory > VMALLOC_START);
7526 + #endif /* double-sanity-check paranoia */
7527 +
7528 +-#ifdef CONFIG_X86_PAE
7529 +- if (!cpu_has_pae)
7530 +- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
7531 +-#endif
7532 + if (boot_cpu_data.wp_works_ok < 0)
7533 + test_wp_bit();
7534 +
7535 +@@ -844,6 +801,38 @@ void free_init_pages(char *what, unsigne
7536 +
7537 + void free_initmem(void)
7538 + {
7539 ++
7540 ++#ifdef CONFIG_PAX_KERNEXEC
7541 ++ /* PaX: limit KERNEL_CS to actual size */
7542 ++ unsigned long addr, limit;
7543 ++ __u32 a, b;
7544 ++ int cpu;
7545 ++ pgd_t *pgd;
7546 ++ pud_t *pud;
7547 ++ pmd_t *pmd;
7548 ++
7549 ++#ifdef CONFIG_MODULES
7550 ++ limit = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
7551 ++#else
7552 ++ limit = (unsigned long)&_etext;
7553 ++#endif
7554 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
7555 ++
7556 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
7557 ++ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
7558 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
7559 ++ }
7560 ++
7561 ++ /* PaX: make KERNEL_CS read-only */
7562 ++ for (addr = __KERNEL_TEXT_OFFSET; addr < (unsigned long)&_data; addr += PMD_SIZE) {
7563 ++ pgd = pgd_offset_k(addr);
7564 ++ pud = pud_offset(pgd, addr);
7565 ++ pmd = pmd_offset(pud, addr);
7566 ++ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
7567 ++ }
7568 ++ flush_tlb_all();
7569 ++#endif
7570 ++
7571 + free_init_pages("unused kernel memory",
7572 + (unsigned long)(&__init_begin),
7573 + (unsigned long)(&__init_end));
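Review bot: the KERNEXEC block clears _PAGE_RW on each pmd from __KERNEL_TEXT_OFFSET up to &_data in PMD_SIZE steps. That is only correct if every pmd in that range is a large-page mapping and &_data is PMD_SIZE-aligned: clearing RW on a pmd that points to a page table makes the whole 2 MB/4 MB range read-only, and a pmd straddling the text/data boundary would make the first data pages read-only as well. Please either assert the alignment, e.g. BUG_ON((unsigned long)&_data & (PMD_SIZE - 1)), or handle a final unaligned pmd at pte granularity. Two smaller points: the GDT loop uses NR_CPUS rather than the set of possible CPUs, and the tightened KERNEL_CS limit only takes effect on a CPU once it next reloads CS, so it is not immediate on the CPUs not executing this code.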
7574 +diff -Nurp linux-2.6.23.15/arch/i386/mm/mmap.c linux-2.6.23.15-grsec/arch/i386/mm/mmap.c
7575 +--- linux-2.6.23.15/arch/i386/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
7576 ++++ linux-2.6.23.15-grsec/arch/i386/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
7577 +@@ -35,12 +35,18 @@
7578 + * Leave an at least ~128 MB hole.
7579 + */
7580 + #define MIN_GAP (128*1024*1024)
7581 +-#define MAX_GAP (TASK_SIZE/6*5)
7582 ++#define MAX_GAP (task_size/6*5)
7583 +
7584 + static inline unsigned long mmap_base(struct mm_struct *mm)
7585 + {
7586 + unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
7587 + unsigned long random_factor = 0;
7588 ++ unsigned long task_size = TASK_SIZE;
7589 ++
7590 ++#ifdef CONFIG_PAX_SEGMEXEC
7591 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7592 ++ task_size = SEGMEXEC_TASK_SIZE;
7593 ++#endif
7594 +
7595 + if (current->flags & PF_RANDOMIZE)
7596 + random_factor = get_random_int() % (1024*1024);
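Review bot: MAX_GAP now expands to task_size/6*5, which names a local variable of mmap_base, so the macro silently depends on being used only inside that function. Making the dependency explicit (a macro parameter, MAX_GAP(task_size), or computing the value into a local next to MIN_GAP) avoids a confusing compile error if the macro is ever reused.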
7597 +@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
7598 + else if (gap > MAX_GAP)
7599 + gap = MAX_GAP;
7600 +
7601 +- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
7602 ++ return PAGE_ALIGN(task_size - gap - random_factor);
7603 + }
7604 +
7605 + /*
7606 +@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
7607 + if (sysctl_legacy_va_layout ||
7608 + (current->personality & ADDR_COMPAT_LAYOUT) ||
7609 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
7610 ++
7611 ++#ifdef CONFIG_PAX_SEGMEXEC
7612 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC)
7613 ++ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
7614 ++ else
7615 ++#endif
7616 ++
7617 + mm->mmap_base = TASK_UNMAPPED_BASE;
7618 ++
7619 ++#ifdef CONFIG_PAX_RANDMMAP
7620 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7621 ++ mm->mmap_base += mm->delta_mmap;
7622 ++#endif
7623 ++
7624 + mm->get_unmapped_area = arch_get_unmapped_area;
7625 + mm->unmap_area = arch_unmap_area;
7626 + } else {
7627 + mm->mmap_base = mmap_base(mm);
7628 ++
7629 ++#ifdef CONFIG_PAX_RANDMMAP
7630 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
7631 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7632 ++#endif
7633 ++
7634 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7635 + mm->unmap_area = arch_unmap_area_topdown;
7636 + }
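Review bot: the legacy-layout branch pairs an #ifdef'd if/else with an unconditional assignment (else, then #endif, then mm->mmap_base = TASK_UNMAPPED_BASE;), which is correct but easy to misread; braces around the whole conditional, or computing the base into a local first, would be clearer. More substantively, neither branch bounds the randomisation: mm->mmap_base += mm->delta_mmap in the legacy layout and mm->mmap_base -= mm->delta_mmap + mm->delta_stack in the top-down layout are applied without checking that the result stays inside the task's address range (task_size under SEGMEXEC) and above TASK_UNMAPPED_BASE, so the constraints on delta_mmap and delta_stack where they are chosen should be stated here.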
7637 +diff -Nurp linux-2.6.23.15/arch/i386/mm/pageattr.c linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c
7638 +--- linux-2.6.23.15/arch/i386/mm/pageattr.c 2007-10-09 21:31:38.000000000 +0100
7639 ++++ linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c 2008-02-11 10:37:44.000000000 +0000
7640 +@@ -13,6 +13,7 @@
7641 + #include <asm/tlbflush.h>
7642 + #include <asm/pgalloc.h>
7643 + #include <asm/sections.h>
7644 ++#include <asm/desc.h>
7645 +
7646 + static DEFINE_SPINLOCK(cpa_lock);
7647 + static struct list_head df_list = LIST_HEAD_INIT(df_list);
7648 +@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
7649 + }
7650 +
7651 + static struct page *split_large_page(unsigned long address, pgprot_t prot,
7652 +- pgprot_t ref_prot)
7653 ++ pgprot_t ref_prot, unsigned long flags)
7654 + {
7655 + int i;
7656 + unsigned long addr;
7657 + struct page *base;
7658 + pte_t *pbase;
7659 +
7660 +- spin_unlock_irq(&cpa_lock);
7661 ++ spin_unlock_irqrestore(&cpa_lock, flags);
7662 + base = alloc_pages(GFP_KERNEL, 0);
7663 +- spin_lock_irq(&cpa_lock);
7664 ++ spin_lock_irqsave(&cpa_lock, flags);
7665 + if (!base)
7666 + return NULL;
7667 +
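Review bot: passing flags by value and then calling spin_lock_irqsave(&cpa_lock, flags) overwrites the callee's copy, which is never used again; the caller still restores its own saved value. The behaviour is fine, since the caller's original IRQ state is what ends up restored, but the parameter name suggests the value is propagated back. Using a separate local for the re-lock, or a short comment, would stop someone "fixing" it into a pointer later.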
7668 +@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
7669 + struct page *page;
7670 + unsigned long flags;
7671 +
7672 ++#ifdef CONFIG_PAX_KERNEXEC
7673 ++ unsigned long cr0;
7674 ++
7675 ++ pax_open_kernel(cr0);
7676 ++#endif
7677 ++
7678 + set_pte_atomic(kpte, pte); /* change init_mm */
7679 ++
7680 ++#ifdef CONFIG_PAX_KERNEXEC
7681 ++ pax_close_kernel(cr0);
7682 ++#endif
7683 ++
7684 + if (SHARED_KERNEL_PMD)
7685 + return;
7686 +
7687 +@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
7688 + pte_t *linear;
7689 +
7690 + ref_prot =
7691 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
7692 ++ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
7693 + ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
7694 +
7695 + linear = (pte_t *)
7696 +@@ -143,7 +155,7 @@ static inline void save_page(struct page
7697 + }
7698 +
7699 + static int
7700 +-__change_page_attr(struct page *page, pgprot_t prot)
7701 ++__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
7702 + {
7703 + pte_t *kpte;
7704 + unsigned long address;
7705 +@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
7706 + struct page *split;
7707 +
7708 + ref_prot =
7709 +- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
7710 ++ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
7711 + ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
7712 +- split = split_large_page(address, prot, ref_prot);
7713 ++ split = split_large_page(address, prot, ref_prot, flags);
7714 + if (!split)
7715 + return -ENOMEM;
7716 +- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
7717 +- kpte_page = split;
7718 ++ if (pte_huge(*kpte)) {
7719 ++ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
7720 ++ kpte_page = split;
7721 ++ } else {
7722 ++ __free_pages(split, 0);
7723 ++ kpte = lookup_address(address);
7724 ++ kpte_page = virt_to_page(kpte);
7725 ++ set_pte_atomic(kpte, mk_pte(page, prot));
7726 ++ }
7727 + }
7728 + page_private(kpte_page)++;
7729 + } else if (!pte_huge(*kpte)) {
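Review bot: the new pte_huge(*kpte) re-check handles the case where another CPU split the same large page while split_large_page dropped cpa_lock, and the fallback frees the duplicate split and re-looks up the pte. Please add a comment saying exactly that; without it the branch looks redundant. Also confirm that the page_private(kpte_page)++ that follows is correct in the fallback branch, where kpte_page is now the page-table page found by lookup_address rather than the freshly split page.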
7730 +@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
7731 +
7732 + spin_lock_irqsave(&cpa_lock, flags);
7733 + for (i = 0; i < numpages; i++, page++) {
7734 +- err = __change_page_attr(page, prot);
7735 ++ err = __change_page_attr(page, prot, flags);
7736 + if (err)
7737 + break;
7738 + }
7739 +diff -Nurp linux-2.6.23.15/arch/i386/oprofile/backtrace.c linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c
7740 +--- linux-2.6.23.15/arch/i386/oprofile/backtrace.c 2007-10-09 21:31:38.000000000 +0100
7741 ++++ linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c 2008-02-11 10:37:44.000000000 +0000
7742 +@@ -22,7 +22,7 @@ struct frame_head {
7743 + static struct frame_head *
7744 + dump_kernel_backtrace(struct frame_head * head)
7745 + {
7746 +- oprofile_add_trace(head->ret);
7747 ++ oprofile_add_trace(head->ret + __KERNEL_TEXT_OFFSET);
7748 +
7749 + /* frame pointers should strictly progress back up the stack
7750 + * (towards higher addresses) */
7751 +@@ -116,7 +116,7 @@ x86_backtrace(struct pt_regs * const reg
7752 + head = (struct frame_head *)regs->ebp;
7753 + #endif
7754 +
7755 +- if (!user_mode_vm(regs)) {
7756 ++ if (!user_mode(regs)) {
7757 + while (depth-- && valid_kernel_stack(head, regs))
7758 + head = dump_kernel_backtrace(head);
7759 + return;
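Review bot: user_mode_vm also treats VM86-mode register sets as user mode; with user_mode alone, a sample taken while a task is in vm86 mode would be walked as a kernel stack using the vm86 frame pointer in regs->ebp. If vm86 is unavailable in this configuration, a comment here saying so would justify the change; otherwise keep user_mode_vm.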
7760 +diff -Nurp linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c
7761 +--- linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c 2007-10-09 21:31:38.000000000 +0100
7762 ++++ linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c 2008-02-11 10:37:44.000000000 +0000
7763 +@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
7764 + #endif
7765 + }
7766 +
7767 +-static int inline addr_increment(void)
7768 ++static inline int addr_increment(void)
7769 + {
7770 + #ifdef CONFIG_SMP
7771 + return smp_num_siblings == 2 ? 2 : 1;
7772 +diff -Nurp linux-2.6.23.15/arch/i386/pci/common.c linux-2.6.23.15-grsec/arch/i386/pci/common.c
7773 +--- linux-2.6.23.15/arch/i386/pci/common.c 2007-10-09 21:31:38.000000000 +0100
7774 ++++ linux-2.6.23.15-grsec/arch/i386/pci/common.c 2008-02-11 10:37:44.000000000 +0000
7775 +@@ -287,7 +287,7 @@ static struct dmi_system_id __devinitdat
7776 + DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant BL685c G1"),
7777 + },
7778 + },
7779 +- {}
7780 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
7781 + };
7782 +
7783 + struct pci_bus * __devinit pcibios_scan_root(int busnum)
7784 +diff -Nurp linux-2.6.23.15/arch/i386/pci/early.c linux-2.6.23.15-grsec/arch/i386/pci/early.c
7785 +--- linux-2.6.23.15/arch/i386/pci/early.c 2007-10-09 21:31:38.000000000 +0100
7786 ++++ linux-2.6.23.15-grsec/arch/i386/pci/early.c 2008-02-11 10:37:44.000000000 +0000
7787 +@@ -7,7 +7,7 @@
7788 + /* Direct PCI access. This is used for PCI accesses in early boot before
7789 + the PCI subsystem works. */
7790 +
7791 +-#define PDprintk(x...)
7792 ++#define PDprintk(x...) do {} while (0)
7793 +
7794 + u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
7795 + {
7796 +diff -Nurp linux-2.6.23.15/arch/i386/pci/fixup.c linux-2.6.23.15-grsec/arch/i386/pci/fixup.c
7797 +--- linux-2.6.23.15/arch/i386/pci/fixup.c 2007-10-09 21:31:38.000000000 +0100
7798 ++++ linux-2.6.23.15-grsec/arch/i386/pci/fixup.c 2008-02-11 10:37:44.000000000 +0000
7799 +@@ -386,7 +386,7 @@ static struct dmi_system_id __devinitdat
7800 + DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
7801 + },
7802 + },
7803 +- { }
7804 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
7805 + };
7806 +
7807 + static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
7808 +diff -Nurp linux-2.6.23.15/arch/i386/pci/irq.c linux-2.6.23.15-grsec/arch/i386/pci/irq.c
7809 +--- linux-2.6.23.15/arch/i386/pci/irq.c 2007-10-09 21:31:38.000000000 +0100
7810 ++++ linux-2.6.23.15-grsec/arch/i386/pci/irq.c 2008-02-11 10:37:44.000000000 +0000
7811 +@@ -508,7 +508,7 @@ static __init int intel_router_probe(str
7812 + static struct pci_device_id __initdata pirq_440gx[] = {
7813 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
7814 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
7815 +- { },
7816 ++ { PCI_DEVICE(0, 0) }
7817 + };
7818 +
7819 + /* 440GX has a proprietary PIRQ router -- don't use it */
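Review bot: the new terminator { PCI_DEVICE(0, 0) } does not terminate the table in mainline: PCI_DEVICE sets subvendor and subdevice to PCI_ANY_ID, and the table walkers stop only at an entry whose vendor, subvendor and class_mask are all zero, so pci_dev_present(pirq_440gx) would read past the end of the array. Unless PCI_DEVICE is redefined in this tree, use an explicitly all-zero entry such as { 0, 0, 0, 0, 0, 0, 0 } if the intent was to avoid the empty-initialiser warning.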
7820 +@@ -1051,7 +1051,7 @@ static struct dmi_system_id __initdata p
7821 + DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
7822 + },
7823 + },
7824 +- { }
7825 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
7826 + };
7827 +
7828 + static int __init pcibios_irq_init(void)
7829 +diff -Nurp linux-2.6.23.15/arch/i386/pci/pcbios.c linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c
7830 +--- linux-2.6.23.15/arch/i386/pci/pcbios.c 2007-10-09 21:31:38.000000000 +0100
7831 ++++ linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c 2008-02-11 10:37:44.000000000 +0000
7832 +@@ -57,50 +57,124 @@ union bios32 {
7833 + static struct {
7834 + unsigned long address;
7835 + unsigned short segment;
7836 +-} bios32_indirect = { 0, __KERNEL_CS };
7837 ++} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
7838 +
7839 + /*
7840 + * Returns the entry point for the given service, NULL on error
7841 + */
7842 +
7843 +-static unsigned long bios32_service(unsigned long service)
7844 ++static unsigned long __devinit bios32_service(unsigned long service)
7845 + {
7846 + unsigned char return_code; /* %al */
7847 + unsigned long address; /* %ebx */
7848 + unsigned long length; /* %ecx */
7849 + unsigned long entry; /* %edx */
7850 + unsigned long flags;
7851 ++ struct desc_struct *gdt;
7852 ++
7853 ++#ifdef CONFIG_PAX_KERNEXEC
7854 ++ unsigned long cr0;
7855 ++#endif
7856 +
7857 + local_irq_save(flags);
7858 +- __asm__("lcall *(%%edi); cld"
7859 ++
7860 ++ gdt = get_cpu_gdt_table(smp_processor_id());
7861 ++
7862 ++#ifdef CONFIG_PAX_KERNEXEC
7863 ++ pax_open_kernel(cr0);
7864 ++#endif
7865 ++
7866 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
7867 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
7868 ++ 0UL, 0xFFFFFUL, 0x9B, 0xC);
7869 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
7870 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
7871 ++ 0UL, 0xFFFFFUL, 0x93, 0xC);
7872 ++
7873 ++#ifdef CONFIG_PAX_KERNEXEC
7874 ++ pax_close_kernel(cr0);
7875 ++#endif
7876 ++
7877 ++ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
7878 + : "=a" (return_code),
7879 + "=b" (address),
7880 + "=c" (length),
7881 + "=d" (entry)
7882 + : "0" (service),
7883 + "1" (0),
7884 +- "D" (&bios32_indirect));
7885 ++ "D" (&bios32_indirect),
7886 ++ "r"(__PCIBIOS_DS)
7887 ++ : "memory");
7888 ++
7889 ++#ifdef CONFIG_PAX_KERNEXEC
7890 ++ pax_open_kernel(cr0);
7891 ++#endif
7892 ++
7893 ++ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
7894 ++ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
7895 ++ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
7896 ++ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
7897 ++
7898 ++#ifdef CONFIG_PAX_KERNEXEC
7899 ++ pax_close_kernel(cr0);
7900 ++#endif
7901 ++
7902 + local_irq_restore(flags);
7903 +
7904 + switch (return_code) {
7905 +- case 0:
7906 +- return address + entry;
7907 +- case 0x80: /* Not present */
7908 +- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
7909 +- return 0;
7910 +- default: /* Shouldn't happen */
7911 +- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
7912 +- service, return_code);
7913 ++ case 0: {
7914 ++ int cpu;
7915 ++ unsigned char flags;
7916 ++
7917 ++ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
7918 ++ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
7919 ++ printk(KERN_WARNING "bios32_service: not valid\n");
7920 + return 0;
7921 ++ }
7922 ++ address = address + PAGE_OFFSET;
7923 ++ length += 16UL; /* some BIOSs underreport this... */
7924 ++ flags = 4;
7925 ++ if (length >= 64*1024*1024) {
7926 ++ length >>= PAGE_SHIFT;
7927 ++ flags |= 8;
7928 ++ }
7929 ++
7930 ++#ifdef CONFIG_PAX_KERNEXEC
7931 ++ pax_open_kernel(cr0);
7932 ++#endif
7933 ++
7934 ++ for (cpu = 0; cpu < NR_CPUS; cpu++) {
7935 ++ gdt = get_cpu_gdt_table(cpu);
7936 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
7937 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
7938 ++ address, length, 0x9b, flags);
7939 ++ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
7940 ++ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
7941 ++ address, length, 0x93, flags);
7942 ++ }
7943 ++
7944 ++#ifdef CONFIG_PAX_KERNEXEC
7945 ++ pax_close_kernel(cr0);
7946 ++#endif
7947 ++
7948 ++ return entry;
7949 ++ }
7950 ++ case 0x80: /* Not present */
7951 ++ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
7952 ++ return 0;
7953 ++ default: /* Shouldn't happen */
7954 ++ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
7955 ++ service, return_code);
7956 ++ return 0;
7957 + }
7958 + }
7959 +
7960 + static struct {
7961 + unsigned long address;
7962 + unsigned short segment;
7963 +-} pci_indirect = { 0, __KERNEL_CS };
7964 ++} pci_indirect __read_only = { 0, __PCIBIOS_CS };
7965 +
7966 +-static int pci_bios_present;
7967 ++static int pci_bios_present __read_only;
7968 +
7969 + static int __devinit check_pcibios(void)
7970 + {
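Review bot: the success path now returns the entry offset rather than address + entry, and every error path returns 0, so a service whose entry offset within its segment is 0 is indistinguishable from "not present" in check_pcibios's truth test (if ((pcibios_entry = bios32_service(PCI_SERVICE)))). Either return the status separately or document that entry 0 is treated as absent. Three smaller points: the if (length >= 64*1024*1024) branch is unreachable because the preceding check already rejects length >= 0xFFFF0 - address, so the page-granularity code is dead; unsigned char flags inside case 0 shadows the unsigned long flags used for local_irq_save/restore, harmless today but an invitation to a mistake; and this first lcall uses *(%%edi) while every later call uses *%%ss:(%%edi). It works here only because the temporary __PCIBIOS_DS has base 0, so adding the %%ss: override for consistency would remove that dependence.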
7971 +@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
7972 + unsigned long flags, pcibios_entry;
7973 +
7974 + if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
7975 +- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
7976 ++ pci_indirect.address = pcibios_entry;
7977 +
7978 + local_irq_save(flags);
7979 +- __asm__(
7980 +- "lcall *(%%edi); cld\n\t"
7981 ++ __asm__("movw %w6, %%ds\n\t"
7982 ++ "lcall *%%ss:(%%edi); cld\n\t"
7983 ++ "push %%ss\n\t"
7984 ++ "pop %%ds\n\t"
7985 + "jc 1f\n\t"
7986 + "xor %%ah, %%ah\n"
7987 + "1:"
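Review bot: pci_indirect is declared __read_only in the previous hunk but is assigned here (pci_indirect.address = pcibios_entry), and pci_bios_present is __read_only as well; this relies on check_pcibios running before the read-only data section is sealed, which should be stated in a comment since __devinit code is retained in hotplug builds. The push %%ss / pop %%ds restore also assumes SS holds the kernel data selector, true for kernel code but worth one comment now that DS is switched to the bounded __PCIBIOS_DS around the far call.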
7988 +@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
7989 + "=b" (ebx),
7990 + "=c" (ecx)
7991 + : "1" (PCIBIOS_PCI_BIOS_PRESENT),
7992 +- "D" (&pci_indirect)
7993 ++ "D" (&pci_indirect),
7994 ++ "r" (__PCIBIOS_DS)
7995 + : "memory");
7996 + local_irq_restore(flags);
7997 +
7998 +@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
7999 + unsigned short bx;
8000 + unsigned short ret;
8001 +
8002 +- __asm__("lcall *(%%edi); cld\n\t"
8003 ++ __asm__("movw %w7, %%ds\n\t"
8004 ++ "lcall *%%ss:(%%edi); cld\n\t"
8005 ++ "push %%ss\n\t"
8006 ++ "pop %%ds\n\t"
8007 + "jc 1f\n\t"
8008 + "xor %%ah, %%ah\n"
8009 + "1:"
8010 +@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
8011 + "c" (device_id),
8012 + "d" (vendor),
8013 + "S" ((int) index),
8014 +- "D" (&pci_indirect));
8015 ++ "D" (&pci_indirect),
8016 ++ "r" (__PCIBIOS_DS));
8017 + *bus = (bx >> 8) & 0xff;
8018 + *device_fn = bx & 0xff;
8019 + return (int) (ret & 0xff00) >> 8;
8020 +@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
8021 +
8022 + switch (len) {
8023 + case 1:
8024 +- __asm__("lcall *(%%esi); cld\n\t"
8025 ++ __asm__("movw %w6, %%ds\n\t"
8026 ++ "lcall *%%ss:(%%esi); cld\n\t"
8027 ++ "push %%ss\n\t"
8028 ++ "pop %%ds\n\t"
8029 + "jc 1f\n\t"
8030 + "xor %%ah, %%ah\n"
8031 + "1:"
8032 +@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
8033 + : "1" (PCIBIOS_READ_CONFIG_BYTE),
8034 + "b" (bx),
8035 + "D" ((long)reg),
8036 +- "S" (&pci_indirect));
8037 ++ "S" (&pci_indirect),
8038 ++ "r" (__PCIBIOS_DS));
8039 + break;
8040 + case 2:
8041 +- __asm__("lcall *(%%esi); cld\n\t"
8042 ++ __asm__("movw %w6, %%ds\n\t"
8043 ++ "lcall *%%ss:(%%esi); cld\n\t"
8044 ++ "push %%ss\n\t"
8045 ++ "pop %%ds\n\t"
8046 + "jc 1f\n\t"
8047 + "xor %%ah, %%ah\n"
8048 + "1:"
8049 +@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
8050 + : "1" (PCIBIOS_READ_CONFIG_WORD),
8051 + "b" (bx),
8052 + "D" ((long)reg),
8053 +- "S" (&pci_indirect));
8054 ++ "S" (&pci_indirect),
8055 ++ "r" (__PCIBIOS_DS));
8056 + break;
8057 + case 4:
8058 +- __asm__("lcall *(%%esi); cld\n\t"
8059 ++ __asm__("movw %w6, %%ds\n\t"
8060 ++ "lcall *%%ss:(%%esi); cld\n\t"
8061 ++ "push %%ss\n\t"
8062 ++ "pop %%ds\n\t"
8063 + "jc 1f\n\t"
8064 + "xor %%ah, %%ah\n"
8065 + "1:"
8066 +@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
8067 + : "1" (PCIBIOS_READ_CONFIG_DWORD),
8068 + "b" (bx),
8069 + "D" ((long)reg),
8070 +- "S" (&pci_indirect));
8071 ++ "S" (&pci_indirect),
8072 ++ "r" (__PCIBIOS_DS));
8073 + break;
8074 + }
8075 +
8076 +@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
8077 +
8078 + switch (len) {
8079 + case 1:
8080 +- __asm__("lcall *(%%esi); cld\n\t"
8081 ++ __asm__("movw %w6, %%ds\n\t"
8082 ++ "lcall *%%ss:(%%esi); cld\n\t"
8083 ++ "push %%ss\n\t"
8084 ++ "pop %%ds\n\t"
8085 + "jc 1f\n\t"
8086 + "xor %%ah, %%ah\n"
8087 + "1:"
8088 +@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
8089 + "c" (value),
8090 + "b" (bx),
8091 + "D" ((long)reg),
8092 +- "S" (&pci_indirect));
8093 ++ "S" (&pci_indirect),
8094 ++ "r" (__PCIBIOS_DS));
8095 + break;
8096 + case 2:
8097 +- __asm__("lcall *(%%esi); cld\n\t"
8098 ++ __asm__("movw %w6, %%ds\n\t"
8099 ++ "lcall *%%ss:(%%esi); cld\n\t"
8100 ++ "push %%ss\n\t"
8101 ++ "pop %%ds\n\t"
8102 + "jc 1f\n\t"
8103 + "xor %%ah, %%ah\n"
8104 + "1:"
8105 +@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
8106 + "c" (value),
8107 + "b" (bx),
8108 + "D" ((long)reg),
8109 +- "S" (&pci_indirect));
8110 ++ "S" (&pci_indirect),
8111 ++ "r" (__PCIBIOS_DS));
8112 + break;
8113 + case 4:
8114 +- __asm__("lcall *(%%esi); cld\n\t"
8115 ++ __asm__("movw %w6, %%ds\n\t"
8116 ++ "lcall *%%ss:(%%esi); cld\n\t"
8117 ++ "push %%ss\n\t"
8118 ++ "pop %%ds\n\t"
8119 + "jc 1f\n\t"
8120 + "xor %%ah, %%ah\n"
8121 + "1:"
8122 +@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
8123 + "c" (value),
8124 + "b" (bx),
8125 + "D" ((long)reg),
8126 +- "S" (&pci_indirect));
8127 ++ "S" (&pci_indirect),
8128 ++ "r" (__PCIBIOS_DS));
8129 + break;
8130 + }
8131 +
8132 +@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
8133 +
8134 + DBG("PCI: Fetching IRQ routing table... ");
8135 + __asm__("push %%es\n\t"
8136 ++ "movw %w8, %%ds\n\t"
8137 + "push %%ds\n\t"
8138 + "pop %%es\n\t"
8139 +- "lcall *(%%esi); cld\n\t"
8140 ++ "lcall *%%ss:(%%esi); cld\n\t"
8141 + "pop %%es\n\t"
8142 ++ "push %%ss\n\t"
8143 ++ "pop %%ds\n"
8144 + "jc 1f\n\t"
8145 + "xor %%ah, %%ah\n"
8146 + "1:"
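Review bot: this call copies DS into ES after loading __PCIBIOS_DS and passes the options buffer as ES:DI ("D" ((long) &opt), a kernel stack address). If __PCIBIOS_DS carries the bounded base and limit installed by bios32_service (base = BIOS area + PAGE_OFFSET, limit = service length), the BIOS's access to ES:DI exceeds the segment limit and faults, because the offset is a kernel virtual address rather than an offset into the BIOS area. Please confirm this path (the routing-table fetch) was exercised, or keep ES as the flat kernel data segment for this call.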
8147 +@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
8148 + "1" (0),
8149 + "D" ((long) &opt),
8150 + "S" (&pci_indirect),
8151 +- "m" (opt)
8152 ++ "m" (opt),
8153 ++ "r" (__PCIBIOS_DS)
8154 + : "memory");
8155 + DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
8156 + if (ret & 0xff00)
8157 +@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
8158 + {
8159 + int ret;
8160 +
8161 +- __asm__("lcall *(%%esi); cld\n\t"
8162 ++ __asm__("movw %w5, %%ds\n\t"
8163 ++ "lcall *%%ss:(%%esi); cld\n\t"
8164 ++ "push %%ss\n\t"
8165 ++ "pop %%ds\n"
8166 + "jc 1f\n\t"
8167 + "xor %%ah, %%ah\n"
8168 + "1:"
8169 +@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
8170 + : "0" (PCIBIOS_SET_PCI_HW_INT),
8171 + "b" ((dev->bus->number << 8) | dev->devfn),
8172 + "c" ((irq << 8) | (pin + 10)),
8173 +- "S" (&pci_indirect));
8174 ++ "S" (&pci_indirect),
8175 ++ "r" (__PCIBIOS_DS));
8176 + return !(ret & 0xff00);
8177 + }
8178 + EXPORT_SYMBOL(pcibios_set_irq_routing);
8179 +diff -Nurp linux-2.6.23.15/arch/i386/power/cpu.c linux-2.6.23.15-grsec/arch/i386/power/cpu.c
8180 +--- linux-2.6.23.15/arch/i386/power/cpu.c 2007-10-09 21:31:38.000000000 +0100
8181 ++++ linux-2.6.23.15-grsec/arch/i386/power/cpu.c 2008-02-11 10:37:44.000000000 +0000
8182 +@@ -64,7 +64,7 @@ static void do_fpu_end(void)
8183 + static void fix_processor_context(void)
8184 + {
8185 + int cpu = smp_processor_id();
8186 +- struct tss_struct * t = &per_cpu(init_tss, cpu);
8187 ++ struct tss_struct *t = init_tss + cpu;
8188 +
8189 + set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
8190 +
8191 +diff -Nurp linux-2.6.23.15/arch/i386/xen/enlighten.c linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c
8192 +--- linux-2.6.23.15/arch/i386/xen/enlighten.c 2008-02-11 10:36:03.000000000 +0000
8193 ++++ linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c 2008-02-11 10:37:44.000000000 +0000
8194 +@@ -320,7 +320,7 @@ static void xen_set_ldt(const void *addr
8195 + static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
8196 + {
8197 + unsigned long *frames;
8198 +- unsigned long va = dtr->address;
8199 ++ unsigned long va = (unsigned long)dtr->address;
8200 + unsigned int size = dtr->size + 1;
8201 + unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
8202 + int f;
8203 +@@ -335,7 +335,7 @@ static void xen_load_gdt(const struct Xg
8204 + mcs = xen_mc_entry(sizeof(*frames) * pages);
8205 + frames = mcs.args;
8206 +
8207 +- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
8208 ++ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
8209 + frames[f] = virt_to_mfn(va);
8210 + make_lowmem_page_readonly((void *)va);
8211 + }
8212 +@@ -429,7 +429,7 @@ static void xen_write_idt_entry(struct d
8213 +
8214 + preempt_disable();
8215 +
8216 +- start = __get_cpu_var(idt_desc).address;
8217 ++ start = (unsigned long)__get_cpu_var(idt_desc).address;
8218 + end = start + __get_cpu_var(idt_desc).size + 1;
8219 +
8220 + xen_mc_flush();
8221 +diff -Nurp linux-2.6.23.15/arch/i386/xen/smp.c linux-2.6.23.15-grsec/arch/i386/xen/smp.c
8222 +--- linux-2.6.23.15/arch/i386/xen/smp.c 2007-10-09 21:31:38.000000000 +0100
8223 ++++ linux-2.6.23.15-grsec/arch/i386/xen/smp.c 2008-02-11 10:37:44.000000000 +0000
8224 +@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
8225 +
8226 + /* We've switched to the "real" per-cpu gdt, so make sure the
8227 + old memory can be recycled */
8228 +- make_lowmem_page_readwrite(&per_cpu__gdt_page);
8229 ++ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
8230 +
8231 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
8232 + cpus_clear(cpu_sibling_map[cpu]);
8233 +@@ -198,7 +198,7 @@ static __cpuinit int
8234 + cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
8235 + {
8236 + struct vcpu_guest_context *ctxt;
8237 +- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
8238 ++ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8239 +
8240 + if (cpu_test_and_set(cpu, cpu_initialized_map))
8241 + return 0;
8242 +@@ -222,11 +222,11 @@ cpu_initialize_context(unsigned int cpu,
8243 +
8244 + ctxt->ldt_ents = 0;
8245 +
8246 +- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
8247 +- make_lowmem_page_readonly(gdt->gdt);
8248 ++ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
8249 ++ make_lowmem_page_readonly(gdt);
8250 +
8251 +- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
8252 +- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
8253 ++ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
8254 ++ ctxt->gdt_ents = GDT_ENTRIES;
8255 +
8256 + ctxt->user_regs.cs = __KERNEL_CS;
8257 + ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
8258 +diff -Nurp linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c
8259 +--- linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c 2007-10-09 21:31:38.000000000 +0100
8260 ++++ linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c 2008-02-11 10:37:44.000000000 +0000
8261 +@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
8262 +
8263 + #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
8264 +
8265 ++#ifdef CONFIG_PAX_ASLR
8266 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
8267 ++
8268 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
8269 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
8270 ++#endif
8271 ++
8272 + /* Ugly but avoids duplication */
8273 + #include "../../../fs/binfmt_elf.c"
8274 +
8275 +diff -Nurp linux-2.6.23.15/arch/ia64/ia32/ia32priv.h linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h
8276 +--- linux-2.6.23.15/arch/ia64/ia32/ia32priv.h 2007-10-09 21:31:38.000000000 +0100
8277 ++++ linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h 2008-02-11 10:37:44.000000000 +0000
8278 +@@ -304,7 +304,14 @@ struct old_linux32_dirent {
8279 + #define ELF_DATA ELFDATA2LSB
8280 + #define ELF_ARCH EM_386
8281 +
8282 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
8283 ++#ifdef CONFIG_PAX_RANDUSTACK
8284 ++#define __IA32_DELTA_STACK (current->mm->delta_stack)
8285 ++#else
8286 ++#define __IA32_DELTA_STACK 0UL
8287 ++#endif
8288 ++
8289 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
8290 ++
8291 + #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
8292 + #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
8293 +
8294 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/module.c linux-2.6.23.15-grsec/arch/ia64/kernel/module.c
8295 +--- linux-2.6.23.15/arch/ia64/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
8296 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
8297 +@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
8298 + void
8299 + module_free (struct module *mod, void *module_region)
8300 + {
8301 +- if (mod->arch.init_unw_table && module_region == mod->module_init) {
8302 ++ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
8303 + unw_remove_unwind_table(mod->arch.init_unw_table);
8304 + mod->arch.init_unw_table = NULL;
8305 + }
8306 +@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
8307 + }
8308 +
8309 + static inline int
8310 ++in_init_rx (const struct module *mod, uint64_t addr)
8311 ++{
8312 ++ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
8313 ++}
8314 ++
8315 ++static inline int
8316 ++in_init_rw (const struct module *mod, uint64_t addr)
8317 ++{
8318 ++ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
8319 ++}
8320 ++
8321 ++static inline int
8322 + in_init (const struct module *mod, uint64_t addr)
8323 + {
8324 +- return addr - (uint64_t) mod->module_init < mod->init_size;
8325 ++ return in_init_rx(mod, value) || in_init_rw(mod, value);
8326 ++}
8327 ++
8328 ++static inline int
8329 ++in_core_rx (const struct module *mod, uint64_t addr)
8330 ++{
8331 ++ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
8332 ++}
8333 ++
8334 ++static inline int
8335 ++in_core_rw (const struct module *mod, uint64_t addr)
8336 ++{
8337 ++ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
8338 + }
8339 +
8340 + static inline int
8341 + in_core (const struct module *mod, uint64_t addr)
8342 + {
8343 +- return addr - (uint64_t) mod->module_core < mod->core_size;
8344 ++ return in_core_rx(mod, value) || in_core_rw(mod, value);
8345 + }
8346 +
8347 + static inline int
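Review bot: in_init() and in_core() reference an identifier that is not in scope: both take a parameter named `addr`, but the new bodies read `return in_init_rx(mod, value) || in_init_rw(mod, value);` and `return in_core_rx(mod, value) || in_core_rw(mod, value);`. Unless some `value` is visible at file scope, the ia64 build will fail here; `value` should be `addr` in both functions.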
8348 +@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
8349 + break;
8350 +
8351 + case RV_BDREL:
8352 +- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
8353 ++ if (in_init_rx(mod, val))
8354 ++ val -= (uint64_t) mod->module_init_rx;
8355 ++ else if (in_init_rw(mod, val))
8356 ++ val -= (uint64_t) mod->module_init_rw;
8357 ++ else if (in_core_rx(mod, val))
8358 ++ val -= (uint64_t) mod->module_core_rx;
8359 ++ else if (in_core_rw(mod, val))
8360 ++ val -= (uint64_t) mod->module_core_rw;
8361 + break;
8362 +
8363 + case RV_LTV:
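Review bot: the RV_BDREL case has no fallback when `val` lies in none of the four rx/rw ranges. The replaced line always subtracted a base (module_init or module_core), whereas the new if/else chain silently leaves `val` unadjusted and proceeds to write a wrong relocation. Add a final `else` that reports the bad relocation and returns an error, or a comment explaining why the value is guaranteed to be inside one of the ranges.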
8364 +@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
8365 + * addresses have been selected...
8366 + */
8367 + uint64_t gp;
8368 +- if (mod->core_size > MAX_LTOFF)
8369 ++ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
8370 + /*
8371 + * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
8372 + * at the end of the module.
8373 + */
8374 +- gp = mod->core_size - MAX_LTOFF / 2;
8375 ++ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
8376 + else
8377 +- gp = mod->core_size / 2;
8378 +- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
8379 ++ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
8380 ++ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
8381 + mod->arch.gp = gp;
8382 + DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
8383 + }
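Review bot: gp is now computed as an offset within `core_size_rx + core_size_rw` but applied to `module_core_rx`, which only lands in the right place if the rx and rw core regions are allocated back to back in that order. Nothing in this hunk establishes that layout, and the original code assumed a single core region. Please document the assumption where the regions are allocated, or derive gp from the region that actually holds the small-data sections.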
8384 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c
8385 +--- linux-2.6.23.15/arch/ia64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
8386 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
8387 +@@ -17,6 +17,7 @@
8388 + #include <linux/security.h>
8389 + #include <linux/audit.h>
8390 + #include <linux/signal.h>
8391 ++#include <linux/grsecurity.h>
8392 +
8393 + #include <asm/pgtable.h>
8394 + #include <asm/processor.h>
8395 +@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
8396 + if (pid == 1) /* no messing around with init! */
8397 + goto out_tsk;
8398 +
8399 ++ if (gr_handle_ptrace(child, request))
8400 ++ goto out_tsk;
8401 ++
8402 + if (request == PTRACE_ATTACH) {
8403 + ret = ptrace_attach(child);
8404 + goto out_tsk;
8405 +diff -Nurp linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c
8406 +--- linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c 2007-10-09 21:31:38.000000000 +0100
8407 ++++ linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c 2008-02-11 10:37:44.000000000 +0000
8408 +@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
8409 + if (REGION_NUMBER(addr) == RGN_HPAGE)
8410 + addr = 0;
8411 + #endif
8412 ++
8413 ++#ifdef CONFIG_PAX_RANDMMAP
8414 ++ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
8415 ++ addr = mm->free_area_cache;
8416 ++ else
8417 ++#endif
8418 ++
8419 + if (!addr)
8420 + addr = mm->free_area_cache;
8421 +
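Review bot: the bare `else` at the end of the CONFIG_PAX_RANDMMAP block pairs with the unchanged `if (!addr)` after the `#endif`, producing `else if (!addr)` only when the option is on. That is correct today but fragile for the next edit of this function; consider folding it into a single conditional so the control flow does not depend on preprocessor-split statements, while keeping the non-PaX path unchanged.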
8422 +@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
8423 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
8424 + /* At this point: (!vma || addr < vma->vm_end). */
8425 + if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
8426 +- if (start_addr != TASK_UNMAPPED_BASE) {
8427 ++ if (start_addr != mm->mmap_base) {
8428 + /* Start a new search --- just in case we missed some holes. */
8429 +- addr = TASK_UNMAPPED_BASE;
8430 ++ addr = mm->mmap_base;
8431 + goto full_search;
8432 + }
8433 + return -ENOMEM;
8434 +diff -Nurp linux-2.6.23.15/arch/ia64/mm/fault.c linux-2.6.23.15-grsec/arch/ia64/mm/fault.c
8435 +--- linux-2.6.23.15/arch/ia64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8436 ++++ linux-2.6.23.15-grsec/arch/ia64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8437 +@@ -10,6 +10,7 @@
8438 + #include <linux/interrupt.h>
8439 + #include <linux/kprobes.h>
8440 + #include <linux/kdebug.h>
8441 ++#include <linux/binfmts.h>
8442 +
8443 + #include <asm/pgtable.h>
8444 + #include <asm/processor.h>
8445 +@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
8446 + return pte_present(pte);
8447 + }
8448 +
8449 ++#ifdef CONFIG_PAX_PAGEEXEC
8450 ++void pax_report_insns(void *pc, void *sp)
8451 ++{
8452 ++ unsigned long i;
8453 ++
8454 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8455 ++ for (i = 0; i < 8; i++) {
8456 ++ unsigned int c;
8457 ++ if (get_user(c, (unsigned int *)pc+i))
8458 ++ printk("???????? ");
8459 ++ else
8460 ++ printk("%08x ", c);
8461 ++ }
8462 ++ printk("\n");
8463 ++}
8464 ++#endif
8465 ++
8466 + void __kprobes
8467 + ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
8468 + {
8469 +@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
8470 + mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
8471 + | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
8472 +
8473 +- if ((vma->vm_flags & mask) != mask)
8474 ++ if ((vma->vm_flags & mask) != mask) {
8475 ++
8476 ++#ifdef CONFIG_PAX_PAGEEXEC
8477 ++ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
8478 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
8479 ++ goto bad_area;
8480 ++
8481 ++ up_read(&mm->mmap_sem);
8482 ++ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
8483 ++ do_exit(SIGKILL);
8484 ++ }
8485 ++#endif
8486 ++
8487 + goto bad_area;
8488 +
8489 ++ }
8490 ++
8491 + survive:
8492 + /*
8493 + * If for any reason at all we couldn't handle the fault, make
8494 +diff -Nurp linux-2.6.23.15/arch/ia64/mm/init.c linux-2.6.23.15-grsec/arch/ia64/mm/init.c
8495 +--- linux-2.6.23.15/arch/ia64/mm/init.c 2007-10-09 21:31:38.000000000 +0100
8496 ++++ linux-2.6.23.15-grsec/arch/ia64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
8497 +@@ -20,8 +20,8 @@
8498 + #include <linux/proc_fs.h>
8499 + #include <linux/bitops.h>
8500 + #include <linux/kexec.h>
8501 ++#include <linux/a.out.h>
8502 +
8503 +-#include <asm/a.out.h>
8504 + #include <asm/dma.h>
8505 + #include <asm/ia32.h>
8506 + #include <asm/io.h>
8507 +@@ -130,8 +130,21 @@ ia64_init_addr_space (void)
8508 + vma->vm_mm = current->mm;
8509 + vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
8510 + vma->vm_end = vma->vm_start + PAGE_SIZE;
8511 +- vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7];
8512 + vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
8513 ++
8514 ++#ifdef CONFIG_PAX_PAGEEXEC
8515 ++ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
8516 ++ vm->vm_flags &= ~VM_EXEC;
8517 ++
8518 ++#ifdef CONFIG_PAX_MPROTECT
8519 ++ if (current->mm->pax_flags & MF_PAX_MPROTECT)
8520 ++ vma->vm_flags &= ~VM_MAYEXEC;
8521 ++#endif
8522 ++
8523 ++ }
8524 ++#endif
8525 ++
8526 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
8527 + down_write(&current->mm->mmap_sem);
8528 + if (insert_vm_struct(current->mm, vma)) {
8529 + up_write(&current->mm->mmap_sem);
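Review bot: `vm->vm_flags &= ~VM_EXEC;` under CONFIG_PAX_PAGEEXEC refers to `vm`, but the variable in this function is `vma` (see the surrounding lines and the nested MPROTECT branch, which correctly uses `vma->vm_flags`). This will not compile with PAGEEXEC enabled on ia64; it should read `vma->vm_flags &= ~VM_EXEC;`.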
8530 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c
8531 +--- linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c 2007-10-09 21:31:38.000000000 +0100
8532 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c 2008-02-11 10:37:44.000000000 +0000
8533 +@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
8534 + #undef ELF_ET_DYN_BASE
8535 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
8536 +
8537 ++#ifdef CONFIG_PAX_ASLR
8538 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
8539 ++
8540 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8541 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8542 ++#endif
8543 ++
8544 + #include <asm/processor.h>
8545 + #include <linux/module.h>
8546 + #include <linux/elfcore.h>
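Review bot: the PAX_ELF_ET_DYN_BASE definition tests MF_32BIT_ADDR but yields `0x00400000UL` in both arms, so the conditional is dead. Either reduce it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if a different base was intended for the 64-bit address space, supply it.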
8547 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c
8548 +--- linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c 2007-10-09 21:31:38.000000000 +0100
8549 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c 2008-02-11 10:37:44.000000000 +0000
8550 +@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
8551 + #undef ELF_ET_DYN_BASE
8552 + #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
8553 +
8554 ++#ifdef CONFIG_PAX_ASLR
8555 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
8556 ++
8557 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8558 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
8559 ++#endif
8560 ++
8561 + #include <asm/processor.h>
8562 + #include <linux/module.h>
8563 + #include <linux/elfcore.h>
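Review bot: same dead conditional as in binfmt_elfn32.c: both arms of the PAX_ELF_ET_DYN_BASE ternary evaluate to `0x00400000UL`. Simplify to a plain constant or provide the intended 64-bit value.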
8564 +diff -Nurp linux-2.6.23.15/arch/mips/kernel/syscall.c linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c
8565 +--- linux-2.6.23.15/arch/mips/kernel/syscall.c 2007-10-09 21:31:38.000000000 +0100
8566 ++++ linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c 2008-02-11 10:37:44.000000000 +0000
8567 +@@ -88,6 +88,11 @@ unsigned long arch_get_unmapped_area(str
8568 + do_color_align = 0;
8569 + if (filp || (flags & MAP_SHARED))
8570 + do_color_align = 1;
8571 ++
8572 ++#ifdef CONFIG_PAX_RANDMMAP
8573 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
8574 ++#endif
8575 ++
8576 + if (addr) {
8577 + if (do_color_align)
8578 + addr = COLOUR_ALIGN(addr, pgoff);
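Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` guard wraps a bare `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` with no braces, whose body is the unchanged `if (addr) { ... }` block that follows the `#endif`. The effect (ignore the caller's address hint for file-backed mappings when RANDMMAP is active) is intended, but it reads as a dangling if; a short comment stating that the next block is the conditional's body would make the construction clear to the next reader.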
8579 +@@ -98,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
8580 + (!vmm || addr + len <= vmm->vm_start))
8581 + return addr;
8582 + }
8583 +- addr = TASK_UNMAPPED_BASE;
8584 ++ addr = current->mm->mmap_base;
8585 + if (do_color_align)
8586 + addr = COLOUR_ALIGN(addr, pgoff);
8587 + else
8588 +diff -Nurp linux-2.6.23.15/arch/mips/mm/fault.c linux-2.6.23.15-grsec/arch/mips/mm/fault.c
8589 +--- linux-2.6.23.15/arch/mips/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8590 ++++ linux-2.6.23.15-grsec/arch/mips/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8591 +@@ -26,6 +26,23 @@
8592 + #include <asm/ptrace.h>
8593 + #include <asm/highmem.h> /* For VMALLOC_END */
8594 +
8595 ++#ifdef CONFIG_PAX_PAGEEXEC
8596 ++void pax_report_insns(void *pc)
8597 ++{
8598 ++ unsigned long i;
8599 ++
8600 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8601 ++ for (i = 0; i < 5; i++) {
8602 ++ unsigned int c;
8603 ++ if (get_user(c, (unsigned int *)pc+i))
8604 ++ printk("???????? ");
8605 ++ else
8606 ++ printk("%08x ", c);
8607 ++ }
8608 ++ printk("\n");
8609 ++}
8610 ++#endif
8611 ++
8612 + /*
8613 + * This routine handles page faults. It determines the address,
8614 + * and the problem, and then passes it off to one of the appropriate
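Review bot: pax_report_insns() is declared here as `void pax_report_insns(void *pc)`, while the ia64 and parisc versions added elsewhere in this patch take `(void *pc, void *sp)`. If the common caller uses one prototype across architectures, the mips build will either fail or be called with a mismatched signature; align this definition with the other architectures.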
8615 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/module.c linux-2.6.23.15-grsec/arch/parisc/kernel/module.c
8616 +--- linux-2.6.23.15/arch/parisc/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
8617 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
8618 +@@ -73,16 +73,38 @@
8619 +
8620 + /* three functions to determine where in the module core
8621 + * or init pieces the location is */
8622 ++static inline int in_init_rx(struct module *me, void *loc)
8623 ++{
8624 ++ return (loc >= me->module_init_rx &&
8625 ++ loc < (me->module_init_rx + me->init_size_rx));
8626 ++}
8627 ++
8628 ++static inline int in_init_rw(struct module *me, void *loc)
8629 ++{
8630 ++ return (loc >= me->module_init_rw &&
8631 ++ loc < (me->module_init_rw + me->init_size_rw));
8632 ++}
8633 ++
8634 + static inline int in_init(struct module *me, void *loc)
8635 + {
8636 +- return (loc >= me->module_init &&
8637 +- loc <= (me->module_init + me->init_size));
8638 ++ return in_init_rx(me, loc) || in_init_rw(me, loc);
8639 ++}
8640 ++
8641 ++static inline int in_core_rx(struct module *me, void *loc)
8642 ++{
8643 ++ return (loc >= me->module_core_rx &&
8644 ++ loc < (me->module_core_rx + me->core_size_rx));
8645 ++}
8646 ++
8647 ++static inline int in_core_rw(struct module *me, void *loc)
8648 ++{
8649 ++ return (loc >= me->module_core_rw &&
8650 ++ loc < (me->module_core_rw + me->core_size_rw));
8651 + }
8652 +
8653 + static inline int in_core(struct module *me, void *loc)
8654 + {
8655 +- return (loc >= me->module_core &&
8656 +- loc <= (me->module_core + me->core_size));
8657 ++ return in_core_rx(me, loc) || in_core_rw(me, loc);
8658 + }
8659 +
8660 + static inline int in_local(struct module *me, void *loc)
8661 +@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
8662 + }
8663 +
8664 + /* align things a bit */
8665 +- me->core_size = ALIGN(me->core_size, 16);
8666 +- me->arch.got_offset = me->core_size;
8667 +- me->core_size += gots * sizeof(struct got_entry);
8668 +-
8669 +- me->core_size = ALIGN(me->core_size, 16);
8670 +- me->arch.fdesc_offset = me->core_size;
8671 +- me->core_size += fdescs * sizeof(Elf_Fdesc);
8672 +-
8673 +- me->core_size = ALIGN(me->core_size, 16);
8674 +- me->arch.stub_offset = me->core_size;
8675 +- me->core_size += stubs * sizeof(struct stub_entry);
8676 +-
8677 +- me->init_size = ALIGN(me->init_size, 16);
8678 +- me->arch.init_stub_offset = me->init_size;
8679 +- me->init_size += init_stubs * sizeof(struct stub_entry);
8680 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
8681 ++ me->arch.got_offset = me->core_size_rw;
8682 ++ me->core_size_rw += gots * sizeof(struct got_entry);
8683 ++
8684 ++ me->core_size_rw = ALIGN(me->core_size_rw, 16);
8685 ++ me->arch.fdesc_offset = me->core_size_rw;
8686 ++ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
8687 ++
8688 ++ me->core_size_rx = ALIGN(me->core_size_rx, 16);
8689 ++ me->arch.stub_offset = me->core_size_rx;
8690 ++ me->core_size_rx += stubs * sizeof(struct stub_entry);
8691 ++
8692 ++ me->init_size_rx = ALIGN(me->init_size_rx, 16);
8693 ++ me->arch.init_stub_offset = me->init_size_rx;
8694 ++ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
8695 +
8696 + me->arch.got_max = gots;
8697 + me->arch.fdesc_max = fdescs;
8698 +@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
8699 +
8700 + BUG_ON(value == 0);
8701 +
8702 +- got = me->module_core + me->arch.got_offset;
8703 ++ got = me->module_core_rw + me->arch.got_offset;
8704 + for (i = 0; got[i].addr; i++)
8705 + if (got[i].addr == value)
8706 + goto out;
8707 +@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
8708 + #ifdef CONFIG_64BIT
8709 + static Elf_Addr get_fdesc(struct module *me, unsigned long value)
8710 + {
8711 +- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
8712 ++ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
8713 +
8714 + if (!value) {
8715 + printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
8716 +@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
8717 +
8718 + /* Create new one */
8719 + fdesc->addr = value;
8720 +- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
8721 ++ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
8722 + return (Elf_Addr)fdesc;
8723 + }
8724 + #endif /* CONFIG_64BIT */
8725 +@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
8726 + if(init_section) {
8727 + i = me->arch.init_stub_count++;
8728 + BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
8729 +- stub = me->module_init + me->arch.init_stub_offset +
8730 ++ stub = me->module_init_rx + me->arch.init_stub_offset +
8731 + i * sizeof(struct stub_entry);
8732 + } else {
8733 + i = me->arch.stub_count++;
8734 + BUG_ON(me->arch.stub_count > me->arch.stub_max);
8735 +- stub = me->module_core + me->arch.stub_offset +
8736 ++ stub = me->module_core_rx + me->arch.stub_offset +
8737 + i * sizeof(struct stub_entry);
8738 + }
8739 +
8740 +@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
8741 +
8742 + table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
8743 + end = table + sechdrs[me->arch.unwind_section].sh_size;
8744 +- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
8745 ++ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
8746 +
8747 + DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
8748 + me->arch.unwind_section, table, end, gp);
8749 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c
8750 +--- linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c 2007-10-09 21:31:38.000000000 +0100
8751 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c 2008-02-11 10:37:44.000000000 +0000
8752 +@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
8753 + if (flags & MAP_FIXED)
8754 + return addr;
8755 + if (!addr)
8756 +- addr = TASK_UNMAPPED_BASE;
8757 ++ addr = current->mm->mmap_base;
8758 +
8759 + if (filp) {
8760 + addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
8761 +diff -Nurp linux-2.6.23.15/arch/parisc/kernel/traps.c linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c
8762 +--- linux-2.6.23.15/arch/parisc/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
8763 ++++ linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
8764 +@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
8765 +
8766 + down_read(&current->mm->mmap_sem);
8767 + vma = find_vma(current->mm,regs->iaoq[0]);
8768 +- if (vma && (regs->iaoq[0] >= vma->vm_start)
8769 +- && (vma->vm_flags & VM_EXEC)) {
8770 +-
8771 ++ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
8772 + fault_address = regs->iaoq[0];
8773 + fault_space = regs->iasq[0];
8774 +
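Review bot: removing `&& (vma->vm_flags & VM_EXEC)` from the instruction-fetch check is not under CONFIG_PAX_PAGEEXEC, so it also changes behaviour for kernels built without PaX: a fetch from a mapped but non-executable vma now enters this branch rather than the `else` path that follows. Please add a comment explaining why that is correct for non-PaX builds, or keep the original condition when PAGEEXEC is not configured.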
8775 +diff -Nurp linux-2.6.23.15/arch/parisc/mm/fault.c linux-2.6.23.15-grsec/arch/parisc/mm/fault.c
8776 +--- linux-2.6.23.15/arch/parisc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
8777 ++++ linux-2.6.23.15-grsec/arch/parisc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
8778 +@@ -16,6 +16,8 @@
8779 + #include <linux/sched.h>
8780 + #include <linux/interrupt.h>
8781 + #include <linux/module.h>
8782 ++#include <linux/unistd.h>
8783 ++#include <linux/binfmts.h>
8784 +
8785 + #include <asm/uaccess.h>
8786 + #include <asm/traps.h>
8787 +@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
8788 + static unsigned long
8789 + parisc_acctyp(unsigned long code, unsigned int inst)
8790 + {
8791 +- if (code == 6 || code == 16)
8792 ++ if (code == 6 || code == 7 || code == 16)
8793 + return VM_EXEC;
8794 +
8795 + switch (inst & 0xf0000000) {
8796 +@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
8797 + }
8798 + #endif
8799 +
8800 ++#ifdef CONFIG_PAX_PAGEEXEC
8801 ++/*
8802 ++ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
8803 ++ *
8804 ++ * returns 1 when task should be killed
8805 ++ * 2 when rt_sigreturn trampoline was detected
8806 ++ * 3 when unpatched PLT trampoline was detected
8807 ++ */
8808 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
8809 ++{
8810 ++
8811 ++#ifdef CONFIG_PAX_EMUPLT
8812 ++ int err;
8813 ++
8814 ++ do { /* PaX: unpatched PLT emulation */
8815 ++ unsigned int bl, depwi;
8816 ++
8817 ++ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
8818 ++ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
8819 ++
8820 ++ if (err)
8821 ++ break;
8822 ++
8823 ++ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
8824 ++ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
8825 ++
8826 ++ err = get_user(ldw, (unsigned int *)addr);
8827 ++ err |= get_user(bv, (unsigned int *)(addr+4));
8828 ++ err |= get_user(ldw2, (unsigned int *)(addr+8));
8829 ++
8830 ++ if (err)
8831 ++ break;
8832 ++
8833 ++ if (ldw == 0x0E801096U &&
8834 ++ bv == 0xEAC0C000U &&
8835 ++ ldw2 == 0x0E881095U)
8836 ++ {
8837 ++ unsigned int resolver, map;
8838 ++
8839 ++ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
8840 ++ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
8841 ++ if (err)
8842 ++ break;
8843 ++
8844 ++ regs->gr[20] = instruction_pointer(regs)+8;
8845 ++ regs->gr[21] = map;
8846 ++ regs->gr[22] = resolver;
8847 ++ regs->iaoq[0] = resolver | 3UL;
8848 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
8849 ++ return 3;
8850 ++ }
8851 ++ }
8852 ++ } while (0);
8853 ++#endif
8854 ++
8855 ++#ifdef CONFIG_PAX_EMUTRAMP
8856 ++
8857 ++#ifndef CONFIG_PAX_EMUSIGRT
8858 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
8859 ++ return 1;
8860 ++#endif
8861 ++
8862 ++ do { /* PaX: rt_sigreturn emulation */
8863 ++ unsigned int ldi1, ldi2, bel, nop;
8864 ++
8865 ++ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
8866 ++ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
8867 ++ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
8868 ++ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
8869 ++
8870 ++ if (err)
8871 ++ break;
8872 ++
8873 ++ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
8874 ++ ldi2 == 0x3414015AU &&
8875 ++ bel == 0xE4008200U &&
8876 ++ nop == 0x08000240U)
8877 ++ {
8878 ++ regs->gr[25] = (ldi1 & 2) >> 1;
8879 ++ regs->gr[20] = __NR_rt_sigreturn;
8880 ++ regs->gr[31] = regs->iaoq[1] + 16;
8881 ++ regs->sr[0] = regs->iasq[1];
8882 ++ regs->iaoq[0] = 0x100UL;
8883 ++ regs->iaoq[1] = regs->iaoq[0] + 4;
8884 ++ regs->iasq[0] = regs->sr[2];
8885 ++ regs->iasq[1] = regs->sr[2];
8886 ++ return 2;
8887 ++ }
8888 ++ } while (0);
8889 ++#endif
8890 ++
8891 ++ return 1;
8892 ++}
8893 ++
8894 ++void pax_report_insns(void *pc, void *sp)
8895 ++{
8896 ++ unsigned long i;
8897 ++
8898 ++ printk(KERN_ERR "PAX: bytes at PC: ");
8899 ++ for (i = 0; i < 5; i++) {
8900 ++ unsigned int c;
8901 ++ if (get_user(c, (unsigned int *)pc+i))
8902 ++ printk("???????? ");
8903 ++ else
8904 ++ printk("%08x ", c);
8905 ++ }
8906 ++ printk("\n");
8907 ++}
8908 ++#endif
8909 ++
8910 + void do_page_fault(struct pt_regs *regs, unsigned long code,
8911 + unsigned long address)
8912 + {
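Review bot: `int err;` is declared inside `#ifdef CONFIG_PAX_EMUPLT` but is also used in the `#ifdef CONFIG_PAX_EMUTRAMP` block (`err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));`), so a configuration with EMUTRAMP enabled and EMUPLT disabled will not compile. Move the declaration above both blocks, guarded by `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`.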
8913 +@@ -165,8 +277,33 @@ good_area:
8914 +
8915 + acc_type = parisc_acctyp(code,regs->iir);
8916 +
8917 +- if ((vma->vm_flags & acc_type) != acc_type)
8918 ++ if ((vma->vm_flags & acc_type) != acc_type) {
8919 ++
8920 ++#ifdef CONFIG_PAX_PAGEEXEC
8921 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
8922 ++ (address & ~3UL) == instruction_pointer(regs))
8923 ++ {
8924 ++ up_read(&mm->mmap_sem);
8925 ++ switch (pax_handle_fetch_fault(regs)) {
8926 ++
8927 ++#ifdef CONFIG_PAX_EMUPLT
8928 ++ case 3:
8929 ++ return;
8930 ++#endif
8931 ++
8932 ++#ifdef CONFIG_PAX_EMUTRAMP
8933 ++ case 2:
8934 ++ return;
8935 ++#endif
8936 ++
8937 ++ }
8938 ++ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
8939 ++ do_exit(SIGKILL);
8940 ++ }
8941 ++#endif
8942 ++
8943 + goto bad_area;
8944 ++ }
8945 +
8946 + /*
8947 + * If for any reason at all we couldn't handle the fault, make
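Review bot: the switch on pax_handle_fetch_fault() has no `default`, and with both EMUPLT and EMUTRAMP disabled it has no cases at all; return value 1 then falls through to pax_report_fault() and do_exit(SIGKILL), which is the intent. A `default: break;` with a one-line comment would make that explicit and avoid an empty switch body in that configuration.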
8948 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/module_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c
8949 +--- linux-2.6.23.15/arch/powerpc/kernel/module_32.c 2007-10-09 21:31:38.000000000 +0100
8950 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c 2008-02-11 10:37:44.000000000 +0000
8951 +@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
8952 + me->arch.core_plt_section = i;
8953 + }
8954 + if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
8955 +- printk("Module doesn't contain .plt or .init.plt sections.\n");
8956 ++ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
8957 + return -ENOEXEC;
8958 + }
8959 +
8960 +@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
8961 +
8962 + DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
8963 + /* Init, or core PLT? */
8964 +- if (location >= mod->module_core
8965 +- && location < mod->module_core + mod->core_size)
8966 ++ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
8967 ++ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
8968 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
8969 +- else
8970 ++ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
8971 ++ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
8972 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
8973 ++ else {
8974 ++ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
8975 ++ return ~0UL;
8976 ++ }
8977 +
8978 + /* Find this entry, or if that fails, the next avail. entry */
8979 + while (entry->jump[0]) {
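Review bot: do_plt_call() now returns `~0UL` as an error sentinel from a function declared to return uint32_t, but the hunk shows no caller being updated to check for it; if the relocation loop uses the return value as a branch target, an invalid R_PPC_REL24 entry would be written rather than rejected. Either update the callers in this patch to handle the sentinel, or return an error code the relocation loop already propagates.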
8980 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c
8981 +--- linux-2.6.23.15/arch/powerpc/kernel/signal_32.c 2007-10-09 21:31:38.000000000 +0100
8982 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c 2008-02-11 10:37:44.000000000 +0000
8983 +@@ -728,7 +728,7 @@ int handle_rt_signal32(unsigned long sig
8984 +
8985 + /* Save user registers on the stack */
8986 + frame = &rt_sf->uc.uc_mcontext;
8987 +- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
8988 ++ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
8989 + if (save_user_regs(regs, frame, 0))
8990 + goto badframe;
8991 + regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
8992 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_64.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c
8993 +--- linux-2.6.23.15/arch/powerpc/kernel/signal_64.c 2007-10-09 21:31:38.000000000 +0100
8994 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c 2008-02-11 10:37:44.000000000 +0000
8995 +@@ -359,7 +359,7 @@ int handle_rt_signal64(int signr, struct
8996 + current->thread.fpscr.val = 0;
8997 +
8998 + /* Set up to return from userspace. */
8999 +- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
9000 ++ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9001 + regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
9002 + } else {
9003 + err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
9004 +diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/vdso.c linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c
9005 +--- linux-2.6.23.15/arch/powerpc/kernel/vdso.c 2007-10-09 21:31:38.000000000 +0100
9006 ++++ linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c 2008-02-11 10:37:44.000000000 +0000
9007 +@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
9008 + vdso_base = VDSO32_MBASE;
9009 + #endif
9010 +
9011 +- current->mm->context.vdso_base = 0;
9012 ++ current->mm->context.vdso_base = ~0UL;
9013 +
9014 + /* vDSO has a problem and was disabled, just don't "enable" it for the
9015 + * process
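Review bot: `~0UL` becomes the "no vDSO" sentinel here, but it is written only inside arch_setup_additional_pages(), which runs at exec time; an mm whose context is still zero-initialized (init_mm, or any context created before this function runs) keeps 0, and the converted checks in signal_32.c/signal_64.c (`vdso_base != ~0UL`) would treat that 0 as a valid base. The initial value in the mm context setup needs to be `~0UL` as well, and a single named constant (a hypothetical `VDSO_BASE_NONE`, for instance) used in all of these places would stop the magic value drifting between the setter and its readers.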
9016 +@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
9017 + */
9018 + down_write(&mm->mmap_sem);
9019 + vdso_base = get_unmapped_area(NULL, vdso_base,
9020 +- vdso_pages << PAGE_SHIFT, 0, 0);
9021 ++ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
9022 + if (IS_ERR_VALUE(vdso_base)) {
9023 + rc = vdso_base;
9024 + goto fail_mmapsem;
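Review bot: passing `MAP_PRIVATE | MAP_EXECUTABLE` instead of 0 only affects the address get_unmapped_area() chooses, not the protections of the mapping installed afterwards, and MAP_EXECUTABLE is a flag mainline mmap() ignores, so its meaning here comes entirely from the PaX changes to the allocator. A one-line comment saying why the flags are needed (presumably so the PaX-aware arch_get_unmapped_area places an executable mapping where the exec-restricted layout expects it) would save the next reader a trip through mm/.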
9025 +diff -Nurp linux-2.6.23.15/arch/powerpc/mm/fault.c linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c
9026 +--- linux-2.6.23.15/arch/powerpc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
9027 ++++ linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
9028 +@@ -29,6 +29,12 @@
9029 + #include <linux/module.h>
9030 + #include <linux/kprobes.h>
9031 + #include <linux/kdebug.h>
9032 ++#include <linux/binfmts.h>
9033 ++#include <linux/slab.h>
9034 ++#include <linux/pagemap.h>
9035 ++#include <linux/compiler.h>
9036 ++#include <linux/binfmts.h>
9037 ++#include <linux/unistd.h>
9038 +
9039 + #include <asm/page.h>
9040 + #include <asm/pgtable.h>
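Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (the first and the fifth new lines); drop the duplicate. The matching include block this patch adds to arch/ppc/mm/fault.c lists it once.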
9041 +@@ -62,6 +68,364 @@ static inline int notify_page_fault(stru
9042 + }
9043 + #endif
9044 +
9045 ++#ifdef CONFIG_PAX_EMUSIGRT
9046 ++void pax_syscall_close(struct vm_area_struct *vma)
9047 ++{
9048 ++ vma->vm_mm->call_syscall = 0UL;
9049 ++}
9050 ++
9051 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
9052 ++{
9053 ++ struct page *page;
9054 ++ unsigned int *kaddr;
9055 ++
9056 ++ page = alloc_page(GFP_HIGHUSER);
9057 ++ if (!page)
9058 ++ return NOPAGE_OOM;
9059 ++
9060 ++ kaddr = kmap(page);
9061 ++ memset(kaddr, 0, PAGE_SIZE);
9062 ++ kaddr[0] = 0x44000002U; /* sc */
9063 ++ __flush_dcache_icache(kaddr);
9064 ++ kunmap(page);
9065 ++ if (type)
9066 ++ *type = VM_FAULT_MAJOR;
9067 ++ return page;
9068 ++}
9069 ++
9070 ++static struct vm_operations_struct pax_vm_ops = {
9071 ++ .close = pax_syscall_close,
9072 ++ .nopage = pax_syscall_nopage,
9073 ++};
9074 ++
9075 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9076 ++{
9077 ++ int ret;
9078 ++
9079 ++ memset(vma, 0, sizeof(*vma));
9080 ++ vma->vm_mm = current->mm;
9081 ++ vma->vm_start = addr;
9082 ++ vma->vm_end = addr + PAGE_SIZE;
9083 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9084 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9085 ++ vma->vm_ops = &pax_vm_ops;
9086 ++
9087 ++ ret = insert_vm_struct(current->mm, vma);
9088 ++ if (ret)
9089 ++ return ret;
9090 ++
9091 ++ ++current->mm->total_vm;
9092 ++ return 0;
9093 ++}
9094 ++#endif
9095 ++
9096 ++#ifdef CONFIG_PAX_PAGEEXEC
9097 ++/*
9098 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
9099 ++ *
9100 ++ * returns 1 when task should be killed
9101 ++ * 2 when patched GOT trampoline was detected
9102 ++ * 3 when patched PLT trampoline was detected
9103 ++ * 4 when unpatched PLT trampoline was detected
9104 ++ * 5 when sigreturn trampoline was detected
9105 ++ * 6 when rt_sigreturn trampoline was detected
9106 ++ */
9107 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
9108 ++{
9109 ++
9110 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
9111 ++ int err;
9112 ++#endif
9113 ++
9114 ++#ifdef CONFIG_PAX_EMUPLT
9115 ++ do { /* PaX: patched GOT emulation */
9116 ++ unsigned int blrl;
9117 ++
9118 ++ err = get_user(blrl, (unsigned int *)regs->nip);
9119 ++
9120 ++ if (!err && blrl == 0x4E800021U) {
9121 ++ unsigned long temp = regs->nip;
9122 ++
9123 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
9124 ++ regs->link = temp + 4UL;
9125 ++ return 2;
9126 ++ }
9127 ++ } while (0);
9128 ++
9129 ++ do { /* PaX: patched PLT emulation #1 */
9130 ++ unsigned int b;
9131 ++
9132 ++ err = get_user(b, (unsigned int *)regs->nip);
9133 ++
9134 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
9135 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
9136 ++ return 3;
9137 ++ }
9138 ++ } while (0);
9139 ++
9140 ++ do { /* PaX: unpatched PLT emulation #1 */
9141 ++ unsigned int li, b;
9142 ++
9143 ++ err = get_user(li, (unsigned int *)regs->nip);
9144 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9145 ++
9146 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9147 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9148 ++ unsigned long addr = b | 0xFC000000UL;
9149 ++
9150 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9151 ++ err = get_user(rlwinm, (unsigned int *)addr);
9152 ++ err |= get_user(add, (unsigned int *)(addr+4));
9153 ++ err |= get_user(li2, (unsigned int *)(addr+8));
9154 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
9155 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
9156 ++ err |= get_user(li3, (unsigned int *)(addr+20));
9157 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
9158 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
9159 ++
9160 ++ if (err)
9161 ++ break;
9162 ++
9163 ++ if (rlwinm == 0x556C083CU &&
9164 ++ add == 0x7D6C5A14U &&
9165 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9166 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9167 ++ mtctr == 0x7D8903A6U &&
9168 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9169 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9170 ++ bctr == 0x4E800420U)
9171 ++ {
9172 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9173 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9174 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9175 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9176 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9177 ++ regs->nip = regs->ctr;
9178 ++ return 4;
9179 ++ }
9180 ++ }
9181 ++ } while (0);
9182 ++
9183 ++#if 0
9184 ++ do { /* PaX: unpatched PLT emulation #2 */
9185 ++ unsigned int lis, lwzu, b, bctr;
9186 ++
9187 ++ err = get_user(lis, (unsigned int *)regs->nip);
9188 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
9189 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
9190 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
9191 ++
9192 ++ if (err)
9193 ++ break;
9194 ++
9195 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
9196 ++ (lwzu & 0xU) == 0xU &&
9197 ++ (b & 0xFC000003U) == 0x48000000U &&
9198 ++ bctr == 0x4E800420U)
9199 ++ {
9200 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9201 ++ unsigned long addr = b | 0xFC000000UL;
9202 ++
9203 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9204 ++ err = get_user(addis, (unsigned int*)addr);
9205 ++ err |= get_user(addi, (unsigned int*)(addr+4));
9206 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
9207 ++ err |= get_user(add, (unsigned int*)(addr+12));
9208 ++ err |= get_user(li2, (unsigned int*)(addr+16));
9209 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
9210 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
9211 ++ err |= get_user(li3, (unsigned int*)(addr+28));
9212 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
9213 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
9214 ++
9215 ++ if (err)
9216 ++ break;
9217 ++
9218 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9219 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
9220 ++ rlwinm == 0x556C083CU &&
9221 ++ add == 0x7D6C5A14U &&
9222 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9223 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9224 ++ mtctr == 0x7D8903A6U &&
9225 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9226 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9227 ++ bctr == 0x4E800420U)
9228 ++ {
9229 ++ regs->gpr[PT_R11] =
9230 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9231 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9232 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9233 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9234 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9235 ++ regs->nip = regs->ctr;
9236 ++ return 4;
9237 ++ }
9238 ++ }
9239 ++ } while (0);
9240 ++#endif
9241 ++
9242 ++ do { /* PaX: unpatched PLT emulation #3 */
9243 ++ unsigned int li, b;
9244 ++
9245 ++ err = get_user(li, (unsigned int *)regs->nip);
9246 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9247 ++
9248 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9249 ++ unsigned int addis, lwz, mtctr, bctr;
9250 ++ unsigned long addr = b | 0xFC000000UL;
9251 ++
9252 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9253 ++ err = get_user(addis, (unsigned int *)addr);
9254 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
9255 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
9256 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
9257 ++
9258 ++ if (err)
9259 ++ break;
9260 ++
9261 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9262 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
9263 ++ mtctr == 0x7D6903A6U &&
9264 ++ bctr == 0x4E800420U)
9265 ++ {
9266 ++ unsigned int r11;
9267 ++
9268 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9269 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9270 ++
9271 ++ err = get_user(r11, (unsigned int *)addr);
9272 ++ if (err)
9273 ++ break;
9274 ++
9275 ++ regs->gpr[PT_R11] = r11;
9276 ++ regs->ctr = r11;
9277 ++ regs->nip = r11;
9278 ++ return 4;
9279 ++ }
9280 ++ }
9281 ++ } while (0);
9282 ++#endif
9283 ++
9284 ++#ifdef CONFIG_PAX_EMUSIGRT
9285 ++ do { /* PaX: sigreturn emulation */
9286 ++ unsigned int li, sc;
9287 ++
9288 ++ err = get_user(li, (unsigned int *)regs->nip);
9289 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9290 ++
9291 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
9292 ++ struct vm_area_struct *vma;
9293 ++ unsigned long call_syscall;
9294 ++
9295 ++ down_read(&current->mm->mmap_sem);
9296 ++ call_syscall = current->mm->call_syscall;
9297 ++ up_read(&current->mm->mmap_sem);
9298 ++ if (likely(call_syscall))
9299 ++ goto emulate;
9300 ++
9301 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9302 ++
9303 ++ down_write(&current->mm->mmap_sem);
9304 ++ if (current->mm->call_syscall) {
9305 ++ call_syscall = current->mm->call_syscall;
9306 ++ up_write(&current->mm->mmap_sem);
9307 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9308 ++ goto emulate;
9309 ++ }
9310 ++
9311 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9312 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9313 ++ up_write(&current->mm->mmap_sem);
9314 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9315 ++ return 1;
9316 ++ }
9317 ++
9318 ++ if (pax_insert_vma(vma, call_syscall)) {
9319 ++ up_write(&current->mm->mmap_sem);
9320 ++ kmem_cache_free(vm_area_cachep, vma);
9321 ++ return 1;
9322 ++ }
9323 ++
9324 ++ current->mm->call_syscall = call_syscall;
9325 ++ up_write(&current->mm->mmap_sem);
9326 ++
9327 ++emulate:
9328 ++ regs->gpr[PT_R0] = __NR_sigreturn;
9329 ++ regs->nip = call_syscall;
9330 ++ return 5;
9331 ++ }
9332 ++ } while (0);
9333 ++
9334 ++ do { /* PaX: rt_sigreturn emulation */
9335 ++ unsigned int li, sc;
9336 ++
9337 ++ err = get_user(li, (unsigned int *)regs->nip);
9338 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9339 ++
9340 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
9341 ++ struct vm_area_struct *vma;
9342 ++ unsigned int call_syscall;
9343 ++
9344 ++ down_read(&current->mm->mmap_sem);
9345 ++ call_syscall = current->mm->call_syscall;
9346 ++ up_read(&current->mm->mmap_sem);
9347 ++ if (likely(call_syscall))
9348 ++ goto rt_emulate;
9349 ++
9350 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9351 ++
9352 ++ down_write(&current->mm->mmap_sem);
9353 ++ if (current->mm->call_syscall) {
9354 ++ call_syscall = current->mm->call_syscall;
9355 ++ up_write(&current->mm->mmap_sem);
9356 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9357 ++ goto rt_emulate;
9358 ++ }
9359 ++
9360 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9361 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9362 ++ up_write(&current->mm->mmap_sem);
9363 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9364 ++ return 1;
9365 ++ }
9366 ++
9367 ++ if (pax_insert_vma(vma, call_syscall)) {
9368 ++ up_write(&current->mm->mmap_sem);
9369 ++ kmem_cache_free(vm_area_cachep, vma);
9370 ++ return 1;
9371 ++ }
9372 ++
9373 ++ current->mm->call_syscall = call_syscall;
9374 ++ up_write(&current->mm->mmap_sem);
9375 ++
9376 ++rt_emulate:
9377 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
9378 ++ regs->nip = call_syscall;
9379 ++ return 6;
9380 ++ }
9381 ++ } while (0);
9382 ++#endif
9383 ++
9384 ++ return 1;
9385 ++}
9386 ++
9387 ++void pax_report_insns(void *pc, void *sp)
9388 ++{
9389 ++ unsigned long i;
9390 ++
9391 ++ printk(KERN_ERR "PAX: bytes at PC: ");
9392 ++ for (i = 0; i < 5; i++) {
9393 ++ unsigned int c;
9394 ++ if (get_user(c, (unsigned int *)pc+i))
9395 ++ printk("???????? ");
9396 ++ else
9397 ++ printk("%08x ", c);
9398 ++ }
9399 ++ printk("\n");
9400 ++}
9401 ++#endif
9402 ++
9403 + /*
9404 + * Check whether the instruction at regs->nip is a store using
9405 + * an update addressing form which will update r1.
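Review bot: the rt_sigreturn emulation declares `unsigned int call_syscall;` while the sigreturn emulation directly above it uses `unsigned long`; arch/powerpc builds 64-bit kernels, so `get_unmapped_area()`'s result is truncated to 32 bits before it is stored in `current->mm->call_syscall` and loaded into `regs->nip`, and the `call_syscall & ~PAGE_MASK` test runs on the truncated value. Change it to `unsigned long` to match the other path. Separately, the `#if 0` block ("unpatched PLT emulation #2") contains `(lwzu & 0xU) == 0xU`, which is not valid C, and a duplicated `regs->gpr[PT_R11] =` line; it is dead today but will break the build the moment someone flips the `#if`, so either finish it or remove it.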
9406 +@@ -157,7 +521,7 @@ int __kprobes do_page_fault(struct pt_re
9407 + * indicate errors in DSISR but can validly be set in SRR1.
9408 + */
9409 + if (trap == 0x400)
9410 +- error_code &= 0x48200000;
9411 ++ error_code &= 0x58200000;
9412 + else
9413 + is_write = error_code & DSISR_ISSTORE;
9414 + #else
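Review bot: widening the mask from 0x48200000 to 0x58200000 preserves SRR1 bit 0x10000000 (the instruction-storage-interrupt indication for a fetch from a no-execute or guarded page, SRR1_ISI_N_OR_G in later kernels) in `error_code`, which is what the PAGEEXEC handler added further down depends on, but the comment above the mask still only says which bits "can validly be set in SRR1". Add a line naming the bit and its purpose so the constant is not reverted to the mainline value on the next merge.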
9415 +@@ -357,6 +721,37 @@ bad_area:
9416 + bad_area_nosemaphore:
9417 + /* User mode accesses cause a SIGSEGV */
9418 + if (user_mode(regs)) {
9419 ++
9420 ++#ifdef CONFIG_PAX_PAGEEXEC
9421 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9422 ++#ifdef CONFIG_PPC64
9423 ++ if (is_exec && (error_code & DSISR_PROTFAULT)) {
9424 ++#else
9425 ++ if (is_exec && regs->nip == address) {
9426 ++#endif
9427 ++ switch (pax_handle_fetch_fault(regs)) {
9428 ++
9429 ++#ifdef CONFIG_PAX_EMUPLT
9430 ++ case 2:
9431 ++ case 3:
9432 ++ case 4:
9433 ++ return 0;
9434 ++#endif
9435 ++
9436 ++#ifdef CONFIG_PAX_EMUSIGRT
9437 ++ case 5:
9438 ++ case 6:
9439 ++ return 0;
9440 ++#endif
9441 ++
9442 ++ }
9443 ++
9444 ++ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
9445 ++ do_exit(SIGKILL);
9446 ++ }
9447 ++ }
9448 ++#endif
9449 ++
9450 + _exception(SIGSEGV, regs, code, address);
9451 + return 0;
9452 + }
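Review bot: the two arms of the `#ifdef CONFIG_PPC64` detect an execute fault differently (`is_exec && (error_code & DSISR_PROTFAULT)` on 64-bit, `is_exec && regs->nip == address` on 32-bit) with nothing saying why; a short comment on which SRR1/DSISR bits each case relies on would also make the 0x58200000 mask change above reviewable. The `switch` intentionally falls out for return value 1 (task should be killed) and for anything unexpected; a `default: break;` with a comment would make that explicit. Note that this block lives after `bad_area_nosemaphore:`, i.e. after mmap_sem has been released, which is what makes the `do_exit(SIGKILL)` here safe; keep that ordering if the block is ever moved.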
9453 +diff -Nurp linux-2.6.23.15/arch/powerpc/mm/mmap.c linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c
9454 +--- linux-2.6.23.15/arch/powerpc/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
9455 ++++ linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
9456 +@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
9457 + */
9458 + if (mmap_is_legacy()) {
9459 + mm->mmap_base = TASK_UNMAPPED_BASE;
9460 ++
9461 ++#ifdef CONFIG_PAX_RANDMMAP
9462 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
9463 ++ mm->mmap_base += mm->delta_mmap;
9464 ++#endif
9465 ++
9466 + mm->get_unmapped_area = arch_get_unmapped_area;
9467 + mm->unmap_area = arch_unmap_area;
9468 + } else {
9469 + mm->mmap_base = mmap_base();
9470 ++
9471 ++#ifdef CONFIG_PAX_RANDMMAP
9472 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
9473 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9474 ++#endif
9475 ++
9476 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
9477 + mm->unmap_area = arch_unmap_area_topdown;
9478 + }
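Review bot: the top-down branch lowers `mmap_base` by `delta_mmap + delta_stack` while the legacy branch raises it by `delta_mmap` only; presumably that is because mmap_base() sits just under the stack gap and must also clear the stack randomization, but the hunk does not say so. Add a comment, and confirm that `delta_mmap`/`delta_stack` are already populated by the binfmt loader when arch_pick_mmap_layout() is called, since a still-zero delta would silently disable RANDMMAP here rather than fail loudly.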
9479 +diff -Nurp linux-2.6.23.15/arch/ppc/mm/fault.c linux-2.6.23.15-grsec/arch/ppc/mm/fault.c
9480 +--- linux-2.6.23.15/arch/ppc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
9481 ++++ linux-2.6.23.15-grsec/arch/ppc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
9482 +@@ -25,6 +25,11 @@
9483 + #include <linux/interrupt.h>
9484 + #include <linux/highmem.h>
9485 + #include <linux/module.h>
9486 ++#include <linux/slab.h>
9487 ++#include <linux/pagemap.h>
9488 ++#include <linux/compiler.h>
9489 ++#include <linux/binfmts.h>
9490 ++#include <linux/unistd.h>
9491 +
9492 + #include <asm/page.h>
9493 + #include <asm/pgtable.h>
9494 +@@ -48,6 +53,364 @@ unsigned long pte_misses; /* updated by
9495 + unsigned long pte_errors; /* updated by do_page_fault() */
9496 + unsigned int probingmem;
9497 +
9498 ++#ifdef CONFIG_PAX_EMUSIGRT
9499 ++void pax_syscall_close(struct vm_area_struct *vma)
9500 ++{
9501 ++ vma->vm_mm->call_syscall = 0UL;
9502 ++}
9503 ++
9504 ++static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
9505 ++{
9506 ++ struct page *page;
9507 ++ unsigned int *kaddr;
9508 ++
9509 ++ page = alloc_page(GFP_HIGHUSER);
9510 ++ if (!page)
9511 ++ return NOPAGE_OOM;
9512 ++
9513 ++ kaddr = kmap(page);
9514 ++ memset(kaddr, 0, PAGE_SIZE);
9515 ++ kaddr[0] = 0x44000002U; /* sc */
9516 ++ __flush_dcache_icache(kaddr);
9517 ++ kunmap(page);
9518 ++ if (type)
9519 ++ *type = VM_FAULT_MAJOR;
9520 ++ return page;
9521 ++}
9522 ++
9523 ++static struct vm_operations_struct pax_vm_ops = {
9524 ++ .close = pax_syscall_close,
9525 ++ .nopage = pax_syscall_nopage,
9526 ++};
9527 ++
9528 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
9529 ++{
9530 ++ int ret;
9531 ++
9532 ++ memset(vma, 0, sizeof(*vma));
9533 ++ vma->vm_mm = current->mm;
9534 ++ vma->vm_start = addr;
9535 ++ vma->vm_end = addr + PAGE_SIZE;
9536 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
9537 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
9538 ++ vma->vm_ops = &pax_vm_ops;
9539 ++
9540 ++ ret = insert_vm_struct(current->mm, vma);
9541 ++ if (ret)
9542 ++ return ret;
9543 ++
9544 ++ ++current->mm->total_vm;
9545 ++ return 0;
9546 ++}
9547 ++#endif
9548 ++
9549 ++#ifdef CONFIG_PAX_PAGEEXEC
9550 ++/*
9551 ++ * PaX: decide what to do with offenders (regs->nip = fault address)
9552 ++ *
9553 ++ * returns 1 when task should be killed
9554 ++ * 2 when patched GOT trampoline was detected
9555 ++ * 3 when patched PLT trampoline was detected
9556 ++ * 4 when unpatched PLT trampoline was detected
9557 ++ * 5 when sigreturn trampoline was detected
9558 ++ * 6 when rt_sigreturn trampoline was detected
9559 ++ */
9560 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
9561 ++{
9562 ++
9563 ++#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
9564 ++ int err;
9565 ++#endif
9566 ++
9567 ++#ifdef CONFIG_PAX_EMUPLT
9568 ++ do { /* PaX: patched GOT emulation */
9569 ++ unsigned int blrl;
9570 ++
9571 ++ err = get_user(blrl, (unsigned int *)regs->nip);
9572 ++
9573 ++ if (!err && blrl == 0x4E800021U) {
9574 ++ unsigned long temp = regs->nip;
9575 ++
9576 ++ regs->nip = regs->link & 0xFFFFFFFCUL;
9577 ++ regs->link = temp + 4UL;
9578 ++ return 2;
9579 ++ }
9580 ++ } while (0);
9581 ++
9582 ++ do { /* PaX: patched PLT emulation #1 */
9583 ++ unsigned int b;
9584 ++
9585 ++ err = get_user(b, (unsigned int *)regs->nip);
9586 ++
9587 ++ if (!err && (b & 0xFC000003U) == 0x48000000U) {
9588 ++ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
9589 ++ return 3;
9590 ++ }
9591 ++ } while (0);
9592 ++
9593 ++ do { /* PaX: unpatched PLT emulation #1 */
9594 ++ unsigned int li, b;
9595 ++
9596 ++ err = get_user(li, (unsigned int *)regs->nip);
9597 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9598 ++
9599 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9600 ++ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9601 ++ unsigned long addr = b | 0xFC000000UL;
9602 ++
9603 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9604 ++ err = get_user(rlwinm, (unsigned int *)addr);
9605 ++ err |= get_user(add, (unsigned int *)(addr+4));
9606 ++ err |= get_user(li2, (unsigned int *)(addr+8));
9607 ++ err |= get_user(addis2, (unsigned int *)(addr+12));
9608 ++ err |= get_user(mtctr, (unsigned int *)(addr+16));
9609 ++ err |= get_user(li3, (unsigned int *)(addr+20));
9610 ++ err |= get_user(addis3, (unsigned int *)(addr+24));
9611 ++ err |= get_user(bctr, (unsigned int *)(addr+28));
9612 ++
9613 ++ if (err)
9614 ++ break;
9615 ++
9616 ++ if (rlwinm == 0x556C083CU &&
9617 ++ add == 0x7D6C5A14U &&
9618 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9619 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9620 ++ mtctr == 0x7D8903A6U &&
9621 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9622 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9623 ++ bctr == 0x4E800420U)
9624 ++ {
9625 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9626 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9627 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9628 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9629 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9630 ++ regs->nip = regs->ctr;
9631 ++ return 4;
9632 ++ }
9633 ++ }
9634 ++ } while (0);
9635 ++
9636 ++#if 0
9637 ++ do { /* PaX: unpatched PLT emulation #2 */
9638 ++ unsigned int lis, lwzu, b, bctr;
9639 ++
9640 ++ err = get_user(lis, (unsigned int *)regs->nip);
9641 ++ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
9642 ++ err |= get_user(b, (unsigned int *)(regs->nip+8));
9643 ++ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
9644 ++
9645 ++ if (err)
9646 ++ break;
9647 ++
9648 ++ if ((lis & 0xFFFF0000U) == 0x39600000U &&
9649 ++ (lwzu & 0xU) == 0xU &&
9650 ++ (b & 0xFC000003U) == 0x48000000U &&
9651 ++ bctr == 0x4E800420U)
9652 ++ {
9653 ++ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
9654 ++ unsigned long addr = b | 0xFC000000UL;
9655 ++
9656 ++ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9657 ++ err = get_user(addis, (unsigned int*)addr);
9658 ++ err |= get_user(addi, (unsigned int*)(addr+4));
9659 ++ err |= get_user(rlwinm, (unsigned int*)(addr+8));
9660 ++ err |= get_user(add, (unsigned int*)(addr+12));
9661 ++ err |= get_user(li2, (unsigned int*)(addr+16));
9662 ++ err |= get_user(addis2, (unsigned int*)(addr+20));
9663 ++ err |= get_user(mtctr, (unsigned int*)(addr+24));
9664 ++ err |= get_user(li3, (unsigned int*)(addr+28));
9665 ++ err |= get_user(addis3, (unsigned int*)(addr+32));
9666 ++ err |= get_user(bctr, (unsigned int*)(addr+36));
9667 ++
9668 ++ if (err)
9669 ++ break;
9670 ++
9671 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9672 ++ (addi & 0xFFFF0000U) == 0x396B0000U &&
9673 ++ rlwinm == 0x556C083CU &&
9674 ++ add == 0x7D6C5A14U &&
9675 ++ (li2 & 0xFFFF0000U) == 0x39800000U &&
9676 ++ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
9677 ++ mtctr == 0x7D8903A6U &&
9678 ++ (li3 & 0xFFFF0000U) == 0x39800000U &&
9679 ++ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
9680 ++ bctr == 0x4E800420U)
9681 ++ {
9682 ++ regs->gpr[PT_R11] =
9683 ++ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9684 ++ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9685 ++ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
9686 ++ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9687 ++ regs->ctr += (addis2 & 0xFFFFU) << 16;
9688 ++ regs->nip = regs->ctr;
9689 ++ return 4;
9690 ++ }
9691 ++ }
9692 ++ } while (0);
9693 ++#endif
9694 ++
9695 ++ do { /* PaX: unpatched PLT emulation #3 */
9696 ++ unsigned int li, b;
9697 ++
9698 ++ err = get_user(li, (unsigned int *)regs->nip);
9699 ++ err |= get_user(b, (unsigned int *)(regs->nip+4));
9700 ++
9701 ++ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
9702 ++ unsigned int addis, lwz, mtctr, bctr;
9703 ++ unsigned long addr = b | 0xFC000000UL;
9704 ++
9705 ++ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
9706 ++ err = get_user(addis, (unsigned int *)addr);
9707 ++ err |= get_user(lwz, (unsigned int *)(addr+4));
9708 ++ err |= get_user(mtctr, (unsigned int *)(addr+8));
9709 ++ err |= get_user(bctr, (unsigned int *)(addr+12));
9710 ++
9711 ++ if (err)
9712 ++ break;
9713 ++
9714 ++ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
9715 ++ (lwz & 0xFFFF0000U) == 0x816B0000U &&
9716 ++ mtctr == 0x7D6903A6U &&
9717 ++ bctr == 0x4E800420U)
9718 ++ {
9719 ++ unsigned int r11;
9720 ++
9721 ++ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9722 ++ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
9723 ++
9724 ++ err = get_user(r11, (unsigned int *)addr);
9725 ++ if (err)
9726 ++ break;
9727 ++
9728 ++ regs->gpr[PT_R11] = r11;
9729 ++ regs->ctr = r11;
9730 ++ regs->nip = r11;
9731 ++ return 4;
9732 ++ }
9733 ++ }
9734 ++ } while (0);
9735 ++#endif
9736 ++
9737 ++#ifdef CONFIG_PAX_EMUSIGRT
9738 ++ do { /* PaX: sigreturn emulation */
9739 ++ unsigned int li, sc;
9740 ++
9741 ++ err = get_user(li, (unsigned int *)regs->nip);
9742 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9743 ++
9744 ++ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
9745 ++ struct vm_area_struct *vma;
9746 ++ unsigned long call_syscall;
9747 ++
9748 ++ down_read(&current->mm->mmap_sem);
9749 ++ call_syscall = current->mm->call_syscall;
9750 ++ up_read(&current->mm->mmap_sem);
9751 ++ if (likely(call_syscall))
9752 ++ goto emulate;
9753 ++
9754 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9755 ++
9756 ++ down_write(&current->mm->mmap_sem);
9757 ++ if (current->mm->call_syscall) {
9758 ++ call_syscall = current->mm->call_syscall;
9759 ++ up_write(&current->mm->mmap_sem);
9760 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9761 ++ goto emulate;
9762 ++ }
9763 ++
9764 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9765 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9766 ++ up_write(&current->mm->mmap_sem);
9767 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9768 ++ return 1;
9769 ++ }
9770 ++
9771 ++ if (pax_insert_vma(vma, call_syscall)) {
9772 ++ up_write(&current->mm->mmap_sem);
9773 ++ kmem_cache_free(vm_area_cachep, vma);
9774 ++ return 1;
9775 ++ }
9776 ++
9777 ++ current->mm->call_syscall = call_syscall;
9778 ++ up_write(&current->mm->mmap_sem);
9779 ++
9780 ++emulate:
9781 ++ regs->gpr[PT_R0] = __NR_sigreturn;
9782 ++ regs->nip = call_syscall;
9783 ++ return 5;
9784 ++ }
9785 ++ } while (0);
9786 ++
9787 ++ do { /* PaX: rt_sigreturn emulation */
9788 ++ unsigned int li, sc;
9789 ++
9790 ++ err = get_user(li, (unsigned int *)regs->nip);
9791 ++ err |= get_user(sc, (unsigned int *)(regs->nip+4));
9792 ++
9793 ++ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
9794 ++ struct vm_area_struct *vma;
9795 ++ unsigned int call_syscall;
9796 ++
9797 ++ down_read(&current->mm->mmap_sem);
9798 ++ call_syscall = current->mm->call_syscall;
9799 ++ up_read(&current->mm->mmap_sem);
9800 ++ if (likely(call_syscall))
9801 ++ goto rt_emulate;
9802 ++
9803 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
9804 ++
9805 ++ down_write(&current->mm->mmap_sem);
9806 ++ if (current->mm->call_syscall) {
9807 ++ call_syscall = current->mm->call_syscall;
9808 ++ up_write(&current->mm->mmap_sem);
9809 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9810 ++ goto rt_emulate;
9811 ++ }
9812 ++
9813 ++ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
9814 ++ if (!vma || (call_syscall & ~PAGE_MASK)) {
9815 ++ up_write(&current->mm->mmap_sem);
9816 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
9817 ++ return 1;
9818 ++ }
9819 ++
9820 ++ if (pax_insert_vma(vma, call_syscall)) {
9821 ++ up_write(&current->mm->mmap_sem);
9822 ++ kmem_cache_free(vm_area_cachep, vma);
9823 ++ return 1;
9824 ++ }
9825 ++
9826 ++ current->mm->call_syscall = call_syscall;
9827 ++ up_write(&current->mm->mmap_sem);
9828 ++
9829 ++rt_emulate:
9830 ++ regs->gpr[PT_R0] = __NR_rt_sigreturn;
9831 ++ regs->nip = call_syscall;
9832 ++ return 6;
9833 ++ }
9834 ++ } while (0);
9835 ++#endif
9836 ++
9837 ++ return 1;
9838 ++}
9839 ++
9840 ++void pax_report_insns(void *pc, void *sp)
9841 ++{
9842 ++ unsigned long i;
9843 ++
9844 ++ printk(KERN_ERR "PAX: bytes at PC: ");
9845 ++ for (i = 0; i < 5; i++) {
9846 ++ unsigned int c;
9847 ++ if (get_user(c, (unsigned int *)pc+i))
9848 ++ printk("???????? ");
9849 ++ else
9850 ++ printk("%08x ", c);
9851 ++ }
9852 ++ printk("\n");
9853 ++}
9854 ++#endif
9855 ++
9856 + /*
9857 + * Check whether the instruction at regs->nip is a store using
9858 + * an update addressing form which will update r1.
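Review bot: this ~360-line block is a verbatim copy of what the patch adds to arch/powerpc/mm/fault.c, and it carries the same defects: `unsigned int call_syscall` in the rt_sigreturn path (harmless on 32-bit ppc but inconsistent with the `unsigned long` used by the sigreturn path just above it), the invalid `(lwzu & 0xU) == 0xU` placeholder and the duplicated `regs->gpr[PT_R11] =` inside the `#if 0` block. Every fix will now have to be applied twice; moving pax_handle_fetch_fault(), pax_syscall_nopage() and pax_insert_vma() into one shared file included by both fault.c files would remove the duplication.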
9859 +@@ -109,7 +472,7 @@ int do_page_fault(struct pt_regs *regs,
9860 + * indicate errors in DSISR but can validly be set in SRR1.
9861 + */
9862 + if (TRAP(regs) == 0x400)
9863 +- error_code &= 0x48200000;
9864 ++ error_code &= 0x58200000;
9865 + else
9866 + is_write = error_code & 0x02000000;
9867 + #endif /* CONFIG_4xx || CONFIG_BOOKE */
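Review bot: same 0x48200000 to 0x58200000 change as in arch/powerpc/mm/fault.c; the comment above it should state that the preserved bit (0x10000000) is the SRR1 no-execute/guarded-storage indication for an instruction storage interrupt, which the PAGEEXEC handler added below relies on.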
9868 +@@ -204,15 +567,14 @@ good_area:
9869 + pte_t *ptep;
9870 + pmd_t *pmdp;
9871 +
9872 +-#if 0
9873 ++#if 1
9874 + /* It would be nice to actually enforce the VM execute
9875 + permission on CPUs which can do so, but far too
9876 + much stuff in userspace doesn't get the permissions
9877 + right, so we let any page be executed for now. */
9878 + if (! (vma->vm_flags & VM_EXEC))
9879 + goto bad_area;
9880 +-#endif
9881 +-
9882 ++#else
9883 + /* Since 4xx/Book-E supports per-page execute permission,
9884 + * we lazily flush dcache to icache. */
9885 + ptep = NULL;
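Review bot: flipping `#if 0` to `#if 1` makes the VM_EXEC check unconditional for every 4xx/Book-E process, not only those with MF_PAX_PAGEEXEC set in `mm->pax_flags` (the PAGEEXEC block added later in this file is gated on that flag; this check is not), so a binary with PAGEEXEC disabled through its PaX flags still gets SIGSEGV on a fetch from a non-VM_EXEC page unless PaX guarantees VM_EXEC on all of its mappings, which is not visible here. Two things to tidy up as well: the comment block above the check still says "we let any page be executed for now", which is no longer true, and the lazy dcache-to-icache flush now under `#else` is dead code, so either delete it or explain why it is kept.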
9886 +@@ -235,6 +597,7 @@ good_area:
9887 + pte_unmap_unlock(ptep, ptl);
9888 + }
9889 + #endif
9890 ++#endif
9891 + /* a read */
9892 + } else {
9893 + /* protection fault */
9894 +@@ -278,6 +641,33 @@ bad_area:
9895 +
9896 + /* User mode accesses cause a SIGSEGV */
9897 + if (user_mode(regs)) {
9898 ++
9899 ++#ifdef CONFIG_PAX_PAGEEXEC
9900 ++ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9901 ++ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
9902 ++ switch (pax_handle_fetch_fault(regs)) {
9903 ++
9904 ++#ifdef CONFIG_PAX_EMUPLT
9905 ++ case 2:
9906 ++ case 3:
9907 ++ case 4:
9908 ++ return 0;
9909 ++#endif
9910 ++
9911 ++#ifdef CONFIG_PAX_EMUSIGRT
9912 ++ case 5:
9913 ++ case 6:
9914 ++ return 0;
9915 ++#endif
9916 ++
9917 ++ }
9918 ++
9919 ++ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
9920 ++ do_exit(SIGKILL);
9921 ++ }
9922 ++ }
9923 ++#endif
9924 ++
9925 + _exception(SIGSEGV, regs, code, address);
9926 + return 0;
9927 + }
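Review bot: this is the 32-bit ppc twin of the PAGEEXEC block in arch/powerpc/mm/fault.c; the stack pointer is passed as `regs->gpr[1]` here but as `regs->gpr[PT_R1]` there, so pick one spelling (PT_R1 reads better) to keep the two copies diffable. The execute-fault test `(TRAP(regs) == 0x400) && (regs->nip == address)` also differs from the powerpc 32-bit arm's `is_exec && regs->nip == address`; fine if the two are equivalent, but that deserves a comment.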
9928 +diff -Nurp linux-2.6.23.15/arch/s390/kernel/module.c linux-2.6.23.15-grsec/arch/s390/kernel/module.c
9929 +--- linux-2.6.23.15/arch/s390/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
9930 ++++ linux-2.6.23.15-grsec/arch/s390/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
9931 +@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
9932 +
9933 + /* Increase core size by size of got & plt and set start
9934 + offsets for got and plt. */
9935 +- me->core_size = ALIGN(me->core_size, 4);
9936 +- me->arch.got_offset = me->core_size;
9937 +- me->core_size += me->arch.got_size;
9938 +- me->arch.plt_offset = me->core_size;
9939 +- me->core_size += me->arch.plt_size;
9940 ++ me->core_size_rw = ALIGN(me->core_size_rw, 4);
9941 ++ me->arch.got_offset = me->core_size_rw;
9942 ++ me->core_size_rw += me->arch.got_size;
9943 ++ me->arch.plt_offset = me->core_size_rx;
9944 ++ me->core_size_rx += me->arch.plt_size;
9945 + return 0;
9946 + }
9947 +
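Review bot: the PLT is no longer placed after the GOT but in a separate region, yet only `core_size_rw` is aligned before the GOT is laid out; `me->arch.plt_offset = me->core_size_rx;` takes `core_size_rx` as-is. The original code aligned once and then placed GOT and PLT back to back, so the PLT was aligned too. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before assigning `plt_offset`, since the PLT stubs written in `apply_rela()` are 4-byte instruction words.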
9948 +@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9949 + if (info->got_initialized == 0) {
9950 + Elf_Addr *gotent;
9951 +
9952 +- gotent = me->module_core + me->arch.got_offset +
9953 ++ gotent = me->module_core_rw + me->arch.got_offset +
9954 + info->got_offset;
9955 + *gotent = val;
9956 + info->got_initialized = 1;
9957 +@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9958 + else if (r_type == R_390_GOTENT ||
9959 + r_type == R_390_GOTPLTENT)
9960 + *(unsigned int *) loc =
9961 +- (val + (Elf_Addr) me->module_core - loc) >> 1;
9962 ++ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
9963 + else if (r_type == R_390_GOT64 ||
9964 + r_type == R_390_GOTPLT64)
9965 + *(unsigned long *) loc = val;
9966 +@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9967 + case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
9968 + if (info->plt_initialized == 0) {
9969 + unsigned int *ip;
9970 +- ip = me->module_core + me->arch.plt_offset +
9971 ++ ip = me->module_core_rx + me->arch.plt_offset +
9972 + info->plt_offset;
9973 + #ifndef CONFIG_64BIT
9974 + ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
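Review bot: `ip = me->module_core_rx + me->arch.plt_offset + info->plt_offset;` now points into the read-execute core region, and the following `ip[0] = 0x0d105810;` stores are plain writes to it. That is only correct while the region is still writable during relocation, so the ordering constraint (PLT stubs must be written before the rx region is made read-only) should be stated in a comment here; otherwise a later change that applies protections earlier will fault silently at module load.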
9975 +@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9976 + val = me->arch.plt_offset - me->arch.got_offset +
9977 + info->plt_offset + rela->r_addend;
9978 + else
9979 +- val = (Elf_Addr) me->module_core +
9980 ++ val = (Elf_Addr) me->module_core_rx +
9981 + me->arch.plt_offset + info->plt_offset +
9982 + rela->r_addend - loc;
9983 + if (r_type == R_390_PLT16DBL)
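Review bot: the unchanged first branch of this hunk, `val = me->arch.plt_offset - me->arch.got_offset + info->plt_offset + rela->r_addend;`, computes the GOT-to-PLT distance as a difference of two offsets, but after the earlier hunks `got_offset` is relative to `module_core_rw` and `plt_offset` is relative to `module_core_rx`. The subtraction is therefore only correct if the two regions happen to be contiguous. Compute it from the two bases instead, e.g. `val = ((Elf_Addr) me->module_core_rx + me->arch.plt_offset) - ((Elf_Addr) me->module_core_rw + me->arch.got_offset) + info->plt_offset + rela->r_addend;`, so the R_390_PLTOFF relocations stay correct for split rw/rx cores.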
9984 +@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9985 + case R_390_GOTOFF32: /* 32 bit offset to GOT. */
9986 + case R_390_GOTOFF64: /* 64 bit offset to GOT. */
9987 + val = val + rela->r_addend -
9988 +- ((Elf_Addr) me->module_core + me->arch.got_offset);
9989 ++ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
9990 + if (r_type == R_390_GOTOFF16)
9991 + *(unsigned short *) loc = val;
9992 + else if (r_type == R_390_GOTOFF32)
9993 +@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
9994 + break;
9995 + case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
9996 + case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
9997 +- val = (Elf_Addr) me->module_core + me->arch.got_offset +
9998 ++ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
9999 + rela->r_addend - loc;
10000 + if (r_type == R_390_GOTPC)
10001 + *(unsigned int *) loc = val;
10002 +diff -Nurp linux-2.6.23.15/arch/sparc/Makefile linux-2.6.23.15-grsec/arch/sparc/Makefile
10003 +--- linux-2.6.23.15/arch/sparc/Makefile 2007-10-09 21:31:38.000000000 +0100
10004 ++++ linux-2.6.23.15-grsec/arch/sparc/Makefile 2008-02-11 10:37:44.000000000 +0000
10005 +@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
10006 + # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
10007 + INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
10008 + CORE_Y := $(core-y)
10009 +-CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
10010 ++CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
10011 + CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
10012 + DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
10013 + NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
10014 +diff -Nurp linux-2.6.23.15/arch/sparc/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c
10015 +--- linux-2.6.23.15/arch/sparc/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
10016 ++++ linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
10017 +@@ -19,6 +19,7 @@
10018 + #include <linux/smp_lock.h>
10019 + #include <linux/security.h>
10020 + #include <linux/signal.h>
10021 ++#include <linux/grsecurity.h>
10022 +
10023 + #include <asm/pgtable.h>
10024 + #include <asm/system.h>
10025 +@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
10026 + goto out;
10027 + }
10028 +
10029 ++ if (gr_handle_ptrace(child, request)) {
10030 ++ pt_error_return(regs, EPERM);
10031 ++ goto out_tsk;
10032 ++ }
10033 ++
10034 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
10035 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
10036 + if (ptrace_attach(child)) {
10037 +diff -Nurp linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c
10038 +--- linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c 2007-10-09 21:31:38.000000000 +0100
10039 ++++ linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
10040 +@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
10041 + if (ARCH_SUN4C_SUN4 && len > 0x20000000)
10042 + return -ENOMEM;
10043 + if (!addr)
10044 +- addr = TASK_UNMAPPED_BASE;
10045 ++ addr = current->mm->mmap_base;
10046 +
10047 + if (flags & MAP_SHARED)
10048 + addr = COLOUR_ALIGN(addr);
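Review bot: replacing `TASK_UNMAPPED_BASE` with `current->mm->mmap_base` makes this path depend on `mmap_base` being initialised for every mm on sparc32, including the legacy layout; nothing in this hunk shows where that happens for sparc32. A short comment pointing at the layout-selection code that sets `mmap_base` (or a check that it is non-zero) would make the dependency visible to the next reader.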
10049 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/fault.c linux-2.6.23.15-grsec/arch/sparc/mm/fault.c
10050 +--- linux-2.6.23.15/arch/sparc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
10051 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
10052 +@@ -21,6 +21,10 @@
10053 + #include <linux/interrupt.h>
10054 + #include <linux/module.h>
10055 + #include <linux/kdebug.h>
10056 ++#include <linux/slab.h>
10057 ++#include <linux/pagemap.h>
10058 ++#include <linux/compiler.h>
10059 ++#include <linux/binfmts.h>
10060 +
10061 + #include <asm/system.h>
10062 + #include <asm/page.h>
10063 +@@ -216,6 +220,252 @@ static unsigned long compute_si_addr(str
10064 + return safe_compute_effective_address(regs, insn);
10065 + }
10066 +
10067 ++#ifdef CONFIG_PAX_PAGEEXEC
10068 ++void pax_emuplt_close(struct vm_area_struct *vma)
10069 ++{
10070 ++ vma->vm_mm->call_dl_resolve = 0UL;
10071 ++}
10072 ++
10073 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
10074 ++{
10075 ++ struct page *page;
10076 ++ unsigned int *kaddr;
10077 ++
10078 ++ page = alloc_page(GFP_HIGHUSER);
10079 ++ if (!page)
10080 ++ return NOPAGE_OOM;
10081 ++
10082 ++ kaddr = kmap(page);
10083 ++ memset(kaddr, 0, PAGE_SIZE);
10084 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
10085 ++ flush_dcache_page(page);
10086 ++ kunmap(page);
10087 ++ if (type)
10088 ++ *type = VM_FAULT_MAJOR;
10089 ++
10090 ++ return page;
10091 ++}
10092 ++
10093 ++static struct vm_operations_struct pax_vm_ops = {
10094 ++ .close = pax_emuplt_close,
10095 ++ .nopage = pax_emuplt_nopage,
10096 ++};
10097 ++
10098 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
10099 ++{
10100 ++ int ret;
10101 ++
10102 ++ memset(vma, 0, sizeof(*vma));
10103 ++ vma->vm_mm = current->mm;
10104 ++ vma->vm_start = addr;
10105 ++ vma->vm_end = addr + PAGE_SIZE;
10106 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
10107 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
10108 ++ vma->vm_ops = &pax_vm_ops;
10109 ++
10110 ++ ret = insert_vm_struct(current->mm, vma);
10111 ++ if (ret)
10112 ++ return ret;
10113 ++
10114 ++ ++current->mm->total_vm;
10115 ++ return 0;
10116 ++}
10117 ++
10118 ++/*
10119 ++ * PaX: decide what to do with offenders (regs->pc = fault address)
10120 ++ *
10121 ++ * returns 1 when task should be killed
10122 ++ * 2 when patched PLT trampoline was detected
10123 ++ * 3 when unpatched PLT trampoline was detected
10124 ++ */
10125 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
10126 ++{
10127 ++
10128 ++#ifdef CONFIG_PAX_EMUPLT
10129 ++ int err;
10130 ++
10131 ++ do { /* PaX: patched PLT emulation #1 */
10132 ++ unsigned int sethi1, sethi2, jmpl;
10133 ++
10134 ++ err = get_user(sethi1, (unsigned int *)regs->pc);
10135 ++ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
10136 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
10137 ++
10138 ++ if (err)
10139 ++ break;
10140 ++
10141 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10142 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
10143 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
10144 ++ {
10145 ++ unsigned int addr;
10146 ++
10147 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
10148 ++ addr = regs->u_regs[UREG_G1];
10149 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
10150 ++ regs->pc = addr;
10151 ++ regs->npc = addr+4;
10152 ++ return 2;
10153 ++ }
10154 ++ } while (0);
10155 ++
10156 ++ { /* PaX: patched PLT emulation #2 */
10157 ++ unsigned int ba;
10158 ++
10159 ++ err = get_user(ba, (unsigned int *)regs->pc);
10160 ++
10161 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
10162 ++ unsigned int addr;
10163 ++
10164 ++ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
10165 ++ regs->pc = addr;
10166 ++ regs->npc = addr+4;
10167 ++ return 2;
10168 ++ }
10169 ++ }
10170 ++
10171 ++ do { /* PaX: patched PLT emulation #3 */
10172 ++ unsigned int sethi, jmpl, nop;
10173 ++
10174 ++ err = get_user(sethi, (unsigned int *)regs->pc);
10175 ++ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
10176 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
10177 ++
10178 ++ if (err)
10179 ++ break;
10180 ++
10181 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10182 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
10183 ++ nop == 0x01000000U)
10184 ++ {
10185 ++ unsigned int addr;
10186 ++
10187 ++ addr = (sethi & 0x003FFFFFU) << 10;
10188 ++ regs->u_regs[UREG_G1] = addr;
10189 ++ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
10190 ++ regs->pc = addr;
10191 ++ regs->npc = addr+4;
10192 ++ return 2;
10193 ++ }
10194 ++ } while (0);
10195 ++
10196 ++ do { /* PaX: unpatched PLT emulation step 1 */
10197 ++ unsigned int sethi, ba, nop;
10198 ++
10199 ++ err = get_user(sethi, (unsigned int *)regs->pc);
10200 ++ err |= get_user(ba, (unsigned int *)(regs->pc+4));
10201 ++ err |= get_user(nop, (unsigned int *)(regs->pc+8));
10202 ++
10203 ++ if (err)
10204 ++ break;
10205 ++
10206 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10207 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
10208 ++ nop == 0x01000000U)
10209 ++ {
10210 ++ unsigned int addr, save, call;
10211 ++
10212 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
10213 ++ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
10214 ++ else
10215 ++ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
10216 ++
10217 ++ err = get_user(save, (unsigned int *)addr);
10218 ++ err |= get_user(call, (unsigned int *)(addr+4));
10219 ++ err |= get_user(nop, (unsigned int *)(addr+8));
10220 ++ if (err)
10221 ++ break;
10222 ++
10223 ++ if (save == 0x9DE3BFA8U &&
10224 ++ (call & 0xC0000000U) == 0x40000000U &&
10225 ++ nop == 0x01000000U)
10226 ++ {
10227 ++ struct vm_area_struct *vma;
10228 ++ unsigned long call_dl_resolve;
10229 ++
10230 ++ down_read(&current->mm->mmap_sem);
10231 ++ call_dl_resolve = current->mm->call_dl_resolve;
10232 ++ up_read(&current->mm->mmap_sem);
10233 ++ if (likely(call_dl_resolve))
10234 ++ goto emulate;
10235 ++
10236 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
10237 ++
10238 ++ down_write(&current->mm->mmap_sem);
10239 ++ if (current->mm->call_dl_resolve) {
10240 ++ call_dl_resolve = current->mm->call_dl_resolve;
10241 ++ up_write(&current->mm->mmap_sem);
10242 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10243 ++ goto emulate;
10244 ++ }
10245 ++
10246 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
10247 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
10248 ++ up_write(&current->mm->mmap_sem);
10249 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10250 ++ return 1;
10251 ++ }
10252 ++
10253 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
10254 ++ up_write(&current->mm->mmap_sem);
10255 ++ kmem_cache_free(vm_area_cachep, vma);
10256 ++ return 1;
10257 ++ }
10258 ++
10259 ++ current->mm->call_dl_resolve = call_dl_resolve;
10260 ++ up_write(&current->mm->mmap_sem);
10261 ++
10262 ++emulate:
10263 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10264 ++ regs->pc = call_dl_resolve;
10265 ++ regs->npc = addr+4;
10266 ++ return 3;
10267 ++ }
10268 ++ }
10269 ++ } while (0);
10270 ++
10271 ++ do { /* PaX: unpatched PLT emulation step 2 */
10272 ++ unsigned int save, call, nop;
10273 ++
10274 ++ err = get_user(save, (unsigned int *)(regs->pc-4));
10275 ++ err |= get_user(call, (unsigned int *)regs->pc);
10276 ++ err |= get_user(nop, (unsigned int *)(regs->pc+4));
10277 ++ if (err)
10278 ++ break;
10279 ++
10280 ++ if (save == 0x9DE3BFA8U &&
10281 ++ (call & 0xC0000000U) == 0x40000000U &&
10282 ++ nop == 0x01000000U)
10283 ++ {
10284 ++ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
10285 ++
10286 ++ regs->u_regs[UREG_RETPC] = regs->pc;
10287 ++ regs->pc = dl_resolve;
10288 ++ regs->npc = dl_resolve+4;
10289 ++ return 3;
10290 ++ }
10291 ++ } while (0);
10292 ++#endif
10293 ++
10294 ++ return 1;
10295 ++}
10296 ++
10297 ++void pax_report_insns(void *pc, void *sp)
10298 ++{
10299 ++ unsigned long i;
10300 ++
10301 ++ printk(KERN_ERR "PAX: bytes at PC: ");
10302 ++ for (i = 0; i < 5; i++) {
10303 ++ unsigned int c;
10304 ++ if (get_user(c, (unsigned int *)pc+i))
10305 ++ printk("???????? ");
10306 ++ else
10307 ++ printk("%08x ", c);
10308 ++ }
10309 ++ printk("\n");
10310 ++}
10311 ++#endif
10312 ++
10313 + asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
10314 + unsigned long address)
10315 + {
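Review bot: `pax_emuplt_close()` is a non-static global here while the sparc64 counterpart later in this patch declares it `static`; make it `static` as well, since it is only referenced through `pax_vm_ops` in this file. Two other places deserve a comment: at the `emulate:` label, `regs->pc = call_dl_resolve; regs->npc = addr+4;` relies on the trampoline page mapped by `pax_emuplt_nopage()` containing nothing but the `save` at offset 0, so the trap returns to the `call` in the original PLT slot, and that coupling is not obvious; and the `vma = kmem_cache_alloc(...)` done before `down_write(&current->mm->mmap_sem)` must be freed on every early `goto emulate` / `return 1` path, which the code does but without saying so. Also note that `pax_emuplt_nopage()` allocates a page with a single instruction and no data, so the VMA is read+exec only and each fault on it costs a full page.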
10316 +@@ -280,6 +530,24 @@ good_area:
10317 + if(!(vma->vm_flags & VM_WRITE))
10318 + goto bad_area;
10319 + } else {
10320 ++
10321 ++#ifdef CONFIG_PAX_PAGEEXEC
10322 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
10323 ++ up_read(&mm->mmap_sem);
10324 ++ switch (pax_handle_fetch_fault(regs)) {
10325 ++
10326 ++#ifdef CONFIG_PAX_EMUPLT
10327 ++ case 2:
10328 ++ case 3:
10329 ++ return;
10330 ++#endif
10331 ++
10332 ++ }
10333 ++ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
10334 ++ do_exit(SIGKILL);
10335 ++ }
10336 ++#endif
10337 ++
10338 + /* Allow reads even for write-only mappings */
10339 + if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
10340 + goto bad_area;
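Review bot: the `switch (pax_handle_fetch_fault(regs))` lacks a `default:` and is an empty statement when CONFIG_PAX_EMUPLT is off, so the fall-through to `pax_report_fault()` and `do_exit(SIGKILL)` is the only handling for return value 1 and is easy to misread. Add `default: break;` with a comment saying that anything not emulated kills the task, and note next to `up_read(&mm->mmap_sem)` that `vma` and `mm` must not be touched after it (the code respects this, the reader has to verify it).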
10341 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/init.c linux-2.6.23.15-grsec/arch/sparc/mm/init.c
10342 +--- linux-2.6.23.15/arch/sparc/mm/init.c 2007-10-09 21:31:38.000000000 +0100
10343 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/init.c 2008-02-11 10:37:44.000000000 +0000
10344 +@@ -336,17 +336,17 @@ void __init paging_init(void)
10345 +
10346 + /* Initialize the protection map with non-constant, MMU dependent values. */
10347 + protection_map[0] = PAGE_NONE;
10348 +- protection_map[1] = PAGE_READONLY;
10349 +- protection_map[2] = PAGE_COPY;
10350 +- protection_map[3] = PAGE_COPY;
10351 ++ protection_map[1] = PAGE_READONLY_NOEXEC;
10352 ++ protection_map[2] = PAGE_COPY_NOEXEC;
10353 ++ protection_map[3] = PAGE_COPY_NOEXEC;
10354 + protection_map[4] = PAGE_READONLY;
10355 + protection_map[5] = PAGE_READONLY;
10356 + protection_map[6] = PAGE_COPY;
10357 + protection_map[7] = PAGE_COPY;
10358 + protection_map[8] = PAGE_NONE;
10359 +- protection_map[9] = PAGE_READONLY;
10360 +- protection_map[10] = PAGE_SHARED;
10361 +- protection_map[11] = PAGE_SHARED;
10362 ++ protection_map[9] = PAGE_READONLY_NOEXEC;
10363 ++ protection_map[10] = PAGE_SHARED_NOEXEC;
10364 ++ protection_map[11] = PAGE_SHARED_NOEXEC;
10365 + protection_map[12] = PAGE_READONLY;
10366 + protection_map[13] = PAGE_READONLY;
10367 + protection_map[14] = PAGE_SHARED;
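Review bot: this hunk switches `protection_map[1..3]` and `[9..11]` to `PAGE_READONLY_NOEXEC`, `PAGE_COPY_NOEXEC` and `PAGE_SHARED_NOEXEC` unconditionally, while the `srmmu.c` hunk that assigns those values is wrapped in `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the NOEXEC names fall back to the executable variants when the option is disabled, a kernel built without CONFIG_PAX_PAGEEXEC either fails to link or ends up with uninitialised protections; either guard this hunk the same way or make sure the fallback definitions exist and mention that in a comment here.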
10368 +diff -Nurp linux-2.6.23.15/arch/sparc/mm/srmmu.c linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c
10369 +--- linux-2.6.23.15/arch/sparc/mm/srmmu.c 2007-10-09 21:31:38.000000000 +0100
10370 ++++ linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c 2008-02-11 10:37:44.000000000 +0000
10371 +@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
10372 + PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
10373 + BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
10374 + BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
10375 ++
10376 ++#ifdef CONFIG_PAX_PAGEEXEC
10377 ++ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
10378 ++ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
10379 ++ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
10380 ++#endif
10381 ++
10382 + BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
10383 + page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
10384 +
10385 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/Makefile linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile
10386 +--- linux-2.6.23.15/arch/sparc64/kernel/Makefile 2007-10-09 21:31:38.000000000 +0100
10387 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile 2008-02-11 10:37:44.000000000 +0000
10388 +@@ -3,7 +3,7 @@
10389 + #
10390 +
10391 + EXTRA_AFLAGS := -ansi
10392 +-EXTRA_CFLAGS := -Werror
10393 ++#EXTRA_CFLAGS := -Werror
10394 +
10395 + extra-y := head.o init_task.o vmlinux.lds
10396 +
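Review bot: commenting out `EXTRA_CFLAGS := -Werror` in `arch/sparc64/kernel/Makefile` (and again in `arch/sparc64/mm/Makefile` below) hides whatever warnings the new code triggers instead of fixing them; for a hardening patch that is the wrong trade, since the warnings may point at real problems in the added fault-handling code. Fix the warnings and keep `-Werror`, or at minimum record in the commit which warnings forced this.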
10397 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c
10398 +--- linux-2.6.23.15/arch/sparc64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
10399 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
10400 +@@ -22,6 +22,7 @@
10401 + #include <linux/seccomp.h>
10402 + #include <linux/audit.h>
10403 + #include <linux/signal.h>
10404 ++#include <linux/grsecurity.h>
10405 +
10406 + #include <asm/asi.h>
10407 + #include <asm/pgtable.h>
10408 +@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
10409 + goto out;
10410 + }
10411 +
10412 ++ if (gr_handle_ptrace(child, (long)request)) {
10413 ++ pt_error_return(regs, EPERM);
10414 ++ goto out_tsk;
10415 ++ }
10416 ++
10417 + if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
10418 + || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
10419 + if (ptrace_attach(child)) {
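Review bot: this call passes `(long)request` to `gr_handle_ptrace()` while the sparc32 hunk passes `request` unchanged; the two arch callers should agree on the parameter type. Pick the prototype's type once and drop the cast on whichever side does not need it, so a later change to the function signature does not silently truncate on one architecture.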
10420 +diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c
10421 +--- linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:36:03.000000000 +0000
10422 ++++ linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
10423 +@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
10424 + /* We do not accept a shared mapping if it would violate
10425 + * cache aliasing constraints.
10426 + */
10427 +- if ((flags & MAP_SHARED) &&
10428 ++ if ((filp || (flags & MAP_SHARED)) &&
10429 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10430 + return -EINVAL;
10431 + return addr;
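Review bot: changing the condition to `(filp || (flags & MAP_SHARED))` now rejects unaligned fixed-address private file mappings too, which is a user-visible behaviour change (previously only shared mappings were refused), and the comment above it still says "We do not accept a shared mapping". Update the comment to say file-backed or shared mappings, and do the same for the identical change in `arch_get_unmapped_area_topdown` below.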
10432 +@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
10433 + if (filp || (flags & MAP_SHARED))
10434 + do_color_align = 1;
10435 +
10436 ++#ifdef CONFIG_PAX_RANDMMAP
10437 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
10438 ++#endif
10439 ++
10440 + if (addr) {
10441 + if (do_color_align)
10442 + addr = COLOUR_ALIGN(addr, pgoff);
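Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` block leaves a dangling `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` whose body is the following `if (addr) {` statement, separated by a blank line; it works, but a future edit that inserts a statement between them changes the semantics silently. Fold the condition into the existing `if` (e.g. `if (addr && (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp))` under the ifdef) or wrap the body in braces, and add a comment that the address hint is deliberately ignored for file mappings when RANDMMAP is on.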
10443 +@@ -152,9 +156,9 @@ unsigned long arch_get_unmapped_area(str
10444 + }
10445 +
10446 + if (len > mm->cached_hole_size) {
10447 +- start_addr = addr = mm->free_area_cache;
10448 ++ start_addr = addr = mm->free_area_cache;
10449 + } else {
10450 +- start_addr = addr = TASK_UNMAPPED_BASE;
10451 ++ start_addr = addr = mm->mmap_base;
10452 + mm->cached_hole_size = 0;
10453 + }
10454 +
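Review bot: the first `-`/`+` pair in this hunk, `start_addr = addr = mm->free_area_cache;`, is a whitespace-only change; drop it so the diff carries only the `TASK_UNMAPPED_BASE` to `mm->mmap_base` substitution.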
10455 +@@ -174,8 +178,8 @@ full_search:
10456 + vma = find_vma(mm, VA_EXCLUDE_END);
10457 + }
10458 + if (unlikely(task_size < addr)) {
10459 +- if (start_addr != TASK_UNMAPPED_BASE) {
10460 +- start_addr = addr = TASK_UNMAPPED_BASE;
10461 ++ if (start_addr != mm->mmap_base) {
10462 ++ start_addr = addr = mm->mmap_base;
10463 + mm->cached_hole_size = 0;
10464 + goto full_search;
10465 + }
10466 +@@ -215,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
10467 + /* We do not accept a shared mapping if it would violate
10468 + * cache aliasing constraints.
10469 + */
10470 +- if ((flags & MAP_SHARED) &&
10471 ++ if ((filp || (flags & MAP_SHARED)) &&
10472 + ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10473 + return -EINVAL;
10474 + return addr;
10475 +@@ -378,6 +382,12 @@ void arch_pick_mmap_layout(struct mm_str
10476 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
10477 + sysctl_legacy_va_layout) {
10478 + mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
10479 ++
10480 ++#ifdef CONFIG_PAX_RANDMMAP
10481 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
10482 ++ mm->mmap_base += mm->delta_mmap;
10483 ++#endif
10484 ++
10485 + mm->get_unmapped_area = arch_get_unmapped_area;
10486 + mm->unmap_area = arch_unmap_area;
10487 + } else {
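Review bot: `mm->mmap_base += mm->delta_mmap;` is applied on top of `random_factor` with no check that the result stays below `task_size`, and the topdown branch in the next hunk subtracts `mm->delta_mmap + mm->delta_stack` without checking it stays above the legacy base. If `delta_mmap` and `delta_stack` are bounded where they are generated, state the bound in a comment here; otherwise clamp the adjusted base in both branches.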
10488 +@@ -392,6 +402,12 @@ void arch_pick_mmap_layout(struct mm_str
10489 + gap = (task_size / 6 * 5);
10490 +
10491 + mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
10492 ++
10493 ++#ifdef CONFIG_PAX_RANDMMAP
10494 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
10495 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
10496 ++#endif
10497 ++
10498 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
10499 + mm->unmap_area = arch_unmap_area_topdown;
10500 + }
10501 +diff -Nurp linux-2.6.23.15/arch/sparc64/mm/Makefile linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile
10502 +--- linux-2.6.23.15/arch/sparc64/mm/Makefile 2007-10-09 21:31:38.000000000 +0100
10503 ++++ linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile 2008-02-11 10:37:44.000000000 +0000
10504 +@@ -3,7 +3,7 @@
10505 + #
10506 +
10507 + EXTRA_AFLAGS := -ansi
10508 +-EXTRA_CFLAGS := -Werror
10509 ++#EXTRA_CFLAGS := -Werror
10510 +
10511 + obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
10512 +
10513 +diff -Nurp linux-2.6.23.15/arch/sparc64/mm/fault.c linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c
10514 +--- linux-2.6.23.15/arch/sparc64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
10515 ++++ linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
10516 +@@ -20,6 +20,10 @@
10517 + #include <linux/kprobes.h>
10518 + #include <linux/kallsyms.h>
10519 + #include <linux/kdebug.h>
10520 ++#include <linux/slab.h>
10521 ++#include <linux/pagemap.h>
10522 ++#include <linux/compiler.h>
10523 ++#include <linux/binfmts.h>
10524 +
10525 + #include <asm/page.h>
10526 + #include <asm/pgtable.h>
10527 +@@ -270,6 +274,369 @@ cannot_handle:
10528 + unhandled_fault (address, current, regs);
10529 + }
10530 +
10531 ++#ifdef CONFIG_PAX_PAGEEXEC
10532 ++#ifdef CONFIG_PAX_EMUPLT
10533 ++static void pax_emuplt_close(struct vm_area_struct *vma)
10534 ++{
10535 ++ vma->vm_mm->call_dl_resolve = 0UL;
10536 ++}
10537 ++
10538 ++static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
10539 ++{
10540 ++ struct page *page;
10541 ++ unsigned int *kaddr;
10542 ++
10543 ++ page = alloc_page(GFP_HIGHUSER);
10544 ++ if (!page)
10545 ++ return NOPAGE_OOM;
10546 ++
10547 ++ kaddr = kmap(page);
10548 ++ memset(kaddr, 0, PAGE_SIZE);
10549 ++ kaddr[0] = 0x9DE3BFA8U; /* save */
10550 ++ flush_dcache_page(page);
10551 ++ kunmap(page);
10552 ++ if (type)
10553 ++ *type = VM_FAULT_MAJOR;
10554 ++ return page;
10555 ++}
10556 ++
10557 ++static struct vm_operations_struct pax_vm_ops = {
10558 ++ .close = pax_emuplt_close,
10559 ++ .nopage = pax_emuplt_nopage,
10560 ++};
10561 ++
10562 ++static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
10563 ++{
10564 ++ int ret;
10565 ++
10566 ++ memset(vma, 0, sizeof(*vma));
10567 ++ vma->vm_mm = current->mm;
10568 ++ vma->vm_start = addr;
10569 ++ vma->vm_end = addr + PAGE_SIZE;
10570 ++ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
10571 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
10572 ++ vma->vm_ops = &pax_vm_ops;
10573 ++
10574 ++ ret = insert_vm_struct(current->mm, vma);
10575 ++ if (ret)
10576 ++ return ret;
10577 ++
10578 ++ ++current->mm->total_vm;
10579 ++ return 0;
10580 ++}
10581 ++#endif
10582 ++
10583 ++/*
10584 ++ * PaX: decide what to do with offenders (regs->tpc = fault address)
10585 ++ *
10586 ++ * returns 1 when task should be killed
10587 ++ * 2 when patched PLT trampoline was detected
10588 ++ * 3 when unpatched PLT trampoline was detected
10589 ++ */
10590 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
10591 ++{
10592 ++
10593 ++#ifdef CONFIG_PAX_EMUPLT
10594 ++ int err;
10595 ++
10596 ++ do { /* PaX: patched PLT emulation #1 */
10597 ++ unsigned int sethi1, sethi2, jmpl;
10598 ++
10599 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10600 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10601 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
10602 ++
10603 ++ if (err)
10604 ++ break;
10605 ++
10606 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10607 ++ (sethi2 & 0xFFC00000U) == 0x03000000U &&
10608 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U)
10609 ++ {
10610 ++ unsigned long addr;
10611 ++
10612 ++ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
10613 ++ addr = regs->u_regs[UREG_G1];
10614 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
10615 ++ regs->tpc = addr;
10616 ++ regs->tnpc = addr+4;
10617 ++ return 2;
10618 ++ }
10619 ++ } while (0);
10620 ++
10621 ++ { /* PaX: patched PLT emulation #2 */
10622 ++ unsigned int ba;
10623 ++
10624 ++ err = get_user(ba, (unsigned int *)regs->tpc);
10625 ++
10626 ++ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
10627 ++ unsigned long addr;
10628 ++
10629 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
10630 ++ regs->tpc = addr;
10631 ++ regs->tnpc = addr+4;
10632 ++ return 2;
10633 ++ }
10634 ++ }
10635 ++
10636 ++ do { /* PaX: patched PLT emulation #3 */
10637 ++ unsigned int sethi, jmpl, nop;
10638 ++
10639 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10640 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
10641 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10642 ++
10643 ++ if (err)
10644 ++ break;
10645 ++
10646 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10647 ++ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
10648 ++ nop == 0x01000000U)
10649 ++ {
10650 ++ unsigned long addr;
10651 ++
10652 ++ addr = (sethi & 0x003FFFFFU) << 10;
10653 ++ regs->u_regs[UREG_G1] = addr;
10654 ++ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
10655 ++ regs->tpc = addr;
10656 ++ regs->tnpc = addr+4;
10657 ++ return 2;
10658 ++ }
10659 ++ } while (0);
10660 ++
10661 ++ do { /* PaX: patched PLT emulation #4 */
10662 ++ unsigned int mov1, call, mov2;
10663 ++
10664 ++ err = get_user(mov1, (unsigned int *)regs->tpc);
10665 ++ err |= get_user(call, (unsigned int *)(regs->tpc+4));
10666 ++ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
10667 ++
10668 ++ if (err)
10669 ++ break;
10670 ++
10671 ++ if (mov1 == 0x8210000FU &&
10672 ++ (call & 0xC0000000U) == 0x40000000U &&
10673 ++ mov2 == 0x9E100001U)
10674 ++ {
10675 ++ unsigned long addr;
10676 ++
10677 ++ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
10678 ++ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
10679 ++ regs->tpc = addr;
10680 ++ regs->tnpc = addr+4;
10681 ++ return 2;
10682 ++ }
10683 ++ } while (0);
10684 ++
10685 ++ do { /* PaX: patched PLT emulation #5 */
10686 ++ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
10687 ++
10688 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10689 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10690 ++ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
10691 ++ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
10692 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
10693 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
10694 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
10695 ++
10696 ++ if (err)
10697 ++ break;
10698 ++
10699 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10700 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
10701 ++ (or1 & 0xFFFFE000U) == 0x82106000U &&
10702 ++ (or2 & 0xFFFFE000U) == 0x8A116000U &&
10703 ++ sllx == 0x83287020 &&
10704 ++ jmpl == 0x81C04005U &&
10705 ++ nop == 0x01000000U)
10706 ++ {
10707 ++ unsigned long addr;
10708 ++
10709 ++ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
10710 ++ regs->u_regs[UREG_G1] <<= 32;
10711 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
10712 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
10713 ++ regs->tpc = addr;
10714 ++ regs->tnpc = addr+4;
10715 ++ return 2;
10716 ++ }
10717 ++ } while (0);
10718 ++
10719 ++ do { /* PaX: patched PLT emulation #6 */
10720 ++ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
10721 ++
10722 ++ err = get_user(sethi1, (unsigned int *)regs->tpc);
10723 ++ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
10724 ++ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
10725 ++ err |= get_user(or, (unsigned int *)(regs->tpc+12));
10726 ++ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
10727 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
10728 ++
10729 ++ if (err)
10730 ++ break;
10731 ++
10732 ++ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
10733 ++ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
10734 ++ sllx == 0x83287020 &&
10735 ++ (or & 0xFFFFE000U) == 0x8A116000U &&
10736 ++ jmpl == 0x81C04005U &&
10737 ++ nop == 0x01000000U)
10738 ++ {
10739 ++ unsigned long addr;
10740 ++
10741 ++ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
10742 ++ regs->u_regs[UREG_G1] <<= 32;
10743 ++ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
10744 ++ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
10745 ++ regs->tpc = addr;
10746 ++ regs->tnpc = addr+4;
10747 ++ return 2;
10748 ++ }
10749 ++ } while (0);
10750 ++
10751 ++ do { /* PaX: patched PLT emulation #7 */
10752 ++ unsigned int sethi, ba, nop;
10753 ++
10754 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10755 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
10756 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10757 ++
10758 ++ if (err)
10759 ++ break;
10760 ++
10761 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10762 ++ (ba & 0xFFF00000U) == 0x30600000U &&
10763 ++ nop == 0x01000000U)
10764 ++ {
10765 ++ unsigned long addr;
10766 ++
10767 ++ addr = (sethi & 0x003FFFFFU) << 10;
10768 ++ regs->u_regs[UREG_G1] = addr;
10769 ++ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
10770 ++ regs->tpc = addr;
10771 ++ regs->tnpc = addr+4;
10772 ++ return 2;
10773 ++ }
10774 ++ } while (0);
10775 ++
10776 ++ do { /* PaX: unpatched PLT emulation step 1 */
10777 ++ unsigned int sethi, ba, nop;
10778 ++
10779 ++ err = get_user(sethi, (unsigned int *)regs->tpc);
10780 ++ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
10781 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
10782 ++
10783 ++ if (err)
10784 ++ break;
10785 ++
10786 ++ if ((sethi & 0xFFC00000U) == 0x03000000U &&
10787 ++ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
10788 ++ nop == 0x01000000U)
10789 ++ {
10790 ++ unsigned long addr;
10791 ++ unsigned int save, call;
10792 ++
10793 ++ if ((ba & 0xFFC00000U) == 0x30800000U)
10794 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
10795 ++ else
10796 ++ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
10797 ++
10798 ++ err = get_user(save, (unsigned int *)addr);
10799 ++ err |= get_user(call, (unsigned int *)(addr+4));
10800 ++ err |= get_user(nop, (unsigned int *)(addr+8));
10801 ++ if (err)
10802 ++ break;
10803 ++
10804 ++ if (save == 0x9DE3BFA8U &&
10805 ++ (call & 0xC0000000U) == 0x40000000U &&
10806 ++ nop == 0x01000000U)
10807 ++ {
10808 ++ struct vm_area_struct *vma;
10809 ++ unsigned long call_dl_resolve;
10810 ++
10811 ++ down_read(&current->mm->mmap_sem);
10812 ++ call_dl_resolve = current->mm->call_dl_resolve;
10813 ++ up_read(&current->mm->mmap_sem);
10814 ++ if (likely(call_dl_resolve))
10815 ++ goto emulate;
10816 ++
10817 ++ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
10818 ++
10819 ++ down_write(&current->mm->mmap_sem);
10820 ++ if (current->mm->call_dl_resolve) {
10821 ++ call_dl_resolve = current->mm->call_dl_resolve;
10822 ++ up_write(&current->mm->mmap_sem);
10823 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10824 ++ goto emulate;
10825 ++ }
10826 ++
10827 ++ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
10828 ++ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
10829 ++ up_write(&current->mm->mmap_sem);
10830 ++ if (vma) kmem_cache_free(vm_area_cachep, vma);
10831 ++ return 1;
10832 ++ }
10833 ++
10834 ++ if (pax_insert_vma(vma, call_dl_resolve)) {
10835 ++ up_write(&current->mm->mmap_sem);
10836 ++ kmem_cache_free(vm_area_cachep, vma);
10837 ++ return 1;
10838 ++ }
10839 ++
10840 ++ current->mm->call_dl_resolve = call_dl_resolve;
10841 ++ up_write(&current->mm->mmap_sem);
10842 ++
10843 ++emulate:
10844 ++ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
10845 ++ regs->tpc = call_dl_resolve;
10846 ++ regs->tnpc = addr+4;
10847 ++ return 3;
10848 ++ }
10849 ++ }
10850 ++ } while (0);
10851 ++
10852 ++ do { /* PaX: unpatched PLT emulation step 2 */
10853 ++ unsigned int save, call, nop;
10854 ++
10855 ++ err = get_user(save, (unsigned int *)(regs->tpc-4));
10856 ++ err |= get_user(call, (unsigned int *)regs->tpc);
10857 ++ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
10858 ++ if (err)
10859 ++ break;
10860 ++
10861 ++ if (save == 0x9DE3BFA8U &&
10862 ++ (call & 0xC0000000U) == 0x40000000U &&
10863 ++ nop == 0x01000000U)
10864 ++ {
10865 ++ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
10866 ++
10867 ++ regs->u_regs[UREG_RETPC] = regs->tpc;
10868 ++ regs->tpc = dl_resolve;
10869 ++ regs->tnpc = dl_resolve+4;
10870 ++ return 3;
10871 ++ }
10872 ++ } while (0);
10873 ++#endif
10874 ++
10875 ++ return 1;
10876 ++}
10877 ++
10878 ++void pax_report_insns(void *pc, void *sp)
10879 ++{
10880 ++ unsigned long i;
10881 ++
10882 ++ printk(KERN_ERR "PAX: bytes at PC: ");
10883 ++ for (i = 0; i < 5; i++) {
10884 ++ unsigned int c;
10885 ++ if (get_user(c, (unsigned int *)pc+i))
10886 ++ printk("???????? ");
10887 ++ else
10888 ++ printk("%08x ", c);
10889 ++ }
10890 ++ printk("\n");
10891 ++}
10892 ++#endif
10893 ++
10894 + asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
10895 + {
10896 + struct mm_struct *mm = current->mm;
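Review bot: the branch-target computation in the patched PLT emulation #7 block adds the decoded displacement to regs->tpc, yet the ba instruction it decodes sits at regs->tpc+4, and the otherwise identical computation in the unpatched PLT emulation step 1 block below uses regs->tpc + 4 as its base; please confirm the #7 base is intended, because if the displacement is PC-relative to the ba the emulated jump lands one word short of the real target. Separately, the get_user() casts in this file ((unsigned int *)regs->tpc, (unsigned int *)pc+i) lack the __user annotation that the x86_64 pax_report_insns() in this same patch carries, so sparse will warn on sparc64; adding __user keeps the two arches consistent.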
10897 +@@ -311,8 +678,10 @@ asmlinkage void __kprobes do_sparc64_fau
10898 + goto intr_or_no_mm;
10899 +
10900 + if (test_thread_flag(TIF_32BIT)) {
10901 +- if (!(regs->tstate & TSTATE_PRIV))
10902 ++ if (!(regs->tstate & TSTATE_PRIV)) {
10903 + regs->tpc &= 0xffffffff;
10904 ++ regs->tnpc &= 0xffffffff;
10905 ++ }
10906 + address &= 0xffffffff;
10907 + }
10908 +
10909 +@@ -329,6 +698,29 @@ asmlinkage void __kprobes do_sparc64_fau
10910 + if (!vma)
10911 + goto bad_area;
10912 +
10913 ++#ifdef CONFIG_PAX_PAGEEXEC
10914 ++ /* PaX: detect ITLB misses on non-exec pages */
10915 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
10916 ++ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
10917 ++ {
10918 ++ if (address != regs->tpc)
10919 ++ goto good_area;
10920 ++
10921 ++ up_read(&mm->mmap_sem);
10922 ++ switch (pax_handle_fetch_fault(regs)) {
10923 ++
10924 ++#ifdef CONFIG_PAX_EMUPLT
10925 ++ case 2:
10926 ++ case 3:
10927 ++ return;
10928 ++#endif
10929 ++
10930 ++ }
10931 ++ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
10932 ++ do_exit(SIGKILL);
10933 ++ }
10934 ++#endif
10935 ++
10936 + /* Pure DTLB misses do not tell us whether the fault causing
10937 + * load/store/atomic was a write or not, it only says that there
10938 + * was no match. So in such a case we (carefully) read the
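Review bot: the switch on pax_handle_fetch_fault() in the new PAGEEXEC block has no default label and collapses to an empty switch when CONFIG_PAX_EMUPLT is off, which gcc accepts but reads as an accident; a default: break; with a comment that a return value of 1 falls through to pax_report_fault() and do_exit(SIGKILL) would make the intent explicit. A short comment on why an ITLB fault whose address differs from regs->tpc is routed to good_area instead of being treated as an execute attempt would also help the next reader.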
10939 +diff -Nurp linux-2.6.23.15/arch/v850/kernel/module.c linux-2.6.23.15-grsec/arch/v850/kernel/module.c
10940 +--- linux-2.6.23.15/arch/v850/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
10941 ++++ linux-2.6.23.15-grsec/arch/v850/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
10942 +@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
10943 + tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
10944 +
10945 + /* Init, or core PLT? */
10946 +- if (location >= mod->module_core
10947 +- && location < mod->module_core + mod->core_size)
10948 ++ if (location >= mod->module_core_rx
10949 ++ && location < mod->module_core_rx + mod->core_size_rx)
10950 + entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
10951 + else
10952 + entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
10953 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c
10954 +--- linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c 2007-10-09 21:31:38.000000000 +0100
10955 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c 2008-02-11 10:37:44.000000000 +0000
10956 +@@ -36,12 +36,12 @@
10957 + #define AT_SYSINFO 32
10958 + #define AT_SYSINFO_EHDR 33
10959 +
10960 +-int sysctl_vsyscall32 = 1;
10961 ++int sysctl_vsyscall32;
10962 +
10963 + #undef ARCH_DLINFO
10964 + #define ARCH_DLINFO do { \
10965 + if (sysctl_vsyscall32) { \
10966 +- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
10967 ++ current->mm->context.vdso = VSYSCALL32_BASE; \
10968 + NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
10969 + NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
10970 + } \
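Review bot: flipping the initializer of sysctl_vsyscall32 from 1 to an implicit 0 changes the default for every 32-bit process (no AT_SYSINFO or AT_SYSINFO_EHDR entries are exported unless the sysctl is turned on), which is a user-visible behaviour change that belongs in the changelog and the sysctl documentation rather than buried in a hunk that otherwise fixes a cast. Dropping the (void *) cast on context.vdso implies the field's type changes elsewhere in this patch; fine, provided every reader of context.vdso was converted in the same patch (the arch_vma_name() and vdso/vma.c hunks further down suggest it was).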
10971 +@@ -145,6 +145,13 @@ struct elf_prpsinfo
10972 + //#include <asm/ia32.h>
10973 + #include <linux/elf.h>
10974 +
10975 ++#ifdef CONFIG_PAX_ASLR
10976 ++#define PAX_ELF_ET_DYN_BASE 0x08048000UL
10977 ++
10978 ++#define PAX_DELTA_MMAP_LEN 16
10979 ++#define PAX_DELTA_STACK_LEN 16
10980 ++#endif
10981 ++
10982 + typedef struct user_i387_ia32_struct elf_fpregset_t;
10983 + typedef struct user32_fxsr_struct elf_fpxregset_t;
10984 +
10985 +@@ -298,7 +305,7 @@ static ctl_table abi_table2[] = {
10986 + .mode = 0644,
10987 + .proc_handler = proc_dointvec
10988 + },
10989 +- {}
10990 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
10991 + };
10992 +
10993 + static ctl_table abi_root_table2[] = {
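Review bot: replacing the empty {} terminator with an eleven-field positional zero initializer ties the table to the exact current layout of ctl_table; any field added or reordered in the struct turns this into a build error or a silently shifted initializer. If the goal is to silence -Wmissing-field-initializers, a designated initializer such as { .ctl_name = 0 } achieves the same with no layout dependence. The same applies to the other {} terminator replacements in this patch (abi_root_table2, kernel_table2, kernel_root_table2, and the pci_device_id and dmi_system_id lists).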
10994 +@@ -308,7 +315,7 @@ static ctl_table abi_root_table2[] = {
10995 + .mode = 0555,
10996 + .child = abi_table2
10997 + },
10998 +- {}
10999 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11000 + };
11001 +
11002 + static __init int ia32_binfmt_init(void)
11003 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c
11004 +--- linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c 2007-10-09 21:31:38.000000000 +0100
11005 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c 2008-02-11 10:37:44.000000000 +0000
11006 +@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
11007 + __NR_ia32_rt_sigreturn,
11008 + 0x80cd,
11009 + 0,
11010 ++ 0
11011 + };
11012 + err |= __copy_to_user(frame->retcode, &code, 8);
11013 + }
11014 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/mmap32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c
11015 +--- linux-2.6.23.15/arch/x86_64/ia32/mmap32.c 2007-10-09 21:31:38.000000000 +0100
11016 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c 2008-02-11 10:37:44.000000000 +0000
11017 +@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
11018 + (current->personality & ADDR_COMPAT_LAYOUT) ||
11019 + current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
11020 + mm->mmap_base = TASK_UNMAPPED_BASE;
11021 ++
11022 ++#ifdef CONFIG_PAX_RANDMMAP
11023 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11024 ++ mm->mmap_base += mm->delta_mmap;
11025 ++#endif
11026 ++
11027 + mm->get_unmapped_area = arch_get_unmapped_area;
11028 + mm->unmap_area = arch_unmap_area;
11029 + } else {
11030 + mm->mmap_base = mmap_base(mm);
11031 ++
11032 ++#ifdef CONFIG_PAX_RANDMMAP
11033 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11034 ++ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11035 ++#endif
11036 ++
11037 + mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11038 + mm->unmap_area = arch_unmap_area_topdown;
11039 + }
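Review bot: the two branches apply the PaX delta asymmetrically (bottom-up adds delta_mmap, top-down subtracts delta_mmap + delta_stack); that is sensible, since a top-down base sits below the randomised stack and must clear both shifts, but a one-line comment saying so would spare the next reader the derivation. Also confirm that mm->delta_mmap and mm->delta_stack are already populated when ia32_pick_mmap_layout() runs for the new image; if they are still zero at this point the layout silently gets no extra randomisation.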
11040 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c
11041 +--- linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c 2007-10-09 21:31:38.000000000 +0100
11042 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c 2008-02-11 10:37:44.000000000 +0000
11043 +@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
11044 + /* no checking to be bug-to-bug compatible with i386. */
11045 + /* but silence warning */
11046 + if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
11047 +- ;
11048 ++ {}
11049 + set_stopped_child_used_math(child);
11050 + child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
11051 + ret = 0;
11052 +diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/syscall32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c
11053 +--- linux-2.6.23.15/arch/x86_64/ia32/syscall32.c 2007-10-09 21:31:38.000000000 +0100
11054 ++++ linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c 2008-02-11 10:37:44.000000000 +0000
11055 +@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
11056 + struct mm_struct *mm = current->mm;
11057 + int ret;
11058 +
11059 ++ if (!sysctl_vsyscall32)
11060 ++ return 0;
11061 ++
11062 + down_write(&mm->mmap_sem);
11063 + /*
11064 + * MAYWRITE to allow gdb to COW and set breakpoints
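Review bot: the early return keeps the page mapping consistent with the ARCH_DLINFO change in ia32_binfmt.c, but the two sites read sysctl_vsyscall32 at different points of the same exec (auxv construction versus arch_setup_additional_pages), so a sysctl write landing between them can hand a process AT_SYSINFO entries that point at a page this function never mapped. Reading the sysctl once per exec and using that cached value at both sites would close that window.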
11065 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/hpet.c linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c
11066 +--- linux-2.6.23.15/arch/x86_64/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
11067 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
11068 +@@ -65,7 +65,7 @@ static __init int late_hpet_init(void)
11069 + hpet = (struct hpet *) fix_to_virt(FIX_HPET_BASE);
11070 + timer = &hpet->hpet_timers[2];
11071 + for (i = 2; i < ntimer; timer++, i++)
11072 +- hd.hd_irq[i] = (timer->hpet_config &
11073 ++ hd.hd_irq[i] = (readl(&timer->hpet_config) &
11074 + Tn_INT_ROUTE_CNF_MASK) >>
11075 + Tn_INT_ROUTE_CNF_SHIFT;
11076 +
11077 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/i8259.c linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c
11078 +--- linux-2.6.23.15/arch/x86_64/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
11079 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
11080 +@@ -395,7 +395,7 @@ device_initcall(i8259A_init_sysfs);
11081 + * IRQ2 is cascade interrupt to second interrupt controller
11082 + */
11083 +
11084 +-static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
11085 ++static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
11086 + DEFINE_PER_CPU(vector_irq_t, vector_irq) = {
11087 + [0 ... IRQ0_VECTOR - 1] = -1,
11088 + [IRQ0_VECTOR] = 0,
11089 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/ioport.c linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c
11090 +--- linux-2.6.23.15/arch/x86_64/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
11091 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
11092 +@@ -16,6 +16,7 @@
11093 + #include <linux/slab.h>
11094 + #include <linux/thread_info.h>
11095 + #include <linux/syscalls.h>
11096 ++#include <linux/grsecurity.h>
11097 +
11098 + /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
11099 + static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
11100 +@@ -41,8 +42,16 @@ asmlinkage long sys_ioperm(unsigned long
11101 +
11102 + if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
11103 + return -EINVAL;
11104 ++
11105 ++#ifdef CONFIG_GRKERNSEC_IO
11106 ++ if (turn_on) {
11107 ++ gr_handle_ioperm();
11108 ++ return -EPERM;
11109 ++ }
11110 ++#else
11111 + if (turn_on && !capable(CAP_SYS_RAWIO))
11112 + return -EPERM;
11113 ++#endif
11114 +
11115 + /*
11116 + * If it's the first ioperm() call in this thread's lifetime, set the
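Review bot: under CONFIG_GRKERNSEC_IO the capable(CAP_SYS_RAWIO) branch is compiled out entirely, so sys_ioperm() with turn_on set refuses even a fully privileged caller and only logs through gr_handle_ioperm(); that is the intended hard deny, but the Kconfig help text should state plainly that user-space port access is unavailable on such kernels. Clearing bits (turn_on == 0) still passes, which matches the old semantics, and the range validation above the new block still runs first, which is the right order.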
11117 +@@ -111,8 +120,13 @@ asmlinkage long sys_iopl(unsigned int le
11118 + return -EINVAL;
11119 + /* Trying to gain more privileges? */
11120 + if (level > old) {
11121 ++#ifdef CONFIG_GRKERNSEC_IO
11122 ++ gr_handle_iopl();
11123 ++ return -EPERM;
11124 ++#else
11125 + if (!capable(CAP_SYS_RAWIO))
11126 + return -EPERM;
11127 ++#endif
11128 + }
11129 + regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
11130 + return 0;
11131 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/mce.c linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c
11132 +--- linux-2.6.23.15/arch/x86_64/kernel/mce.c 2007-10-09 21:31:38.000000000 +0100
11133 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c 2008-02-11 10:37:44.000000000 +0000
11134 +@@ -665,6 +665,7 @@ static struct miscdevice mce_log_device
11135 + MISC_MCELOG_MINOR,
11136 + "mcelog",
11137 + &mce_chrdev_ops,
11138 ++ {NULL, NULL}, NULL, NULL
11139 + };
11140 +
11141 + static unsigned long old_cr4 __initdata;
11142 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/process.c linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c
11143 +--- linux-2.6.23.15/arch/x86_64/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
11144 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
11145 +@@ -894,10 +894,3 @@ int dump_task_regs(struct task_struct *t
11146 +
11147 + return 1;
11148 + }
11149 +-
11150 +-unsigned long arch_align_stack(unsigned long sp)
11151 +-{
11152 +- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
11153 +- sp -= get_random_int() % 8192;
11154 +- return sp & ~0xf;
11155 +-}
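Review bot: deleting arch_align_stack() here leaves the symbol without a definition in this file, so the patch must supply a replacement elsewhere (a generic or PaX-aware version); that replacement is not in this excerpt, so please point to it in the patch description, and confirm that the up-to-8 KiB jitter removed here (get_random_int() % 8192) is either reproduced there or intentionally folded into the PaX stack delta.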
11156 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/setup64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c
11157 +--- linux-2.6.23.15/arch/x86_64/kernel/setup64.c 2007-10-09 21:31:38.000000000 +0100
11158 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c 2008-02-11 10:37:44.000000000 +0000
11159 +@@ -37,7 +37,7 @@ struct desc_ptr idt_descr = { 256 * 16 -
11160 + char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
11161 +
11162 + unsigned long __supported_pte_mask __read_mostly = ~0UL;
11163 +-static int do_not_nx __cpuinitdata = 0;
11164 ++EXPORT_SYMBOL(__supported_pte_mask);
11165 +
11166 + /* noexec=on|off
11167 + Control non executable mappings for 64bit processes.
11168 +@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
11169 + return -EINVAL;
11170 + if (!strncmp(str, "on", 2)) {
11171 + __supported_pte_mask |= _PAGE_NX;
11172 +- do_not_nx = 0;
11173 + } else if (!strncmp(str, "off", 3)) {
11174 +- do_not_nx = 1;
11175 + __supported_pte_mask &= ~_PAGE_NX;
11176 + }
11177 + return 0;
11178 + }
11179 + early_param("noexec", nonx_setup);
11180 +
11181 +-int force_personality32 = 0;
11182 ++int force_personality32;
11183 +
11184 + /* noexec32=on|off
11185 + Control non executable heap for 32bit processes.
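Review bot: with do_not_nx gone, noexec=off now relies solely on nonx_setup() clearing _PAGE_NX in __supported_pte_mask, whereas before check_efer() re-applied the override on every CPU it ran on; confirm that nothing later in boot ORs _PAGE_NX back into the mask (secondary CPU bring-up is the obvious place to look), otherwise noexec=off would be partially undone on those CPUs.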
11186 +@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
11187 + unsigned long efer;
11188 +
11189 + rdmsrl(MSR_EFER, efer);
11190 +- if (!(efer & EFER_NX) || do_not_nx) {
11191 ++ if (!(efer & EFER_NX)) {
11192 + __supported_pte_mask &= ~_PAGE_NX;
11193 + }
11194 + }
11195 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/signal.c linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c
11196 +--- linux-2.6.23.15/arch/x86_64/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
11197 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
11198 +@@ -254,8 +254,8 @@ static int setup_rt_frame(int sig, struc
11199 + err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
11200 + err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
11201 + if (sizeof(*set) == 16) {
11202 +- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
11203 +- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
11204 ++ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
11205 ++ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
11206 + } else
11207 + err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
11208 +
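Review bot: correct fix; with the return values of the two __put_user() calls dropped, a fault while writing uc_sigmask left err clear and the signal frame was delivered with a partially written mask that neither the kernel nor the handler could detect. While touching this, the 32-bit frame setup in ia32_signal.c is worth checking for the same dropped return values.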
11209 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c
11210 +--- linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c 2007-10-09 21:31:38.000000000 +0100
11211 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c 2008-02-11 10:37:44.000000000 +0000
11212 +@@ -65,8 +65,8 @@ out:
11213 + return error;
11214 + }
11215 +
11216 +-static void find_start_end(unsigned long flags, unsigned long *begin,
11217 +- unsigned long *end)
11218 ++static void find_start_end(struct mm_struct *mm, unsigned long flags,
11219 ++ unsigned long *begin, unsigned long *end)
11220 + {
11221 + if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
11222 + /* This is usually used needed to map code in small
11223 +@@ -79,7 +79,7 @@ static void find_start_end(unsigned long
11224 + *begin = 0x40000000;
11225 + *end = 0x80000000;
11226 + } else {
11227 +- *begin = TASK_UNMAPPED_BASE;
11228 ++ *begin = mm->mmap_base;
11229 + *end = TASK_SIZE;
11230 + }
11231 + }
11232 +@@ -96,11 +96,15 @@ arch_get_unmapped_area(struct file *filp
11233 + if (flags & MAP_FIXED)
11234 + return addr;
11235 +
11236 +- find_start_end(flags, &begin, &end);
11237 ++ find_start_end(mm, flags, &begin, &end);
11238 +
11239 + if (len > end)
11240 + return -ENOMEM;
11241 +
11242 ++#ifdef CONFIG_PAX_RANDMMAP
11243 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
11244 ++#endif
11245 ++
11246 + if (addr) {
11247 + addr = PAGE_ALIGN(addr);
11248 + vma = find_vma(mm, addr);
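Review bot: the #ifdef CONFIG_PAX_RANDMMAP block splices a brace-less if onto the following if (addr) statement, so the unconditional hint handling becomes the body of the preprocessor-guarded condition; it works, but any statement inserted between the two later on silently changes the semantics. Wrapping the hint handling in braces, or folding the condition into the if (addr) test itself, would be more robust, and a comment should spell out the resulting policy: with RANDMMAP the caller's address hint is ignored for file-backed mappings (filp != NULL) and honoured for anonymous ones.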
11249 +diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c
11250 +--- linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c 2007-10-09 21:31:38.000000000 +0100
11251 ++++ linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c 2008-02-11 10:37:44.000000000 +0000
11252 +@@ -273,13 +273,13 @@ static ctl_table kernel_table2[] = {
11253 + .mode = 0644,
11254 + .strategy = vsyscall_sysctl_nostrat,
11255 + .proc_handler = vsyscall_sysctl_change },
11256 +- {}
11257 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11258 + };
11259 +
11260 + static ctl_table kernel_root_table2[] = {
11261 + { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
11262 + .child = kernel_table2 },
11263 +- {}
11264 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
11265 + };
11266 +
11267 + #endif
11268 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/fault.c linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c
11269 +--- linux-2.6.23.15/arch/x86_64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
11270 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
11271 +@@ -25,6 +25,7 @@
11272 + #include <linux/kprobes.h>
11273 + #include <linux/uaccess.h>
11274 + #include <linux/kdebug.h>
11275 ++#include <linux/binfmts.h>
11276 +
11277 + #include <asm/system.h>
11278 + #include <asm/pgalloc.h>
11279 +@@ -291,6 +292,163 @@ static int vmalloc_fault(unsigned long a
11280 + return 0;
11281 + }
11282 +
11283 ++#ifdef CONFIG_PAX_EMUTRAMP
11284 ++static int pax_handle_fetch_fault_32(struct pt_regs *regs)
11285 ++{
11286 ++ int err;
11287 ++
11288 ++ do { /* PaX: gcc trampoline emulation #1 */
11289 ++ unsigned char mov1, mov2;
11290 ++ unsigned short jmp;
11291 ++ unsigned int addr1, addr2;
11292 ++
11293 ++ if ((regs->rip + 11) >> 32)
11294 ++ break;
11295 ++
11296 ++ err = get_user(mov1, (unsigned char __user *)regs->rip);
11297 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
11298 ++ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
11299 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
11300 ++ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
11301 ++
11302 ++ if (err)
11303 ++ break;
11304 ++
11305 ++ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
11306 ++ regs->rcx = addr1;
11307 ++ regs->rax = addr2;
11308 ++ regs->rip = addr2;
11309 ++ return 2;
11310 ++ }
11311 ++ } while (0);
11312 ++
11313 ++ do { /* PaX: gcc trampoline emulation #2 */
11314 ++ unsigned char mov, jmp;
11315 ++ unsigned int addr1, addr2;
11316 ++
11317 ++ if ((regs->rip + 9) >> 32)
11318 ++ break;
11319 ++
11320 ++ err = get_user(mov, (unsigned char __user *)regs->rip);
11321 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
11322 ++ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
11323 ++ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
11324 ++
11325 ++ if (err)
11326 ++ break;
11327 ++
11328 ++ if (mov == 0xB9 && jmp == 0xE9) {
11329 ++ regs->rcx = addr1;
11330 ++ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
11331 ++ return 2;
11332 ++ }
11333 ++ } while (0);
11334 ++
11335 ++ return 1; /* PaX in action */
11336 ++}
11337 ++
11338 ++static int pax_handle_fetch_fault_64(struct pt_regs *regs)
11339 ++{
11340 ++ int err;
11341 ++
11342 ++ do { /* PaX: gcc trampoline emulation #1 */
11343 ++ unsigned short mov1, mov2, jmp1;
11344 ++ unsigned char jmp2;
11345 ++ unsigned int addr1;
11346 ++ unsigned long addr2;
11347 ++
11348 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
11349 ++ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
11350 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
11351 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
11352 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
11353 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
11354 ++
11355 ++ if (err)
11356 ++ break;
11357 ++
11358 ++ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
11359 ++ regs->r11 = addr1;
11360 ++ regs->r10 = addr2;
11361 ++ regs->rip = addr1;
11362 ++ return 2;
11363 ++ }
11364 ++ } while (0);
11365 ++
11366 ++ do { /* PaX: gcc trampoline emulation #2 */
11367 ++ unsigned short mov1, mov2, jmp1;
11368 ++ unsigned char jmp2;
11369 ++ unsigned long addr1, addr2;
11370 ++
11371 ++ err = get_user(mov1, (unsigned short __user *)regs->rip);
11372 ++ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
11373 ++ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
11374 ++ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
11375 ++ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
11376 ++ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
11377 ++
11378 ++ if (err)
11379 ++ break;
11380 ++
11381 ++ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
11382 ++ regs->r11 = addr1;
11383 ++ regs->r10 = addr2;
11384 ++ regs->rip = addr1;
11385 ++ return 2;
11386 ++ }
11387 ++ } while (0);
11388 ++
11389 ++ return 1; /* PaX in action */
11390 ++}
11391 ++
11392 ++/*
11393 ++ * PaX: decide what to do with offenders (regs->rip = fault address)
11394 ++ *
11395 ++ * returns 1 when task should be killed
11396 ++ * 2 when gcc trampoline was detected
11397 ++ */
11398 ++static int pax_handle_fetch_fault(struct pt_regs *regs)
11399 ++{
11400 ++ if (regs->eflags & X86_EFLAGS_VM)
11401 ++ return 1;
11402 ++
11403 ++ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
11404 ++ return 1;
11405 ++
11406 ++ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
11407 ++ return pax_handle_fetch_fault_32(regs);
11408 ++ else
11409 ++ return pax_handle_fetch_fault_64(regs);
11410 ++}
11411 ++#endif
11412 ++
11413 ++#ifdef CONFIG_PAX_PAGEEXEC
11414 ++void pax_report_insns(void *pc, void *sp)
11415 ++{
11416 ++ long i;
11417 ++
11418 ++ printk(KERN_ERR "PAX: bytes at PC: ");
11419 ++ for (i = 0; i < 20; i++) {
11420 ++ unsigned char c;
11421 ++ if (get_user(c, (unsigned char __user *)pc+i))
11422 ++ printk("?? ");
11423 ++ else
11424 ++ printk("%02x ", c);
11425 ++ }
11426 ++ printk("\n");
11427 ++
11428 ++ printk(KERN_ERR "PAX: bytes at SP-8: ");
11429 ++ for (i = -1; i < 10; i++) {
11430 ++ unsigned long c;
11431 ++ if (get_user(c, (unsigned long __user *)sp+i))
11432 ++ printk("???????????????? ");
11433 ++ else
11434 ++ printk("%016lx ", c);
11435 ++ }
11436 ++ printk("\n");
11437 ++}
11438 ++#endif
11439 ++
11440 + static int page_fault_trace;
11441 + int show_unhandled_signals = 1;
11442 +
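Review bot: the selector test in pax_handle_fetch_fault(), regs->cs == __USER32_CS || (regs->cs & (1<<2)), treats any LDT selector (TI bit set) as a 32-bit code segment; that deserves a comment, since a reader will otherwise take 1<<2 for an RPL bit. In pax_handle_fetch_fault_32() the (regs->rip + 11) >> 32 and (regs->rip + 9) >> 32 guards are tuned to the last byte each pattern reads (the two-byte jmp at rip+10, the four-byte addr2 at rip+6); a comment stating that would keep the constants from being "fixed" later. The emulation paths then load registers and rip straight from the bytes matched at the faulting rip, which is acceptable only because the task could have reached the same state by executing that trampoline itself; say so explicitly above the return 2 sites.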
11443 +@@ -427,6 +585,8 @@ asmlinkage void __kprobes do_page_fault(
11444 + good_area:
11445 + info.si_code = SEGV_ACCERR;
11446 + write = 0;
11447 ++ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
11448 ++ goto bad_area;
11449 + switch (error_code & (PF_PROT|PF_WRITE)) {
11450 + default: /* 3: write, present */
11451 + /* fall through */
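Review bot: this is the check that turns an instruction fetch on a VMA without VM_EXEC into bad_area, but PF_INSTR is only reported by the hardware when NX is enabled in EFER, so on a CPU or configuration without NX (including the noexec=off case handled in setup64.c above) the condition never fires and the missing VM_EXEC goes unenforced; the Kconfig help for PAGEEXEC on x86_64 should make that dependency clear.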
11452 +@@ -478,6 +638,21 @@ bad_area_nosemaphore:
11453 + */
11454 + local_irq_enable();
11455 +
11456 ++#ifdef CONFIG_PAX_PAGEEXEC
11457 ++ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & 16)) {
11458 ++
11459 ++#ifdef CONFIG_PAX_EMUTRAMP
11460 ++ switch (pax_handle_fetch_fault(regs)) {
11461 ++ case 2:
11462 ++ return;
11463 ++ }
11464 ++#endif
11465 ++
11466 ++ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
11467 ++ do_exit(SIGKILL);
11468 ++ }
11469 ++#endif
11470 ++
11471 + if (is_prefetch(regs, address, error_code))
11472 + return;
11473 +
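Review bot: the test uses the magic constant (error_code & 16) where the good_area hunk above uses PF_INSTR for the same bit; use PF_INSTR here too. Since this block sits after local_irq_enable() and before is_prefetch(), a PAGEEXEC task that takes a fetch fault on a non-present page is killed before the prefetch heuristic runs, which is presumably intended (an instruction fetch is not a prefetch) but merits a comment.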
11474 +@@ -499,7 +674,7 @@ bad_area_nosemaphore:
11475 + tsk->comm, tsk->pid, address, regs->rip,
11476 + regs->rsp, error_code);
11477 + }
11478 +-
11479 ++
11480 + tsk->thread.cr2 = address;
11481 + /* Kernel addresses are always protection faults */
11482 + tsk->thread.error_code = error_code | (address >= TASK_SIZE);
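Review bot: this hunk changes only a blank line (the difference is not visible in the rendered patch, presumably trailing whitespace on the added line); drop it, as it adds a trailing-whitespace warning and churns an otherwise untouched region of the file.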
11483 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/init.c linux-2.6.23.15-grsec/arch/x86_64/mm/init.c
11484 +--- linux-2.6.23.15/arch/x86_64/mm/init.c 2008-02-11 10:36:03.000000000 +0000
11485 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
11486 +@@ -45,7 +45,7 @@
11487 + #include <asm/sections.h>
11488 +
11489 + #ifndef Dprintk
11490 +-#define Dprintk(x...)
11491 ++#define Dprintk(x...) do {} while (0)
11492 + #endif
11493 +
11494 + const struct dma_mapping_ops* dma_ops;
11495 +@@ -736,7 +736,7 @@ int in_gate_area_no_task(unsigned long a
11496 +
11497 + const char *arch_vma_name(struct vm_area_struct *vma)
11498 + {
11499 +- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
11500 ++ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
11501 + return "[vdso]";
11502 + if (vma == &gate_vma)
11503 + return "[vsyscall]";
11504 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/mmap.c linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c
11505 +--- linux-2.6.23.15/arch/x86_64/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
11506 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
11507 +@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
11508 + unsigned rnd = get_random_int() & 0xfffffff;
11509 + mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
11510 + }
11511 ++
11512 ++#ifdef CONFIG_PAX_RANDMMAP
11513 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
11514 ++ mm->mmap_base += mm->delta_mmap;
11515 ++#endif
11516 ++
11517 + mm->get_unmapped_area = arch_get_unmapped_area;
11518 + mm->unmap_area = arch_unmap_area;
11519 + }
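Review bot: the PaX delta is added on top of the stock randomisation applied two lines above (rnd << PAGE_SHIFT, up to 0xfffffff pages), so both offsets stack in the bottom-up layout; confirm the combined maximum keeps mmap_base below TASK_SIZE with room for the mappings, and note in a comment that the double randomisation is intended rather than an oversight.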
11520 +diff -Nurp linux-2.6.23.15/arch/x86_64/mm/numa.c linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c
11521 +--- linux-2.6.23.15/arch/x86_64/mm/numa.c 2007-10-09 21:31:38.000000000 +0100
11522 ++++ linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c 2008-02-11 10:37:44.000000000 +0000
11523 +@@ -19,7 +19,7 @@
11524 + #include <asm/acpi.h>
11525 +
11526 + #ifndef Dprintk
11527 +-#define Dprintk(x...)
11528 ++#define Dprintk(x...) do {} while (0)
11529 + #endif
11530 +
11531 + struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
11532 +diff -Nurp linux-2.6.23.15/arch/x86_64/vdso/vma.c linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c
11533 +--- linux-2.6.23.15/arch/x86_64/vdso/vma.c 2007-10-09 21:31:38.000000000 +0100
11534 ++++ linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c 2008-02-11 10:37:44.000000000 +0000
11535 +@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
11536 + if (ret)
11537 + goto up_fail;
11538 +
11539 +- current->mm->context.vdso = (void *)addr;
11540 ++ current->mm->context.vdso = addr;
11541 + up_fail:
11542 + up_write(&mm->mmap_sem);
11543 + return ret;
11544 +diff -Nurp linux-2.6.23.15/crypto/async_tx/async_tx.c linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c
11545 +--- linux-2.6.23.15/crypto/async_tx/async_tx.c 2007-10-09 21:31:38.000000000 +0100
11546 ++++ linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c 2008-02-11 10:37:44.000000000 +0000
11547 +@@ -342,8 +342,8 @@ async_tx_init(void)
11548 + err:
11549 + printk(KERN_ERR "async_tx: initialization failure\n");
11550 +
11551 +- while (--cap >= 0)
11552 +- free_percpu(channel_table[cap]);
11553 ++ while (cap)
11554 ++ free_percpu(channel_table[--cap]);
11555 +
11556 + return 1;
11557 + }
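Review bot: the rewritten loop is only a real fix if cap is an unsigned type (in which case --cap >= 0 was always true and the old loop walked channel_table[] with a wrapped index); the declaration is outside the hunk, so the patch description should say so, otherwise this reads as a cosmetic change. If cap is signed the two forms are equivalent and the hunk can go.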
11558 +diff -Nurp linux-2.6.23.15/crypto/lrw.c linux-2.6.23.15-grsec/crypto/lrw.c
11559 +--- linux-2.6.23.15/crypto/lrw.c 2007-10-09 21:31:38.000000000 +0100
11560 ++++ linux-2.6.23.15-grsec/crypto/lrw.c 2008-02-11 10:37:44.000000000 +0000
11561 +@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
11562 + struct priv *ctx = crypto_tfm_ctx(parent);
11563 + struct crypto_cipher *child = ctx->child;
11564 + int err, i;
11565 +- be128 tmp = { 0 };
11566 ++ be128 tmp = { 0, 0 };
11567 + int bsize = crypto_cipher_blocksize(child);
11568 +
11569 + crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
11570 +diff -Nurp linux-2.6.23.15/drivers/acpi/blacklist.c linux-2.6.23.15-grsec/drivers/acpi/blacklist.c
11571 +--- linux-2.6.23.15/drivers/acpi/blacklist.c 2008-02-11 10:36:03.000000000 +0000
11572 ++++ linux-2.6.23.15-grsec/drivers/acpi/blacklist.c 2008-02-11 10:37:44.000000000 +0000
11573 +@@ -71,7 +71,7 @@ static struct acpi_blacklist_item acpi_b
11574 + {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
11575 + "Incorrect _ADR", 1},
11576 +
11577 +- {""}
11578 ++ {"", "", 0, 0, 0, all_versions, 0}
11579 + };
11580 +
11581 + #if CONFIG_ACPI_BLACKLIST_YEAR
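Review bot: the positional terminator does not follow the field order used by the entry just above it (oem_id, oem_table_id, oem_revision, table, predicate, reason, is_critical_error): all_versions lands in the reason slot and 0 in the predicate slot. It compiles only because all_versions evaluates to 0 and therefore passes as a null pointer constant; write the terminator in the same order as the real entries, or use a designated initializer, so the entry means what it reads as.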
11582 +diff -Nurp linux-2.6.23.15/drivers/acpi/processor_core.c linux-2.6.23.15-grsec/drivers/acpi/processor_core.c
11583 +--- linux-2.6.23.15/drivers/acpi/processor_core.c 2007-10-09 21:31:38.000000000 +0100
11584 ++++ linux-2.6.23.15-grsec/drivers/acpi/processor_core.c 2008-02-11 10:37:44.000000000 +0000
11585 +@@ -643,7 +643,7 @@ static int __cpuinit acpi_processor_star
11586 + return 0;
11587 + }
11588 +
11589 +- BUG_ON((pr->id >= NR_CPUS) || (pr->id < 0));
11590 ++ BUG_ON(pr->id >= NR_CPUS);
11591 +
11592 + /*
11593 + * Buggy BIOS check
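Review bot: dropping pr->id < 0 from the BUG_ON is only correct if pr->id is unsigned (the comparison was then always false and the compiler warned about it); the declaration is outside the hunk, so state the type in the changelog. If pr->id is in fact signed, the old check caught a real invalid-id case and should stay.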
11594 +diff -Nurp linux-2.6.23.15/drivers/acpi/processor_idle.c linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c
11595 +--- linux-2.6.23.15/drivers/acpi/processor_idle.c 2007-10-09 21:31:38.000000000 +0100
11596 ++++ linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c 2008-02-11 10:37:44.000000000 +0000
11597 +@@ -164,7 +164,7 @@ static struct dmi_system_id __cpuinitdat
11598 + DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
11599 + DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
11600 + (void *)2},
11601 +- {},
11602 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
11603 + };
11604 +
11605 + static inline u32 ticks_elapsed(u32 t1, u32 t2)
11606 +diff -Nurp linux-2.6.23.15/drivers/acpi/sleep/main.c linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c
11607 +--- linux-2.6.23.15/drivers/acpi/sleep/main.c 2008-02-11 10:36:03.000000000 +0000
11608 ++++ linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c 2008-02-11 10:37:44.000000000 +0000
11609 +@@ -228,7 +228,7 @@ static struct dmi_system_id __initdata a
11610 + .ident = "Toshiba Satellite 4030cdt",
11611 + .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
11612 + },
11613 +- {},
11614 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
11615 + };
11616 + #endif /* CONFIG_SUSPEND */
11617 +
11618 +diff -Nurp linux-2.6.23.15/drivers/acpi/tables/tbfadt.c linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c
11619 +--- linux-2.6.23.15/drivers/acpi/tables/tbfadt.c 2007-10-09 21:31:38.000000000 +0100
11620 ++++ linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c 2008-02-11 10:37:44.000000000 +0000
11621 +@@ -48,7 +48,7 @@
11622 + ACPI_MODULE_NAME("tbfadt")
11623 +
11624 + /* Local prototypes */
11625 +-static void inline
11626 ++static inline void
11627 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
11628 + u8 bit_width, u64 address);
11629 +
11630 +@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
11631 + *
11632 + ******************************************************************************/
11633 +
11634 +-static void inline
11635 ++static inline void
11636 + acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
11637 + u8 bit_width, u64 address)
11638 + {
11639 +diff -Nurp linux-2.6.23.15/drivers/ata/ahci.c linux-2.6.23.15-grsec/drivers/ata/ahci.c
11640 +--- linux-2.6.23.15/drivers/ata/ahci.c 2008-02-11 10:36:03.000000000 +0000
11641 ++++ linux-2.6.23.15-grsec/drivers/ata/ahci.c 2008-02-11 10:37:44.000000000 +0000
11642 +@@ -523,7 +523,7 @@ static const struct pci_device_id ahci_p
11643 + { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
11644 + PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
11645 +
11646 +- { } /* terminate list */
11647 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
11648 + };
11649 +
11650 +
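Review bot: this `{ }` to `{ 0, 0, 0, 0, 0, 0, 0 }` rewrite of list terminators recurs through most of the rest of the patch (ata_piix, intel-agp, drm_pciids, the hwmon and i2c tables, ohci1394). It changes nothing at runtime, because an empty initializer already zero-fills, and exists only to quiet -Wmissing-field-initializers; the cost is that every terminator now hard-codes the field count of struct pci_device_id, so any change to that struct means a patch-wide rebase. One terminator macro (a PCI_DEVICE_TERMINATOR-style helper is a suggestion, not an existing kernel macro) or designated initializers would keep the warning quiet in one place. The description should also say that these hunks are pure warning cleanups with no functional change, so they can be reviewed separately from the grsec and PaX hooks further down.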
11651 +diff -Nurp linux-2.6.23.15/drivers/ata/ata_piix.c linux-2.6.23.15-grsec/drivers/ata/ata_piix.c
11652 +--- linux-2.6.23.15/drivers/ata/ata_piix.c 2007-10-09 21:31:38.000000000 +0100
11653 ++++ linux-2.6.23.15-grsec/drivers/ata/ata_piix.c 2008-02-11 10:37:44.000000000 +0000
11654 +@@ -257,7 +257,7 @@ static const struct pci_device_id piix_p
11655 + /* SATA Controller IDE (Tolapai) */
11656 + { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
11657 +
11658 +- { } /* terminate list */
11659 ++ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
11660 + };
11661 +
11662 + static struct pci_driver piix_pci_driver = {
11663 +@@ -617,7 +617,7 @@ static const struct ich_laptop ich_lapto
11664 + { 0x27DF, 0x1043, 0x1267 }, /* ICH7 on Asus W5F */
11665 + { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
11666 + /* end marker */
11667 +- { 0, }
11668 ++ { 0, 0, 0 }
11669 + };
11670 +
11671 + /**
11672 +@@ -963,7 +963,7 @@ static int piix_broken_suspend(void)
11673 + },
11674 + },
11675 +
11676 +- { } /* terminate list */
11677 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
11678 + };
11679 + static const char *oemstrs[] = {
11680 + "Tecra M3,",
11681 +diff -Nurp linux-2.6.23.15/drivers/ata/libata-core.c linux-2.6.23.15-grsec/drivers/ata/libata-core.c
11682 +--- linux-2.6.23.15/drivers/ata/libata-core.c 2008-02-11 10:36:03.000000000 +0000
11683 ++++ linux-2.6.23.15-grsec/drivers/ata/libata-core.c 2008-02-11 10:37:44.000000000 +0000
11684 +@@ -472,7 +472,7 @@ static const struct ata_xfer_ent {
11685 + { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
11686 + { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
11687 + { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
11688 +- { -1, },
11689 ++ { -1, 0, 0 },
11690 + };
11691 +
11692 + /**
11693 +@@ -2546,7 +2546,7 @@ static const struct ata_timing ata_timin
11694 +
11695 + /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
11696 +
11697 +- { 0xFF }
11698 ++ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
11699 + };
11700 +
11701 + #define ENOUGH(v,unit) (((v)-1)/(unit)+1)
11702 +@@ -3799,7 +3799,7 @@ static const struct ata_blacklist_entry
11703 + { "MAXTOR 6L080L4", "A93.0500", ATA_HORKAGE_BROKEN_HPA },
11704 +
11705 + /* End Marker */
11706 +- { }
11707 ++ { NULL, NULL, 0 }
11708 + };
11709 +
11710 + static unsigned long ata_dev_blacklisted(const struct ata_device *dev)
11711 +diff -Nurp linux-2.6.23.15/drivers/char/agp/frontend.c linux-2.6.23.15-grsec/drivers/char/agp/frontend.c
11712 +--- linux-2.6.23.15/drivers/char/agp/frontend.c 2007-10-09 21:31:38.000000000 +0100
11713 ++++ linux-2.6.23.15-grsec/drivers/char/agp/frontend.c 2008-02-11 10:37:44.000000000 +0000
11714 +@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
11715 + if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
11716 + return -EFAULT;
11717 +
11718 +- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
11719 ++ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
11720 + return -EFAULT;
11721 +
11722 + client = agp_find_client_by_pid(reserve.pid);
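Review bot: tightening the overflow bound to sizeof(struct agp_segment_priv) only protects the path that multiplies seg_count by that struct's size; the hunk does not show the allocation it guards, nor whether seg_count is still also multiplied by sizeof(struct agp_segment) somewhere in this function. The description should say which multiplication overflowed and confirm that agp_segment_priv is the larger of the two, so the one bound covers both. Returning -EFAULT for an out-of-range count is pre-existing behaviour, but -EINVAL would be the usual errno if this line is being touched anyway.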
11723 +diff -Nurp linux-2.6.23.15/drivers/char/agp/intel-agp.c linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c
11724 +--- linux-2.6.23.15/drivers/char/agp/intel-agp.c 2007-10-09 21:31:38.000000000 +0100
11725 ++++ linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c 2008-02-11 10:37:44.000000000 +0000
11726 +@@ -2071,7 +2071,7 @@ static struct pci_device_id agp_intel_pc
11727 + ID(PCI_DEVICE_ID_INTEL_G33_HB),
11728 + ID(PCI_DEVICE_ID_INTEL_Q35_HB),
11729 + ID(PCI_DEVICE_ID_INTEL_Q33_HB),
11730 +- { }
11731 ++ { 0, 0, 0, 0, 0, 0, 0 }
11732 + };
11733 +
11734 + MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
11735 +diff -Nurp linux-2.6.23.15/drivers/char/drm/drm_pciids.h linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h
11736 +--- linux-2.6.23.15/drivers/char/drm/drm_pciids.h 2007-10-09 21:31:38.000000000 +0100
11737 ++++ linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h 2008-02-11 10:37:44.000000000 +0000
11738 +@@ -251,7 +251,7 @@
11739 + {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11740 + {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11741 + {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11742 +- {0, 0, 0}
11743 ++ {0, 0, 0, 0, 0, 0, 0 }
11744 +
11745 + #define i830_PCI_IDS \
11746 + {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
11747 +diff -Nurp linux-2.6.23.15/drivers/char/hpet.c linux-2.6.23.15-grsec/drivers/char/hpet.c
11748 +--- linux-2.6.23.15/drivers/char/hpet.c 2007-10-09 21:31:38.000000000 +0100
11749 ++++ linux-2.6.23.15-grsec/drivers/char/hpet.c 2008-02-11 10:37:44.000000000 +0000
11750 +@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
11751 + },
11752 + };
11753 +
11754 +-static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
11755 ++static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
11756 +
11757 + static int __init hpet_init(void)
11758 + {
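Review bot: spelling out the trailing fields of struct miscdevice positionally (`{NULL, NULL}, NULL, NULL`) bakes the layout of the embedded list_head and the two trailing pointers into this driver, so a future field reorder in miscdevice silently shifts these values. `.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops` silences the same warning without that dependency. The same applies to the nvram_dev initializer later in this patch.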
11759 +diff -Nurp linux-2.6.23.15/drivers/char/keyboard.c linux-2.6.23.15-grsec/drivers/char/keyboard.c
11760 +--- linux-2.6.23.15/drivers/char/keyboard.c 2007-10-09 21:31:38.000000000 +0100
11761 ++++ linux-2.6.23.15-grsec/drivers/char/keyboard.c 2008-02-11 10:37:44.000000000 +0000
11762 +@@ -605,6 +605,16 @@ static void k_spec(struct vc_data *vc, u
11763 + kbd->kbdmode == VC_MEDIUMRAW) &&
11764 + value != KVAL(K_SAK))
11765 + return; /* SAK is allowed even in raw mode */
11766 ++
11767 ++#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
11768 ++ {
11769 ++ void *func = fn_handler[value];
11770 ++ if (func == fn_show_state || func == fn_show_ptregs ||
11771 ++ func == fn_show_mem)
11772 ++ return;
11773 ++ }
11774 ++#endif
11775 ++
11776 + fn_handler[value](vc);
11777 + }
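Review bot: comparing function pointers through a `void *func` is not portable C (GCC accepts it, which is all the kernel needs, but a typed `void (*func)(struct vc_data *)` matches how fn_handler is declared and avoids the implicit conversions). On the substance: this quietly disables the Show-State, Show-Registers and Show-Memory console keys whenever CONFIG_GRKERNSEC_PROC or CONFIG_GRKERNSEC_PROC_MEMMAP is set, which makes sense since those dumps would put task lists, register state and memory layout into the kernel log and bypass the /proc restrictions those options enforce; but unlike the other hooks in this patch the keypress is dropped silently with no gr_log/audit call, and nothing in the Kconfig help will tell an admin why those keys stopped working. Log it, or at least document it in the option help.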
11778 +
11779 +@@ -1340,7 +1350,7 @@ static const struct input_device_id kbd_
11780 + .evbit = { BIT(EV_SND) },
11781 + },
11782 +
11783 +- { }, /* Terminating entry */
11784 ++ { 0 }, /* Terminating entry */
11785 + };
11786 +
11787 + MODULE_DEVICE_TABLE(input, kbd_ids);
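Review bot: `{ 0 }` is inconsistent with the rest of this patch, which spells out every field of each terminator; pick one form. If the goal is only to silence -Wmissing-field-initializers, note that `{ 0 }` still names just one member of struct input_device_id and may not quiet the warning on the GCC versions that produce it.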
11788 +diff -Nurp linux-2.6.23.15/drivers/char/mem.c linux-2.6.23.15-grsec/drivers/char/mem.c
11789 +--- linux-2.6.23.15/drivers/char/mem.c 2007-10-09 21:31:38.000000000 +0100
11790 ++++ linux-2.6.23.15-grsec/drivers/char/mem.c 2008-02-11 10:37:44.000000000 +0000
11791 +@@ -26,6 +26,7 @@
11792 + #include <linux/bootmem.h>
11793 + #include <linux/splice.h>
11794 + #include <linux/pfn.h>
11795 ++#include <linux/grsecurity.h>
11796 +
11797 + #include <asm/uaccess.h>
11798 + #include <asm/io.h>
11799 +@@ -34,6 +35,10 @@
11800 + # include <linux/efi.h>
11801 + #endif
11802 +
11803 ++#ifdef CONFIG_GRKERNSEC
11804 ++extern struct file_operations grsec_fops;
11805 ++#endif
11806 ++
11807 + /*
11808 + * Architectures vary in how they handle caching for addresses
11809 + * outside of main memory.
11810 +@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
11811 + if (!valid_phys_addr_range(p, count))
11812 + return -EFAULT;
11813 +
11814 ++#ifdef CONFIG_GRKERNSEC_KMEM
11815 ++ gr_handle_mem_write();
11816 ++ return -EPERM;
11817 ++#endif
11818 ++
11819 + written = 0;
11820 +
11821 + #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
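Review bot: the refusal is placed after valid_phys_addr_range, so an out-of-range write to /dev/mem still returns -EFAULT without being logged, while only in-range writes reach gr_handle_mem_write; if the intent is to audit every write attempt, move the block to the top of write_mem. With CONFIG_GRKERNSEC_KMEM set, everything after the unconditional `return -EPERM;` is dead code; an #ifdef/#else makes that explicit instead of relying on the compiler not to complain about it. Also worth stating in the Kconfig help: read_mem is untouched, so reading physical memory through /dev/mem remains possible for a CAP_SYS_RAWIO holder, this option only stops writes and mappings.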
11822 +@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
11823 + if (!private_mapping_ok(vma))
11824 + return -ENOSYS;
11825 +
11826 ++#ifdef CONFIG_GRKERNSEC_KMEM
11827 ++ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
11828 ++ return -EPERM;
11829 ++#endif
11830 ++
11831 + vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
11832 + size,
11833 + vma->vm_page_prot);
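Review bot: whether gr_handle_mem_mmap refuses only writable mappings or every mapping is not visible here, and it matters: userspace that maps /dev/mem read-only (X servers on some hardware are the usual case) breaks if all mappings are refused, and the Kconfig help should say which. The offset passed, `vma->vm_pgoff << PAGE_SHIFT`, is an unsigned long and therefore truncates physical addresses above 4 GiB on 32-bit PAE kernels; the surrounding code in this function uses the same expression so it is consistent, but the hook's interface should document that it receives a possibly-truncated physical address rather than a pfn.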
11834 +@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
11835 + ssize_t written;
11836 + char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
11837 +
11838 ++#ifdef CONFIG_GRKERNSEC_KMEM
11839 ++ gr_handle_kmem_write();
11840 ++ return -EPERM;
11841 ++#endif
11842 ++
11843 + if (p < (unsigned long) high_memory) {
11844 +
11845 + wrote = count;
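Review bot: here the refusal sits before any validation, so every write attempt to /dev/kmem is logged, whereas in write_mem above it sits after the range check; pick one placement for both so the audit trail is consistent. As in write_mem, the rest of the function (and the locals written, kbuf and wrote) become unreachable when CONFIG_GRKERNSEC_KMEM is on; an #else branch would be cleaner than dead code.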
11846 +@@ -635,6 +655,10 @@ static inline size_t read_zero_pagealign
11847 + struct vm_area_struct * vma;
11848 + unsigned long addr=(unsigned long)buf;
11849 +
11850 ++#ifdef CONFIG_PAX_SEGMEXEC
11851 ++ struct vm_area_struct *vma_m;
11852 ++#endif
11853 ++
11854 + mm = current->mm;
11855 + /* Oops, this was forgotten before. -ben */
11856 + down_read(&mm->mmap_sem);
11857 +@@ -651,8 +675,14 @@ static inline size_t read_zero_pagealign
11858 + if (count > size)
11859 + count = size;
11860 +
11861 ++#ifdef CONFIG_PAX_SEGMEXEC
11862 ++ vma_m = pax_find_mirror_vma(vma);
11863 ++ if (vma_m)
11864 ++ zap_page_range(vma_m, addr + SEGMEXEC_TASK_SIZE, count, NULL);
11865 ++#endif
11866 ++
11867 + zap_page_range(vma, addr, count, NULL);
11868 +- if (zeromap_page_range(vma, addr, count, PAGE_COPY))
11869 ++ if (zeromap_page_range(vma, addr, count, vma->vm_page_prot))
11870 + break;
11871 +
11872 + size -= count;
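Review bot: two unrelated changes share this hunk. The SEGMEXEC mirror zap is correctly confined to CONFIG_PAX_SEGMEXEC and assumes vma_m mirrors vma exactly, so that `addr + SEGMEXEC_TASK_SIZE` with the same count stays inside vma_m; fine if pax_find_mirror_vma guarantees that, say so in a comment. The switch from PAGE_COPY to vma->vm_page_prot is not under any #ifdef and therefore changes read(2) from /dev/zero into a page-aligned mapping for every configuration: pages are now installed with the VMA's own protection instead of a fixed copy-on-write protection. That is arguably the correct behaviour (the old code ignored the mapping's PROT bits), but it is a behavioural change and deserves its own hunk and a sentence in the description.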
11873 +@@ -805,6 +835,16 @@ static loff_t memory_lseek(struct file *
11874 +
11875 + static int open_port(struct inode * inode, struct file * filp)
11876 + {
11877 ++#ifdef CONFIG_GRKERNSEC_KMEM
11878 ++ gr_handle_open_port();
11879 ++ return -EPERM;
11880 ++#endif
11881 ++
11882 ++ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
11883 ++}
11884 ++
11885 ++static int open_mem(struct inode * inode, struct file * filp)
11886 ++{
11887 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
11888 + }
11889 +
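Review bot: with CONFIG_GRKERNSEC_KMEM set the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` in open_port is unreachable; write it as #ifdef/#else. Splitting open_mem out of open_port (and dropping the `#define open_mem open_port` in the next hunk) is needed so that /dev/mem stays openable while /dev/port is refused outright, but note the resulting asymmetry: open_kmem and open_oldmem still alias open_mem, so this option closes /dev/port completely, blocks only write and mmap on /dev/mem, blocks only write on /dev/kmem, and leaves /dev/oldmem untouched. Spell that matrix out in the Kconfig help.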
11890 +@@ -812,7 +852,6 @@ static int open_port(struct inode * inod
11891 + #define full_lseek null_lseek
11892 + #define write_zero write_null
11893 + #define read_full read_zero
11894 +-#define open_mem open_port
11895 + #define open_kmem open_mem
11896 + #define open_oldmem open_mem
11897 +
11898 +@@ -945,6 +984,11 @@ static int memory_open(struct inode * in
11899 + filp->f_op = &oldmem_fops;
11900 + break;
11901 + #endif
11902 ++#ifdef CONFIG_GRKERNSEC
11903 ++ case 13:
11904 ++ filp->f_op = &grsec_fops;
11905 ++ break;
11906 ++#endif
11907 + default:
11908 + return -ENXIO;
11909 + }
11910 +@@ -977,6 +1021,9 @@ static const struct {
11911 + #ifdef CONFIG_CRASH_DUMP
11912 + {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
11913 + #endif
11914 ++#ifdef CONFIG_GRKERNSEC
11915 ++ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
11916 ++#endif
11917 + };
11918 +
11919 + static struct class *mem_class;
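Review bot: `S_IRUSR | S_IWUGO` creates /dev/grsec world-writable (0622), and nothing in this hunk shows how the write side of grsec_fops authenticates or rate-limits a caller. If unprivileged writes are intended (for example so an unprivileged process can attempt the RBAC authentication handshake), say so in the description and point at the check in grsec_fops; otherwise use S_IRUSR | S_IWUSR like the neighbouring oldmem entry. The `case 13:` added to memory_open in the previous hunk and this table entry must be kept in step, and minor 13 of major 1 should be recorded in Documentation/devices.txt.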
11920 +diff -Nurp linux-2.6.23.15/drivers/char/nvram.c linux-2.6.23.15-grsec/drivers/char/nvram.c
11921 +--- linux-2.6.23.15/drivers/char/nvram.c 2007-10-09 21:31:38.000000000 +0100
11922 ++++ linux-2.6.23.15-grsec/drivers/char/nvram.c 2008-02-11 10:37:44.000000000 +0000
11923 +@@ -430,7 +430,10 @@ static const struct file_operations nvra
11924 + static struct miscdevice nvram_dev = {
11925 + NVRAM_MINOR,
11926 + "nvram",
11927 +- &nvram_fops
11928 ++ &nvram_fops,
11929 ++ {NULL, NULL},
11930 ++ NULL,
11931 ++ NULL
11932 + };
11933 +
11934 + static int __init
11935 +diff -Nurp linux-2.6.23.15/drivers/char/random.c linux-2.6.23.15-grsec/drivers/char/random.c
11936 +--- linux-2.6.23.15/drivers/char/random.c 2008-02-11 10:36:03.000000000 +0000
11937 ++++ linux-2.6.23.15-grsec/drivers/char/random.c 2008-02-11 10:37:44.000000000 +0000
11938 +@@ -248,8 +248,13 @@
11939 + /*
11940 + * Configuration information
11941 + */
11942 ++#ifdef CONFIG_GRKERNSEC_RANDNET
11943 ++#define INPUT_POOL_WORDS 512
11944 ++#define OUTPUT_POOL_WORDS 128
11945 ++#else
11946 + #define INPUT_POOL_WORDS 128
11947 + #define OUTPUT_POOL_WORDS 32
11948 ++#endif
11949 + #define SEC_XFER_SIZE 512
11950 +
11951 + /*
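Review bot: quadrupling INPUT_POOL_WORDS and OUTPUT_POOL_WORDS raises the entropy ceiling (4096 to 16384 bits for the input pool, 1024 to 4096 for the output pools, from the values visible here) but does nothing for the entropy input rate; the Kconfig help for CONFIG_GRKERNSEC_RANDNET should say exactly that, because "more randomness" is the obvious misreading. Please also check any temporary buffers sized from OUTPUT_POOL_WORDS in the extraction path, since they grow fourfold with this change, including any that live on the stack.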
11952 +@@ -286,10 +291,17 @@ static struct poolinfo {
11953 + int poolwords;
11954 + int tap1, tap2, tap3, tap4, tap5;
11955 + } poolinfo_table[] = {
11956 ++#ifdef CONFIG_GRKERNSEC_RANDNET
11957 ++ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
11958 ++ { 512, 411, 308, 208, 104, 1 },
11959 ++ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
11960 ++ { 128, 103, 76, 51, 25, 1 },
11961 ++#else
11962 + /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
11963 + { 128, 103, 76, 51, 25, 1 },
11964 + /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
11965 + { 32, 26, 20, 14, 7, 1 },
11966 ++#endif
11967 + #if 0
11968 + /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
11969 + { 2048, 1638, 1231, 819, 411, 1 },
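Review bot: the mixing function's quality depends on the taps coming from a primitive polynomial over GF(2), and the new 512-word entry `{ 512, 411, 308, 208, 104, 1 }` gives no provenance, unlike the existing entries whose comments (and trailing figures 105 and 15) follow the scheme explained at the top of random.c; state where the 512 polynomial and its "225" come from and verify it the same way. Also the 128-word entry is duplicated in both branches of the #ifdef; only the first and last table entries differ, so restructure to avoid repeating it. The table order is load-bearing (entry 0 sizes the input pool, entry 1 the output pools) and matches the INPUT_POOL_WORDS/OUTPUT_POOL_WORDS change above, which is good, but a comment tying the two together would help.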
11970 +@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
11971 + #include <linux/sysctl.h>
11972 +
11973 + static int min_read_thresh = 8, min_write_thresh;
11974 +-static int max_read_thresh = INPUT_POOL_WORDS * 32;
11975 ++static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
11976 + static int max_write_thresh = INPUT_POOL_WORDS * 32;
11977 + static char sysctl_bootid[16];
11978 +
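Review bot: this line is not under CONFIG_GRKERNSEC_RANDNET and is not a warning fix, yet it lowers the admin-settable ceiling of the random_read_wakeup_thresh sysctl from INPUT_POOL_WORDS * 32 (4096 bits) to OUTPUT_POOL_WORDS * 32 (1024 bits) on every build. As far as I can see the read wakeup threshold is compared against the input pool's entropy count, so bounding it by the output pool size looks like the wrong pool; if there is a reason, put it in the description and split this into its own hunk, otherwise gate it or drop it.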
11979 +diff -Nurp linux-2.6.23.15/drivers/char/vt_ioctl.c linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c
11980 +--- linux-2.6.23.15/drivers/char/vt_ioctl.c 2007-10-09 21:31:38.000000000 +0100
11981 ++++ linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c 2008-02-11 10:37:44.000000000 +0000
11982 +@@ -95,6 +95,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
11983 + case KDSKBENT:
11984 + if (!perm)
11985 + return -EPERM;
11986 ++
11987 ++#ifdef CONFIG_GRKERNSEC
11988 ++ if (!capable(CAP_SYS_TTY_CONFIG))
11989 ++ return -EPERM;
11990 ++#endif
11991 ++
11992 + if (!i && v == K_NOSUCHMAP) {
11993 + /* deallocate map */
11994 + key_map = key_maps[s];
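Review bot: `perm` has already been checked two lines above, so this only bites a caller that satisfied perm without holding CAP_SYS_TTY_CONFIG; if perm can be granted through ownership of the console, that path (an ordinary user running loadkeys on their own VT) is now closed. Unlike the other hooks in this patch it is a hard capable() test under the umbrella CONFIG_GRKERNSEC rather than a gr_handle_* call that respects a sysctl, so it cannot be turned off at runtime; document the behaviour change in the Kconfig help or route it through the same mechanism as the other hooks.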
11995 +@@ -235,6 +241,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
11996 + goto reterr;
11997 + }
11998 +
11999 ++#ifdef CONFIG_GRKERNSEC
12000 ++ if (!capable(CAP_SYS_TTY_CONFIG)) {
12001 ++ ret = -EPERM;
12002 ++ goto reterr;
12003 ++ }
12004 ++#endif
12005 ++
12006 + q = func_table[i];
12007 + first_free = funcbufptr + (funcbufsize - funcbufleft);
12008 + for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
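Review bot: the context (`q = func_table[i]; first_free = funcbufptr + ...`) confirms this is the KDSKBSENT set path, which is right, but the check comes after the user's string has already been copied in and validated (the `goto reterr` above shows that work happening first). Move it to the top of the set branch, before any copy or allocation, so the refusal is cheap and independent of user-supplied data; `goto reterr` is still correct there as long as reterr only frees what was allocated. Same sysctl-versus-capable() comment as for KDSKBENT above.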
12009 +diff -Nurp linux-2.6.23.15/drivers/dma/ioatdma.c linux-2.6.23.15-grsec/drivers/dma/ioatdma.c
12010 +--- linux-2.6.23.15/drivers/dma/ioatdma.c 2007-10-09 21:31:38.000000000 +0100
12011 ++++ linux-2.6.23.15-grsec/drivers/dma/ioatdma.c 2008-02-11 10:37:44.000000000 +0000
12012 +@@ -244,7 +244,6 @@ static void ioat_dma_free_chan_resources
12013 + struct ioat_dma_chan *ioat_chan = to_ioat_chan(chan);
12014 + struct ioat_device *ioat_device = to_ioat_device(chan->device);
12015 + struct ioat_desc_sw *desc, *_desc;
12016 +- u16 chanctrl;
12017 + int in_use_descs = 0;
12018 +
12019 + ioat_dma_memcpy_cleanup(ioat_chan);
12020 +diff -Nurp linux-2.6.23.15/drivers/edac/edac_core.h linux-2.6.23.15-grsec/drivers/edac/edac_core.h
12021 +--- linux-2.6.23.15/drivers/edac/edac_core.h 2007-10-09 21:31:38.000000000 +0100
12022 ++++ linux-2.6.23.15-grsec/drivers/edac/edac_core.h 2008-02-11 10:37:44.000000000 +0000
12023 +@@ -86,11 +86,11 @@ extern int edac_debug_level;
12024 +
12025 + #else /* !CONFIG_EDAC_DEBUG */
12026 +
12027 +-#define debugf0( ... )
12028 +-#define debugf1( ... )
12029 +-#define debugf2( ... )
12030 +-#define debugf3( ... )
12031 +-#define debugf4( ... )
12032 ++#define debugf0( ... ) do {} while (0)
12033 ++#define debugf1( ... ) do {} while (0)
12034 ++#define debugf2( ... ) do {} while (0)
12035 ++#define debugf3( ... ) do {} while (0)
12036 ++#define debugf4( ... ) do {} while (0)
12037 +
12038 + #endif /* !CONFIG_EDAC_DEBUG */
12039 +
12040 +diff -Nurp linux-2.6.23.15/drivers/hwmon/fscpos.c linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c
12041 +--- linux-2.6.23.15/drivers/hwmon/fscpos.c 2007-10-09 21:31:38.000000000 +0100
12042 ++++ linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c 2008-02-11 10:37:44.000000000 +0000
12043 +@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
12044 + unsigned long v = simple_strtoul(buf, NULL, 10);
12045 +
12046 + /* Range: 0..255 */
12047 +- if (v < 0) v = 0;
12048 + if (v > 255) v = 255;
12049 +
12050 + mutex_lock(&data->update_lock);
12051 +diff -Nurp linux-2.6.23.15/drivers/hwmon/k8temp.c linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c
12052 +--- linux-2.6.23.15/drivers/hwmon/k8temp.c 2007-10-09 21:31:38.000000000 +0100
12053 ++++ linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c 2008-02-11 10:37:44.000000000 +0000
12054 +@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
12055 +
12056 + static struct pci_device_id k8temp_ids[] = {
12057 + { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
12058 +- { 0 },
12059 ++ { 0, 0, 0, 0, 0, 0, 0 },
12060 + };
12061 +
12062 + MODULE_DEVICE_TABLE(pci, k8temp_ids);
12063 +diff -Nurp linux-2.6.23.15/drivers/hwmon/sis5595.c linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c
12064 +--- linux-2.6.23.15/drivers/hwmon/sis5595.c 2007-10-09 21:31:38.000000000 +0100
12065 ++++ linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c 2008-02-11 10:37:44.000000000 +0000
12066 +@@ -673,7 +673,7 @@ static struct sis5595_data *sis5595_upda
12067 +
12068 + static struct pci_device_id sis5595_pci_ids[] = {
12069 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
12070 +- { 0, }
12071 ++ { 0, 0, 0, 0, 0, 0, 0 }
12072 + };
12073 +
12074 + MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
12075 +diff -Nurp linux-2.6.23.15/drivers/hwmon/thmc50.c linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c
12076 +--- linux-2.6.23.15/drivers/hwmon/thmc50.c 2007-10-09 21:31:38.000000000 +0100
12077 ++++ linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c 2008-02-11 10:37:44.000000000 +0000
12078 +@@ -47,9 +47,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
12079 + #define THMC50_REG_DIE_CODE 0x3F
12080 + #define THMC50_REG_ANALOG_OUT 0x19
12081 +
12082 +-const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
12083 +-const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
12084 +-const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
12085 ++static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
12086 ++static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
12087 ++static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
12088 +
12089 + #define THMC50_REG_CONF_nFANOFF 0x20
12090 +
12091 +diff -Nurp linux-2.6.23.15/drivers/hwmon/via686a.c linux-2.6.23.15-grsec/drivers/hwmon/via686a.c
12092 +--- linux-2.6.23.15/drivers/hwmon/via686a.c 2007-10-09 21:31:38.000000000 +0100
12093 ++++ linux-2.6.23.15-grsec/drivers/hwmon/via686a.c 2008-02-11 10:37:44.000000000 +0000
12094 +@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
12095 +
12096 + static struct pci_device_id via686a_pci_ids[] = {
12097 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
12098 +- { 0, }
12099 ++ { 0, 0, 0, 0, 0, 0, 0 }
12100 + };
12101 +
12102 + MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
12103 +diff -Nurp linux-2.6.23.15/drivers/hwmon/vt8231.c linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c
12104 +--- linux-2.6.23.15/drivers/hwmon/vt8231.c 2007-10-09 21:31:38.000000000 +0100
12105 ++++ linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c 2008-02-11 10:37:44.000000000 +0000
12106 +@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
12107 +
12108 + static struct pci_device_id vt8231_pci_ids[] = {
12109 + { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
12110 +- { 0, }
12111 ++ { 0, 0, 0, 0, 0, 0, 0 }
12112 + };
12113 +
12114 + MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
12115 +diff -Nurp linux-2.6.23.15/drivers/hwmon/w83791d.c linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c
12116 +--- linux-2.6.23.15/drivers/hwmon/w83791d.c 2007-10-09 21:31:38.000000000 +0100
12117 ++++ linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c 2008-02-11 10:37:44.000000000 +0000
12118 +@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
12119 + static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
12120 + static int w83791d_detach_client(struct i2c_client *client);
12121 +
12122 +-static int w83791d_read(struct i2c_client *client, u8 register);
12123 +-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
12124 ++static int w83791d_read(struct i2c_client *client, u8 reg);
12125 ++static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
12126 + static struct w83791d_data *w83791d_update_device(struct device *dev);
12127 +
12128 + #ifdef DEBUG
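Review bot: worth a line in the description that `u8 register` was parsed as the storage-class specifier register applied to an unnamed parameter (which is why it compiled), not as a parameter named register; the rename to reg fixes the declaration without changing the definitions, so please confirm the definitions already use reg or are updated in the same patch.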
12129 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c
12130 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c 2007-10-09 21:31:38.000000000 +0100
12131 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c 2008-02-11 10:37:44.000000000 +0000
12132 +@@ -543,7 +543,7 @@ static struct pci_device_id i801_ids[] =
12133 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ESB2_17) },
12134 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
12135 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
12136 +- { 0, }
12137 ++ { 0, 0, 0, 0, 0, 0, 0 }
12138 + };
12139 +
12140 + MODULE_DEVICE_TABLE (pci, i801_ids);
12141 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c
12142 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c 2007-10-09 21:31:38.000000000 +0100
12143 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c 2008-02-11 10:37:44.000000000 +0000
12144 +@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
12145 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
12146 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
12147 + { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
12148 +- { 0, },
12149 ++ { 0, 0, 0, 0, 0, 0, 0 },
12150 + };
12151 +
12152 + MODULE_DEVICE_TABLE (pci, i810_ids);
12153 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c
12154 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c 2007-10-09 21:31:38.000000000 +0100
12155 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c 2008-02-11 10:37:44.000000000 +0000
12156 +@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
12157 + .ident = "IBM",
12158 + .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
12159 + },
12160 +- { },
12161 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
12162 + };
12163 +
12164 + static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
12165 +@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
12166 + .driver_data = 3 },
12167 + { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
12168 + .driver_data = 0 },
12169 +- { 0, }
12170 ++ { 0, 0, 0, 0, 0, 0, 0 }
12171 + };
12172 +
12173 + MODULE_DEVICE_TABLE (pci, piix4_ids);
12174 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c
12175 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c 2007-10-09 21:31:38.000000000 +0100
12176 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c 2008-02-11 10:37:44.000000000 +0000
12177 +@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
12178 + static struct pci_device_id sis630_ids[] __devinitdata = {
12179 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
12180 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
12181 +- { 0, }
12182 ++ { PCI_DEVICE(0, 0) }
12183 + };
12184 +
12185 + MODULE_DEVICE_TABLE (pci, sis630_ids);
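Review bot: `{ PCI_DEVICE(0, 0) }` is not an all-zero terminator. PCI_DEVICE() sets .subvendor and .subdevice to PCI_ANY_ID, and the PCI ID matcher stops only at an entry whose vendor, subvendor and class_mask are all zero, so this entry does not end the table: matching walks past the end of sis630_ids into whatever follows it in memory. Use the same `{ 0, 0, 0, 0, 0, 0, 0 }` form the other pci_device_id terminators in this patch use.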
12186 +diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c
12187 +--- linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c 2007-10-09 21:31:38.000000000 +0100
12188 ++++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c 2008-02-11 10:37:44.000000000 +0000
12189 +@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
12190 +
12191 + static struct pci_device_id sis96x_ids[] = {
12192 + { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
12193 +- { 0, }
12194 ++ { PCI_DEVICE(0, 0) }
12195 + };
12196 +
12197 + MODULE_DEVICE_TABLE (pci, sis96x_ids);
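Review bot: same problem as i2c-sis630.c above: PCI_DEVICE(0, 0) leaves subvendor and subdevice set to PCI_ANY_ID, so the matcher does not treat this entry as the end of sis96x_ids. Replace with the explicit all-zero terminator.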
12198 +diff -Nurp linux-2.6.23.15/drivers/ide/ide-cd.c linux-2.6.23.15-grsec/drivers/ide/ide-cd.c
12199 +--- linux-2.6.23.15/drivers/ide/ide-cd.c 2007-10-09 21:31:38.000000000 +0100
12200 ++++ linux-2.6.23.15-grsec/drivers/ide/ide-cd.c 2008-02-11 10:37:44.000000000 +0000
12201 +@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
12202 + sector &= ~(bio_sectors -1);
12203 + valid = (sector - failed_command->sector) << 9;
12204 +
12205 +- if (valid < 0)
12206 +- valid = 0;
12207 + if (sector < get_capacity(info->disk) &&
12208 + drive->probed_capacity - sector < 4 * 75) {
12209 + set_capacity(info->disk, sector);
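Review bot: removing `if (valid < 0) valid = 0;` is only a pure cleanup if valid is unsigned (the always-false warning this hunk answers suggests it is). In that case the clamp the original author wanted, for a sector that precedes failed_command->sector, was never in effect, and the shifted difference wraps to a huge value; if that case can occur, the real fix is to test `sector < failed_command->sector` before computing valid rather than to delete the dead test and move on.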
12210 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/dv1394.c linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c
12211 +--- linux-2.6.23.15/drivers/ieee1394/dv1394.c 2007-10-09 21:31:38.000000000 +0100
12212 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c 2008-02-11 10:37:44.000000000 +0000
12213 +@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
12214 + based upon DIF section and sequence
12215 + */
12216 +
12217 +-static void inline
12218 ++static inline void
12219 + frame_put_packet (struct frame *f, struct packet *p)
12220 + {
12221 + int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
12222 +@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
12223 + /* default SYT offset is 3 cycles */
12224 + init->syt_offset = 3;
12225 +
12226 +- if ( (init->channel > 63) || (init->channel < 0) )
12227 ++ if (init->channel > 63)
12228 + init->channel = 63;
12229 +
12230 + chan_mask = (u64)1 << init->channel;
12231 +@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
12232 + .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
12233 + .version = AVC_SW_VERSION_ENTRY & 0xffffff
12234 + },
12235 +- { }
12236 ++ { 0, 0, 0, 0, 0, 0 }
12237 + };
12238 +
12239 + MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
12240 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/eth1394.c linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c
12241 +--- linux-2.6.23.15/drivers/ieee1394/eth1394.c 2007-10-09 21:31:38.000000000 +0100
12242 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c 2008-02-11 10:37:44.000000000 +0000
12243 +@@ -449,7 +449,7 @@ static struct ieee1394_device_id eth1394
12244 + .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
12245 + .version = ETHER1394_GASP_VERSION,
12246 + },
12247 +- {}
12248 ++ { 0, 0, 0, 0, 0, 0 }
12249 + };
12250 +
12251 + MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
12252 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/hosts.c linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c
12253 +--- linux-2.6.23.15/drivers/ieee1394/hosts.c 2007-10-09 21:31:38.000000000 +0100
12254 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c 2008-02-11 10:37:44.000000000 +0000
12255 +@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
12256 + }
12257 +
12258 + static struct hpsb_host_driver dummy_driver = {
12259 ++ .name = "dummy",
12260 + .transmit_packet = dummy_transmit_packet,
12261 + .devctl = dummy_devctl,
12262 + .isoctl = dummy_isoctl
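Review bot: adding `.name = "dummy"` is a functional change, not a warning fix (designated initializers do not trigger -Wmissing-field-initializers), and the hunk does not say why it is needed; if something dereferences driver->name for the dummy host and crashed on NULL, say so in the description, otherwise this is a stray change.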
12263 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/ohci1394.c linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c
12264 +--- linux-2.6.23.15/drivers/ieee1394/ohci1394.c 2007-10-09 21:31:38.000000000 +0100
12265 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c 2008-02-11 10:37:44.000000000 +0000
12266 +@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
12267 + printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
12268 +
12269 + /* Module Parameters */
12270 +-static int phys_dma = 1;
12271 ++static int phys_dma;
12272 + module_param(phys_dma, int, 0444);
12273 +-MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
12274 ++MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
12275 +
12276 + static void dma_trm_tasklet(unsigned long data);
12277 + static void dma_trm_reset(struct dma_trm_ctx *d);
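Review bot: flipping phys_dma to default off is a sound hardening: with physical DMA enabled, any device on the FireWire bus can use the OHCI physical response unit to read and write host RAM without the kernel seeing a request, so this should be named as the motivation in the description. It is also a behaviour change for everyone who loads ohci1394 without parameters; protocols that relied on the physical response unit (sbp2's ORB and data fetches at least) now depend on the host's software request handling, so say whether they still work and at what cost, and point out that the 0444 permission means the value can only be changed at load time with `phys_dma=1`, not through sysfs afterwards. The MODULE_PARM_DESC update keeping "default = 0" in step with the code is appreciated.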
12278 +@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
12279 + .subvendor = PCI_ANY_ID,
12280 + .subdevice = PCI_ANY_ID,
12281 + },
12282 +- { 0, },
12283 ++ { 0, 0, 0, 0, 0, 0, 0 },
12284 + };
12285 +
12286 + MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
12287 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/raw1394.c linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c
12288 +--- linux-2.6.23.15/drivers/ieee1394/raw1394.c 2007-10-09 21:31:38.000000000 +0100
12289 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c 2008-02-11 10:37:44.000000000 +0000
12290 +@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
12291 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
12292 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
12293 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
12294 +- {}
12295 ++ { 0, 0, 0, 0, 0, 0 }
12296 + };
12297 +
12298 + MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
12299 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/sbp2.c linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c
12300 +--- linux-2.6.23.15/drivers/ieee1394/sbp2.c 2007-10-09 21:31:38.000000000 +0100
12301 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c 2008-02-11 10:37:44.000000000 +0000
12302 +@@ -272,7 +272,7 @@ static struct ieee1394_device_id sbp2_id
12303 + .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
12304 + .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
12305 + .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
12306 +- {}
12307 ++ { 0, 0, 0, 0, 0, 0 }
12308 + };
12309 + MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
12310 +
12311 +@@ -2063,7 +2063,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
12312 + MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
12313 + MODULE_LICENSE("GPL");
12314 +
12315 +-static int sbp2_module_init(void)
12316 ++static int __init sbp2_module_init(void)
12317 + {
12318 + int ret;
12319 +
12320 +diff -Nurp linux-2.6.23.15/drivers/ieee1394/video1394.c linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c
12321 +--- linux-2.6.23.15/drivers/ieee1394/video1394.c 2007-10-09 21:31:38.000000000 +0100
12322 ++++ linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c 2008-02-11 10:37:44.000000000 +0000
12323 +@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
12324 + if (unlikely(d == NULL))
12325 + return -EFAULT;
12326 +
12327 +- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
12328 ++ if (unlikely(v.buffer>=d->num_desc - 1)) {
12329 + PRINT(KERN_ERR, ohci->host->id,
12330 + "Buffer %d out of range",v.buffer);
12331 + return -EINVAL;
12332 +@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
12333 + if (unlikely(d == NULL))
12334 + return -EFAULT;
12335 +
12336 +- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
12337 ++ if (unlikely(v.buffer>d->num_desc - 1)) {
12338 + PRINT(KERN_ERR, ohci->host->id,
12339 + "Buffer %d out of range",v.buffer);
12340 + return -EINVAL;
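Review bot: this check uses `>` where the three neighbouring hunks use `>=` against `d->num_desc - 1`, so this ioctl path accepts one more buffer index than the others. The inconsistency is pre-existing, but since the patch is rewriting exactly these comparisons it is the right moment either to align them or to document why this one differs.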
12341 +@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
12342 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
12343 + if (d == NULL) return -EFAULT;
12344 +
12345 +- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
12346 ++ if (v.buffer>=d->num_desc - 1) {
12347 + PRINT(KERN_ERR, ohci->host->id,
12348 + "Buffer %d out of range",v.buffer);
12349 + return -EINVAL;
12350 +@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
12351 + d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
12352 + if (d == NULL) return -EFAULT;
12353 +
12354 +- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
12355 ++ if (v.buffer>=d->num_desc-1) {
12356 + PRINT(KERN_ERR, ohci->host->id,
12357 + "Buffer %d out of range",v.buffer);
12358 + return -EINVAL;
12359 +@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
12360 + .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
12361 + .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
12362 + },
12363 +- { }
12364 ++ { 0, 0, 0, 0, 0, 0 }
12365 + };
12366 +
12367 + MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
12368 +diff -Nurp linux-2.6.23.15/drivers/input/keyboard/atkbd.c linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c
12369 +--- linux-2.6.23.15/drivers/input/keyboard/atkbd.c 2007-10-09 21:31:38.000000000 +0100
12370 ++++ linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c 2008-02-11 10:37:44.000000000 +0000
12371 +@@ -1075,7 +1075,7 @@ static struct serio_device_id atkbd_seri
12372 + .id = SERIO_ANY,
12373 + .extra = SERIO_ANY,
12374 + },
12375 +- { 0 }
12376 ++ { 0, 0, 0, 0 }
12377 + };
12378 +
12379 + MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
12380 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/lifebook.c linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c
12381 +--- linux-2.6.23.15/drivers/input/mouse/lifebook.c 2007-10-09 21:31:38.000000000 +0100
12382 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c 2008-02-11 10:37:44.000000000 +0000
12383 +@@ -102,7 +102,7 @@ static struct dmi_system_id lifebook_dmi
12384 + DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
12385 + },
12386 + },
12387 +- { }
12388 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
12389 + };
12390 +
12391 + static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
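Review bot: the new terminator works because the DMI table walk stops at the first entry whose `ident` (the first positional field) is NULL, but spelling every field positionally, including the nested `{DMI_MATCH(DMI_NONE, NULL)}`, ties the sentinel to the layout of `struct dmi_system_id` and its match array. `{ .ident = NULL }` states the stop condition directly. Also, this line lacks the space before the closing `}` that the synaptics and i8042 sentinels in this patch use.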
12392 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/psmouse-base.c linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c
12393 +--- linux-2.6.23.15/drivers/input/mouse/psmouse-base.c 2007-10-09 21:31:38.000000000 +0100
12394 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c 2008-02-11 10:37:44.000000000 +0000
12395 +@@ -1325,7 +1325,7 @@ static struct serio_device_id psmouse_se
12396 + .id = SERIO_ANY,
12397 + .extra = SERIO_ANY,
12398 + },
12399 +- { 0 }
12400 ++ { 0, 0, 0, 0 }
12401 + };
12402 +
12403 + MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
12404 +diff -Nurp linux-2.6.23.15/drivers/input/mouse/synaptics.c linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c
12405 +--- linux-2.6.23.15/drivers/input/mouse/synaptics.c 2007-10-09 21:31:38.000000000 +0100
12406 ++++ linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c 2008-02-11 10:37:44.000000000 +0000
12407 +@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
12408 + break;
12409 + case 2:
12410 + if (SYN_MODEL_PEN(priv->model_id))
12411 +- ; /* Nothing, treat a pen as a single finger */
12412 ++ break; /* Nothing, treat a pen as a single finger */
12413 + break;
12414 + case 4 ... 15:
12415 + if (SYN_CAP_PALMDETECT(priv->capabilities))
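Review bot: after this change `case 2` reads `if (pen) break; break;`, which is correct but misleading, since both paths leave the switch and a reader will look for a difference between the pen and non-pen cases. Drop the conditional entirely and keep just the comment followed by the single `break;`.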
12416 +@@ -624,7 +624,7 @@ static struct dmi_system_id toshiba_dmi_
12417 + DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
12418 + },
12419 + },
12420 +- { }
12421 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12422 + };
12423 + #endif
12424 +
12425 +diff -Nurp linux-2.6.23.15/drivers/input/mousedev.c linux-2.6.23.15-grsec/drivers/input/mousedev.c
12426 +--- linux-2.6.23.15/drivers/input/mousedev.c 2008-02-11 10:36:03.000000000 +0000
12427 ++++ linux-2.6.23.15-grsec/drivers/input/mousedev.c 2008-02-11 10:37:44.000000000 +0000
12428 +@@ -1048,7 +1048,7 @@ static struct input_handler mousedev_han
12429 +
12430 + #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
12431 + static struct miscdevice psaux_mouse = {
12432 +- PSMOUSE_MINOR, "psaux", &mousedev_fops
12433 ++ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
12434 + };
12435 + static int psaux_registered;
12436 + #endif
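Review bot: positional initialization of `struct miscdevice` now spells out the list head and the two trailing pointer fields by order, so the initializer breaks silently if a field is inserted or reordered. `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops` gives the same zero-filled result with no dependency on the layout.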
12437 +diff -Nurp linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h
12438 +--- linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h 2007-10-09 21:31:38.000000000 +0100
12439 ++++ linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h 2008-02-11 10:37:44.000000000 +0000
12440 +@@ -110,7 +110,7 @@ static struct dmi_system_id __initdata i
12441 + DMI_MATCH(DMI_PRODUCT_VERSION, "5a"),
12442 + },
12443 + },
12444 +- { }
12445 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12446 + };
12447 +
12448 + /*
12449 +@@ -262,7 +262,7 @@ static struct dmi_system_id __initdata i
12450 + DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
12451 + },
12452 + },
12453 +- { }
12454 ++ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
12455 + };
12456 +
12457 +
12458 +diff -Nurp linux-2.6.23.15/drivers/input/serio/serio_raw.c linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c
12459 +--- linux-2.6.23.15/drivers/input/serio/serio_raw.c 2007-10-09 21:31:38.000000000 +0100
12460 ++++ linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c 2008-02-11 10:37:44.000000000 +0000
12461 +@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
12462 + .id = SERIO_ANY,
12463 + .extra = SERIO_ANY,
12464 + },
12465 +- { 0 }
12466 ++ { 0, 0, 0, 0 }
12467 + };
12468 +
12469 + MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
12470 +diff -Nurp linux-2.6.23.15/drivers/kvm/kvm_main.c linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c
12471 +--- linux-2.6.23.15/drivers/kvm/kvm_main.c 2008-02-11 10:36:03.000000000 +0000
12472 ++++ linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c 2008-02-11 10:37:44.000000000 +0000
12473 +@@ -63,21 +63,21 @@ static struct kvm_stats_debugfs_item {
12474 + int offset;
12475 + struct dentry *dentry;
12476 + } debugfs_entries[] = {
12477 +- { "pf_fixed", STAT_OFFSET(pf_fixed) },
12478 +- { "pf_guest", STAT_OFFSET(pf_guest) },
12479 +- { "tlb_flush", STAT_OFFSET(tlb_flush) },
12480 +- { "invlpg", STAT_OFFSET(invlpg) },
12481 +- { "exits", STAT_OFFSET(exits) },
12482 +- { "io_exits", STAT_OFFSET(io_exits) },
12483 +- { "mmio_exits", STAT_OFFSET(mmio_exits) },
12484 +- { "signal_exits", STAT_OFFSET(signal_exits) },
12485 +- { "irq_window", STAT_OFFSET(irq_window_exits) },
12486 +- { "halt_exits", STAT_OFFSET(halt_exits) },
12487 +- { "request_irq", STAT_OFFSET(request_irq_exits) },
12488 +- { "irq_exits", STAT_OFFSET(irq_exits) },
12489 +- { "light_exits", STAT_OFFSET(light_exits) },
12490 +- { "efer_reload", STAT_OFFSET(efer_reload) },
12491 +- { NULL }
12492 ++ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
12493 ++ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
12494 ++ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
12495 ++ { "invlpg", STAT_OFFSET(invlpg), NULL },
12496 ++ { "exits", STAT_OFFSET(exits), NULL },
12497 ++ { "io_exits", STAT_OFFSET(io_exits), NULL },
12498 ++ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
12499 ++ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
12500 ++ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
12501 ++ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
12502 ++ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
12503 ++ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
12504 ++ { "light_exits", STAT_OFFSET(light_exits), NULL },
12505 ++ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
12506 ++ { NULL, 0, NULL }
12507 + };
12508 +
12509 + static struct dentry *debugfs_dir;
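Review bot: the 14 rewritten entries exist only to append a `NULL` for the `dentry` field, which the original initializer already zero-filled. A small helper macro built on the existing `STAT_OFFSET` pattern that supplies the trailing `NULL` would cut the churn and leave `{ NULL, 0, NULL }` as the only hand-written sentinel.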
12510 +@@ -2255,7 +2255,7 @@ static int kvm_vcpu_ioctl_translate(stru
12511 + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
12512 + struct kvm_interrupt *irq)
12513 + {
12514 +- if (irq->irq < 0 || irq->irq >= 256)
12515 ++ if (irq->irq >= 256)
12516 + return -EINVAL;
12517 + vcpu_load(vcpu);
12518 +
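Review bot: `irq->irq` comes from userspace through the ioctl, so removing `irq->irq < 0` is only correct if the field in `struct kvm_interrupt` is an unsigned type; the hunk does not show the definition. If the field were signed, this would drop the lower bound and let a negative value past the `>= 256` test into the injection path. State the type in the commit message or add a comment at the check.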
12519 +@@ -2895,6 +2895,9 @@ static struct miscdevice kvm_dev = {
12520 + KVM_MINOR,
12521 + "kvm",
12522 + &kvm_chardev_ops,
12523 ++ {NULL, NULL},
12524 ++ NULL,
12525 ++ NULL
12526 + };
12527 +
12528 + static int kvm_reboot(struct notifier_block *notifier, unsigned long val,
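Review bot: the three added lines initialise fields that were already zero-filled, and they do so positionally, so `kvm_dev` now breaks if `struct miscdevice` gains or reorders a field. Converting the whole initializer to designated form (`.minor = KVM_MINOR`, `.name = "kvm"`, `.fops = &kvm_chardev_ops`) is cleaner than appending `{NULL, NULL}, NULL, NULL`.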
12529 +diff -Nurp linux-2.6.23.15/drivers/kvm/vmx.c linux-2.6.23.15-grsec/drivers/kvm/vmx.c
12530 +--- linux-2.6.23.15/drivers/kvm/vmx.c 2008-02-11 10:36:03.000000000 +0000
12531 ++++ linux-2.6.23.15-grsec/drivers/kvm/vmx.c 2008-02-11 10:37:44.000000000 +0000
12532 +@@ -2148,7 +2148,7 @@ again:
12533 +
12534 + vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
12535 +
12536 +- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
12537 ++ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
12538 +
12539 + if (unlikely(fail)) {
12540 + kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
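Review bot: swapping `__USER_DS` for `__KERNEL_DS` in the `ds`/`es` reload after the VM exit changes which data segment selector is live in kernel context from this point on, yet nothing in the hunk records why. This diverges from upstream and will be lost or misread on the next rebase; add a one-line comment beside the `asm` stating why the kernel data segment is required here.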
12541 +diff -Nurp linux-2.6.23.15/drivers/kvm/x86_emulate.c linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c
12542 +--- linux-2.6.23.15/drivers/kvm/x86_emulate.c 2008-02-11 10:36:03.000000000 +0000
12543 ++++ linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c 2008-02-11 10:37:44.000000000 +0000
12544 +@@ -823,7 +823,7 @@ done_prefixes:
12545 + case DstReg:
12546 + dst.type = OP_REG;
12547 + if ((d & ByteOp)
12548 +- && !(twobyte_table && (b == 0xb6 || b == 0xb7))) {
12549 ++ && !(twobyte && (b == 0xb6 || b == 0xb7))) {
12550 + dst.ptr = decode_register(modrm_reg, _regs,
12551 + (rex_prefix == 0));
12552 + dst.val = *(u8 *) dst.ptr;
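Review bot: if `twobyte_table` is the opcode table array, its address is never NULL and the old condition reduced to `!(b == 0xb6 || b == 0xb7)`, so any one-byte opcode 0xb6/0xb7 with `ByteOp` set was decoded as if it were the two-byte movzx form; testing the `twobyte` flag fixes that. This is an emulator correctness fix rather than a hardening change and deserves its own commit message and an upstream submission.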
12553 +diff -Nurp linux-2.6.23.15/drivers/md/bitmap.c linux-2.6.23.15-grsec/drivers/md/bitmap.c
12554 +--- linux-2.6.23.15/drivers/md/bitmap.c 2008-02-11 10:36:03.000000000 +0000
12555 ++++ linux-2.6.23.15-grsec/drivers/md/bitmap.c 2008-02-11 10:37:44.000000000 +0000
12556 +@@ -57,7 +57,7 @@
12557 + # if DEBUG > 0
12558 + # define PRINTK(x...) printk(KERN_DEBUG x)
12559 + # else
12560 +-# define PRINTK(x...)
12561 ++# define PRINTK(x...) do {} while (0)
12562 + # endif
12563 + #endif
12564 +
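Review bot: replacing the empty `PRINTK` expansion with `do {} while (0)` is the right idiom; an empty expansion followed by `;` leaves a bare null statement that can capture the `else` of an unbraced `if`. The same fix is applied to `rx_align` and `SCSI_CHECK_LOGGING` later in this patch.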
12565 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2000.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c
12566 +--- linux-2.6.23.15/drivers/mtd/devices/doc2000.c 2007-10-09 21:31:38.000000000 +0100
12567 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c 2008-02-11 10:37:44.000000000 +0000
12568 +@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
12569 + len = ((from | 0x1ff) + 1) - from;
12570 +
12571 + /* The ECC will not be calculated correctly if less than 512 is read */
12572 +- if (len != 0x200 && eccbuf)
12573 ++ if (len != 0x200)
12574 + printk(KERN_WARNING
12575 + "ECC needs a full sector read (adr: %lx size %lx)\n",
12576 + (long) from, (long) len);
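Review bot: whether dropping `&& eccbuf` changes behaviour depends on what `eccbuf` is, and the hunk does not show its declaration. If it is a local array, the test was always true and this is a pure warning fix; if it is still a pointer argument, the warning now also fires for reads that never asked for ECC. Say which in the commit message; the same question applies to `eccbuf && before` in doc2001plus.c below.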
12577 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c
12578 +--- linux-2.6.23.15/drivers/mtd/devices/doc2001.c 2007-10-09 21:31:38.000000000 +0100
12579 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c 2008-02-11 10:37:44.000000000 +0000
12580 +@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
12581 + /* Don't allow read past end of device */
12582 + if (from >= this->totlen)
12583 + return -EINVAL;
12584 ++ if (!len)
12585 ++ return -EINVAL;
12586 +
12587 + /* Don't allow a single read to cross a 512-byte block boundary */
12588 + if (from + len > ((from | 0x1ff) + 1))
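Review bot: returning `-EINVAL` for `len == 0` is a behaviour change with no comment saying what it guards. If it protects a later computation that underflows on a zero length, state that at the check; otherwise a zero-length read is normally a successful no-op (`*retlen = 0; return 0;`) rather than an error, and callers may not expect the failure.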
12589 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c
12590 +--- linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c 2007-10-09 21:31:38.000000000 +0100
12591 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c 2008-02-11 10:37:44.000000000 +0000
12592 +@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
12593 + WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
12594 +
12595 + /* On interleaved devices the flags for 2nd half 512 are before data */
12596 +- if (eccbuf && before)
12597 ++ if (before)
12598 + fto -= 2;
12599 +
12600 + /* issue the Serial Data In command to initial the Page Program process */
12601 +diff -Nurp linux-2.6.23.15/drivers/mtd/devices/slram.c linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c
12602 +--- linux-2.6.23.15/drivers/mtd/devices/slram.c 2007-10-09 21:31:38.000000000 +0100
12603 ++++ linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c 2008-02-11 10:37:44.000000000 +0000
12604 +@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
12605 + }
12606 + T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
12607 + devname, devstart, devlength);
12608 +- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
12609 ++ if (devlength % SLRAM_BLK_SZ != 0) {
12610 + E("slram: Illegal start / length parameter.\n");
12611 + return(-EINVAL);
12612 + }
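Review bot: the `%lx` conversions in the trace above indicate `devstart` and `devlength` are unsigned, so `devstart < 0` and `devlength < 0` were dead tests, but the error string `"Illegal start / length parameter."` still claims the start is validated. Update the message to reflect that only the length alignment is checked now.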
12613 +diff -Nurp linux-2.6.23.15/drivers/mtd/ubi/build.c linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c
12614 +--- linux-2.6.23.15/drivers/mtd/ubi/build.c 2007-10-09 21:31:38.000000000 +0100
12615 ++++ linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c 2008-02-11 10:37:44.000000000 +0000
12616 +@@ -727,7 +727,7 @@ static int __init bytes_str_to_int(const
12617 + unsigned long result;
12618 +
12619 + result = simple_strtoul(str, &endp, 0);
12620 +- if (str == endp || result < 0) {
12621 ++ if (str == endp) {
12622 + printk("UBI error: incorrect bytes count: \"%s\"\n", str);
12623 + return -EINVAL;
12624 + }
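Review bot: correct as far as it goes; `result` is declared `unsigned long` two lines above, so `result < 0` was always false. Since the function returns `int` (see the hunk header), the check the original author probably wanted is an overflow test before the narrowing conversion, e.g. rejecting values above `INT_MAX`, rather than nothing at all.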
12625 +diff -Nurp linux-2.6.23.15/drivers/net/eepro100.c linux-2.6.23.15-grsec/drivers/net/eepro100.c
12626 +--- linux-2.6.23.15/drivers/net/eepro100.c 2007-10-09 21:31:38.000000000 +0100
12627 ++++ linux-2.6.23.15-grsec/drivers/net/eepro100.c 2008-02-11 10:37:44.000000000 +0000
12628 +@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
12629 + # define rx_align(skb) skb_reserve((skb), 2)
12630 + # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
12631 + #else
12632 +-# define rx_align(skb)
12633 ++# define rx_align(skb) do {} while (0)
12634 + # define RxFD_ALIGNMENT
12635 + #endif
12636 +
12637 +@@ -2344,33 +2344,33 @@ static void __devexit eepro100_remove_on
12638 + }
12639 +
12640 + static struct pci_device_id eepro100_pci_tbl[] = {
12641 +- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
12642 +- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
12643 +- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
12644 +- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
12645 +- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
12646 +- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
12647 +- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
12648 +- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
12649 +- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
12650 +- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
12651 +- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
12652 +- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
12653 +- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
12654 +- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
12655 +- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
12656 +- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
12657 +- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
12658 +- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
12659 +- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
12660 +- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
12661 +- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
12662 +- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
12663 +- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
12664 +- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
12665 +- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
12666 +- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
12667 +- { 0,}
12668 ++ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12669 ++ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12670 ++ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12671 ++ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12672 ++ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12673 ++ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12674 ++ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12675 ++ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12676 ++ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12677 ++ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12678 ++ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12679 ++ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12680 ++ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12681 ++ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12682 ++ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12683 ++ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12684 ++ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12685 ++ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12686 ++ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12687 ++ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12688 ++ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12689 ++ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12690 ++ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12691 ++ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12692 ++ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12693 ++ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
12694 ++ { 0, 0, 0, 0, 0, 0, 0 }
12695 + };
12696 + MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
12697 +
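Review bot: 27 entries are rewritten to append `0, 0, 0` for fields the original initializer already zero-filled, and the sentinel now hard-codes all seven fields of `struct pci_device_id`. Using `PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1229)` per entry and a designated `{ .vendor = 0 }` terminator would avoid both the churn and the layout dependency.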
12698 +diff -Nurp linux-2.6.23.15/drivers/net/irda/vlsi_ir.c linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c
12699 +--- linux-2.6.23.15/drivers/net/irda/vlsi_ir.c 2007-10-09 21:31:38.000000000 +0100
12700 ++++ linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c 2008-02-11 10:37:44.000000000 +0000
12701 +@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
12702 + /* no race - tx-ring already empty */
12703 + vlsi_set_baud(idev, iobase);
12704 + netif_wake_queue(ndev);
12705 +- }
12706 +- else
12707 +- ;
12708 ++ } else {
12709 + /* keep the speed change pending like it would
12710 + * for any len>0 packet. tx completion interrupt
12711 + * will apply it when the tx ring becomes empty.
12712 + */
12713 ++ }
12714 + spin_unlock_irqrestore(&idev->lock, flags);
12715 + dev_kfree_skb_any(skb);
12716 + return 0;
12717 +diff -Nurp linux-2.6.23.15/drivers/net/pcnet32.c linux-2.6.23.15-grsec/drivers/net/pcnet32.c
12718 +--- linux-2.6.23.15/drivers/net/pcnet32.c 2007-10-09 21:31:38.000000000 +0100
12719 ++++ linux-2.6.23.15-grsec/drivers/net/pcnet32.c 2008-02-11 10:37:44.000000000 +0000
12720 +@@ -82,7 +82,7 @@ static int cards_found;
12721 + /*
12722 + * VLB I/O addresses
12723 + */
12724 +-static unsigned int pcnet32_portlist[] __initdata =
12725 ++static unsigned int pcnet32_portlist[] __devinitdata =
12726 + { 0x300, 0x320, 0x340, 0x360, 0 };
12727 +
12728 + static int pcnet32_debug = 0;
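Review bot: moving `pcnet32_portlist` from `__initdata` to `__devinitdata` is correct only if the code that references it is `__devinit` probe code; the hunk does not show that reference, so name the section-mismatch warning this fixes in the commit message.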
12729 +diff -Nurp linux-2.6.23.15/drivers/net/tg3.h linux-2.6.23.15-grsec/drivers/net/tg3.h
12730 +--- linux-2.6.23.15/drivers/net/tg3.h 2007-10-09 21:31:38.000000000 +0100
12731 ++++ linux-2.6.23.15-grsec/drivers/net/tg3.h 2008-02-11 10:37:44.000000000 +0000
12732 +@@ -127,6 +127,7 @@
12733 + #define CHIPREV_ID_5750_A0 0x4000
12734 + #define CHIPREV_ID_5750_A1 0x4001
12735 + #define CHIPREV_ID_5750_A3 0x4003
12736 ++#define CHIPREV_ID_5750_C1 0x4201
12737 + #define CHIPREV_ID_5750_C2 0x4202
12738 + #define CHIPREV_ID_5752_A0_HW 0x5000
12739 + #define CHIPREV_ID_5752_A0 0x6000
12740 +diff -Nurp linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c
12741 +--- linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c 2007-10-09 21:31:38.000000000 +0100
12742 ++++ linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c 2008-02-11 10:37:44.000000000 +0000
12743 +@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
12744 +
12745 + void compaq_nvram_init (void __iomem *rom_start)
12746 + {
12747 ++
12748 ++#ifndef CONFIG_PAX_KERNEXEC
12749 + if (rom_start) {
12750 + compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
12751 + }
12752 ++#endif
12753 ++
12754 + dbg("int15 entry = %p\n", compaq_int15_entry_point);
12755 +
12756 + /* initialize our int15 lock */
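Review bot: with `CONFIG_PAX_KERNEXEC` set, `compaq_int15_entry_point` is never assigned from the ROM, so it keeps whatever value it was initialised with and the `dbg()` line prints that. The hunk does not show the code that calls through this entry point; confirm it checks for a null entry before use, otherwise the hot-plug NVRAM path will dereference it. A comment explaining why the ROM entry cannot be used under KERNEXEC belongs here as well.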
12757 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c
12758 +--- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c 2007-10-09 21:31:38.000000000 +0100
12759 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c 2008-02-11 10:37:44.000000000 +0000
12760 +@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
12761 + .port_type = PCIE_RC_PORT,
12762 + .service_type = PCIE_PORT_SERVICE_AER,
12763 + },
12764 +- { /* end: all zeroes */ }
12765 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
12766 + };
12767 +
12768 + static struct pci_error_handlers aer_error_handlers = {
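Review bot: the `/* end: all zeroes */` comment was dropped together with the empty initializer; nine literal zeros say less about intent than the comment did, so keep it next to the new sentinel. The same applies to the terminators in portdrv_pci.c and yenta_socket.c below.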
12769 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c
12770 +--- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c 2007-10-09 21:31:38.000000000 +0100
12771 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c 2008-02-11 10:37:44.000000000 +0000
12772 +@@ -660,7 +660,7 @@ static void aer_isr_one_error(struct pci
12773 + struct aer_err_source *e_src)
12774 + {
12775 + struct device *s_device;
12776 +- struct aer_err_info e_info = {0, 0, 0,};
12777 ++ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
12778 + int i;
12779 + u16 id;
12780 +
12781 +diff -Nurp linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c
12782 +--- linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c 2007-10-09 21:31:38.000000000 +0100
12783 ++++ linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c 2008-02-11 10:37:44.000000000 +0000
12784 +@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
12785 + static const struct pci_device_id port_pci_ids[] = { {
12786 + /* handle any PCI-Express port */
12787 + PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
12788 +- }, { /* end: all zeroes */ }
12789 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
12790 + };
12791 + MODULE_DEVICE_TABLE(pci, port_pci_ids);
12792 +
12793 +diff -Nurp linux-2.6.23.15/drivers/pci/proc.c linux-2.6.23.15-grsec/drivers/pci/proc.c
12794 +--- linux-2.6.23.15/drivers/pci/proc.c 2007-10-09 21:31:38.000000000 +0100
12795 ++++ linux-2.6.23.15-grsec/drivers/pci/proc.c 2008-02-11 10:37:44.000000000 +0000
12796 +@@ -466,7 +466,15 @@ static int __init pci_proc_init(void)
12797 + {
12798 + struct proc_dir_entry *entry;
12799 + struct pci_dev *dev = NULL;
12800 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
12801 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
12802 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
12803 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
12804 ++ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
12805 ++#endif
12806 ++#else
12807 + proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
12808 ++#endif
12809 + entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
12810 + if (entry)
12811 + entry->proc_fops = &proc_bus_pci_dev_operations;
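Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` mixes styles with the `#ifdef` directly above it; an unset Kconfig bool is simply undefined, which `#elif` evaluates as 0, so it works, but it warns under `-Wundef` and `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` is the consistent form. More importantly, when `CONFIG_GRKERNSEC_PROC_ADD` is set but neither sub-option is, `proc_bus_pci_dir` is never assigned here and `create_proc_entry("devices", ...)` on the next line runs with whatever it held before. Add an `#else` branch (or a `#error`) so the mode selection is exhaustive.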
12812 +diff -Nurp linux-2.6.23.15/drivers/pcmcia/ti113x.h linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h
12813 +--- linux-2.6.23.15/drivers/pcmcia/ti113x.h 2007-10-09 21:31:38.000000000 +0100
12814 ++++ linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h 2008-02-11 10:37:44.000000000 +0000
12815 +@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
12816 + DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
12817 + ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
12818 +
12819 +- {}
12820 ++ { 0, 0, 0, 0, 0, 0, 0 }
12821 + };
12822 +
12823 + static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
12824 +diff -Nurp linux-2.6.23.15/drivers/pcmcia/yenta_socket.c linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c
12825 +--- linux-2.6.23.15/drivers/pcmcia/yenta_socket.c 2007-10-09 21:31:38.000000000 +0100
12826 ++++ linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c 2008-02-11 10:37:44.000000000 +0000
12827 +@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
12828 +
12829 + /* match any cardbus bridge */
12830 + CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
12831 +- { /* all zeroes */ }
12832 ++ { 0, 0, 0, 0, 0, 0, 0 }
12833 + };
12834 + MODULE_DEVICE_TABLE(pci, yenta_table);
12835 +
12836 +diff -Nurp linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c
12837 +--- linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c 2007-10-09 21:31:38.000000000 +0100
12838 ++++ linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c 2008-02-11 10:37:44.000000000 +0000
12839 +@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
12840 + set_limit(gdt[(selname) >> 3], size); \
12841 + } while(0)
12842 +
12843 +-static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
12844 ++static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
12845 +
12846 + /*
12847 + * At some point we want to use this stack frame pointer to unwind
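Review bot: the access byte changes from 0x92 to 0x93, i.e. the descriptor's accessed bit is now pre-set, and nothing records why. The CPU sets that bit by writing into the descriptor when the segment is first loaded, which faults if the GDT the descriptor is copied into is write-protected; if that is the reason, a comment next to the value is needed, because 0x92 versus 0x93 is easy to "fix" back as a typo.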
12848 +@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
12849 + struct desc_struct save_desc_40;
12850 + int cpu;
12851 +
12852 ++#ifdef CONFIG_PAX_KERNEXEC
12853 ++ unsigned long cr0;
12854 ++#endif
12855 ++
12856 + /*
12857 + * PnP BIOSes are generally not terribly re-entrant.
12858 + * Also, don't rely on them to save everything correctly.
12859 +@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
12860 +
12861 + cpu = get_cpu();
12862 + save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
12863 ++
12864 ++#ifdef CONFIG_PAX_KERNEXEC
12865 ++ pax_open_kernel(cr0);
12866 ++#endif
12867 ++
12868 + get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
12869 +
12870 ++#ifdef CONFIG_PAX_KERNEXEC
12871 ++ pax_close_kernel(cr0);
12872 ++#endif
12873 ++
12874 + /* On some boxes IRQ's during PnP BIOS calls are deadly. */
12875 + spin_lock_irqsave(&pnp_bios_lock, flags);
12876 +
12877 +@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
12878 + :"memory");
12879 + spin_unlock_irqrestore(&pnp_bios_lock, flags);
12880 +
12881 ++#ifdef CONFIG_PAX_KERNEXEC
12882 ++ pax_open_kernel(cr0);
12883 ++#endif
12884 ++
12885 + get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
12886 ++
12887 ++#ifdef CONFIG_PAX_KERNEXEC
12888 ++ pax_close_kernel(cr0);
12889 ++#endif
12890 ++
12891 + put_cpu();
12892 +
12893 + /* If we get here and this is set then the PnP BIOS faulted on us. */
12894 +@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
12895 + return status;
12896 + }
12897 +
12898 +-void pnpbios_calls_init(union pnp_bios_install_struct *header)
12899 ++void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
12900 + {
12901 + int i;
12902 +
12903 ++#ifdef CONFIG_PAX_KERNEXEC
12904 ++ unsigned long cr0;
12905 ++#endif
12906 ++
12907 + spin_lock_init(&pnp_bios_lock);
12908 + pnp_bios_callpoint.offset = header->fields.pm16offset;
12909 + pnp_bios_callpoint.segment = PNP_CS16;
12910 +
12911 + set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
12912 + _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
12913 ++
12914 ++#ifdef CONFIG_PAX_KERNEXEC
12915 ++ pax_open_kernel(cr0);
12916 ++#endif
12917 ++
12918 + for (i = 0; i < NR_CPUS; i++) {
12919 + struct desc_struct *gdt = get_cpu_gdt_table(i);
12920 + if (!gdt)
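Review bot: `bad_bios_desc` is declared `__read_only` in the first hunk of this file, yet `set_base(bad_bios_desc, ...)` and `_set_limit((char *)&bad_bios_desc, ...)` write to it here before `pax_open_kernel(cr0)` is called, while the GDT stores that follow are wrapped. Either these writes are safe because the function is `__init` and the read-only section is not yet protected at this point, in which case a comment should say so, or they need to move inside the open/close window.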
12921 +@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
12922 + set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
12923 + __va(header->fields.pm16dseg));
12924 + }
12925 ++
12926 ++#ifdef CONFIG_PAX_KERNEXEC
12927 ++ pax_close_kernel(cr0);
12928 ++#endif
12929 ++
12930 + }
12931 +diff -Nurp linux-2.6.23.15/drivers/pnp/quirks.c linux-2.6.23.15-grsec/drivers/pnp/quirks.c
12932 +--- linux-2.6.23.15/drivers/pnp/quirks.c 2007-10-09 21:31:38.000000000 +0100
12933 ++++ linux-2.6.23.15-grsec/drivers/pnp/quirks.c 2008-02-11 10:37:44.000000000 +0000
12934 +@@ -127,7 +127,7 @@ static struct pnp_fixup pnp_fixups[] = {
12935 + {"CTL0043", quirk_sb16audio_resources},
12936 + {"CTL0044", quirk_sb16audio_resources},
12937 + {"CTL0045", quirk_sb16audio_resources},
12938 +- {""}
12939 ++ {"", NULL}
12940 + };
12941 +
12942 + void pnp_fixup_device(struct pnp_dev *dev)
12943 +diff -Nurp linux-2.6.23.15/drivers/pnp/resource.c linux-2.6.23.15-grsec/drivers/pnp/resource.c
12944 +--- linux-2.6.23.15/drivers/pnp/resource.c 2007-10-09 21:31:38.000000000 +0100
12945 ++++ linux-2.6.23.15-grsec/drivers/pnp/resource.c 2008-02-11 10:37:44.000000000 +0000
12946 +@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
12947 + return 1;
12948 +
12949 + /* check if the resource is valid */
12950 +- if (*irq < 0 || *irq > 15)
12951 ++ if (*irq > 15)
12952 + return 0;
12953 +
12954 + /* check if the resource is reserved */
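Review bot: `*irq > 15` alone is only equivalent to the old test if `*irq` is unsigned; the hunk shows neither the declaration of `irq` nor the resource field it points at. If it is signed, a negative IRQ number now passes the validity check and reaches the reservation logic below. The same applies to `*dma == 4 || *dma > 7` in the next hunk; state the type in the commit message or add a comment at the check.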
12955 +@@ -412,7 +412,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
12956 + return 1;
12957 +
12958 + /* check if the resource is valid */
12959 +- if (*dma < 0 || *dma == 4 || *dma > 7)
12960 ++ if (*dma == 4 || *dma > 7)
12961 + return 0;
12962 +
12963 + /* check if the resource is reserved */
12964 +diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_lib.c linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c
12965 +--- linux-2.6.23.15/drivers/scsi/scsi_lib.c 2007-10-09 21:31:38.000000000 +0100
12966 ++++ linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c 2008-02-11 10:37:44.000000000 +0000
12967 +@@ -44,7 +44,7 @@ struct scsi_host_sg_pool {
12968 + #error SCSI_MAX_PHYS_SEGMENTS is too small
12969 + #endif
12970 +
12971 +-#define SP(x) { x, "sgpool-" #x }
12972 ++#define SP(x) { x, "sgpool-" #x, NULL, NULL }
12973 + static struct scsi_host_sg_pool scsi_sg_pools[] = {
12974 + SP(8),
12975 + SP(16),
12976 +diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_logging.h linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h
12977 +--- linux-2.6.23.15/drivers/scsi/scsi_logging.h 2007-10-09 21:31:38.000000000 +0100
12978 ++++ linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h 2008-02-11 10:37:44.000000000 +0000
12979 +@@ -51,7 +51,7 @@ do { \
12980 + } while (0); \
12981 + } while (0)
12982 + #else
12983 +-#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
12984 ++#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
12985 + #endif /* CONFIG_SCSI_LOGGING */
12986 +
12987 + /*
12988 +diff -Nurp linux-2.6.23.15/drivers/serial/8250_pci.c linux-2.6.23.15-grsec/drivers/serial/8250_pci.c
12989 +--- linux-2.6.23.15/drivers/serial/8250_pci.c 2007-10-09 21:31:38.000000000 +0100
12990 ++++ linux-2.6.23.15-grsec/drivers/serial/8250_pci.c 2008-02-11 10:37:44.000000000 +0000
12991 +@@ -2589,7 +2589,7 @@ static struct pci_device_id serial_pci_t
12992 + PCI_ANY_ID, PCI_ANY_ID,
12993 + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
12994 + 0xffff00, pbn_default },
12995 +- { 0, }
12996 ++ { 0, 0, 0, 0, 0, 0, 0 }
12997 + };
12998 +
12999 + static struct pci_driver serial_pci_driver = {
13000 +diff -Nurp linux-2.6.23.15/drivers/usb/class/cdc-acm.c linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c
13001 +--- linux-2.6.23.15/drivers/usb/class/cdc-acm.c 2007-10-09 21:31:38.000000000 +0100
13002 ++++ linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c 2008-02-11 10:37:44.000000000 +0000
13003 +@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
13004 + USB_CDC_ACM_PROTO_AT_CDMA) },
13005 +
13006 + /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
13007 +- { }
13008 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
13009 + };
13010 +
13011 + MODULE_DEVICE_TABLE (usb, acm_ids);
13012 +diff -Nurp linux-2.6.23.15/drivers/usb/class/usblp.c linux-2.6.23.15-grsec/drivers/usb/class/usblp.c
13013 +--- linux-2.6.23.15/drivers/usb/class/usblp.c 2007-10-09 21:31:38.000000000 +0100
13014 ++++ linux-2.6.23.15-grsec/drivers/usb/class/usblp.c 2008-02-11 10:37:44.000000000 +0000
13015 +@@ -225,7 +225,7 @@ static const struct quirk_printer_struct
13016 + { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
13017 + { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
13018 + { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
13019 +- { 0, 0 }
13020 ++ { 0, 0, 0 }
13021 + };
13022 +
13023 + static int usblp_wwait(struct usblp *usblp, int nonblock);
13024 +@@ -1376,7 +1376,7 @@ static struct usb_device_id usblp_ids []
13025 + { USB_INTERFACE_INFO(7, 1, 2) },
13026 + { USB_INTERFACE_INFO(7, 1, 3) },
13027 + { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
13028 +- { } /* Terminating entry */
13029 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
13030 + };
13031 +
13032 + MODULE_DEVICE_TABLE (usb, usblp_ids);
13033 +diff -Nurp linux-2.6.23.15/drivers/usb/core/hub.c linux-2.6.23.15-grsec/drivers/usb/core/hub.c
13034 +--- linux-2.6.23.15/drivers/usb/core/hub.c 2008-02-11 10:36:03.000000000 +0000
13035 ++++ linux-2.6.23.15-grsec/drivers/usb/core/hub.c 2008-02-11 10:37:44.000000000 +0000
13036 +@@ -2762,7 +2762,7 @@ static struct usb_device_id hub_id_table
13037 + .bDeviceClass = USB_CLASS_HUB},
13038 + { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
13039 + .bInterfaceClass = USB_CLASS_HUB},
13040 +- { } /* Terminating entry */
13041 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
13042 + };
13043 +
13044 + MODULE_DEVICE_TABLE (usb, hub_id_table);
13045 +diff -Nurp linux-2.6.23.15/drivers/usb/host/ehci-pci.c linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c
13046 +--- linux-2.6.23.15/drivers/usb/host/ehci-pci.c 2007-10-09 21:31:38.000000000 +0100
13047 ++++ linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c 2008-02-11 10:37:44.000000000 +0000
13048 +@@ -377,7 +377,7 @@ static const struct pci_device_id pci_id
13049 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
13050 + .driver_data = (unsigned long) &ehci_pci_hc_driver,
13051 + },
13052 +- { /* end: all zeroes */ }
13053 ++ { 0, 0, 0, 0, 0, 0, 0 }
13054 + };
13055 + MODULE_DEVICE_TABLE(pci, pci_ids);
13056 +
13057 +diff -Nurp linux-2.6.23.15/drivers/usb/host/uhci-hcd.c linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c
13058 +--- linux-2.6.23.15/drivers/usb/host/uhci-hcd.c 2007-10-09 21:31:38.000000000 +0100
13059 ++++ linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c 2008-02-11 10:37:44.000000000 +0000
13060 +@@ -894,7 +894,7 @@ static const struct pci_device_id uhci_p
13061 + /* handle any USB UHCI controller */
13062 + PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
13063 + .driver_data = (unsigned long) &uhci_driver,
13064 +- }, { /* end: all zeroes */ }
13065 ++ }, { 0, 0, 0, 0, 0, 0, 0 }
13066 + };
13067 +
13068 + MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
13069 +diff -Nurp linux-2.6.23.15/drivers/usb/storage/debug.h linux-2.6.23.15-grsec/drivers/usb/storage/debug.h
13070 +--- linux-2.6.23.15/drivers/usb/storage/debug.h 2007-10-09 21:31:38.000000000 +0100
13071 ++++ linux-2.6.23.15-grsec/drivers/usb/storage/debug.h 2008-02-11 10:37:44.000000000 +0000
13072 +@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
13073 + #define US_DEBUGPX(x...) printk( x )
13074 + #define US_DEBUG(x) x
13075 + #else
13076 +-#define US_DEBUGP(x...)
13077 +-#define US_DEBUGPX(x...)
13078 +-#define US_DEBUG(x)
13079 ++#define US_DEBUGP(x...) do {} while (0)
13080 ++#define US_DEBUGPX(x...) do {} while (0)
13081 ++#define US_DEBUG(x) do {} while (0)
13082 + #endif
13083 +
13084 + #endif
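Review bot: `do {} while (0)` is the right expansion for a statement macro: `if (x) US_DEBUGP(...); else ...` no longer collapses into an empty statement that swallows the `else`, and the same reasoning covers the SCSI_CHECK_LOGGING and DPRINTK hunks. One caveat visible here: in the debug build `US_DEBUG(x)` still expands to bare `x`, so with the non-debug form now a statement every call site must use `US_DEBUG()` strictly as a statement, never as an expression or declaration, or the two configurations stop compiling the same code.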
13085 +diff -Nurp linux-2.6.23.15/drivers/usb/storage/usb.c linux-2.6.23.15-grsec/drivers/usb/storage/usb.c
13086 +--- linux-2.6.23.15/drivers/usb/storage/usb.c 2007-10-09 21:31:38.000000000 +0100
13087 ++++ linux-2.6.23.15-grsec/drivers/usb/storage/usb.c 2008-02-11 10:37:44.000000000 +0000
13088 +@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
13089 + #undef UNUSUAL_DEV
13090 + #undef USUAL_DEV
13091 + /* Terminating entry */
13092 +- { }
13093 ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
13094 + };
13095 +
13096 + MODULE_DEVICE_TABLE (usb, storage_usb_ids);
13097 +@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
13098 + # undef USUAL_DEV
13099 +
13100 + /* Terminating entry */
13101 +- { NULL }
13102 ++ { NULL, NULL, 0, 0, NULL }
13103 + };
13104 +
13105 +
13106 +diff -Nurp linux-2.6.23.15/drivers/video/fbcmap.c linux-2.6.23.15-grsec/drivers/video/fbcmap.c
13107 +--- linux-2.6.23.15/drivers/video/fbcmap.c 2007-10-09 21:31:38.000000000 +0100
13108 ++++ linux-2.6.23.15-grsec/drivers/video/fbcmap.c 2008-02-11 10:37:44.000000000 +0000
13109 +@@ -251,8 +251,7 @@ int fb_set_user_cmap(struct fb_cmap_user
13110 + int rc, size = cmap->len * sizeof(u16);
13111 + struct fb_cmap umap;
13112 +
13113 +- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
13114 +- !info->fbops->fb_setcmap))
13115 ++ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
13116 + return -EINVAL;
13117 +
13118 + memset(&umap, 0, sizeof(struct fb_cmap));
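Review bot: dropping `cmap->start < 0` is only a no-op if `start` is unsigned in `struct fb_cmap_user`; the hunk does not show the declaration, so the changelog should state this is dead-code removal for a compiler warning rather than a loosened check. Since this function now rejects nothing about `start` at all, also confirm that the `start + len` range check still happens in the callee that consumes `umap`.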
13119 +diff -Nurp linux-2.6.23.15/drivers/video/fbmem.c linux-2.6.23.15-grsec/drivers/video/fbmem.c
13120 +--- linux-2.6.23.15/drivers/video/fbmem.c 2007-10-09 21:31:38.000000000 +0100
13121 ++++ linux-2.6.23.15-grsec/drivers/video/fbmem.c 2008-02-11 10:37:44.000000000 +0000
13122 +@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
13123 + image->dx += image->width + 8;
13124 + }
13125 + } else if (rotate == FB_ROTATE_UD) {
13126 +- for (x = 0; x < num && image->dx >= 0; x++) {
13127 ++ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
13128 + info->fbops->fb_imageblit(info, image);
13129 + image->dx -= image->width + 8;
13130 + }
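Review bot: the `(__s32)` cast changes behaviour, not just the warning. The cast is only meaningful if `dx` is unsigned, and in that case the old `image->dx >= 0` test was always true, so the loop ran `num` times even after `image->dx -= image->width + 8` wrapped; with the cast it stops at the first wrap. That is the sensible fix, but put a one-line comment at the cast and mention it in the changelog, because a reader will otherwise take it for a pure warning fix. The same applies to the `dy` hunk that follows.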
13131 +@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
13132 + image->dy += image->height + 8;
13133 + }
13134 + } else if (rotate == FB_ROTATE_CCW) {
13135 +- for (x = 0; x < num && image->dy >= 0; x++) {
13136 ++ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
13137 + info->fbops->fb_imageblit(info, image);
13138 + image->dy -= image->height + 8;
13139 + }
13140 +@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
13141 + case FBIOPUT_CON2FBMAP:
13142 + if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
13143 + return - EFAULT;
13144 +- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
13145 ++ if (con2fb.console > MAX_NR_CONSOLES)
13146 + return -EINVAL;
13147 +- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
13148 ++ if (con2fb.framebuffer >= FB_MAX)
13149 + return -EINVAL;
13150 + #ifdef CONFIG_KMOD
13151 + if (!registered_fb[con2fb.framebuffer])
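Review bot: the `< 0` tests are removable only because `con2fb.console` and `con2fb.framebuffer` are unsigned, which is not shown in this hunk; the upper bounds (`> MAX_NR_CONSOLES`, `>= FB_MAX`) are unchanged, so provided the fields really are unsigned the ioctl's validation is not weakened. While here, the asymmetry between `>` for the console bound and `>=` for the framebuffer bound deserves a short comment (it is fine only if `console` is 1-based downstream) so the next reader does not have to re-derive it.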
13152 +diff -Nurp linux-2.6.23.15/drivers/video/fbmon.c linux-2.6.23.15-grsec/drivers/video/fbmon.c
13153 +--- linux-2.6.23.15/drivers/video/fbmon.c 2007-10-09 21:31:38.000000000 +0100
13154 ++++ linux-2.6.23.15-grsec/drivers/video/fbmon.c 2008-02-11 10:37:44.000000000 +0000
13155 +@@ -45,7 +45,7 @@
13156 + #ifdef DEBUG
13157 + #define DPRINTK(fmt, args...) printk(fmt,## args)
13158 + #else
13159 +-#define DPRINTK(fmt, args...)
13160 ++#define DPRINTK(fmt, args...) do {} while (0)
13161 + #endif
13162 +
13163 + #define FBMON_FIX_HEADER 1
13164 +diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_accel.c linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c
13165 +--- linux-2.6.23.15/drivers/video/i810/i810_accel.c 2007-10-09 21:31:38.000000000 +0100
13166 ++++ linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c 2008-02-11 10:37:44.000000000 +0000
13167 +@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
13168 + }
13169 + }
13170 + printk("ringbuffer lockup!!!\n");
13171 ++ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
13172 + i810_report_error(mmio);
13173 + par->dev_flags |= LOCKUP;
13174 + info->pixmap.scan_align = 1;
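Review bot: the new `printk` has no `KERN_` level; the line above it has none either, but new code should not copy that, so use `KERN_ERR` so the diagnostic lands at the right log level. `%u` requires all four arguments to be unsigned types; if `head`, `tail`, `space` and `par->iring.size` are `u32` this is correct, otherwise fix the specifiers rather than casting at the call site.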
13175 +diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_main.c linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c
13176 +--- linux-2.6.23.15/drivers/video/i810/i810_main.c 2007-10-09 21:31:38.000000000 +0100
13177 ++++ linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c 2008-02-11 10:37:44.000000000 +0000
13178 +@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
13179 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
13180 + { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
13181 + PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
13182 +- { 0 },
13183 ++ { 0, 0, 0, 0, 0, 0, 0 },
13184 + };
13185 +
13186 + static struct pci_driver i810fb_driver = {
13187 +@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
13188 + int size = ((cursor->image.width + 7) >> 3) *
13189 + cursor->image.height;
13190 + int i;
13191 +- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
13192 ++ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
13193 +
13194 + if (data == NULL)
13195 + return -ENOMEM;
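Review bot: `GFP_ATOMIC` to `GFP_KERNEL` is a semantic change, not a warning fix: it lets the allocation sleep, which is only legal if `i810fb_cursor` is never reached from atomic context (with a spinlock held, or from interrupt or softirq). The hunk gives no evidence either way, so the changelog should name the call path that makes this safe, or the line should stay `GFP_ATOMIC`. Also visible here: `size` is computed from `cursor->image.width` and `.height`, but the buffer is a fixed `64 * 8` bytes; confirm an earlier check limits the cursor to 64x64 before anything writes `size` bytes into `data` (that check is not in this hunk).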
13196 +diff -Nurp linux-2.6.23.15/drivers/video/modedb.c linux-2.6.23.15-grsec/drivers/video/modedb.c
13197 +--- linux-2.6.23.15/drivers/video/modedb.c 2007-10-09 21:31:38.000000000 +0100
13198 ++++ linux-2.6.23.15-grsec/drivers/video/modedb.c 2008-02-11 10:37:44.000000000 +0000
13199 +@@ -37,228 +37,228 @@ static const struct fb_videomode modedb[
13200 + {
13201 + /* 640x400 @ 70 Hz, 31.5 kHz hsync */
13202 + NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
13203 +- 0, FB_VMODE_NONINTERLACED
13204 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13205 + }, {
13206 + /* 640x480 @ 60 Hz, 31.5 kHz hsync */
13207 + NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
13208 +- 0, FB_VMODE_NONINTERLACED
13209 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13210 + }, {
13211 + /* 800x600 @ 56 Hz, 35.15 kHz hsync */
13212 + NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
13213 +- 0, FB_VMODE_NONINTERLACED
13214 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13215 + }, {
13216 + /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
13217 + NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
13218 +- 0, FB_VMODE_INTERLACED
13219 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13220 + }, {
13221 + /* 640x400 @ 85 Hz, 37.86 kHz hsync */
13222 + NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
13223 +- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13224 ++ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13225 + }, {
13226 + /* 640x480 @ 72 Hz, 36.5 kHz hsync */
13227 + NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
13228 +- 0, FB_VMODE_NONINTERLACED
13229 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13230 + }, {
13231 + /* 640x480 @ 75 Hz, 37.50 kHz hsync */
13232 + NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
13233 +- 0, FB_VMODE_NONINTERLACED
13234 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13235 + }, {
13236 + /* 800x600 @ 60 Hz, 37.8 kHz hsync */
13237 + NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
13238 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13239 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13240 + }, {
13241 + /* 640x480 @ 85 Hz, 43.27 kHz hsync */
13242 + NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
13243 +- 0, FB_VMODE_NONINTERLACED
13244 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13245 + }, {
13246 + /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
13247 + NULL, 69, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
13248 +- 0, FB_VMODE_INTERLACED
13249 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13250 + }, {
13251 + /* 800x600 @ 72 Hz, 48.0 kHz hsync */
13252 + NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
13253 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13254 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13255 + }, {
13256 + /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
13257 + NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
13258 +- 0, FB_VMODE_NONINTERLACED
13259 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13260 + }, {
13261 + /* 640x480 @ 100 Hz, 53.01 kHz hsync */
13262 + NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
13263 +- 0, FB_VMODE_NONINTERLACED
13264 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13265 + }, {
13266 + /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
13267 + NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
13268 +- 0, FB_VMODE_NONINTERLACED
13269 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13270 + }, {
13271 + /* 800x600 @ 85 Hz, 55.84 kHz hsync */
13272 + NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
13273 +- 0, FB_VMODE_NONINTERLACED
13274 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13275 + }, {
13276 + /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
13277 + NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
13278 +- 0, FB_VMODE_NONINTERLACED
13279 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13280 + }, {
13281 + /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
13282 + NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
13283 +- 0, FB_VMODE_INTERLACED
13284 ++ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
13285 + }, {
13286 + /* 800x600 @ 100 Hz, 64.02 kHz hsync */
13287 + NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
13288 +- 0, FB_VMODE_NONINTERLACED
13289 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13290 + }, {
13291 + /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
13292 + NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
13293 +- 0, FB_VMODE_NONINTERLACED
13294 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13295 + }, {
13296 + /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
13297 + NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
13298 +- 0, FB_VMODE_NONINTERLACED
13299 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13300 + }, {
13301 + /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
13302 + NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
13303 +- 0, FB_VMODE_NONINTERLACED
13304 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13305 + }, {
13306 + /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
13307 + NULL, 68, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
13308 +- 0, FB_VMODE_NONINTERLACED
13309 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13310 + }, {
13311 + /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
13312 + NULL, 75, 1400, 1050, 9271, 120, 56, 13, 0, 112, 3,
13313 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13314 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13315 + }, {
13316 + /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
13317 + NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
13318 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13319 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13320 + }, {
13321 + /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
13322 + NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
13323 +- 0, FB_VMODE_NONINTERLACED
13324 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13325 + }, {
13326 + /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
13327 + NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
13328 +- 0, FB_VMODE_NONINTERLACED
13329 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13330 + }, {
13331 + /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
13332 + NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
13333 +- 0, FB_VMODE_NONINTERLACED
13334 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13335 + }, {
13336 + /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
13337 + NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
13338 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13339 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13340 + }, {
13341 + /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
13342 + NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
13343 +- 0, FB_VMODE_NONINTERLACED
13344 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13345 + }, {
13346 + /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
13347 + NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
13348 +- 0, FB_VMODE_NONINTERLACED
13349 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13350 + }, {
13351 + /* 1024x768 @ 100Hz, 80.21 kHz hsync */
13352 + NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
13353 +- 0, FB_VMODE_NONINTERLACED
13354 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13355 + }, {
13356 + /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
13357 + NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
13358 +- 0, FB_VMODE_NONINTERLACED
13359 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13360 + }, {
13361 + /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
13362 + NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
13363 +- 0, FB_VMODE_NONINTERLACED
13364 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13365 + }, {
13366 + /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
13367 + NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
13368 +- 0, FB_VMODE_NONINTERLACED
13369 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13370 + }, {
13371 + /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
13372 + NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
13373 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13374 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13375 + }, {
13376 + /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
13377 + NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
13378 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13379 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13380 + }, {
13381 + /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
13382 + NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
13383 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13384 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13385 + }, {
13386 + /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
13387 + NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
13388 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13389 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13390 + }, {
13391 + /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
13392 + NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
13393 +- 0, FB_VMODE_NONINTERLACED
13394 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13395 + }, {
13396 + /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
13397 + NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
13398 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13399 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13400 + }, {
13401 + /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
13402 + NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
13403 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13404 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13405 + }, {
13406 + /* 512x384 @ 78 Hz, 31.50 kHz hsync */
13407 + NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
13408 +- 0, FB_VMODE_NONINTERLACED
13409 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13410 + }, {
13411 + /* 512x384 @ 85 Hz, 34.38 kHz hsync */
13412 + NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
13413 +- 0, FB_VMODE_NONINTERLACED
13414 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13415 + }, {
13416 + /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
13417 + NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
13418 +- 0, FB_VMODE_DOUBLE
13419 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13420 + }, {
13421 + /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
13422 + NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
13423 +- 0, FB_VMODE_DOUBLE
13424 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13425 + }, {
13426 + /* 320x240 @ 72 Hz, 36.5 kHz hsync */
13427 + NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
13428 +- 0, FB_VMODE_DOUBLE
13429 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13430 + }, {
13431 + /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
13432 + NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
13433 +- 0, FB_VMODE_DOUBLE
13434 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13435 + }, {
13436 + /* 400x300 @ 60 Hz, 37.8 kHz hsync */
13437 + NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
13438 +- 0, FB_VMODE_DOUBLE
13439 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13440 + }, {
13441 + /* 400x300 @ 72 Hz, 48.0 kHz hsync */
13442 + NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
13443 +- 0, FB_VMODE_DOUBLE
13444 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13445 + }, {
13446 + /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
13447 + NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
13448 +- 0, FB_VMODE_DOUBLE
13449 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13450 + }, {
13451 + /* 480x300 @ 60 Hz, 37.8 kHz hsync */
13452 + NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
13453 +- 0, FB_VMODE_DOUBLE
13454 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13455 + }, {
13456 + /* 480x300 @ 63 Hz, 39.6 kHz hsync */
13457 + NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
13458 +- 0, FB_VMODE_DOUBLE
13459 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13460 + }, {
13461 + /* 480x300 @ 72 Hz, 48.0 kHz hsync */
13462 + NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
13463 +- 0, FB_VMODE_DOUBLE
13464 ++ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
13465 + }, {
13466 + /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
13467 + NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
13468 + FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
13469 +- FB_VMODE_NONINTERLACED
13470 ++ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13471 + }, {
13472 + /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
13473 + NULL, 60, 1152, 768, 15386, 158, 26, 29, 3, 136, 6,
13474 +- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
13475 ++ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13476 + }, {
13477 + /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
13478 + NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
13479 +- 0, FB_VMODE_NONINTERLACED
13480 ++ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
13481 + },
13482 + };
13483 +
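Review bot: assuming `FB_MODE_IS_UNKNOWN` is the zero value (as in include/linux/fb.h), appending it to every entry changes nothing at run time; this 228-line hunk exists only to silence a missing-field-initializer warning. That is a lot of churn to carry in an out-of-tree patch, since every upstream edit to `modedb[]` will now conflict. Consider a designated initializer for the `flag` member or disabling that warning for this file instead of rewriting the whole table.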
13484 +diff -Nurp linux-2.6.23.15/drivers/video/vesafb.c linux-2.6.23.15-grsec/drivers/video/vesafb.c
13485 +--- linux-2.6.23.15/drivers/video/vesafb.c 2007-10-09 21:31:38.000000000 +0100
13486 ++++ linux-2.6.23.15-grsec/drivers/video/vesafb.c 2008-02-11 10:37:44.000000000 +0000
13487 +@@ -9,6 +9,7 @@
13488 + */
13489 +
13490 + #include <linux/module.h>
13491 ++#include <linux/moduleloader.h>
13492 + #include <linux/kernel.h>
13493 + #include <linux/errno.h>
13494 + #include <linux/string.h>
13495 +@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
13496 + unsigned int size_vmode;
13497 + unsigned int size_remap;
13498 + unsigned int size_total;
13499 ++ void *pmi_code = NULL;
13500 +
13501 + if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
13502 + return -ENODEV;
13503 +@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
13504 + size_remap = size_total;
13505 + vesafb_fix.smem_len = size_remap;
13506 +
13507 +-#ifndef __i386__
13508 +- screen_info.vesapm_seg = 0;
13509 +-#endif
13510 +-
13511 + if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
13512 + printk(KERN_WARNING
13513 + "vesafb: cannot reserve video memory at 0x%lx\n",
13514 +@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
13515 + printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
13516 + vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
13517 +
13518 ++#ifdef __i386__
13519 ++
13520 ++#ifdef CONFIG_PAX_KERNEXEC
13521 ++ pmi_code = module_alloc_exec(screen_info.vesapm_size);
13522 ++ if (!pmi_code)
13523 ++#else
13524 ++ if (0)
13525 ++#endif
13526 ++
13527 ++#endif
13528 ++ screen_info.vesapm_seg = 0;
13529 ++
13530 + if (screen_info.vesapm_seg) {
13531 +- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
13532 +- screen_info.vesapm_seg,screen_info.vesapm_off);
13533 ++ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
13534 ++ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
13535 + }
13536 +
13537 + if (screen_info.vesapm_seg < 0xc000)
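Review bot: the control flow here is a trap. The `if (!pmi_code)` or `if (0)` selected by the `#ifdef`s has its body, `screen_info.vesapm_seg = 0;`, outside both `#endif`s, so whether that line runs unconditionally (non-i386), never (i386 without KERNEXEC) or only on allocation failure (i386 with KERNEXEC) depends on preprocessor state, and anyone inserting a statement between the last `#endif` and that line silently changes all three cases. Write it as explicit braced branches. Separately, `module_alloc_exec()` runs before anything checks that a PMI block exists (`vesapm_seg` may already be 0, and `vesapm_size` is untrusted BIOS data), so the executable allocation is made even when the PMI code is never copied.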
13538 +@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
13539 +
13540 + if (ypan || pmi_setpal) {
13541 + unsigned short *pmi_base;
13542 +- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
13543 +- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
13544 +- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
13545 ++
13546 ++#ifdef CONFIG_PAX_KERNEXEC
13547 ++ unsigned long cr0;
13548 ++#endif
13549 ++
13550 ++ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
13551 ++
13552 ++#ifdef CONFIG_PAX_KERNEXEC
13553 ++ pax_open_kernel(cr0);
13554 ++ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
13555 ++ pax_close_kernel(cr0);
13556 ++#else
13557 ++ pmi_code = pmi_base;
13558 ++#endif
13559 ++
13560 ++ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
13561 ++ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
13562 ++
13563 ++#ifdef CONFIG_PAX_KERNEXEC
13564 ++ pmi_start -= __KERNEL_TEXT_OFFSET;
13565 ++ pmi_pal -= __KERNEL_TEXT_OFFSET;
13566 ++#endif
13567 ++
13568 + printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
13569 + if (pmi_base[3]) {
13570 + printk(KERN_INFO "vesafb: pmi: ports = ");
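Review bot: `pmi_start` and `pmi_pal` are formed from `pmi_base[1]` and `pmi_base[2]`, offsets supplied by the BIOS, but the copy into `pmi_code` is only `screen_info.vesapm_size` bytes; if either offset is not below `vesapm_size` the resulting pointer lands past the executable buffer. Reject the PMI block before the `memcpy` when `pmi_base[1] >= screen_info.vesapm_size` or `pmi_base[2] >= screen_info.vesapm_size` (the old code trusted the same offsets, but they pointed into the original BIOS mapping, so the consequence differed). The `__KERNEL_TEXT_OFFSET` adjustment also needs a one-line comment explaining why an address returned by `module_alloc_exec()` requires it.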
13571 +@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
13572 + info->node, info->fix.id);
13573 + return 0;
13574 + err:
13575 ++
13576 ++#ifdef CONFIG_PAX_KERNEXEC
13577 ++ module_free_exec(NULL, pmi_code);
13578 ++#endif
13579 ++
13580 + if (info->screen_base)
13581 + iounmap(info->screen_base);
13582 + framebuffer_release(info);
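Review bot: `pmi_code` is only used inside `if (ypan || pmi_setpal)` and only freed on the `err:` path, so on a successful probe where neither `ypan` nor `pmi_setpal` is set the `module_alloc_exec()` buffer is leaked; free it on that path or allocate it inside that branch. Also confirm `module_free_exec(NULL, NULL)` is a no-op, since `pmi_code` stays NULL both when allocation fails and on non-i386 builds, and both can reach `err:`.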
13583 +diff -Nurp linux-2.6.23.15/fs/Kconfig linux-2.6.23.15-grsec/fs/Kconfig
13584 +--- linux-2.6.23.15/fs/Kconfig 2007-10-09 21:31:38.000000000 +0100
13585 ++++ linux-2.6.23.15-grsec/fs/Kconfig 2008-02-11 10:37:44.000000000 +0000
13586 +@@ -909,7 +909,7 @@ config PROC_FS
13587 +
13588 + config PROC_KCORE
13589 + bool "/proc/kcore support" if !ARM
13590 +- depends on PROC_FS && MMU
13591 ++ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
13592 +
13593 + config PROC_VMCORE
13594 + bool "/proc/vmcore support (EXPERIMENTAL)"
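Review bot: `depends on ... !GRKERNSEC_PROC_ADD` makes `/proc/kcore` vanish from the menu rather than defaulting it off, so an existing .config with both enabled silently loses `PROC_KCORE` on `make oldconfig`. That is probably intended (kcore exposes kernel memory to root, which is what GRKERNSEC_PROC_ADD is restricting), but say so in the GRKERNSEC_PROC_ADD help text, otherwise users will report the option as missing.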
13595 +diff -Nurp linux-2.6.23.15/fs/binfmt_aout.c linux-2.6.23.15-grsec/fs/binfmt_aout.c
13596 +--- linux-2.6.23.15/fs/binfmt_aout.c 2007-10-09 21:31:38.000000000 +0100
13597 ++++ linux-2.6.23.15-grsec/fs/binfmt_aout.c 2008-02-11 10:37:44.000000000 +0000
13598 +@@ -24,6 +24,7 @@
13599 + #include <linux/binfmts.h>
13600 + #include <linux/personality.h>
13601 + #include <linux/init.h>
13602 ++#include <linux/grsecurity.h>
13603 +
13604 + #include <asm/system.h>
13605 + #include <asm/uaccess.h>
13606 +@@ -123,10 +124,12 @@ static int aout_core_dump(long signr, st
13607 + /* If the size of the dump file exceeds the rlimit, then see what would happen
13608 + if we wrote the stack, but not the data area. */
13609 + #ifdef __sparc__
13610 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
13611 + if ((dump.u_dsize+dump.u_ssize) >
13612 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13613 + dump.u_dsize = 0;
13614 + #else
13615 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
13616 + if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
13617 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13618 + dump.u_dsize = 0;
13619 +@@ -134,10 +137,12 @@ static int aout_core_dump(long signr, st
13620 +
13621 + /* Make sure we have enough room to write the stack and data areas. */
13622 + #ifdef __sparc__
13623 ++ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
13624 + if ((dump.u_ssize) >
13625 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13626 + dump.u_ssize = 0;
13627 + #else
13628 ++ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
13629 + if ((dump.u_ssize+1) * PAGE_SIZE >
13630 + current->signal->rlim[RLIMIT_CORE].rlim_cur)
13631 + dump.u_ssize = 0;
13632 +@@ -294,6 +299,8 @@ static int load_aout_binary(struct linux
13633 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
13634 + if (rlim >= RLIM_INFINITY)
13635 + rlim = ~0;
13636 ++
13637 ++ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
13638 + if (ex.a_data + ex.a_bss > rlim)
13639 + return -ENOMEM;
13640 +
13641 +@@ -326,6 +333,28 @@ static int load_aout_binary(struct linux
13642 + current->mm->mmap = NULL;
13643 + compute_creds(bprm);
13644 + current->flags &= ~PF_FORKNOEXEC;
13645 ++
13646 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
13647 ++ current->mm->pax_flags = 0UL;
13648 ++#endif
13649 ++
13650 ++#ifdef CONFIG_PAX_PAGEEXEC
13651 ++ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
13652 ++ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
13653 ++
13654 ++#ifdef CONFIG_PAX_EMUTRAMP
13655 ++ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
13656 ++ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
13657 ++#endif
13658 ++
13659 ++#ifdef CONFIG_PAX_MPROTECT
13660 ++ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
13661 ++ current->mm->pax_flags |= MF_PAX_MPROTECT;
13662 ++#endif
13663 ++
13664 ++ }
13665 ++#endif
13666 ++
13667 + #ifdef __sparc__
13668 + if (N_MAGIC(ex) == NMAGIC) {
13669 + loff_t pos = fd_offset;
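Review bot: the `EMUTRAMP` and `MPROTECT` handling is nested inside `if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC))`, so a binary that opts out of PAGEEXEC also silently loses MPROTECT even when `F_PAX_MPROTECT` is clear. If that coupling is deliberate (MPROTECT is of limited value without non-executable pages), say so in a comment; otherwise hoist the `CONFIG_PAX_MPROTECT` block out so the two flags are independent. Also, `pax_flags` is cleared under `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR` but only ever set under `CONFIG_PAX_PAGEEXEC`; that is fine only as long as Kconfig keeps PAGEEXEC dependent on NOEXEC.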
13670 +@@ -421,7 +450,7 @@ static int load_aout_binary(struct linux
13671 +
13672 + down_write(&current->mm->mmap_sem);
13673 + error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
13674 +- PROT_READ | PROT_WRITE | PROT_EXEC,
13675 ++ PROT_READ | PROT_WRITE,
13676 + MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
13677 + fd_offset + ex.a_text);
13678 + up_write(&current->mm->mmap_sem);
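Review bot: dropping `PROT_EXEC` from the data-segment mapping is unconditional: it is under no `CONFIG_PAX_*` guard and does not consult the `F_PAX_PAGEEXEC` opt-out set up a few lines earlier, so an a.out binary that executes from its data segment breaks even when it has been marked exempt. Either gate it on `current->mm->pax_flags & MF_PAX_PAGEEXEC`, consistent with the block above, or document that a.out data is now never mapped executable.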
13679 +diff -Nurp linux-2.6.23.15/fs/binfmt_elf.c linux-2.6.23.15-grsec/fs/binfmt_elf.c
13680 +--- linux-2.6.23.15/fs/binfmt_elf.c 2007-10-09 21:31:38.000000000 +0100
13681 ++++ linux-2.6.23.15-grsec/fs/binfmt_elf.c 2008-02-11 10:37:44.000000000 +0000
13682 +@@ -39,10 +39,21 @@
13683 + #include <linux/random.h>
13684 + #include <linux/elf.h>
13685 + #include <linux/utsname.h>
13686 ++#include <linux/grsecurity.h>
13687 ++
13688 + #include <asm/uaccess.h>
13689 + #include <asm/param.h>
13690 + #include <asm/page.h>
13691 +
13692 ++#ifdef CONFIG_PAX_SEGMEXEC
13693 ++#include <asm/desc.h>
13694 ++#endif
13695 ++
13696 ++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
13697 ++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
13698 ++EXPORT_SYMBOL(pax_set_initial_flags_func);
13699 ++#endif
13700 ++
13701 + static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
13702 + static int load_elf_library(struct file *);
13703 + static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
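Review bot: `pax_set_initial_flags_func` is a plain writable function pointer exported with `EXPORT_SYMBOL` and, from its name, invoked at exec time; any module can redirect it, and nothing here prevents two users from clobbering each other's assignment. If this is the intended hook for the ACL code selecting `CONFIG_PAX_HOOK_ACL_FLAGS`, give it a register/unregister pair (and `EXPORT_SYMBOL_GPL`) plus a comment stating its calling context, or at least document that exactly one consumer is expected to set it.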
13704 +@@ -84,6 +95,8 @@ static struct linux_binfmt elf_format =
13705 +
13706 + static int set_brk(unsigned long start, unsigned long end)
13707 + {
13708 ++ unsigned long e = end;
13709 ++
13710 + start = ELF_PAGEALIGN(start);
13711 + end = ELF_PAGEALIGN(end);
13712 + if (end > start) {
13713 +@@ -94,7 +107,7 @@ static int set_brk(unsigned long start,
13714 + if (BAD_ADDR(addr))
13715 + return addr;
13716 + }
13717 +- current->mm->start_brk = current->mm->brk = end;
13718 ++ current->mm->start_brk = current->mm->brk = e;
13719 + return 0;
13720 + }
13721 +
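Review bot: these two hunks together make `current->mm->start_brk = current->mm->brk = e;` keep the unaligned end while `end = ELF_PAGEALIGN(end);` is still used for the do_brk size, so brk now starts inside the last bss page instead of at its boundary. On its own this reads like an off-by-a-page mistake; the reason (preserving the sub-page random offset that the @@ -933 hunk adds to elf_brk) should be stated in a comment next to the `e` assignment.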
13722 +@@ -325,10 +338,9 @@ static unsigned long load_elf_interp(str
13723 + {
13724 + struct elf_phdr *elf_phdata;
13725 + struct elf_phdr *eppnt;
13726 +- unsigned long load_addr = 0;
13727 +- int load_addr_set = 0;
13728 ++ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
13729 + unsigned long last_bss = 0, elf_bss = 0;
13730 +- unsigned long error = ~0UL;
13731 ++ unsigned long error = -EINVAL;
13732 + int retval, i, size;
13733 +
13734 + /* First of all, some simple consistency checks */
13735 +@@ -367,66 +379,86 @@ static unsigned long load_elf_interp(str
13736 + goto out_close;
13737 + }
13738 +
13739 ++#ifdef CONFIG_PAX_SEGMEXEC
13740 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13741 ++ task_size = SEGMEXEC_TASK_SIZE;
13742 ++#endif
13743 ++
13744 + eppnt = elf_phdata;
13745 ++ min_addr = task_size;
13746 ++ max_addr = 0;
13747 ++ error = -ENOMEM;
13748 ++
13749 + for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
13750 +- if (eppnt->p_type == PT_LOAD) {
13751 +- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
13752 +- int elf_prot = 0;
13753 +- unsigned long vaddr = 0;
13754 +- unsigned long k, map_addr;
13755 +-
13756 +- if (eppnt->p_flags & PF_R)
13757 +- elf_prot = PROT_READ;
13758 +- if (eppnt->p_flags & PF_W)
13759 +- elf_prot |= PROT_WRITE;
13760 +- if (eppnt->p_flags & PF_X)
13761 +- elf_prot |= PROT_EXEC;
13762 +- vaddr = eppnt->p_vaddr;
13763 +- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
13764 +- elf_type |= MAP_FIXED;
13765 +-
13766 +- map_addr = elf_map(interpreter, load_addr + vaddr,
13767 +- eppnt, elf_prot, elf_type);
13768 +- error = map_addr;
13769 +- if (BAD_ADDR(map_addr))
13770 +- goto out_close;
13771 +-
13772 +- if (!load_addr_set &&
13773 +- interp_elf_ex->e_type == ET_DYN) {
13774 +- load_addr = map_addr - ELF_PAGESTART(vaddr);
13775 +- load_addr_set = 1;
13776 +- }
13777 ++ if (eppnt->p_type != PT_LOAD)
13778 ++ continue;
13779 +
13780 +- /*
13781 +- * Check to see if the section's size will overflow the
13782 +- * allowed task size. Note that p_filesz must always be
13783 +- * <= p_memsize so it's only necessary to check p_memsz.
13784 +- */
13785 +- k = load_addr + eppnt->p_vaddr;
13786 +- if (BAD_ADDR(k) ||
13787 +- eppnt->p_filesz > eppnt->p_memsz ||
13788 +- eppnt->p_memsz > TASK_SIZE ||
13789 +- TASK_SIZE - eppnt->p_memsz < k) {
13790 +- error = -ENOMEM;
13791 +- goto out_close;
13792 +- }
13793 ++ /*
13794 ++ * Check to see if the section's size will overflow the
13795 ++ * allowed task size. Note that p_filesz must always be
13796 ++ * <= p_memsize so it is only necessary to check p_memsz.
13797 ++ */
13798 ++ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
13799 ++ goto out_close;
13800 +
13801 +- /*
13802 +- * Find the end of the file mapping for this phdr, and
13803 +- * keep track of the largest address we see for this.
13804 +- */
13805 +- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
13806 +- if (k > elf_bss)
13807 +- elf_bss = k;
13808 ++ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
13809 ++ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
13810 ++ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
13811 ++ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
13812 ++ }
13813 ++ if (min_addr >= max_addr || max_addr > task_size)
13814 ++ goto out_close;
13815 +
13816 +- /*
13817 +- * Do the same thing for the memory mapping - between
13818 +- * elf_bss and last_bss is the bss section.
13819 +- */
13820 +- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
13821 +- if (k > last_bss)
13822 +- last_bss = k;
13823 +- }
13824 ++ if (interp_elf_ex->e_type == ET_DYN) {
13825 ++ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
13826 ++
13827 ++ if (load_addr >= task_size)
13828 ++ goto out_close;
13829 ++
13830 ++ load_addr -= min_addr;
13831 ++ }
13832 ++
13833 ++ eppnt = elf_phdata;
13834 ++ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
13835 ++ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
13836 ++ int elf_prot = 0;
13837 ++ unsigned long vaddr = 0;
13838 ++ unsigned long k, map_addr;
13839 ++
13840 ++ if (eppnt->p_type != PT_LOAD)
13841 ++ continue;
13842 ++
13843 ++ if (eppnt->p_flags & PF_R)
13844 ++ elf_prot = PROT_READ;
13845 ++ if (eppnt->p_flags & PF_W)
13846 ++ elf_prot |= PROT_WRITE;
13847 ++ if (eppnt->p_flags & PF_X)
13848 ++ elf_prot |= PROT_EXEC;
13849 ++ vaddr = eppnt->p_vaddr;
13850 ++
13851 ++ map_addr = elf_map(interpreter, load_addr + vaddr,
13852 ++ eppnt, elf_prot, elf_type);
13853 ++ error = map_addr;
13854 ++ if (BAD_ADDR(map_addr))
13855 ++ goto out_close;
13856 ++
13857 ++ k = load_addr + eppnt->p_vaddr;
13858 ++
13859 ++ /*
13860 ++ * Find the end of the file mapping for this phdr, and
13861 ++ * keep track of the largest address we see for this.
13862 ++ */
13863 ++ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
13864 ++ if (k > elf_bss)
13865 ++ elf_bss = k;
13866 ++
13867 ++ /*
13868 ++ * Do the same thing for the memory mapping - between
13869 ++ * elf_bss and last_bss is the bss section.
13870 ++ */
13871 ++ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
13872 ++ if (k > last_bss)
13873 ++ last_bss = k;
13874 + }
13875 +
13876 + /*
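Review bot: in the second loop the assignment `k = load_addr + eppnt->p_vaddr;` is dead, since `k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;` overwrites it a few lines later; it is a leftover of the removed BAD_ADDR(k) check and should go. In the first loop, the header check `eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz` is always true when p_memsz is 0, so zero-sized PT_LOAD segments that the old code accepted are now rejected, and because `error = -ENOMEM;` is set before the loop a malformed header reports -ENOMEM rather than the -EINVAL the variable was initialised with; keep -EINVAL for the sanity checks and set -ENOMEM only on the get_unmapped_area() path. Finally, the ET_DYN path calls get_unmapped_area() and then maps each segment MAP_FIXED without taking mmap_sem in this hunk; that is only safe because exec has already de-threaded the caller, which deserves a comment.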
13877 +@@ -454,6 +486,8 @@ static unsigned long load_elf_interp(str
13878 +
13879 + *interp_load_addr = load_addr;
13880 + error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
13881 ++ if (BAD_ADDR(error))
13882 ++ error = -EFAULT;
13883 +
13884 + out_close:
13885 + kfree(elf_phdata);
13886 +@@ -464,7 +498,7 @@ out:
13887 + static unsigned long load_aout_interp(struct exec *interp_ex,
13888 + struct file *interpreter)
13889 + {
13890 +- unsigned long text_data, elf_entry = ~0UL;
13891 ++ unsigned long text_data, elf_entry = -EINVAL;
13892 + char __user * addr;
13893 + loff_t offset;
13894 +
13895 +@@ -507,6 +541,177 @@ out:
13896 + return elf_entry;
13897 + }
13898 +
13899 ++#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
13900 ++static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
13901 ++{
13902 ++ unsigned long pax_flags = 0UL;
13903 ++
13904 ++#ifdef CONFIG_PAX_PAGEEXEC
13905 ++ if (elf_phdata->p_flags & PF_PAGEEXEC)
13906 ++ pax_flags |= MF_PAX_PAGEEXEC;
13907 ++#endif
13908 ++
13909 ++#ifdef CONFIG_PAX_SEGMEXEC
13910 ++ if (elf_phdata->p_flags & PF_SEGMEXEC)
13911 ++ pax_flags |= MF_PAX_SEGMEXEC;
13912 ++#endif
13913 ++
13914 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
13915 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
13916 ++ if (nx_enabled)
13917 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
13918 ++ else
13919 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
13920 ++ }
13921 ++#endif
13922 ++
13923 ++#ifdef CONFIG_PAX_EMUTRAMP
13924 ++ if (elf_phdata->p_flags & PF_EMUTRAMP)
13925 ++ pax_flags |= MF_PAX_EMUTRAMP;
13926 ++#endif
13927 ++
13928 ++#ifdef CONFIG_PAX_MPROTECT
13929 ++ if (elf_phdata->p_flags & PF_MPROTECT)
13930 ++ pax_flags |= MF_PAX_MPROTECT;
13931 ++#endif
13932 ++
13933 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
13934 ++ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
13935 ++ pax_flags |= MF_PAX_RANDMMAP;
13936 ++#endif
13937 ++
13938 ++ return pax_flags;
13939 ++}
13940 ++#endif
13941 ++
13942 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
13943 ++static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
13944 ++{
13945 ++ unsigned long pax_flags = 0UL;
13946 ++
13947 ++#ifdef CONFIG_PAX_PAGEEXEC
13948 ++ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
13949 ++ pax_flags |= MF_PAX_PAGEEXEC;
13950 ++#endif
13951 ++
13952 ++#ifdef CONFIG_PAX_SEGMEXEC
13953 ++ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
13954 ++ pax_flags |= MF_PAX_SEGMEXEC;
13955 ++#endif
13956 ++
13957 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
13958 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
13959 ++ if (nx_enabled)
13960 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
13961 ++ else
13962 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
13963 ++ }
13964 ++#endif
13965 ++
13966 ++#ifdef CONFIG_PAX_EMUTRAMP
13967 ++ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
13968 ++ pax_flags |= MF_PAX_EMUTRAMP;
13969 ++#endif
13970 ++
13971 ++#ifdef CONFIG_PAX_MPROTECT
13972 ++ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
13973 ++ pax_flags |= MF_PAX_MPROTECT;
13974 ++#endif
13975 ++
13976 ++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
13977 ++ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
13978 ++ pax_flags |= MF_PAX_RANDMMAP;
13979 ++#endif
13980 ++
13981 ++ return pax_flags;
13982 ++}
13983 ++#endif
13984 ++
13985 ++#ifdef CONFIG_PAX_EI_PAX
13986 ++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
13987 ++{
13988 ++ unsigned long pax_flags = 0UL;
13989 ++
13990 ++#ifdef CONFIG_PAX_PAGEEXEC
13991 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
13992 ++ pax_flags |= MF_PAX_PAGEEXEC;
13993 ++#endif
13994 ++
13995 ++#ifdef CONFIG_PAX_SEGMEXEC
13996 ++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
13997 ++ pax_flags |= MF_PAX_SEGMEXEC;
13998 ++#endif
13999 ++
14000 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
14001 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14002 ++ if (nx_enabled)
14003 ++ pax_flags &= ~MF_PAX_SEGMEXEC;
14004 ++ else
14005 ++ pax_flags &= ~MF_PAX_PAGEEXEC;
14006 ++ }
14007 ++#endif
14008 ++
14009 ++#ifdef CONFIG_PAX_EMUTRAMP
14010 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
14011 ++ pax_flags |= MF_PAX_EMUTRAMP;
14012 ++#endif
14013 ++
14014 ++#ifdef CONFIG_PAX_MPROTECT
14015 ++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
14016 ++ pax_flags |= MF_PAX_MPROTECT;
14017 ++#endif
14018 ++
14019 ++#ifdef CONFIG_PAX_ASLR
14020 ++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
14021 ++ pax_flags |= MF_PAX_RANDMMAP;
14022 ++#endif
14023 ++
14024 ++ return pax_flags;
14025 ++}
14026 ++#endif
14027 ++
14028 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
14029 ++static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
14030 ++{
14031 ++ unsigned long pax_flags = 0UL;
14032 ++
14033 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
14034 ++ unsigned long i;
14035 ++#endif
14036 ++
14037 ++#ifdef CONFIG_PAX_EI_PAX
14038 ++ pax_flags = pax_parse_ei_pax(elf_ex);
14039 ++#endif
14040 ++
14041 ++#ifdef CONFIG_PAX_PT_PAX_FLAGS
14042 ++ for (i = 0UL; i < elf_ex->e_phnum; i++)
14043 ++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
14044 ++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
14045 ++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
14046 ++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
14047 ++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
14048 ++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
14049 ++ return -EINVAL;
14050 ++
14051 ++#ifdef CONFIG_PAX_SOFTMODE
14052 ++ if (pax_softmode)
14053 ++ pax_flags = pax_parse_softmode(&elf_phdata[i]);
14054 ++ else
14055 ++#endif
14056 ++
14057 ++ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
14058 ++ break;
14059 ++ }
14060 ++#endif
14061 ++
14062 ++ if (0 > pax_check_flags(&pax_flags))
14063 ++ return -EINVAL;
14064 ++
14065 ++ current->mm->pax_flags = pax_flags;
14066 ++ return 0;
14067 ++}
14068 ++#endif
14069 ++
14070 + /*
14071 + * These are the functions used to load ELF style executables and shared
14072 + * libraries. There is no binary dependent code anywhere else.
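Review bot: in pax_parse_elf_flags() a PT_PAX_FLAGS header silently replaces the result of pax_parse_ei_pax() (`pax_flags = pax_parse_hardmode(&elf_phdata[i]);` discards it), so PT_PAX_FLAGS takes precedence over EI_PAX; if that is the intended policy, say so in a comment. The `#ifdef CONFIG_PAX_SOFTMODE ... else #endif` construct followed by a blank line and the hardmode assignment is a dangling else across preprocessor lines; it compiles, but braces around both branches would make it robust. The three parsers also disagree on gating: the softmode and hardmode parsers enable RANDMMAP under `CONFIG_PAX_RANDMMAP || CONFIG_PAX_RANDUSTACK`, pax_parse_ei_pax() under `CONFIG_PAX_ASLR`, and only pax_parse_ei_pax() makes EMUTRAMP and MPROTECT conditional on PAGEEXEC or SEGMEXEC being set. If pax_check_flags() normalises these differences, note that above the call; otherwise align the three.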
14073 +@@ -544,7 +749,7 @@ static int load_elf_binary(struct linux_
14074 + char * elf_interpreter = NULL;
14075 + unsigned int interpreter_type = INTERPRETER_NONE;
14076 + unsigned char ibcs2_interpreter = 0;
14077 +- unsigned long error;
14078 ++ unsigned long error = 0;
14079 + struct elf_phdr *elf_ppnt, *elf_phdata;
14080 + unsigned long elf_bss, elf_brk;
14081 + int elf_exec_fileno;
14082 +@@ -556,12 +761,12 @@ static int load_elf_binary(struct linux_
14083 + char passed_fileno[6];
14084 + struct files_struct *files;
14085 + int executable_stack = EXSTACK_DEFAULT;
14086 +- unsigned long def_flags = 0;
14087 + struct {
14088 + struct elfhdr elf_ex;
14089 + struct elfhdr interp_elf_ex;
14090 + struct exec interp_ex;
14091 + } *loc;
14092 ++ unsigned long task_size = TASK_SIZE;
14093 +
14094 + loc = kmalloc(sizeof(*loc), GFP_KERNEL);
14095 + if (!loc) {
14096 +@@ -788,14 +993,89 @@ static int load_elf_binary(struct linux_
14097 +
14098 + /* OK, This is the point of no return */
14099 + current->flags &= ~PF_FORKNOEXEC;
14100 +- current->mm->def_flags = def_flags;
14101 ++
14102 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
14103 ++ current->mm->pax_flags = 0UL;
14104 ++#endif
14105 ++
14106 ++#ifdef CONFIG_PAX_DLRESOLVE
14107 ++ current->mm->call_dl_resolve = 0UL;
14108 ++#endif
14109 ++
14110 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
14111 ++ current->mm->call_syscall = 0UL;
14112 ++#endif
14113 ++
14114 ++#ifdef CONFIG_PAX_ASLR
14115 ++ current->mm->delta_mmap = 0UL;
14116 ++ current->mm->delta_stack = 0UL;
14117 ++#endif
14118 ++
14119 ++ current->mm->def_flags = 0;
14120 ++
14121 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
14122 ++ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
14123 ++ send_sig(SIGKILL, current, 0);
14124 ++ goto out_free_dentry;
14125 ++ }
14126 ++#endif
14127 ++
14128 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
14129 ++ pax_set_initial_flags(bprm);
14130 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
14131 ++ if (pax_set_initial_flags_func)
14132 ++ (pax_set_initial_flags_func)(bprm);
14133 ++#endif
14134 ++
14135 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
14136 ++ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
14137 ++ current->mm->context.user_cs_limit = PAGE_SIZE;
14138 ++ current->mm->def_flags |= VM_PAGEEXEC;
14139 ++ }
14140 ++#endif
14141 ++
14142 ++#ifdef CONFIG_PAX_SEGMEXEC
14143 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
14144 ++ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
14145 ++ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
14146 ++ task_size = SEGMEXEC_TASK_SIZE;
14147 ++ }
14148 ++#endif
14149 ++
14150 ++#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
14151 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14152 ++ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
14153 ++ put_cpu_no_resched();
14154 ++ }
14155 ++#endif
14156 ++
14157 ++#ifdef CONFIG_PAX_ASLR
14158 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
14159 ++ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
14160 ++ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
14161 ++ }
14162 ++#endif
14163 ++
14164 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14165 ++ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14166 ++ executable_stack = EXSTACK_DEFAULT;
14167 ++#endif
14168 +
14169 + /* Do this immediately, since STACK_TOP as used in setup_arg_pages
14170 + may depend on the personality. */
14171 + SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
14172 ++
14173 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14174 ++ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
14175 ++#endif
14176 ++
14177 + if (elf_read_implies_exec(loc->elf_ex, executable_stack))
14178 + current->personality |= READ_IMPLIES_EXEC;
14179 +
14180 ++#ifdef CONFIG_PAX_ASLR
14181 ++ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
14182 ++#endif
14183 ++
14184 + if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
14185 + current->flags |= PF_RANDOMIZE;
14186 + arch_pick_mmap_layout(current->mm);
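Review bot: the failure branch `if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) { send_sig(SIGKILL, current, 0); goto out_free_dentry; }` does not set retval before the goto, unlike the analogous `send_sig(SIGKILL, current, 0); retval = -EINVAL;` in the @@ -903 hunk, so the caller can be handed a stale (possibly zero) return value after the process has already been torn down; set `retval = -EINVAL` here as well. The two `#if ... if (!(current->mm->pax_flags & ...)) #endif` blocks followed by a blank line and then the real `if (...)` are dangling ifs across preprocessor lines and should be braced. Lastly, `executable_stack = EXSTACK_DEFAULT;` under PAGEEXEC/SEGMEXEC overrides whatever PT_GNU_STACK requested; a comment stating that an executable-stack request is deliberately ignored when NX enforcement is on would help.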
14187 +@@ -871,6 +1151,20 @@ static int load_elf_binary(struct linux_
14188 + * might try to exec. This is because the brk will
14189 + * follow the loader, and is not movable. */
14190 + load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
14191 ++
14192 ++#ifdef CONFIG_PAX_RANDMMAP
14193 ++ /* PaX: randomize base address at the default exe base if requested */
14194 ++ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
14195 ++#ifdef CONFIG_SPARC64
14196 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
14197 ++#else
14198 ++ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
14199 ++#endif
14200 ++ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
14201 ++ elf_flags |= MAP_FIXED;
14202 ++ }
14203 ++#endif
14204 ++
14205 + }
14206 +
14207 + error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
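Review bot: after choosing a random load_bias this hunk adds `elf_flags |= MAP_FIXED;`, and MAP_FIXED replaces anything already mapped in the chosen range. Nothing in the hunk shows what bounds `PAX_ELF_ET_DYN_BASE + (random << PAGE_SHIFT)` relative to the stack vma that already exists at this point, and the task_size check in the @@ -903 hunk runs only after elf_map() has already mapped the segment; either state in a comment that PAX_DELTA_MMAP_LEN is small enough to keep the image below the stack, or check the range before mapping. The `CONFIG_SPARC64` special case using `PAGE_SHIFT+1` is also unexplained.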
14208 +@@ -903,9 +1197,9 @@ static int load_elf_binary(struct linux_
14209 + * allowed task size. Note that p_filesz must always be
14210 + * <= p_memsz so it is only necessary to check p_memsz.
14211 + */
14212 +- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
14213 +- elf_ppnt->p_memsz > TASK_SIZE ||
14214 +- TASK_SIZE - elf_ppnt->p_memsz < k) {
14215 ++ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
14216 ++ elf_ppnt->p_memsz > task_size ||
14217 ++ task_size - elf_ppnt->p_memsz < k) {
14218 + /* set_brk can never work. Avoid overflows. */
14219 + send_sig(SIGKILL, current, 0);
14220 + retval = -EINVAL;
14221 +@@ -933,6 +1227,11 @@ static int load_elf_binary(struct linux_
14222 + start_data += load_bias;
14223 + end_data += load_bias;
14224 +
14225 ++#ifdef CONFIG_PAX_RANDMMAP
14226 ++ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
14227 ++ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
14228 ++#endif
14229 ++
14230 + /* Calling set_brk effectively mmaps the pages that we need
14231 + * for the bss and break sections. We must do this before
14232 + * mapping in the interpreter, to make sure it doesn't wind
14233 +@@ -944,9 +1243,11 @@ static int load_elf_binary(struct linux_
14234 + goto out_free_dentry;
14235 + }
14236 + if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
14237 +- send_sig(SIGSEGV, current, 0);
14238 +- retval = -EFAULT; /* Nobody gets to see this, but.. */
14239 +- goto out_free_dentry;
14240 ++ /*
14241 ++ * This bss-zeroing can fail if the ELF
14242 ++ * file specifies odd protections. So
14243 ++ * we don't check the return value
14244 ++ */
14245 + }
14246 +
14247 + if (elf_interpreter) {
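Review bot: removing the SIGSEGV/-EFAULT path leaves `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) { /* ... */ }` with an empty body, where padzero() is called only for its side effect inside the condition. Rewrite it as a plain `if (elf_bss != elf_brk) padzero(elf_bss);` with the comment above it, and make the comment concrete: which "odd protections" make the zeroing fail (a PT_LOAD whose last page is not writable?) and why leaving file bytes past p_filesz unzeroed is acceptable there.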
14248 +@@ -1183,8 +1484,10 @@ static int dump_seek(struct file *file,
14249 + unsigned long n = off;
14250 + if (n > PAGE_SIZE)
14251 + n = PAGE_SIZE;
14252 +- if (!dump_write(file, buf, n))
14253 ++ if (!dump_write(file, buf, n)) {
14254 ++ free_page((unsigned long)buf);
14255 + return 0;
14256 ++ }
14257 + off -= n;
14258 + }
14259 + free_page((unsigned long)buf);
14260 +@@ -1199,7 +1502,7 @@ static int dump_seek(struct file *file,
14261 + *
14262 + * I think we should skip something. But I am not sure how. H.J.
14263 + */
14264 +-static int maydump(struct vm_area_struct *vma, unsigned long mm_flags)
14265 ++static int maydump(struct vm_area_struct *vma, unsigned long mm_flags, long signr)
14266 + {
14267 + /* The vma can be set up to tell us the answer directly. */
14268 + if (vma->vm_flags & VM_ALWAYSDUMP)
14269 +@@ -1218,7 +1521,7 @@ static int maydump(struct vm_area_struct
14270 + }
14271 +
14272 + /* By default, if it hasn't been written to, don't write it out. */
14273 +- if (!vma->anon_vma)
14274 ++ if (signr != SIGKILL && !vma->anon_vma)
14275 + return test_bit(MMF_DUMP_MAPPED_PRIVATE, &mm_flags);
14276 +
14277 + return test_bit(MMF_DUMP_ANON_PRIVATE, &mm_flags);
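Review bot: the new condition `if (signr != SIGKILL && !vma->anon_vma)` changes what a SIGKILL-triggered core dump contains (untouched private file mappings are now written out), but neither this hunk nor the two @@ -1676/-1720 hunks that thread signr through explain why SIGKILL is special; add a comment above the check. Since only one signal value matters, a boolean parameter named for the behaviour would also read better than passing the raw signr.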
14278 +@@ -1275,8 +1578,11 @@ static int writenote(struct memelfnote *
14279 + #undef DUMP_WRITE
14280 +
14281 + #define DUMP_WRITE(addr, nr) \
14282 ++ do { \
14283 ++ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
14284 + if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
14285 +- goto end_coredump;
14286 ++ goto end_coredump; \
14287 ++ } while (0);
14288 + #define DUMP_SEEK(off) \
14289 + if (!dump_seek(file, (off))) \
14290 + goto end_coredump;
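Review bot: the new `} while (0);` keeps a trailing semicolon inside the macro, so every `DUMP_WRITE(addr, nr);` in the file expands to a double semicolon and `if (c) DUMP_WRITE(a, n); else ...` would no longer compile; drop the semicolon after `while (0)`. DUMP_SEEK directly below is still a bare if without braces and should get the same do/while wrapping. The `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1);` call uses the same pre-increment value as the `(size += (nr)) > limit` check, which is consistent.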
14291 +@@ -1676,7 +1982,7 @@ static int elf_core_dump(long signr, str
14292 + phdr.p_offset = offset;
14293 + phdr.p_vaddr = vma->vm_start;
14294 + phdr.p_paddr = 0;
14295 +- phdr.p_filesz = maydump(vma, mm_flags) ? sz : 0;
14296 ++ phdr.p_filesz = maydump(vma, mm_flags, signr) ? sz : 0;
14297 + phdr.p_memsz = sz;
14298 + offset += phdr.p_filesz;
14299 + phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
14300 +@@ -1720,7 +2026,7 @@ static int elf_core_dump(long signr, str
14301 + vma = next_vma(vma, gate_vma)) {
14302 + unsigned long addr;
14303 +
14304 +- if (!maydump(vma, mm_flags))
14305 ++ if (!maydump(vma, mm_flags, signr))
14306 + continue;
14307 +
14308 + for (addr = vma->vm_start;
14309 +@@ -1743,6 +2049,7 @@ static int elf_core_dump(long signr, str
14310 + flush_cache_page(vma, addr,
14311 + page_to_pfn(page));
14312 + kaddr = kmap(page);
14313 ++ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
14314 + if ((size += PAGE_SIZE) > limit ||
14315 + !dump_write(file, kaddr,
14316 + PAGE_SIZE)) {
14317 +diff -Nurp linux-2.6.23.15/fs/binfmt_flat.c linux-2.6.23.15-grsec/fs/binfmt_flat.c
14318 +--- linux-2.6.23.15/fs/binfmt_flat.c 2007-10-09 21:31:38.000000000 +0100
14319 ++++ linux-2.6.23.15-grsec/fs/binfmt_flat.c 2008-02-11 10:37:44.000000000 +0000
14320 +@@ -559,7 +559,9 @@ static int load_flat_file(struct linux_b
14321 + realdatastart = (unsigned long) -ENOMEM;
14322 + printk("Unable to allocate RAM for process data, errno %d\n",
14323 + (int)-realdatastart);
14324 ++ down_write(&current->mm->mmap_sem);
14325 + do_munmap(current->mm, textpos, text_len);
14326 ++ up_write(&current->mm->mmap_sem);
14327 + ret = realdatastart;
14328 + goto err;
14329 + }
14330 +@@ -581,8 +583,10 @@ static int load_flat_file(struct linux_b
14331 + }
14332 + if (result >= (unsigned long)-4096) {
14333 + printk("Unable to read data+bss, errno %d\n", (int)-result);
14334 ++ down_write(&current->mm->mmap_sem);
14335 + do_munmap(current->mm, textpos, text_len);
14336 + do_munmap(current->mm, realdatastart, data_len + extra);
14337 ++ up_write(&current->mm->mmap_sem);
14338 + ret = result;
14339 + goto err;
14340 + }
14341 +@@ -655,8 +659,10 @@ static int load_flat_file(struct linux_b
14342 + }
14343 + if (result >= (unsigned long)-4096) {
14344 + printk("Unable to read code+data+bss, errno %d\n",(int)-result);
14345 ++ down_write(&current->mm->mmap_sem);
14346 + do_munmap(current->mm, textpos, text_len + data_len + extra +
14347 + MAX_SHARED_LIBS * sizeof(unsigned long));
14348 ++ up_write(&current->mm->mmap_sem);
14349 + ret = result;
14350 + goto err;
14351 + }
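Review bot: the three binfmt_flat.c hunks are a standalone locking fix (do_munmap() must be called with mmap_sem held for writing, and these error paths called it unlocked) with no dependency on grsecurity; split them out so they can be sent upstream and dropped from this patch once merged. The wrapping itself is correct in all three places, including the @@ -581 hunk that unmaps both ranges under one down_write/up_write pair.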
14352 +diff -Nurp linux-2.6.23.15/fs/binfmt_misc.c linux-2.6.23.15-grsec/fs/binfmt_misc.c
14353 +--- linux-2.6.23.15/fs/binfmt_misc.c 2007-10-09 21:31:38.000000000 +0100
14354 ++++ linux-2.6.23.15-grsec/fs/binfmt_misc.c 2008-02-11 10:37:44.000000000 +0000
14355 +@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
14356 + struct files_struct *files = NULL;
14357 +
14358 + retval = -ENOEXEC;
14359 +- if (!enabled)
14360 ++ if (!enabled || bprm->misc)
14361 + goto _ret;
14362 +
14363 ++ bprm->misc++;
14364 ++
14365 + /* to keep locking time low, we copy the interpreter string */
14366 + read_lock(&entries_lock);
14367 + fmt = check_file(bprm);
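Review bot: `if (!enabled || bprm->misc) goto _ret;` followed by `bprm->misc++;` makes any second binfmt_misc pass on the same bprm fail with -ENOEXEC, which stops an interpreter that is itself a binfmt_misc entry from recursing. The hunk does not show the declaration of the new bprm->misc field or where it is zeroed when the bprm is allocated; if the allocation is not already zeroing, every exec will hit the guard. A short comment that the counter is intentionally never decremented would also help.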
14368 +@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
14369 + static struct tree_descr bm_files[] = {
14370 + [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
14371 + [3] = {"register", &bm_register_operations, S_IWUSR},
14372 +- /* last one */ {""}
14373 ++ /* last one */ {"", NULL, 0}
14374 + };
14375 + int err = simple_fill_super(sb, 0x42494e4d, bm_files);
14376 + if (!err)
14377 +diff -Nurp linux-2.6.23.15/fs/buffer.c linux-2.6.23.15-grsec/fs/buffer.c
14378 +--- linux-2.6.23.15/fs/buffer.c 2007-10-09 21:31:38.000000000 +0100
14379 ++++ linux-2.6.23.15-grsec/fs/buffer.c 2008-02-11 10:37:44.000000000 +0000
14380 +@@ -41,6 +41,7 @@
14381 + #include <linux/bitops.h>
14382 + #include <linux/mpage.h>
14383 + #include <linux/bit_spinlock.h>
14384 ++#include <linux/grsecurity.h>
14385 +
14386 + static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
14387 +
14388 +@@ -2017,6 +2018,7 @@ static int __generic_cont_expand(struct
14389 +
14390 + err = -EFBIG;
14391 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
14392 ++ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
14393 + if (limit != RLIM_INFINITY && size > (loff_t)limit) {
14394 + send_sig(SIGXFSZ, current, 0);
14395 + goto out;
14396 +diff -Nurp linux-2.6.23.15/fs/cifs/cifs_uniupr.h linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h
14397 +--- linux-2.6.23.15/fs/cifs/cifs_uniupr.h 2007-10-09 21:31:38.000000000 +0100
14398 ++++ linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h 2008-02-11 10:37:44.000000000 +0000
14399 +@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
14400 + {0x0490, 0x04cc, UniCaseRangeU0490},
14401 + {0x1e00, 0x1ffc, UniCaseRangeU1e00},
14402 + {0xff40, 0xff5a, UniCaseRangeUff40},
14403 +- {0}
14404 ++ {0, 0, NULL}
14405 + };
14406 + #endif
14407 +
14408 +diff -Nurp linux-2.6.23.15/fs/cifs/dir.c linux-2.6.23.15-grsec/fs/cifs/dir.c
14409 +--- linux-2.6.23.15/fs/cifs/dir.c 2007-10-09 21:31:38.000000000 +0100
14410 ++++ linux-2.6.23.15-grsec/fs/cifs/dir.c 2008-02-11 10:37:44.000000000 +0000
14411 +@@ -397,7 +397,7 @@ int cifs_mknod(struct inode *inode, stru
14412 + /* BB Do not bother to decode buf since no
14413 + local inode yet to put timestamps in,
14414 + but we can reuse it safely */
14415 +- int bytes_written;
14416 ++ unsigned int bytes_written;
14417 + struct win_dev *pdev;
14418 + pdev = (struct win_dev *)buf;
14419 + if (S_ISCHR(mode)) {
14420 +diff -Nurp linux-2.6.23.15/fs/cifs/inode.c linux-2.6.23.15-grsec/fs/cifs/inode.c
14421 +--- linux-2.6.23.15/fs/cifs/inode.c 2008-02-11 10:36:03.000000000 +0000
14422 ++++ linux-2.6.23.15-grsec/fs/cifs/inode.c 2008-02-11 10:37:44.000000000 +0000
14423 +@@ -1470,7 +1470,7 @@ int cifs_setattr(struct dentry *direntry
14424 + atomic_dec(&open_file->wrtPending);
14425 + cFYI(1, ("SetFSize for attrs rc = %d", rc));
14426 + if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
14427 +- int bytes_written;
14428 ++ unsigned int bytes_written;
14429 + rc = CIFSSMBWrite(xid, pTcon,
14430 + nfid, 0, attrs->ia_size,
14431 + &bytes_written, NULL, NULL,
14432 +@@ -1503,7 +1503,7 @@ int cifs_setattr(struct dentry *direntry
14433 + cifs_sb->mnt_cifs_flags &
14434 + CIFS_MOUNT_MAP_SPECIAL_CHR);
14435 + if (rc == 0) {
14436 +- int bytes_written;
14437 ++ unsigned int bytes_written;
14438 + rc = CIFSSMBWrite(xid, pTcon,
14439 + netfid, 0,
14440 + attrs->ia_size,
14441 +diff -Nurp linux-2.6.23.15/fs/compat.c linux-2.6.23.15-grsec/fs/compat.c
14442 +--- linux-2.6.23.15/fs/compat.c 2007-10-09 21:31:38.000000000 +0100
14443 ++++ linux-2.6.23.15-grsec/fs/compat.c 2008-02-11 10:37:44.000000000 +0000
14444 +@@ -50,6 +50,7 @@
14445 + #include <linux/poll.h>
14446 + #include <linux/mm.h>
14447 + #include <linux/eventpoll.h>
14448 ++#include <linux/grsecurity.h>
14449 +
14450 + #include <asm/uaccess.h>
14451 + #include <asm/mmu_context.h>
14452 +@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
14453 + if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
14454 + struct page *page;
14455 +
14456 +-#ifdef CONFIG_STACK_GROWSUP
14457 + ret = expand_stack_downwards(bprm->vma, pos);
14458 + if (ret < 0) {
14459 + /* We've exceed the stack rlimit. */
14460 + ret = -E2BIG;
14461 + goto out;
14462 + }
14463 +-#endif
14464 + ret = get_user_pages(current, bprm->mm, pos,
14465 + 1, 1, 1, &page, NULL);
14466 + if (ret <= 0) {
14467 +@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
14468 + compat_uptr_t __user *envp,
14469 + struct pt_regs * regs)
14470 + {
14471 ++#ifdef CONFIG_GRKERNSEC
14472 ++ struct file *old_exec_file;
14473 ++ struct acl_subject_label *old_acl;
14474 ++ struct rlimit old_rlim[RLIM_NLIMITS];
14475 ++#endif
14476 + struct linux_binprm *bprm;
14477 + struct file *file;
14478 + int retval;
14479 +@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
14480 + bprm->filename = filename;
14481 + bprm->interp = filename;
14482 +
14483 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
14484 ++ retval = -EAGAIN;
14485 ++ if (gr_handle_nproc())
14486 ++ goto out_file;
14487 ++ retval = -EACCES;
14488 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
14489 ++ goto out_file;
14490 ++
14491 + retval = bprm_mm_init(bprm);
14492 + if (retval)
14493 + goto out_file;
14494 +@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
14495 + if (retval < 0)
14496 + goto out;
14497 +
14498 ++ if (!gr_tpe_allow(file)) {
14499 ++ retval = -EACCES;
14500 ++ goto out;
14501 ++ }
14502 ++
14503 ++ if (gr_check_crash_exec(file)) {
14504 ++ retval = -EACCES;
14505 ++ goto out;
14506 ++ }
14507 ++
14508 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
14509 ++
14510 ++ gr_handle_exec_args(bprm, (char __user * __user *)argv);
14511 ++
14512 ++#ifdef CONFIG_GRKERNSEC
14513 ++ old_acl = current->acl;
14514 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
14515 ++ old_exec_file = current->exec_file;
14516 ++ get_file(file);
14517 ++ current->exec_file = file;
14518 ++#endif
14519 ++
14520 ++ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
14521 ++
14522 + retval = search_binary_handler(bprm, regs);
14523 + if (retval >= 0) {
14524 ++#ifdef CONFIG_GRKERNSEC
14525 ++ if (old_exec_file)
14526 ++ fput(old_exec_file);
14527 ++#endif
14528 + /* execve success */
14529 + security_bprm_free(bprm);
14530 + acct_update_integrals(current);
14531 +@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
14532 + return retval;
14533 + }
14534 +
14535 ++#ifdef CONFIG_GRKERNSEC
14536 ++ current->acl = old_acl;
14537 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
14538 ++ fput(current->exec_file);
14539 ++ current->exec_file = old_exec_file;
14540 ++#endif
14541 ++
14542 + out:
14543 + if (bprm->security)
14544 + security_bprm_free(bprm);
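Review bot: the grsecurity hook sequence (gr_learn_resource/gr_handle_nproc/gr_acl_handle_execve before bprm_mm_init, then gr_tpe_allow, gr_check_crash_exec, gr_log_chroot_exec, gr_handle_exec_args, the acl/rlim/exec_file save, gr_set_proc_label, and the restore on failure) is open-coded here in compat_do_execve(); the native do_execve() is not in this hunk but must carry the identical sequence, so factor it into a shared helper to keep the two paths from drifting. The locals under `#ifdef CONFIG_GRKERNSEC` are balanced (get_file(file) on entry, fput(old_exec_file) on success, fput(current->exec_file) and the rlim/acl memcpy restore on failure), but the gr_* calls outside that ifdef run unconditionally, so grsecurity.h must provide no-op inlines when CONFIG_GRKERNSEC is off.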
14545 +diff -Nurp linux-2.6.23.15/fs/compat_ioctl.c linux-2.6.23.15-grsec/fs/compat_ioctl.c
14546 +--- linux-2.6.23.15/fs/compat_ioctl.c 2007-10-09 21:31:38.000000000 +0100
14547 ++++ linux-2.6.23.15-grsec/fs/compat_ioctl.c 2008-02-11 10:37:44.000000000 +0000
14548 +@@ -2431,15 +2431,15 @@ struct ioctl_trans {
14549 + };
14550 +
14551 + #define HANDLE_IOCTL(cmd,handler) \
14552 +- { (cmd), (ioctl_trans_handler_t)(handler) },
14553 ++ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
14554 +
14555 + /* pointer to compatible structure or no argument */
14556 + #define COMPATIBLE_IOCTL(cmd) \
14557 +- { (cmd), do_ioctl32_pointer },
14558 ++ { (cmd), do_ioctl32_pointer, NULL },
14559 +
14560 + /* argument is an unsigned long integer, not a pointer */
14561 + #define ULONG_IOCTL(cmd) \
14562 +- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
14563 ++ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
14564 +
14565 + /* ioctl should not be warned about even if it's not implemented.
14566 + Valid reasons to use this:
14567 +diff -Nurp linux-2.6.23.15/fs/debugfs/inode.c linux-2.6.23.15-grsec/fs/debugfs/inode.c
14568 +--- linux-2.6.23.15/fs/debugfs/inode.c 2007-10-09 21:31:38.000000000 +0100
14569 ++++ linux-2.6.23.15-grsec/fs/debugfs/inode.c 2008-02-11 10:37:44.000000000 +0000
14570 +@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
14571 +
14572 + static int debug_fill_super(struct super_block *sb, void *data, int silent)
14573 + {
14574 +- static struct tree_descr debug_files[] = {{""}};
14575 ++ static struct tree_descr debug_files[] = {{"", NULL, 0}};
14576 +
14577 + return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
14578 + }
14579 +diff -Nurp linux-2.6.23.15/fs/exec.c linux-2.6.23.15-grsec/fs/exec.c
14580 +--- linux-2.6.23.15/fs/exec.c 2008-02-11 10:36:03.000000000 +0000
14581 ++++ linux-2.6.23.15-grsec/fs/exec.c 2008-02-11 10:37:44.000000000 +0000
14582 +@@ -50,6 +50,8 @@
14583 + #include <linux/tsacct_kern.h>
14584 + #include <linux/cn_proc.h>
14585 + #include <linux/audit.h>
14586 ++#include <linux/random.h>
14587 ++#include <linux/grsecurity.h>
14588 +
14589 + #include <asm/uaccess.h>
14590 + #include <asm/mmu_context.h>
14591 +@@ -184,18 +186,10 @@ static struct page *get_arg_page(struct
14592 + int write)
14593 + {
14594 + struct page *page;
14595 +- int ret;
14596 +
14597 +-#ifdef CONFIG_STACK_GROWSUP
14598 +- if (write) {
14599 +- ret = expand_stack_downwards(bprm->vma, pos);
14600 +- if (ret < 0)
14601 +- return NULL;
14602 +- }
14603 +-#endif
14604 +- ret = get_user_pages(current, bprm->mm, pos,
14605 +- 1, write, 1, &page, NULL);
14606 +- if (ret <= 0)
14607 ++ if (0 > expand_stack_downwards(bprm->vma, pos))
14608 ++ return NULL;
14609 ++ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
14610 + return NULL;
14611 +
14612 + if (write) {
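Review bot: the @@ -184 hunk of get_arg_page() drops both the `#ifdef CONFIG_STACK_GROWSUP` guard and the `if (write)` guard, so `expand_stack_downwards(bprm->vma, pos)` now runs for read-only lookups and on every architecture, and a read of an address below the argument VMA grows the VMA instead of failing as it did before. If that is what the PaX stack layout needs, the reason belongs in a comment above the call, because the upstream code is explicit that only writes on grows-up stacks need the expansion. Minor: the `0 > expr` / `0 >= expr` operand order is unlike the rest of fs/exec.c; `expr < 0` and `expr <= 0` read as the surrounding code does.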
14613 +@@ -260,7 +254,12 @@ static int __bprm_mm_init(struct linux_b
14614 + vma->vm_start = vma->vm_end - PAGE_SIZE;
14615 +
14616 + vma->vm_flags = VM_STACK_FLAGS;
14617 +- vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
14618 ++
14619 ++#ifdef CONFIG_PAX_SEGMEXEC
14620 ++ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
14621 ++#endif
14622 ++
14623 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
14624 + err = insert_vm_struct(mm, vma);
14625 + if (err) {
14626 + up_write(&mm->mmap_sem);
14627 +@@ -272,6 +271,11 @@ static int __bprm_mm_init(struct linux_b
14628 +
14629 + bprm->p = vma->vm_end - sizeof(void *);
14630 +
14631 ++#ifdef CONFIG_PAX_RANDUSTACK
14632 ++ if (randomize_va_space)
14633 ++ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
14634 ++#endif
14635 ++
14636 + return 0;
14637 +
14638 + err:
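Review bot: the CONFIG_PAX_RANDUSTACK block in the @@ -272 hunk should carry a comment stating its range. `(pax_get_random_long() & ~15) & ~PAGE_MASK` is a 16-byte-aligned offset within one page, and XORing it into `bprm->p` (which starts at `vm_end - sizeof(void *)`) keeps `bprm->p` inside that same page and leaves its low four bits untouched, so the argument area keeps its alignment and moves with PAGE_SHIFT-4 bits of entropy, gated by the `randomize_va_space` sysctl. Saying so here stops a later reader from taking the XOR for a subtraction and looking for an underflow below `vm_start`.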
14639 +@@ -395,7 +399,7 @@ static int count(char __user * __user *
14640 + if (!p)
14641 + break;
14642 + argv++;
14643 +- if(++i > max)
14644 ++ if (++i > max)
14645 + return -E2BIG;
14646 + cond_resched();
14647 + }
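Review bot: the @@ -395 hunk in count() is whitespace only (`if(` to `if (`). Unrelated cosmetic churn makes a patch of this size harder to rebase and review; drop it from the security patch or carry it in a separate cleanup.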
14648 +@@ -535,6 +539,10 @@ static int shift_arg_pages(struct vm_are
14649 + if (vma != find_vma(mm, new_start))
14650 + return -EFAULT;
14651 +
14652 ++#ifdef CONFIG_PAX_SEGMEXEC
14653 ++ BUG_ON(pax_find_mirror_vma(vma));
14654 ++#endif
14655 ++
14656 + /*
14657 + * cover the whole range: [new_start, old_end)
14658 + */
14659 +@@ -623,6 +631,14 @@ int setup_arg_pages(struct linux_binprm
14660 + bprm->exec -= stack_shift;
14661 +
14662 + down_write(&mm->mmap_sem);
14663 ++
14664 ++ /* Move stack pages down in memory. */
14665 ++ if (stack_shift) {
14666 ++ ret = shift_arg_pages(vma, stack_shift);
14667 ++ if (ret)
14668 ++ goto out_unlock;
14669 ++ }
14670 ++
14671 + vm_flags = vma->vm_flags;
14672 +
14673 + /*
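Review bot: the @@ -623 hunk moves the `shift_arg_pages()` call ahead of the `vm_flags` computation and `mprotect_fixup()` (the old call site is deleted in the next hunk) without saying why. The only hint on the page is the `BUG_ON(pax_find_mirror_vma(vma))` this patch adds to shift_arg_pages() under CONFIG_PAX_SEGMEXEC, which implies the shift has to happen before any mirror VMA can exist; put that ordering constraint into the `/* Move stack pages down in memory. */` comment so nobody moves the call back. Routing the failure through `goto out_unlock` instead of `up_write` plus `return` is fine because the later hunk in this function makes out_unlock return `ret`.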
14674 +@@ -634,23 +650,28 @@ int setup_arg_pages(struct linux_binprm
14675 + vm_flags |= VM_EXEC;
14676 + else if (executable_stack == EXSTACK_DISABLE_X)
14677 + vm_flags &= ~VM_EXEC;
14678 ++ else
14679 ++ vm_flags = VM_STACK_FLAGS;
14680 + vm_flags |= mm->def_flags;
14681 +
14682 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14683 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
14684 ++ vm_flags &= ~VM_EXEC;
14685 ++
14686 ++#ifdef CONFIG_PAX_MPROTECT
14687 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
14688 ++ vm_flags &= ~VM_MAYEXEC;
14689 ++#endif
14690 ++
14691 ++ }
14692 ++#endif
14693 ++
14694 + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
14695 + vm_flags);
14696 + if (ret)
14697 + goto out_unlock;
14698 + BUG_ON(prev != vma);
14699 +
14700 +- /* Move stack pages down in memory. */
14701 +- if (stack_shift) {
14702 +- ret = shift_arg_pages(vma, stack_shift);
14703 +- if (ret) {
14704 +- up_write(&mm->mmap_sem);
14705 +- return ret;
14706 +- }
14707 +- }
14708 +-
14709 + #ifdef CONFIG_STACK_GROWSUP
14710 + stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
14711 + #else
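Review bot: the new `else vm_flags = VM_STACK_FLAGS;` in the @@ -634 hunk changes the EXSTACK_DEFAULT case from "keep the flags the VMA already has" to a fresh VM_STACK_FLAGS. On a CONFIG_PAX_SEGMEXEC kernel that silently undoes the `VM_EXEC | VM_MAYEXEC` clearing __bprm_mm_init() did unconditionally earlier in this patch, and the PAGEEXEC/SEGMEXEC block below then removes VM_EXEC again only when `mm->pax_flags` asks for it, so a task with PaX disabled ends up with the arch default stack permissions. That looks intended, but it is a two-step interaction across functions and needs a comment next to the `else`. The CONFIG_PAX_MPROTECT part also strips VM_MAYEXEC, which is what later makes mprotect(PROT_EXEC) on the stack fail for MF_PAX_MPROTECT tasks; a one-line comment there would help as well.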
14712 +@@ -662,7 +683,7 @@ int setup_arg_pages(struct linux_binprm
14713 +
14714 + out_unlock:
14715 + up_write(&mm->mmap_sem);
14716 +- return 0;
14717 ++ return ret;
14718 + }
14719 + EXPORT_SYMBOL(setup_arg_pages);
14720 +
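Review bot: `return ret` at out_unlock in the @@ -662 hunk is required now that the shift_arg_pages() failure jumps there, and it also means any earlier `ret` assignment in setup_arg_pages() is no longer masked by the old hard-coded `return 0`. Check that every success path that falls through to out_unlock leaves `ret` at 0 (the mprotect_fixup() assignment in the previous hunk does; the stack-base code after it is not in the diff), and note in the changelog that this surfaces errors that were previously swallowed, since that is a behaviour change for non-PaX builds too.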
14721 +@@ -682,7 +703,7 @@ struct file *open_exec(const char *name)
14722 + file = ERR_PTR(-EACCES);
14723 + if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
14724 + S_ISREG(inode->i_mode)) {
14725 +- int err = vfs_permission(&nd, MAY_EXEC);
14726 ++ err = vfs_permission(&nd, MAY_EXEC);
14727 + file = ERR_PTR(err);
14728 + if (!err) {
14729 + file = nameidata_to_filp(&nd, O_RDONLY);
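Review bot: the @@ -682 hunk in open_exec() deletes the block-local `int err` and assigns to a bare `err`, but no function-scope declaration of `err` appears in the hunk's context. If open_exec() does not already declare `err` at the top (not visible on this page) this does not compile; if it does, the change merely removes a shadowed variable and should be labelled as such in the changelog rather than sit unexplained between grsec hooks.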
14730 +@@ -1339,6 +1360,11 @@ int do_execve(char * filename,
14731 + char __user *__user *envp,
14732 + struct pt_regs * regs)
14733 + {
14734 ++#ifdef CONFIG_GRKERNSEC
14735 ++ struct file *old_exec_file;
14736 ++ struct acl_subject_label *old_acl;
14737 ++ struct rlimit old_rlim[RLIM_NLIMITS];
14738 ++#endif
14739 + struct linux_binprm *bprm;
14740 + struct file *file;
14741 + unsigned long env_p;
14742 +@@ -1354,6 +1380,20 @@ int do_execve(char * filename,
14743 + if (IS_ERR(file))
14744 + goto out_kfree;
14745 +
14746 ++ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
14747 ++
14748 ++ if (gr_handle_nproc()) {
14749 ++ allow_write_access(file);
14750 ++ fput(file);
14751 ++ return -EAGAIN;
14752 ++ }
14753 ++
14754 ++ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
14755 ++ allow_write_access(file);
14756 ++ fput(file);
14757 ++ return -EACCES;
14758 ++ }
14759 ++
14760 + sched_exec();
14761 +
14762 + bprm->file = file;
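Review bot: the two early exits in the @@ -1354 hunk (`return -EAGAIN` after gr_handle_nproc(), `return -EACCES` after gr_acl_handle_execve()) leak `bprm`. The `IS_ERR(file)` check two lines above jumps to out_kfree, which shows bprm has already been allocated at this point, and `bprm->file` is only assigned after these checks, so the out_file cleanup cannot be used yet either. Suggest `retval = -EAGAIN;` / `allow_write_access(file); fput(file);` / `goto out_kfree;` for the first and the same with -EACCES for the second, so the existing cleanup labels do the freeing.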
14763 +@@ -1395,8 +1435,38 @@ int do_execve(char * filename,
14764 + goto out;
14765 + bprm->argv_len = env_p - bprm->p;
14766 +
14767 ++ if (!gr_tpe_allow(file)) {
14768 ++ retval = -EACCES;
14769 ++ goto out;
14770 ++ }
14771 ++
14772 ++ if (gr_check_crash_exec(file)) {
14773 ++ retval = -EACCES;
14774 ++ goto out;
14775 ++ }
14776 ++
14777 ++ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
14778 ++
14779 ++ gr_handle_exec_args(bprm, argv);
14780 ++
14781 ++#ifdef CONFIG_GRKERNSEC
14782 ++ old_acl = current->acl;
14783 ++ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
14784 ++ old_exec_file = current->exec_file;
14785 ++ get_file(file);
14786 ++ current->exec_file = file;
14787 ++#endif
14788 ++
14789 ++ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
14790 ++ if (retval < 0)
14791 ++ goto out_fail;
14792 ++
14793 + retval = search_binary_handler(bprm,regs);
14794 + if (retval >= 0) {
14795 ++#ifdef CONFIG_GRKERNSEC
14796 ++ if (old_exec_file)
14797 ++ fput(old_exec_file);
14798 ++#endif
14799 + /* execve success */
14800 + free_arg_pages(bprm);
14801 + security_bprm_free(bprm);
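Review bot: the @@ -1395 hunk takes an extra reference with `get_file(file)` and parks it in `current->exec_file`. The failure path releases it under out_fail, but the success path only releases `old_exec_file`, so the new reference outlives do_execve() and nothing on this page shows where it is dropped (presumably at task exit). A comment at the `get_file()` naming the owner of that reference and the release point would save the next reader a search. Also worth stating in the changelog: gr_tpe_allow() and gr_check_crash_exec() run only after `bprm->argv_len` has been computed, i.e. after the argument strings are already in the new mm, so a TPE denial is more expensive than the gr_acl_handle_execve() denial earlier in the function.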
14802 +@@ -1405,6 +1475,14 @@ int do_execve(char * filename,
14803 + return retval;
14804 + }
14805 +
14806 ++out_fail:
14807 ++#ifdef CONFIG_GRKERNSEC
14808 ++ current->acl = old_acl;
14809 ++ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
14810 ++ fput(current->exec_file);
14811 ++ current->exec_file = old_exec_file;
14812 ++#endif
14813 ++
14814 + out:
14815 + free_arg_pages(bprm);
14816 + if (bprm->security)
14817 +@@ -1561,6 +1639,114 @@ out:
14818 + return ispipe;
14819 + }
14820 +
14821 ++int pax_check_flags(unsigned long *flags)
14822 ++{
14823 ++ int retval = 0;
14824 ++
14825 ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
14826 ++ if (*flags & MF_PAX_SEGMEXEC)
14827 ++ {
14828 ++ *flags &= ~MF_PAX_SEGMEXEC;
14829 ++ retval = -EINVAL;
14830 ++ }
14831 ++#endif
14832 ++
14833 ++ if ((*flags & MF_PAX_PAGEEXEC)
14834 ++
14835 ++#ifdef CONFIG_PAX_PAGEEXEC
14836 ++ && (*flags & MF_PAX_SEGMEXEC)
14837 ++#endif
14838 ++
14839 ++ )
14840 ++ {
14841 ++ *flags &= ~MF_PAX_PAGEEXEC;
14842 ++ retval = -EINVAL;
14843 ++ }
14844 ++
14845 ++ if ((*flags & MF_PAX_MPROTECT)
14846 ++
14847 ++#ifdef CONFIG_PAX_MPROTECT
14848 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14849 ++#endif
14850 ++
14851 ++ )
14852 ++ {
14853 ++ *flags &= ~MF_PAX_MPROTECT;
14854 ++ retval = -EINVAL;
14855 ++ }
14856 ++
14857 ++ if ((*flags & MF_PAX_EMUTRAMP)
14858 ++
14859 ++#ifdef CONFIG_PAX_EMUTRAMP
14860 ++ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
14861 ++#endif
14862 ++
14863 ++ )
14864 ++ {
14865 ++ *flags &= ~MF_PAX_EMUTRAMP;
14866 ++ retval = -EINVAL;
14867 ++ }
14868 ++
14869 ++ return retval;
14870 ++}
14871 ++
14872 ++EXPORT_SYMBOL(pax_check_flags);
14873 ++
14874 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14875 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
14876 ++{
14877 ++ struct task_struct *tsk = current;
14878 ++ struct mm_struct *mm = current->mm;
14879 ++ char *buffer_exec = (char *)__get_free_page(GFP_ATOMIC);
14880 ++ char *buffer_fault = (char *)__get_free_page(GFP_ATOMIC);
14881 ++ char *path_exec = NULL;
14882 ++ char *path_fault = NULL;
14883 ++ unsigned long start = 0UL, end = 0UL, offset = 0UL;
14884 ++
14885 ++ if (buffer_exec && buffer_fault) {
14886 ++ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
14887 ++
14888 ++ down_read(&mm->mmap_sem);
14889 ++ vma = mm->mmap;
14890 ++ while (vma && (!vma_exec || !vma_fault)) {
14891 ++ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
14892 ++ vma_exec = vma;
14893 ++ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
14894 ++ vma_fault = vma;
14895 ++ vma = vma->vm_next;
14896 ++ }
14897 ++ if (vma_exec) {
14898 ++ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
14899 ++ if (IS_ERR(path_exec))
14900 ++ path_exec = "<path too long>";
14901 ++ }
14902 ++ if (vma_fault) {
14903 ++ start = vma_fault->vm_start;
14904 ++ end = vma_fault->vm_end;
14905 ++ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
14906 ++ if (vma_fault->vm_file) {
14907 ++ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
14908 ++ if (IS_ERR(path_fault))
14909 ++ path_fault = "<path too long>";
14910 ++ } else
14911 ++ path_fault = "<anonymous mapping>";
14912 ++ }
14913 ++ up_read(&mm->mmap_sem);
14914 ++ }
14915 ++ if (tsk->signal->curr_ip)
14916 ++ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
14917 ++ else
14918 ++ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
14919 ++ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
14920 ++ "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
14921 ++ tsk->uid, tsk->euid, pc, sp);
14922 ++ free_page((unsigned long)buffer_exec);
14923 ++ free_page((unsigned long)buffer_fault);
14924 ++ pax_report_insns(pc, sp);
14925 ++ do_coredump(SIGKILL, SIGKILL, regs);
14926 ++}
14927 ++#endif
14928 ++
14929 + static void zap_process(struct task_struct *start)
14930 + {
14931 + struct task_struct *t;
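Review bot: pax_report_fault() in the @@ -1561 hunk ends with `do_coredump(SIGKILL, SIGKILL, regs)` and then simply returns, but do_coredump() can return to its caller, for instance through the `goto fail_unlock` this same patch touches in the @@ -1753 hunk when RLIMIT_CORE is below `binfmt->min_coredump`. Nothing here forces the task to exit afterwards, so the arch fault handler that called pax_report_fault() would resume the task. Suggest following the do_coredump() call with an unconditional `do_group_exit(SIGKILL)` (or `force_sig(SIGKILL, current)`) so termination does not depend on the coredump path succeeding. Smaller points in the same hunk: `path_exec`/`path_fault` stay NULL when no matching VMA is found or a GFP_ATOMIC page is unavailable and are then passed to `%s`, which printk tolerates but renders as `<NULL>`; initialising them to a fixed string gives a clearer log line. pax_check_flags() is exported but carries no comment on its ordering: SEGMEXEC is sanitised first so the PAGEEXEC exclusivity test further down sees the cleaned value, and that dependency should be written down.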
14932 +@@ -1753,6 +1939,10 @@ int do_coredump(long signr, int exit_cod
14933 + */
14934 + clear_thread_flag(TIF_SIGPENDING);
14935 +
14936 ++ if (signr == SIGKILL || signr == SIGILL)
14937 ++ gr_handle_brute_attach(current);
14938 ++
14939 ++ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
14940 + if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
14941 + goto fail_unlock;
14942 +
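Review bot: the `signr == SIGKILL` test added in the @@ -1753 hunk needs a comment. SIGKILL is not a core-dumping signal, so the only way do_coredump() sees it is the explicit `do_coredump(SIGKILL, SIGKILL, regs)` call from pax_report_fault() in this same patch; gr_handle_brute_attach() is therefore effectively "a PaX kill or a SIGILL happened". Spelling that out prevents the SIGKILL branch being removed later as dead code.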
14943 +diff -Nurp linux-2.6.23.15/fs/ext2/balloc.c linux-2.6.23.15-grsec/fs/ext2/balloc.c
14944 +--- linux-2.6.23.15/fs/ext2/balloc.c 2007-10-09 21:31:38.000000000 +0100
14945 ++++ linux-2.6.23.15-grsec/fs/ext2/balloc.c 2008-02-11 10:37:44.000000000 +0000
14946 +@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
14947 + if (free_blocks < count)
14948 + count = free_blocks;
14949 +
14950 +- if (free_blocks < root_blocks + count && !capable(CAP_SYS_RESOURCE) &&
14951 ++ if (free_blocks < root_blocks + count && !capable_nolog(CAP_SYS_RESOURCE) &&
14952 + sbi->s_resuid != current->fsuid &&
14953 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
14954 + /*
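Review bot: the `capable()` to `capable_nolog(CAP_SYS_RESOURCE)` swap in the @@ -111 hunk (repeated identically in the ext3 and ext4 balloc.c hunks below) is a logging change, not a permission change: `capable_nolog` is a grsecurity helper rather than a mainline API, presumably introduced because this reserved-blocks check is hit by ordinary allocations and auditing each failed capability test would flood the log. The changelog should say so, and since none of the three hunks adds an include, the declaration of capable_nolog must already reach these files through the headers they include.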
14955 +diff -Nurp linux-2.6.23.15/fs/ext3/balloc.c linux-2.6.23.15-grsec/fs/ext3/balloc.c
14956 +--- linux-2.6.23.15/fs/ext3/balloc.c 2007-10-09 21:31:38.000000000 +0100
14957 ++++ linux-2.6.23.15-grsec/fs/ext3/balloc.c 2008-02-11 10:37:44.000000000 +0000
14958 +@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
14959 +
14960 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
14961 + root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
14962 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
14963 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
14964 + sbi->s_resuid != current->fsuid &&
14965 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
14966 + return 0;
14967 +diff -Nurp linux-2.6.23.15/fs/ext3/namei.c linux-2.6.23.15-grsec/fs/ext3/namei.c
14968 +--- linux-2.6.23.15/fs/ext3/namei.c 2007-10-09 21:31:38.000000000 +0100
14969 ++++ linux-2.6.23.15-grsec/fs/ext3/namei.c 2008-02-11 10:37:44.000000000 +0000
14970 +@@ -1188,9 +1188,9 @@ static struct ext3_dir_entry_2 *do_split
14971 + u32 hash2;
14972 + struct dx_map_entry *map;
14973 + char *data1 = (*bh)->b_data, *data2;
14974 +- unsigned split, move, size, i;
14975 ++ unsigned split, move, size;
14976 + struct ext3_dir_entry_2 *de = NULL, *de2;
14977 +- int err = 0;
14978 ++ int i, err = 0;
14979 +
14980 + bh2 = ext3_append (handle, dir, &newblock, &err);
14981 + if (!(bh2)) {
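Review bot: moving `i` from `unsigned` to `int` in the @@ -1188 hunk of do_split() (and the same in the ext4 namei.c hunk below) looks like warning churn but may be a real fix: the loop that uses `i` is not in the hunk, and if it counts down with an `i >= 0` test, that test is always true for an unsigned counter and the loop would run past the start of `map[]`. Either way the changelog needs one line saying which it is; a silent signedness change inside a security patch should not be left for the reader to classify.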
14982 +diff -Nurp linux-2.6.23.15/fs/ext3/xattr.c linux-2.6.23.15-grsec/fs/ext3/xattr.c
14983 +--- linux-2.6.23.15/fs/ext3/xattr.c 2007-10-09 21:31:38.000000000 +0100
14984 ++++ linux-2.6.23.15-grsec/fs/ext3/xattr.c 2008-02-11 10:37:44.000000000 +0000
14985 +@@ -89,8 +89,8 @@
14986 + printk("\n"); \
14987 + } while (0)
14988 + #else
14989 +-# define ea_idebug(f...)
14990 +-# define ea_bdebug(f...)
14991 ++# define ea_idebug(f...) do {} while (0)
14992 ++# define ea_bdebug(f...) do {} while (0)
14993 + #endif
14994 +
14995 + static void ext3_xattr_cache_insert(struct buffer_head *);
14996 +diff -Nurp linux-2.6.23.15/fs/ext4/balloc.c linux-2.6.23.15-grsec/fs/ext4/balloc.c
14997 +--- linux-2.6.23.15/fs/ext4/balloc.c 2007-10-09 21:31:38.000000000 +0100
14998 ++++ linux-2.6.23.15-grsec/fs/ext4/balloc.c 2008-02-11 10:37:44.000000000 +0000
14999 +@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
15000 +
15001 + free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
15002 + root_blocks = ext4_r_blocks_count(sbi->s_es);
15003 +- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
15004 ++ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
15005 + sbi->s_resuid != current->fsuid &&
15006 + (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
15007 + return 0;
15008 +diff -Nurp linux-2.6.23.15/fs/ext4/namei.c linux-2.6.23.15-grsec/fs/ext4/namei.c
15009 +--- linux-2.6.23.15/fs/ext4/namei.c 2007-10-09 21:31:38.000000000 +0100
15010 ++++ linux-2.6.23.15-grsec/fs/ext4/namei.c 2008-02-11 10:37:44.000000000 +0000
15011 +@@ -1186,9 +1186,9 @@ static struct ext4_dir_entry_2 *do_split
15012 + u32 hash2;
15013 + struct dx_map_entry *map;
15014 + char *data1 = (*bh)->b_data, *data2;
15015 +- unsigned split, move, size, i;
15016 ++ unsigned split, move, size;
15017 + struct ext4_dir_entry_2 *de = NULL, *de2;
15018 +- int err = 0;
15019 ++ int i, err = 0;
15020 +
15021 + bh2 = ext4_append (handle, dir, &newblock, &err);
15022 + if (!(bh2)) {
15023 +diff -Nurp linux-2.6.23.15/fs/fcntl.c linux-2.6.23.15-grsec/fs/fcntl.c
15024 +--- linux-2.6.23.15/fs/fcntl.c 2007-10-09 21:31:38.000000000 +0100
15025 ++++ linux-2.6.23.15-grsec/fs/fcntl.c 2008-02-11 10:37:44.000000000 +0000
15026 +@@ -18,6 +18,7 @@
15027 + #include <linux/ptrace.h>
15028 + #include <linux/signal.h>
15029 + #include <linux/rcupdate.h>
15030 ++#include <linux/grsecurity.h>
15031 +
15032 + #include <asm/poll.h>
15033 + #include <asm/siginfo.h>
15034 +@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
15035 + struct fdtable *fdt;
15036 +
15037 + error = -EINVAL;
15038 ++ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
15039 + if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
15040 + goto out;
15041 +
15042 +@@ -82,6 +84,7 @@ repeat:
15043 + fdt->max_fds, start);
15044 +
15045 + error = -EMFILE;
15046 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
15047 + if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
15048 + goto out;
15049 +
15050 +@@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
15051 + struct files_struct * files = current->files;
15052 + struct fdtable *fdt;
15053 +
15054 ++ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
15055 ++
15056 + spin_lock(&files->file_lock);
15057 + if (!(file = fcheck(oldfd)))
15058 + goto out_unlock;
15059 +@@ -458,7 +463,8 @@ static inline int sigio_perm(struct task
15060 + return (((fown->euid == 0) ||
15061 + (fown->euid == p->suid) || (fown->euid == p->uid) ||
15062 + (fown->uid == p->suid) || (fown->uid == p->uid)) &&
15063 +- !security_file_send_sigiotask(p, fown, sig));
15064 ++ !security_file_send_sigiotask(p, fown, sig) &&
15065 ++ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
15066 + }
15067 +
15068 + static void send_sigio_to_task(struct task_struct *p,
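Review bot: the conditions added in the @@ -458 hunk of sigio_perm() test the target task only: `!gr_pid_is_chrooted(p)` blocks SIGIO/SIGURG delivery to any chrooted process whether or not the file owner identified by `fown` lives in the same chroot. If that is the intent (chrooted daemons lose async I/O notification entirely) it should be documented with the chroot restriction option; if the intent was to stop signals crossing into a chroot from outside, the owner's side needs to be considered as well. Placement after `security_file_send_sigiotask()` is right, so an LSM denial is still evaluated first.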
15069 +diff -Nurp linux-2.6.23.15/fs/fuse/control.c linux-2.6.23.15-grsec/fs/fuse/control.c
15070 +--- linux-2.6.23.15/fs/fuse/control.c 2007-10-09 21:31:38.000000000 +0100
15071 ++++ linux-2.6.23.15-grsec/fs/fuse/control.c 2008-02-11 10:37:44.000000000 +0000
15072 +@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
15073 +
15074 + static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
15075 + {
15076 +- struct tree_descr empty_descr = {""};
15077 ++ struct tree_descr empty_descr = {"", NULL, 0};
15078 + struct fuse_conn *fc;
15079 + int err;
15080 +
15081 +diff -Nurp linux-2.6.23.15/fs/hfs/inode.c linux-2.6.23.15-grsec/fs/hfs/inode.c
15082 +--- linux-2.6.23.15/fs/hfs/inode.c 2007-10-09 21:31:38.000000000 +0100
15083 ++++ linux-2.6.23.15-grsec/fs/hfs/inode.c 2008-02-11 10:37:44.000000000 +0000
15084 +@@ -415,7 +415,7 @@ int hfs_write_inode(struct inode *inode,
15085 +
15086 + if (S_ISDIR(main_inode->i_mode)) {
15087 + if (fd.entrylength < sizeof(struct hfs_cat_dir))
15088 +- /* panic? */;
15089 ++ {/* panic? */}
15090 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
15091 + sizeof(struct hfs_cat_dir));
15092 + if (rec.type != HFS_CDR_DIR ||
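Review bot: replacing `/* panic? */;` with `{/* panic? */}` in the hfs and hfsplus hunks only silences the empty-body warning; the short-entry test `fd.entrylength < sizeof(struct hfs_cat_dir)` still does nothing and the hfs_bnode_read() that follows still reads a full `sizeof(struct hfs_cat_dir)`. If these lines are touched at all, give the check a body (returning an error, as the original comment already asks) or leave the upstream line alone; rewriting it while keeping the no-op makes the empty check look deliberate.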
15093 +@@ -436,7 +436,7 @@ int hfs_write_inode(struct inode *inode,
15094 + sizeof(struct hfs_cat_file));
15095 + } else {
15096 + if (fd.entrylength < sizeof(struct hfs_cat_file))
15097 +- /* panic? */;
15098 ++ {/* panic? */}
15099 + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
15100 + sizeof(struct hfs_cat_file));
15101 + if (rec.type != HFS_CDR_FIL ||
15102 +diff -Nurp linux-2.6.23.15/fs/hfsplus/inode.c linux-2.6.23.15-grsec/fs/hfsplus/inode.c
15103 +--- linux-2.6.23.15/fs/hfsplus/inode.c 2007-10-09 21:31:38.000000000 +0100
15104 ++++ linux-2.6.23.15-grsec/fs/hfsplus/inode.c 2008-02-11 10:37:44.000000000 +0000
15105 +@@ -418,7 +418,7 @@ int hfsplus_cat_read_inode(struct inode
15106 + struct hfsplus_cat_folder *folder = &entry.folder;
15107 +
15108 + if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
15109 +- /* panic? */;
15110 ++ {/* panic? */}
15111 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
15112 + sizeof(struct hfsplus_cat_folder));
15113 + hfsplus_get_perms(inode, &folder->permissions, 1);
15114 +@@ -435,7 +435,7 @@ int hfsplus_cat_read_inode(struct inode
15115 + struct hfsplus_cat_file *file = &entry.file;
15116 +
15117 + if (fd->entrylength < sizeof(struct hfsplus_cat_file))
15118 +- /* panic? */;
15119 ++ {/* panic? */}
15120 + hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
15121 + sizeof(struct hfsplus_cat_file));
15122 +
15123 +@@ -491,7 +491,7 @@ int hfsplus_cat_write_inode(struct inode
15124 + struct hfsplus_cat_folder *folder = &entry.folder;
15125 +
15126 + if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
15127 +- /* panic? */;
15128 ++ {/* panic? */}
15129 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
15130 + sizeof(struct hfsplus_cat_folder));
15131 + /* simple node checks? */
15132 +@@ -513,7 +513,7 @@ int hfsplus_cat_write_inode(struct inode
15133 + struct hfsplus_cat_file *file = &entry.file;
15134 +
15135 + if (fd.entrylength < sizeof(struct hfsplus_cat_file))
15136 +- /* panic? */;
15137 ++ {/* panic? */}
15138 + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
15139 + sizeof(struct hfsplus_cat_file));
15140 + hfsplus_inode_write_fork(inode, &file->data_fork);
15141 +diff -Nurp linux-2.6.23.15/fs/jffs2/debug.h linux-2.6.23.15-grsec/fs/jffs2/debug.h
15142 +--- linux-2.6.23.15/fs/jffs2/debug.h 2007-10-09 21:31:38.000000000 +0100
15143 ++++ linux-2.6.23.15-grsec/fs/jffs2/debug.h 2008-02-11 10:37:44.000000000 +0000
15144 +@@ -51,13 +51,13 @@
15145 + #if CONFIG_JFFS2_FS_DEBUG > 0
15146 + #define D1(x) x
15147 + #else
15148 +-#define D1(x)
15149 ++#define D1(x) do {} while (0);
15150 + #endif
15151 +
15152 + #if CONFIG_JFFS2_FS_DEBUG > 1
15153 + #define D2(x) x
15154 + #else
15155 +-#define D2(x)
15156 ++#define D2(x) do {} while (0);
15157 + #endif
15158 +
15159 + /* The prefixes of JFFS2 messages */
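Review bot: the new `D1(x)` and `D2(x)` stubs in the @@ -51 hunk end with a semicolon inside the macro (`do {} while (0);`), unlike every other `do {} while (0)` stub this patch adds to jffs2/debug.h and summary.h. Callers write `D1(...);`, so this expands to `;;`, harmless as a bare statement but an "else without a previous if" error in `if (c) D1(...); else ...`. Drop the trailing semicolon from both.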
15160 +@@ -113,68 +113,68 @@
15161 + #ifdef JFFS2_DBG_READINODE_MESSAGES
15162 + #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15163 + #else
15164 +-#define dbg_readinode(fmt, ...)
15165 ++#define dbg_readinode(fmt, ...) do {} while (0)
15166 + #endif
15167 +
15168 + /* Fragtree build debugging messages */
15169 + #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
15170 + #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15171 + #else
15172 +-#define dbg_fragtree(fmt, ...)
15173 ++#define dbg_fragtree(fmt, ...) do {} while (0)
15174 + #endif
15175 + #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
15176 + #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15177 + #else
15178 +-#define dbg_fragtree2(fmt, ...)
15179 ++#define dbg_fragtree2(fmt, ...) do {} while (0)
15180 + #endif
15181 +
15182 + /* Directory entry list manilulation debugging messages */
15183 + #ifdef JFFS2_DBG_DENTLIST_MESSAGES
15184 + #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15185 + #else
15186 +-#define dbg_dentlist(fmt, ...)
15187 ++#define dbg_dentlist(fmt, ...) do {} while (0)
15188 + #endif
15189 +
15190 + /* Print the messages about manipulating node_refs */
15191 + #ifdef JFFS2_DBG_NODEREF_MESSAGES
15192 + #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15193 + #else
15194 +-#define dbg_noderef(fmt, ...)
15195 ++#define dbg_noderef(fmt, ...) do {} while (0)
15196 + #endif
15197 +
15198 + /* Manipulations with the list of inodes (JFFS2 inocache) */
15199 + #ifdef JFFS2_DBG_INOCACHE_MESSAGES
15200 + #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15201 + #else
15202 +-#define dbg_inocache(fmt, ...)
15203 ++#define dbg_inocache(fmt, ...) do {} while (0)
15204 + #endif
15205 +
15206 + /* Summary debugging messages */
15207 + #ifdef JFFS2_DBG_SUMMARY_MESSAGES
15208 + #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15209 + #else
15210 +-#define dbg_summary(fmt, ...)
15211 ++#define dbg_summary(fmt, ...) do {} while (0)
15212 + #endif
15213 +
15214 + /* File system build messages */
15215 + #ifdef JFFS2_DBG_FSBUILD_MESSAGES
15216 + #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15217 + #else
15218 +-#define dbg_fsbuild(fmt, ...)
15219 ++#define dbg_fsbuild(fmt, ...) do {} while (0)
15220 + #endif
15221 +
15222 + /* Watch the object allocations */
15223 + #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
15224 + #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15225 + #else
15226 +-#define dbg_memalloc(fmt, ...)
15227 ++#define dbg_memalloc(fmt, ...) do {} while (0)
15228 + #endif
15229 +
15230 + /* Watch the XATTR subsystem */
15231 + #ifdef JFFS2_DBG_XATTR_MESSAGES
15232 + #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
15233 + #else
15234 +-#define dbg_xattr(fmt, ...)
15235 ++#define dbg_xattr(fmt, ...) do {} while (0)
15236 + #endif
15237 +
15238 + /* "Sanity" checks */
15239 +diff -Nurp linux-2.6.23.15/fs/jffs2/erase.c linux-2.6.23.15-grsec/fs/jffs2/erase.c
15240 +--- linux-2.6.23.15/fs/jffs2/erase.c 2007-10-09 21:31:38.000000000 +0100
15241 ++++ linux-2.6.23.15-grsec/fs/jffs2/erase.c 2008-02-11 10:37:44.000000000 +0000
15242 +@@ -389,7 +389,8 @@ static void jffs2_mark_erased_block(stru
15243 + struct jffs2_unknown_node marker = {
15244 + .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
15245 + .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
15246 +- .totlen = cpu_to_je32(c->cleanmarker_size)
15247 ++ .totlen = cpu_to_je32(c->cleanmarker_size),
15248 ++ .hdr_crc = cpu_to_je32(0)
15249 + };
15250 +
15251 + jffs2_prealloc_raw_node_refs(c, jeb, 1);
15252 +diff -Nurp linux-2.6.23.15/fs/jffs2/summary.h linux-2.6.23.15-grsec/fs/jffs2/summary.h
15253 +--- linux-2.6.23.15/fs/jffs2/summary.h 2007-10-09 21:31:38.000000000 +0100
15254 ++++ linux-2.6.23.15-grsec/fs/jffs2/summary.h 2008-02-11 10:37:44.000000000 +0000
15255 +@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
15256 +
15257 + #define jffs2_sum_active() (0)
15258 + #define jffs2_sum_init(a) (0)
15259 +-#define jffs2_sum_exit(a)
15260 +-#define jffs2_sum_disable_collecting(a)
15261 ++#define jffs2_sum_exit(a) do {} while (0)
15262 ++#define jffs2_sum_disable_collecting(a) do {} while (0)
15263 + #define jffs2_sum_is_disabled(a) (0)
15264 +-#define jffs2_sum_reset_collected(a)
15265 ++#define jffs2_sum_reset_collected(a) do {} while (0)
15266 + #define jffs2_sum_add_kvec(a,b,c,d) (0)
15267 +-#define jffs2_sum_move_collected(a,b)
15268 ++#define jffs2_sum_move_collected(a,b) do {} while (0)
15269 + #define jffs2_sum_write_sumnode(a) (0)
15270 +-#define jffs2_sum_add_padding_mem(a,b)
15271 +-#define jffs2_sum_add_inode_mem(a,b,c)
15272 +-#define jffs2_sum_add_dirent_mem(a,b,c)
15273 +-#define jffs2_sum_add_xattr_mem(a,b,c)
15274 +-#define jffs2_sum_add_xref_mem(a,b,c)
15275 ++#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
15276 ++#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
15277 ++#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
15278 ++#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
15279 ++#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
15280 + #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
15281 +
15282 + #endif /* CONFIG_JFFS2_SUMMARY */
15283 +diff -Nurp linux-2.6.23.15/fs/jffs2/wbuf.c linux-2.6.23.15-grsec/fs/jffs2/wbuf.c
15284 +--- linux-2.6.23.15/fs/jffs2/wbuf.c 2007-10-09 21:31:38.000000000 +0100
15285 ++++ linux-2.6.23.15-grsec/fs/jffs2/wbuf.c 2008-02-11 10:37:44.000000000 +0000
15286 +@@ -973,7 +973,8 @@ static const struct jffs2_unknown_node o
15287 + {
15288 + .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
15289 + .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
15290 +- .totlen = constant_cpu_to_je32(8)
15291 ++ .totlen = constant_cpu_to_je32(8),
15292 ++ .hdr_crc = constant_cpu_to_je32(0)
15293 + };
15294 +
15295 + /*
15296 +diff -Nurp linux-2.6.23.15/fs/namei.c linux-2.6.23.15-grsec/fs/namei.c
15297 +--- linux-2.6.23.15/fs/namei.c 2008-02-11 10:36:03.000000000 +0000
15298 ++++ linux-2.6.23.15-grsec/fs/namei.c 2008-02-11 10:37:44.000000000 +0000
15299 +@@ -31,6 +31,7 @@
15300 + #include <linux/file.h>
15301 + #include <linux/fcntl.h>
15302 + #include <linux/namei.h>
15303 ++#include <linux/grsecurity.h>
15304 + #include <asm/namei.h>
15305 + #include <asm/uaccess.h>
15306 +
15307 +@@ -638,6 +639,13 @@ static inline int do_follow_link(struct
15308 + err = security_inode_follow_link(path->dentry, nd);
15309 + if (err)
15310 + goto loop;
15311 ++
15312 ++ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
15313 ++ path->dentry->d_inode, path->dentry, nd->mnt)) {
15314 ++ err = -EACCES;
15315 ++ goto loop;
15316 ++ }
15317 ++
15318 + current->link_count++;
15319 + current->total_link_count++;
15320 + nd->depth++;
15321 +@@ -983,11 +991,18 @@ return_reval:
15322 + break;
15323 + }
15324 + return_base:
15325 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
15326 ++ path_release(nd);
15327 ++ return -ENOENT;
15328 ++ }
15329 + return 0;
15330 + out_dput:
15331 + dput_path(&next, nd);
15332 + break;
15333 + }
15334 ++ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
15335 ++ err = -ENOENT;
15336 ++
15337 + path_release(nd);
15338 + return_err:
15339 + return err;
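Review bot: in the @@ -983 hunk the second `gr_acl_handle_hidden_file()` test overwrites whatever `err` the lookup loop produced with -ENOENT. Reporting a hidden object as nonexistent is presumably the point and matches the return_base path above, but this site is also reached from out_dput with a real error already in `err`, so a one-line comment stating that the override is deliberate (and that the ACL lookup is wanted even on a failed walk) would stop someone "fixing" it later.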
15340 +@@ -1649,9 +1664,17 @@ static int open_namei_create(struct name
15341 + int error;
15342 + struct dentry *dir = nd->dentry;
15343 +
15344 ++ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
15345 ++ error = -EACCES;
15346 ++ goto out_unlock_dput;
15347 ++ }
15348 ++
15349 + if (!IS_POSIXACL(dir->d_inode))
15350 + mode &= ~current->fs->umask;
15351 + error = vfs_create(dir->d_inode, path->dentry, mode, nd);
15352 ++ if (!error)
15353 ++ gr_handle_create(path->dentry, nd->mnt);
15354 ++out_unlock_dput:
15355 + mutex_unlock(&dir->d_inode->i_mutex);
15356 + dput(nd->dentry);
15357 + nd->dentry = path->dentry;
15358 +@@ -1702,6 +1725,17 @@ int open_namei(int dfd, const char *path
15359 + nd, flag);
15360 + if (error)
15361 + return error;
15362 ++
15363 ++ if (gr_handle_rawio(nd->dentry->d_inode)) {
15364 ++ error = -EPERM;
15365 ++ goto exit;
15366 ++ }
15367 ++
15368 ++ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
15369 ++ error = -EACCES;
15370 ++ goto exit;
15371 ++ }
15372 ++
15373 + goto ok;
15374 + }
15375 +
15376 +@@ -1751,6 +1785,23 @@ do_last:
15377 + /*
15378 + * It already exists.
15379 + */
15380 ++
15381 ++ if (gr_handle_rawio(path.dentry->d_inode)) {
15382 ++ mutex_unlock(&dir->d_inode->i_mutex);
15383 ++ error = -EPERM;
15384 ++ goto exit_dput;
15385 ++ }
15386 ++ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
15387 ++ mutex_unlock(&dir->d_inode->i_mutex);
15388 ++ error = -EACCES;
15389 ++ goto exit_dput;
15390 ++ }
15391 ++ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
15392 ++ mutex_unlock(&dir->d_inode->i_mutex);
15393 ++ error = -EACCES;
15394 ++ goto exit_dput;
15395 ++ }
15396 ++
15397 + mutex_unlock(&dir->d_inode->i_mutex);
15398 + audit_inode(pathname, path.dentry->d_inode);
15399 +
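Review bot: the three new denial branches in the @@ -1751 hunk of do_last each repeat `mutex_unlock(&dir->d_inode->i_mutex); ... goto exit_dput;` immediately above the existing unconditional unlock of the same mutex. Folding them into one test that sets `error` and drops through to the existing unlock (or a local label that unlocks then jumps to exit_dput) removes three copies and makes it evident that no branch can leave the directory mutex held; as written, a check inserted between them that forgets the unlock would deadlock the directory.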
15400 +@@ -1806,6 +1857,13 @@ do_link:
15401 + error = security_inode_follow_link(path.dentry, nd);
15402 + if (error)
15403 + goto exit_dput;
15404 ++
15405 ++ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
15406 ++ path.dentry, nd->mnt)) {
15407 ++ error = -EACCES;
15408 ++ goto exit_dput;
15409 ++ }
15410 ++
15411 + error = __do_follow_link(&path, nd);
15412 + if (error) {
15413 + /* Does someone understand code flow here? Or it is only
15414 +@@ -1934,6 +1992,22 @@ asmlinkage long sys_mknodat(int dfd, con
15415 + if (!IS_POSIXACL(nd.dentry->d_inode))
15416 + mode &= ~current->fs->umask;
15417 + if (!IS_ERR(dentry)) {
15418 ++ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
15419 ++ error = -EPERM;
15420 ++ dput(dentry);
15421 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
15422 ++ path_release(&nd);
15423 ++ goto out;
15424 ++ }
15425 ++
15426 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
15427 ++ error = -EACCES;
15428 ++ dput(dentry);
15429 ++ mutex_unlock(&nd.dentry->d_inode->i_mutex);
15430 ++ path_release(&nd);
15431 ++ goto out;
15432 ++ }
15433 ++
15434 + switch (mode & S_IFMT) {
15435 + case 0: case S_IFREG:
15436 + error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
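Review bot: both denial branches in the @@ -1934 hunk of sys_mknodat duplicate the function's own tail cleanup (`dput(dentry)`, `mutex_unlock(...)`, `path_release(&nd)`, `goto out`). The existing code already runs `dput(dentry); } mutex_unlock(...)` after the switch, and the next hunk shows that only a zero `error` triggers `gr_handle_create()`, so setting `error` and skipping the switch (for example by wrapping it in an `else`) would reuse the existing cleanup instead of maintaining two more copies of it.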
15437 +@@ -1951,6 +2025,10 @@ asmlinkage long sys_mknodat(int dfd, con
15438 + default:
15439 + error = -EINVAL;
15440 + }
15441 ++
15442 ++ if (!error)
15443 ++ gr_handle_create(dentry, nd.mnt);
15444 ++
15445 + dput(dentry);
15446 + }
15447 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15448 +@@ -2008,9 +2086,18 @@ asmlinkage long sys_mkdirat(int dfd, con
15449 + if (IS_ERR(dentry))
15450 + goto out_unlock;
15451 +
15452 ++ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
15453 ++ error = -EACCES;
15454 ++ goto out_unlock_dput;
15455 ++ }
15456 ++
15457 + if (!IS_POSIXACL(nd.dentry->d_inode))
15458 + mode &= ~current->fs->umask;
15459 + error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
15460 ++
15461 ++ if (!error)
15462 ++ gr_handle_create(dentry, nd.mnt);
15463 ++out_unlock_dput:
15464 + dput(dentry);
15465 + out_unlock:
15466 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
15467 +@@ -2092,6 +2179,8 @@ static long do_rmdir(int dfd, const char
15468 + char * name;
15469 + struct dentry *dentry;
15470 + struct nameidata nd;
15471 ++ ino_t saved_ino = 0;
15472 ++ dev_t saved_dev = 0;
15473 +
15474 + name = getname(pathname);
15475 + if(IS_ERR(name))
15476 +@@ -2117,7 +2206,22 @@ static long do_rmdir(int dfd, const char
15477 + error = PTR_ERR(dentry);
15478 + if (IS_ERR(dentry))
15479 + goto exit2;
15480 ++
15481 ++ if (dentry->d_inode != NULL) {
15482 ++ if (dentry->d_inode->i_nlink <= 1) {
15483 ++ saved_ino = dentry->d_inode->i_ino;
15484 ++ saved_dev = dentry->d_inode->i_sb->s_dev;
15485 ++ }
15486 ++
15487 ++ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
15488 ++ error = -EACCES;
15489 ++ goto dput_exit2;
15490 ++ }
15491 ++ }
15492 + error = vfs_rmdir(nd.dentry->d_inode, dentry);
15493 ++ if (!error && (saved_dev || saved_ino))
15494 ++ gr_handle_delete(saved_ino, saved_dev);
15495 ++dput_exit2:
15496 + dput(dentry);
15497 + exit2:
15498 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
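Review bot: the `if (dentry->d_inode->i_nlink <= 1)` guard around saving ino/dev looks wrong for rmdir. On most filesystems a directory's link count is at least 2 (the parent's entry plus its own "." entry), so this condition will usually be false, saved_ino/saved_dev stay 0 and `gr_handle_delete(saved_ino, saved_dev)` is never reached for an ordinary directory removal. The last-link test makes sense in do_unlinkat, where it identifies the final unlink of a file; here the inode number and device should be captured unconditionally once dentry->d_inode is known to be non-NULL.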
15499 +@@ -2176,6 +2280,8 @@ static long do_unlinkat(int dfd, const c
15500 + struct dentry *dentry;
15501 + struct nameidata nd;
15502 + struct inode *inode = NULL;
15503 ++ ino_t saved_ino = 0;
15504 ++ dev_t saved_dev = 0;
15505 +
15506 + name = getname(pathname);
15507 + if(IS_ERR(name))
15508 +@@ -2191,13 +2297,26 @@ static long do_unlinkat(int dfd, const c
15509 + dentry = lookup_hash(&nd);
15510 + error = PTR_ERR(dentry);
15511 + if (!IS_ERR(dentry)) {
15512 ++ error = 0;
15513 + /* Why not before? Because we want correct error value */
15514 + if (nd.last.name[nd.last.len])
15515 + goto slashes;
15516 + inode = dentry->d_inode;
15517 +- if (inode)
15518 ++ if (inode) {
15519 ++ if (inode->i_nlink <= 1) {
15520 ++ saved_ino = inode->i_ino;
15521 ++ saved_dev = inode->i_sb->s_dev;
15522 ++ }
15523 ++
15524 ++ if (!gr_acl_handle_unlink(dentry, nd.mnt))
15525 ++ error = -EACCES;
15526 ++
15527 + atomic_inc(&inode->i_count);
15528 +- error = vfs_unlink(nd.dentry->d_inode, dentry);
15529 ++ }
15530 ++ if (!error)
15531 ++ error = vfs_unlink(nd.dentry->d_inode, dentry);
15532 ++ if (!error && (saved_ino || saved_dev))
15533 ++ gr_handle_delete(saved_ino, saved_dev);
15534 + exit2:
15535 + dput(dentry);
15536 + }
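Review bot: when gr_acl_handle_unlink() refuses, error is set to -EACCES but `atomic_inc(&inode->i_count);` still runs and vfs_unlink() is skipped, so correctness now depends on the function's common exit path performing the matching iput() on this new failure route as well as on the vfs_unlink failure route it was written for; a one-line comment at the atomic_inc saying the reference is always released at exit would make that contract explicit. The new `error = 0;` is needed because error otherwise still holds the PTR_ERR() of a valid pointer when inode is NULL and the ACL check is skipped; that deserves a comment too, since it looks redundant at first glance.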
15537 +@@ -2278,7 +2397,16 @@ asmlinkage long sys_symlinkat(const char
15538 + if (IS_ERR(dentry))
15539 + goto out_unlock;
15540 +
15541 ++ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
15542 ++ error = -EACCES;
15543 ++ goto out_dput_unlock;
15544 ++ }
15545 ++
15546 + error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
15547 ++
15548 ++ if (!error)
15549 ++ gr_handle_create(dentry, nd.mnt);
15550 ++out_dput_unlock:
15551 + dput(dentry);
15552 + out_unlock:
15553 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
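Review bot: label naming is inconsistent within this patch: sys_symlinkat() introduces `out_dput_unlock:` while the mkdirat and linkat hunks use `out_unlock_dput:` for exactly the same dput-then-fall-through-to-unlock sequence. Pick one spelling so the three functions read alike.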
15554 +@@ -2373,7 +2501,25 @@ asmlinkage long sys_linkat(int olddfd, c
15555 + error = PTR_ERR(new_dentry);
15556 + if (IS_ERR(new_dentry))
15557 + goto out_unlock;
15558 ++
15559 ++ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
15560 ++ old_nd.dentry->d_inode,
15561 ++ old_nd.dentry->d_inode->i_mode, to)) {
15562 ++ error = -EACCES;
15563 ++ goto out_unlock_dput;
15564 ++ }
15565 ++
15566 ++ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
15567 ++ old_nd.dentry, old_nd.mnt, to)) {
15568 ++ error = -EACCES;
15569 ++ goto out_unlock_dput;
15570 ++ }
15571 ++
15572 + error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
15573 ++
15574 ++ if (!error)
15575 ++ gr_handle_create(new_dentry, nd.mnt);
15576 ++out_unlock_dput:
15577 + dput(new_dentry);
15578 + out_unlock:
15579 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
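Review bot: gr_handle_hardlink() returns -EACCES here, whereas every other non-ACL `gr_handle_*` hook in this patch (rawio, chroot_mknod, chroot_mount, chroot_pivot, chroot_chmod in fchmod) maps to -EPERM and the `gr_acl_handle_*` hooks map to -EACCES; unless the hardlink restriction is meant to look like an ACL denial to userspace, -EPERM would be the consistent choice. The call also passes `old_nd.dentry->d_inode` and `old_nd.dentry->d_inode->i_mode` as separate arguments even though the mode is derivable from the inode; dropping the redundant parameter simplifies the call site.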
15580 +@@ -2599,8 +2745,16 @@ static int do_rename(int olddfd, const c
15581 + if (new_dentry == trap)
15582 + goto exit5;
15583 +
15584 +- error = vfs_rename(old_dir->d_inode, old_dentry,
15585 ++ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
15586 ++ old_dentry, old_dir->d_inode, oldnd.mnt,
15587 ++ newname);
15588 ++
15589 ++ if (!error)
15590 ++ error = vfs_rename(old_dir->d_inode, old_dentry,
15591 + new_dir->d_inode, new_dentry);
15592 ++ if (!error)
15593 ++ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
15594 ++ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
15595 + exit5:
15596 + dput(new_dentry);
15597 + exit4:
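Review bot: the "target existed" flag `new_dentry->d_inode ? 1 : 0` passed to gr_handle_rename() is evaluated after vfs_rename() has already run, so it reflects whatever new_dentry points at post-rename rather than whether a file was replaced; capture the flag into a local before the vfs_rename() call. Also, the unchanged continuation line `new_dir->d_inode, new_dentry);` is now the second line of an `if (!error)` body and should be re-indented to match.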
15598 +diff -Nurp linux-2.6.23.15/fs/namespace.c linux-2.6.23.15-grsec/fs/namespace.c
15599 +--- linux-2.6.23.15/fs/namespace.c 2007-10-09 21:31:38.000000000 +0100
15600 ++++ linux-2.6.23.15-grsec/fs/namespace.c 2008-02-11 10:37:44.000000000 +0000
15601 +@@ -25,6 +25,7 @@
15602 + #include <linux/security.h>
15603 + #include <linux/mount.h>
15604 + #include <linux/ramfs.h>
15605 ++#include <linux/grsecurity.h>
15606 + #include <asm/uaccess.h>
15607 + #include <asm/unistd.h>
15608 + #include "pnode.h"
15609 +@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
15610 + DQUOT_OFF(sb);
15611 + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
15612 + unlock_kernel();
15613 ++
15614 ++ gr_log_remount(mnt->mnt_devname, retval);
15615 + }
15616 + up_write(&sb->s_umount);
15617 + return retval;
15618 +@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
15619 + security_sb_umount_busy(mnt);
15620 + up_write(&namespace_sem);
15621 + release_mounts(&umount_list);
15622 ++
15623 ++ gr_log_unmount(mnt->mnt_devname, retval);
15624 ++
15625 + return retval;
15626 + }
15627 +
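Review bot: `gr_log_unmount(mnt->mnt_devname, retval);` dereferences mnt after release_mounts(&umount_list) has torn down the unmounted tree; this is only safe because the caller of do_umount() still holds its own reference to mnt (sys_umount drops it with mntput_no_expire after returning). Worth a comment, since anyone moving this call past the caller's mntput would turn it into a use-after-free.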
15628 +@@ -1422,6 +1428,11 @@ long do_mount(char *dev_name, char *dir_
15629 + if (retval)
15630 + goto dput_out;
15631 +
15632 ++ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
15633 ++ retval = -EPERM;
15634 ++ goto dput_out;
15635 ++ }
15636 ++
15637 + if (flags & MS_REMOUNT)
15638 + retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
15639 + data_page);
15640 +@@ -1436,6 +1447,9 @@ long do_mount(char *dev_name, char *dir_
15641 + dev_name, data_page);
15642 + dput_out:
15643 + path_release(&nd);
15644 ++
15645 ++ gr_log_mount(dev_name, dir_name, retval);
15646 ++
15647 + return retval;
15648 + }
15649 +
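Review bot: dev_name can be NULL at this point: do_mount() only validates it with `if (dev_name && !memchr(dev_name, 0, PAGE_SIZE))`, because mount(2) allows a NULL source for filesystems such as proc or tmpfs. Both `gr_log_mount(dev_name, dir_name, retval);` here and gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name) in the previous hunk must therefore tolerate a NULL dev_name (or be handed a fixed placeholder string); otherwise a plain `mount -t proc none /proc` inside a chroot can oops the kernel.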
15650 +@@ -1673,6 +1687,9 @@ asmlinkage long sys_pivot_root(const cha
15651 + if (!capable(CAP_SYS_ADMIN))
15652 + return -EPERM;
15653 +
15654 ++ if (gr_handle_chroot_pivot())
15655 ++ return -EPERM;
15656 ++
15657 + lock_kernel();
15658 +
15659 + error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
15660 +diff -Nurp linux-2.6.23.15/fs/nfs/callback_xdr.c linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c
15661 +--- linux-2.6.23.15/fs/nfs/callback_xdr.c 2007-10-09 21:31:38.000000000 +0100
15662 ++++ linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c 2008-02-11 10:37:44.000000000 +0000
15663 +@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
15664 + if (unlikely(status != 0))
15665 + return status;
15666 + /* We do not like overly long tags! */
15667 +- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
15668 ++ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
15669 + printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
15670 + __FUNCTION__, hdr->taglen);
15671 + return htonl(NFS4ERR_RESOURCE);
15672 +diff -Nurp linux-2.6.23.15/fs/nfs/nfs4proc.c linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c
15673 +--- linux-2.6.23.15/fs/nfs/nfs4proc.c 2007-10-09 21:31:38.000000000 +0100
15674 ++++ linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c 2008-02-11 10:37:44.000000000 +0000
15675 +@@ -657,7 +657,7 @@ static int _nfs4_do_open_reclaim(struct
15676 + static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
15677 + {
15678 + struct nfs_server *server = NFS_SERVER(state->inode);
15679 +- struct nfs4_exception exception = { };
15680 ++ struct nfs4_exception exception = {0, 0};
15681 + int err;
15682 + do {
15683 + err = _nfs4_do_open_reclaim(ctx, state);
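Review bot: replacing `struct nfs4_exception exception = { };` with `{0, 0}` silences the missing-initializer warning but hard-codes the assumption that the struct has exactly two members; if a field is ever added to nfs4_exception, every one of these sites (this hunk and the remaining ones in nfs4proc.c) emits the warning again or, with -Werror, breaks the build. A designated initializer naming one field, or `memset(&exception, 0, sizeof(exception))`, achieves the same zeroing without tying the code to the field count. The same comment applies to the nls_base.c end-of-table entry later in this patch.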
15684 +@@ -699,7 +699,7 @@ static int _nfs4_open_delegation_recall(
15685 +
15686 + int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
15687 + {
15688 +- struct nfs4_exception exception = { };
15689 ++ struct nfs4_exception exception = {0, 0};
15690 + struct nfs_server *server = NFS_SERVER(state->inode);
15691 + int err;
15692 + do {
15693 +@@ -1020,7 +1020,7 @@ static int _nfs4_open_expired(struct nfs
15694 + static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
15695 + {
15696 + struct nfs_server *server = NFS_SERVER(state->inode);
15697 +- struct nfs4_exception exception = { };
15698 ++ struct nfs4_exception exception = {0, 0};
15699 + int err;
15700 +
15701 + do {
15702 +@@ -1122,7 +1122,7 @@ out_err:
15703 +
15704 + static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
15705 + {
15706 +- struct nfs4_exception exception = { };
15707 ++ struct nfs4_exception exception = {0, 0};
15708 + struct nfs4_state *res;
15709 + int status;
15710 +
15711 +@@ -1211,7 +1211,7 @@ static int nfs4_do_setattr(struct inode
15712 + struct iattr *sattr, struct nfs4_state *state)
15713 + {
15714 + struct nfs_server *server = NFS_SERVER(inode);
15715 +- struct nfs4_exception exception = { };
15716 ++ struct nfs4_exception exception = {0, 0};
15717 + int err;
15718 + do {
15719 + err = nfs4_handle_exception(server,
15720 +@@ -1504,7 +1504,7 @@ static int _nfs4_server_capabilities(str
15721 +
15722 + int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
15723 + {
15724 +- struct nfs4_exception exception = { };
15725 ++ struct nfs4_exception exception = {0, 0};
15726 + int err;
15727 + do {
15728 + err = nfs4_handle_exception(server,
15729 +@@ -1537,7 +1537,7 @@ static int _nfs4_lookup_root(struct nfs_
15730 + static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
15731 + struct nfs_fsinfo *info)
15732 + {
15733 +- struct nfs4_exception exception = { };
15734 ++ struct nfs4_exception exception = {0, 0};
15735 + int err;
15736 + do {
15737 + err = nfs4_handle_exception(server,
15738 +@@ -1626,7 +1626,7 @@ static int _nfs4_proc_getattr(struct nfs
15739 +
15740 + static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
15741 + {
15742 +- struct nfs4_exception exception = { };
15743 ++ struct nfs4_exception exception = {0, 0};
15744 + int err;
15745 + do {
15746 + err = nfs4_handle_exception(server,
15747 +@@ -1716,7 +1716,7 @@ static int nfs4_proc_lookupfh(struct nfs
15748 + struct qstr *name, struct nfs_fh *fhandle,
15749 + struct nfs_fattr *fattr)
15750 + {
15751 +- struct nfs4_exception exception = { };
15752 ++ struct nfs4_exception exception = {0, 0};
15753 + int err;
15754 + do {
15755 + err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
15756 +@@ -1745,7 +1745,7 @@ static int _nfs4_proc_lookup(struct inod
15757 +
15758 + static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
15759 + {
15760 +- struct nfs4_exception exception = { };
15761 ++ struct nfs4_exception exception = {0, 0};
15762 + int err;
15763 + do {
15764 + err = nfs4_handle_exception(NFS_SERVER(dir),
15765 +@@ -1801,7 +1801,7 @@ static int _nfs4_proc_access(struct inod
15766 +
15767 + static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
15768 + {
15769 +- struct nfs4_exception exception = { };
15770 ++ struct nfs4_exception exception = {0, 0};
15771 + int err;
15772 + do {
15773 + err = nfs4_handle_exception(NFS_SERVER(inode),
15774 +@@ -1856,7 +1856,7 @@ static int _nfs4_proc_readlink(struct in
15775 + static int nfs4_proc_readlink(struct inode *inode, struct page *page,
15776 + unsigned int pgbase, unsigned int pglen)
15777 + {
15778 +- struct nfs4_exception exception = { };
15779 ++ struct nfs4_exception exception = {0, 0};
15780 + int err;
15781 + do {
15782 + err = nfs4_handle_exception(NFS_SERVER(inode),
15783 +@@ -1950,7 +1950,7 @@ static int _nfs4_proc_remove(struct inod
15784 +
15785 + static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
15786 + {
15787 +- struct nfs4_exception exception = { };
15788 ++ struct nfs4_exception exception = {0, 0};
15789 + int err;
15790 + do {
15791 + err = nfs4_handle_exception(NFS_SERVER(dir),
15792 +@@ -2022,7 +2022,7 @@ static int _nfs4_proc_rename(struct inod
15793 + static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
15794 + struct inode *new_dir, struct qstr *new_name)
15795 + {
15796 +- struct nfs4_exception exception = { };
15797 ++ struct nfs4_exception exception = {0, 0};
15798 + int err;
15799 + do {
15800 + err = nfs4_handle_exception(NFS_SERVER(old_dir),
15801 +@@ -2069,7 +2069,7 @@ static int _nfs4_proc_link(struct inode
15802 +
15803 + static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
15804 + {
15805 +- struct nfs4_exception exception = { };
15806 ++ struct nfs4_exception exception = {0, 0};
15807 + int err;
15808 + do {
15809 + err = nfs4_handle_exception(NFS_SERVER(inode),
15810 +@@ -2126,7 +2126,7 @@ static int _nfs4_proc_symlink(struct ino
15811 + static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
15812 + struct page *page, unsigned int len, struct iattr *sattr)
15813 + {
15814 +- struct nfs4_exception exception = { };
15815 ++ struct nfs4_exception exception = {0, 0};
15816 + int err;
15817 + do {
15818 + err = nfs4_handle_exception(NFS_SERVER(dir),
15819 +@@ -2179,7 +2179,7 @@ static int _nfs4_proc_mkdir(struct inode
15820 + static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
15821 + struct iattr *sattr)
15822 + {
15823 +- struct nfs4_exception exception = { };
15824 ++ struct nfs4_exception exception = {0, 0};
15825 + int err;
15826 + do {
15827 + err = nfs4_handle_exception(NFS_SERVER(dir),
15828 +@@ -2225,7 +2225,7 @@ static int _nfs4_proc_readdir(struct den
15829 + static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
15830 + u64 cookie, struct page *page, unsigned int count, int plus)
15831 + {
15832 +- struct nfs4_exception exception = { };
15833 ++ struct nfs4_exception exception = {0, 0};
15834 + int err;
15835 + do {
15836 + err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
15837 +@@ -2295,7 +2295,7 @@ static int _nfs4_proc_mknod(struct inode
15838 + static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
15839 + struct iattr *sattr, dev_t rdev)
15840 + {
15841 +- struct nfs4_exception exception = { };
15842 ++ struct nfs4_exception exception = {0, 0};
15843 + int err;
15844 + do {
15845 + err = nfs4_handle_exception(NFS_SERVER(dir),
15846 +@@ -2324,7 +2324,7 @@ static int _nfs4_proc_statfs(struct nfs_
15847 +
15848 + static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
15849 + {
15850 +- struct nfs4_exception exception = { };
15851 ++ struct nfs4_exception exception = {0, 0};
15852 + int err;
15853 + do {
15854 + err = nfs4_handle_exception(server,
15855 +@@ -2352,7 +2352,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
15856 +
15857 + static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
15858 + {
15859 +- struct nfs4_exception exception = { };
15860 ++ struct nfs4_exception exception = {0, 0};
15861 + int err;
15862 +
15863 + do {
15864 +@@ -2395,7 +2395,7 @@ static int _nfs4_proc_pathconf(struct nf
15865 + static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
15866 + struct nfs_pathconf *pathconf)
15867 + {
15868 +- struct nfs4_exception exception = { };
15869 ++ struct nfs4_exception exception = {0, 0};
15870 + int err;
15871 +
15872 + do {
15873 +@@ -2714,7 +2714,7 @@ out_free:
15874 +
15875 + static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
15876 + {
15877 +- struct nfs4_exception exception = { };
15878 ++ struct nfs4_exception exception = {0, 0};
15879 + ssize_t ret;
15880 + do {
15881 + ret = __nfs4_get_acl_uncached(inode, buf, buflen);
15882 +@@ -2768,7 +2768,7 @@ static int __nfs4_proc_set_acl(struct in
15883 +
15884 + static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
15885 + {
15886 +- struct nfs4_exception exception = { };
15887 ++ struct nfs4_exception exception = {0, 0};
15888 + int err;
15889 + do {
15890 + err = nfs4_handle_exception(NFS_SERVER(inode),
15891 +@@ -3065,7 +3065,7 @@ static int _nfs4_proc_delegreturn(struct
15892 + int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
15893 + {
15894 + struct nfs_server *server = NFS_SERVER(inode);
15895 +- struct nfs4_exception exception = { };
15896 ++ struct nfs4_exception exception = {0, 0};
15897 + int err;
15898 + do {
15899 + err = _nfs4_proc_delegreturn(inode, cred, stateid);
15900 +@@ -3140,7 +3140,7 @@ out:
15901 +
15902 + static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
15903 + {
15904 +- struct nfs4_exception exception = { };
15905 ++ struct nfs4_exception exception = {0, 0};
15906 + int err;
15907 +
15908 + do {
15909 +@@ -3474,7 +3474,7 @@ static int _nfs4_do_setlk(struct nfs4_st
15910 + static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
15911 + {
15912 + struct nfs_server *server = NFS_SERVER(state->inode);
15913 +- struct nfs4_exception exception = { };
15914 ++ struct nfs4_exception exception = {0, 0};
15915 + int err;
15916 +
15917 + do {
15918 +@@ -3492,7 +3492,7 @@ static int nfs4_lock_reclaim(struct nfs4
15919 + static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
15920 + {
15921 + struct nfs_server *server = NFS_SERVER(state->inode);
15922 +- struct nfs4_exception exception = { };
15923 ++ struct nfs4_exception exception = {0, 0};
15924 + int err;
15925 +
15926 + err = nfs4_set_lock_state(state, request);
15927 +@@ -3553,7 +3553,7 @@ out:
15928 +
15929 + static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
15930 + {
15931 +- struct nfs4_exception exception = { };
15932 ++ struct nfs4_exception exception = {0, 0};
15933 + int err;
15934 +
15935 + do {
15936 +@@ -3603,7 +3603,7 @@ nfs4_proc_lock(struct file *filp, int cm
15937 + int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
15938 + {
15939 + struct nfs_server *server = NFS_SERVER(state->inode);
15940 +- struct nfs4_exception exception = { };
15941 ++ struct nfs4_exception exception = {0, 0};
15942 + int err;
15943 +
15944 + err = nfs4_set_lock_state(state, fl);
15945 +diff -Nurp linux-2.6.23.15/fs/nfsd/export.c linux-2.6.23.15-grsec/fs/nfsd/export.c
15946 +--- linux-2.6.23.15/fs/nfsd/export.c 2007-10-09 21:31:38.000000000 +0100
15947 ++++ linux-2.6.23.15-grsec/fs/nfsd/export.c 2008-02-11 10:37:44.000000000 +0000
15948 +@@ -478,7 +478,7 @@ static int secinfo_parse(char **mesg, ch
15949 + * probably discover the problem when someone fails to
15950 + * authenticate.
15951 + */
15952 +- if (f->pseudoflavor < 0)
15953 ++ if ((s32)f->pseudoflavor < 0)
15954 + return -EINVAL;
15955 + err = get_int(mesg, &f->flags);
15956 + if (err)
15957 +diff -Nurp linux-2.6.23.15/fs/nfsd/nfs4state.c linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c
15958 +--- linux-2.6.23.15/fs/nfsd/nfs4state.c 2007-10-09 21:31:38.000000000 +0100
15959 ++++ linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c 2008-02-11 10:37:44.000000000 +0000
15960 +@@ -1248,7 +1248,7 @@ static int access_valid(u32 x)
15961 +
15962 + static int deny_valid(u32 x)
15963 + {
15964 +- return (x >= 0 && x < 5);
15965 ++ return (x < 5);
15966 + }
15967 +
15968 + static void
15969 +diff -Nurp linux-2.6.23.15/fs/nls/nls_base.c linux-2.6.23.15-grsec/fs/nls/nls_base.c
15970 +--- linux-2.6.23.15/fs/nls/nls_base.c 2007-10-09 21:31:38.000000000 +0100
15971 ++++ linux-2.6.23.15-grsec/fs/nls/nls_base.c 2008-02-11 10:37:44.000000000 +0000
15972 +@@ -42,7 +42,7 @@ static struct utf8_table utf8_table[] =
15973 + {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
15974 + {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
15975 + {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
15976 +- {0, /* end of table */}
15977 ++ {0, 0, 0, 0, 0, /* end of table */}
15978 + };
15979 +
15980 + int
15981 +diff -Nurp linux-2.6.23.15/fs/ntfs/file.c linux-2.6.23.15-grsec/fs/ntfs/file.c
15982 +--- linux-2.6.23.15/fs/ntfs/file.c 2007-10-09 21:31:38.000000000 +0100
15983 ++++ linux-2.6.23.15-grsec/fs/ntfs/file.c 2008-02-11 10:37:44.000000000 +0000
15984 +@@ -2295,6 +2295,6 @@ const struct inode_operations ntfs_file_
15985 + #endif /* NTFS_RW */
15986 + };
15987 +
15988 +-const struct file_operations ntfs_empty_file_ops = {};
15989 ++const struct file_operations ntfs_empty_file_ops;
15990 +
15991 +-const struct inode_operations ntfs_empty_inode_ops = {};
15992 ++const struct inode_operations ntfs_empty_inode_ops;
15993 +diff -Nurp linux-2.6.23.15/fs/open.c linux-2.6.23.15-grsec/fs/open.c
15994 +--- linux-2.6.23.15/fs/open.c 2007-10-09 21:31:38.000000000 +0100
15995 ++++ linux-2.6.23.15-grsec/fs/open.c 2008-02-11 10:37:44.000000000 +0000
15996 +@@ -27,6 +27,7 @@
15997 + #include <linux/rcupdate.h>
15998 + #include <linux/audit.h>
15999 + #include <linux/falloc.h>
16000 ++#include <linux/grsecurity.h>
16001 +
16002 + int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
16003 + {
16004 +@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
16005 + if (length < 0)
16006 + return -EINVAL;
16007 +
16008 ++ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
16009 ++ return -EACCES;
16010 ++
16011 + newattrs.ia_size = length;
16012 + newattrs.ia_valid = ATTR_SIZE | time_attrs;
16013 + if (filp) {
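Review bot: the new check is conditional on filp (`if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))`), which means it only fires for ftruncate(2); the path-based truncate(2) caller invokes do_truncate() with a NULL filp and will sail past it. No hunk in this diff adds a corresponding check to the path-based caller, so either add one there (the vfsmount is available from the nameidata) or note in a comment where that path is covered, otherwise the ACL truncate restriction can be bypassed simply by using truncate() instead of ftruncate().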
16014 +@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
16015 + if(IS_RDONLY(nd.dentry->d_inode))
16016 + res = -EROFS;
16017 +
16018 ++ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
16019 ++ res = -EACCES;
16020 ++
16021 + out_path_release:
16022 + path_release(&nd);
16023 + out:
16024 +@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
16025 + if (error)
16026 + goto dput_and_out;
16027 +
16028 ++ gr_log_chdir(nd.dentry, nd.mnt);
16029 ++
16030 + set_fs_pwd(current->fs, nd.mnt, nd.dentry);
16031 +
16032 + dput_and_out:
16033 +@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
16034 + goto out_putf;
16035 +
16036 + error = file_permission(file, MAY_EXEC);
16037 ++
16038 ++ if (!error && !gr_chroot_fchdir(dentry, mnt))
16039 ++ error = -EPERM;
16040 ++
16041 ++ if (!error)
16042 ++ gr_log_chdir(dentry, mnt);
16043 ++
16044 + if (!error)
16045 + set_fs_pwd(current->fs, mnt, dentry);
16046 + out_putf:
16047 +@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
16048 + if (!capable(CAP_SYS_CHROOT))
16049 + goto dput_and_out;
16050 +
16051 ++ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
16052 ++ goto dput_and_out;
16053 ++
16054 + set_fs_root(current->fs, nd.mnt, nd.dentry);
16055 + set_fs_altroot();
16056 ++
16057 ++ gr_handle_chroot_caps(current);
16058 ++
16059 ++ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
16060 ++
16061 + error = 0;
16062 + dput_and_out:
16063 + path_release(&nd);
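Review bot: `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) goto dput_and_out;` returns whatever value error happens to hold, relying on the preceding `if (!capable(CAP_SYS_CHROOT)) goto dput_and_out;` having left -EPERM there. That works today but is fragile; assign `error = -EPERM;` explicitly before the goto so the denial does not silently change return value if the checks above are reordered.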
16064 +@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
16065 + err = -EPERM;
16066 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16067 + goto out_putf;
16068 ++
16069 ++ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
16070 ++ err = -EACCES;
16071 ++ goto out_putf;
16072 ++ }
16073 ++
16074 + mutex_lock(&inode->i_mutex);
16075 + if (mode == (mode_t) -1)
16076 + mode = inode->i_mode;
16077 ++
16078 ++ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
16079 ++ err = -EPERM;
16080 ++ mutex_unlock(&inode->i_mutex);
16081 ++ goto out_putf;
16082 ++ }
16083 ++
16084 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
16085 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
16086 + err = notify_change(dentry, &newattrs);
16087 +@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
16088 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16089 + goto dput_and_out;
16090 +
16091 ++ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
16092 ++ error = -EACCES;
16093 ++ goto dput_and_out;
16094 ++ };
16095 ++
16096 + mutex_lock(&inode->i_mutex);
16097 + if (mode == (mode_t) -1)
16098 + mode = inode->i_mode;
16099 ++
16100 ++ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
16101 ++ error = -EACCES;
16102 ++ mutex_unlock(&inode->i_mutex);
16103 ++ goto dput_and_out;
16104 ++ }
16105 ++
16106 + newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
16107 + newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
16108 + error = notify_change(nd.dentry, &newattrs);
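Review bot: the same gr_handle_chroot_chmod() hook returns -EPERM in the sys_fchmod hunk above but -EACCES here in sys_fchmodat, so chmod(2) and fchmod(2) on the same file inside a chroot would fail with different errno values; use one code for both. Also, the closing `};` after the gr_acl_handle_chmod block carries a stray semicolon that should be dropped.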
16109 +@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
16110 + return sys_fchmodat(AT_FDCWD, filename, mode);
16111 + }
16112 +
16113 +-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
16114 ++static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
16115 + {
16116 + struct inode * inode;
16117 + int error;
16118 +@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
16119 + error = -EPERM;
16120 + if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
16121 + goto out;
16122 ++
16123 ++ if (!gr_acl_handle_chown(dentry, mnt)) {
16124 ++ error = -EACCES;
16125 ++ goto out;
16126 ++ }
16127 ++
16128 + newattrs.ia_valid = ATTR_CTIME;
16129 + if (user != (uid_t) -1) {
16130 + newattrs.ia_valid |= ATTR_UID;
16131 +@@ -674,7 +729,7 @@ asmlinkage long sys_chown(const char __u
16132 + error = user_path_walk(filename, &nd);
16133 + if (error)
16134 + goto out;
16135 +- error = chown_common(nd.dentry, user, group);
16136 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16137 + path_release(&nd);
16138 + out:
16139 + return error;
16140 +@@ -694,7 +749,7 @@ asmlinkage long sys_fchownat(int dfd, co
16141 + error = __user_walk_fd(dfd, filename, follow, &nd);
16142 + if (error)
16143 + goto out;
16144 +- error = chown_common(nd.dentry, user, group);
16145 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16146 + path_release(&nd);
16147 + out:
16148 + return error;
16149 +@@ -708,7 +763,7 @@ asmlinkage long sys_lchown(const char __
16150 + error = user_path_walk_link(filename, &nd);
16151 + if (error)
16152 + goto out;
16153 +- error = chown_common(nd.dentry, user, group);
16154 ++ error = chown_common(nd.dentry, user, group, nd.mnt);
16155 + path_release(&nd);
16156 + out:
16157 + return error;
16158 +@@ -727,7 +782,7 @@ asmlinkage long sys_fchown(unsigned int
16159 +
16160 + dentry = file->f_path.dentry;
16161 + audit_inode(NULL, dentry->d_inode);
16162 +- error = chown_common(dentry, user, group);
16163 ++ error = chown_common(dentry, user, group, file->f_vfsmnt);
16164 + fput(file);
16165 + out:
16166 + return error;
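Review bot: the line right above this call already uses `file->f_path.dentry`, so the new argument should be `file->f_path.mnt` rather than the legacy `file->f_vfsmnt` alias; the same applies to `filp->f_vfsmnt` in the do_truncate hunk and `file->f_vfsmnt` in sys_fchmod. Mixing the two spellings in one function makes it look like two different fields.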
16167 +@@ -934,6 +989,7 @@ repeat:
16168 + * N.B. For clone tasks sharing a files structure, this test
16169 + * will limit the total number of files that can be opened.
16170 + */
16171 ++ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
16172 + if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
16173 + goto out;
16174 +
16175 +diff -Nurp linux-2.6.23.15/fs/partitions/efi.c linux-2.6.23.15-grsec/fs/partitions/efi.c
16176 +--- linux-2.6.23.15/fs/partitions/efi.c 2007-10-09 21:31:38.000000000 +0100
16177 ++++ linux-2.6.23.15-grsec/fs/partitions/efi.c 2008-02-11 10:37:44.000000000 +0000
16178 +@@ -99,7 +99,7 @@
16179 + #ifdef EFI_DEBUG
16180 + #define Dprintk(x...) printk(KERN_DEBUG x)
16181 + #else
16182 +-#define Dprintk(x...)
16183 ++#define Dprintk(x...) do {} while (0)
16184 + #endif
16185 +
16186 + /* This allows a kernel command line option 'gpt' to override
16187 +diff -Nurp linux-2.6.23.15/fs/pipe.c linux-2.6.23.15-grsec/fs/pipe.c
16188 +--- linux-2.6.23.15/fs/pipe.c 2007-10-09 21:31:38.000000000 +0100
16189 ++++ linux-2.6.23.15-grsec/fs/pipe.c 2008-02-11 10:37:44.000000000 +0000
16190 +@@ -888,7 +888,7 @@ void free_pipe_info(struct inode *inode)
16191 + inode->i_pipe = NULL;
16192 + }
16193 +
16194 +-static struct vfsmount *pipe_mnt __read_mostly;
16195 ++struct vfsmount *pipe_mnt __read_mostly;
16196 + static int pipefs_delete_dentry(struct dentry *dentry)
16197 + {
16198 + /*
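Review bot: dropping `static` from pipe_mnt makes it a global without any declaration in a header, which sparse will flag ("symbol 'pipe_mnt' was not declared") and which forces every consumer to write its own `extern struct vfsmount *pipe_mnt;`. Add the extern declaration to the header included by whatever grsecurity code needs it, so that the definition and its users are checked against each other.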
16199 +diff -Nurp linux-2.6.23.15/fs/proc/array.c linux-2.6.23.15-grsec/fs/proc/array.c
16200 +--- linux-2.6.23.15/fs/proc/array.c 2008-02-11 10:36:03.000000000 +0000
16201 ++++ linux-2.6.23.15-grsec/fs/proc/array.c 2008-02-11 10:37:44.000000000 +0000
16202 +@@ -298,6 +298,21 @@ static inline char *task_context_switch_
16203 + p->nivcsw);
16204 + }
16205 +
16206 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
16207 ++static inline char *task_pax(struct task_struct *p, char *buffer)
16208 ++{
16209 ++ if (p->mm)
16210 ++ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
16211 ++ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
16212 ++ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
16213 ++ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
16214 ++ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
16215 ++ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
16216 ++ else
16217 ++ return buffer + sprintf(buffer, "PaX:\t-----\n");
16218 ++}
16219 ++#endif
16220 ++
16221 + int proc_pid_status(struct task_struct *task, char *buffer)
16222 + {
16223 + char *orig = buffer;
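Review bot: task_pax() dereferences `p->mm` directly, while the rest of this file takes a reference with get_task_mm() before touching another task's mm; p->mm can be cleared by exit_mm() while /proc/pid/status is being read, so either use get_task_mm()/mmput() here or explain why the bare read is safe. Separately, this line tells any local user which processes run without RANDMMAP or MPROTECT; since that is precisely the information an attacker wants when picking a target, consider gating the line on the same permission check used for the maps file (maps_protect is being turned on by default later in this patch).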
16224 +@@ -317,6 +332,11 @@ int proc_pid_status(struct task_struct *
16225 + buffer = task_show_regs(task, buffer);
16226 + #endif
16227 + buffer = task_context_switch_counts(task, buffer);
16228 ++
16229 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
16230 ++ buffer = task_pax(task, buffer);
16231 ++#endif
16232 ++
16233 + return buffer - orig;
16234 + }
16235 +
16236 +@@ -372,6 +392,12 @@ static cputime_t task_stime(struct task_
16237 + }
16238 + #endif
16239 +
16240 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16241 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
16242 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
16243 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
16244 ++#endif
16245 ++
16246 + static int do_task_stat(struct task_struct *task, char *buffer, int whole)
16247 + {
16248 + unsigned long vsize, eip, esp, wchan = ~0UL;
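Review bot: in PAX_RAND_FLAGS the expression `_mm->pax_flags & MF_PAX_RANDMMAP || _mm->pax_flags & MF_PAX_SEGMEXEC` is correct by precedence but gcc warns about `&` inside `||` without parentheses; write it as `_mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`, which is both warning-free and shorter. The macro also evaluates `_mm` three times, so callers must never pass an expression with side effects; a comment or a static inline function would make that obvious.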
16249 +@@ -458,6 +484,19 @@ static int do_task_stat(struct task_stru
16250 + stime = task_stime(task);
16251 + }
16252 +
16253 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16254 ++ if (PAX_RAND_FLAGS(mm)) {
16255 ++ eip = 0;
16256 ++ esp = 0;
16257 ++ wchan = 0;
16258 ++ }
16259 ++#endif
16260 ++#ifdef CONFIG_GRKERNSEC_HIDESYM
16261 ++ wchan = 0;
16262 ++ eip =0;
16263 ++ esp =0;
16264 ++#endif
16265 ++
16266 + /* scale priority and nice values from timeslices to -20..20 */
16267 + /* to make it look like a "normal" Unix priority/nice value */
16268 + priority = task_prio(task);
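Review bot: under CONFIG_GRKERNSEC_HIDESYM the `eip =0;` / `esp =0;` assignments (note the missing space after `=`) zero the registers and wchan unconditionally, including for the task reading its own stat file, whereas the PROC_MEMMAP block just above deliberately exempts current->mm. If hiding from self is intended, say so in a comment; if not, reuse the PAX_RAND_FLAGS-style `_mm != current->mm` test here too.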
16269 +@@ -498,9 +537,15 @@ static int do_task_stat(struct task_stru
16270 + vsize,
16271 + mm ? get_mm_rss(mm) : 0,
16272 + rsslim,
16273 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16274 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
16275 ++ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
16276 ++ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
16277 ++#else
16278 + mm ? mm->start_code : 0,
16279 + mm ? mm->end_code : 0,
16280 + mm ? mm->start_stack : 0,
16281 ++#endif
16282 + esp,
16283 + eip,
16284 + /* The signal information here is obsolete.
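Review bot: the placeholder values printed when PAX_RAND_FLAGS(mm) holds are undocumented: start_code and end_code become 1 while start_stack becomes 0. A comment explaining why 1 is used for the code fields (rather than 0 as for the stack and for the addresses masked in do_task_stat above) would stop a later reader from "fixing" the inconsistency.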
16285 +@@ -547,3 +592,14 @@ int proc_pid_statm(struct task_struct *t
16286 + return sprintf(buffer, "%d %d %d %d %d %d %d\n",
16287 + size, resident, shared, text, lib, data, 0);
16288 + }
16289 ++
16290 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16291 ++int proc_pid_ipaddr(struct task_struct *task, char * buffer)
16292 ++{
16293 ++ int len;
16294 ++
16295 ++ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
16296 ++ return len;
16297 ++}
16298 ++#endif
16299 ++
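Review bot: proc_pid_ipaddr dereferences task->signal without any check or the sighand lock; the other /proc readers in this file guard signal access because signal can be torn down for an exiting task while a /proc reader still holds a task reference, so confirm this path cannot hit a NULL signal. Minor style: "char * buffer" should be "char *buffer" to match the neighbouring prototypes.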
16300 +diff -Nurp linux-2.6.23.15/fs/proc/base.c linux-2.6.23.15-grsec/fs/proc/base.c
16301 +--- linux-2.6.23.15/fs/proc/base.c 2007-10-09 21:31:38.000000000 +0100
16302 ++++ linux-2.6.23.15-grsec/fs/proc/base.c 2008-02-11 10:37:44.000000000 +0000
16303 +@@ -73,6 +73,7 @@
16304 + #include <linux/nsproxy.h>
16305 + #include <linux/oom.h>
16306 + #include <linux/elf.h>
16307 ++#include <linux/grsecurity.h>
16308 + #include "internal.h"
16309 +
16310 + /* NOTE:
16311 +@@ -123,7 +124,7 @@ struct pid_entry {
16312 + NULL, &proc_info_file_operations, \
16313 + { .proc_read = &proc_##OTYPE } )
16314 +
16315 +-int maps_protect;
16316 ++int maps_protect = 1;
16317 + EXPORT_SYMBOL(maps_protect);
16318 +
16319 + static struct fs_struct *get_fs_struct(struct task_struct *task)
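Review bot: changing "int maps_protect;" to "int maps_protect = 1;" flips the default of the existing maps_protect sysctl for every kernel built from this tree, and the line is not under any CONFIG_GRKERNSEC guard, so it applies even when grsecurity is disabled in Kconfig. Either wrap the initializer in the relevant #ifdef or call out the default change explicitly in the patch description.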
16320 +@@ -197,7 +198,7 @@ static int proc_root_link(struct inode *
16321 + (task->parent == current && \
16322 + (task->ptrace & PT_PTRACED) && \
16323 + (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
16324 +- security_ptrace(current,task) == 0))
16325 ++ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
16326 +
16327 + static int proc_pid_environ(struct task_struct *task, char * buffer)
16328 + {
16329 +@@ -263,9 +264,9 @@ static int proc_pid_auxv(struct task_str
16330 + struct mm_struct *mm = get_task_mm(task);
16331 + if (mm) {
16332 + unsigned int nwords = 0;
16333 +- do
16334 ++ do {
16335 + nwords += 2;
16336 +- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
16337 ++ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
16338 + res = nwords * sizeof(mm->saved_auxv[0]);
16339 + if (res > PAGE_SIZE)
16340 + res = PAGE_SIZE;
16341 +@@ -338,6 +339,8 @@ static int proc_fd_access_allowed(struct
16342 + task = get_proc_task(inode);
16343 + if (task) {
16344 + allowed = ptrace_may_attach(task);
16345 ++ if (allowed != 0)
16346 ++ allowed = !gr_acl_handle_procpidmem(task);
16347 + put_task_struct(task);
16348 + }
16349 + return allowed;
16350 +@@ -528,7 +531,7 @@ static ssize_t mem_read(struct file * fi
16351 + if (!task)
16352 + goto out_no_task;
16353 +
16354 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
16355 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
16356 + goto out;
16357 +
16358 + ret = -ENOMEM;
16359 +@@ -598,7 +601,7 @@ static ssize_t mem_write(struct file * f
16360 + if (!task)
16361 + goto out_no_task;
16362 +
16363 +- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
16364 ++ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
16365 + goto out;
16366 +
16367 + copied = -ENOMEM;
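Review bot: the same three-part test "!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task)" is now duplicated in mem_read and mem_write, and proc_fd_access_allowed above open-codes the same policy a third way. Folding gr_acl_handle_procpidmem into MAY_PTRACE or a small helper would keep the three sites in step and make it harder for a future caller to forget the ACL check.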
16368 +@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
16369 + inode->i_gid = 0;
16370 + if (task_dumpable(task)) {
16371 + inode->i_uid = task->euid;
16372 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16373 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16374 ++#else
16375 + inode->i_gid = task->egid;
16376 ++#endif
16377 + }
16378 + security_task_to_inode(task, inode);
16379 +
16380 +@@ -1066,17 +1073,45 @@ static int pid_getattr(struct vfsmount *
16381 + {
16382 + struct inode *inode = dentry->d_inode;
16383 + struct task_struct *task;
16384 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16385 ++ struct task_struct *tmp = current;
16386 ++#endif
16387 ++
16388 + generic_fillattr(inode, stat);
16389 +
16390 + rcu_read_lock();
16391 + stat->uid = 0;
16392 + stat->gid = 0;
16393 + task = pid_task(proc_pid(inode), PIDTYPE_PID);
16394 +- if (task) {
16395 ++
16396 ++ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
16397 ++ rcu_read_unlock();
16398 ++ return -ENOENT;
16399 ++ }
16400 ++
16401 ++
16402 ++ if (task
16403 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16404 ++ && (!tmp->uid || (tmp->uid == task->uid)
16405 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16406 ++ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
16407 ++#endif
16408 ++ )
16409 ++#endif
16410 ++ ) {
16411 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
16412 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16413 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
16414 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16415 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
16416 ++#endif
16417 + task_dumpable(task)) {
16418 + stat->uid = task->euid;
16419 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16420 ++ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
16421 ++#else
16422 + stat->gid = task->egid;
16423 ++#endif
16424 + }
16425 + }
16426 + rcu_read_unlock();
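Review bot: "#elif CONFIG_GRKERNSEC_PROC_USERGROUP" in pid_getattr (and again in pid_revalidate and proc_pid_instantiate) works only because autoconf.h defines the symbol as 1 and an undefined identifier evaluates to 0 in #if; the proc_misc.c and root.c hunks of this same patch use "#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)", so use the defined() form consistently. Two smaller points: the "tmp" variable is just an alias for current and can be dropped, and there is a double blank line after the "return -ENOENT;" block.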
16427 +@@ -1104,11 +1139,21 @@ static int pid_revalidate(struct dentry
16428 + {
16429 + struct inode *inode = dentry->d_inode;
16430 + struct task_struct *task = get_proc_task(inode);
16431 ++
16432 + if (task) {
16433 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
16434 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16435 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
16436 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16437 ++ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
16438 ++#endif
16439 + task_dumpable(task)) {
16440 + inode->i_uid = task->euid;
16441 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16442 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16443 ++#else
16444 + inode->i_gid = task->egid;
16445 ++#endif
16446 + } else {
16447 + inode->i_uid = 0;
16448 + inode->i_gid = 0;
16449 +@@ -1118,6 +1163,7 @@ static int pid_revalidate(struct dentry
16450 + put_task_struct(task);
16451 + return 1;
16452 + }
16453 ++out:
16454 + d_drop(dentry);
16455 + return 0;
16456 + }
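Review bot: the "out:" label added to pid_revalidate has no matching "goto out" in any of this function's hunks; if nothing jumps to it the compiler will warn about an unused label, and if a later hunk does use it, that hunk should be the one introducing the label.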
16457 +@@ -1374,6 +1420,9 @@ static struct dentry *proc_lookupfd_comm
16458 + if (fd == ~0U)
16459 + goto out;
16460 +
16461 ++ if (gr_acl_handle_procpidmem(task))
16462 ++ goto out;
16463 ++
16464 + result = instantiate(dir, dentry, task, &fd);
16465 + out:
16466 + put_task_struct(task);
16467 +@@ -1410,6 +1459,8 @@ static int proc_readfd_common(struct fil
16468 + goto out;
16469 + filp->f_pos++;
16470 + default:
16471 ++ if (gr_acl_handle_procpidmem(p))
16472 ++ goto out;
16473 + files = get_files_struct(p);
16474 + if (!files)
16475 + goto out;
16476 +@@ -1598,6 +1649,9 @@ static struct dentry *proc_pident_lookup
16477 + if (!task)
16478 + goto out_no_task;
16479 +
16480 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16481 ++ goto out;
16482 ++
16483 + /*
16484 + * Yes, it does not scale. And it should not. Don't add
16485 + * new entries into /proc/<tgid>/ without very good reasons.
16486 +@@ -1643,6 +1697,9 @@ static int proc_pident_readdir(struct fi
16487 + if (!task)
16488 + goto out_no_task;
16489 +
16490 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16491 ++ goto out;
16492 ++
16493 + ret = 0;
16494 + pid = task->pid;
16495 + i = filp->f_pos;
16496 +@@ -1998,6 +2055,9 @@ static struct dentry *proc_base_lookup(s
16497 + if (p > last)
16498 + goto out;
16499 +
16500 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
16501 ++ goto out;
16502 ++
16503 + error = proc_base_instantiate(dir, dentry, task, p);
16504 +
16505 + out:
16506 +@@ -2097,6 +2157,9 @@ static const struct pid_entry tgid_base_
16507 + #ifdef CONFIG_TASK_IO_ACCOUNTING
16508 + INF("io", S_IRUGO, pid_io_accounting),
16509 + #endif
16510 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16511 ++ INF("ipaddr", S_IRUSR, pid_ipaddr),
16512 ++#endif
16513 + };
16514 +
16515 + static int proc_tgid_base_readdir(struct file * filp,
16516 +@@ -2200,7 +2263,14 @@ static struct dentry *proc_pid_instantia
16517 + if (!inode)
16518 + goto out;
16519 +
16520 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16521 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
16522 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
16523 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16524 ++ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
16525 ++#else
16526 + inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
16527 ++#endif
16528 + inode->i_op = &proc_tgid_base_inode_operations;
16529 + inode->i_fop = &proc_tgid_base_operations;
16530 + inode->i_flags|=S_IMMUTABLE;
16531 +@@ -2241,7 +2311,11 @@ struct dentry *proc_pid_lookup(struct in
16532 + if (!task)
16533 + goto out;
16534 +
16535 ++ if (gr_check_hidden_task(task))
16536 ++ goto out_put_task;
16537 ++
16538 + result = proc_pid_instantiate(dir, dentry, task, NULL);
16539 ++out_put_task:
16540 + put_task_struct(task);
16541 + out:
16542 + return result;
16543 +@@ -2299,6 +2373,9 @@ int proc_pid_readdir(struct file * filp,
16544 + {
16545 + unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
16546 + struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
16547 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16548 ++ struct task_struct *tmp = current;
16549 ++#endif
16550 + struct task_struct *task;
16551 + int tgid;
16552 +
16553 +@@ -2316,6 +2393,18 @@ int proc_pid_readdir(struct file * filp,
16554 + task;
16555 + put_task_struct(task), task = next_tgid(tgid + 1)) {
16556 + tgid = task->pid;
16557 ++
16558 ++ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)
16559 ++#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16560 ++ || (tmp->uid && (task->uid != tmp->uid)
16561 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16562 ++ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
16563 ++#endif
16564 ++ )
16565 ++#endif
16566 ++ )
16567 ++ continue;
16568 ++
16569 + filp->f_pos = tgid + TGID_OFFSET;
16570 + if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
16571 + put_task_struct(task);
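Review bot: the readdir filter hides a task when gr_pid_is_chrooted(task) or gr_check_hidden_task(task) holds or when the uid/group test fails, but the proc_pid_lookup hunk above only checks gr_check_hidden_task, so a chrooted task's /proc/<pid> directory is omitted from a listing yet still resolves by path (proc_pident_lookup, by contrast, does check gr_pid_is_chrooted). If relying on the restricted i_mode set in proc_pid_instantiate is the intended defence for the lookup path, a comment should say so; otherwise align the two checks.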
16572 +diff -Nurp linux-2.6.23.15/fs/proc/inode.c linux-2.6.23.15-grsec/fs/proc/inode.c
16573 +--- linux-2.6.23.15/fs/proc/inode.c 2007-10-09 21:31:38.000000000 +0100
16574 ++++ linux-2.6.23.15-grsec/fs/proc/inode.c 2008-02-11 10:37:44.000000000 +0000
16575 +@@ -418,7 +418,11 @@ struct inode *proc_get_inode(struct supe
16576 + if (de->mode) {
16577 + inode->i_mode = de->mode;
16578 + inode->i_uid = de->uid;
16579 ++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
16580 ++ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
16581 ++#else
16582 + inode->i_gid = de->gid;
16583 ++#endif
16584 + }
16585 + if (de->size)
16586 + inode->i_size = de->size;
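Review bot: under CONFIG_GRKERNSEC_PROC_USERGROUP this proc_get_inode change replaces de->gid with CONFIG_GRKERNSEC_PROC_GID for every procfs entry that carries a mode, not just the entries this patch restricts, so any entry that deliberately sets its own gid silently loses it. Consider applying the override only where the entry's mode was set by the grsec paths, or document the global effect.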
16587 +diff -Nurp linux-2.6.23.15/fs/proc/internal.h linux-2.6.23.15-grsec/fs/proc/internal.h
16588 +--- linux-2.6.23.15/fs/proc/internal.h 2007-10-09 21:31:38.000000000 +0100
16589 ++++ linux-2.6.23.15-grsec/fs/proc/internal.h 2008-02-11 10:37:44.000000000 +0000
16590 +@@ -45,6 +45,9 @@ extern int proc_tid_stat(struct task_str
16591 + extern int proc_tgid_stat(struct task_struct *, char *);
16592 + extern int proc_pid_status(struct task_struct *, char *);
16593 + extern int proc_pid_statm(struct task_struct *, char *);
16594 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
16595 ++extern int proc_pid_ipaddr(struct task_struct*,char*);
16596 ++#endif
16597 +
16598 + extern const struct file_operations proc_maps_operations;
16599 + extern const struct file_operations proc_numa_maps_operations;
16600 +diff -Nurp linux-2.6.23.15/fs/proc/proc_misc.c linux-2.6.23.15-grsec/fs/proc/proc_misc.c
16601 +--- linux-2.6.23.15/fs/proc/proc_misc.c 2007-10-09 21:31:38.000000000 +0100
16602 ++++ linux-2.6.23.15-grsec/fs/proc/proc_misc.c 2008-02-11 10:37:44.000000000 +0000
16603 +@@ -668,6 +668,8 @@ void create_seq_entry(char *name, mode_t
16604 +
16605 + void __init proc_misc_init(void)
16606 + {
16607 ++ int gr_mode = 0;
16608 ++
16609 + static struct {
16610 + char *name;
16611 + int (*read_proc)(char*,char**,off_t,int,int*,void*);
16612 +@@ -683,7 +685,9 @@ void __init proc_misc_init(void)
16613 + {"stram", stram_read_proc},
16614 + #endif
16615 + {"filesystems", filesystems_read_proc},
16616 ++#ifndef CONFIG_GRKERNSEC_PROC_ADD
16617 + {"cmdline", cmdline_read_proc},
16618 ++#endif
16619 + {"locks", locks_read_proc},
16620 + {"execdomains", execdomains_read_proc},
16621 + {NULL,}
16622 +@@ -691,6 +695,15 @@ void __init proc_misc_init(void)
16623 + for (p = simple_ones; p->name; p++)
16624 + create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
16625 +
16626 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16627 ++ gr_mode = S_IRUSR;
16628 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16629 ++ gr_mode = S_IRUSR | S_IRGRP;
16630 ++#endif
16631 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16632 ++ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
16633 ++#endif
16634 ++
16635 + proc_symlink("mounts", NULL, "self/mounts");
16636 +
16637 + /* And now for trickier ones */
16638 +@@ -702,7 +715,11 @@ void __init proc_misc_init(void)
16639 + entry->proc_fops = &proc_kmsg_operations;
16640 + }
16641 + #endif
16642 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16643 ++ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
16644 ++#else
16645 + create_seq_entry("devices", 0, &proc_devinfo_operations);
16646 ++#endif
16647 + create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
16648 + #ifdef CONFIG_BLOCK
16649 + create_seq_entry("partitions", 0, &proc_partitions_operations);
16650 +@@ -710,7 +727,11 @@ void __init proc_misc_init(void)
16651 + create_seq_entry("stat", 0, &proc_stat_operations);
16652 + create_seq_entry("interrupts", 0, &proc_interrupts_operations);
16653 + #ifdef CONFIG_SLAB
16654 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16655 ++ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
16656 ++#else
16657 + create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
16658 ++#endif
16659 + #ifdef CONFIG_DEBUG_SLAB_LEAK
16660 + create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
16661 + #endif
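Review bot: if Kconfig allows CONFIG_GRKERNSEC_PROC_ADD without CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP, gr_mode stays 0 and "slabinfo" is created with mode S_IWUSR alone; because that mode is non-zero, create_proc_entry will not fall back to its default read bits and the entry becomes write-only, whereas "cmdline" and "devices" (mode 0) keep the default S_IRUGO. Either make the Kconfig dependency enforce one of the two options or use an explicit mode here.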
16662 +@@ -727,7 +748,7 @@ void __init proc_misc_init(void)
16663 + #ifdef CONFIG_SCHEDSTATS
16664 + create_seq_entry("schedstat", 0, &proc_schedstat_operations);
16665 + #endif
16666 +-#ifdef CONFIG_PROC_KCORE
16667 ++#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
16668 + proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
16669 + if (proc_root_kcore) {
16670 + proc_root_kcore->proc_fops = &proc_kcore_operations;
16671 +diff -Nurp linux-2.6.23.15/fs/proc/proc_sysctl.c linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c
16672 +--- linux-2.6.23.15/fs/proc/proc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
16673 ++++ linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c 2008-02-11 10:37:44.000000000 +0000
16674 +@@ -7,6 +7,8 @@
16675 + #include <linux/security.h>
16676 + #include "internal.h"
16677 +
16678 ++extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
16679 ++
16680 + static struct dentry_operations proc_sys_dentry_operations;
16681 + static const struct file_operations proc_sys_file_operations;
16682 + static struct inode_operations proc_sys_inode_operations;
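Review bot: the prototype "extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);" is declared locally in proc_sysctl.c rather than in linux/grsecurity.h, which other hunks of this patch already include; a local extern bypasses the header's type checking and will need updating separately if the signature changes.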
16683 +@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
16684 + if (!table)
16685 + goto out;
16686 +
16687 ++ if (gr_handle_sysctl(table, 001))
16688 ++ goto out;
16689 ++
16690 + err = ERR_PTR(-ENOMEM);
16691 + inode = proc_sys_make_inode(dir, table);
16692 + if (!inode)
16693 +@@ -358,6 +363,9 @@ static int proc_sys_readdir(struct file
16694 + if (pos < filp->f_pos)
16695 + continue;
16696 +
16697 ++ if (gr_handle_sysctl(table, 0))
16698 ++ continue;
16699 ++
16700 + if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
16701 + goto out;
16702 + filp->f_pos = pos + 1;
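Review bot: the op argument to gr_handle_sysctl is passed as the octal literal 001 in proc_sys_lookup and as 0 in proc_sys_readdir with no indication of what the two values mean; name them (or at least comment them) so a reader can tell a lookup from a listing and so the later call in proc_sys_getattr stays consistent.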
16703 +@@ -420,6 +428,30 @@ out:
16704 + return error;
16705 + }
16706 +
16707 ++/* Eric Biederman is to blame */
16708 ++static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
16709 ++{
16710 ++ int error = 0;
16711 ++ struct ctl_table_header *head;
16712 ++ struct ctl_table *table;
16713 ++
16714 ++ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
16715 ++ /* Has the sysctl entry disappeared on us? */
16716 ++ if (!table)
16717 ++ goto out;
16718 ++
16719 ++ if (gr_handle_sysctl(table, 001)) {
16720 ++ error = -ENOENT;
16721 ++ goto out;
16722 ++ }
16723 ++
16724 ++out:
16725 ++ sysctl_head_finish(head);
16726 ++
16727 ++ generic_fillattr(dentry->d_inode, stat);
16728 ++
16729 ++ return error;
16730 ++}
16731 + static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
16732 + {
16733 + struct inode *inode = dentry->d_inode;
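Review bot: proc_sys_getattr returns -ENOENT when gr_handle_sysctl denies the entry but returns 0 and fills stat from the existing inode when do_proc_sys_lookup finds no table at all; state whether a vanished entry should be treated the same as a denied one. The comment "Eric Biederman is to blame" should instead say what the function works around, and a blank line is missing between the closing brace and proc_sys_setattr.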
16734 +@@ -448,6 +480,7 @@ static struct inode_operations proc_sys_
16735 + .lookup = proc_sys_lookup,
16736 + .permission = proc_sys_permission,
16737 + .setattr = proc_sys_setattr,
16738 ++ .getattr = proc_sys_getattr,
16739 + };
16740 +
16741 + static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
16742 +diff -Nurp linux-2.6.23.15/fs/proc/root.c linux-2.6.23.15-grsec/fs/proc/root.c
16743 +--- linux-2.6.23.15/fs/proc/root.c 2007-10-09 21:31:38.000000000 +0100
16744 ++++ linux-2.6.23.15-grsec/fs/proc/root.c 2008-02-11 10:37:44.000000000 +0000
16745 +@@ -61,7 +61,13 @@ void __init proc_root_init(void)
16746 + return;
16747 + }
16748 + proc_misc_init();
16749 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16750 ++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
16751 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16752 ++ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
16753 ++#else
16754 + proc_net = proc_mkdir("net", NULL);
16755 ++#endif
16756 + proc_net_stat = proc_mkdir("net/stat", NULL);
16757 +
16758 + #ifdef CONFIG_SYSVIPC
16759 +@@ -78,7 +84,15 @@ void __init proc_root_init(void)
16760 + #ifdef CONFIG_PROC_DEVICETREE
16761 + proc_device_tree_init();
16762 + #endif
16763 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
16764 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
16765 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
16766 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
16767 ++ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
16768 ++#endif
16769 ++#else
16770 + proc_bus = proc_mkdir("bus", NULL);
16771 ++#endif
16772 + proc_sys_init();
16773 + }
16774 +
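Review bot: inside the CONFIG_GRKERNSEC_PROC_ADD branch, proc_bus is only created when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is defined; if neither is set proc_bus stays NULL and anything later registered under it ends up elsewhere. Add a fallback proc_mkdir("bus", NULL) inside that branch unless Kconfig guarantees one of the two options.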
16775 +diff -Nurp linux-2.6.23.15/fs/proc/task_mmu.c linux-2.6.23.15-grsec/fs/proc/task_mmu.c
16776 +--- linux-2.6.23.15/fs/proc/task_mmu.c 2007-10-09 21:31:38.000000000 +0100
16777 ++++ linux-2.6.23.15-grsec/fs/proc/task_mmu.c 2008-02-11 10:37:44.000000000 +0000
16778 +@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
16779 + "VmStk:\t%8lu kB\n"
16780 + "VmExe:\t%8lu kB\n"
16781 + "VmLib:\t%8lu kB\n"
16782 +- "VmPTE:\t%8lu kB\n",
16783 +- hiwater_vm << (PAGE_SHIFT-10),
16784 ++ "VmPTE:\t%8lu kB\n"
16785 ++
16786 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
16787 ++ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
16788 ++#endif
16789 ++
16790 ++ ,hiwater_vm << (PAGE_SHIFT-10),
16791 + (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
16792 + mm->locked_vm << (PAGE_SHIFT-10),
16793 + hiwater_rss << (PAGE_SHIFT-10),
16794 + total_rss << (PAGE_SHIFT-10),
16795 + data << (PAGE_SHIFT-10),
16796 + mm->stack_vm << (PAGE_SHIFT-10), text, lib,
16797 +- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
16798 ++ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
16799 ++
16800 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
16801 ++ , mm->context.user_cs_base, mm->context.user_cs_limit
16802 ++#endif
16803 ++
16804 ++ );
16805 ++
16806 + return buffer;
16807 + }
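Review bot: the CsBase/CsLim fields added to task_mem are printed for any reader of /proc/<pid>/status whenever CONFIG_ARCH_TRACK_EXEC_LIMIT is set and are not masked by PAX_RAND_FLAGS the way addresses in do_task_stat and show_map_internal are; confirm that exposing user_cs_base and user_cs_limit is acceptable, or apply the same masking. Splicing the #ifdef into the middle of the format string with a leading comma on the first argument compiles, but a separate seq_printf-style second call would read more clearly.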
16808 +
16809 +@@ -131,6 +143,12 @@ struct pmd_walker {
16810 + unsigned long, void *);
16811 + };
16812 +
16813 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16814 ++#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
16815 ++ (_mm->pax_flags & MF_PAX_RANDMMAP || \
16816 ++ _mm->pax_flags & MF_PAX_SEGMEXEC))
16817 ++#endif
16818 ++
16819 + static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
16820 + {
16821 + struct proc_maps_private *priv = m->private;
16822 +@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
16823 + }
16824 +
16825 + seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
16826 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16827 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
16828 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
16829 ++#else
16830 + vma->vm_start,
16831 + vma->vm_end,
16832 ++#endif
16833 + flags & VM_READ ? 'r' : '-',
16834 + flags & VM_WRITE ? 'w' : '-',
16835 + flags & VM_EXEC ? 'x' : '-',
16836 + flags & VM_MAYSHARE ? 's' : 'p',
16837 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16838 ++ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
16839 ++#else
16840 + vma->vm_pgoff << PAGE_SHIFT,
16841 ++#endif
16842 + MAJOR(dev), MINOR(dev), ino, &len);
16843 +
16844 + /*
16845 +@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
16846 + const char *name = arch_vma_name(vma);
16847 + if (!name) {
16848 + if (mm) {
16849 +- if (vma->vm_start <= mm->start_brk &&
16850 +- vma->vm_end >= mm->brk) {
16851 ++ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
16852 + name = "[heap]";
16853 +- } else if (vma->vm_start <= mm->start_stack &&
16854 +- vma->vm_end >= mm->start_stack) {
16855 ++ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
16856 ++ (vma->vm_start <= mm->start_stack &&
16857 ++ vma->vm_end >= mm->start_stack)) {
16858 + name = "[stack]";
16859 + }
16860 + } else {
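Review bot: the [heap] test changes from a containment check ("vm_start <= start_brk && vm_end >= brk") to an overlap check ("vm_start <= brk && vm_end >= start_brk"), and any vma with VM_GROWSDOWN or VM_GROWSUP is now labelled [stack] regardless of start_stack; both are behaviour changes visible to every /proc/<pid>/maps consumer and are unrelated to the access-control hooks, so they deserve a sentence in the patch description.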
16861 +@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
16862 + }
16863 + seq_putc(m, '\n');
16864 +
16865 +- if (mss)
16866 ++
16867 ++ if (mss) {
16868 ++#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
16869 ++ if (PAX_RAND_FLAGS(mm))
16870 ++ seq_printf(m,
16871 ++ "Size: %8lu kB\n"
16872 ++ "Rss: %8lu kB\n"
16873 ++ "Shared_Clean: %8lu kB\n"
16874 ++ "Shared_Dirty: %8lu kB\n"
16875 ++ "Private_Clean: %8lu kB\n"
16876 ++ "Private_Dirty: %8lu kB\n",
16877 ++ "Referenced: %8lu kB\n",
16878 ++ 0UL,
16879 ++ 0UL,
16880 ++ 0UL,
16881 ++ 0UL,
16882 ++ 0UL,
16883 ++ 0UL,
16884 ++ 0UL);
16885 ++ else
16886 ++#endif
16887 + seq_printf(m,
16888 + "Size: %8lu kB\n"
16889 + "Rss: %8lu kB\n"
16890 +@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
16891 + mss->private_clean >> 10,
16892 + mss->private_dirty >> 10,
16893 + mss->referenced >> 10);
16894 ++ }
16895 +
16896 + if (m->count < m->size) /* vma is copied successfully */
16897 + m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
16898 +diff -Nurp linux-2.6.23.15/fs/readdir.c linux-2.6.23.15-grsec/fs/readdir.c
16899 +--- linux-2.6.23.15/fs/readdir.c 2007-10-09 21:31:38.000000000 +0100
16900 ++++ linux-2.6.23.15-grsec/fs/readdir.c 2008-02-11 10:37:44.000000000 +0000
16901 +@@ -16,6 +16,8 @@
16902 + #include <linux/security.h>
16903 + #include <linux/syscalls.h>
16904 + #include <linux/unistd.h>
16905 ++#include <linux/namei.h>
16906 ++#include <linux/grsecurity.h>
16907 +
16908 + #include <asm/uaccess.h>
16909 +
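Review bot: the new "#include <linux/namei.h>" in fs/readdir.c has no visible user in this file's hunks (the added calls are gr_acl_handle_filldir, which comes from linux/grsecurity.h); drop it unless a later hunk needs it.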
16910 +@@ -64,6 +66,7 @@ struct old_linux_dirent {
16911 +
16912 + struct readdir_callback {
16913 + struct old_linux_dirent __user * dirent;
16914 ++ struct file * file;
16915 + int result;
16916 + };
16917 +
16918 +@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
16919 + d_ino = ino;
16920 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
16921 + return -EOVERFLOW;
16922 ++
16923 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16924 ++ return 0;
16925 ++
16926 + buf->result++;
16927 + dirent = buf->dirent;
16928 + if (!access_ok(VERIFY_WRITE, dirent,
16929 +@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
16930 +
16931 + buf.result = 0;
16932 + buf.dirent = dirent;
16933 ++ buf.file = file;
16934 +
16935 + error = vfs_readdir(file, fillonedir, &buf);
16936 + if (error >= 0)
16937 +@@ -136,6 +144,7 @@ struct linux_dirent {
16938 + struct getdents_callback {
16939 + struct linux_dirent __user * current_dir;
16940 + struct linux_dirent __user * previous;
16941 ++ struct file * file;
16942 + int count;
16943 + int error;
16944 + };
16945 +@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
16946 + d_ino = ino;
16947 + if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
16948 + return -EOVERFLOW;
16949 ++
16950 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16951 ++ return 0;
16952 ++
16953 + dirent = buf->previous;
16954 + if (dirent) {
16955 + if (__put_user(offset, &dirent->d_off))
16956 +@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
16957 + buf.previous = NULL;
16958 + buf.count = count;
16959 + buf.error = 0;
16960 ++ buf.file = file;
16961 +
16962 + error = vfs_readdir(file, filldir, &buf);
16963 + if (error < 0)
16964 +@@ -222,6 +236,7 @@ out:
16965 + struct getdents_callback64 {
16966 + struct linux_dirent64 __user * current_dir;
16967 + struct linux_dirent64 __user * previous;
16968 ++ struct file *file;
16969 + int count;
16970 + int error;
16971 + };
16972 +@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
16973 + buf->error = -EINVAL; /* only used if we fail.. */
16974 + if (reclen > buf->count)
16975 + return -EINVAL;
16976 ++
16977 ++ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
16978 ++ return 0;
16979 ++
16980 + dirent = buf->previous;
16981 + if (dirent) {
16982 + if (__put_user(offset, &dirent->d_off))
16983 +@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
16984 +
16985 + buf.current_dir = dirent;
16986 + buf.previous = NULL;
16987 ++ buf.file = file;
16988 + buf.count = count;
16989 + buf.error = 0;
16990 +
16991 +diff -Nurp linux-2.6.23.15/fs/udf/balloc.c linux-2.6.23.15-grsec/fs/udf/balloc.c
16992 +--- linux-2.6.23.15/fs/udf/balloc.c 2007-10-09 21:31:38.000000000 +0100
16993 ++++ linux-2.6.23.15-grsec/fs/udf/balloc.c 2008-02-11 10:37:44.000000000 +0000
16994 +@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
16995 + unsigned long overflow;
16996 +
16997 + mutex_lock(&sbi->s_alloc_mutex);
16998 +- if (bloc.logicalBlockNum < 0 ||
16999 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17000 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17001 + udf_debug("%d < %d || %d + %d > %d\n",
17002 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
17003 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
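Review bot: after dropping the always-false "bloc.logicalBlockNum < 0" test on the unsigned field, the udf_debug message below still reads "%d < %d || %d + %d > %d" and still passes the literal 0 for the removed comparison, so the log output no longer matches the check; update the format and arguments here and in the identical udf_table_free_blocks hunk.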
17004 +@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
17005 + struct buffer_head *bh;
17006 +
17007 + mutex_lock(&sbi->s_alloc_mutex);
17008 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
17009 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
17010 + goto out;
17011 +
17012 + if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
17013 +@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
17014 + mutex_lock(&sbi->s_alloc_mutex);
17015 +
17016 + repeat:
17017 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
17018 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
17019 + goal = 0;
17020 +
17021 + nr_groups = bitmap->s_nr_groups;
17022 +@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
17023 + int i;
17024 +
17025 + mutex_lock(&sbi->s_alloc_mutex);
17026 +- if (bloc.logicalBlockNum < 0 ||
17027 +- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17028 ++ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
17029 + udf_debug("%d < %d || %d + %d > %d\n",
17030 + bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
17031 + UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
17032 +@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
17033 + struct extent_position epos;
17034 + int8_t etype = -1;
17035 +
17036 +- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
17037 ++ if (first_block >= UDF_SB_PARTLEN(sb, partition))
17038 + return 0;
17039 +
17040 + if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
17041 +@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
17042 + return newblock;
17043 +
17044 + mutex_lock(&sbi->s_alloc_mutex);
17045 +- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
17046 ++ if (goal >= UDF_SB_PARTLEN(sb, partition))
17047 + goal = 0;
17048 +
17049 + /* We search for the closest matching block to goal. If we find a exact hit,
17050 +diff -Nurp linux-2.6.23.15/fs/udf/inode.c linux-2.6.23.15-grsec/fs/udf/inode.c
17051 +--- linux-2.6.23.15/fs/udf/inode.c 2007-10-09 21:31:38.000000000 +0100
17052 ++++ linux-2.6.23.15-grsec/fs/udf/inode.c 2008-02-11 10:37:44.000000000 +0000
17053 +@@ -308,9 +308,6 @@ static int udf_get_block(struct inode *i
17054 +
17055 + lock_kernel();
17056 +
17057 +- if (block < 0)
17058 +- goto abort_negative;
17059 +-
17060 + if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
17061 + UDF_I_NEXT_ALLOC_BLOCK(inode)++;
17062 + UDF_I_NEXT_ALLOC_GOAL(inode)++;
17063 +@@ -331,10 +328,6 @@ static int udf_get_block(struct inode *i
17064 + abort:
17065 + unlock_kernel();
17066 + return err;
17067 +-
17068 +-abort_negative:
17069 +- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
17070 +- goto abort;
17071 + }
17072 +
17073 + static struct buffer_head *udf_getblk(struct inode *inode, long block,
17074 +diff -Nurp linux-2.6.23.15/fs/ufs/inode.c linux-2.6.23.15-grsec/fs/ufs/inode.c
17075 +--- linux-2.6.23.15/fs/ufs/inode.c 2007-10-09 21:31:38.000000000 +0100
17076 ++++ linux-2.6.23.15-grsec/fs/ufs/inode.c 2008-02-11 10:37:44.000000000 +0000
17077 +@@ -55,9 +55,7 @@ static int ufs_block_to_path(struct inod
17078 +
17079 +
17080 + UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
17081 +- if (i_block < 0) {
17082 +- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
17083 +- } else if (i_block < direct_blocks) {
17084 ++ if (i_block < direct_blocks) {
17085 + offsets[n++] = i_block;
17086 + } else if ((i_block -= direct_blocks) < indirect_blocks) {
17087 + offsets[n++] = UFS_IND_BLOCK;
17088 +@@ -439,8 +437,6 @@ int ufs_getfrag_block(struct inode *inod
17089 + lock_kernel();
17090 +
17091 + UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
17092 +- if (fragment < 0)
17093 +- goto abort_negative;
17094 + if (fragment >
17095 + ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
17096 + << uspi->s_fpbshift))
17097 +@@ -503,10 +499,6 @@ abort:
17098 + unlock_kernel();
17099 + return err;
17100 +
17101 +-abort_negative:
17102 +- ufs_warning(sb, "ufs_get_block", "block < 0");
17103 +- goto abort;
17104 +-
17105 + abort_too_big:
17106 + ufs_warning(sb, "ufs_get_block", "block > big");
17107 + goto abort;
17108 +diff -Nurp linux-2.6.23.15/fs/utimes.c linux-2.6.23.15-grsec/fs/utimes.c
17109 +--- linux-2.6.23.15/fs/utimes.c 2007-10-09 21:31:38.000000000 +0100
17110 ++++ linux-2.6.23.15-grsec/fs/utimes.c 2008-02-11 10:37:44.000000000 +0000
17111 +@@ -6,6 +6,7 @@
17112 + #include <linux/sched.h>
17113 + #include <linux/stat.h>
17114 + #include <linux/utime.h>
17115 ++#include <linux/grsecurity.h>
17116 + #include <asm/uaccess.h>
17117 + #include <asm/unistd.h>
17118 +
17119 +@@ -47,6 +48,7 @@ long do_utimes(int dfd, char __user *fil
17120 + int error;
17121 + struct nameidata nd;
17122 + struct dentry *dentry;
17123 ++ struct vfsmount *mnt;
17124 + struct inode *inode;
17125 + struct iattr newattrs;
17126 + struct file *f = NULL;
17127 +@@ -65,12 +67,14 @@ long do_utimes(int dfd, char __user *fil
17128 + if (!f)
17129 + goto out;
17130 + dentry = f->f_path.dentry;
17131 ++ mnt = f->f_path.mnt;
17132 + } else {
17133 + error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
17134 + if (error)
17135 + goto out;
17136 +
17137 + dentry = nd.dentry;
17138 ++ mnt = nd.mnt;
17139 + }
17140 +
17141 + inode = dentry->d_inode;
17142 +@@ -117,6 +121,12 @@ long do_utimes(int dfd, char __user *fil
17143 + }
17144 + }
17145 + }
17146 ++
17147 ++ if (!gr_acl_handle_utime(dentry, mnt)) {
17148 ++ error = -EACCES;
17149 ++ goto dput_and_out;
17150 ++ }
17151 ++
17152 + mutex_lock(&inode->i_mutex);
17153 + error = notify_change(dentry, &newattrs);
17154 + mutex_unlock(&inode->i_mutex);
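Review bot: the `dput_and_out` label the new `-EACCES` path jumps to is outside the hunk; confirm it releases whichever reference was taken above (`fput(f)` for the fd case, `path_release(&nd)` for the lookup case), since the `dentry`/`mnt` pair handed to `gr_acl_handle_utime()` is borrowed from those. Placement looks right otherwise: the hook runs after the existing ownership and permission checks and before `i_mutex` is taken, so a denial never leaves the mutex held and the RBAC check can only further restrict what DAC already allowed.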
17155 +diff -Nurp linux-2.6.23.15/fs/xfs/xfs_bmap.c linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c
17156 +--- linux-2.6.23.15/fs/xfs/xfs_bmap.c 2007-10-09 21:31:38.000000000 +0100
17157 ++++ linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c 2008-02-11 10:37:44.000000000 +0000
17158 +@@ -374,7 +374,7 @@ xfs_bmap_validate_ret(
17159 + int nmap,
17160 + int ret_nmap);
17161 + #else
17162 +-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
17163 ++#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
17164 + #endif /* DEBUG */
17165 +
17166 + #if defined(XFS_RW_TRACE)
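Review bot: changing the non-DEBUG definition of `xfs_bmap_validate_ret` from an empty expansion to `do {} while (0)` is the standard idiom so the macro behaves as one statement in `if`/`else` bodies and does not trigger empty-statement warnings; it has nothing to do with grsecurity, so it would be cleaner as a separate build-fix patch, or at least called out in the changelog so it is not lost when the grsec diff is rebased.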
17167 +diff -Nurp linux-2.6.23.15/grsecurity/Kconfig linux-2.6.23.15-grsec/grsecurity/Kconfig
17168 +--- linux-2.6.23.15/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
17169 ++++ linux-2.6.23.15-grsec/grsecurity/Kconfig 2008-02-11 10:37:44.000000000 +0000
17170 +@@ -0,0 +1,873 @@
17171 ++#
17172 ++# grecurity configuration
17173 ++#
17174 ++
17175 ++menu "Grsecurity"
17176 ++
17177 ++config GRKERNSEC
17178 ++ bool "Grsecurity"
17179 ++ select CRYPTO
17180 ++ select CRYPTO_SHA256
17181 ++ help
17182 ++ If you say Y here, you will be able to configure many features
17183 ++ that will enhance the security of your system. It is highly
17184 ++ recommended that you say Y here and read through the help
17185 ++ for each option so that you fully understand the features and
17186 ++ can evaluate their usefulness for your machine.
17187 ++
17188 ++choice
17189 ++ prompt "Security Level"
17190 ++ depends GRKERNSEC
17191 ++ default GRKERNSEC_CUSTOM
17192 ++
17193 ++config GRKERNSEC_LOW
17194 ++ bool "Low"
17195 ++ select GRKERNSEC_LINK
17196 ++ select GRKERNSEC_FIFO
17197 ++ select GRKERNSEC_EXECVE
17198 ++ select GRKERNSEC_RANDNET
17199 ++ select GRKERNSEC_DMESG
17200 ++ select GRKERNSEC_CHROOT_CHDIR
17201 ++ select GRKERNSEC_MODSTOP if (MODULES)
17202 ++
17203 ++ help
17204 ++ If you choose this option, several of the grsecurity options will
17205 ++ be enabled that will give you greater protection against a number
17206 ++ of attacks, while assuring that none of your software will have any
17207 ++ conflicts with the additional security measures. If you run a lot
17208 ++ of unusual software, or you are having problems with the higher
17209 ++ security levels, you should say Y here. With this option, the
17210 ++ following features are enabled:
17211 ++
17212 ++ - Linking restrictions
17213 ++ - FIFO restrictions
17214 ++ - Enforcing RLIMIT_NPROC on execve
17215 ++ - Restricted dmesg
17216 ++ - Enforced chdir("/") on chroot
17217 ++ - Runtime module disabling
17218 ++
17219 ++config GRKERNSEC_MEDIUM
17220 ++ bool "Medium"
17221 ++ select PAX
17222 ++ select PAX_EI_PAX
17223 ++ select PAX_PT_PAX_FLAGS
17224 ++ select PAX_HAVE_ACL_FLAGS
17225 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
17226 ++ select GRKERNSEC_CHROOT_SYSCTL
17227 ++ select GRKERNSEC_LINK
17228 ++ select GRKERNSEC_FIFO
17229 ++ select GRKERNSEC_EXECVE
17230 ++ select GRKERNSEC_DMESG
17231 ++ select GRKERNSEC_RANDNET
17232 ++ select GRKERNSEC_FORKFAIL
17233 ++ select GRKERNSEC_TIME
17234 ++ select GRKERNSEC_SIGNAL
17235 ++ select GRKERNSEC_CHROOT
17236 ++ select GRKERNSEC_CHROOT_UNIX
17237 ++ select GRKERNSEC_CHROOT_MOUNT
17238 ++ select GRKERNSEC_CHROOT_PIVOT
17239 ++ select GRKERNSEC_CHROOT_DOUBLE
17240 ++ select GRKERNSEC_CHROOT_CHDIR
17241 ++ select GRKERNSEC_CHROOT_MKNOD
17242 ++ select GRKERNSEC_PROC
17243 ++ select GRKERNSEC_PROC_USERGROUP
17244 ++ select GRKERNSEC_MODSTOP if (MODULES)
17245 ++ select PAX_RANDUSTACK
17246 ++ select PAX_ASLR
17247 ++ select PAX_RANDMMAP
17248 ++
17249 ++ help
17250 ++ If you say Y here, several features in addition to those included
17251 ++ in the low additional security level will be enabled. These
17252 ++ features provide even more security to your system, though in rare
17253 ++ cases they may be incompatible with very old or poorly written
17254 ++ software. If you enable this option, make sure that your auth
17255 ++ service (identd) is running as gid 1001. With this option,
17256 ++ the following features (in addition to those provided in the
17257 ++ low additional security level) will be enabled:
17258 ++
17259 ++ - Randomized TCP source ports
17260 ++ - Failed fork logging
17261 ++ - Time change logging
17262 ++ - Signal logging
17263 ++ - Deny mounts in chroot
17264 ++ - Deny double chrooting
17265 ++ - Deny sysctl writes in chroot
17266 ++ - Deny mknod in chroot
17267 ++ - Deny access to abstract AF_UNIX sockets out of chroot
17268 ++ - Deny pivot_root in chroot
17269 ++ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
17270 ++ - /proc restrictions with special GID set to 10 (usually wheel)
17271 ++ - Address Space Layout Randomization (ASLR)
17272 ++
17273 ++config GRKERNSEC_HIGH
17274 ++ bool "High"
17275 ++ select GRKERNSEC_LINK
17276 ++ select GRKERNSEC_FIFO
17277 ++ select GRKERNSEC_EXECVE
17278 ++ select GRKERNSEC_DMESG
17279 ++ select GRKERNSEC_FORKFAIL
17280 ++ select GRKERNSEC_TIME
17281 ++ select GRKERNSEC_SIGNAL
17282 ++ select GRKERNSEC_CHROOT_SHMAT
17283 ++ select GRKERNSEC_CHROOT_UNIX
17284 ++ select GRKERNSEC_CHROOT_MOUNT
17285 ++ select GRKERNSEC_CHROOT_FCHDIR
17286 ++ select GRKERNSEC_CHROOT_PIVOT
17287 ++ select GRKERNSEC_CHROOT_DOUBLE
17288 ++ select GRKERNSEC_CHROOT_CHDIR
17289 ++ select GRKERNSEC_CHROOT_MKNOD
17290 ++ select GRKERNSEC_CHROOT_CAPS
17291 ++ select GRKERNSEC_CHROOT_SYSCTL
17292 ++ select GRKERNSEC_CHROOT_FINDTASK
17293 ++ select GRKERNSEC_PROC
17294 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
17295 ++ select GRKERNSEC_HIDESYM
17296 ++ select GRKERNSEC_BRUTE
17297 ++ select GRKERNSEC_SHM if (SYSVIPC)
17298 ++ select GRKERNSEC_PROC_USERGROUP
17299 ++ select GRKERNSEC_KMEM
17300 ++ select GRKERNSEC_RESLOG
17301 ++ select GRKERNSEC_RANDNET
17302 ++ select GRKERNSEC_PROC_ADD
17303 ++ select GRKERNSEC_CHROOT_CHMOD
17304 ++ select GRKERNSEC_CHROOT_NICE
17305 ++ select GRKERNSEC_AUDIT_MOUNT
17306 ++ select GRKERNSEC_MODSTOP if (MODULES)
17307 ++ select PAX
17308 ++ select PAX_RANDUSTACK
17309 ++ select PAX_ASLR
17310 ++ select PAX_RANDMMAP
17311 ++ select PAX_NOEXEC
17312 ++ select PAX_MPROTECT
17313 ++ select PAX_EI_PAX
17314 ++ select PAX_PT_PAX_FLAGS
17315 ++ select PAX_HAVE_ACL_FLAGS
17316 ++ select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
17317 ++ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
17318 ++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
17319 ++ select PAX_SEGMEXEC if (X86 && !X86_64)
17320 ++ select PAX_PAGEEXEC if (!X86)
17321 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
17322 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
17323 ++ select PAX_SYSCALL if (PPC32)
17324 ++ select PAX_EMUTRAMP if (PARISC)
17325 ++ select PAX_EMUSIGRT if (PARISC)
17326 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
17327 ++ help
17328 ++ If you say Y here, many of the features of grsecurity will be
17329 ++ enabled, which will protect you against many kinds of attacks
17330 ++ against your system. The heightened security comes at a cost
17331 ++ of an increased chance of incompatibilities with rare software
17332 ++ on your machine. Since this security level enables PaX, you should
17333 ++ view <http://pax.grsecurity.net> and read about the PaX
17334 ++ project. While you are there, download chpax and run it on
17335 ++ binaries that cause problems with PaX. Also remember that
17336 ++ since the /proc restrictions are enabled, you must run your
17337 ++ identd as gid 1001. This security level enables the following
17338 ++ features in addition to those listed in the low and medium
17339 ++ security levels:
17340 ++
17341 ++ - Additional /proc restrictions
17342 ++ - Chmod restrictions in chroot
17343 ++ - No signals, ptrace, or viewing of processes outside of chroot
17344 ++ - Capability restrictions in chroot
17345 ++ - Deny fchdir out of chroot
17346 ++ - Priority restrictions in chroot
17347 ++ - Segmentation-based implementation of PaX
17348 ++ - Mprotect restrictions
17349 ++ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
17350 ++ - Kernel stack randomization
17351 ++ - Mount/unmount/remount logging
17352 ++ - Kernel symbol hiding
17353 ++ - Destroy unused shared memory
17354 ++ - Prevention of memory exhaustion-based exploits
17355 ++config GRKERNSEC_CUSTOM
17356 ++ bool "Custom"
17357 ++ help
17358 ++ If you say Y here, you will be able to configure every grsecurity
17359 ++ option, which allows you to enable many more features that aren't
17360 ++ covered in the basic security levels. These additional features
17361 ++ include TPE, socket restrictions, and the sysctl system for
17362 ++ grsecurity. It is advised that you read through the help for
17363 ++ each option to determine its usefulness in your situation.
17364 ++
17365 ++endchoice
17366 ++
17367 ++menu "Address Space Protection"
17368 ++depends on GRKERNSEC
17369 ++
17370 ++config GRKERNSEC_KMEM
17371 ++ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
17372 ++ help
17373 ++ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
17374 ++ be written to via mmap or otherwise to modify the running kernel.
17375 ++ /dev/port will also not be allowed to be opened. If you have module
17376 ++ support disabled, enabling this will close up four ways that are
17377 ++ currently used to insert malicious code into the running kernel.
17378 ++ Even with all these features enabled, we still highly recommend that
17379 ++ you use the RBAC system, as it is still possible for an attacker to
17380 ++ modify the running kernel through privileged I/O granted by ioperm/iopl.
17381 ++ If you are not using XFree86, you may be able to stop this additional
17382 ++ case by enabling the 'Disable privileged I/O' option. Though nothing
17383 ++ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
17384 ++ but only to video memory, which is the only writing we allow in this
17385 ++ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
17386 ++ not be allowed to mprotect it with PROT_WRITE later.
17387 ++ It is highly recommended that you say Y here if you meet all the
17388 ++ conditions above.
17389 ++
17390 ++config GRKERNSEC_IO
17391 ++ bool "Disable privileged I/O"
17392 ++ depends on X86
17393 ++ select RTC
17394 ++ help
17395 ++ If you say Y here, all ioperm and iopl calls will return an error.
17396 ++ Ioperm and iopl can be used to modify the running kernel.
17397 ++ Unfortunately, some programs need this access to operate properly,
17398 ++ the most notable of which are XFree86 and hwclock. hwclock can be
17399 ++ remedied by having RTC support in the kernel, so CONFIG_RTC is
17400 ++ enabled if this option is enabled, to ensure that hwclock operates
17401 ++ correctly. XFree86 still will not operate correctly with this option
17402 ++ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
17403 ++ and you still want to protect your kernel against modification,
17404 ++ use the RBAC system.
17405 ++
17406 ++config GRKERNSEC_PROC_MEMMAP
17407 ++ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
17408 ++ depends on PAX_NOEXEC || PAX_ASLR
17409 ++ help
17410 ++ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
17411 ++ give no information about the addresses of its mappings if
17412 ++ PaX features that rely on random addresses are enabled on the task.
17413 ++ If you use PaX it is greatly recommended that you say Y here as it
17414 ++ closes up a hole that makes the full ASLR useless for suid
17415 ++ binaries.
17416 ++
17417 ++config GRKERNSEC_BRUTE
17418 ++ bool "Deter exploit bruteforcing"
17419 ++ help
17420 ++ If you say Y here, attempts to bruteforce exploits against forking
17421 ++ daemons such as apache or sshd will be deterred. When a child of a
17422 ++ forking daemon is killed by PaX or crashes due to an illegal
17423 ++ instruction, the parent process will be delayed 30 seconds upon every
17424 ++ subsequent fork until the administrator is able to assess the
17425 ++ situation and restart the daemon. It is recommended that you also
17426 ++ enable signal logging in the auditing section so that logs are
17427 ++ generated when a process performs an illegal instruction.
17428 ++
17429 ++config GRKERNSEC_MODSTOP
17430 ++ bool "Runtime module disabling"
17431 ++ depends on MODULES
17432 ++ help
17433 ++ If you say Y here, you will be able to disable the ability to (un)load
17434 ++ modules at runtime. This feature is useful if you need the ability
17435 ++ to load kernel modules at boot time, but do not want to allow an
17436 ++ attacker to load a rootkit kernel module into the system, or to remove
17437 ++ a loaded kernel module important to system functioning. You should
17438 ++ enable the /dev/mem protection feature as well, since rootkits can be
17439 ++ inserted into the kernel via other methods than kernel modules. Since
17440 ++ an untrusted module could still be loaded by modifying init scripts and
17441 ++ rebooting the system, it is also recommended that you enable the RBAC
17442 ++ system. If you enable this option, a sysctl option with name
17443 ++ "disable_modules" will be created. Setting this option to "1" disables
17444 ++ module loading. After this option is set, no further writes to it are
17445 ++ allowed until the system is rebooted.
17446 ++
17447 ++config GRKERNSEC_HIDESYM
17448 ++ bool "Hide kernel symbols"
17449 ++ help
17450 ++ If you say Y here, getting information on loaded modules, and
17451 ++ displaying all kernel symbols through a syscall will be restricted
17452 ++ to users with CAP_SYS_MODULE. This option is only effective
17453 ++ provided the following conditions are met:
17454 ++ 1) The kernel using grsecurity is not precompiled by some distribution
17455 ++ 2) You are using the RBAC system and hiding other files such as your
17456 ++ kernel image and System.map
17457 ++ 3) You have the additional /proc restrictions enabled, which removes
17458 ++ /proc/kcore
17459 ++ If the above conditions are met, this option will aid to provide a
17460 ++ useful protection against local and remote kernel exploitation of
17461 ++ overflows and arbitrary read/write vulnerabilities.
17462 ++
17463 ++endmenu
17464 ++menu "Role Based Access Control Options"
17465 ++depends on GRKERNSEC
17466 ++
17467 ++config GRKERNSEC_ACL_HIDEKERN
17468 ++ bool "Hide kernel processes"
17469 ++ help
17470 ++ If you say Y here, all kernel threads will be hidden to all
17471 ++ processes but those whose subject has the "view hidden processes"
17472 ++ flag.
17473 ++
17474 ++config GRKERNSEC_ACL_MAXTRIES
17475 ++ int "Maximum tries before password lockout"
17476 ++ default 3
17477 ++ help
17478 ++ This option enforces the maximum number of times a user can attempt
17479 ++ to authorize themselves with the grsecurity RBAC system before being
17480 ++ denied the ability to attempt authorization again for a specified time.
17481 ++ The lower the number, the harder it will be to brute-force a password.
17482 ++
17483 ++config GRKERNSEC_ACL_TIMEOUT
17484 ++ int "Time to wait after max password tries, in seconds"
17485 ++ default 30
17486 ++ help
17487 ++ This option specifies the time the user must wait after attempting to
17488 ++ authorize to the RBAC system with the maximum number of invalid
17489 ++ passwords. The higher the number, the harder it will be to brute-force
17490 ++ a password.
17491 ++
17492 ++endmenu
17493 ++menu "Filesystem Protections"
17494 ++depends on GRKERNSEC
17495 ++
17496 ++config GRKERNSEC_PROC
17497 ++ bool "Proc restrictions"
17498 ++ help
17499 ++ If you say Y here, the permissions of the /proc filesystem
17500 ++ will be altered to enhance system security and privacy. You MUST
17501 ++ choose either a user only restriction or a user and group restriction.
17502 ++ Depending upon the option you choose, you can either restrict users to
17503 ++ see only the processes they themselves run, or choose a group that can
17504 ++ view all processes and files normally restricted to root if you choose
17505 ++ the "restrict to user only" option. NOTE: If you're running identd as
17506 ++ a non-root user, you will have to run it as the group you specify here.
17507 ++
17508 ++config GRKERNSEC_PROC_USER
17509 ++ bool "Restrict /proc to user only"
17510 ++ depends on GRKERNSEC_PROC
17511 ++ help
17512 ++ If you say Y here, non-root users will only be able to view their own
17513 ++ processes, and restricts them from viewing network-related information,
17514 ++ and viewing kernel symbol and module information.
17515 ++
17516 ++config GRKERNSEC_PROC_USERGROUP
17517 ++ bool "Allow special group"
17518 ++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
17519 ++ help
17520 ++ If you say Y here, you will be able to select a group that will be
17521 ++ able to view all processes, network-related information, and
17522 ++ kernel and symbol information. This option is useful if you want
17523 ++ to run identd as a non-root user.
17524 ++
17525 ++config GRKERNSEC_PROC_GID
17526 ++ int "GID for special group"
17527 ++ depends on GRKERNSEC_PROC_USERGROUP
17528 ++ default 1001
17529 ++
17530 ++config GRKERNSEC_PROC_ADD
17531 ++ bool "Additional restrictions"
17532 ++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
17533 ++ help
17534 ++ If you say Y here, additional restrictions will be placed on
17535 ++ /proc that keep normal users from viewing device information and
17536 ++ slabinfo information that could be useful for exploits.
17537 ++
17538 ++config GRKERNSEC_LINK
17539 ++ bool "Linking restrictions"
17540 ++ help
17541 ++ If you say Y here, /tmp race exploits will be prevented, since users
17542 ++ will no longer be able to follow symlinks owned by other users in
17543 ++ world-writable +t directories (i.e. /tmp), unless the owner of the
17544 ++ symlink is the owner of the directory. users will also not be
17545 ++ able to hardlink to files they do not own. If the sysctl option is
17546 ++ enabled, a sysctl option with name "linking_restrictions" is created.
17547 ++
17548 ++config GRKERNSEC_FIFO
17549 ++ bool "FIFO restrictions"
17550 ++ help
17551 ++ If you say Y here, users will not be able to write to FIFOs they don't
17552 ++ own in world-writable +t directories (i.e. /tmp), unless the owner of
17553 ++ the FIFO is the same owner of the directory it's held in. If the sysctl
17554 ++ option is enabled, a sysctl option with name "fifo_restrictions" is
17555 ++ created.
17556 ++
17557 ++config GRKERNSEC_CHROOT
17558 ++ bool "Chroot jail restrictions"
17559 ++ help
17560 ++ If you say Y here, you will be able to choose several options that will
17561 ++ make breaking out of a chrooted jail much more difficult. If you
17562 ++ encounter no software incompatibilities with the following options, it
17563 ++ is recommended that you enable each one.
17564 ++
17565 ++config GRKERNSEC_CHROOT_MOUNT
17566 ++ bool "Deny mounts"
17567 ++ depends on GRKERNSEC_CHROOT
17568 ++ help
17569 ++ If you say Y here, processes inside a chroot will not be able to
17570 ++ mount or remount filesystems. If the sysctl option is enabled, a
17571 ++ sysctl option with name "chroot_deny_mount" is created.
17572 ++
17573 ++config GRKERNSEC_CHROOT_DOUBLE
17574 ++ bool "Deny double-chroots"
17575 ++ depends on GRKERNSEC_CHROOT
17576 ++ help
17577 ++ If you say Y here, processes inside a chroot will not be able to chroot
17578 ++ again outside the chroot. This is a widely used method of breaking
17579 ++ out of a chroot jail and should not be allowed. If the sysctl
17580 ++ option is enabled, a sysctl option with name
17581 ++ "chroot_deny_chroot" is created.
17582 ++
17583 ++config GRKERNSEC_CHROOT_PIVOT
17584 ++ bool "Deny pivot_root in chroot"
17585 ++ depends on GRKERNSEC_CHROOT
17586 ++ help
17587 ++ If you say Y here, processes inside a chroot will not be able to use
17588 ++ a function called pivot_root() that was introduced in Linux 2.3.41. It
17589 ++ works similar to chroot in that it changes the root filesystem. This
17590 ++ function could be misused in a chrooted process to attempt to break out
17591 ++ of the chroot, and therefore should not be allowed. If the sysctl
17592 ++ option is enabled, a sysctl option with name "chroot_deny_pivot" is
17593 ++ created.
17594 ++
17595 ++config GRKERNSEC_CHROOT_CHDIR
17596 ++ bool "Enforce chdir(\"/\") on all chroots"
17597 ++ depends on GRKERNSEC_CHROOT
17598 ++ help
17599 ++ If you say Y here, the current working directory of all newly-chrooted
17600 ++ applications will be set to the the root directory of the chroot.
17601 ++ The man page on chroot(2) states:
17602 ++ Note that this call does not change the current working
17603 ++ directory, so that `.' can be outside the tree rooted at
17604 ++ `/'. In particular, the super-user can escape from a
17605 ++ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
17606 ++
17607 ++ It is recommended that you say Y here, since it's not known to break
17608 ++ any software. If the sysctl option is enabled, a sysctl option with
17609 ++ name "chroot_enforce_chdir" is created.
17610 ++
17611 ++config GRKERNSEC_CHROOT_CHMOD
17612 ++ bool "Deny (f)chmod +s"
17613 ++ depends on GRKERNSEC_CHROOT
17614 ++ help
17615 ++ If you say Y here, processes inside a chroot will not be able to chmod
17616 ++ or fchmod files to make them have suid or sgid bits. This protects
17617 ++ against another published method of breaking a chroot. If the sysctl
17618 ++ option is enabled, a sysctl option with name "chroot_deny_chmod" is
17619 ++ created.
17620 ++
17621 ++config GRKERNSEC_CHROOT_FCHDIR
17622 ++ bool "Deny fchdir out of chroot"
17623 ++ depends on GRKERNSEC_CHROOT
17624 ++ help
17625 ++ If you say Y here, a well-known method of breaking chroots by fchdir'ing
17626 ++ to a file descriptor of the chrooting process that points to a directory
17627 ++ outside the filesystem will be stopped. If the sysctl option
17628 ++ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
17629 ++
17630 ++config GRKERNSEC_CHROOT_MKNOD
17631 ++ bool "Deny mknod"
17632 ++ depends on GRKERNSEC_CHROOT
17633 ++ help
17634 ++ If you say Y here, processes inside a chroot will not be allowed to
17635 ++ mknod. The problem with using mknod inside a chroot is that it
17636 ++ would allow an attacker to create a device entry that is the same
17637 ++ as one on the physical root of your system, which could range from
17638 ++ anything from the console device to a device for your harddrive (which
17639 ++ they could then use to wipe the drive or steal data). It is recommended
17640 ++ that you say Y here, unless you run into software incompatibilities.
17641 ++ If the sysctl option is enabled, a sysctl option with name
17642 ++ "chroot_deny_mknod" is created.
17643 ++
17644 ++config GRKERNSEC_CHROOT_SHMAT
17645 ++ bool "Deny shmat() out of chroot"
17646 ++ depends on GRKERNSEC_CHROOT
17647 ++ help
17648 ++ If you say Y here, processes inside a chroot will not be able to attach
17649 ++ to shared memory segments that were created outside of the chroot jail.
17650 ++ It is recommended that you say Y here. If the sysctl option is enabled,
17651 ++ a sysctl option with name "chroot_deny_shmat" is created.
17652 ++
17653 ++config GRKERNSEC_CHROOT_UNIX
17654 ++ bool "Deny access to abstract AF_UNIX sockets out of chroot"
17655 ++ depends on GRKERNSEC_CHROOT
17656 ++ help
17657 ++ If you say Y here, processes inside a chroot will not be able to
17658 ++ connect to abstract (meaning not belonging to a filesystem) Unix
17659 ++ domain sockets that were bound outside of a chroot. It is recommended
17660 ++ that you say Y here. If the sysctl option is enabled, a sysctl option
17661 ++ with name "chroot_deny_unix" is created.
17662 ++
17663 ++config GRKERNSEC_CHROOT_FINDTASK
17664 ++ bool "Protect outside processes"
17665 ++ depends on GRKERNSEC_CHROOT
17666 ++ help
17667 ++ If you say Y here, processes inside a chroot will not be able to
17668 ++ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
17669 ++ or view any process outside of the chroot. If the sysctl
17670 ++ option is enabled, a sysctl option with name "chroot_findtask" is
17671 ++ created.
17672 ++
17673 ++config GRKERNSEC_CHROOT_NICE
17674 ++ bool "Restrict priority changes"
17675 ++ depends on GRKERNSEC_CHROOT
17676 ++ help
17677 ++ If you say Y here, processes inside a chroot will not be able to raise
17678 ++ the priority of processes in the chroot, or alter the priority of
17679 ++ processes outside the chroot. This provides more security than simply
17680 ++ removing CAP_SYS_NICE from the process' capability set. If the
17681 ++ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
17682 ++ is created.
17683 ++
17684 ++config GRKERNSEC_CHROOT_SYSCTL
17685 ++ bool "Deny sysctl writes"
17686 ++ depends on GRKERNSEC_CHROOT
17687 ++ help
17688 ++ If you say Y here, an attacker in a chroot will not be able to
17689 ++ write to sysctl entries, either by sysctl(2) or through a /proc
17690 ++ interface. It is strongly recommended that you say Y here. If the
17691 ++ sysctl option is enabled, a sysctl option with name
17692 ++ "chroot_deny_sysctl" is created.
17693 ++
17694 ++config GRKERNSEC_CHROOT_CAPS
17695 ++ bool "Capability restrictions"
17696 ++ depends on GRKERNSEC_CHROOT
17697 ++ help
17698 ++ If you say Y here, the capabilities on all root processes within a
17699 ++ chroot jail will be lowered to stop module insertion, raw i/o,
17700 ++ system and net admin tasks, rebooting the system, modifying immutable
17701 ++ files, modifying IPC owned by another, and changing the system time.
17702 ++ This is left an option because it can break some apps. Disable this
17703 ++ if your chrooted apps are having problems performing those kinds of
17704 ++ tasks. If the sysctl option is enabled, a sysctl option with
17705 ++ name "chroot_caps" is created.
17706 ++
17707 ++endmenu
17708 ++menu "Kernel Auditing"
17709 ++depends on GRKERNSEC
17710 ++
17711 ++config GRKERNSEC_AUDIT_GROUP
17712 ++ bool "Single group for auditing"
17713 ++ help
17714 ++ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
17715 ++ will only operate on a group you specify. This option is recommended
17716 ++ if you only want to watch certain users instead of having a large
17717 ++ amount of logs from the entire system. If the sysctl option is enabled,
17718 ++ a sysctl option with name "audit_group" is created.
17719 ++
17720 ++config GRKERNSEC_AUDIT_GID
17721 ++ int "GID for auditing"
17722 ++ depends on GRKERNSEC_AUDIT_GROUP
17723 ++ default 1007
17724 ++
17725 ++config GRKERNSEC_EXECLOG
17726 ++ bool "Exec logging"
17727 ++ help
17728 ++ If you say Y here, all execve() calls will be logged (since the
17729 ++ other exec*() calls are frontends to execve(), all execution
17730 ++ will be logged). Useful for shell-servers that like to keep track
17731 ++ of their users. If the sysctl option is enabled, a sysctl option with
17732 ++ name "exec_logging" is created.
17733 ++ WARNING: This option when enabled will produce a LOT of logs, especially
17734 ++ on an active system.
17735 ++
17736 ++config GRKERNSEC_RESLOG
17737 ++ bool "Resource logging"
17738 ++ help
17739 ++ If you say Y here, all attempts to overstep resource limits will
17740 ++ be logged with the resource name, the requested size, and the current
17741 ++ limit. It is highly recommended that you say Y here. If the sysctl
17742 ++ option is enabled, a sysctl option with name "resource_logging" is
17743 ++ created. If the RBAC system is enabled, the sysctl value is ignored.
17744 ++
17745 ++config GRKERNSEC_CHROOT_EXECLOG
17746 ++ bool "Log execs within chroot"
17747 ++ help
17748 ++ If you say Y here, all executions inside a chroot jail will be logged
17749 ++ to syslog. This can cause a large amount of logs if certain
17750 ++ applications (eg. djb's daemontools) are installed on the system, and
17751 ++ is therefore left as an option. If the sysctl option is enabled, a
17752 ++ sysctl option with name "chroot_execlog" is created.
17753 ++
17754 ++config GRKERNSEC_AUDIT_CHDIR
17755 ++ bool "Chdir logging"
17756 ++ help
17757 ++ If you say Y here, all chdir() calls will be logged. If the sysctl
17758 ++ option is enabled, a sysctl option with name "audit_chdir" is created.
17759 ++
17760 ++config GRKERNSEC_AUDIT_MOUNT
17761 ++ bool "(Un)Mount logging"
17762 ++ help
17763 ++ If you say Y here, all mounts and unmounts will be logged. If the
17764 ++ sysctl option is enabled, a sysctl option with name "audit_mount" is
17765 ++ created.
17766 ++
17767 ++config GRKERNSEC_AUDIT_IPC
17768 ++ bool "IPC logging"
17769 ++ help
17770 ++ If you say Y here, creation and removal of message queues, semaphores,
17771 ++ and shared memory will be logged. If the sysctl option is enabled, a
17772 ++ sysctl option with name "audit_ipc" is created.
17773 ++
17774 ++config GRKERNSEC_SIGNAL
17775 ++ bool "Signal logging"
17776 ++ help
17777 ++ If you say Y here, certain important signals will be logged, such as
17778 ++ SIGSEGV, which will as a result inform you of when a error in a program
17779 ++ occurred, which in some cases could mean a possible exploit attempt.
17780 ++ If the sysctl option is enabled, a sysctl option with name
17781 ++ "signal_logging" is created.
17782 ++
17783 ++config GRKERNSEC_FORKFAIL
17784 ++ bool "Fork failure logging"
17785 ++ help
17786 ++ If you say Y here, all failed fork() attempts will be logged.
17787 ++ This could suggest a fork bomb, or someone attempting to overstep
17788 ++ their process limit. If the sysctl option is enabled, a sysctl option
17789 ++ with name "forkfail_logging" is created.
17790 ++
17791 ++config GRKERNSEC_TIME
17792 ++ bool "Time change logging"
17793 ++ help
17794 ++ If you say Y here, any changes of the system clock will be logged.
17795 ++ If the sysctl option is enabled, a sysctl option with name
17796 ++ "timechange_logging" is created.
17797 ++
17798 ++config GRKERNSEC_PROC_IPADDR
17799 ++ bool "/proc/<pid>/ipaddr support"
17800 ++ help
17801 ++ If you say Y here, a new entry will be added to each /proc/<pid>
17802 ++ directory that contains the IP address of the person using the task.
17803 ++ The IP is carried across local TCP and AF_UNIX stream sockets.
17804 ++ This information can be useful for IDS/IPSes to perform remote response
17805 ++ to a local attack. The entry is readable by only the owner of the
17806 ++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
17807 ++ the RBAC system), and thus does not create privacy concerns.
17808 ++
17809 ++config GRKERNSEC_AUDIT_TEXTREL
17810 ++ bool 'ELF text relocations logging (READ HELP)'
17811 ++ depends on PAX_MPROTECT
17812 ++ help
17813 ++ If you say Y here, text relocations will be logged with the filename
17814 ++ of the offending library or binary. The purpose of the feature is
17815 ++ to help Linux distribution developers get rid of libraries and
17816 ++ binaries that need text relocations which hinder the future progress
17817 ++ of PaX. Only Linux distribution developers should say Y here, and
17818 ++ never on a production machine, as this option creates an information
17819 ++ leak that could aid an attacker in defeating the randomization of
17820 ++ a single memory region. If the sysctl option is enabled, a sysctl
17821 ++ option with name "audit_textrel" is created.
17822 ++
17823 ++endmenu
17824 ++
17825 ++menu "Executable Protections"
17826 ++depends on GRKERNSEC
17827 ++
17828 ++config GRKERNSEC_EXECVE
17829 ++ bool "Enforce RLIMIT_NPROC on execs"
17830 ++ help
17831 ++ If you say Y here, users with a resource limit on processes will
17832 ++ have the value checked during execve() calls. The current system
17833 ++ only checks the system limit during fork() calls. If the sysctl option
17834 ++ is enabled, a sysctl option with name "execve_limiting" is created.
17835 ++
17836 ++config GRKERNSEC_SHM
17837 ++ bool "Destroy unused shared memory"
17838 ++ depends on SYSVIPC
17839 ++ help
17840 ++ If you say Y here, shared memory will be destroyed when no one is
17841 ++ attached to it. Otherwise, resources involved with the shared
17842 ++ memory can be used up and not be associated with any process (as the
17843 ++ shared memory still exists, and the creating process has exited). If
17844 ++ the sysctl option is enabled, a sysctl option with name
17845 ++ "destroy_unused_shm" is created.
17846 ++
17847 ++config GRKERNSEC_DMESG
17848 ++ bool "Dmesg(8) restriction"
17849 ++ help
17850 ++ If you say Y here, non-root users will not be able to use dmesg(8)
17851 ++ to view up to the last 4kb of messages in the kernel's log buffer.
17852 ++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
17853 ++ created.
17854 ++
17855 ++config GRKERNSEC_TPE
17856 ++ bool "Trusted Path Execution (TPE)"
17857 ++ help
17858 ++ If you say Y here, you will be able to choose a gid to add to the
17859 ++ supplementary groups of users you want to mark as "untrusted."
17860 ++ These users will not be able to execute any files that are not in
17861 ++ root-owned directories writable only by root. If the sysctl option
17862 ++ is enabled, a sysctl option with name "tpe" is created.
17863 ++
17864 ++config GRKERNSEC_TPE_ALL
17865 ++ bool "Partially restrict non-root users"
17866 ++ depends on GRKERNSEC_TPE
17867 ++ help
17868 ++ If you say Y here, All non-root users other than the ones in the
17869 ++ group specified in the main TPE option will only be allowed to
17870 ++ execute files in directories they own that are not group or
17871 ++ world-writable, or in directories owned by root and writable only by
17872 ++ root. If the sysctl option is enabled, a sysctl option with name
17873 ++ "tpe_restrict_all" is created.
17874 ++
17875 ++config GRKERNSEC_TPE_INVERT
17876 ++ bool "Invert GID option"
17877 ++ depends on GRKERNSEC_TPE
17878 ++ help
17879 ++ If you say Y here, the group you specify in the TPE configuration will
17880 ++ decide what group TPE restrictions will be *disabled* for. This
17881 ++ option is useful if you want TPE restrictions to be applied to most
17882 ++ users on the system.
17883 ++
17884 ++config GRKERNSEC_TPE_GID
17885 ++ int "GID for untrusted users"
17886 ++ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
17887 ++ default 1005
17888 ++ help
17889 ++ If you have selected the "Invert GID option" above, setting this
17890 ++ GID determines what group TPE restrictions will be *disabled* for.
17891 ++ If you have not selected the "Invert GID option" above, setting this
17892 ++ GID determines what group TPE restrictions will be *enabled* for.
17893 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17894 ++ is created.
17895 ++
17896 ++config GRKERNSEC_TPE_GID
17897 ++ int "GID for trusted users"
17898 ++ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
17899 ++ default 1005
17900 ++ help
17901 ++ If you have selected the "Invert GID option" above, setting this
17902 ++ GID determines what group TPE restrictions will be *disabled* for.
17903 ++ If you have not selected the "Invert GID option" above, setting this
17904 ++ GID determines what group TPE restrictions will be *enabled* for.
17905 ++ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
17906 ++ is created.
17907 ++
17908 ++endmenu
17909 ++menu "Network Protections"
17910 ++depends on GRKERNSEC
17911 ++
17912 ++config GRKERNSEC_RANDNET
17913 ++ bool "Larger entropy pools"
17914 ++ help
17915 ++ If you say Y here, the entropy pools used for many features of Linux
17916 ++ and grsecurity will be doubled in size. Since several grsecurity
17917 ++ features use additional randomness, it is recommended that you say Y
17918 ++ here. Saying Y here has a similar effect as modifying
17919 ++ /proc/sys/kernel/random/poolsize.
17920 ++
17921 ++config GRKERNSEC_SOCKET
17922 ++ bool "Socket restrictions"
17923 ++ help
17924 ++ If you say Y here, you will be able to choose from several options.
17925 ++ If you assign a GID on your system and add it to the supplementary
17926 ++ groups of users you want to restrict socket access to, this patch
17927 ++ will perform up to three things, based on the option(s) you choose.
17928 ++
17929 ++config GRKERNSEC_SOCKET_ALL
17930 ++ bool "Deny any sockets to group"
17931 ++ depends on GRKERNSEC_SOCKET
17932 ++ help
17933 ++ If you say Y here, you will be able to choose a GID of whose users will
17934 ++ be unable to connect to other hosts from your machine or run server
17935 ++ applications from your machine. If the sysctl option is enabled, a
17936 ++ sysctl option with name "socket_all" is created.
17937 ++
17938 ++config GRKERNSEC_SOCKET_ALL_GID
17939 ++ int "GID to deny all sockets for"
17940 ++ depends on GRKERNSEC_SOCKET_ALL
17941 ++ default 1004
17942 ++ help
17943 ++ Here you can choose the GID to disable socket access for. Remember to
17944 ++ add the users you want socket access disabled for to the GID
17945 ++ specified here. If the sysctl option is enabled, a sysctl option
17946 ++ with name "socket_all_gid" is created.
17947 ++
17948 ++config GRKERNSEC_SOCKET_CLIENT
17949 ++ bool "Deny client sockets to group"
17950 ++ depends on GRKERNSEC_SOCKET
17951 ++ help
17952 ++ If you say Y here, you will be able to choose a GID of whose users will
17953 ++ be unable to connect to other hosts from your machine, but will be
17954 ++ able to run servers. If this option is enabled, all users in the group
17955 ++ you specify will have to use passive mode when initiating ftp transfers
17956 ++ from the shell on your machine. If the sysctl option is enabled, a
17957 ++ sysctl option with name "socket_client" is created.
17958 ++
17959 ++config GRKERNSEC_SOCKET_CLIENT_GID
17960 ++ int "GID to deny client sockets for"
17961 ++ depends on GRKERNSEC_SOCKET_CLIENT
17962 ++ default 1003
17963 ++ help
17964 ++ Here you can choose the GID to disable client socket access for.
17965 ++ Remember to add the users you want client socket access disabled for to
17966 ++ the GID specified here. If the sysctl option is enabled, a sysctl
17967 ++ option with name "socket_client_gid" is created.
17968 ++
17969 ++config GRKERNSEC_SOCKET_SERVER
17970 ++ bool "Deny server sockets to group"
17971 ++ depends on GRKERNSEC_SOCKET
17972 ++ help
17973 ++ If you say Y here, you will be able to choose a GID of whose users will
17974 ++ be unable to run server applications from your machine. If the sysctl
17975 ++ option is enabled, a sysctl option with name "socket_server" is created.
17976 ++
17977 ++config GRKERNSEC_SOCKET_SERVER_GID
17978 ++ int "GID to deny server sockets for"
17979 ++ depends on GRKERNSEC_SOCKET_SERVER
17980 ++ default 1002
17981 ++ help
17982 ++ Here you can choose the GID to disable server socket access for.
17983 ++ Remember to add the users you want server socket access disabled for to
17984 ++ the GID specified here. If the sysctl option is enabled, a sysctl
17985 ++ option with name "socket_server_gid" is created.
17986 ++
17987 ++endmenu
17988 ++menu "Sysctl support"
17989 ++depends on GRKERNSEC && SYSCTL
17990 ++
17991 ++config GRKERNSEC_SYSCTL
17992 ++ bool "Sysctl support"
17993 ++ help
17994 ++ If you say Y here, you will be able to change the options that
17995 ++ grsecurity runs with at bootup, without having to recompile your
17996 ++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
17997 ++ to enable (1) or disable (0) various features. All the sysctl entries
17998 ++ are mutable until the "grsec_lock" entry is set to a non-zero value.
17999 ++ All features enabled in the kernel configuration are disabled at boot
18000 ++ if you do not say Y to the "Turn on features by default" option.
18001 ++ All options should be set at startup, and the grsec_lock entry should
18002 ++ be set to a non-zero value after all the options are set.
18003 ++ *THIS IS EXTREMELY IMPORTANT*
18004 ++
18005 ++config GRKERNSEC_SYSCTL_ON
18006 ++ bool "Turn on features by default"
18007 ++ depends on GRKERNSEC_SYSCTL
18008 ++ help
18009 ++ If you say Y here, instead of having all features enabled in the
18010 ++ kernel configuration disabled at boot time, the features will be
18011 ++ enabled at boot time. It is recommended you say Y here unless
18012 ++ there is some reason you would want all sysctl-tunable features to
18013 ++ be disabled by default. As mentioned elsewhere, it is important
18014 ++ to enable the grsec_lock entry once you have finished modifying
18015 ++ the sysctl entries.
18016 ++
18017 ++endmenu
18018 ++menu "Logging Options"
18019 ++depends on GRKERNSEC
18020 ++
18021 ++config GRKERNSEC_FLOODTIME
18022 ++ int "Seconds in between log messages (minimum)"
18023 ++ default 10
18024 ++ help
18025 ++ This option allows you to enforce the number of seconds between
18026 ++ grsecurity log messages. The default should be suitable for most
18027 ++ people, however, if you choose to change it, choose a value small enough
18028 ++ to allow informative logs to be produced, but large enough to
18029 ++ prevent flooding.
18030 ++
18031 ++config GRKERNSEC_FLOODBURST
18032 ++ int "Number of messages in a burst (maximum)"
18033 ++ default 4
18034 ++ help
18035 ++ This option allows you to choose the maximum number of messages allowed
18036 ++ within the flood time interval you chose in a separate option. The
18037 ++ default should be suitable for most people, however if you find that
18038 ++ many of your logs are being interpreted as flooding, you may want to
18039 ++ raise this value.
18040 ++
18041 ++endmenu
18042 ++
18043 ++endmenu
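Review bot: the two `config GRKERNSEC_TPE_GID` entries under "Executable Protections" carry an identical six-line help text although their `depends on` clauses (`GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT` versus `GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT`) make exactly one of the two described cases reachable from each; trim each help block to the case its own prompt names ("GID for untrusted users" / "GID for trusted users"), since a reader of the first entry is currently told what happens 'If you have selected the "Invert GID option" above', which cannot hold under that entry's dependency. Splitting one symbol over two definitions is valid Kconfig, but a one-line comment above the pair saying that the split exists only to swap the prompt would spare the next reader from suspecting an accidental duplicate.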
18044 +diff -Nurp linux-2.6.23.15/grsecurity/Makefile linux-2.6.23.15-grsec/grsecurity/Makefile
18045 +--- linux-2.6.23.15/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
18046 ++++ linux-2.6.23.15-grsec/grsecurity/Makefile 2008-02-11 10:37:44.000000000 +0000
18047 +@@ -0,0 +1,20 @@
18048 ++# grsecurity's ACL system was originally written in 2001 by Michael Dalton
18049 ++# during 2001-2005 it has been completely redesigned by Brad Spengler
18050 ++# into an RBAC system
18051 ++#
18052 ++# All code in this directory and various hooks inserted throughout the kernel
18053 ++# are copyright Brad Spengler, and released under the GPL v2 or higher
18054 ++
18055 ++obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
18056 ++ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
18057 ++ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
18058 ++
18059 ++obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
18060 ++ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
18061 ++ gracl_learn.o grsec_log.o
18062 ++obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
18063 ++
18064 ++ifndef CONFIG_GRKERNSEC
18065 ++obj-y += grsec_disabled.o
18066 ++endif
18067 ++
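Review bot: the first `obj-y` list builds every grsec_*.o unconditionally, including objects for features that the Kconfig hunk above gates individually (grsec_tpe.o, grsec_sock.o, grsec_sysctl.o, grsec_textrel.o), while only `gracl_res.o` uses the `obj-$(CONFIG_GRKERNSEC_RESLOG)` form; if these files must always be linked because the kernel hooks reference their symbols regardless of configuration, a comment saying so would help, otherwise gate them per option the way gracl_res.o is. The added empty line at the end of the file is trailing whitespace and can be dropped.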
18068 +diff -Nurp linux-2.6.23.15/grsecurity/gracl.c linux-2.6.23.15-grsec/grsecurity/gracl.c
18069 +--- linux-2.6.23.15/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100
18070 ++++ linux-2.6.23.15-grsec/grsecurity/gracl.c 2008-02-11 10:37:44.000000000 +0000
18071 +@@ -0,0 +1,3722 @@
18072 ++#include <linux/kernel.h>
18073 ++#include <linux/module.h>
18074 ++#include <linux/sched.h>
18075 ++#include <linux/mm.h>
18076 ++#include <linux/file.h>
18077 ++#include <linux/fs.h>
18078 ++#include <linux/namei.h>
18079 ++#include <linux/mount.h>
18080 ++#include <linux/tty.h>
18081 ++#include <linux/proc_fs.h>
18082 ++#include <linux/smp_lock.h>
18083 ++#include <linux/slab.h>
18084 ++#include <linux/vmalloc.h>
18085 ++#include <linux/types.h>
18086 ++#include <linux/capability.h>
18087 ++#include <linux/sysctl.h>
18088 ++#include <linux/netdevice.h>
18089 ++#include <linux/ptrace.h>
18090 ++#include <linux/gracl.h>
18091 ++#include <linux/gralloc.h>
18092 ++#include <linux/grsecurity.h>
18093 ++#include <linux/grinternal.h>
18094 ++#include <linux/pid_namespace.h>
18095 ++#include <linux/percpu.h>
18096 ++
18097 ++#include <asm/uaccess.h>
18098 ++#include <asm/errno.h>
18099 ++#include <asm/mman.h>
18100 ++
18101 ++static struct acl_role_db acl_role_set;
18102 ++static struct name_db name_set;
18103 ++static struct inodev_db inodev_set;
18104 ++
18105 ++/* for keeping track of userspace pointers used for subjects, so we
18106 ++ can share references in the kernel as well
18107 ++*/
18108 ++
18109 ++static struct dentry *real_root;
18110 ++static struct vfsmount *real_root_mnt;
18111 ++
18112 ++static struct acl_subj_map_db subj_map_set;
18113 ++
18114 ++static struct acl_role_label *default_role;
18115 ++
18116 ++static u16 acl_sp_role_value;
18117 ++
18118 ++extern char *gr_shared_page[4];
18119 ++static DECLARE_MUTEX(gr_dev_sem);
18120 ++rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
18121 ++
18122 ++struct gr_arg *gr_usermode;
18123 ++
18124 ++static unsigned int gr_status = GR_STATUS_INIT;
18125 ++
18126 ++extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
18127 ++extern void gr_clear_learn_entries(void);
18128 ++
18129 ++#ifdef CONFIG_GRKERNSEC_RESLOG
18130 ++extern void gr_log_resource(const struct task_struct *task,
18131 ++ const int res, const unsigned long wanted, const int gt);
18132 ++#endif
18133 ++
18134 ++unsigned char *gr_system_salt;
18135 ++unsigned char *gr_system_sum;
18136 ++
18137 ++static struct sprole_pw **acl_special_roles = NULL;
18138 ++static __u16 num_sprole_pws = 0;
18139 ++
18140 ++static struct acl_role_label *kernel_role = NULL;
18141 ++
18142 ++static unsigned int gr_auth_attempts = 0;
18143 ++static unsigned long gr_auth_expires = 0UL;
18144 ++
18145 ++extern struct vfsmount *sock_mnt;
18146 ++extern struct vfsmount *pipe_mnt;
18147 ++extern struct vfsmount *shm_mnt;
18148 ++static struct acl_object_label *fakefs_obj;
18149 ++
18150 ++extern int gr_init_uidset(void);
18151 ++extern void gr_free_uidset(void);
18152 ++extern void gr_remove_uid(uid_t uid);
18153 ++extern int gr_find_uid(uid_t uid);
18154 ++
18155 ++__inline__ int
18156 ++gr_acl_is_enabled(void)
18157 ++{
18158 ++ return (gr_status & GR_READY);
18159 ++}
18160 ++
18161 ++char gr_roletype_to_char(void)
18162 ++{
18163 ++ switch (current->role->roletype &
18164 ++ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
18165 ++ GR_ROLE_SPECIAL)) {
18166 ++ case GR_ROLE_DEFAULT:
18167 ++ return 'D';
18168 ++ case GR_ROLE_USER:
18169 ++ return 'U';
18170 ++ case GR_ROLE_GROUP:
18171 ++ return 'G';
18172 ++ case GR_ROLE_SPECIAL:
18173 ++ return 'S';
18174 ++ }
18175 ++
18176 ++ return 'X';
18177 ++}
18178 ++
18179 ++__inline__ int
18180 ++gr_acl_tpe_check(void)
18181 ++{
18182 ++ if (unlikely(!(gr_status & GR_READY)))
18183 ++ return 0;
18184 ++ if (current->role->roletype & GR_ROLE_TPE)
18185 ++ return 1;
18186 ++ else
18187 ++ return 0;
18188 ++}
18189 ++
18190 ++int
18191 ++gr_handle_rawio(const struct inode *inode)
18192 ++{
18193 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
18194 ++ if (inode && S_ISBLK(inode->i_mode) &&
18195 ++ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
18196 ++ !capable(CAP_SYS_RAWIO))
18197 ++ return 1;
18198 ++#endif
18199 ++ return 0;
18200 ++}
18201 ++
18202 ++static int
18203 ++gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
18204 ++{
18205 ++ int i;
18206 ++ unsigned long *l1;
18207 ++ unsigned long *l2;
18208 ++ unsigned char *c1;
18209 ++ unsigned char *c2;
18210 ++ int num_longs;
18211 ++
18212 ++ if (likely(lena != lenb))
18213 ++ return 0;
18214 ++
18215 ++ l1 = (unsigned long *)a;
18216 ++ l2 = (unsigned long *)b;
18217 ++
18218 ++ num_longs = lena / sizeof(unsigned long);
18219 ++
18220 ++ for (i = num_longs; i--; l1++, l2++) {
18221 ++ if (unlikely(*l1 != *l2))
18222 ++ return 0;
18223 ++ }
18224 ++
18225 ++ c1 = (unsigned char *) l1;
18226 ++ c2 = (unsigned char *) l2;
18227 ++
18228 ++ i = lena - (num_longs * sizeof(unsigned long));
18229 ++
18230 ++ for (; i--; c1++, c2++) {
18231 ++ if (unlikely(*c1 != *c2))
18232 ++ return 0;
18233 ++ }
18234 ++
18235 ++ return 1;
18236 ++}
18237 ++
18238 ++static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18239 ++ struct dentry *root, struct vfsmount *rootmnt,
18240 ++ char *buffer, int buflen)
18241 ++{
18242 ++ char * end = buffer+buflen;
18243 ++ char * retval;
18244 ++ int namelen;
18245 ++
18246 ++ *--end = '\0';
18247 ++ buflen--;
18248 ++
18249 ++ if (buflen < 1)
18250 ++ goto Elong;
18251 ++ /* Get '/' right */
18252 ++ retval = end-1;
18253 ++ *retval = '/';
18254 ++
18255 ++ for (;;) {
18256 ++ struct dentry * parent;
18257 ++
18258 ++ if (dentry == root && vfsmnt == rootmnt)
18259 ++ break;
18260 ++ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
18261 ++ /* Global root? */
18262 ++ spin_lock(&vfsmount_lock);
18263 ++ if (vfsmnt->mnt_parent == vfsmnt) {
18264 ++ spin_unlock(&vfsmount_lock);
18265 ++ goto global_root;
18266 ++ }
18267 ++ dentry = vfsmnt->mnt_mountpoint;
18268 ++ vfsmnt = vfsmnt->mnt_parent;
18269 ++ spin_unlock(&vfsmount_lock);
18270 ++ continue;
18271 ++ }
18272 ++ parent = dentry->d_parent;
18273 ++ prefetch(parent);
18274 ++ namelen = dentry->d_name.len;
18275 ++ buflen -= namelen + 1;
18276 ++ if (buflen < 0)
18277 ++ goto Elong;
18278 ++ end -= namelen;
18279 ++ memcpy(end, dentry->d_name.name, namelen);
18280 ++ *--end = '/';
18281 ++ retval = end;
18282 ++ dentry = parent;
18283 ++ }
18284 ++
18285 ++ return retval;
18286 ++
18287 ++global_root:
18288 ++ namelen = dentry->d_name.len;
18289 ++ buflen -= namelen;
18290 ++ if (buflen < 0)
18291 ++ goto Elong;
18292 ++ retval -= namelen-1; /* hit the slash */
18293 ++ memcpy(retval, dentry->d_name.name, namelen);
18294 ++ return retval;
18295 ++Elong:
18296 ++ return ERR_PTR(-ENAMETOOLONG);
18297 ++}
18298 ++
18299 ++static char *
18300 ++gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
18301 ++ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
18302 ++{
18303 ++ char *retval;
18304 ++
18305 ++ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
18306 ++ if (unlikely(IS_ERR(retval)))
18307 ++ retval = strcpy(buf, "<path too long>");
18308 ++ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
18309 ++ retval[1] = '\0';
18310 ++
18311 ++ return retval;
18312 ++}
18313 ++
18314 ++static char *
18315 ++__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18316 ++ char *buf, int buflen)
18317 ++{
18318 ++ char *res;
18319 ++
18320 ++ /* we can use real_root, real_root_mnt, because this is only called
18321 ++ by the RBAC system */
18322 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
18323 ++
18324 ++ return res;
18325 ++}
18326 ++
18327 ++static char *
18328 ++d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
18329 ++ char *buf, int buflen)
18330 ++{
18331 ++ char *res;
18332 ++ struct dentry *root;
18333 ++ struct vfsmount *rootmnt;
18334 ++ struct task_struct *reaper = child_reaper(current);
18335 ++
18336 ++ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
18337 ++ read_lock(&reaper->fs->lock);
18338 ++ root = dget(reaper->fs->root);
18339 ++ rootmnt = mntget(reaper->fs->rootmnt);
18340 ++ read_unlock(&reaper->fs->lock);
18341 ++
18342 ++ spin_lock(&dcache_lock);
18343 ++ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
18344 ++ spin_unlock(&dcache_lock);
18345 ++
18346 ++ dput(root);
18347 ++ mntput(rootmnt);
18348 ++ return res;
18349 ++}
18350 ++
18351 ++static char *
18352 ++gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
18353 ++{
18354 ++ char *ret;
18355 ++ spin_lock(&dcache_lock);
18356 ++ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18357 ++ PAGE_SIZE);
18358 ++ spin_unlock(&dcache_lock);
18359 ++ return ret;
18360 ++}
18361 ++
18362 ++char *
18363 ++gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
18364 ++{
18365 ++ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
18366 ++ PAGE_SIZE);
18367 ++}
18368 ++
18369 ++char *
18370 ++gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
18371 ++{
18372 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
18373 ++ PAGE_SIZE);
18374 ++}
18375 ++
18376 ++char *
18377 ++gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
18378 ++{
18379 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
18380 ++ PAGE_SIZE);
18381 ++}
18382 ++
18383 ++char *
18384 ++gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
18385 ++{
18386 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
18387 ++ PAGE_SIZE);
18388 ++}
18389 ++
18390 ++char *
18391 ++gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
18392 ++{
18393 ++ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
18394 ++ PAGE_SIZE);
18395 ++}
18396 ++
18397 ++__inline__ __u32
18398 ++to_gr_audit(const __u32 reqmode)
18399 ++{
18400 ++ /* masks off auditable permission flags, then shifts them to create
18401 ++ auditing flags, and adds the special case of append auditing if
18402 ++ we're requesting write */
18403 ++ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
18404 ++}
18405 ++
18406 ++struct acl_subject_label *
18407 ++lookup_subject_map(const struct acl_subject_label *userp)
18408 ++{
18409 ++ unsigned int index = shash(userp, subj_map_set.s_size);
18410 ++ struct subject_map *match;
18411 ++
18412 ++ match = subj_map_set.s_hash[index];
18413 ++
18414 ++ while (match && match->user != userp)
18415 ++ match = match->next;
18416 ++
18417 ++ if (match != NULL)
18418 ++ return match->kernel;
18419 ++ else
18420 ++ return NULL;
18421 ++}
18422 ++
18423 ++static void
18424 ++insert_subj_map_entry(struct subject_map *subjmap)
18425 ++{
18426 ++ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
18427 ++ struct subject_map **curr;
18428 ++
18429 ++ subjmap->prev = NULL;
18430 ++
18431 ++ curr = &subj_map_set.s_hash[index];
18432 ++ if (*curr != NULL)
18433 ++ (*curr)->prev = subjmap;
18434 ++
18435 ++ subjmap->next = *curr;
18436 ++ *curr = subjmap;
18437 ++
18438 ++ return;
18439 ++}
18440 ++
18441 ++static struct acl_role_label *
18442 ++lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
18443 ++ const gid_t gid)
18444 ++{
18445 ++ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
18446 ++ struct acl_role_label *match;
18447 ++ struct role_allowed_ip *ipp;
18448 ++ unsigned int x;
18449 ++
18450 ++ match = acl_role_set.r_hash[index];
18451 ++
18452 ++ while (match) {
18453 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
18454 ++ for (x = 0; x < match->domain_child_num; x++) {
18455 ++ if (match->domain_children[x] == uid)
18456 ++ goto found;
18457 ++ }
18458 ++ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
18459 ++ break;
18460 ++ match = match->next;
18461 ++ }
18462 ++found:
18463 ++ if (match == NULL) {
18464 ++ try_group:
18465 ++ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
18466 ++ match = acl_role_set.r_hash[index];
18467 ++
18468 ++ while (match) {
18469 ++ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
18470 ++ for (x = 0; x < match->domain_child_num; x++) {
18471 ++ if (match->domain_children[x] == gid)
18472 ++ goto found2;
18473 ++ }
18474 ++ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
18475 ++ break;
18476 ++ match = match->next;
18477 ++ }
18478 ++found2:
18479 ++ if (match == NULL)
18480 ++ match = default_role;
18481 ++ if (match->allowed_ips == NULL)
18482 ++ return match;
18483 ++ else {
18484 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
18485 ++ if (likely
18486 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
18487 ++ (ntohl(ipp->addr) & ipp->netmask)))
18488 ++ return match;
18489 ++ }
18490 ++ match = default_role;
18491 ++ }
18492 ++ } else if (match->allowed_ips == NULL) {
18493 ++ return match;
18494 ++ } else {
18495 ++ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
18496 ++ if (likely
18497 ++ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
18498 ++ (ntohl(ipp->addr) & ipp->netmask)))
18499 ++ return match;
18500 ++ }
18501 ++ goto try_group;
18502 ++ }
18503 ++
18504 ++ return match;
18505 ++}
18506 ++
18507 ++struct acl_subject_label *
18508 ++lookup_acl_subj_label(const ino_t ino, const dev_t dev,
18509 ++ const struct acl_role_label *role)
18510 ++{
18511 ++ unsigned int index = fhash(ino, dev, role->subj_hash_size);
18512 ++ struct acl_subject_label *match;
18513 ++
18514 ++ match = role->subj_hash[index];
18515 ++
18516 ++ while (match && (match->inode != ino || match->device != dev ||
18517 ++ (match->mode & GR_DELETED))) {
18518 ++ match = match->next;
18519 ++ }
18520 ++
18521 ++ if (match && !(match->mode & GR_DELETED))
18522 ++ return match;
18523 ++ else
18524 ++ return NULL;
18525 ++}
18526 ++
18527 ++static struct acl_object_label *
18528 ++lookup_acl_obj_label(const ino_t ino, const dev_t dev,
18529 ++ const struct acl_subject_label *subj)
18530 ++{
18531 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
18532 ++ struct acl_object_label *match;
18533 ++
18534 ++ match = subj->obj_hash[index];
18535 ++
18536 ++ while (match && (match->inode != ino || match->device != dev ||
18537 ++ (match->mode & GR_DELETED))) {
18538 ++ match = match->next;
18539 ++ }
18540 ++
18541 ++ if (match && !(match->mode & GR_DELETED))
18542 ++ return match;
18543 ++ else
18544 ++ return NULL;
18545 ++}
18546 ++
18547 ++static struct acl_object_label *
18548 ++lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
18549 ++ const struct acl_subject_label *subj)
18550 ++{
18551 ++ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
18552 ++ struct acl_object_label *match;
18553 ++
18554 ++ match = subj->obj_hash[index];
18555 ++
18556 ++ while (match && (match->inode != ino || match->device != dev ||
18557 ++ !(match->mode & GR_DELETED))) {
18558 ++ match = match->next;
18559 ++ }
18560 ++
18561 ++ if (match && (match->mode & GR_DELETED))
18562 ++ return match;
18563 ++
18564 ++ match = subj->obj_hash[index];
18565 ++
18566 ++ while (match && (match->inode != ino || match->device != dev ||
18567 ++ (match->mode & GR_DELETED))) {
18568 ++ match = match->next;
18569 ++ }
18570 ++
18571 ++ if (match && !(match->mode & GR_DELETED))
18572 ++ return match;
18573 ++ else
18574 ++ return NULL;
18575 ++}
18576 ++
18577 ++static struct name_entry *
18578 ++lookup_name_entry(const char *name)
18579 ++{
18580 ++ unsigned int len = strlen(name);
18581 ++ unsigned int key = full_name_hash(name, len);
18582 ++ unsigned int index = key % name_set.n_size;
18583 ++ struct name_entry *match;
18584 ++
18585 ++ match = name_set.n_hash[index];
18586 ++
18587 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
18588 ++ match = match->next;
18589 ++
18590 ++ return match;
18591 ++}
18592 ++
18593 ++static struct name_entry *
18594 ++lookup_name_entry_create(const char *name)
18595 ++{
18596 ++ unsigned int len = strlen(name);
18597 ++ unsigned int key = full_name_hash(name, len);
18598 ++ unsigned int index = key % name_set.n_size;
18599 ++ struct name_entry *match;
18600 ++
18601 ++ match = name_set.n_hash[index];
18602 ++
18603 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
18604 ++ !match->deleted))
18605 ++ match = match->next;
18606 ++
18607 ++ if (match && match->deleted)
18608 ++ return match;
18609 ++
18610 ++ match = name_set.n_hash[index];
18611 ++
18612 ++ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
18613 ++ match->deleted))
18614 ++ match = match->next;
18615 ++
18616 ++ if (match && !match->deleted)
18617 ++ return match;
18618 ++ else
18619 ++ return NULL;
18620 ++}
18621 ++
18622 ++static struct inodev_entry *
18623 ++lookup_inodev_entry(const ino_t ino, const dev_t dev)
18624 ++{
18625 ++ unsigned int index = fhash(ino, dev, inodev_set.i_size);
18626 ++ struct inodev_entry *match;
18627 ++
18628 ++ match = inodev_set.i_hash[index];
18629 ++
18630 ++ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
18631 ++ match = match->next;
18632 ++
18633 ++ return match;
18634 ++}
18635 ++
18636 ++static void
18637 ++insert_inodev_entry(struct inodev_entry *entry)
18638 ++{
18639 ++ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
18640 ++ inodev_set.i_size);
18641 ++ struct inodev_entry **curr;
18642 ++
18643 ++ entry->prev = NULL;
18644 ++
18645 ++ curr = &inodev_set.i_hash[index];
18646 ++ if (*curr != NULL)
18647 ++ (*curr)->prev = entry;
18648 ++
18649 ++ entry->next = *curr;
18650 ++ *curr = entry;
18651 ++
18652 ++ return;
18653 ++}
18654 ++
18655 ++static void
18656 ++__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
18657 ++{
18658 ++ unsigned int index =
18659 ++ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
18660 ++ struct acl_role_label **curr;
18661 ++
18662 ++ role->prev = NULL;
18663 ++
18664 ++ curr = &acl_role_set.r_hash[index];
18665 ++ if (*curr != NULL)
18666 ++ (*curr)->prev = role;
18667 ++
18668 ++ role->next = *curr;
18669 ++ *curr = role;
18670 ++
18671 ++ return;
18672 ++}
18673 ++
18674 ++static void
18675 ++insert_acl_role_label(struct acl_role_label *role)
18676 ++{
18677 ++ int i;
18678 ++
18679 ++ if (role->roletype & GR_ROLE_DOMAIN) {
18680 ++ for (i = 0; i < role->domain_child_num; i++)
18681 ++ __insert_acl_role_label(role, role->domain_children[i]);
18682 ++ } else
18683 ++ __insert_acl_role_label(role, role->uidgid);
18684 ++}
18685 ++
18686 ++static int
18687 ++insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
18688 ++{
18689 ++ struct name_entry **curr, *nentry;
18690 ++ struct inodev_entry *ientry;
18691 ++ unsigned int len = strlen(name);
18692 ++ unsigned int key = full_name_hash(name, len);
18693 ++ unsigned int index = key % name_set.n_size;
18694 ++
18695 ++ curr = &name_set.n_hash[index];
18696 ++
18697 ++ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
18698 ++ curr = &((*curr)->next);
18699 ++
18700 ++ if (*curr != NULL)
18701 ++ return 1;
18702 ++
18703 ++ nentry = acl_alloc(sizeof (struct name_entry));
18704 ++ if (nentry == NULL)
18705 ++ return 0;
18706 ++ ientry = acl_alloc(sizeof (struct inodev_entry));
18707 ++ if (ientry == NULL)
18708 ++ return 0;
18709 ++ ientry->nentry = nentry;
18710 ++
18711 ++ nentry->key = key;
18712 ++ nentry->name = name;
18713 ++ nentry->inode = inode;
18714 ++ nentry->device = device;
18715 ++ nentry->len = len;
18716 ++ nentry->deleted = deleted;
18717 ++
18718 ++ nentry->prev = NULL;
18719 ++ curr = &name_set.n_hash[index];
18720 ++ if (*curr != NULL)
18721 ++ (*curr)->prev = nentry;
18722 ++ nentry->next = *curr;
18723 ++ *curr = nentry;
18724 ++
18725 ++ /* insert us into the table searchable by inode/dev */
18726 ++ insert_inodev_entry(ientry);
18727 ++
18728 ++ return 1;
18729 ++}
18730 ++
18731 ++static void
18732 ++insert_acl_obj_label(struct acl_object_label *obj,
18733 ++ struct acl_subject_label *subj)
18734 ++{
18735 ++ unsigned int index =
18736 ++ fhash(obj->inode, obj->device, subj->obj_hash_size);
18737 ++ struct acl_object_label **curr;
18738 ++
18739 ++
18740 ++ obj->prev = NULL;
18741 ++
18742 ++ curr = &subj->obj_hash[index];
18743 ++ if (*curr != NULL)
18744 ++ (*curr)->prev = obj;
18745 ++
18746 ++ obj->next = *curr;
18747 ++ *curr = obj;
18748 ++
18749 ++ return;
18750 ++}
18751 ++
18752 ++static void
18753 ++insert_acl_subj_label(struct acl_subject_label *obj,
18754 ++ struct acl_role_label *role)
18755 ++{
18756 ++ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
18757 ++ struct acl_subject_label **curr;
18758 ++
18759 ++ obj->prev = NULL;
18760 ++
18761 ++ curr = &role->subj_hash[index];
18762 ++ if (*curr != NULL)
18763 ++ (*curr)->prev = obj;
18764 ++
18765 ++ obj->next = *curr;
18766 ++ *curr = obj;
18767 ++
18768 ++ return;
18769 ++}
18770 ++
18771 ++/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
18772 ++
18773 ++static void *
18774 ++create_table(__u32 * len, int elementsize)
18775 ++{
18776 ++ unsigned int table_sizes[] = {
18777 ++ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
18778 ++ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
18779 ++ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
18780 ++ 268435399, 536870909, 1073741789, 2147483647
18781 ++ };
18782 ++ void *newtable = NULL;
18783 ++ unsigned int pwr = 0;
18784 ++
18785 ++ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
18786 ++ table_sizes[pwr] <= *len)
18787 ++ pwr++;
18788 ++
18789 ++ if (table_sizes[pwr] <= *len)
18790 ++ return newtable;
18791 ++
18792 ++ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
18793 ++ newtable =
18794 ++ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
18795 ++ else
18796 ++ newtable = vmalloc(table_sizes[pwr] * elementsize);
18797 ++
18798 ++ *len = table_sizes[pwr];
18799 ++
18800 ++ return newtable;
18801 ++}
18802 ++
18803 ++static int
18804 ++init_variables(const struct gr_arg *arg)
18805 ++{
18806 ++ struct task_struct *reaper = child_reaper(current);
18807 ++ unsigned int stacksize;
18808 ++
18809 ++ subj_map_set.s_size = arg->role_db.num_subjects;
18810 ++ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
18811 ++ name_set.n_size = arg->role_db.num_objects;
18812 ++ inodev_set.i_size = arg->role_db.num_objects;
18813 ++
18814 ++ if (!subj_map_set.s_size || !acl_role_set.r_size ||
18815 ++ !name_set.n_size || !inodev_set.i_size)
18816 ++ return 1;
18817 ++
18818 ++ if (!gr_init_uidset())
18819 ++ return 1;
18820 ++
18821 ++ /* set up the stack that holds allocation info */
18822 ++
18823 ++ stacksize = arg->role_db.num_pointers + 5;
18824 ++
18825 ++ if (!acl_alloc_stack_init(stacksize))
18826 ++ return 1;
18827 ++
18828 ++ /* grab reference for the real root dentry and vfsmount */
18829 ++ read_lock(&reaper->fs->lock);
18830 ++ real_root_mnt = mntget(reaper->fs->rootmnt);
18831 ++ real_root = dget(reaper->fs->root);
18832 ++ read_unlock(&reaper->fs->lock);
18833 ++
18834 ++ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
18835 ++ if (fakefs_obj == NULL)
18836 ++ return 1;
18837 ++ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
18838 ++
18839 ++ subj_map_set.s_hash =
18840 ++ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
18841 ++ acl_role_set.r_hash =
18842 ++ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
18843 ++ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
18844 ++ inodev_set.i_hash =
18845 ++ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
18846 ++
18847 ++ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
18848 ++ !name_set.n_hash || !inodev_set.i_hash)
18849 ++ return 1;
18850 ++
18851 ++ memset(subj_map_set.s_hash, 0,
18852 ++ sizeof(struct subject_map *) * subj_map_set.s_size);
18853 ++ memset(acl_role_set.r_hash, 0,
18854 ++ sizeof (struct acl_role_label *) * acl_role_set.r_size);
18855 ++ memset(name_set.n_hash, 0,
18856 ++ sizeof (struct name_entry *) * name_set.n_size);
18857 ++ memset(inodev_set.i_hash, 0,
18858 ++ sizeof (struct inodev_entry *) * inodev_set.i_size);
18859 ++
18860 ++ return 0;
18861 ++}
18862 ++
18863 ++/* free information not needed after startup
18864 ++ currently contains user->kernel pointer mappings for subjects
18865 ++*/
18866 ++
18867 ++static void
18868 ++free_init_variables(void)
18869 ++{
18870 ++ __u32 i;
18871 ++
18872 ++ if (subj_map_set.s_hash) {
18873 ++ for (i = 0; i < subj_map_set.s_size; i++) {
18874 ++ if (subj_map_set.s_hash[i]) {
18875 ++ kfree(subj_map_set.s_hash[i]);
18876 ++ subj_map_set.s_hash[i] = NULL;
18877 ++ }
18878 ++ }
18879 ++
18880 ++ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
18881 ++ PAGE_SIZE)
18882 ++ kfree(subj_map_set.s_hash);
18883 ++ else
18884 ++ vfree(subj_map_set.s_hash);
18885 ++ }
18886 ++
18887 ++ return;
18888 ++}
18889 ++
18890 ++static void
18891 ++free_variables(void)
18892 ++{
18893 ++ struct acl_subject_label *s;
18894 ++ struct acl_role_label *r;
18895 ++ struct task_struct *task, *task2;
18896 ++ unsigned int i, x;
18897 ++
18898 ++ gr_clear_learn_entries();
18899 ++
18900 ++ read_lock(&tasklist_lock);
18901 ++ do_each_thread(task2, task) {
18902 ++ task->acl_sp_role = 0;
18903 ++ task->acl_role_id = 0;
18904 ++ task->acl = NULL;
18905 ++ task->role = NULL;
18906 ++ } while_each_thread(task2, task);
18907 ++ read_unlock(&tasklist_lock);
18908 ++
18909 ++ /* release the reference to the real root dentry and vfsmount */
18910 ++ if (real_root)
18911 ++ dput(real_root);
18912 ++ real_root = NULL;
18913 ++ if (real_root_mnt)
18914 ++ mntput(real_root_mnt);
18915 ++ real_root_mnt = NULL;
18916 ++
18917 ++ /* free all object hash tables */
18918 ++
18919 ++ FOR_EACH_ROLE_START(r, i)
18920 ++ if (r->subj_hash == NULL)
18921 ++ break;
18922 ++ FOR_EACH_SUBJECT_START(r, s, x)
18923 ++ if (s->obj_hash == NULL)
18924 ++ break;
18925 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
18926 ++ kfree(s->obj_hash);
18927 ++ else
18928 ++ vfree(s->obj_hash);
18929 ++ FOR_EACH_SUBJECT_END(s, x)
18930 ++ FOR_EACH_NESTED_SUBJECT_START(r, s)
18931 ++ if (s->obj_hash == NULL)
18932 ++ break;
18933 ++ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
18934 ++ kfree(s->obj_hash);
18935 ++ else
18936 ++ vfree(s->obj_hash);
18937 ++ FOR_EACH_NESTED_SUBJECT_END(s)
18938 ++ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
18939 ++ kfree(r->subj_hash);
18940 ++ else
18941 ++ vfree(r->subj_hash);
18942 ++ r->subj_hash = NULL;
18943 ++ FOR_EACH_ROLE_END(r,i)
18944 ++
18945 ++ acl_free_all();
18946 ++
18947 ++ if (acl_role_set.r_hash) {
18948 ++ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
18949 ++ PAGE_SIZE)
18950 ++ kfree(acl_role_set.r_hash);
18951 ++ else
18952 ++ vfree(acl_role_set.r_hash);
18953 ++ }
18954 ++ if (name_set.n_hash) {
18955 ++ if ((name_set.n_size * sizeof (struct name_entry *)) <=
18956 ++ PAGE_SIZE)
18957 ++ kfree(name_set.n_hash);
18958 ++ else
18959 ++ vfree(name_set.n_hash);
18960 ++ }
18961 ++
18962 ++ if (inodev_set.i_hash) {
18963 ++ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
18964 ++ PAGE_SIZE)
18965 ++ kfree(inodev_set.i_hash);
18966 ++ else
18967 ++ vfree(inodev_set.i_hash);
18968 ++ }
18969 ++
18970 ++ gr_free_uidset();
18971 ++
18972 ++ memset(&name_set, 0, sizeof (struct name_db));
18973 ++ memset(&inodev_set, 0, sizeof (struct inodev_db));
18974 ++ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
18975 ++ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
18976 ++
18977 ++ default_role = NULL;
18978 ++
18979 ++ return;
18980 ++}
18981 ++
18982 ++static __u32
18983 ++count_user_objs(struct acl_object_label *userp)
18984 ++{
18985 ++ struct acl_object_label o_tmp;
18986 ++ __u32 num = 0;
18987 ++
18988 ++ while (userp) {
18989 ++ if (copy_from_user(&o_tmp, userp,
18990 ++ sizeof (struct acl_object_label)))
18991 ++ break;
18992 ++
18993 ++ userp = o_tmp.prev;
18994 ++ num++;
18995 ++ }
18996 ++
18997 ++ return num;
18998 ++}
18999 ++
19000 ++static struct acl_subject_label *
19001 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
19002 ++
19003 ++static int
19004 ++copy_user_glob(struct acl_object_label *obj)
19005 ++{
19006 ++ struct acl_object_label *g_tmp, **guser;
19007 ++ unsigned int len;
19008 ++ char *tmp;
19009 ++
19010 ++ if (obj->globbed == NULL)
19011 ++ return 0;
19012 ++
19013 ++ guser = &obj->globbed;
19014 ++ while (*guser) {
19015 ++ g_tmp = (struct acl_object_label *)
19016 ++ acl_alloc(sizeof (struct acl_object_label));
19017 ++ if (g_tmp == NULL)
19018 ++ return -ENOMEM;
19019 ++
19020 ++ if (copy_from_user(g_tmp, *guser,
19021 ++ sizeof (struct acl_object_label)))
19022 ++ return -EFAULT;
19023 ++
19024 ++ len = strnlen_user(g_tmp->filename, PATH_MAX);
19025 ++
19026 ++ if (!len || len >= PATH_MAX)
19027 ++ return -EINVAL;
19028 ++
19029 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19030 ++ return -ENOMEM;
19031 ++
19032 ++ if (copy_from_user(tmp, g_tmp->filename, len))
19033 ++ return -EFAULT;
19034 ++
19035 ++ g_tmp->filename = tmp;
19036 ++
19037 ++ *guser = g_tmp;
19038 ++ guser = &(g_tmp->next);
19039 ++ }
19040 ++
19041 ++ return 0;
19042 ++}
19043 ++
19044 ++static int
19045 ++copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
19046 ++ struct acl_role_label *role)
19047 ++{
19048 ++ struct acl_object_label *o_tmp;
19049 ++ unsigned int len;
19050 ++ int ret;
19051 ++ char *tmp;
19052 ++
19053 ++ while (userp) {
19054 ++ if ((o_tmp = (struct acl_object_label *)
19055 ++ acl_alloc(sizeof (struct acl_object_label))) == NULL)
19056 ++ return -ENOMEM;
19057 ++
19058 ++ if (copy_from_user(o_tmp, userp,
19059 ++ sizeof (struct acl_object_label)))
19060 ++ return -EFAULT;
19061 ++
19062 ++ userp = o_tmp->prev;
19063 ++
19064 ++ len = strnlen_user(o_tmp->filename, PATH_MAX);
19065 ++
19066 ++ if (!len || len >= PATH_MAX)
19067 ++ return -EINVAL;
19068 ++
19069 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19070 ++ return -ENOMEM;
19071 ++
19072 ++ if (copy_from_user(tmp, o_tmp->filename, len))
19073 ++ return -EFAULT;
19074 ++
19075 ++ o_tmp->filename = tmp;
19076 ++
19077 ++ insert_acl_obj_label(o_tmp, subj);
19078 ++ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
19079 ++ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
19080 ++ return -ENOMEM;
19081 ++
19082 ++ ret = copy_user_glob(o_tmp);
19083 ++ if (ret)
19084 ++ return ret;
19085 ++
19086 ++ if (o_tmp->nested) {
19087 ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
19088 ++ if (IS_ERR(o_tmp->nested))
19089 ++ return PTR_ERR(o_tmp->nested);
19090 ++
19091 ++ /* insert into nested subject list */
19092 ++ o_tmp->nested->next = role->hash->first;
19093 ++ role->hash->first = o_tmp->nested;
19094 ++ }
19095 ++ }
19096 ++
19097 ++ return 0;
19098 ++}
19099 ++
19100 ++static __u32
19101 ++count_user_subjs(struct acl_subject_label *userp)
19102 ++{
19103 ++ struct acl_subject_label s_tmp;
19104 ++ __u32 num = 0;
19105 ++
19106 ++ while (userp) {
19107 ++ if (copy_from_user(&s_tmp, userp,
19108 ++ sizeof (struct acl_subject_label)))
19109 ++ break;
19110 ++
19111 ++ userp = s_tmp.prev;
19112 ++ /* do not count nested subjects against this count, since
19113 ++ they are not included in the hash table, but are
19114 ++ attached to objects. We have already counted
19115 ++ the subjects in userspace for the allocation
19116 ++ stack
19117 ++ */
19118 ++ if (!(s_tmp.mode & GR_NESTED))
19119 ++ num++;
19120 ++ }
19121 ++
19122 ++ return num;
19123 ++}
19124 ++
19125 ++static int
19126 ++copy_user_allowedips(struct acl_role_label *rolep)
19127 ++{
19128 ++ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
19129 ++
19130 ++ ruserip = rolep->allowed_ips;
19131 ++
19132 ++ while (ruserip) {
19133 ++ rlast = rtmp;
19134 ++
19135 ++ if ((rtmp = (struct role_allowed_ip *)
19136 ++ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
19137 ++ return -ENOMEM;
19138 ++
19139 ++ if (copy_from_user(rtmp, ruserip,
19140 ++ sizeof (struct role_allowed_ip)))
19141 ++ return -EFAULT;
19142 ++
19143 ++ ruserip = rtmp->prev;
19144 ++
19145 ++ if (!rlast) {
19146 ++ rtmp->prev = NULL;
19147 ++ rolep->allowed_ips = rtmp;
19148 ++ } else {
19149 ++ rlast->next = rtmp;
19150 ++ rtmp->prev = rlast;
19151 ++ }
19152 ++
19153 ++ if (!ruserip)
19154 ++ rtmp->next = NULL;
19155 ++ }
19156 ++
19157 ++ return 0;
19158 ++}
19159 ++
19160 ++static int
19161 ++copy_user_transitions(struct acl_role_label *rolep)
19162 ++{
19163 ++ struct role_transition *rusertp, *rtmp = NULL, *rlast;
19164 ++
19165 ++ unsigned int len;
19166 ++ char *tmp;
19167 ++
19168 ++ rusertp = rolep->transitions;
19169 ++
19170 ++ while (rusertp) {
19171 ++ rlast = rtmp;
19172 ++
19173 ++ if ((rtmp = (struct role_transition *)
19174 ++ acl_alloc(sizeof (struct role_transition))) == NULL)
19175 ++ return -ENOMEM;
19176 ++
19177 ++ if (copy_from_user(rtmp, rusertp,
19178 ++ sizeof (struct role_transition)))
19179 ++ return -EFAULT;
19180 ++
19181 ++ rusertp = rtmp->prev;
19182 ++
19183 ++ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
19184 ++
19185 ++ if (!len || len >= GR_SPROLE_LEN)
19186 ++ return -EINVAL;
19187 ++
19188 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19189 ++ return -ENOMEM;
19190 ++
19191 ++ if (copy_from_user(tmp, rtmp->rolename, len))
19192 ++ return -EFAULT;
19193 ++
19194 ++ rtmp->rolename = tmp;
19195 ++
19196 ++ if (!rlast) {
19197 ++ rtmp->prev = NULL;
19198 ++ rolep->transitions = rtmp;
19199 ++ } else {
19200 ++ rlast->next = rtmp;
19201 ++ rtmp->prev = rlast;
19202 ++ }
19203 ++
19204 ++ if (!rusertp)
19205 ++ rtmp->next = NULL;
19206 ++ }
19207 ++
19208 ++ return 0;
19209 ++}
19210 ++
19211 ++static struct acl_subject_label *
19212 ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
19213 ++{
19214 ++ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
19215 ++ unsigned int len;
19216 ++ char *tmp;
19217 ++ __u32 num_objs;
19218 ++ struct acl_ip_label **i_tmp, *i_utmp2;
19219 ++ struct gr_hash_struct ghash;
19220 ++ struct subject_map *subjmap;
19221 ++ unsigned int i_num;
19222 ++ int err;
19223 ++
19224 ++ s_tmp = lookup_subject_map(userp);
19225 ++
19226 ++ /* we've already copied this subject into the kernel, just return
19227 ++ the reference to it, and don't copy it over again
19228 ++ */
19229 ++ if (s_tmp)
19230 ++ return(s_tmp);
19231 ++
19232 ++ if ((s_tmp = (struct acl_subject_label *)
19233 ++ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
19234 ++ return ERR_PTR(-ENOMEM);
19235 ++
19236 ++ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
19237 ++ if (subjmap == NULL)
19238 ++ return ERR_PTR(-ENOMEM);
19239 ++
19240 ++ subjmap->user = userp;
19241 ++ subjmap->kernel = s_tmp;
19242 ++ insert_subj_map_entry(subjmap);
19243 ++
19244 ++ if (copy_from_user(s_tmp, userp,
19245 ++ sizeof (struct acl_subject_label)))
19246 ++ return ERR_PTR(-EFAULT);
19247 ++
19248 ++ len = strnlen_user(s_tmp->filename, PATH_MAX);
19249 ++
19250 ++ if (!len || len >= PATH_MAX)
19251 ++ return ERR_PTR(-EINVAL);
19252 ++
19253 ++ if ((tmp = (char *) acl_alloc(len)) == NULL)
19254 ++ return ERR_PTR(-ENOMEM);
19255 ++
19256 ++ if (copy_from_user(tmp, s_tmp->filename, len))
19257 ++ return ERR_PTR(-EFAULT);
19258 ++
19259 ++ s_tmp->filename = tmp;
19260 ++
19261 ++ if (!strcmp(s_tmp->filename, "/"))
19262 ++ role->root_label = s_tmp;
19263 ++
19264 ++ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
19265 ++ return ERR_PTR(-EFAULT);
19266 ++
19267 ++ /* copy user and group transition tables */
19268 ++
19269 ++ if (s_tmp->user_trans_num) {
19270 ++ uid_t *uidlist;
19271 ++
19272 ++ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
19273 ++ if (uidlist == NULL)
19274 ++ return ERR_PTR(-ENOMEM);
19275 ++ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
19276 ++ return ERR_PTR(-EFAULT);
19277 ++
19278 ++ s_tmp->user_transitions = uidlist;
19279 ++ }
19280 ++
19281 ++ if (s_tmp->group_trans_num) {
19282 ++ gid_t *gidlist;
19283 ++
19284 ++ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
19285 ++ if (gidlist == NULL)
19286 ++ return ERR_PTR(-ENOMEM);
19287 ++ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
19288 ++ return ERR_PTR(-EFAULT);
19289 ++
19290 ++ s_tmp->group_transitions = gidlist;
19291 ++ }
19292 ++
19293 ++ /* set up object hash table */
19294 ++ num_objs = count_user_objs(ghash.first);
19295 ++
19296 ++ s_tmp->obj_hash_size = num_objs;
19297 ++ s_tmp->obj_hash =
19298 ++ (struct acl_object_label **)
19299 ++ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
19300 ++
19301 ++ if (!s_tmp->obj_hash)
19302 ++ return ERR_PTR(-ENOMEM);
19303 ++
19304 ++ memset(s_tmp->obj_hash, 0,
19305 ++ s_tmp->obj_hash_size *
19306 ++ sizeof (struct acl_object_label *));
19307 ++
19308 ++ /* add in objects */
19309 ++ err = copy_user_objs(ghash.first, s_tmp, role);
19310 ++
19311 ++ if (err)
19312 ++ return ERR_PTR(err);
19313 ++
19314 ++ /* set pointer for parent subject */
19315 ++ if (s_tmp->parent_subject) {
19316 ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
19317 ++
19318 ++ if (IS_ERR(s_tmp2))
19319 ++ return s_tmp2;
19320 ++
19321 ++ s_tmp->parent_subject = s_tmp2;
19322 ++ }
19323 ++
19324 ++ /* add in ip acls */
19325 ++
19326 ++ if (!s_tmp->ip_num) {
19327 ++ s_tmp->ips = NULL;
19328 ++ goto insert;
19329 ++ }
19330 ++
19331 ++ i_tmp =
19332 ++ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
19333 ++ sizeof (struct
19334 ++ acl_ip_label *));
19335 ++
19336 ++ if (!i_tmp)
19337 ++ return ERR_PTR(-ENOMEM);
19338 ++
19339 ++ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
19340 ++ *(i_tmp + i_num) =
19341 ++ (struct acl_ip_label *)
19342 ++ acl_alloc(sizeof (struct acl_ip_label));
19343 ++ if (!*(i_tmp + i_num))
19344 ++ return ERR_PTR(-ENOMEM);
19345 ++
19346 ++ if (copy_from_user
19347 ++ (&i_utmp2, s_tmp->ips + i_num,
19348 ++ sizeof (struct acl_ip_label *)))
19349 ++ return ERR_PTR(-EFAULT);
19350 ++
19351 ++ if (copy_from_user
19352 ++ (*(i_tmp + i_num), i_utmp2,
19353 ++ sizeof (struct acl_ip_label)))
19354 ++ return ERR_PTR(-EFAULT);
19355 ++
19356 ++ if ((*(i_tmp + i_num))->iface == NULL)
19357 ++ continue;
19358 ++
19359 ++ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
19360 ++ if (!len || len >= IFNAMSIZ)
19361 ++ return ERR_PTR(-EINVAL);
19362 ++ tmp = acl_alloc(len);
19363 ++ if (tmp == NULL)
19364 ++ return ERR_PTR(-ENOMEM);
19365 ++ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
19366 ++ return ERR_PTR(-EFAULT);
19367 ++ (*(i_tmp + i_num))->iface = tmp;
19368 ++ }
19369 ++
19370 ++ s_tmp->ips = i_tmp;
19371 ++
19372 ++insert:
19373 ++ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
19374 ++ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
19375 ++ return ERR_PTR(-ENOMEM);
19376 ++
19377 ++ return s_tmp;
19378 ++}
19379 ++
19380 ++static int
19381 ++copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
19382 ++{
19383 ++ struct acl_subject_label s_pre;
19384 ++ struct acl_subject_label * ret;
19385 ++ int err;
19386 ++
19387 ++ while (userp) {
19388 ++ if (copy_from_user(&s_pre, userp,
19389 ++ sizeof (struct acl_subject_label)))
19390 ++ return -EFAULT;
19391 ++
19392 ++ /* do not add nested subjects here, add
19393 ++ while parsing objects
19394 ++ */
19395 ++
19396 ++ if (s_pre.mode & GR_NESTED) {
19397 ++ userp = s_pre.prev;
19398 ++ continue;
19399 ++ }
19400 ++
19401 ++ ret = do_copy_user_subj(userp, role);
19402 ++
19403 ++ err = PTR_ERR(ret);
19404 ++ if (IS_ERR(ret))
19405 ++ return err;
19406 ++
19407 ++ insert_acl_subj_label(ret, role);
19408 ++
19409 ++ userp = s_pre.prev;
19410 ++ }
19411 ++
19412 ++ return 0;
19413 ++}
19414 ++
19415 ++static int
19416 ++copy_user_acl(struct gr_arg *arg)
19417 ++{
19418 ++ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
19419 ++ struct sprole_pw *sptmp;
19420 ++ struct gr_hash_struct *ghash;
19421 ++ uid_t *domainlist;
19422 ++ unsigned int r_num;
19423 ++ unsigned int len;
19424 ++ char *tmp;
19425 ++ int err = 0;
19426 ++ __u16 i;
19427 ++ __u32 num_subjs;
19428 ++
19429 ++ /* we need a default and kernel role */
19430 ++ if (arg->role_db.num_roles < 2)
19431 ++ return -EINVAL;
19432 ++
19433 ++ /* copy special role authentication info from userspace */
19434 ++
19435 ++ num_sprole_pws = arg->num_sprole_pws;
19436 ++ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
19437 ++
19438 ++ if (!acl_special_roles) {
19439 ++ err = -ENOMEM;
19440 ++ goto cleanup;
19441 ++ }
19442 ++
19443 ++ for (i = 0; i < num_sprole_pws; i++) {
19444 ++ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
19445 ++ if (!sptmp) {
19446 ++ err = -ENOMEM;
19447 ++ goto cleanup;
19448 ++ }
19449 ++ if (copy_from_user(sptmp, arg->sprole_pws + i,
19450 ++ sizeof (struct sprole_pw))) {
19451 ++ err = -EFAULT;
19452 ++ goto cleanup;
19453 ++ }
19454 ++
19455 ++ len =
19456 ++ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
19457 ++
19458 ++ if (!len || len >= GR_SPROLE_LEN) {
19459 ++ err = -EINVAL;
19460 ++ goto cleanup;
19461 ++ }
19462 ++
19463 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
19464 ++ err = -ENOMEM;
19465 ++ goto cleanup;
19466 ++ }
19467 ++
19468 ++ if (copy_from_user(tmp, sptmp->rolename, len)) {
19469 ++ err = -EFAULT;
19470 ++ goto cleanup;
19471 ++ }
19472 ++
19473 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
19474 ++ printk(KERN_ALERT "Copying special role %s\n", tmp);
19475 ++#endif
19476 ++ sptmp->rolename = tmp;
19477 ++ acl_special_roles[i] = sptmp;
19478 ++ }
19479 ++
19480 ++ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
19481 ++
19482 ++ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
19483 ++ r_tmp = acl_alloc(sizeof (struct acl_role_label));
19484 ++
19485 ++ if (!r_tmp) {
19486 ++ err = -ENOMEM;
19487 ++ goto cleanup;
19488 ++ }
19489 ++
19490 ++ if (copy_from_user(&r_utmp2, r_utmp + r_num,
19491 ++ sizeof (struct acl_role_label *))) {
19492 ++ err = -EFAULT;
19493 ++ goto cleanup;
19494 ++ }
19495 ++
19496 ++ if (copy_from_user(r_tmp, r_utmp2,
19497 ++ sizeof (struct acl_role_label))) {
19498 ++ err = -EFAULT;
19499 ++ goto cleanup;
19500 ++ }
19501 ++
19502 ++ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
19503 ++
19504 ++ if (!len || len >= PATH_MAX) {
19505 ++ err = -EINVAL;
19506 ++ goto cleanup;
19507 ++ }
19508 ++
19509 ++ if ((tmp = (char *) acl_alloc(len)) == NULL) {
19510 ++ err = -ENOMEM;
19511 ++ goto cleanup;
19512 ++ }
19513 ++ if (copy_from_user(tmp, r_tmp->rolename, len)) {
19514 ++ err = -EFAULT;
19515 ++ goto cleanup;
19516 ++ }
19517 ++ r_tmp->rolename = tmp;
19518 ++
19519 ++ if (!strcmp(r_tmp->rolename, "default")
19520 ++ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
19521 ++ default_role = r_tmp;
19522 ++ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
19523 ++ kernel_role = r_tmp;
19524 ++ }
19525 ++
19526 ++ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
19527 ++ err = -ENOMEM;
19528 ++ goto cleanup;
19529 ++ }
19530 ++ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
19531 ++ err = -EFAULT;
19532 ++ goto cleanup;
19533 ++ }
19534 ++
19535 ++ r_tmp->hash = ghash;
19536 ++
19537 ++ num_subjs = count_user_subjs(r_tmp->hash->first);
19538 ++
19539 ++ r_tmp->subj_hash_size = num_subjs;
19540 ++ r_tmp->subj_hash =
19541 ++ (struct acl_subject_label **)
19542 ++ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
19543 ++
19544 ++ if (!r_tmp->subj_hash) {
19545 ++ err = -ENOMEM;
19546 ++ goto cleanup;
19547 ++ }
19548 ++
19549 ++ err = copy_user_allowedips(r_tmp);
19550 ++ if (err)
19551 ++ goto cleanup;
19552 ++
19553 ++ /* copy domain info */
19554 ++ if (r_tmp->domain_children != NULL) {
19555 ++ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
19556 ++ if (domainlist == NULL) {
19557 ++ err = -ENOMEM;
19558 ++ goto cleanup;
19559 ++ }
19560 ++ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
19561 ++ err = -EFAULT;
19562 ++ goto cleanup;
19563 ++ }
19564 ++ r_tmp->domain_children = domainlist;
19565 ++ }
19566 ++
19567 ++ err = copy_user_transitions(r_tmp);
19568 ++ if (err)
19569 ++ goto cleanup;
19570 ++
19571 ++ memset(r_tmp->subj_hash, 0,
19572 ++ r_tmp->subj_hash_size *
19573 ++ sizeof (struct acl_subject_label *));
19574 ++
19575 ++ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
19576 ++
19577 ++ if (err)
19578 ++ goto cleanup;
19579 ++
19580 ++ /* set nested subject list to null */
19581 ++ r_tmp->hash->first = NULL;
19582 ++
19583 ++ insert_acl_role_label(r_tmp);
19584 ++ }
19585 ++
19586 ++ goto return_err;
19587 ++ cleanup:
19588 ++ free_variables();
19589 ++ return_err:
19590 ++ return err;
19591 ++
19592 ++}
19593 ++
19594 ++static int
19595 ++gracl_init(struct gr_arg *args)
19596 ++{
19597 ++ int error = 0;
19598 ++
19599 ++ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
19600 ++ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
19601 ++
19602 ++ if (init_variables(args)) {
19603 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
19604 ++ error = -ENOMEM;
19605 ++ free_variables();
19606 ++ goto out;
19607 ++ }
19608 ++
19609 ++ error = copy_user_acl(args);
19610 ++ free_init_variables();
19611 ++ if (error) {
19612 ++ free_variables();
19613 ++ goto out;
19614 ++ }
19615 ++
19616 ++ if ((error = gr_set_acls(0))) {
19617 ++ free_variables();
19618 ++ goto out;
19619 ++ }
19620 ++
19621 ++ gr_status |= GR_READY;
19622 ++ out:
19623 ++ return error;
19624 ++}
19625 ++
19626 ++/* derived from glibc fnmatch() 0: match, 1: no match*/
19627 ++
19628 ++static int
19629 ++glob_match(const char *p, const char *n)
19630 ++{
19631 ++ char c;
19632 ++
19633 ++ while ((c = *p++) != '\0') {
19634 ++ switch (c) {
19635 ++ case '?':
19636 ++ if (*n == '\0')
19637 ++ return 1;
19638 ++ else if (*n == '/')
19639 ++ return 1;
19640 ++ break;
19641 ++ case '\\':
19642 ++ if (*n != c)
19643 ++ return 1;
19644 ++ break;
19645 ++ case '*':
19646 ++ for (c = *p++; c == '?' || c == '*'; c = *p++) {
19647 ++ if (*n == '/')
19648 ++ return 1;
19649 ++ else if (c == '?') {
19650 ++ if (*n == '\0')
19651 ++ return 1;
19652 ++ else
19653 ++ ++n;
19654 ++ }
19655 ++ }
19656 ++ if (c == '\0') {
19657 ++ return 0;
19658 ++ } else {
19659 ++ const char *endp;
19660 ++
19661 ++ if ((endp = strchr(n, '/')) == NULL)
19662 ++ endp = n + strlen(n);
19663 ++
19664 ++ if (c == '[') {
19665 ++ for (--p; n < endp; ++n)
19666 ++ if (!glob_match(p, n))
19667 ++ return 0;
19668 ++ } else if (c == '/') {
19669 ++ while (*n != '\0' && *n != '/')
19670 ++ ++n;
19671 ++ if (*n == '/' && !glob_match(p, n + 1))
19672 ++ return 0;
19673 ++ } else {
19674 ++ for (--p; n < endp; ++n)
19675 ++ if (*n == c && !glob_match(p, n))
19676 ++ return 0;
19677 ++ }
19678 ++
19679 ++ return 1;
19680 ++ }
19681 ++ case '[':
19682 ++ {
19683 ++ int not;
19684 ++ char cold;
19685 ++
19686 ++ if (*n == '\0' || *n == '/')
19687 ++ return 1;
19688 ++
19689 ++ not = (*p == '!' || *p == '^');
19690 ++ if (not)
19691 ++ ++p;
19692 ++
19693 ++ c = *p++;
19694 ++ for (;;) {
19695 ++ unsigned char fn = (unsigned char)*n;
19696 ++
19697 ++ if (c == '\0')
19698 ++ return 1;
19699 ++ else {
19700 ++ if (c == fn)
19701 ++ goto matched;
19702 ++ cold = c;
19703 ++ c = *p++;
19704 ++
19705 ++ if (c == '-' && *p != ']') {
19706 ++ unsigned char cend = *p++;
19707 ++
19708 ++ if (cend == '\0')
19709 ++ return 1;
19710 ++
19711 ++ if (cold <= fn && fn <= cend)
19712 ++ goto matched;
19713 ++
19714 ++ c = *p++;
19715 ++ }
19716 ++ }
19717 ++
19718 ++ if (c == ']')
19719 ++ break;
19720 ++ }
19721 ++ if (!not)
19722 ++ return 1;
19723 ++ break;
19724 ++ matched:
19725 ++ while (c != ']') {
19726 ++ if (c == '\0')
19727 ++ return 1;
19728 ++
19729 ++ c = *p++;
19730 ++ }
19731 ++ if (not)
19732 ++ return 1;
19733 ++ }
19734 ++ break;
19735 ++ default:
19736 ++ if (c != *n)
19737 ++ return 1;
19738 ++ }
19739 ++
19740 ++ ++n;
19741 ++ }
19742 ++
19743 ++ if (*n == '\0')
19744 ++ return 0;
19745 ++
19746 ++ if (*n == '/')
19747 ++ return 0;
19748 ++
19749 ++ return 1;
19750 ++}
19751 ++
19752 ++static struct acl_object_label *
19753 ++chk_glob_label(struct acl_object_label *globbed,
19754 ++ struct dentry *dentry, struct vfsmount *mnt, char **path)
19755 ++{
19756 ++ struct acl_object_label *tmp;
19757 ++
19758 ++ if (*path == NULL)
19759 ++ *path = gr_to_filename_nolock(dentry, mnt);
19760 ++
19761 ++ tmp = globbed;
19762 ++
19763 ++ while (tmp) {
19764 ++ if (!glob_match(tmp->filename, *path))
19765 ++ return tmp;
19766 ++ tmp = tmp->next;
19767 ++ }
19768 ++
19769 ++ return NULL;
19770 ++}
19771 ++
19772 ++static struct acl_object_label *
19773 ++__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
19774 ++ const ino_t curr_ino, const dev_t curr_dev,
19775 ++ const struct acl_subject_label *subj, char **path)
19776 ++{
19777 ++ struct acl_subject_label *tmpsubj;
19778 ++ struct acl_object_label *retval;
19779 ++ struct acl_object_label *retval2;
19780 ++
19781 ++ tmpsubj = (struct acl_subject_label *) subj;
19782 ++ read_lock(&gr_inode_lock);
19783 ++ do {
19784 ++ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
19785 ++ if (retval) {
19786 ++ if (retval->globbed) {
19787 ++ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
19788 ++ (struct vfsmount *)orig_mnt, path);
19789 ++ if (retval2)
19790 ++ retval = retval2;
19791 ++ }
19792 ++ break;
19793 ++ }
19794 ++ } while ((tmpsubj = tmpsubj->parent_subject));
19795 ++ read_unlock(&gr_inode_lock);
19796 ++
19797 ++ return retval;
19798 ++}
19799 ++
19800 ++static __inline__ struct acl_object_label *
19801 ++full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
19802 ++ const struct dentry *curr_dentry,
19803 ++ const struct acl_subject_label *subj, char **path)
19804 ++{
19805 ++ return __full_lookup(orig_dentry, orig_mnt,
19806 ++ curr_dentry->d_inode->i_ino,
19807 ++ curr_dentry->d_inode->i_sb->s_dev, subj, path);
19808 ++}
19809 ++
19810 ++static struct acl_object_label *
19811 ++__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19812 ++ const struct acl_subject_label *subj, char *path)
19813 ++{
19814 ++ struct dentry *dentry = (struct dentry *) l_dentry;
19815 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
19816 ++ struct acl_object_label *retval;
19817 ++
19818 ++ spin_lock(&dcache_lock);
19819 ++
19820 ++ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
19821 ++ /* ignore Eric Biederman */
19822 ++ IS_PRIVATE(l_dentry->d_inode))) {
19823 ++ retval = fakefs_obj;
19824 ++ goto out;
19825 ++ }
19826 ++
19827 ++ for (;;) {
19828 ++ if (dentry == real_root && mnt == real_root_mnt)
19829 ++ break;
19830 ++
19831 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
19832 ++ if (mnt->mnt_parent == mnt)
19833 ++ break;
19834 ++
19835 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19836 ++ if (retval != NULL)
19837 ++ goto out;
19838 ++
19839 ++ dentry = mnt->mnt_mountpoint;
19840 ++ mnt = mnt->mnt_parent;
19841 ++ continue;
19842 ++ }
19843 ++
19844 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19845 ++ if (retval != NULL)
19846 ++ goto out;
19847 ++
19848 ++ dentry = dentry->d_parent;
19849 ++ }
19850 ++
19851 ++ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
19852 ++
19853 ++ if (retval == NULL)
19854 ++ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
19855 ++out:
19856 ++ spin_unlock(&dcache_lock);
19857 ++ return retval;
19858 ++}
19859 ++
19860 ++static __inline__ struct acl_object_label *
19861 ++chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19862 ++ const struct acl_subject_label *subj)
19863 ++{
19864 ++ char *path = NULL;
19865 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
19866 ++}
19867 ++
19868 ++static __inline__ struct acl_object_label *
19869 ++chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19870 ++ const struct acl_subject_label *subj, char *path)
19871 ++{
19872 ++ return __chk_obj_label(l_dentry, l_mnt, subj, path);
19873 ++}
19874 ++
19875 ++static struct acl_subject_label *
19876 ++chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
19877 ++ const struct acl_role_label *role)
19878 ++{
19879 ++ struct dentry *dentry = (struct dentry *) l_dentry;
19880 ++ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
19881 ++ struct acl_subject_label *retval;
19882 ++
19883 ++ spin_lock(&dcache_lock);
19884 ++
19885 ++ for (;;) {
19886 ++ if (dentry == real_root && mnt == real_root_mnt)
19887 ++ break;
19888 ++ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
19889 ++ if (mnt->mnt_parent == mnt)
19890 ++ break;
19891 ++
19892 ++ read_lock(&gr_inode_lock);
19893 ++ retval =
19894 ++ lookup_acl_subj_label(dentry->d_inode->i_ino,
19895 ++ dentry->d_inode->i_sb->s_dev, role);
19896 ++ read_unlock(&gr_inode_lock);
19897 ++ if (retval != NULL)
19898 ++ goto out;
19899 ++
19900 ++ dentry = mnt->mnt_mountpoint;
19901 ++ mnt = mnt->mnt_parent;
19902 ++ continue;
19903 ++ }
19904 ++
19905 ++ read_lock(&gr_inode_lock);
19906 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
19907 ++ dentry->d_inode->i_sb->s_dev, role);
19908 ++ read_unlock(&gr_inode_lock);
19909 ++ if (retval != NULL)
19910 ++ goto out;
19911 ++
19912 ++ dentry = dentry->d_parent;
19913 ++ }
19914 ++
19915 ++ read_lock(&gr_inode_lock);
19916 ++ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
19917 ++ dentry->d_inode->i_sb->s_dev, role);
19918 ++ read_unlock(&gr_inode_lock);
19919 ++
19920 ++ if (unlikely(retval == NULL)) {
19921 ++ read_lock(&gr_inode_lock);
19922 ++ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
19923 ++ real_root->d_inode->i_sb->s_dev, role);
19924 ++ read_unlock(&gr_inode_lock);
19925 ++ }
19926 ++out:
19927 ++ spin_unlock(&dcache_lock);
19928 ++
19929 ++ return retval;
19930 ++}
19931 ++
19932 ++static void
19933 ++gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
19934 ++{
19935 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
19936 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19937 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19938 ++ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
19939 ++
19940 ++ return;
19941 ++}
19942 ++
19943 ++static void
19944 ++gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
19945 ++{
19946 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
19947 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19948 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19949 ++ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
19950 ++
19951 ++ return;
19952 ++}
19953 ++
19954 ++static void
19955 ++gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
19956 ++ const unsigned int effective, const unsigned int fs)
19957 ++{
19958 ++ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
19959 ++ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
19960 ++ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
19961 ++ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
19962 ++
19963 ++ return;
19964 ++}
19965 ++
19966 ++__u32
19967 ++gr_check_link(const struct dentry * new_dentry,
19968 ++ const struct dentry * parent_dentry,
19969 ++ const struct vfsmount * parent_mnt,
19970 ++ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
19971 ++{
19972 ++ struct acl_object_label *obj;
19973 ++ __u32 oldmode, newmode;
19974 ++ __u32 needmode;
19975 ++
19976 ++ if (unlikely(!(gr_status & GR_READY)))
19977 ++ return (GR_CREATE | GR_LINK);
19978 ++
19979 ++ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
19980 ++ oldmode = obj->mode;
19981 ++
19982 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
19983 ++ oldmode |= (GR_CREATE | GR_LINK);
19984 ++
19985 ++ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
19986 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
19987 ++ needmode |= GR_SETID | GR_AUDIT_SETID;
19988 ++
19989 ++ newmode =
19990 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
19991 ++ oldmode | needmode);
19992 ++
19993 ++ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
19994 ++ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
19995 ++ GR_INHERIT | GR_AUDIT_INHERIT);
19996 ++
19997 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
19998 ++ goto bad;
19999 ++
20000 ++ if ((oldmode & needmode) != needmode)
20001 ++ goto bad;
20002 ++
20003 ++ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
20004 ++ if ((newmode & needmode) != needmode)
20005 ++ goto bad;
20006 ++
20007 ++ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
20008 ++ return newmode;
20009 ++bad:
20010 ++ needmode = oldmode;
20011 ++ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
20012 ++ needmode |= GR_SETID;
20013 ++
20014 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20015 ++ gr_log_learn(current, old_dentry, old_mnt, needmode);
20016 ++ return (GR_CREATE | GR_LINK);
20017 ++ } else if (newmode & GR_SUPPRESS)
20018 ++ return GR_SUPPRESS;
20019 ++ else
20020 ++ return 0;
20021 ++}
20022 ++
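Review bot: the needmode mask in gr_check_link lists `GR_FIND` twice (`GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ | GR_FIND | GR_DELETE | ...`), which is harmless but reads like a copy-and-paste slip where another flag was meant; drop the duplicate or add the intended flag. The setid test `old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID)` is correct only because `&` binds tighter than `&&`; parenthesize the left operand as done three lines later so the two checks read the same way.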
20023 ++__u32
20024 ++gr_search_file(const struct dentry * dentry, const __u32 mode,
20025 ++ const struct vfsmount * mnt)
20026 ++{
20027 ++ __u32 retval = mode;
20028 ++ struct acl_subject_label *curracl;
20029 ++ struct acl_object_label *currobj;
20030 ++
20031 ++ if (unlikely(!(gr_status & GR_READY)))
20032 ++ return (mode & ~GR_AUDITS);
20033 ++
20034 ++ curracl = current->acl;
20035 ++
20036 ++ currobj = chk_obj_label(dentry, mnt, curracl);
20037 ++ retval = currobj->mode & mode;
20038 ++
20039 ++ if (unlikely
20040 ++ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
20041 ++ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
20042 ++ __u32 new_mode = mode;
20043 ++
20044 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20045 ++
20046 ++ retval = new_mode;
20047 ++
20048 ++ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
20049 ++ new_mode |= GR_INHERIT;
20050 ++
20051 ++ if (!(mode & GR_NOLEARN))
20052 ++ gr_log_learn(current, dentry, mnt, new_mode);
20053 ++ }
20054 ++
20055 ++ return retval;
20056 ++}
20057 ++
20058 ++__u32
20059 ++gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
20060 ++ const struct vfsmount * mnt, const __u32 mode)
20061 ++{
20062 ++ struct name_entry *match;
20063 ++ struct acl_object_label *matchpo;
20064 ++ struct acl_subject_label *curracl;
20065 ++ char *path;
20066 ++ __u32 retval;
20067 ++
20068 ++ if (unlikely(!(gr_status & GR_READY)))
20069 ++ return (mode & ~GR_AUDITS);
20070 ++
20071 ++ preempt_disable();
20072 ++ path = gr_to_filename_rbac(new_dentry, mnt);
20073 ++ match = lookup_name_entry_create(path);
20074 ++
20075 ++ if (!match)
20076 ++ goto check_parent;
20077 ++
20078 ++ curracl = current->acl;
20079 ++
20080 ++ read_lock(&gr_inode_lock);
20081 ++ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
20082 ++ read_unlock(&gr_inode_lock);
20083 ++
20084 ++ if (matchpo) {
20085 ++ if ((matchpo->mode & mode) !=
20086 ++ (mode & ~(GR_AUDITS | GR_SUPPRESS))
20087 ++ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
20088 ++ __u32 new_mode = mode;
20089 ++
20090 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20091 ++
20092 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
20093 ++
20094 ++ preempt_enable();
20095 ++ return new_mode;
20096 ++ }
20097 ++ preempt_enable();
20098 ++ return (matchpo->mode & mode);
20099 ++ }
20100 ++
20101 ++ check_parent:
20102 ++ curracl = current->acl;
20103 ++
20104 ++ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
20105 ++ retval = matchpo->mode & mode;
20106 ++
20107 ++ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
20108 ++ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
20109 ++ __u32 new_mode = mode;
20110 ++
20111 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
20112 ++
20113 ++ gr_log_learn(current, new_dentry, mnt, new_mode);
20114 ++ preempt_enable();
20115 ++ return new_mode;
20116 ++ }
20117 ++
20118 ++ preempt_enable();
20119 ++ return retval;
20120 ++}
20121 ++
20122 ++int
20123 ++gr_check_hidden_task(const struct task_struct *task)
20124 ++{
20125 ++ if (unlikely(!(gr_status & GR_READY)))
20126 ++ return 0;
20127 ++
20128 ++ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
20129 ++ return 1;
20130 ++
20131 ++ return 0;
20132 ++}
20133 ++
20134 ++int
20135 ++gr_check_protected_task(const struct task_struct *task)
20136 ++{
20137 ++ if (unlikely(!(gr_status & GR_READY) || !task))
20138 ++ return 0;
20139 ++
20140 ++ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
20141 ++ task->acl != current->acl)
20142 ++ return 1;
20143 ++
20144 ++ return 0;
20145 ++}
20146 ++
20147 ++void
20148 ++gr_copy_label(struct task_struct *tsk)
20149 ++{
20150 ++ tsk->signal->used_accept = 0;
20151 ++ tsk->acl_sp_role = 0;
20152 ++ tsk->acl_role_id = current->acl_role_id;
20153 ++ tsk->acl = current->acl;
20154 ++ tsk->role = current->role;
20155 ++ tsk->signal->curr_ip = current->signal->curr_ip;
20156 ++ if (current->exec_file)
20157 ++ get_file(current->exec_file);
20158 ++ tsk->exec_file = current->exec_file;
20159 ++ tsk->is_writable = current->is_writable;
20160 ++ if (unlikely(current->signal->used_accept))
20161 ++ current->signal->curr_ip = 0;
20162 ++
20163 ++ return;
20164 ++}
20165 ++
20166 ++static void
20167 ++gr_set_proc_res(struct task_struct *task)
20168 ++{
20169 ++ struct acl_subject_label *proc;
20170 ++ unsigned short i;
20171 ++
20172 ++ proc = task->acl;
20173 ++
20174 ++ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
20175 ++ return;
20176 ++
20177 ++ for (i = 0; i < (GR_NLIMITS - 1); i++) {
20178 ++ if (!(proc->resmask & (1 << i)))
20179 ++ continue;
20180 ++
20181 ++ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
20182 ++ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
20183 ++ }
20184 ++
20185 ++ return;
20186 ++}
20187 ++
20188 ++int
20189 ++gr_check_user_change(int real, int effective, int fs)
20190 ++{
20191 ++ unsigned int i;
20192 ++ __u16 num;
20193 ++ uid_t *uidlist;
20194 ++ int curuid;
20195 ++ int realok = 0;
20196 ++ int effectiveok = 0;
20197 ++ int fsok = 0;
20198 ++
20199 ++ if (unlikely(!(gr_status & GR_READY)))
20200 ++ return 0;
20201 ++
20202 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20203 ++ gr_log_learn_id_change(current, 'u', real, effective, fs);
20204 ++
20205 ++ num = current->acl->user_trans_num;
20206 ++ uidlist = current->acl->user_transitions;
20207 ++
20208 ++ if (uidlist == NULL)
20209 ++ return 0;
20210 ++
20211 ++ if (real == -1)
20212 ++ realok = 1;
20213 ++ if (effective == -1)
20214 ++ effectiveok = 1;
20215 ++ if (fs == -1)
20216 ++ fsok = 1;
20217 ++
20218 ++ if (current->acl->user_trans_type & GR_ID_ALLOW) {
20219 ++ for (i = 0; i < num; i++) {
20220 ++ curuid = (int)uidlist[i];
20221 ++ if (real == curuid)
20222 ++ realok = 1;
20223 ++ if (effective == curuid)
20224 ++ effectiveok = 1;
20225 ++ if (fs == curuid)
20226 ++ fsok = 1;
20227 ++ }
20228 ++ } else if (current->acl->user_trans_type & GR_ID_DENY) {
20229 ++ for (i = 0; i < num; i++) {
20230 ++ curuid = (int)uidlist[i];
20231 ++ if (real == curuid)
20232 ++ break;
20233 ++ if (effective == curuid)
20234 ++ break;
20235 ++ if (fs == curuid)
20236 ++ break;
20237 ++ }
20238 ++ /* not in deny list */
20239 ++ if (i == num) {
20240 ++ realok = 1;
20241 ++ effectiveok = 1;
20242 ++ fsok = 1;
20243 ++ }
20244 ++ }
20245 ++
20246 ++ if (realok && effectiveok && fsok)
20247 ++ return 0;
20248 ++ else {
20249 ++ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20250 ++ return 1;
20251 ++ }
20252 ++}
20253 ++
20254 ++int
20255 ++gr_check_group_change(int real, int effective, int fs)
20256 ++{
20257 ++ unsigned int i;
20258 ++ __u16 num;
20259 ++ gid_t *gidlist;
20260 ++ int curgid;
20261 ++ int realok = 0;
20262 ++ int effectiveok = 0;
20263 ++ int fsok = 0;
20264 ++
20265 ++ if (unlikely(!(gr_status & GR_READY)))
20266 ++ return 0;
20267 ++
20268 ++ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
20269 ++ gr_log_learn_id_change(current, 'g', real, effective, fs);
20270 ++
20271 ++ num = current->acl->group_trans_num;
20272 ++ gidlist = current->acl->group_transitions;
20273 ++
20274 ++ if (gidlist == NULL)
20275 ++ return 0;
20276 ++
20277 ++ if (real == -1)
20278 ++ realok = 1;
20279 ++ if (effective == -1)
20280 ++ effectiveok = 1;
20281 ++ if (fs == -1)
20282 ++ fsok = 1;
20283 ++
20284 ++ if (current->acl->group_trans_type & GR_ID_ALLOW) {
20285 ++ for (i = 0; i < num; i++) {
20286 ++ curgid = (int)gidlist[i];
20287 ++ if (real == curgid)
20288 ++ realok = 1;
20289 ++ if (effective == curgid)
20290 ++ effectiveok = 1;
20291 ++ if (fs == curgid)
20292 ++ fsok = 1;
20293 ++ }
20294 ++ } else if (current->acl->group_trans_type & GR_ID_DENY) {
20295 ++ for (i = 0; i < num; i++) {
20296 ++ curgid = (int)gidlist[i];
20297 ++ if (real == curgid)
20298 ++ break;
20299 ++ if (effective == curgid)
20300 ++ break;
20301 ++ if (fs == curgid)
20302 ++ break;
20303 ++ }
20304 ++ /* not in deny list */
20305 ++ if (i == num) {
20306 ++ realok = 1;
20307 ++ effectiveok = 1;
20308 ++ fsok = 1;
20309 ++ }
20310 ++ }
20311 ++
20312 ++ if (realok && effectiveok && fsok)
20313 ++ return 0;
20314 ++ else {
20315 ++ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
20316 ++ return 1;
20317 ++ }
20318 ++}
20319 ++
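Review bot: in the GR_ID_DENY branch of gr_check_user_change and gr_check_group_change the logged id can be the wrong one. The loop breaks on the first denied id without recording which of real/effective/fs matched, and all three ok flags then stay at whatever the `== -1` sentinel checks set them to, so `realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real` reports the first id that was not -1 rather than the id that hit the deny list (for real == -1, effective allowed, fs denied the message names `effective`). Track which id matched in the loop and log that one. The two functions are also line-for-line identical apart from the uid/gid field names; a single helper taking the list, count and transition type would keep future fixes from having to be made twice.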
20320 ++void
20321 ++gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
20322 ++{
20323 ++ struct acl_role_label *role = task->role;
20324 ++ struct acl_subject_label *subj = NULL;
20325 ++ struct acl_object_label *obj;
20326 ++ struct file *filp;
20327 ++
20328 ++ if (unlikely(!(gr_status & GR_READY)))
20329 ++ return;
20330 ++
20331 ++ filp = task->exec_file;
20332 ++
20333 ++ /* kernel process, we'll give them the kernel role */
20334 ++ if (unlikely(!filp)) {
20335 ++ task->role = kernel_role;
20336 ++ task->acl = kernel_role->root_label;
20337 ++ return;
20338 ++ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
20339 ++ role = lookup_acl_role_label(task, uid, gid);
20340 ++
20341 ++ /* perform subject lookup in possibly new role
20342 ++ we can use this result below in the case where role == task->role
20343 ++ */
20344 ++ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
20345 ++
20346 ++ /* if we changed uid/gid, but result in the same role
20347 ++ and are using inheritance, don't lose the inherited subject
20348 ++ if current subject is other than what normal lookup
20349 ++ would result in, we arrived via inheritance, don't
20350 ++ lose subject
20351 ++ */
20352 ++ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
20353 ++ (subj == task->acl)))
20354 ++ task->acl = subj;
20355 ++
20356 ++ task->role = role;
20357 ++
20358 ++ task->is_writable = 0;
20359 ++
20360 ++ /* ignore additional mmap checks for processes that are writable
20361 ++ by the default ACL */
20362 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20363 ++ if (unlikely(obj->mode & GR_WRITE))
20364 ++ task->is_writable = 1;
20365 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
20366 ++ if (unlikely(obj->mode & GR_WRITE))
20367 ++ task->is_writable = 1;
20368 ++
20369 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20370 ++ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20371 ++#endif
20372 ++
20373 ++ gr_set_proc_res(task);
20374 ++
20375 ++ return;
20376 ++}
20377 ++
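Review bot: the second disjunct in gr_set_role_label is a no-op. `if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) && (subj == task->acl))) task->acl = subj;` only assigns when `subj` is already `task->acl`, so the subject is in fact replaced only when the role changes, which is what the comment above describes for the inheritance case. Either reduce the condition to `if (role != task->role)` and say so in the comment, or, if a subject swap was intended for the non-inheritlearn same-role case, the comparison should not be `subj == task->acl`.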
20378 ++int
20379 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
20380 ++{
20381 ++ struct task_struct *task = current;
20382 ++ struct acl_subject_label *newacl;
20383 ++ struct acl_object_label *obj;
20384 ++ __u32 retmode;
20385 ++
20386 ++ if (unlikely(!(gr_status & GR_READY)))
20387 ++ return 0;
20388 ++
20389 ++ newacl = chk_subj_label(dentry, mnt, task->role);
20390 ++
20391 ++ task_lock(task);
20392 ++ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
20393 ++ GR_POVERRIDE) && (task->acl != newacl) &&
20394 ++ !(task->role->roletype & GR_ROLE_GOD) &&
20395 ++ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
20396 ++ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
20397 ++ (atomic_read(&task->fs->count) > 1 ||
20398 ++ atomic_read(&task->files->count) > 1 ||
20399 ++ atomic_read(&task->sighand->count) > 1)) {
20400 ++ task_unlock(task);
20401 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
20402 ++ return -EACCES;
20403 ++ }
20404 ++ task_unlock(task);
20405 ++
20406 ++ obj = chk_obj_label(dentry, mnt, task->acl);
20407 ++ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
20408 ++
20409 ++ if (!(task->acl->mode & GR_INHERITLEARN) &&
20410 ++ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
20411 ++ if (obj->nested)
20412 ++ task->acl = obj->nested;
20413 ++ else
20414 ++ task->acl = newacl;
20415 ++ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
20416 ++ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
20417 ++
20418 ++ task->is_writable = 0;
20419 ++
20420 ++ /* ignore additional mmap checks for processes that are writable
20421 ++ by the default ACL */
20422 ++ obj = chk_obj_label(dentry, mnt, default_role->root_label);
20423 ++ if (unlikely(obj->mode & GR_WRITE))
20424 ++ task->is_writable = 1;
20425 ++ obj = chk_obj_label(dentry, mnt, task->role->root_label);
20426 ++ if (unlikely(obj->mode & GR_WRITE))
20427 ++ task->is_writable = 1;
20428 ++
20429 ++ gr_set_proc_res(task);
20430 ++
20431 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20432 ++ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
20433 ++#endif
20434 ++ return 0;
20435 ++}
20436 ++
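Review bot: in gr_set_proc_label the shared-resource clause `(atomic_read(&task->fs->count) > 1 || atomic_read(&task->files->count) > 1 || atomic_read(&task->sighand->count) > 1)` is OR'd in on its own, so exec is refused even when `task->acl == newacl`, when the subject has GR_POVERRIDE, or when the role is GR_ROLE_GOD, none of which exempt it the way they exempt the ptrace clause; and the refusal is logged as GR_PTRACE_EXEC_ACL_MSG, which misleads the admin when no tracer is involved. If the stricter behaviour for shared fs/files/sighand is intended, use a distinct log message and state the reason in a comment; otherwise apply the same exemptions as the ptrace clause.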
20437 ++/* always called with valid inodev ptr */
20438 ++static void
20439 ++do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
20440 ++{
20441 ++ struct acl_object_label *matchpo;
20442 ++ struct acl_subject_label *matchps;
20443 ++ struct acl_subject_label *subj;
20444 ++ struct acl_role_label *role;
20445 ++ unsigned int i, x;
20446 ++
20447 ++ FOR_EACH_ROLE_START(role, i)
20448 ++ FOR_EACH_SUBJECT_START(role, subj, x)
20449 ++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
20450 ++ matchpo->mode |= GR_DELETED;
20451 ++ FOR_EACH_SUBJECT_END(subj,x)
20452 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
20453 ++ if (subj->inode == ino && subj->device == dev)
20454 ++ subj->mode |= GR_DELETED;
20455 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
20456 ++ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
20457 ++ matchps->mode |= GR_DELETED;
20458 ++ FOR_EACH_ROLE_END(role,i)
20459 ++
20460 ++ inodev->nentry->deleted = 1;
20461 ++
20462 ++ return;
20463 ++}
20464 ++
20465 ++void
20466 ++gr_handle_delete(const ino_t ino, const dev_t dev)
20467 ++{
20468 ++ struct inodev_entry *inodev;
20469 ++
20470 ++ if (unlikely(!(gr_status & GR_READY)))
20471 ++ return;
20472 ++
20473 ++ write_lock(&gr_inode_lock);
20474 ++ inodev = lookup_inodev_entry(ino, dev);
20475 ++ if (inodev != NULL)
20476 ++ do_handle_delete(inodev, ino, dev);
20477 ++ write_unlock(&gr_inode_lock);
20478 ++
20479 ++ return;
20480 ++}
20481 ++
20482 ++static void
20483 ++update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
20484 ++ const ino_t newinode, const dev_t newdevice,
20485 ++ struct acl_subject_label *subj)
20486 ++{
20487 ++ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
20488 ++ struct acl_object_label *match;
20489 ++
20490 ++ match = subj->obj_hash[index];
20491 ++
20492 ++ while (match && (match->inode != oldinode ||
20493 ++ match->device != olddevice ||
20494 ++ !(match->mode & GR_DELETED)))
20495 ++ match = match->next;
20496 ++
20497 ++ if (match && (match->inode == oldinode)
20498 ++ && (match->device == olddevice)
20499 ++ && (match->mode & GR_DELETED)) {
20500 ++ if (match->prev == NULL) {
20501 ++ subj->obj_hash[index] = match->next;
20502 ++ if (match->next != NULL)
20503 ++ match->next->prev = NULL;
20504 ++ } else {
20505 ++ match->prev->next = match->next;
20506 ++ if (match->next != NULL)
20507 ++ match->next->prev = match->prev;
20508 ++ }
20509 ++ match->prev = NULL;
20510 ++ match->next = NULL;
20511 ++ match->inode = newinode;
20512 ++ match->device = newdevice;
20513 ++ match->mode &= ~GR_DELETED;
20514 ++
20515 ++ insert_acl_obj_label(match, subj);
20516 ++ }
20517 ++
20518 ++ return;
20519 ++}
20520 ++
20521 ++static void
20522 ++update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
20523 ++ const ino_t newinode, const dev_t newdevice,
20524 ++ struct acl_role_label *role)
20525 ++{
20526 ++ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
20527 ++ struct acl_subject_label *match;
20528 ++
20529 ++ match = role->subj_hash[index];
20530 ++
20531 ++ while (match && (match->inode != oldinode ||
20532 ++ match->device != olddevice ||
20533 ++ !(match->mode & GR_DELETED)))
20534 ++ match = match->next;
20535 ++
20536 ++ if (match && (match->inode == oldinode)
20537 ++ && (match->device == olddevice)
20538 ++ && (match->mode & GR_DELETED)) {
20539 ++ if (match->prev == NULL) {
20540 ++ role->subj_hash[index] = match->next;
20541 ++ if (match->next != NULL)
20542 ++ match->next->prev = NULL;
20543 ++ } else {
20544 ++ match->prev->next = match->next;
20545 ++ if (match->next != NULL)
20546 ++ match->next->prev = match->prev;
20547 ++ }
20548 ++ match->prev = NULL;
20549 ++ match->next = NULL;
20550 ++ match->inode = newinode;
20551 ++ match->device = newdevice;
20552 ++ match->mode &= ~GR_DELETED;
20553 ++
20554 ++ insert_acl_subj_label(match, role);
20555 ++ }
20556 ++
20557 ++ return;
20558 ++}
20559 ++
20560 ++static void
20561 ++update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
20562 ++ const ino_t newinode, const dev_t newdevice)
20563 ++{
20564 ++ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
20565 ++ struct inodev_entry *match;
20566 ++
20567 ++ match = inodev_set.i_hash[index];
20568 ++
20569 ++ while (match && (match->nentry->inode != oldinode ||
20570 ++ match->nentry->device != olddevice || !match->nentry->deleted))
20571 ++ match = match->next;
20572 ++
20573 ++ if (match && (match->nentry->inode == oldinode)
20574 ++ && (match->nentry->device == olddevice) &&
20575 ++ match->nentry->deleted) {
20576 ++ if (match->prev == NULL) {
20577 ++ inodev_set.i_hash[index] = match->next;
20578 ++ if (match->next != NULL)
20579 ++ match->next->prev = NULL;
20580 ++ } else {
20581 ++ match->prev->next = match->next;
20582 ++ if (match->next != NULL)
20583 ++ match->next->prev = match->prev;
20584 ++ }
20585 ++ match->prev = NULL;
20586 ++ match->next = NULL;
20587 ++ match->nentry->inode = newinode;
20588 ++ match->nentry->device = newdevice;
20589 ++ match->nentry->deleted = 0;
20590 ++
20591 ++ insert_inodev_entry(match);
20592 ++ }
20593 ++
20594 ++ return;
20595 ++}
20596 ++
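Review bot: update_acl_obj_label, update_acl_subj_label and update_inodev_entry each re-test after the while loop what the loop already guarantees, e.g. `if (match && (match->inode == oldinode) && (match->device == olddevice) && (match->mode & GR_DELETED))` after a loop that only exits when `match` is NULL or all three hold; `if (match)` is sufficient. The hash-chain unlink (`match->prev == NULL` / `match->prev->next = match->next` / `match->next->prev`) is also triplicated verbatim; a small unlink helper would remove the duplication and keep the three paths from diverging.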
20597 ++static void
20598 ++do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
20599 ++ const struct vfsmount *mnt)
20600 ++{
20601 ++ struct acl_subject_label *subj;
20602 ++ struct acl_role_label *role;
20603 ++ unsigned int i, x;
20604 ++
20605 ++ FOR_EACH_ROLE_START(role, i)
20606 ++ update_acl_subj_label(matchn->inode, matchn->device,
20607 ++ dentry->d_inode->i_ino,
20608 ++ dentry->d_inode->i_sb->s_dev, role);
20609 ++
20610 ++ FOR_EACH_NESTED_SUBJECT_START(role, subj)
20611 ++ if ((subj->inode == dentry->d_inode->i_ino) &&
20612 ++ (subj->device == dentry->d_inode->i_sb->s_dev)) {
20613 ++ subj->inode = dentry->d_inode->i_ino;
20614 ++ subj->device = dentry->d_inode->i_sb->s_dev;
20615 ++ }
20616 ++ FOR_EACH_NESTED_SUBJECT_END(subj)
20617 ++ FOR_EACH_SUBJECT_START(role, subj, x)
20618 ++ update_acl_obj_label(matchn->inode, matchn->device,
20619 ++ dentry->d_inode->i_ino,
20620 ++ dentry->d_inode->i_sb->s_dev, subj);
20621 ++ FOR_EACH_SUBJECT_END(subj,x)
20622 ++ FOR_EACH_ROLE_END(role,i)
20623 ++
20624 ++ update_inodev_entry(matchn->inode, matchn->device,
20625 ++ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
20626 ++
20627 ++ return;
20628 ++}
20629 ++
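Review bot: the nested-subject loop in do_handle_create compares against the new inode and then assigns the same values, so it never changes anything: `if ((subj->inode == dentry->d_inode->i_ino) && (subj->device == dentry->d_inode->i_sb->s_dev)) { subj->inode = dentry->d_inode->i_ino; subj->device = dentry->d_inode->i_sb->s_dev; }`. do_handle_delete marks nested subjects by their old identity (`subj->inode == ino && subj->device == dev`) and sets GR_DELETED, so the create side should match on `matchn->inode` / `matchn->device`, assign the new inode/device, and clear GR_DELETED, as update_acl_subj_label does for top-level subjects. As written, a nested subject whose file is deleted and recreated keeps GR_DELETED and the stale inode.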
20630 ++void
20631 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
20632 ++{
20633 ++ struct name_entry *matchn;
20634 ++
20635 ++ if (unlikely(!(gr_status & GR_READY)))
20636 ++ return;
20637 ++
20638 ++ preempt_disable();
20639 ++ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
20640 ++
20641 ++ if (unlikely((unsigned long)matchn)) {
20642 ++ write_lock(&gr_inode_lock);
20643 ++ do_handle_create(matchn, dentry, mnt);
20644 ++ write_unlock(&gr_inode_lock);
20645 ++ }
20646 ++ preempt_enable();
20647 ++
20648 ++ return;
20649 ++}
20650 ++
20651 ++void
20652 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
20653 ++ struct dentry *old_dentry,
20654 ++ struct dentry *new_dentry,
20655 ++ struct vfsmount *mnt, const __u8 replace)
20656 ++{
20657 ++ struct name_entry *matchn;
20658 ++ struct inodev_entry *inodev;
20659 ++
20660 ++ /* vfs_rename swaps the name and parent link for old_dentry and
20661 ++ new_dentry
20662 ++ at this point, old_dentry has the new name, parent link, and inode
20663 ++ for the renamed file
20664 ++ if a file is being replaced by a rename, new_dentry has the inode
20665 ++ and name for the replaced file
20666 ++ */
20667 ++
20668 ++ if (unlikely(!(gr_status & GR_READY)))
20669 ++ return;
20670 ++
20671 ++ preempt_disable();
20672 ++ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
20673 ++
20674 ++ /* we wouldn't have to check d_inode if it weren't for
20675 ++ NFS silly-renaming
20676 ++ */
20677 ++
20678 ++ write_lock(&gr_inode_lock);
20679 ++ if (unlikely(replace && new_dentry->d_inode)) {
20680 ++ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
20681 ++ new_dentry->d_inode->i_sb->s_dev);
20682 ++ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
20683 ++ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
20684 ++ new_dentry->d_inode->i_sb->s_dev);
20685 ++ }
20686 ++
20687 ++ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
20688 ++ old_dentry->d_inode->i_sb->s_dev);
20689 ++ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
20690 ++ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
20691 ++ old_dentry->d_inode->i_sb->s_dev);
20692 ++
20693 ++ if (unlikely((unsigned long)matchn))
20694 ++ do_handle_create(matchn, old_dentry, mnt);
20695 ++
20696 ++ write_unlock(&gr_inode_lock);
20697 ++ preempt_enable();
20698 ++
20699 ++ return;
20700 ++}
20701 ++
20702 ++static int
20703 ++lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
20704 ++ unsigned char **sum)
20705 ++{
20706 ++ struct acl_role_label *r;
20707 ++ struct role_allowed_ip *ipp;
20708 ++ struct role_transition *trans;
20709 ++ unsigned int i;
20710 ++ int found = 0;
20711 ++
20712 ++ /* check transition table */
20713 ++
20714 ++ for (trans = current->role->transitions; trans; trans = trans->next) {
20715 ++ if (!strcmp(rolename, trans->rolename)) {
20716 ++ found = 1;
20717 ++ break;
20718 ++ }
20719 ++ }
20720 ++
20721 ++ if (!found)
20722 ++ return 0;
20723 ++
20724 ++ /* handle special roles that do not require authentication
20725 ++ and check ip */
20726 ++
20727 ++ FOR_EACH_ROLE_START(r, i)
20728 ++ if (!strcmp(rolename, r->rolename) &&
20729 ++ (r->roletype & GR_ROLE_SPECIAL)) {
20730 ++ found = 0;
20731 ++ if (r->allowed_ips != NULL) {
20732 ++ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
20733 ++ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
20734 ++ (ntohl(ipp->addr) & ipp->netmask))
20735 ++ found = 1;
20736 ++ }
20737 ++ } else
20738 ++ found = 2;
20739 ++ if (!found)
20740 ++ return 0;
20741 ++
20742 ++ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
20743 ++ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
20744 ++ *salt = NULL;
20745 ++ *sum = NULL;
20746 ++ return 1;
20747 ++ }
20748 ++ }
20749 ++ FOR_EACH_ROLE_END(r,i)
20750 ++
20751 ++ for (i = 0; i < num_sprole_pws; i++) {
20752 ++ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
20753 ++ *salt = acl_special_roles[i]->salt;
20754 ++ *sum = acl_special_roles[i]->sum;
20755 ++ return 1;
20756 ++ }
20757 ++ }
20758 ++
20759 ++ return 0;
20760 ++}
20761 ++
20762 ++static void
20763 ++assign_special_role(char *rolename)
20764 ++{
20765 ++ struct acl_object_label *obj;
20766 ++ struct acl_role_label *r;
20767 ++ struct acl_role_label *assigned = NULL;
20768 ++ struct task_struct *tsk;
20769 ++ struct file *filp;
20770 ++ unsigned int i;
20771 ++
20772 ++ FOR_EACH_ROLE_START(r, i)
20773 ++ if (!strcmp(rolename, r->rolename) &&
20774 ++ (r->roletype & GR_ROLE_SPECIAL))
20775 ++ assigned = r;
20776 ++ FOR_EACH_ROLE_END(r,i)
20777 ++
20778 ++ if (!assigned)
20779 ++ return;
20780 ++
20781 ++ read_lock(&tasklist_lock);
20782 ++ read_lock(&grsec_exec_file_lock);
20783 ++
20784 ++ tsk = current->parent;
20785 ++ if (tsk == NULL)
20786 ++ goto out_unlock;
20787 ++
20788 ++ filp = tsk->exec_file;
20789 ++ if (filp == NULL)
20790 ++ goto out_unlock;
20791 ++
20792 ++ tsk->is_writable = 0;
20793 ++
20794 ++ tsk->acl_sp_role = 1;
20795 ++ tsk->acl_role_id = ++acl_sp_role_value;
20796 ++ tsk->role = assigned;
20797 ++ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
20798 ++
20799 ++ /* ignore additional mmap checks for processes that are writable
20800 ++ by the default ACL */
20801 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
20802 ++ if (unlikely(obj->mode & GR_WRITE))
20803 ++ tsk->is_writable = 1;
20804 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
20805 ++ if (unlikely(obj->mode & GR_WRITE))
20806 ++ tsk->is_writable = 1;
20807 ++
20808 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
20809 ++ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
20810 ++#endif
20811 ++
20812 ++out_unlock:
20813 ++ read_unlock(&grsec_exec_file_lock);
20814 ++ read_unlock(&tasklist_lock);
20815 ++ return;
20816 ++}
20817 ++
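Review bot: assign_special_role uses `tsk = current->parent;`, which is the tracer rather than the real parent while the caller is ptraced; the special role would then be handed to whoever is tracing the authenticating process instead of the invoking shell. Unless ptrace of that process is ruled out elsewhere, `current->real_parent` is the task the comment in the debug printk refers to. Separately, after `tsk->role = assigned; tsk->acl = chk_subj_label(...)` this path does not call gr_set_proc_res(tsk) the way gr_set_role_label and gr_set_proc_label do after a role/subject switch, so the special subject's resource limits are not applied until the next exec; call it here or note why it is skipped.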
20818 ++int gr_check_secure_terminal(struct task_struct *task)
20819 ++{
20820 ++ struct task_struct *p, *p2, *p3;
20821 ++ struct files_struct *files;
20822 ++ struct fdtable *fdt;
20823 ++ struct file *our_file = NULL, *file;
20824 ++ int i;
20825 ++
20826 ++ if (task->signal->tty == NULL)
20827 ++ return 1;
20828 ++
20829 ++ files = get_files_struct(task);
20830 ++ if (files != NULL) {
20831 ++ rcu_read_lock();
20832 ++ fdt = files_fdtable(files);
20833 ++ for (i=0; i < fdt->max_fds; i++) {
20834 ++ file = fcheck_files(files, i);
20835 ++ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
20836 ++ get_file(file);
20837 ++ our_file = file;
20838 ++ }
20839 ++ }
20840 ++ rcu_read_unlock();
20841 ++ put_files_struct(files);
20842 ++ }
20843 ++
20844 ++ if (our_file == NULL)
20845 ++ return 1;
20846 ++
20847 ++ read_lock(&tasklist_lock);
20848 ++ do_each_thread(p2, p) {
20849 ++ files = get_files_struct(p);
20850 ++ if (files == NULL ||
20851 ++ (p->signal && p->signal->tty == task->signal->tty)) {
20852 ++ if (files != NULL)
20853 ++ put_files_struct(files);
20854 ++ continue;
20855 ++ }
20856 ++ rcu_read_lock();
20857 ++ fdt = files_fdtable(files);
20858 ++ for (i=0; i < fdt->max_fds; i++) {
20859 ++ file = fcheck_files(files, i);
20860 ++ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
20861 ++ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
20862 ++ p3 = task;
20863 ++ while (p3->pid > 0) {
20864 ++ if (p3 == p)
20865 ++ break;
20866 ++ p3 = p3->parent;
20867 ++ }
20868 ++ if (p3 == p)
20869 ++ break;
20870 ++ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
20871 ++ gr_handle_alertkill(p);
20872 ++ rcu_read_unlock();
20873 ++ put_files_struct(files);
20874 ++ read_unlock(&tasklist_lock);
20875 ++ fput(our_file);
20876 ++ return 0;
20877 ++ }
20878 ++ }
20879 ++ rcu_read_unlock();
20880 ++ put_files_struct(files);
20881 ++ } while_each_thread(p2, p);
20882 ++ read_unlock(&tasklist_lock);
20883 ++
20884 ++ fput(our_file);
20885 ++ return 1;
20886 ++}
20887 ++
20888 ++ssize_t
20889 ++write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
20890 ++{
20891 ++ struct gr_arg_wrapper uwrap;
20892 ++ unsigned char *sprole_salt;
20893 ++ unsigned char *sprole_sum;
20894 ++ int error = sizeof (struct gr_arg_wrapper);
20895 ++ int error2 = 0;
20896 ++
20897 ++ down(&gr_dev_sem);
20898 ++
20899 ++ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
20900 ++ error = -EPERM;
20901 ++ goto out;
20902 ++ }
20903 ++
20904 ++ if (count != sizeof (struct gr_arg_wrapper)) {
20905 ++ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
20906 ++ error = -EINVAL;
20907 ++ goto out;
20908 ++ }
20909 ++
20910 ++
20911 ++ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
20912 ++ gr_auth_expires = 0;
20913 ++ gr_auth_attempts = 0;
20914 ++ }
20915 ++
20916 ++ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
20917 ++ error = -EFAULT;
20918 ++ goto out;
20919 ++ }
20920 ++
20921 ++ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
20922 ++ error = -EINVAL;
20923 ++ goto out;
20924 ++ }
20925 ++
20926 ++ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
20927 ++ error = -EFAULT;
20928 ++ goto out;
20929 ++ }
20930 ++
20931 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
20932 ++ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
20933 ++ time_after(gr_auth_expires, get_seconds())) {
20934 ++ error = -EBUSY;
20935 ++ goto out;
20936 ++ }
20937 ++
20938 ++ /* if non-root trying to do anything other than use a special role,
20939 ++ do not attempt authentication, do not count towards authentication
20940 ++ locking
20941 ++ */
20942 ++
20943 ++ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
20944 ++ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
20945 ++ current->uid) {
20946 ++ error = -EPERM;
20947 ++ goto out;
20948 ++ }
20949 ++
20950 ++ /* ensure pw and special role name are null terminated */
20951 ++
20952 ++ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
20953 ++ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
20954 ++
20955 ++ /* Okay.
20956 ++ * We have our enough of the argument structure..(we have yet
20957 ++ * to copy_from_user the tables themselves) . Copy the tables
20958 ++ * only if we need them, i.e. for loading operations. */
20959 ++
20960 ++ switch (gr_usermode->mode) {
20961 ++ case STATUS:
20962 ++ if (gr_status & GR_READY) {
20963 ++ error = 1;
20964 ++ if (!gr_check_secure_terminal(current))
20965 ++ error = 3;
20966 ++ } else
20967 ++ error = 2;
20968 ++ goto out;
20969 ++ case SHUTDOWN:
20970 ++ if ((gr_status & GR_READY)
20971 ++ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
20972 ++ gr_status &= ~GR_READY;
20973 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
20974 ++ free_variables();
20975 ++ memset(gr_usermode, 0, sizeof (struct gr_arg));
20976 ++ memset(gr_system_salt, 0, GR_SALT_LEN);
20977 ++ memset(gr_system_sum, 0, GR_SHA_LEN);
20978 ++ } else if (gr_status & GR_READY) {
20979 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
20980 ++ error = -EPERM;
20981 ++ } else {
20982 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
20983 ++ error = -EAGAIN;
20984 ++ }
20985 ++ break;
20986 ++ case ENABLE:
20987 ++ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
20988 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
20989 ++ else {
20990 ++ if (gr_status & GR_READY)
20991 ++ error = -EAGAIN;
20992 ++ else
20993 ++ error = error2;
20994 ++ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
20995 ++ }
20996 ++ break;
20997 ++ case RELOAD:
20998 ++ if (!(gr_status & GR_READY)) {
20999 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
21000 ++ error = -EAGAIN;
21001 ++ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21002 ++ lock_kernel();
21003 ++ gr_status &= ~GR_READY;
21004 ++ free_variables();
21005 ++ if (!(error2 = gracl_init(gr_usermode))) {
21006 ++ unlock_kernel();
21007 ++ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
21008 ++ } else {
21009 ++ unlock_kernel();
21010 ++ error = error2;
21011 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21012 ++ }
21013 ++ } else {
21014 ++ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
21015 ++ error = -EPERM;
21016 ++ }
21017 ++ break;
21018 ++ case SEGVMOD:
21019 ++ if (unlikely(!(gr_status & GR_READY))) {
21020 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
21021 ++ error = -EAGAIN;
21022 ++ break;
21023 ++ }
21024 ++
21025 ++ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
21026 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
21027 ++ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
21028 ++ struct acl_subject_label *segvacl;
21029 ++ segvacl =
21030 ++ lookup_acl_subj_label(gr_usermode->segv_inode,
21031 ++ gr_usermode->segv_device,
21032 ++ current->role);
21033 ++ if (segvacl) {
21034 ++ segvacl->crashes = 0;
21035 ++ segvacl->expires = 0;
21036 ++ }
21037 ++ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
21038 ++ gr_remove_uid(gr_usermode->segv_uid);
21039 ++ }
21040 ++ } else {
21041 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
21042 ++ error = -EPERM;
21043 ++ }
21044 ++ break;
21045 ++ case SPROLE:
21046 ++ case SPROLEPAM:
21047 ++ if (unlikely(!(gr_status & GR_READY))) {
21048 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
21049 ++ error = -EAGAIN;
21050 ++ break;
21051 ++ }
21052 ++
21053 ++ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
21054 ++ current->role->expires = 0;
21055 ++ current->role->auth_attempts = 0;
21056 ++ }
21057 ++
21058 ++ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
21059 ++ time_after(current->role->expires, get_seconds())) {
21060 ++ error = -EBUSY;
21061 ++ goto out;
21062 ++ }
21063 ++
21064 ++ if (lookup_special_role_auth
21065 ++ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
21066 ++ && ((!sprole_salt && !sprole_sum)
21067 ++ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
21068 ++ char *p = "";
21069 ++ assign_special_role(gr_usermode->sp_role);
21070 ++ read_lock(&tasklist_lock);
21071 ++ if (current->parent)
21072 ++ p = current->parent->role->rolename;
21073 ++ read_unlock(&tasklist_lock);
21074 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
21075 ++ p, acl_sp_role_value);
21076 ++ } else {
21077 ++ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
21078 ++ error = -EPERM;
21079 ++ if(!(current->role->auth_attempts++))
21080 ++ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21081 ++
21082 ++ goto out;
21083 ++ }
21084 ++ break;
21085 ++ case UNSPROLE:
21086 ++ if (unlikely(!(gr_status & GR_READY))) {
21087 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
21088 ++ error = -EAGAIN;
21089 ++ break;
21090 ++ }
21091 ++
21092 ++ if (current->role->roletype & GR_ROLE_SPECIAL) {
21093 ++ char *p = "";
21094 ++ int i = 0;
21095 ++
21096 ++ read_lock(&tasklist_lock);
21097 ++ if (current->parent) {
21098 ++ p = current->parent->role->rolename;
21099 ++ i = current->parent->acl_role_id;
21100 ++ }
21101 ++ read_unlock(&tasklist_lock);
21102 ++
21103 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
21104 ++ gr_set_acls(1);
21105 ++ } else {
21106 ++ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
21107 ++ error = -EPERM;
21108 ++ goto out;
21109 ++ }
21110 ++ break;
21111 ++ default:
21112 ++ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
21113 ++ error = -EINVAL;
21114 ++ break;
21115 ++ }
21116 ++
21117 ++ if (error != -EPERM)
21118 ++ goto out;
21119 ++
21120 ++ if(!(gr_auth_attempts++))
21121 ++ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
21122 ++
21123 ++ out:
21124 ++ up(&gr_dev_sem);
21125 ++ return error;
21126 ++}
21127 ++
21128 ++int
21129 ++gr_set_acls(const int type)
21130 ++{
21131 ++ struct acl_object_label *obj;
21132 ++ struct task_struct *task, *task2;
21133 ++ struct file *filp;
21134 ++ struct acl_role_label *role = current->role;
21135 ++ __u16 acl_role_id = current->acl_role_id;
21136 ++
21137 ++ read_lock(&tasklist_lock);
21138 ++ read_lock(&grsec_exec_file_lock);
21139 ++ do_each_thread(task2, task) {
21140 ++ /* check to see if we're called from the exit handler,
21141 ++ if so, only replace ACLs that have inherited the admin
21142 ++ ACL */
21143 ++
21144 ++ if (type && (task->role != role ||
21145 ++ task->acl_role_id != acl_role_id))
21146 ++ continue;
21147 ++
21148 ++ task->acl_role_id = 0;
21149 ++ task->acl_sp_role = 0;
21150 ++
21151 ++ if ((filp = task->exec_file)) {
21152 ++ task->role = lookup_acl_role_label(task, task->uid, task->gid);
21153 ++
21154 ++ task->acl =
21155 ++ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
21156 ++ task->role);
21157 ++ if (task->acl) {
21158 ++ struct acl_subject_label *curr;
21159 ++ curr = task->acl;
21160 ++
21161 ++ task->is_writable = 0;
21162 ++ /* ignore additional mmap checks for processes that are writable
21163 ++ by the default ACL */
21164 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21165 ++ if (unlikely(obj->mode & GR_WRITE))
21166 ++ task->is_writable = 1;
21167 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
21168 ++ if (unlikely(obj->mode & GR_WRITE))
21169 ++ task->is_writable = 1;
21170 ++
21171 ++ gr_set_proc_res(task);
21172 ++
21173 ++#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
21174 ++ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
21175 ++#endif
21176 ++ } else {
21177 ++ read_unlock(&grsec_exec_file_lock);
21178 ++ read_unlock(&tasklist_lock);
21179 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
21180 ++ return 1;
21181 ++ }
21182 ++ } else {
21183 ++ // it's a kernel process
21184 ++ task->role = kernel_role;
21185 ++ task->acl = kernel_role->root_label;
21186 ++#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
21187 ++ task->acl->mode &= ~GR_PROCFIND;
21188 ++#endif
21189 ++ }
21190 ++ } while_each_thread(task2, task);
21191 ++ read_unlock(&grsec_exec_file_lock);
21192 ++ read_unlock(&tasklist_lock);
21193 ++ return 0;
21194 ++}
21195 ++
21196 ++void
21197 ++gr_learn_resource(const struct task_struct *task,
21198 ++ const int res, const unsigned long wanted, const int gt)
21199 ++{
21200 ++ struct acl_subject_label *acl;
21201 ++
21202 ++ if (unlikely((gr_status & GR_READY) &&
21203 ++ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
21204 ++ goto skip_reslog;
21205 ++
21206 ++#ifdef CONFIG_GRKERNSEC_RESLOG
21207 ++ gr_log_resource(task, res, wanted, gt);
21208 ++#endif
21209 ++ skip_reslog:
21210 ++
21211 ++ if (unlikely(!(gr_status & GR_READY) || !wanted))
21212 ++ return;
21213 ++
21214 ++ acl = task->acl;
21215 ++
21216 ++ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
21217 ++ !(acl->resmask & (1 << (unsigned short) res))))
21218 ++ return;
21219 ++
21220 ++ if (wanted >= acl->res[res].rlim_cur) {
21221 ++ unsigned long res_add;
21222 ++
21223 ++ res_add = wanted;
21224 ++ switch (res) {
21225 ++ case RLIMIT_CPU:
21226 ++ res_add += GR_RLIM_CPU_BUMP;
21227 ++ break;
21228 ++ case RLIMIT_FSIZE:
21229 ++ res_add += GR_RLIM_FSIZE_BUMP;
21230 ++ break;
21231 ++ case RLIMIT_DATA:
21232 ++ res_add += GR_RLIM_DATA_BUMP;
21233 ++ break;
21234 ++ case RLIMIT_STACK:
21235 ++ res_add += GR_RLIM_STACK_BUMP;
21236 ++ break;
21237 ++ case RLIMIT_CORE:
21238 ++ res_add += GR_RLIM_CORE_BUMP;
21239 ++ break;
21240 ++ case RLIMIT_RSS:
21241 ++ res_add += GR_RLIM_RSS_BUMP;
21242 ++ break;
21243 ++ case RLIMIT_NPROC:
21244 ++ res_add += GR_RLIM_NPROC_BUMP;
21245 ++ break;
21246 ++ case RLIMIT_NOFILE:
21247 ++ res_add += GR_RLIM_NOFILE_BUMP;
21248 ++ break;
21249 ++ case RLIMIT_MEMLOCK:
21250 ++ res_add += GR_RLIM_MEMLOCK_BUMP;
21251 ++ break;
21252 ++ case RLIMIT_AS:
21253 ++ res_add += GR_RLIM_AS_BUMP;
21254 ++ break;
21255 ++ case RLIMIT_LOCKS:
21256 ++ res_add += GR_RLIM_LOCKS_BUMP;
21257 ++ break;
21258 ++ }
21259 ++
21260 ++ acl->res[res].rlim_cur = res_add;
21261 ++
21262 ++ if (wanted > acl->res[res].rlim_max)
21263 ++ acl->res[res].rlim_max = res_add;
21264 ++
21265 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21266 ++ task->role->roletype, acl->filename,
21267 ++ acl->res[res].rlim_cur, acl->res[res].rlim_max,
21268 ++ "", (unsigned long) res);
21269 ++ }
21270 ++
21271 ++ return;
21272 ++}
21273 ++
21274 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
21275 ++void
21276 ++pax_set_initial_flags(struct linux_binprm *bprm)
21277 ++{
21278 ++ struct task_struct *task = current;
21279 ++ struct acl_subject_label *proc;
21280 ++ unsigned long flags;
21281 ++
21282 ++ if (unlikely(!(gr_status & GR_READY)))
21283 ++ return;
21284 ++
21285 ++ flags = pax_get_flags(task);
21286 ++
21287 ++ proc = task->acl;
21288 ++
21289 ++ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
21290 ++ flags &= ~MF_PAX_PAGEEXEC;
21291 ++ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
21292 ++ flags &= ~MF_PAX_SEGMEXEC;
21293 ++ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
21294 ++ flags &= ~MF_PAX_RANDMMAP;
21295 ++ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
21296 ++ flags &= ~MF_PAX_EMUTRAMP;
21297 ++ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
21298 ++ flags &= ~MF_PAX_MPROTECT;
21299 ++
21300 ++ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
21301 ++ flags |= MF_PAX_PAGEEXEC;
21302 ++ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
21303 ++ flags |= MF_PAX_SEGMEXEC;
21304 ++ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
21305 ++ flags |= MF_PAX_RANDMMAP;
21306 ++ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
21307 ++ flags |= MF_PAX_EMUTRAMP;
21308 ++ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
21309 ++ flags |= MF_PAX_MPROTECT;
21310 ++
21311 ++ pax_set_flags(task, flags);
21312 ++
21313 ++ return;
21314 ++}
21315 ++#endif
21316 ++
21317 ++#ifdef CONFIG_SYSCTL
21318 ++/* Eric Biederman likes breaking userland ABI and every inode-based security
21319 ++ system to save 35kb of memory */
21320 ++
21321 ++/* we modify the passed in filename, but adjust it back before returning */
21322 ++static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
21323 ++{
21324 ++ struct name_entry *nmatch;
21325 ++ char *p, *lastp = NULL;
21326 ++ struct acl_object_label *obj = NULL, *tmp;
21327 ++ struct acl_subject_label *tmpsubj;
21328 ++ int done = 0;
21329 ++ char c = '\0';
21330 ++
21331 ++ read_lock(&gr_inode_lock);
21332 ++
21333 ++ p = name + len - 1;
21334 ++ do {
21335 ++ nmatch = lookup_name_entry(name);
21336 ++ if (lastp != NULL)
21337 ++ *lastp = c;
21338 ++
21339 ++ if (nmatch == NULL)
21340 ++ goto next_component;
21341 ++ tmpsubj = current->acl;
21342 ++ do {
21343 ++ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
21344 ++ if (obj != NULL) {
21345 ++ tmp = obj->globbed;
21346 ++ while (tmp) {
21347 ++ if (!glob_match(tmp->filename, name)) {
21348 ++ obj = tmp;
21349 ++ goto found_obj;
21350 ++ }
21351 ++ tmp = tmp->next;
21352 ++ }
21353 ++ goto found_obj;
21354 ++ }
21355 ++ } while ((tmpsubj = tmpsubj->parent_subject));
21356 ++next_component:
21357 ++ /* end case */
21358 ++ if (p == name)
21359 ++ break;
21360 ++
21361 ++ while (*p != '/')
21362 ++ p--;
21363 ++ if (p == name)
21364 ++ lastp = p + 1;
21365 ++ else {
21366 ++ lastp = p;
21367 ++ p--;
21368 ++ }
21369 ++ c = *lastp;
21370 ++ *lastp = '\0';
21371 ++ } while (1);
21372 ++found_obj:
21373 ++ read_unlock(&gr_inode_lock);
21374 ++ /* obj returned will always be non-null */
21375 ++ return obj;
21376 ++}
21377 ++
21378 ++/* returns 0 when allowing, non-zero on error
21379 ++ op of 0 is used for readdir, so we don't log the names of hidden files
21380 ++*/
21381 ++__u32
21382 ++gr_handle_sysctl(const struct ctl_table *table, const int op)
21383 ++{
21384 ++ ctl_table *tmp;
21385 ++ struct nameidata nd;
21386 ++ const char *proc_sys = "/proc/sys";
21387 ++ char *path;
21388 ++ struct acl_object_label *obj;
21389 ++ unsigned short len = 0, pos = 0, depth = 0, i;
21390 ++ __u32 err = 0;
21391 ++ __u32 mode = 0;
21392 ++
21393 ++ if (unlikely(!(gr_status & GR_READY)))
21394 ++ return 0;
21395 ++
21396 ++ /* for now, ignore operations on non-sysctl entries if it's not a
21397 ++ readdir*/
21398 ++ if (table->child != NULL && op != 0)
21399 ++ return 0;
21400 ++
21401 ++ mode |= GR_FIND;
21402 ++ /* it's only a read if it's an entry, read on dirs is for readdir */
21403 ++ if (op & 004)
21404 ++ mode |= GR_READ;
21405 ++ if (op & 002)
21406 ++ mode |= GR_WRITE;
21407 ++
21408 ++ preempt_disable();
21409 ++
21410 ++ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
21411 ++
21412 ++ /* it's only a read/write if it's an actual entry, not a dir
21413 ++ (which are opened for readdir)
21414 ++ */
21415 ++
21416 ++ /* convert the requested sysctl entry into a pathname */
21417 ++
21418 ++ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
21419 ++ len += strlen(tmp->procname);
21420 ++ len++;
21421 ++ depth++;
21422 ++ }
21423 ++
21424 ++ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
21425 ++ /* deny */
21426 ++ goto out;
21427 ++ }
21428 ++
21429 ++ memset(path, 0, PAGE_SIZE);
21430 ++
21431 ++ memcpy(path, proc_sys, strlen(proc_sys));
21432 ++
21433 ++ pos += strlen(proc_sys);
21434 ++
21435 ++ for (; depth > 0; depth--) {
21436 ++ path[pos] = '/';
21437 ++ pos++;
21438 ++ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
21439 ++ if (depth == i) {
21440 ++ memcpy(path + pos, tmp->procname,
21441 ++ strlen(tmp->procname));
21442 ++ pos += strlen(tmp->procname);
21443 ++ }
21444 ++ i++;
21445 ++ }
21446 ++ }
21447 ++
21448 ++ obj = gr_lookup_by_name(path, pos);
21449 ++ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
21450 ++
21451 ++ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
21452 ++ ((err & mode) != mode))) {
21453 ++ __u32 new_mode = mode;
21454 ++
21455 ++ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
21456 ++
21457 ++ err = 0;
21458 ++ gr_log_learn_sysctl(current, path, new_mode);
21459 ++ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
21460 ++ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
21461 ++ err = -ENOENT;
21462 ++ } else if (!(err & GR_FIND)) {
21463 ++ err = -ENOENT;
21464 ++ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
21465 ++ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
21466 ++ path, (mode & GR_READ) ? " reading" : "",
21467 ++ (mode & GR_WRITE) ? " writing" : "");
21468 ++ err = -EACCES;
21469 ++ } else if ((err & mode) != mode) {
21470 ++ err = -EACCES;
21471 ++ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
21472 ++ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
21473 ++ path, (mode & GR_READ) ? " reading" : "",
21474 ++ (mode & GR_WRITE) ? " writing" : "");
21475 ++ err = 0;
21476 ++ } else
21477 ++ err = 0;
21478 ++
21479 ++ out:
21480 ++ preempt_enable();
21481 ++
21482 ++ return err;
21483 ++}
21484 ++#endif
21485 ++
21486 ++int
21487 ++gr_handle_proc_ptrace(struct task_struct *task)
21488 ++{
21489 ++ struct file *filp;
21490 ++ struct task_struct *tmp = task;
21491 ++ struct task_struct *curtemp = current;
21492 ++ __u32 retmode;
21493 ++
21494 ++ if (unlikely(!(gr_status & GR_READY)))
21495 ++ return 0;
21496 ++
21497 ++ read_lock(&tasklist_lock);
21498 ++ read_lock(&grsec_exec_file_lock);
21499 ++ filp = task->exec_file;
21500 ++
21501 ++ while (tmp->pid > 0) {
21502 ++ if (tmp == curtemp)
21503 ++ break;
21504 ++ tmp = tmp->parent;
21505 ++ }
21506 ++
21507 ++ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
21508 ++ read_unlock(&grsec_exec_file_lock);
21509 ++ read_unlock(&tasklist_lock);
21510 ++ return 1;
21511 ++ }
21512 ++
21513 ++ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
21514 ++ read_unlock(&grsec_exec_file_lock);
21515 ++ read_unlock(&tasklist_lock);
21516 ++
21517 ++ if (retmode & GR_NOPTRACE)
21518 ++ return 1;
21519 ++
21520 ++ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
21521 ++ && (current->acl != task->acl || (current->acl != current->role->root_label
21522 ++ && current->pid != task->pid)))
21523 ++ return 1;
21524 ++
21525 ++ return 0;
21526 ++}
21527 ++
21528 ++int
21529 ++gr_handle_ptrace(struct task_struct *task, const long request)
21530 ++{
21531 ++ struct task_struct *tmp = task;
21532 ++ struct task_struct *curtemp = current;
21533 ++ __u32 retmode;
21534 ++
21535 ++ if (unlikely(!(gr_status & GR_READY)))
21536 ++ return 0;
21537 ++
21538 ++ read_lock(&tasklist_lock);
21539 ++ while (tmp->pid > 0) {
21540 ++ if (tmp == curtemp)
21541 ++ break;
21542 ++ tmp = tmp->parent;
21543 ++ }
21544 ++
21545 ++ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
21546 ++ read_unlock(&tasklist_lock);
21547 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21548 ++ return 1;
21549 ++ }
21550 ++ read_unlock(&tasklist_lock);
21551 ++
21552 ++ read_lock(&grsec_exec_file_lock);
21553 ++ if (unlikely(!task->exec_file)) {
21554 ++ read_unlock(&grsec_exec_file_lock);
21555 ++ return 0;
21556 ++ }
21557 ++
21558 ++ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
21559 ++ read_unlock(&grsec_exec_file_lock);
21560 ++
21561 ++ if (retmode & GR_NOPTRACE) {
21562 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21563 ++ return 1;
21564 ++ }
21565 ++
21566 ++ if (retmode & GR_PTRACERD) {
21567 ++ switch (request) {
21568 ++ case PTRACE_POKETEXT:
21569 ++ case PTRACE_POKEDATA:
21570 ++ case PTRACE_POKEUSR:
21571 ++#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
21572 ++ case PTRACE_SETREGS:
21573 ++ case PTRACE_SETFPREGS:
21574 ++#endif
21575 ++#ifdef CONFIG_X86
21576 ++ case PTRACE_SETFPXREGS:
21577 ++#endif
21578 ++#ifdef CONFIG_ALTIVEC
21579 ++ case PTRACE_SETVRREGS:
21580 ++#endif
21581 ++ return 1;
21582 ++ default:
21583 ++ return 0;
21584 ++ }
21585 ++ } else if (!(current->acl->mode & GR_POVERRIDE) &&
21586 ++ !(current->role->roletype & GR_ROLE_GOD) &&
21587 ++ (current->acl != task->acl)) {
21588 ++ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
21589 ++ return 1;
21590 ++ }
21591 ++
21592 ++ return 0;
21593 ++}
21594 ++
21595 ++static int is_writable_mmap(const struct file *filp)
21596 ++{
21597 ++ struct task_struct *task = current;
21598 ++ struct acl_object_label *obj, *obj2;
21599 ++
21600 ++ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
21601 ++ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
21602 ++ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
21603 ++ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
21604 ++ task->role->root_label);
21605 ++ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
21606 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
21607 ++ return 1;
21608 ++ }
21609 ++ }
21610 ++ return 0;
21611 ++}
21612 ++
21613 ++int
21614 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
21615 ++{
21616 ++ __u32 mode;
21617 ++
21618 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
21619 ++ return 1;
21620 ++
21621 ++ if (is_writable_mmap(file))
21622 ++ return 0;
21623 ++
21624 ++ mode =
21625 ++ gr_search_file(file->f_dentry,
21626 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
21627 ++ file->f_vfsmnt);
21628 ++
21629 ++ if (!gr_tpe_allow(file))
21630 ++ return 0;
21631 ++
21632 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
21633 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21634 ++ return 0;
21635 ++ } else if (unlikely(!(mode & GR_EXEC))) {
21636 ++ return 0;
21637 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
21638 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21639 ++ return 1;
21640 ++ }
21641 ++
21642 ++ return 1;
21643 ++}
21644 ++
21645 ++int
21646 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
21647 ++{
21648 ++ __u32 mode;
21649 ++
21650 ++ if (unlikely(!file || !(prot & PROT_EXEC)))
21651 ++ return 1;
21652 ++
21653 ++ if (is_writable_mmap(file))
21654 ++ return 0;
21655 ++
21656 ++ mode =
21657 ++ gr_search_file(file->f_dentry,
21658 ++ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
21659 ++ file->f_vfsmnt);
21660 ++
21661 ++ if (!gr_tpe_allow(file))
21662 ++ return 0;
21663 ++
21664 ++ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
21665 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21666 ++ return 0;
21667 ++ } else if (unlikely(!(mode & GR_EXEC))) {
21668 ++ return 0;
21669 ++ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
21670 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
21671 ++ return 1;
21672 ++ }
21673 ++
21674 ++ return 1;
21675 ++}
21676 ++
21677 ++void
21678 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
21679 ++{
21680 ++ unsigned long runtime;
21681 ++ unsigned long cputime;
21682 ++ unsigned int wday, cday;
21683 ++ __u8 whr, chr;
21684 ++ __u8 wmin, cmin;
21685 ++ __u8 wsec, csec;
21686 ++
21687 ++ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
21688 ++ !(task->acl->mode & GR_PROCACCT)))
21689 ++ return;
21690 ++
21691 ++ runtime = xtime.tv_sec - task->start_time.tv_sec;
21692 ++ wday = runtime / (3600 * 24);
21693 ++ runtime -= wday * (3600 * 24);
21694 ++ whr = runtime / 3600;
21695 ++ runtime -= whr * 3600;
21696 ++ wmin = runtime / 60;
21697 ++ runtime -= wmin * 60;
21698 ++ wsec = runtime;
21699 ++
21700 ++ cputime = (task->utime + task->stime) / HZ;
21701 ++ cday = cputime / (3600 * 24);
21702 ++ cputime -= cday * (3600 * 24);
21703 ++ chr = cputime / 3600;
21704 ++ cputime -= chr * 3600;
21705 ++ cmin = cputime / 60;
21706 ++ cputime -= cmin * 60;
21707 ++ csec = cputime;
21708 ++
21709 ++ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
21710 ++
21711 ++ return;
21712 ++}
21713 ++
21714 ++void gr_set_kernel_label(struct task_struct *task)
21715 ++{
21716 ++ if (gr_status & GR_READY) {
21717 ++ task->role = kernel_role;
21718 ++ task->acl = kernel_role->root_label;
21719 ++ }
21720 ++ return;
21721 ++}
21722 ++
21723 ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
21724 ++{
21725 ++ struct task_struct *task = current;
21726 ++ struct dentry *dentry = file->f_dentry;
21727 ++ struct vfsmount *mnt = file->f_vfsmnt;
21728 ++ struct acl_object_label *obj, *tmp;
21729 ++ struct acl_subject_label *subj;
21730 ++ unsigned int bufsize;
21731 ++ int is_not_root;
21732 ++ char *path;
21733 ++
21734 ++ if (unlikely(!(gr_status & GR_READY)))
21735 ++ return 1;
21736 ++
21737 ++ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
21738 ++ return 1;
21739 ++
21740 ++ /* ignore Eric Biederman */
21741 ++ if (IS_PRIVATE(dentry->d_inode))
21742 ++ return 1;
21743 ++
21744 ++ subj = task->acl;
21745 ++ do {
21746 ++ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
21747 ++ if (obj != NULL)
21748 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21749 ++ } while ((subj = subj->parent_subject));
21750 ++
21751 ++ obj = chk_obj_label(dentry, mnt, task->acl);
21752 ++ if (obj->globbed == NULL)
21753 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21754 ++
21755 ++ is_not_root = ((obj->filename[0] == '/') &&
21756 ++ (obj->filename[1] == '\0')) ? 0 : 1;
21757 ++ bufsize = PAGE_SIZE - namelen - is_not_root;
21758 ++
21759 ++ /* check bufsize > PAGE_SIZE || bufsize == 0 */
21760 ++ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
21761 ++ return 1;
21762 ++
21763 ++ preempt_disable();
21764 ++ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
21765 ++ bufsize);
21766 ++
21767 ++ bufsize = strlen(path);
21768 ++
21769 ++ /* if base is "/", don't append an additional slash */
21770 ++ if (is_not_root)
21771 ++ *(path + bufsize) = '/';
21772 ++ memcpy(path + bufsize + is_not_root, name, namelen);
21773 ++ *(path + bufsize + namelen + is_not_root) = '\0';
21774 ++
21775 ++ tmp = obj->globbed;
21776 ++ while (tmp) {
21777 ++ if (!glob_match(tmp->filename, path)) {
21778 ++ preempt_enable();
21779 ++ return (tmp->mode & GR_FIND) ? 1 : 0;
21780 ++ }
21781 ++ tmp = tmp->next;
21782 ++ }
21783 ++ preempt_enable();
21784 ++ return (obj->mode & GR_FIND) ? 1 : 0;
21785 ++}
21786 ++
21787 ++EXPORT_SYMBOL(gr_learn_resource);
21788 ++EXPORT_SYMBOL(gr_set_kernel_label);
21789 ++#ifdef CONFIG_SECURITY
21790 ++EXPORT_SYMBOL(gr_check_user_change);
21791 ++EXPORT_SYMBOL(gr_check_group_change);
21792 ++#endif
21793 ++
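Review bot: on the GR_DEFACL_MSG path in gr_set_acls (the `else` branch after `if (task->acl)`), the function returns 1 having already zeroed `task->acl_role_id` and `task->acl_sp_role` and left `task->acl` NULL for that task, and the one caller visible in this hunk, the UNSPROLE case of write_grsec_handler, discards the return value of `gr_set_acls(1)` while `gr_status` stays GR_READY. Several hooks in the same file dereference `current->acl->mode` unconditionally once GR_READY is set (`gr_handle_sysctl`, `gr_handle_proc_ptrace`, `gr_handle_ptrace`, `is_writable_mmap`, `gr_acl_handle_filldir`), so a task left in that state would oops on its next checked syscall. Either fall back to a known subject before returning (as the kernel-process branch does with `kernel_role->root_label`) or have the UNSPROLE case check the return value and log and deny the transition. Note also that `gr_learn_resource` and `gr_acl_handle_psacct` do test `task->acl` for NULL while the hooks above do not, so the file is inconsistent about whether a NULL subject is a reachable state; a comment stating the intended invariant would help.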
21794 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_alloc.c linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c
21795 +--- linux-2.6.23.15/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100
21796 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c 2008-02-11 10:37:44.000000000 +0000
21797 +@@ -0,0 +1,91 @@
21798 ++#include <linux/kernel.h>
21799 ++#include <linux/mm.h>
21800 ++#include <linux/slab.h>
21801 ++#include <linux/vmalloc.h>
21802 ++#include <linux/gracl.h>
21803 ++#include <linux/grsecurity.h>
21804 ++
21805 ++static unsigned long alloc_stack_next = 1;
21806 ++static unsigned long alloc_stack_size = 1;
21807 ++static void **alloc_stack;
21808 ++
21809 ++static __inline__ int
21810 ++alloc_pop(void)
21811 ++{
21812 ++ if (alloc_stack_next == 1)
21813 ++ return 0;
21814 ++
21815 ++ kfree(alloc_stack[alloc_stack_next - 2]);
21816 ++
21817 ++ alloc_stack_next--;
21818 ++
21819 ++ return 1;
21820 ++}
21821 ++
21822 ++static __inline__ void
21823 ++alloc_push(void *buf)
21824 ++{
21825 ++ if (alloc_stack_next >= alloc_stack_size)
21826 ++ BUG();
21827 ++
21828 ++ alloc_stack[alloc_stack_next - 1] = buf;
21829 ++
21830 ++ alloc_stack_next++;
21831 ++
21832 ++ return;
21833 ++}
21834 ++
21835 ++void *
21836 ++acl_alloc(unsigned long len)
21837 ++{
21838 ++ void *ret;
21839 ++
21840 ++ if (len > PAGE_SIZE)
21841 ++ BUG();
21842 ++
21843 ++ ret = kmalloc(len, GFP_KERNEL);
21844 ++
21845 ++ if (ret)
21846 ++ alloc_push(ret);
21847 ++
21848 ++ return ret;
21849 ++}
21850 ++
21851 ++void
21852 ++acl_free_all(void)
21853 ++{
21854 ++ if (gr_acl_is_enabled() || !alloc_stack)
21855 ++ return;
21856 ++
21857 ++ while (alloc_pop()) ;
21858 ++
21859 ++ if (alloc_stack) {
21860 ++ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
21861 ++ kfree(alloc_stack);
21862 ++ else
21863 ++ vfree(alloc_stack);
21864 ++ }
21865 ++
21866 ++ alloc_stack = NULL;
21867 ++ alloc_stack_size = 1;
21868 ++ alloc_stack_next = 1;
21869 ++
21870 ++ return;
21871 ++}
21872 ++
21873 ++int
21874 ++acl_alloc_stack_init(unsigned long size)
21875 ++{
21876 ++ if ((size * sizeof (void *)) <= PAGE_SIZE)
21877 ++ alloc_stack =
21878 ++ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
21879 ++ else
21880 ++ alloc_stack = (void **) vmalloc(size * sizeof (void *));
21881 ++
21882 ++ alloc_stack_size = size;
21883 ++
21884 ++ if (!alloc_stack)
21885 ++ return 0;
21886 ++ else
21887 ++ return 1;
21888 ++}
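Review bot: `acl_alloc` and `alloc_push` use `BUG()` for conditions that depend on input rather than on a programming error (`len > PAGE_SIZE`, and `alloc_stack_next >= alloc_stack_size`), and `acl_alloc_stack_init` multiplies a caller-supplied `size` by `sizeof (void *)` with no overflow check; returning NULL / 0 and letting the caller fail the operation would be safer than a kernel panic reachable from whatever supplies `size` and `len`. `acl_alloc_stack_init` also assigns `alloc_stack` without freeing a previous array, so a second init without an intervening `acl_free_all()` leaks the old one. Minor: `acl_free_all` returns early on `!alloc_stack`, so the later `if (alloc_stack) {` around the kfree/vfree is redundant, and the 1-based `alloc_stack_next` with `- 1` / `- 2` indexing in `alloc_push`/`alloc_pop` would read more clearly 0-based.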
21889 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_cap.c linux-2.6.23.15-grsec/grsecurity/gracl_cap.c
21890 +--- linux-2.6.23.15/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100
21891 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_cap.c 2008-02-11 10:37:44.000000000 +0000
21892 +@@ -0,0 +1,112 @@
21893 ++#include <linux/kernel.h>
21894 ++#include <linux/module.h>
21895 ++#include <linux/sched.h>
21896 ++#include <linux/capability.h>
21897 ++#include <linux/gracl.h>
21898 ++#include <linux/grsecurity.h>
21899 ++#include <linux/grinternal.h>
21900 ++
21901 ++static const char *captab_log[] = {
21902 ++ "CAP_CHOWN",
21903 ++ "CAP_DAC_OVERRIDE",
21904 ++ "CAP_DAC_READ_SEARCH",
21905 ++ "CAP_FOWNER",
21906 ++ "CAP_FSETID",
21907 ++ "CAP_KILL",
21908 ++ "CAP_SETGID",
21909 ++ "CAP_SETUID",
21910 ++ "CAP_SETPCAP",
21911 ++ "CAP_LINUX_IMMUTABLE",
21912 ++ "CAP_NET_BIND_SERVICE",
21913 ++ "CAP_NET_BROADCAST",
21914 ++ "CAP_NET_ADMIN",
21915 ++ "CAP_NET_RAW",
21916 ++ "CAP_IPC_LOCK",
21917 ++ "CAP_IPC_OWNER",
21918 ++ "CAP_SYS_MODULE",
21919 ++ "CAP_SYS_RAWIO",
21920 ++ "CAP_SYS_CHROOT",
21921 ++ "CAP_SYS_PTRACE",
21922 ++ "CAP_SYS_PACCT",
21923 ++ "CAP_SYS_ADMIN",
21924 ++ "CAP_SYS_BOOT",
21925 ++ "CAP_SYS_NICE",
21926 ++ "CAP_SYS_RESOURCE",
21927 ++ "CAP_SYS_TIME",
21928 ++ "CAP_SYS_TTY_CONFIG",
21929 ++ "CAP_MKNOD",
21930 ++ "CAP_LEASE",
21931 ++ "CAP_AUDIT_WRITE",
21932 ++ "CAP_AUDIT_CONTROL"
21933 ++};
21934 ++
21935 ++EXPORT_SYMBOL(gr_task_is_capable);
21936 ++EXPORT_SYMBOL(gr_is_capable_nolog);
21937 ++
21938 ++int
21939 ++gr_task_is_capable(struct task_struct *task, const int cap)
21940 ++{
21941 ++ struct acl_subject_label *curracl;
21942 ++ __u32 cap_drop = 0, cap_mask = 0;
21943 ++
21944 ++ if (!gr_acl_is_enabled())
21945 ++ return 1;
21946 ++
21947 ++ curracl = task->acl;
21948 ++
21949 ++ cap_drop = curracl->cap_lower;
21950 ++ cap_mask = curracl->cap_mask;
21951 ++
21952 ++ while ((curracl = curracl->parent_subject)) {
21953 ++ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
21954 ++ cap_drop |= curracl->cap_lower & (1 << cap);
21955 ++ cap_mask |= curracl->cap_mask;
21956 ++ }
21957 ++
21958 ++ if (!cap_raised(cap_drop, cap))
21959 ++ return 1;
21960 ++
21961 ++ curracl = task->acl;
21962 ++
21963 ++ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
21964 ++ && cap_raised(task->cap_effective, cap)) {
21965 ++ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
21966 ++ task->role->roletype, task->uid,
21967 ++ task->gid, task->exec_file ?
21968 ++ gr_to_filename(task->exec_file->f_dentry,
21969 ++ task->exec_file->f_vfsmnt) : curracl->filename,
21970 ++ curracl->filename, 0UL,
21971 ++ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
21972 ++ return 1;
21973 ++ }
21974 ++
21975 ++ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
21976 ++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
21977 ++ return 0;
21978 ++}
21979 ++
21980 ++int
21981 ++gr_is_capable_nolog(const int cap)
21982 ++{
21983 ++ struct acl_subject_label *curracl;
21984 ++ __u32 cap_drop = 0, cap_mask = 0;
21985 ++
21986 ++ if (!gr_acl_is_enabled())
21987 ++ return 1;
21988 ++
21989 ++ curracl = current->acl;
21990 ++
21991 ++ cap_drop = curracl->cap_lower;
21992 ++ cap_mask = curracl->cap_mask;
21993 ++
21994 ++ while ((curracl = curracl->parent_subject)) {
21995 ++ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
21996 ++ cap_mask |= curracl->cap_mask;
21997 ++ }
21998 ++
21999 ++ if (!cap_raised(cap_drop, cap))
22000 ++ return 1;
22001 ++
22002 ++ return 0;
22003 ++}
22004 ++
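Review bot: the two `parent_subject` walks accumulate `cap_drop` under opposite conditions. `gr_task_is_capable` drops the bit only when `!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap))`, i.e. the capability is not yet masked by a nearer subject and is masked by this ancestor, while `gr_is_capable_nolog` uses `cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);`, which selects bits already in the accumulated mask and absent from the ancestor's mask. They cannot both be intended, and the logged and unlogged decisions must agree, so factor the walk into one shared helper. Also, `1 << cap` and `cap_raised(cap_drop, cap)` on a `__u32` run before the `cap < (sizeof(captab_log)/sizeof(captab_log[0]))` range check in `gr_task_is_capable`, and `gr_is_capable_nolog` has no range check at all, so a `cap` of 32 or more is an undefined shift; check the range at the top of both functions. Minor: `task->acl` / `current->acl` is dereferenced without a NULL check right after `gr_acl_is_enabled()`.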
22005 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_fs.c linux-2.6.23.15-grsec/grsecurity/gracl_fs.c
22006 +--- linux-2.6.23.15/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100
22007 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_fs.c 2008-02-11 10:37:44.000000000 +0000
22008 +@@ -0,0 +1,423 @@
22009 ++#include <linux/kernel.h>
22010 ++#include <linux/sched.h>
22011 ++#include <linux/types.h>
22012 ++#include <linux/fs.h>
22013 ++#include <linux/file.h>
22014 ++#include <linux/stat.h>
22015 ++#include <linux/grsecurity.h>
22016 ++#include <linux/grinternal.h>
22017 ++#include <linux/gracl.h>
22018 ++
22019 ++__u32
22020 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
22021 ++ const struct vfsmount * mnt)
22022 ++{
22023 ++ __u32 mode;
22024 ++
22025 ++ if (unlikely(!dentry->d_inode))
22026 ++ return GR_FIND;
22027 ++
22028 ++ mode =
22029 ++ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
22030 ++
22031 ++ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
22032 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22033 ++ return mode;
22034 ++ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
22035 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
22036 ++ return 0;
22037 ++ } else if (unlikely(!(mode & GR_FIND)))
22038 ++ return 0;
22039 ++
22040 ++ return GR_FIND;
22041 ++}
22042 ++
22043 ++__u32
22044 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
22045 ++ const int fmode)
22046 ++{
22047 ++ __u32 reqmode = GR_FIND;
22048 ++ __u32 mode;
22049 ++
22050 ++ if (unlikely(!dentry->d_inode))
22051 ++ return reqmode;
22052 ++
22053 ++ if (unlikely(fmode & O_APPEND))
22054 ++ reqmode |= GR_APPEND;
22055 ++ else if (unlikely(fmode & FMODE_WRITE))
22056 ++ reqmode |= GR_WRITE;
22057 ++ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22058 ++ reqmode |= GR_READ;
22059 ++
22060 ++ mode =
22061 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22062 ++ mnt);
22063 ++
22064 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22065 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22066 ++ reqmode & GR_READ ? " reading" : "",
22067 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22068 ++ GR_APPEND ? " appending" : "");
22069 ++ return reqmode;
22070 ++ } else
22071 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22072 ++ {
22073 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
22074 ++ reqmode & GR_READ ? " reading" : "",
22075 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22076 ++ GR_APPEND ? " appending" : "");
22077 ++ return 0;
22078 ++ } else if (unlikely((mode & reqmode) != reqmode))
22079 ++ return 0;
22080 ++
22081 ++ return reqmode;
22082 ++}
22083 ++
22084 ++__u32
22085 ++gr_acl_handle_creat(const struct dentry * dentry,
22086 ++ const struct dentry * p_dentry,
22087 ++ const struct vfsmount * p_mnt, const int fmode,
22088 ++ const int imode)
22089 ++{
22090 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
22091 ++ __u32 mode;
22092 ++
22093 ++ if (unlikely(fmode & O_APPEND))
22094 ++ reqmode |= GR_APPEND;
22095 ++ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
22096 ++ reqmode |= GR_READ;
22097 ++ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
22098 ++ reqmode |= GR_SETID;
22099 ++
22100 ++ mode =
22101 ++ gr_check_create(dentry, p_dentry, p_mnt,
22102 ++ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22103 ++
22104 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22105 ++ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22106 ++ reqmode & GR_READ ? " reading" : "",
22107 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22108 ++ GR_APPEND ? " appending" : "");
22109 ++ return reqmode;
22110 ++ } else
22111 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22112 ++ {
22113 ++ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
22114 ++ reqmode & GR_READ ? " reading" : "",
22115 ++ reqmode & GR_WRITE ? " writing" : reqmode &
22116 ++ GR_APPEND ? " appending" : "");
22117 ++ return 0;
22118 ++ } else if (unlikely((mode & reqmode) != reqmode))
22119 ++ return 0;
22120 ++
22121 ++ return reqmode;
22122 ++}
22123 ++
22124 ++__u32
22125 ++gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
22126 ++ const int fmode)
22127 ++{
22128 ++ __u32 mode, reqmode = GR_FIND;
22129 ++
22130 ++ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
22131 ++ reqmode |= GR_EXEC;
22132 ++ if (fmode & S_IWOTH)
22133 ++ reqmode |= GR_WRITE;
22134 ++ if (fmode & S_IROTH)
22135 ++ reqmode |= GR_READ;
22136 ++
22137 ++ mode =
22138 ++ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
22139 ++ mnt);
22140 ++
22141 ++ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
22142 ++ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22143 ++ reqmode & GR_READ ? " reading" : "",
22144 ++ reqmode & GR_WRITE ? " writing" : "",
22145 ++ reqmode & GR_EXEC ? " executing" : "");
22146 ++ return reqmode;
22147 ++ } else
22148 ++ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
22149 ++ {
22150 ++ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
22151 ++ reqmode & GR_READ ? " reading" : "",
22152 ++ reqmode & GR_WRITE ? " writing" : "",
22153 ++ reqmode & GR_EXEC ? " executing" : "");
22154 ++ return 0;
22155 ++ } else if (unlikely((mode & reqmode) != reqmode))
22156 ++ return 0;
22157 ++
22158 ++ return reqmode;
22159 ++}
22160 ++
22161 ++static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
22162 ++{
22163 ++ __u32 mode;
22164 ++
22165 ++ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
22166 ++
22167 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22168 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
22169 ++ return mode;
22170 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22171 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
22172 ++ return 0;
22173 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22174 ++ return 0;
22175 ++
22176 ++ return (reqmode);
22177 ++}
22178 ++
22179 ++__u32
22180 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
22181 ++{
22182 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
22183 ++}
22184 ++
22185 ++__u32
22186 ++gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
22187 ++{
22188 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
22189 ++}
22190 ++
22191 ++__u32
22192 ++gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
22193 ++{
22194 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
22195 ++}
22196 ++
22197 ++__u32
22198 ++gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
22199 ++{
22200 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
22201 ++}
22202 ++
22203 ++__u32
22204 ++gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
22205 ++ mode_t mode)
22206 ++{
22207 ++ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
22208 ++ return 1;
22209 ++
22210 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22211 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22212 ++ GR_FCHMOD_ACL_MSG);
22213 ++ } else {
22214 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
22215 ++ }
22216 ++}
22217 ++
22218 ++__u32
22219 ++gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
22220 ++ mode_t mode)
22221 ++{
22222 ++ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
22223 ++ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
22224 ++ GR_CHMOD_ACL_MSG);
22225 ++ } else {
22226 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
22227 ++ }
22228 ++}
22229 ++
22230 ++__u32
22231 ++gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
22232 ++{
22233 ++ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
22234 ++}
22235 ++
22236 ++__u32
22237 ++gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
22238 ++{
22239 ++ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
22240 ++}
22241 ++
22242 ++__u32
22243 ++gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
22244 ++{
22245 ++ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
22246 ++ GR_UNIXCONNECT_ACL_MSG);
22247 ++}
22248 ++
22249 ++/* hardlinks require at minimum create permission,
22250 ++ any additional privilege required is based on the
22251 ++ privilege of the file being linked to
22252 ++*/
22253 ++__u32
22254 ++gr_acl_handle_link(const struct dentry * new_dentry,
22255 ++ const struct dentry * parent_dentry,
22256 ++ const struct vfsmount * parent_mnt,
22257 ++ const struct dentry * old_dentry,
22258 ++ const struct vfsmount * old_mnt, const char *to)
22259 ++{
22260 ++ __u32 mode;
22261 ++ __u32 needmode = GR_CREATE | GR_LINK;
22262 ++ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
22263 ++
22264 ++ mode =
22265 ++ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
22266 ++ old_mnt);
22267 ++
22268 ++ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
22269 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22270 ++ return mode;
22271 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22272 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
22273 ++ return 0;
22274 ++ } else if (unlikely((mode & needmode) != needmode))
22275 ++ return 0;
22276 ++
22277 ++ return 1;
22278 ++}
22279 ++
22280 ++__u32
22281 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
22282 ++ const struct dentry * parent_dentry,
22283 ++ const struct vfsmount * parent_mnt, const char *from)
22284 ++{
22285 ++ __u32 needmode = GR_WRITE | GR_CREATE;
22286 ++ __u32 mode;
22287 ++
22288 ++ mode =
22289 ++ gr_check_create(new_dentry, parent_dentry, parent_mnt,
22290 ++ GR_CREATE | GR_AUDIT_CREATE |
22291 ++ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
22292 ++
22293 ++ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
22294 ++ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22295 ++ return mode;
22296 ++ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
22297 ++ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
22298 ++ return 0;
22299 ++ } else if (unlikely((mode & needmode) != needmode))
22300 ++ return 0;
22301 ++
22302 ++ return (GR_WRITE | GR_CREATE);
22303 ++}
22304 ++
22305 ++static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
22306 ++{
22307 ++ __u32 mode;
22308 ++
22309 ++ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
22310 ++
22311 ++ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
22312 ++ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
22313 ++ return mode;
22314 ++ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
22315 ++ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
22316 ++ return 0;
22317 ++ } else if (unlikely((mode & (reqmode)) != (reqmode)))
22318 ++ return 0;
22319 ++
22320 ++ return (reqmode);
22321 ++}
22322 ++
22323 ++__u32
22324 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
22325 ++ const struct dentry * parent_dentry,
22326 ++ const struct vfsmount * parent_mnt,
22327 ++ const int mode)
22328 ++{
22329 ++ __u32 reqmode = GR_WRITE | GR_CREATE;
22330 ++ if (unlikely(mode & (S_ISUID | S_ISGID)))
22331 ++ reqmode |= GR_SETID;
22332 ++
22333 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22334 ++ reqmode, GR_MKNOD_ACL_MSG);
22335 ++}
22336 ++
22337 ++__u32
22338 ++gr_acl_handle_mkdir(const struct dentry *new_dentry,
22339 ++ const struct dentry *parent_dentry,
22340 ++ const struct vfsmount *parent_mnt)
22341 ++{
22342 ++ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
22343 ++ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
22344 ++}
22345 ++
22346 ++#define RENAME_CHECK_SUCCESS(old, new) \
22347 ++ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
22348 ++ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
22349 ++
22350 ++int
22351 ++gr_acl_handle_rename(struct dentry *new_dentry,
22352 ++ struct dentry *parent_dentry,
22353 ++ const struct vfsmount *parent_mnt,
22354 ++ struct dentry *old_dentry,
22355 ++ struct inode *old_parent_inode,
22356 ++ struct vfsmount *old_mnt, const char *newname)
22357 ++{
22358 ++ __u32 comp1, comp2;
22359 ++ int error = 0;
22360 ++
22361 ++ if (unlikely(!gr_acl_is_enabled()))
22362 ++ return 0;
22363 ++
22364 ++ if (!new_dentry->d_inode) {
22365 ++ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
22366 ++ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
22367 ++ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
22368 ++ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
22369 ++ GR_DELETE | GR_AUDIT_DELETE |
22370 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
22371 ++ GR_SUPPRESS, old_mnt);
22372 ++ } else {
22373 ++ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
22374 ++ GR_CREATE | GR_DELETE |
22375 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
22376 ++ GR_AUDIT_READ | GR_AUDIT_WRITE |
22377 ++ GR_SUPPRESS, parent_mnt);
22378 ++ comp2 =
22379 ++ gr_search_file(old_dentry,
22380 ++ GR_READ | GR_WRITE | GR_AUDIT_READ |
22381 ++ GR_DELETE | GR_AUDIT_DELETE |
22382 ++ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
22383 ++ }
22384 ++
22385 ++ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
22386 ++ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
22387 ++ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22388 ++ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
22389 ++ && !(comp2 & GR_SUPPRESS)) {
22390 ++ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
22391 ++ error = -EACCES;
22392 ++ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
22393 ++ error = -EACCES;
22394 ++
22395 ++ return error;
22396 ++}
22397 ++
22398 ++void
22399 ++gr_acl_handle_exit(void)
22400 ++{
22401 ++ u16 id;
22402 ++ char *rolename;
22403 ++ struct file *exec_file;
22404 ++
22405 ++ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
22406 ++ id = current->acl_role_id;
22407 ++ rolename = current->role->rolename;
22408 ++ gr_set_acls(1);
22409 ++ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
22410 ++ }
22411 ++
22412 ++ write_lock(&grsec_exec_file_lock);
22413 ++ exec_file = current->exec_file;
22414 ++ current->exec_file = NULL;
22415 ++ write_unlock(&grsec_exec_file_lock);
22416 ++
22417 ++ if (exec_file)
22418 ++ fput(exec_file);
22419 ++}
22420 ++
22421 ++int
22422 ++gr_acl_handle_procpidmem(const struct task_struct *task)
22423 ++{
22424 ++ if (unlikely(!gr_acl_is_enabled()))
22425 ++ return 0;
22426 ++
22427 ++ if (task->acl->mode & GR_PROTPROCFD)
22428 ++ return -EACCES;
22429 ++
22430 ++ return 0;
22431 ++}
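Review bot: `gr_acl_handle_access` dereferences `dentry->d_inode->i_mode` with no `d_inode` guard, whereas `gr_acl_handle_hidden_file` and `gr_acl_handle_open` both start with `if (unlikely(!dentry->d_inode))`; add the same guard or document that callers pass only positive dentries. `gr_acl_handle_symlink` audits on `mode & GR_WRITE && mode & GR_AUDITS` but denies on `(mode & needmode) != needmode`, so a lookup that grants GR_WRITE without GR_CREATE under an audit flag is logged as a success and returns the non-zero `mode` instead of 0; the audit branch should test `(mode & needmode) == needmode` as `generic_fs_create_handler` does. Document `fmode` for `gr_acl_handle_open` and `gr_acl_handle_creat`: it is tested against `FMODE_READ`/`FMODE_WRITE` and against `O_APPEND`/`O_DIRECTORY`/`O_CREAT` in the same value, so callers must merge both flag families before calling.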
22432 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_ip.c linux-2.6.23.15-grsec/grsecurity/gracl_ip.c
22433 +--- linux-2.6.23.15/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100
22434 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_ip.c 2008-02-11 10:37:44.000000000 +0000
22435 +@@ -0,0 +1,313 @@
22436 ++#include <linux/kernel.h>
22437 ++#include <asm/uaccess.h>
22438 ++#include <asm/errno.h>
22439 ++#include <net/sock.h>
22440 ++#include <linux/file.h>
22441 ++#include <linux/fs.h>
22442 ++#include <linux/net.h>
22443 ++#include <linux/in.h>
22444 ++#include <linux/skbuff.h>
22445 ++#include <linux/ip.h>
22446 ++#include <linux/udp.h>
22447 ++#include <linux/smp_lock.h>
22448 ++#include <linux/types.h>
22449 ++#include <linux/sched.h>
22450 ++#include <linux/netdevice.h>
22451 ++#include <linux/inetdevice.h>
22452 ++#include <linux/gracl.h>
22453 ++#include <linux/grsecurity.h>
22454 ++#include <linux/grinternal.h>
22455 ++
22456 ++#define GR_BIND 0x01
22457 ++#define GR_CONNECT 0x02
22458 ++#define GR_INVERT 0x04
22459 ++
22460 ++static const char * gr_protocols[256] = {
22461 ++ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
22462 ++ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
22463 ++ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
22464 ++ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
22465 ++ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
22466 ++ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
22467 ++ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
22468 ++ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
22469 ++ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
22470 ++ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
22471 ++ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
22472 ++ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
22473 ++ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
22474 ++ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
22475 ++ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
22476 ++ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
22477 ++ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
22478 ++ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
22479 ++ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
22480 ++ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
22481 ++ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
22482 ++ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
22483 ++ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
22484 ++ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
22485 ++ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
22486 ++ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
22487 ++ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
22488 ++ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
22489 ++ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
22490 ++ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
22491 ++ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
22492 ++ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
22493 ++ };
22494 ++
22495 ++static const char * gr_socktypes[11] = {
22496 ++ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
22497 ++ "unknown:7", "unknown:8", "unknown:9", "packet"
22498 ++ };
22499 ++
22500 ++const char *
22501 ++gr_proto_to_name(unsigned char proto)
22502 ++{
22503 ++ return gr_protocols[proto];
22504 ++}
22505 ++
22506 ++const char *
22507 ++gr_socktype_to_name(unsigned char type)
22508 ++{
22509 ++ return gr_socktypes[type];
22510 ++}
22511 ++
22512 ++int
22513 ++gr_search_socket(const int domain, const int type, const int protocol)
22514 ++{
22515 ++ struct acl_subject_label *curr;
22516 ++
22517 ++ if (unlikely(!gr_acl_is_enabled()))
22518 ++ goto exit;
22519 ++
22520 ++ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
22521 ++ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
22522 ++ goto exit; // let the kernel handle it
22523 ++
22524 ++ curr = current->acl;
22525 ++
22526 ++ if (!curr->ips)
22527 ++ goto exit;
22528 ++
22529 ++ if ((curr->ip_type & (1 << type)) &&
22530 ++ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
22531 ++ goto exit;
22532 ++
22533 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
22534 ++ /* we don't place acls on raw sockets , and sometimes
22535 ++ dgram/ip sockets are opened for ioctl and not
22536 ++ bind/connect, so we'll fake a bind learn log */
22537 ++ if (type == SOCK_RAW || type == SOCK_PACKET) {
22538 ++ __u32 fakeip = 0;
22539 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22540 ++ current->role->roletype, current->uid,
22541 ++ current->gid, current->exec_file ?
22542 ++ gr_to_filename(current->exec_file->f_dentry,
22543 ++ current->exec_file->f_vfsmnt) :
22544 ++ curr->filename, curr->filename,
22545 ++ NIPQUAD(fakeip), 0, type,
22546 ++ protocol, GR_CONNECT,
22547 ++NIPQUAD(current->signal->curr_ip));
22548 ++ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
22549 ++ __u32 fakeip = 0;
22550 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22551 ++ current->role->roletype, current->uid,
22552 ++ current->gid, current->exec_file ?
22553 ++ gr_to_filename(current->exec_file->f_dentry,
22554 ++ current->exec_file->f_vfsmnt) :
22555 ++ curr->filename, curr->filename,
22556 ++ NIPQUAD(fakeip), 0, type,
22557 ++ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
22558 ++ }
22559 ++ /* we'll log when they use connect or bind */
22560 ++ goto exit;
22561 ++ }
22562 ++
22563 ++ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
22564 ++ gr_socktype_to_name(type), gr_proto_to_name(protocol));
22565 ++
22566 ++ return 0;
22567 ++ exit:
22568 ++ return 1;
22569 ++}
22570 ++
22571 ++int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
22572 ++{
22573 ++ if ((ip->mode & mode) &&
22574 ++ (ip_port >= ip->low) &&
22575 ++ (ip_port <= ip->high) &&
22576 ++ ((ntohl(ip_addr) & our_netmask) ==
22577 ++ (ntohl(our_addr) & our_netmask))
22578 ++ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
22579 ++ && (ip->type & (1 << type))) {
22580 ++ if (ip->mode & GR_INVERT)
22581 ++ return 2; // specifically denied
22582 ++ else
22583 ++ return 1; // allowed
22584 ++ }
22585 ++
22586 ++ return 0; // not specifically allowed, may continue parsing
22587 ++}
22588 ++
22589 ++static int
22590 ++gr_search_connectbind(const int mode, const struct sock *sk,
22591 ++ const struct sockaddr_in *addr, const int type)
22592 ++{
22593 ++ char iface[IFNAMSIZ] = {0};
22594 ++ struct acl_subject_label *curr;
22595 ++ struct acl_ip_label *ip;
22596 ++ struct net_device *dev;
22597 ++ struct in_device *idev;
22598 ++ unsigned long i;
22599 ++ int ret;
22600 ++ __u32 ip_addr = 0;
22601 ++ __u32 our_addr;
22602 ++ __u32 our_netmask;
22603 ++ char *p;
22604 ++ __u16 ip_port = 0;
22605 ++
22606 ++ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
22607 ++ return 1;
22608 ++
22609 ++ curr = current->acl;
22610 ++
22611 ++ if (!curr->ips)
22612 ++ return 1;
22613 ++
22614 ++ ip_addr = addr->sin_addr.s_addr;
22615 ++ ip_port = ntohs(addr->sin_port);
22616 ++
22617 ++ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
22618 ++ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
22619 ++ current->role->roletype, current->uid,
22620 ++ current->gid, current->exec_file ?
22621 ++ gr_to_filename(current->exec_file->f_dentry,
22622 ++ current->exec_file->f_vfsmnt) :
22623 ++ curr->filename, curr->filename,
22624 ++ NIPQUAD(ip_addr), ip_port, type,
22625 ++ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
22626 ++ return 1;
22627 ++ }
22628 ++
22629 ++ for (i = 0; i < curr->ip_num; i++) {
22630 ++ ip = *(curr->ips + i);
22631 ++ if (ip->iface != NULL) {
22632 ++ strncpy(iface, ip->iface, IFNAMSIZ - 1);
22633 ++ p = strchr(iface, ':');
22634 ++ if (p != NULL)
22635 ++ *p = '\0';
22636 ++ dev = dev_get_by_name(iface);
22637 ++ if (dev == NULL)
22638 ++ continue;
22639 ++ idev = in_dev_get(dev);
22640 ++ if (idev == NULL) {
22641 ++ dev_put(dev);
22642 ++ continue;
22643 ++ }
22644 ++ rcu_read_lock();
22645 ++ for_ifa(idev) {
22646 ++ if (!strcmp(ip->iface, ifa->ifa_label)) {
22647 ++ our_addr = ifa->ifa_address;
22648 ++ our_netmask = 0xffffffff;
22649 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
22650 ++ if (ret == 1) {
22651 ++ rcu_read_unlock();
22652 ++ in_dev_put(idev);
22653 ++ dev_put(dev);
22654 ++ return 1;
22655 ++ } else if (ret == 2) {
22656 ++ rcu_read_unlock();
22657 ++ in_dev_put(idev);
22658 ++ dev_put(dev);
22659 ++ goto denied;
22660 ++ }
22661 ++ }
22662 ++ } endfor_ifa(idev);
22663 ++ rcu_read_unlock();
22664 ++ in_dev_put(idev);
22665 ++ dev_put(dev);
22666 ++ } else {
22667 ++ our_addr = ip->addr;
22668 ++ our_netmask = ip->netmask;
22669 ++ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
22670 ++ if (ret == 1)
22671 ++ return 1;
22672 ++ else if (ret == 2)
22673 ++ goto denied;
22674 ++ }
22675 ++ }
22676 ++
22677 ++denied:
22678 ++ if (mode == GR_BIND)
22679 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
22680 ++ else if (mode == GR_CONNECT)
22681 ++ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
22682 ++
22683 ++ return 0;
22684 ++}
22685 ++
22686 ++int
22687 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
22688 ++{
22689 ++ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
22690 ++}
22691 ++
22692 ++int
22693 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
22694 ++{
22695 ++ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
22696 ++}
22697 ++
22698 ++int gr_search_listen(const struct socket *sock)
22699 ++{
22700 ++ struct sock *sk = sock->sk;
22701 ++ struct sockaddr_in addr;
22702 ++
22703 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
22704 ++ addr.sin_port = inet_sk(sk)->sport;
22705 ++
22706 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
22707 ++}
22708 ++
22709 ++int gr_search_accept(const struct socket *sock)
22710 ++{
22711 ++ struct sock *sk = sock->sk;
22712 ++ struct sockaddr_in addr;
22713 ++
22714 ++ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
22715 ++ addr.sin_port = inet_sk(sk)->sport;
22716 ++
22717 ++ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
22718 ++}
22719 ++
22720 ++int
22721 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
22722 ++{
22723 ++ if (addr)
22724 ++ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
22725 ++ else {
22726 ++ struct sockaddr_in sin;
22727 ++ const struct inet_sock *inet = inet_sk(sk);
22728 ++
22729 ++ sin.sin_addr.s_addr = inet->daddr;
22730 ++ sin.sin_port = inet->dport;
22731 ++
22732 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
22733 ++ }
22734 ++}
22735 ++
22736 ++int
22737 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
22738 ++{
22739 ++ struct sockaddr_in sin;
22740 ++
22741 ++ if (unlikely(skb->len < sizeof (struct udphdr)))
22742 ++ return 1; // skip this packet
22743 ++
22744 ++ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
22745 ++ sin.sin_port = udp_hdr(skb)->source;
22746 ++
22747 ++ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
22748 ++}
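Review bot: the early return in gr_search_udp_recvmsg, `if (unlikely(skb->len < sizeof (struct udphdr))) return 1; // skip this packet`, permits a datagram that cannot be checked: the source address and port are never compared against the policy because the header is too short to read. If the UDP receive path has already validated the header length before the skb is queued, this branch is unreachable and the comment should say so; if it has not, the safe default for an unverifiable packet is to deny (`return 0`) rather than to skip the policy. Separately, gr_search_listen and gr_search_accept have identical bodies (both build a sockaddr_in from inet_sk(sk)->saddr/sport and call gr_search_connectbind(GR_BIND, ...)); have one call the other, or add a comment explaining why accept() is checked as a bind, so the two cannot drift apart. In both, the local `sk` is computed but `sock->sk` is what gets passed.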
22749 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_learn.c linux-2.6.23.15-grsec/grsecurity/gracl_learn.c
22750 +--- linux-2.6.23.15/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100
22751 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_learn.c 2008-02-11 10:37:44.000000000 +0000
22752 +@@ -0,0 +1,211 @@
22753 ++#include <linux/kernel.h>
22754 ++#include <linux/mm.h>
22755 ++#include <linux/sched.h>
22756 ++#include <linux/poll.h>
22757 ++#include <linux/smp_lock.h>
22758 ++#include <linux/string.h>
22759 ++#include <linux/file.h>
22760 ++#include <linux/types.h>
22761 ++#include <linux/vmalloc.h>
22762 ++#include <linux/grinternal.h>
22763 ++
22764 ++extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
22765 ++ size_t count, loff_t *ppos);
22766 ++extern int gr_acl_is_enabled(void);
22767 ++
22768 ++static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
22769 ++static int gr_learn_attached;
22770 ++
22771 ++/* use a 512k buffer */
22772 ++#define LEARN_BUFFER_SIZE (512 * 1024)
22773 ++
22774 ++static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
22775 ++static DECLARE_MUTEX(gr_learn_user_sem);
22776 ++
22777 ++/* we need to maintain two buffers, so that the kernel context of grlearn
22778 ++ uses a semaphore around the userspace copying, and the other kernel contexts
22779 ++ use a spinlock when copying into the buffer, since they cannot sleep
22780 ++*/
22781 ++static char *learn_buffer;
22782 ++static char *learn_buffer_user;
22783 ++static int learn_buffer_len;
22784 ++static int learn_buffer_user_len;
22785 ++
22786 ++static ssize_t
22787 ++read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
22788 ++{
22789 ++ DECLARE_WAITQUEUE(wait, current);
22790 ++ ssize_t retval = 0;
22791 ++
22792 ++ add_wait_queue(&learn_wait, &wait);
22793 ++ set_current_state(TASK_INTERRUPTIBLE);
22794 ++ do {
22795 ++ down(&gr_learn_user_sem);
22796 ++ spin_lock(&gr_learn_lock);
22797 ++ if (learn_buffer_len)
22798 ++ break;
22799 ++ spin_unlock(&gr_learn_lock);
22800 ++ up(&gr_learn_user_sem);
22801 ++ if (file->f_flags & O_NONBLOCK) {
22802 ++ retval = -EAGAIN;
22803 ++ goto out;
22804 ++ }
22805 ++ if (signal_pending(current)) {
22806 ++ retval = -ERESTARTSYS;
22807 ++ goto out;
22808 ++ }
22809 ++
22810 ++ schedule();
22811 ++ } while (1);
22812 ++
22813 ++ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
22814 ++ learn_buffer_user_len = learn_buffer_len;
22815 ++ retval = learn_buffer_len;
22816 ++ learn_buffer_len = 0;
22817 ++
22818 ++ spin_unlock(&gr_learn_lock);
22819 ++
22820 ++ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
22821 ++ retval = -EFAULT;
22822 ++
22823 ++ up(&gr_learn_user_sem);
22824 ++out:
22825 ++ set_current_state(TASK_RUNNING);
22826 ++ remove_wait_queue(&learn_wait, &wait);
22827 ++ return retval;
22828 ++}
22829 ++
22830 ++static unsigned int
22831 ++poll_learn(struct file * file, poll_table * wait)
22832 ++{
22833 ++ poll_wait(file, &learn_wait, wait);
22834 ++
22835 ++ if (learn_buffer_len)
22836 ++ return (POLLIN | POLLRDNORM);
22837 ++
22838 ++ return 0;
22839 ++}
22840 ++
22841 ++void
22842 ++gr_clear_learn_entries(void)
22843 ++{
22844 ++ char *tmp;
22845 ++
22846 ++ down(&gr_learn_user_sem);
22847 ++ if (learn_buffer != NULL) {
22848 ++ spin_lock(&gr_learn_lock);
22849 ++ tmp = learn_buffer;
22850 ++ learn_buffer = NULL;
22851 ++ spin_unlock(&gr_learn_lock);
22852 ++ vfree(learn_buffer);
22853 ++ }
22854 ++ if (learn_buffer_user != NULL) {
22855 ++ vfree(learn_buffer_user);
22856 ++ learn_buffer_user = NULL;
22857 ++ }
22858 ++ learn_buffer_len = 0;
22859 ++ up(&gr_learn_user_sem);
22860 ++
22861 ++ return;
22862 ++}
22863 ++
22864 ++void
22865 ++gr_add_learn_entry(const char *fmt, ...)
22866 ++{
22867 ++ va_list args;
22868 ++ unsigned int len;
22869 ++
22870 ++ if (!gr_learn_attached)
22871 ++ return;
22872 ++
22873 ++ spin_lock(&gr_learn_lock);
22874 ++
22875 ++ /* leave a gap at the end so we know when it's "full" but don't have to
22876 ++ compute the exact length of the string we're trying to append
22877 ++ */
22878 ++ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
22879 ++ spin_unlock(&gr_learn_lock);
22880 ++ wake_up_interruptible(&learn_wait);
22881 ++ return;
22882 ++ }
22883 ++ if (learn_buffer == NULL) {
22884 ++ spin_unlock(&gr_learn_lock);
22885 ++ return;
22886 ++ }
22887 ++
22888 ++ va_start(args, fmt);
22889 ++ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
22890 ++ va_end(args);
22891 ++
22892 ++ learn_buffer_len += len + 1;
22893 ++
22894 ++ spin_unlock(&gr_learn_lock);
22895 ++ wake_up_interruptible(&learn_wait);
22896 ++
22897 ++ return;
22898 ++}
22899 ++
22900 ++static int
22901 ++open_learn(struct inode *inode, struct file *file)
22902 ++{
22903 ++ if (file->f_mode & FMODE_READ && gr_learn_attached)
22904 ++ return -EBUSY;
22905 ++ if (file->f_mode & FMODE_READ) {
22906 ++ int retval = 0;
22907 ++ down(&gr_learn_user_sem);
22908 ++ if (learn_buffer == NULL)
22909 ++ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
22910 ++ if (learn_buffer_user == NULL)
22911 ++ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
22912 ++ if (learn_buffer == NULL) {
22913 ++ retval = -ENOMEM;
22914 ++ goto out_error;
22915 ++ }
22916 ++ if (learn_buffer_user == NULL) {
22917 ++ retval = -ENOMEM;
22918 ++ goto out_error;
22919 ++ }
22920 ++ learn_buffer_len = 0;
22921 ++ learn_buffer_user_len = 0;
22922 ++ gr_learn_attached = 1;
22923 ++out_error:
22924 ++ up(&gr_learn_user_sem);
22925 ++ return retval;
22926 ++ }
22927 ++ return 0;
22928 ++}
22929 ++
22930 ++static int
22931 ++close_learn(struct inode *inode, struct file *file)
22932 ++{
22933 ++ char *tmp;
22934 ++
22935 ++ if (file->f_mode & FMODE_READ) {
22936 ++ down(&gr_learn_user_sem);
22937 ++ if (learn_buffer != NULL) {
22938 ++ spin_lock(&gr_learn_lock);
22939 ++ tmp = learn_buffer;
22940 ++ learn_buffer = NULL;
22941 ++ spin_unlock(&gr_learn_lock);
22942 ++ vfree(tmp);
22943 ++ }
22944 ++ if (learn_buffer_user != NULL) {
22945 ++ vfree(learn_buffer_user);
22946 ++ learn_buffer_user = NULL;
22947 ++ }
22948 ++ learn_buffer_len = 0;
22949 ++ learn_buffer_user_len = 0;
22950 ++ gr_learn_attached = 0;
22951 ++ up(&gr_learn_user_sem);
22952 ++ }
22953 ++
22954 ++ return 0;
22955 ++}
22956 ++
22957 ++struct file_operations grsec_fops = {
22958 ++ .read = read_learn,
22959 ++ .write = write_grsec_handler,
22960 ++ .open = open_learn,
22961 ++ .release = close_learn,
22962 ++ .poll = poll_learn,
22963 ++};
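Review bot: gr_clear_learn_entries frees the wrong pointer. It saves the buffer in `tmp`, sets `learn_buffer = NULL` under the spinlock, and then calls `vfree(learn_buffer)`, which is now vfree(NULL); the 512k buffer held in `tmp` leaks every time entries are cleared. close_learn has the same sequence done correctly with `vfree(tmp)`, so this should be `vfree(tmp)` too (and learn_buffer_user_len should be zeroed alongside learn_buffer_len, as close_learn does). Two smaller points in the same file: read_learn calls set_current_state(TASK_INTERRUPTIBLE) once before the loop, but a wakeup leaves the task TASK_RUNNING, so after a spurious wakeup the next schedule() returns immediately and the loop spins until data arrives; move the set_current_state() inside the loop, before the buffer check. And in gr_add_learn_entry, vsnprintf returns the length the string would have had, not the bytes written, so a single entry longer than the 16384-byte gap pushes learn_buffer_len past LEARN_BUFFER_SIZE, and the next read_learn memcpy()s that many bytes between the two buffers; clamp len to the remaining space before adding it.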
22964 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_res.c linux-2.6.23.15-grsec/grsecurity/gracl_res.c
22965 +--- linux-2.6.23.15/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100
22966 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_res.c 2008-02-11 10:37:44.000000000 +0000
22967 +@@ -0,0 +1,45 @@
22968 ++#include <linux/kernel.h>
22969 ++#include <linux/sched.h>
22970 ++#include <linux/gracl.h>
22971 ++#include <linux/grinternal.h>
22972 ++
22973 ++static const char *restab_log[] = {
22974 ++ [RLIMIT_CPU] = "RLIMIT_CPU",
22975 ++ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
22976 ++ [RLIMIT_DATA] = "RLIMIT_DATA",
22977 ++ [RLIMIT_STACK] = "RLIMIT_STACK",
22978 ++ [RLIMIT_CORE] = "RLIMIT_CORE",
22979 ++ [RLIMIT_RSS] = "RLIMIT_RSS",
22980 ++ [RLIMIT_NPROC] = "RLIMIT_NPROC",
22981 ++ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
22982 ++ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
22983 ++ [RLIMIT_AS] = "RLIMIT_AS",
22984 ++ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
22985 ++ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
22986 ++};
22987 ++
22988 ++void
22989 ++gr_log_resource(const struct task_struct *task,
22990 ++ const int res, const unsigned long wanted, const int gt)
22991 ++{
22992 ++ if (res == RLIMIT_NPROC &&
22993 ++ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
22994 ++ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
22995 ++ return;
22996 ++ else if (res == RLIMIT_MEMLOCK &&
22997 ++ cap_raised(task->cap_effective, CAP_IPC_LOCK))
22998 ++ return;
22999 ++
23000 ++ if (!gr_acl_is_enabled() && !grsec_resource_logging)
23001 ++ return;
23002 ++
23003 ++ preempt_disable();
23004 ++
23005 ++ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
23006 ++ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
23007 ++ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
23008 ++ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
23009 ++ preempt_enable_no_resched();
23010 ++
23011 ++ return;
23012 ++}
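Review bot: restab_log[] is indexed by `res` in `gr_log_res_ulong2_str(..., restab_log[res], ...)` with no bounds check, but the table only has entries up to `[RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"`. 2.6.23 defines RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE, RLIMIT_NICE and RLIMIT_RTPRIO above RLIMIT_LOCKS, so a caller passing any of those reads past the end of the array, and on the generic layout RLIMIT_LOCKS + 1 is RLIMIT_SIGPENDING, so a signal-pending limit would be logged as "RLIMIT_CRASH". Either add the missing names and give the crash entry its own index, or reject `res >= ARRAY_SIZE(restab_log)` before the lookup; and since gracl_segv.c addresses the same slot as `curr->res[GR_CRASH_RES]`, use GR_CRASH_RES here rather than RLIMIT_LOCKS + 1 so the two definitions cannot diverge.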
23013 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_segv.c linux-2.6.23.15-grsec/grsecurity/gracl_segv.c
23014 +--- linux-2.6.23.15/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100
23015 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_segv.c 2008-02-11 10:37:44.000000000 +0000
23016 +@@ -0,0 +1,301 @@
23017 ++#include <linux/kernel.h>
23018 ++#include <linux/mm.h>
23019 ++#include <asm/uaccess.h>
23020 ++#include <asm/errno.h>
23021 ++#include <asm/mman.h>
23022 ++#include <net/sock.h>
23023 ++#include <linux/file.h>
23024 ++#include <linux/fs.h>
23025 ++#include <linux/net.h>
23026 ++#include <linux/in.h>
23027 ++#include <linux/smp_lock.h>
23028 ++#include <linux/slab.h>
23029 ++#include <linux/types.h>
23030 ++#include <linux/sched.h>
23031 ++#include <linux/timer.h>
23032 ++#include <linux/gracl.h>
23033 ++#include <linux/grsecurity.h>
23034 ++#include <linux/grinternal.h>
23035 ++
23036 ++static struct crash_uid *uid_set;
23037 ++static unsigned short uid_used;
23038 ++static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
23039 ++extern rwlock_t gr_inode_lock;
23040 ++extern struct acl_subject_label *
23041 ++ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
23042 ++ struct acl_role_label *role);
23043 ++extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
23044 ++
23045 ++int
23046 ++gr_init_uidset(void)
23047 ++{
23048 ++ uid_set =
23049 ++ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
23050 ++ uid_used = 0;
23051 ++
23052 ++ return uid_set ? 1 : 0;
23053 ++}
23054 ++
23055 ++void
23056 ++gr_free_uidset(void)
23057 ++{
23058 ++ if (uid_set)
23059 ++ kfree(uid_set);
23060 ++
23061 ++ return;
23062 ++}
23063 ++
23064 ++int
23065 ++gr_find_uid(const uid_t uid)
23066 ++{
23067 ++ struct crash_uid *tmp = uid_set;
23068 ++ uid_t buid;
23069 ++ int low = 0, high = uid_used - 1, mid;
23070 ++
23071 ++ while (high >= low) {
23072 ++ mid = (low + high) >> 1;
23073 ++ buid = tmp[mid].uid;
23074 ++ if (buid == uid)
23075 ++ return mid;
23076 ++ if (buid > uid)
23077 ++ high = mid - 1;
23078 ++ if (buid < uid)
23079 ++ low = mid + 1;
23080 ++ }
23081 ++
23082 ++ return -1;
23083 ++}
23084 ++
23085 ++static __inline__ void
23086 ++gr_insertsort(void)
23087 ++{
23088 ++ unsigned short i, j;
23089 ++ struct crash_uid index;
23090 ++
23091 ++ for (i = 1; i < uid_used; i++) {
23092 ++ index = uid_set[i];
23093 ++ j = i;
23094 ++ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
23095 ++ uid_set[j] = uid_set[j - 1];
23096 ++ j--;
23097 ++ }
23098 ++ uid_set[j] = index;
23099 ++ }
23100 ++
23101 ++ return;
23102 ++}
23103 ++
23104 ++static __inline__ void
23105 ++gr_insert_uid(const uid_t uid, const unsigned long expires)
23106 ++{
23107 ++ int loc;
23108 ++
23109 ++ if (uid_used == GR_UIDTABLE_MAX)
23110 ++ return;
23111 ++
23112 ++ loc = gr_find_uid(uid);
23113 ++
23114 ++ if (loc >= 0) {
23115 ++ uid_set[loc].expires = expires;
23116 ++ return;
23117 ++ }
23118 ++
23119 ++ uid_set[uid_used].uid = uid;
23120 ++ uid_set[uid_used].expires = expires;
23121 ++ uid_used++;
23122 ++
23123 ++ gr_insertsort();
23124 ++
23125 ++ return;
23126 ++}
23127 ++
23128 ++void
23129 ++gr_remove_uid(const unsigned short loc)
23130 ++{
23131 ++ unsigned short i;
23132 ++
23133 ++ for (i = loc + 1; i < uid_used; i++)
23134 ++ uid_set[i - 1] = uid_set[i];
23135 ++
23136 ++ uid_used--;
23137 ++
23138 ++ return;
23139 ++}
23140 ++
23141 ++int
23142 ++gr_check_crash_uid(const uid_t uid)
23143 ++{
23144 ++ int loc;
23145 ++ int ret = 0;
23146 ++
23147 ++ if (unlikely(!gr_acl_is_enabled()))
23148 ++ return 0;
23149 ++
23150 ++ spin_lock(&gr_uid_lock);
23151 ++ loc = gr_find_uid(uid);
23152 ++
23153 ++ if (loc < 0)
23154 ++ goto out_unlock;
23155 ++
23156 ++ if (time_before_eq(uid_set[loc].expires, get_seconds()))
23157 ++ gr_remove_uid(loc);
23158 ++ else
23159 ++ ret = 1;
23160 ++
23161 ++out_unlock:
23162 ++ spin_unlock(&gr_uid_lock);
23163 ++ return ret;
23164 ++}
23165 ++
23166 ++static __inline__ int
23167 ++proc_is_setxid(const struct task_struct *task)
23168 ++{
23169 ++ if (task->uid != task->euid || task->uid != task->suid ||
23170 ++ task->uid != task->fsuid)
23171 ++ return 1;
23172 ++ if (task->gid != task->egid || task->gid != task->sgid ||
23173 ++ task->gid != task->fsgid)
23174 ++ return 1;
23175 ++
23176 ++ return 0;
23177 ++}
23178 ++static __inline__ int
23179 ++gr_fake_force_sig(int sig, struct task_struct *t)
23180 ++{
23181 ++ unsigned long int flags;
23182 ++ int ret, blocked, ignored;
23183 ++ struct k_sigaction *action;
23184 ++
23185 ++ spin_lock_irqsave(&t->sighand->siglock, flags);
23186 ++ action = &t->sighand->action[sig-1];
23187 ++ ignored = action->sa.sa_handler == SIG_IGN;
23188 ++ blocked = sigismember(&t->blocked, sig);
23189 ++ if (blocked || ignored) {
23190 ++ action->sa.sa_handler = SIG_DFL;
23191 ++ if (blocked) {
23192 ++ sigdelset(&t->blocked, sig);
23193 ++ recalc_sigpending_and_wake(t);
23194 ++ }
23195 ++ }
23196 ++ ret = specific_send_sig_info(sig, (void*)1L, t);
23197 ++ spin_unlock_irqrestore(&t->sighand->siglock, flags);
23198 ++
23199 ++ return ret;
23200 ++}
23201 ++
23202 ++void
23203 ++gr_handle_crash(struct task_struct *task, const int sig)
23204 ++{
23205 ++ struct acl_subject_label *curr;
23206 ++ struct acl_subject_label *curr2;
23207 ++ struct task_struct *tsk, *tsk2;
23208 ++
23209 ++ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
23210 ++ return;
23211 ++
23212 ++ if (unlikely(!gr_acl_is_enabled()))
23213 ++ return;
23214 ++
23215 ++ curr = task->acl;
23216 ++
23217 ++ if (!(curr->resmask & (1 << GR_CRASH_RES)))
23218 ++ return;
23219 ++
23220 ++ if (time_before_eq(curr->expires, get_seconds())) {
23221 ++ curr->expires = 0;
23222 ++ curr->crashes = 0;
23223 ++ }
23224 ++
23225 ++ curr->crashes++;
23226 ++
23227 ++ if (!curr->expires)
23228 ++ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
23229 ++
23230 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23231 ++ time_after(curr->expires, get_seconds())) {
23232 ++ if (task->uid && proc_is_setxid(task)) {
23233 ++ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23234 ++ spin_lock(&gr_uid_lock);
23235 ++ gr_insert_uid(task->uid, curr->expires);
23236 ++ spin_unlock(&gr_uid_lock);
23237 ++ curr->expires = 0;
23238 ++ curr->crashes = 0;
23239 ++ read_lock(&tasklist_lock);
23240 ++ do_each_thread(tsk2, tsk) {
23241 ++ if (tsk != task && tsk->uid == task->uid)
23242 ++ gr_fake_force_sig(SIGKILL, tsk);
23243 ++ } while_each_thread(tsk2, tsk);
23244 ++ read_unlock(&tasklist_lock);
23245 ++ } else {
23246 ++ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
23247 ++ read_lock(&tasklist_lock);
23248 ++ do_each_thread(tsk2, tsk) {
23249 ++ if (likely(tsk != task)) {
23250 ++ curr2 = tsk->acl;
23251 ++
23252 ++ if (curr2->device == curr->device &&
23253 ++ curr2->inode == curr->inode)
23254 ++ gr_fake_force_sig(SIGKILL, tsk);
23255 ++ }
23256 ++ } while_each_thread(tsk2, tsk);
23257 ++ read_unlock(&tasklist_lock);
23258 ++ }
23259 ++ }
23260 ++
23261 ++ return;
23262 ++}
23263 ++
23264 ++int
23265 ++gr_check_crash_exec(const struct file *filp)
23266 ++{
23267 ++ struct acl_subject_label *curr;
23268 ++
23269 ++ if (unlikely(!gr_acl_is_enabled()))
23270 ++ return 0;
23271 ++
23272 ++ read_lock(&gr_inode_lock);
23273 ++ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
23274 ++ filp->f_dentry->d_inode->i_sb->s_dev,
23275 ++ current->role);
23276 ++ read_unlock(&gr_inode_lock);
23277 ++
23278 ++ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
23279 ++ (!curr->crashes && !curr->expires))
23280 ++ return 0;
23281 ++
23282 ++ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
23283 ++ time_after(curr->expires, get_seconds()))
23284 ++ return 1;
23285 ++ else if (time_before_eq(curr->expires, get_seconds())) {
23286 ++ curr->crashes = 0;
23287 ++ curr->expires = 0;
23288 ++ }
23289 ++
23290 ++ return 0;
23291 ++}
23292 ++
23293 ++void
23294 ++gr_handle_alertkill(struct task_struct *task)
23295 ++{
23296 ++ struct acl_subject_label *curracl;
23297 ++ __u32 curr_ip;
23298 ++ struct task_struct *p, *p2;
23299 ++
23300 ++ if (unlikely(!gr_acl_is_enabled()))
23301 ++ return;
23302 ++
23303 ++ curracl = task->acl;
23304 ++ curr_ip = task->signal->curr_ip;
23305 ++
23306 ++ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
23307 ++ read_lock(&tasklist_lock);
23308 ++ do_each_thread(p2, p) {
23309 ++ if (p->signal->curr_ip == curr_ip)
23310 ++ gr_fake_force_sig(SIGKILL, p);
23311 ++ } while_each_thread(p2, p);
23312 ++ read_unlock(&tasklist_lock);
23313 ++ } else if (curracl->mode & GR_KILLPROC)
23314 ++ gr_fake_force_sig(SIGKILL, task);
23315 ++
23316 ++ return;
23317 ++}
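Review bot: gr_handle_crash and gr_check_crash_exec update the shared per-subject counters `curr->crashes` and `curr->expires` with no lock. The acl_subject_label is shared by every task running under that subject, so two concurrent crashes can both read crashes below rlim_cur, both increment, and one can reset the window (`curr->expires = 0; curr->crashes = 0;`) while the other is still acting on it; gr_uid_lock protects only the uid table. Put the read-modify-write of these two fields under a lock in both functions (gr_uid_lock is already taken around gr_insert_uid, or add a per-label spinlock). Minor: gr_fake_force_sig passes `(void*)1L` as the siginfo pointer; that is SEND_SIG_PRIV, and the macro should be used so the intent is visible and the value cannot drift from the kernel's definition.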
23318 +diff -Nurp linux-2.6.23.15/grsecurity/gracl_shm.c linux-2.6.23.15-grsec/grsecurity/gracl_shm.c
23319 +--- linux-2.6.23.15/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100
23320 ++++ linux-2.6.23.15-grsec/grsecurity/gracl_shm.c 2008-02-11 10:37:44.000000000 +0000
23321 +@@ -0,0 +1,33 @@
23322 ++#include <linux/kernel.h>
23323 ++#include <linux/mm.h>
23324 ++#include <linux/sched.h>
23325 ++#include <linux/file.h>
23326 ++#include <linux/ipc.h>
23327 ++#include <linux/gracl.h>
23328 ++#include <linux/grsecurity.h>
23329 ++#include <linux/grinternal.h>
23330 ++
23331 ++int
23332 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23333 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
23334 ++{
23335 ++ struct task_struct *task;
23336 ++
23337 ++ if (!gr_acl_is_enabled())
23338 ++ return 1;
23339 ++
23340 ++ task = find_task_by_pid(shm_cprid);
23341 ++
23342 ++ if (unlikely(!task))
23343 ++ task = find_task_by_pid(shm_lapid);
23344 ++
23345 ++ if (unlikely(task && (time_before((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
23346 ++ (task->pid == shm_lapid)) &&
23347 ++ (task->acl->mode & GR_PROTSHM) &&
23348 ++ (task->acl != current->acl))) {
23349 ++ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
23350 ++ return 0;
23351 ++ }
23352 ++
23353 ++ return 1;
23354 ++}
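Review bot: gr_handle_shmat calls `find_task_by_pid(shm_cprid)` and `find_task_by_pid(shm_lapid)` and then dereferences `task->start_time` and `task->acl` without holding tasklist_lock or rcu_read_lock, so the task can exit and be freed between the lookup and the dereference. The chroot variant in grsec_chroot.c (gr_chroot_shmat) does the same lookup under `read_lock(&tasklist_lock)`; do the same here and drop the lock after the comparison.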
23355 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_chdir.c linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c
23356 +--- linux-2.6.23.15/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100
23357 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c 2008-02-11 10:37:44.000000000 +0000
23358 +@@ -0,0 +1,19 @@
23359 ++#include <linux/kernel.h>
23360 ++#include <linux/sched.h>
23361 ++#include <linux/fs.h>
23362 ++#include <linux/file.h>
23363 ++#include <linux/grsecurity.h>
23364 ++#include <linux/grinternal.h>
23365 ++
23366 ++void
23367 ++gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
23368 ++{
23369 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
23370 ++ if ((grsec_enable_chdir && grsec_enable_group &&
23371 ++ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
23372 ++ !grsec_enable_group)) {
23373 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
23374 ++ }
23375 ++#endif
23376 ++ return;
23377 ++}
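Review bot: the condition in gr_log_chdir repeats grsec_enable_chdir in both halves of the `||`: `(grsec_enable_chdir && grsec_enable_group && in_group_p(grsec_audit_gid)) || (grsec_enable_chdir && !grsec_enable_group)`. It is equivalent to, and reads better as, `grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid))`, which also makes the audit-group gating obvious wherever the same pattern recurs.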
23378 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_chroot.c linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c
23379 +--- linux-2.6.23.15/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
23380 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c 2008-02-11 10:37:44.000000000 +0000
23381 +@@ -0,0 +1,335 @@
23382 ++#include <linux/kernel.h>
23383 ++#include <linux/module.h>
23384 ++#include <linux/sched.h>
23385 ++#include <linux/file.h>
23386 ++#include <linux/fs.h>
23387 ++#include <linux/mount.h>
23388 ++#include <linux/types.h>
23389 ++#include <linux/pid_namespace.h>
23390 ++#include <linux/grsecurity.h>
23391 ++#include <linux/grinternal.h>
23392 ++
23393 ++int
23394 ++gr_handle_chroot_unix(const pid_t pid)
23395 ++{
23396 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
23397 ++ struct pid *spid = NULL;
23398 ++
23399 ++ if (unlikely(!grsec_enable_chroot_unix))
23400 ++ return 1;
23401 ++
23402 ++ if (likely(!proc_is_chrooted(current)))
23403 ++ return 1;
23404 ++
23405 ++ read_lock(&tasklist_lock);
23406 ++
23407 ++ spid = find_pid(pid);
23408 ++ if (spid) {
23409 ++ struct task_struct *p;
23410 ++ p = pid_task(spid, PIDTYPE_PID);
23411 ++ task_lock(p);
23412 ++ if (unlikely(!have_same_root(current, p))) {
23413 ++ task_unlock(p);
23414 ++ read_unlock(&tasklist_lock);
23415 ++ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
23416 ++ return 0;
23417 ++ }
23418 ++ task_unlock(p);
23419 ++ }
23420 ++ read_unlock(&tasklist_lock);
23421 ++#endif
23422 ++ return 1;
23423 ++}
23424 ++
23425 ++int
23426 ++gr_handle_chroot_nice(void)
23427 ++{
23428 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23429 ++ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
23430 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
23431 ++ return -EPERM;
23432 ++ }
23433 ++#endif
23434 ++ return 0;
23435 ++}
23436 ++
23437 ++int
23438 ++gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
23439 ++{
23440 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
23441 ++ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
23442 ++ && proc_is_chrooted(current)) {
23443 ++ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
23444 ++ return -EACCES;
23445 ++ }
23446 ++#endif
23447 ++ return 0;
23448 ++}
23449 ++
23450 ++int
23451 ++gr_handle_chroot_rawio(const struct inode *inode)
23452 ++{
23453 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23454 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
23455 ++ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
23456 ++ return 1;
23457 ++#endif
23458 ++ return 0;
23459 ++}
23460 ++
23461 ++int
23462 ++gr_pid_is_chrooted(struct task_struct *p)
23463 ++{
23464 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
23465 ++ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
23466 ++ return 0;
23467 ++
23468 ++ task_lock(p);
23469 ++ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
23470 ++ !have_same_root(current, p)) {
23471 ++ task_unlock(p);
23472 ++ return 1;
23473 ++ }
23474 ++ task_unlock(p);
23475 ++#endif
23476 ++ return 0;
23477 ++}
23478 ++
23479 ++EXPORT_SYMBOL(gr_pid_is_chrooted);
23480 ++
23481 ++#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
23482 ++int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
23483 ++{
23484 ++ struct dentry *dentry = (struct dentry *)u_dentry;
23485 ++ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
23486 ++ struct dentry *realroot;
23487 ++ struct vfsmount *realrootmnt;
23488 ++ struct dentry *currentroot;
23489 ++ struct vfsmount *currentmnt;
23490 ++ struct task_struct *reaper = child_reaper(current);
23491 ++ int ret = 1;
23492 ++
23493 ++ read_lock(&reaper->fs->lock);
23494 ++ realrootmnt = mntget(reaper->fs->rootmnt);
23495 ++ realroot = dget(reaper->fs->root);
23496 ++ read_unlock(&reaper->fs->lock);
23497 ++
23498 ++ read_lock(&current->fs->lock);
23499 ++ currentmnt = mntget(current->fs->rootmnt);
23500 ++ currentroot = dget(current->fs->root);
23501 ++ read_unlock(&current->fs->lock);
23502 ++
23503 ++ spin_lock(&dcache_lock);
23504 ++ for (;;) {
23505 ++ if (unlikely((dentry == realroot && mnt == realrootmnt)
23506 ++ || (dentry == currentroot && mnt == currentmnt)))
23507 ++ break;
23508 ++ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
23509 ++ if (mnt->mnt_parent == mnt)
23510 ++ break;
23511 ++ dentry = mnt->mnt_mountpoint;
23512 ++ mnt = mnt->mnt_parent;
23513 ++ continue;
23514 ++ }
23515 ++ dentry = dentry->d_parent;
23516 ++ }
23517 ++ spin_unlock(&dcache_lock);
23518 ++
23519 ++ dput(currentroot);
23520 ++ mntput(currentmnt);
23521 ++
23522 ++ /* access is outside of chroot */
23523 ++ if (dentry == realroot && mnt == realrootmnt)
23524 ++ ret = 0;
23525 ++
23526 ++ dput(realroot);
23527 ++ mntput(realrootmnt);
23528 ++ return ret;
23529 ++}
23530 ++#endif
23531 ++
23532 ++int
23533 ++gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
23534 ++{
23535 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
23536 ++ if (!grsec_enable_chroot_fchdir)
23537 ++ return 1;
23538 ++
23539 ++ if (!proc_is_chrooted(current))
23540 ++ return 1;
23541 ++ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
23542 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
23543 ++ return 0;
23544 ++ }
23545 ++#endif
23546 ++ return 1;
23547 ++}
23548 ++
23549 ++int
23550 ++gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
23551 ++ const time_t shm_createtime)
23552 ++{
23553 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
23554 ++ struct pid *pid = NULL;
23555 ++ time_t starttime;
23556 ++
23557 ++ if (unlikely(!grsec_enable_chroot_shmat))
23558 ++ return 1;
23559 ++
23560 ++ if (likely(!proc_is_chrooted(current)))
23561 ++ return 1;
23562 ++
23563 ++ read_lock(&tasklist_lock);
23564 ++
23565 ++ pid = find_pid(shm_cprid);
23566 ++ if (pid) {
23567 ++ struct task_struct *p;
23568 ++ p = pid_task(pid, PIDTYPE_PID);
23569 ++ task_lock(p);
23570 ++ starttime = p->start_time.tv_sec;
23571 ++ if (unlikely(!have_same_root(current, p) &&
23572 ++ time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
23573 ++ task_unlock(p);
23574 ++ read_unlock(&tasklist_lock);
23575 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
23576 ++ return 0;
23577 ++ }
23578 ++ task_unlock(p);
23579 ++ } else {
23580 ++ pid = find_pid(shm_lapid);
23581 ++ if (pid) {
23582 ++ struct task_struct *p;
23583 ++ p = pid_task(pid, PIDTYPE_PID);
23584 ++ task_lock(p);
23585 ++ if (unlikely(!have_same_root(current, p))) {
23586 ++ task_unlock(p);
23587 ++ read_unlock(&tasklist_lock);
23588 ++ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
23589 ++ return 0;
23590 ++ }
23591 ++ task_unlock(p);
23592 ++ }
23593 ++ }
23594 ++
23595 ++ read_unlock(&tasklist_lock);
23596 ++#endif
23597 ++ return 1;
23598 ++}
23599 ++
23600 ++void
23601 ++gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
23602 ++{
23603 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
23604 ++ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
23605 ++ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
23606 ++#endif
23607 ++ return;
23608 ++}
23609 ++
23610 ++int
23611 ++gr_handle_chroot_mknod(const struct dentry *dentry,
23612 ++ const struct vfsmount *mnt, const int mode)
23613 ++{
23614 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
23615 ++ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
23616 ++ proc_is_chrooted(current)) {
23617 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
23618 ++ return -EPERM;
23619 ++ }
23620 ++#endif
23621 ++ return 0;
23622 ++}
23623 ++
23624 ++int
23625 ++gr_handle_chroot_mount(const struct dentry *dentry,
23626 ++ const struct vfsmount *mnt, const char *dev_name)
23627 ++{
23628 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
23629 ++ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
23630 ++ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
23631 ++ return -EPERM;
23632 ++ }
23633 ++#endif
23634 ++ return 0;
23635 ++}
23636 ++
23637 ++int
23638 ++gr_handle_chroot_pivot(void)
23639 ++{
23640 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
23641 ++ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
23642 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
23643 ++ return -EPERM;
23644 ++ }
23645 ++#endif
23646 ++ return 0;
23647 ++}
23648 ++
23649 ++int
23650 ++gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
23651 ++{
23652 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
23653 ++ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
23654 ++ !gr_is_outside_chroot(dentry, mnt)) {
23655 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
23656 ++ return -EPERM;
23657 ++ }
23658 ++#endif
23659 ++ return 0;
23660 ++}
23661 ++
23662 ++void
23663 ++gr_handle_chroot_caps(struct task_struct *task)
23664 ++{
23665 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
23666 ++ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
23667 ++ task->cap_permitted =
23668 ++ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
23669 ++ task->cap_inheritable =
23670 ++ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
23671 ++ task->cap_effective =
23672 ++ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
23673 ++ }
23674 ++#endif
23675 ++ return;
23676 ++}
23677 ++
23678 ++int
23679 ++gr_handle_chroot_sysctl(const int op)
23680 ++{
23681 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
23682 ++ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
23683 ++ && (op & 002))
23684 ++ return -EACCES;
23685 ++#endif
23686 ++ return 0;
23687 ++}
23688 ++
23689 ++void
23690 ++gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
23691 ++{
23692 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
23693 ++ if (grsec_enable_chroot_chdir)
23694 ++ set_fs_pwd(current->fs, mnt, dentry);
23695 ++#endif
23696 ++ return;
23697 ++}
23698 ++
23699 ++int
23700 ++gr_handle_chroot_chmod(const struct dentry *dentry,
23701 ++ const struct vfsmount *mnt, const int mode)
23702 ++{
23703 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
23704 ++ if (grsec_enable_chroot_chmod &&
23705 ++ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
23706 ++ proc_is_chrooted(current)) {
23707 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
23708 ++ return -EPERM;
23709 ++ }
23710 ++#endif
23711 ++ return 0;
23712 ++}
23713 ++
23714 ++#ifdef CONFIG_SECURITY
23715 ++EXPORT_SYMBOL(gr_handle_chroot_caps);
23716 ++#endif
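Review bot: pid_task() can return NULL, and both gr_handle_chroot_unix and gr_chroot_shmat pass its result straight to task_lock(): `p = pid_task(spid, PIDTYPE_PID); task_lock(p);`. find_pid() can return a struct pid that survives only as a process group or session id after the task itself has been detached, in which case pid_task(..., PIDTYPE_PID) is NULL and this is a NULL dereference under tasklist_lock whenever the looked-up pid has gone stale. Check `if (p)` before task_lock() in all three places (the unix path, and the shm_cprid and shm_lapid branches of gr_chroot_shmat) and treat a missing task as "no match", which is what the surrounding `if (spid)` / `if (pid)` tests already do for a missing pid.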
23717 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_disabled.c linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c
23718 +--- linux-2.6.23.15/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
23719 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c 2008-02-11 10:37:44.000000000 +0000
23720 +@@ -0,0 +1,418 @@
23721 ++#include <linux/kernel.h>
23722 ++#include <linux/module.h>
23723 ++#include <linux/sched.h>
23724 ++#include <linux/file.h>
23725 ++#include <linux/fs.h>
23726 ++#include <linux/kdev_t.h>
23727 ++#include <linux/net.h>
23728 ++#include <linux/in.h>
23729 ++#include <linux/ip.h>
23730 ++#include <linux/skbuff.h>
23731 ++#include <linux/sysctl.h>
23732 ++
23733 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
23734 ++void
23735 ++pax_set_initial_flags(struct linux_binprm *bprm)
23736 ++{
23737 ++ return;
23738 ++}
23739 ++#endif
23740 ++
23741 ++#ifdef CONFIG_SYSCTL
23742 ++__u32
23743 ++gr_handle_sysctl(const struct ctl_table * table, const int op)
23744 ++{
23745 ++ return 0;
23746 ++}
23747 ++#endif
23748 ++
23749 ++int
23750 ++gr_acl_is_enabled(void)
23751 ++{
23752 ++ return 0;
23753 ++}
23754 ++
23755 ++int
23756 ++gr_handle_rawio(const struct inode *inode)
23757 ++{
23758 ++ return 0;
23759 ++}
23760 ++
23761 ++void
23762 ++gr_acl_handle_psacct(struct task_struct *task, const long code)
23763 ++{
23764 ++ return;
23765 ++}
23766 ++
23767 ++int
23768 ++gr_handle_ptrace(struct task_struct *task, const long request)
23769 ++{
23770 ++ return 0;
23771 ++}
23772 ++
23773 ++int
23774 ++gr_handle_proc_ptrace(struct task_struct *task)
23775 ++{
23776 ++ return 0;
23777 ++}
23778 ++
23779 ++void
23780 ++gr_learn_resource(const struct task_struct *task,
23781 ++ const int res, const unsigned long wanted, const int gt)
23782 ++{
23783 ++ return;
23784 ++}
23785 ++
23786 ++int
23787 ++gr_set_acls(const int type)
23788 ++{
23789 ++ return 0;
23790 ++}
23791 ++
23792 ++int
23793 ++gr_check_hidden_task(const struct task_struct *tsk)
23794 ++{
23795 ++ return 0;
23796 ++}
23797 ++
23798 ++int
23799 ++gr_check_protected_task(const struct task_struct *task)
23800 ++{
23801 ++ return 0;
23802 ++}
23803 ++
23804 ++void
23805 ++gr_copy_label(struct task_struct *tsk)
23806 ++{
23807 ++ return;
23808 ++}
23809 ++
23810 ++void
23811 ++gr_set_pax_flags(struct task_struct *task)
23812 ++{
23813 ++ return;
23814 ++}
23815 ++
23816 ++int
23817 ++gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
23818 ++{
23819 ++ return 0;
23820 ++}
23821 ++
23822 ++void
23823 ++gr_handle_delete(const ino_t ino, const dev_t dev)
23824 ++{
23825 ++ return;
23826 ++}
23827 ++
23828 ++void
23829 ++gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
23830 ++{
23831 ++ return;
23832 ++}
23833 ++
23834 ++void
23835 ++gr_handle_crash(struct task_struct *task, const int sig)
23836 ++{
23837 ++ return;
23838 ++}
23839 ++
23840 ++int
23841 ++gr_check_crash_exec(const struct file *filp)
23842 ++{
23843 ++ return 0;
23844 ++}
23845 ++
23846 ++int
23847 ++gr_check_crash_uid(const uid_t uid)
23848 ++{
23849 ++ return 0;
23850 ++}
23851 ++
23852 ++void
23853 ++gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
23854 ++ struct dentry *old_dentry,
23855 ++ struct dentry *new_dentry,
23856 ++ struct vfsmount *mnt, const __u8 replace)
23857 ++{
23858 ++ return;
23859 ++}
23860 ++
23861 ++int
23862 ++gr_search_socket(const int family, const int type, const int protocol)
23863 ++{
23864 ++ return 1;
23865 ++}
23866 ++
23867 ++int
23868 ++gr_search_connectbind(const int mode, const struct socket *sock,
23869 ++ const struct sockaddr_in *addr)
23870 ++{
23871 ++ return 1;
23872 ++}
23873 ++
23874 ++int
23875 ++gr_task_is_capable(struct task_struct *task, const int cap)
23876 ++{
23877 ++ return 1;
23878 ++}
23879 ++
23880 ++int
23881 ++gr_is_capable_nolog(const int cap)
23882 ++{
23883 ++ return 1;
23884 ++}
23885 ++
23886 ++void
23887 ++gr_handle_alertkill(struct task_struct *task)
23888 ++{
23889 ++ return;
23890 ++}
23891 ++
23892 ++__u32
23893 ++gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
23894 ++{
23895 ++ return 1;
23896 ++}
23897 ++
23898 ++__u32
23899 ++gr_acl_handle_hidden_file(const struct dentry * dentry,
23900 ++ const struct vfsmount * mnt)
23901 ++{
23902 ++ return 1;
23903 ++}
23904 ++
23905 ++__u32
23906 ++gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
23907 ++ const int fmode)
23908 ++{
23909 ++ return 1;
23910 ++}
23911 ++
23912 ++__u32
23913 ++gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
23914 ++{
23915 ++ return 1;
23916 ++}
23917 ++
23918 ++__u32
23919 ++gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
23920 ++{
23921 ++ return 1;
23922 ++}
23923 ++
23924 ++int
23925 ++gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
23926 ++ unsigned int *vm_flags)
23927 ++{
23928 ++ return 1;
23929 ++}
23930 ++
23931 ++__u32
23932 ++gr_acl_handle_truncate(const struct dentry * dentry,
23933 ++ const struct vfsmount * mnt)
23934 ++{
23935 ++ return 1;
23936 ++}
23937 ++
23938 ++__u32
23939 ++gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
23940 ++{
23941 ++ return 1;
23942 ++}
23943 ++
23944 ++__u32
23945 ++gr_acl_handle_access(const struct dentry * dentry,
23946 ++ const struct vfsmount * mnt, const int fmode)
23947 ++{
23948 ++ return 1;
23949 ++}
23950 ++
23951 ++__u32
23952 ++gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
23953 ++ mode_t mode)
23954 ++{
23955 ++ return 1;
23956 ++}
23957 ++
23958 ++__u32
23959 ++gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
23960 ++ mode_t mode)
23961 ++{
23962 ++ return 1;
23963 ++}
23964 ++
23965 ++__u32
23966 ++gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
23967 ++{
23968 ++ return 1;
23969 ++}
23970 ++
23971 ++void
23972 ++grsecurity_init(void)
23973 ++{
23974 ++ return;
23975 ++}
23976 ++
23977 ++__u32
23978 ++gr_acl_handle_mknod(const struct dentry * new_dentry,
23979 ++ const struct dentry * parent_dentry,
23980 ++ const struct vfsmount * parent_mnt,
23981 ++ const int mode)
23982 ++{
23983 ++ return 1;
23984 ++}
23985 ++
23986 ++__u32
23987 ++gr_acl_handle_mkdir(const struct dentry * new_dentry,
23988 ++ const struct dentry * parent_dentry,
23989 ++ const struct vfsmount * parent_mnt)
23990 ++{
23991 ++ return 1;
23992 ++}
23993 ++
23994 ++__u32
23995 ++gr_acl_handle_symlink(const struct dentry * new_dentry,
23996 ++ const struct dentry * parent_dentry,
23997 ++ const struct vfsmount * parent_mnt, const char *from)
23998 ++{
23999 ++ return 1;
24000 ++}
24001 ++
24002 ++__u32
24003 ++gr_acl_handle_link(const struct dentry * new_dentry,
24004 ++ const struct dentry * parent_dentry,
24005 ++ const struct vfsmount * parent_mnt,
24006 ++ const struct dentry * old_dentry,
24007 ++ const struct vfsmount * old_mnt, const char *to)
24008 ++{
24009 ++ return 1;
24010 ++}
24011 ++
24012 ++int
24013 ++gr_acl_handle_rename(const struct dentry *new_dentry,
24014 ++ const struct dentry *parent_dentry,
24015 ++ const struct vfsmount *parent_mnt,
24016 ++ const struct dentry *old_dentry,
24017 ++ const struct inode *old_parent_inode,
24018 ++ const struct vfsmount *old_mnt, const char *newname)
24019 ++{
24020 ++ return 0;
24021 ++}
24022 ++
24023 ++int
24024 ++gr_acl_handle_filldir(const struct file *file, const char *name,
24025 ++ const int namelen, const ino_t ino)
24026 ++{
24027 ++ return 1;
24028 ++}
24029 ++
24030 ++int
24031 ++gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
24032 ++ const time_t shm_createtime, const uid_t cuid, const int shmid)
24033 ++{
24034 ++ return 1;
24035 ++}
24036 ++
24037 ++int
24038 ++gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
24039 ++{
24040 ++ return 1;
24041 ++}
24042 ++
24043 ++int
24044 ++gr_search_accept(const struct socket *sock)
24045 ++{
24046 ++ return 1;
24047 ++}
24048 ++
24049 ++int
24050 ++gr_search_listen(const struct socket *sock)
24051 ++{
24052 ++ return 1;
24053 ++}
24054 ++
24055 ++int
24056 ++gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
24057 ++{
24058 ++ return 1;
24059 ++}
24060 ++
24061 ++__u32
24062 ++gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
24063 ++{
24064 ++ return 1;
24065 ++}
24066 ++
24067 ++__u32
24068 ++gr_acl_handle_creat(const struct dentry * dentry,
24069 ++ const struct dentry * p_dentry,
24070 ++ const struct vfsmount * p_mnt, const int fmode,
24071 ++ const int imode)
24072 ++{
24073 ++ return 1;
24074 ++}
24075 ++
24076 ++void
24077 ++gr_acl_handle_exit(void)
24078 ++{
24079 ++ return;
24080 ++}
24081 ++
24082 ++int
24083 ++gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
24084 ++{
24085 ++ return 1;
24086 ++}
24087 ++
24088 ++void
24089 ++gr_set_role_label(const uid_t uid, const gid_t gid)
24090 ++{
24091 ++ return;
24092 ++}
24093 ++
24094 ++int
24095 ++gr_acl_handle_procpidmem(const struct task_struct *task)
24096 ++{
24097 ++ return 0;
24098 ++}
24099 ++
24100 ++int
24101 ++gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
24102 ++{
24103 ++ return 1;
24104 ++}
24105 ++
24106 ++int
24107 ++gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
24108 ++{
24109 ++ return 1;
24110 ++}
24111 ++
24112 ++void
24113 ++gr_set_kernel_label(struct task_struct *task)
24114 ++{
24115 ++ return;
24116 ++}
24117 ++
24118 ++int
24119 ++gr_check_user_change(int real, int effective, int fs)
24120 ++{
24121 ++ return 0;
24122 ++}
24123 ++
24124 ++int
24125 ++gr_check_group_change(int real, int effective, int fs)
24126 ++{
24127 ++ return 0;
24128 ++}
24129 ++
24130 ++
24131 ++EXPORT_SYMBOL(gr_task_is_capable);
24132 ++EXPORT_SYMBOL(gr_is_capable_nolog);
24133 ++EXPORT_SYMBOL(gr_learn_resource);
24134 ++EXPORT_SYMBOL(gr_set_kernel_label);
24135 ++#ifdef CONFIG_SECURITY
24136 ++EXPORT_SYMBOL(gr_check_user_change);
24137 ++EXPORT_SYMBOL(gr_check_group_change);
24138 ++#endif
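Review bot: grsec_disabled.c does not include <linux/grsecurity.h> (the include list at the top ends with <linux/sysctl.h>), so none of these stub definitions are type-checked against the prototypes the rest of the kernel calls; a signature drift between a stub here and the real implementation compiles silently and only surfaces as a link error or a wrong-ABI call. Adding the header include fixes that. Separately, the file mixes return conventions without recording them: the __u32 handlers (gr_acl_handle_open, gr_acl_handle_unlink, gr_acl_handle_chmod, ...) and the gr_search_* functions return 1 as the no-op default, while gr_handle_sysctl, gr_acl_handle_rename, gr_acl_handle_procpidmem, gr_check_user_change and gr_check_group_change return 0. Nothing in the file says which value means "permit" for which family; a short comment at the top would stop a future stub from picking the wrong default and quietly denying (or allowing) an operation when grsecurity is compiled out.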
24139 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_exec.c linux-2.6.23.15-grsec/grsecurity/grsec_exec.c
24140 +--- linux-2.6.23.15/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100
24141 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_exec.c 2008-02-11 10:37:44.000000000 +0000
24142 +@@ -0,0 +1,88 @@
24143 ++#include <linux/kernel.h>
24144 ++#include <linux/sched.h>
24145 ++#include <linux/file.h>
24146 ++#include <linux/binfmts.h>
24147 ++#include <linux/smp_lock.h>
24148 ++#include <linux/fs.h>
24149 ++#include <linux/types.h>
24150 ++#include <linux/grdefs.h>
24151 ++#include <linux/grinternal.h>
24152 ++#include <linux/capability.h>
24153 ++
24154 ++#include <asm/uaccess.h>
24155 ++
24156 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24157 ++static char gr_exec_arg_buf[132];
24158 ++static DECLARE_MUTEX(gr_exec_arg_sem);
24159 ++#endif
24160 ++
24161 ++int
24162 ++gr_handle_nproc(void)
24163 ++{
24164 ++#ifdef CONFIG_GRKERNSEC_EXECVE
24165 ++ if (grsec_enable_execve && current->user &&
24166 ++ (atomic_read(&current->user->processes) >
24167 ++ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
24168 ++ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
24169 ++ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
24170 ++ return -EAGAIN;
24171 ++ }
24172 ++#endif
24173 ++ return 0;
24174 ++}
24175 ++
24176 ++void
24177 ++gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
24178 ++{
24179 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24180 ++ char *grarg = gr_exec_arg_buf;
24181 ++ unsigned int i, x, execlen = 0;
24182 ++ char c;
24183 ++
24184 ++ if (!((grsec_enable_execlog && grsec_enable_group &&
24185 ++ in_group_p(grsec_audit_gid))
24186 ++ || (grsec_enable_execlog && !grsec_enable_group)))
24187 ++ return;
24188 ++
24189 ++ down(&gr_exec_arg_sem);
24190 ++ memset(grarg, 0, sizeof(gr_exec_arg_buf));
24191 ++
24192 ++ if (unlikely(argv == NULL))
24193 ++ goto log;
24194 ++
24195 ++ for (i = 0; i < bprm->argc && execlen < 128; i++) {
24196 ++ const char __user *p;
24197 ++ unsigned int len;
24198 ++
24199 ++ if (copy_from_user(&p, argv + i, sizeof(p)))
24200 ++ goto log;
24201 ++ if (!p)
24202 ++ goto log;
24203 ++ len = strnlen_user(p, 128 - execlen);
24204 ++ if (len > 128 - execlen)
24205 ++ len = 128 - execlen;
24206 ++ else if (len > 0)
24207 ++ len--;
24208 ++ if (copy_from_user(grarg + execlen, p, len))
24209 ++ goto log;
24210 ++
24211 ++ /* rewrite unprintable characters */
24212 ++ for (x = 0; x < len; x++) {
24213 ++ c = *(grarg + execlen + x);
24214 ++ if (c < 32 || c > 126)
24215 ++ *(grarg + execlen + x) = ' ';
24216 ++ }
24217 ++
24218 ++ execlen += len;
24219 ++ *(grarg + execlen) = ' ';
24220 ++ *(grarg + execlen + 1) = '\0';
24221 ++ execlen++;
24222 ++ }
24223 ++
24224 ++ log:
24225 ++ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
24226 ++ bprm->file->f_vfsmnt, grarg);
24227 ++ up(&gr_exec_arg_sem);
24228 ++#endif
24229 ++ return;
24230 ++}
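Review bot: gr_handle_exec_args re-reads argv from user memory (`copy_from_user(&p, argv + i, sizeof(p))` followed by `copy_from_user(grarg + execlen, p, len)`) after the exec path has already copied the arguments into the new image, so a second thread that rewrites argv in that window makes the audit line record something other than what was actually executed. If the exec log is meant to be trustworthy as evidence, build the line from the argument pages exec has already copied into bprm, or at least document the window in a comment. Two smaller points: `DECLARE_MUTEX(gr_exec_arg_sem)` with down()/up() is the semaphore API; a plain lock around a static buffer is what `struct mutex` (DEFINE_MUTEX / mutex_lock / mutex_unlock) is for in this kernel series. And gr_exec_arg_buf is 132 bytes while every bound in the loop is 128; a single `#define` used for both the buffer size and the limits would make the four bytes of slack (the trailing space and NUL written at `grarg + execlen` and `grarg + execlen + 1`) visibly intentional rather than a coincidence to be re-verified by each reader.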
24231 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_fifo.c linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c
24232 +--- linux-2.6.23.15/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
24233 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c 2008-02-11 10:37:44.000000000 +0000
24234 +@@ -0,0 +1,22 @@
24235 ++#include <linux/kernel.h>
24236 ++#include <linux/sched.h>
24237 ++#include <linux/fs.h>
24238 ++#include <linux/file.h>
24239 ++#include <linux/grinternal.h>
24240 ++
24241 ++int
24242 ++gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
24243 ++ const struct dentry *dir, const int flag, const int acc_mode)
24244 ++{
24245 ++#ifdef CONFIG_GRKERNSEC_FIFO
24246 ++ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
24247 ++ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
24248 ++ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
24249 ++ (current->fsuid != dentry->d_inode->i_uid)) {
24250 ++ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
24251 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
24252 ++ return -EACCES;
24253 ++ }
24254 ++#endif
24255 ++ return 0;
24256 ++}
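Review bot: in gr_handle_fifo the `return -EACCES;` is not part of the preceding `if (!generic_permission(dentry->d_inode, acc_mode, NULL))`: the open is denied whenever the outer condition holds, and generic_permission() only decides whether the denial is logged (presumably to avoid noise for opens that DAC would have rejected anyway). The indentation reads as though the return belonged to the inner if. Put braces around the log call, or add a one-line comment ("deny unconditionally; log only if DAC would have allowed it"), so the next person to touch this does not "fix" it into a conditional return and silently widen access.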
24257 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_fork.c linux-2.6.23.15-grsec/grsecurity/grsec_fork.c
24258 +--- linux-2.6.23.15/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100
24259 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_fork.c 2008-02-11 10:37:44.000000000 +0000
24260 +@@ -0,0 +1,15 @@
24261 ++#include <linux/kernel.h>
24262 ++#include <linux/sched.h>
24263 ++#include <linux/grsecurity.h>
24264 ++#include <linux/grinternal.h>
24265 ++#include <linux/errno.h>
24266 ++
24267 ++void
24268 ++gr_log_forkfail(const int retval)
24269 ++{
24270 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
24271 ++ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
24272 ++ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
24273 ++#endif
24274 ++ return;
24275 ++}
24276 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_init.c linux-2.6.23.15-grsec/grsecurity/grsec_init.c
24277 +--- linux-2.6.23.15/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
24278 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_init.c 2008-02-11 10:37:44.000000000 +0000
24279 +@@ -0,0 +1,230 @@
24280 ++#include <linux/kernel.h>
24281 ++#include <linux/sched.h>
24282 ++#include <linux/mm.h>
24283 ++#include <linux/smp_lock.h>
24284 ++#include <linux/gracl.h>
24285 ++#include <linux/slab.h>
24286 ++#include <linux/vmalloc.h>
24287 ++#include <linux/percpu.h>
24288 ++
24289 ++int grsec_enable_shm;
24290 ++int grsec_enable_link;
24291 ++int grsec_enable_dmesg;
24292 ++int grsec_enable_fifo;
24293 ++int grsec_enable_execve;
24294 ++int grsec_enable_execlog;
24295 ++int grsec_enable_signal;
24296 ++int grsec_enable_forkfail;
24297 ++int grsec_enable_time;
24298 ++int grsec_enable_audit_textrel;
24299 ++int grsec_enable_group;
24300 ++int grsec_audit_gid;
24301 ++int grsec_enable_chdir;
24302 ++int grsec_enable_audit_ipc;
24303 ++int grsec_enable_mount;
24304 ++int grsec_enable_chroot_findtask;
24305 ++int grsec_enable_chroot_mount;
24306 ++int grsec_enable_chroot_shmat;
24307 ++int grsec_enable_chroot_fchdir;
24308 ++int grsec_enable_chroot_double;
24309 ++int grsec_enable_chroot_pivot;
24310 ++int grsec_enable_chroot_chdir;
24311 ++int grsec_enable_chroot_chmod;
24312 ++int grsec_enable_chroot_mknod;
24313 ++int grsec_enable_chroot_nice;
24314 ++int grsec_enable_chroot_execlog;
24315 ++int grsec_enable_chroot_caps;
24316 ++int grsec_enable_chroot_sysctl;
24317 ++int grsec_enable_chroot_unix;
24318 ++int grsec_enable_tpe;
24319 ++int grsec_tpe_gid;
24320 ++int grsec_enable_tpe_all;
24321 ++int grsec_enable_socket_all;
24322 ++int grsec_socket_all_gid;
24323 ++int grsec_enable_socket_client;
24324 ++int grsec_socket_client_gid;
24325 ++int grsec_enable_socket_server;
24326 ++int grsec_socket_server_gid;
24327 ++int grsec_resource_logging;
24328 ++int grsec_lock;
24329 ++
24330 ++spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
24331 ++unsigned long grsec_alert_wtime = 0;
24332 ++unsigned long grsec_alert_fyet = 0;
24333 ++
24334 ++spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
24335 ++
24336 ++rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
24337 ++
24338 ++char *gr_shared_page[4];
24339 ++
24340 ++char *gr_alert_log_fmt;
24341 ++char *gr_audit_log_fmt;
24342 ++char *gr_alert_log_buf;
24343 ++char *gr_audit_log_buf;
24344 ++
24345 ++extern struct gr_arg *gr_usermode;
24346 ++extern unsigned char *gr_system_salt;
24347 ++extern unsigned char *gr_system_sum;
24348 ++
24349 ++void
24350 ++grsecurity_init(void)
24351 ++{
24352 ++ int j;
24353 ++ /* create the per-cpu shared pages */
24354 ++
24355 ++ for (j = 0; j < 4; j++) {
24356 ++ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
24357 ++ if (gr_shared_page[j] == NULL) {
24358 ++ panic("Unable to allocate grsecurity shared page");
24359 ++ return;
24360 ++ }
24361 ++ }
24362 ++
24363 ++ /* allocate log buffers */
24364 ++ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
24365 ++ if (!gr_alert_log_fmt) {
24366 ++ panic("Unable to allocate grsecurity alert log format buffer");
24367 ++ return;
24368 ++ }
24369 ++ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
24370 ++ if (!gr_audit_log_fmt) {
24371 ++ panic("Unable to allocate grsecurity audit log format buffer");
24372 ++ return;
24373 ++ }
24374 ++ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24375 ++ if (!gr_alert_log_buf) {
24376 ++ panic("Unable to allocate grsecurity alert log buffer");
24377 ++ return;
24378 ++ }
24379 ++ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
24380 ++ if (!gr_audit_log_buf) {
24381 ++ panic("Unable to allocate grsecurity audit log buffer");
24382 ++ return;
24383 ++ }
24384 ++
24385 ++ /* allocate memory for authentication structure */
24386 ++ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
24387 ++ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
24388 ++ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
24389 ++
24390 ++ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
24391 ++ panic("Unable to allocate grsecurity authentication structure");
24392 ++ return;
24393 ++ }
24394 ++
24395 ++#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
24396 ++#ifndef CONFIG_GRKERNSEC_SYSCTL
24397 ++ grsec_lock = 1;
24398 ++#endif
24399 ++#ifdef CONFIG_GRKERNSEC_SHM
24400 ++ grsec_enable_shm = 1;
24401 ++#endif
24402 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
24403 ++ grsec_enable_audit_textrel = 1;
24404 ++#endif
24405 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
24406 ++ grsec_enable_group = 1;
24407 ++ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
24408 ++#endif
24409 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
24410 ++ grsec_enable_chdir = 1;
24411 ++#endif
24412 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24413 ++ grsec_enable_audit_ipc = 1;
24414 ++#endif
24415 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
24416 ++ grsec_enable_mount = 1;
24417 ++#endif
24418 ++#ifdef CONFIG_GRKERNSEC_LINK
24419 ++ grsec_enable_link = 1;
24420 ++#endif
24421 ++#ifdef CONFIG_GRKERNSEC_DMESG
24422 ++ grsec_enable_dmesg = 1;
24423 ++#endif
24424 ++#ifdef CONFIG_GRKERNSEC_FIFO
24425 ++ grsec_enable_fifo = 1;
24426 ++#endif
24427 ++#ifdef CONFIG_GRKERNSEC_EXECVE
24428 ++ grsec_enable_execve = 1;
24429 ++#endif
24430 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
24431 ++ grsec_enable_execlog = 1;
24432 ++#endif
24433 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
24434 ++ grsec_enable_signal = 1;
24435 ++#endif
24436 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
24437 ++ grsec_enable_forkfail = 1;
24438 ++#endif
24439 ++#ifdef CONFIG_GRKERNSEC_TIME
24440 ++ grsec_enable_time = 1;
24441 ++#endif
24442 ++#ifdef CONFIG_GRKERNSEC_RESLOG
24443 ++ grsec_resource_logging = 1;
24444 ++#endif
24445 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
24446 ++ grsec_enable_chroot_findtask = 1;
24447 ++#endif
24448 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
24449 ++ grsec_enable_chroot_unix = 1;
24450 ++#endif
24451 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
24452 ++ grsec_enable_chroot_mount = 1;
24453 ++#endif
24454 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
24455 ++ grsec_enable_chroot_fchdir = 1;
24456 ++#endif
24457 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
24458 ++ grsec_enable_chroot_shmat = 1;
24459 ++#endif
24460 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
24461 ++ grsec_enable_chroot_double = 1;
24462 ++#endif
24463 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
24464 ++ grsec_enable_chroot_pivot = 1;
24465 ++#endif
24466 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
24467 ++ grsec_enable_chroot_chdir = 1;
24468 ++#endif
24469 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
24470 ++ grsec_enable_chroot_chmod = 1;
24471 ++#endif
24472 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
24473 ++ grsec_enable_chroot_mknod = 1;
24474 ++#endif
24475 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
24476 ++ grsec_enable_chroot_nice = 1;
24477 ++#endif
24478 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
24479 ++ grsec_enable_chroot_execlog = 1;
24480 ++#endif
24481 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
24482 ++ grsec_enable_chroot_caps = 1;
24483 ++#endif
24484 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
24485 ++ grsec_enable_chroot_sysctl = 1;
24486 ++#endif
24487 ++#ifdef CONFIG_GRKERNSEC_TPE
24488 ++ grsec_enable_tpe = 1;
24489 ++ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
24490 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
24491 ++ grsec_enable_tpe_all = 1;
24492 ++#endif
24493 ++#endif
24494 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
24495 ++ grsec_enable_socket_all = 1;
24496 ++ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
24497 ++#endif
24498 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
24499 ++ grsec_enable_socket_client = 1;
24500 ++ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
24501 ++#endif
24502 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
24503 ++ grsec_enable_socket_server = 1;
24504 ++ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
24505 ++#endif
24506 ++#endif
24507 ++
24508 ++ return;
24509 ++}
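Review bot: `spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;`, the matching grsec_audit_lock line and `rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;` use the static initializers that were deprecated when lockdep arrived; `DEFINE_SPINLOCK(grsec_alert_lock)` / `DEFINE_RWLOCK(grsec_exec_file_lock)` give each lock its own lock class and keep lockdep reports meaningful, which matters for a lock taken from as many call paths as the alert lock. Minor: every `return;` after a `panic(...)` in grsecurity_init is unreachable and can go. Also the three kmalloc() results for gr_usermode, gr_system_salt and gr_system_sum are checked together, so the panic message cannot say which allocation failed; cheap to split, though it only affects the diagnostic.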
24510 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_ipc.c linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c
24511 +--- linux-2.6.23.15/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100
24512 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c 2008-02-11 10:37:44.000000000 +0000
24513 +@@ -0,0 +1,81 @@
24514 ++#include <linux/kernel.h>
24515 ++#include <linux/sched.h>
24516 ++#include <linux/types.h>
24517 ++#include <linux/ipc.h>
24518 ++#include <linux/grsecurity.h>
24519 ++#include <linux/grinternal.h>
24520 ++
24521 ++void
24522 ++gr_log_msgget(const int ret, const int msgflg)
24523 ++{
24524 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24525 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24526 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24527 ++ !grsec_enable_group)) && (ret >= 0)
24528 ++ && (msgflg & IPC_CREAT))
24529 ++ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
24530 ++#endif
24531 ++ return;
24532 ++}
24533 ++
24534 ++void
24535 ++gr_log_msgrm(const uid_t uid, const uid_t cuid)
24536 ++{
24537 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24538 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24539 ++ grsec_enable_audit_ipc) ||
24540 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24541 ++ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
24542 ++#endif
24543 ++ return;
24544 ++}
24545 ++
24546 ++void
24547 ++gr_log_semget(const int err, const int semflg)
24548 ++{
24549 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24550 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24551 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24552 ++ !grsec_enable_group)) && (err >= 0)
24553 ++ && (semflg & IPC_CREAT))
24554 ++ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
24555 ++#endif
24556 ++ return;
24557 ++}
24558 ++
24559 ++void
24560 ++gr_log_semrm(const uid_t uid, const uid_t cuid)
24561 ++{
24562 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24563 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24564 ++ grsec_enable_audit_ipc) ||
24565 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24566 ++ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
24567 ++#endif
24568 ++ return;
24569 ++}
24570 ++
24571 ++void
24572 ++gr_log_shmget(const int err, const int shmflg, const size_t size)
24573 ++{
24574 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24575 ++ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24576 ++ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
24577 ++ !grsec_enable_group)) && (err >= 0)
24578 ++ && (shmflg & IPC_CREAT))
24579 ++ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
24580 ++#endif
24581 ++ return;
24582 ++}
24583 ++
24584 ++void
24585 ++gr_log_shmrm(const uid_t uid, const uid_t cuid)
24586 ++{
24587 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
24588 ++ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
24589 ++ grsec_enable_audit_ipc) ||
24590 ++ (grsec_enable_audit_ipc && !grsec_enable_group))
24591 ++ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
24592 ++#endif
24593 ++ return;
24594 ++}
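Review bot: gr_log_shmget takes `const size_t size` but passes it to gr_log_int(), and the numeric slot on the logging side is an int (see the `int num1, num2` locals in gr_log_varargs in grsec_log.c below), so on 64-bit the logged segment size is truncated and a large shmget can be logged with a wrong or negative size; log it through an unsigned-long variant or cast explicitly and say so in a comment. Separately, the gating predicate `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)` is copy-pasted six times across gr_log_msgget/msgrm/semget/semrm/shmget/shmrm and has the same shape as the check in gr_handle_exec_args; a small static inline helper would remove the duplication and make a future change to the audit-group logic a single edit instead of seven.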
24595 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_link.c linux-2.6.23.15-grsec/grsecurity/grsec_link.c
24596 +--- linux-2.6.23.15/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
24597 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_link.c 2008-02-11 10:37:44.000000000 +0000
24598 +@@ -0,0 +1,39 @@
24599 ++#include <linux/kernel.h>
24600 ++#include <linux/sched.h>
24601 ++#include <linux/fs.h>
24602 ++#include <linux/file.h>
24603 ++#include <linux/grinternal.h>
24604 ++
24605 ++int
24606 ++gr_handle_follow_link(const struct inode *parent,
24607 ++ const struct inode *inode,
24608 ++ const struct dentry *dentry, const struct vfsmount *mnt)
24609 ++{
24610 ++#ifdef CONFIG_GRKERNSEC_LINK
24611 ++ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
24612 ++ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
24613 ++ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
24614 ++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
24615 ++ return -EACCES;
24616 ++ }
24617 ++#endif
24618 ++ return 0;
24619 ++}
24620 ++
24621 ++int
24622 ++gr_handle_hardlink(const struct dentry *dentry,
24623 ++ const struct vfsmount *mnt,
24624 ++ struct inode *inode, const int mode, const char *to)
24625 ++{
24626 ++#ifdef CONFIG_GRKERNSEC_LINK
24627 ++ if (grsec_enable_link && current->fsuid != inode->i_uid &&
24628 ++ (!S_ISREG(mode) || (mode & S_ISUID) ||
24629 ++ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
24630 ++ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
24631 ++ !capable(CAP_FOWNER) && current->uid) {
24632 ++ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
24633 ++ return -EPERM;
24634 ++ }
24635 ++#endif
24636 ++ return 0;
24637 ++}
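Review bot: gr_handle_follow_link only fires when the sticky parent directory is world-writable (`parent->i_mode & S_IWOTH`); a sticky directory that is merely group-writable gets no protection, although the same symlink-following race exists there for every member of the group. If that is deliberate, say so in a comment; otherwise test S_IWGRP as well. In gr_handle_hardlink the ownership comparison uses `current->fsuid` while the privilege exemption uses `current->uid` (`!capable(CAP_FOWNER) && current->uid`): a process with real uid 0 that has lowered fsuid to act on a user's behalf is never subject to the check, even though the fsuid comparison just treated it as that user. Using fsuid consistently, or relying on the CAP_FOWNER test alone, would make the exemption match the identity the rest of the condition is evaluated against.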
24638 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_log.c linux-2.6.23.15-grsec/grsecurity/grsec_log.c
24639 +--- linux-2.6.23.15/grsecurity/grsec_log.c 1970-01-01 01:00:00.000000000 +0100
24640 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_log.c 2008-02-11 10:37:44.000000000 +0000
24641 +@@ -0,0 +1,269 @@
24642 ++#include <linux/kernel.h>
24643 ++#include <linux/sched.h>
24644 ++#include <linux/file.h>
24645 ++#include <linux/tty.h>
24646 ++#include <linux/fs.h>
24647 ++#include <linux/grinternal.h>
24648 ++
24649 ++#define BEGIN_LOCKS(x) \
24650 ++ read_lock(&tasklist_lock); \
24651 ++ read_lock(&grsec_exec_file_lock); \
24652 ++ if (x != GR_DO_AUDIT) \
24653 ++ spin_lock(&grsec_alert_lock); \
24654 ++ else \
24655 ++ spin_lock(&grsec_audit_lock)
24656 ++
24657 ++#define END_LOCKS(x) \
24658 ++ if (x != GR_DO_AUDIT) \
24659 ++ spin_unlock(&grsec_alert_lock); \
24660 ++ else \
24661 ++ spin_unlock(&grsec_audit_lock); \
24662 ++ read_unlock(&grsec_exec_file_lock); \
24663 ++ read_unlock(&tasklist_lock); \
24664 ++ if (x == GR_DONT_AUDIT) \
24665 ++ gr_handle_alertkill(current)
24666 ++
24667 ++enum {
24668 ++ FLOODING,
24669 ++ NO_FLOODING
24670 ++};
24671 ++
24672 ++extern char *gr_alert_log_fmt;
24673 ++extern char *gr_audit_log_fmt;
24674 ++extern char *gr_alert_log_buf;
24675 ++extern char *gr_audit_log_buf;
24676 ++
24677 ++static int gr_log_start(int audit)
24678 ++{
24679 ++ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
24680 ++ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
24681 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24682 ++
24683 ++ if (audit == GR_DO_AUDIT)
24684 ++ goto set_fmt;
24685 ++
24686 ++ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
24687 ++ grsec_alert_wtime = jiffies;
24688 ++ grsec_alert_fyet = 0;
24689 ++ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
24690 ++ grsec_alert_fyet++;
24691 ++ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
24692 ++ grsec_alert_wtime = jiffies;
24693 ++ grsec_alert_fyet++;
24694 ++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
24695 ++ return FLOODING;
24696 ++ } else return FLOODING;
24697 ++
24698 ++set_fmt:
24699 ++ memset(buf, 0, PAGE_SIZE);
24700 ++ if (current->signal->curr_ip && gr_acl_is_enabled()) {
24701 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
24702 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
24703 ++ } else if (current->signal->curr_ip) {
24704 ++ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
24705 ++ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
24706 ++ } else if (gr_acl_is_enabled()) {
24707 ++ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
24708 ++ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
24709 ++ } else {
24710 ++ sprintf(fmt, "%s%s", loglevel, "grsec: ");
24711 ++ strcpy(buf, fmt);
24712 ++ }
24713 ++
24714 ++ return NO_FLOODING;
24715 ++}
24716 ++
24717 ++static void gr_log_middle(int audit, const char *msg, va_list ap)
24718 ++{
24719 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24720 ++ unsigned int len = strlen(buf);
24721 ++
24722 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
24723 ++
24724 ++ return;
24725 ++}
24726 ++
24727 ++static void gr_log_middle_varargs(int audit, const char *msg, ...)
24728 ++{
24729 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24730 ++ unsigned int len = strlen(buf);
24731 ++ va_list ap;
24732 ++
24733 ++ va_start(ap, msg);
24734 ++ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
24735 ++ va_end(ap);
24736 ++
24737 ++ return;
24738 ++}
24739 ++
24740 ++static void gr_log_end(int audit)
24741 ++{
24742 ++ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
24743 ++ unsigned int len = strlen(buf);
24744 ++
24745 ++ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
24746 ++ printk("%s\n", buf);
24747 ++
24748 ++ return;
24749 ++}
24750 ++
24751 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
24752 ++{
24753 ++ int logtype;
24754 ++ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
24755 ++ char *str1, *str2, *str3;
24756 ++ int num1, num2;
24757 ++ unsigned long ulong1, ulong2;
24758 ++ struct dentry *dentry;
24759 ++ struct vfsmount *mnt;
24760 ++ struct file *file;
24761 ++ struct task_struct *task;
24762 ++ va_list ap;
24763 ++
24764 ++ BEGIN_LOCKS(audit);
24765 ++ logtype = gr_log_start(audit);
24766 ++ if (logtype == FLOODING) {
24767 ++ END_LOCKS(audit);
24768 ++ return;
24769 ++ }
24770 ++ va_start(ap, argtypes);
24771 ++ switch (argtypes) {
24772 ++ case GR_TTYSNIFF:
24773 ++ task = va_arg(ap, struct task_struct *);
24774 ++ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
24775 ++ break;
24776 ++ case GR_SYSCTL_HIDDEN:
24777 ++ str1 = va_arg(ap, char *);
24778 ++ gr_log_middle_varargs(audit, msg, result, str1);
24779 ++ break;
24780 ++ case GR_RBAC:
24781 ++ dentry = va_arg(ap, struct dentry *);
24782 ++ mnt = va_arg(ap, struct vfsmount *);
24783 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
24784 ++ break;
24785 ++ case GR_RBAC_STR:
24786 ++ dentry = va_arg(ap, struct dentry *);
24787 ++ mnt = va_arg(ap, struct vfsmount *);
24788 ++ str1 = va_arg(ap, char *);
24789 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
24790 ++ break;
24791 ++ case GR_STR_RBAC:
24792 ++ str1 = va_arg(ap, char *);
24793 ++ dentry = va_arg(ap, struct dentry *);
24794 ++ mnt = va_arg(ap, struct vfsmount *);
24795 ++ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
24796 ++ break;
24797 ++ case GR_RBAC_MODE2:
24798 ++ dentry = va_arg(ap, struct dentry *);
24799 ++ mnt = va_arg(ap, struct vfsmount *);
24800 ++ str1 = va_arg(ap, char *);
24801 ++ str2 = va_arg(ap, char *);
24802 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
24803 ++ break;
24804 ++ case GR_RBAC_MODE3:
24805 ++ dentry = va_arg(ap, struct dentry *);
24806 ++ mnt = va_arg(ap, struct vfsmount *);
24807 ++ str1 = va_arg(ap, char *);
24808 ++ str2 = va_arg(ap, char *);
24809 ++ str3 = va_arg(ap, char *);
24810 ++ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
24811 ++ break;
24812 ++ case GR_FILENAME:
24813 ++ dentry = va_arg(ap, struct dentry *);
24814 ++ mnt = va_arg(ap, struct vfsmount *);
24815 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
24816 ++ break;
24817 ++ case GR_STR_FILENAME:
24818 ++ str1 = va_arg(ap, char *);
24819 ++ dentry = va_arg(ap, struct dentry *);
24820 ++ mnt = va_arg(ap, struct vfsmount *);
24821 ++ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
24822 ++ break;
24823 ++ case GR_FILENAME_STR:
24824 ++ dentry = va_arg(ap, struct dentry *);
24825 ++ mnt = va_arg(ap, struct vfsmount *);
24826 ++ str1 = va_arg(ap, char *);
24827 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
24828 ++ break;
24829 ++ case GR_FILENAME_TWO_INT:
24830 ++ dentry = va_arg(ap, struct dentry *);
24831 ++ mnt = va_arg(ap, struct vfsmount *);
24832 ++ num1 = va_arg(ap, int);
24833 ++ num2 = va_arg(ap, int);
24834 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
24835 ++ break;
24836 ++ case GR_FILENAME_TWO_INT_STR:
24837 ++ dentry = va_arg(ap, struct dentry *);
24838 ++ mnt = va_arg(ap, struct vfsmount *);
24839 ++ num1 = va_arg(ap, int);
24840 ++ num2 = va_arg(ap, int);
24841 ++ str1 = va_arg(ap, char *);
24842 ++ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
24843 ++ break;
24844 ++ case GR_TEXTREL:
24845 ++ file = va_arg(ap, struct file *);
24846 ++ ulong1 = va_arg(ap, unsigned long);
24847 ++ ulong2 = va_arg(ap, unsigned long);
24848 ++ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
24849 ++ break;
24850 ++ case GR_PTRACE:
24851 ++ task = va_arg(ap, struct task_struct *);
24852 ++ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
24853 ++ break;
24854 ++ case GR_RESOURCE:
24855 ++ task = va_arg(ap, struct task_struct *);
24856 ++ ulong1 = va_arg(ap, unsigned long);
24857 ++ str1 = va_arg(ap, char *);
24858 ++ ulong2 = va_arg(ap, unsigned long);
24859 ++ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24860 ++ break;
24861 ++ case GR_CAP:
24862 ++ task = va_arg(ap, struct task_struct *);
24863 ++ str1 = va_arg(ap, char *);
24864 ++ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24865 ++ break;
24866 ++ case GR_SIG:
24867 ++ task = va_arg(ap, struct task_struct *);
24868 ++ num1 = va_arg(ap, int);
24869 ++ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24870 ++ break;
24871 ++ case GR_CRASH1:
24872 ++ task = va_arg(ap, struct task_struct *);
24873 ++ ulong1 = va_arg(ap, unsigned long);
24874 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
24875 ++ break;
24876 ++ case GR_CRASH2:
24877 ++ task = va_arg(ap, struct task_struct *);
24878 ++ ulong1 = va_arg(ap, unsigned long);
24879 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
24880 ++ break;
24881 ++ case GR_PSACCT:
24882 ++ {
24883 ++ unsigned int wday, cday;
24884 ++ __u8 whr, chr;
24885 ++ __u8 wmin, cmin;
24886 ++ __u8 wsec, csec;
24887 ++ char cur_tty[64] = { 0 };
24888 ++ char parent_tty[64] = { 0 };
24889 ++
24890 ++ task = va_arg(ap, struct task_struct *);
24891 ++ wday = va_arg(ap, unsigned int);
24892 ++ cday = va_arg(ap, unsigned int);
24893 ++ whr = va_arg(ap, int);
24894 ++ chr = va_arg(ap, int);
24895 ++ wmin = va_arg(ap, int);
24896 ++ cmin = va_arg(ap, int);
24897 ++ wsec = va_arg(ap, int);
24898 ++ csec = va_arg(ap, int);
24899 ++ ulong1 = va_arg(ap, unsigned long);
24900 ++
24901 ++ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
24902 ++ }
24903 ++ break;
24904 ++ default:
24905 ++ gr_log_middle(audit, msg, ap);
24906 ++ }
24907 ++ va_end(ap);
24908 ++ gr_log_end(audit);
24909 ++ END_LOCKS(audit);
24910 ++}
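Review bot: gr_log_varargs dereferences task->parent (and, in the GR_PSACCT case, task->parent->signal->curr_ip and task->parent->signal->tty) in the GR_TTYSNIFF, GR_RESOURCE, GR_CAP, GR_SIG, GR_CRASH1, GR_CRASH2 and GR_PSACCT cases without taking tasklist_lock and without a comment saying the caller must hold it; if the parent is reparented or exits between the caller's check and this log call, the walk races. Either state the locking requirement in a comment at the top of the function or take read_lock(&tasklist_lock) around the switch. Secondary: the GR_PSACCT block stores va_arg(ap, int) into __u8 locals (whr, chr, wmin, cmin, wsec, csec); that is correct because of default argument promotion, but a one-line comment would stop the next reader from "fixing" it to va_arg(ap, __u8), which is undefined behaviour.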
24911 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_mem.c linux-2.6.23.15-grsec/grsecurity/grsec_mem.c
24912 +--- linux-2.6.23.15/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100
24913 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_mem.c 2008-02-11 10:37:44.000000000 +0000
24914 +@@ -0,0 +1,71 @@
24915 ++#include <linux/kernel.h>
24916 ++#include <linux/sched.h>
24917 ++#include <linux/mm.h>
24918 ++#include <linux/mman.h>
24919 ++#include <linux/grinternal.h>
24920 ++
24921 ++void
24922 ++gr_handle_ioperm(void)
24923 ++{
24924 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
24925 ++ return;
24926 ++}
24927 ++
24928 ++void
24929 ++gr_handle_iopl(void)
24930 ++{
24931 ++ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
24932 ++ return;
24933 ++}
24934 ++
24935 ++void
24936 ++gr_handle_mem_write(void)
24937 ++{
24938 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
24939 ++ return;
24940 ++}
24941 ++
24942 ++void
24943 ++gr_handle_kmem_write(void)
24944 ++{
24945 ++ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
24946 ++ return;
24947 ++}
24948 ++
24949 ++void
24950 ++gr_handle_open_port(void)
24951 ++{
24952 ++ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
24953 ++ return;
24954 ++}
24955 ++
24956 ++int
24957 ++gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
24958 ++{
24959 ++ unsigned long start, end;
24960 ++
24961 ++ start = offset;
24962 ++ end = start + vma->vm_end - vma->vm_start;
24963 ++
24964 ++ if (start > end) {
24965 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
24966 ++ return -EPERM;
24967 ++ }
24968 ++
24969 ++ /* allowed ranges : ISA I/O BIOS */
24970 ++ if ((start >= __pa(high_memory))
24971 ++#ifdef CONFIG_X86
24972 ++ || (start >= 0x000a0000 && end <= 0x00100000)
24973 ++ || (start >= 0x00000000 && end <= 0x00001000)
24974 ++#endif
24975 ++ )
24976 ++ return 0;
24977 ++
24978 ++ if (vma->vm_flags & VM_WRITE) {
24979 ++ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
24980 ++ return -EPERM;
24981 ++ } else
24982 ++ vma->vm_flags &= ~VM_MAYWRITE;
24983 ++
24984 ++ return 0;
24985 ++}
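Review bot: in gr_handle_mem_mmap the comment says the allowed ranges are ISA, I/O and BIOS, but the first test, start >= __pa(high_memory), permits any physical address above the end of the direct-mapped lowmem region and leaves it writable; on an x86 box with CONFIG_HIGHMEM that includes real RAM (highmem pages), which is exactly what this check is meant to keep /dev/mem away from. If the intent is "beyond physical RAM", compare against the end of physical memory (for example max_pfn << PAGE_SHIFT) rather than __pa(high_memory), and check end as well as start. Minor: in the second x86 range, start >= 0x00000000 && end <= 0x00001000, the first half is always true for an unsigned long, so the test reduces to end <= 0x00001000; drop the dead comparison. The start > end wrap-around check and clearing VM_MAYWRITE on read-only mappings (so a later mprotect() cannot add PROT_WRITE) look right.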
24986 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_mount.c linux-2.6.23.15-grsec/grsecurity/grsec_mount.c
24987 +--- linux-2.6.23.15/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100
24988 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_mount.c 2008-02-11 10:37:44.000000000 +0000
24989 +@@ -0,0 +1,34 @@
24990 ++#include <linux/kernel.h>
24991 ++#include <linux/sched.h>
24992 ++#include <linux/grsecurity.h>
24993 ++#include <linux/grinternal.h>
24994 ++
24995 ++void
24996 ++gr_log_remount(const char *devname, const int retval)
24997 ++{
24998 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
24999 ++ if (grsec_enable_mount && (retval >= 0))
25000 ++ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
25001 ++#endif
25002 ++ return;
25003 ++}
25004 ++
25005 ++void
25006 ++gr_log_unmount(const char *devname, const int retval)
25007 ++{
25008 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25009 ++ if (grsec_enable_mount && (retval >= 0))
25010 ++ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
25011 ++#endif
25012 ++ return;
25013 ++}
25014 ++
25015 ++void
25016 ++gr_log_mount(const char *from, const char *to, const int retval)
25017 ++{
25018 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25019 ++ if (grsec_enable_mount && (retval >= 0))
25020 ++ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
25021 ++#endif
25022 ++ return;
25023 ++}
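Review bot: gr_log_mount hands from and to straight to gr_log_str_str, whereas gr_log_remount and gr_log_unmount guard their devname with devname ? devname : "none". The sibling helpers evidently expect a NULL device name from the call sites (the source string of mount(2) is optional), so from can be NULL here too; apply the same from ? from : "none" substitution rather than relying on the kernel vsnprintf "<NULL>" fallback, so the three audit messages are consistent. Logging only when retval >= 0 (successful operations) is fine for an audit hook, but a short comment saying that failures are deliberately not audited would help, since a denied mount is often the more interesting event.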
25024 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sig.c linux-2.6.23.15-grsec/grsecurity/grsec_sig.c
25025 +--- linux-2.6.23.15/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100
25026 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sig.c 2008-02-11 10:37:44.000000000 +0000
25027 +@@ -0,0 +1,59 @@
25028 ++#include <linux/kernel.h>
25029 ++#include <linux/sched.h>
25030 ++#include <linux/grsecurity.h>
25031 ++#include <linux/grinternal.h>
25032 ++
25033 ++void
25034 ++gr_log_signal(const int sig, const struct task_struct *t)
25035 ++{
25036 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
25037 ++ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
25038 ++ (sig == SIGABRT) || (sig == SIGBUS))) {
25039 ++ if (t->pid == current->pid) {
25040 ++ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
25041 ++ } else {
25042 ++ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
25043 ++ }
25044 ++ }
25045 ++#endif
25046 ++ return;
25047 ++}
25048 ++
25049 ++int
25050 ++gr_handle_signal(const struct task_struct *p, const int sig)
25051 ++{
25052 ++#ifdef CONFIG_GRKERNSEC
25053 ++ if (current->pid > 1 && gr_check_protected_task(p)) {
25054 ++ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
25055 ++ return -EPERM;
25056 ++ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
25057 ++ return -EPERM;
25058 ++ }
25059 ++#endif
25060 ++ return 0;
25061 ++}
25062 ++
25063 ++void gr_handle_brute_attach(struct task_struct *p)
25064 ++{
25065 ++#ifdef CONFIG_GRKERNSEC_BRUTE
25066 ++ read_lock(&tasklist_lock);
25067 ++ read_lock(&grsec_exec_file_lock);
25068 ++ if (p->parent && p->parent->exec_file == p->exec_file)
25069 ++ p->parent->brute = 1;
25070 ++ read_unlock(&grsec_exec_file_lock);
25071 ++ read_unlock(&tasklist_lock);
25072 ++#endif
25073 ++ return;
25074 ++}
25075 ++
25076 ++void gr_handle_brute_check(void)
25077 ++{
25078 ++#ifdef CONFIG_GRKERNSEC_BRUTE
25079 ++ if (current->brute) {
25080 ++ set_current_state(TASK_UNINTERRUPTIBLE);
25081 ++ schedule_timeout(30 * HZ);
25082 ++ }
25083 ++#endif
25084 ++ return;
25085 ++}
25086 ++
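Review bot: in gr_handle_signal the chroot branch returns -EPERM silently while the protected-task branch logs GR_SIG_ACL_MSG first; if the silence is deliberate (to avoid log floods from a chrooted process probing pids) say so in a comment, otherwise log the denial there as well. The (struct task_struct *)p cast exists only because gr_pid_is_chrooted lacks a const qualifier on its parameter; fix that prototype instead of casting const away. In gr_handle_brute_check the schedule_timeout(30 * HZ) sleep is TASK_UNINTERRUPTIBLE, which is the right choice for an anti-bruteforce delay (a signal cannot cut it short), but it also parks the task in D state for 30 seconds and counts it toward load average; that trade-off deserves a one-line comment. Nothing in this file ever clears the brute flag that gr_handle_brute_attach sets on the parent, so document where it is reset, or that it is intentionally sticky for the parent's lifetime.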
25087 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sock.c linux-2.6.23.15-grsec/grsecurity/grsec_sock.c
25088 +--- linux-2.6.23.15/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
25089 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sock.c 2008-02-11 10:37:44.000000000 +0000
25090 +@@ -0,0 +1,263 @@
25091 ++#include <linux/kernel.h>
25092 ++#include <linux/module.h>
25093 ++#include <linux/sched.h>
25094 ++#include <linux/file.h>
25095 ++#include <linux/net.h>
25096 ++#include <linux/in.h>
25097 ++#include <linux/ip.h>
25098 ++#include <net/sock.h>
25099 ++#include <net/inet_sock.h>
25100 ++#include <linux/grsecurity.h>
25101 ++#include <linux/grinternal.h>
25102 ++#include <linux/gracl.h>
25103 ++
25104 ++#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
25105 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
25106 ++EXPORT_SYMBOL(udp_v4_lookup);
25107 ++#endif
25108 ++
25109 ++EXPORT_SYMBOL(gr_cap_rtnetlink);
25110 ++
25111 ++extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
25112 ++extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
25113 ++
25114 ++EXPORT_SYMBOL(gr_search_udp_recvmsg);
25115 ++EXPORT_SYMBOL(gr_search_udp_sendmsg);
25116 ++
25117 ++#ifdef CONFIG_UNIX_MODULE
25118 ++EXPORT_SYMBOL(gr_acl_handle_unix);
25119 ++EXPORT_SYMBOL(gr_acl_handle_mknod);
25120 ++EXPORT_SYMBOL(gr_handle_chroot_unix);
25121 ++EXPORT_SYMBOL(gr_handle_create);
25122 ++#endif
25123 ++
25124 ++#ifdef CONFIG_GRKERNSEC
25125 ++#define gr_conn_table_size 32749
25126 ++struct conn_table_entry {
25127 ++ struct conn_table_entry *next;
25128 ++ struct signal_struct *sig;
25129 ++};
25130 ++
25131 ++struct conn_table_entry *gr_conn_table[gr_conn_table_size];
25132 ++spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
25133 ++
25134 ++extern const char * gr_socktype_to_name(unsigned char type);
25135 ++extern const char * gr_proto_to_name(unsigned char proto);
25136 ++
25137 ++static __inline__ int
25138 ++conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
25139 ++{
25140 ++ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
25141 ++}
25142 ++
25143 ++static __inline__ int
25144 ++conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
25145 ++ __u16 sport, __u16 dport)
25146 ++{
25147 ++ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
25148 ++ sig->gr_sport == sport && sig->gr_dport == dport))
25149 ++ return 1;
25150 ++ else
25151 ++ return 0;
25152 ++}
25153 ++
25154 ++static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
25155 ++{
25156 ++ struct conn_table_entry **match;
25157 ++ unsigned int index;
25158 ++
25159 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25160 ++ sig->gr_sport, sig->gr_dport,
25161 ++ gr_conn_table_size);
25162 ++
25163 ++ newent->sig = sig;
25164 ++
25165 ++ match = &gr_conn_table[index];
25166 ++ newent->next = *match;
25167 ++ *match = newent;
25168 ++
25169 ++ return;
25170 ++}
25171 ++
25172 ++static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
25173 ++{
25174 ++ struct conn_table_entry *match, *last = NULL;
25175 ++ unsigned int index;
25176 ++
25177 ++ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
25178 ++ sig->gr_sport, sig->gr_dport,
25179 ++ gr_conn_table_size);
25180 ++
25181 ++ match = gr_conn_table[index];
25182 ++ while (match && !conn_match(match->sig,
25183 ++ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
25184 ++ sig->gr_dport)) {
25185 ++ last = match;
25186 ++ match = match->next;
25187 ++ }
25188 ++
25189 ++ if (match) {
25190 ++ if (last)
25191 ++ last->next = match->next;
25192 ++ else
25193 ++ gr_conn_table[index] = NULL;
25194 ++ kfree(match);
25195 ++ }
25196 ++
25197 ++ return;
25198 ++}
25199 ++
25200 ++static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
25201 ++ __u16 sport, __u16 dport)
25202 ++{
25203 ++ struct conn_table_entry *match;
25204 ++ unsigned int index;
25205 ++
25206 ++ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
25207 ++
25208 ++ match = gr_conn_table[index];
25209 ++ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
25210 ++ match = match->next;
25211 ++
25212 ++ if (match)
25213 ++ return match->sig;
25214 ++ else
25215 ++ return NULL;
25216 ++}
25217 ++
25218 ++#endif
25219 ++
25220 ++void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
25221 ++{
25222 ++#ifdef CONFIG_GRKERNSEC
25223 ++ struct signal_struct *sig = task->signal;
25224 ++ struct conn_table_entry *newent;
25225 ++
25226 ++ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
25227 ++ if (newent == NULL)
25228 ++ return;
25229 ++ /* no bh lock needed since we are called with bh disabled */
25230 ++ spin_lock(&gr_conn_table_lock);
25231 ++ gr_del_task_from_ip_table_nolock(sig);
25232 ++ sig->gr_saddr = inet->rcv_saddr;
25233 ++ sig->gr_daddr = inet->daddr;
25234 ++ sig->gr_sport = inet->sport;
25235 ++ sig->gr_dport = inet->dport;
25236 ++ gr_add_to_task_ip_table_nolock(sig, newent);
25237 ++ spin_unlock(&gr_conn_table_lock);
25238 ++#endif
25239 ++ return;
25240 ++}
25241 ++
25242 ++void gr_del_task_from_ip_table(struct task_struct *task)
25243 ++{
25244 ++#ifdef CONFIG_GRKERNSEC
25245 ++ spin_lock(&gr_conn_table_lock);
25246 ++ gr_del_task_from_ip_table_nolock(task->signal);
25247 ++ spin_unlock(&gr_conn_table_lock);
25248 ++#endif
25249 ++ return;
25250 ++}
25251 ++
25252 ++void
25253 ++gr_attach_curr_ip(const struct sock *sk)
25254 ++{
25255 ++#ifdef CONFIG_GRKERNSEC
25256 ++ struct signal_struct *p, *set;
25257 ++ const struct inet_sock *inet = inet_sk(sk);
25258 ++
25259 ++ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
25260 ++ return;
25261 ++
25262 ++ set = current->signal;
25263 ++
25264 ++ spin_lock_bh(&gr_conn_table_lock);
25265 ++ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
25266 ++ inet->dport, inet->sport);
25267 ++ if (unlikely(p != NULL)) {
25268 ++ set->curr_ip = p->curr_ip;
25269 ++ set->used_accept = 1;
25270 ++ gr_del_task_from_ip_table_nolock(p);
25271 ++ spin_unlock_bh(&gr_conn_table_lock);
25272 ++ return;
25273 ++ }
25274 ++ spin_unlock_bh(&gr_conn_table_lock);
25275 ++
25276 ++ set->curr_ip = inet->daddr;
25277 ++ set->used_accept = 1;
25278 ++#endif
25279 ++ return;
25280 ++}
25281 ++
25282 ++int
25283 ++gr_handle_sock_all(const int family, const int type, const int protocol)
25284 ++{
25285 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25286 ++ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
25287 ++ (family != AF_UNIX) && (family != AF_LOCAL)) {
25288 ++ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
25289 ++ return -EACCES;
25290 ++ }
25291 ++#endif
25292 ++ return 0;
25293 ++}
25294 ++
25295 ++int
25296 ++gr_handle_sock_server(const struct sockaddr *sck)
25297 ++{
25298 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25299 ++ if (grsec_enable_socket_server &&
25300 ++ in_group_p(grsec_socket_server_gid) &&
25301 ++ sck && (sck->sa_family != AF_UNIX) &&
25302 ++ (sck->sa_family != AF_LOCAL)) {
25303 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25304 ++ return -EACCES;
25305 ++ }
25306 ++#endif
25307 ++ return 0;
25308 ++}
25309 ++
25310 ++int
25311 ++gr_handle_sock_server_other(const struct sock *sck)
25312 ++{
25313 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25314 ++ if (grsec_enable_socket_server &&
25315 ++ in_group_p(grsec_socket_server_gid) &&
25316 ++ sck && (sck->sk_family != AF_UNIX) &&
25317 ++ (sck->sk_family != AF_LOCAL)) {
25318 ++ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
25319 ++ return -EACCES;
25320 ++ }
25321 ++#endif
25322 ++ return 0;
25323 ++}
25324 ++
25325 ++int
25326 ++gr_handle_sock_client(const struct sockaddr *sck)
25327 ++{
25328 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25329 ++ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
25330 ++ sck && (sck->sa_family != AF_UNIX) &&
25331 ++ (sck->sa_family != AF_LOCAL)) {
25332 ++ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
25333 ++ return -EACCES;
25334 ++ }
25335 ++#endif
25336 ++ return 0;
25337 ++}
25338 ++
25339 ++__u32
25340 ++gr_cap_rtnetlink(void)
25341 ++{
25342 ++#ifdef CONFIG_GRKERNSEC
25343 ++ if (!gr_acl_is_enabled())
25344 ++ return current->cap_effective;
25345 ++ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
25346 ++ gr_task_is_capable(current, CAP_NET_ADMIN))
25347 ++ return current->cap_effective;
25348 ++ else
25349 ++ return 0;
25350 ++#else
25351 ++ return current->cap_effective;
25352 ++#endif
25353 ++}
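Review bot: gr_del_task_from_ip_table_nolock has a logic bug when the matching entry is the head of its bucket: the else branch executes gr_conn_table[index] = NULL; which unlinks every entry chained behind match, not just match itself. Those entries are leaked (never kfree'd) and become unreachable, so a later gr_attach_curr_ip lookup for one of those connections misses and silently falls back to inet->daddr instead of the inherited curr_ip. It should read gr_conn_table[index] = match->next;. Two smaller points on the same file: spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED; is the deprecated initializer, use DEFINE_SPINLOCK(gr_conn_table_lock); instead; and the locking discipline is inconsistent across the entry points, with gr_attach_curr_ip using spin_lock_bh while gr_update_task_in_ip_table (with a comment claiming bh is already disabled) and gr_del_task_from_ip_table use plain spin_lock. Document the calling context of each, since a plain spin_lock holder on a CPU where the lock is also taken from softirq context deadlocks.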
25354 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_sysctl.c linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c
25355 +--- linux-2.6.23.15/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
25356 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c 2008-02-11 10:37:44.000000000 +0000
25357 +@@ -0,0 +1,456 @@
25358 ++#include <linux/kernel.h>
25359 ++#include <linux/sched.h>
25360 ++#include <linux/sysctl.h>
25361 ++#include <linux/grsecurity.h>
25362 ++#include <linux/grinternal.h>
25363 ++
25364 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25365 ++int grsec_modstop;
25366 ++#endif
25367 ++
25368 ++int
25369 ++gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
25370 ++{
25371 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
25372 ++ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
25373 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25374 ++ return -EACCES;
25375 ++ }
25376 ++#endif
25377 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25378 ++ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
25379 ++ grsec_modstop && (op & 002)) {
25380 ++ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
25381 ++ return -EACCES;
25382 ++ }
25383 ++#endif
25384 ++ return 0;
25385 ++}
25386 ++
25387 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
25388 ++enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
25389 ++GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
25390 ++GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
25391 ++GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
25392 ++GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
25393 ++GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
25394 ++GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
25395 ++GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
25396 ++GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
25397 ++
25398 ++
25399 ++ctl_table grsecurity_table[] = {
25400 ++#ifdef CONFIG_GRKERNSEC_SYSCTL
25401 ++#ifdef CONFIG_GRKERNSEC_LINK
25402 ++ {
25403 ++ .ctl_name = GS_LINK,
25404 ++ .procname = "linking_restrictions",
25405 ++ .data = &grsec_enable_link,
25406 ++ .maxlen = sizeof(int),
25407 ++ .mode = 0600,
25408 ++ .proc_handler = &proc_dointvec,
25409 ++ },
25410 ++#endif
25411 ++#ifdef CONFIG_GRKERNSEC_FIFO
25412 ++ {
25413 ++ .ctl_name = GS_FIFO,
25414 ++ .procname = "fifo_restrictions",
25415 ++ .data = &grsec_enable_fifo,
25416 ++ .maxlen = sizeof(int),
25417 ++ .mode = 0600,
25418 ++ .proc_handler = &proc_dointvec,
25419 ++ },
25420 ++#endif
25421 ++#ifdef CONFIG_GRKERNSEC_EXECVE
25422 ++ {
25423 ++ .ctl_name = GS_EXECVE,
25424 ++ .procname = "execve_limiting",
25425 ++ .data = &grsec_enable_execve,
25426 ++ .maxlen = sizeof(int),
25427 ++ .mode = 0600,
25428 ++ .proc_handler = &proc_dointvec,
25429 ++ },
25430 ++#endif
25431 ++#ifdef CONFIG_GRKERNSEC_EXECLOG
25432 ++ {
25433 ++ .ctl_name = GS_EXECLOG,
25434 ++ .procname = "exec_logging",
25435 ++ .data = &grsec_enable_execlog,
25436 ++ .maxlen = sizeof(int),
25437 ++ .mode = 0600,
25438 ++ .proc_handler = &proc_dointvec,
25439 ++ },
25440 ++#endif
25441 ++#ifdef CONFIG_GRKERNSEC_SIGNAL
25442 ++ {
25443 ++ .ctl_name = GS_SIGNAL,
25444 ++ .procname = "signal_logging",
25445 ++ .data = &grsec_enable_signal,
25446 ++ .maxlen = sizeof(int),
25447 ++ .mode = 0600,
25448 ++ .proc_handler = &proc_dointvec,
25449 ++ },
25450 ++#endif
25451 ++#ifdef CONFIG_GRKERNSEC_FORKFAIL
25452 ++ {
25453 ++ .ctl_name = GS_FORKFAIL,
25454 ++ .procname = "forkfail_logging",
25455 ++ .data = &grsec_enable_forkfail,
25456 ++ .maxlen = sizeof(int),
25457 ++ .mode = 0600,
25458 ++ .proc_handler = &proc_dointvec,
25459 ++ },
25460 ++#endif
25461 ++#ifdef CONFIG_GRKERNSEC_TIME
25462 ++ {
25463 ++ .ctl_name = GS_TIME,
25464 ++ .procname = "timechange_logging",
25465 ++ .data = &grsec_enable_time,
25466 ++ .maxlen = sizeof(int),
25467 ++ .mode = 0600,
25468 ++ .proc_handler = &proc_dointvec,
25469 ++ },
25470 ++#endif
25471 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
25472 ++ {
25473 ++ .ctl_name = GS_CHROOT_SHMAT,
25474 ++ .procname = "chroot_deny_shmat",
25475 ++ .data = &grsec_enable_chroot_shmat,
25476 ++ .maxlen = sizeof(int),
25477 ++ .mode = 0600,
25478 ++ .proc_handler = &proc_dointvec,
25479 ++ },
25480 ++#endif
25481 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
25482 ++ {
25483 ++ .ctl_name = GS_CHROOT_UNIX,
25484 ++ .procname = "chroot_deny_unix",
25485 ++ .data = &grsec_enable_chroot_unix,
25486 ++ .maxlen = sizeof(int),
25487 ++ .mode = 0600,
25488 ++ .proc_handler = &proc_dointvec,
25489 ++ },
25490 ++#endif
25491 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
25492 ++ {
25493 ++ .ctl_name = GS_CHROOT_MNT,
25494 ++ .procname = "chroot_deny_mount",
25495 ++ .data = &grsec_enable_chroot_mount,
25496 ++ .maxlen = sizeof(int),
25497 ++ .mode = 0600,
25498 ++ .proc_handler = &proc_dointvec,
25499 ++ },
25500 ++#endif
25501 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
25502 ++ {
25503 ++ .ctl_name = GS_CHROOT_FCHDIR,
25504 ++ .procname = "chroot_deny_fchdir",
25505 ++ .data = &grsec_enable_chroot_fchdir,
25506 ++ .maxlen = sizeof(int),
25507 ++ .mode = 0600,
25508 ++ .proc_handler = &proc_dointvec,
25509 ++ },
25510 ++#endif
25511 ++#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
25512 ++ {
25513 ++ .ctl_name = GS_CHROOT_DBL,
25514 ++ .procname = "chroot_deny_chroot",
25515 ++ .data = &grsec_enable_chroot_double,
25516 ++ .maxlen = sizeof(int),
25517 ++ .mode = 0600,
25518 ++ .proc_handler = &proc_dointvec,
25519 ++ },
25520 ++#endif
25521 ++#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
25522 ++ {
25523 ++ .ctl_name = GS_CHROOT_PVT,
25524 ++ .procname = "chroot_deny_pivot",
25525 ++ .data = &grsec_enable_chroot_pivot,
25526 ++ .maxlen = sizeof(int),
25527 ++ .mode = 0600,
25528 ++ .proc_handler = &proc_dointvec,
25529 ++ },
25530 ++#endif
25531 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
25532 ++ {
25533 ++ .ctl_name = GS_CHROOT_CD,
25534 ++ .procname = "chroot_enforce_chdir",
25535 ++ .data = &grsec_enable_chroot_chdir,
25536 ++ .maxlen = sizeof(int),
25537 ++ .mode = 0600,
25538 ++ .proc_handler = &proc_dointvec,
25539 ++ },
25540 ++#endif
25541 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
25542 ++ {
25543 ++ .ctl_name = GS_CHROOT_CM,
25544 ++ .procname = "chroot_deny_chmod",
25545 ++ .data = &grsec_enable_chroot_chmod,
25546 ++ .maxlen = sizeof(int),
25547 ++ .mode = 0600,
25548 ++ .proc_handler = &proc_dointvec,
25549 ++ },
25550 ++#endif
25551 ++#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
25552 ++ {
25553 ++ .ctl_name = GS_CHROOT_MK,
25554 ++ .procname = "chroot_deny_mknod",
25555 ++ .data = &grsec_enable_chroot_mknod,
25556 ++ .maxlen = sizeof(int),
25557 ++ .mode = 0600,
25558 ++ .proc_handler = &proc_dointvec,
25559 ++ },
25560 ++#endif
25561 ++#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
25562 ++ {
25563 ++ .ctl_name = GS_CHROOT_NI,
25564 ++ .procname = "chroot_restrict_nice",
25565 ++ .data = &grsec_enable_chroot_nice,
25566 ++ .maxlen = sizeof(int),
25567 ++ .mode = 0600,
25568 ++ .proc_handler = &proc_dointvec,
25569 ++ },
25570 ++#endif
25571 ++#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
25572 ++ {
25573 ++ .ctl_name = GS_CHROOT_EXECLOG,
25574 ++ .procname = "chroot_execlog",
25575 ++ .data = &grsec_enable_chroot_execlog,
25576 ++ .maxlen = sizeof(int),
25577 ++ .mode = 0600,
25578 ++ .proc_handler = &proc_dointvec,
25579 ++ },
25580 ++#endif
25581 ++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
25582 ++ {
25583 ++ .ctl_name = GS_CHROOT_CAPS,
25584 ++ .procname = "chroot_caps",
25585 ++ .data = &grsec_enable_chroot_caps,
25586 ++ .maxlen = sizeof(int),
25587 ++ .mode = 0600,
25588 ++ .proc_handler = &proc_dointvec,
25589 ++ },
25590 ++#endif
25591 ++#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
25592 ++ {
25593 ++ .ctl_name = GS_CHROOT_SYSCTL,
25594 ++ .procname = "chroot_deny_sysctl",
25595 ++ .data = &grsec_enable_chroot_sysctl,
25596 ++ .maxlen = sizeof(int),
25597 ++ .mode = 0600,
25598 ++ .proc_handler = &proc_dointvec,
25599 ++ },
25600 ++#endif
25601 ++#ifdef CONFIG_GRKERNSEC_TPE
25602 ++ {
25603 ++ .ctl_name = GS_TPE,
25604 ++ .procname = "tpe",
25605 ++ .data = &grsec_enable_tpe,
25606 ++ .maxlen = sizeof(int),
25607 ++ .mode = 0600,
25608 ++ .proc_handler = &proc_dointvec,
25609 ++ },
25610 ++ {
25611 ++ .ctl_name = GS_TPE_GID,
25612 ++ .procname = "tpe_gid",
25613 ++ .data = &grsec_tpe_gid,
25614 ++ .maxlen = sizeof(int),
25615 ++ .mode = 0600,
25616 ++ .proc_handler = &proc_dointvec,
25617 ++ },
25618 ++#endif
25619 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
25620 ++ {
25621 ++ .ctl_name = GS_TPE_ALL,
25622 ++ .procname = "tpe_restrict_all",
25623 ++ .data = &grsec_enable_tpe_all,
25624 ++ .maxlen = sizeof(int),
25625 ++ .mode = 0600,
25626 ++ .proc_handler = &proc_dointvec,
25627 ++ },
25628 ++#endif
25629 ++#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
25630 ++ {
25631 ++ .ctl_name = GS_SOCKET_ALL,
25632 ++ .procname = "socket_all",
25633 ++ .data = &grsec_enable_socket_all,
25634 ++ .maxlen = sizeof(int),
25635 ++ .mode = 0600,
25636 ++ .proc_handler = &proc_dointvec,
25637 ++ },
25638 ++ {
25639 ++ .ctl_name = GS_SOCKET_ALL_GID,
25640 ++ .procname = "socket_all_gid",
25641 ++ .data = &grsec_socket_all_gid,
25642 ++ .maxlen = sizeof(int),
25643 ++ .mode = 0600,
25644 ++ .proc_handler = &proc_dointvec,
25645 ++ },
25646 ++#endif
25647 ++#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
25648 ++ {
25649 ++ .ctl_name = GS_SOCKET_CLIENT,
25650 ++ .procname = "socket_client",
25651 ++ .data = &grsec_enable_socket_client,
25652 ++ .maxlen = sizeof(int),
25653 ++ .mode = 0600,
25654 ++ .proc_handler = &proc_dointvec,
25655 ++ },
25656 ++ {
25657 ++ .ctl_name = GS_SOCKET_CLIENT_GID,
25658 ++ .procname = "socket_client_gid",
25659 ++ .data = &grsec_socket_client_gid,
25660 ++ .maxlen = sizeof(int),
25661 ++ .mode = 0600,
25662 ++ .proc_handler = &proc_dointvec,
25663 ++ },
25664 ++#endif
25665 ++#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
25666 ++ {
25667 ++ .ctl_name = GS_SOCKET_SERVER,
25668 ++ .procname = "socket_server",
25669 ++ .data = &grsec_enable_socket_server,
25670 ++ .maxlen = sizeof(int),
25671 ++ .mode = 0600,
25672 ++ .proc_handler = &proc_dointvec,
25673 ++ },
25674 ++ {
25675 ++ .ctl_name = GS_SOCKET_SERVER_GID,
25676 ++ .procname = "socket_server_gid",
25677 ++ .data = &grsec_socket_server_gid,
25678 ++ .maxlen = sizeof(int),
25679 ++ .mode = 0600,
25680 ++ .proc_handler = &proc_dointvec,
25681 ++ },
25682 ++#endif
25683 ++#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
25684 ++ {
25685 ++ .ctl_name = GS_GROUP,
25686 ++ .procname = "audit_group",
25687 ++ .data = &grsec_enable_group,
25688 ++ .maxlen = sizeof(int),
25689 ++ .mode = 0600,
25690 ++ .proc_handler = &proc_dointvec,
25691 ++ },
25692 ++ {
25693 ++ .ctl_name = GS_GID,
25694 ++ .procname = "audit_gid",
25695 ++ .data = &grsec_audit_gid,
25696 ++ .maxlen = sizeof(int),
25697 ++ .mode = 0600,
25698 ++ .proc_handler = &proc_dointvec,
25699 ++ },
25700 ++#endif
25701 ++#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
25702 ++ {
25703 ++ .ctl_name = GS_ACHDIR,
25704 ++ .procname = "audit_chdir",
25705 ++ .data = &grsec_enable_chdir,
25706 ++ .maxlen = sizeof(int),
25707 ++ .mode = 0600,
25708 ++ .proc_handler = &proc_dointvec,
25709 ++ },
25710 ++#endif
25711 ++#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
25712 ++ {
25713 ++ .ctl_name = GS_AMOUNT,
25714 ++ .procname = "audit_mount",
25715 ++ .data = &grsec_enable_mount,
25716 ++ .maxlen = sizeof(int),
25717 ++ .mode = 0600,
25718 ++ .proc_handler = &proc_dointvec,
25719 ++ },
25720 ++#endif
25721 ++#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
25722 ++ {
25723 ++ .ctl_name = GS_AIPC,
25724 ++ .procname = "audit_ipc",
25725 ++ .data = &grsec_enable_audit_ipc,
25726 ++ .maxlen = sizeof(int),
25727 ++ .mode = 0600,
25728 ++ .proc_handler = &proc_dointvec,
25729 ++ },
25730 ++#endif
25731 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
25732 ++ {
25733 ++ .ctl_name = GS_TEXTREL,
25734 ++ .procname = "audit_textrel",
25735 ++ .data = &grsec_enable_audit_textrel,
25736 ++ .maxlen = sizeof(int),
25737 ++ .mode = 0600,
25738 ++ .proc_handler = &proc_dointvec,
25739 ++ },
25740 ++#endif
25741 ++#ifdef CONFIG_GRKERNSEC_DMESG
25742 ++ {
25743 ++ .ctl_name = GS_DMSG,
25744 ++ .procname = "dmesg",
25745 ++ .data = &grsec_enable_dmesg,
25746 ++ .maxlen = sizeof(int),
25747 ++ .mode = 0600,
25748 ++ .proc_handler = &proc_dointvec,
25749 ++ },
25750 ++#endif
25751 ++#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
25752 ++ {
25753 ++ .ctl_name = GS_FINDTASK,
25754 ++ .procname = "chroot_findtask",
25755 ++ .data = &grsec_enable_chroot_findtask,
25756 ++ .maxlen = sizeof(int),
25757 ++ .mode = 0600,
25758 ++ .proc_handler = &proc_dointvec,
25759 ++ },
25760 ++#endif
25761 ++#ifdef CONFIG_GRKERNSEC_SHM
25762 ++ {
25763 ++ .ctl_name = GS_SHM,
25764 ++ .procname = "destroy_unused_shm",
25765 ++ .data = &grsec_enable_shm,
25766 ++ .maxlen = sizeof(int),
25767 ++ .mode = 0600,
25768 ++ .proc_handler = &proc_dointvec,
25769 ++ },
25770 ++#endif
25771 ++#ifdef CONFIG_GRKERNSEC_RESLOG
25772 ++ {
25773 ++ .ctl_name = GS_RESLOG,
25774 ++ .procname = "resource_logging",
25775 ++ .data = &grsec_resource_logging,
25776 ++ .maxlen = sizeof(int),
25777 ++ .mode = 0600,
25778 ++ .proc_handler = &proc_dointvec,
25779 ++ },
25780 ++#endif
25781 ++ {
25782 ++ .ctl_name = GS_LOCK,
25783 ++ .procname = "grsec_lock",
25784 ++ .data = &grsec_lock,
25785 ++ .maxlen = sizeof(int),
25786 ++ .mode = 0600,
25787 ++ .proc_handler = &proc_dointvec,
25788 ++ },
25789 ++#endif
25790 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25791 ++ {
25792 ++ .ctl_name = GS_MODSTOP,
25793 ++ .procname = "disable_modules",
25794 ++ .data = &grsec_modstop,
25795 ++ .maxlen = sizeof(int),
25796 ++ .mode = 0600,
25797 ++ .proc_handler = &proc_dointvec,
25798 ++ },
25799 ++#endif
25800 ++ { .ctl_name = 0 }
25801 ++};
25802 ++#endif
25803 ++
25804 ++int gr_check_modstop(void)
25805 ++{
25806 ++#ifdef CONFIG_GRKERNSEC_MODSTOP
25807 ++ if (grsec_modstop == 1) {
25808 ++ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
25809 ++ return 1;
25810 ++ }
25811 ++#endif
25812 ++ return 0;
25813 ++}
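Review bot: every entry in this sysctl table uses `proc_dointvec` with no `extra1`/`extra2` bounds, yet `gr_check_modstop()` tests `grsec_modstop == 1`, so writing any other non-zero value to `disable_modules` is accepted by the sysctl layer but silently leaves module loading enabled. Either clamp the boolean knobs with `proc_dointvec_minmax` and a 0..1 range, or test `if (grsec_modstop)` so any non-zero value behaves as "on"; the same applies to the other `grsec_enable_*` flags, which are tested for truthiness elsewhere in the patch while `grsec_modstop` is tested for equality.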
25814 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_textrel.c linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c
25815 +--- linux-2.6.23.15/grsecurity/grsec_textrel.c 1970-01-01 01:00:00.000000000 +0100
25816 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c 2008-02-11 10:37:44.000000000 +0000
25817 +@@ -0,0 +1,16 @@
25818 ++#include <linux/kernel.h>
25819 ++#include <linux/sched.h>
25820 ++#include <linux/mm.h>
25821 ++#include <linux/file.h>
25822 ++#include <linux/grinternal.h>
25823 ++#include <linux/grsecurity.h>
25824 ++
25825 ++void
25826 ++gr_log_textrel(struct vm_area_struct * vma)
25827 ++{
25828 ++#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
25829 ++ if (grsec_enable_audit_textrel)
25830 ++ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
25831 ++#endif
25832 ++ return;
25833 ++}
25834 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_time.c linux-2.6.23.15-grsec/grsecurity/grsec_time.c
25835 +--- linux-2.6.23.15/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100
25836 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_time.c 2008-02-11 10:37:44.000000000 +0000
25837 +@@ -0,0 +1,13 @@
25838 ++#include <linux/kernel.h>
25839 ++#include <linux/sched.h>
25840 ++#include <linux/grinternal.h>
25841 ++
25842 ++void
25843 ++gr_log_timechange(void)
25844 ++{
25845 ++#ifdef CONFIG_GRKERNSEC_TIME
25846 ++ if (grsec_enable_time)
25847 ++ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
25848 ++#endif
25849 ++ return;
25850 ++}
25851 +diff -Nurp linux-2.6.23.15/grsecurity/grsec_tpe.c linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c
25852 +--- linux-2.6.23.15/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100
25853 ++++ linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c 2008-02-11 10:37:44.000000000 +0000
25854 +@@ -0,0 +1,37 @@
25855 ++#include <linux/kernel.h>
25856 ++#include <linux/sched.h>
25857 ++#include <linux/file.h>
25858 ++#include <linux/fs.h>
25859 ++#include <linux/grinternal.h>
25860 ++
25861 ++extern int gr_acl_tpe_check(void);
25862 ++
25863 ++int
25864 ++gr_tpe_allow(const struct file *file)
25865 ++{
25866 ++#ifdef CONFIG_GRKERNSEC
25867 ++ struct inode *inode = file->f_dentry->d_parent->d_inode;
25868 ++
25869 ++ if (current->uid && ((grsec_enable_tpe &&
25870 ++#ifdef CONFIG_GRKERNSEC_TPE_INVERT
25871 ++ !in_group_p(grsec_tpe_gid)
25872 ++#else
25873 ++ in_group_p(grsec_tpe_gid)
25874 ++#endif
25875 ++ ) || gr_acl_tpe_check()) &&
25876 ++ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
25877 ++ (inode->i_mode & S_IWOTH))))) {
25878 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
25879 ++ return 0;
25880 ++ }
25881 ++#ifdef CONFIG_GRKERNSEC_TPE_ALL
25882 ++ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
25883 ++ ((inode->i_uid && (inode->i_uid != current->uid)) ||
25884 ++ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
25885 ++ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
25886 ++ return 0;
25887 ++ }
25888 ++#endif
25889 ++#endif
25890 ++ return 1;
25891 ++}
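Review bot: `file->f_dentry->d_parent->d_inode` follows `d_parent` without `dget_parent()` or holding `dcache_lock`, so a concurrent rename can change the parent under this check; take a reference with `dget_parent()` (and `dput()` it) before reading the parent's `i_uid`/`i_mode`. The condition `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))` is also redundant, since the first disjunct already covers `i_uid != 0`; it simplifies to `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))`, which makes the policy ("directory not owned by root, or writable by group/other") easier to audit.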
25892 +diff -Nurp linux-2.6.23.15/grsecurity/grsum.c linux-2.6.23.15-grsec/grsecurity/grsum.c
25893 +--- linux-2.6.23.15/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100
25894 ++++ linux-2.6.23.15-grsec/grsecurity/grsum.c 2008-02-11 10:37:44.000000000 +0000
25895 +@@ -0,0 +1,59 @@
25896 ++#include <linux/err.h>
25897 ++#include <linux/kernel.h>
25898 ++#include <linux/sched.h>
25899 ++#include <linux/mm.h>
25900 ++#include <linux/scatterlist.h>
25901 ++#include <linux/crypto.h>
25902 ++#include <linux/gracl.h>
25903 ++
25904 ++
25905 ++#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
25906 ++#error "crypto and sha256 must be built into the kernel"
25907 ++#endif
25908 ++
25909 ++int
25910 ++chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
25911 ++{
25912 ++ char *p;
25913 ++ struct crypto_hash *tfm;
25914 ++ struct hash_desc desc;
25915 ++ struct scatterlist sg;
25916 ++ unsigned char temp_sum[GR_SHA_LEN];
25917 ++ volatile int retval = 0;
25918 ++ volatile int dummy = 0;
25919 ++ unsigned int i;
25920 ++
25921 ++ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
25922 ++ if (IS_ERR(tfm)) {
25923 ++ /* should never happen, since sha256 should be built in */
25924 ++ return 1;
25925 ++ }
25926 ++
25927 ++ desc.tfm = tfm;
25928 ++ desc.flags = 0;
25929 ++
25930 ++ crypto_hash_init(&desc);
25931 ++
25932 ++ p = salt;
25933 ++ sg_set_buf(&sg, p, GR_SALT_LEN);
25934 ++ crypto_hash_update(&desc, &sg, sg.length);
25935 ++
25936 ++ p = entry->pw;
25937 ++ sg_set_buf(&sg, p, strlen(p));
25938 ++
25939 ++ crypto_hash_update(&desc, &sg, sg.length);
25940 ++
25941 ++ crypto_hash_final(&desc, temp_sum);
25942 ++
25943 ++ memset(entry->pw, 0, GR_PW_LEN);
25944 ++
25945 ++ for (i = 0; i < GR_SHA_LEN; i++)
25946 ++ if (sum[i] != temp_sum[i])
25947 ++ retval = 1;
25948 ++ else
25949 ++ dummy = 1; // waste a cycle
25950 ++
25951 ++ crypto_free_hash(tfm);
25952 ++
25953 ++ return retval;
25954 ++}
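Review bot: `sg_set_buf(&sg, p, strlen(p))` with `p = entry->pw` trusts that the password buffer is NUL-terminated, but the later `memset(entry->pw, 0, GR_PW_LEN)` shows it is a fixed `GR_PW_LEN` array filled from userspace; use `strnlen(p, GR_PW_LEN)` so an unterminated buffer cannot make the hash read past it. The return values of `crypto_hash_init`/`crypto_hash_update`/`crypto_hash_final` are unchecked (a failure would compare against an uninitialised `temp_sum`), and `temp_sum` itself is not wiped before return, unlike `entry->pw`. The `dummy = 1; // waste a cycle` branch is an attempt at a constant-time compare; a comment stating that intent, and a single `memcmp`-free loop that ORs the XOR of each byte into `retval`, would make it clearer and less dependent on what the compiler does with the `volatile` locals.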
25955 +diff -Nurp linux-2.6.23.15/include/asm-alpha/a.out.h linux-2.6.23.15-grsec/include/asm-alpha/a.out.h
25956 +--- linux-2.6.23.15/include/asm-alpha/a.out.h 2007-10-09 21:31:38.000000000 +0100
25957 ++++ linux-2.6.23.15-grsec/include/asm-alpha/a.out.h 2008-02-11 10:37:44.000000000 +0000
25958 +@@ -98,7 +98,7 @@ struct exec
25959 + set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
25960 + ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
25961 +
25962 +-#define STACK_TOP \
25963 ++#define __STACK_TOP \
25964 + (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
25965 +
25966 + #define STACK_TOP_MAX 0x00120000000UL
25967 +diff -Nurp linux-2.6.23.15/include/asm-alpha/elf.h linux-2.6.23.15-grsec/include/asm-alpha/elf.h
25968 +--- linux-2.6.23.15/include/asm-alpha/elf.h 2007-10-09 21:31:38.000000000 +0100
25969 ++++ linux-2.6.23.15-grsec/include/asm-alpha/elf.h 2008-02-11 10:37:44.000000000 +0000
25970 +@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
25971 +
25972 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
25973 +
25974 ++#ifdef CONFIG_PAX_ASLR
25975 ++#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25976 ++
25977 ++#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
25978 ++#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
25979 ++#endif
25980 ++
25981 + /* $0 is set by ld.so to a pointer to a function which might be
25982 + registered using atexit. This provides a mean for the dynamic
25983 + linker to call DT_FINI functions for shared libraries that have
25984 +diff -Nurp linux-2.6.23.15/include/asm-alpha/kmap_types.h linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h
25985 +--- linux-2.6.23.15/include/asm-alpha/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
25986 ++++ linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
25987 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
25988 + D(10) KM_IRQ1,
25989 + D(11) KM_SOFTIRQ0,
25990 + D(12) KM_SOFTIRQ1,
25991 +-D(13) KM_TYPE_NR
25992 ++D(13) KM_CLEARPAGE,
25993 ++D(14) KM_TYPE_NR
25994 + };
25995 +
25996 + #undef D
25997 +diff -Nurp linux-2.6.23.15/include/asm-alpha/pgtable.h linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h
25998 +--- linux-2.6.23.15/include/asm-alpha/pgtable.h 2007-10-09 21:31:38.000000000 +0100
25999 ++++ linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h 2008-02-11 10:37:44.000000000 +0000
26000 +@@ -101,6 +101,17 @@ struct vm_area_struct;
26001 + #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
26002 + #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26003 + #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26004 ++
26005 ++#ifdef CONFIG_PAX_PAGEEXEC
26006 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
26007 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
26008 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
26009 ++#else
26010 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
26011 ++# define PAGE_COPY_NOEXEC PAGE_COPY
26012 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
26013 ++#endif
26014 ++
26015 + #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
26016 +
26017 + #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
26018 +diff -Nurp linux-2.6.23.15/include/asm-arm/a.out.h linux-2.6.23.15-grsec/include/asm-arm/a.out.h
26019 +--- linux-2.6.23.15/include/asm-arm/a.out.h 2007-10-09 21:31:38.000000000 +0100
26020 ++++ linux-2.6.23.15-grsec/include/asm-arm/a.out.h 2008-02-11 10:37:44.000000000 +0000
26021 +@@ -28,7 +28,7 @@ struct exec
26022 + #define M_ARM 103
26023 +
26024 + #ifdef __KERNEL__
26025 +-#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
26026 ++#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
26027 + TASK_SIZE : TASK_SIZE_26)
26028 + #define STACK_TOP_MAX TASK_SIZE
26029 + #endif
26030 +diff -Nurp linux-2.6.23.15/include/asm-arm/elf.h linux-2.6.23.15-grsec/include/asm-arm/elf.h
26031 +--- linux-2.6.23.15/include/asm-arm/elf.h 2007-10-09 21:31:38.000000000 +0100
26032 ++++ linux-2.6.23.15-grsec/include/asm-arm/elf.h 2008-02-11 10:37:44.000000000 +0000
26033 +@@ -90,6 +90,13 @@ extern char elf_platform[];
26034 +
26035 + #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
26036 +
26037 ++#ifdef CONFIG_PAX_ASLR
26038 ++#define PAX_ELF_ET_DYN_BASE 0x00008000UL
26039 ++
26040 ++#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
26041 ++#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
26042 ++#endif
26043 ++
26044 + /* When the program starts, a1 contains a pointer to a function to be
26045 + registered with atexit, as per the SVR4 ABI. A value of 0 means we
26046 + have no such handler. */
26047 +diff -Nurp linux-2.6.23.15/include/asm-arm/kmap_types.h linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h
26048 +--- linux-2.6.23.15/include/asm-arm/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26049 ++++ linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26050 +@@ -18,6 +18,7 @@ enum km_type {
26051 + KM_IRQ1,
26052 + KM_SOFTIRQ0,
26053 + KM_SOFTIRQ1,
26054 ++ KM_CLEARPAGE,
26055 + KM_TYPE_NR
26056 + };
26057 +
26058 +diff -Nurp linux-2.6.23.15/include/asm-avr32/a.out.h linux-2.6.23.15-grsec/include/asm-avr32/a.out.h
26059 +--- linux-2.6.23.15/include/asm-avr32/a.out.h 2007-10-09 21:31:38.000000000 +0100
26060 ++++ linux-2.6.23.15-grsec/include/asm-avr32/a.out.h 2008-02-11 10:37:44.000000000 +0000
26061 +@@ -19,8 +19,8 @@ struct exec
26062 +
26063 + #ifdef __KERNEL__
26064 +
26065 +-#define STACK_TOP TASK_SIZE
26066 +-#define STACK_TOP_MAX STACK_TOP
26067 ++#define __STACK_TOP TASK_SIZE
26068 ++#define STACK_TOP_MAX __STACK_TOP
26069 +
26070 + #endif
26071 +
26072 +diff -Nurp linux-2.6.23.15/include/asm-avr32/elf.h linux-2.6.23.15-grsec/include/asm-avr32/elf.h
26073 +--- linux-2.6.23.15/include/asm-avr32/elf.h 2007-10-09 21:31:38.000000000 +0100
26074 ++++ linux-2.6.23.15-grsec/include/asm-avr32/elf.h 2008-02-11 10:37:44.000000000 +0000
26075 +@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
26076 + the loader. We need to make sure that it is out of the way of the program
26077 + that it will "exec", and that there is sufficient room for the brk. */
26078 +
26079 +-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
26080 ++#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
26081 +
26082 ++#ifdef CONFIG_PAX_ASLR
26083 ++#define PAX_ELF_ET_DYN_BASE 0x00001000UL
26084 ++
26085 ++#define PAX_DELTA_MMAP_LEN 15
26086 ++#define PAX_DELTA_STACK_LEN 15
26087 ++#endif
26088 +
26089 + /* This yields a mask that user programs can use to figure out what
26090 + instruction set this CPU supports. This could be done in user space,
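Review bot: `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` is a semantic change, not a cosmetic one: dividing first avoids `2 * TASK_SIZE` overflowing when `TASK_SIZE` is near the top of a 32-bit address space, but the result can differ from the original by up to two bytes of truncation. A one-line comment stating the overflow motivation would help, and it should be noted that this brings avr32 in line with the i386 `ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` form used later in this patch.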
26091 +diff -Nurp linux-2.6.23.15/include/asm-avr32/kmap_types.h linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h
26092 +--- linux-2.6.23.15/include/asm-avr32/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26093 ++++ linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26094 +@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
26095 + D(11) KM_IRQ1,
26096 + D(12) KM_SOFTIRQ0,
26097 + D(13) KM_SOFTIRQ1,
26098 +-D(14) KM_TYPE_NR
26099 ++D(14) KM_CLEARPAGE,
26100 ++D(15) KM_TYPE_NR
26101 + };
26102 +
26103 + #undef D
26104 +diff -Nurp linux-2.6.23.15/include/asm-blackfin/kmap_types.h linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h
26105 +--- linux-2.6.23.15/include/asm-blackfin/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26106 ++++ linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26107 +@@ -15,6 +15,7 @@ enum km_type {
26108 + KM_IRQ1,
26109 + KM_SOFTIRQ0,
26110 + KM_SOFTIRQ1,
26111 ++ KM_CLEARPAGE,
26112 + KM_TYPE_NR
26113 + };
26114 +
26115 +diff -Nurp linux-2.6.23.15/include/asm-cris/kmap_types.h linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h
26116 +--- linux-2.6.23.15/include/asm-cris/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26117 ++++ linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26118 +@@ -19,6 +19,7 @@ enum km_type {
26119 + KM_IRQ1,
26120 + KM_SOFTIRQ0,
26121 + KM_SOFTIRQ1,
26122 ++ KM_CLEARPAGE,
26123 + KM_TYPE_NR
26124 + };
26125 +
26126 +diff -Nurp linux-2.6.23.15/include/asm-frv/kmap_types.h linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h
26127 +--- linux-2.6.23.15/include/asm-frv/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26128 ++++ linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26129 +@@ -23,6 +23,7 @@ enum km_type {
26130 + KM_IRQ1,
26131 + KM_SOFTIRQ0,
26132 + KM_SOFTIRQ1,
26133 ++ KM_CLEARPAGE,
26134 + KM_TYPE_NR
26135 + };
26136 +
26137 +diff -Nurp linux-2.6.23.15/include/asm-generic/futex.h linux-2.6.23.15-grsec/include/asm-generic/futex.h
26138 +--- linux-2.6.23.15/include/asm-generic/futex.h 2007-10-09 21:31:38.000000000 +0100
26139 ++++ linux-2.6.23.15-grsec/include/asm-generic/futex.h 2008-02-11 10:37:44.000000000 +0000
26140 +@@ -8,7 +8,7 @@
26141 + #include <asm/uaccess.h>
26142 +
26143 + static inline int
26144 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
26145 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
26146 + {
26147 + int op = (encoded_op >> 28) & 7;
26148 + int cmp = (encoded_op >> 24) & 15;
26149 +@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
26150 + }
26151 +
26152 + static inline int
26153 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
26154 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
26155 + {
26156 + return -ENOSYS;
26157 + }
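Review bot: changing `futex_atomic_op_inuser` and `futex_atomic_cmpxchg_inatomic` to take `u32 __user *uaddr` must be mirrored in every architecture's `asm/futex.h` and at the call sites in `kernel/futex.c`, otherwise the build breaks with pointer-type mismatches; this section of the patch only shows the generic and i386 headers being updated, so the commit should confirm the remaining architectures were converted as well.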
26158 +diff -Nurp linux-2.6.23.15/include/asm-generic/vmlinux.lds.h linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h
26159 +--- linux-2.6.23.15/include/asm-generic/vmlinux.lds.h 2007-10-09 21:31:38.000000000 +0100
26160 ++++ linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h 2008-02-11 10:37:44.000000000 +0000
26161 +@@ -19,6 +19,7 @@
26162 + .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
26163 + VMLINUX_SYMBOL(__start_rodata) = .; \
26164 + *(.rodata) *(.rodata.*) \
26165 ++ *(.data.read_only) \
26166 + *(__vermagic) /* Kernel version magic */ \
26167 + } \
26168 + \
26169 +diff -Nurp linux-2.6.23.15/include/asm-h8300/kmap_types.h linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h
26170 +--- linux-2.6.23.15/include/asm-h8300/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26171 ++++ linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26172 +@@ -15,6 +15,7 @@ enum km_type {
26173 + KM_IRQ1,
26174 + KM_SOFTIRQ0,
26175 + KM_SOFTIRQ1,
26176 ++ KM_CLEARPAGE,
26177 + KM_TYPE_NR
26178 + };
26179 +
26180 +diff -Nurp linux-2.6.23.15/include/asm-i386/a.out.h linux-2.6.23.15-grsec/include/asm-i386/a.out.h
26181 +--- linux-2.6.23.15/include/asm-i386/a.out.h 2007-10-09 21:31:38.000000000 +0100
26182 ++++ linux-2.6.23.15-grsec/include/asm-i386/a.out.h 2008-02-11 10:37:44.000000000 +0000
26183 +@@ -19,8 +19,13 @@ struct exec
26184 +
26185 + #ifdef __KERNEL__
26186 +
26187 +-#define STACK_TOP TASK_SIZE
26188 +-#define STACK_TOP_MAX STACK_TOP
26189 ++#ifdef CONFIG_PAX_SEGMEXEC
26190 ++#define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
26191 ++#else
26192 ++#define __STACK_TOP TASK_SIZE
26193 ++#endif
26194 ++
26195 ++#define STACK_TOP_MAX TASK_SIZE
26196 +
26197 + #endif
26198 +
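Review bot: the SEGMEXEC form of `__STACK_TOP` dereferences `current->mm->pax_flags`, so any caller that evaluates it for a task without an `mm` (kernel threads, or before `bprm->mm` is installed during exec) would oops where the old `TASK_SIZE` constant did not; a comment stating that callers must have a valid `current->mm` would make that contract explicit. Minor style: `(current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE` is missing the spaces around `?` and `:` used elsewhere in this patch.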
26199 +diff -Nurp linux-2.6.23.15/include/asm-i386/alternative.h linux-2.6.23.15-grsec/include/asm-i386/alternative.h
26200 +--- linux-2.6.23.15/include/asm-i386/alternative.h 2007-10-09 21:31:38.000000000 +0100
26201 ++++ linux-2.6.23.15-grsec/include/asm-i386/alternative.h 2008-02-11 10:37:44.000000000 +0000
26202 +@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
26203 + " .byte 662b-661b\n" /* sourcelen */ \
26204 + " .byte 664f-663f\n" /* replacementlen */ \
26205 + ".previous\n" \
26206 +- ".section .altinstr_replacement,\"ax\"\n" \
26207 ++ ".section .altinstr_replacement,\"a\"\n" \
26208 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
26209 + ".previous" :: "i" (feature) : "memory")
26210 +
26211 +@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
26212 + " .byte 662b-661b\n" /* sourcelen */ \
26213 + " .byte 664f-663f\n" /* replacementlen */ \
26214 + ".previous\n" \
26215 +- ".section .altinstr_replacement,\"ax\"\n" \
26216 ++ ".section .altinstr_replacement,\"a\"\n" \
26217 + "663:\n\t" newinstr "\n664:\n" /* replacement */\
26218 + ".previous" :: "i" (feature), ##input)
26219 +
26220 +@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
26221 + " .byte 662b-661b\n" /* sourcelen */ \
26222 + " .byte 664f-663f\n" /* replacementlen */ \
26223 + ".previous\n" \
26224 +- ".section .altinstr_replacement,\"ax\"\n" \
26225 ++ ".section .altinstr_replacement,\"a\"\n" \
26226 + "663:\n\t" newinstr "\n664:\n" /* replacement */ \
26227 + ".previous" : output : [feat] "i" (feature), ##input)
26228 +
26229 +diff -Nurp linux-2.6.23.15/include/asm-i386/apic.h linux-2.6.23.15-grsec/include/asm-i386/apic.h
26230 +--- linux-2.6.23.15/include/asm-i386/apic.h 2007-10-09 21:31:38.000000000 +0100
26231 ++++ linux-2.6.23.15-grsec/include/asm-i386/apic.h 2008-02-11 10:37:44.000000000 +0000
26232 +@@ -8,7 +8,7 @@
26233 + #include <asm/processor.h>
26234 + #include <asm/system.h>
26235 +
26236 +-#define Dprintk(x...)
26237 ++#define Dprintk(x...) do {} while (0)
26238 +
26239 + /*
26240 + * Debugging macros
26241 +diff -Nurp linux-2.6.23.15/include/asm-i386/cache.h linux-2.6.23.15-grsec/include/asm-i386/cache.h
26242 +--- linux-2.6.23.15/include/asm-i386/cache.h 2007-10-09 21:31:38.000000000 +0100
26243 ++++ linux-2.6.23.15-grsec/include/asm-i386/cache.h 2008-02-11 10:37:44.000000000 +0000
26244 +@@ -10,5 +10,6 @@
26245 + #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
26246 +
26247 + #define __read_mostly __attribute__((__section__(".data.read_mostly")))
26248 ++#define __read_only __attribute__((__section__(".data.read_only")))
26249 +
26250 + #endif
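Review bot: `__read_only` is defined only in `asm-i386/cache.h`, while the `.data.read_only` input section it targets is collected in the architecture-independent `asm-generic/vmlinux.lds.h` hunk above; any generic code that is later annotated `__read_only` will fail to compile on every other architecture. Add a fallback such as `#ifndef __read_only` / `#define __read_only` in `linux/cache.h`, or define it per-architecture alongside the linker-script change.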
26251 +diff -Nurp linux-2.6.23.15/include/asm-i386/checksum.h linux-2.6.23.15-grsec/include/asm-i386/checksum.h
26252 +--- linux-2.6.23.15/include/asm-i386/checksum.h 2007-10-09 21:31:38.000000000 +0100
26253 ++++ linux-2.6.23.15-grsec/include/asm-i386/checksum.h 2008-02-11 10:37:44.000000000 +0000
26254 +@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
26255 + asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
26256 + int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26257 +
26258 ++asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
26259 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26260 ++
26261 ++asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
26262 ++ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
26263 ++
26264 + /*
26265 + * Note: when you get a NULL pointer exception here this means someone
26266 + * passed in an incorrect kernel address to one of these functions.
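Review bot: `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` are declared without a comment explaining why two extra variants of `csum_partial_copy_generic` are needed, and their assembly implementations are not in this header; add a short comment (they exist so the user-space side of the copy can be accessed through the user data segment, which the plain variant cannot do) and make sure `arch/i386/lib/checksum.S` in this patch provides both symbols, or the two wrappers changed in the next hunks will fail to link.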
26267 +@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
26268 + int len, __wsum sum, int *err_ptr)
26269 + {
26270 + might_sleep();
26271 +- return csum_partial_copy_generic((__force void *)src, dst,
26272 ++ return csum_partial_copy_generic_from_user((__force void *)src, dst,
26273 + len, sum, err_ptr, NULL);
26274 + }
26275 +
26276 +@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
26277 + {
26278 + might_sleep();
26279 + if (access_ok(VERIFY_WRITE, dst, len))
26280 +- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
26281 ++ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
26282 +
26283 + if (len)
26284 + *err_ptr = -EFAULT;
26285 +diff -Nurp linux-2.6.23.15/include/asm-i386/desc.h linux-2.6.23.15-grsec/include/asm-i386/desc.h
26286 +--- linux-2.6.23.15/include/asm-i386/desc.h 2007-10-09 21:31:38.000000000 +0100
26287 ++++ linux-2.6.23.15-grsec/include/asm-i386/desc.h 2008-02-11 10:37:44.000000000 +0000
26288 +@@ -7,26 +7,22 @@
26289 + #ifndef __ASSEMBLY__
26290 +
26291 + #include <linux/preempt.h>
26292 +-#include <linux/smp.h>
26293 + #include <linux/percpu.h>
26294 ++#include <linux/smp.h>
26295 +
26296 + #include <asm/mmu.h>
26297 +
26298 ++extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
26299 ++
26300 + struct Xgt_desc_struct {
26301 + unsigned short size;
26302 +- unsigned long address __attribute__((packed));
26303 ++ struct desc_struct *address __attribute__((packed));
26304 + unsigned short pad;
26305 + } __attribute__ ((packed));
26306 +
26307 +-struct gdt_page
26308 +-{
26309 +- struct desc_struct gdt[GDT_ENTRIES];
26310 +-} __attribute__((aligned(PAGE_SIZE)));
26311 +-DECLARE_PER_CPU(struct gdt_page, gdt_page);
26312 +-
26313 + static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
26314 + {
26315 +- return per_cpu(gdt_page, cpu).gdt;
26316 ++ return cpu_gdt_table[cpu];
26317 + }
26318 +
26319 + extern struct Xgt_desc_struct idt_descr;
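Review bot: changing `Xgt_desc_struct.address` from `unsigned long` to `struct desc_struct *` alters the type of a field loaded via `lgdt`/`lidt`, so every initializer and assignment of `.address` (for example `idt_descr` and the GDT descriptors set up in `arch/i386/kernel`) must be updated in this patch or they will produce pointer/integer conversion warnings. Replacing the per-cpu `gdt_page` with a static `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` also costs one page per possible CPU regardless of how many are online; the hunk gives no reason for reverting the per-cpu layout, and a comment stating the motivation (presumably to keep the GDT in a region whose protection KERNEXEC controls) would help future maintainers.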
26320 +@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
26321 + static inline void write_dt_entry(struct desc_struct *dt,
26322 + int entry, u32 entry_low, u32 entry_high)
26323 + {
26324 ++
26325 ++#ifdef CONFIG_PAX_KERNEXEC
26326 ++ unsigned long cr0;
26327 ++
26328 ++ pax_open_kernel(cr0);
26329 ++#endif
26330 ++
26331 + dt[entry].a = entry_low;
26332 + dt[entry].b = entry_high;
26333 ++
26334 ++#ifdef CONFIG_PAX_KERNEXEC
26335 ++ pax_close_kernel(cr0);
26336 ++#endif
26337 ++
26338 + }
26339 +
26340 + static inline void native_set_ldt(const void *addr, unsigned int entries)
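Review bot: the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` pair around the two stores is fine, but the body of `write_dt_entry` now starts and ends with stray blank lines (`{` followed by an empty line, and an empty line before `}`), which does not match the surrounding kernel style; the same applies to the `native_load_tls` hunk below. A comment noting that `cr0` is only used to save and restore the write-protect state would also make the otherwise unexplained local clearer.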
26341 +@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
26342 + unsigned int i;
26343 + struct desc_struct *gdt = get_cpu_gdt_table(cpu);
26344 +
26345 ++#ifdef CONFIG_PAX_KERNEXEC
26346 ++ unsigned long cr0;
26347 ++
26348 ++ pax_open_kernel(cr0);
26349 ++#endif
26350 ++
26351 + for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
26352 + gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
26353 ++
26354 ++#ifdef CONFIG_PAX_KERNEXEC
26355 ++ pax_close_kernel(cr0);
26356 ++#endif
26357 ++
26358 + }
26359 +
26360 + static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
26361 +@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
26362 + ((info)->seg_32bit << 22) | \
26363 + ((info)->limit_in_pages << 23) | \
26364 + ((info)->useable << 20) | \
26365 +- 0x7000)
26366 ++ 0x7100)
26367 +
26368 + #define LDT_empty(info) (\
26369 + (info)->base_addr == 0 && \
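Review bot: `0x7000` to `0x7100` sets bit 8 of the descriptor's high dword, which is the segment "accessed" bit; pre-setting it means the CPU never has to write the descriptor on first use, which matters once the descriptor tables are kept read-only under KERNEXEC, but nothing in the hunk says so. Add a comment on the constant, and note that it is consistent with the `0xFB` access byte used in `set_user_cs` later in this file, whose type nibble also has the accessed bit set.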
26370 +@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
26371 + preempt_enable();
26372 + }
26373 +
26374 +-static inline unsigned long get_desc_base(unsigned long *desc)
26375 ++static inline unsigned long get_desc_base(struct desc_struct *desc)
26376 + {
26377 + unsigned long base;
26378 +- base = ((desc[0] >> 16) & 0x0000ffff) |
26379 +- ((desc[1] << 16) & 0x00ff0000) |
26380 +- (desc[1] & 0xff000000);
26381 ++ base = ((desc->a >> 16) & 0x0000ffff) |
26382 ++ ((desc->b << 16) & 0x00ff0000) |
26383 ++ (desc->b & 0xff000000);
26384 + return base;
26385 + }
26386 +
26387 ++static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
26388 ++{
26389 ++ __u32 a, b;
26390 ++
26391 ++ if (likely(limit))
26392 ++ limit = (limit - 1UL) >> PAGE_SHIFT;
26393 ++ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
26394 ++ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
26395 ++}
26396 ++
26397 + #else /* __ASSEMBLY__ */
26398 +
26399 + /*
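Review bot: `set_user_cs` packs the descriptor with the magic values `0xFB` (present, DPL 3, code, readable, accessed) and `0xC` (4 KiB granularity, 32-bit), and these deserve a comment. More importantly, the `if (likely(limit)) limit = (limit - 1UL) >> PAGE_SHIFT;` path leaves `limit == 0` in the descriptor when the caller passes 0, but with the granularity bit set a limit field of 0 still describes a 4 KiB segment, not an empty one; if a zero-length code segment is the intent for the non-SEGMEXEC case the hunk should say how that is handled, and `get_desc_base` changing its parameter to `struct desc_struct *` means all existing callers passing `unsigned long *` must be converted in this patch.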
26400 +diff -Nurp linux-2.6.23.15/include/asm-i386/elf.h linux-2.6.23.15-grsec/include/asm-i386/elf.h
26401 +--- linux-2.6.23.15/include/asm-i386/elf.h 2007-10-09 21:31:38.000000000 +0100
26402 ++++ linux-2.6.23.15-grsec/include/asm-i386/elf.h 2008-02-11 10:37:44.000000000 +0000
26403 +@@ -73,7 +73,18 @@ typedef struct user_fxsr_struct elf_fpxr
26404 + the loader. We need to make sure that it is out of the way of the program
26405 + that it will "exec", and that there is sufficient room for the brk. */
26406 +
26407 ++#ifdef CONFIG_PAX_SEGMEXEC
26408 ++#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
26409 ++#else
26410 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
26411 ++#endif
26412 ++
26413 ++#ifdef CONFIG_PAX_ASLR
26414 ++#define PAX_ELF_ET_DYN_BASE 0x10000000UL
26415 ++
26416 ++#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
26417 ++#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
26418 ++#endif
26419 +
26420 + /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
26421 + now struct_user_regs, they are different) */
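Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are given as bare numbers (15 or 16 here, 14/28 and 14/19 in the alpha hunk, 16/10 on arm) with no indication of what they measure; a comment stating that they are the number of randomised address bits, and why the SEGMEXEC case gets one bit less, would make the per-architecture values reviewable. The `ELF_ET_DYN_BASE` redefinition under `CONFIG_PAX_SEGMEXEC` also dereferences `current->mm`, so it inherits the same valid-mm requirement as `__STACK_TOP` in the a.out.h hunk.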
26422 +@@ -131,7 +142,7 @@ extern int dump_task_extended_fpu (struc
26423 + #define ELF_CORE_COPY_XFPREGS(tsk, elf_xfpregs) dump_task_extended_fpu(tsk, elf_xfpregs)
26424 +
26425 + #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
26426 +-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
26427 ++#define VDSO_CURRENT_BASE (current->mm->context.vdso)
26428 + #define VDSO_PRELINK 0
26429 +
26430 + #define VDSO_SYM(x) \
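Review bot: dropping the cast in `VDSO_CURRENT_BASE` only compiles if `mm->context.vdso` has been changed from a pointer to an integer type elsewhere in this patch; please confirm the `mmu.h` change is included, and check the remaining users of `context.vdso` (the `VDSO_SYM` macro right below, and the vdso setup code) still type-check, since this hunk alone does not show them.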
26431 +diff -Nurp linux-2.6.23.15/include/asm-i386/futex.h linux-2.6.23.15-grsec/include/asm-i386/futex.h
26432 +--- linux-2.6.23.15/include/asm-i386/futex.h 2007-10-09 21:31:38.000000000 +0100
26433 ++++ linux-2.6.23.15-grsec/include/asm-i386/futex.h 2008-02-11 10:37:44.000000000 +0000
26434 +@@ -11,8 +11,11 @@
26435 +
26436 + #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
26437 + __asm__ __volatile ( \
26438 ++ "movw %w6, %%ds\n"\
26439 + "1: " insn "\n" \
26440 +-"2: .section .fixup,\"ax\"\n\
26441 ++"2: pushl %%ss\n\
26442 ++ popl %%ds\n\
26443 ++ .section .fixup,\"ax\"\n\
26444 + 3: mov %3, %1\n\
26445 + jmp 2b\n\
26446 + .previous\n\
26447 +@@ -21,16 +24,19 @@
26448 + .long 1b,3b\n\
26449 + .previous" \
26450 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
26451 +- : "i" (-EFAULT), "0" (oparg), "1" (0))
26452 ++ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
26453 +
26454 + #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
26455 + __asm__ __volatile ( \
26456 +-"1: movl %2, %0\n\
26457 ++" movw %w7, %%es\n\
26458 ++1: movl %%es:%2, %0\n\
26459 + movl %0, %3\n" \
26460 + insn "\n" \
26461 +-"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
26462 ++"2: " LOCK_PREFIX "cmpxchgl %3, %%es:%2\n\
26463 + jnz 1b\n\
26464 +-3: .section .fixup,\"ax\"\n\
26465 ++3: pushl %%ss\n\
26466 ++ popl %%es\n\
26467 ++ .section .fixup,\"ax\"\n\
26468 + 4: mov %5, %1\n\
26469 + jmp 3b\n\
26470 + .previous\n\
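Review bot: the new `movw %w6, %%ds` / `movw %w7, %%es` loads of `__USER_DS` are restored by `pushl %%ss; popl %%ds` (and `popl %%es`) at the label the fixup path jumps back to, so the segment is restored on the fault path as well, which is correct; the operand indices check out against the constraint lists (`__USER_DS` is input 6 in `__futex_atomic_op1` and input 7 in `__futex_atomic_op2`). What is missing is a comment stating the assumption that `%ss` always holds the kernel data selector while this code runs, and that the exception entry path saves and restores `%ds`/`%es`, since a future change to either would silently break the restore; the rationale for accessing `*uaddr` through an explicit user segment (so kernel code cannot dereference user pointers implicitly) should also be stated once at the top of the header.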
26471 +@@ -40,10 +46,10 @@
26472 + .previous" \
26473 + : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
26474 + "=&r" (tem) \
26475 +- : "r" (oparg), "i" (-EFAULT), "1" (0))
26476 ++ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
26477 +
26478 + static inline int
26479 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
26480 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
26481 + {
26482 + int op = (encoded_op >> 28) & 7;
26483 + int cmp = (encoded_op >> 24) & 15;
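Review bot: changing `uaddr` to `u32 __user *` is only half of the type cleanup: `oldval` and `ret` stay `int`, and the callers in kernel/futex.c must already pass `u32 __user *` or this introduces new incompatible-pointer warnings instead of removing them. Check the callers and, if they are already `u32`, mention in the changelog that this hunk fixes those warnings.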
26484 +@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
26485 + pagefault_disable();
26486 +
26487 + if (op == FUTEX_OP_SET)
26488 +- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
26489 ++ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
26490 + else {
26491 + #ifndef CONFIG_X86_BSWAP
26492 + if (boot_cpu_data.x86 == 3)
26493 +@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
26494 + #endif
26495 + switch (op) {
26496 + case FUTEX_OP_ADD:
26497 +- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
26498 ++ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret,
26499 + oldval, uaddr, oparg);
26500 + break;
26501 + case FUTEX_OP_OR:
26502 +@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
26503 + }
26504 +
26505 + static inline int
26506 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
26507 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
26508 + {
26509 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
26510 + return -EFAULT;
26511 +
26512 + __asm__ __volatile__(
26513 +- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
26514 +-
26515 +- "2: .section .fixup, \"ax\" \n"
26516 ++ " movw %w5, %%ds \n"
26517 ++ "1: " LOCK_PREFIX "cmpxchgl %3, %%ds:%1 \n"
26518 ++ "2: pushl %%ss \n"
26519 ++ " popl %%ds \n"
26520 ++ " .section .fixup, \"ax\" \n"
26521 + "3: mov %2, %0 \n"
26522 + " jmp 2b \n"
26523 + " .previous \n"
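Review bot: `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` on the context line still sizes the check with `sizeof(int)` although `uaddr` is now `u32 __user *`; use `sizeof(*uaddr)` so the check follows the pointer type. The `%%ds` load and restore mirror op1 correctly: the fixup at `3:` returns to `2b`, which restores `%%ds` before the fixup section is left, so no extra restore is needed on the fault path.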
26524 +@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
26525 + " .previous \n"
26526 +
26527 + : "=a" (oldval), "+m" (*uaddr)
26528 +- : "i" (-EFAULT), "r" (newval), "0" (oldval)
26529 ++ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
26530 + : "memory"
26531 + );
26532 +
26533 +diff -Nurp linux-2.6.23.15/include/asm-i386/i387.h linux-2.6.23.15-grsec/include/asm-i386/i387.h
26534 +--- linux-2.6.23.15/include/asm-i386/i387.h 2007-10-09 21:31:38.000000000 +0100
26535 ++++ linux-2.6.23.15-grsec/include/asm-i386/i387.h 2008-02-11 10:37:44.000000000 +0000
26536 +@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
26537 + #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
26538 +
26539 + /* We need a safe address that is cheap to find and that is already
26540 +- in L1 during context switch. The best choices are unfortunately
26541 +- different for UP and SMP */
26542 +-#ifdef CONFIG_SMP
26543 +-#define safe_address (__per_cpu_offset[0])
26544 +-#else
26545 +-#define safe_address (kstat_cpu(0).cpustat.user)
26546 +-#endif
26547 ++ in L1 during context switch. */
26548 ++#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
26549 +
26550 + /*
26551 + * These must be called with preempt disabled
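Review bot: `safe_address` now dereferences `init_tss[smp_processor_id()]`, which is only valid with preemption disabled; the comment two lines below ("These must be called with preempt disabled") covers the callers, but the macro itself should say so, since the old `__per_cpu_offset[0]` and `kstat_cpu(0)` forms were safe from any context. This also depends on the processor.h hunk that turns `init_tss` from a `DECLARE_PER_CPU` variable into a plain `init_tss[NR_CPUS]` array; the two hunks must land together.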
26552 +diff -Nurp linux-2.6.23.15/include/asm-i386/irqflags.h linux-2.6.23.15-grsec/include/asm-i386/irqflags.h
26553 +--- linux-2.6.23.15/include/asm-i386/irqflags.h 2007-10-09 21:31:38.000000000 +0100
26554 ++++ linux-2.6.23.15-grsec/include/asm-i386/irqflags.h 2008-02-11 10:37:44.000000000 +0000
26555 +@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
26556 + #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
26557 + #define INTERRUPT_RETURN iret
26558 + #define GET_CR0_INTO_EAX movl %cr0, %eax
26559 ++#define GET_CR0_INTO_EDX movl %cr0, %edx
26560 ++#define SET_CR0_FROM_EDX movl %edx, %cr0
26561 + #endif /* __ASSEMBLY__ */
26562 + #endif /* CONFIG_PARAVIRT */
26563 +
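Review bot: `GET_CR0_INTO_EDX` and `SET_CR0_FROM_EDX` are added only in the `!CONFIG_PARAVIRT` branch; the paravirt.h hunk in this patch touches the neighbouring `GET_CR0_INTO_EAX` definition but shows no EDX variants. If assembly code uses the new macros under CONFIG_PARAVIRT the build fails; either add paravirt definitions or state in a comment that the EDX forms are non-paravirt only.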
26564 +diff -Nurp linux-2.6.23.15/include/asm-i386/kmap_types.h linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h
26565 +--- linux-2.6.23.15/include/asm-i386/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
26566 ++++ linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
26567 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
26568 + D(10) KM_IRQ1,
26569 + D(11) KM_SOFTIRQ0,
26570 + D(12) KM_SOFTIRQ1,
26571 +-D(13) KM_TYPE_NR
26572 ++D(13) KM_CLEARPAGE,
26573 ++D(14) KM_TYPE_NR
26574 + };
26575 +
26576 + #undef D
26577 +diff -Nurp linux-2.6.23.15/include/asm-i386/mach-default/apm.h linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h
26578 +--- linux-2.6.23.15/include/asm-i386/mach-default/apm.h 2007-10-09 21:31:38.000000000 +0100
26579 ++++ linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h 2008-02-11 10:37:44.000000000 +0000
26580 +@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
26581 + __asm__ __volatile__(APM_DO_ZERO_SEGS
26582 + "pushl %%edi\n\t"
26583 + "pushl %%ebp\n\t"
26584 +- "lcall *%%cs:apm_bios_entry\n\t"
26585 ++ "lcall *%%ss:apm_bios_entry\n\t"
26586 + "setc %%al\n\t"
26587 + "popl %%ebp\n\t"
26588 + "popl %%edi\n\t"
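Review bot: the `%%cs:` to `%%ss:` override on `lcall *apm_bios_entry` is undocumented. The reason (with a non-flat kernel code segment under KERNEXEC a %cs-relative data reference no longer resolves to the data address, while %ss still has the flat kernel data base) belongs in a comment at this first occurrence, because the same substitution is repeated in apm_bios_call_simple_asm below and in paravirt.h, and a future cleanup could revert it as an apparent no-op. Both are single-byte segment prefixes, so instruction length and the surrounding push/pop sequence are unaffected.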
26589 +@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
26590 + __asm__ __volatile__(APM_DO_ZERO_SEGS
26591 + "pushl %%edi\n\t"
26592 + "pushl %%ebp\n\t"
26593 +- "lcall *%%cs:apm_bios_entry\n\t"
26594 ++ "lcall *%%ss:apm_bios_entry\n\t"
26595 + "setc %%bl\n\t"
26596 + "popl %%ebp\n\t"
26597 + "popl %%edi\n\t"
26598 +diff -Nurp linux-2.6.23.15/include/asm-i386/mman.h linux-2.6.23.15-grsec/include/asm-i386/mman.h
26599 +--- linux-2.6.23.15/include/asm-i386/mman.h 2007-10-09 21:31:38.000000000 +0100
26600 ++++ linux-2.6.23.15-grsec/include/asm-i386/mman.h 2008-02-11 10:37:44.000000000 +0000
26601 +@@ -14,4 +14,12 @@
26602 + #define MCL_CURRENT 1 /* lock all current mappings */
26603 + #define MCL_FUTURE 2 /* lock all future mappings */
26604 +
26605 ++#ifdef __KERNEL__
26606 ++#ifndef __ASSEMBLY__
26607 ++#define arch_mmap_check i386_mmap_check
26608 ++int i386_mmap_check(unsigned long addr, unsigned long len,
26609 ++ unsigned long flags);
26610 ++#endif
26611 ++#endif
26612 ++
26613 + #endif /* __I386_MMAN_H__ */
26614 +diff -Nurp linux-2.6.23.15/include/asm-i386/mmu.h linux-2.6.23.15-grsec/include/asm-i386/mmu.h
26615 +--- linux-2.6.23.15/include/asm-i386/mmu.h 2007-10-09 21:31:38.000000000 +0100
26616 ++++ linux-2.6.23.15-grsec/include/asm-i386/mmu.h 2008-02-11 10:37:44.000000000 +0000
26617 +@@ -11,8 +11,19 @@
26618 + typedef struct {
26619 + int size;
26620 + struct semaphore sem;
26621 +- void *ldt;
26622 +- void *vdso;
26623 ++ struct desc_struct *ldt;
26624 ++ unsigned long vdso;
26625 ++
26626 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26627 ++ unsigned long user_cs_base;
26628 ++ unsigned long user_cs_limit;
26629 ++
26630 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
26631 ++ cpumask_t cpu_user_cs_mask;
26632 ++#endif
26633 ++
26634 ++#endif
26635 ++
26636 + } mm_context_t;
26637 +
26638 + #endif
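Review bot: the new `user_cs_base`/`user_cs_limit` fields are compared on every `switch_mm` (see the mmu_context.h hunks), so they need a defined value from mm creation onwards, and nothing in this hunk initialises them; confirm `init_new_context` (not shown) sets them, and add a short comment giving their meaning (base/limit of the per-mm user code segment used by PAGEEXEC/SEGMEXEC) and which lock protects updates. The `void *ldt` to `struct desc_struct *ldt` and `void *vdso` to `unsigned long vdso` retyping ripples into every user of `context.ldt`/`context.vdso`; the elf.h hunk is one, make sure the rest are in this patch.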
26639 +diff -Nurp linux-2.6.23.15/include/asm-i386/mmu_context.h linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h
26640 +--- linux-2.6.23.15/include/asm-i386/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
26641 ++++ linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
26642 +@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
26643 + */
26644 + if (unlikely(prev->context.ldt != next->context.ldt))
26645 + load_LDT_nolock(&next->context);
26646 ++
26647 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
26648 ++ if (!nx_enabled) {
26649 ++ smp_mb__before_clear_bit();
26650 ++ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
26651 ++ smp_mb__after_clear_bit();
26652 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
26653 ++ }
26654 ++#endif
26655 ++
26656 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26657 ++ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
26658 ++ prev->context.user_cs_limit != next->context.user_cs_limit))
26659 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
26660 ++#endif
26661 ++
26662 + }
26663 + #ifdef CONFIG_SMP
26664 + else {
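Review bot: `cpu_clear` on `prev->context.cpu_user_cs_mask` is fenced with `smp_mb__before_clear_bit`/`smp_mb__after_clear_bit`, but the following `cpu_set` on `next` has no barrier. If a remote CPU reads the mask to decide whom to IPI, the set needs the same ordering as the clear; if it does not, the barriers around the clear are unnecessary. Either way a comment naming the reader these barriers pair with belongs here.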
26665 +@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
26666 + */
26667 + load_cr3(next->pgd);
26668 + load_LDT_nolock(&next->context);
26669 ++
26670 ++#ifdef CONFIG_PAX_PAGEEXEC
26671 ++ if (!nx_enabled)
26672 ++ cpu_set(cpu, next->context.cpu_user_cs_mask);
26673 ++#endif
26674 ++
26675 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
26676 ++#ifdef CONFIG_PAX_PAGEEXEC
26677 ++ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
26678 ++#endif
26679 ++ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
26680 ++#endif
26681 ++
26682 + }
26683 + }
26684 + #endif
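Review bot: `set_user_cs` in this branch is called unconditionally (apart from the PAGEEXEC-with-NX exclusion), whereas the first hunk calls it only when base/limit differ from `prev`. The asymmetry is presumably deliberate: here the CPU is already in `next->cpu_vm_mask` but may have been running another mm lazily, so its GDT entry cannot be trusted; state that in a comment. Also note that the bare `#ifdef CONFIG_PAX_PAGEEXEC` around `cpu_set` (without `&& defined(CONFIG_SMP)`, unlike the field's own guard in mmu.h) is only correct because this whole `else` branch sits inside `#ifdef CONFIG_SMP`.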
26685 +diff -Nurp linux-2.6.23.15/include/asm-i386/module.h linux-2.6.23.15-grsec/include/asm-i386/module.h
26686 +--- linux-2.6.23.15/include/asm-i386/module.h 2007-10-09 21:31:38.000000000 +0100
26687 ++++ linux-2.6.23.15-grsec/include/asm-i386/module.h 2008-02-11 10:37:44.000000000 +0000
26688 +@@ -70,6 +70,12 @@ struct mod_arch_specific
26689 + #define MODULE_STACKSIZE ""
26690 + #endif
26691 +
26692 +-#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
26693 ++#ifdef CONFIG_GRKERNSEC
26694 ++#define MODULE_GRSEC "GRSECURTY "
26695 ++#else
26696 ++#define MODULE_GRSEC ""
26697 ++#endif
26698 ++
26699 ++#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
26700 +
26701 + #endif /* _ASM_I386_MODULE_H */
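Review bot: `MODULE_GRSEC` is spelled `"GRSECURTY "` (missing the I). Because the same macro is compiled into both vmlinux's vermagic and every module's, the typo is self-consistent today, but it will show up in `modinfo` output and, once out-of-tree modules have been built against it, correcting it later breaks their vermagic match; fix the spelling now.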
26702 +diff -Nurp linux-2.6.23.15/include/asm-i386/page.h linux-2.6.23.15-grsec/include/asm-i386/page.h
26703 +--- linux-2.6.23.15/include/asm-i386/page.h 2007-10-09 21:31:38.000000000 +0100
26704 ++++ linux-2.6.23.15-grsec/include/asm-i386/page.h 2008-02-11 10:37:44.000000000 +0000
26705 +@@ -10,6 +10,7 @@
26706 + #define LARGE_PAGE_SIZE (1UL << PMD_SHIFT)
26707 +
26708 + #ifdef __KERNEL__
26709 ++#include <asm/boot.h>
26710 + #ifndef __ASSEMBLY__
26711 +
26712 + #ifdef CONFIG_X86_USE_3DNOW
26713 +@@ -90,7 +91,6 @@ static inline pte_t native_make_pte(unsi
26714 + typedef struct { unsigned long pte_low; } pte_t;
26715 + typedef struct { unsigned long pgd; } pgd_t;
26716 + typedef struct { unsigned long pgprot; } pgprot_t;
26717 +-#define boot_pte_t pte_t /* or would you rather have a typedef */
26718 +
26719 + static inline unsigned long native_pgd_val(pgd_t pgd)
26720 + {
26721 +@@ -175,6 +175,18 @@ extern int page_is_ram(unsigned long pag
26722 + #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
26723 + #endif
26724 +
26725 ++#ifdef CONFIG_PAX_KERNEXEC
26726 ++#ifdef __ASSEMBLY__
26727 ++#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + ((LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)))
26728 ++#else
26729 ++extern unsigned char KERNEL_TEXT_OFFSET[];
26730 ++#define __KERNEL_TEXT_OFFSET ((unsigned long)KERNEL_TEXT_OFFSET)
26731 ++extern unsigned char MODULES_VADDR[];
26732 ++extern unsigned char MODULES_END[];
26733 ++#endif
26734 ++#else
26735 ++#define __KERNEL_TEXT_OFFSET (0)
26736 ++#endif
26737 +
26738 + #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
26739 + #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
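Review bot: the assembly form of `__KERNEL_TEXT_OFFSET` is a magic expression, `(LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)`, i.e. the load address plus 2 MB rounded up to a 4 MB boundary, while the C form takes the address of the linker-provided `KERNEL_TEXT_OFFSET[]` symbol. Nothing ties the two together, so if the linker script and this expression ever disagree, entry assembly and C code will use different offsets. Name the constants (4 MB large-page alignment, 2 MB slack) and add a comment that vmlinux.lds must define `KERNEL_TEXT_OFFSET` to the same value; the `#include <asm/boot.h>` added in the first page.h hunk is what supplies `LOAD_PHYSICAL_ADDR` and deserves a comment too.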
26740 +@@ -197,6 +209,10 @@ extern int page_is_ram(unsigned long pag
26741 + ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
26742 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
26743 +
26744 ++#ifdef CONFIG_PAX_PAGEEXEC
26745 ++#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
26746 ++#endif
26747 ++
26748 + #include <asm-generic/memory_model.h>
26749 + #include <asm-generic/page.h>
26750 +
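Review bot: `CONFIG_ARCH_TRACK_EXEC_LIMIT` is defined in a header rather than by Kconfig; a `CONFIG_`-prefixed symbol that never appears in `.config` confuses readers and tooling alike (it is invisible to `make menuconfig` and to autoconf.h dependency tracking). Either add it to Kconfig as a `def_bool y` selected by `PAX_PAGEEXEC`, or drop the prefix (`ARCH_TRACK_EXEC_LIMIT`) so it is obviously a header-level define.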
26751 +diff -Nurp linux-2.6.23.15/include/asm-i386/paravirt.h linux-2.6.23.15-grsec/include/asm-i386/paravirt.h
26752 +--- linux-2.6.23.15/include/asm-i386/paravirt.h 2007-10-09 21:31:38.000000000 +0100
26753 ++++ linux-2.6.23.15-grsec/include/asm-i386/paravirt.h 2008-02-11 10:37:44.000000000 +0000
26754 +@@ -1057,23 +1057,23 @@ static inline unsigned long __raw_local_
26755 +
26756 + #define INTERRUPT_RETURN \
26757 + PARA_SITE(PARA_PATCH(PARAVIRT_iret), CLBR_NONE, \
26758 +- jmp *%cs:paravirt_ops+PARAVIRT_iret)
26759 ++ jmp *%ss:paravirt_ops+PARAVIRT_iret)
26760 +
26761 + #define DISABLE_INTERRUPTS(clobbers) \
26762 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_disable), clobbers, \
26763 + pushl %eax; pushl %ecx; pushl %edx; \
26764 +- call *%cs:paravirt_ops+PARAVIRT_irq_disable; \
26765 ++ call *%ss:paravirt_ops+PARAVIRT_irq_disable; \
26766 + popl %edx; popl %ecx; popl %eax) \
26767 +
26768 + #define ENABLE_INTERRUPTS(clobbers) \
26769 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable), clobbers, \
26770 + pushl %eax; pushl %ecx; pushl %edx; \
26771 +- call *%cs:paravirt_ops+PARAVIRT_irq_enable; \
26772 ++ call *%ss:paravirt_ops+PARAVIRT_irq_enable; \
26773 + popl %edx; popl %ecx; popl %eax)
26774 +
26775 + #define ENABLE_INTERRUPTS_SYSEXIT \
26776 + PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable_sysexit), CLBR_NONE, \
26777 +- jmp *%cs:paravirt_ops+PARAVIRT_irq_enable_sysexit)
26778 ++ jmp *%ss:paravirt_ops+PARAVIRT_irq_enable_sysexit)
26779 +
26780 + #define GET_CR0_INTO_EAX \
26781 + push %ecx; push %edx; \
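Review bot: the same undocumented `%cs:` to `%ss:` override as in apm.h, applied to the four `PARA_SITE` templates; put the explanation (non-flat kernel %cs under KERNEXEC, %ss still flat) in a comment above `INTERRUPT_RETURN` so all four sites are covered. Because the CS and SS override prefixes are both one byte, the template length seen by the patch-site bookkeeping is unchanged; that is worth stating as well, since `PARA_PATCH` sites are size-sensitive.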
26782 +diff -Nurp linux-2.6.23.15/include/asm-i386/percpu.h linux-2.6.23.15-grsec/include/asm-i386/percpu.h
26783 +--- linux-2.6.23.15/include/asm-i386/percpu.h 2007-10-09 21:31:38.000000000 +0100
26784 ++++ linux-2.6.23.15-grsec/include/asm-i386/percpu.h 2008-02-11 10:37:44.000000000 +0000
26785 +@@ -22,7 +22,7 @@
26786 + #define PER_CPU_VAR(var) %fs:per_cpu__##var
26787 + #else /* ! SMP */
26788 + #define PER_CPU(var, reg) \
26789 +- movl $per_cpu__##var, reg
26790 ++ movl per_cpu__##var, reg
26791 + #define PER_CPU_VAR(var) per_cpu__##var
26792 + #endif /* SMP */
26793 +
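Review bot: removing the `$` turns the UP `PER_CPU(var, reg)` from an address load (`movl $per_cpu__var, reg`) into a value load (`movl per_cpu__var, reg`), while the SMP definition, which this hunk does not modify, still yields the address. Unless every `PER_CPU()` user in the UP build has been changed to expect the contents, this is a behaviour change; if it is intentional, the SMP form needs the matching change and the macro a comment, otherwise the `$` should stay.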
26794 +@@ -42,12 +42,12 @@
26795 + */
26796 + #ifdef CONFIG_SMP
26797 + /* Same as generic implementation except for optimized local access. */
26798 +-#define __GENERIC_PER_CPU
26799 +
26800 + /* This is used for other cpus to find our section. */
26801 + extern unsigned long __per_cpu_offset[];
26802 ++extern void setup_per_cpu_areas(void);
26803 +
26804 +-#define per_cpu_offset(x) (__per_cpu_offset[x])
26805 ++#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
26806 +
26807 + /* Separate out the type, so (int[3], foo) works. */
26808 + #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
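Review bot: `per_cpu_offset(x)` now returns `__per_cpu_offset[x] - (unsigned long)__per_cpu_start`, but `per_cpu()`/`__raw_get_cpu_var()` in the next hunk keep using the raw `__per_cpu_offset[cpu]` with RELOC_HIDE while `percpu_modcopy` switches to the adjusted `per_cpu_offset()`, so two conventions for the same array now coexist in one header. Document which callers want the section-relative offset and which the absolute one, and add the declaration of `__per_cpu_start` (or the sections.h include) this macro now depends on, since nothing in the hunk provides it.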
26809 +@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
26810 +
26811 + /* var is in discarded region: offset to particular copy we want */
26812 + #define per_cpu(var, cpu) (*({ \
26813 +- extern int simple_indentifier_##var(void); \
26814 ++ extern int simple_identifier_##var(void); \
26815 + RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
26816 +
26817 + #define __raw_get_cpu_var(var) (*({ \
26818 +- extern int simple_indentifier_##var(void); \
26819 ++ extern int simple_identifier_##var(void); \
26820 + RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
26821 + }))
26822 +
26823 +@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
26824 + do { \
26825 + unsigned int __i; \
26826 + for_each_possible_cpu(__i) \
26827 +- memcpy((pcpudst)+__per_cpu_offset[__i], \
26828 ++ memcpy((pcpudst)+per_cpu_offset(__i), \
26829 + (src), (size)); \
26830 + } while (0)
26831 +
26832 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgalloc.h linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h
26833 +--- linux-2.6.23.15/include/asm-i386/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
26834 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h 2008-02-11 10:37:44.000000000 +0000
26835 +@@ -15,11 +15,19 @@
26836 + #define paravirt_release_pd(pfn) do { } while (0)
26837 + #endif
26838 +
26839 ++#ifdef CONFIG_COMPAT_VDSO
26840 + #define pmd_populate_kernel(mm, pmd, pte) \
26841 + do { \
26842 + paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
26843 + set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
26844 + } while (0)
26845 ++#else
26846 ++#define pmd_populate_kernel(mm, pmd, pte) \
26847 ++do { \
26848 ++ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
26849 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
26850 ++} while (0)
26851 ++#endif
26852 +
26853 + #define pmd_populate(mm, pmd, pte) \
26854 + do { \
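Review bot: the two `pmd_populate_kernel` definitions differ only in `_PAGE_TABLE` versus `_KERNPG_TABLE`; a single macro body with a conditional flags constant avoids the duplicated block and a future one-sided edit. Add the reason as a comment: COMPAT_VDSO keeps the vDSO at the fixmap address (`VDSO_HIGH_BASE` in the elf.h hunk) inside kernel page tables, so those pmds must keep `_PAGE_USER`, whereas everywhere else dropping the user bit from kernel pmds is the hardening this change delivers.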
26855 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-2level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h
26856 +--- linux-2.6.23.15/include/asm-i386/pgtable-2level.h 2007-10-09 21:31:38.000000000 +0100
26857 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h 2008-02-11 10:37:44.000000000 +0000
26858 +@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
26859 + }
26860 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
26861 + {
26862 ++
26863 ++#ifdef CONFIG_PAX_KERNEXEC
26864 ++ unsigned long cr0;
26865 ++
26866 ++ pax_open_kernel(cr0);
26867 ++#endif
26868 ++
26869 + *pmdp = pmd;
26870 ++
26871 ++#ifdef CONFIG_PAX_KERNEXEC
26872 ++ pax_close_kernel(cr0);
26873 ++#endif
26874 ++
26875 + }
26876 + #ifndef CONFIG_PARAVIRT
26877 + #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
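Review bot: the KERNEXEC open/close bracket around the single `*pmdp = pmd` store is correct, but the same twelve-line `#ifdef`/`pax_open_kernel`/store/`pax_close_kernel`/`#endif` block is repeated here, in native_set_pmd and native_set_pud in pgtable-3level.h, and in clone_pgd_range in pgtable.h. A helper macro taking the store as an argument would keep the sites identical and remove the stray blank lines at the top and bottom of each function body. Since `pax_open_kernel` (system.h hunk) disables preemption, the store runs with preemption off and CR0.WP cleared; that belongs in the helper's comment.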
26878 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-3level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h
26879 +--- linux-2.6.23.15/include/asm-i386/pgtable-3level.h 2007-10-09 21:31:38.000000000 +0100
26880 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h 2008-02-11 10:37:44.000000000 +0000
26881 +@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
26882 + }
26883 + static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
26884 + {
26885 ++
26886 ++#ifdef CONFIG_PAX_KERNEXEC
26887 ++ unsigned long cr0;
26888 ++
26889 ++ pax_open_kernel(cr0);
26890 ++#endif
26891 ++
26892 + set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
26893 ++
26894 ++#ifdef CONFIG_PAX_KERNEXEC
26895 ++ pax_close_kernel(cr0);
26896 ++#endif
26897 ++
26898 + }
26899 + static inline void native_set_pud(pud_t *pudp, pud_t pud)
26900 + {
26901 ++
26902 ++#ifdef CONFIG_PAX_KERNEXEC
26903 ++ unsigned long cr0;
26904 ++
26905 ++ pax_open_kernel(cr0);
26906 ++#endif
26907 ++
26908 + *pudp = pud;
26909 ++
26910 ++#ifdef CONFIG_PAX_KERNEXEC
26911 ++ pax_close_kernel(cr0);
26912 ++#endif
26913 ++
26914 + }
26915 +
26916 + /*
26917 +diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable.h linux-2.6.23.15-grsec/include/asm-i386/pgtable.h
26918 +--- linux-2.6.23.15/include/asm-i386/pgtable.h 2007-10-09 21:31:38.000000000 +0100
26919 ++++ linux-2.6.23.15-grsec/include/asm-i386/pgtable.h 2008-02-11 10:37:44.000000000 +0000
26920 +@@ -34,7 +34,6 @@ struct vm_area_struct;
26921 + */
26922 + #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
26923 + extern unsigned long empty_zero_page[1024];
26924 +-extern pgd_t swapper_pg_dir[1024];
26925 + extern struct kmem_cache *pmd_cache;
26926 + extern spinlock_t pgd_lock;
26927 + extern struct page *pgd_list;
26928 +@@ -58,6 +57,11 @@ void paging_init(void);
26929 + # include <asm/pgtable-2level-defs.h>
26930 + #endif
26931 +
26932 ++extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
26933 ++#ifdef CONFIG_X86_PAE
26934 ++extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
26935 ++#endif
26936 ++
26937 + #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
26938 + #define PGDIR_MASK (~(PGDIR_SIZE-1))
26939 +
26940 +@@ -67,9 +71,11 @@ void paging_init(void);
26941 + #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
26942 + #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
26943 +
26944 ++#ifndef CONFIG_X86_PAE
26945 + #define TWOLEVEL_PGDIR_SHIFT 22
26946 + #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
26947 + #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
26948 ++#endif
26949 +
26950 + /* Just any arbitrary offset to the start of the vmalloc VM area: the
26951 + * current 8MB value just means that there will be a 8MB "hole" after the
26952 +@@ -136,7 +142,7 @@ void paging_init(void);
26953 + #define PAGE_NONE \
26954 + __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
26955 + #define PAGE_SHARED \
26956 +- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
26957 ++ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
26958 +
26959 + #define PAGE_SHARED_EXEC \
26960 + __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
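Review bot: `PAGE_SHARED` gains `_PAGE_NX` while `PAGE_SHARED_EXEC` directly below stays without it, which is the intended split, but the hunk does not show the matching `PAGE_COPY`/`PAGE_READONLY` protections; check they are treated the same so a non-exec shared mapping is not weaker than a private one. The OR also relies on `_PAGE_NX` being 0 on non-PAE builds (a 32-bit pte has no NX bit); the pte_exprotect/pte_mkexec helpers added later handle that case via `_PAGE_USER`, so a comment should say that these protection macros only take effect on PAE with NX and the non-NX emulation comes from those helpers.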
26961 +@@ -202,7 +208,7 @@ extern unsigned long long __PAGE_KERNEL,
26962 + #undef TEST_ACCESS_OK
26963 +
26964 + /* The boot page tables (all created as a single array) */
26965 +-extern unsigned long pg0[];
26966 ++extern pte_t pg0[];
26967 +
26968 + #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
26969 +
26970 +@@ -218,30 +224,55 @@ extern unsigned long pg0[];
26971 + * The following only work if pte_present() is true.
26972 + * Undefined behaviour if not..
26973 + */
26974 ++static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
26975 + static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
26976 + static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
26977 + static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
26978 + static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
26979 +
26980 ++#ifdef CONFIG_X86_PAE
26981 ++# include <asm/pgtable-3level.h>
26982 ++#else
26983 ++# include <asm/pgtable-2level.h>
26984 ++#endif
26985 ++
26986 + /*
26987 + * The following only works if pte_present() is not true.
26988 + */
26989 + static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
26990 +
26991 ++static inline pte_t pte_exprotect(pte_t pte)
26992 ++{
26993 ++#ifdef CONFIG_X86_PAE
26994 ++ if (__supported_pte_mask & _PAGE_NX)
26995 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
26996 ++ else
26997 ++#endif
26998 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
26999 ++ return pte;
27000 ++}
27001 ++
27002 + static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
27003 + static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
27004 + static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
27005 ++static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
27006 ++
27007 ++static inline pte_t pte_mkexec(pte_t pte)
27008 ++{
27009 ++#ifdef CONFIG_X86_PAE
27010 ++ if (__supported_pte_mask & _PAGE_NX)
27011 ++ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
27012 ++ else
27013 ++#endif
27014 ++ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
27015 ++ return pte;
27016 ++}
27017 ++
27018 + static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
27019 + static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
27020 + static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
27021 + static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
27022 +
27023 +-#ifdef CONFIG_X86_PAE
27024 +-# include <asm/pgtable-3level.h>
27025 +-#else
27026 +-# include <asm/pgtable-2level.h>
27027 +-#endif
27028 +-
27029 + #ifndef CONFIG_PARAVIRT
27030 + /*
27031 + * Rules for using pte_update - it must be called after any PTE update which
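Review bot: `pte_exprotect` and `pte_mkexec` call `set_pte(&pte, ...)` on a stack-local `pte_t`; with CONFIG_PARAVIRT (visible just below) `set_pte` is a hooked page-table write, and routing a temporary through it is both slower and semantically wrong for a value that is returned rather than installed. A plain `pte = __pte(...)` assignment is enough. Two smaller points: the `if (...) ... else` that straddles `#endif` compiles but is easy to misread, so brace both branches; and the pgtable-2level/3level include moved above these helpers needs a one-line comment that it is there because `__pte`/`pte_val`/`set_pte` come from those headers, or someone will move it back.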
27032 +@@ -353,7 +384,19 @@ static inline void ptep_set_wrprotect(st
27033 + */
27034 + static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
27035 + {
27036 +- memcpy(dst, src, count * sizeof(pgd_t));
27037 ++
27038 ++#ifdef CONFIG_PAX_KERNEXEC
27039 ++ unsigned long cr0;
27040 ++
27041 ++ pax_open_kernel(cr0);
27042 ++#endif
27043 ++
27044 ++ memcpy(dst, src, count * sizeof(pgd_t));
27045 ++
27046 ++#ifdef CONFIG_PAX_KERNEXEC
27047 ++ pax_close_kernel(cr0);
27048 ++#endif
27049 ++
27050 + }
27051 +
27052 + /*
27053 +@@ -500,6 +543,9 @@ static inline void paravirt_pagetable_se
27054 +
27055 + #endif /* !__ASSEMBLY__ */
27056 +
27057 ++#define HAVE_ARCH_UNMAPPED_AREA
27058 ++#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
27059 ++
27060 + #ifdef CONFIG_FLATMEM
27061 + #define kern_addr_valid(addr) (1)
27062 + #endif /* CONFIG_FLATMEM */
27063 +diff -Nurp linux-2.6.23.15/include/asm-i386/processor.h linux-2.6.23.15-grsec/include/asm-i386/processor.h
27064 +--- linux-2.6.23.15/include/asm-i386/processor.h 2007-10-09 21:31:38.000000000 +0100
27065 ++++ linux-2.6.23.15-grsec/include/asm-i386/processor.h 2008-02-11 10:37:44.000000000 +0000
27066 +@@ -99,8 +99,6 @@ struct cpuinfo_x86 {
27067 +
27068 + extern struct cpuinfo_x86 boot_cpu_data;
27069 + extern struct cpuinfo_x86 new_cpu_data;
27070 +-extern struct tss_struct doublefault_tss;
27071 +-DECLARE_PER_CPU(struct tss_struct, init_tss);
27072 +
27073 + #ifdef CONFIG_SMP
27074 + extern struct cpuinfo_x86 cpu_data[];
27075 +@@ -209,11 +207,19 @@ extern int bootloader_type;
27076 + */
27077 + #define TASK_SIZE (PAGE_OFFSET)
27078 +
27079 ++#ifdef CONFIG_PAX_SEGMEXEC
27080 ++#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
27081 ++#endif
27082 ++
27083 + /* This decides where the kernel will search for a free chunk of vm
27084 + * space during mmap's.
27085 + */
27086 + #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
27087 +
27088 ++#ifdef CONFIG_PAX_SEGMEXEC
27089 ++#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
27090 ++#endif
27091 ++
27092 + #define HAVE_ARCH_PICK_MMAP_LAYOUT
27093 +
27094 + extern void hard_disable_TSC(void);
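Review bot: `SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)` halves the user address space for SEGMEXEC tasks and `SEGMEXEC_TASK_UNMAPPED_BASE` follows, but `HAVE_ARCH_PICK_MMAP_LAYOUT` on the context line is the only hint that the mmap layout code consumes them. Add a comment saying what the upper half is reserved for (presumably the mirrored code segment) and that `arch_pick_mmap_layout` and the `HAVE_ARCH_UNMAPPED_AREA*` implementations enabled in pgtable.h must use the SEGMEXEC variants, so a later change to TASK_SIZE does not desynchronise them.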
27095 +@@ -338,6 +344,9 @@ struct tss_struct {
27096 +
27097 + #define ARCH_MIN_TASKALIGN 16
27098 +
27099 ++extern struct tss_struct doublefault_tss;
27100 ++extern struct tss_struct init_tss[NR_CPUS];
27101 ++
27102 + struct thread_struct {
27103 + /* cached TLS descriptors. */
27104 + struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
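Review bot: re-declaring `init_tss` as `extern struct tss_struct init_tss[NR_CPUS]` replaces the `DECLARE_PER_CPU(struct tss_struct, init_tss)` removed in the first hunk, so every `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` user must become `init_tss[cpu]` in this same patch (the i387.h hunk already uses the array form). A static array also leaves the per-cpu section; if that is a deliberate KERNEXEC requirement, put the reason in a comment next to the declaration.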
27105 +@@ -366,7 +375,7 @@ struct thread_struct {
27106 + };
27107 +
27108 + #define INIT_THREAD { \
27109 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
27110 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
27111 + .vm86_info = NULL, \
27112 + .sysenter_cs = __KERNEL_CS, \
27113 + .io_bitmap_ptr = NULL, \
27114 +@@ -381,7 +390,7 @@ struct thread_struct {
27115 + */
27116 + #define INIT_TSS { \
27117 + .x86_tss = { \
27118 +- .esp0 = sizeof(init_stack) + (long)&init_stack, \
27119 ++ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
27120 + .ss0 = __KERNEL_DS, \
27121 + .ss1 = __KERNEL_CS, \
27122 + .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
27123 +@@ -422,11 +431,7 @@ void show_trace(struct task_struct *task
27124 + unsigned long get_wchan(struct task_struct *p);
27125 +
27126 + #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
27127 +-#define KSTK_TOP(info) \
27128 +-({ \
27129 +- unsigned long *__ptr = (unsigned long *)(info); \
27130 +- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
27131 +-})
27132 ++#define KSTK_TOP(info) ((info)->task.thread.esp0)
27133 +
27134 + /*
27135 + * The below -8 is to reserve 8 bytes on top of the ring0 stack.
27136 +@@ -441,7 +446,7 @@ unsigned long get_wchan(struct task_stru
27137 + #define task_pt_regs(task) \
27138 + ({ \
27139 + struct pt_regs *__regs__; \
27140 +- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
27141 ++ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
27142 + __regs__ - 1; \
27143 + })
27144 +
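Review bot: `task_pt_regs` now derives the frame from `(task)->thread.esp0` instead of the stack page, and `KSTK_TOP` in the previous hunk does the same. That makes the `- 8` added to INIT_THREAD/INIT_TSS an invariant every writer of `thread.esp0` must preserve (the comment "The below -8 is to reserve 8 bytes on top of the ring0 stack" above still describes the old scheme); any code that temporarily moves esp0, vm86 entry for example, makes `task_pt_regs` return a shifted frame while it does. Document the invariant at `KSTK_TOP` and audit the esp0 writers.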
27145 +@@ -603,8 +608,8 @@ static inline void cpuid(unsigned int op
27146 + }
27147 +
27148 + /* Some CPUID calls want 'count' to be placed in ecx */
27149 +-static inline void cpuid_count(int op, int count, int *eax, int *ebx, int *ecx,
27150 +- int *edx)
27151 ++static inline void cpuid_count(unsigned int op, unsigned int count, unsigned int *eax, unsigned int *ebx, unsigned int *ecx,
27152 ++ unsigned int *edx)
27153 + {
27154 + *eax = op;
27155 + *ecx = count;
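Review bot: the widened `cpuid_count` prototype is now well over 80 columns; wrap it like the original. The `int` to `unsigned int` change is right (CPUID leaves and register values are unsigned), but it changes the pointer types callers pass, so check for new warnings from callers that still use `int *`.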
27156 +diff -Nurp linux-2.6.23.15/include/asm-i386/ptrace.h linux-2.6.23.15-grsec/include/asm-i386/ptrace.h
27157 +--- linux-2.6.23.15/include/asm-i386/ptrace.h 2007-10-09 21:31:38.000000000 +0100
27158 ++++ linux-2.6.23.15-grsec/include/asm-i386/ptrace.h 2008-02-11 10:37:44.000000000 +0000
27159 +@@ -35,17 +35,18 @@ struct task_struct;
27160 + extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
27161 +
27162 + /*
27163 +- * user_mode_vm(regs) determines whether a register set came from user mode.
27164 ++ * user_mode(regs) determines whether a register set came from user mode.
27165 + * This is true if V8086 mode was enabled OR if the register set was from
27166 + * protected mode with RPL-3 CS value. This tricky test checks that with
27167 + * one comparison. Many places in the kernel can bypass this full check
27168 +- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
27169 ++ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
27170 ++ * be used.
27171 + */
27172 +-static inline int user_mode(struct pt_regs *regs)
27173 ++static inline int user_mode_novm(struct pt_regs *regs)
27174 + {
27175 + return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
27176 + }
27177 +-static inline int user_mode_vm(struct pt_regs *regs)
27178 ++static inline int user_mode(struct pt_regs *regs)
27179 + {
27180 + return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
27181 + }
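Review bot: swapping the names so `user_mode()` performs the V8086-aware test and the old cheap test becomes `user_mode_novm()` is the safer default, but it silently changes semantics for every existing `user_mode()` caller and breaks the build for every `user_mode_vm()` caller until renamed. Both sets of callers must be converted in this patch, and the changelog should note that out-of-tree modules calling `user_mode()` get the stricter check without any source change.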
27182 +diff -Nurp linux-2.6.23.15/include/asm-i386/reboot.h linux-2.6.23.15-grsec/include/asm-i386/reboot.h
27183 +--- linux-2.6.23.15/include/asm-i386/reboot.h 2007-10-09 21:31:38.000000000 +0100
27184 ++++ linux-2.6.23.15-grsec/include/asm-i386/reboot.h 2008-02-11 10:37:44.000000000 +0000
27185 +@@ -15,6 +15,6 @@ struct machine_ops
27186 +
27187 + extern struct machine_ops machine_ops;
27188 +
27189 +-void machine_real_restart(unsigned char *code, int length);
27190 ++void machine_real_restart(const unsigned char *code, unsigned int length);
27191 +
27192 + #endif /* _ASM_REBOOT_H */
27193 +diff -Nurp linux-2.6.23.15/include/asm-i386/segment.h linux-2.6.23.15-grsec/include/asm-i386/segment.h
27194 +--- linux-2.6.23.15/include/asm-i386/segment.h 2007-10-09 21:31:38.000000000 +0100
27195 ++++ linux-2.6.23.15-grsec/include/asm-i386/segment.h 2008-02-11 10:37:44.000000000 +0000
27196 +@@ -81,6 +81,12 @@
27197 + #define __KERNEL_PERCPU 0
27198 + #endif
27199 +
27200 ++#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
27201 ++#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
27202 ++
27203 ++#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
27204 ++#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
27205 ++
27206 + #define GDT_ENTRY_DOUBLEFAULT_TSS 31
27207 +
27208 + /*
27209 +@@ -140,9 +146,9 @@
27210 + #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
27211 +
27212 + /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
27213 +-#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
27214 ++#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
27215 +
27216 + /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
27217 +-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
27218 ++#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
27219 +
27220 + #endif
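Review bot: the rewritten `SEGMENT_IS_FLAT_CODE`/`SEGMENT_IS_PNP_CODE` compare explicit selectors with the RPL bits masked (`& 0xFFFCU`) and no longer depend on GDT layout, but the comments above them still say "they must be 2 entries apart" and "they must be consecutive". Update the comments, since those layout constraints are exactly what the change removes.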
27221 +diff -Nurp linux-2.6.23.15/include/asm-i386/system.h linux-2.6.23.15-grsec/include/asm-i386/system.h
27222 +--- linux-2.6.23.15/include/asm-i386/system.h 2008-02-11 10:36:03.000000000 +0000
27223 ++++ linux-2.6.23.15-grsec/include/asm-i386/system.h 2008-02-11 10:37:44.000000000 +0000
27224 +@@ -183,6 +183,21 @@ static inline void native_wbinvd(void)
27225 + /* Set the 'TS' bit */
27226 + #define stts() write_cr0(8 | read_cr0())
27227 +
27228 ++#define pax_open_kernel(cr0) \
27229 ++do { \
27230 ++ typecheck(unsigned long, cr0); \
27231 ++ preempt_disable(); \
27232 ++ cr0 = read_cr0(); \
27233 ++ write_cr0(cr0 & ~X86_CR0_WP); \
27234 ++} while (0)
27235 ++
27236 ++#define pax_close_kernel(cr0) \
27237 ++do { \
27238 ++ typecheck(unsigned long, cr0); \
27239 ++ write_cr0(cr0); \
27240 ++ preempt_enable_no_resched(); \
27241 ++} while (0)
27242 ++
27243 + #endif /* __KERNEL__ */
27244 +
27245 + static inline unsigned long get_limit(unsigned long segment)
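Review bot: `pax_close_kernel` uses `preempt_enable_no_resched()` against `preempt_disable()` in `pax_open_kernel`, so a pending reschedule is deferred to the next preemption point; that is fine only if every close site is followed by one soon, so either explain the `_no_resched` choice or use `preempt_enable()`. The macros also leave interrupts enabled, so an interrupt taken inside the window runs with CR0.WP clear; a comment that the window must be short, must not sleep, and that CR0 is per-CPU state would help the many call sites this patch adds.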
27246 +@@ -190,7 +205,7 @@ static inline unsigned long get_limit(un
27247 + unsigned long __limit;
27248 + __asm__("lsll %1,%0"
27249 + :"=r" (__limit):"r" (segment));
27250 +- return __limit+1;
27251 ++ return __limit;
27252 + }
27253 +
27254 + #define nop() __asm__ __volatile__ ("nop")
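Review bot: dropping the "+1" in get_limit() changes its contract from "segment size in bytes" to the raw LSL result (offset of the last valid byte), so every caller that treats the return value as a length is now off by one in the opposite direction; the hunk does not show any caller, so they need to be audited in the same patch. If the new meaning is intentional, rename the function or add a comment so the change in semantics is visible at the call sites rather than only in this header.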
27255 +@@ -305,7 +320,7 @@ void enable_hlt(void);
27256 + extern int es7000_plat;
27257 + void cpu_idle_wait(void);
27258 +
27259 +-extern unsigned long arch_align_stack(unsigned long sp);
27260 ++#define arch_align_stack(x) (x)
27261 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
27262 +
27263 + void default_idle(void);
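Review bot: turning arch_align_stack() into an identity macro silently removes whatever the out-of-line function did to the initial user stack pointer (randomisation and alignment) instead of replacing it; if the out-of-line definition in the arch's process.c still exists, the function-like macro will also rewrite its definition line into "(unsigned long sp)" and break the build, so that definition must be deleted in the same patch, and the PaX stack randomisation that supersedes it should be referenced in a comment here. The same applies to the identical change in asm-mips/system.h further down.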
27264 +diff -Nurp linux-2.6.23.15/include/asm-i386/uaccess.h linux-2.6.23.15-grsec/include/asm-i386/uaccess.h
27265 +--- linux-2.6.23.15/include/asm-i386/uaccess.h 2007-10-09 21:31:38.000000000 +0100
27266 ++++ linux-2.6.23.15-grsec/include/asm-i386/uaccess.h 2008-02-11 10:37:44.000000000 +0000
27267 +@@ -9,6 +9,7 @@
27268 + #include <linux/prefetch.h>
27269 + #include <linux/string.h>
27270 + #include <asm/page.h>
27271 ++#include <asm/segment.h>
27272 +
27273 + #define VERIFY_READ 0
27274 + #define VERIFY_WRITE 1
27275 +@@ -29,7 +30,8 @@
27276 +
27277 + #define get_ds() (KERNEL_DS)
27278 + #define get_fs() (current_thread_info()->addr_limit)
27279 +-#define set_fs(x) (current_thread_info()->addr_limit = (x))
27280 ++void __set_fs(mm_segment_t x, int cpu);
27281 ++void set_fs(mm_segment_t x);
27282 +
27283 + #define segment_eq(a,b) ((a).seg == (b).seg)
27284 +
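Review bot: set_fs() changes from a macro to an out-of-line function, and the hunk leaves two consequences unaddressed: the prototypes should carry extern (or a comment pointing at where __set_fs()/set_fs() are defined), and because set_fs() is called from loadable modules the definition needs an EXPORT_SYMBOL(). The extra cpu argument on __set_fs() suggests it rewrites a per-CPU descriptor; if so it must run with preemption disabled or migration between computing cpu and the write would update the wrong CPU's entry, and that requirement should be documented at the declaration since set_fs() is used in hot paths.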
27285 +@@ -101,6 +103,7 @@ struct exception_table_entry
27286 + };
27287 +
27288 + extern int fixup_exception(struct pt_regs *regs);
27289 ++#define ARCH_HAS_SORT_EXTABLE
27290 +
27291 + /*
27292 + * These are the main single-value transfer routines. They automatically
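Review bot: defining ARCH_HAS_SORT_EXTABLE commits the arch to providing its own sort_extable(); without that definition elsewhere in the patch the link fails, and nothing here says where it lives or why the generic sort is no longer suitable for the i386 exception table. A one-line comment naming the providing file and the reason would make the dependency explicit.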
27293 +@@ -280,9 +283,12 @@ extern void __put_user_8(void);
27294 +
27295 + #define __put_user_u64(x, addr, err) \
27296 + __asm__ __volatile__( \
27297 +- "1: movl %%eax,0(%2)\n" \
27298 +- "2: movl %%edx,4(%2)\n" \
27299 ++ " movw %w5,%%ds\n" \
27300 ++ "1: movl %%eax,%%ds:0(%2)\n" \
27301 ++ "2: movl %%edx,%%ds:4(%2)\n" \
27302 + "3:\n" \
27303 ++ " pushl %%ss\n" \
27304 ++ " popl %%ds\n" \
27305 + ".section .fixup,\"ax\"\n" \
27306 + "4: movl %3,%0\n" \
27307 + " jmp 3b\n" \
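Review bot: operand numbering in __put_user_u64 checks out: with err as %0 and x, addr, -EFAULT and err as %1..%4, the "r"(__USER_DS) input added in the following hunk is %5, so movw %w5,%%ds loads the intended selector, and the fault path is right too, because fixup label 4 jumps to 3b, which precedes pushl %%ss / popl %%ds, so %ds is restored even when the store faults. What is missing is a comment explaining the scheme (user accesses now use an explicit %ds override with the user data segment, presumably so the kernel's default data segment can be shrunk to exclude user space as PaX UDEREF does); a reader of uaccess.h otherwise sees an unexplained segment reload. The comment should also state the assumption that %ss holds the kernel data segment wherever these macros run, since that is what the restore relies on.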
27308 +@@ -293,7 +299,8 @@ extern void __put_user_8(void);
27309 + " .long 2b,4b\n" \
27310 + ".previous" \
27311 + : "=r"(err) \
27312 +- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
27313 ++ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
27314 ++ "r"(__USER_DS))
27315 +
27316 + #ifdef CONFIG_X86_WP_WORKS_OK
27317 +
27318 +@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
27319 + */
27320 + #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
27321 + __asm__ __volatile__( \
27322 +- "1: mov"itype" %"rtype"1,%2\n" \
27323 ++ " movw %w5,%%ds\n" \
27324 ++ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
27325 + "2:\n" \
27326 ++ " pushl %%ss\n" \
27327 ++ " popl %%ds\n" \
27328 + ".section .fixup,\"ax\"\n" \
27329 + "3: movl %3,%0\n" \
27330 + " jmp 2b\n" \
27331 +@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
27332 + " .long 1b,3b\n" \
27333 + ".previous" \
27334 + : "=r"(err) \
27335 +- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
27336 ++ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
27337 ++ "r"(__USER_DS))
27338 +
27339 +
27340 + #define __get_user_nocheck(x,ptr,size) \
27341 +@@ -371,8 +382,11 @@ do { \
27342 +
27343 + #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
27344 + __asm__ __volatile__( \
27345 +- "1: mov"itype" %2,%"rtype"1\n" \
27346 ++ " movw %w5,%%ds\n" \
27347 ++ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
27348 + "2:\n" \
27349 ++ " pushl %%ss\n" \
27350 ++ " popl %%ds\n" \
27351 + ".section .fixup,\"ax\"\n" \
27352 + "3: movl %3,%0\n" \
27353 + " xor"itype" %"rtype"1,%"rtype"1\n" \
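Review bot: the fixup in __get_user_asm keeps the ordering correct: label 3 stores errret, zeroes the destination register and only then jumps back to 2b, which sits before the pushl %%ss / popl %%ds restore, so a faulting get_user leaves %ds in the kernel state. That ordering deserves a one-line comment, because a later edit that moves the "2:" label below the restore would leave %ds = __USER_DS on the fault path without any compiler diagnostic.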
27354 +@@ -383,7 +397,7 @@ do { \
27355 + " .long 1b,3b\n" \
27356 + ".previous" \
27357 + : "=r"(err), ltype (x) \
27358 +- : "m"(__m(addr)), "i"(errret), "0"(err))
27359 ++ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
27360 +
27361 +
27362 + unsigned long __must_check __copy_to_user_ll(void __user *to,
27363 +diff -Nurp linux-2.6.23.15/include/asm-ia64/elf.h linux-2.6.23.15-grsec/include/asm-ia64/elf.h
27364 +--- linux-2.6.23.15/include/asm-ia64/elf.h 2007-10-09 21:31:38.000000000 +0100
27365 ++++ linux-2.6.23.15-grsec/include/asm-ia64/elf.h 2008-02-11 10:37:44.000000000 +0000
27366 +@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
27367 + typedef struct ia64_fpreg elf_fpreg_t;
27368 + typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
27369 +
27370 ++#ifdef CONFIG_PAX_ASLR
27371 ++#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
27372 +
27373 ++#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27374 ++#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
27375 ++#endif
27376 +
27377 + struct pt_regs; /* forward declaration... */
27378 + extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
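Review bot: "current->personality == PER_LINUX32" in the new PAX_* macros compares the whole personality word, so any flag OR'd into it (ADDR_NO_RANDOMIZE, READ_IMPLIES_EXEC, ...) makes an IA-32 process take the 64-bit arm and receive a 64-bit ET_DYN base and delta widths for a 32-bit address space; use personality(current->personality) == PER_LINUX32 (i.e. mask with PER_MASK) instead. Also, 3*PAGE_SHIFT - 13 ties the 64-bit randomisation width to the configured page size (23 bits with 4K pages, 29 with 16K, 35 with 64K); if that scaling is intended, a comment should say so.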
27379 +diff -Nurp linux-2.6.23.15/include/asm-ia64/kmap_types.h linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h
27380 +--- linux-2.6.23.15/include/asm-ia64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27381 ++++ linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27382 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27383 + D(10) KM_IRQ1,
27384 + D(11) KM_SOFTIRQ0,
27385 + D(12) KM_SOFTIRQ1,
27386 +-D(13) KM_TYPE_NR
27387 ++D(13) KM_CLEARPAGE,
27388 ++D(14) KM_TYPE_NR
27389 + };
27390 +
27391 + #undef D
27392 +diff -Nurp linux-2.6.23.15/include/asm-ia64/pgtable.h linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h
27393 +--- linux-2.6.23.15/include/asm-ia64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27394 ++++ linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27395 +@@ -143,6 +143,17 @@
27396 + #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27397 + #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27398 + #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
27399 ++
27400 ++#ifdef CONFIG_PAX_PAGEEXEC
27401 ++# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
27402 ++# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27403 ++# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
27404 ++#else
27405 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27406 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27407 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27408 ++#endif
27409 ++
27410 + #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
27411 + #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
27412 + #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
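Review bot: on ia64 PAGE_READONLY and PAGE_COPY already use _PAGE_AR_R with no execute right, so PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC expand to the same bits in both arms of the #ifdef, and PAGE_SHARED_NOEXEC is the only one that can differ from its base. Harmless, but a comment stating that the ia64 variants exist for interface symmetry with the other arches would stop readers from hunting for a difference that is not there.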
27413 +diff -Nurp linux-2.6.23.15/include/asm-ia64/processor.h linux-2.6.23.15-grsec/include/asm-ia64/processor.h
27414 +--- linux-2.6.23.15/include/asm-ia64/processor.h 2007-10-09 21:31:38.000000000 +0100
27415 ++++ linux-2.6.23.15-grsec/include/asm-ia64/processor.h 2008-02-11 10:37:44.000000000 +0000
27416 +@@ -275,7 +275,7 @@ struct thread_struct {
27417 + .on_ustack = 0, \
27418 + .ksp = 0, \
27419 + .map_base = DEFAULT_MAP_BASE, \
27420 +- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27421 ++ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
27422 + .task_size = DEFAULT_TASK_SIZE, \
27423 + .last_fph_cpu = -1, \
27424 + INIT_THREAD_IA32 \
27425 +diff -Nurp linux-2.6.23.15/include/asm-ia64/ustack.h linux-2.6.23.15-grsec/include/asm-ia64/ustack.h
27426 +--- linux-2.6.23.15/include/asm-ia64/ustack.h 2007-10-09 21:31:38.000000000 +0100
27427 ++++ linux-2.6.23.15-grsec/include/asm-ia64/ustack.h 2008-02-11 10:37:44.000000000 +0000
27428 +@@ -10,8 +10,8 @@
27429 +
27430 + /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
27431 + #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
27432 +-#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27433 +-#define STACK_TOP_MAX STACK_TOP
27434 ++#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
27435 ++#define STACK_TOP_MAX __STACK_TOP
27436 + #endif
27437 +
27438 + /* Make a default stack size of 2GiB */
27439 +diff -Nurp linux-2.6.23.15/include/asm-m32r/kmap_types.h linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h
27440 +--- linux-2.6.23.15/include/asm-m32r/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27441 ++++ linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27442 +@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
27443 + D(10) KM_IRQ1,
27444 + D(11) KM_SOFTIRQ0,
27445 + D(12) KM_SOFTIRQ1,
27446 +-D(13) KM_TYPE_NR
27447 ++D(13) KM_CLEARPAGE,
27448 ++D(14) KM_TYPE_NR
27449 + };
27450 +
27451 + #undef D
27452 +diff -Nurp linux-2.6.23.15/include/asm-m68k/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h
27453 +--- linux-2.6.23.15/include/asm-m68k/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27454 ++++ linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27455 +@@ -15,6 +15,7 @@ enum km_type {
27456 + KM_IRQ1,
27457 + KM_SOFTIRQ0,
27458 + KM_SOFTIRQ1,
27459 ++ KM_CLEARPAGE,
27460 + KM_TYPE_NR
27461 + };
27462 +
27463 +diff -Nurp linux-2.6.23.15/include/asm-m68knommu/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h
27464 +--- linux-2.6.23.15/include/asm-m68knommu/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27465 ++++ linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27466 +@@ -15,6 +15,7 @@ enum km_type {
27467 + KM_IRQ1,
27468 + KM_SOFTIRQ0,
27469 + KM_SOFTIRQ1,
27470 ++ KM_CLEARPAGE,
27471 + KM_TYPE_NR
27472 + };
27473 +
27474 +diff -Nurp linux-2.6.23.15/include/asm-mips/a.out.h linux-2.6.23.15-grsec/include/asm-mips/a.out.h
27475 +--- linux-2.6.23.15/include/asm-mips/a.out.h 2007-10-09 21:31:38.000000000 +0100
27476 ++++ linux-2.6.23.15-grsec/include/asm-mips/a.out.h 2008-02-11 10:37:44.000000000 +0000
27477 +@@ -35,10 +35,10 @@ struct exec
27478 + #ifdef __KERNEL__
27479 +
27480 + #ifdef CONFIG_32BIT
27481 +-#define STACK_TOP TASK_SIZE
27482 ++#define __STACK_TOP TASK_SIZE
27483 + #endif
27484 + #ifdef CONFIG_64BIT
27485 +-#define STACK_TOP \
27486 ++#define __STACK_TOP \
27487 + (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
27488 + #endif
27489 + #define STACK_TOP_MAX TASK_SIZE
27490 +diff -Nurp linux-2.6.23.15/include/asm-mips/elf.h linux-2.6.23.15-grsec/include/asm-mips/elf.h
27491 +--- linux-2.6.23.15/include/asm-mips/elf.h 2007-10-09 21:31:38.000000000 +0100
27492 ++++ linux-2.6.23.15-grsec/include/asm-mips/elf.h 2008-02-11 10:37:44.000000000 +0000
27493 +@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
27494 + #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
27495 + #endif
27496 +
27497 ++#ifdef CONFIG_PAX_ASLR
27498 ++#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
27499 ++
27500 ++#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27501 ++#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
27502 ++#endif
27503 ++
27504 + #endif /* _ASM_ELF_H */
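Review bot: PAX_ELF_ET_DYN_BASE on MIPS evaluates to 0x00400000UL in both arms of the MF_32BIT_ADDR conditional, so either the ternary is redundant and should collapse to the constant, or the 64-bit arm was meant to carry a different base and a value is missing; as written it reads like an unfinished edit and should be resolved one way or the other before merging.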
27505 +diff -Nurp linux-2.6.23.15/include/asm-mips/kmap_types.h linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h
27506 +--- linux-2.6.23.15/include/asm-mips/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27507 ++++ linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27508 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27509 + D(10) KM_IRQ1,
27510 + D(11) KM_SOFTIRQ0,
27511 + D(12) KM_SOFTIRQ1,
27512 +-D(13) KM_TYPE_NR
27513 ++D(13) KM_CLEARPAGE,
27514 ++D(14) KM_TYPE_NR
27515 + };
27516 +
27517 + #undef D
27518 +diff -Nurp linux-2.6.23.15/include/asm-mips/page.h linux-2.6.23.15-grsec/include/asm-mips/page.h
27519 +--- linux-2.6.23.15/include/asm-mips/page.h 2007-10-09 21:31:38.000000000 +0100
27520 ++++ linux-2.6.23.15-grsec/include/asm-mips/page.h 2008-02-11 10:37:44.000000000 +0000
27521 +@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
27522 + #ifdef CONFIG_CPU_MIPS32
27523 + typedef struct { unsigned long pte_low, pte_high; } pte_t;
27524 + #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
27525 +- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
27526 ++ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
27527 + #else
27528 + typedef struct { unsigned long long pte; } pte_t;
27529 + #define pte_val(x) ((x).pte)
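Review bot: removing the (unsigned long long) cast from __pte() under CONFIG_CPU_MIPS32 makes "(x) >> 32" undefined for any caller that passes a 32-bit unsigned long (shift count equal to the operand width, and GCC warns about it); the cast was what made the high half well-defined (zero) for such callers. Either keep the cast or document that __pte() now requires a 64-bit argument and audit the callers in the same patch.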
27530 +diff -Nurp linux-2.6.23.15/include/asm-mips/system.h linux-2.6.23.15-grsec/include/asm-mips/system.h
27531 +--- linux-2.6.23.15/include/asm-mips/system.h 2007-10-09 21:31:38.000000000 +0100
27532 ++++ linux-2.6.23.15-grsec/include/asm-mips/system.h 2008-02-11 10:37:44.000000000 +0000
27533 +@@ -213,6 +213,6 @@ extern int stop_a_enabled;
27534 + */
27535 + #define __ARCH_WANT_UNLOCKED_CTXSW
27536 +
27537 +-extern unsigned long arch_align_stack(unsigned long sp);
27538 ++#define arch_align_stack(x) (x)
27539 +
27540 + #endif /* _ASM_SYSTEM_H */
27541 +diff -Nurp linux-2.6.23.15/include/asm-parisc/a.out.h linux-2.6.23.15-grsec/include/asm-parisc/a.out.h
27542 +--- linux-2.6.23.15/include/asm-parisc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27543 ++++ linux-2.6.23.15-grsec/include/asm-parisc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27544 +@@ -22,7 +22,7 @@ struct exec
27545 + /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
27546 + * prumpf */
27547 +
27548 +-#define STACK_TOP TASK_SIZE
27549 ++#define __STACK_TOP TASK_SIZE
27550 + #define STACK_TOP_MAX DEFAULT_TASK_SIZE
27551 +
27552 + #endif
27553 +diff -Nurp linux-2.6.23.15/include/asm-parisc/elf.h linux-2.6.23.15-grsec/include/asm-parisc/elf.h
27554 +--- linux-2.6.23.15/include/asm-parisc/elf.h 2007-10-09 21:31:38.000000000 +0100
27555 ++++ linux-2.6.23.15-grsec/include/asm-parisc/elf.h 2008-02-11 10:37:44.000000000 +0000
27556 +@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
27557 +
27558 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
27559 +
27560 ++#ifdef CONFIG_PAX_ASLR
27561 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
27562 ++
27563 ++#define PAX_DELTA_MMAP_LEN 16
27564 ++#define PAX_DELTA_STACK_LEN 16
27565 ++#endif
27566 ++
27567 + /* This yields a mask that user programs can use to figure out what
27568 + instruction set this CPU supports. This could be done in user space,
27569 + but it's not easy, and we've already done it here. */
27570 +diff -Nurp linux-2.6.23.15/include/asm-parisc/kmap_types.h linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h
27571 +--- linux-2.6.23.15/include/asm-parisc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27572 ++++ linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27573 +@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
27574 + D(10) KM_IRQ1,
27575 + D(11) KM_SOFTIRQ0,
27576 + D(12) KM_SOFTIRQ1,
27577 +-D(13) KM_TYPE_NR
27578 ++D(13) KM_CLEARPAGE,
27579 ++D(14) KM_TYPE_NR
27580 + };
27581 +
27582 + #undef D
27583 +diff -Nurp linux-2.6.23.15/include/asm-parisc/pgtable.h linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h
27584 +--- linux-2.6.23.15/include/asm-parisc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27585 ++++ linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27586 +@@ -218,6 +218,17 @@ extern void *vmalloc_start;
27587 + #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
27588 + #define PAGE_COPY PAGE_EXECREAD
27589 + #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
27590 ++
27591 ++#ifdef CONFIG_PAX_PAGEEXEC
27592 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
27593 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27594 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
27595 ++#else
27596 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27597 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27598 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27599 ++#endif
27600 ++
27601 + #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
27602 + #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
27603 + #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
27604 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/a.out.h linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h
27605 +--- linux-2.6.23.15/include/asm-powerpc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27606 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27607 +@@ -23,15 +23,15 @@ struct exec
27608 + #define STACK_TOP_USER64 TASK_SIZE_USER64
27609 + #define STACK_TOP_USER32 TASK_SIZE_USER32
27610 +
27611 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27612 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27613 + STACK_TOP_USER32 : STACK_TOP_USER64)
27614 +
27615 + #define STACK_TOP_MAX STACK_TOP_USER64
27616 +
27617 + #else /* __powerpc64__ */
27618 +
27619 +-#define STACK_TOP TASK_SIZE
27620 +-#define STACK_TOP_MAX STACK_TOP
27621 ++#define __STACK_TOP TASK_SIZE
27622 ++#define STACK_TOP_MAX __STACK_TOP
27623 +
27624 + #endif /* __powerpc64__ */
27625 + #endif /* __KERNEL__ */
27626 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/elf.h linux-2.6.23.15-grsec/include/asm-powerpc/elf.h
27627 +--- linux-2.6.23.15/include/asm-powerpc/elf.h 2007-10-09 21:31:38.000000000 +0100
27628 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/elf.h 2008-02-11 10:37:44.000000000 +0000
27629 +@@ -159,6 +159,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
27630 + typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
27631 + #endif
27632 +
27633 ++#ifdef CONFIG_PAX_ASLR
27634 ++#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
27635 ++
27636 ++#ifdef __powerpc64__
27637 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27638 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
27639 ++#else
27640 ++#define PAX_DELTA_MMAP_LEN 15
27641 ++#define PAX_DELTA_STACK_LEN 15
27642 ++#endif
27643 ++#endif
27644 ++
27645 + #ifdef __KERNEL__
27646 + /*
27647 + * This is used to ensure we don't load something for the wrong architecture.
27648 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/kmap_types.h linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h
27649 +--- linux-2.6.23.15/include/asm-powerpc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27650 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27651 +@@ -26,6 +26,7 @@ enum km_type {
27652 + KM_SOFTIRQ1,
27653 + KM_PPC_SYNC_PAGE,
27654 + KM_PPC_SYNC_ICACHE,
27655 ++ KM_CLEARPAGE,
27656 + KM_TYPE_NR
27657 + };
27658 +
27659 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/page.h linux-2.6.23.15-grsec/include/asm-powerpc/page.h
27660 +--- linux-2.6.23.15/include/asm-powerpc/page.h 2007-10-09 21:31:38.000000000 +0100
27661 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/page.h 2008-02-11 10:37:44.000000000 +0000
27662 +@@ -71,8 +71,9 @@
27663 + * and needs to be executable. This means the whole heap ends
27664 + * up being executable.
27665 + */
27666 +-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27667 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27668 ++#define VM_DATA_DEFAULT_FLAGS32 \
27669 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27670 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27671 +
27672 + #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27673 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
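Review bot: the comment immediately above this hunk still says 32-bit data mappings "need to be executable" and that "the whole heap ends up being executable", which is no longer unconditional: VM_DATA_DEFAULT_FLAGS32 now sets VM_EXEC only when READ_IMPLIES_EXEC is present in the personality. Update the comment to state the new rule (executable heap on ppc32 is opt-in through the personality) so the rationale does not contradict the code.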
27674 +diff -Nurp linux-2.6.23.15/include/asm-powerpc/page_64.h linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h
27675 +--- linux-2.6.23.15/include/asm-powerpc/page_64.h 2007-10-09 21:31:38.000000000 +0100
27676 ++++ linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h 2008-02-11 10:37:44.000000000 +0000
27677 +@@ -158,15 +158,18 @@ extern int is_hugepage_only_range(struct
27678 + * stack by default, so in the absense of a PT_GNU_STACK program header
27679 + * we turn execute permission off.
27680 + */
27681 +-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
27682 +- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27683 ++#define VM_STACK_DEFAULT_FLAGS32 \
27684 ++ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
27685 ++ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27686 +
27687 + #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
27688 + VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
27689 +
27690 ++#ifndef CONFIG_PAX_PAGEEXEC
27691 + #define VM_STACK_DEFAULT_FLAGS \
27692 + (test_thread_flag(TIF_32BIT) ? \
27693 + VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
27694 ++#endif
27695 +
27696 + #include <asm-generic/page.h>
27697 +
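Review bot: wrapping VM_STACK_DEFAULT_FLAGS in #ifndef CONFIG_PAX_PAGEEXEC removes the ppc64 definition whenever PAGEEXEC is enabled, so a definition must now come from elsewhere in the patch or every user of VM_STACK_DEFAULT_FLAGS fails to compile; the hunk gives no pointer to that replacement, and an #else arm with a comment naming where the PAGEEXEC version lives would make the dependency explicit. The "we turn execute permission off" comment above VM_STACK_DEFAULT_FLAGS32 also needs the same rewording as the data-flags comment in page.h, since VM_EXEC is now conditional on READ_IMPLIES_EXEC.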
27698 +diff -Nurp linux-2.6.23.15/include/asm-ppc/mmu_context.h linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h
27699 +--- linux-2.6.23.15/include/asm-ppc/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
27700 ++++ linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
27701 +@@ -145,7 +145,8 @@ static inline void get_mmu_context(struc
27702 + static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
27703 + {
27704 + mm->context.id = NO_CONTEXT;
27705 +- mm->context.vdso_base = 0;
27706 ++ if (t == current)
27707 ++ mm->context.vdso_base = ~0UL;
27708 + return 0;
27709 + }
27710 +
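Review bot: init_new_context() now leaves mm->context.vdso_base untouched when t != current, which only works because the fork path (dup_mm) has memcpy'd the parent's mm before calling it, so the child inherits the parent's vdso_base, while the exec path (t == current, a freshly zeroed mm) gets the ~0UL sentinel; that reasoning belongs in a comment, because a bare "if (t == current)" looks like an accidentally uninitialised field. Note also that the "not mapped" sentinel changes from 0 to ~0UL, so every consumer of vdso_base (the vdso mapping and signal code) must be updated in the same patch to test for ~0UL.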
27711 +diff -Nurp linux-2.6.23.15/include/asm-ppc/pgtable.h linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h
27712 +--- linux-2.6.23.15/include/asm-ppc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27713 ++++ linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27714 +@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
27715 +
27716 + #define PAGE_NONE __pgprot(_PAGE_BASE)
27717 + #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
27718 +-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27719 ++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27720 + #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
27721 +-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
27722 ++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
27723 + #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
27724 +-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
27725 ++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
27726 ++
27727 ++#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
27728 ++# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
27729 ++# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27730 ++# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
27731 ++#else
27732 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27733 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27734 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27735 ++#endif
27736 +
27737 + #define PAGE_KERNEL __pgprot(_PAGE_RAM)
27738 + #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
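Review bot: the PAGEEXEC variants here rely on _PAGE_GUARDED being treated as no-execute for instruction fetches, which is why 40x and 44x are excluded; but the #else arm then maps PAGE_*_NOEXEC straight back to the executable base protections, so on those cores CONFIG_PAX_PAGEEXEC compiles and enforces nothing. Either reject the combination in Kconfig (depends on !40x && !44x) or put a comment at the #else stating that NX is not in effect there, so nobody assumes the protection is active. Adding _PAGE_HWEXEC to the _X variants is the right counterpart for cores with a hardware execute bit.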
27739 +@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
27740 + * This is the closest we can get..
27741 + */
27742 + #define __P000 PAGE_NONE
27743 +-#define __P001 PAGE_READONLY_X
27744 +-#define __P010 PAGE_COPY
27745 +-#define __P011 PAGE_COPY_X
27746 +-#define __P100 PAGE_READONLY
27747 ++#define __P001 PAGE_READONLY_NOEXEC
27748 ++#define __P010 PAGE_COPY_NOEXEC
27749 ++#define __P011 PAGE_COPY_NOEXEC
27750 ++#define __P100 PAGE_READONLY_X
27751 + #define __P101 PAGE_READONLY_X
27752 +-#define __P110 PAGE_COPY
27753 ++#define __P110 PAGE_COPY_X
27754 + #define __P111 PAGE_COPY_X
27755 +
27756 + #define __S000 PAGE_NONE
27757 +-#define __S001 PAGE_READONLY_X
27758 +-#define __S010 PAGE_SHARED
27759 +-#define __S011 PAGE_SHARED_X
27760 +-#define __S100 PAGE_READONLY
27761 ++#define __S001 PAGE_READONLY_NOEXEC
27762 ++#define __S010 PAGE_SHARED_NOEXEC
27763 ++#define __S011 PAGE_SHARED_NOEXEC
27764 ++#define __S100 PAGE_READONLY_X
27765 + #define __S101 PAGE_READONLY_X
27766 +-#define __S110 PAGE_SHARED
27767 ++#define __S110 PAGE_SHARED_X
27768 + #define __S111 PAGE_SHARED_X
27769 +
27770 + #ifndef __ASSEMBLY__
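Review bot: the rewritten __P/__S tables now follow the r/w/x index consistently (read-only entries map to *_NOEXEC, exec-only entries to *_X), and they also change the __P110/__S110 entries (write+exec without read) from PAGE_COPY/PAGE_SHARED to the _X variants, which is a behaviour change the patch description should mention. The comment above the table ("This is the closest we can get..") described the old read-implies-exec compromise and needs rewording now that read and exec are distinguished when PAGEEXEC is on.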
27771 +diff -Nurp linux-2.6.23.15/include/asm-s390/kmap_types.h linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h
27772 +--- linux-2.6.23.15/include/asm-s390/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27773 ++++ linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27774 +@@ -16,6 +16,7 @@ enum km_type {
27775 + KM_IRQ1,
27776 + KM_SOFTIRQ0,
27777 + KM_SOFTIRQ1,
27778 ++ KM_CLEARPAGE,
27779 + KM_TYPE_NR
27780 + };
27781 +
27782 +diff -Nurp linux-2.6.23.15/include/asm-sh/kmap_types.h linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h
27783 +--- linux-2.6.23.15/include/asm-sh/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27784 ++++ linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27785 +@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
27786 + D(10) KM_IRQ1,
27787 + D(11) KM_SOFTIRQ0,
27788 + D(12) KM_SOFTIRQ1,
27789 +-D(13) KM_TYPE_NR
27790 ++D(13) KM_CLEARPAGE,
27791 ++D(14) KM_TYPE_NR
27792 + };
27793 +
27794 + #undef D
27795 +diff -Nurp linux-2.6.23.15/include/asm-sparc/a.out.h linux-2.6.23.15-grsec/include/asm-sparc/a.out.h
27796 +--- linux-2.6.23.15/include/asm-sparc/a.out.h 2007-10-09 21:31:38.000000000 +0100
27797 ++++ linux-2.6.23.15-grsec/include/asm-sparc/a.out.h 2008-02-11 10:37:44.000000000 +0000
27798 +@@ -91,8 +91,8 @@ struct relocation_info /* used when head
27799 +
27800 + #include <asm/page.h>
27801 +
27802 +-#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
27803 +-#define STACK_TOP_MAX STACK_TOP
27804 ++#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
27805 ++#define STACK_TOP_MAX __STACK_TOP
27806 +
27807 + #endif /* __KERNEL__ */
27808 +
27809 +diff -Nurp linux-2.6.23.15/include/asm-sparc/elf.h linux-2.6.23.15-grsec/include/asm-sparc/elf.h
27810 +--- linux-2.6.23.15/include/asm-sparc/elf.h 2007-10-09 21:31:38.000000000 +0100
27811 ++++ linux-2.6.23.15-grsec/include/asm-sparc/elf.h 2008-02-11 10:37:44.000000000 +0000
27812 +@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
27813 +
27814 + #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
27815 +
27816 ++#ifdef CONFIG_PAX_ASLR
27817 ++#define PAX_ELF_ET_DYN_BASE 0x10000UL
27818 ++
27819 ++#define PAX_DELTA_MMAP_LEN 16
27820 ++#define PAX_DELTA_STACK_LEN 16
27821 ++#endif
27822 ++
27823 + /* This yields a mask that user programs can use to figure out what
27824 + instruction set this cpu supports. This can NOT be done in userspace
27825 + on Sparc. */
27826 +diff -Nurp linux-2.6.23.15/include/asm-sparc/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h
27827 +--- linux-2.6.23.15/include/asm-sparc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27828 ++++ linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27829 +@@ -15,6 +15,7 @@ enum km_type {
27830 + KM_IRQ1,
27831 + KM_SOFTIRQ0,
27832 + KM_SOFTIRQ1,
27833 ++ KM_CLEARPAGE,
27834 + KM_TYPE_NR
27835 + };
27836 +
27837 +diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtable.h linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h
27838 +--- linux-2.6.23.15/include/asm-sparc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
27839 ++++ linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
27840 +@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
27841 + #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
27842 + #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
27843 +
27844 ++#ifdef CONFIG_PAX_PAGEEXEC
27845 ++extern pgprot_t PAGE_SHARED_NOEXEC;
27846 ++# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
27847 ++# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
27848 ++#else
27849 ++# define PAGE_SHARED_NOEXEC PAGE_SHARED
27850 ++# define PAGE_COPY_NOEXEC PAGE_COPY
27851 ++# define PAGE_READONLY_NOEXEC PAGE_READONLY
27852 ++#endif
27853 ++
27854 + extern unsigned long page_kernel;
27855 +
27856 + #ifdef MODULE
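Review bot: inside the CONFIG_PAX_PAGEEXEC arm PAGE_SHARED_NOEXEC is an extern pgprot_t variable while PAGE_COPY_NOEXEC and PAGE_READONLY_NOEXEC are BTFIXUP macros; that mirrors the existing PAGE_SHARED/PAGE_COPY split, but it means the patch must also supply the variable's definition and initialisation and BTFIXUPDEF entries for page_copy_noexec/page_readonly_noexec in the sparc32 MMU setup code, plus an EXPORT_SYMBOL if PAGE_SHARED is exported today; otherwise the header compiles and the link fails. A pointer in the header to where those live would help reviewers.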
27857 +diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h
27858 +--- linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h 2007-10-09 21:31:38.000000000 +0100
27859 ++++ linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h 2008-02-11 10:37:44.000000000 +0000
27860 +@@ -115,6 +115,16 @@
27861 + SRMMU_EXEC | SRMMU_REF)
27862 + #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27863 + SRMMU_EXEC | SRMMU_REF)
27864 ++
27865 ++#ifdef CONFIG_PAX_PAGEEXEC
27866 ++#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27867 ++ SRMMU_WRITE | SRMMU_REF)
27868 ++#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27869 ++ SRMMU_REF)
27870 ++#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
27871 ++ SRMMU_REF)
27872 ++#endif
27873 ++
27874 + #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
27875 + SRMMU_DIRTY | SRMMU_REF)
27876 +
27877 +diff -Nurp linux-2.6.23.15/include/asm-sparc/uaccess.h linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h
27878 +--- linux-2.6.23.15/include/asm-sparc/uaccess.h 2007-10-09 21:31:38.000000000 +0100
27879 ++++ linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h 2008-02-11 10:37:44.000000000 +0000
27880 +@@ -41,7 +41,7 @@
27881 + * No one can read/write anything from userland in the kernel space by setting
27882 + * large size and address near to PAGE_OFFSET - a fault will break his intentions.
27883 + */
27884 +-#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
27885 ++#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
27886 + #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
27887 + #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
27888 + #define access_ok(type, addr, size) \
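Review bot: switching __user_ok() from STACK_TOP to __STACK_TOP is the correct choice once STACK_TOP becomes per-process under PaX: an access_ok() bound must be the fixed boundary between user and kernel space, not a value that changes at every exec. A comment on the macro saying that __STACK_TOP is deliberately the unrandomised ceiling would prevent someone later "fixing" it back to STACK_TOP.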
27889 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/a.out.h linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h
27890 +--- linux-2.6.23.15/include/asm-sparc64/a.out.h 2007-10-09 21:31:38.000000000 +0100
27891 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h 2008-02-11 10:37:44.000000000 +0000
27892 +@@ -98,7 +98,7 @@ struct relocation_info /* used when head
27893 + #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
27894 + #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
27895 +
27896 +-#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27897 ++#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
27898 + STACK_TOP32 : STACK_TOP64)
27899 +
27900 + #define STACK_TOP_MAX STACK_TOP64
27901 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/elf.h linux-2.6.23.15-grsec/include/asm-sparc64/elf.h
27902 +--- linux-2.6.23.15/include/asm-sparc64/elf.h 2007-10-09 21:31:38.000000000 +0100
27903 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/elf.h 2008-02-11 10:37:44.000000000 +0000
27904 +@@ -143,6 +143,12 @@ typedef struct {
27905 + #define ELF_ET_DYN_BASE 0x0000010000000000UL
27906 + #endif
27907 +
27908 ++#ifdef CONFIG_PAX_ASLR
27909 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
27910 ++
27911 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
27912 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
27913 ++#endif
27914 +
27915 + /* This yields a mask that user programs can use to figure out what
27916 + instruction set this cpu supports. */
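Review bot: the sparc64 deltas are asymmetric (PAX_DELTA_MMAP_LEN 14 vs PAX_DELTA_STACK_LEN 15 for 32-bit tasks, 28 vs 29 for 64-bit), unlike sparc32 and parisc in this same patch where mmap and stack use the same width; if that is deliberate, a one-line comment recording the reason would save the next reader from treating it as a typo. Style: the stray spaces before the closing parentheses in "28 )" and "29 )" should be dropped to match the surrounding definitions.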
27917 +diff -Nurp linux-2.6.23.15/include/asm-sparc64/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h
27918 +--- linux-2.6.23.15/include/asm-sparc64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27919 ++++ linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27920 +@@ -19,6 +19,7 @@ enum km_type {
27921 + KM_IRQ1,
27922 + KM_SOFTIRQ0,
27923 + KM_SOFTIRQ1,
27924 ++ KM_CLEARPAGE,
27925 + KM_TYPE_NR
27926 + };
27927 +
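Review bot: KM_CLEARPAGE is added as a new atomic kmap slot with no comment on what uses it; a short comment, or a pointer to the code that does the kmap_atomic() with this type, would help, because on highmem configurations every km_type entry costs a fixmap slot per CPU and an unused one is pure waste. The same one-line addition is repeated for um, v850, x86_64 and xtensa below; the set must cover every arch that compiles the consumer, otherwise the build breaks only on the arches that were missed, which is exactly the kind of failure that shows up late.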
27928 +diff -Nurp linux-2.6.23.15/include/asm-um/kmap_types.h linux-2.6.23.15-grsec/include/asm-um/kmap_types.h
27929 +--- linux-2.6.23.15/include/asm-um/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27930 ++++ linux-2.6.23.15-grsec/include/asm-um/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27931 +@@ -23,6 +23,7 @@ enum km_type {
27932 + KM_IRQ1,
27933 + KM_SOFTIRQ0,
27934 + KM_SOFTIRQ1,
27935 ++ KM_CLEARPAGE,
27936 + KM_TYPE_NR
27937 + };
27938 +
27939 +diff -Nurp linux-2.6.23.15/include/asm-v850/kmap_types.h linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h
27940 +--- linux-2.6.23.15/include/asm-v850/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
27941 ++++ linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
27942 +@@ -13,6 +13,7 @@ enum km_type {
27943 + KM_PTE1,
27944 + KM_IRQ0,
27945 + KM_IRQ1,
27946 ++ KM_CLEARPAGE,
27947 + KM_TYPE_NR
27948 + };
27949 +
27950 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/a.out.h linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h
27951 +--- linux-2.6.23.15/include/asm-x86_64/a.out.h 2007-10-09 21:31:38.000000000 +0100
27952 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h 2008-02-11 10:37:45.000000000 +0000
27953 +@@ -21,7 +21,7 @@ struct exec
27954 +
27955 + #ifdef __KERNEL__
27956 + #include <linux/thread_info.h>
27957 +-#define STACK_TOP TASK_SIZE
27958 ++#define __STACK_TOP TASK_SIZE
27959 + #define STACK_TOP_MAX TASK_SIZE64
27960 + #endif
27961 +
27962 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/apic.h linux-2.6.23.15-grsec/include/asm-x86_64/apic.h
27963 +--- linux-2.6.23.15/include/asm-x86_64/apic.h 2007-10-09 21:31:38.000000000 +0100
27964 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/apic.h 2008-02-11 10:37:45.000000000 +0000
27965 +@@ -7,7 +7,7 @@
27966 + #include <asm/apicdef.h>
27967 + #include <asm/system.h>
27968 +
27969 +-#define Dprintk(x...)
27970 ++#define Dprintk(x...) do {} while (0)
27971 +
27972 + /*
27973 + * Debugging macros
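Review bot: turning the empty Dprintk() into `do {} while (0)` is a correctness fix rather than a hardening change: an empty expansion leaves `if (x) Dprintk(...); else ...` parsing wrongly, and the do/while form makes the macro safe as the sole statement of a branch. It belongs in its own small patch upstream rather than buried in the grsec diff, together with the identical ext_debug() change in include/linux/ext4_fs_extents.h below.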
27974 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/elf.h linux-2.6.23.15-grsec/include/asm-x86_64/elf.h
27975 +--- linux-2.6.23.15/include/asm-x86_64/elf.h 2007-10-09 21:31:38.000000000 +0100
27976 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/elf.h 2008-02-11 10:37:45.000000000 +0000
27977 +@@ -92,6 +92,13 @@ typedef struct user_i387_struct elf_fpre
27978 +
27979 + #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
27980 +
27981 ++#ifdef CONFIG_PAX_ASLR
27982 ++#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
27983 ++
27984 ++#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
27985 ++#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
27986 ++#endif
27987 ++
27988 + /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
27989 + now struct_user_regs, they are different). Assumes current is the process
27990 + getting dumped. */
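Review bot: the 16/32 values in PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN need a comment on their meaning: 32 random bits for a 64-bit task is only sensible if the count is applied above the page shift and the consumer checks the result against TASK_SIZE64, and the header is where a reviewer looks first. Also document why the IA32 PAX_ELF_ET_DYN_BASE is 0x08048000UL (the traditional i386 ET_EXEC load address) and the 64-bit one is 0x400000UL, so neither is mistaken for a typo.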
27991 +@@ -172,7 +179,7 @@ extern int vdso_enabled;
27992 +
27993 + #define ARCH_DLINFO \
27994 + do if (vdso_enabled) { \
27995 +- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
27996 ++ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
27997 + } while (0)
27998 +
27999 + #endif
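Review bot: dropping the `(unsigned long)` cast in NEW_AUX_ENT is only valid because the same patch changes mm_context_t.vdso from `void *` to `unsigned long` in include/asm-x86_64/mmu.h; the two hunks must land together. A note in the changelog, or a comment here, would stop someone cherry-picking this file alone and getting a pointer-to-integer warning from the auxv setup.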
28000 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/futex.h linux-2.6.23.15-grsec/include/asm-x86_64/futex.h
28001 +--- linux-2.6.23.15/include/asm-x86_64/futex.h 2007-10-09 21:31:38.000000000 +0100
28002 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/futex.h 2008-02-11 10:37:45.000000000 +0000
28003 +@@ -42,7 +42,7 @@
28004 + : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
28005 +
28006 + static inline int
28007 +-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
28008 ++futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
28009 + {
28010 + int op = (encoded_op >> 28) & 7;
28011 + int cmp = (encoded_op >> 24) & 15;
28012 +@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
28013 + }
28014 +
28015 + static inline int
28016 +-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
28017 ++futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
28018 + {
28019 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
28020 + return -EFAULT;
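Review bot: the parameter is retyped to `u32 __user *uaddr`, but the range check two lines later is still `access_ok(VERIFY_WRITE, uaddr, sizeof(int))`; use `sizeof(*uaddr)` (or sizeof(u32)) so the validated length follows the pointer type if either changes again. The body of futex_atomic_op_inuser() in the previous hunk should likewise load and store through uaddr at u32 width. The prototype change also has to match the declaration in the generic futex code that calls these helpers, otherwise the build fails with a conflicting-types error.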
28021 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/ia32.h linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h
28022 +--- linux-2.6.23.15/include/asm-x86_64/ia32.h 2007-10-09 21:31:38.000000000 +0100
28023 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h 2008-02-11 10:37:45.000000000 +0000
28024 +@@ -156,7 +156,13 @@ struct ustat32 {
28025 + char f_fpack[6];
28026 + };
28027 +
28028 +-#define IA32_STACK_TOP IA32_PAGE_OFFSET
28029 ++#ifdef CONFIG_PAX_RANDUSTACK
28030 ++#define IA32_DELTA_STACK (current->mm->delta_stack)
28031 ++#else
28032 ++#define IA32_DELTA_STACK 0UL
28033 ++#endif
28034 ++
28035 ++#define IA32_STACK_TOP (IA32_PAGE_OFFSET - IA32_DELTA_STACK)
28036 +
28037 + #ifdef __KERNEL__
28038 + struct user_desc;
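Review bot: IA32_STACK_TOP now expands to `(IA32_PAGE_OFFSET - current->mm->delta_stack)` under CONFIG_PAX_RANDUSTACK, so every user of the macro dereferences current->mm; confirm that none of them runs in a context where current->mm is NULL (kernel threads) or before the new mm is installed during exec. The IA32_DELTA_STACK block is also a copy of the __DELTA_STACK block this patch adds to include/linux/a.out.h; defining it once and reusing it would keep the two from drifting apart.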
28039 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/kmap_types.h linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h
28040 +--- linux-2.6.23.15/include/asm-x86_64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
28041 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
28042 +@@ -13,6 +13,7 @@ enum km_type {
28043 + KM_IRQ1,
28044 + KM_SOFTIRQ0,
28045 + KM_SOFTIRQ1,
28046 ++ KM_CLEARPAGE,
28047 + KM_TYPE_NR
28048 + };
28049 +
28050 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/mmu.h linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h
28051 +--- linux-2.6.23.15/include/asm-x86_64/mmu.h 2007-10-09 21:31:38.000000000 +0100
28052 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h 2008-02-11 10:37:45.000000000 +0000
28053 +@@ -15,7 +15,7 @@ typedef struct {
28054 + rwlock_t ldtlock;
28055 + int size;
28056 + struct semaphore sem;
28057 +- void *vdso;
28058 ++ unsigned long vdso;
28059 + } mm_context_t;
28060 +
28061 + #endif
28062 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/page.h linux-2.6.23.15-grsec/include/asm-x86_64/page.h
28063 +--- linux-2.6.23.15/include/asm-x86_64/page.h 2007-10-09 21:31:38.000000000 +0100
28064 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/page.h 2008-02-11 10:37:45.000000000 +0000
28065 +@@ -94,6 +94,8 @@ extern unsigned long phys_base;
28066 + #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
28067 + #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
28068 +
28069 ++#define __KERNEL_TEXT_OFFSET (0)
28070 ++
28071 + /* to align the pointer to the (next) page boundary */
28072 + #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
28073 +
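Review bot: `#define __KERNEL_TEXT_OFFSET (0)` is added with no comment and no user in this file; say what the constant represents and why it is zero on x86_64, otherwise the next reader cannot tell a placeholder from a deliberate value, and a future arch port will not know what a non-zero value is supposed to mean.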
28074 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgalloc.h linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h
28075 +--- linux-2.6.23.15/include/asm-x86_64/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
28076 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h 2008-02-11 10:37:45.000000000 +0000
28077 +@@ -6,7 +6,7 @@
28078 + #include <linux/mm.h>
28079 +
28080 + #define pmd_populate_kernel(mm, pmd, pte) \
28081 +- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
28082 ++ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
28083 + #define pud_populate(mm, pud, pmd) \
28084 + set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
28085 + #define pgd_populate(mm, pgd, pud) \
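Review bot: moving pmd_populate_kernel() from _PAGE_TABLE to _KERNPG_TABLE is the right hardening direction (kernel-only page tables should not carry the user bit), but the adjacent pud_populate() and pgd_populate() still install _PAGE_TABLE. If that is deliberate because those levels are shared between user and kernel ranges, a comment saying so would save the next reviewer from asking; if it is not, the upper levels keep the same user bit this hunk removes at the pmd level.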
28086 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgtable.h linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h
28087 +--- linux-2.6.23.15/include/asm-x86_64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
28088 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h 2008-02-11 10:37:45.000000000 +0000
28089 +@@ -179,6 +179,10 @@ static inline pte_t ptep_get_and_clear_f
28090 + #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
28091 + #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
28092 + #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
28093 ++
28094 ++#define PAGE_READONLY_NOEXEC PAGE_READONLY
28095 ++#define PAGE_SHARED_NOEXEC PAGE_SHARED
28096 ++
28097 + #define __PAGE_KERNEL \
28098 + (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
28099 + #define __PAGE_KERNEL_EXEC \
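Review bot: PAGE_READONLY_NOEXEC and PAGE_SHARED_NOEXEC are plain aliases; for PAGE_READONLY that is correct because its definition two lines up already carries _PAGE_NX, but PAGE_SHARED's definition is not in this hunk, so the alias only honours its name if PAGE_SHARED also has _PAGE_NX. Suggest a comment stating that invariant and a grep to confirm it, since a later change that drops NX from PAGE_SHARED would silently turn the NOEXEC alias into an executable mapping.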
28100 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/processor.h linux-2.6.23.15-grsec/include/asm-x86_64/processor.h
28101 +--- linux-2.6.23.15/include/asm-x86_64/processor.h 2007-10-09 21:31:38.000000000 +0100
28102 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/processor.h 2008-02-11 10:37:45.000000000 +0000
28103 +@@ -140,7 +140,7 @@ static inline void clear_in_cr4 (unsigne
28104 + /* This decides where the kernel will search for a free chunk of vm
28105 + * space during mmap's.
28106 + */
28107 +-#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
28108 ++#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
28109 +
28110 + #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
28111 + #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
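Review bot: raising IA32_PAGE_OFFSET from 0xFFFFe000 to 0xFFFFf000 for compat tasks without ADDR_LIMIT_3GB grows the 32-bit address space by one page with no explanation; the commit should say which page was reclaimed and why it is now safe for user mappings, and confirm that the TASK_SIZE and TASK_SIZE_OF consumers, including the compat mmap layout, still keep a guard page below 4 GiB. Style: the mixed-case `0xFFFFf000` literal reads like a typo; use one case.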
28112 +diff -Nurp linux-2.6.23.15/include/asm-x86_64/system.h linux-2.6.23.15-grsec/include/asm-x86_64/system.h
28113 +--- linux-2.6.23.15/include/asm-x86_64/system.h 2008-02-11 10:36:03.000000000 +0000
28114 ++++ linux-2.6.23.15-grsec/include/asm-x86_64/system.h 2008-02-11 10:37:45.000000000 +0000
28115 +@@ -174,7 +174,7 @@ static inline void write_cr8(unsigned lo
28116 +
28117 + void cpu_idle_wait(void);
28118 +
28119 +-extern unsigned long arch_align_stack(unsigned long sp);
28120 ++#define arch_align_stack(x) (x)
28121 + extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
28122 +
28123 + #endif
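Review bot: replacing the extern arch_align_stack() with `#define arch_align_stack(x) (x)` removes the mainline sub-page stack randomization on x86_64, presumably because PaX's RANDUSTACK now supplies the stack delta; that trade-off should be stated in a comment, because a configuration with RANDUSTACK disabled would otherwise end up with less stack randomization than a vanilla kernel. Also check that the out-of-line definition in arch/x86_64 has been removed or no longer includes this header, since the macro would rewrite `unsigned long arch_align_stack(unsigned long sp)` into an invalid declarator.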
28124 +diff -Nurp linux-2.6.23.15/include/asm-xtensa/kmap_types.h linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h
28125 +--- linux-2.6.23.15/include/asm-xtensa/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
28126 ++++ linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
28127 +@@ -25,6 +25,7 @@ enum km_type {
28128 + KM_IRQ1,
28129 + KM_SOFTIRQ0,
28130 + KM_SOFTIRQ1,
28131 ++ KM_CLEARPAGE,
28132 + KM_TYPE_NR
28133 + };
28134 +
28135 +diff -Nurp linux-2.6.23.15/include/linux/a.out.h linux-2.6.23.15-grsec/include/linux/a.out.h
28136 +--- linux-2.6.23.15/include/linux/a.out.h 2007-10-09 21:31:38.000000000 +0100
28137 ++++ linux-2.6.23.15-grsec/include/linux/a.out.h 2008-02-11 10:37:45.000000000 +0000
28138 +@@ -7,6 +7,16 @@
28139 +
28140 + #include <asm/a.out.h>
28141 +
28142 ++#ifdef CONFIG_PAX_RANDUSTACK
28143 ++#define __DELTA_STACK (current->mm->delta_stack)
28144 ++#else
28145 ++#define __DELTA_STACK 0UL
28146 ++#endif
28147 ++
28148 ++#ifndef STACK_TOP
28149 ++#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
28150 ++#endif
28151 ++
28152 + #endif /* __STRUCT_EXEC_OVERRIDE__ */
28153 +
28154 + /* these go in the N_MACHTYPE field */
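Review bot: the `#ifndef STACK_TOP` fallback makes STACK_TOP depend on current->mm->delta_stack whenever CONFIG_PAX_RANDUSTACK is set, which is a semantic change to a widely used macro: callers that treated STACK_TOP as a compile-time constant (array sizes, static initialisers) or that run without a valid current->mm now either fail to compile or dereference NULL. The #ifndef also means an arch that still defines its own STACK_TOP silently opts out of the randomization. A comment covering both points, and an #error when __STACK_TOP is undefined, would make the contract explicit.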
28155 +@@ -37,6 +47,14 @@ enum machine_type {
28156 + M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
28157 + };
28158 +
28159 ++/* Constants for the N_FLAGS field */
28160 ++#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
28161 ++#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
28162 ++#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
28163 ++#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
28164 ++/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
28165 ++#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
28166 ++
28167 + #if !defined (N_MAGIC)
28168 + #define N_MAGIC(exec) ((exec).a_info & 0xffff)
28169 + #endif
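Review bot: the F_PAX_* N_FLAGS constants duplicate the EF_PAX_* e_flags constants added to include/linux/elf.h with the same values and the same commented-out bit 16; two copies invite drift. Defining one set and aliasing the other, or at least cross-referencing them in a comment, ties them together, and the commented-out `F_PAX_RANDEXEC 16` line should say that the value is intentionally reserved so nobody recycles it.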
28170 +diff -Nurp linux-2.6.23.15/include/linux/binfmts.h linux-2.6.23.15-grsec/include/linux/binfmts.h
28171 +--- linux-2.6.23.15/include/linux/binfmts.h 2007-10-09 21:31:38.000000000 +0100
28172 ++++ linux-2.6.23.15-grsec/include/linux/binfmts.h 2008-02-11 10:37:45.000000000 +0000
28173 +@@ -48,6 +48,7 @@ struct linux_binprm{
28174 + unsigned interp_data;
28175 + unsigned long loader, exec;
28176 + unsigned long argv_len;
28177 ++ int misc;
28178 + };
28179 +
28180 + #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
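Review bot: `int misc;` is too opaque a name for a new field in struct linux_binprm; a reader cannot tell what is stored in it or who sets it. Name it for its contents, or at least add a comment saying which PaX/grsec code writes and reads it, and state whether it must be zero-initialised by the binprm allocation path.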
28181 +@@ -99,5 +100,8 @@ extern void compute_creds(struct linux_b
28182 + extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
28183 + extern int set_binfmt(struct linux_binfmt *new);
28184 +
28185 ++void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
28186 ++void pax_report_insns(void *pc, void *sp);
28187 ++
28188 + #endif /* __KERNEL__ */
28189 + #endif /* _LINUX_BINFMTS_H */
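Review bot: pax_report_fault() and pax_report_insns() are declared unconditionally but are presumably only defined when the corresponding PaX option is configured; either guard the prototypes with that option or make sure definitions exist in every configuration. A comment describing what each reports (the faulting pc and sp versus a dump of the instruction bytes at pc) would also tell callers which one to use.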
28190 +diff -Nurp linux-2.6.23.15/include/linux/cache.h linux-2.6.23.15-grsec/include/linux/cache.h
28191 +--- linux-2.6.23.15/include/linux/cache.h 2007-10-09 21:31:38.000000000 +0100
28192 ++++ linux-2.6.23.15-grsec/include/linux/cache.h 2008-02-11 10:37:45.000000000 +0000
28193 +@@ -16,6 +16,10 @@
28194 + #define __read_mostly
28195 + #endif
28196 +
28197 ++#ifndef __read_only
28198 ++#define __read_only
28199 ++#endif
28200 ++
28201 + #ifndef ____cacheline_aligned
28202 + #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
28203 + #endif
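Review bot: the empty `__read_only` fallback means the annotation silently provides no protection on any arch that does not define it; that is acceptable for a compatibility stub, but a comment should say what the real definition does where one exists and that this fallback is a no-op, so users do not assume the data they mark with it is write-protected after init.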
28204 +diff -Nurp linux-2.6.23.15/include/linux/capability.h linux-2.6.23.15-grsec/include/linux/capability.h
28205 +--- linux-2.6.23.15/include/linux/capability.h 2007-10-09 21:31:38.000000000 +0100
28206 ++++ linux-2.6.23.15-grsec/include/linux/capability.h 2008-02-11 10:37:45.000000000 +0000
28207 +@@ -359,6 +359,7 @@ static inline kernel_cap_t cap_invert(ke
28208 + #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
28209 +
28210 + int capable(int cap);
28211 ++int capable_nolog(int cap);
28212 + int __capable(struct task_struct *t, int cap);
28213 +
28214 + #endif /* __KERNEL__ */
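Review bot: capable_nolog() needs a comment stating how it differs from capable(); the name implies the same check without the audit line on denial, which is a deliberate gap in the logging policy and should be reserved for probes whose failure is expected and benign. Without that guidance callers may pick the quiet variant for real privilege decisions and keep policy violations out of the logs, so say in the comment when it may be used.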
28215 +diff -Nurp linux-2.6.23.15/include/linux/elf.h linux-2.6.23.15-grsec/include/linux/elf.h
28216 +--- linux-2.6.23.15/include/linux/elf.h 2007-10-09 21:31:38.000000000 +0100
28217 ++++ linux-2.6.23.15-grsec/include/linux/elf.h 2008-02-11 10:37:45.000000000 +0000
28218 +@@ -8,6 +8,10 @@
28219 +
28220 + struct file;
28221 +
28222 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
28223 ++#undef elf_read_implies_exec
28224 ++#endif
28225 ++
28226 + #ifndef elf_read_implies_exec
28227 + /* Executables for which elf_read_implies_exec() returns TRUE will
28228 + have the READ_IMPLIES_EXEC personality flag set automatically.
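Review bot: `#undef elf_read_implies_exec` under PAGEEXEC/SEGMEXEC discards whatever the arch header defined and falls through to the generic block right below; a comment should name the arch definitions being overridden and say why the generic one is preferred when PaX's non-executable page support is active, so the override is not mistaken for an accidental leftover.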
28229 +@@ -49,6 +53,16 @@ typedef __s64 Elf64_Sxword;
28230 +
28231 + #define PT_GNU_STACK (PT_LOOS + 0x474e551)
28232 +
28233 ++#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
28234 ++
28235 ++/* Constants for the e_flags field */
28236 ++#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
28237 ++#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
28238 ++#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
28239 ++#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
28240 ++/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
28241 ++#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
28242 ++
28243 + /* These constants define the different elf file types */
28244 + #define ET_NONE 0
28245 + #define ET_REL 1
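Review bot: PT_PAX_FLAGS is defined as `PT_LOOS + 0x5041580`, which sits in the OS-specific program header range alongside PT_GNU_STACK (`PT_LOOS + 0x474e551` just above); a comment that the offset spells "PAX" in ASCII, as the GNU one spells "GNU", would make clear the value is deliberate and not colliding with another OS-specific type by accident. The EF_PAX_* block duplicates the F_PAX_* constants in include/linux/a.out.h; keep one definition or cross-reference them.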
28246 +@@ -83,6 +97,8 @@ typedef __s64 Elf64_Sxword;
28247 + #define DT_DEBUG 21
28248 + #define DT_TEXTREL 22
28249 + #define DT_JMPREL 23
28250 ++#define DT_FLAGS 30
28251 ++ #define DF_TEXTREL 0x00000004
28252 + #define DT_ENCODING 32
28253 + #define OLD_DT_LOOS 0x60000000
28254 + #define DT_LOOS 0x6000000d
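Review bot: `+ #define DF_TEXTREL 0x00000004` is indented with a leading space unlike every other #define in the block; DF_TEXTREL is a bit in the d_val of DT_FLAGS rather than a dynamic tag, so a comment saying so (and consistent indentation) would keep the tag list readable and stop someone sorting it in among the DT_* numbers.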
28255 +@@ -229,6 +245,19 @@ typedef struct elf64_hdr {
28256 + #define PF_W 0x2
28257 + #define PF_X 0x1
28258 +
28259 ++#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
28260 ++#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
28261 ++#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
28262 ++#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
28263 ++#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
28264 ++#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
28265 ++/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
28266 ++/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
28267 ++#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
28268 ++#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
28269 ++#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
28270 ++#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
28271 ++
28272 + typedef struct elf32_phdr{
28273 + Elf32_Word p_type;
28274 + Elf32_Off p_offset;
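Review bot: the PF_PAGEEXEC ... PF_NORANDMMAP bits occupy bits 4 to 15 of p_flags, which lie outside both PF_MASKOS (0x0ff00000) and PF_MASKPROC (0xf0000000); that is fine only because they are read from the dedicated PT_PAX_FLAGS header, so a comment should state that these bits must never be interpreted on a PT_LOAD header. Each feature also has an enable and a disable bit; say what the consumer does when both are set for the same feature (reject, or a fixed precedence), since a contradictory header is the obvious malformed-input case.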
28275 +@@ -321,6 +350,8 @@ typedef struct elf64_shdr {
28276 + #define EI_OSABI 7
28277 + #define EI_PAD 8
28278 +
28279 ++#define EI_PAX 14
28280 ++
28281 + #define ELFMAG0 0x7f /* EI_MAG */
28282 + #define ELFMAG1 'E'
28283 + #define ELFMAG2 'L'
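Review bot: EI_PAX is 14, which is inside the e_ident padding that starts at EI_PAD (8); the ELF spec says readers should ignore those bytes, so storing PaX flags there relies on toolchains preserving them and on no other project claiming the same byte. A comment should document that convention and how the byte relates to the PT_PAX_FLAGS header added above (which takes precedence, and whether the ident byte is legacy).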
28284 +@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
28285 + #define elf_phdr elf32_phdr
28286 + #define elf_note elf32_note
28287 + #define elf_addr_t Elf32_Off
28288 ++#define elf_dyn Elf32_Dyn
28289 +
28290 + #else
28291 +
28292 +@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
28293 + #define elf_phdr elf64_phdr
28294 + #define elf_note elf64_note
28295 + #define elf_addr_t Elf64_Off
28296 ++#define elf_dyn Elf64_Dyn
28297 +
28298 + #endif
28299 +
28300 +diff -Nurp linux-2.6.23.15/include/linux/ext4_fs_extents.h linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h
28301 +--- linux-2.6.23.15/include/linux/ext4_fs_extents.h 2007-10-09 21:31:38.000000000 +0100
28302 ++++ linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h 2008-02-11 10:37:45.000000000 +0000
28303 +@@ -50,7 +50,7 @@
28304 + #ifdef EXT_DEBUG
28305 + #define ext_debug(a...) printk(a)
28306 + #else
28307 +-#define ext_debug(a...)
28308 ++#define ext_debug(a...) do {} while (0)
28309 + #endif
28310 +
28311 + /*
28312 +diff -Nurp linux-2.6.23.15/include/linux/gracl.h linux-2.6.23.15-grsec/include/linux/gracl.h
28313 +--- linux-2.6.23.15/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100
28314 ++++ linux-2.6.23.15-grsec/include/linux/gracl.h 2008-02-11 10:37:45.000000000 +0000
28315 +@@ -0,0 +1,317 @@
28316 ++#ifndef GR_ACL_H
28317 ++#define GR_ACL_H
28318 ++
28319 ++#include <linux/grdefs.h>
28320 ++#include <linux/resource.h>
28321 ++#include <linux/dcache.h>
28322 ++#include <asm/resource.h>
28323 ++
28324 ++/* Major status information */
28325 ++
28326 ++#define GR_VERSION "grsecurity 2.1.11"
28327 ++#define GRSECURITY_VERSION 0x2111
28328 ++
28329 ++enum {
28330 ++
28331 ++ SHUTDOWN = 0,
28332 ++ ENABLE = 1,
28333 ++ SPROLE = 2,
28334 ++ RELOAD = 3,
28335 ++ SEGVMOD = 4,
28336 ++ STATUS = 5,
28337 ++ UNSPROLE = 6,
28338 ++ PASSSET = 7,
28339 ++ SPROLEPAM = 8
28340 ++};
28341 ++
28342 ++/* Password setup definitions
28343 ++ * kernel/grhash.c */
28344 ++enum {
28345 ++ GR_PW_LEN = 128,
28346 ++ GR_SALT_LEN = 16,
28347 ++ GR_SHA_LEN = 32,
28348 ++};
28349 ++
28350 ++enum {
28351 ++ GR_SPROLE_LEN = 64,
28352 ++};
28353 ++
28354 ++#define GR_NLIMITS (RLIMIT_LOCKS + 2)
28355 ++
28356 ++/* Begin Data Structures */
28357 ++
28358 ++struct sprole_pw {
28359 ++ unsigned char *rolename;
28360 ++ unsigned char salt[GR_SALT_LEN];
28361 ++ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
28362 ++};
28363 ++
28364 ++struct name_entry {
28365 ++ __u32 key;
28366 ++ ino_t inode;
28367 ++ dev_t device;
28368 ++ char *name;
28369 ++ __u16 len;
28370 ++ __u8 deleted;
28371 ++ struct name_entry *prev;
28372 ++ struct name_entry *next;
28373 ++};
28374 ++
28375 ++struct inodev_entry {
28376 ++ struct name_entry *nentry;
28377 ++ struct inodev_entry *prev;
28378 ++ struct inodev_entry *next;
28379 ++};
28380 ++
28381 ++struct acl_role_db {
28382 ++ struct acl_role_label **r_hash;
28383 ++ __u32 r_size;
28384 ++};
28385 ++
28386 ++struct inodev_db {
28387 ++ struct inodev_entry **i_hash;
28388 ++ __u32 i_size;
28389 ++};
28390 ++
28391 ++struct name_db {
28392 ++ struct name_entry **n_hash;
28393 ++ __u32 n_size;
28394 ++};
28395 ++
28396 ++struct crash_uid {
28397 ++ uid_t uid;
28398 ++ unsigned long expires;
28399 ++};
28400 ++
28401 ++struct gr_hash_struct {
28402 ++ void **table;
28403 ++ void **nametable;
28404 ++ void *first;
28405 ++ __u32 table_size;
28406 ++ __u32 used_size;
28407 ++ int type;
28408 ++};
28409 ++
28410 ++/* Userspace Grsecurity ACL data structures */
28411 ++
28412 ++struct acl_subject_label {
28413 ++ char *filename;
28414 ++ ino_t inode;
28415 ++ dev_t device;
28416 ++ __u32 mode;
28417 ++ __u32 cap_mask;
28418 ++ __u32 cap_lower;
28419 ++
28420 ++ struct rlimit res[GR_NLIMITS];
28421 ++ __u16 resmask;
28422 ++
28423 ++ __u8 user_trans_type;
28424 ++ __u8 group_trans_type;
28425 ++ uid_t *user_transitions;
28426 ++ gid_t *group_transitions;
28427 ++ __u16 user_trans_num;
28428 ++ __u16 group_trans_num;
28429 ++
28430 ++ __u32 ip_proto[8];
28431 ++ __u32 ip_type;
28432 ++ struct acl_ip_label **ips;
28433 ++ __u32 ip_num;
28434 ++
28435 ++ __u32 crashes;
28436 ++ unsigned long expires;
28437 ++
28438 ++ struct acl_subject_label *parent_subject;
28439 ++ struct gr_hash_struct *hash;
28440 ++ struct acl_subject_label *prev;
28441 ++ struct acl_subject_label *next;
28442 ++
28443 ++ struct acl_object_label **obj_hash;
28444 ++ __u32 obj_hash_size;
28445 ++ __u16 pax_flags;
28446 ++};
28447 ++
28448 ++struct role_allowed_ip {
28449 ++ __u32 addr;
28450 ++ __u32 netmask;
28451 ++
28452 ++ struct role_allowed_ip *prev;
28453 ++ struct role_allowed_ip *next;
28454 ++};
28455 ++
28456 ++struct role_transition {
28457 ++ char *rolename;
28458 ++
28459 ++ struct role_transition *prev;
28460 ++ struct role_transition *next;
28461 ++};
28462 ++
28463 ++struct acl_role_label {
28464 ++ char *rolename;
28465 ++ uid_t uidgid;
28466 ++ __u16 roletype;
28467 ++
28468 ++ __u16 auth_attempts;
28469 ++ unsigned long expires;
28470 ++
28471 ++ struct acl_subject_label *root_label;
28472 ++ struct gr_hash_struct *hash;
28473 ++
28474 ++ struct acl_role_label *prev;
28475 ++ struct acl_role_label *next;
28476 ++
28477 ++ struct role_transition *transitions;
28478 ++ struct role_allowed_ip *allowed_ips;
28479 ++ uid_t *domain_children;
28480 ++ __u16 domain_child_num;
28481 ++
28482 ++ struct acl_subject_label **subj_hash;
28483 ++ __u32 subj_hash_size;
28484 ++};
28485 ++
28486 ++struct user_acl_role_db {
28487 ++ struct acl_role_label **r_table;
28488 ++ __u32 num_pointers; /* Number of allocations to track */
28489 ++ __u32 num_roles; /* Number of roles */
28490 ++ __u32 num_domain_children; /* Number of domain children */
28491 ++ __u32 num_subjects; /* Number of subjects */
28492 ++ __u32 num_objects; /* Number of objects */
28493 ++};
28494 ++
28495 ++struct acl_object_label {
28496 ++ char *filename;
28497 ++ ino_t inode;
28498 ++ dev_t device;
28499 ++ __u32 mode;
28500 ++
28501 ++ struct acl_subject_label *nested;
28502 ++ struct acl_object_label *globbed;
28503 ++
28504 ++ /* next two structures not used */
28505 ++
28506 ++ struct acl_object_label *prev;
28507 ++ struct acl_object_label *next;
28508 ++};
28509 ++
28510 ++struct acl_ip_label {
28511 ++ char *iface;
28512 ++ __u32 addr;
28513 ++ __u32 netmask;
28514 ++ __u16 low, high;
28515 ++ __u8 mode;
28516 ++ __u32 type;
28517 ++ __u32 proto[8];
28518 ++
28519 ++ /* next two structures not used */
28520 ++
28521 ++ struct acl_ip_label *prev;
28522 ++ struct acl_ip_label *next;
28523 ++};
28524 ++
28525 ++struct gr_arg {
28526 ++ struct user_acl_role_db role_db;
28527 ++ unsigned char pw[GR_PW_LEN];
28528 ++ unsigned char salt[GR_SALT_LEN];
28529 ++ unsigned char sum[GR_SHA_LEN];
28530 ++ unsigned char sp_role[GR_SPROLE_LEN];
28531 ++ struct sprole_pw *sprole_pws;
28532 ++ dev_t segv_device;
28533 ++ ino_t segv_inode;
28534 ++ uid_t segv_uid;
28535 ++ __u16 num_sprole_pws;
28536 ++ __u16 mode;
28537 ++};
28538 ++
28539 ++struct gr_arg_wrapper {
28540 ++ struct gr_arg *arg;
28541 ++ __u32 version;
28542 ++ __u32 size;
28543 ++};
28544 ++
28545 ++struct subject_map {
28546 ++ struct acl_subject_label *user;
28547 ++ struct acl_subject_label *kernel;
28548 ++ struct subject_map *prev;
28549 ++ struct subject_map *next;
28550 ++};
28551 ++
28552 ++struct acl_subj_map_db {
28553 ++ struct subject_map **s_hash;
28554 ++ __u32 s_size;
28555 ++};
28556 ++
28557 ++/* End Data Structures Section */
28558 ++
28559 ++/* Hash functions generated by empirical testing by Brad Spengler
28560 ++ Makes good use of the low bits of the inode. Generally 0-1 times
28561 ++ in loop for successful match. 0-3 for unsuccessful match.
28562 ++ Shift/add algorithm with modulus of table size and an XOR*/
28563 ++
28564 ++static __inline__ unsigned int
28565 ++rhash(const uid_t uid, const __u16 type, const unsigned int sz)
28566 ++{
28567 ++ return (((uid << type) + (uid ^ type)) % sz);
28568 ++}
28569 ++
28570 ++ static __inline__ unsigned int
28571 ++shash(const struct acl_subject_label *userp, const unsigned int sz)
28572 ++{
28573 ++ return ((const unsigned long)userp % sz);
28574 ++}
28575 ++
28576 ++static __inline__ unsigned int
28577 ++fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
28578 ++{
28579 ++ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
28580 ++}
28581 ++
28582 ++static __inline__ unsigned int
28583 ++nhash(const char *name, const __u16 len, const unsigned int sz)
28584 ++{
28585 ++ return full_name_hash(name, len) % sz;
28586 ++}
28587 ++
28588 ++#define FOR_EACH_ROLE_START(role,iter) \
28589 ++ role = NULL; \
28590 ++ iter = 0; \
28591 ++ while (iter < acl_role_set.r_size) { \
28592 ++ if (role == NULL) \
28593 ++ role = acl_role_set.r_hash[iter]; \
28594 ++ if (role == NULL) { \
28595 ++ iter++; \
28596 ++ continue; \
28597 ++ }
28598 ++
28599 ++#define FOR_EACH_ROLE_END(role,iter) \
28600 ++ role = role->next; \
28601 ++ if (role == NULL) \
28602 ++ iter++; \
28603 ++ }
28604 ++
28605 ++#define FOR_EACH_SUBJECT_START(role,subj,iter) \
28606 ++ subj = NULL; \
28607 ++ iter = 0; \
28608 ++ while (iter < role->subj_hash_size) { \
28609 ++ if (subj == NULL) \
28610 ++ subj = role->subj_hash[iter]; \
28611 ++ if (subj == NULL) { \
28612 ++ iter++; \
28613 ++ continue; \
28614 ++ }
28615 ++
28616 ++#define FOR_EACH_SUBJECT_END(subj,iter) \
28617 ++ subj = subj->next; \
28618 ++ if (subj == NULL) \
28619 ++ iter++; \
28620 ++ }
28621 ++
28622 ++
28623 ++#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
28624 ++ subj = role->hash->first; \
28625 ++ while (subj != NULL) {
28626 ++
28627 ++#define FOR_EACH_NESTED_SUBJECT_END(subj) \
28628 ++ subj = subj->next; \
28629 ++ }
28630 ++
28631 ++#endif
28632 ++
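Review bot: rhash() computes `(uid << type) + (uid ^ type)`; if `type` is ever the full GR_ROLE_* mask from grdefs.h (values up to 0x0400) rather than a small index, the shift exceeds the width of uid and is undefined, so confirm the callers mask it and note the constraint in the comment above the hash functions. Separately, struct gr_arg carries the plaintext password in `pw[GR_PW_LEN]` after copying it from userspace; make sure the kernel copy is zeroed once the hash has been computed. Style: shash() has a stray leading space before `static __inline__`, and the FOR_EACH_*_START/END macro pairs open and close braces in different macros, which is fragile under reindentation and deserves a comment.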
28633 +diff -Nurp linux-2.6.23.15/include/linux/gralloc.h linux-2.6.23.15-grsec/include/linux/gralloc.h
28634 +--- linux-2.6.23.15/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100
28635 ++++ linux-2.6.23.15-grsec/include/linux/gralloc.h 2008-02-11 10:37:45.000000000 +0000
28636 +@@ -0,0 +1,8 @@
28637 ++#ifndef __GRALLOC_H
28638 ++#define __GRALLOC_H
28639 ++
28640 ++void acl_free_all(void);
28641 ++int acl_alloc_stack_init(unsigned long size);
28642 ++void *acl_alloc(unsigned long len);
28643 ++
28644 ++#endif
28645 +diff -Nurp linux-2.6.23.15/include/linux/grdefs.h linux-2.6.23.15-grsec/include/linux/grdefs.h
28646 +--- linux-2.6.23.15/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100
28647 ++++ linux-2.6.23.15-grsec/include/linux/grdefs.h 2008-02-11 10:37:45.000000000 +0000
28648 +@@ -0,0 +1,131 @@
28649 ++#ifndef GRDEFS_H
28650 ++#define GRDEFS_H
28651 ++
28652 ++/* Begin grsecurity status declarations */
28653 ++
28654 ++enum {
28655 ++ GR_READY = 0x01,
28656 ++ GR_STATUS_INIT = 0x00 // disabled state
28657 ++};
28658 ++
28659 ++/* Begin ACL declarations */
28660 ++
28661 ++/* Role flags */
28662 ++
28663 ++enum {
28664 ++ GR_ROLE_USER = 0x0001,
28665 ++ GR_ROLE_GROUP = 0x0002,
28666 ++ GR_ROLE_DEFAULT = 0x0004,
28667 ++ GR_ROLE_SPECIAL = 0x0008,
28668 ++ GR_ROLE_AUTH = 0x0010,
28669 ++ GR_ROLE_NOPW = 0x0020,
28670 ++ GR_ROLE_GOD = 0x0040,
28671 ++ GR_ROLE_LEARN = 0x0080,
28672 ++ GR_ROLE_TPE = 0x0100,
28673 ++ GR_ROLE_DOMAIN = 0x0200,
28674 ++ GR_ROLE_PAM = 0x0400
28675 ++};
28676 ++
28677 ++/* ACL Subject and Object mode flags */
28678 ++enum {
28679 ++ GR_DELETED = 0x80000000
28680 ++};
28681 ++
28682 ++/* ACL Object-only mode flags */
28683 ++enum {
28684 ++ GR_READ = 0x00000001,
28685 ++ GR_APPEND = 0x00000002,
28686 ++ GR_WRITE = 0x00000004,
28687 ++ GR_EXEC = 0x00000008,
28688 ++ GR_FIND = 0x00000010,
28689 ++ GR_INHERIT = 0x00000020,
28690 ++ GR_SETID = 0x00000040,
28691 ++ GR_CREATE = 0x00000080,
28692 ++ GR_DELETE = 0x00000100,
28693 ++ GR_LINK = 0x00000200,
28694 ++ GR_AUDIT_READ = 0x00000400,
28695 ++ GR_AUDIT_APPEND = 0x00000800,
28696 ++ GR_AUDIT_WRITE = 0x00001000,
28697 ++ GR_AUDIT_EXEC = 0x00002000,
28698 ++ GR_AUDIT_FIND = 0x00004000,
28699 ++ GR_AUDIT_INHERIT= 0x00008000,
28700 ++ GR_AUDIT_SETID = 0x00010000,
28701 ++ GR_AUDIT_CREATE = 0x00020000,
28702 ++ GR_AUDIT_DELETE = 0x00040000,
28703 ++ GR_AUDIT_LINK = 0x00080000,
28704 ++ GR_PTRACERD = 0x00100000,
28705 ++ GR_NOPTRACE = 0x00200000,
28706 ++ GR_SUPPRESS = 0x00400000,
28707 ++ GR_NOLEARN = 0x00800000
28708 ++};
28709 ++
28710 ++#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
28711 ++ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
28712 ++ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
28713 ++
28714 ++/* ACL subject-only mode flags */
28715 ++enum {
28716 ++ GR_KILL = 0x00000001,
28717 ++ GR_VIEW = 0x00000002,
28718 ++ GR_PROTECTED = 0x00000004,
28719 ++ GR_LEARN = 0x00000008,
28720 ++ GR_OVERRIDE = 0x00000010,
28721 ++ /* just a placeholder, this mode is only used in userspace */
28722 ++ GR_DUMMY = 0x00000020,
28723 ++ GR_PROTSHM = 0x00000040,
28724 ++ GR_KILLPROC = 0x00000080,
28725 ++ GR_KILLIPPROC = 0x00000100,
28726 ++ /* just a placeholder, this mode is only used in userspace */
28727 ++ GR_NOTROJAN = 0x00000200,
28728 ++ GR_PROTPROCFD = 0x00000400,
28729 ++ GR_PROCACCT = 0x00000800,
28730 ++ GR_RELAXPTRACE = 0x00001000,
28731 ++ GR_NESTED = 0x00002000,
28732 ++ GR_INHERITLEARN = 0x00004000,
28733 ++ GR_PROCFIND = 0x00008000,
28734 ++ GR_POVERRIDE = 0x00010000,
28735 ++ GR_KERNELAUTH = 0x00020000,
28736 ++};
28737 ++
28738 ++enum {
28739 ++ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
28740 ++ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
28741 ++ GR_PAX_ENABLE_MPROTECT = 0x0004,
28742 ++ GR_PAX_ENABLE_RANDMMAP = 0x0008,
28743 ++ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
28744 ++ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
28745 ++ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
28746 ++ GR_PAX_DISABLE_MPROTECT = 0x0400,
28747 ++ GR_PAX_DISABLE_RANDMMAP = 0x0800,
28748 ++ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
28749 ++};
28750 ++
28751 ++enum {
28752 ++ GR_ID_USER = 0x01,
28753 ++ GR_ID_GROUP = 0x02,
28754 ++};
28755 ++
28756 ++enum {
28757 ++ GR_ID_ALLOW = 0x01,
28758 ++ GR_ID_DENY = 0x02,
28759 ++};
28760 ++
28761 ++#define GR_CRASH_RES 11
28762 ++#define GR_UIDTABLE_MAX 500
28763 ++
28764 ++/* begin resource learning section */
28765 ++enum {
28766 ++ GR_RLIM_CPU_BUMP = 60,
28767 ++ GR_RLIM_FSIZE_BUMP = 50000,
28768 ++ GR_RLIM_DATA_BUMP = 10000,
28769 ++ GR_RLIM_STACK_BUMP = 1000,
28770 ++ GR_RLIM_CORE_BUMP = 10000,
28771 ++ GR_RLIM_RSS_BUMP = 500000,
28772 ++ GR_RLIM_NPROC_BUMP = 1,
28773 ++ GR_RLIM_NOFILE_BUMP = 5,
28774 ++ GR_RLIM_MEMLOCK_BUMP = 50000,
28775 ++ GR_RLIM_AS_BUMP = 500000,
28776 ++ GR_RLIM_LOCKS_BUMP = 2
28777 ++};
28778 ++
28779 ++#endif
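Review bot: `GR_DELETED = 0x80000000` as an enumerator does not fit in int, which C requires enumeration constants to do; GCC accepts it as an extension, but a #define (or an explicit U suffix and a comment) would be portable and would not surprise readers comparing it against __u32 mode fields. Minor: `GR_STATUS_INIT = 0x00 // disabled state` uses a C++ comment; use /* */ like the rest of the header.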
28780 +diff -Nurp linux-2.6.23.15/include/linux/grinternal.h linux-2.6.23.15-grsec/include/linux/grinternal.h
28781 +--- linux-2.6.23.15/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
28782 ++++ linux-2.6.23.15-grsec/include/linux/grinternal.h 2008-02-11 10:37:45.000000000 +0000
28783 +@@ -0,0 +1,210 @@
28784 ++#ifndef __GRINTERNAL_H
28785 ++#define __GRINTERNAL_H
28786 ++
28787 ++#ifdef CONFIG_GRKERNSEC
28788 ++
28789 ++#include <linux/fs.h>
28790 ++#include <linux/gracl.h>
28791 ++#include <linux/grdefs.h>
28792 ++#include <linux/grmsg.h>
28793 ++
28794 ++void gr_add_learn_entry(const char *fmt, ...);
28795 ++__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
28796 ++ const struct vfsmount *mnt);
28797 ++__u32 gr_check_create(const struct dentry *new_dentry,
28798 ++ const struct dentry *parent,
28799 ++ const struct vfsmount *mnt, const __u32 mode);
28800 ++int gr_check_protected_task(const struct task_struct *task);
28801 ++__u32 to_gr_audit(const __u32 reqmode);
28802 ++int gr_set_acls(const int type);
28803 ++
28804 ++int gr_acl_is_enabled(void);
28805 ++char gr_roletype_to_char(void);
28806 ++
28807 ++void gr_handle_alertkill(struct task_struct *task);
28808 ++char *gr_to_filename(const struct dentry *dentry,
28809 ++ const struct vfsmount *mnt);
28810 ++char *gr_to_filename1(const struct dentry *dentry,
28811 ++ const struct vfsmount *mnt);
28812 ++char *gr_to_filename2(const struct dentry *dentry,
28813 ++ const struct vfsmount *mnt);
28814 ++char *gr_to_filename3(const struct dentry *dentry,
28815 ++ const struct vfsmount *mnt);
28816 ++
28817 ++extern int grsec_enable_link;
28818 ++extern int grsec_enable_fifo;
28819 ++extern int grsec_enable_execve;
28820 ++extern int grsec_enable_shm;
28821 ++extern int grsec_enable_execlog;
28822 ++extern int grsec_enable_signal;
28823 ++extern int grsec_enable_forkfail;
28824 ++extern int grsec_enable_time;
28825 ++extern int grsec_enable_chroot_shmat;
28826 ++extern int grsec_enable_chroot_findtask;
28827 ++extern int grsec_enable_chroot_mount;
28828 ++extern int grsec_enable_chroot_double;
28829 ++extern int grsec_enable_chroot_pivot;
28830 ++extern int grsec_enable_chroot_chdir;
28831 ++extern int grsec_enable_chroot_chmod;
28832 ++extern int grsec_enable_chroot_mknod;
28833 ++extern int grsec_enable_chroot_fchdir;
28834 ++extern int grsec_enable_chroot_nice;
28835 ++extern int grsec_enable_chroot_execlog;
28836 ++extern int grsec_enable_chroot_caps;
28837 ++extern int grsec_enable_chroot_sysctl;
28838 ++extern int grsec_enable_chroot_unix;
28839 ++extern int grsec_enable_tpe;
28840 ++extern int grsec_tpe_gid;
28841 ++extern int grsec_enable_tpe_all;
28842 ++extern int grsec_enable_sidcaps;
28843 ++extern int grsec_enable_socket_all;
28844 ++extern int grsec_socket_all_gid;
28845 ++extern int grsec_enable_socket_client;
28846 ++extern int grsec_socket_client_gid;
28847 ++extern int grsec_enable_socket_server;
28848 ++extern int grsec_socket_server_gid;
28849 ++extern int grsec_audit_gid;
28850 ++extern int grsec_enable_group;
28851 ++extern int grsec_enable_audit_ipc;
28852 ++extern int grsec_enable_audit_textrel;
28853 ++extern int grsec_enable_mount;
28854 ++extern int grsec_enable_chdir;
28855 ++extern int grsec_resource_logging;
28856 ++extern int grsec_lock;
28857 ++
28858 ++extern spinlock_t grsec_alert_lock;
28859 ++extern unsigned long grsec_alert_wtime;
28860 ++extern unsigned long grsec_alert_fyet;
28861 ++
28862 ++extern spinlock_t grsec_audit_lock;
28863 ++
28864 ++extern rwlock_t grsec_exec_file_lock;
28865 ++
28866 ++#define gr_task_fullpath(tsk) (tsk->exec_file ? \
28867 ++ gr_to_filename2(tsk->exec_file->f_dentry, \
28868 ++ tsk->exec_file->f_vfsmnt) : "/")
28869 ++
28870 ++#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
28871 ++ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
28872 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
28873 ++
28874 ++#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
28875 ++ gr_to_filename(tsk->exec_file->f_dentry, \
28876 ++ tsk->exec_file->f_vfsmnt) : "/")
28877 ++
28878 ++#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
28879 ++ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
28880 ++ tsk->parent->exec_file->f_vfsmnt) : "/")
28881 ++
28882 ++#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
28883 ++ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
28884 ++ child_reaper(tsk_a)->fs->root->d_inode->i_sb->s_dev) || \
28885 ++ (tsk_a->fs->root->d_inode->i_ino != \
28886 ++ child_reaper(tsk_a)->fs->root->d_inode->i_ino)))
28887 ++
28888 ++#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
28889 ++ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
28890 ++ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
28891 ++ (tsk_a->fs->root->d_inode->i_ino == \
28892 ++ tsk_b->fs->root->d_inode->i_ino))
28893 ++
28894 ++#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
28895 ++ task->pid, task->uid, \
28896 ++ task->euid, task->gid, task->egid, \
28897 ++ gr_parent_task_fullpath(task), \
28898 ++ task->parent->comm, task->parent->pid, \
28899 ++ task->parent->uid, task->parent->euid, \
28900 ++ task->parent->gid, task->parent->egid
28901 ++
28902 ++#define GR_CHROOT_CAPS ( \
28903 ++ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
28904 ++ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
28905 ++ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
28906 ++ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
28907 ++ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
28908 ++ CAP_TO_MASK(CAP_IPC_OWNER))
28909 ++
28910 ++#define security_learn(normal_msg,args...) \
28911 ++({ \
28912 ++ read_lock(&grsec_exec_file_lock); \
28913 ++ gr_add_learn_entry(normal_msg "\n", ## args); \
28914 ++ read_unlock(&grsec_exec_file_lock); \
28915 ++})
28916 ++
28917 ++enum {
28918 ++ GR_DO_AUDIT,
28919 ++ GR_DONT_AUDIT,
28920 ++ GR_DONT_AUDIT_GOOD
28921 ++};
28922 ++
28923 ++enum {
28924 ++ GR_TTYSNIFF,
28925 ++ GR_RBAC,
28926 ++ GR_RBAC_STR,
28927 ++ GR_STR_RBAC,
28928 ++ GR_RBAC_MODE2,
28929 ++ GR_RBAC_MODE3,
28930 ++ GR_FILENAME,
28931 ++ GR_SYSCTL_HIDDEN,
28932 ++ GR_NOARGS,
28933 ++ GR_ONE_INT,
28934 ++ GR_ONE_INT_TWO_STR,
28935 ++ GR_ONE_STR,
28936 ++ GR_STR_INT,
28937 ++ GR_TWO_INT,
28938 ++ GR_THREE_INT,
28939 ++ GR_FIVE_INT_TWO_STR,
28940 ++ GR_TWO_STR,
28941 ++ GR_THREE_STR,
28942 ++ GR_FOUR_STR,
28943 ++ GR_STR_FILENAME,
28944 ++ GR_FILENAME_STR,
28945 ++ GR_FILENAME_TWO_INT,
28946 ++ GR_FILENAME_TWO_INT_STR,
28947 ++ GR_TEXTREL,
28948 ++ GR_PTRACE,
28949 ++ GR_RESOURCE,
28950 ++ GR_CAP,
28951 ++ GR_SIG,
28952 ++ GR_CRASH1,
28953 ++ GR_CRASH2,
28954 ++ GR_PSACCT
28955 ++};
28956 ++
28957 ++#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
28958 ++#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
28959 ++#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
28960 ++#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
28961 ++#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
28962 ++#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
28963 ++#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
28964 ++#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
28965 ++#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
28966 ++#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
28967 ++#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
28968 ++#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
28969 ++#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
28970 ++#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
28971 ++#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
28972 ++#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
28973 ++#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
28974 ++#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
28975 ++#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
28976 ++#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
28977 ++#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
28978 ++#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
28979 ++#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
28980 ++#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
28981 ++#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
28982 ++#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
28983 ++#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
28984 ++#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
28985 ++#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
28986 ++#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
28987 ++#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
28988 ++
28989 ++void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
28990 ++
28991 ++#endif
28992 ++
28993 ++#endif
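Review bot: proc_is_chrooted(tsk_a) checks tsk_a->fs for NULL but then dereferences child_reaper(tsk_a)->fs->root unconditionally, so a NULL fs on the reaper side oopses; have_same_root() below checks both tasks, and this macro should do the same. The whole family (gr_task_fullpath, gr_parent_task_fullpath, proc_is_chrooted, have_same_root, DEFAULTSECARGS) also expands its argument several times without parenthesising it, so `tsk->exec_file` breaks for any argument that is not a plain identifier; write `(tsk)->exec_file` and friends. Finally, gr_task_fullpath() reads tsk->exec_file with no lock, while security_learn() explicitly takes grsec_exec_file_lock around gr_add_learn_entry(); document that callers of the fullpath macros must hold the read side of grsec_exec_file_lock, since nothing in this header enforces it.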
28994 +diff -Nurp linux-2.6.23.15/include/linux/grmsg.h linux-2.6.23.15-grsec/include/linux/grmsg.h
28995 +--- linux-2.6.23.15/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
28996 ++++ linux-2.6.23.15-grsec/include/linux/grmsg.h 2008-02-11 10:37:45.000000000 +0000
28997 +@@ -0,0 +1,108 @@
28998 ++#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
28999 ++#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
29000 ++#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
29001 ++#define GR_STOPMOD_MSG "denied modification of module state by "
29002 ++#define GR_IOPERM_MSG "denied use of ioperm() by "
29003 ++#define GR_IOPL_MSG "denied use of iopl() by "
29004 ++#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
29005 ++#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
29006 ++#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
29007 ++#define GR_KMEM_MSG "denied write of /dev/kmem by "
29008 ++#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
29009 ++#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
29010 ++#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
29011 ++#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
29012 ++#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
29013 ++#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
29014 ++#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
29015 ++#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
29016 ++#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
29017 ++#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
29018 ++#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
29019 ++#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
29020 ++#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
29021 ++#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
29022 ++#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
29023 ++#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
29024 ++#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
29025 ++#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
29026 ++#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
29027 ++#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
29028 ++#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
29029 ++#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
29030 ++#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
29031 ++#define GR_NPROC_MSG "denied overstep of process limit by "
29032 ++#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
29033 ++#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
29034 ++#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
29035 ++#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
29036 ++#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
29037 ++#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
29038 ++#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
29039 ++#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
29040 ++#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
29041 ++#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
29042 ++#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
29043 ++#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
29044 ++#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
29045 ++#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
29046 ++#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
29047 ++#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
29048 ++#define GR_INITF_ACL_MSG "init_variables() failed %s by "
29049 ++#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
29050 ++#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
29051 ++#define GR_SHUTS_ACL_MSG "shutdown auth success for "
29052 ++#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
29053 ++#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
29054 ++#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
29055 ++#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
29056 ++#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
29057 ++#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
29058 ++#define GR_ENABLEF_ACL_MSG "unable to load %s for "
29059 ++#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
29060 ++#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
29061 ++#define GR_RELOADF_ACL_MSG "failed reload of %s for "
29062 ++#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
29063 ++#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
29064 ++#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
29065 ++#define GR_SPROLEF_ACL_MSG "special role %s failure for "
29066 ++#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
29067 ++#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
29068 ++#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
29069 ++#define GR_INVMODE_ACL_MSG "invalid mode %d by "
29070 ++#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
29071 ++#define GR_FAILFORK_MSG "failed fork with errno %d by "
29072 ++#define GR_NICE_CHROOT_MSG "denied priority change by "
29073 ++#define GR_UNISIGLOG_MSG "signal %d sent to "
29074 ++#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
29075 ++#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
29076 ++#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
29077 ++#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
29078 ++#define GR_TIME_MSG "time set by "
29079 ++#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
29080 ++#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
29081 ++#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
29082 ++#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
29083 ++#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
29084 ++#define GR_BIND_MSG "denied bind() by "
29085 ++#define GR_CONNECT_MSG "denied connect() by "
29086 ++#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
29087 ++#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
29088 ++#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
29089 ++#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
29090 ++#define GR_CAP_ACL_MSG "use of %s denied for "
29091 ++#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
29092 ++#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
29093 ++#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
29094 ++#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
29095 ++#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
29096 ++#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
29097 ++#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
29098 ++#define GR_MSGQ_AUDIT_MSG "message queue created by "
29099 ++#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
29100 ++#define GR_SEM_AUDIT_MSG "semaphore created by "
29101 ++#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
29102 ++#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
29103 ++#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
29104 ++#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
29105 ++#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
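Review bot: uid/gid formatting is inconsistent across these messages: DEFAULTSECMSG and GR_SHMAT_ACL_MSG print ids with %u, while GR_SYMLINK_MSG, GR_FIFO_MSG and GR_HARDLINK_MSG use %d.%d, so the same id can show up negative in one log line and as a large unsigned value in another; use %u throughout, since uid_t and gid_t are unsigned. GR_SHM_AUDIT_MSG formats the size with %d, but gr_log_shmget() in grsecurity.h below takes `const size_t size`, so that should be %zu or the caller must cast. Minor: GR_DEV_ACL_MSG reads "being fed garbaged by", presumably "garbage".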
29106 +diff -Nurp linux-2.6.23.15/include/linux/grsecurity.h linux-2.6.23.15-grsec/include/linux/grsecurity.h
29107 +--- linux-2.6.23.15/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
29108 ++++ linux-2.6.23.15-grsec/include/linux/grsecurity.h 2008-02-11 10:37:45.000000000 +0000
29109 +@@ -0,0 +1,193 @@
29110 ++#ifndef GR_SECURITY_H
29111 ++#define GR_SECURITY_H
29112 ++#include <linux/fs.h>
29113 ++#include <linux/binfmts.h>
29114 ++#include <linux/gracl.h>
29115 ++
29116 ++void gr_handle_brute_attach(struct task_struct *p);
29117 ++void gr_handle_brute_check(void);
29118 ++
29119 ++char gr_roletype_to_char(void);
29120 ++
29121 ++int gr_check_user_change(int real, int effective, int fs);
29122 ++int gr_check_group_change(int real, int effective, int fs);
29123 ++
29124 ++void gr_del_task_from_ip_table(struct task_struct *p);
29125 ++
29126 ++int gr_pid_is_chrooted(struct task_struct *p);
29127 ++int gr_handle_chroot_nice(void);
29128 ++int gr_handle_chroot_sysctl(const int op);
29129 ++int gr_handle_chroot_setpriority(struct task_struct *p,
29130 ++ const int niceval);
29131 ++int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
29132 ++int gr_handle_chroot_chroot(const struct dentry *dentry,
29133 ++ const struct vfsmount *mnt);
29134 ++void gr_handle_chroot_caps(struct task_struct *task);
29135 ++void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
29136 ++int gr_handle_chroot_chmod(const struct dentry *dentry,
29137 ++ const struct vfsmount *mnt, const int mode);
29138 ++int gr_handle_chroot_mknod(const struct dentry *dentry,
29139 ++ const struct vfsmount *mnt, const int mode);
29140 ++int gr_handle_chroot_mount(const struct dentry *dentry,
29141 ++ const struct vfsmount *mnt,
29142 ++ const char *dev_name);
29143 ++int gr_handle_chroot_pivot(void);
29144 ++int gr_handle_chroot_unix(const pid_t pid);
29145 ++
29146 ++int gr_handle_rawio(const struct inode *inode);
29147 ++int gr_handle_nproc(void);
29148 ++
29149 ++void gr_handle_ioperm(void);
29150 ++void gr_handle_iopl(void);
29151 ++
29152 ++int gr_tpe_allow(const struct file *file);
29153 ++
29154 ++int gr_random_pid(void);
29155 ++
29156 ++void gr_log_forkfail(const int retval);
29157 ++void gr_log_timechange(void);
29158 ++void gr_log_signal(const int sig, const struct task_struct *t);
29159 ++void gr_log_chdir(const struct dentry *dentry,
29160 ++ const struct vfsmount *mnt);
29161 ++void gr_log_chroot_exec(const struct dentry *dentry,
29162 ++ const struct vfsmount *mnt);
29163 ++void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
29164 ++void gr_log_remount(const char *devname, const int retval);
29165 ++void gr_log_unmount(const char *devname, const int retval);
29166 ++void gr_log_mount(const char *from, const char *to, const int retval);
29167 ++void gr_log_msgget(const int ret, const int msgflg);
29168 ++void gr_log_msgrm(const uid_t uid, const uid_t cuid);
29169 ++void gr_log_semget(const int err, const int semflg);
29170 ++void gr_log_semrm(const uid_t uid, const uid_t cuid);
29171 ++void gr_log_shmget(const int err, const int shmflg, const size_t size);
29172 ++void gr_log_shmrm(const uid_t uid, const uid_t cuid);
29173 ++void gr_log_textrel(struct vm_area_struct *vma);
29174 ++
29175 ++int gr_handle_follow_link(const struct inode *parent,
29176 ++ const struct inode *inode,
29177 ++ const struct dentry *dentry,
29178 ++ const struct vfsmount *mnt);
29179 ++int gr_handle_fifo(const struct dentry *dentry,
29180 ++ const struct vfsmount *mnt,
29181 ++ const struct dentry *dir, const int flag,
29182 ++ const int acc_mode);
29183 ++int gr_handle_hardlink(const struct dentry *dentry,
29184 ++ const struct vfsmount *mnt,
29185 ++ struct inode *inode,
29186 ++ const int mode, const char *to);
29187 ++
29188 ++int gr_task_is_capable(struct task_struct *task, const int cap);
29189 ++int gr_is_capable_nolog(const int cap);
29190 ++void gr_learn_resource(const struct task_struct *task, const int limit,
29191 ++ const unsigned long wanted, const int gt);
29192 ++void gr_copy_label(struct task_struct *tsk);
29193 ++void gr_handle_crash(struct task_struct *task, const int sig);
29194 ++int gr_handle_signal(const struct task_struct *p, const int sig);
29195 ++int gr_check_crash_uid(const uid_t uid);
29196 ++int gr_check_protected_task(const struct task_struct *task);
29197 ++int gr_acl_handle_mmap(const struct file *file,
29198 ++ const unsigned long prot);
29199 ++int gr_acl_handle_mprotect(const struct file *file,
29200 ++ const unsigned long prot);
29201 ++int gr_check_hidden_task(const struct task_struct *tsk);
29202 ++__u32 gr_acl_handle_truncate(const struct dentry *dentry,
29203 ++ const struct vfsmount *mnt);
29204 ++__u32 gr_acl_handle_utime(const struct dentry *dentry,
29205 ++ const struct vfsmount *mnt);
29206 ++__u32 gr_acl_handle_access(const struct dentry *dentry,
29207 ++ const struct vfsmount *mnt, const int fmode);
29208 ++__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
29209 ++ const struct vfsmount *mnt, mode_t mode);
29210 ++__u32 gr_acl_handle_chmod(const struct dentry *dentry,
29211 ++ const struct vfsmount *mnt, mode_t mode);
29212 ++__u32 gr_acl_handle_chown(const struct dentry *dentry,
29213 ++ const struct vfsmount *mnt);
29214 ++int gr_handle_ptrace(struct task_struct *task, const long request);
29215 ++int gr_handle_proc_ptrace(struct task_struct *task);
29216 ++__u32 gr_acl_handle_execve(const struct dentry *dentry,
29217 ++ const struct vfsmount *mnt);
29218 ++int gr_check_crash_exec(const struct file *filp);
29219 ++int gr_acl_is_enabled(void);
29220 ++void gr_set_kernel_label(struct task_struct *task);
29221 ++void gr_set_role_label(struct task_struct *task, const uid_t uid,
29222 ++ const gid_t gid);
29223 ++int gr_set_proc_label(const struct dentry *dentry,
29224 ++ const struct vfsmount *mnt);
29225 ++__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
29226 ++ const struct vfsmount *mnt);
29227 ++__u32 gr_acl_handle_open(const struct dentry *dentry,
29228 ++ const struct vfsmount *mnt, const int fmode);
29229 ++__u32 gr_acl_handle_creat(const struct dentry *dentry,
29230 ++ const struct dentry *p_dentry,
29231 ++ const struct vfsmount *p_mnt, const int fmode,
29232 ++ const int imode);
29233 ++void gr_handle_create(const struct dentry *dentry,
29234 ++ const struct vfsmount *mnt);
29235 ++__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
29236 ++ const struct dentry *parent_dentry,
29237 ++ const struct vfsmount *parent_mnt,
29238 ++ const int mode);
29239 ++__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
29240 ++ const struct dentry *parent_dentry,
29241 ++ const struct vfsmount *parent_mnt);
29242 ++__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
29243 ++ const struct vfsmount *mnt);
29244 ++void gr_handle_delete(const ino_t ino, const dev_t dev);
29245 ++__u32 gr_acl_handle_unlink(const struct dentry *dentry,
29246 ++ const struct vfsmount *mnt);
29247 ++__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
29248 ++ const struct dentry *parent_dentry,
29249 ++ const struct vfsmount *parent_mnt,
29250 ++ const char *from);
29251 ++__u32 gr_acl_handle_link(const struct dentry *new_dentry,
29252 ++ const struct dentry *parent_dentry,
29253 ++ const struct vfsmount *parent_mnt,
29254 ++ const struct dentry *old_dentry,
29255 ++ const struct vfsmount *old_mnt, const char *to);
29256 ++int gr_acl_handle_rename(struct dentry *new_dentry,
29257 ++ struct dentry *parent_dentry,
29258 ++ const struct vfsmount *parent_mnt,
29259 ++ struct dentry *old_dentry,
29260 ++ struct inode *old_parent_inode,
29261 ++ struct vfsmount *old_mnt, const char *newname);
29262 ++void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
29263 ++ struct dentry *old_dentry,
29264 ++ struct dentry *new_dentry,
29265 ++ struct vfsmount *mnt, const __u8 replace);
29266 ++__u32 gr_check_link(const struct dentry *new_dentry,
29267 ++ const struct dentry *parent_dentry,
29268 ++ const struct vfsmount *parent_mnt,
29269 ++ const struct dentry *old_dentry,
29270 ++ const struct vfsmount *old_mnt);
29271 ++int gr_acl_handle_filldir(const struct file *file, const char *name,
29272 ++ const unsigned int namelen, const ino_t ino);
29273 ++
29274 ++__u32 gr_acl_handle_unix(const struct dentry *dentry,
29275 ++ const struct vfsmount *mnt);
29276 ++void gr_acl_handle_exit(void);
29277 ++void gr_acl_handle_psacct(struct task_struct *task, const long code);
29278 ++int gr_acl_handle_procpidmem(const struct task_struct *task);
29279 ++__u32 gr_cap_rtnetlink(void);
29280 ++
29281 ++#ifdef CONFIG_SYSVIPC
29282 ++void gr_shm_exit(struct task_struct *task);
29283 ++#else
29284 ++static inline void gr_shm_exit(struct task_struct *task)
29285 ++{
29286 ++ return;
29287 ++}
29288 ++#endif
29289 ++
29290 ++#ifdef CONFIG_GRKERNSEC
29291 ++void gr_handle_mem_write(void);
29292 ++void gr_handle_kmem_write(void);
29293 ++void gr_handle_open_port(void);
29294 ++int gr_handle_mem_mmap(const unsigned long offset,
29295 ++ struct vm_area_struct *vma);
29296 ++
29297 ++extern int grsec_enable_dmesg;
29298 ++extern int grsec_enable_randsrc;
29299 ++extern int grsec_enable_shm;
29300 ++#endif
29301 ++
29302 ++#endif
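Review bot: gr_check_user_change(int real, int effective, int fs) and gr_check_group_change() take plain int for ids while the rest of this header uses uid_t/gid_t (gr_check_crash_uid, gr_set_role_label, gr_log_msgrm); mixing signed int with unsigned ids invites sign-conversion surprises at the comparison site, so switch these two to uid_t/gid_t. The CONFIG_SYSVIPC-less stub gr_shm_exit() carries a redundant `return;` that can go. `extern int grsec_enable_shm;` is declared both here under CONFIG_GRKERNSEC and in grinternal.h above; keep it in one place. Also, most prototypes sit outside the CONFIG_GRKERNSEC block, so a non-grsec build still sees them; confirm that build provides definitions or stubs for each, or move them under the ifdef.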
29303 +diff -Nurp linux-2.6.23.15/include/linux/highmem.h linux-2.6.23.15-grsec/include/linux/highmem.h
29304 +--- linux-2.6.23.15/include/linux/highmem.h 2007-10-09 21:31:38.000000000 +0100
29305 ++++ linux-2.6.23.15-grsec/include/linux/highmem.h 2008-02-11 10:37:45.000000000 +0000
29306 +@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
29307 + kunmap_atomic(kaddr, KM_USER0);
29308 + }
29309 +
29310 ++static inline void sanitize_highpage(struct page *page)
29311 ++{
29312 ++ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
29313 ++ clear_page(kaddr);
29314 ++ kunmap_atomic(kaddr, KM_CLEARPAGE);
29315 ++}
29316 ++
29317 + /*
29318 + * Same but also flushes aliased cache contents to RAM.
29319 + *
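Review bot: sanitize_highpage() uses a KM_CLEARPAGE kmap slot that is not defined in this hunk, so the patch must also add it to every architecture's kmap type enum or the build breaks on arches the author did not touch; a comment on why a dedicated slot is needed instead of KM_USER0 (which clear_highpage() two lines above uses) would help reviewers. It also deliberately does not flush_dcache_page() the way zero_user_page() just below does; if a sanitized page can later be mapped to user space on an aliasing cache, that omission should be documented.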
29320 +@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
29321 + */
29322 + #define zero_user_page(page, offset, size, km_type) \
29323 + do { \
29324 +- void *kaddr; \
29325 ++ void *__kaddr; \
29326 + \
29327 + BUG_ON((offset) + (size) > PAGE_SIZE); \
29328 + \
29329 +- kaddr = kmap_atomic(page, km_type); \
29330 +- memset((char *)kaddr + (offset), 0, (size)); \
29331 ++ __kaddr = kmap_atomic(page, km_type); \
29332 ++ memset((char *)__kaddr + (offset), 0, (size)); \
29333 + flush_dcache_page(page); \
29334 +- kunmap_atomic(kaddr, (km_type)); \
29335 ++ kunmap_atomic(__kaddr, (km_type)); \
29336 + } while (0)
29337 +
29338 + static inline void __deprecated memclear_highpage_flush(struct page *page,
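Review bot: renaming the macro-local `kaddr` to `__kaddr` fixes argument capture: with the old name, an `offset` or `size` expression mentioning a caller's own `kaddr` would have been silently rebound to the macro's uninitialised local. The double-underscore prefix is the usual kernel convention for such temporaries, so this is fine as is; the irqflags.h hunk below applies the same fix to `flags` in irqs_disabled().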
29339 +diff -Nurp linux-2.6.23.15/include/linux/irqflags.h linux-2.6.23.15-grsec/include/linux/irqflags.h
29340 +--- linux-2.6.23.15/include/linux/irqflags.h 2007-10-09 21:31:38.000000000 +0100
29341 ++++ linux-2.6.23.15-grsec/include/linux/irqflags.h 2008-02-11 10:37:45.000000000 +0000
29342 +@@ -84,10 +84,10 @@
29343 +
29344 + #define irqs_disabled() \
29345 + ({ \
29346 +- unsigned long flags; \
29347 ++ unsigned long __flags; \
29348 + \
29349 +- raw_local_save_flags(flags); \
29350 +- raw_irqs_disabled_flags(flags); \
29351 ++ raw_local_save_flags(__flags); \
29352 ++ raw_irqs_disabled_flags(__flags); \
29353 + })
29354 +
29355 + #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
29356 +diff -Nurp linux-2.6.23.15/include/linux/jbd.h linux-2.6.23.15-grsec/include/linux/jbd.h
29357 +--- linux-2.6.23.15/include/linux/jbd.h 2007-10-09 21:31:38.000000000 +0100
29358 ++++ linux-2.6.23.15-grsec/include/linux/jbd.h 2008-02-11 10:37:45.000000000 +0000
29359 +@@ -68,7 +68,7 @@ extern int journal_enable_debug;
29360 + } \
29361 + } while (0)
29362 + #else
29363 +-#define jbd_debug(f, a...) /**/
29364 ++#define jbd_debug(f, a...) do {} while (0)
29365 + #endif
29366 +
29367 + extern void * __jbd_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
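Review bot: replacing `/**/` with `do {} while (0)` is the right fix: with the empty expansion, `if (x) jbd_debug(...); else ...` degenerated to a bare `;` and attached the else to the wrong statement, while the do/while form consumes the trailing semicolon correctly. The identical change in jbd2.h below is needed because that header defines the same jbd_debug name rather than a jbd2_ prefixed one.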
29368 +diff -Nurp linux-2.6.23.15/include/linux/jbd2.h linux-2.6.23.15-grsec/include/linux/jbd2.h
29369 +--- linux-2.6.23.15/include/linux/jbd2.h 2007-10-09 21:31:38.000000000 +0100
29370 ++++ linux-2.6.23.15-grsec/include/linux/jbd2.h 2008-02-11 10:37:45.000000000 +0000
29371 +@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
29372 + } \
29373 + } while (0)
29374 + #else
29375 +-#define jbd_debug(f, a...) /**/
29376 ++#define jbd_debug(f, a...) do {} while (0)
29377 + #endif
29378 +
29379 + extern void * __jbd2_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
29380 +diff -Nurp linux-2.6.23.15/include/linux/libata.h linux-2.6.23.15-grsec/include/linux/libata.h
29381 +--- linux-2.6.23.15/include/linux/libata.h 2008-02-11 10:36:03.000000000 +0000
29382 ++++ linux-2.6.23.15-grsec/include/linux/libata.h 2008-02-11 10:37:45.000000000 +0000
29383 +@@ -63,11 +63,11 @@
29384 + #ifdef ATA_VERBOSE_DEBUG
29385 + #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
29386 + #else
29387 +-#define VPRINTK(fmt, args...)
29388 ++#define VPRINTK(fmt, args...) do {} while (0)
29389 + #endif /* ATA_VERBOSE_DEBUG */
29390 + #else
29391 +-#define DPRINTK(fmt, args...)
29392 +-#define VPRINTK(fmt, args...)
29393 ++#define DPRINTK(fmt, args...) do {} while (0)
29394 ++#define VPRINTK(fmt, args...) do {} while (0)
29395 + #endif /* ATA_DEBUG */
29396 +
29397 + #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
29398 +diff -Nurp linux-2.6.23.15/include/linux/mm.h linux-2.6.23.15-grsec/include/linux/mm.h
29399 +--- linux-2.6.23.15/include/linux/mm.h 2007-10-09 21:31:38.000000000 +0100
29400 ++++ linux-2.6.23.15-grsec/include/linux/mm.h 2008-02-11 10:37:45.000000000 +0000
29401 +@@ -38,6 +38,7 @@ extern int sysctl_legacy_va_layout;
29402 + #include <asm/page.h>
29403 + #include <asm/pgtable.h>
29404 + #include <asm/processor.h>
29405 ++#include <asm/mman.h>
29406 +
29407 + #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
29408 +
29409 +@@ -111,6 +112,8 @@ struct vm_area_struct {
29410 + #ifdef CONFIG_NUMA
29411 + struct mempolicy *vm_policy; /* NUMA policy for the VMA */
29412 + #endif
29413 ++
29414 ++ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
29415 + };
29416 +
29417 + extern struct kmem_cache *vm_area_cachep;
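Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, while the other PaX additions in this file (`VM_PAGEEXEC`, `VM_MAYNOTWRITE`) sit inside their `CONFIG_PAX_*` guards; every VMA on every configuration grows by one pointer for a field only the mirroring code uses. Guard it with the PaX option that implements mirroring, and put a space before the trailing comment (`*vm_mirror; /* PaX: ... */`) to match the neighbouring `vm_policy` line.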
29418 +@@ -171,6 +174,14 @@ extern unsigned int kobjsize(const void
29419 +
29420 + #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
29421 +
29422 ++#ifdef CONFIG_PAX_PAGEEXEC
29423 ++#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
29424 ++#endif
29425 ++
29426 ++#ifdef CONFIG_PAX_MPROTECT
29427 ++#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
29428 ++#endif
29429 ++
29430 + #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
29431 + #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
29432 + #endif
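Review bot: `VM_PAGEEXEC` (0x10000000) and `VM_MAYNOTWRITE` (0x20000000) are allocated directly above `VM_CAN_NONLINEAR` (0x08000000) with no comment recording that these bits are free in the base tree; `vm_flags` bits are hand-allocated across this header and arch code, so a later upstream flag landing on the same value would alias silently. Add a comment naming the neighbouring flags and the reserved values so a collision is noticed when the patch is rebased.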
29433 +@@ -862,6 +873,8 @@ struct shrinker {
29434 + extern void register_shrinker(struct shrinker *);
29435 + extern void unregister_shrinker(struct shrinker *);
29436 +
29437 ++pgprot_t vm_get_page_prot(unsigned long vm_flags);
29438 ++
29439 + int vma_wants_writenotify(struct vm_area_struct *vma);
29440 +
29441 + extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
29442 +@@ -1088,6 +1101,7 @@ out:
29443 + }
29444 +
29445 + extern int do_munmap(struct mm_struct *, unsigned long, size_t);
29446 ++extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
29447 +
29448 + extern unsigned long do_brk(unsigned long, unsigned long);
29449 +
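Review bot: `__do_munmap()` is declared next to `do_munmap()` with nothing saying how the two differ; by kernel convention a double-underscore variant usually drops a lock or a check that the public one performs, so document here which caller obligation (held `mmap_sem`, mirror-VMA handling, or otherwise) distinguishes it before it is exported for use from other files.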
29450 +@@ -1142,6 +1156,10 @@ extern struct vm_area_struct * find_vma(
29451 + extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
29452 + struct vm_area_struct **pprev);
29453 +
29454 ++extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
29455 ++extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
29456 ++extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
29457 ++
29458 + /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
29459 + NULL if none. Assume start_addr < end_addr. */
29460 + static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
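Review bot: the three `pax_*` mirror helpers are exported from `mm.h` without a word on their locking requirements; `pax_mirror_file_pte()` takes a `spinlock_t *ptl`, which implies the caller already holds the page-table lock, and `pax_mirror_vma()` presumably needs `mmap_sem` held for writing. State these preconditions above the prototypes, as the `find_vma_intersection()` comment directly below does for its own assumptions.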
29461 +@@ -1158,7 +1176,6 @@ static inline unsigned long vma_pages(st
29462 + return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
29463 + }
29464 +
29465 +-pgprot_t vm_get_page_prot(unsigned long vm_flags);
29466 + struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
29467 + struct page *vmalloc_to_page(void *addr);
29468 + unsigned long vmalloc_to_pfn(void *addr);
29469 +@@ -1218,5 +1235,11 @@ extern int randomize_va_space;
29470 +
29471 + const char * arch_vma_name(struct vm_area_struct *vma);
29472 +
29473 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29474 ++extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
29475 ++#else
29476 ++static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
29477 ++#endif
29478 ++
29479 + #endif /* __KERNEL__ */
29480 + #endif /* _LINUX_MM_H */
29481 +diff -Nurp linux-2.6.23.15/include/linux/module.h linux-2.6.23.15-grsec/include/linux/module.h
29482 +--- linux-2.6.23.15/include/linux/module.h 2007-10-09 21:31:38.000000000 +0100
29483 ++++ linux-2.6.23.15-grsec/include/linux/module.h 2008-02-11 10:37:45.000000000 +0000
29484 +@@ -295,16 +295,16 @@ struct module
29485 + int (*init)(void);
29486 +
29487 + /* If this is non-NULL, vfree after init() returns */
29488 +- void *module_init;
29489 ++ void *module_init_rx, *module_init_rw;
29490 +
29491 + /* Here is the actual code + data, vfree'd on unload. */
29492 +- void *module_core;
29493 ++ void *module_core_rx, *module_core_rw;
29494 +
29495 + /* Here are the sizes of the init and core sections */
29496 +- unsigned long init_size, core_size;
29497 ++ unsigned long init_size_rw, core_size_rw;
29498 +
29499 + /* The size of the executable code in each section. */
29500 +- unsigned long init_text_size, core_text_size;
29501 ++ unsigned long init_size_rx, core_size_rx;
29502 +
29503 + /* The handle returned from unwind_add_table. */
29504 + void *unwind_info;
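Review bot: the field renames (`module_init` to `module_init_rx`/`module_init_rw`, `init_size`/`core_size` to `*_size_rw`, `init_text_size`/`core_text_size` to `*_size_rx`) leave the existing comments stale: "Here are the sizes of the init and core sections" now describes only the RW half, and the "vfree after init() returns" comment should say that both the RX and RW init regions are freed. Update the comments in the same hunk, and mention in the changelog that any out-of-tree code touching `mod->module_core` or `init_text_size` needs the same treatment (the build will catch it, since the old names no longer exist).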
29505 +diff -Nurp linux-2.6.23.15/include/linux/moduleloader.h linux-2.6.23.15-grsec/include/linux/moduleloader.h
29506 +--- linux-2.6.23.15/include/linux/moduleloader.h 2007-10-09 21:31:38.000000000 +0100
29507 ++++ linux-2.6.23.15-grsec/include/linux/moduleloader.h 2008-02-11 10:37:45.000000000 +0000
29508 +@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
29509 + sections. Returns NULL on failure. */
29510 + void *module_alloc(unsigned long size);
29511 +
29512 ++#ifdef CONFIG_PAX_KERNEXEC
29513 ++void *module_alloc_exec(unsigned long size);
29514 ++#else
29515 ++#define module_alloc_exec(x) module_alloc(x)
29516 ++#endif
29517 ++
29518 + /* Free memory returned from module_alloc. */
29519 + void module_free(struct module *mod, void *module_region);
29520 +
29521 ++#ifdef CONFIG_PAX_KERNEXEC
29522 ++void module_free_exec(struct module *mod, void *module_region);
29523 ++#else
29524 ++#define module_free_exec(x, y) module_free(x, y)
29525 ++#endif
29526 ++
29527 + /* Apply the given relocation to the (simplified) ELF. Return -error
29528 + or 0. */
29529 + int apply_relocate(Elf_Shdr *sechdrs,
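Review bot: the non-KERNEXEC fallbacks are macros (`#define module_alloc_exec(x) module_alloc(x)`, `#define module_free_exec(x, y) module_free(x, y)`) while the KERNEXEC versions are real functions, so argument type checking differs between the two configurations. Prefer `static inline` wrappers with the same prototypes, and add a comment stating when loader code must call the `_exec` variant instead of plain `module_alloc()`.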
29530 +diff -Nurp linux-2.6.23.15/include/linux/percpu.h linux-2.6.23.15-grsec/include/linux/percpu.h
29531 +--- linux-2.6.23.15/include/linux/percpu.h 2007-10-09 21:31:38.000000000 +0100
29532 ++++ linux-2.6.23.15-grsec/include/linux/percpu.h 2008-02-11 10:37:45.000000000 +0000
29533 +@@ -18,7 +18,7 @@
29534 + #endif
29535 +
29536 + #define PERCPU_ENOUGH_ROOM \
29537 +- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
29538 ++ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
29539 + #endif /* PERCPU_ENOUGH_ROOM */
29540 +
29541 + /*
29542 +diff -Nurp linux-2.6.23.15/include/linux/random.h linux-2.6.23.15-grsec/include/linux/random.h
29543 +--- linux-2.6.23.15/include/linux/random.h 2007-10-09 21:31:38.000000000 +0100
29544 ++++ linux-2.6.23.15-grsec/include/linux/random.h 2008-02-11 10:37:45.000000000 +0000
29545 +@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
29546 + u32 random32(void);
29547 + void srandom32(u32 seed);
29548 +
29549 ++static inline unsigned long pax_get_random_long(void)
29550 ++{
29551 ++ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
29552 ++}
29553 ++
29554 + #endif /* __KERNEL___ */
29555 +
29556 + #endif /* _LINUX_RANDOM_H */
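Review bot: two points on `pax_get_random_long()`. First, on a 32-bit build the `(unsigned long)random32() << 32` branch is still compiled even though `sizeof(long) > 4` is false, and a constant shift equal to the type width is undefined and commonly warned about; guarding the upper half with `#if BITS_PER_LONG == 64` avoids that. Second, `random32()` is the non-cryptographic PRNG from `lib/random32.c`, and these values feed the `delta_mmap`/`delta_stack` randomisation added to `mm_struct` in the `sched.h` hunks below, so either document the choice as deliberate or draw the value from the entropy pool via `get_random_int()`, which the existing `randomize_range()` in this header already relies on.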
29557 +diff -Nurp linux-2.6.23.15/include/linux/sched.h linux-2.6.23.15-grsec/include/linux/sched.h
29558 +--- linux-2.6.23.15/include/linux/sched.h 2008-02-11 10:36:03.000000000 +0000
29559 ++++ linux-2.6.23.15-grsec/include/linux/sched.h 2008-02-11 10:37:45.000000000 +0000
29560 +@@ -92,6 +92,7 @@ struct sched_param {
29561 + struct exec_domain;
29562 + struct futex_pi_state;
29563 + struct bio;
29564 ++struct linux_binprm;
29565 +
29566 + /*
29567 + * List of flags we want to share for kernel threads,
29568 +@@ -432,6 +433,24 @@ struct mm_struct {
29569 + /* aio bits */
29570 + rwlock_t ioctx_list_lock;
29571 + struct kioctx *ioctx_list;
29572 ++
29573 ++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29574 ++ unsigned long pax_flags;
29575 ++#endif
29576 ++
29577 ++#ifdef CONFIG_PAX_DLRESOLVE
29578 ++ unsigned long call_dl_resolve;
29579 ++#endif
29580 ++
29581 ++#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29582 ++ unsigned long call_syscall;
29583 ++#endif
29584 ++
29585 ++#ifdef CONFIG_PAX_ASLR
29586 ++ unsigned long delta_mmap; /* randomized offset */
29587 ++ unsigned long delta_stack; /* randomized offset */
29588 ++#endif
29589 ++
29590 + };
29591 +
29592 + struct sighand_struct {
29593 +@@ -556,6 +575,15 @@ struct signal_struct {
29594 + unsigned audit_tty;
29595 + struct tty_audit_buf *tty_audit_buf;
29596 + #endif
29597 ++
29598 ++#ifdef CONFIG_GRKERNSEC
29599 ++ u32 curr_ip;
29600 ++ u32 gr_saddr;
29601 ++ u32 gr_daddr;
29602 ++ u16 gr_sport;
29603 ++ u16 gr_dport;
29604 ++ u8 used_accept:1;
29605 ++#endif
29606 + };
29607 +
29608 + /* Context switch must be unlocked if interrupts are to be enabled */
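Review bot: the new `CONFIG_GRKERNSEC` members of `struct signal_struct` (`curr_ip`, `gr_saddr`, `gr_daddr`, `gr_sport`, `gr_dport`, `used_accept`) carry no comments, unlike the neighbouring `audit_tty` fields. Document what each records, the byte order in which the addresses and ports are stored, and that `curr_ip` is IPv4-only (`u32`), since the logging code that consumes them will print wrong addresses if producer and consumer disagree on byte order.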
29609 +@@ -1017,8 +1045,8 @@ struct task_struct {
29610 + struct list_head thread_group;
29611 +
29612 + struct completion *vfork_done; /* for vfork() */
29613 +- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
29614 +- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
29615 ++ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
29616 ++ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
29617 +
29618 + unsigned int rt_priority;
29619 + cputime_t utime, stime;
29620 +@@ -1183,6 +1211,17 @@ struct task_struct {
29621 + struct list_head pi_state_list;
29622 + struct futex_pi_state *pi_state_cache;
29623 +
29624 ++#ifdef CONFIG_GRKERNSEC
29625 ++ /* grsecurity */
29626 ++ struct acl_subject_label *acl;
29627 ++ struct acl_role_label *role;
29628 ++ struct file *exec_file;
29629 ++ u16 acl_role_id;
29630 ++ u8 acl_sp_role:1;
29631 ++ u8 is_writable:1;
29632 ++ u8 brute:1;
29633 ++#endif
29634 ++
29635 + atomic_t fs_excl; /* holding fs exclusive resources */
29636 + struct rcu_head rcu;
29637 +
29638 +@@ -1198,6 +1237,46 @@ struct task_struct {
29639 + #endif
29640 + };
29641 +
29642 ++#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
29643 ++#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
29644 ++#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
29645 ++#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
29646 ++/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
29647 ++#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
29648 ++
29649 ++#ifdef CONFIG_PAX_SOFTMODE
29650 ++extern unsigned int pax_softmode;
29651 ++#endif
29652 ++
29653 ++extern int pax_check_flags(unsigned long *);
29654 ++
29655 ++/* if tsk != current then task_lock must be held on it */
29656 ++#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29657 ++static inline unsigned long pax_get_flags(struct task_struct *tsk)
29658 ++{
29659 ++ if (likely(tsk->mm))
29660 ++ return tsk->mm->pax_flags;
29661 ++ else
29662 ++ return 0UL;
29663 ++}
29664 ++
29665 ++/* if tsk != current then task_lock must be held on it */
29666 ++static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
29667 ++{
29668 ++ if (likely(tsk->mm)) {
29669 ++ tsk->mm->pax_flags = flags;
29670 ++ return 0;
29671 ++ }
29672 ++ return -EINVAL;
29673 ++}
29674 ++#endif
29675 ++
29676 ++#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29677 ++extern void pax_set_initial_flags(struct linux_binprm *bprm);
29678 ++#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29679 ++extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
29680 ++#endif
29681 ++
29682 + /*
29683 + * Priority of a process goes from 0..MAX_PRIO-1, valid RT
29684 + * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
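Review bot: documentation gaps in this block: `pax_check_flags(unsigned long *)` has no comment saying what it validates or returns, and the commented-out `MF_PAX_RANDEXEC` leaves bit 0x10000000 unexplained, so mark it explicitly as reserved to stop it being reused. `pax_get_flags()`/`pax_set_flags()` correctly handle the `tsk->mm == NULL` kernel-thread case; `pax_set_flags()` returns `long` but only ever yields 0 or `-EINVAL`, so `int` would match kernel convention for such helpers.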
29685 +@@ -1831,6 +1910,12 @@ extern void arch_pick_mmap_layout(struct
29686 + static inline void arch_pick_mmap_layout(struct mm_struct *mm)
29687 + {
29688 + mm->mmap_base = TASK_UNMAPPED_BASE;
29689 ++
29690 ++#ifdef CONFIG_PAX_RANDMMAP
29691 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
29692 ++ mm->mmap_base += mm->delta_mmap;
29693 ++#endif
29694 ++
29695 + mm->get_unmapped_area = arch_get_unmapped_area;
29696 + mm->unmap_area = arch_unmap_area;
29697 + }
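Review bot: nothing in this generic `arch_pick_mmap_layout()` fallback bounds `delta_mmap`, so `TASK_UNMAPPED_BASE + mm->delta_mmap` is only safe if whoever fills `delta_mmap` masks it to a range that keeps `mmap_base` below `TASK_SIZE`; add a comment stating that invariant here, since this is the point where it is relied upon.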
29698 +diff -Nurp linux-2.6.23.15/include/linux/screen_info.h linux-2.6.23.15-grsec/include/linux/screen_info.h
29699 +--- linux-2.6.23.15/include/linux/screen_info.h 2007-10-09 21:31:38.000000000 +0100
29700 ++++ linux-2.6.23.15-grsec/include/linux/screen_info.h 2008-02-11 10:37:45.000000000 +0000
29701 +@@ -42,7 +42,8 @@ struct screen_info {
29702 + u16 pages; /* 0x32 */
29703 + u16 vesa_attributes; /* 0x34 */
29704 + u32 capabilities; /* 0x36 */
29705 +- u8 _reserved[6]; /* 0x3a */
29706 ++ u16 vesapm_size; /* 0x3a */
29707 ++ u8 _reserved[4]; /* 0x3c */
29708 + } __attribute__((packed));
29709 +
29710 + extern struct screen_info screen_info;
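Review bot: carving `vesapm_size` out of `_reserved` keeps the packed layout consistent (0x3a + 2 = 0x3c, four reserved bytes up to 0x40), but `struct screen_info` mirrors the boot-parameter block filled in by the real-mode setup code, so the same offset must be written there; the hunk should point at the matching setup-code change, or say that 0x3a was already populated by the video setup and is merely being named here.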
29711 +diff -Nurp linux-2.6.23.15/include/linux/security.h linux-2.6.23.15-grsec/include/linux/security.h
29712 +--- linux-2.6.23.15/include/linux/security.h 2007-10-09 21:31:38.000000000 +0100
29713 ++++ linux-2.6.23.15-grsec/include/linux/security.h 2008-02-11 10:37:45.000000000 +0000
29714 +@@ -2796,7 +2796,7 @@ static inline struct dentry *securityfs_
29715 + mode_t mode,
29716 + struct dentry *parent,
29717 + void *data,
29718 +- struct file_operations *fops)
29719 ++ const struct file_operations *fops)
29720 + {
29721 + return ERR_PTR(-ENODEV);
29722 + }
29723 +diff -Nurp linux-2.6.23.15/include/linux/shm.h linux-2.6.23.15-grsec/include/linux/shm.h
29724 +--- linux-2.6.23.15/include/linux/shm.h 2007-10-09 21:31:38.000000000 +0100
29725 ++++ linux-2.6.23.15-grsec/include/linux/shm.h 2008-02-11 10:37:45.000000000 +0000
29726 +@@ -86,6 +86,10 @@ struct shmid_kernel /* private to the ke
29727 + pid_t shm_cprid;
29728 + pid_t shm_lprid;
29729 + struct user_struct *mlock_user;
29730 ++#ifdef CONFIG_GRKERNSEC
29731 ++ time_t shm_createtime;
29732 ++ pid_t shm_lapid;
29733 ++#endif
29734 + };
29735 +
29736 + /* shm_mode upper byte flags */
29737 +diff -Nurp linux-2.6.23.15/include/linux/skbuff.h linux-2.6.23.15-grsec/include/linux/skbuff.h
29738 +--- linux-2.6.23.15/include/linux/skbuff.h 2008-02-11 10:36:03.000000000 +0000
29739 ++++ linux-2.6.23.15-grsec/include/linux/skbuff.h 2008-02-11 10:37:45.000000000 +0000
29740 +@@ -385,7 +385,7 @@ extern void skb_truesize_bug(struc
29741 +
29742 + static inline void skb_truesize_check(struct sk_buff *skb)
29743 + {
29744 +- if (unlikely((int)skb->truesize < sizeof(struct sk_buff) + skb->len))
29745 ++ if (unlikely(skb->truesize < sizeof(struct sk_buff) + skb->len))
29746 + skb_truesize_bug(skb);
29747 + }
29748 +
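Review bot: dropping the `(int)` cast in `skb_truesize_check()` is correct rather than cosmetic: the right-hand side `sizeof(struct sk_buff) + skb->len` is `size_t`, so the cast value was converted straight back to unsigned by the usual arithmetic conversions and the comparison was never signed; the cast only misled readers into thinking a negative `truesize` would be caught.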
29749 +diff -Nurp linux-2.6.23.15/include/linux/sysctl.h linux-2.6.23.15-grsec/include/linux/sysctl.h
29750 +--- linux-2.6.23.15/include/linux/sysctl.h 2008-02-11 10:36:24.000000000 +0000
29751 ++++ linux-2.6.23.15-grsec/include/linux/sysctl.h 2008-02-11 10:37:45.000000000 +0000
29752 +@@ -168,9 +168,22 @@ enum
29753 + #ifdef CONFIG_ALPHA_UAC_SYSCTL
29754 + KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
29755 + #endif /* CONFIG_ALPHA_UAC_SYSCTL */
29756 +-};
29757 +
29758 ++#ifdef CONFIG_GRKERNSEC
29759 ++ KERN_GRSECURITY=98, /* grsecurity */
29760 ++#endif
29761 ++
29762 ++#ifdef CONFIG_PAX_SOFTMODE
29763 ++ KERN_PAX=99, /* PaX control */
29764 ++#endif
29765 ++
29766 ++};
29767 +
29768 ++#ifdef CONFIG_PAX_SOFTMODE
29769 ++enum {
29770 ++ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
29771 ++};
29772 ++#endif
29773 +
29774 + /* CTL_VM names: */
29775 + enum
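Review bot: `KERN_GRSECURITY=98` and `KERN_PAX=99` are fixed binary sysctl numbers inserted into an upstream-owned enum with no comment claiming the range; the visible neighbour `KERN_UAC_POLICY=78` shows the namespace is allocated by hand, so a later upstream entry can collide silently. Record the reservation in a comment, or register the grsecurity and PaX tables with `CTL_UNNUMBERED` so that only the `/proc/sys` path matters.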
29776 +diff -Nurp linux-2.6.23.15/include/linux/uaccess.h linux-2.6.23.15-grsec/include/linux/uaccess.h
29777 +--- linux-2.6.23.15/include/linux/uaccess.h 2007-10-09 21:31:38.000000000 +0100
29778 ++++ linux-2.6.23.15-grsec/include/linux/uaccess.h 2008-02-11 10:37:45.000000000 +0000
29779 +@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
29780 + long ret; \
29781 + mm_segment_t old_fs = get_fs(); \
29782 + \
29783 +- set_fs(KERNEL_DS); \
29784 + pagefault_disable(); \
29785 ++ set_fs(KERNEL_DS); \
29786 + ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
29787 +- pagefault_enable(); \
29788 + set_fs(old_fs); \
29789 ++ pagefault_enable(); \
29790 + ret; \
29791 + })
29792 +
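Review bot: the reordering in this macro (`pagefault_disable()` before `set_fs(KERNEL_DS)`, and `set_fs(old_fs)` before `pagefault_enable()`) makes the two critical sections properly nested, so the widened address limit is never in effect while page faults can still be taken; that is a real correctness improvement, but the hunk should carry a one-line comment explaining the required ordering so a later cleanup does not swap the lines back.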
29793 +diff -Nurp linux-2.6.23.15/include/linux/udf_fs.h linux-2.6.23.15-grsec/include/linux/udf_fs.h
29794 +--- linux-2.6.23.15/include/linux/udf_fs.h 2007-10-09 21:31:38.000000000 +0100
29795 ++++ linux-2.6.23.15-grsec/include/linux/udf_fs.h 2008-02-11 10:37:45.000000000 +0000
29796 +@@ -45,7 +45,7 @@
29797 + printk (f, ##a); \
29798 + }
29799 + #else
29800 +-#define udf_debug(f, a...) /**/
29801 ++#define udf_debug(f, a...) do {} while (0)
29802 + #endif
29803 +
29804 + #define udf_info(f, a...) \
29805 +diff -Nurp linux-2.6.23.15/include/net/sctp/sctp.h linux-2.6.23.15-grsec/include/net/sctp/sctp.h
29806 +--- linux-2.6.23.15/include/net/sctp/sctp.h 2007-10-09 21:31:38.000000000 +0100
29807 ++++ linux-2.6.23.15-grsec/include/net/sctp/sctp.h 2008-02-11 10:37:45.000000000 +0000
29808 +@@ -317,8 +317,8 @@ extern int sctp_debug_flag;
29809 +
29810 + #else /* SCTP_DEBUG */
29811 +
29812 +-#define SCTP_DEBUG_PRINTK(whatever...)
29813 +-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
29814 ++#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
29815 ++#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
29816 + #define SCTP_ENABLE_DEBUG
29817 + #define SCTP_DISABLE_DEBUG
29818 + #define SCTP_ASSERT(expr, str, func)
29819 +diff -Nurp linux-2.6.23.15/include/sound/core.h linux-2.6.23.15-grsec/include/sound/core.h
29820 +--- linux-2.6.23.15/include/sound/core.h 2007-10-09 21:31:38.000000000 +0100
29821 ++++ linux-2.6.23.15-grsec/include/sound/core.h 2008-02-11 10:37:45.000000000 +0000
29822 +@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
29823 +
29824 + #else /* !CONFIG_SND_DEBUG */
29825 +
29826 +-#define snd_printd(fmt, args...) /* nothing */
29827 ++#define snd_printd(fmt, args...) do {} while (0)
29828 + #define snd_assert(expr, args...) (void)(expr)
29829 +-#define snd_BUG() /* nothing */
29830 ++#define snd_BUG() do {} while (0)
29831 +
29832 + #endif /* CONFIG_SND_DEBUG */
29833 +
29834 +@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
29835 + */
29836 + #define snd_printdd(format, args...) snd_printk(format, ##args)
29837 + #else
29838 +-#define snd_printdd(format, args...) /* nothing */
29839 ++#define snd_printdd(format, args...) do {} while (0)
29840 + #endif
29841 +
29842 +
29843 +diff -Nurp linux-2.6.23.15/init/Kconfig linux-2.6.23.15-grsec/init/Kconfig
29844 +--- linux-2.6.23.15/init/Kconfig 2007-10-09 21:31:38.000000000 +0100
29845 ++++ linux-2.6.23.15-grsec/init/Kconfig 2008-02-11 10:37:45.000000000 +0000
29846 +@@ -384,6 +384,7 @@ config SYSCTL_SYSCALL
29847 + config KALLSYMS
29848 + bool "Load all symbols for debugging/ksymoops" if EMBEDDED
29849 + default y
29850 ++ depends on !GRKERNSEC_HIDESYM
29851 + help
29852 + Say Y here to let the kernel print out symbolic crash information and
29853 + symbolic stack backtraces. This increases the size of the kernel
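Review bot: `depends on !GRKERNSEC_HIDESYM` on `KALLSYMS` is overridden by any option that `select`s `KALLSYMS` (the lock-dependency debugging options do), in which case Kconfig prints an unmet-dependency warning and enables `KALLSYMS` anyway, silently defeating the symbol hiding. Either express the conflict on the `GRKERNSEC_HIDESYM` side so the user enabling hiding is the one told, or document the interaction in the `GRKERNSEC_HIDESYM` help text.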
29854 +diff -Nurp linux-2.6.23.15/init/do_mounts.c linux-2.6.23.15-grsec/init/do_mounts.c
29855 +--- linux-2.6.23.15/init/do_mounts.c 2007-10-09 21:31:38.000000000 +0100
29856 ++++ linux-2.6.23.15-grsec/init/do_mounts.c 2008-02-11 10:37:45.000000000 +0000
29857 +@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
29858 +
29859 + /* read device number from .../dev */
29860 +
29861 +- sprintf(path, "/sys/block/%s/dev", name);
29862 +- fd = sys_open(path, 0, 0);
29863 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
29864 ++ goto fail;
29865 ++ fd = sys_open((char __user *)path, 0, 0);
29866 + if (fd < 0)
29867 + goto fail;
29868 +- len = sys_read(fd, buf, 32);
29869 ++ len = sys_read(fd, (char __user *)buf, 32);
29870 + sys_close(fd);
29871 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
29872 + goto fail;
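Review bot: the `snprintf` conversion is right, and testing `sizeof path <= snprintf(...)` correctly treats a return value equal to the buffer size as truncation (the terminator would have been dropped); `goto fail` matches the existing error path. The `(char __user *)` casts on `sys_open()`/`sys_read()` change nothing at runtime and only satisfy sparse; they are valid here because this code runs in a kernel thread whose address limit is `KERNEL_DS`, which deserves a comment so the casts are not copied into code running in an arbitrary context.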
29873 +@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
29874 + return res;
29875 +
29876 + /* otherwise read range from .../range */
29877 +- sprintf(path, "/sys/block/%s/range", name);
29878 +- fd = sys_open(path, 0, 0);
29879 ++ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
29880 ++ goto fail;
29881 ++ fd = sys_open((char __user *)path, 0, 0);
29882 + if (fd < 0)
29883 + goto fail;
29884 +- len = sys_read(fd, buf, 32);
29885 ++ len = sys_read(fd, (char __user *)buf, 32);
29886 + sys_close(fd);
29887 + if (len <= 0 || len == 32 || buf[len - 1] != '\n')
29888 + goto fail;
29889 +@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
29890 + int part;
29891 +
29892 + #ifdef CONFIG_SYSFS
29893 +- int mkdir_err = sys_mkdir("/sys", 0700);
29894 +- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
29895 ++ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
29896 ++ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
29897 + goto out;
29898 + #endif
29899 +
29900 +@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
29901 + res = try_name(s, part);
29902 + done:
29903 + #ifdef CONFIG_SYSFS
29904 +- sys_umount("/sys", 0);
29905 ++ sys_umount((char __user *)"/sys", 0);
29906 + out:
29907 + if (!mkdir_err)
29908 +- sys_rmdir("/sys");
29909 ++ sys_rmdir((char __user *)"/sys");
29910 + #endif
29911 + return res;
29912 + fail:
29913 +@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
29914 +
29915 + static int __init do_mount_root(char *name, char *fs, int flags, void *data)
29916 + {
29917 +- int err = sys_mount(name, "/root", fs, flags, data);
29918 ++ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
29919 + if (err)
29920 + return err;
29921 +
29922 +- sys_chdir("/root");
29923 ++ sys_chdir((char __user *)"/root");
29924 + ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
29925 + printk("VFS: Mounted root (%s filesystem)%s.\n",
29926 + current->fs->pwdmnt->mnt_sb->s_type->name,
29927 +@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
29928 + va_start(args, fmt);
29929 + vsprintf(buf, fmt, args);
29930 + va_end(args);
29931 +- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
29932 ++ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
29933 + if (fd >= 0) {
29934 + sys_ioctl(fd, FDEJECT, 0);
29935 + sys_close(fd);
29936 + }
29937 + printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
29938 +- fd = sys_open("/dev/console", O_RDWR, 0);
29939 ++ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
29940 + if (fd >= 0) {
29941 + sys_ioctl(fd, TCGETS, (long)&termios);
29942 + termios.c_lflag &= ~ICANON;
29943 + sys_ioctl(fd, TCSETSF, (long)&termios);
29944 +- sys_read(fd, &c, 1);
29945 ++ sys_read(fd, (char __user *)&c, 1);
29946 + termios.c_lflag |= ICANON;
29947 + sys_ioctl(fd, TCSETSF, (long)&termios);
29948 + sys_close(fd);
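Review bot: `vsprintf(buf, fmt, args)` at the top of `change_floppy()` remains an unbounded write while the `sprintf` calls in `try_name()` were converted to length-checked `snprintf`; for consistency switch it to `vsnprintf(buf, sizeof buf, fmt, args)` (if `buf` is a local array, as the pattern in `try_name()` suggests) in the same hunk.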
29949 +@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
29950 +
29951 + mount_root();
29952 + out:
29953 +- sys_mount(".", "/", NULL, MS_MOVE, NULL);
29954 +- sys_chroot(".");
29955 ++ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
29956 ++ sys_chroot((char __user *)".");
29957 + security_sb_post_mountroot();
29958 + }
29959 +
29960 +diff -Nurp linux-2.6.23.15/init/do_mounts.h linux-2.6.23.15-grsec/init/do_mounts.h
29961 +--- linux-2.6.23.15/init/do_mounts.h 2007-10-09 21:31:38.000000000 +0100
29962 ++++ linux-2.6.23.15-grsec/init/do_mounts.h 2008-02-11 10:37:45.000000000 +0000
29963 +@@ -15,15 +15,15 @@ extern char *root_device_name;
29964 +
29965 + static inline int create_dev(char *name, dev_t dev)
29966 + {
29967 +- sys_unlink(name);
29968 +- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
29969 ++ sys_unlink((char __user *)name);
29970 ++ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
29971 + }
29972 +
29973 + #if BITS_PER_LONG == 32
29974 + static inline u32 bstat(char *name)
29975 + {
29976 + struct stat64 stat;
29977 +- if (sys_stat64(name, &stat) != 0)
29978 ++ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
29979 + return 0;
29980 + if (!S_ISBLK(stat.st_mode))
29981 + return 0;
29982 +diff -Nurp linux-2.6.23.15/init/do_mounts_md.c linux-2.6.23.15-grsec/init/do_mounts_md.c
29983 +--- linux-2.6.23.15/init/do_mounts_md.c 2007-10-09 21:31:38.000000000 +0100
29984 ++++ linux-2.6.23.15-grsec/init/do_mounts_md.c 2008-02-11 10:37:45.000000000 +0000
29985 +@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
29986 + partitioned ? "_d" : "", minor,
29987 + md_setup_args[ent].device_names);
29988 +
29989 +- fd = sys_open(name, 0, 0);
29990 ++ fd = sys_open((char __user *)name, 0, 0);
29991 + if (fd < 0) {
29992 + printk(KERN_ERR "md: open failed - cannot start "
29993 + "array %s\n", name);
29994 +@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
29995 + * array without it
29996 + */
29997 + sys_close(fd);
29998 +- fd = sys_open(name, 0, 0);
29999 ++ fd = sys_open((char __user *)name, 0, 0);
30000 + sys_ioctl(fd, BLKRRPART, 0);
30001 + }
30002 + sys_close(fd);
30003 +@@ -271,7 +271,7 @@ void __init md_run_setup(void)
30004 + if (raid_noautodetect)
30005 + printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
30006 + else {
30007 +- int fd = sys_open("/dev/md0", 0, 0);
30008 ++ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
30009 + if (fd >= 0) {
30010 + sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
30011 + sys_close(fd);
30012 +diff -Nurp linux-2.6.23.15/init/initramfs.c linux-2.6.23.15-grsec/init/initramfs.c
30013 +--- linux-2.6.23.15/init/initramfs.c 2007-10-09 21:31:38.000000000 +0100
30014 ++++ linux-2.6.23.15-grsec/init/initramfs.c 2008-02-11 10:37:45.000000000 +0000
30015 +@@ -240,7 +240,7 @@ static int __init maybe_link(void)
30016 + if (nlink >= 2) {
30017 + char *old = find_link(major, minor, ino, mode, collected);
30018 + if (old)
30019 +- return (sys_link(old, collected) < 0) ? -1 : 1;
30020 ++ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
30021 + }
30022 + return 0;
30023 + }
30024 +@@ -249,11 +249,11 @@ static void __init clean_path(char *path
30025 + {
30026 + struct stat st;
30027 +
30028 +- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
30029 ++ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
30030 + if (S_ISDIR(st.st_mode))
30031 +- sys_rmdir(path);
30032 ++ sys_rmdir((char __user *)path);
30033 + else
30034 +- sys_unlink(path);
30035 ++ sys_unlink((char __user *)path);
30036 + }
30037 + }
30038 +
30039 +@@ -276,7 +276,7 @@ static int __init do_name(void)
30040 + int openflags = O_WRONLY|O_CREAT;
30041 + if (ml != 1)
30042 + openflags |= O_TRUNC;
30043 +- wfd = sys_open(collected, openflags, mode);
30044 ++ wfd = sys_open((char __user *)collected, openflags, mode);
30045 +
30046 + if (wfd >= 0) {
30047 + sys_fchown(wfd, uid, gid);
30048 +@@ -285,15 +285,15 @@ static int __init do_name(void)
30049 + }
30050 + }
30051 + } else if (S_ISDIR(mode)) {
30052 +- sys_mkdir(collected, mode);
30053 +- sys_chown(collected, uid, gid);
30054 +- sys_chmod(collected, mode);
30055 ++ sys_mkdir((char __user *)collected, mode);
30056 ++ sys_chown((char __user *)collected, uid, gid);
30057 ++ sys_chmod((char __user *)collected, mode);
30058 + } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
30059 + S_ISFIFO(mode) || S_ISSOCK(mode)) {
30060 + if (maybe_link() == 0) {
30061 +- sys_mknod(collected, mode, rdev);
30062 +- sys_chown(collected, uid, gid);
30063 +- sys_chmod(collected, mode);
30064 ++ sys_mknod((char __user *)collected, mode, rdev);
30065 ++ sys_chown((char __user *)collected, uid, gid);
30066 ++ sys_chmod((char __user *)collected, mode);
30067 + }
30068 + }
30069 + return 0;
30070 +@@ -302,13 +302,13 @@ static int __init do_name(void)
30071 + static int __init do_copy(void)
30072 + {
30073 + if (count >= body_len) {
30074 +- sys_write(wfd, victim, body_len);
30075 ++ sys_write(wfd, (char __user *)victim, body_len);
30076 + sys_close(wfd);
30077 + eat(body_len);
30078 + state = SkipIt;
30079 + return 0;
30080 + } else {
30081 +- sys_write(wfd, victim, count);
30082 ++ sys_write(wfd, (char __user *)victim, count);
30083 + body_len -= count;
30084 + eat(count);
30085 + return 1;
30086 +@@ -319,8 +319,8 @@ static int __init do_symlink(void)
30087 + {
30088 + collected[N_ALIGN(name_len) + body_len] = '\0';
30089 + clean_path(collected, 0);
30090 +- sys_symlink(collected + N_ALIGN(name_len), collected);
30091 +- sys_lchown(collected, uid, gid);
30092 ++ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
30093 ++ sys_lchown((char __user *)collected, uid, gid);
30094 + state = SkipIt;
30095 + next_state = Reset;
30096 + return 0;
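Review bot: in `sys_symlink((char __user *)collected + N_ALIGN(name_len), ...)` the cast binds before the `+`, so the pointer arithmetic is done on the `__user` pointer; the result is the same, but `(char __user *)(collected + N_ALIGN(name_len))` reads as intended and matches how the other casts in this file wrap a complete expression.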
30097 +diff -Nurp linux-2.6.23.15/init/main.c linux-2.6.23.15-grsec/init/main.c
30098 +--- linux-2.6.23.15/init/main.c 2007-10-09 21:31:38.000000000 +0100
30099 ++++ linux-2.6.23.15-grsec/init/main.c 2008-02-11 10:37:45.000000000 +0000
30100 +@@ -107,6 +107,7 @@ static inline void mark_rodata_ro(void)
30101 + #ifdef CONFIG_TC
30102 + extern void tc_init(void);
30103 + #endif
30104 ++extern void grsecurity_init(void);
30105 +
30106 + enum system_states system_state;
30107 + EXPORT_SYMBOL(system_state);
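Review bot: `extern void grsecurity_init(void);` belongs in a header rather than a local declaration in `main.c`; the patch already provides `<linux/grsecurity.h>` (it is included in the `ipc/msg.c` and `ipc/sem.c` hunks below), so declare the function there and include that header here, keeping the prototype in one place.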
30108 +@@ -193,6 +194,17 @@ static int __init set_reset_devices(char
30109 +
30110 + __setup("reset_devices", set_reset_devices);
30111 +
30112 ++#ifdef CONFIG_PAX_SOFTMODE
30113 ++unsigned int pax_softmode;
30114 ++
30115 ++static int __init setup_pax_softmode(char *str)
30116 ++{
30117 ++ get_option(&str, &pax_softmode);
30118 ++ return 1;
30119 ++}
30120 ++__setup("pax_softmode=", setup_pax_softmode);
30121 ++#endif
30122 ++
30123 + static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
30124 + char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
30125 + static const char *panic_later, *panic_param;
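Review bot: `get_option(&str, &pax_softmode)` passes an `unsigned int *` where `get_option()` takes an `int *`, which compilers flag as an incompatible pointer type; parse into an `int` temporary and assign, or declare `pax_softmode` as `int`. Returning 1 from the `__setup` handler is correct.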
30126 +@@ -854,6 +866,8 @@ static int __init kernel_init(void * unu
30127 + prepare_namespace();
30128 + }
30129 +
30130 ++ grsecurity_init();
30131 ++
30132 + /*
30133 + * Ok, we have completed the initial bootup, and
30134 + * we're essentially up and running. Get rid of the
30135 +diff -Nurp linux-2.6.23.15/init/noinitramfs.c linux-2.6.23.15-grsec/init/noinitramfs.c
30136 +--- linux-2.6.23.15/init/noinitramfs.c 2007-10-09 21:31:38.000000000 +0100
30137 ++++ linux-2.6.23.15-grsec/init/noinitramfs.c 2008-02-11 10:37:45.000000000 +0000
30138 +@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
30139 + {
30140 + int err;
30141 +
30142 +- err = sys_mkdir("/dev", 0755);
30143 ++ err = sys_mkdir((const char __user *)"/dev", 0755);
30144 + if (err < 0)
30145 + goto out;
30146 +
30147 +@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
30148 + if (err < 0)
30149 + goto out;
30150 +
30151 +- err = sys_mkdir("/root", 0700);
30152 ++ err = sys_mkdir((const char __user *)"/root", 0700);
30153 + if (err < 0)
30154 + goto out;
30155 +
30156 +diff -Nurp linux-2.6.23.15/ipc/ipc_sysctl.c linux-2.6.23.15-grsec/ipc/ipc_sysctl.c
30157 +--- linux-2.6.23.15/ipc/ipc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
30158 ++++ linux-2.6.23.15-grsec/ipc/ipc_sysctl.c 2008-02-11 10:37:45.000000000 +0000
30159 +@@ -161,7 +161,7 @@ static struct ctl_table ipc_kern_table[]
30160 + .proc_handler = proc_ipc_dointvec,
30161 + .strategy = sysctl_ipc_data,
30162 + },
30163 +- {}
30164 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
30165 + };
30166 +
30167 + static struct ctl_table ipc_root_table[] = {
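Review bot: the sentinel rewrite at the end of ipc_kern_table trades the portable `{}` for a positional all-zero initializer of eleven members; it is equivalent today but breaks (or warns) as soon as a field is added to or removed from `struct ctl_table`. If the purpose is to silence a missing-initializer warning, keep `{}` or use a designated initializer of the first member; the same applies to the ipc_root_table hunk that follows.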
30168 +@@ -171,7 +171,7 @@ static struct ctl_table ipc_root_table[]
30169 + .mode = 0555,
30170 + .child = ipc_kern_table,
30171 + },
30172 +- {}
30173 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
30174 + };
30175 +
30176 + static int __init ipc_sysctl_init(void)
30177 +diff -Nurp linux-2.6.23.15/ipc/msg.c linux-2.6.23.15-grsec/ipc/msg.c
30178 +--- linux-2.6.23.15/ipc/msg.c 2007-10-09 21:31:38.000000000 +0100
30179 ++++ linux-2.6.23.15-grsec/ipc/msg.c 2008-02-11 10:37:45.000000000 +0000
30180 +@@ -36,6 +36,7 @@
30181 + #include <linux/seq_file.h>
30182 + #include <linux/mutex.h>
30183 + #include <linux/nsproxy.h>
30184 ++#include <linux/grsecurity.h>
30185 +
30186 + #include <asm/current.h>
30187 + #include <asm/uaccess.h>
30188 +@@ -286,6 +287,8 @@ asmlinkage long sys_msgget(key_t key, in
30189 + }
30190 + mutex_unlock(&msg_ids(ns).mutex);
30191 +
30192 ++ gr_log_msgget(ret, msgflg);
30193 ++
30194 + return ret;
30195 + }
30196 +
30197 +@@ -552,6 +555,7 @@ asmlinkage long sys_msgctl(int msqid, in
30198 + break;
30199 + }
30200 + case IPC_RMID:
30201 ++ gr_log_msgrm(ipcp->uid, ipcp->cuid);
30202 + freeque(ns, msq, msqid);
30203 + break;
30204 + }
30205 +diff -Nurp linux-2.6.23.15/ipc/sem.c linux-2.6.23.15-grsec/ipc/sem.c
30206 +--- linux-2.6.23.15/ipc/sem.c 2007-10-09 21:31:38.000000000 +0100
30207 ++++ linux-2.6.23.15-grsec/ipc/sem.c 2008-02-11 10:37:45.000000000 +0000
30208 +@@ -82,6 +82,7 @@
30209 + #include <linux/seq_file.h>
30210 + #include <linux/mutex.h>
30211 + #include <linux/nsproxy.h>
30212 ++#include <linux/grsecurity.h>
30213 +
30214 + #include <asm/uaccess.h>
30215 + #include "util.h"
30216 +@@ -293,6 +294,9 @@ asmlinkage long sys_semget (key_t key, i
30217 + }
30218 +
30219 + mutex_unlock(&sem_ids(ns).mutex);
30220 ++
30221 ++ gr_log_semget(err, semflg);
30222 ++
30223 + return err;
30224 + }
30225 +
30226 +@@ -894,6 +898,7 @@ static int semctl_down(struct ipc_namesp
30227 +
30228 + switch(cmd){
30229 + case IPC_RMID:
30230 ++ gr_log_semrm(ipcp->uid, ipcp->cuid);
30231 + freeary(ns, sma, semid);
30232 + err = 0;
30233 + break;
30234 +diff -Nurp linux-2.6.23.15/ipc/shm.c linux-2.6.23.15-grsec/ipc/shm.c
30235 +--- linux-2.6.23.15/ipc/shm.c 2007-10-09 21:31:38.000000000 +0100
30236 ++++ linux-2.6.23.15-grsec/ipc/shm.c 2008-02-11 10:37:45.000000000 +0000
30237 +@@ -38,6 +38,7 @@
30238 + #include <linux/mutex.h>
30239 + #include <linux/nsproxy.h>
30240 + #include <linux/mount.h>
30241 ++#include <linux/grsecurity.h>
30242 +
30243 + #include <asm/uaccess.h>
30244 +
30245 +@@ -77,6 +78,14 @@ static void shm_destroy (struct ipc_name
30246 + static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
30247 + #endif
30248 +
30249 ++#ifdef CONFIG_GRKERNSEC
30250 ++extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
30251 ++ const time_t shm_createtime, const uid_t cuid,
30252 ++ const int shmid);
30253 ++extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
30254 ++ const time_t shm_createtime);
30255 ++#endif
30256 ++
30257 + static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
30258 + {
30259 + ns->ids[IPC_SHM_IDS] = ids;
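Review bot: the `extern` prototypes for gr_handle_shmat() and gr_chroot_shmat() belong in <linux/grsecurity.h>, which this file now includes a few lines up; prototypes in a .c file bypass the compiler's check that definition and callers agree. They also take `shm_cprid`, `shm_lapid` and `shm_createtime`, which are new `shmid_kernel` members whose declaration is not part of this hunk, so the header change they depend on should be reviewed together with this one.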
30260 +@@ -89,6 +98,8 @@ static void __shm_init_ns(struct ipc_nam
30261 +
30262 + static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
30263 + {
30264 ++ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
30265 ++
30266 + if (shp->shm_nattch){
30267 + shp->shm_perm.mode |= SHM_DEST;
30268 + /* Do not find it any more */
30269 +@@ -216,6 +227,17 @@ static void shm_close(struct vm_area_str
30270 + shp->shm_lprid = current->tgid;
30271 + shp->shm_dtim = get_seconds();
30272 + shp->shm_nattch--;
30273 ++#ifdef CONFIG_GRKERNSEC_SHM
30274 ++ if (grsec_enable_shm) {
30275 ++ if (shp->shm_nattch == 0) {
30276 ++ shp->shm_perm.mode |= SHM_DEST;
30277 ++ shm_destroy(ns, shp);
30278 ++ } else
30279 ++ shm_unlock(shp);
30280 ++ mutex_unlock(&shm_ids(ns).mutex);
30281 ++ return;
30282 ++ }
30283 ++#endif
30284 + if(shp->shm_nattch == 0 &&
30285 + shp->shm_perm.mode & SHM_DEST)
30286 + shm_destroy(ns, shp);
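Review bot: the CONFIG_GRKERNSEC_SHM block in shm_close() duplicates the unlock path that follows it (`shm_unlock(shp)`, `mutex_unlock(&shm_ids(ns).mutex)`) only to destroy the segment when the attach count reaches zero without SHM_DEST. The existing tail already destroys on `shm_nattch == 0 && SHM_DEST`, so the same behaviour with no early return is `if (grsec_enable_shm && shp->shm_nattch == 0) shp->shm_perm.mode |= SHM_DEST;` placed before the existing test. Either way, a comment should state that this option deliberately reaps a segment on last detach even if it was never IPC_RMID'd, since that is a visible semantic change for programs that detach and re-attach.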
30287 +@@ -395,6 +417,9 @@ static int newseg (struct ipc_namespace
30288 + shp->shm_lprid = 0;
30289 + shp->shm_atim = shp->shm_dtim = 0;
30290 + shp->shm_ctim = get_seconds();
30291 ++#ifdef CONFIG_GRKERNSEC
30292 ++ shp->shm_createtime = get_seconds();
30293 ++#endif
30294 + shp->shm_segsz = size;
30295 + shp->shm_nattch = 0;
30296 + shp->id = shm_buildid(ns, id, shp->shm_perm.seq);
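Review bot: `shp->shm_createtime = get_seconds()` re-reads the clock immediately after `shp->shm_ctim = get_seconds()`; assigning `shp->shm_createtime = shp->shm_ctim` keeps the two timestamps identical, which matters if gr_handle_shmat() later compares the creation time against other records taken at the same instant.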
30297 +@@ -452,6 +477,8 @@ asmlinkage long sys_shmget (key_t key, s
30298 + }
30299 + mutex_unlock(&shm_ids(ns).mutex);
30300 +
30301 ++ gr_log_shmget(err, shmflg, size);
30302 ++
30303 + return err;
30304 + }
30305 +
30306 +@@ -905,9 +932,21 @@ long do_shmat(int shmid, char __user *sh
30307 + if (err)
30308 + goto out_unlock;
30309 +
30310 ++#ifdef CONFIG_GRKERNSEC
30311 ++ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
30312 ++ shp->shm_perm.cuid, shmid) ||
30313 ++ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
30314 ++ err = -EACCES;
30315 ++ goto out_unlock;
30316 ++ }
30317 ++#endif
30318 ++
30319 + path.dentry = dget(shp->shm_file->f_path.dentry);
30320 + path.mnt = mntget(shp->shm_file->f_path.mnt);
30321 + shp->shm_nattch++;
30322 ++#ifdef CONFIG_GRKERNSEC
30323 ++ shp->shm_lapid = current->pid;
30324 ++#endif
30325 + size = i_size_read(path.dentry->d_inode);
30326 + shm_unlock(shp);
30327 +
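Review bot: `shp->shm_lapid = current->pid` records a thread id, while the stock code in shm_close() earlier in this file records `shp->shm_lprid = current->tgid`, and gr_shm_exit() below compares `shm_cprid` against `task->pid`. For a multithreaded process these differ, so a segment attached by a non-leader thread will not match the owning process in later checks; pick pid or tgid consistently and say which in a comment. Note also that both hooks run while `shp` is still locked (`shm_unlock(shp)` comes after), so whatever logging gr_handle_shmat() and gr_chroot_shmat() do must not sleep.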
30328 +@@ -1111,3 +1150,27 @@ static int sysvipc_shm_proc_show(struct
30329 + shp->shm_ctim);
30330 + }
30331 + #endif
30332 ++
30333 ++void gr_shm_exit(struct task_struct *task)
30334 ++{
30335 ++#ifdef CONFIG_GRKERNSEC_SHM
30336 ++ int i;
30337 ++ struct shmid_kernel *shp;
30338 ++ struct ipc_namespace *ns;
30339 ++
30340 ++ ns = current->nsproxy->ipc_ns;
30341 ++
30342 ++ if (!grsec_enable_shm)
30343 ++ return;
30344 ++
30345 ++ for (i = 0; i <= shm_ids(ns).max_id; i++) {
30346 ++ shp = shm_get(ns, i);
30347 ++ if (shp && (shp->shm_cprid == task->pid) &&
30348 ++ (shp->shm_nattch <= 0)) {
30349 ++ shp->shm_perm.mode |= SHM_DEST;
30350 ++ shm_destroy(ns, shp);
30351 ++ }
30352 ++ }
30353 ++#endif
30354 ++ return;
30355 ++}
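Review bot: gr_shm_exit() walks `shm_ids(ns)` and calls shm_destroy() without taking `shm_ids(ns).mutex` or locking `shp`, whereas the shm_close() path earlier in this file visibly runs with the mutex held and the segment locked (it unlocks both before returning). Taking the same locks here is needed, otherwise the id table can change under the walk. Three smaller points: `ns` is taken from `current->nsproxy->ipc_ns` although the function receives `task`, which is only correct while the caller passes the exiting task itself; `shp->shm_nattch <= 0` on an unsigned count is just `== 0`; and the function is non-static with no prototype in this hunk, so the declaration kernel/exit.c uses should come from a header rather than a local `extern`.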
30356 +diff -Nurp linux-2.6.23.15/kernel/acct.c linux-2.6.23.15-grsec/kernel/acct.c
30357 +--- linux-2.6.23.15/kernel/acct.c 2007-10-09 21:31:38.000000000 +0100
30358 ++++ linux-2.6.23.15-grsec/kernel/acct.c 2008-02-11 10:37:45.000000000 +0000
30359 +@@ -511,7 +511,7 @@ static void do_acct_process(struct file
30360 + */
30361 + flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
30362 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
30363 +- file->f_op->write(file, (char *)&ac,
30364 ++ file->f_op->write(file, (char __user *)&ac,
30365 + sizeof(acct_t), &file->f_pos);
30366 + current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
30367 + set_fs(fs);
30368 +diff -Nurp linux-2.6.23.15/kernel/capability.c linux-2.6.23.15-grsec/kernel/capability.c
30369 +--- linux-2.6.23.15/kernel/capability.c 2007-10-09 21:31:38.000000000 +0100
30370 ++++ linux-2.6.23.15-grsec/kernel/capability.c 2008-02-11 10:37:45.000000000 +0000
30371 +@@ -12,6 +12,7 @@
30372 + #include <linux/module.h>
30373 + #include <linux/security.h>
30374 + #include <linux/syscalls.h>
30375 ++#include <linux/grsecurity.h>
30376 + #include <asm/uaccess.h>
30377 +
30378 + unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
30379 +@@ -236,14 +237,25 @@ out:
30380 + return ret;
30381 + }
30382 +
30383 ++extern int gr_task_is_capable(struct task_struct *task, const int cap);
30384 ++extern int gr_is_capable_nolog(const int cap);
30385 ++
30386 + int __capable(struct task_struct *t, int cap)
30387 + {
30388 +- if (security_capable(t, cap) == 0) {
30389 ++ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
30390 + t->flags |= PF_SUPERPRIV;
30391 + return 1;
30392 + }
30393 + return 0;
30394 + }
30395 ++int capable_nolog(int cap)
30396 ++{
30397 ++ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
30398 ++ current->flags |= PF_SUPERPRIV;
30399 ++ return 1;
30400 ++ }
30401 ++ return 0;
30402 ++}
30403 + EXPORT_SYMBOL(__capable);
30404 +
30405 + int capable(int cap)
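Review bot: capable_nolog() is inserted between `__capable()` and its `EXPORT_SYMBOL(__capable)`, so the export now visually belongs to the wrong function; move the new function below that export (the `EXPORT_SYMBOL(capable_nolog)` in the next hunk already sits at the end of the file). The `extern` prototypes for gr_task_is_capable() and gr_is_capable_nolog() belong in <linux/grsecurity.h>, included at the top of this file. Worth a comment: `__capable()` now grants a capability only when both the LSM (`security_capable() == 0`) and the grsecurity check agree, so a policy denial applies even to uid 0; that is the hardening point of the hunk, and the difference between the two variants, which from their names is only whether a denial is logged, should be stated next to them.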
30406 +@@ -251,3 +263,4 @@ int capable(int cap)
30407 + return __capable(current, cap);
30408 + }
30409 + EXPORT_SYMBOL(capable);
30410 ++EXPORT_SYMBOL(capable_nolog);
30411 +diff -Nurp linux-2.6.23.15/kernel/configs.c linux-2.6.23.15-grsec/kernel/configs.c
30412 +--- linux-2.6.23.15/kernel/configs.c 2007-10-09 21:31:38.000000000 +0100
30413 ++++ linux-2.6.23.15-grsec/kernel/configs.c 2008-02-11 10:37:45.000000000 +0000
30414 +@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
30415 + struct proc_dir_entry *entry;
30416 +
30417 + /* create the current config file */
30418 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
30419 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
30420 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
30421 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
30422 ++ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
30423 ++#endif
30424 ++#else
30425 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
30426 + &proc_root);
30427 ++#endif
30428 + if (!entry)
30429 + return -ENOMEM;
30430 +
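Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` should be `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`; an undefined macro silently evaluates to 0 in `#elif`. More importantly, when CONFIG_GRKERNSEC_PROC_ADD is set but neither PROC_USER nor PROC_USERGROUP is, nothing assigns `entry` and `if (!entry)` reads an uninitialized pointer. Either add an `#else` branch that falls back to the stock S_IRUGO entry or document that Kconfig forces exactly one of the two sub-options.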
30431 +diff -Nurp linux-2.6.23.15/kernel/exit.c linux-2.6.23.15-grsec/kernel/exit.c
30432 +--- linux-2.6.23.15/kernel/exit.c 2008-02-11 10:36:03.000000000 +0000
30433 ++++ linux-2.6.23.15-grsec/kernel/exit.c 2008-02-11 10:37:45.000000000 +0000
30434 +@@ -45,6 +45,11 @@
30435 + #include <linux/blkdev.h>
30436 + #include <linux/task_io_accounting_ops.h>
30437 + #include <linux/freezer.h>
30438 ++#include <linux/grsecurity.h>
30439 ++
30440 ++#ifdef CONFIG_GRKERNSEC
30441 ++extern rwlock_t grsec_exec_file_lock;
30442 ++#endif
30443 +
30444 + #include <asm/uaccess.h>
30445 + #include <asm/unistd.h>
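Review bot: `extern rwlock_t grsec_exec_file_lock;` is declared in kernel/exit.c in the middle of the `#include` block; the lock is shared with the grsecurity code that defines it, so its declaration belongs in <linux/grsecurity.h>, which this same hunk includes immediately above.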
30446 +@@ -123,6 +128,7 @@ static void __exit_signal(struct task_st
30447 +
30448 + __unhash_process(tsk);
30449 +
30450 ++ gr_del_task_from_ip_table(tsk);
30451 + tsk->signal = NULL;
30452 + tsk->sighand = NULL;
30453 + spin_unlock(&sighand->siglock);
30454 +@@ -274,12 +280,23 @@ static void reparent_to_kthreadd(void)
30455 + {
30456 + write_lock_irq(&tasklist_lock);
30457 +
30458 ++#ifdef CONFIG_GRKERNSEC
30459 ++ write_lock(&grsec_exec_file_lock);
30460 ++ if (current->exec_file) {
30461 ++ fput(current->exec_file);
30462 ++ current->exec_file = NULL;
30463 ++ }
30464 ++ write_unlock(&grsec_exec_file_lock);
30465 ++#endif
30466 ++
30467 + ptrace_unlink(current);
30468 + /* Reparent to init */
30469 + remove_parent(current);
30470 + current->real_parent = current->parent = kthreadd_task;
30471 + add_parent(current);
30472 +
30473 ++ gr_set_kernel_label(current);
30474 ++
30475 + /* Set the exit signal to SIGCHLD so we signal init on exit */
30476 + current->exit_signal = SIGCHLD;
30477 +
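Review bot: the exec_file release block runs under `write_lock_irq(&tasklist_lock)`, taken at the top of this hunk. If `fput()` drops the last reference to the file it calls into the filesystem's release path, which may sleep, and that is not allowed with a spinlock held and interrupts off. Save the pointer under `grsec_exec_file_lock`, clear the field, and call fput() after `write_unlock_irq(&tasklist_lock)`, as the daemonize() hunk below already does with no tasklist_lock visible around the same block.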
30478 +@@ -374,6 +391,17 @@ void daemonize(const char *name, ...)
30479 + vsnprintf(current->comm, sizeof(current->comm), name, args);
30480 + va_end(args);
30481 +
30482 ++#ifdef CONFIG_GRKERNSEC
30483 ++ write_lock(&grsec_exec_file_lock);
30484 ++ if (current->exec_file) {
30485 ++ fput(current->exec_file);
30486 ++ current->exec_file = NULL;
30487 ++ }
30488 ++ write_unlock(&grsec_exec_file_lock);
30489 ++#endif
30490 ++
30491 ++ gr_set_kernel_label(current);
30492 ++
30493 + /*
30494 + * If we were started as result of loading a module, close all of the
30495 + * user space pages. We don't need them, and if we didn't close them
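Review bot: this seven-line exec_file drop (lock, fput, clear, unlock) is the second copy of the block added to reparent_to_kthreadd() in the previous hunk; factor it into a helper in the grsecurity code so the locking discipline lives in one place, and add a comment that a kernel thread intentionally loses its exec_file before gr_set_kernel_label() relabels it, so the RBAC code no longer associates it with the binary it was started from.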
30496 +@@ -969,11 +997,15 @@ fastcall NORET_TYPE void do_exit(long co
30497 + tsk->exit_code = code;
30498 + taskstats_exit(tsk, group_dead);
30499 +
30500 ++ gr_acl_handle_psacct(tsk, code);
30501 ++ gr_acl_handle_exit();
30502 ++
30503 + exit_mm(tsk);
30504 +
30505 + if (group_dead)
30506 + acct_process();
30507 + exit_sem(tsk);
30508 ++ gr_shm_exit(tsk);
30509 + __exit_files(tsk);
30510 + __exit_fs(tsk);
30511 + check_stack_usage();
30512 +@@ -1174,7 +1206,7 @@ static int wait_task_zombie(struct task_
30513 + pid_t pid = p->pid;
30514 + uid_t uid = p->uid;
30515 + int exit_code = p->exit_code;
30516 +- int why, status;
30517 ++ int why;
30518 +
30519 + if (unlikely(p->exit_state != EXIT_ZOMBIE))
30520 + return 0;
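Review bot: dropping the unused `status` variable in wait_task_zombie() is a compiler-warning cleanup unrelated to grsecurity; keep it out of the security patch or call it out in the description so reviewers are not left looking for a security reason behind it.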
30521 +diff -Nurp linux-2.6.23.15/kernel/fork.c linux-2.6.23.15-grsec/kernel/fork.c
30522 +--- linux-2.6.23.15/kernel/fork.c 2008-02-11 10:36:03.000000000 +0000
30523 ++++ linux-2.6.23.15-grsec/kernel/fork.c 2008-02-11 10:37:45.000000000 +0000
30524 +@@ -50,6 +50,7 @@
30525 + #include <linux/taskstats_kern.h>
30526 + #include <linux/random.h>
30527 + #include <linux/tty.h>
30528 ++#include <linux/grsecurity.h>
30529 +
30530 + #include <asm/pgtable.h>
30531 + #include <asm/pgalloc.h>
30532 +@@ -181,7 +182,7 @@ static struct task_struct *dup_task_stru
30533 + setup_thread_stack(tsk, orig);
30534 +
30535 + #ifdef CONFIG_CC_STACKPROTECTOR
30536 +- tsk->stack_canary = get_random_int();
30537 ++ tsk->stack_canary = pax_get_random_long();
30538 + #endif
30539 +
30540 + /* One for us, one for whoever does the "release_task()" (usually parent) */
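Review bot: replacing get_random_int() with pax_get_random_long() for the stack canary widens the value to the full `unsigned long` on 64-bit, where get_random_int() leaves the upper 32 bits zero; that is a real gain in canary entropy and deserves a one-line comment here. The definition of pax_get_random_long() is not in this hunk, so confirm it is declared for every configuration that enables CONFIG_CC_STACKPROTECTOR, not only when a PaX option is selected.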
30541 +@@ -203,6 +204,10 @@ static inline int dup_mmap(struct mm_str
30542 + unsigned long charge;
30543 + struct mempolicy *pol;
30544 +
30545 ++#ifdef CONFIG_PAX_SEGMEXEC
30546 ++ struct vm_area_struct *mpnt_m;
30547 ++#endif
30548 ++
30549 + down_write(&oldmm->mmap_sem);
30550 + flush_cache_dup_mm(oldmm);
30551 + /*
30552 +@@ -213,8 +218,8 @@ static inline int dup_mmap(struct mm_str
30553 + mm->locked_vm = 0;
30554 + mm->mmap = NULL;
30555 + mm->mmap_cache = NULL;
30556 +- mm->free_area_cache = oldmm->mmap_base;
30557 +- mm->cached_hole_size = ~0UL;
30558 ++ mm->free_area_cache = oldmm->free_area_cache;
30559 ++ mm->cached_hole_size = oldmm->cached_hole_size;
30560 + mm->map_count = 0;
30561 + cpus_clear(mm->cpu_vm_mask);
30562 + mm->mm_rb = RB_ROOT;
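Review bot: dup_mmap() now copies `free_area_cache` and `cached_hole_size` from the parent instead of resetting them to `mmap_base` and `~0UL`; this changes where the child's next unmapped-area search starts and is explained nowhere in the hunk. If it is needed so that parent and child allocate in lock-step for the SEGMEXEC mirroring added further down, say so in a comment; otherwise it is an unrelated mm behaviour change that should be split out.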
30563 +@@ -233,6 +238,7 @@ static inline int dup_mmap(struct mm_str
30564 + continue;
30565 + }
30566 + charge = 0;
30567 ++
30568 + if (mpnt->vm_flags & VM_ACCOUNT) {
30569 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
30570 + if (security_vm_enough_memory(len))
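Review bot: whitespace-only change after `charge = 0;`; drop the hunk, it adds nothing but rebase noise.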
30571 +@@ -251,6 +257,7 @@ static inline int dup_mmap(struct mm_str
30572 + tmp->vm_flags &= ~VM_LOCKED;
30573 + tmp->vm_mm = mm;
30574 + tmp->vm_next = NULL;
30575 ++ tmp->vm_mirror = NULL;
30576 + anon_vma_link(tmp);
30577 + file = tmp->vm_file;
30578 + if (file) {
30579 +@@ -287,6 +294,29 @@ static inline int dup_mmap(struct mm_str
30580 + if (retval)
30581 + goto out;
30582 + }
30583 ++
30584 ++#ifdef CONFIG_PAX_SEGMEXEC
30585 ++ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
30586 ++ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
30587 ++ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
30588 ++
30589 ++ if (!mpnt->vm_mirror)
30590 ++ continue;
30591 ++
30592 ++ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
30593 ++ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
30594 ++ mpnt->vm_mirror = mpnt_m;
30595 ++ } else {
30596 ++ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
30597 ++ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
30598 ++ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
30599 ++ mpnt->vm_mirror->vm_mirror = mpnt;
30600 ++ }
30601 ++ }
30602 ++ BUG_ON(mpnt_m);
30603 ++ }
30604 ++#endif
30605 ++
30606 + /* a new mm has just been created */
30607 + arch_dup_mmap(oldmm, mm);
30608 + retval = 0;
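Review bot: the vm_mirror fixup loop needs a comment explaining its two-phase trick: for a vma below SEGMEXEC_TASK_SIZE it temporarily overwrites the parent's `mpnt->vm_mirror` with the child's copy (`mpnt_m`), and only when the walk reaches the upper mirror does it link the two child vmas and restore the parent's pointer (`mpnt->vm_mirror->vm_mirror = mpnt`). The parent's mm is inconsistent in between; that is safe only because `oldmm->mmap_sem` is held for write for the whole of dup_mmap(), and the `BUG_ON` chain depends on `mm->mmap` being an exact order-preserving copy of `oldmm->mmap`. Stating both invariants next to the loop saves the next reader the derivation.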
30609 +@@ -464,7 +494,7 @@ void mm_release(struct task_struct *tsk,
30610 + if (tsk->clear_child_tid
30611 + && !(tsk->flags & PF_SIGNALED)
30612 + && atomic_read(&mm->mm_users) > 1) {
30613 +- u32 __user * tidptr = tsk->clear_child_tid;
30614 ++ pid_t __user * tidptr = tsk->clear_child_tid;
30615 + tsk->clear_child_tid = NULL;
30616 +
30617 + /*
30618 +@@ -472,7 +502,7 @@ void mm_release(struct task_struct *tsk,
30619 + * not set up a proper pointer then tough luck.
30620 + */
30621 + put_user(0, tidptr);
30622 +- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
30623 ++ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
30624 + }
30625 + }
30626 +
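Review bot: `clear_child_tid` becomes `pid_t __user *` in the previous hunk and is cast straight back to `u32 __user *` for sys_futex() here; the cast silences the warning without adding type safety, and on a target where pid_t is not 32 bits wide the futex wake would address a different object than the `put_user(0, tidptr)` just wrote. If the field really should follow pid_t, add a `BUILD_BUG_ON(sizeof(pid_t) != sizeof(u32))` next to the cast; otherwise leave the field as `u32 __user *`.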
30627 +@@ -1001,6 +1031,9 @@ static struct task_struct *copy_process(
30628 + DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
30629 + #endif
30630 + retval = -EAGAIN;
30631 ++
30632 ++ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
30633 ++
30634 + if (atomic_read(&p->user->processes) >=
30635 + p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
30636 + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
30637 +@@ -1140,6 +1173,8 @@ static struct task_struct *copy_process(
30638 + if (retval)
30639 + goto bad_fork_cleanup_namespaces;
30640 +
30641 ++ gr_copy_label(p);
30642 ++
30643 + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
30644 + /*
30645 + * Clear TID on mm_release()?
30646 +@@ -1318,6 +1353,8 @@ bad_fork_cleanup_count:
30647 + bad_fork_free:
30648 + free_task(p);
30649 + fork_out:
30650 ++ gr_log_forkfail(retval);
30651 ++
30652 + return ERR_PTR(retval);
30653 + }
30654 +
30655 +@@ -1391,6 +1428,8 @@ long do_fork(unsigned long clone_flags,
30656 + if (!IS_ERR(p)) {
30657 + struct completion vfork;
30658 +
30659 ++ gr_handle_brute_check();
30660 ++
30661 + if (clone_flags & CLONE_VFORK) {
30662 + p->vfork_done = &vfork;
30663 + init_completion(&vfork);
30664 +diff -Nurp linux-2.6.23.15/kernel/futex.c linux-2.6.23.15-grsec/kernel/futex.c
30665 +--- linux-2.6.23.15/kernel/futex.c 2008-02-11 10:36:03.000000000 +0000
30666 ++++ linux-2.6.23.15-grsec/kernel/futex.c 2008-02-11 10:37:45.000000000 +0000
30667 +@@ -186,6 +186,11 @@ int get_futex_key(u32 __user *uaddr, str
30668 + struct page *page;
30669 + int err;
30670 +
30671 ++#ifdef CONFIG_PAX_SEGMEXEC
30672 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
30673 ++ return -EFAULT;
30674 ++#endif
30675 ++
30676 + /*
30677 + * The futex address must be "naturally" aligned.
30678 + */
30679 +@@ -212,8 +217,8 @@ int get_futex_key(u32 __user *uaddr, str
30680 + * The futex is hashed differently depending on whether
30681 + * it's in a shared or private mapping. So check vma first.
30682 + */
30683 +- vma = find_extend_vma(mm, address);
30684 +- if (unlikely(!vma))
30685 ++ vma = find_vma(mm, address);
30686 ++ if (unlikely(!vma || address < vma->vm_start))
30687 + return -EFAULT;
30688 +
30689 + /*
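Review bot: switching from find_extend_vma() to find_vma() plus an explicit `address < vma->vm_start` check means a futex word sitting just below the current stack extent now fails with -EFAULT instead of growing the stack; that is a deliberate hardening (a futex lookup no longer expands mappings) but a user-visible behaviour change and should be explained in a comment or the patch description.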
30690 +@@ -1922,7 +1927,7 @@ retry:
30691 + */
30692 + static inline int fetch_robust_entry(struct robust_list __user **entry,
30693 + struct robust_list __user * __user *head,
30694 +- int *pi)
30695 ++ unsigned int *pi)
30696 + {
30697 + unsigned long uentry;
30698 +
30699 +diff -Nurp linux-2.6.23.15/kernel/irq/handle.c linux-2.6.23.15-grsec/kernel/irq/handle.c
30700 +--- linux-2.6.23.15/kernel/irq/handle.c 2007-10-09 21:31:38.000000000 +0100
30701 ++++ linux-2.6.23.15-grsec/kernel/irq/handle.c 2008-02-11 10:37:45.000000000 +0000
30702 +@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
30703 + .depth = 1,
30704 + .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
30705 + #ifdef CONFIG_SMP
30706 +- .affinity = CPU_MASK_ALL
30707 ++ .affinity = CPU_MASK_ALL,
30708 ++ .cpu = 0,
30709 + #endif
30710 + }
30711 + };
30712 +diff -Nurp linux-2.6.23.15/kernel/kallsyms.c linux-2.6.23.15-grsec/kernel/kallsyms.c
30713 +--- linux-2.6.23.15/kernel/kallsyms.c 2007-10-09 21:31:38.000000000 +0100
30714 ++++ linux-2.6.23.15-grsec/kernel/kallsyms.c 2008-02-11 10:37:45.000000000 +0000
30715 +@@ -65,6 +65,19 @@ static inline int is_kernel_text(unsigne
30716 +
30717 + static inline int is_kernel(unsigned long addr)
30718 + {
30719 ++
30720 ++#ifdef CONFIG_PAX_KERNEXEC
30721 ++
30722 ++#ifdef CONFIG_MODULES
30723 ++ if ((unsigned long)MODULES_VADDR <= addr + __KERNEL_TEXT_OFFSET &&
30724 ++ addr + __KERNEL_TEXT_OFFSET < (unsigned long)MODULES_END)
30725 ++ return 0;
30726 ++#endif
30727 ++
30728 ++ if (is_kernel_inittext(addr))
30729 ++ return 1;
30730 ++#endif
30731 ++
30732 + if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
30733 + return 1;
30734 + return in_gate_area_no_task(addr);
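Review bot: the KERNEXEC branch of is_kernel() carries stray blank lines at the top of the function body and inside the `#ifdef`; beyond style, the comparison of `addr + __KERNEL_TEXT_OFFSET` against the MODULES_VADDR..MODULES_END range, and the early return for init text, need a comment on what relationship between `addr` and `__KERNEL_TEXT_OFFSET` they assume, which is otherwise opaque at this point.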
30735 +@@ -373,7 +386,6 @@ static unsigned long get_ksymbol_core(st
30736 +
30737 + static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
30738 + {
30739 +- iter->name[0] = '\0';
30740 + iter->nameoff = get_symbol_offset(new_pos);
30741 + iter->pos = new_pos;
30742 + }
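Review bot: removing `iter->name[0] = '\0'` from reset_iter() relies on the kzalloc() change in the next hunk to zero the name once at open time. That covers only the first reset; if reset_iter() is also used to rewind an existing iterator, the name buffer keeps its previous contents after the rewind. Unless that is harmless for every caller, keep the explicit clear.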
30743 +@@ -457,7 +469,7 @@ static int kallsyms_open(struct inode *i
30744 + struct kallsym_iter *iter;
30745 + int ret;
30746 +
30747 +- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
30748 ++ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
30749 + if (!iter)
30750 + return -ENOMEM;
30751 + reset_iter(iter, 0);
30752 +@@ -481,7 +493,15 @@ static int __init kallsyms_init(void)
30753 + {
30754 + struct proc_dir_entry *entry;
30755 +
30756 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
30757 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
30758 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
30759 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
30760 ++ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
30761 ++#endif
30762 ++#else
30763 + entry = create_proc_entry("kallsyms", 0444, NULL);
30764 ++#endif
30765 + if (entry)
30766 + entry->proc_fops = &kallsyms_operations;
30767 + return 0;
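Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` should be `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, and the case where CONFIG_GRKERNSEC_PROC_ADD is set with neither sub-option leaves `entry` uninitialized before `if (entry)`; add an `#else` fallback to the stock 0444 entry or document the Kconfig constraint. The same pattern appears in the kernel/configs.c hunk and should be fixed in both places.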
30768 +diff -Nurp linux-2.6.23.15/kernel/kprobes.c linux-2.6.23.15-grsec/kernel/kprobes.c
30769 +--- linux-2.6.23.15/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
30770 ++++ linux-2.6.23.15-grsec/kernel/kprobes.c 2008-02-11 10:37:45.000000000 +0000
30771 +@@ -168,7 +168,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
30772 + * kernel image and loaded module images reside. This is required
30773 + * so x86_64 can correctly handle the %rip-relative fixups.
30774 + */
30775 +- kip->insns = module_alloc(PAGE_SIZE);
30776 ++ kip->insns = module_alloc_exec(PAGE_SIZE);
30777 + if (!kip->insns) {
30778 + kfree(kip);
30779 + return NULL;
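Review bot: get_insn_slot() now calls module_alloc_exec() and collect_one_slot() calls module_free_exec(), so every architecture that builds kprobes must provide both, including those where PaX KERNEXEC does not exist; otherwise the kernel fails to link with kprobes enabled. Provide fallbacks that map to module_alloc()/module_free() when KERNEXEC is off.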
30780 +@@ -200,7 +200,7 @@ static int __kprobes collect_one_slot(st
30781 + hlist_add_head(&kip->hlist,
30782 + &kprobe_insn_pages);
30783 + } else {
30784 +- module_free(NULL, kip->insns);
30785 ++ module_free_exec(NULL, kip->insns);
30786 + kfree(kip);
30787 + }
30788 + return 1;
30789 +diff -Nurp linux-2.6.23.15/kernel/module.c linux-2.6.23.15-grsec/kernel/module.c
30790 +--- linux-2.6.23.15/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
30791 ++++ linux-2.6.23.15-grsec/kernel/module.c 2008-02-11 10:37:45.000000000 +0000
30792 +@@ -44,6 +44,11 @@
30793 + #include <asm/uaccess.h>
30794 + #include <asm/semaphore.h>
30795 + #include <asm/cacheflush.h>
30796 ++
30797 ++#ifdef CONFIG_PAX_KERNEXEC
30798 ++#include <asm/desc.h>
30799 ++#endif
30800 ++
30801 + #include <linux/license.h>
30802 +
30803 + extern int module_sysfs_initialized;
30804 +@@ -68,6 +73,8 @@ static LIST_HEAD(modules);
30805 +
30806 + static BLOCKING_NOTIFIER_HEAD(module_notify_list);
30807 +
30808 ++extern int gr_check_modstop(void);
30809 ++
30810 + int register_module_notifier(struct notifier_block * nb)
30811 + {
30812 + return blocking_notifier_chain_register(&module_notify_list, nb);
30813 +@@ -347,7 +354,7 @@ static void *percpu_modalloc(unsigned lo
30814 + unsigned int i;
30815 + void *ptr;
30816 +
30817 +- if (align > PAGE_SIZE) {
30818 ++ if (align-1 >= PAGE_SIZE) {
30819 + printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
30820 + name, align, PAGE_SIZE);
30821 + align = PAGE_SIZE;
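Review bot: `align-1 >= PAGE_SIZE` equals `align > PAGE_SIZE` for every value except 0, where the unsigned wrap-around makes it true and so clamps a zero alignment to PAGE_SIZE; if that is the purpose, write `align == 0 || align > PAGE_SIZE` so the intent is visible, and note that the warning text will then print `0 > PAGE_SIZE` for that case, which reads oddly.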
30822 +@@ -660,6 +667,9 @@ sys_delete_module(const char __user *nam
30823 + char name[MODULE_NAME_LEN];
30824 + int ret, forced = 0;
30825 +
30826 ++ if (gr_check_modstop())
30827 ++ return -EPERM;
30828 ++
30829 + if (!capable(CAP_SYS_MODULE))
30830 + return -EPERM;
30831 +
30832 +@@ -1209,16 +1219,19 @@ static void free_module(struct module *m
30833 + module_unload_free(mod);
30834 +
30835 + /* This may be NULL, but that's OK */
30836 +- module_free(mod, mod->module_init);
30837 ++ module_free(mod, mod->module_init_rw);
30838 ++ module_free_exec(mod, mod->module_init_rx);
30839 + kfree(mod->args);
30840 + if (mod->percpu)
30841 + percpu_modfree(mod->percpu);
30842 +
30843 + /* Free lock-classes: */
30844 +- lockdep_free_key_range(mod->module_core, mod->core_size);
30845 ++ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
30846 ++ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
30847 +
30848 + /* Finally, free the core (containing the module structure) */
30849 +- module_free(mod, mod->module_core);
30850 ++ module_free_exec(mod, mod->module_core_rx);
30851 ++ module_free(mod, mod->module_core_rw);
30852 + }
30853 +
30854 + void *__symbol_get(const char *symbol)
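Review bot: `module_free(mod, mod->module_init_rw)` and `module_free_exec(mod, mod->module_init_rx)` both sit under the existing comment "This may be NULL, but that's OK", so module_free_exec() must tolerate a NULL pointer exactly as module_free() does; make that part of its contract on every architecture that provides it. Splitting lockdep_free_key_range() into separate rx and rw calls is right, since the two are now disjoint allocations.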
30855 +@@ -1279,10 +1292,14 @@ static int simplify_symbols(Elf_Shdr *se
30856 + struct module *mod)
30857 + {
30858 + Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
30859 +- unsigned long secbase;
30860 ++ unsigned long secbase, symbol;
30861 + unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
30862 + int ret = 0;
30863 +
30864 ++#ifdef CONFIG_PAX_KERNEXEC
30865 ++ unsigned long cr0;
30866 ++#endif
30867 ++
30868 + for (i = 1; i < n; i++) {
30869 + switch (sym[i].st_shndx) {
30870 + case SHN_COMMON:
30871 +@@ -1301,10 +1318,19 @@ static int simplify_symbols(Elf_Shdr *se
30872 + break;
30873 +
30874 + case SHN_UNDEF:
30875 +- sym[i].st_value
30876 +- = resolve_symbol(sechdrs, versindex,
30877 ++ symbol = resolve_symbol(sechdrs, versindex,
30878 + strtab + sym[i].st_name, mod);
30879 +
30880 ++#ifdef CONFIG_PAX_KERNEXEC
30881 ++ pax_open_kernel(cr0);
30882 ++#endif
30883 ++
30884 ++ sym[i].st_value = symbol;
30885 ++
30886 ++#ifdef CONFIG_PAX_KERNEXEC
30887 ++ pax_close_kernel(cr0);
30888 ++#endif
30889 ++
30890 + /* Ok if resolved. */
30891 + if (sym[i].st_value != 0)
30892 + break;
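Review bot: opening and closing the kernel around a single store (`pax_open_kernel(cr0)` / `sym[i].st_value = symbol` / `pax_close_kernel(cr0)`) toggles write protection once per SHN_UNDEF symbol; hoisting one open/close around the loop would cut the cr0 writes at the cost of a longer writable window, and whichever is chosen should be stated. The five-line `#ifdef` sandwich recurs throughout this file and would read better as one helper that does open, store, close.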
30893 +@@ -1319,11 +1345,27 @@ static int simplify_symbols(Elf_Shdr *se
30894 +
30895 + default:
30896 + /* Divert to percpu allocation if a percpu var. */
30897 +- if (sym[i].st_shndx == pcpuindex)
30898 ++ if (sym[i].st_shndx == pcpuindex) {
30899 ++
30900 ++#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
30901 ++ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
30902 ++#else
30903 + secbase = (unsigned long)mod->percpu;
30904 +- else
30905 ++#endif
30906 ++
30907 ++ } else
30908 + secbase = sechdrs[sym[i].st_shndx].sh_addr;
30909 ++
30910 ++#ifdef CONFIG_PAX_KERNEXEC
30911 ++ pax_open_kernel(cr0);
30912 ++#endif
30913 ++
30914 + sym[i].st_value += secbase;
30915 ++
30916 ++#ifdef CONFIG_PAX_KERNEXEC
30917 ++ pax_close_kernel(cr0);
30918 ++#endif
30919 ++
30920 + break;
30921 + }
30922 + }
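Review bot: the X86_32+SMP `secbase = mod->percpu - __per_cpu_start` rebase is a percpu-addressing change unrelated to KERNEXEC write protection and needs its own explanation (or its own patch); as the hunk stands a reader cannot tell whether it is required by PaX or is a separate bug fix. Style: the new `if (...) { ... } else` leaves the `else` body (`secbase = sechdrs[...]`) unbraced next to a braced `if`; brace both branches.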
30923 +@@ -1375,11 +1417,14 @@ static void layout_sections(struct modul
30924 + || strncmp(secstrings + s->sh_name,
30925 + ".init", 5) == 0)
30926 + continue;
30927 +- s->sh_entsize = get_offset(&mod->core_size, s);
30928 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
30929 ++ s->sh_entsize = get_offset(&mod->core_size_rw, s);
30930 ++ else
30931 ++ s->sh_entsize = get_offset(&mod->core_size_rx, s);
30932 + DEBUGP("\t%s\n", secstrings + s->sh_name);
30933 + }
30934 + if (m == 0)
30935 +- mod->core_text_size = mod->core_size;
30936 ++ mod->core_size_rx = mod->core_size_rx;
30937 + }
30938 +
30939 + DEBUGP("Init section allocation order:\n");
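Review bot: `mod->core_size_rx = mod->core_size_rx;` is a self-assignment and does nothing; the stock line recorded the text boundary in `mod->core_text_size` after the first pass (`m == 0`). With the rx/rw split the text end is `core_size_rx` after that pass, so either drop the `if (m == 0)` block entirely or keep assigning `core_text_size` for whatever still reads it.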
30940 +@@ -1393,12 +1438,15 @@ static void layout_sections(struct modul
30941 + || strncmp(secstrings + s->sh_name,
30942 + ".init", 5) != 0)
30943 + continue;
30944 +- s->sh_entsize = (get_offset(&mod->init_size, s)
30945 +- | INIT_OFFSET_MASK);
30946 ++ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
30947 ++ s->sh_entsize = get_offset(&mod->init_size_rw, s);
30948 ++ else
30949 ++ s->sh_entsize = get_offset(&mod->init_size_rx, s);
30950 ++ s->sh_entsize |= INIT_OFFSET_MASK;
30951 + DEBUGP("\t%s\n", secstrings + s->sh_name);
30952 + }
30953 + if (m == 0)
30954 +- mod->init_text_size = mod->init_size;
30955 ++ mod->init_size_rx = mod->init_size_rx;
30956 + }
30957 + }
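Review bot: `mod->init_size_rx = mod->init_size_rx;` is a no-op self-assignment where the stock code set `mod->init_text_size`; drop the `if (m == 0)` block or assign the field that consumers still read. Moving the `INIT_OFFSET_MASK` OR into its own statement is fine.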
30958 +
30959 +@@ -1525,14 +1573,31 @@ static void add_kallsyms(struct module *
30960 + {
30961 + unsigned int i;
30962 +
30963 ++#ifdef CONFIG_PAX_KERNEXEC
30964 ++ unsigned long cr0;
30965 ++#endif
30966 ++
30967 + mod->symtab = (void *)sechdrs[symindex].sh_addr;
30968 + mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
30969 + mod->strtab = (void *)sechdrs[strindex].sh_addr;
30970 +
30971 + /* Set types up while we still have access to sections. */
30972 +- for (i = 0; i < mod->num_symtab; i++)
30973 +- mod->symtab[i].st_info
30974 +- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
30975 ++
30976 ++ for (i = 0; i < mod->num_symtab; i++) {
30977 ++ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
30978 ++
30979 ++#ifdef CONFIG_PAX_KERNEXEC
30980 ++ pax_open_kernel(cr0);
30981 ++#endif
30982 ++
30983 ++ mod->symtab[i].st_info = type;
30984 ++
30985 ++#ifdef CONFIG_PAX_KERNEXEC
30986 ++ pax_close_kernel(cr0);
30987 ++#endif
30988 ++
30989 ++ }
30990 ++
30991 + }
30992 + #else
30993 + static inline void add_kallsyms(struct module *mod,
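Review bot: stray blank lines (after the "Set types up" comment and before the closing brace) and, again, a per-symbol `pax_open_kernel`/`pax_close_kernel` pair inside the loop; since `elf_type()` is evaluated outside the open window the loop is correct, just slow, so compute the types first and open once, store all, close once, or use a shared helper.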
30994 +@@ -1580,6 +1645,10 @@ static struct module *load_module(void _
30995 + struct exception_table_entry *extable;
30996 + mm_segment_t old_fs;
30997 +
30998 ++#ifdef CONFIG_PAX_KERNEXEC
30999 ++ unsigned long cr0;
31000 ++#endif
31001 ++
31002 + DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
31003 + umod, len, uargs);
31004 + if (len < sizeof(*hdr))
31005 +@@ -1738,21 +1807,57 @@ static struct module *load_module(void _
31006 + layout_sections(mod, hdr, sechdrs, secstrings);
31007 +
31008 + /* Do the allocs. */
31009 +- ptr = module_alloc(mod->core_size);
31010 ++ ptr = module_alloc(mod->core_size_rw);
31011 + if (!ptr) {
31012 + err = -ENOMEM;
31013 + goto free_percpu;
31014 + }
31015 +- memset(ptr, 0, mod->core_size);
31016 +- mod->module_core = ptr;
31017 ++ memset(ptr, 0, mod->core_size_rw);
31018 ++ mod->module_core_rw = ptr;
31019 ++
31020 ++ ptr = module_alloc(mod->init_size_rw);
31021 ++ if (!ptr && mod->init_size_rw) {
31022 ++ err = -ENOMEM;
31023 ++ goto free_core_rw;
31024 ++ }
31025 ++ memset(ptr, 0, mod->init_size_rw);
31026 ++ mod->module_init_rw = ptr;
31027 ++
31028 ++ ptr = module_alloc_exec(mod->core_size_rx);
31029 ++ if (!ptr) {
31030 ++ err = -ENOMEM;
31031 ++ goto free_init_rw;
31032 ++ }
31033 ++
31034 ++#ifdef CONFIG_PAX_KERNEXEC
31035 ++ pax_open_kernel(cr0);
31036 ++#endif
31037 +
31038 +- ptr = module_alloc(mod->init_size);
31039 +- if (!ptr && mod->init_size) {
31040 ++ memset(ptr, 0, mod->core_size_rx);
31041 ++
31042 ++#ifdef CONFIG_PAX_KERNEXEC
31043 ++ pax_close_kernel(cr0);
31044 ++#endif
31045 ++
31046 ++ mod->module_core_rx = ptr;
31047 ++
31048 ++ ptr = module_alloc_exec(mod->init_size_rx);
31049 ++ if (!ptr && mod->init_size_rx) {
31050 + err = -ENOMEM;
31051 +- goto free_core;
31052 ++ goto free_core_rx;
31053 + }
31054 +- memset(ptr, 0, mod->init_size);
31055 +- mod->module_init = ptr;
31056 ++
31057 ++#ifdef CONFIG_PAX_KERNEXEC
31058 ++ pax_open_kernel(cr0);
31059 ++#endif
31060 ++
31061 ++ memset(ptr, 0, mod->init_size_rx);
31062 ++
31063 ++#ifdef CONFIG_PAX_KERNEXEC
31064 ++ pax_close_kernel(cr0);
31065 ++#endif
31066 ++
31067 ++ mod->module_init_rx = ptr;
31068 +
31069 + /* Transfer each section which specifies SHF_ALLOC */
31070 + DEBUGP("final section addresses:\n");
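Review bot: the error labels `free_core_rw`, `free_init_rw` and `free_core_rx` are introduced by the `goto`s here but defined outside this hunk; verify that each unwinds exactly the allocations made so far with the matching allocator (module_free() for the _rw blocks, module_free_exec() for the _rx blocks), since a mismatched pairing on the error path either leaks or frees through the wrong allocator. The allocate, zero, publish sequence is repeated four times, two of them wrapped in open/close; a small helper would make the ordering obviously identical for all four.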
31071 +@@ -1762,17 +1867,41 @@ static struct module *load_module(void _
31072 + if (!(sechdrs[i].sh_flags & SHF_ALLOC))
31073 + continue;
31074 +
31075 +- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
31076 +- dest = mod->module_init
31077 +- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31078 +- else
31079 +- dest = mod->module_core + sechdrs[i].sh_entsize;
31080 ++ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
31081 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
31082 ++ dest = mod->module_init_rw
31083 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31084 ++ else
31085 ++ dest = mod->module_init_rx
31086 ++ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
31087 ++ } else {
31088 ++ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
31089 ++ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
31090 ++ else
31091 ++ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
31092 ++ }
31093 ++
31094 ++ if (sechdrs[i].sh_type != SHT_NOBITS) {
31095 +
31096 +- if (sechdrs[i].sh_type != SHT_NOBITS)
31097 +- memcpy(dest, (void *)sechdrs[i].sh_addr,
31098 +- sechdrs[i].sh_size);
31099 ++#ifdef CONFIG_PAX_KERNEXEC
31100 ++ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
31101 ++ pax_open_kernel(cr0);
31102 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
31103 ++ pax_close_kernel(cr0);
31104 ++ } else
31105 ++#endif
31106 ++
31107 ++ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
31108 ++ }
31109 + /* Update sh_addr to point to copy in image. */
31110 +- sechdrs[i].sh_addr = (unsigned long)dest;
31111 ++
31112 ++#ifdef CONFIG_PAX_KERNEXEC
31113 ++ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
31114 ++ sechdrs[i].sh_addr = (unsigned long)dest - __KERNEL_TEXT_OFFSET;
31115 ++ else
31116 ++#endif
31117 ++
31118 ++ sechdrs[i].sh_addr = (unsigned long)dest;
31119 + DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
31120 + }
31121 + /* Module has been moved. */
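Review bot: the `|| !(sechdrs[i].sh_flags & SHF_ALLOC)` half of the two new placement conditions (and of the memcpy condition under CONFIG_PAX_KERNEXEC) can never be true, because non-SHF_ALLOC sections were already skipped by the `continue` at the top of the loop; testing `sh_flags & SHF_WRITE` alone says the same thing and is easier to read. The `} else` left dangling before `#endif`, followed by a blank line and the fallback memcpy, is correct but easy to misread; an `#else` arm holding the plain memcpy would be clearer. Also note that only SHF_EXECINSTR sections get the `dest - __KERNEL_TEXT_OFFSET` adjustment while read-only non-executable sections share the rx allocation at unshifted addresses; that asymmetry is what the later within()/get_ksymbol() hunks have to cope with.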
31122 +@@ -1892,12 +2021,12 @@ static struct module *load_module(void _
31123 + * Do it before processing of module parameters, so the module
31124 + * can provide parameter accessor functions of its own.
31125 + */
31126 +- if (mod->module_init)
31127 +- flush_icache_range((unsigned long)mod->module_init,
31128 +- (unsigned long)mod->module_init
31129 +- + mod->init_size);
31130 +- flush_icache_range((unsigned long)mod->module_core,
31131 +- (unsigned long)mod->module_core + mod->core_size);
31132 ++ if (mod->module_init_rx)
31133 ++ flush_icache_range((unsigned long)mod->module_init_rx,
31134 ++ (unsigned long)mod->module_init_rx
31135 ++ + mod->init_size_rx);
31136 ++ flush_icache_range((unsigned long)mod->module_core_rx,
31137 ++ (unsigned long)mod->module_core_rx + mod->core_size_rx);
31138 +
31139 + set_fs(old_fs);
31140 +
31141 +@@ -1940,9 +2069,13 @@ static struct module *load_module(void _
31142 + module_arch_cleanup(mod);
31143 + cleanup:
31144 + module_unload_free(mod);
31145 +- module_free(mod, mod->module_init);
31146 +- free_core:
31147 +- module_free(mod, mod->module_core);
31148 ++ module_free_exec(mod, mod->module_init_rx);
31149 ++ free_core_rx:
31150 ++ module_free_exec(mod, mod->module_core_rx);
31151 ++ free_init_rw:
31152 ++ module_free(mod, mod->module_init_rw);
31153 ++ free_core_rw:
31154 ++ module_free(mod, mod->module_core_rw);
31155 + free_percpu:
31156 + if (percpu)
31157 + percpu_modfree(percpu);
31158 +@@ -1978,6 +2111,9 @@ sys_init_module(void __user *umod,
31159 + struct module *mod;
31160 + int ret = 0;
31161 +
31162 ++ if (gr_check_modstop())
31163 ++ return -EPERM;
31164 ++
31165 + /* Must have permission */
31166 + if (!capable(CAP_SYS_MODULE))
31167 + return -EPERM;
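Review bot: gr_check_modstop() returns -EPERM before the CAP_SYS_MODULE test, so once module loading has been stopped even a fully privileged caller is refused; that is presumably the intent, but a one-line comment would keep the next reader from "fixing" the order by moving it below the capability check. If unloading is meant to be frozen too, the same hook needs to appear in sys_delete_module(), which is not in this hunk.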
31168 +@@ -2029,10 +2165,12 @@ sys_init_module(void __user *umod,
31169 + /* Drop initial reference. */
31170 + module_put(mod);
31171 + unwind_remove_table(mod->unwind_info, 1);
31172 +- module_free(mod, mod->module_init);
31173 +- mod->module_init = NULL;
31174 +- mod->init_size = 0;
31175 +- mod->init_text_size = 0;
31176 ++ module_free(mod, mod->module_init_rw);
31177 ++ module_free_exec(mod, mod->module_init_rx);
31178 ++ mod->module_init_rw = NULL;
31179 ++ mod->module_init_rx = NULL;
31180 ++ mod->init_size_rw = 0;
31181 ++ mod->init_size_rx = 0;
31182 + mutex_unlock(&module_mutex);
31183 +
31184 + return 0;
31185 +@@ -2040,6 +2178,13 @@ sys_init_module(void __user *umod,
31186 +
31187 + static inline int within(unsigned long addr, void *start, unsigned long size)
31188 + {
31189 ++
31190 ++#ifdef CONFIG_PAX_KERNEXEC
31191 ++ if (addr + __KERNEL_TEXT_OFFSET >= (unsigned long)start &&
31192 ++ addr + __KERNEL_TEXT_OFFSET < (unsigned long)start + size)
31193 ++ return 1;
31194 ++#endif
31195 ++
31196 + return ((void *)addr >= start && (void *)addr < start + size);
31197 + }
31198 +
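Review bot: the KERNEXEC branch in within() applies the __KERNEL_TEXT_OFFSET shift to every range it is called with, but only SHF_EXECINSTR sections had their sh_addr shifted in the copy loop above, so a call like within(addr, mod->module_core_rw, mod->core_size_rw) now also accepts an unrelated address whose value plus the offset happens to land in the rw region. Consider a separate helper (or a flag) so the shifted comparison is only used for the rx ranges where the shift was applied; note too that `addr + __KERNEL_TEXT_OFFSET` can wrap for large addr.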
31199 +@@ -2063,10 +2208,14 @@ static const char *get_ksymbol(struct mo
31200 + unsigned long nextval;
31201 +
31202 + /* At worse, next value is at end of module */
31203 +- if (within(addr, mod->module_init, mod->init_size))
31204 +- nextval = (unsigned long)mod->module_init+mod->init_text_size;
31205 +- else
31206 +- nextval = (unsigned long)mod->module_core+mod->core_text_size;
31207 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx))
31208 ++ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
31209 ++ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
31210 ++ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
31211 ++ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
31212 ++ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
31213 ++ else
31214 ++ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
31215 +
31216 + /* Scan for closest preceeding symbol, and next symbol. (ELF
31217 + starts real symbols at 1). */
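Review bot: nextval is computed from the unshifted region base (module_init_rx + init_size_rx and so on), while under CONFIG_PAX_KERNEXEC the text sections were relocated to `dest - __KERNEL_TEXT_OFFSET`, so for a text address the upper bound and the symbol values being scanned live in different address spaces; check that the size reported for the last function in a text region is still correct in a KERNEXEC build. Bounding on init_size_rx/core_size_rx instead of the old init_text_size/core_text_size also means the last text symbol is now bounded by the end of rodata rather than the end of text unless a rodata symbol happens to precede it in the symbol table.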
31218 +@@ -2109,8 +2258,10 @@ const char *module_address_lookup(unsign
31219 + struct module *mod;
31220 +
31221 + list_for_each_entry(mod, &modules, list) {
31222 +- if (within(addr, mod->module_init, mod->init_size)
31223 +- || within(addr, mod->module_core, mod->core_size)) {
31224 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31225 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31226 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31227 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31228 + if (modname)
31229 + *modname = mod->name;
31230 + return get_ksymbol(mod, addr, size, offset);
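Review bot: the same four-way within() test over init_rx/init_rw/core_rx/core_rw is repeated verbatim here and in lookup_module_symbol_name(), lookup_module_symbol_attrs() and the is_module_address()/__module_text_address() variants below; a small static helper such as within_module(mod, addr) would keep the checks in sync and make it harder to miss one of the four regions when another caller is added.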
31231 +@@ -2125,8 +2276,10 @@ int lookup_module_symbol_name(unsigned l
31232 +
31233 + mutex_lock(&module_mutex);
31234 + list_for_each_entry(mod, &modules, list) {
31235 +- if (within(addr, mod->module_init, mod->init_size) ||
31236 +- within(addr, mod->module_core, mod->core_size)) {
31237 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31238 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31239 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31240 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31241 + const char *sym;
31242 +
31243 + sym = get_ksymbol(mod, addr, NULL, NULL);
31244 +@@ -2149,8 +2302,10 @@ int lookup_module_symbol_attrs(unsigned
31245 +
31246 + mutex_lock(&module_mutex);
31247 + list_for_each_entry(mod, &modules, list) {
31248 +- if (within(addr, mod->module_init, mod->init_size) ||
31249 +- within(addr, mod->module_core, mod->core_size)) {
31250 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
31251 ++ within(addr, mod->module_init_rw, mod->init_size_rw) ||
31252 ++ within(addr, mod->module_core_rx, mod->core_size_rx) ||
31253 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31254 + const char *sym;
31255 +
31256 + sym = get_ksymbol(mod, addr, size, offset);
31257 +@@ -2270,7 +2425,7 @@ static int m_show(struct seq_file *m, vo
31258 + char buf[8];
31259 +
31260 + seq_printf(m, "%s %lu",
31261 +- mod->name, mod->init_size + mod->core_size);
31262 ++ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
31263 + print_unload_info(m, mod);
31264 +
31265 + /* Informative for users. */
31266 +@@ -2279,7 +2434,7 @@ static int m_show(struct seq_file *m, vo
31267 + mod->state == MODULE_STATE_COMING ? "Loading":
31268 + "Live");
31269 + /* Used by oprofile and other similar tools. */
31270 +- seq_printf(m, " 0x%p", mod->module_core);
31271 ++ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
31272 +
31273 + /* Taints info */
31274 + if (mod->taints)
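Review bot: this changes the /proc/modules line format: the single load-address field that the comment above says oprofile and similar tools consume is now two fields, so any parser that takes the last field or counts fields (the taint info that follows shifts by one) will break. If the rw base really needs to be exported, appending it after the existing fields, or documenting the new layout, would limit the fallout.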
31275 +@@ -2335,7 +2490,8 @@ int is_module_address(unsigned long addr
31276 + preempt_disable();
31277 +
31278 + list_for_each_entry(mod, &modules, list) {
31279 +- if (within(addr, mod->module_core, mod->core_size)) {
31280 ++ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
31281 ++ within(addr, mod->module_core_rw, mod->core_size_rw)) {
31282 + preempt_enable();
31283 + return 1;
31284 + }
31285 +@@ -2353,8 +2509,8 @@ struct module *__module_text_address(uns
31286 + struct module *mod;
31287 +
31288 + list_for_each_entry(mod, &modules, list)
31289 +- if (within(addr, mod->module_init, mod->init_text_size)
31290 +- || within(addr, mod->module_core, mod->core_text_size))
31291 ++ if (within(addr, mod->module_init_rx, mod->init_size_rx)
31292 ++ || within(addr, mod->module_core_rx, mod->core_size_rx))
31293 + return mod;
31294 + return NULL;
31295 + }
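Review bot: __module_text_address() now spans the whole rx region (init_size_rx/core_size_rx) instead of the text-only sizes (init_text_size/core_text_size) the original bounded on, so read-only data placed in the rx allocation is reported as module text; callers that use this to validate code pointers will accept rodata addresses as well. If rodata has to share the rx allocation, keep a separate text size for this check.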
31296 +diff -Nurp linux-2.6.23.15/kernel/mutex.c linux-2.6.23.15-grsec/kernel/mutex.c
31297 +--- linux-2.6.23.15/kernel/mutex.c 2007-10-09 21:31:38.000000000 +0100
31298 ++++ linux-2.6.23.15-grsec/kernel/mutex.c 2008-02-11 10:37:45.000000000 +0000
31299 +@@ -81,7 +81,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
31300 + *
31301 + * This function is similar to (but not equivalent to) down().
31302 + */
31303 +-void inline fastcall __sched mutex_lock(struct mutex *lock)
31304 ++inline void fastcall __sched mutex_lock(struct mutex *lock)
31305 + {
31306 + might_sleep();
31307 + /*
31308 +diff -Nurp linux-2.6.23.15/kernel/params.c linux-2.6.23.15-grsec/kernel/params.c
31309 +--- linux-2.6.23.15/kernel/params.c 2008-02-11 10:36:03.000000000 +0000
31310 ++++ linux-2.6.23.15-grsec/kernel/params.c 2008-02-11 10:37:45.000000000 +0000
31311 +@@ -275,7 +275,7 @@ static int param_array(const char *name,
31312 + unsigned int min, unsigned int max,
31313 + void *elem, int elemsize,
31314 + int (*set)(const char *, struct kernel_param *kp),
31315 +- int *num)
31316 ++ unsigned int *num)
31317 + {
31318 + int ret;
31319 + struct kernel_param kp;
31320 +diff -Nurp linux-2.6.23.15/kernel/pid.c linux-2.6.23.15-grsec/kernel/pid.c
31321 +--- linux-2.6.23.15/kernel/pid.c 2007-10-09 21:31:38.000000000 +0100
31322 ++++ linux-2.6.23.15-grsec/kernel/pid.c 2008-02-11 10:37:45.000000000 +0000
31323 +@@ -28,6 +28,7 @@
31324 + #include <linux/hash.h>
31325 + #include <linux/pid_namespace.h>
31326 + #include <linux/init_task.h>
31327 ++#include <linux/grsecurity.h>
31328 +
31329 + #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
31330 + static struct hlist_head *pid_hash;
31331 +@@ -37,7 +38,7 @@ struct pid init_struct_pid = INIT_STRUCT
31332 +
31333 + int pid_max = PID_MAX_DEFAULT;
31334 +
31335 +-#define RESERVED_PIDS 300
31336 ++#define RESERVED_PIDS 500
31337 +
31338 + int pid_max_min = RESERVED_PIDS + 1;
31339 + int pid_max_max = PID_MAX_LIMIT;
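Review bot: raising RESERVED_PIDS from 300 to 500 also raises pid_max_min (RESERVED_PIDS + 1), so kernel.pid_max values between 301 and 500 that were accepted before are now rejected by the sysctl; a short comment on why 500 is needed would help, and it is worth checking that no init script sets pid_max that low.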
31340 +@@ -309,7 +310,14 @@ struct task_struct * fastcall pid_task(s
31341 + */
31342 + struct task_struct *find_task_by_pid_type(int type, int nr)
31343 + {
31344 +- return pid_task(find_pid(nr), type);
31345 ++ struct task_struct *task;
31346 ++
31347 ++ task = pid_task(find_pid(nr), type);
31348 ++
31349 ++ if (gr_pid_is_chrooted(task))
31350 ++ return NULL;
31351 ++
31352 ++ return task;
31353 + }
31354 +
31355 + EXPORT_SYMBOL(find_task_by_pid_type);
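Review bot: gr_pid_is_chrooted() is handed the raw result of pid_task(), which can be NULL; either make sure gr_pid_is_chrooted() tolerates a NULL task or guard the call with `if (task && gr_pid_is_chrooted(task))`. Since find_task_by_pid_type() backs find_task_by_pid() and most pid lookups in the kernel, the chroot filter changes the semantics of every caller; the patch special-cases sys_setpgid() (see the kernel/sys.c hunk), so the remaining callers that need an unfiltered lookup should be audited the same way.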
31356 +diff -Nurp linux-2.6.23.15/kernel/posix-cpu-timers.c linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c
31357 +--- linux-2.6.23.15/kernel/posix-cpu-timers.c 2007-10-09 21:31:38.000000000 +0100
31358 ++++ linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c 2008-02-11 10:37:45.000000000 +0000
31359 +@@ -6,6 +6,7 @@
31360 + #include <linux/posix-timers.h>
31361 + #include <asm/uaccess.h>
31362 + #include <linux/errno.h>
31363 ++#include <linux/grsecurity.h>
31364 +
31365 + static int check_clock(const clockid_t which_clock)
31366 + {
31367 +@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
31368 + __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
31369 + return;
31370 + }
31371 ++ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
31372 + if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
31373 + /*
31374 + * At the soft limit, send a SIGXCPU every second.
31375 +diff -Nurp linux-2.6.23.15/kernel/power/poweroff.c linux-2.6.23.15-grsec/kernel/power/poweroff.c
31376 +--- linux-2.6.23.15/kernel/power/poweroff.c 2007-10-09 21:31:38.000000000 +0100
31377 ++++ linux-2.6.23.15-grsec/kernel/power/poweroff.c 2008-02-11 10:37:45.000000000 +0000
31378 +@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
31379 + .enable_mask = SYSRQ_ENABLE_BOOT,
31380 + };
31381 +
31382 +-static int pm_sysrq_init(void)
31383 ++static int __init pm_sysrq_init(void)
31384 + {
31385 + register_sysrq_key('o', &sysrq_poweroff_op);
31386 + return 0;
31387 +diff -Nurp linux-2.6.23.15/kernel/printk.c linux-2.6.23.15-grsec/kernel/printk.c
31388 +--- linux-2.6.23.15/kernel/printk.c 2007-10-09 21:31:38.000000000 +0100
31389 ++++ linux-2.6.23.15-grsec/kernel/printk.c 2008-02-11 10:37:45.000000000 +0000
31390 +@@ -31,6 +31,7 @@
31391 + #include <linux/bootmem.h>
31392 + #include <linux/syscalls.h>
31393 + #include <linux/jiffies.h>
31394 ++#include <linux/grsecurity.h>
31395 +
31396 + #include <asm/uaccess.h>
31397 +
31398 +@@ -184,6 +185,11 @@ int do_syslog(int type, char __user *buf
31399 + char c;
31400 + int error = 0;
31401 +
31402 ++#ifdef CONFIG_GRKERNSEC_DMESG
31403 ++ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
31404 ++ return -EPERM;
31405 ++#endif
31406 ++
31407 + error = security_syslog(type);
31408 + if (error)
31409 + return error;
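Review bot: the CONFIG_GRKERNSEC_DMESG check runs before security_syslog() and applies to every do_syslog type, including the open/close types (0 and 1) and the size queries, not just reading or clearing the log; if the goal is to hide log contents from callers without CAP_SYS_ADMIN, restricting it to the read and clear types keeps unprivileged klogctl(0)/klogctl(1) calls working as before. A comment on the `grsec_enable_dmesg` sysctl semantics next to the check would also help.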
31410 +diff -Nurp linux-2.6.23.15/kernel/ptrace.c linux-2.6.23.15-grsec/kernel/ptrace.c
31411 +--- linux-2.6.23.15/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
31412 ++++ linux-2.6.23.15-grsec/kernel/ptrace.c 2008-02-11 10:37:45.000000000 +0000
31413 +@@ -19,6 +19,7 @@
31414 + #include <linux/security.h>
31415 + #include <linux/signal.h>
31416 + #include <linux/audit.h>
31417 ++#include <linux/grsecurity.h>
31418 +
31419 + #include <asm/pgtable.h>
31420 + #include <asm/uaccess.h>
31421 +@@ -138,12 +139,12 @@ static int may_attach(struct task_struct
31422 + (current->uid != task->uid) ||
31423 + (current->gid != task->egid) ||
31424 + (current->gid != task->sgid) ||
31425 +- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
31426 ++ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
31427 + return -EPERM;
31428 + smp_rmb();
31429 + if (task->mm)
31430 + dumpable = get_dumpable(task->mm);
31431 +- if (!dumpable && !capable(CAP_SYS_PTRACE))
31432 ++ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
31433 + return -EPERM;
31434 +
31435 + return security_ptrace(current, task);
31436 +@@ -480,6 +481,11 @@ asmlinkage long sys_ptrace(long request,
31437 + if (ret < 0)
31438 + goto out_put_task_struct;
31439 +
31440 ++ if (gr_handle_ptrace(child, request)) {
31441 ++ ret = -EPERM;
31442 ++ goto out_put_task_struct;
31443 ++ }
31444 ++
31445 + ret = arch_ptrace(child, request, addr, data);
31446 + if (ret < 0)
31447 + goto out_put_task_struct;
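Review bot: gr_handle_ptrace() is placed after the `if (ret < 0) goto out_put_task_struct;` that guards arch_ptrace(), so any request that sys_ptrace() handles and jumps out of before this point never reaches the hook; confirm that PTRACE_ATTACH and PTRACE_TRACEME are either covered elsewhere (e.g. in may_attach(), where the hunk above only swaps capable() for capable_nolog()) or intentionally excluded, since a ptrace restriction that does not see attach requests gates little.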
31448 +diff -Nurp linux-2.6.23.15/kernel/rcupdate.c linux-2.6.23.15-grsec/kernel/rcupdate.c
31449 +--- linux-2.6.23.15/kernel/rcupdate.c 2007-10-09 21:31:38.000000000 +0100
31450 ++++ linux-2.6.23.15-grsec/kernel/rcupdate.c 2008-02-11 10:37:45.000000000 +0000
31451 +@@ -63,11 +63,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
31452 + .cpumask = CPU_MASK_NONE,
31453 + };
31454 +
31455 +-DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
31456 +-DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
31457 ++DEFINE_PER_CPU(struct rcu_data, rcu_data);
31458 ++DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
31459 +
31460 + /* Fake initialization required by compiler */
31461 +-static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
31462 ++static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
31463 + static int blimit = 10;
31464 + static int qhimark = 10000;
31465 + static int qlowmark = 100;
31466 +diff -Nurp linux-2.6.23.15/kernel/relay.c linux-2.6.23.15-grsec/kernel/relay.c
31467 +--- linux-2.6.23.15/kernel/relay.c 2008-02-11 10:36:03.000000000 +0000
31468 ++++ linux-2.6.23.15-grsec/kernel/relay.c 2008-02-11 10:37:45.000000000 +0000
31469 +@@ -1140,7 +1140,7 @@ static int subbuf_splice_actor(struct fi
31470 + return 0;
31471 +
31472 + ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
31473 +- if (ret < 0 || ret < total_len)
31474 ++ if ((int)ret < 0 || ret < total_len)
31475 + return ret;
31476 +
31477 + if (read_start + ret == nonpad_end)
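Review bot: casting ret to int to test for a negative value truncates on 64-bit, so a large positive return with bit 31 set would be treated as an error; if ret is unsigned (which the warning the original `ret < 0` produced implies), store the result of splice_to_pipe() in a local ssize_t, test that, and then assign it to ret and *nonpad_ret.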
31478 +diff -Nurp linux-2.6.23.15/kernel/resource.c linux-2.6.23.15-grsec/kernel/resource.c
31479 +--- linux-2.6.23.15/kernel/resource.c 2007-10-09 21:31:38.000000000 +0100
31480 ++++ linux-2.6.23.15-grsec/kernel/resource.c 2008-02-11 10:37:45.000000000 +0000
31481 +@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
31482 + {
31483 + struct proc_dir_entry *entry;
31484 +
31485 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
31486 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
31487 ++ entry = create_proc_entry("ioports", S_IRUSR, NULL);
31488 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
31489 ++ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
31490 ++#endif
31491 ++#else
31492 + entry = create_proc_entry("ioports", 0, NULL);
31493 ++#endif
31494 + if (entry)
31495 + entry->proc_fops = &proc_ioports_operations;
31496 ++
31497 ++#ifdef CONFIG_GRKERNSEC_PROC_ADD
31498 ++#ifdef CONFIG_GRKERNSEC_PROC_USER
31499 ++ entry = create_proc_entry("iomem", S_IRUSR, NULL);
31500 ++#elif CONFIG_GRKERNSEC_PROC_USERGROUP
31501 ++ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
31502 ++#endif
31503 ++#else
31504 + entry = create_proc_entry("iomem", 0, NULL);
31505 ++#endif
31506 + if (entry)
31507 + entry->proc_fops = &proc_iomem_operations;
31508 + return 0;
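Review bot: inside the CONFIG_GRKERNSEC_PROC_ADD branch there is no arm for the case where neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is set, leaving entry uninitialised before `if (entry)`; add an `#else` with the original create_proc_entry("ioports", 0, NULL) call, or make the Kconfig guarantee one of the two. `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` also relies on an undefined symbol evaluating to 0; `#elif defined(...)` matches the `#ifdef` above it. The same applies to the iomem block.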
31509 +diff -Nurp linux-2.6.23.15/kernel/sched.c linux-2.6.23.15-grsec/kernel/sched.c
31510 +--- linux-2.6.23.15/kernel/sched.c 2008-02-11 10:36:03.000000000 +0000
31511 ++++ linux-2.6.23.15-grsec/kernel/sched.c 2008-02-11 10:37:45.000000000 +0000
31512 +@@ -61,6 +61,7 @@
31513 + #include <linux/delayacct.h>
31514 + #include <linux/reciprocal_div.h>
31515 + #include <linux/unistd.h>
31516 ++#include <linux/grsecurity.h>
31517 +
31518 + #include <asm/tlb.h>
31519 +
31520 +@@ -3470,7 +3471,7 @@ pick_next_task(struct rq *rq, struct tas
31521 + asmlinkage void __sched schedule(void)
31522 + {
31523 + struct task_struct *prev, *next;
31524 +- long *switch_count;
31525 ++ unsigned long *switch_count;
31526 + struct rq *rq;
31527 + int cpu;
31528 +
31529 +@@ -4079,7 +4080,8 @@ asmlinkage long sys_nice(int increment)
31530 + if (nice > 19)
31531 + nice = 19;
31532 +
31533 +- if (increment < 0 && !can_nice(current, nice))
31534 ++ if (increment < 0 && (!can_nice(current, nice) ||
31535 ++ gr_handle_chroot_nice()))
31536 + return -EPERM;
31537 +
31538 + retval = security_task_setnice(current, nice);
31539 +@@ -5267,7 +5269,7 @@ static struct ctl_table sd_ctl_dir[] = {
31540 + .procname = "sched_domain",
31541 + .mode = 0555,
31542 + },
31543 +- {0,},
31544 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
31545 + };
31546 +
31547 + static struct ctl_table sd_ctl_root[] = {
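Review bot: the sentinel `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` is a positional initializer tied to the current field count and order of struct ctl_table, so it breaks as soon as the struct changes; the patch already uses the designated form `{ .ctl_name = 0 }` for pax_table in kernel/sysctl.c, which silences the same missing-initializer warning without the layout dependence. The same applies to sd_ctl_root in the next hunk.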
31548 +@@ -5277,7 +5279,7 @@ static struct ctl_table sd_ctl_root[] =
31549 + .mode = 0555,
31550 + .child = sd_ctl_dir,
31551 + },
31552 +- {0,},
31553 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
31554 + };
31555 +
31556 + static struct ctl_table *sd_alloc_ctl_entry(int n)
31557 +diff -Nurp linux-2.6.23.15/kernel/signal.c linux-2.6.23.15-grsec/kernel/signal.c
31558 +--- linux-2.6.23.15/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
31559 ++++ linux-2.6.23.15-grsec/kernel/signal.c 2008-02-11 10:37:45.000000000 +0000
31560 +@@ -25,6 +25,7 @@
31561 + #include <linux/capability.h>
31562 + #include <linux/freezer.h>
31563 + #include <linux/pid_namespace.h>
31564 ++#include <linux/grsecurity.h>
31565 + #include <linux/nsproxy.h>
31566 +
31567 + #include <asm/param.h>
31568 +@@ -541,7 +542,9 @@ static int check_kill_permission(int sig
31569 + && (current->euid ^ t->suid) && (current->euid ^ t->uid)
31570 + && (current->uid ^ t->suid) && (current->uid ^ t->uid)
31571 + && !capable(CAP_KILL))
31572 +- return error;
31573 ++ return error;
31574 ++ if (gr_handle_signal(t, sig))
31575 ++ return error;
31576 + }
31577 +
31578 + return security_task_kill(t, info, sig, 0);
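Review bot: the new gr_handle_signal() call sits inside the enclosing if-block that the `}` at the end of this hunk closes, so signals that take the path around that block never reach it; confirm that is intended rather than placing the check just before security_task_kill(). The `- return error;` / `+ return error;` pair is a whitespace-only change and only adds noise to the hunk.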
31579 +@@ -758,7 +761,7 @@ static int __init setup_print_fatal_sign
31580 +
31581 + __setup("print-fatal-signals=", setup_print_fatal_signals);
31582 +
31583 +-static int
31584 ++int
31585 + specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
31586 + {
31587 + int ret = 0;
31588 +@@ -812,8 +815,12 @@ force_sig_info(int sig, struct siginfo *
31589 + }
31590 + }
31591 + ret = specific_send_sig_info(sig, info, t);
31592 ++
31593 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
31594 +
31595 ++ gr_log_signal(sig, t);
31596 ++ gr_handle_crash(t, sig);
31597 ++
31598 + return ret;
31599 + }
31600 +
31601 +diff -Nurp linux-2.6.23.15/kernel/softirq.c linux-2.6.23.15-grsec/kernel/softirq.c
31602 +--- linux-2.6.23.15/kernel/softirq.c 2007-10-09 21:31:38.000000000 +0100
31603 ++++ linux-2.6.23.15-grsec/kernel/softirq.c 2008-02-11 10:37:45.000000000 +0000
31604 +@@ -471,9 +471,9 @@ void tasklet_kill(struct tasklet_struct
31605 + printk("Attempt to kill tasklet from interrupt\n");
31606 +
31607 + while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
31608 +- do
31609 ++ do {
31610 + yield();
31611 +- while (test_bit(TASKLET_STATE_SCHED, &t->state));
31612 ++ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
31613 + }
31614 + tasklet_unlock_wait(t);
31615 + clear_bit(TASKLET_STATE_SCHED, &t->state);
31616 +diff -Nurp linux-2.6.23.15/kernel/sys.c linux-2.6.23.15-grsec/kernel/sys.c
31617 +--- linux-2.6.23.15/kernel/sys.c 2007-10-09 21:31:38.000000000 +0100
31618 ++++ linux-2.6.23.15-grsec/kernel/sys.c 2008-02-11 10:37:45.000000000 +0000
31619 +@@ -33,6 +33,7 @@
31620 + #include <linux/task_io_accounting_ops.h>
31621 + #include <linux/seccomp.h>
31622 + #include <linux/cpu.h>
31623 ++#include <linux/grsecurity.h>
31624 +
31625 + #include <linux/compat.h>
31626 + #include <linux/syscalls.h>
31627 +@@ -651,6 +652,12 @@ static int set_one_prio(struct task_stru
31628 + error = -EACCES;
31629 + goto out;
31630 + }
31631 ++
31632 ++ if (gr_handle_chroot_setpriority(p, niceval)) {
31633 ++ error = -EACCES;
31634 ++ goto out;
31635 ++ }
31636 ++
31637 + no_nice = security_task_setnice(p, niceval);
31638 + if (no_nice) {
31639 + error = no_nice;
31640 +@@ -707,10 +714,10 @@ asmlinkage long sys_setpriority(int whic
31641 + if ((who != current->uid) && !(user = find_user(who)))
31642 + goto out_unlock; /* No processes for this user */
31643 +
31644 +- do_each_thread(g, p)
31645 ++ do_each_thread(g, p) {
31646 + if (p->uid == who)
31647 + error = set_one_prio(p, niceval, error);
31648 +- while_each_thread(g, p);
31649 ++ } while_each_thread(g, p);
31650 + if (who != current->uid)
31651 + free_uid(user); /* For find_user() */
31652 + break;
31653 +@@ -769,13 +776,13 @@ asmlinkage long sys_getpriority(int whic
31654 + if ((who != current->uid) && !(user = find_user(who)))
31655 + goto out_unlock; /* No processes for this user */
31656 +
31657 +- do_each_thread(g, p)
31658 ++ do_each_thread(g, p) {
31659 + if (p->uid == who) {
31660 + niceval = 20 - task_nice(p);
31661 + if (niceval > retval)
31662 + retval = niceval;
31663 + }
31664 +- while_each_thread(g, p);
31665 ++ } while_each_thread(g, p);
31666 + if (who != current->uid)
31667 + free_uid(user); /* for find_user() */
31668 + break;
31669 +@@ -1047,6 +1054,9 @@ asmlinkage long sys_setregid(gid_t rgid,
31670 + if (rgid != (gid_t) -1 ||
31671 + (egid != (gid_t) -1 && egid != old_rgid))
31672 + current->sgid = new_egid;
31673 ++
31674 ++ gr_set_role_label(current, current->uid, new_rgid);
31675 ++
31676 + current->fsgid = new_egid;
31677 + current->egid = new_egid;
31678 + current->gid = new_rgid;
31679 +@@ -1074,6 +1084,9 @@ asmlinkage long sys_setgid(gid_t gid)
31680 + set_dumpable(current->mm, suid_dumpable);
31681 + smp_wmb();
31682 + }
31683 ++
31684 ++ gr_set_role_label(current, current->uid, gid);
31685 ++
31686 + current->gid = current->egid = current->sgid = current->fsgid = gid;
31687 + } else if ((gid == current->gid) || (gid == current->sgid)) {
31688 + if (old_egid != gid) {
31689 +@@ -1111,6 +1124,9 @@ static int set_user(uid_t new_ruid, int
31690 + set_dumpable(current->mm, suid_dumpable);
31691 + smp_wmb();
31692 + }
31693 ++
31694 ++ gr_set_role_label(current, new_ruid, current->gid);
31695 ++
31696 + current->uid = new_ruid;
31697 + return 0;
31698 + }
31699 +@@ -1213,6 +1229,9 @@ asmlinkage long sys_setuid(uid_t uid)
31700 + } else if ((uid != current->uid) && (uid != new_suid))
31701 + return -EPERM;
31702 +
31703 ++ if (gr_check_crash_uid(uid))
31704 ++ return -EPERM;
31705 ++
31706 + if (old_euid != uid) {
31707 + set_dumpable(current->mm, suid_dumpable);
31708 + smp_wmb();
31709 +@@ -1315,8 +1334,10 @@ asmlinkage long sys_setresgid(gid_t rgid
31710 + current->egid = egid;
31711 + }
31712 + current->fsgid = current->egid;
31713 +- if (rgid != (gid_t) -1)
31714 ++ if (rgid != (gid_t) -1) {
31715 ++ gr_set_role_label(current, current->uid, rgid);
31716 + current->gid = rgid;
31717 ++ }
31718 + if (sgid != (gid_t) -1)
31719 + current->sgid = sgid;
31720 +
31721 +@@ -1463,7 +1484,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
31722 + write_lock_irq(&tasklist_lock);
31723 +
31724 + err = -ESRCH;
31725 +- p = find_task_by_pid(pid);
31726 ++ /* grsec: replaced find_task_by_pid with equivalent call
31727 ++ which lacks the chroot restriction
31728 ++ */
31729 ++ p = pid_task(find_pid(pid), PIDTYPE_PID);
31730 + if (!p)
31731 + goto out;
31732 +
31733 +@@ -2183,7 +2207,7 @@ asmlinkage long sys_prctl(int option, un
31734 + error = get_dumpable(current->mm);
31735 + break;
31736 + case PR_SET_DUMPABLE:
31737 +- if (arg2 < 0 || arg2 > 1) {
31738 ++ if (arg2 > 1) {
31739 + error = -EINVAL;
31740 + break;
31741 + }
31742 +diff -Nurp linux-2.6.23.15/kernel/sysctl.c linux-2.6.23.15-grsec/kernel/sysctl.c
31743 +--- linux-2.6.23.15/kernel/sysctl.c 2008-02-11 10:36:24.000000000 +0000
31744 ++++ linux-2.6.23.15-grsec/kernel/sysctl.c 2008-02-11 10:37:45.000000000 +0000
31745 +@@ -56,6 +56,13 @@
31746 + #endif
31747 +
31748 + #if defined(CONFIG_SYSCTL)
31749 ++#include <linux/grsecurity.h>
31750 ++#include <linux/grinternal.h>
31751 ++
31752 ++extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
31753 ++extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
31754 ++ const int op);
31755 ++extern int gr_handle_chroot_sysctl(const int op);
31756 +
31757 + /* External variables not in a header file. */
31758 + extern int C_A_D;
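Review bot: the extern prototypes for gr_handle_sysctl(), gr_handle_sysctl_mod() and gr_handle_chroot_sysctl() belong in the header included two lines above (linux/grsecurity.h or linux/grinternal.h), not in the .c file, so the compiler can check them against the definitions. Also, gr_handle_sysctl() is declared to return __u32 while sysctl_perm() below stores its result in `int error` and returns it as an errno; a negative error code cannot round-trip through a __u32, so make the types agree.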
31759 +@@ -141,7 +148,7 @@ static int proc_dointvec_taint(ctl_table
31760 +
31761 + static ctl_table root_table[];
31762 + static struct ctl_table_header root_table_header =
31763 +- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
31764 ++ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
31765 +
31766 + static ctl_table kern_table[];
31767 + static ctl_table vm_table[];
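Review bot: `{ root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL }` is a positional initializer for struct ctl_table_header and depends on its field order and count; designated initializers (.ctl_table and .ctl_entry) would silence the same warning without the layout dependence, matching the style used for pax_table later in this file.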
31768 +@@ -158,11 +165,27 @@ extern ctl_table inotify_table[];
31769 + #ifdef CONFIG_ALPHA_UAC_SYSCTL
31770 + extern ctl_table uac_table[];
31771 + #endif
31772 ++extern ctl_table grsecurity_table[];
31773 +
31774 + #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
31775 + int sysctl_legacy_va_layout;
31776 + #endif
31777 +
31778 ++#ifdef CONFIG_PAX_SOFTMODE
31779 ++static ctl_table pax_table[] = {
31780 ++ {
31781 ++ .ctl_name = CTL_UNNUMBERED,
31782 ++ .procname = "softmode",
31783 ++ .data = &pax_softmode,
31784 ++ .maxlen = sizeof(unsigned int),
31785 ++ .mode = 0600,
31786 ++ .proc_handler = &proc_dointvec,
31787 ++ },
31788 ++
31789 ++ { .ctl_name = 0 }
31790 ++};
31791 ++#endif
31792 ++
31793 + extern int prove_locking;
31794 + extern int lock_stat;
31795 +
31796 +@@ -207,6 +230,16 @@ static ctl_table root_table[] = {
31797 + .mode = 0555,
31798 + .child = dev_table,
31799 + },
31800 ++
31801 ++#ifdef CONFIG_PAX_SOFTMODE
31802 ++ {
31803 ++ .ctl_name = CTL_UNNUMBERED,
31804 ++ .procname = "pax",
31805 ++ .mode = 0500,
31806 ++ .child = pax_table,
31807 ++ },
31808 ++#endif
31809 ++
31810 + /*
31811 + * NOTE: do not add new entries to this table unless you have read
31812 + * Documentation/sysctl/ctl_unnumbered.txt
31813 +@@ -777,6 +810,14 @@ static ctl_table kern_table[] = {
31814 + .proc_handler = &proc_dostring,
31815 + .strategy = &sysctl_string,
31816 + },
31817 ++#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
31818 ++ {
31819 ++ .ctl_name = KERN_GRSECURITY,
31820 ++ .procname = "grsecurity",
31821 ++ .mode = 0500,
31822 ++ .child = grsecurity_table,
31823 ++ },
31824 ++#endif
31825 + /*
31826 + * NOTE: do not add new entries to this table unless you have read
31827 + * Documentation/sysctl/ctl_unnumbered.txt
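Review bot: adding a numbered entry (.ctl_name = KERN_GRSECURITY) to kern_table goes against the note immediately below it about Documentation/sysctl/ctl_unnumbered.txt: binary sysctl numbers are a userspace ABI and must not collide with upstream assignments, and the pax entries in this same patch already use CTL_UNNUMBERED. Unless a binary sysctl(2) client needs the number, CTL_UNNUMBERED is the safer choice here too.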
31828 +@@ -1388,6 +1429,25 @@ static int test_perm(int mode, int op)
31829 + int sysctl_perm(ctl_table *table, int op)
31830 + {
31831 + int error;
31832 ++ if (table->parent != NULL && table->parent->procname != NULL &&
31833 ++ table->procname != NULL &&
31834 ++ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
31835 ++ return -EACCES;
31836 ++ if (gr_handle_chroot_sysctl(op))
31837 ++ return -EACCES;
31838 ++ error = gr_handle_sysctl(table, op);
31839 ++ if (error)
31840 ++ return error;
31841 ++ error = security_sysctl(table, op);
31842 ++ if (error)
31843 ++ return error;
31844 ++ return test_perm(table->mode, op);
31845 ++}
31846 ++
31847 ++int sysctl_perm_nochk(ctl_table *table, int op)
31848 ++{
31849 ++ int error;
31850 ++
31851 + error = security_sysctl(table, op);
31852 + if (error)
31853 + return error;
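Review bot: sysctl_perm_nochk() duplicates the tail of sysctl_perm() (security_sysctl() followed by test_perm()); have sysctl_perm() run its grsec checks and then call sysctl_perm_nochk() so the two cannot drift apart, and add a prototype for sysctl_perm_nochk() next to sysctl_perm() in the header since it is non-static and called from parse_table(). The `error = gr_handle_sysctl(table, op)` assignment also mixes the __u32 return type from the extern above with int error.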
31854 +@@ -1412,13 +1472,14 @@ repeat:
31855 + if (n == table->ctl_name) {
31856 + int error;
31857 + if (table->child) {
31858 +- if (sysctl_perm(table, 001))
31859 ++ if (sysctl_perm_nochk(table, 001))
31860 + return -EPERM;
31861 + name++;
31862 + nlen--;
31863 + table = table->child;
31864 + goto repeat;
31865 + }
31866 ++
31867 + error = do_sysctl_strategy(table, name, nlen,
31868 + oldval, oldlenp,
31869 + newval, newlen);
31870 +diff -Nurp linux-2.6.23.15/kernel/time.c linux-2.6.23.15-grsec/kernel/time.c
31871 +--- linux-2.6.23.15/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
31872 ++++ linux-2.6.23.15-grsec/kernel/time.c 2008-02-11 10:37:45.000000000 +0000
31873 +@@ -35,6 +35,7 @@
31874 + #include <linux/security.h>
31875 + #include <linux/fs.h>
31876 + #include <linux/module.h>
31877 ++#include <linux/grsecurity.h>
31878 +
31879 + #include <asm/uaccess.h>
31880 + #include <asm/unistd.h>
31881 +@@ -92,6 +93,9 @@ asmlinkage long sys_stime(time_t __user
31882 + return err;
31883 +
31884 + do_settimeofday(&tv);
31885 ++
31886 ++ gr_log_timechange();
31887 ++
31888 + return 0;
31889 + }
31890 +
31891 +@@ -197,6 +201,8 @@ asmlinkage long sys_settimeofday(struct
31892 + return -EFAULT;
31893 + }
31894 +
31895 ++ gr_log_timechange();
31896 ++
31897 + return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
31898 + }
31899 +
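Review bot: in sys_settimeofday() gr_log_timechange() runs before do_sys_settimeofday(), so a call that the latter rejects (it performs the CAP_SYS_TIME check and argument validation) is still logged as a completed time change, whereas the sys_stime() hunk above logs only after do_settimeofday() has been called; log after the call returns 0 so both paths report the same thing.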
31900 +@@ -235,7 +241,7 @@ EXPORT_SYMBOL(current_fs_time);
31901 + * Avoid unnecessary multiplications/divisions in the
31902 + * two most common HZ cases:
31903 + */
31904 +-unsigned int inline jiffies_to_msecs(const unsigned long j)
31905 ++inline unsigned int jiffies_to_msecs(const unsigned long j)
31906 + {
31907 + #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
31908 + return (MSEC_PER_SEC / HZ) * j;
31909 +@@ -247,7 +253,7 @@ unsigned int inline jiffies_to_msecs(con
31910 + }
31911 + EXPORT_SYMBOL(jiffies_to_msecs);
31912 +
31913 +-unsigned int inline jiffies_to_usecs(const unsigned long j)
31914 ++inline unsigned int jiffies_to_usecs(const unsigned long j)
31915 + {
31916 + #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
31917 + return (USEC_PER_SEC / HZ) * j;
31918 +diff -Nurp linux-2.6.23.15/kernel/utsname_sysctl.c linux-2.6.23.15-grsec/kernel/utsname_sysctl.c
31919 +--- linux-2.6.23.15/kernel/utsname_sysctl.c 2007-10-09 21:31:38.000000000 +0100
31920 ++++ linux-2.6.23.15-grsec/kernel/utsname_sysctl.c 2008-02-11 10:37:45.000000000 +0000
31921 +@@ -121,7 +121,7 @@ static struct ctl_table uts_kern_table[]
31922 + .proc_handler = proc_do_uts_string,
31923 + .strategy = sysctl_uts_string,
31924 + },
31925 +- {}
31926 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31927 + };
31928 +
31929 + static struct ctl_table uts_root_table[] = {
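Review bot: replacing the `{}` sentinel with a positional initializer that spells out every member of struct ctl_table couples this table to the exact field count and order of that struct; the next field added to ctl_table turns this into a build error or a mis-initialized sentinel. If the goal is to silence a missing-field-initializers warning, a designated initializer such as `{ .ctl_name = 0 }` achieves the same zero sentinel and survives struct changes. The same applies to the uts_root_table hunk that follows.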
31930 +@@ -131,7 +131,7 @@ static struct ctl_table uts_root_table[]
31931 + .mode = 0555,
31932 + .child = uts_kern_table,
31933 + },
31934 +- {}
31935 ++ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
31936 + };
31937 +
31938 + static int __init utsname_sysctl_init(void)
31939 +diff -Nurp linux-2.6.23.15/lib/radix-tree.c linux-2.6.23.15-grsec/lib/radix-tree.c
31940 +--- linux-2.6.23.15/lib/radix-tree.c 2007-10-09 21:31:38.000000000 +0100
31941 ++++ linux-2.6.23.15-grsec/lib/radix-tree.c 2008-02-11 10:37:45.000000000 +0000
31942 +@@ -76,7 +76,7 @@ struct radix_tree_preload {
31943 + int nr;
31944 + struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
31945 + };
31946 +-DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
31947 ++DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
31948 +
31949 + static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
31950 + {
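Review bot: `{ 0, {NULL} }` has the same fragility as the ctl_table sentinels above: it exists only to quiet a warning about the partially initialized `nodes` array, and a designated form (`{ .nr = 0 }`) expresses that without hard-coding the member layout of struct radix_tree_preload. Either way the commit message should note that this hunk is warning cleanup, not a behaviour change.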
31951 +diff -Nurp linux-2.6.23.15/mm/filemap.c linux-2.6.23.15-grsec/mm/filemap.c
31952 +--- linux-2.6.23.15/mm/filemap.c 2008-02-11 10:36:03.000000000 +0000
31953 ++++ linux-2.6.23.15-grsec/mm/filemap.c 2008-02-11 10:37:45.000000000 +0000
31954 +@@ -30,6 +30,7 @@
31955 + #include <linux/security.h>
31956 + #include <linux/syscalls.h>
31957 + #include <linux/cpuset.h>
31958 ++#include <linux/grsecurity.h>
31959 + #include "filemap.h"
31960 + #include "internal.h"
31961 +
31962 +@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
31963 + struct address_space *mapping = file->f_mapping;
31964 +
31965 + if (!mapping->a_ops->readpage)
31966 +- return -ENOEXEC;
31967 ++ return -ENODEV;
31968 + file_accessed(file);
31969 + vma->vm_ops = &generic_file_vm_ops;
31970 + vma->vm_flags |= VM_CAN_NONLINEAR;
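Review bot: this changes a userspace-visible errno: mmap() of a file whose address_space operations lack readpage now fails with ENODEV instead of ENOEXEC. ENODEV is the error mmap(2) documents for a file that does not support memory mapping, so it is arguably the correct value, but in-kernel callers distinguish the two (search_binary_handler() treats ENOEXEC from a loader as "try the next binfmt", whereas ENODEV aborts the exec), so the commit message should state that the change is intentional and that those paths were checked.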
31971 +@@ -1726,6 +1727,7 @@ inline int generic_write_checks(struct f
31972 + *pos = i_size_read(inode);
31973 +
31974 + if (limit != RLIM_INFINITY) {
31975 ++ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
31976 + if (*pos >= limit) {
31977 + send_sig(SIGXFSZ, current, 0);
31978 + return -EFBIG;
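Review bot: style nit in `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);`: missing space after the comma. More substantively, here the learning hook is placed inside `if (limit != RLIM_INFINITY)` while the vmtruncate() hunk in mm/memory.c below calls gr_learn_resource() for RLIMIT_FSIZE unconditionally before its limit test; the two placements produce different learning data for processes with an unlimited file-size rlimit, so pick one convention and apply it in both places.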
31979 +diff -Nurp linux-2.6.23.15/mm/fremap.c linux-2.6.23.15-grsec/mm/fremap.c
31980 +--- linux-2.6.23.15/mm/fremap.c 2007-10-09 21:31:38.000000000 +0100
31981 ++++ linux-2.6.23.15-grsec/mm/fremap.c 2008-02-11 10:37:45.000000000 +0000
31982 +@@ -148,6 +148,13 @@ asmlinkage long sys_remap_file_pages(uns
31983 + retry:
31984 + vma = find_vma(mm, start);
31985 +
31986 ++#ifdef CONFIG_PAX_SEGMEXEC
31987 ++ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
31988 ++ up_read(&mm->mmap_sem);
31989 ++ return err;
31990 ++ }
31991 ++#endif
31992 ++
31993 + /*
31994 + * Make sure the vma is shared, that it supports prefaulting,
31995 + * and that the remapped range is valid and fully within
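Review bot: `return err;` relies on whatever value `err` carries at the top of sys_remap_file_pages(), which is outside this hunk; an explicit `return -EINVAL;` (or the intended errno) makes the rejection self-documenting and robust against later changes to how `err` is initialized. A one-line comment stating why the rejection exists (nonlinear mappings cannot be kept in sync with a SEGMEXEC mirror, so remap_file_pages() is refused on any VM_MAYEXEC vma of a SEGMEXEC task) would also help, since the check applies even to vmas that currently have no mirror.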
31996 +diff -Nurp linux-2.6.23.15/mm/hugetlb.c linux-2.6.23.15-grsec/mm/hugetlb.c
31997 +--- linux-2.6.23.15/mm/hugetlb.c 2007-10-09 21:31:38.000000000 +0100
31998 ++++ linux-2.6.23.15-grsec/mm/hugetlb.c 2008-02-11 10:37:45.000000000 +0000
31999 +@@ -460,6 +460,26 @@ void unmap_hugepage_range(struct vm_area
32000 + }
32001 + }
32002 +
32003 ++#ifdef CONFIG_PAX_SEGMEXEC
32004 ++static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
32005 ++{
32006 ++ struct mm_struct *mm = vma->vm_mm;
32007 ++ struct vm_area_struct *vma_m;
32008 ++ unsigned long address_m;
32009 ++ pte_t *ptep_m;
32010 ++
32011 ++ vma_m = pax_find_mirror_vma(vma);
32012 ++ if (!vma_m)
32013 ++ return;
32014 ++
32015 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32016 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32017 ++ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
32018 ++ get_page(page_m);
32019 ++ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
32020 ++}
32021 ++#endif
32022 ++
32023 + static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
32024 + unsigned long address, pte_t *ptep, pte_t pte)
32025 + {
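Review bot: huge_pte_offset() can return NULL and `ptep_m` is passed straight to set_huge_pte_at() without a check. This is only safe because the hugetlb_fault() hunk later in this file calls huge_pte_alloc(mm, address_m) for the mirror before any pax_mirror_huge_pte() call can happen; that invariant deserves a `BUG_ON(!ptep_m)` or a comment here so the two hunks cannot drift apart. The `writable = 0` argument to make_huge_pte() correctly maps the mirror read-only.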
32026 +@@ -493,6 +513,11 @@ static int hugetlb_cow(struct mm_struct
32027 + /* Break COW */
32028 + set_huge_pte_at(mm, address, ptep,
32029 + make_huge_pte(vma, new_page, 1));
32030 ++
32031 ++#ifdef CONFIG_PAX_SEGMEXEC
32032 ++ pax_mirror_huge_pte(vma, address, new_page);
32033 ++#endif
32034 ++
32035 + /* Make the old page be freed below */
32036 + new_page = old_page;
32037 + }
32038 +@@ -563,6 +588,10 @@ retry:
32039 + && (vma->vm_flags & VM_SHARED)));
32040 + set_huge_pte_at(mm, address, ptep, new_pte);
32041 +
32042 ++#ifdef CONFIG_PAX_SEGMEXEC
32043 ++ pax_mirror_huge_pte(vma, address, page);
32044 ++#endif
32045 ++
32046 + if (write_access && !(vma->vm_flags & VM_SHARED)) {
32047 + /* Optimization, do the COW without a second fault */
32048 + ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
32049 +@@ -589,6 +618,27 @@ int hugetlb_fault(struct mm_struct *mm,
32050 + int ret;
32051 + static DEFINE_MUTEX(hugetlb_instantiation_mutex);
32052 +
32053 ++#ifdef CONFIG_PAX_SEGMEXEC
32054 ++ struct vm_area_struct *vma_m;
32055 ++
32056 ++ vma_m = pax_find_mirror_vma(vma);
32057 ++ if (vma_m) {
32058 ++ unsigned long address_m;
32059 ++
32060 ++ if (vma->vm_start > vma_m->vm_start) {
32061 ++ address_m = address;
32062 ++ address -= SEGMEXEC_TASK_SIZE;
32063 ++ vma = vma_m;
32064 ++ } else
32065 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32066 ++
32067 ++ if (!huge_pte_alloc(mm, address_m))
32068 ++ return VM_FAULT_OOM;
32069 ++ address_m &= HPAGE_MASK;
32070 ++ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
32071 ++ }
32072 ++#endif
32073 ++
32074 + ptep = huge_pte_alloc(mm, address);
32075 + if (!ptep)
32076 + return VM_FAULT_OOM;
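Review bot: in the swap branch (`vma->vm_start > vma_m->vm_start`) `vma` is replaced by `vma_m` but `vma_m` is not updated, so after the block `vma` and `vma_m` both point at the lower vma, and `unmap_hugepage_range(vma, address_m, ...)` is handed the lower vma together with the upper (mirror) address range. For hugetlb that happens to work because only vma->vm_mm, vma->vm_file and flush_tlb_range() are used, but the same construct in handle_mm_fault() below feeds pax_unmap_mirror_pte(), so it is worth swapping both variables (save the original vma before reassigning) here too to keep the vma/address pairing consistent.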
32077 +diff -Nurp linux-2.6.23.15/mm/madvise.c linux-2.6.23.15-grsec/mm/madvise.c
32078 +--- linux-2.6.23.15/mm/madvise.c 2007-10-09 21:31:38.000000000 +0100
32079 ++++ linux-2.6.23.15-grsec/mm/madvise.c 2008-02-11 10:37:45.000000000 +0000
32080 +@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
32081 + pgoff_t pgoff;
32082 + int new_flags = vma->vm_flags;
32083 +
32084 ++#ifdef CONFIG_PAX_SEGMEXEC
32085 ++ struct vm_area_struct *vma_m;
32086 ++#endif
32087 ++
32088 + switch (behavior) {
32089 + case MADV_NORMAL:
32090 + new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
32091 +@@ -92,6 +96,13 @@ success:
32092 + /*
32093 + * vm_flags is protected by the mmap_sem held in write mode.
32094 + */
32095 ++
32096 ++#ifdef CONFIG_PAX_SEGMEXEC
32097 ++ vma_m = pax_find_mirror_vma(vma);
32098 ++ if (vma_m)
32099 ++ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
32100 ++#endif
32101 ++
32102 + vma->vm_flags = new_flags;
32103 +
32104 + out:
32105 +@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
32106 +
32107 + case MADV_DONTNEED:
32108 + error = madvise_dontneed(vma, prev, start, end);
32109 ++
32110 ++#ifdef CONFIG_PAX_SEGMEXEC
32111 ++ if (!error) {
32112 ++ struct vm_area_struct *vma_m, *prev_m;
32113 ++
32114 ++ vma_m = pax_find_mirror_vma(vma);
32115 ++ if (vma_m)
32116 ++ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
32117 ++ }
32118 ++#endif
32119 ++
32120 + break;
32121 +
32122 + default:
32123 +@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
32124 + if (end < start)
32125 + goto out;
32126 +
32127 ++#ifdef CONFIG_PAX_SEGMEXEC
32128 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
32129 ++ if (end > SEGMEXEC_TASK_SIZE)
32130 ++ goto out;
32131 ++ } else
32132 ++#endif
32133 ++
32134 ++ if (end > TASK_SIZE)
32135 ++ goto out;
32136 ++
32137 + error = 0;
32138 + if (end == start)
32139 + goto out;
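Review bot: the `} else` followed by `#endif` and then `if (end > TASK_SIZE)` is a dangling-else that straddles a preprocessor boundary; it is correct as written but easy to break when someone edits either side. A clearer form computes the bound once, e.g. `unsigned long limit = (current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE : TASK_SIZE;` under the ifdef and a single `if (end > limit) goto out;`. The same construct recurs in do_mbind() and do_mlock() below and would benefit from the same shape.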
32140 +diff -Nurp linux-2.6.23.15/mm/memory.c linux-2.6.23.15-grsec/mm/memory.c
32141 +--- linux-2.6.23.15/mm/memory.c 2007-10-09 21:31:38.000000000 +0100
32142 ++++ linux-2.6.23.15-grsec/mm/memory.c 2008-02-11 10:37:45.000000000 +0000
32143 +@@ -50,6 +50,7 @@
32144 + #include <linux/delayacct.h>
32145 + #include <linux/init.h>
32146 + #include <linux/writeback.h>
32147 ++#include <linux/grsecurity.h>
32148 +
32149 + #include <asm/pgalloc.h>
32150 + #include <asm/uaccess.h>
32151 +@@ -993,7 +994,7 @@ int get_user_pages(struct task_struct *t
32152 + struct vm_area_struct *vma;
32153 + unsigned int foll_flags;
32154 +
32155 +- vma = find_extend_vma(mm, start);
32156 ++ vma = find_vma(mm, start);
32157 + if (!vma && in_gate_area(tsk, start)) {
32158 + unsigned long pg = start & PAGE_MASK;
32159 + struct vm_area_struct *gate_vma = get_gate_vma(tsk);
32160 +@@ -1033,7 +1034,7 @@ int get_user_pages(struct task_struct *t
32161 + continue;
32162 + }
32163 +
32164 +- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
32165 ++ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
32166 + || !(vm_flags & vma->vm_flags))
32167 + return i ? : -EFAULT;
32168 +
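Review bot: together with the find_extend_vma() to find_vma() change in the previous hunk, the new `start < vma->vm_start` test means get_user_pages() no longer grows a stack vma on demand and instead returns -EFAULT for an address below vma->vm_start. That is a behaviour change for every caller that relied on the implicit expansion (access_process_vm() for ptrace writes just below the stack bottom is the obvious one); the commit message should record it and state that the in-tree callers were checked, in particular that the exec argument-copy path expands the stack itself before calling get_user_pages().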
32169 +@@ -1614,6 +1615,195 @@ static inline void cow_user_page(struct
32170 + copy_user_highpage(dst, src, va, vma);
32171 + }
32172 +
32173 ++#ifdef CONFIG_PAX_SEGMEXEC
32174 ++static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
32175 ++{
32176 ++ struct mm_struct *mm = vma->vm_mm;
32177 ++ spinlock_t *ptl;
32178 ++ pte_t *pte, entry;
32179 ++
32180 ++ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
32181 ++ entry = *pte;
32182 ++ if (!pte_present(entry)) {
32183 ++ if (!pte_none(entry)) {
32184 ++ BUG_ON(pte_file(entry));
32185 ++ free_swap_and_cache(pte_to_swp_entry(entry));
32186 ++ pte_clear_not_present_full(mm, address, pte, 0);
32187 ++ }
32188 ++ } else {
32189 ++ struct page *page;
32190 ++
32191 ++ page = vm_normal_page(vma, address, entry);
32192 ++ if (page) {
32193 ++ flush_cache_page(vma, address, pte_pfn(entry));
32194 ++ flush_icache_page(vma, page);
32195 ++ }
32196 ++ ptep_clear_flush(vma, address, pte);
32197 ++ BUG_ON(pte_dirty(entry));
32198 ++ if (page) {
32199 ++ update_hiwater_rss(mm);
32200 ++ if (PageAnon(page))
32201 ++ dec_mm_counter(mm, anon_rss);
32202 ++ else
32203 ++ dec_mm_counter(mm, file_rss);
32204 ++ page_remove_rmap(page, vma);
32205 ++ page_cache_release(page);
32206 ++ }
32207 ++ }
32208 ++ pte_unmap_unlock(pte, ptl);
32209 ++}
32210 ++
32211 ++/* PaX: if vma is mirrored, synchronize the mirror's PTE
32212 ++ *
32213 ++ * the ptl of the lower mapped page is held on entry and is not released on exit
32214 ++ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
32215 ++ */
32216 ++static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
32217 ++{
32218 ++ struct mm_struct *mm = vma->vm_mm;
32219 ++ unsigned long address_m;
32220 ++ spinlock_t *ptl_m;
32221 ++ struct vm_area_struct *vma_m;
32222 ++ pmd_t *pmd_m;
32223 ++ pte_t *pte_m, entry_m;
32224 ++
32225 ++ BUG_ON(!page_m || !PageAnon(page_m));
32226 ++
32227 ++ vma_m = pax_find_mirror_vma(vma);
32228 ++ if (!vma_m)
32229 ++ return;
32230 ++
32231 ++ BUG_ON(!PageLocked(page_m));
32232 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32233 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32234 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32235 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32236 ++ ptl_m = pte_lockptr(mm, pmd_m);
32237 ++ if (ptl != ptl_m) {
32238 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32239 ++ if (!pte_none(*pte_m)) {
32240 ++ spin_unlock(ptl_m);
32241 ++ pte_unmap_nested(pte_m);
32242 ++ unlock_page(page_m);
32243 ++ return;
32244 ++ }
32245 ++ }
32246 ++
32247 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
32248 ++ page_cache_get(page_m);
32249 ++ page_add_anon_rmap(page_m, vma_m, address_m);
32250 ++ inc_mm_counter(mm, anon_rss);
32251 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32252 ++ update_mmu_cache(vma_m, address_m, entry_m);
32253 ++ lazy_mmu_prot_update(entry_m);
32254 ++ if (ptl != ptl_m)
32255 ++ spin_unlock(ptl_m);
32256 ++ pte_unmap_nested(pte_m);
32257 ++ unlock_page(page_m);
32258 ++}
32259 ++
32260 ++void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
32261 ++{
32262 ++ struct mm_struct *mm = vma->vm_mm;
32263 ++ unsigned long address_m;
32264 ++ spinlock_t *ptl_m;
32265 ++ struct vm_area_struct *vma_m;
32266 ++ pmd_t *pmd_m;
32267 ++ pte_t *pte_m, entry_m;
32268 ++
32269 ++ BUG_ON(!page_m || PageAnon(page_m));
32270 ++
32271 ++ vma_m = pax_find_mirror_vma(vma);
32272 ++ if (!vma_m)
32273 ++ return;
32274 ++
32275 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32276 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32277 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32278 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32279 ++ ptl_m = pte_lockptr(mm, pmd_m);
32280 ++ if (ptl != ptl_m) {
32281 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32282 ++ if (!pte_none(*pte_m)) {
32283 ++ spin_unlock(ptl_m);
32284 ++ pte_unmap_nested(pte_m);
32285 ++ return;
32286 ++ }
32287 ++ }
32288 ++
32289 ++ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
32290 ++ page_cache_get(page_m);
32291 ++ page_add_file_rmap(page_m);
32292 ++ inc_mm_counter(mm, file_rss);
32293 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32294 ++ update_mmu_cache(vma_m, address_m, entry_m);
32295 ++ lazy_mmu_prot_update(entry_m);
32296 ++ if (ptl != ptl_m)
32297 ++ spin_unlock(ptl_m);
32298 ++ pte_unmap_nested(pte_m);
32299 ++}
32300 ++
32301 ++static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
32302 ++{
32303 ++ struct mm_struct *mm = vma->vm_mm;
32304 ++ unsigned long address_m;
32305 ++ spinlock_t *ptl_m;
32306 ++ struct vm_area_struct *vma_m;
32307 ++ pmd_t *pmd_m;
32308 ++ pte_t *pte_m, entry_m;
32309 ++
32310 ++ vma_m = pax_find_mirror_vma(vma);
32311 ++ if (!vma_m)
32312 ++ return;
32313 ++
32314 ++ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
32315 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32316 ++ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
32317 ++ pte_m = pte_offset_map_nested(pmd_m, address_m);
32318 ++ ptl_m = pte_lockptr(mm, pmd_m);
32319 ++ if (ptl != ptl_m) {
32320 ++ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
32321 ++ if (!pte_none(*pte_m)) {
32322 ++ spin_unlock(ptl_m);
32323 ++ pte_unmap_nested(pte_m);
32324 ++ return;
32325 ++ }
32326 ++ }
32327 ++
32328 ++ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
32329 ++ set_pte_at(mm, address_m, pte_m, entry_m);
32330 ++ if (ptl != ptl_m)
32331 ++ spin_unlock(ptl_m);
32332 ++ pte_unmap_nested(pte_m);
32333 ++}
32334 ++
32335 ++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
32336 ++{
32337 ++ struct page *page_m;
32338 ++ pte_t entry;
32339 ++
32340 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
32341 ++ return;
32342 ++
32343 ++ entry = *pte;
32344 ++ page_m = vm_normal_page(vma, address, entry);
32345 ++ if (!page_m)
32346 ++ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
32347 ++ else if (PageAnon(page_m)) {
32348 ++ if (pax_find_mirror_vma(vma)) {
32349 ++ spin_unlock(ptl);
32350 ++ lock_page(page_m);
32351 ++ spin_lock(ptl);
32352 ++ if (pte_same(entry, *pte))
32353 ++ pax_mirror_anon_pte(vma, address, page_m, ptl);
32354 ++ else
32355 ++ unlock_page(page_m);
32356 ++ }
32357 ++ } else
32358 ++ pax_mirror_file_pte(vma, address, page_m, ptl);
32359 ++}
32360 ++#endif
32361 ++
32362 + /*
32363 + * This routine handles present pages, when users try to write
32364 + * to a shared page. It is done by copying the page to a new address
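Review bot: in pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `!pte_none(*pte_m)` bail-out only runs inside `if (ptl != ptl_m)`; when both PTEs share a lock (non-split page-table locks) an already populated mirror PTE is overwritten by set_pte_at() without the old page's rmap and reference being dropped. If the invariant is that handle_mm_fault()'s pax_unmap_mirror_pte() has always cleared the mirror slot first, hoist the check out of the lock comparison and turn it into a BUG_ON so the invariant is documented; otherwise this is a leak on that configuration. Two smaller points: the header comment on pax_mirror_anon_pte() describes the ptl contract but not the page-lock contract (page_m must arrive locked and is unlocked here on every path once a mirror exists), and pax_mirror_file_pte() is the only non-static function of the three, so it needs a prototype in a header and a note on where it is called from.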
32365 +@@ -1733,6 +1923,12 @@ gotten:
32366 + */
32367 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
32368 + if (likely(pte_same(*page_table, orig_pte))) {
32369 ++
32370 ++#ifdef CONFIG_PAX_SEGMEXEC
32371 ++ if (pax_find_mirror_vma(vma))
32372 ++ BUG_ON(TestSetPageLocked(new_page));
32373 ++#endif
32374 ++
32375 + if (old_page) {
32376 + page_remove_rmap(old_page, vma);
32377 + if (!PageAnon(old_page)) {
32378 +@@ -1757,6 +1953,10 @@ gotten:
32379 + lru_cache_add_active(new_page);
32380 + page_add_new_anon_rmap(new_page, vma, address);
32381 +
32382 ++#ifdef CONFIG_PAX_SEGMEXEC
32383 ++ pax_mirror_anon_pte(vma, address, new_page, ptl);
32384 ++#endif
32385 ++
32386 + /* Free the old page.. */
32387 + new_page = old_page;
32388 + ret |= VM_FAULT_WRITE;
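Review bot: the page lock taken with `BUG_ON(TestSetPageLocked(new_page))` in the previous hunk is released inside pax_mirror_anon_pte() here, and only when pax_find_mirror_vma() returns non-NULL, which matches the condition under which it was taken; the two calls evaluate pax_find_mirror_vma() independently under mmap_sem, which is fine, but the ownership hand-off is invisible at this call site. A short comment ("new_page is locked above when a mirror exists; pax_mirror_anon_pte() unlocks it") would prevent someone from adding an unlock_page() here later.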
32389 +@@ -2034,6 +2234,7 @@ int vmtruncate(struct inode * inode, lof
32390 +
32391 + do_expand:
32392 + limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
32393 ++ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
32394 + if (limit != RLIM_INFINITY && offset > limit)
32395 + goto out_sig;
32396 + if (offset > inode->i_sb->s_maxbytes)
32397 +@@ -2216,6 +2417,11 @@ static int do_swap_page(struct mm_struct
32398 + swap_free(entry);
32399 + if (vm_swap_full())
32400 + remove_exclusive_swap_page(page);
32401 ++
32402 ++#ifdef CONFIG_PAX_SEGMEXEC
32403 ++ if (write_access || !pax_find_mirror_vma(vma))
32404 ++#endif
32405 ++
32406 + unlock_page(page);
32407 +
32408 + if (write_access) {
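Review bot: the `if (write_access || !pax_find_mirror_vma(vma))` lives inside the `#ifdef CONFIG_PAX_SEGMEXEC` block while the statement it controls, `unlock_page(page);`, sits outside it; that compiles to the intended result but is fragile and hides the control flow. Prefer braces around unlock_page() in both configurations, or duplicate the unlock inside each branch. It is also worth a comment that on a write fault the page is unlocked here because do_wp_page() re-locks it via TestSetPageLocked() in its own hunk, whereas on a read fault with a mirror the lock is carried into pax_mirror_anon_pte() in the next hunk.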
32409 +@@ -2228,6 +2434,11 @@ static int do_swap_page(struct mm_struct
32410 +
32411 + /* No need to invalidate - it was non-present before */
32412 + update_mmu_cache(vma, address, pte);
32413 ++
32414 ++#ifdef CONFIG_PAX_SEGMEXEC
32415 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32416 ++#endif
32417 ++
32418 + unlock:
32419 + pte_unmap_unlock(page_table, ptl);
32420 + out:
32421 +@@ -2268,6 +2479,12 @@ static int do_anonymous_page(struct mm_s
32422 + page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
32423 + if (!pte_none(*page_table))
32424 + goto release;
32425 ++
32426 ++#ifdef CONFIG_PAX_SEGMEXEC
32427 ++ if (pax_find_mirror_vma(vma))
32428 ++ BUG_ON(TestSetPageLocked(page));
32429 ++#endif
32430 ++
32431 + inc_mm_counter(mm, anon_rss);
32432 + lru_cache_add_active(page);
32433 + page_add_new_anon_rmap(page, vma, address);
32434 +@@ -2290,6 +2507,14 @@ static int do_anonymous_page(struct mm_s
32435 + /* No need to invalidate - it was non-present before */
32436 + update_mmu_cache(vma, address, entry);
32437 + lazy_mmu_prot_update(entry);
32438 ++
32439 ++#ifdef CONFIG_PAX_SEGMEXEC
32440 ++ if (write_access)
32441 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32442 ++ else
32443 ++ pax_mirror_file_pte(vma, address, page, ptl);
32444 ++#endif
32445 ++
32446 + unlock:
32447 + pte_unmap_unlock(page_table, ptl);
32448 + return 0;
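Review bot: the dispatch on `write_access` relies on do_anonymous_page()'s read-fault path mapping the zero page, which is not PageAnon, so pax_mirror_file_pte() (whose `BUG_ON(!page_m || PageAnon(page_m))` would fire on an anonymous page) is the right helper only because of that detail of the surrounding function; a comment saying "read faults map ZERO_PAGE, which is a file-backed page for rmap purposes" should accompany the else branch. Consistently, the `TestSetPageLocked(page)` in the previous hunk is taken only on the write path, which is the only path that reaches pax_mirror_anon_pte().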
32449 +@@ -2422,6 +2647,12 @@ static int __do_fault(struct mm_struct *
32450 + */
32451 + /* Only go through if we didn't race with anybody else... */
32452 + if (likely(pte_same(*page_table, orig_pte))) {
32453 ++
32454 ++#ifdef CONFIG_PAX_SEGMEXEC
32455 ++ if (anon && pax_find_mirror_vma(vma))
32456 ++ BUG_ON(TestSetPageLocked(page));
32457 ++#endif
32458 ++
32459 + flush_icache_page(vma, page);
32460 + entry = mk_pte(page, vma->vm_page_prot);
32461 + if (flags & FAULT_FLAG_WRITE)
32462 +@@ -2443,6 +2674,14 @@ static int __do_fault(struct mm_struct *
32463 + /* no need to invalidate: a not-present page won't be cached */
32464 + update_mmu_cache(vma, address, entry);
32465 + lazy_mmu_prot_update(entry);
32466 ++
32467 ++#ifdef CONFIG_PAX_SEGMEXEC
32468 ++ if (anon)
32469 ++ pax_mirror_anon_pte(vma, address, page, ptl);
32470 ++ else
32471 ++ pax_mirror_file_pte(vma, address, page, ptl);
32472 ++#endif
32473 ++
32474 + } else {
32475 + if (anon)
32476 + page_cache_release(page);
32477 +@@ -2522,6 +2761,11 @@ static noinline int do_no_pfn(struct mm_
32478 + if (write_access)
32479 + entry = maybe_mkwrite(pte_mkdirty(entry), vma);
32480 + set_pte_at(mm, address, page_table, entry);
32481 ++
32482 ++#ifdef CONFIG_PAX_SEGMEXEC
32483 ++ pax_mirror_pfn_pte(vma, address, pfn, ptl);
32484 ++#endif
32485 ++
32486 + }
32487 + pte_unmap_unlock(page_table, ptl);
32488 + return 0;
32489 +@@ -2625,6 +2869,11 @@ static inline int handle_pte_fault(struc
32490 + if (write_access)
32491 + flush_tlb_page(vma, address);
32492 + }
32493 ++
32494 ++#ifdef CONFIG_PAX_SEGMEXEC
32495 ++ pax_mirror_pte(vma, address, pte, ptl);
32496 ++#endif
32497 ++
32498 + unlock:
32499 + pte_unmap_unlock(pte, ptl);
32500 + return 0;
32501 +@@ -2641,6 +2890,10 @@ int handle_mm_fault(struct mm_struct *mm
32502 + pmd_t *pmd;
32503 + pte_t *pte;
32504 +
32505 ++#ifdef CONFIG_PAX_SEGMEXEC
32506 ++ struct vm_area_struct *vma_m;
32507 ++#endif
32508 ++
32509 + __set_current_state(TASK_RUNNING);
32510 +
32511 + count_vm_event(PGFAULT);
32512 +@@ -2648,6 +2901,34 @@ int handle_mm_fault(struct mm_struct *mm
32513 + if (unlikely(is_vm_hugetlb_page(vma)))
32514 + return hugetlb_fault(mm, vma, address, write_access);
32515 +
32516 ++#ifdef CONFIG_PAX_SEGMEXEC
32517 ++ vma_m = pax_find_mirror_vma(vma);
32518 ++ if (vma_m) {
32519 ++ unsigned long address_m;
32520 ++ pgd_t *pgd_m;
32521 ++ pud_t *pud_m;
32522 ++ pmd_t *pmd_m;
32523 ++
32524 ++ if (vma->vm_start > vma_m->vm_start) {
32525 ++ address_m = address;
32526 ++ address -= SEGMEXEC_TASK_SIZE;
32527 ++ vma = vma_m;
32528 ++ } else
32529 ++ address_m = address + SEGMEXEC_TASK_SIZE;
32530 ++
32531 ++ pgd_m = pgd_offset(mm, address_m);
32532 ++ pud_m = pud_alloc(mm, pgd_m, address_m);
32533 ++ if (!pud_m)
32534 ++ return VM_FAULT_OOM;
32535 ++ pmd_m = pmd_alloc(mm, pud_m, address_m);
32536 ++ if (!pmd_m)
32537 ++ return VM_FAULT_OOM;
32538 ++ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
32539 ++ return VM_FAULT_OOM;
32540 ++ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
32541 ++ }
32542 ++#endif
32543 ++
32544 + pgd = pgd_offset(mm, address);
32545 + pud = pud_alloc(mm, pgd, address);
32546 + if (!pud)
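Review bot: in the swap branch `vma = vma_m;` leaves `vma_m` pointing at the lower vma, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receives the lower vma paired with the upper address. pax_unmap_mirror_pte() passes that pair to vm_normal_page(), which for a VM_PFNMAP vma derives the expected pfn from `address - vma->vm_start`, so the mismatch can misclassify the mirror PTE and skip the rmap/refcount bookkeeping. Keep the pair consistent by saving the original vma before the reassignment (e.g. `struct vm_area_struct *vma_l = vma_m; vma_m = vma; vma = vma_l;`) so vma_m always names the upper vma when address_m is the upper address; the hugetlb_fault() hunk has the same shape.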
32547 +@@ -2781,7 +3062,7 @@ static int __init gate_vma_init(void)
32548 + gate_vma.vm_start = FIXADDR_USER_START;
32549 + gate_vma.vm_end = FIXADDR_USER_END;
32550 + gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
32551 +- gate_vma.vm_page_prot = __P101;
32552 ++ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
32553 + /*
32554 + * Make sure the vDSO gets into every core dump.
32555 + * Dumping its contents makes post-mortem fully interpretable later
32556 +diff -Nurp linux-2.6.23.15/mm/mempolicy.c linux-2.6.23.15-grsec/mm/mempolicy.c
32557 +--- linux-2.6.23.15/mm/mempolicy.c 2007-10-09 21:31:38.000000000 +0100
32558 ++++ linux-2.6.23.15-grsec/mm/mempolicy.c 2008-02-11 10:37:45.000000000 +0000
32559 +@@ -401,6 +401,10 @@ static int mbind_range(struct vm_area_st
32560 + struct vm_area_struct *next;
32561 + int err;
32562 +
32563 ++#ifdef CONFIG_PAX_SEGMEXEC
32564 ++ struct vm_area_struct *vma_m;
32565 ++#endif
32566 ++
32567 + err = 0;
32568 + for (; vma && vma->vm_start < end; vma = next) {
32569 + next = vma->vm_next;
32570 +@@ -412,6 +416,16 @@ static int mbind_range(struct vm_area_st
32571 + err = policy_vma(vma, new);
32572 + if (err)
32573 + break;
32574 ++
32575 ++#ifdef CONFIG_PAX_SEGMEXEC
32576 ++ vma_m = pax_find_mirror_vma(vma);
32577 ++ if (vma_m) {
32578 ++ err = policy_vma(vma_m, new);
32579 ++ if (err)
32580 ++ break;
32581 ++ }
32582 ++#endif
32583 ++
32584 + }
32585 + return err;
32586 + }
32587 +@@ -732,7 +746,7 @@ static struct page *new_vma_page(struct
32588 + }
32589 + #endif
32590 +
32591 +-long do_mbind(unsigned long start, unsigned long len,
32592 ++static long do_mbind(unsigned long start, unsigned long len,
32593 + unsigned long mode, nodemask_t *nmask, unsigned long flags)
32594 + {
32595 + struct vm_area_struct *vma;
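Review bot: making do_mbind() static is fine as long as no header still declares it non-static (a `static` definition following an earlier non-static declaration is a compile error with most toolchains); confirm that include/linux/mempolicy.h carries no `extern long do_mbind(...)` after this patch, and mention the visibility change in the commit message since it is unrelated to the SEGMEXEC work in the surrounding hunks.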
32596 +@@ -760,6 +774,17 @@ long do_mbind(unsigned long start, unsig
32597 +
32598 + if (end < start)
32599 + return -EINVAL;
32600 ++
32601 ++#ifdef CONFIG_PAX_SEGMEXEC
32602 ++ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
32603 ++ if (end > SEGMEXEC_TASK_SIZE)
32604 ++ return -EINVAL;
32605 ++ } else
32606 ++#endif
32607 ++
32608 ++ if (end > TASK_SIZE)
32609 ++ return -EINVAL;
32610 ++
32611 + if (end == start)
32612 + return 0;
32613 +
32614 +diff -Nurp linux-2.6.23.15/mm/mlock.c linux-2.6.23.15-grsec/mm/mlock.c
32615 +--- linux-2.6.23.15/mm/mlock.c 2007-10-09 21:31:38.000000000 +0100
32616 ++++ linux-2.6.23.15-grsec/mm/mlock.c 2008-02-11 10:37:45.000000000 +0000
32617 +@@ -12,6 +12,7 @@
32618 + #include <linux/syscalls.h>
32619 + #include <linux/sched.h>
32620 + #include <linux/module.h>
32621 ++#include <linux/grsecurity.h>
32622 +
32623 + int can_do_mlock(void)
32624 + {
32625 +@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
32626 + return -EINVAL;
32627 + if (end == start)
32628 + return 0;
32629 ++
32630 ++#ifdef CONFIG_PAX_SEGMEXEC
32631 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
32632 ++ if (end > SEGMEXEC_TASK_SIZE)
32633 ++ return -EINVAL;
32634 ++ } else
32635 ++#endif
32636 ++
32637 ++ if (end > TASK_SIZE)
32638 ++ return -EINVAL;
32639 ++
32640 + vma = find_vma_prev(current->mm, start, &prev);
32641 + if (!vma || vma->vm_start > start)
32642 + return -ENOMEM;
32643 +@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
32644 + lock_limit >>= PAGE_SHIFT;
32645 +
32646 + /* check against resource limits */
32647 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
32648 + if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
32649 + error = do_mlock(start, len, 1);
32650 + up_write(&current->mm->mmap_sem);
32651 +@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
32652 + static int do_mlockall(int flags)
32653 + {
32654 + struct vm_area_struct * vma, * prev = NULL;
32655 +- unsigned int def_flags = 0;
32656 ++ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
32657 +
32658 + if (flags & MCL_FUTURE)
32659 +- def_flags = VM_LOCKED;
32660 ++ def_flags |= VM_LOCKED;
32661 + current->mm->def_flags = def_flags;
32662 + if (flags == MCL_FUTURE)
32663 + goto out;
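Review bot: the def_flags change is an independent bug fix that is easy to miss among the SEGMEXEC hunks: the original code assigned `def_flags` from scratch, so mlockall(MCL_FUTURE) silently cleared every other default flag the mm carried, while the new code starts from `current->mm->def_flags & ~VM_LOCKED` and only toggles VM_LOCKED. It deserves its own line in the commit message (or its own patch) because it changes behaviour for every mlockall() caller, not only PaX-enabled tasks.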
32664 +@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
32665 + for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
32666 + unsigned int newflags;
32667 +
32668 ++#ifdef CONFIG_PAX_SEGMEXEC
32669 ++ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
32670 ++ break;
32671 ++#endif
32672 ++
32673 ++ BUG_ON(vma->vm_end > TASK_SIZE);
32674 + newflags = vma->vm_flags | VM_LOCKED;
32675 + if (!(flags & MCL_CURRENT))
32676 + newflags &= ~VM_LOCKED;
32677 +@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
32678 + lock_limit >>= PAGE_SHIFT;
32679 +
32680 + ret = -ENOMEM;
32681 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
32682 + if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
32683 + capable(CAP_IPC_LOCK))
32684 + ret = do_mlockall(flags);
32685 +diff -Nurp linux-2.6.23.15/mm/mmap.c linux-2.6.23.15-grsec/mm/mmap.c
32686 +--- linux-2.6.23.15/mm/mmap.c 2008-02-11 10:36:03.000000000 +0000
32687 ++++ linux-2.6.23.15-grsec/mm/mmap.c 2008-02-11 10:43:32.000000000 +0000
32688 +@@ -25,6 +25,7 @@
32689 + #include <linux/mount.h>
32690 + #include <linux/mempolicy.h>
32691 + #include <linux/rmap.h>
32692 ++#include <linux/grsecurity.h>
32693 +
32694 + #include <asm/uaccess.h>
32695 + #include <asm/cacheflush.h>
32696 +@@ -35,6 +36,16 @@
32697 + #define arch_mmap_check(addr, len, flags) (0)
32698 + #endif
32699 +
32700 ++static inline void verify_mm_writelocked(struct mm_struct *mm)
32701 ++{
32702 ++#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
32703 ++ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
32704 ++ up_read(&mm->mmap_sem);
32705 ++ BUG();
32706 ++ }
32707 ++#endif
32708 ++}
32709 ++
32710 + static void unmap_region(struct mm_struct *mm,
32711 + struct vm_area_struct *vma, struct vm_area_struct *prev,
32712 + unsigned long start, unsigned long end);
32713 +@@ -60,15 +71,23 @@ static void unmap_region(struct mm_struc
32714 + * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
32715 + *
32716 + */
32717 +-pgprot_t protection_map[16] = {
32718 ++pgprot_t protection_map[16] __read_only = {
32719 + __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
32720 + __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
32721 + };
32722 +
32723 + pgprot_t vm_get_page_prot(unsigned long vm_flags)
32724 + {
32725 +- return protection_map[vm_flags &
32726 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
32727 ++ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
32728 ++
32729 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
32730 ++ if (!nx_enabled &&
32731 ++ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
32732 ++ (vm_flags & (VM_READ | VM_WRITE)))
32733 ++ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
32734 ++#endif
32735 ++
32736 ++ return prot;
32737 + }
32738 + EXPORT_SYMBOL(vm_get_page_prot);
32739 +
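Review bot: `protection_map[16] __read_only` introduces an annotation whose definition is not in this hunk; it must expand to something valid (at minimum to nothing) on every configuration that builds mm/mmap.c, including kernels with all PaX options off, or the build breaks there. Likewise the PAGEEXEC block refers to `nx_enabled`, so confirm it is declared for non-PAE x86-32 builds as well, since the guard is only `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32`. The transformation itself (clearing the executable bit via pte_exprotect() when a mapping is VM_PAGEEXEC but not VM_EXEC and the CPU has no NX) reads correctly.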
32740 +@@ -225,6 +244,7 @@ static struct vm_area_struct *remove_vma
32741 + struct vm_area_struct *next = vma->vm_next;
32742 +
32743 + might_sleep();
32744 ++ BUG_ON(vma->vm_mirror);
32745 + if (vma->vm_ops && vma->vm_ops->close)
32746 + vma->vm_ops->close(vma);
32747 + if (vma->vm_file)
32748 +@@ -252,6 +272,7 @@ asmlinkage unsigned long sys_brk(unsigne
32749 + * not page aligned -Ram Gupta
32750 + */
32751 + rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
32752 ++ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
32753 + if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
32754 + goto out;
32755 +
32756 +@@ -352,8 +373,12 @@ find_vma_prepare(struct mm_struct *mm, u
32757 +
32758 + if (vma_tmp->vm_end > addr) {
32759 + vma = vma_tmp;
32760 +- if (vma_tmp->vm_start <= addr)
32761 +- return vma;
32762 ++ if (vma_tmp->vm_start <= addr) {
32763 ++//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
32764 ++//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
32765 ++//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
32766 ++ break;
32767 ++ }
32768 + __rb_link = &__rb_parent->rb_left;
32769 + } else {
32770 + rb_prev = __rb_parent;
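Review bot: the three commented-out `//printk(...)` / `//__print_symbol(...)` lines are leftover debugging and should be dropped before this goes in. Separately, changing `return vma;` to `break;` is a semantic change, not a cleanup: find_vma_prepare() now falls through and fills in *pprev, *rb_link and *rb_parent even when it found a vma that already covers addr, whereas before those outputs were left untouched in that case. Every caller (mmap_region(), insert_vm_struct(), copy_vma()) should be checked to confirm it only consumes those outputs after establishing there is no overlap, and the commit message should say why the fall-through is needed.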
32771 +@@ -677,6 +702,12 @@ static int
32772 + can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
32773 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
32774 + {
32775 ++
32776 ++#ifdef CONFIG_PAX_SEGMEXEC
32777 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
32778 ++ return 0;
32779 ++#endif
32780 ++
32781 + if (is_mergeable_vma(vma, file, vm_flags) &&
32782 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
32783 + if (vma->vm_pgoff == vm_pgoff)
32784 +@@ -696,6 +727,12 @@ static int
32785 + can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
32786 + struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
32787 + {
32788 ++
32789 ++#ifdef CONFIG_PAX_SEGMEXEC
32790 ++ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
32791 ++ return 0;
32792 ++#endif
32793 ++
32794 + if (is_mergeable_vma(vma, file, vm_flags) &&
32795 + is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
32796 + pgoff_t vm_pglen;
32797 +@@ -738,12 +775,19 @@ can_vma_merge_after(struct vm_area_struc
32798 + struct vm_area_struct *vma_merge(struct mm_struct *mm,
32799 + struct vm_area_struct *prev, unsigned long addr,
32800 + unsigned long end, unsigned long vm_flags,
32801 +- struct anon_vma *anon_vma, struct file *file,
32802 ++ struct anon_vma *anon_vma, struct file *file,
32803 + pgoff_t pgoff, struct mempolicy *policy)
32804 + {
32805 + pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
32806 + struct vm_area_struct *area, *next;
32807 +
32808 ++#ifdef CONFIG_PAX_SEGMEXEC
32809 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
32810 ++ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
32811 ++
32812 ++ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
32813 ++#endif
32814 ++
32815 + /*
32816 + * We later require that vma->vm_flags == vm_flags,
32817 + * so this tests vma->vm_flags & VM_SPECIAL, too.
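Review bot: the new `BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end)` at the top of vma_merge turns a caller mistake into a panic. The callers visible in this patch (mmap_region, do_brk) pass user-derived ranges, so this relies on arch_mmap_check/get_unmapped_area having already rejected anything above SEGMEXEC_TASK_SIZE for SEGMEXEC tasks; either state that reliance in a comment or make it a WARN_ON and return NULL (no merge), which is the safe outcome here.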
32818 +@@ -759,6 +803,15 @@ struct vm_area_struct *vma_merge(struct
32819 + if (next && next->vm_end == end) /* cases 6, 7, 8 */
32820 + next = next->vm_next;
32821 +
32822 ++#ifdef CONFIG_PAX_SEGMEXEC
32823 ++ if (prev)
32824 ++ prev_m = pax_find_mirror_vma(prev);
32825 ++ if (area)
32826 ++ area_m = pax_find_mirror_vma(area);
32827 ++ if (next)
32828 ++ next_m = pax_find_mirror_vma(next);
32829 ++#endif
32830 ++
32831 + /*
32832 + * Can it merge with the predecessor?
32833 + */
32834 +@@ -778,9 +831,24 @@ struct vm_area_struct *vma_merge(struct
32835 + /* cases 1, 6 */
32836 + vma_adjust(prev, prev->vm_start,
32837 + next->vm_end, prev->vm_pgoff, NULL);
32838 +- } else /* cases 2, 5, 7 */
32839 ++
32840 ++#ifdef CONFIG_PAX_SEGMEXEC
32841 ++ if (prev_m)
32842 ++ vma_adjust(prev_m, prev_m->vm_start,
32843 ++ next_m->vm_end, prev_m->vm_pgoff, NULL);
32844 ++#endif
32845 ++
32846 ++ } else { /* cases 2, 5, 7 */
32847 + vma_adjust(prev, prev->vm_start,
32848 + end, prev->vm_pgoff, NULL);
32849 ++
32850 ++#ifdef CONFIG_PAX_SEGMEXEC
32851 ++ if (prev_m)
32852 ++ vma_adjust(prev_m, prev_m->vm_start,
32853 ++ end_m, prev_m->vm_pgoff, NULL);
32854 ++#endif
32855 ++
32856 ++ }
32857 + return prev;
32858 + }
32859 +
32860 +@@ -791,12 +859,27 @@ struct vm_area_struct *vma_merge(struct
32861 + mpol_equal(policy, vma_policy(next)) &&
32862 + can_vma_merge_before(next, vm_flags,
32863 + anon_vma, file, pgoff+pglen)) {
32864 +- if (prev && addr < prev->vm_end) /* case 4 */
32865 ++ if (prev && addr < prev->vm_end) { /* case 4 */
32866 + vma_adjust(prev, prev->vm_start,
32867 + addr, prev->vm_pgoff, NULL);
32868 +- else /* cases 3, 8 */
32869 ++
32870 ++#ifdef CONFIG_PAX_SEGMEXEC
32871 ++ if (prev_m)
32872 ++ vma_adjust(prev_m, prev_m->vm_start,
32873 ++ addr_m, prev_m->vm_pgoff, NULL);
32874 ++#endif
32875 ++
32876 ++ } else { /* cases 3, 8 */
32877 + vma_adjust(area, addr, next->vm_end,
32878 + next->vm_pgoff - pglen, NULL);
32879 ++
32880 ++#ifdef CONFIG_PAX_SEGMEXEC
32881 ++ if (area_m)
32882 ++ vma_adjust(area_m, addr_m, next_m->vm_end,
32883 ++ next_m->vm_pgoff - pglen, NULL);
32884 ++#endif
32885 ++
32886 ++ }
32887 + return area;
32888 + }
32889 +
32890 +@@ -871,14 +954,11 @@ none:
32891 + void vm_stat_account(struct mm_struct *mm, unsigned long flags,
32892 + struct file *file, long pages)
32893 + {
32894 +- const unsigned long stack_flags
32895 +- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
32896 +-
32897 + if (file) {
32898 + mm->shared_vm += pages;
32899 + if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
32900 + mm->exec_vm += pages;
32901 +- } else if (flags & stack_flags)
32902 ++ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
32903 + mm->stack_vm += pages;
32904 + if (flags & (VM_RESERVED|VM_IO))
32905 + mm->reserved_vm += pages;
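Review bot: this hunk changes accounting semantics and is unrelated to mirroring. Upstream masks with `VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN)`, so only mappings growing in the direction the architecture's stack actually grows are counted in stack_vm; the replacement counts every VM_GROWSUP or VM_GROWSDOWN mapping. That alters what VmStk reports in /proc/<pid>/status on architectures where the two differ; if the change is intentional (e.g. because the mirror/stack code creates the other kind), say so in the patch description, otherwise split it out.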
32906 +@@ -906,22 +986,22 @@ unsigned long do_mmap_pgoff(struct file
32907 + * (the exception is when the underlying filesystem is noexec
32908 + * mounted, in which case we dont add PROT_EXEC.)
32909 + */
32910 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
32911 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
32912 + if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
32913 + prot |= PROT_EXEC;
32914 +
32915 + if (!len)
32916 + return -EINVAL;
32917 +
32918 +- error = arch_mmap_check(addr, len, flags);
32919 +- if (error)
32920 +- return error;
32921 +-
32922 + /* Careful about overflows.. */
32923 + len = PAGE_ALIGN(len);
32924 + if (!len || len > TASK_SIZE)
32925 + return -ENOMEM;
32926 +
32927 ++ error = arch_mmap_check(addr, len, flags);
32928 ++ if (error)
32929 ++ return error;
32930 ++
32931 + /* offset overflow? */
32932 + if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
32933 + return -EOVERFLOW;
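Review bot: two separate changes are folded into this hunk. Extending READ_IMPLIES_EXEC from `PROT_READ` to `PROT_READ | PROT_WRITE` is not explained anywhere; write-only mappings are readable on x86 anyway, but the personality semantics change for other callers, so add a comment stating why PROT_WRITE-only mappings must also imply exec. Moving arch_mmap_check() after `len = PAGE_ALIGN(len)` is a genuine improvement (the arch check now sees the aligned, overflow-checked length) and would be worth sending upstream on its own.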
32934 +@@ -933,7 +1013,7 @@ unsigned long do_mmap_pgoff(struct file
32935 + /* Obtain the address to map to. we verify (or select) it and ensure
32936 + * that it represents a valid section of the address space.
32937 + */
32938 +- addr = get_unmapped_area(file, addr, len, pgoff, flags);
32939 ++ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
32940 + if (addr & ~PAGE_MASK)
32941 + return addr;
32942 +
32943 +@@ -944,6 +1024,26 @@ unsigned long do_mmap_pgoff(struct file
32944 + vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
32945 + mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
32946 +
32947 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32948 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
32949 ++
32950 ++#ifdef CONFIG_PAX_MPROTECT
32951 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
32952 ++ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
32953 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
32954 ++ else
32955 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
32956 ++ }
32957 ++#endif
32958 ++
32959 ++ }
32960 ++#endif
32961 ++
32962 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
32963 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
32964 ++ vm_flags &= ~VM_PAGEEXEC;
32965 ++#endif
32966 ++
32967 + if (flags & MAP_LOCKED) {
32968 + if (!can_do_mlock())
32969 + return -EPERM;
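Review bot: under MF_PAX_MPROTECT a request for PROT_WRITE|PROT_EXEC silently loses VM_EXEC and VM_MAYEXEC, and an exec-only request loses VM_WRITE and VM_MAYWRITE; no error is returned, so the application cannot tell its mapping differs from what it asked for. That is the documented PaX policy, but it deserves a comment here, and the outer `if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))` block is empty when CONFIG_PAX_MPROTECT is off. The `vm_flags &= ~VM_PAGEEXEC` for file mappings is undone after `file->f_op->mmap` in a later hunk; a cross-reference comment at both sites would make the pairing obvious.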
32970 +@@ -956,6 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
32971 + locked += mm->locked_vm;
32972 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
32973 + lock_limit >>= PAGE_SHIFT;
32974 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
32975 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
32976 + return -EAGAIN;
32977 + }
32978 +@@ -1024,6 +1125,9 @@ unsigned long do_mmap_pgoff(struct file
32979 + if (error)
32980 + return error;
32981 +
32982 ++ if (!gr_acl_handle_mmap(file, prot))
32983 ++ return -EACCES;
32984 ++
32985 + return mmap_region(file, addr, len, flags, vm_flags, pgoff,
32986 + accountable);
32987 + }
32988 +@@ -1037,10 +1141,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
32989 + */
32990 + int vma_wants_writenotify(struct vm_area_struct *vma)
32991 + {
32992 +- unsigned int vm_flags = vma->vm_flags;
32993 ++ unsigned long vm_flags = vma->vm_flags;
32994 +
32995 + /* If it was private or non-writable, the write bit is already clear */
32996 +- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
32997 ++ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
32998 + return 0;
32999 +
33000 + /* The backer wishes to know when pages are first written to? */
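Review bot: the `unsigned int` to `unsigned long` change for the local vm_flags copy in vma_wants_writenotify (and the redundant-parentheses cleanup) are unrelated hygiene fixes bundled into a PaX patch. They are correct (vm_flags is an unsigned long and truncating it would drop any high bits such as the new VM_PAGEEXEC), but a one-line mention in the patch description would save the next rebase from wondering why they are here.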
33001 +@@ -1049,8 +1153,7 @@ int vma_wants_writenotify(struct vm_area
33002 +
33003 + /* The open routine did something to the protections already? */
33004 + if (pgprot_val(vma->vm_page_prot) !=
33005 +- pgprot_val(protection_map[vm_flags &
33006 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]))
33007 ++ pgprot_val(vm_get_page_prot(vm_flags)))
33008 + return 0;
33009 +
33010 + /* Specialty mapping? */
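Review bot: replacing the open-coded `protection_map[vm_flags & (...)]` lookups with vm_get_page_prot(vm_flags) is a worthwhile cleanup and the same conversion is repeated in mmap_region and do_brk below, but make sure vm_get_page_prot() in this tree applies the same mask (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED) and any PaX-added bits consistently, since VM_PAGEEXEC is now expected to influence vm_page_prot.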
33011 +@@ -1076,14 +1179,24 @@ unsigned long mmap_region(struct file *f
33012 + unsigned long charged = 0;
33013 + struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
33014 +
33015 ++#ifdef CONFIG_PAX_SEGMEXEC
33016 ++ struct vm_area_struct *vma_m = NULL;
33017 ++#endif
33018 ++
33019 ++ /*
33020 ++ * mm->mmap_sem is required to protect against another thread
33021 ++ * changing the mappings in case we sleep.
33022 ++ */
33023 ++ verify_mm_writelocked(mm);
33024 ++
33025 + /* Clear old maps */
33026 + error = -ENOMEM;
33027 +-munmap_back:
33028 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33029 + if (vma && vma->vm_start < addr + len) {
33030 + if (do_munmap(mm, addr, len))
33031 + return -ENOMEM;
33032 +- goto munmap_back;
33033 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33034 ++ BUG_ON(vma && vma->vm_start < addr + len);
33035 + }
33036 +
33037 + /* Check against address space limit. */
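Review bot: the `goto munmap_back` retry loop is replaced by one re-lookup plus `BUG_ON(vma && vma->vm_start < addr + len)`. A successful do_munmap() should leave the range empty, so the loop was a can't-happen loop, but the BUG_ON turns any future inconsistency into a panic; WARN_ON plus `return -ENOMEM` would be the safer failure. Separately, verify_mm_writelocked(mm) is now called here although the only definition visible in this patch is the static inline that is deleted further down (sys_munmap hunk); the definition must have been moved above mmap_region, so please confirm that hunk is present.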
33038 +@@ -1127,12 +1240,22 @@ munmap_back:
33039 + goto unacct_error;
33040 + }
33041 +
33042 ++#ifdef CONFIG_PAX_SEGMEXEC
33043 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
33044 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33045 ++ if (!vma_m) {
33046 ++ kmem_cache_free(vm_area_cachep, vma);
33047 ++ error = -ENOMEM;
33048 ++ goto unacct_error;
33049 ++ }
33050 ++ }
33051 ++#endif
33052 ++
33053 + vma->vm_mm = mm;
33054 + vma->vm_start = addr;
33055 + vma->vm_end = addr + len;
33056 + vma->vm_flags = vm_flags;
33057 +- vma->vm_page_prot = protection_map[vm_flags &
33058 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
33059 ++ vma->vm_page_prot = vm_get_page_prot(vm_flags);
33060 + vma->vm_pgoff = pgoff;
33061 +
33062 + if (file) {
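Review bot: vma_m is allocated with kmem_cache_zalloc() but pax_mirror_vma() later overwrites the whole structure with `*vma_m = *vma`, so the zero-fill is redundant; kmem_cache_alloc() suffices. More importantly, the decision to allocate is taken on `vm_flags` before `file->f_op->mmap` runs, while the later pax_mirror_vma() call asserts on the post-callback `vma->vm_flags`; see the note on that hunk.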
33063 +@@ -1150,6 +1273,14 @@ munmap_back:
33064 + error = file->f_op->mmap(file, vma);
33065 + if (error)
33066 + goto unmap_and_free_vma;
33067 ++
33068 ++#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
33069 ++ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
33070 ++ vma->vm_flags |= VM_PAGEEXEC;
33071 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
33072 ++ }
33073 ++#endif
33074 ++
33075 + } else if (vm_flags & VM_SHARED) {
33076 + error = shmem_zero_setup(vma);
33077 + if (error)
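Review bot: this restores VM_PAGEEXEC after the driver's mmap callback unless the driver marked the vma VM_SPECIAL, undoing the `vm_flags &= ~VM_PAGEEXEC` done earlier in do_mmap_pgoff for file mappings. The reason (drivers that install their own page protections must not get the PaX non-exec PTE encoding) is not stated at either site; add a comment, and note that recomputing vm_page_prot here is fine only because the vma_wants_writenotify() recomputation still follows.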
33078 +@@ -1174,13 +1305,18 @@ munmap_back:
33079 + vm_flags = vma->vm_flags;
33080 +
33081 + if (vma_wants_writenotify(vma))
33082 +- vma->vm_page_prot =
33083 +- protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC)];
33084 ++ vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
33085 +
33086 + if (!file || !vma_merge(mm, prev, addr, vma->vm_end,
33087 + vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
33088 + file = vma->vm_file;
33089 + vma_link(mm, vma, prev, rb_link, rb_parent);
33090 ++
33091 ++#ifdef CONFIG_PAX_SEGMEXEC
33092 ++ if (vma_m)
33093 ++ pax_mirror_vma(vma_m, vma);
33094 ++#endif
33095 ++
33096 + if (correct_wcount)
33097 + atomic_inc(&inode->i_writecount);
33098 + } else {
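Review bot: `pax_mirror_vma(vma_m, vma)` is reached after `file->f_op->mmap` has had a chance to rewrite vma->vm_flags, and pax_mirror_vma (defined in the copy_vma hunk below) does `BUG_ON(... !(vma->vm_flags & VM_EXEC))`. vma_m was allocated based on the pre-callback vm_flags, so a driver that clears VM_EXEC on its vma would panic the kernel here. Re-test `vma->vm_flags & VM_EXEC` before mirroring and free vma_m if it was cleared.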
33099 +@@ -1191,10 +1327,12 @@ munmap_back:
33100 + }
33101 + mpol_free(vma_policy(vma));
33102 + kmem_cache_free(vm_area_cachep, vma);
33103 ++ vma = NULL;
33104 + }
33105 + out:
33106 + mm->total_vm += len >> PAGE_SHIFT;
33107 + vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
33108 ++ track_exec_limit(mm, addr, addr + len, vm_flags);
33109 + if (vm_flags & VM_LOCKED) {
33110 + mm->locked_vm += len >> PAGE_SHIFT;
33111 + make_pages_present(addr, addr + len);
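Review bot: in the `else` branch (vma_merge succeeded, the new vma is freed and `vma = NULL`), vma_m allocated earlier for a SEGMEXEC executable file mapping is not released in the visible lines; the mirror of the merged neighbour was already extended inside vma_merge, so vma_m is simply leaked on every successful merge. Add `if (vma_m) kmem_cache_free(vm_area_cachep, vma_m);` in that branch, mirroring what the free_vma error path does.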
33112 +@@ -1213,6 +1351,12 @@ unmap_and_free_vma:
33113 + unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
33114 + charged = 0;
33115 + free_vma:
33116 ++
33117 ++#ifdef CONFIG_PAX_SEGMEXEC
33118 ++ if (vma_m)
33119 ++ kmem_cache_free(vm_area_cachep, vma_m);
33120 ++#endif
33121 ++
33122 + kmem_cache_free(vm_area_cachep, vma);
33123 + unacct_error:
33124 + if (charged)
33125 +@@ -1246,6 +1390,10 @@ arch_get_unmapped_area(struct file *filp
33126 + if (flags & MAP_FIXED)
33127 + return addr;
33128 +
33129 ++#ifdef CONFIG_PAX_RANDMMAP
33130 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33131 ++#endif
33132 ++
33133 + if (addr) {
33134 + addr = PAGE_ALIGN(addr);
33135 + vma = find_vma(mm, addr);
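Review bot: the RANDMMAP guard is a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` under `#ifdef` whose body is the following `if (addr) { ... }` statement. That is fragile: anyone inserting a statement between the two silently changes what the guard controls, and it reads as a dangling if. Fold the condition into the next test, e.g. an `int honour_hint` computed under the ifdef and then `if (honour_hint && addr) {`.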
33136 +@@ -1254,10 +1402,10 @@ arch_get_unmapped_area(struct file *filp
33137 + return addr;
33138 + }
33139 + if (len > mm->cached_hole_size) {
33140 +- start_addr = addr = mm->free_area_cache;
33141 ++ start_addr = addr = mm->free_area_cache;
33142 + } else {
33143 +- start_addr = addr = TASK_UNMAPPED_BASE;
33144 +- mm->cached_hole_size = 0;
33145 ++ start_addr = addr = mm->mmap_base;
33146 ++ mm->cached_hole_size = 0;
33147 + }
33148 +
33149 + full_search:
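Review bot: the only substantive change here is `TASK_UNMAPPED_BASE` to `mm->mmap_base` (needed so randomised bases are honoured); the `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines differ from upstream by whitespace only and add noise to the diff. Drop those whitespace changes.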
33150 +@@ -1268,9 +1416,8 @@ full_search:
33151 + * Start a new search - just in case we missed
33152 + * some holes.
33153 + */
33154 +- if (start_addr != TASK_UNMAPPED_BASE) {
33155 +- addr = TASK_UNMAPPED_BASE;
33156 +- start_addr = addr;
33157 ++ if (start_addr != mm->mmap_base) {
33158 ++ start_addr = addr = mm->mmap_base;
33159 + mm->cached_hole_size = 0;
33160 + goto full_search;
33161 + }
33162 +@@ -1292,10 +1439,16 @@ full_search:
33163 +
33164 + void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
33165 + {
33166 ++
33167 ++#ifdef CONFIG_PAX_SEGMEXEC
33168 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
33169 ++ return;
33170 ++#endif
33171 ++
33172 + /*
33173 + * Is this a new hole at the lowest possible address?
33174 + */
33175 +- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
33176 ++ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
33177 + mm->free_area_cache = addr;
33178 + mm->cached_hole_size = ~0UL;
33179 + }
33180 +@@ -1313,7 +1466,7 @@ arch_get_unmapped_area_topdown(struct fi
33181 + {
33182 + struct vm_area_struct *vma;
33183 + struct mm_struct *mm = current->mm;
33184 +- unsigned long addr = addr0;
33185 ++ unsigned long base = mm->mmap_base, addr = addr0;
33186 +
33187 + /* requested length too big for entire address space */
33188 + if (len > TASK_SIZE)
33189 +@@ -1322,6 +1475,10 @@ arch_get_unmapped_area_topdown(struct fi
33190 + if (flags & MAP_FIXED)
33191 + return addr;
33192 +
33193 ++#ifdef CONFIG_PAX_RANDMMAP
33194 ++ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33195 ++#endif
33196 ++
33197 + /* requesting a specific address */
33198 + if (addr) {
33199 + addr = PAGE_ALIGN(addr);
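Review bot: same dangling-if construction as in arch_get_unmapped_area: the `#ifdef CONFIG_PAX_RANDMMAP` `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` controls the following `if (addr) {` block only by adjacency. Express it as a single combined condition in both places.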
33200 +@@ -1379,13 +1536,21 @@ bottomup:
33201 + * can happen with large stack limits and large mmap()
33202 + * allocations.
33203 + */
33204 ++ mm->mmap_base = TASK_UNMAPPED_BASE;
33205 ++
33206 ++#ifdef CONFIG_PAX_RANDMMAP
33207 ++ if (mm->pax_flags & MF_PAX_RANDMMAP)
33208 ++ mm->mmap_base += mm->delta_mmap;
33209 ++#endif
33210 ++
33211 ++ mm->free_area_cache = mm->mmap_base;
33212 + mm->cached_hole_size = ~0UL;
33213 +- mm->free_area_cache = TASK_UNMAPPED_BASE;
33214 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
33215 + /*
33216 + * Restore the topdown base:
33217 + */
33218 +- mm->free_area_cache = mm->mmap_base;
33219 ++ mm->mmap_base = base;
33220 ++ mm->free_area_cache = base;
33221 + mm->cached_hole_size = ~0UL;
33222 +
33223 + return addr;
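Review bot: the bottom-up fallback now temporarily overwrites mm->mmap_base (with the RANDMMAP delta applied) before calling arch_get_unmapped_area and restores it from the saved `base` afterwards. That is only safe because mmap_sem is held for write around this function; anyone reading mm->mmap_base under the read lock would see the transient value. State that in a comment, or better, pass the base into the bottom-up search instead of mutating the mm.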
33224 +@@ -1394,6 +1559,12 @@ bottomup:
33225 +
33226 + void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
33227 + {
33228 ++
33229 ++#ifdef CONFIG_PAX_SEGMEXEC
33230 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
33231 ++ return;
33232 ++#endif
33233 ++
33234 + /*
33235 + * Is this a new hole at the highest possible address?
33236 + */
33237 +@@ -1401,8 +1572,10 @@ void arch_unmap_area_topdown(struct mm_s
33238 + mm->free_area_cache = addr;
33239 +
33240 + /* dont allow allocations above current base */
33241 +- if (mm->free_area_cache > mm->mmap_base)
33242 ++ if (mm->free_area_cache > mm->mmap_base) {
33243 + mm->free_area_cache = mm->mmap_base;
33244 ++ mm->cached_hole_size = ~0UL;
33245 ++ }
33246 + }
33247 +
33248 + unsigned long
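Review bot: resetting `mm->cached_hole_size = ~0UL` when free_area_cache is clamped back to mmap_base is a correctness fix independent of PaX (a stale cached_hole_size could otherwise make the top-down search skip a valid hole). It belongs in its own patch against mainline rather than buried in 4465_pax-vma-mirroring-fixes.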
33249 +@@ -1502,6 +1675,32 @@ out:
33250 + return prev ? prev->vm_next : vma;
33251 + }
33252 +
33253 ++#ifdef CONFIG_PAX_SEGMEXEC
33254 ++struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
33255 ++{
33256 ++ struct vm_area_struct *vma_m;
33257 ++
33258 ++ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
33259 ++ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
33260 ++ BUG_ON(vma->vm_mirror);
33261 ++ return NULL;
33262 ++ }
33263 ++ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
33264 ++ vma_m = vma->vm_mirror;
33265 ++ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
33266 ++ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
33267 ++ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
33268 ++
33269 ++#ifdef CONFIG_PAX_MPROTECT
33270 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
33271 ++#else
33272 ++ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
33273 ++#endif
33274 ++
33275 ++ return vma_m;
33276 ++}
33277 ++#endif
33278 ++
33279 + /*
33280 + * Verify that the stack growth is acceptable and
33281 + * update accounting. This is shared with both the
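Review bot: `BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1)` relies on unsigned wraparound to detect a vma straddling SEGMEXEC_TASK_SIZE; it also fires for a vma whose vm_start is exactly SEGMEXEC_TASK_SIZE, i.e. the mirror of a mapping at address 0, if such a vma is ever passed in. Write it as an explicit range check (`vm_start < SEGMEXEC_TASK_SIZE && vm_end > SEGMEXEC_TASK_SIZE`) with a comment. More generally this helper is eight BUG_ONs and one load; since it is called from vma_merge, split_vma and expand_downwards, consider guarding the invariant checks with CONFIG_DEBUG_VM.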
33282 +@@ -1518,6 +1717,7 @@ static int acct_stack_growth(struct vm_a
33283 + return -ENOMEM;
33284 +
33285 + /* Stack limit test */
33286 ++ gr_learn_resource(current, RLIMIT_STACK, size, 1);
33287 + if (size > rlim[RLIMIT_STACK].rlim_cur)
33288 + return -ENOMEM;
33289 +
33290 +@@ -1527,6 +1727,7 @@ static int acct_stack_growth(struct vm_a
33291 + unsigned long limit;
33292 + locked = mm->locked_vm + grow;
33293 + limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
33294 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
33295 + if (locked > limit && !capable(CAP_IPC_LOCK))
33296 + return -ENOMEM;
33297 + }
33298 +@@ -1562,35 +1763,40 @@ static inline
33299 + #endif
33300 + int expand_upwards(struct vm_area_struct *vma, unsigned long address)
33301 + {
33302 +- int error;
33303 ++ int error, locknext;
33304 +
33305 + if (!(vma->vm_flags & VM_GROWSUP))
33306 + return -EFAULT;
33307 +
33308 ++ /* Also guard against wrapping around to address 0. */
33309 ++ if (address < PAGE_ALIGN(address+1))
33310 ++ address = PAGE_ALIGN(address+1);
33311 ++ else
33312 ++ return -ENOMEM;
33313 ++
33314 + /*
33315 + * We must make sure the anon_vma is allocated
33316 + * so that the anon_vma locking is not a noop.
33317 + */
33318 + if (unlikely(anon_vma_prepare(vma)))
33319 + return -ENOMEM;
33320 ++ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
33321 ++ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
33322 ++ return -ENOMEM;
33323 + anon_vma_lock(vma);
33324 ++ if (locknext)
33325 ++ anon_vma_lock(vma->vm_next);
33326 +
33327 + /*
33328 + * vma->vm_start/vm_end cannot change under us because the caller
33329 + * is required to hold the mmap_sem in read mode. We need the
33330 +- * anon_vma lock to serialize against concurrent expand_stacks.
33331 +- * Also guard against wrapping around to address 0.
33332 ++ * anon_vma locks to serialize against concurrent expand_stacks
33333 ++ * and expand_upwards.
33334 + */
33335 +- if (address < PAGE_ALIGN(address+4))
33336 +- address = PAGE_ALIGN(address+4);
33337 +- else {
33338 +- anon_vma_unlock(vma);
33339 +- return -ENOMEM;
33340 +- }
33341 + error = 0;
33342 +
33343 + /* Somebody else might have raced and expanded it already */
33344 +- if (address > vma->vm_end) {
33345 ++ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
33346 + unsigned long size, grow;
33347 +
33348 + size = address - vma->vm_start;
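Review bot: two points on expand_upwards. First, when the next vma is VM_GROWSDOWN and has already grown below `address`, the new condition `(!locknext || vma->vm_next->vm_start >= address)` skips the expansion but the function still returns `error = 0`; a caller treating 0 as success will then fault a page into a vma that does not cover `address`. Return -ENOMEM in that case instead. Second, the lock order (vma's anon_vma first, then vma->vm_next's) matches expand_downwards (prev first, then vma), i.e. lower address first, so there is no ABBA; please record that ordering in the comment since it is what makes the dual locking safe. The `address+4` to `address+1` change in the wrap guard is harmless (a 4-byte access straddling the page boundary simply faults once more).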
33349 +@@ -1600,6 +1806,8 @@ int expand_upwards(struct vm_area_struct
33350 + if (!error)
33351 + vma->vm_end = address;
33352 + }
33353 ++ if (locknext)
33354 ++ anon_vma_unlock(vma->vm_next);
33355 + anon_vma_unlock(vma);
33356 + return error;
33357 + }
33358 +@@ -1611,7 +1819,8 @@ int expand_upwards(struct vm_area_struct
33359 + static inline int expand_downwards(struct vm_area_struct *vma,
33360 + unsigned long address)
33361 + {
33362 +- int error;
33363 ++ int error, lockprev = 0;
33364 ++ struct vm_area_struct *prev = NULL;
33365 +
33366 + /*
33367 + * We must make sure the anon_vma is allocated
33368 +@@ -1625,6 +1834,15 @@ static inline int expand_downwards(struc
33369 + if (error)
33370 + return error;
33371 +
33372 ++#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
33373 ++ find_vma_prev(address, &prev);
33374 ++ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
33375 ++#endif
33376 ++ if (lockprev && unlikely(anon_vma_prepare(prev)))
33377 ++ return -ENOMEM;
33378 ++ if (lockprev)
33379 ++ anon_vma_lock(prev);
33380 ++
33381 + anon_vma_lock(vma);
33382 +
33383 + /*
33384 +@@ -1634,9 +1852,15 @@ static inline int expand_downwards(struc
33385 + */
33386 +
33387 + /* Somebody else might have raced and expanded it already */
33388 +- if (address < vma->vm_start) {
33389 ++ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
33390 + unsigned long size, grow;
33391 +
33392 ++#ifdef CONFIG_PAX_SEGMEXEC
33393 ++ struct vm_area_struct *vma_m;
33394 ++
33395 ++ vma_m = pax_find_mirror_vma(vma);
33396 ++#endif
33397 ++
33398 + size = vma->vm_end - address;
33399 + grow = (vma->vm_start - address) >> PAGE_SHIFT;
33400 +
33401 +@@ -1644,9 +1868,20 @@ static inline int expand_downwards(struc
33402 + if (!error) {
33403 + vma->vm_start = address;
33404 + vma->vm_pgoff -= grow;
33405 ++ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
33406 ++
33407 ++#ifdef CONFIG_PAX_SEGMEXEC
33408 ++ if (vma_m) {
33409 ++ vma_m->vm_start -= grow << PAGE_SHIFT;
33410 ++ vma_m->vm_pgoff -= grow;
33411 ++ }
33412 ++#endif
33413 ++
33414 + }
33415 + }
33416 + anon_vma_unlock(vma);
33417 ++ if (lockprev)
33418 ++ anon_vma_unlock(prev);
33419 + return error;
33420 + }
33421 +
33422 +@@ -1718,6 +1953,13 @@ static void remove_vma_list(struct mm_st
33423 + do {
33424 + long nrpages = vma_pages(vma);
33425 +
33426 ++#ifdef CONFIG_PAX_SEGMEXEC
33427 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
33428 ++ vma = remove_vma(vma);
33429 ++ continue;
33430 ++ }
33431 ++#endif
33432 ++
33433 + mm->total_vm -= nrpages;
33434 + if (vma->vm_flags & VM_LOCKED)
33435 + mm->locked_vm -= nrpages;
33436 +@@ -1764,6 +2006,16 @@ detach_vmas_to_be_unmapped(struct mm_str
33437 +
33438 + insertion_point = (prev ? &prev->vm_next : &mm->mmap);
33439 + do {
33440 ++
33441 ++#ifdef CONFIG_PAX_SEGMEXEC
33442 ++ if (vma->vm_mirror) {
33443 ++ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
33444 ++ vma->vm_mirror->vm_mirror = NULL;
33445 ++ vma->vm_mirror->vm_flags &= ~VM_EXEC;
33446 ++ vma->vm_mirror = NULL;
33447 ++ }
33448 ++#endif
33449 ++
33450 + rb_erase(&vma->vm_rb, &mm->mm_rb);
33451 + mm->map_count--;
33452 + tail_vma = vma;
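Review bot: when a vma is detached its partner loses `VM_EXEC` via `vma->vm_mirror->vm_flags &= ~VM_EXEC`, but the partner's vm_page_prot and page tables are not touched. This is tolerable only because do_munmap unmaps both halves back to back, so the partner is itself about to be detached; a comment saying the state is transient and must never be observed outside do_munmap would prevent someone reusing this helper for a single-half unmap.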
33453 +@@ -1783,6 +2035,112 @@ detach_vmas_to_be_unmapped(struct mm_str
33454 + * Split a vma into two pieces at address 'addr', a new vma is allocated
33455 + * either for the first part or the tail.
33456 + */
33457 ++
33458 ++#ifdef CONFIG_PAX_SEGMEXEC
33459 ++int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
33460 ++ unsigned long addr, int new_below)
33461 ++{
33462 ++ struct mempolicy *pol, *pol_m;
33463 ++ struct vm_area_struct *new, *vma_m, *new_m = NULL;
33464 ++ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
33465 ++
33466 ++ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
33467 ++ return -EINVAL;
33468 ++
33469 ++ vma_m = pax_find_mirror_vma(vma);
33470 ++ if (vma_m) {
33471 ++ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
33472 ++ if (mm->map_count >= sysctl_max_map_count-1)
33473 ++ return -ENOMEM;
33474 ++ } else if (mm->map_count >= sysctl_max_map_count)
33475 ++ return -ENOMEM;
33476 ++
33477 ++ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
33478 ++ if (!new)
33479 ++ return -ENOMEM;
33480 ++
33481 ++ if (vma_m) {
33482 ++ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
33483 ++ if (!new_m) {
33484 ++ kmem_cache_free(vm_area_cachep, new);
33485 ++ return -ENOMEM;
33486 ++ }
33487 ++ }
33488 ++
33489 ++ /* most fields are the same, copy all, and then fixup */
33490 ++ *new = *vma;
33491 ++
33492 ++ if (new_below)
33493 ++ new->vm_end = addr;
33494 ++ else {
33495 ++ new->vm_start = addr;
33496 ++ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
33497 ++ }
33498 ++
33499 ++ if (vma_m) {
33500 ++ *new_m = *vma_m;
33501 ++ new_m->vm_mirror = new;
33502 ++ new->vm_mirror = new_m;
33503 ++
33504 ++ if (new_below)
33505 ++ new_m->vm_end = addr_m;
33506 ++ else {
33507 ++ new_m->vm_start = addr_m;
33508 ++ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
33509 ++ }
33510 ++ }
33511 ++
33512 ++ pol = mpol_copy(vma_policy(vma));
33513 ++ if (IS_ERR(pol)) {
33514 ++ if (new_m)
33515 ++ kmem_cache_free(vm_area_cachep, new_m);
33516 ++ kmem_cache_free(vm_area_cachep, new);
33517 ++ return PTR_ERR(pol);
33518 ++ }
33519 ++
33520 ++ if (vma_m) {
33521 ++ pol_m = mpol_copy(vma_policy(vma_m));
33522 ++ if (IS_ERR(pol_m)) {
33523 ++ mpol_free(pol);
33524 ++ kmem_cache_free(vm_area_cachep, new_m);
33525 ++ kmem_cache_free(vm_area_cachep, new);
33526 ++ return PTR_ERR(pol);
33527 ++ }
33528 ++ }
33529 ++
33530 ++ vma_set_policy(new, pol);
33531 ++
33532 ++ if (new->vm_file)
33533 ++ get_file(new->vm_file);
33534 ++
33535 ++ if (new->vm_ops && new->vm_ops->open)
33536 ++ new->vm_ops->open(new);
33537 ++
33538 ++ if (new_below)
33539 ++ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
33540 ++ ((addr - new->vm_start) >> PAGE_SHIFT), new);
33541 ++ else
33542 ++ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
33543 ++
33544 ++ if (vma_m) {
33545 ++ vma_set_policy(new_m, pol_m);
33546 ++
33547 ++ if (new_m->vm_file)
33548 ++ get_file(new_m->vm_file);
33549 ++
33550 ++ if (new_m->vm_ops && new_m->vm_ops->open)
33551 ++ new_m->vm_ops->open(new_m);
33552 ++
33553 ++ if (new_below)
33554 ++ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
33555 ++ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
33556 ++ else
33557 ++ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
33558 ++ }
33559 ++
33560 ++ return 0;
33561 ++}
33562 ++#else
33563 + int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
33564 + unsigned long addr, int new_below)
33565 + {
33566 +@@ -1830,17 +2188,37 @@ int split_vma(struct mm_struct * mm, str
33567 +
33568 + return 0;
33569 + }
33570 ++#endif
33571 +
33572 + /* Munmap is split into 2 main parts -- this part which finds
33573 + * what needs doing, and the areas themselves, which do the
33574 + * work. This now handles partial unmappings.
33575 + * Jeremy Fitzhardinge <jeremy@××××.org>
33576 + */
33577 ++#ifdef CONFIG_PAX_SEGMEXEC
33578 + int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33579 + {
33580 ++ int ret = __do_munmap(mm, start, len);
33581 ++ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
33582 ++ return ret;
33583 ++
33584 ++ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
33585 ++}
33586 ++
33587 ++int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33588 ++#else
33589 ++int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
33590 ++#endif
33591 ++{
33592 + unsigned long end;
33593 + struct vm_area_struct *vma, *prev, *last;
33594 +
33595 ++ /*
33596 ++ * mm->mmap_sem is required to protect against another thread
33597 ++ * changing the mappings in case we sleep.
33598 ++ */
33599 ++ verify_mm_writelocked(mm);
33600 ++
33601 + if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
33602 + return -EINVAL;
33603 +
33604 +@@ -1890,6 +2268,8 @@ int do_munmap(struct mm_struct *mm, unsi
33605 + /* Fix up all other VM information */
33606 + remove_vma_list(mm, vma);
33607 +
33608 ++ track_exec_limit(mm, start, end, 0UL);
33609 ++
33610 + return 0;
33611 + }
33612 +
33613 +@@ -1902,22 +2282,18 @@ asmlinkage long sys_munmap(unsigned long
33614 +
33615 + profile_munmap(addr);
33616 +
33617 ++#ifdef CONFIG_PAX_SEGMEXEC
33618 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
33619 ++ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
33620 ++ return -EINVAL;
33621 ++#endif
33622 ++
33623 + down_write(&mm->mmap_sem);
33624 + ret = do_munmap(mm, addr, len);
33625 + up_write(&mm->mmap_sem);
33626 + return ret;
33627 + }
33628 +
33629 +-static inline void verify_mm_writelocked(struct mm_struct *mm)
33630 +-{
33631 +-#ifdef CONFIG_DEBUG_VM
33632 +- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
33633 +- WARN_ON(1);
33634 +- up_read(&mm->mmap_sem);
33635 +- }
33636 +-#endif
33637 +-}
33638 +-
33639 + /*
33640 + * this is really a simplified "do_mmap". it only handles
33641 + * anonymous maps. eventually we may be able to do some
33642 +@@ -1931,6 +2307,11 @@ unsigned long do_brk(unsigned long addr,
33643 + struct rb_node ** rb_link, * rb_parent;
33644 + pgoff_t pgoff = addr >> PAGE_SHIFT;
33645 + int error;
33646 ++ unsigned long charged;
33647 ++
33648 ++#ifdef CONFIG_PAX_SEGMEXEC
33649 ++ struct vm_area_struct *vma_m = NULL;
33650 ++#endif
33651 +
33652 + len = PAGE_ALIGN(len);
33653 + if (!len)
33654 +@@ -1948,19 +2329,34 @@ unsigned long do_brk(unsigned long addr,
33655 +
33656 + flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
33657 +
33658 ++#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33659 ++ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
33660 ++ flags &= ~VM_EXEC;
33661 ++
33662 ++#ifdef CONFIG_PAX_MPROTECT
33663 ++ if (mm->pax_flags & MF_PAX_MPROTECT)
33664 ++ flags &= ~VM_MAYEXEC;
33665 ++#endif
33666 ++
33667 ++ }
33668 ++#endif
33669 ++
33670 + error = arch_mmap_check(addr, len, flags);
33671 + if (error)
33672 + return error;
33673 +
33674 ++ charged = len >> PAGE_SHIFT;
33675 ++
33676 + /*
33677 + * mlock MCL_FUTURE?
33678 + */
33679 + if (mm->def_flags & VM_LOCKED) {
33680 + unsigned long locked, lock_limit;
33681 +- locked = len >> PAGE_SHIFT;
33682 ++ locked = charged;
33683 + locked += mm->locked_vm;
33684 + lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
33685 + lock_limit >>= PAGE_SHIFT;
33686 ++ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
33687 + if (locked > lock_limit && !capable(CAP_IPC_LOCK))
33688 + return -EAGAIN;
33689 + }
33690 +@@ -1974,22 +2370,22 @@ unsigned long do_brk(unsigned long addr,
33691 + /*
33692 + * Clear old maps. this also does some error checking for us
33693 + */
33694 +- munmap_back:
33695 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33696 + if (vma && vma->vm_start < addr + len) {
33697 + if (do_munmap(mm, addr, len))
33698 + return -ENOMEM;
33699 +- goto munmap_back;
33700 ++ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
33701 ++ BUG_ON(vma && vma->vm_start < addr + len);
33702 + }
33703 +
33704 + /* Check against address space limits *after* clearing old maps... */
33705 +- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
33706 ++ if (!may_expand_vm(mm, charged))
33707 + return -ENOMEM;
33708 +
33709 + if (mm->map_count > sysctl_max_map_count)
33710 + return -ENOMEM;
33711 +
33712 +- if (security_vm_enough_memory(len >> PAGE_SHIFT))
33713 ++ if (security_vm_enough_memory(charged))
33714 + return -ENOMEM;
33715 +
33716 + /* Can we just expand an old private anonymous mapping? */
33717 +@@ -2002,24 +2398,41 @@ unsigned long do_brk(unsigned long addr,
33718 + */
33719 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33720 + if (!vma) {
33721 +- vm_unacct_memory(len >> PAGE_SHIFT);
33722 ++ vm_unacct_memory(charged);
33723 + return -ENOMEM;
33724 + }
33725 +
33726 ++#ifdef CONFIG_PAX_SEGMEXEC
33727 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
33728 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33729 ++ if (!vma_m) {
33730 ++ kmem_cache_free(vm_area_cachep, vma);
33731 ++ vm_unacct_memory(charged);
33732 ++ return -ENOMEM;
33733 ++ }
33734 ++ }
33735 ++#endif
33736 ++
33737 + vma->vm_mm = mm;
33738 + vma->vm_start = addr;
33739 + vma->vm_end = addr + len;
33740 + vma->vm_pgoff = pgoff;
33741 + vma->vm_flags = flags;
33742 +- vma->vm_page_prot = protection_map[flags &
33743 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
33744 ++ vma->vm_page_prot = vm_get_page_prot(flags);
33745 + vma_link(mm, vma, prev, rb_link, rb_parent);
33746 ++
33747 ++#ifdef CONFIG_PAX_SEGMEXEC
33748 ++ if (vma_m)
33749 ++ pax_mirror_vma(vma_m, vma);
33750 ++#endif
33751 ++
33752 + out:
33753 +- mm->total_vm += len >> PAGE_SHIFT;
33754 ++ mm->total_vm += charged;
33755 + if (flags & VM_LOCKED) {
33756 +- mm->locked_vm += len >> PAGE_SHIFT;
33757 ++ mm->locked_vm += charged;
33758 + make_pages_present(addr, addr + len);
33759 + }
33760 ++ track_exec_limit(mm, addr, addr + len, flags);
33761 + return addr;
33762 + }
33763 +
33764 +@@ -2050,8 +2463,10 @@ void exit_mmap(struct mm_struct *mm)
33765 + * Walk the list again, actually closing and freeing it,
33766 + * with preemption enabled, without holding any MM locks.
33767 + */
33768 +- while (vma)
33769 ++ while (vma) {
33770 ++ vma->vm_mirror = NULL;
33771 + vma = remove_vma(vma);
33772 ++ }
33773 +
33774 + BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
33775 + }
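Review bot: `vma->vm_mirror = NULL;` is written without a CONFIG_PAX_SEGMEXEC guard, while every other touch of vm_mirror in this patch (pax_mirror_vma and its BUG_ON) sits inside #ifdef CONFIG_PAX_SEGMEXEC; unless vm_area_struct carries the field unconditionally this breaks the build with SEGMEXEC disabled. Wrap the assignment in the same #ifdef.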
33776 +@@ -2065,6 +2480,10 @@ int insert_vm_struct(struct mm_struct *
33777 + struct vm_area_struct * __vma, * prev;
33778 + struct rb_node ** rb_link, * rb_parent;
33779 +
33780 ++#ifdef CONFIG_PAX_SEGMEXEC
33781 ++ struct vm_area_struct *vma_m = NULL;
33782 ++#endif
33783 ++
33784 + /*
33785 + * The vm_pgoff of a purely anonymous vma should be irrelevant
33786 + * until its first write fault, when page's anon_vma and index
33787 +@@ -2087,7 +2506,22 @@ int insert_vm_struct(struct mm_struct *
33788 + if ((vma->vm_flags & VM_ACCOUNT) &&
33789 + security_vm_enough_memory_mm(mm, vma_pages(vma)))
33790 + return -ENOMEM;
33791 ++
33792 ++#ifdef CONFIG_PAX_SEGMEXEC
33793 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
33794 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33795 ++ if (!vma_m)
33796 ++ return -ENOMEM;
33797 ++ }
33798 ++#endif
33799 ++
33800 + vma_link(mm, vma, prev, rb_link, rb_parent);
33801 ++
33802 ++#ifdef CONFIG_PAX_SEGMEXEC
33803 ++ if (vma_m)
33804 ++ pax_mirror_vma(vma_m, vma);
33805 ++#endif
33806 ++
33807 + return 0;
33808 + }
33809 +
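Review bot: if the vma_m allocation fails, the function returns -ENOMEM after security_vm_enough_memory_mm() two lines above has already charged vma_pages(vma) for a VM_ACCOUNT vma, so the commit charge leaks. The do_brk hunk above calls `vm_unacct_memory(charged)` on the same failure; do the equivalent here (`if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));`) before returning, or allocate vma_m before taking the charge.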
33810 +@@ -2145,6 +2579,30 @@ struct vm_area_struct *copy_vma(struct v
33811 + return new_vma;
33812 + }
33813 +
33814 ++#ifdef CONFIG_PAX_SEGMEXEC
33815 ++void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
33816 ++{
33817 ++ struct vm_area_struct *prev_m;
33818 ++ struct rb_node **rb_link_m, *rb_parent_m;
33819 ++
33820 ++ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
33821 ++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
33822 ++ *vma_m = *vma;
33823 ++ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
33824 ++ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
33825 ++ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
33826 ++ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
33827 ++ if (vma_m->vm_file)
33828 ++ get_file(vma_m->vm_file);
33829 ++ if (vma_m->vm_ops && vma_m->vm_ops->open)
33830 ++ vma_m->vm_ops->open(vma_m);
33831 ++ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
33832 ++ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
33833 ++ vma_m->vm_mirror = vma;
33834 ++ vma->vm_mirror = vma_m;
33835 ++}
33836 ++#endif
33837 ++
33838 + /*
33839 + * Return true if the calling process may expand its vm space by the passed
33840 + * number of pages
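Review bot: `BUG_ON(... || vma_policy(vma))` turns an executable mapping that carries a NUMA mempolicy into a kernel oops rather than a failed syscall, and pax_mirror_vma() returns void so it cannot report the condition. The callers already have an error path (they return -ENOMEM when kmem_cache_zalloc fails); check vma_policy(vma) there and return -EINVAL before allocating vma_m, leaving the BUG_ON as a pure invariant. The struct copy `*vma_m = *vma` also copies vm_next, vm_rb and anon_vma_node, which vma_link() then overwrites; a one-line comment saying that is intended would save the next reader a check.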
33841 +@@ -2155,7 +2613,7 @@ int may_expand_vm(struct mm_struct *mm,
33842 + unsigned long lim;
33843 +
33844 + lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
33845 +-
33846 ++ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
33847 + if (cur + npages > lim)
33848 + return 0;
33849 + return 1;
33850 +@@ -2167,7 +2625,7 @@ static struct page *special_mapping_nopa
33851 + {
33852 + struct page **pages;
33853 +
33854 +- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
33855 ++ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
33856 +
33857 + address -= vma->vm_start;
33858 + for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
33859 +@@ -2217,8 +2675,17 @@ int install_special_mapping(struct mm_st
33860 + vma->vm_start = addr;
33861 + vma->vm_end = addr + len;
33862 +
33863 ++#ifdef CONFIG_PAX_MPROTECT
33864 ++ if (mm->pax_flags & MF_PAX_MPROTECT) {
33865 ++ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
33866 ++ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
33867 ++ else
33868 ++ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
33869 ++ }
33870 ++#endif
33871 ++
33872 + vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
33873 +- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
33874 ++ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
33875 +
33876 + vma->vm_ops = &special_mapping_vmops;
33877 + vma->vm_private_data = pages;
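Review bot: the CONFIG_PAX_MPROTECT block silently rewrites the caller's requested protections (anything writable, or neither writable nor executable, loses VM_EXEC|VM_MAYEXEC; an exec-only request loses VM_WRITE|VM_MAYWRITE) with no comment explaining the rule; add one stating the intent (no special mapping may end up both writable and executable, and the writable side wins) so the asymmetry between the two branches is not mistaken for a bug.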
33878 +diff -Nurp linux-2.6.23.15/mm/mprotect.c linux-2.6.23.15-grsec/mm/mprotect.c
33879 +--- linux-2.6.23.15/mm/mprotect.c 2007-10-09 21:31:38.000000000 +0100
33880 ++++ linux-2.6.23.15-grsec/mm/mprotect.c 2008-02-11 10:37:45.000000000 +0000
33881 +@@ -21,10 +21,17 @@
33882 + #include <linux/syscalls.h>
33883 + #include <linux/swap.h>
33884 + #include <linux/swapops.h>
33885 ++#include <linux/grsecurity.h>
33886 ++
33887 ++#ifdef CONFIG_PAX_MPROTECT
33888 ++#include <linux/elf.h>
33889 ++#endif
33890 ++
33891 + #include <asm/uaccess.h>
33892 + #include <asm/pgtable.h>
33893 + #include <asm/cacheflush.h>
33894 + #include <asm/tlbflush.h>
33895 ++#include <asm/mmu_context.h>
33896 +
33897 + static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
33898 + unsigned long addr, unsigned long end, pgprot_t newprot,
33899 +@@ -128,6 +135,48 @@ static void change_protection(struct vm_
33900 + flush_tlb_range(vma, start, end);
33901 + }
33902 +
33903 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33904 ++/* called while holding the mmap semaphor for writing except stack expansion */
33905 ++void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
33906 ++{
33907 ++ unsigned long oldlimit, newlimit = 0UL;
33908 ++
33909 ++ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
33910 ++ return;
33911 ++
33912 ++ spin_lock(&mm->page_table_lock);
33913 ++ oldlimit = mm->context.user_cs_limit;
33914 ++ if ((prot & VM_EXEC) && oldlimit < end)
33915 ++ /* USER_CS limit moved up */
33916 ++ newlimit = end;
33917 ++ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
33918 ++ /* USER_CS limit moved down */
33919 ++ newlimit = start;
33920 ++
33921 ++ if (newlimit) {
33922 ++ mm->context.user_cs_limit = newlimit;
33923 ++
33924 ++#ifdef CONFIG_SMP
33925 ++ wmb();
33926 ++ cpus_clear(mm->context.cpu_user_cs_mask);
33927 ++ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
33928 ++#endif
33929 ++
33930 ++ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
33931 ++ }
33932 ++ spin_unlock(&mm->page_table_lock);
33933 ++ if (newlimit == end) {
33934 ++ struct vm_area_struct *vma = find_vma(mm, oldlimit);
33935 ++
33936 ++ for (; vma && vma->vm_start < end; vma = vma->vm_next)
33937 ++ if (is_vm_hugetlb_page(vma))
33938 ++ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
33939 ++ else
33940 ++ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
33941 ++ }
33942 ++}
33943 ++#endif
33944 ++
33945 + int
33946 + mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
33947 + unsigned long start, unsigned long end, unsigned long newflags)
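Review bot: track_exec_limit() is defined only under CONFIG_ARCH_TRACK_EXEC_LIMIT, yet the do_brk, sys_mprotect and do_mremap hunks in this patch call it unconditionally; confirm a no-op stub exists in a header for the other configurations, or guard the call sites. Style: the comment reads `semaphor`, should be `semaphore`. The re-protection walk after the limit moves up re-runs change_protection() over every vma in [oldlimit, end), including the one the sys_mprotect caller has just changed; harmless, but a comment on why the PTEs that fell under the new limit need refreshing would help.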
33948 +@@ -140,11 +189,39 @@ mprotect_fixup(struct vm_area_struct *vm
33949 + int error;
33950 + int dirty_accountable = 0;
33951 +
33952 ++#ifdef CONFIG_PAX_SEGMEXEC
33953 ++ struct vm_area_struct *vma_m = NULL;
33954 ++ unsigned long start_m, end_m;
33955 ++
33956 ++ start_m = start + SEGMEXEC_TASK_SIZE;
33957 ++ end_m = end + SEGMEXEC_TASK_SIZE;
33958 ++#endif
33959 ++
33960 + if (newflags == oldflags) {
33961 + *pprev = vma;
33962 + return 0;
33963 + }
33964 +
33965 ++#ifdef CONFIG_PAX_SEGMEXEC
33966 ++ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
33967 ++ if (start != vma->vm_start) {
33968 ++ error = split_vma(mm, vma, start, 1);
33969 ++ if (error)
33970 ++ return -ENOMEM;
33971 ++ }
33972 ++
33973 ++ if (end != vma->vm_end) {
33974 ++ error = split_vma(mm, vma, end, 0);
33975 ++ if (error)
33976 ++ return -ENOMEM;
33977 ++ }
33978 ++
33979 ++ error = __do_munmap(mm, start_m, end_m - start_m);
33980 ++ if (error)
33981 ++ return -ENOMEM;
33982 ++ }
33983 ++#endif
33984 ++
33985 + /*
33986 + * If we make a private mapping writable we increase our commit;
33987 + * but (without finer accounting) cannot reduce our commit if we
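Review bot: both split_vma() failures and the __do_munmap() failure are mapped to -ENOMEM regardless of what the callee returned, so an -EINVAL from the unmap of the mirror range is reported as out-of-memory; propagate `error` as-is. Note also that when __do_munmap() fails the vma has already been split, so the caller gets an error after the map changed; that matches how mainline treats a split failure, but deserves a comment.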
33988 +@@ -187,17 +264,25 @@ mprotect_fixup(struct vm_area_struct *vm
33989 + goto fail;
33990 + }
33991 +
33992 ++#ifdef CONFIG_PAX_SEGMEXEC
33993 ++ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
33994 ++ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
33995 ++ if (!vma_m) {
33996 ++ error = -ENOMEM;
33997 ++ goto fail;
33998 ++ }
33999 ++ }
34000 ++#endif
34001 ++
34002 + success:
34003 + /*
34004 + * vm_flags and vm_page_prot are protected by the mmap_sem
34005 + * held in write mode.
34006 + */
34007 + vma->vm_flags = newflags;
34008 +- vma->vm_page_prot = protection_map[newflags &
34009 +- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
34010 ++ vma->vm_page_prot = vm_get_page_prot(newflags);
34011 + if (vma_wants_writenotify(vma)) {
34012 +- vma->vm_page_prot = protection_map[newflags &
34013 +- (VM_READ|VM_WRITE|VM_EXEC)];
34014 ++ vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
34015 + dirty_accountable = 1;
34016 + }
34017 +
34018 +@@ -205,6 +290,12 @@ success:
34019 + hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
34020 + else
34021 + change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
34022 ++
34023 ++#ifdef CONFIG_PAX_SEGMEXEC
34024 ++ if (vma_m)
34025 ++ pax_mirror_vma(vma_m, vma);
34026 ++#endif
34027 ++
34028 + vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
34029 + vm_stat_account(mm, newflags, vma->vm_file, nrpages);
34030 + return 0;
34031 +@@ -214,6 +305,70 @@ fail:
34032 + return error;
34033 + }
34034 +
34035 ++#ifdef CONFIG_PAX_MPROTECT
34036 ++/* PaX: non-PIC ELF libraries need relocations on their executable segments
34037 ++ * therefore we'll grant them VM_MAYWRITE once during their life.
34038 ++ *
34039 ++ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
34040 ++ * basis because we want to allow the common case and not the special ones.
34041 ++ */
34042 ++static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
34043 ++{
34044 ++ struct elfhdr elf_h;
34045 ++ struct elf_phdr elf_p;
34046 ++ elf_addr_t dyn_offset = 0UL;
34047 ++ elf_dyn dyn;
34048 ++ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
34049 ++
34050 ++#ifndef CONFIG_PAX_NOELFRELOCS
34051 ++ if ((vma->vm_start != start) ||
34052 ++ !vma->vm_file ||
34053 ++ !(vma->vm_flags & VM_MAYEXEC) ||
34054 ++ (vma->vm_flags & VM_MAYNOTWRITE))
34055 ++#endif
34056 ++
34057 ++ return;
34058 ++
34059 ++ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
34060 ++ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
34061 ++
34062 ++#ifdef CONFIG_PAX_ETEXECRELOCS
34063 ++ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
34064 ++#else
34065 ++ elf_h.e_type != ET_DYN ||
34066 ++#endif
34067 ++
34068 ++ !elf_check_arch(&elf_h) ||
34069 ++ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
34070 ++ elf_h.e_phnum > j)
34071 ++ return;
34072 ++
34073 ++ for (i = 0UL; i < elf_h.e_phnum; i++) {
34074 ++ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
34075 ++ return;
34076 ++ if (elf_p.p_type == PT_DYNAMIC) {
34077 ++ dyn_offset = elf_p.p_offset;
34078 ++ j = i;
34079 ++ }
34080 ++ }
34081 ++ if (elf_h.e_phnum <= j)
34082 ++ return;
34083 ++
34084 ++ i = 0UL;
34085 ++ do {
34086 ++ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
34087 ++ return;
34088 ++ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
34089 ++ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
34090 ++ gr_log_textrel(vma);
34091 ++ return;
34092 ++ }
34093 ++ i++;
34094 ++ } while (dyn.d_tag != DT_NULL);
34095 ++ return;
34096 ++}
34097 ++#endif
34098 ++
34099 + asmlinkage long
34100 + sys_mprotect(unsigned long start, size_t len, unsigned long prot)
34101 + {
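Review bot: the DT_NULL scan has no upper bound: it reads dyn entries from `dyn_offset` until DT_NULL or a short read, so a PT_DYNAMIC without a terminator makes the function walk to end of file one kernel_read() per entry. The program-header loop already records p_offset; record p_filesz as well and stop at `dyn_offset + p_filesz`. Two smaller points: the `#ifndef CONFIG_PAX_NOELFRELOCS` guarding only the `if` condition leaves a bare `return;` as the first statement when the option is set, which is correct but easy to misread and makes the rest of the body unreachable, so put the whole body under the #ifndef; and `j` doubles as the phnum bound and then as the found PT_DYNAMIC index, which is what makes `elf_h.e_phnum <= j` mean "not found", so a separate variable would make that explicit.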
34102 +@@ -233,6 +388,17 @@ sys_mprotect(unsigned long start, size_t
34103 + end = start + len;
34104 + if (end <= start)
34105 + return -ENOMEM;
34106 ++
34107 ++#ifdef CONFIG_PAX_SEGMEXEC
34108 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
34109 ++ if (end > SEGMEXEC_TASK_SIZE)
34110 ++ return -EINVAL;
34111 ++ } else
34112 ++#endif
34113 ++
34114 ++ if (end > TASK_SIZE)
34115 ++ return -EINVAL;
34116 ++
34117 + if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
34118 + return -EINVAL;
34119 +
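Review bot: the `} else` inside `#ifdef CONFIG_PAX_SEGMEXEC` binds across the `#endif` to the following `if (end > TASK_SIZE)`; it compiles either way but is fragile (the blank line after `#endif` hides the dependency, and inserting a statement there silently changes the logic). The do_mremap hunk in this patch does it more clearly with a local `task_size` set to SEGMEXEC_TASK_SIZE under the ifdef; use the same pattern here.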
34120 +@@ -240,7 +406,7 @@ sys_mprotect(unsigned long start, size_t
34121 + /*
34122 + * Does the application expect PROT_READ to imply PROT_EXEC:
34123 + */
34124 +- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
34125 ++ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
34126 + prot |= PROT_EXEC;
34127 +
34128 + vm_flags = calc_vm_prot_bits(prot);
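Review bot: extending the READ_IMPLIES_EXEC test from PROT_READ to PROT_READ|PROT_WRITE changes the semantics of the personality flag (a PROT_WRITE-only mprotect now gains PROT_EXEC) without a comment; state the reason in the code (a writable page is readable on x86 page tables, so a write-only request was escaping the rule) and make sure the equivalent test on the mmap path is changed the same way so the two paths agree.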
34129 +@@ -272,6 +438,16 @@ sys_mprotect(unsigned long start, size_t
34130 + if (start > vma->vm_start)
34131 + prev = vma;
34132 +
34133 ++ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
34134 ++ error = -EACCES;
34135 ++ goto out;
34136 ++ }
34137 ++
34138 ++#ifdef CONFIG_PAX_MPROTECT
34139 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
34140 ++ pax_handle_maywrite(vma, start);
34141 ++#endif
34142 ++
34143 + for (nstart = start ; ; ) {
34144 + unsigned long newflags;
34145 +
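Review bot: gr_acl_handle_mprotect(vma->vm_file, prot) and pax_handle_maywrite(vma, start) are evaluated once against the first vma found, before the `for (nstart = start ; ; )` loop, but the loop walks every vma in [start, end). A range spanning several vmas therefore gets its ACL check against only the first file; move the ACL check inside the loop next to security_file_mprotect(), which is already per-vma. For pax_handle_maywrite the first-vma-only behaviour looks intentional (it requires vm_start == start), so a comment saying so would help.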
34146 +@@ -285,6 +461,12 @@ sys_mprotect(unsigned long start, size_t
34147 + goto out;
34148 + }
34149 +
34150 ++#ifdef CONFIG_PAX_MPROTECT
34151 ++ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
34152 ++ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
34153 ++ newflags &= ~VM_MAYWRITE;
34154 ++#endif
34155 ++
34156 + error = security_file_mprotect(vma, reqprot, prot);
34157 + if (error)
34158 + goto out;
34159 +@@ -295,6 +477,9 @@ sys_mprotect(unsigned long start, size_t
34160 + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
34161 + if (error)
34162 + goto out;
34163 ++
34164 ++ track_exec_limit(current->mm, nstart, tmp, vm_flags);
34165 ++
34166 + nstart = tmp;
34167 +
34168 + if (nstart < prev->vm_end)
34169 +diff -Nurp linux-2.6.23.15/mm/mremap.c linux-2.6.23.15-grsec/mm/mremap.c
34170 +--- linux-2.6.23.15/mm/mremap.c 2007-10-09 21:31:38.000000000 +0100
34171 ++++ linux-2.6.23.15-grsec/mm/mremap.c 2008-02-11 10:37:45.000000000 +0000
34172 +@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
34173 + continue;
34174 + pte = ptep_clear_flush(vma, old_addr, old_pte);
34175 + pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
34176 ++
34177 ++#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34178 ++ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
34179 ++ pte = pte_exprotect(pte);
34180 ++#endif
34181 ++
34182 + set_pte_at(mm, new_addr, new_pte, pte);
34183 + }
34184 +
34185 +@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
34186 + struct vm_area_struct *vma;
34187 + unsigned long ret = -EINVAL;
34188 + unsigned long charged = 0;
34189 ++ unsigned long task_size = TASK_SIZE;
34190 +
34191 + if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
34192 + goto out;
34193 +@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
34194 + if (!new_len)
34195 + goto out;
34196 +
34197 ++#ifdef CONFIG_PAX_SEGMEXEC
34198 ++ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
34199 ++ task_size = SEGMEXEC_TASK_SIZE;
34200 ++#endif
34201 ++
34202 ++ if (new_len > task_size || addr > task_size-new_len ||
34203 ++ old_len > task_size || addr > task_size-old_len)
34204 ++ goto out;
34205 ++
34206 + /* new_addr is only valid if MREMAP_FIXED is specified */
34207 + if (flags & MREMAP_FIXED) {
34208 + if (new_addr & ~PAGE_MASK)
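Review bot: `addr > task_size-new_len` is applied before the MREMAP_FIXED branch, so the new length is bounded against the old address even when the mapping is being moved (the fixed-address case only needs `new_addr > task_size - new_len`, which the next hunk checks). A mapping close to task_size therefore cannot be moved and grown with MREMAP_FIXED|MREMAP_MAYMOVE; apply the `addr`/new_len bound only where the mapping stays in place.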
34209 +@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
34210 + if (!(flags & MREMAP_MAYMOVE))
34211 + goto out;
34212 +
34213 +- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
34214 ++ if (new_addr > task_size - new_len)
34215 + goto out;
34216 +
34217 + /* Check if the location we're moving into overlaps the
34218 + * old location at all, and fail if it does.
34219 + */
34220 +- if ((new_addr <= addr) && (new_addr+new_len) > addr)
34221 +- goto out;
34222 +-
34223 +- if ((addr <= new_addr) && (addr+old_len) > new_addr)
34224 ++ if (addr + old_len > new_addr && new_addr + new_len > addr)
34225 + goto out;
34226 +
34227 + ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
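Review bot: the single overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is not equivalent to the two removed conditions when old_len == 0: the removed `(new_addr <= addr) && (new_addr+new_len) > addr` rejected new_addr == addr, the new one accepts it because `addr + 0 > new_addr` is false. If a zero old_len can reach this point, keep an explicit rejection of new_addr == addr (or handle old_len == 0 first); otherwise add a comment that the simplification relies on old_len > 0.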
34228 +@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
34229 + ret = -EINVAL;
34230 + goto out;
34231 + }
34232 ++
34233 ++#ifdef CONFIG_PAX_SEGMEXEC
34234 ++ if (pax_find_mirror_vma(vma)) {
34235 ++ ret = -EINVAL;
34236 ++ goto out;
34237 ++ }
34238 ++#endif
34239 ++
34240 + /* We can't remap across vm area boundaries */
34241 + if (old_len > vma->vm_end - addr)
34242 + goto out;
34243 +@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
34244 + if (old_len == vma->vm_end - addr &&
34245 + !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
34246 + (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
34247 +- unsigned long max_addr = TASK_SIZE;
34248 ++ unsigned long max_addr = task_size;
34249 + if (vma->vm_next)
34250 + max_addr = vma->vm_next->vm_start;
34251 + /* can we just expand the current mapping? */
34252 +@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
34253 + addr + new_len);
34254 + }
34255 + ret = addr;
34256 ++ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
34257 + goto out;
34258 + }
34259 + }
34260 +@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
34261 + */
34262 + ret = -ENOMEM;
34263 + if (flags & MREMAP_MAYMOVE) {
34264 ++ unsigned long map_flags = 0;
34265 + if (!(flags & MREMAP_FIXED)) {
34266 +- unsigned long map_flags = 0;
34267 + if (vma->vm_flags & VM_MAYSHARE)
34268 + map_flags |= MAP_SHARED;
34269 +
34270 +@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
34271 + if (ret)
34272 + goto out;
34273 + }
34274 ++ map_flags = vma->vm_flags;
34275 + ret = move_vma(vma, addr, old_len, new_len, new_addr);
34276 ++ if (!(ret & ~PAGE_MASK)) {
34277 ++ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
34278 ++ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
34279 ++ }
34280 + }
34281 + out:
34282 + if (ret & ~PAGE_MASK)
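Review bot: `map_flags` is declared as the MAP_* word built for get_unmapped_area (`map_flags |= MAP_SHARED`) and then reassigned `vma->vm_flags`, a VM_* word, to carry the flags into track_exec_limit(); the two flag spaces share no encoding, so reusing the variable invites a later mistake. Use a separate `unsigned long vm_flags = vma->vm_flags;` captured before move_vma() (capturing before the move is right, since vma need not be valid afterwards).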
34283 +diff -Nurp linux-2.6.23.15/mm/nommu.c linux-2.6.23.15-grsec/mm/nommu.c
34284 +--- linux-2.6.23.15/mm/nommu.c 2007-10-09 21:31:38.000000000 +0100
34285 ++++ linux-2.6.23.15-grsec/mm/nommu.c 2008-02-11 10:37:45.000000000 +0000
34286 +@@ -376,15 +376,6 @@ struct vm_area_struct *find_vma(struct m
34287 + }
34288 + EXPORT_SYMBOL(find_vma);
34289 +
34290 +-/*
34291 +- * find a VMA
34292 +- * - we don't extend stack VMAs under NOMMU conditions
34293 +- */
34294 +-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
34295 +-{
34296 +- return find_vma(mm, addr);
34297 +-}
34298 +-
34299 + int expand_stack(struct vm_area_struct *vma, unsigned long address)
34300 + {
34301 + return -ENOMEM;
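Review bot: find_extend_vma() is deleted from mm/nommu.c with no replacement in this file; mm/mmap.c is not built for NOMMU, so unless the patch defines it elsewhere (nothing in the hunks shown does) NOMMU kernels lose the symbol. State where it moved, or keep the nommu definition.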
34302 +diff -Nurp linux-2.6.23.15/mm/page_alloc.c linux-2.6.23.15-grsec/mm/page_alloc.c
34303 +--- linux-2.6.23.15/mm/page_alloc.c 2007-10-09 21:31:38.000000000 +0100
34304 ++++ linux-2.6.23.15-grsec/mm/page_alloc.c 2008-02-11 10:37:45.000000000 +0000
34305 +@@ -402,7 +402,7 @@ static inline int page_is_buddy(struct p
34306 + static inline void __free_one_page(struct page *page,
34307 + struct zone *zone, unsigned int order)
34308 + {
34309 +- unsigned long page_idx;
34310 ++ unsigned long page_idx, index;
34311 + int order_size = 1 << order;
34312 +
34313 + if (unlikely(PageCompound(page)))
34314 +@@ -413,6 +413,11 @@ static inline void __free_one_page(struc
34315 + VM_BUG_ON(page_idx & (order_size - 1));
34316 + VM_BUG_ON(bad_range(zone, page));
34317 +
34318 ++#ifdef CONFIG_PAX_MEMORY_SANITIZE
34319 ++ for (index = order_size; index; --index)
34320 ++ sanitize_highpage(page + index - 1);
34321 ++#endif
34322 ++
34323 + __mod_zone_page_state(zone, NR_FREE_PAGES, order_size);
34324 + while (order < MAX_ORDER-1) {
34325 + unsigned long combined_idx;
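Review bot: `index` is added to the unconditional declaration `unsigned long page_idx, index;` in the previous hunk but only used inside `#ifdef CONFIG_PAX_MEMORY_SANITIZE`, so kernels without the option get an unused-variable warning in this hot path; move the declaration into the #ifdef block. A comment that sanitizing every freed page of every order at this point is the intended cost of the option would also help reviewers.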
34326 +diff -Nurp linux-2.6.23.15/mm/rmap.c linux-2.6.23.15-grsec/mm/rmap.c
34327 +--- linux-2.6.23.15/mm/rmap.c 2007-10-09 21:31:38.000000000 +0100
34328 ++++ linux-2.6.23.15-grsec/mm/rmap.c 2008-02-11 10:37:45.000000000 +0000
34329 +@@ -63,6 +63,10 @@ int anon_vma_prepare(struct vm_area_stru
34330 + struct mm_struct *mm = vma->vm_mm;
34331 + struct anon_vma *allocated, *locked;
34332 +
34333 ++#ifdef CONFIG_PAX_SEGMEXEC
34334 ++ struct vm_area_struct *vma_m;
34335 ++#endif
34336 ++
34337 + anon_vma = find_mergeable_anon_vma(vma);
34338 + if (anon_vma) {
34339 + allocated = NULL;
34340 +@@ -79,6 +83,15 @@ int anon_vma_prepare(struct vm_area_stru
34341 + /* page_table_lock to protect against threads */
34342 + spin_lock(&mm->page_table_lock);
34343 + if (likely(!vma->anon_vma)) {
34344 ++
34345 ++#ifdef CONFIG_PAX_SEGMEXEC
34346 ++ vma_m = pax_find_mirror_vma(vma);
34347 ++ if (vma_m) {
34348 ++ vma_m->anon_vma = anon_vma;
34349 ++ __anon_vma_link(vma_m);
34350 ++ }
34351 ++#endif
34352 ++
34353 + vma->anon_vma = anon_vma;
34354 + list_add_tail(&vma->anon_vma_node, &anon_vma->head);
34355 + allocated = NULL;
34356 +diff -Nurp linux-2.6.23.15/mm/shmem.c linux-2.6.23.15-grsec/mm/shmem.c
34357 +--- linux-2.6.23.15/mm/shmem.c 2008-02-11 10:36:03.000000000 +0000
34358 ++++ linux-2.6.23.15-grsec/mm/shmem.c 2008-02-11 10:37:45.000000000 +0000
34359 +@@ -2452,7 +2452,7 @@ static struct file_system_type tmpfs_fs_
34360 + .get_sb = shmem_get_sb,
34361 + .kill_sb = kill_litter_super,
34362 + };
34363 +-static struct vfsmount *shm_mnt;
34364 ++struct vfsmount *shm_mnt;
34365 +
34366 + static int __init init_tmpfs(void)
34367 + {
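Review bot: dropping `static` from `shm_mnt` exports the symbol without a prototype; the consumer will need `extern struct vfsmount *shm_mnt;`, and that belongs in a header rather than in each .c file. The same change is made in mm/tiny-shmem.c, so one declaration should cover both definitions.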
34368 +diff -Nurp linux-2.6.23.15/mm/slab.c linux-2.6.23.15-grsec/mm/slab.c
34369 +--- linux-2.6.23.15/mm/slab.c 2007-10-09 21:31:38.000000000 +0100
34370 ++++ linux-2.6.23.15-grsec/mm/slab.c 2008-02-11 10:37:45.000000000 +0000
34371 +@@ -306,7 +306,7 @@ struct kmem_list3 {
34372 + * Need this for bootstrapping a per node allocator.
34373 + */
34374 + #define NUM_INIT_LISTS (2 * MAX_NUMNODES + 1)
34375 +-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
34376 ++struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
34377 + #define CACHE_CACHE 0
34378 + #define SIZE_AC 1
34379 + #define SIZE_L3 (1 + MAX_NUMNODES)
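Review bot: removing `__initdata` from initkmem_list3 keeps the bootstrap lists resident for the life of the kernel, and the patch gives no reason; if something references the array after init, say so in a comment next to the declaration, otherwise the change is pure memory cost.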
34380 +@@ -655,14 +655,14 @@ struct cache_names {
34381 + static struct cache_names __initdata cache_names[] = {
34382 + #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
34383 + #include <linux/kmalloc_sizes.h>
34384 +- {NULL,}
34385 ++ {NULL, NULL}
34386 + #undef CACHE
34387 + };
34388 +
34389 + static struct arraycache_init initarray_cache __initdata =
34390 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
34391 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
34392 + static struct arraycache_init initarray_generic =
34393 +- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
34394 ++ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
34395 +
34396 + /* internal cache of cache description objs */
34397 + static struct kmem_cache cache_cache = {
34398 +@@ -2980,7 +2980,7 @@ retry:
34399 + * there must be at least one object available for
34400 + * allocation.
34401 + */
34402 +- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
34403 ++ BUG_ON(slabp->inuse >= cachep->num);
34404 +
34405 + while (slabp->inuse < cachep->num && batchcount--) {
34406 + STATS_INC_ALLOCED(cachep);
34407 +diff -Nurp linux-2.6.23.15/mm/slub.c linux-2.6.23.15-grsec/mm/slub.c
34408 +--- linux-2.6.23.15/mm/slub.c 2008-02-11 10:36:03.000000000 +0000
34409 ++++ linux-2.6.23.15-grsec/mm/slub.c 2008-02-11 10:37:45.000000000 +0000
34410 +@@ -1530,7 +1530,7 @@ debug:
34411 + *
34412 + * Otherwise we can simply pick the next object from the lockless free list.
34413 + */
34414 +-static void __always_inline *slab_alloc(struct kmem_cache *s,
34415 ++static __always_inline void *slab_alloc(struct kmem_cache *s,
34416 + gfp_t gfpflags, int node, void *addr)
34417 + {
34418 + struct page *page;
34419 +@@ -1639,7 +1639,7 @@ debug:
34420 + * If fastpath is not possible then fall back to __slab_free where we deal
34421 + * with all sorts of special processing.
34422 + */
34423 +-static void __always_inline slab_free(struct kmem_cache *s,
34424 ++static __always_inline void slab_free(struct kmem_cache *s,
34425 + struct page *page, void *x, void *addr)
34426 + {
34427 + void **object = (void *)x;
34428 +diff -Nurp linux-2.6.23.15/mm/swap.c linux-2.6.23.15-grsec/mm/swap.c
34429 +--- linux-2.6.23.15/mm/swap.c 2007-10-09 21:31:38.000000000 +0100
34430 ++++ linux-2.6.23.15-grsec/mm/swap.c 2008-02-11 10:37:45.000000000 +0000
34431 +@@ -174,8 +174,8 @@ EXPORT_SYMBOL(mark_page_accessed);
34432 + * lru_cache_add: add a page to the page lists
34433 + * @page: the page to add
34434 + */
34435 +-static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
34436 +-static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
34437 ++static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
34438 ++static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
34439 +
34440 + void fastcall lru_cache_add(struct page *page)
34441 + {
34442 +diff -Nurp linux-2.6.23.15/mm/tiny-shmem.c linux-2.6.23.15-grsec/mm/tiny-shmem.c
34443 +--- linux-2.6.23.15/mm/tiny-shmem.c 2007-10-09 21:31:38.000000000 +0100
34444 ++++ linux-2.6.23.15-grsec/mm/tiny-shmem.c 2008-02-11 10:37:45.000000000 +0000
34445 +@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
34446 + .kill_sb = kill_litter_super,
34447 + };
34448 +
34449 +-static struct vfsmount *shm_mnt;
34450 ++struct vfsmount *shm_mnt;
34451 +
34452 + static int __init init_tmpfs(void)
34453 + {
34454 +diff -Nurp linux-2.6.23.15/mm/vmalloc.c linux-2.6.23.15-grsec/mm/vmalloc.c
34455 +--- linux-2.6.23.15/mm/vmalloc.c 2007-10-09 21:31:38.000000000 +0100
34456 ++++ linux-2.6.23.15-grsec/mm/vmalloc.c 2008-02-11 10:37:45.000000000 +0000
34457 +@@ -201,6 +201,8 @@ static struct vm_struct *__get_vm_area_n
34458 +
34459 + write_lock(&vmlist_lock);
34460 + for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
34461 ++ if (addr > end - size)
34462 ++ goto out;
34463 + if ((unsigned long)tmp->addr < addr) {
34464 + if((unsigned long)tmp->addr + tmp->size >= addr)
34465 + addr = ALIGN(tmp->size +
34466 +@@ -212,8 +214,6 @@ static struct vm_struct *__get_vm_area_n
34467 + if (size + addr <= (unsigned long)tmp->addr)
34468 + goto found;
34469 + addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
34470 +- if (addr > end - size)
34471 +- goto out;
34472 + }
34473 +
34474 + found:
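Review bot: hoisting `if (addr > end - size) goto out;` to the top of the loop body also covers the `tmp->addr < addr` branch, which advances addr without the old placement ever bounding it; good. But the check now runs only while `tmp != NULL`: if the last vmlist entry advances addr beyond end - size, the loop exits and falls into `found:` with the unchecked address. Verify the post-loop path still bounds addr, or keep a check after the loop as well.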
34475 +diff -Nurp linux-2.6.23.15/net/core/flow.c linux-2.6.23.15-grsec/net/core/flow.c
34476 +--- linux-2.6.23.15/net/core/flow.c 2007-10-09 21:31:38.000000000 +0100
34477 ++++ linux-2.6.23.15-grsec/net/core/flow.c 2008-02-11 10:37:45.000000000 +0000
34478 +@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
34479 +
34480 + static u32 flow_hash_shift;
34481 + #define flow_hash_size (1 << flow_hash_shift)
34482 +-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
34483 ++static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
34484 +
34485 + #define flow_table(cpu) (per_cpu(flow_tables, cpu))
34486 +
34487 +@@ -53,7 +53,7 @@ struct flow_percpu_info {
34488 + u32 hash_rnd;
34489 + int count;
34490 + } ____cacheline_aligned;
34491 +-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
34492 ++static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
34493 +
34494 + #define flow_hash_rnd_recalc(cpu) \
34495 + (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
34496 +@@ -70,7 +70,7 @@ struct flow_flush_info {
34497 + atomic_t cpuleft;
34498 + struct completion completion;
34499 + };
34500 +-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
34501 ++static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
34502 +
34503 + #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
34504 +
34505 +diff -Nurp linux-2.6.23.15/net/dccp/ccids/ccid3.c linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c
34506 +--- linux-2.6.23.15/net/dccp/ccids/ccid3.c 2007-10-09 21:31:38.000000000 +0100
34507 ++++ linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c 2008-02-11 10:37:45.000000000 +0000
34508 +@@ -44,7 +44,7 @@
34509 + static int ccid3_debug;
34510 + #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
34511 + #else
34512 +-#define ccid3_pr_debug(format, a...)
34513 ++#define ccid3_pr_debug(format, a...) do {} while (0)
34514 + #endif
34515 +
34516 + static struct dccp_tx_hist *ccid3_tx_hist;
34517 +diff -Nurp linux-2.6.23.15/net/dccp/dccp.h linux-2.6.23.15-grsec/net/dccp/dccp.h
34518 +--- linux-2.6.23.15/net/dccp/dccp.h 2007-10-09 21:31:38.000000000 +0100
34519 ++++ linux-2.6.23.15-grsec/net/dccp/dccp.h 2008-02-11 10:37:45.000000000 +0000
34520 +@@ -42,8 +42,8 @@ extern int dccp_debug;
34521 + #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
34522 + #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
34523 + #else
34524 +-#define dccp_pr_debug(format, a...)
34525 +-#define dccp_pr_debug_cat(format, a...)
34526 ++#define dccp_pr_debug(format, a...) do {} while (0)
34527 ++#define dccp_pr_debug_cat(format, a...) do {} while (0)
34528 + #endif
34529 +
34530 + extern struct inet_hashinfo dccp_hashinfo;
34531 +diff -Nurp linux-2.6.23.15/net/ipv4/inet_connection_sock.c linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c
34532 +--- linux-2.6.23.15/net/ipv4/inet_connection_sock.c 2007-10-09 21:31:38.000000000 +0100
34533 ++++ linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c 2008-02-11 10:37:45.000000000 +0000
34534 +@@ -15,6 +15,7 @@
34535 +
34536 + #include <linux/module.h>
34537 + #include <linux/jhash.h>
34538 ++#include <linux/grsecurity.h>
34539 +
34540 + #include <net/inet_connection_sock.h>
34541 + #include <net/inet_hashtables.h>
34542 +diff -Nurp linux-2.6.23.15/net/ipv4/inet_hashtables.c linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c
34543 +--- linux-2.6.23.15/net/ipv4/inet_hashtables.c 2007-10-09 21:31:38.000000000 +0100
34544 ++++ linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c 2008-02-11 10:37:45.000000000 +0000
34545 +@@ -18,11 +18,14 @@
34546 + #include <linux/sched.h>
34547 + #include <linux/slab.h>
34548 + #include <linux/wait.h>
34549 ++#include <linux/grsecurity.h>
34550 +
34551 + #include <net/inet_connection_sock.h>
34552 + #include <net/inet_hashtables.h>
34553 + #include <net/ip.h>
34554 +
34555 ++extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
34556 ++
34557 + /*
34558 + * Allocate and initialize a new local port bind bucket.
34559 + * The bindhash mutex for snum's hash chain must be held here.
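Review bot: the `extern void gr_update_task_in_ip_table(...)` prototype is placed in the .c file right after `#include <linux/grsecurity.h>`; put it in linux/grsecurity.h with the other gr_* prototypes so the signature is checked against the definition in one place.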
34560 +@@ -338,6 +341,8 @@ ok:
34561 + }
34562 + spin_unlock(&head->lock);
34563 +
34564 ++ gr_update_task_in_ip_table(current, inet_sk(sk));
34565 ++
34566 + if (tw) {
34567 + inet_twsk_deschedule(tw, death_row);
34568 + inet_twsk_put(tw);
34569 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Kconfig linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig
34570 +--- linux-2.6.23.15/net/ipv4/netfilter/Kconfig 2007-10-09 21:31:38.000000000 +0100
34571 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig 2008-02-11 10:37:45.000000000 +0000
34572 +@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
34573 + If you want to compile it as a module, say M here and read
34574 + <file:Documentation/modules.txt>. If unsure, say `N'.
34575 +
34576 ++config IP_NF_MATCH_STEALTH
34577 ++ tristate "stealth match support"
34578 ++ depends on IP_NF_IPTABLES
34579 ++ help
34580 ++ Enabling this option will drop all syn packets coming to unserved tcp
34581 ++ ports as well as all packets coming to unserved udp ports. If you
34582 ++ are using your system to route any type of packets (ie. via NAT)
34583 ++ you should put this module at the end of your ruleset, since it will
34584 ++ drop packets that aren't going to ports that are listening on your
34585 ++ machine itself, it doesn't take into account that the packet might be
34586 ++ destined for someone on your internal network if you're using NAT for
34587 ++ instance.
34588 ++
34589 ++ To compile it as a module, choose M here. If unsure, say N.
34590 ++
34591 + # `filter', generic and specific targets
34592 + config IP_NF_FILTER
34593 + tristate "Packet filtering"
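Review bot: the help text says the option "will drop all syn packets coming to unserved tcp ports", but a match extension only selects packets; whether they are dropped depends on the target the rule is paired with (e.g. `-j DROP`), so the text should say "matches" and show the intended rule. It should also say that only SYN packets without ACK are matched, which is what `ipt_stealth.c` in this patch tests (`if (!(th.syn && !th.ack)) return 0;`), and keep the NAT/forwarding caveat, since a rule reachable from FORWARD would match every forwarded packet.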
34594 +@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
34595 + hardware and network addresses.
34596 +
34597 + endmenu
34598 +-
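Review bot: this hunk only deletes a trailing blank line after `endmenu`, unrelated to the stealth match; drop it from the patch to keep the diff minimal and rebase-friendly.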
34599 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Makefile linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile
34600 +--- linux-2.6.23.15/net/ipv4/netfilter/Makefile 2007-10-09 21:31:38.000000000 +0100
34601 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile 2008-02-11 10:37:45.000000000 +0000
34602 +@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
34603 + obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
34604 + obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
34605 + obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
34606 ++obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
34607 +
34608 + # targets
34609 + obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
34610 +diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c
34611 +--- linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
34612 ++++ linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c 2008-02-11 10:37:45.000000000 +0000
34613 +@@ -0,0 +1,114 @@
34614 ++/* Kernel module to add stealth support.
34615 ++ *
34616 ++ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
34617 ++ *
34618 ++ */
34619 ++
34620 ++#include <linux/kernel.h>
34621 ++#include <linux/module.h>
34622 ++#include <linux/skbuff.h>
34623 ++#include <linux/net.h>
34624 ++#include <linux/sched.h>
34625 ++#include <linux/inet.h>
34626 ++#include <linux/stddef.h>
34627 ++
34628 ++#include <net/ip.h>
34629 ++#include <net/sock.h>
34630 ++#include <net/tcp.h>
34631 ++#include <net/udp.h>
34632 ++#include <net/route.h>
34633 ++#include <net/inet_common.h>
34634 ++
34635 ++#include <linux/netfilter_ipv4/ip_tables.h>
34636 ++
34637 ++MODULE_LICENSE("GPL");
34638 ++
34639 ++extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
34640 ++
34641 ++static int
34642 ++match(const struct sk_buff *skb,
34643 ++ const struct net_device *in,
34644 ++ const struct net_device *out,
34645 ++ const struct xt_match *match,
34646 ++ const void *matchinfo,
34647 ++ int offset,
34648 ++ unsigned int protoff,
34649 ++ int *hotdrop)
34650 ++{
34651 ++ struct iphdr *ip = ip_hdr(skb);
34652 ++ struct tcphdr th;
34653 ++ struct udphdr uh;
34654 ++ struct sock *sk = NULL;
34655 ++
34656 ++ if (!ip || offset) return 0;
34657 ++
34658 ++ switch(ip->protocol) {
34659 ++ case IPPROTO_TCP:
34660 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
34661 ++ *hotdrop = 1;
34662 ++ return 0;
34663 ++ }
34664 ++ if (!(th.syn && !th.ack)) return 0;
34665 ++ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
34666 ++ break;
34667 ++ case IPPROTO_UDP:
34668 ++ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
34669 ++ *hotdrop = 1;
34670 ++ return 0;
34671 ++ }
34672 ++ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
34673 ++ break;
34674 ++ default:
34675 ++ return 0;
34676 ++ }
34677 ++
34678 ++ if(!sk) // port is being listened on, match this
34679 ++ return 1;
34680 ++ else {
34681 ++ sock_put(sk);
34682 ++ return 0;
34683 ++ }
34684 ++}
34685 ++
34686 ++/* Called when user tries to insert an entry of this type. */
34687 ++static int
34688 ++checkentry(const char *tablename,
34689 ++ const void *nip,
34690 ++ const struct xt_match *match,
34691 ++ void *matchinfo,
34692 ++ unsigned int hook_mask)
34693 ++{
34694 ++ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
34695 ++
34696 ++ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
34697 ++ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
34698 ++ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
34699 ++ return 1;
34700 ++
34701 ++ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
34702 ++
34703 ++ return 0;
34704 ++}
34705 ++
34706 ++
34707 ++static struct xt_match stealth_match = {
34708 ++ .name = "stealth",
34709 ++ .family = AF_INET,
34710 ++ .match = match,
34711 ++ .checkentry = checkentry,
34712 ++ .destroy = NULL,
34713 ++ .me = THIS_MODULE
34714 ++};
34715 ++
34716 ++static int __init init(void)
34717 ++{
34718 ++ return xt_register_match(&stealth_match);
34719 ++}
34720 ++
34721 ++static void __exit fini(void)
34722 ++{
34723 ++ xt_unregister_match(&stealth_match);
34724 ++}
34725 ++
34726 ++module_init(init);
34727 ++module_exit(fini);
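Review bot: the comment `// port is being listened on, match this` on the `if(!sk)` branch says the opposite of the code: `sk == NULL` means no listening or bound socket was found, and that is the case that returns 1 (match). Fix the comment (and use `/* */`, not `//`, per kernel style). Further points in the same file: the local prototype `extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);` does not match the definition added to `net/ipv4/udp.c` in this patch, which takes `__be32`/`__be16`; put one prototype in `include/net/udp.h` so the compiler and sparse check the callers. In `checkentry()` the test `hook_mask & (1 << NF_IP_LOCAL_IN)` accepts any mask that merely includes LOCAL_IN, so a rule in a user chain jumped to from both INPUT and FORWARD passes and then matches every forwarded packet with no local listener; reject instead with `if (hook_mask & ~(1 << NF_IP_LOCAL_IN))`, or set `.hooks = (1 << NF_IP_LOCAL_IN)` in `stealth_match` and let the core enforce it. The TCP path uses `inet_iif(skb)` while the UDP path uses `skb->dev->ifindex`; pick one, and `(ip_hdr(skb))->ihl*4` can simply be the `protoff` argument the framework already passes. Finally, `printk("stealth: ...")` lacks a `KERN_*` level.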
34728 +diff -Nurp linux-2.6.23.15/net/ipv4/tcp.c linux-2.6.23.15-grsec/net/ipv4/tcp.c
34729 +--- linux-2.6.23.15/net/ipv4/tcp.c 2007-10-09 21:31:38.000000000 +0100
34730 ++++ linux-2.6.23.15-grsec/net/ipv4/tcp.c 2008-02-11 10:37:45.000000000 +0000
34731 +@@ -1053,7 +1053,8 @@ int tcp_read_sock(struct sock *sk, read_
34732 + return -ENOTCONN;
34733 + while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
34734 + if (offset < skb->len) {
34735 +- size_t used, len;
34736 ++ int used;
34737 ++ size_t len;
34738 +
34739 + len = skb->len - offset;
34740 + /* Stop reading if we hit a patch of urgent data */
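Review bot: the hunk gives no reason for splitting `size_t used, len;` into a signed `int used` while `len` stays `size_t`; add a one-line comment at the declaration naming the comparison below that needs `used` to be able to hold a negative value, otherwise the next cleanup will merge them again.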
34741 +diff -Nurp linux-2.6.23.15/net/ipv4/tcp_ipv4.c linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c
34742 +--- linux-2.6.23.15/net/ipv4/tcp_ipv4.c 2007-10-09 21:31:38.000000000 +0100
34743 ++++ linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c 2008-02-11 10:37:45.000000000 +0000
34744 +@@ -61,6 +61,7 @@
34745 + #include <linux/jhash.h>
34746 + #include <linux/init.h>
34747 + #include <linux/times.h>
34748 ++#include <linux/grsecurity.h>
34749 +
34750 + #include <net/icmp.h>
34751 + #include <net/inet_hashtables.h>
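Review bot: adding `#include <linux/grsecurity.h>` is the only change to `tcp_ipv4.c` in this patch and no use of a grsecurity symbol is visible here; if nothing in the file needs it, drop the include rather than create a spurious dependency.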
34752 +diff -Nurp linux-2.6.23.15/net/ipv4/udp.c linux-2.6.23.15-grsec/net/ipv4/udp.c
34753 +--- linux-2.6.23.15/net/ipv4/udp.c 2007-10-09 21:31:38.000000000 +0100
34754 ++++ linux-2.6.23.15-grsec/net/ipv4/udp.c 2008-02-11 10:37:45.000000000 +0000
34755 +@@ -98,12 +98,19 @@
34756 + #include <linux/skbuff.h>
34757 + #include <linux/proc_fs.h>
34758 + #include <linux/seq_file.h>
34759 ++#include <linux/grsecurity.h>
34760 + #include <net/icmp.h>
34761 + #include <net/route.h>
34762 + #include <net/checksum.h>
34763 + #include <net/xfrm.h>
34764 + #include "udp_impl.h"
34765 +
34766 ++extern int gr_search_udp_recvmsg(const struct sock *sk,
34767 ++ const struct sk_buff *skb);
34768 ++extern int gr_search_udp_sendmsg(const struct sock *sk,
34769 ++ const struct sockaddr_in *addr);
34770 ++
34771 ++
34772 + /*
34773 + * Snmp MIB for the UDP layer
34774 + */
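Review bot: the two `extern int gr_search_udp_*()` prototypes are declared locally right after `<linux/grsecurity.h>` has been included; move them into that header so every caller sees one signature, and remove the doubled blank line the hunk leaves before the SNMP comment.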
34775 +@@ -287,6 +294,13 @@ static struct sock *__udp4_lib_lookup(__
34776 + return result;
34777 + }
34778 +
34779 ++struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
34780 ++ __be32 daddr, __be16 dport, int dif)
34781 ++{
34782 ++ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
34783 ++}
34784 ++
34785 ++
34786 + static inline struct sock *udp_v4_mcast_next(struct sock *sk,
34787 + __be16 loc_port, __be32 loc_addr,
34788 + __be16 rmt_port, __be32 rmt_addr,
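Review bot: `udp_v4_lookup()` is defined here without an `EXPORT_SYMBOL()`, yet its only caller in this patch is `ipt_stealth.c`, which `IP_NF_MATCH_STEALTH` allows to be built as a module (`tristate`); a modular build will fail at load time with an unresolved symbol. Add `EXPORT_SYMBOL(udp_v4_lookup);`, put the prototype in `include/net/udp.h` (with the `__be32`/`__be16` types used here), and drop the extra blank line after the function.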
34789 +@@ -572,9 +586,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
34790 + dport = usin->sin_port;
34791 + if (dport == 0)
34792 + return -EINVAL;
34793 ++
34794 ++ if (!gr_search_udp_sendmsg(sk, usin))
34795 ++ return -EPERM;
34796 + } else {
34797 + if (sk->sk_state != TCP_ESTABLISHED)
34798 + return -EDESTADDRREQ;
34799 ++
34800 ++ if (!gr_search_udp_sendmsg(sk, NULL))
34801 ++ return -EPERM;
34802 ++
34803 + daddr = inet->daddr;
34804 + dport = inet->dport;
34805 + /* Open fast path for connected socket.
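Review bot: the hook is called with `usin` on the explicit-address path and with `NULL` on the connected-socket path, so `gr_search_udp_sendmsg()` must tolerate a NULL address and read `inet->daddr`/`inet->dport` from the socket itself; a comment at the second call site saying so would help. The denial returns `-EPERM`, while the `socket()`/`bind()`/`connect()` hooks added to `net/socket.c` in this same patch return `-EACCES`; pick one errno for policy denials.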
34806 +@@ -834,6 +855,11 @@ try_again:
34807 + if (!skb)
34808 + goto out;
34809 +
34810 ++ if (!gr_search_udp_recvmsg(sk, skb)) {
34811 ++ err = -EPERM;
34812 ++ goto out_free;
34813 ++ }
34814 ++
34815 + ulen = skb->len - sizeof(struct udphdr);
34816 + copied = len;
34817 + if (copied > ulen)
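Review bot: the check runs after the datagram has already been dequeued and jumps to `out_free`, so a denied datagram is discarded rather than left on the queue; if that is the intended semantics (deny and drop, not deny and retain), say so in a comment. As in `udp_sendmsg`, this uses `-EPERM` where the `net/socket.c` hooks in this patch use `-EACCES`.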
34818 +diff -Nurp linux-2.6.23.15/net/ipv6/exthdrs.c linux-2.6.23.15-grsec/net/ipv6/exthdrs.c
34819 +--- linux-2.6.23.15/net/ipv6/exthdrs.c 2007-10-09 21:31:38.000000000 +0100
34820 ++++ linux-2.6.23.15-grsec/net/ipv6/exthdrs.c 2008-02-11 10:37:45.000000000 +0000
34821 +@@ -645,7 +645,7 @@ static struct tlvtype_proc tlvprochopopt
34822 + .type = IPV6_TLV_JUMBO,
34823 + .func = ipv6_hop_jumbo,
34824 + },
34825 +- { -1, }
34826 ++ { -1, NULL }
34827 + };
34828 +
34829 + int ipv6_parse_hopopts(struct sk_buff **skbp)
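Review bot: `{ -1, }` and `{ -1, NULL }` are identical initialisers (the omitted member is zero-initialised); this only silences a missing-field-initializers warning and has nothing to do with hardening. The same cosmetic change appears below in `net/mac80211/regdomain.c` (`{ 0 }` to `{ 0, 0, 0, 0 }`) and `net/sctp/socket.c` (`{ NULL }` to `{ NULL, NULL }`); collect them in a separate warning-cleanup patch.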
34830 +diff -Nurp linux-2.6.23.15/net/ipv6/raw.c linux-2.6.23.15-grsec/net/ipv6/raw.c
34831 +--- linux-2.6.23.15/net/ipv6/raw.c 2007-10-09 21:31:38.000000000 +0100
34832 ++++ linux-2.6.23.15-grsec/net/ipv6/raw.c 2008-02-11 10:37:45.000000000 +0000
34833 +@@ -577,7 +577,7 @@ out:
34834 + return err;
34835 + }
34836 +
34837 +-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
34838 ++static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
34839 + struct flowi *fl, struct rt6_info *rt,
34840 + unsigned int flags)
34841 + {
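Review bot: this changes only the prototype of `rawv6_send_hdrinc()` (`int length` to `unsigned int length`); neither the function body nor its caller is in the hunk, so any `length < 0` test inside becomes dead code and any caller passing a possibly negative value is no longer caught. Show the corresponding body/caller changes, or state in the changelog that `length` is already guaranteed non-negative at the call site.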
34842 +diff -Nurp linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c
34843 +--- linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c 2007-10-09 21:31:38.000000000 +0100
34844 ++++ linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c 2008-02-11 10:37:45.000000000 +0000
34845 +@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
34846 + IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
34847 +
34848 + line = tty->index;
34849 +- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
34850 ++ if (line >= IRCOMM_TTY_PORTS) {
34851 + return -ENODEV;
34852 + }
34853 +
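Review bot: removing the `(line < 0)` test is only safe if `line` is unsigned (in which case the test was dead and this silences a warning); the declaration of `line` is not in the hunk, and `tty->index` is assigned to it one line above. If `line` is a signed `int`, a negative index now passes the bounds check. Include the declaration in the context or note its type in the changelog.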
34854 +diff -Nurp linux-2.6.23.15/net/mac80211/ieee80211.c linux-2.6.23.15-grsec/net/mac80211/ieee80211.c
34855 +--- linux-2.6.23.15/net/mac80211/ieee80211.c 2008-02-11 10:36:03.000000000 +0000
34856 ++++ linux-2.6.23.15-grsec/net/mac80211/ieee80211.c 2008-02-11 10:37:45.000000000 +0000
34857 +@@ -1260,7 +1260,7 @@ __ieee80211_parse_tx_radiotap(
34858 + }
34859 +
34860 +
34861 +-static ieee80211_txrx_result inline
34862 ++static inline ieee80211_txrx_result
34863 + __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34864 + struct sk_buff *skb,
34865 + struct net_device *dev,
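Review bot: moving `inline` before the return type (`static ieee80211_txrx_result inline` to `static inline ieee80211_txrx_result`) is a pure style change that silences gcc's "inline is not at beginning of declaration" warning; it and the two identical hunks that follow in this file belong in a separate cleanup, not in the grsecurity feature patch.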
34866 +@@ -1332,7 +1332,7 @@ __ieee80211_tx_prepare(struct ieee80211_
34867 + return res;
34868 + }
34869 +
34870 +-static int inline is_ieee80211_device(struct net_device *dev,
34871 ++static inline int is_ieee80211_device(struct net_device *dev,
34872 + struct net_device *master)
34873 + {
34874 + return (wdev_priv(dev->ieee80211_ptr) ==
34875 +@@ -1341,7 +1341,7 @@ static int inline is_ieee80211_device(st
34876 +
34877 + /* Device in tx->dev has a reference added; use dev_put(tx->dev) when
34878 + * finished with it. */
34879 +-static int inline ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34880 ++static inline int ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
34881 + struct sk_buff *skb,
34882 + struct net_device *mdev,
34883 + struct ieee80211_tx_control *control)
34884 +diff -Nurp linux-2.6.23.15/net/mac80211/regdomain.c linux-2.6.23.15-grsec/net/mac80211/regdomain.c
34885 +--- linux-2.6.23.15/net/mac80211/regdomain.c 2007-10-09 21:31:38.000000000 +0100
34886 ++++ linux-2.6.23.15-grsec/net/mac80211/regdomain.c 2008-02-11 10:37:45.000000000 +0000
34887 +@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
34888 + { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
34889 + { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
34890 + { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
34891 +- { 0 }
34892 ++ { 0, 0, 0, 0 }
34893 + };
34894 +
34895 + static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
34896 + { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
34897 + { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
34898 + { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
34899 +- { 0 }
34900 ++ { 0, 0, 0, 0 }
34901 + };
34902 +
34903 +
34904 +diff -Nurp linux-2.6.23.15/net/sctp/socket.c linux-2.6.23.15-grsec/net/sctp/socket.c
34905 +--- linux-2.6.23.15/net/sctp/socket.c 2007-10-09 21:31:38.000000000 +0100
34906 ++++ linux-2.6.23.15-grsec/net/sctp/socket.c 2008-02-11 10:37:45.000000000 +0000
34907 +@@ -1370,7 +1370,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
34908 + struct sctp_sndrcvinfo *sinfo;
34909 + struct sctp_initmsg *sinit;
34910 + sctp_assoc_t associd = 0;
34911 +- sctp_cmsgs_t cmsgs = { NULL };
34912 ++ sctp_cmsgs_t cmsgs = { NULL, NULL };
34913 + int err;
34914 + sctp_scope_t scope;
34915 + long timeo;
34916 +diff -Nurp linux-2.6.23.15/net/socket.c linux-2.6.23.15-grsec/net/socket.c
34917 +--- linux-2.6.23.15/net/socket.c 2008-02-11 10:36:03.000000000 +0000
34918 ++++ linux-2.6.23.15-grsec/net/socket.c 2008-02-11 10:37:45.000000000 +0000
34919 +@@ -84,6 +84,7 @@
34920 + #include <linux/kmod.h>
34921 + #include <linux/audit.h>
34922 + #include <linux/wireless.h>
34923 ++#include <linux/in.h>
34924 +
34925 + #include <asm/uaccess.h>
34926 + #include <asm/unistd.h>
34927 +@@ -93,6 +94,21 @@
34928 + #include <net/sock.h>
34929 + #include <linux/netfilter.h>
34930 +
34931 ++extern void gr_attach_curr_ip(const struct sock *sk);
34932 ++extern int gr_handle_sock_all(const int family, const int type,
34933 ++ const int protocol);
34934 ++extern int gr_handle_sock_server(const struct sockaddr *sck);
34935 ++extern int gr_handle_sock_server_other(const struct socket *sck);
34936 ++extern int gr_handle_sock_client(const struct sockaddr *sck);
34937 ++extern int gr_search_connect(const struct socket * sock,
34938 ++ const struct sockaddr_in * addr);
34939 ++extern int gr_search_bind(const struct socket * sock,
34940 ++ const struct sockaddr_in * addr);
34941 ++extern int gr_search_listen(const struct socket * sock);
34942 ++extern int gr_search_accept(const struct socket * sock);
34943 ++extern int gr_search_socket(const int domain, const int type,
34944 ++ const int protocol);
34945 ++
34946 + static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
34947 + static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
34948 + unsigned long nr_segs, loff_t pos);
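Review bot: this block of eleven `extern` prototypes belongs in `<linux/grsecurity.h>` (which other files in this patch include) rather than in `net/socket.c`; a local copy can silently drift from the definition. Style nit while moving them: `const struct socket * sock` should be `const struct socket *sock`. Note also that `gr_search_connect()` and `gr_search_bind()` take a `struct sockaddr_in *` although `sys_bind()`/`sys_connect()` handle every address family; the hooks must check `sin_family` before trusting `sin_addr`/`sin_port`.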
34949 +@@ -292,7 +308,7 @@ static int sockfs_get_sb(struct file_sys
34950 + mnt);
34951 + }
34952 +
34953 +-static struct vfsmount *sock_mnt __read_mostly;
34954 ++struct vfsmount *sock_mnt __read_mostly;
34955 +
34956 + static struct file_system_type sock_fs_type = {
34957 + .name = "sockfs",
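Review bot: `sock_mnt` is made global (the `static` is dropped) but no `extern` declaration is added to a header and no consumer is visible in this patch; add the declaration where the grsecurity code that needs it can see it, and say in the changelog what it is used for, since widening the visibility of the sockfs mount is otherwise unexplained.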
34958 +@@ -1199,6 +1215,16 @@ asmlinkage long sys_socket(int family, i
34959 + int retval;
34960 + struct socket *sock;
34961 +
34962 ++ if(!gr_search_socket(family, type, protocol)) {
34963 ++ retval = -EACCES;
34964 ++ goto out;
34965 ++ }
34966 ++
34967 ++ if (gr_handle_sock_all(family, type, protocol)) {
34968 ++ retval = -EACCES;
34969 ++ goto out;
34970 ++ }
34971 ++
34972 + retval = sock_create(family, type, protocol, &sock);
34973 + if (retval < 0)
34974 + goto out;
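Review bot: the two new checks use opposite conventions, `!gr_search_socket(...)` denies on zero while `gr_handle_sock_all(...)` denies on non-zero, which makes the code easy to misread; either give both the same sense or add a comment stating what each return value means. Both branches set `retval = -EACCES` and `goto out`, so they can be collapsed into one `if`. Style nit: `if(` should be `if (`.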
34975 +@@ -1329,6 +1355,12 @@ asmlinkage long sys_bind(int fd, struct
34976 + if (sock) {
34977 + err = move_addr_to_kernel(umyaddr, addrlen, address);
34978 + if (err >= 0) {
34979 ++ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
34980 ++ gr_handle_sock_server((struct sockaddr *)address)) {
34981 ++ err = -EACCES;
34982 ++ goto error;
34983 ++ }
34984 ++
34985 + err = security_socket_bind(sock,
34986 + (struct sockaddr *)address,
34987 + addrlen);
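Review bot: `address` is the raw `char[MAX_SOCK_ADDR]` buffer filled by `move_addr_to_kernel()`, and it is cast to `struct sockaddr_in *` for `gr_search_bind()` regardless of the family being bound; for AF_UNIX or AF_INET6 the `sin_addr`/`sin_port` fields read by the hook are meaningless, so the hook must check `sin_family == AF_INET` first, and that requirement should be stated at the call site. The `goto error` target is only added in the next hunk; keep both in one hunk so the patch stays readable when split.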
34988 +@@ -1337,6 +1369,7 @@ asmlinkage long sys_bind(int fd, struct
34989 + (struct sockaddr *)
34990 + address, addrlen);
34991 + }
34992 ++error:
34993 + fput_light(sock->file, fput_needed);
34994 + }
34995 + return err;
34996 +@@ -1360,10 +1393,17 @@ asmlinkage long sys_listen(int fd, int b
34997 + if ((unsigned)backlog > sysctl_somaxconn)
34998 + backlog = sysctl_somaxconn;
34999 +
35000 ++ if (gr_handle_sock_server_other(sock) ||
35001 ++ !gr_search_listen(sock)) {
35002 ++ err = -EPERM;
35003 ++ goto error;
35004 ++ }
35005 ++
35006 + err = security_socket_listen(sock, backlog);
35007 + if (!err)
35008 + err = sock->ops->listen(sock, backlog);
35009 +
35010 ++error:
35011 + fput_light(sock->file, fput_needed);
35012 + }
35013 + return err;
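Review bot: `sys_listen()` denies with `-EPERM` while `sys_bind()`, `sys_connect()` and `sys_socket()` in this same patch deny with `-EACCES`; policy denials should use one errno so userspace can tell them apart from protocol errors. As in `sys_socket()`, `gr_handle_sock_server_other()` denies on non-zero and `gr_search_listen()` on zero; a comment or consistent naming would avoid misreads.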
35014 +@@ -1400,6 +1440,13 @@ asmlinkage long sys_accept(int fd, struc
35015 + newsock->type = sock->type;
35016 + newsock->ops = sock->ops;
35017 +
35018 ++ if (gr_handle_sock_server_other(sock) ||
35019 ++ !gr_search_accept(sock)) {
35020 ++ err = -EPERM;
35021 ++ sock_release(newsock);
35022 ++ goto out_put;
35023 ++ }
35024 ++
35025 + /*
35026 + * We don't need try_module_get here, as the listening socket (sock)
35027 + * has the protocol module (sock->ops->owner) held.
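Review bot: the check depends only on the listening socket `sock`, yet it is placed after `newsock` has been allocated and initialised, forcing the `sock_release(newsock)` on denial; moving the check ahead of the allocation avoids the allocate/release round trip on every denied `accept()`. Same errno point as `sys_listen()`: `-EPERM` here versus `-EACCES` in the other socket hooks.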
35028 +@@ -1443,6 +1490,7 @@ asmlinkage long sys_accept(int fd, struc
35029 + err = newfd;
35030 +
35031 + security_socket_post_accept(sock, newsock);
35032 ++ gr_attach_curr_ip(newsock->sk);
35033 +
35034 + out_put:
35035 + fput_light(sock->file, fput_needed);
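Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `err = newfd`, that is, after the new descriptor has been handed to userspace, so another thread sharing the file table can already operate on the socket before the peer IP is recorded; if later policy decisions rely on what is attached here, call the hook before the descriptor is published, right after the accept itself succeeds.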
35036 +@@ -1476,6 +1524,7 @@ asmlinkage long sys_connect(int fd, stru
35037 + {
35038 + struct socket *sock;
35039 + char address[MAX_SOCK_ADDR];
35040 ++ struct sockaddr *sck;
35041 + int err, fput_needed;
35042 +
35043 + sock = sockfd_lookup_light(fd, &err, &fput_needed);
35044 +@@ -1485,6 +1534,13 @@ asmlinkage long sys_connect(int fd, stru
35045 + if (err < 0)
35046 + goto out_put;
35047 +
35048 ++ sck = (struct sockaddr *)address;
35049 ++ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
35050 ++ gr_handle_sock_client(sck)) {
35051 ++ err = -EACCES;
35052 ++ goto out_put;
35053 ++ }
35054 ++
35055 + err =
35056 + security_socket_connect(sock, (struct sockaddr *)address, addrlen);
35057 + if (err)
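Review bot: same cast concern as in `sys_bind()`: `address` is the generic `char[MAX_SOCK_ADDR]` buffer and is passed to `gr_search_connect()` as `struct sockaddr_in *` for every family, so the hook must validate `sin_family` before using the IPv4 fields. The new `sck` local exists only to be cast twice; `(struct sockaddr *)address` and `(struct sockaddr_in *)address` inline would avoid adding a variable to the function (and the separate declaration hunk above).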
35058 +@@ -1762,6 +1818,7 @@ asmlinkage long sys_shutdown(int fd, int
35059 + err = sock->ops->shutdown(sock, how);
35060 + fput_light(sock->file, fput_needed);
35061 + }
35062 ++
35063 + return err;
35064 + }
35065 +
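Review bot: this hunk adds only a blank line before `return err;` in `sys_shutdown()`; drop it from the patch.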
35066 +diff -Nurp linux-2.6.23.15/net/unix/af_unix.c linux-2.6.23.15-grsec/net/unix/af_unix.c
35067 +--- linux-2.6.23.15/net/unix/af_unix.c 2008-02-11 10:36:03.000000000 +0000
35068 ++++ linux-2.6.23.15-grsec/net/unix/af_unix.c 2008-02-11 10:37:45.000000000 +0000
35069 +@@ -115,6 +115,7 @@
35070 + #include <linux/mount.h>
35071 + #include <net/checksum.h>
35072 + #include <linux/security.h>
35073 ++#include <linux/grsecurity.h>
35074 +
35075 + int sysctl_unix_max_dgram_qlen __read_mostly = 10;
35076 +
35077 +@@ -733,6 +734,11 @@ static struct sock *unix_find_other(stru
35078 + if (err)
35079 + goto put_fail;
35080 +
35081 ++ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
35082 ++ err = -EACCES;
35083 ++ goto put_fail;
35084 ++ }
35085 ++
35086 + err = -ECONNREFUSED;
35087 + if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
35088 + goto put_fail;
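Review bot: the ACL check is evaluated before the `S_ISSOCK()` test, so a confined process connecting to a denied path gets `-EACCES` even when the path is not a socket at all, where an unconfined one gets `-ECONNREFUSED`; that is fail-closed and acceptable, but the ordering deserves a comment. This hunk uses `-EACCES` while the chroot check two hunks down in the same function uses `-EPERM`.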
35089 +@@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
35090 + if (u) {
35091 + struct dentry *dentry;
35092 + dentry = unix_sk(u)->dentry;
35093 ++
35094 ++ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
35095 ++ err = -EPERM;
35096 ++ sock_put(u);
35097 ++ goto fail;
35098 ++ }
35099 ++
35100 + if (dentry)
35101 + touch_atime(unix_sk(u)->mnt, dentry);
35102 + } else
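Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` keys the decision on a raw pid stored in the socket at bind time (see the `sk->sk_peercred.pid = current->pid` hunk below); a pid is not a reference, so once the binding task exits the number can be recycled by an unrelated process and the chroot check will consult the wrong task. Consider holding a `struct pid` (or checking at bind/listen time) instead, and note that when `CONFIG_GRKERNSEC_CHROOT_UNIX` is off the field is never set on this path, so the hook must treat pid 0 as "unknown".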
35103 +@@ -834,9 +847,18 @@ static int unix_bind(struct socket *sock
35104 + */
35105 + mode = S_IFSOCK |
35106 + (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
35107 ++
35108 ++ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
35109 ++ err = -EACCES;
35110 ++ goto out_mknod_dput;
35111 ++ }
35112 ++
35113 + err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
35114 + if (err)
35115 + goto out_mknod_dput;
35116 ++
35117 ++ gr_handle_create(dentry, nd.mnt);
35118 ++
35119 + mutex_unlock(&nd.dentry->d_inode->i_mutex);
35120 + dput(nd.dentry);
35121 + nd.dentry = dentry;
35122 +@@ -854,6 +876,10 @@ static int unix_bind(struct socket *sock
35123 + goto out_unlock;
35124 + }
35125 +
35126 ++#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
35127 ++ sk->sk_peercred.pid = current->pid;
35128 ++#endif
35129 ++
35130 + list = &unix_socket_table[addr->hash];
35131 + } else {
35132 + list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
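Review bot: `current->pid` is the thread id, not the thread-group id, so for a multithreaded server the recorded pid names one thread, which can exit while the process (and its bound abstract socket) lives on; if the intent is to identify the owning process use `current->tgid`, and document that `sk_peercred` is being overloaded here, since `SO_PEERCRED` also reads this field.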
35133 +diff -Nurp linux-2.6.23.15/scripts/pnmtologo.c linux-2.6.23.15-grsec/scripts/pnmtologo.c
35134 +--- linux-2.6.23.15/scripts/pnmtologo.c 2007-10-09 21:31:38.000000000 +0100
35135 ++++ linux-2.6.23.15-grsec/scripts/pnmtologo.c 2008-02-11 10:37:45.000000000 +0000
35136 +@@ -237,14 +237,14 @@ static void write_header(void)
35137 + fprintf(out, " * Linux logo %s\n", logoname);
35138 + fputs(" */\n\n", out);
35139 + fputs("#include <linux/linux_logo.h>\n\n", out);
35140 +- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
35141 ++ fprintf(out, "static unsigned char %s_data[] = {\n",
35142 + logoname);
35143 + }
35144 +
35145 + static void write_footer(void)
35146 + {
35147 + fputs("\n};\n\n", out);
35148 +- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
35149 ++ fprintf(out, "struct linux_logo %s = {\n", logoname);
35150 + fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
35151 + fprintf(out, " .width\t= %d,\n", logo_width);
35152 + fprintf(out, " .height\t= %d,\n", logo_height);
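Review bot: dropping `__initdata` from the generated logo data and `struct linux_logo` keeps them resident after init memory is freed, on every kernel built with a boot logo; the hunk (and the second one below that does the same for the clut) gives no reason. State in the changelog which post-init access or which section constraint requires it, otherwise this reads as a regression.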
35153 +@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
35154 + fputs("\n};\n\n", out);
35155 +
35156 + /* write logo clut */
35157 +- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
35158 ++ fprintf(out, "static unsigned char %s_clut[] = {\n",
35159 + logoname);
35160 + write_hex_cnt = 0;
35161 + for (i = 0; i < logo_clutsize; i++) {
35162 +diff -Nurp linux-2.6.23.15/security/Kconfig linux-2.6.23.15-grsec/security/Kconfig
35163 +--- linux-2.6.23.15/security/Kconfig 2007-10-09 21:31:38.000000000 +0100
35164 ++++ linux-2.6.23.15-grsec/security/Kconfig 2008-02-11 10:37:45.000000000 +0000
35165 +@@ -4,6 +4,429 @@
35166 +
35167 + menu "Security options"
35168 +
35169 ++source grsecurity/Kconfig
35170 ++
35171 ++menu "PaX"
35172 ++
35173 ++config PAX
35174 ++ bool "Enable various PaX features"
35175 ++ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35176 ++ help
35177 ++ This allows you to enable various PaX features. PaX adds
35178 ++ intrusion prevention mechanisms to the kernel that reduce
35179 ++ the risks posed by exploitable memory corruption bugs.
35180 ++
35181 ++menu "PaX Control"
35182 ++ depends on PAX
35183 ++
35184 ++config PAX_SOFTMODE
35185 ++ bool 'Support soft mode'
35186 ++ help
35187 ++ Enabling this option will allow you to run PaX in soft mode, that
35188 ++ is, PaX features will not be enforced by default, only on executables
35189 ++ marked explicitly. You must also enable PT_PAX_FLAGS support as it
35190 ++ is the only way to mark executables for soft mode use.
35191 ++
35192 ++ Soft mode can be activated by using the "pax_softmode=1" kernel command
35193 ++ line option on boot. Furthermore you can control various PaX features
35194 ++ at runtime via the entries in /proc/sys/kernel/pax.
35195 ++
35196 ++config PAX_EI_PAX
35197 ++ bool 'Use legacy ELF header marking'
35198 ++ help
35199 ++ Enabling this option will allow you to control PaX features on
35200 ++ a per executable basis via the 'chpax' utility available at
35201 ++ http://pax.grsecurity.net/. The control flags will be read from
35202 ++ an otherwise reserved part of the ELF header. This marking has
35203 ++ numerous drawbacks (no support for soft-mode, toolchain does not
35204 ++ know about the non-standard use of the ELF header) therefore it
35205 ++ has been deprecated in favour of PT_PAX_FLAGS support.
35206 ++
35207 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
35208 ++ program header then you MUST enable this option otherwise they
35209 ++ will not get any protection.
35210 ++
35211 ++ Note that if you enable PT_PAX_FLAGS marking support as well,
35212 ++ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
35213 ++
35214 ++config PAX_PT_PAX_FLAGS
35215 ++ bool 'Use ELF program header marking'
35216 ++ help
35217 ++ Enabling this option will allow you to control PaX features on
35218 ++ a per executable basis via the 'paxctl' utility available at
35219 ++ http://pax.grsecurity.net/. The control flags will be read from
35220 ++ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
35221 ++ has the benefits of supporting both soft mode and being fully
35222 ++ integrated into the toolchain (the binutils patch is available
35223 ++ from http://pax.grsecurity.net).
35224 ++
35225 ++ If you have applications not marked by the PT_PAX_FLAGS ELF
35226 ++ program header then you MUST enable the EI_PAX marking support
35227 ++ otherwise they will not get any protection.
35228 ++
35229 ++ Note that if you enable the legacy EI_PAX marking support as well,
35230 ++ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
35231 ++
35232 ++choice
35233 ++ prompt 'MAC system integration'
35234 ++ default PAX_HAVE_ACL_FLAGS
35235 ++ help
35236 ++ Mandatory Access Control systems have the option of controlling
35237 ++ PaX flags on a per executable basis, choose the method supported
35238 ++ by your particular system.
35239 ++
35240 ++ - "none": if your MAC system does not interact with PaX,
35241 ++ - "direct": if your MAC system defines pax_set_initial_flags() itself,
35242 ++ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
35243 ++
35244 ++ NOTE: this option is for developers/integrators only.
35245 ++
35246 ++ config PAX_NO_ACL_FLAGS
35247 ++ bool 'none'
35248 ++
35249 ++ config PAX_HAVE_ACL_FLAGS
35250 ++ bool 'direct'
35251 ++
35252 ++ config PAX_HOOK_ACL_FLAGS
35253 ++ bool 'hook'
35254 ++endchoice
35255 ++
35256 ++endmenu
35257 ++
35258 ++menu "Non-executable pages"
35259 ++ depends on PAX
35260 ++
35261 ++config PAX_NOEXEC
35262 ++ bool "Enforce non-executable pages"
35263 ++ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35264 ++ help
35265 ++ By design some architectures do not allow for protecting memory
35266 ++ pages against execution or even if they do, Linux does not make
35267 ++ use of this feature. In practice this means that if a page is
35268 ++ readable (such as the stack or heap) it is also executable.
35269 ++
35270 ++ There is a well known exploit technique that makes use of this
35271 ++ fact and a common programming mistake where an attacker can
35272 ++ introduce code of his choice somewhere in the attacked program's
35273 ++ memory (typically the stack or the heap) and then execute it.
35274 ++
35275 ++ If the attacked program was running with different (typically
35276 ++ higher) privileges than that of the attacker, then he can elevate
35277 ++ his own privilege level (e.g. get a root shell, write to files for
35278 ++ which he does not have write access to, etc).
35279 ++
35280 ++ Enabling this option will let you choose from various features
35281 ++ that prevent the injection and execution of 'foreign' code in
35282 ++ a program.
35283 ++
35284 ++ This will also break programs that rely on the old behaviour and
35285 ++ expect that dynamically allocated memory via the malloc() family
35286 ++ of functions is executable (which it is not). Notable examples
35287 ++ are the XFree86 4.x server, the java runtime and wine.
35288 ++
35289 ++config PAX_PAGEEXEC
35290 ++ bool "Paging based non-executable pages"
35291 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
35292 ++ help
35293 ++ This implementation is based on the paging feature of the CPU.
35294 ++ On i386 without hardware non-executable bit support there is a
35295 ++ variable but usually low performance impact, however on Intel's
35296 ++ P4 core based CPUs it is very high so you should not enable this
35297 ++ for kernels meant to be used on such CPUs.
35298 ++
35299 ++ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
35300 ++ with hardware non-executable bit support there is no performance
35301 ++ impact, on ppc the impact is negligible.
35302 ++
35303 ++ Note that several architectures require various emulations due to
35304 ++ badly designed userland ABIs, this will cause a performance impact
35305 ++ but will disappear as soon as userland is fixed (e.g., ppc users
35306 ++ can make use of the secure-plt feature found in binutils).
35307 ++
35308 ++config PAX_SEGMEXEC
35309 ++ bool "Segmentation based non-executable pages"
35310 ++ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
35311 ++ help
35312 ++ This implementation is based on the segmentation feature of the
35313 ++ CPU and has a very small performance impact, however applications
35314 ++ will be limited to a 1.5 GB address space instead of the normal
35315 ++ 3 GB.
35316 ++
35317 ++config PAX_EMUTRAMP
35318 ++ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
35319 ++ default y if PARISC || PPC32
35320 ++ help
35321 ++ There are some programs and libraries that for one reason or
35322 ++ another attempt to execute special small code snippets from
35323 ++ non-executable memory pages. Most notable examples are the
35324 ++ signal handler return code generated by the kernel itself and
35325 ++ the GCC trampolines.
35326 ++
35327 ++ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
35328 ++ such programs will no longer work under your kernel.
35329 ++
35330 ++ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
35331 ++ utilities to enable trampoline emulation for the affected programs
35332 ++ yet still have the protection provided by the non-executable pages.
35333 ++
35334 ++ On parisc and ppc you MUST enable this option and EMUSIGRT as
35335 ++ well, otherwise your system will not even boot.
35336 ++
35337 ++ Alternatively you can say N here and use the 'chpax' or 'paxctl'
35338 ++ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
35339 ++ for the affected files.
35340 ++
35341 ++ NOTE: enabling this feature *may* open up a loophole in the
35342 ++ protection provided by non-executable pages that an attacker
35343 ++ could abuse. Therefore the best solution is to not have any
35344 ++ files on your system that would require this option. This can
35345 ++ be achieved by not using libc5 (which relies on the kernel
35346 ++ signal handler return code) and not using or rewriting programs
35347 ++ that make use of the nested function implementation of GCC.
35348 ++ Skilled users can just fix GCC itself so that it implements
35349 ++ nested function calls in a way that does not interfere with PaX.
35350 ++
35351 ++config PAX_EMUSIGRT
35352 ++ bool "Automatically emulate sigreturn trampolines"
35353 ++ depends on PAX_EMUTRAMP && (PARISC || PPC32)
35354 ++ default y
35355 ++ help
35356 ++ Enabling this option will have the kernel automatically detect
35357 ++ and emulate signal return trampolines executing on the stack
35358 ++ that would otherwise lead to task termination.
35359 ++
35360 ++ This solution is intended as a temporary one for users with
35361 ++ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
35362 ++ Modula-3 runtime, etc) or executables linked to such, basically
35363 ++ everything that does not specify its own SA_RESTORER function in
35364 ++ normal executable memory like glibc 2.1+ does.
35365 ++
35366 ++ On parisc and ppc you MUST enable this option, otherwise your
35367 ++ system will not even boot.
35368 ++
35369 ++ NOTE: this feature cannot be disabled on a per executable basis
35370 ++ and since it *does* open up a loophole in the protection provided
35371 ++ by non-executable pages, the best solution is to not have any
35372 ++ files on your system that would require this option.
35373 ++
35374 ++config PAX_MPROTECT
35375 ++ bool "Restrict mprotect()"
35376 ++ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
35377 ++ help
35378 ++ Enabling this option will prevent programs from
35379 ++ - changing the executable status of memory pages that were
35380 ++ not originally created as executable,
35381 ++ - making read-only executable pages writable again,
35382 ++ - creating executable pages from anonymous memory.
35383 ++
35384 ++ You should say Y here to complete the protection provided by
35385 ++ the enforcement of non-executable pages.
35386 ++
35387 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
35388 ++ this feature on a per file basis.
35389 ++
35390 ++config PAX_NOELFRELOCS
35391 ++ bool "Disallow ELF text relocations"
35392 ++ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
35393 ++ help
35394 ++ Non-executable pages and mprotect() restrictions are effective
35395 ++ in preventing the introduction of new executable code into an
35396 ++ attacked task's address space. There remain only two venues
35397 ++ for this kind of attack: if the attacker can execute already
35398 ++ existing code in the attacked task then he can either have it
35399 ++ create and mmap() a file containing his code or have it mmap()
35400 ++ an already existing ELF library that does not have position
35401 ++ independent code in it and use mprotect() on it to make it
35402 ++ writable and copy his code there. While protecting against
35403 ++ the former approach is beyond PaX, the latter can be prevented
35404 ++ by having only PIC ELF libraries on one's system (which do not
35405 ++ need to relocate their code). If you are sure this is your case,
35406 ++ then enable this option otherwise be careful as you may not even
35407 ++ be able to boot or log on your system (for example, some PAM
35408 ++ modules are erroneously compiled as non-PIC by default).
35409 ++
35410 ++ NOTE: if you are using dynamic ELF executables (as suggested
35411 ++ when using ASLR) then you must have made sure that you linked
35412 ++ your files using the PIC version of crt1 (the et_dyn.tar.gz package
35413 ++ referenced there has already been updated to support this).
35414 ++
35415 ++config PAX_ETEXECRELOCS
35416 ++ bool "Allow ELF ET_EXEC text relocations"
35417 ++ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
35418 ++ default y
35419 ++ help
35420 ++ On some architectures there are incorrectly created applications
35421 ++ that require text relocations and would not work without enabling
35422 ++ this option. If you are an alpha, ia64 or parisc user, you should
35423 ++ enable this option and disable it once you have made sure that
35424 ++ none of your applications need it.
35425 ++
35426 ++config PAX_EMUPLT
35427 ++ bool "Automatically emulate ELF PLT"
35428 ++ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
35429 ++ default y
35430 ++ help
35431 ++ Enabling this option will have the kernel automatically detect
35432 ++ and emulate the Procedure Linkage Table entries in ELF files.
35433 ++ On some architectures such entries are in writable memory, and
35434 ++ become non-executable leading to task termination. Therefore
35435 ++ it is mandatory that you enable this option on alpha, parisc,
35436 ++ ppc (if secure-plt is not used throughout in userland), sparc
35437 ++ and sparc64, otherwise your system would not even boot.
35438 ++
35439 ++ NOTE: this feature *does* open up a loophole in the protection
35440 ++ provided by the non-executable pages, therefore the proper
35441 ++ solution is to modify the toolchain to produce a PLT that does
35442 ++ not need to be writable.
35443 ++
35444 ++config PAX_DLRESOLVE
35445 ++ bool
35446 ++ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
35447 ++ default y
35448 ++
35449 ++config PAX_SYSCALL
35450 ++ bool
35451 ++ depends on PAX_PAGEEXEC && PPC32
35452 ++ default y
35453 ++
35454 ++config PAX_KERNEXEC
35455 ++ bool "Enforce non-executable kernel pages"
35456 ++ depends on PAX_NOEXEC && X86_32 && !EFI && !COMPAT_VDSO && X86_WP_WORKS_OK && !PARAVIRT
35457 ++ help
35458 ++ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
35459 ++ that is, enabling this option will make it harder to inject
35460 ++ and execute 'foreign' code in kernel memory itself.
35461 ++
35462 ++endmenu
35463 ++
35464 ++menu "Address Space Layout Randomization"
35465 ++ depends on PAX
35466 ++
35467 ++config PAX_ASLR
35468 ++ bool "Address Space Layout Randomization"
35469 ++ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
35470 ++ help
35471 ++ Many if not most exploit techniques rely on the knowledge of
35472 ++ certain addresses in the attacked program. The following options
35473 ++ will allow the kernel to apply a certain amount of randomization
35474 ++ to specific parts of the program thereby forcing an attacker to
35475 ++ guess them in most cases. Any failed guess will most likely crash
35476 ++ the attacked program which allows the kernel to detect such attempts
35477 ++ and react on them. PaX itself provides no reaction mechanisms,
35478 ++ instead it is strongly encouraged that you make use of Nergal's
35479 ++ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
35480 ++ (http://www.grsecurity.net/) built-in crash detection features or
35481 ++ develop one yourself.
35482 ++
35483 ++ By saying Y here you can choose to randomize the following areas:
35484 ++ - top of the task's kernel stack
35485 ++ - top of the task's userland stack
35486 ++ - base address for mmap() requests that do not specify one
35487 ++ (this includes all libraries)
35488 ++ - base address of the main executable
35489 ++
35490 ++ It is strongly recommended to say Y here as address space layout
35491 ++ randomization has negligible impact on performance yet it provides
35492 ++ a very effective protection.
35493 ++
35494 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
35495 ++ this feature on a per file basis.
35496 ++
35497 ++config PAX_RANDKSTACK
35498 ++ bool "Randomize kernel stack base"
35499 ++ depends on PAX_ASLR && X86_TSC && X86_32
35500 ++ help
35501 ++ By saying Y here the kernel will randomize every task's kernel
35502 ++ stack on every system call. This will not only force an attacker
35503 ++ to guess it but also prevent him from making use of possible
35504 ++ leaked information about it.
35505 ++
35506 ++ Since the kernel stack is a rather scarce resource, randomization
35507 ++ may cause unexpected stack overflows, therefore you should very
35508 ++ carefully test your system. Note that once enabled in the kernel
35509 ++ configuration, this feature cannot be disabled on a per file basis.
35510 ++
35511 ++config PAX_RANDUSTACK
35512 ++ bool "Randomize user stack base"
35513 ++ depends on PAX_ASLR
35514 ++ help
35515 ++ By saying Y here the kernel will randomize every task's userland
35516 ++ stack. The randomization is done in two steps where the second
35517 ++ one may apply a big amount of shift to the top of the stack and
35518 ++ cause problems for programs that want to use lots of memory (more
35519 ++ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
35520 ++ For this reason the second step can be controlled by 'chpax' or
35521 ++ 'paxctl' on a per file basis.
35522 ++
35523 ++config PAX_RANDMMAP
35524 ++ bool "Randomize mmap() base"
35525 ++ depends on PAX_ASLR
35526 ++ help
35527 ++ By saying Y here the kernel will use a randomized base address for
35528 ++ mmap() requests that do not specify one themselves. As a result
35529 ++ all dynamically loaded libraries will appear at random addresses
35530 ++ and therefore be harder to exploit by a technique where an attacker
35531 ++ attempts to execute library code for his purposes (e.g. spawn a
35532 ++ shell from an exploited program that is running at an elevated
35533 ++ privilege level).
35534 ++
35535 ++ Furthermore, if a program is relinked as a dynamic ELF file, its
35536 ++ base address will be randomized as well, completing the full
35537 ++ randomization of the address space layout. Attacking such programs
35538 ++ becomes a guess game. You can find an example of doing this at
35539 ++ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
35540 ++ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
35541 ++
35542 ++ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
35543 ++ feature on a per file basis.
35544 ++
35545 ++endmenu
35546 ++
35547 ++menu "Miscellaneous hardening features"
35548 ++
35549 ++config PAX_MEMORY_SANITIZE
35550 ++ bool "Sanitize all freed memory"
35551 ++ help
35552 ++ By saying Y here the kernel will erase memory pages as soon as they
35553 ++ are freed. This in turn reduces the lifetime of data stored in the
35554 ++ pages, making it less likely that sensitive information such as
35555 ++ passwords, cryptographic secrets, etc stay in memory for too long.
35556 ++
35557 ++ This is especially useful for programs whose runtime is short, long
35558 ++ lived processes and the kernel itself benefit from this as long as
35559 ++ they operate on whole memory pages and ensure timely freeing of pages
35560 ++ that may hold sensitive information.
35561 ++
35562 ++ The tradeoff is performance impact, on a single CPU system kernel
35563 ++ compilation sees a 3% slowdown, other systems and workloads may vary
35564 ++ and you are advised to test this feature on your expected workload
35565 ++ before deploying it.
35566 ++
35567 ++ Note that this feature does not protect data stored in live pages,
35568 ++ e.g., process memory swapped to disk may stay there for a long time.
35569 ++
35570 ++config PAX_MEMORY_UDEREF
35571 ++ bool "Prevent invalid userland pointer dereference"
35572 ++ depends on X86_32 && !COMPAT_VDSO
35573 ++ help
35574 ++ By saying Y here the kernel will be prevented from dereferencing
35575 ++ userland pointers in contexts where the kernel expects only kernel
35576 ++ pointers. This is both a useful runtime debugging feature and a
35577 ++ security measure that prevents exploiting a class of kernel bugs.
35578 ++
35579 ++ The tradeoff is that some virtualization solutions may experience
35580 ++ a huge slowdown and therefore you should not enable this feature
35581 ++ for kernels meant to run in such environments. Whether a given VM
35582 ++ solution is affected or not is best determined by simply trying it
35583 ++ out, the performance impact will be obvious right on boot as this
35584 ++ mechanism engages from very early on. A good rule of thumb is that
35585 ++ VMs running on CPUs without hardware virtualization support (i.e.,
35586 ++ the majority of IA-32 CPUs) will likely experience the slowdown.
35587 ++
35588 ++endmenu
35589 ++
35590 ++endmenu
35591 ++
35592 + config KEYS
35593 + bool "Enable access key retention support"
35594 + help
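Review bot: The hidden symbols PAX_DLRESOLVE and PAX_SYSCALL (the bare `bool` entries without a prompt under PAX_EMUPLT and PAX_PAGEEXEC) carry no help text or comment, so a reader of this Kconfig cannot tell what code they gate; a one-line `#` comment above each naming the mechanism it selects would fix that. Also, PAX_NOELFRELOCS depends on `(IA64 || X86 || X86_64)` while PAX_KERNEXEC a few lines below uses `X86_32`; if `X86` already covers 64-bit builds in this tree the `X86_64` term is redundant, and either way the two expressions should use one naming scheme.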
35595 +diff -Nurp linux-2.6.23.15/security/commoncap.c linux-2.6.23.15-grsec/security/commoncap.c
35596 +--- linux-2.6.23.15/security/commoncap.c 2007-10-09 21:31:38.000000000 +0100
35597 ++++ linux-2.6.23.15-grsec/security/commoncap.c 2008-02-11 10:37:45.000000000 +0000
35598 +@@ -22,10 +22,11 @@
35599 + #include <linux/ptrace.h>
35600 + #include <linux/xattr.h>
35601 + #include <linux/hugetlb.h>
35602 ++#include <linux/grsecurity.h>
35603 +
35604 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
35605 + {
35606 +- NETLINK_CB(skb).eff_cap = current->cap_effective;
35607 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
35608 + return 0;
35609 + }
35610 +
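Review bot: `gr_cap_rtnetlink()` replaces `current->cap_effective` outright in cap_netlink_send, but nothing in this hunk shows what it returns when grsecurity is compiled out or its RBAC policy is not loaded; confirm it falls back to `current->cap_effective` in that case, otherwise netlink senders silently lose their effective capabilities on a kernel that carries the patch with the feature disabled.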
35611 +@@ -43,7 +44,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
35612 + int cap_capable (struct task_struct *tsk, int cap)
35613 + {
35614 + /* Derived from include/linux/sched.h:capable. */
35615 +- if (cap_raised(tsk->cap_effective, cap))
35616 ++ if (cap_raised (tsk->cap_effective, cap))
35617 ++ return 0;
35618 ++ return -EPERM;
35619 ++}
35620 ++
35621 ++int cap_capable_nolog (struct task_struct *tsk, int cap)
35622 ++{
35623 ++ /* tsk = current for all callers */
35624 ++ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
35625 + return 0;
35626 + return -EPERM;
35627 + }
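Review bot: cap_capable_nolog takes a `tsk` argument and its comment asserts `tsk = current for all callers`, yet the check it adds, `gr_is_capable_nolog(cap)`, takes no task at all, so a future caller passing a task other than `current` would test `tsk`'s capability set against the current task's grsecurity policy. Either drop the parameter or pass `tsk` through to the grsecurity helper so the signature matches the semantics. Separately, the change from `cap_raised(tsk->cap_effective, cap)` to `cap_raised (tsk->cap_effective, cap)` in the existing cap_capable only inserts a space and should be dropped to keep the diff minimal.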
35628 +@@ -162,8 +171,11 @@ void cap_bprm_apply_creds (struct linux_
35629 + }
35630 + }
35631 +
35632 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
35633 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
35634 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
35635 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
35636 ++
35637 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
35638 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
35639 +
35640 + /* For init, we want to retain the capabilities set
35641 + * in the init_task struct. Thus we skip the usual
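Review bot: When `gr_check_user_change()` or `gr_check_group_change()` rejects the transition, the new code simply skips the assignment, so a set-uid/set-gid binary keeps executing with the caller's credentials instead of the exec failing; if that is the intended failure mode it deserves a comment here, since neither this hunk nor the identical one in security/dummy.c gives any hint. The magic `-1` passed as the first argument is also unexplained and would benefit from a named constant or comment.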
35642 +@@ -174,6 +186,8 @@ void cap_bprm_apply_creds (struct linux_
35643 + cap_intersect (new_permitted, bprm->cap_effective);
35644 + }
35645 +
35646 ++ gr_handle_chroot_caps(current);
35647 ++
35648 + /* AUD: Audit candidate if current->cap_effective is set */
35649 +
35650 + current->keep_capabilities = 0;
35651 +@@ -319,12 +333,13 @@ int cap_vm_enough_memory(struct mm_struc
35652 + {
35653 + int cap_sys_admin = 0;
35654 +
35655 +- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
35656 ++ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
35657 + cap_sys_admin = 1;
35658 + return __vm_enough_memory(mm, pages, cap_sys_admin);
35659 + }
35660 +
35661 + EXPORT_SYMBOL(cap_capable);
35662 ++EXPORT_SYMBOL(cap_capable_nolog);
35663 + EXPORT_SYMBOL(cap_settime);
35664 + EXPORT_SYMBOL(cap_ptrace);
35665 + EXPORT_SYMBOL(cap_capget);
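Review bot: `EXPORT_SYMBOL(cap_capable_nolog)` is added here, but none of the visible hunks add a prototype for cap_capable_nolog to the header where cap_capable is declared; make sure the declaration lands in the same patch, otherwise out-of-tree users of the export hit the `-Werror-implicit-function-declaration` flag this tree builds with. Switching cap_vm_enough_memory to the nolog variant is sensible, since presumably every overcommit check would otherwise generate a CAP_SYS_ADMIN denial entry in the grsecurity log.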
35666 +diff -Nurp linux-2.6.23.15/security/dummy.c linux-2.6.23.15-grsec/security/dummy.c
35667 +--- linux-2.6.23.15/security/dummy.c 2007-10-09 21:31:38.000000000 +0100
35668 ++++ linux-2.6.23.15-grsec/security/dummy.c 2008-02-11 10:37:45.000000000 +0000
35669 +@@ -28,6 +28,7 @@
35670 + #include <linux/hugetlb.h>
35671 + #include <linux/ptrace.h>
35672 + #include <linux/file.h>
35673 ++#include <linux/grsecurity.h>
35674 +
35675 + static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
35676 + {
35677 +@@ -138,8 +139,11 @@ static void dummy_bprm_apply_creds (stru
35678 + }
35679 + }
35680 +
35681 +- current->suid = current->euid = current->fsuid = bprm->e_uid;
35682 +- current->sgid = current->egid = current->fsgid = bprm->e_gid;
35683 ++ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
35684 ++ current->suid = current->euid = current->fsuid = bprm->e_uid;
35685 ++
35686 ++ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
35687 ++ current->sgid = current->egid = current->fsgid = bprm->e_gid;
35688 +
35689 + dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
35690 + }
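Review bot: This is a verbatim copy of the uid/gid hunk in security/commoncap.c, so any later fix to the denial semantics has to be applied in two places; a small shared helper, or at least a comment cross-referencing the commoncap.c copy, would keep the two from drifting apart.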
35691 +diff -Nurp linux-2.6.23.15/sound/core/oss/pcm_oss.c linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c
35692 +--- linux-2.6.23.15/sound/core/oss/pcm_oss.c 2007-10-09 21:31:38.000000000 +0100
35693 ++++ linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c 2008-02-11 10:37:45.000000000 +0000
35694 +@@ -2880,8 +2880,8 @@ static void snd_pcm_oss_proc_done(struct
35695 + }
35696 + }
35697 + #else /* !CONFIG_SND_VERBOSE_PROCFS */
35698 +-#define snd_pcm_oss_proc_init(pcm)
35699 +-#define snd_pcm_oss_proc_done(pcm)
35700 ++#define snd_pcm_oss_proc_init(pcm) do {} while (0)
35701 ++#define snd_pcm_oss_proc_done(pcm) do {} while (0)
35702 + #endif /* CONFIG_SND_VERBOSE_PROCFS */
35703 +
35704 + /*
35705 +diff -Nurp linux-2.6.23.15/sound/core/seq/seq_lock.h linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h
35706 +--- linux-2.6.23.15/sound/core/seq/seq_lock.h 2007-10-09 21:31:38.000000000 +0100
35707 ++++ linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h 2008-02-11 10:37:45.000000000 +0000
35708 +@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
35709 + #else /* SMP || CONFIG_SND_DEBUG */
35710 +
35711 + typedef spinlock_t snd_use_lock_t; /* dummy */
35712 +-#define snd_use_lock_init(lockp) /**/
35713 +-#define snd_use_lock_use(lockp) /**/
35714 +-#define snd_use_lock_free(lockp) /**/
35715 +-#define snd_use_lock_sync(lockp) /**/
35716 ++#define snd_use_lock_init(lockp) do {} while (0)
35717 ++#define snd_use_lock_use(lockp) do {} while (0)
35718 ++#define snd_use_lock_free(lockp) do {} while (0)
35719 ++#define snd_use_lock_sync(lockp) do {} while (0)
35720 +
35721 + #endif /* SMP || CONFIG_SND_DEBUG */
35722 +
35723 +diff -Nurp linux-2.6.23.15/sound/pci/ac97/ac97_patch.c linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c
35724 +--- linux-2.6.23.15/sound/pci/ac97/ac97_patch.c 2007-10-09 21:31:38.000000000 +0100
35725 ++++ linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c 2008-02-11 10:37:45.000000000 +0000
35726 +@@ -1415,7 +1415,7 @@ static const struct snd_ac97_res_table a
35727 + { AC97_VIDEO, 0x9f1f },
35728 + { AC97_AUX, 0x9f1f },
35729 + { AC97_PCM, 0x9f1f },
35730 +- { } /* terminator */
35731 ++ { 0, 0 } /* terminator */
35732 + };
35733 +
35734 + static int patch_ad1819(struct snd_ac97 * ac97)
35735 +@@ -3489,7 +3489,7 @@ static struct snd_ac97_res_table lm4550_
35736 + { AC97_AUX, 0x1f1f },
35737 + { AC97_PCM, 0x1f1f },
35738 + { AC97_REC_GAIN, 0x0f0f },
35739 +- { } /* terminator */
35740 ++ { 0, 0 } /* terminator */
35741 + };
35742 +
35743 + static int patch_lm4550(struct snd_ac97 *ac97)
35744 +diff -Nurp linux-2.6.23.15/sound/pci/ens1370.c linux-2.6.23.15-grsec/sound/pci/ens1370.c
35745 +--- linux-2.6.23.15/sound/pci/ens1370.c 2007-10-09 21:31:38.000000000 +0100
35746 ++++ linux-2.6.23.15-grsec/sound/pci/ens1370.c 2008-02-11 10:37:45.000000000 +0000
35747 +@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
35748 + { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
35749 + { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
35750 + #endif
35751 +- { 0, }
35752 ++ { 0, 0, 0, 0, 0, 0, 0 }
35753 + };
35754 +
35755 + MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
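Review bot: Replacing the `{ 0, }` terminator with `{ 0, 0, 0, 0, 0, 0, 0 }` (and likewise in the intel8x0, intel8x0m and ac97_patch hunks) changes nothing at runtime: both forms zero-initialise the whole entry, and the long form only silences `-Wmissing-field-initializers` while tying the literal to the struct's exact field count, so a later struct change produces excess-initializer errors. These unrelated sound-driver edits should be dropped from a security patch or split into their own cleanup patch.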
35756 +diff -Nurp linux-2.6.23.15/sound/pci/intel8x0.c linux-2.6.23.15-grsec/sound/pci/intel8x0.c
35757 +--- linux-2.6.23.15/sound/pci/intel8x0.c 2007-10-09 21:31:38.000000000 +0100
35758 ++++ linux-2.6.23.15-grsec/sound/pci/intel8x0.c 2008-02-11 10:37:45.000000000 +0000
35759 +@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
35760 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
35761 + { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
35762 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
35763 +- { 0, }
35764 ++ { 0, 0, 0, 0, 0, 0, 0 }
35765 + };
35766 +
35767 + MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
35768 +@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
35769 + .type = AC97_TUNE_HP_ONLY
35770 + },
35771 + #endif
35772 +- { } /* terminator */
35773 ++ { 0, 0, 0, 0, NULL, 0 } /* terminator */
35774 + };
35775 +
35776 + static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
35777 +diff -Nurp linux-2.6.23.15/sound/pci/intel8x0m.c linux-2.6.23.15-grsec/sound/pci/intel8x0m.c
35778 +--- linux-2.6.23.15/sound/pci/intel8x0m.c 2007-10-09 21:31:38.000000000 +0100
35779 ++++ linux-2.6.23.15-grsec/sound/pci/intel8x0m.c 2008-02-11 10:37:45.000000000 +0000
35780 +@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
35781 + { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
35782 + { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
35783 + #endif
35784 +- { 0, }
35785 ++ { 0, 0, 0, 0, 0, 0, 0 }
35786 + };
35787 +
35788 + MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
35789 +@@ -1261,7 +1261,7 @@ static struct shortname_table {
35790 + { 0x5455, "ALi M5455" },
35791 + { 0x746d, "AMD AMD8111" },
35792 + #endif
35793 +- { 0 },
35794 ++ { 0, NULL },
35795 + };
35796 +
35797 + static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
35798
35799 Added: hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch
35800 ===================================================================
35801 --- hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch (rev 0)
35802 +++ hardened-sources/2.6/trunk/2.6.23/4425_grsec-2.1.10-mute-warnings.patch 2008-04-30 11:22:14 UTC (rev 90)
35803 @@ -0,0 +1,23 @@
35804 +From: Alexander Gabert <gaberta@××××××××.de>
35805 +
35806 +This patch removes the warnings introduced by grsec patch 2.1.9 and later.
35807 +It removes the -W options added by the patch and restores the original
35808 +warning flags of vanilla kernel versions.
35809 +
35810 +Acked-by: Christian Heim <phreak@g.o>
35811 +
35812 +---
35813 + Makefile | 5 +++--
35814 + 1 file changed, 3 insertions(+), 2 deletions(-)
35815 +
35816 +--- a/Makefile
35817 ++++ b/Makefile
35818 +@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
35819 +
35820 + CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
35821 +
35822 +-CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
35823 ++CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
35824 + -fno-strict-aliasing -fno-common \
35825 + -Werror-implicit-function-declaration
35826 + AFLAGS := -D__ASSEMBLY__
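Review bot: This hunk restores the vanilla CFLAGS line, i.e. it is the exact inverse of the grsec Makefile change, so the only thing keeping it from conflicting is patch ordering (4425 must apply after the grsec patch); a sentence in the patch header stating that dependency would help whoever rebases the series. With `-W` gone, the `{ 0, 0, ... }` terminator rewrites in the sound drivers that appear to exist only to satisfy that flag become dead weight and could be reverted as well.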
35827
35828 Added: hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch
35829 ===================================================================
35830 --- hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch (rev 0)
35831 +++ hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
35832 @@ -0,0 +1,46 @@
35833 +---
35834 + arch/i386/mm/fault.c | 2 ++
35835 + fs/exec.c | 2 ++
35836 + security/Kconfig | 2 +-
35837 + 3 files changed, 5 insertions(+), 1 deletion(-)
35838 +
35839 +--- a/arch/i386/mm/fault.c
35840 ++++ b/arch/i386/mm/fault.c
35841 +@@ -722,10 +722,12 @@ no_context:
35842 + #else
35843 + else if (init_mm.start_code <= address && address < init_mm.end_code)
35844 + #endif
35845 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
35846 + if (tsk->signal->curr_ip)
35847 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
35848 + NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
35849 + else
35850 ++#endif
35851 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
35852 + tsk->comm, tsk->pid, tsk->uid, tsk->euid);
35853 + #endif
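Review bot: The `if (tsk->signal->curr_ip) ... else` pair wrapped in `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` has no braces and sits directly under the unbraced `else if (init_mm.start_code <= address ...)` above it, so the two configurations compile to different statement shapes (an if/else body versus a lone printk) and the code relies on the dangling-else rule to bind correctly; wrap the whole body in braces inside the outer `else if` so both builds read the same. Also, both format strings in this hunk end without `\n`, which is fine only if a following printk supplies the newline.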
35854 +--- a/fs/exec.c
35855 ++++ b/fs/exec.c
35856 +@@ -1733,9 +1733,11 @@ void pax_report_fault(struct pt_regs *re
35857 + }
35858 + up_read(&mm->mmap_sem);
35859 + }
35860 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
35861 + if (tsk->signal->curr_ip)
35862 + printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
35863 + else
35864 ++#endif
35865 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
35866 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
35867 + "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
35868 +--- a/security/Kconfig
35869 ++++ b/security/Kconfig
35870 +@@ -10,7 +10,7 @@ menu "PaX"
35871 +
35872 + config PAX
35873 + bool "Enable various PaX features"
35874 +- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35875 ++ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
35876 + help
35877 + This allows you to enable various PaX features. PaX adds
35878 + intrusion prevention mechanisms to the kernel that reduce
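Review bot: Dropping `GRKERNSEC &&` from the PAX dependency makes PaX selectable without grsecurity, which is exactly why the two hunks above had to guard `tsk->signal->curr_ip` with CONFIG_GRKERNSEC_PROC_IPADDR; please confirm that no other `gr_*` call or grsecurity-only field is reached from PaX code paths when GRKERNSEC is off, since only the two curr_ip sites are fixed here.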
35879
35880 Deleted: hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch
35881 ===================================================================
35882 --- hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-07 12:57:31 UTC (rev 89)
35883 +++ hardened-sources/2.6/trunk/2.6.23/4430_grsec-2.1.11-2.6.23.15-20080210.patch 2008-04-30 11:22:14 UTC (rev 90)
35884 @@ -1,35665 +0,0 @@
35885 -From: Kerin Millar <kerframil@×××××.com>
35886 -
35887 -grsecurity-2.1.11-2.6.23.14-200801231800 forward ported to 2.6.23.15 for
35888 -the Hardened Gentoo project. Thanks to pipacs for some advice concerning
35889 -mmap.c changes.
35890 -
35891 -diff -Nurp linux-2.6.23.15/Documentation/dontdiff linux-2.6.23.15-grsec/Documentation/dontdiff
35892 ---- linux-2.6.23.15/Documentation/dontdiff 2007-10-09 21:31:38.000000000 +0100
35893 -+++ linux-2.6.23.15-grsec/Documentation/dontdiff 2008-02-11 10:37:44.000000000 +0000
35894 -@@ -176,14 +176,18 @@ times.h*
35895 - tkparse
35896 - trix_boot.h
35897 - utsrelease.h*
35898 -+vdso.lds
35899 - version.h*
35900 - vmlinux
35901 - vmlinux-*
35902 - vmlinux.aout
35903 -+vmlinux.bin.all
35904 - vmlinux.lds
35905 -+vmlinux.relocs
35906 - vsyscall.lds
35907 - wanxlfw.inc
35908 - uImage
35909 - unifdef
35910 -+utsrelease.h
35911 - zImage*
35912 - zconf.hash.c
35913 -diff -Nurp linux-2.6.23.15/Makefile linux-2.6.23.15-grsec/Makefile
35914 ---- linux-2.6.23.15/Makefile 2008-02-11 10:36:03.000000000 +0000
35915 -+++ linux-2.6.23.15-grsec/Makefile 2008-02-11 10:37:44.000000000 +0000
35916 -@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
35917 -
35918 - CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
35919 -
35920 --CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
35921 -+CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
35922 - -fno-strict-aliasing -fno-common \
35923 - -Werror-implicit-function-declaration
35924 - AFLAGS := -D__ASSEMBLY__
35925 -@@ -560,7 +560,7 @@ export mod_strip_cmd
35926 -
35927 -
35928 - ifeq ($(KBUILD_EXTMOD),)
35929 --core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
35930 -+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
35931 -
35932 - vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
35933 - $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
35934 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/module.c linux-2.6.23.15-grsec/arch/alpha/kernel/module.c
35935 ---- linux-2.6.23.15/arch/alpha/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
35936 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
35937 -@@ -176,7 +176,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
35938 -
35939 - /* The small sections were sorted to the end of the segment.
35940 - The following should definitely cover them. */
35941 -- gp = (u64)me->module_core + me->core_size - 0x8000;
35942 -+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
35943 - got = sechdrs[me->arch.gotsecindex].sh_addr;
35944 -
35945 - for (i = 0; i < n; i++) {
35946 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/osf_sys.c linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c
35947 ---- linux-2.6.23.15/arch/alpha/kernel/osf_sys.c 2007-10-09 21:31:38.000000000 +0100
35948 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/osf_sys.c 2008-02-11 10:37:44.000000000 +0000
35949 -@@ -1288,6 +1288,10 @@ arch_get_unmapped_area(struct file *filp
35950 - merely specific addresses, but regions of memory -- perhaps
35951 - this feature should be incorporated into all ports? */
35952 -
35953 -+#ifdef CONFIG_PAX_RANDMMAP
35954 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
35955 -+#endif
35956 -+
35957 - if (addr) {
35958 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
35959 - if (addr != (unsigned long) -ENOMEM)
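Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` under `#ifdef CONFIG_PAX_RANDMMAP` has no braces and is separated from the `if (addr) {` it governs by a blank line, so it is easy to miss that the whole address-hint block is conditional, and a statement inserted between the two would silently break the logic; fold the RANDMMAP test into the `if (addr)` condition or put both inside one braced body.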
35960 -@@ -1295,8 +1299,8 @@ arch_get_unmapped_area(struct file *filp
35961 - }
35962 -
35963 - /* Next, try allocating at TASK_UNMAPPED_BASE. */
35964 -- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
35965 -- len, limit);
35966 -+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
35967 -+
35968 - if (addr != (unsigned long) -ENOMEM)
35969 - return addr;
35970 -
35971 -diff -Nurp linux-2.6.23.15/arch/alpha/kernel/ptrace.c linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c
35972 ---- linux-2.6.23.15/arch/alpha/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
35973 -+++ linux-2.6.23.15-grsec/arch/alpha/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
35974 -@@ -15,6 +15,7 @@
35975 - #include <linux/slab.h>
35976 - #include <linux/security.h>
35977 - #include <linux/signal.h>
35978 -+#include <linux/grsecurity.h>
35979 -
35980 - #include <asm/uaccess.h>
35981 - #include <asm/pgtable.h>
35982 -@@ -283,6 +284,11 @@ do_sys_ptrace(long request, long pid, lo
35983 - goto out_notsk;
35984 - }
35985 -
35986 -+ if (gr_handle_ptrace(child, request)) {
35987 -+ ret = -EPERM;
35988 -+ goto out;
35989 -+ }
35990 -+
35991 - if (request == PTRACE_ATTACH) {
35992 - ret = ptrace_attach(child);
35993 - goto out;
35994 -diff -Nurp linux-2.6.23.15/arch/alpha/mm/fault.c linux-2.6.23.15-grsec/arch/alpha/mm/fault.c
35995 ---- linux-2.6.23.15/arch/alpha/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
35996 -+++ linux-2.6.23.15-grsec/arch/alpha/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
35997 -@@ -23,6 +23,7 @@
35998 - #include <linux/smp.h>
35999 - #include <linux/interrupt.h>
36000 - #include <linux/module.h>
36001 -+#include <linux/binfmts.h>
36002 -
36003 - #include <asm/system.h>
36004 - #include <asm/uaccess.h>
36005 -@@ -54,6 +55,124 @@ __load_new_mm_context(struct mm_struct *
36006 - __reload_thread(pcb);
36007 - }
36008 -
36009 -+#ifdef CONFIG_PAX_PAGEEXEC
36010 -+/*
36011 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
36012 -+ *
36013 -+ * returns 1 when task should be killed
36014 -+ * 2 when patched PLT trampoline was detected
36015 -+ * 3 when unpatched PLT trampoline was detected
36016 -+ */
36017 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
36018 -+{
36019 -+
36020 -+#ifdef CONFIG_PAX_EMUPLT
36021 -+ int err;
36022 -+
36023 -+ do { /* PaX: patched PLT emulation #1 */
36024 -+ unsigned int ldah, ldq, jmp;
36025 -+
36026 -+ err = get_user(ldah, (unsigned int *)regs->pc);
36027 -+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
36028 -+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
36029 -+
36030 -+ if (err)
36031 -+ break;
36032 -+
36033 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
36034 -+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
36035 -+ jmp == 0x6BFB0000U)
36036 -+ {
36037 -+ unsigned long r27, addr;
36038 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
36039 -+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
36040 -+
36041 -+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
36042 -+ err = get_user(r27, (unsigned long *)addr);
36043 -+ if (err)
36044 -+ break;
36045 -+
36046 -+ regs->r27 = r27;
36047 -+ regs->pc = r27;
36048 -+ return 2;
36049 -+ }
36050 -+ } while (0);
36051 -+
36052 -+ do { /* PaX: patched PLT emulation #2 */
36053 -+ unsigned int ldah, lda, br;
36054 -+
36055 -+ err = get_user(ldah, (unsigned int *)regs->pc);
36056 -+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
36057 -+ err |= get_user(br, (unsigned int *)(regs->pc+8));
36058 -+
36059 -+ if (err)
36060 -+ break;
36061 -+
36062 -+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
36063 -+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
36064 -+ (br & 0xFFE00000U) == 0xC3E00000U)
36065 -+ {
36066 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
36067 -+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
36068 -+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
36069 -+
36070 -+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
36071 -+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
36072 -+ return 2;
36073 -+ }
36074 -+ } while (0);
36075 -+
36076 -+ do { /* PaX: unpatched PLT emulation */
36077 -+ unsigned int br;
36078 -+
36079 -+ err = get_user(br, (unsigned int *)regs->pc);
36080 -+
36081 -+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
36082 -+ unsigned int br2, ldq, nop, jmp;
36083 -+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
36084 -+
36085 -+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
36086 -+ err = get_user(br2, (unsigned int *)addr);
36087 -+ err |= get_user(ldq, (unsigned int *)(addr+4));
36088 -+ err |= get_user(nop, (unsigned int *)(addr+8));
36089 -+ err |= get_user(jmp, (unsigned int *)(addr+12));
36090 -+ err |= get_user(resolver, (unsigned long *)(addr+16));
36091 -+
36092 -+ if (err)
36093 -+ break;
36094 -+
36095 -+ if (br2 == 0xC3600000U &&
36096 -+ ldq == 0xA77B000CU &&
36097 -+ nop == 0x47FF041FU &&
36098 -+ jmp == 0x6B7B0000U)
36099 -+ {
36100 -+ regs->r28 = regs->pc+4;
36101 -+ regs->r27 = addr+16;
36102 -+ regs->pc = resolver;
36103 -+ return 3;
36104 -+ }
36105 -+ }
36106 -+ } while (0);
36107 -+#endif
36108 -+
36109 -+ return 1;
36110 -+}
36111 -+
36112 -+void pax_report_insns(void *pc, void *sp)
36113 -+{
36114 -+ unsigned long i;
36115 -+
36116 -+ printk(KERN_ERR "PAX: bytes at PC: ");
36117 -+ for (i = 0; i < 5; i++) {
36118 -+ unsigned int c;
36119 -+ if (get_user(c, (unsigned int *)pc+i))
36120 -+ printk("???????? ");
36121 -+ else
36122 -+ printk("%08x ", c);
36123 -+ }
36124 -+ printk("\n");
36125 -+}
36126 -+#endif
36127 -
36128 - /*
36129 - * This routine handles page faults. It determines the address,
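Review bot: the three PLT emulation blocks rewrite regs->pc and regs->r27 from values fetched out of user memory after matching only the instruction words, with no check that the new target lies in a mapped executable region; that is acceptable because a bad target simply faults again on the next fetch and then hits the kill path, but a comment saying so would stop a reader from reporting the missing range check as a bug. In pax_report_insns() the `(unsigned int *)pc+i` arithmetic steps 4 bytes per iteration, which matches the `%08x` word dump; `((unsigned int *)pc) + i` reads more clearly.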
36130 -@@ -131,8 +250,29 @@ do_page_fault(unsigned long address, uns
36131 - good_area:
36132 - si_code = SEGV_ACCERR;
36133 - if (cause < 0) {
36134 -- if (!(vma->vm_flags & VM_EXEC))
36135 -+ if (!(vma->vm_flags & VM_EXEC)) {
36136 -+
36137 -+#ifdef CONFIG_PAX_PAGEEXEC
36138 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
36139 -+ goto bad_area;
36140 -+
36141 -+ up_read(&mm->mmap_sem);
36142 -+ switch (pax_handle_fetch_fault(regs)) {
36143 -+
36144 -+#ifdef CONFIG_PAX_EMUPLT
36145 -+ case 2:
36146 -+ case 3:
36147 -+ return;
36148 -+#endif
36149 -+
36150 -+ }
36151 -+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
36152 -+ do_exit(SIGKILL);
36153 -+#else
36154 - goto bad_area;
36155 -+#endif
36156 -+
36157 -+ }
36158 - } else if (!cause) {
36159 - /* Allow reads even for write-only mappings */
36160 - if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
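Review bot: in the CONFIG_PAX_PAGEEXEC branch mmap_sem is dropped with up_read() before pax_handle_fetch_fault() is called, but the `goto bad_area` two lines earlier jumps with the lock still held, so bad_area must be the label that releases it (the avr32 hunk below shows that convention with `up_read(&mm->mmap_sem)` right after bad_area). Add a comment at the up_read() that the lock is released here because the emulation reads user memory with get_user(). The switch would also read better with an explicit `default: break;` so that falling through to pax_report_fault() and do_exit(SIGKILL) for return value 1 is visibly intended.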
36161 -diff -Nurp linux-2.6.23.15/arch/arm/mm/mmap.c linux-2.6.23.15-grsec/arch/arm/mm/mmap.c
36162 ---- linux-2.6.23.15/arch/arm/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
36163 -+++ linux-2.6.23.15-grsec/arch/arm/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
36164 -@@ -60,6 +60,10 @@ arch_get_unmapped_area(struct file *filp
36165 - if (len > TASK_SIZE)
36166 - return -ENOMEM;
36167 -
36168 -+#ifdef CONFIG_PAX_RANDMMAP
36169 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
36170 -+#endif
36171 -+
36172 - if (addr) {
36173 - if (do_align)
36174 - addr = COLOUR_ALIGN(addr, pgoff);
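Review bot: the `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` inserted under CONFIG_PAX_RANDMMAP has no braces and governs the entire `if (addr) { ... }` block only because that block happens to be the next statement; the blank line between them makes this easy to misread, and any later insertion between the two silently changes what is conditional. Brace the hint-handling block or add a comment stating the intent: with RANDMMAP active the caller's address hint is ignored for file-backed mappings so library load addresses stay randomized, while anonymous mappings still honour it.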
36175 -@@ -72,10 +76,10 @@ arch_get_unmapped_area(struct file *filp
36176 - return addr;
36177 - }
36178 - if (len > mm->cached_hole_size) {
36179 -- start_addr = addr = mm->free_area_cache;
36180 -+ start_addr = addr = mm->free_area_cache;
36181 - } else {
36182 -- start_addr = addr = TASK_UNMAPPED_BASE;
36183 -- mm->cached_hole_size = 0;
36184 -+ start_addr = addr = mm->mmap_base;
36185 -+ mm->cached_hole_size = 0;
36186 - }
36187 -
36188 - full_search:
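Review bot: the first changed line in this hunk (`start_addr = addr = mm->free_area_cache;`) differs from the removed one only in whitespace and adds noise to a security patch; drop it. The substantive change, starting the search at mm->mmap_base instead of the fixed TASK_UNMAPPED_BASE, is what lets a randomized base take effect, and the `cached_hole_size` reset next to it has to stay in step with the restart condition in the following hunk.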
36189 -@@ -91,8 +95,8 @@ full_search:
36190 - * Start a new search - just in case we missed
36191 - * some holes.
36192 - */
36193 -- if (start_addr != TASK_UNMAPPED_BASE) {
36194 -- start_addr = addr = TASK_UNMAPPED_BASE;
36195 -+ if (start_addr != mm->mmap_base) {
36196 -+ start_addr = addr = mm->mmap_base;
36197 - mm->cached_hole_size = 0;
36198 - goto full_search;
36199 - }
36200 -diff -Nurp linux-2.6.23.15/arch/avr32/mm/fault.c linux-2.6.23.15-grsec/arch/avr32/mm/fault.c
36201 ---- linux-2.6.23.15/arch/avr32/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
36202 -+++ linux-2.6.23.15-grsec/arch/avr32/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
36203 -@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
36204 -
36205 - int exception_trace = 1;
36206 -
36207 -+#ifdef CONFIG_PAX_PAGEEXEC
36208 -+void pax_report_insns(void *pc, void *sp)
36209 -+{
36210 -+ unsigned long i;
36211 -+
36212 -+ printk(KERN_ERR "PAX: bytes at PC: ");
36213 -+ for (i = 0; i < 20; i++) {
36214 -+ unsigned char c;
36215 -+ if (get_user(c, (unsigned char *)pc+i))
36216 -+ printk("???????? ");
36217 -+ else
36218 -+ printk("%02x ", c);
36219 -+ }
36220 -+ printk("\n");
36221 -+}
36222 -+#endif
36223 -+
36224 - /*
36225 - * This routine handles page faults. It determines the address and the
36226 - * problem, and then passes it off to one of the appropriate routines.
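Review bot: this pax_report_insns() dumps bytes with `%02x` but prints the eight-character placeholder `????????` when get_user() fails, so one unreadable byte misaligns the rest of the dump; use `?? ` to match the width (the alpha version prints 32-bit words with `%08x`, where eight characters is correct).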
36227 -@@ -157,6 +174,16 @@ bad_area:
36228 - up_read(&mm->mmap_sem);
36229 -
36230 - if (user_mode(regs)) {
36231 -+
36232 -+#ifdef CONFIG_PAX_PAGEEXEC
36233 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
36234 -+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
36235 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
36236 -+ do_exit(SIGKILL);
36237 -+ }
36238 -+ }
36239 -+#endif
36240 -+
36241 - if (exception_trace && printk_ratelimit())
36242 - printk("%s%s[%d]: segfault at %08lx pc %08lx "
36243 - "sp %08lx ecr %lu\n",
36244 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig linux-2.6.23.15-grsec/arch/i386/Kconfig
36245 ---- linux-2.6.23.15/arch/i386/Kconfig 2007-10-09 21:31:38.000000000 +0100
36246 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig 2008-02-11 10:37:44.000000000 +0000
36247 -@@ -592,7 +592,7 @@ config PAGE_OFFSET
36248 - hex
36249 - default 0xB0000000 if VMSPLIT_3G_OPT
36250 - default 0x80000000 if VMSPLIT_2G
36251 -- default 0x78000000 if VMSPLIT_2G_OPT
36252 -+ default 0x70000000 if VMSPLIT_2G_OPT
36253 - default 0x40000000 if VMSPLIT_1G
36254 - default 0xC0000000
36255 -
36256 -@@ -831,7 +831,7 @@ config CRASH_DUMP
36257 - config PHYSICAL_START
36258 - hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
36259 - default "0x1000000" if X86_NUMAQ
36260 -- default "0x100000"
36261 -+ default "0x200000"
36262 - help
36263 - This gives the physical address where the kernel is loaded.
36264 -
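Review bot: the PHYSICAL_START default moves from 0x100000 to 0x200000 with no explanation in the hunk or in the help text; the new value is 2 MB aligned, which suggests an alignment requirement of the KERNEXEC text mapping, but that rationale, and the fact that boot setups assuming a 1 MB load address are affected, belongs in the help text.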
36265 -@@ -916,7 +916,7 @@ config HOTPLUG_CPU
36266 -
36267 - config COMPAT_VDSO
36268 - bool "Compat VDSO support"
36269 -- default y
36270 -+ default n
36271 - help
36272 - Map the VDSO to the predictable old-style address too.
36273 - ---help---
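Review bot: flipping COMPAT_VDSO to `default n` is the right hardened default, since mapping the vDSO at a fixed, predictable address undoes the randomization of that page, but the help text is untouched and still only describes what `y` does; add a sentence explaining why `n` is preferred and that only old glibc versions that depend on the fixed address need `y`.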
36274 -@@ -1092,7 +1092,7 @@ config PCI
36275 - choice
36276 - prompt "PCI access mode"
36277 - depends on PCI && !X86_VISWS
36278 -- default PCI_GOANY
36279 -+ default PCI_GODIRECT
36280 - ---help---
36281 - On PCI systems, the BIOS can be used to detect the PCI devices and
36282 - determine their configuration. However, some old PCI motherboards
36283 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.cpu linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu
36284 ---- linux-2.6.23.15/arch/i386/Kconfig.cpu 2007-10-09 21:31:38.000000000 +0100
36285 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig.cpu 2008-02-11 10:37:44.000000000 +0000
36286 -@@ -274,7 +274,7 @@ config X86_PPRO_FENCE
36287 -
36288 - config X86_F00F_BUG
36289 - bool
36290 -- depends on M586MMX || M586TSC || M586 || M486 || M386
36291 -+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
36292 - default y
36293 -
36294 - config X86_WP_WORKS_OK
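Review bot: making X86_F00F_BUG depend on `!PAX_KERNEXEC` silently drops the F00F lockup workaround from any KERNEXEC kernel built for an original Pentium; nothing in this hunk tells the user that, so the PAX_KERNEXEC help text should spell out the trade-off and why the two cannot coexist.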
36295 -@@ -299,7 +299,7 @@ config X86_POPAD_OK
36296 -
36297 - config X86_ALIGNMENT_16
36298 - bool
36299 -- depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
36300 -+ depends on MWINCHIP3D || MWINCHIP2 || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
36301 - default y
36302 -
36303 - config X86_GOOD_APIC
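Review bot: the X86_ALIGNMENT_16 dependency list grows by MK8, MK7, MPENTIUM4, MPENTIUMIII, MPENTIUMII and M686, which changes alignment for most modern CPU selections and has nothing visible to do with hardening; a one-line justification belongs in the patch description, or the change should be split out.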
36304 -diff -Nurp linux-2.6.23.15/arch/i386/Kconfig.debug linux-2.6.23.15-grsec/arch/i386/Kconfig.debug
36305 ---- linux-2.6.23.15/arch/i386/Kconfig.debug 2007-10-09 21:31:38.000000000 +0100
36306 -+++ linux-2.6.23.15-grsec/arch/i386/Kconfig.debug 2008-02-11 10:37:44.000000000 +0000
36307 -@@ -46,16 +46,6 @@ config DEBUG_PAGEALLOC
36308 - This results in a large slowdown, but helps to find certain types
36309 - of memory corruptions.
36310 -
36311 --config DEBUG_RODATA
36312 -- bool "Write protect kernel read-only data structures"
36313 -- depends on DEBUG_KERNEL
36314 -- help
36315 -- Mark the kernel read-only data as write-protected in the pagetables,
36316 -- in order to catch accidental (and incorrect) writes to such const
36317 -- data. This option may have a slight performance impact because a
36318 -- portion of the kernel code won't be covered by a 2MB TLB anymore.
36319 -- If in doubt, say "N".
36320 --
36321 - config 4KSTACKS
36322 - bool "Use 4Kb for kernel stacks instead of 8Kb"
36323 - depends on DEBUG_KERNEL
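Review bot: DEBUG_RODATA is deleted outright instead of being made `depends on !PAX_KERNEXEC`; existing .config files that set it lose the option without any warning, and the hunk does not say that KERNEXEC write-protects kernel data itself. A dependency plus a help-text note would make the relationship explicit.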
36324 -diff -Nurp linux-2.6.23.15/arch/i386/boot/bitops.h linux-2.6.23.15-grsec/arch/i386/boot/bitops.h
36325 ---- linux-2.6.23.15/arch/i386/boot/bitops.h 2007-10-09 21:31:38.000000000 +0100
36326 -+++ linux-2.6.23.15-grsec/arch/i386/boot/bitops.h 2008-02-11 10:37:44.000000000 +0000
36327 -@@ -28,7 +28,7 @@ static inline int variable_test_bit(int
36328 - u8 v;
36329 - const u32 *p = (const u32 *)addr;
36330 -
36331 -- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
36332 -+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
36333 - return v;
36334 - }
36335 -
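Review bot: `asm volatile` on variable_test_bit() is not needed: the statement has an output and a memory input, so GCC keeps it wherever the result is used, and volatile only prevents merging an identical read. set_bit() is already kept by its `+m` operand. The volatile additions that matter are those on inline asm whose effect no operand captures (cpuid, rdmsr/wrmsr and the BIOS int calls later in this patch); either restrict the change to those or say in the description that it was applied blanket-style.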
36336 -@@ -39,7 +39,7 @@ static inline int variable_test_bit(int
36337 -
36338 - static inline void set_bit(int nr, void *addr)
36339 - {
36340 -- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
36341 -+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
36342 - }
36343 -
36344 - #endif /* BOOT_BITOPS_H */
36345 -diff -Nurp linux-2.6.23.15/arch/i386/boot/boot.h linux-2.6.23.15-grsec/arch/i386/boot/boot.h
36346 ---- linux-2.6.23.15/arch/i386/boot/boot.h 2008-02-11 10:36:03.000000000 +0000
36347 -+++ linux-2.6.23.15-grsec/arch/i386/boot/boot.h 2008-02-11 10:37:44.000000000 +0000
36348 -@@ -78,7 +78,7 @@ static inline void io_delay(void)
36349 - static inline u16 ds(void)
36350 - {
36351 - u16 seg;
36352 -- asm("movw %%ds,%0" : "=rm" (seg));
36353 -+ asm volatile("movw %%ds,%0" : "=rm" (seg));
36354 - return seg;
36355 - }
36356 -
36357 -@@ -174,7 +174,7 @@ static inline void wrgs32(u32 v, addr_t
36358 - static inline int memcmp(const void *s1, const void *s2, size_t len)
36359 - {
36360 - u8 diff;
36361 -- asm("repe; cmpsb; setnz %0"
36362 -+ asm volatile("repe; cmpsb; setnz %0"
36363 - : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
36364 - return diff;
36365 - }
36366 -diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/head.S linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S
36367 ---- linux-2.6.23.15/arch/i386/boot/compressed/head.S 2007-10-09 21:31:38.000000000 +0100
36368 -+++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/head.S 2008-02-11 10:37:44.000000000 +0000
36369 -@@ -159,9 +159,8 @@ relocated:
36370 - */
36371 -
36372 - 1: subl $4, %edi
36373 -- movl 0(%edi), %ecx
36374 -- testl %ecx, %ecx
36375 -- jz 2f
36376 -+ movl (%edi), %ecx
36377 -+ jecxz 2f
36378 - addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
36379 - jmp 1b
36380 - 2:
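Review bot: replacing `testl/jz` with `jecxz 2f` is fine here because label 2 is a few bytes away, but jecxz only has an 8-bit displacement, so any later growth of the loop body past 127 bytes turns this into an assembler error; a comment at the `jecxz` would save the next editor a surprise.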
36381 -diff -Nurp linux-2.6.23.15/arch/i386/boot/compressed/relocs.c linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c
36382 ---- linux-2.6.23.15/arch/i386/boot/compressed/relocs.c 2007-10-09 21:31:38.000000000 +0100
36383 -+++ linux-2.6.23.15-grsec/arch/i386/boot/compressed/relocs.c 2008-02-11 10:37:44.000000000 +0000
36384 -@@ -10,9 +10,13 @@
36385 - #define USE_BSD
36386 - #include <endian.h>
36387 -
36388 -+#include "../../../../include/linux/autoconf.h"
36389 -+
36390 -+#define MAX_PHDRS 100
36391 - #define MAX_SHDRS 100
36392 - #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
36393 - static Elf32_Ehdr ehdr;
36394 -+static Elf32_Phdr phdr[MAX_PHDRS];
36395 - static Elf32_Shdr shdr[MAX_SHDRS];
36396 - static Elf32_Sym *symtab[MAX_SHDRS];
36397 - static Elf32_Rel *reltab[MAX_SHDRS];
36398 -@@ -246,6 +250,34 @@ static void read_ehdr(FILE *fp)
36399 - }
36400 - }
36401 -
36402 -+static void read_phdrs(FILE *fp)
36403 -+{
36404 -+ int i;
36405 -+ if (ehdr.e_phnum > MAX_PHDRS) {
36406 -+ die("%d program headers supported: %d\n",
36407 -+ ehdr.e_phnum, MAX_PHDRS);
36408 -+ }
36409 -+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
36410 -+ die("Seek to %d failed: %s\n",
36411 -+ ehdr.e_phoff, strerror(errno));
36412 -+ }
36413 -+ if (fread(&phdr, sizeof(phdr[0]), ehdr.e_phnum, fp) != ehdr.e_phnum) {
36414 -+ die("Cannot read ELF program headers: %s\n",
36415 -+ strerror(errno));
36416 -+ }
36417 -+ for(i = 0; i < ehdr.e_phnum; i++) {
36418 -+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
36419 -+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
36420 -+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
36421 -+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
36422 -+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
36423 -+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
36424 -+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
36425 -+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
36426 -+ }
36427 -+
36428 -+}
36429 -+
36430 - static void read_shdrs(FILE *fp)
36431 - {
36432 - int i;
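Review bot: the die() message in read_phdrs() prints the actual count first and the limit second (`"%d program headers supported: %d"`), which reads backwards; reword it to `"%d program headers, only %d supported"`. Also `fread(&phdr, ...)` works only because `&phdr` and `phdr` have the same address for an array; pass `phdr` for consistency with the element-size argument `sizeof(phdr[0])`.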
36433 -@@ -332,6 +364,8 @@ static void read_symtabs(FILE *fp)
36434 - static void read_relocs(FILE *fp)
36435 - {
36436 - int i,j;
36437 -+ uint32_t base;
36438 -+
36439 - for(i = 0; i < ehdr.e_shnum; i++) {
36440 - if (shdr[i].sh_type != SHT_REL) {
36441 - continue;
36442 -@@ -349,8 +383,17 @@ static void read_relocs(FILE *fp)
36443 - die("Cannot read symbol table: %s\n",
36444 - strerror(errno));
36445 - }
36446 -+ base = 0;
36447 -+ for (j = 0; j < ehdr.e_phnum; j++) {
36448 -+ if (phdr[j].p_type != PT_LOAD )
36449 -+ continue;
36450 -+ if (shdr[shdr[i].sh_info].sh_offset < phdr[j].p_offset || shdr[shdr[i].sh_info].sh_offset > phdr[j].p_offset + phdr[j].p_filesz)
36451 -+ continue;
36452 -+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
36453 -+ break;
36454 -+ }
36455 - for(j = 0; j < shdr[i].sh_size/sizeof(reltab[0][0]); j++) {
36456 -- reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset);
36457 -+ reltab[i][j].r_offset = elf32_to_cpu(reltab[i][j].r_offset) + base;
36458 - reltab[i][j].r_info = elf32_to_cpu(reltab[i][j].r_info);
36459 - }
36460 - }
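Review bot: the PT_LOAD containment test in read_relocs() uses `sh_offset > p_offset + p_filesz`, so a section that starts exactly at the end of a segment is treated as inside it and picks up that segment's base; use `>=`, and note that only the section start is tested, not its size. A comment explaining why r_offset is rebased by `CONFIG_PAGE_OFFSET + p_paddr - p_vaddr` would make the hunk self-explanatory, especially since the host tool now depends on the target's autoconf.h for that value.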
36461 -@@ -487,6 +530,27 @@ static void walk_relocs(void (*visit)(El
36462 - if (sym->st_shndx == SHN_ABS) {
36463 - continue;
36464 - }
36465 -+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
36466 -+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strncmp(sym_name(sym_strtab, sym), "__per_cpu_", 10)) {
36467 -+ continue;
36468 -+ }
36469 -+#ifdef CONFIG_PAX_KERNEXEC
36470 -+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
36471 -+ if (!strcmp(sec_name(sym->st_shndx), ".init.text")) {
36472 -+ continue;
36473 -+ }
36474 -+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text")) {
36475 -+ continue;
36476 -+ }
36477 -+ if (!strcmp(sec_name(sym->st_shndx), ".text.head"))
36478 -+ if (strcmp(sym_name(sym_strtab, sym), "__init_end") &&
36479 -+ strcmp(sym_name(sym_strtab, sym), "KERNEL_TEXT_OFFSET")) {
36480 -+ continue;
36481 -+ }
36482 -+ if (!strcmp(sec_name(sym->st_shndx), ".text")) {
36483 -+ continue;
36484 -+ }
36485 -+#endif
36486 - if (r_type == R_386_PC32) {
36487 - /* PC relative relocations don't need to be adjusted */
36488 - }
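Review bot: the `.text.head` check nests an unbraced outer `if` around a braced inner `if` whose `continue` applies to the enclosing loop; it is correct but easy to misread. Fold it into one condition (`!strcmp(... ".text.head") && strcmp(..., "__init_end") && strcmp(..., "KERNEL_TEXT_OFFSET")`) or brace the outer `if`. The comment above the `.init.text` check explains that code is relocated implicitly by the base of KERNEL_CS; extend it to say why `__init_end` and `KERNEL_TEXT_OFFSET` are the two symbols that still need relocating.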
36489 -@@ -614,6 +678,7 @@ int main(int argc, char **argv)
36490 - fname, strerror(errno));
36491 - }
36492 - read_ehdr(fp);
36493 -+ read_phdrs(fp);
36494 - read_shdrs(fp);
36495 - read_strtabs(fp);
36496 - read_symtabs(fp);
36497 -diff -Nurp linux-2.6.23.15/arch/i386/boot/cpucheck.c linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c
36498 ---- linux-2.6.23.15/arch/i386/boot/cpucheck.c 2007-10-09 21:31:38.000000000 +0100
36499 -+++ linux-2.6.23.15-grsec/arch/i386/boot/cpucheck.c 2008-02-11 10:37:44.000000000 +0000
36500 -@@ -90,7 +90,7 @@ static int has_fpu(void)
36501 - u16 fcw = -1, fsw = -1;
36502 - u32 cr0;
36503 -
36504 -- asm("movl %%cr0,%0" : "=r" (cr0));
36505 -+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
36506 - if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
36507 - cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
36508 - asm volatile("movl %0,%%cr0" : : "r" (cr0));
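Review bot: the `asm volatile` on the `movl %%cr0,%0` read is the one in this file that changes behaviour: the following asm volatile writes cr0 and no operand links the two statements, so without volatile a second non-volatile read with identical operands could be merged with this one or moved relative to the write. A one-line comment at the read would make that explicit, since the other volatile additions in this file are less obviously needed.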
36509 -@@ -106,7 +106,7 @@ static int has_eflag(u32 mask)
36510 - {
36511 - u32 f0, f1;
36512 -
36513 -- asm("pushfl ; "
36514 -+ asm volatile("pushfl ; "
36515 - "pushfl ; "
36516 - "popl %0 ; "
36517 - "movl %0,%1 ; "
36518 -@@ -131,7 +131,7 @@ static void get_flags(void)
36519 - set_bit(X86_FEATURE_FPU, cpu.flags);
36520 -
36521 - if (has_eflag(X86_EFLAGS_ID)) {
36522 -- asm("cpuid"
36523 -+ asm volatile("cpuid"
36524 - : "=a" (max_intel_level),
36525 - "=b" (cpu_vendor[0]),
36526 - "=d" (cpu_vendor[1]),
36527 -@@ -140,7 +140,7 @@ static void get_flags(void)
36528 -
36529 - if (max_intel_level >= 0x00000001 &&
36530 - max_intel_level <= 0x0000ffff) {
36531 -- asm("cpuid"
36532 -+ asm volatile("cpuid"
36533 - : "=a" (tfms),
36534 - "=c" (cpu.flags[4]),
36535 - "=d" (cpu.flags[0])
36536 -@@ -152,7 +152,7 @@ static void get_flags(void)
36537 - cpu.model += ((tfms >> 16) & 0xf) << 4;
36538 - }
36539 -
36540 -- asm("cpuid"
36541 -+ asm volatile("cpuid"
36542 - : "=a" (max_amd_level)
36543 - : "a" (0x80000000)
36544 - : "ebx", "ecx", "edx");
36545 -@@ -160,7 +160,7 @@ static void get_flags(void)
36546 - if (max_amd_level >= 0x80000001 &&
36547 - max_amd_level <= 0x8000ffff) {
36548 - u32 eax = 0x80000001;
36549 -- asm("cpuid"
36550 -+ asm volatile("cpuid"
36551 - : "+a" (eax),
36552 - "=c" (cpu.flags[6]),
36553 - "=d" (cpu.flags[1])
36554 -@@ -219,9 +219,9 @@ int check_cpu(int *cpu_level_ptr, int *r
36555 - u32 ecx = MSR_K7_HWCR;
36556 - u32 eax, edx;
36557 -
36558 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36559 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36560 - eax &= ~(1 << 15);
36561 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36562 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36563 -
36564 - get_flags(); /* Make sure it really did something */
36565 - err = check_flags();
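Review bot: the two `wrmsr` statements in this hunk have no output operands and are therefore already implicitly volatile under GCC; adding the keyword is harmless but changes nothing. The only line where it matters is the `rdmsr` read, whose result could otherwise be merged with the identical `rdmsr` in the neighbouring hunks; a comment that the read must not be merged across the `wrmsr` would state the intent.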
36566 -@@ -234,9 +234,9 @@ int check_cpu(int *cpu_level_ptr, int *r
36567 - u32 ecx = MSR_VIA_FCR;
36568 - u32 eax, edx;
36569 -
36570 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36571 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36572 - eax |= (1<<1)|(1<<7);
36573 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36574 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36575 -
36576 - set_bit(X86_FEATURE_CX8, cpu.flags);
36577 - err = check_flags();
36578 -@@ -247,12 +247,12 @@ int check_cpu(int *cpu_level_ptr, int *r
36579 - u32 eax, edx;
36580 - u32 level = 1;
36581 -
36582 -- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36583 -- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
36584 -- asm("cpuid"
36585 -+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
36586 -+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
36587 -+ asm volatile("cpuid"
36588 - : "+a" (level), "=d" (cpu.flags[0])
36589 - : : "ecx", "ebx");
36590 -- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36591 -+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
36592 -
36593 - err = check_flags();
36594 - }
36595 -diff -Nurp linux-2.6.23.15/arch/i386/boot/edd.c linux-2.6.23.15-grsec/arch/i386/boot/edd.c
36596 ---- linux-2.6.23.15/arch/i386/boot/edd.c 2007-10-09 21:31:38.000000000 +0100
36597 -+++ linux-2.6.23.15-grsec/arch/i386/boot/edd.c 2008-02-11 10:37:44.000000000 +0000
36598 -@@ -78,7 +78,7 @@ static int get_edd_info(u8 devno, struct
36599 - ax = 0x4100;
36600 - bx = EDDMAGIC1;
36601 - dx = devno;
36602 -- asm("pushfl; stc; int $0x13; setc %%al; popfl"
36603 -+ asm volatile("pushfl; stc; int $0x13; setc %%al; popfl"
36604 - : "+a" (ax), "+b" (bx), "=c" (cx), "+d" (dx)
36605 - : : "esi", "edi");
36606 -
36607 -@@ -97,7 +97,7 @@ static int get_edd_info(u8 devno, struct
36608 - ei->params.length = sizeof(ei->params);
36609 - ax = 0x4800;
36610 - dx = devno;
36611 -- asm("pushfl; int $0x13; popfl"
36612 -+ asm volatile("pushfl; int $0x13; popfl"
36613 - : "+a" (ax), "+d" (dx), "=m" (ei->params)
36614 - : "S" (&ei->params)
36615 - : "ebx", "ecx", "edi");
36616 -@@ -108,7 +108,7 @@ static int get_edd_info(u8 devno, struct
36617 - ax = 0x0800;
36618 - dx = devno;
36619 - di = 0;
36620 -- asm("pushw %%es; "
36621 -+ asm volatile("pushw %%es; "
36622 - "movw %%di,%%es; "
36623 - "pushfl; stc; int $0x13; setc %%al; popfl; "
36624 - "popw %%es"
36625 -diff -Nurp linux-2.6.23.15/arch/i386/boot/main.c linux-2.6.23.15-grsec/arch/i386/boot/main.c
36626 ---- linux-2.6.23.15/arch/i386/boot/main.c 2007-10-09 21:31:38.000000000 +0100
36627 -+++ linux-2.6.23.15-grsec/arch/i386/boot/main.c 2008-02-11 10:37:44.000000000 +0000
36628 -@@ -77,7 +77,7 @@ static void keyboard_set_repeat(void)
36629 - */
36630 - static void query_ist(void)
36631 - {
36632 -- asm("int $0x15"
36633 -+ asm volatile("int $0x15"
36634 - : "=a" (boot_params.ist_info.signature),
36635 - "=b" (boot_params.ist_info.command),
36636 - "=c" (boot_params.ist_info.event),
36637 -diff -Nurp linux-2.6.23.15/arch/i386/boot/mca.c linux-2.6.23.15-grsec/arch/i386/boot/mca.c
36638 ---- linux-2.6.23.15/arch/i386/boot/mca.c 2007-10-09 21:31:38.000000000 +0100
36639 -+++ linux-2.6.23.15-grsec/arch/i386/boot/mca.c 2008-02-11 10:37:44.000000000 +0000
36640 -@@ -21,7 +21,7 @@ int query_mca(void)
36641 - u8 err;
36642 - u16 es, bx, len;
36643 -
36644 -- asm("pushw %%es ; "
36645 -+ asm volatile("pushw %%es ; "
36646 - "int $0x15 ; "
36647 - "setc %0 ; "
36648 - "movw %%es, %1 ; "
36649 -diff -Nurp linux-2.6.23.15/arch/i386/boot/memory.c linux-2.6.23.15-grsec/arch/i386/boot/memory.c
36650 ---- linux-2.6.23.15/arch/i386/boot/memory.c 2007-10-09 21:31:38.000000000 +0100
36651 -+++ linux-2.6.23.15-grsec/arch/i386/boot/memory.c 2008-02-11 10:37:44.000000000 +0000
36652 -@@ -32,7 +32,7 @@ static int detect_memory_e820(void)
36653 - /* Important: %edx is clobbered by some BIOSes,
36654 - so it must be either used for the error output
36655 - or explicitly marked clobbered. */
36656 -- asm("int $0x15; setc %0"
36657 -+ asm volatile("int $0x15; setc %0"
36658 - : "=d" (err), "+b" (next), "=a" (id), "+c" (size),
36659 - "=m" (*desc)
36660 - : "D" (desc), "d" (SMAP), "a" (0xe820));
36661 -@@ -64,7 +64,7 @@ static int detect_memory_e801(void)
36662 -
36663 - bx = cx = dx = 0;
36664 - ax = 0xe801;
36665 -- asm("stc; int $0x15; setc %0"
36666 -+ asm volatile("stc; int $0x15; setc %0"
36667 - : "=m" (err), "+a" (ax), "+b" (bx), "+c" (cx), "+d" (dx));
36668 -
36669 - if (err)
36670 -@@ -94,7 +94,7 @@ static int detect_memory_88(void)
36671 - u8 err;
36672 -
36673 - ax = 0x8800;
36674 -- asm("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
36675 -+ asm volatile("stc; int $0x15; setc %0" : "=bcdm" (err), "+a" (ax));
36676 -
36677 - boot_params.screen_info.ext_mem_k = ax;
36678 -
36679 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vesa.c linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c
36680 ---- linux-2.6.23.15/arch/i386/boot/video-vesa.c 2008-02-11 10:36:03.000000000 +0000
36681 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video-vesa.c 2008-02-11 10:37:44.000000000 +0000
36682 -@@ -41,7 +41,7 @@ static int vesa_probe(void)
36683 -
36684 - ax = 0x4f00;
36685 - di = (size_t)&vginfo;
36686 -- asm(INT10
36687 -+ asm volatile(INT10
36688 - : "+a" (ax), "+D" (di), "=m" (vginfo)
36689 - : : "ebx", "ecx", "edx", "esi");
36690 -
36691 -@@ -68,7 +68,7 @@ static int vesa_probe(void)
36692 - ax = 0x4f01;
36693 - cx = mode;
36694 - di = (size_t)&vminfo;
36695 -- asm(INT10
36696 -+ asm volatile(INT10
36697 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
36698 - : : "ebx", "edx", "esi");
36699 -
36700 -@@ -115,7 +115,7 @@ static int vesa_set_mode(struct mode_inf
36701 - ax = 0x4f01;
36702 - cx = vesa_mode;
36703 - di = (size_t)&vminfo;
36704 -- asm(INT10
36705 -+ asm volatile(INT10
36706 - : "+a" (ax), "+c" (cx), "+D" (di), "=m" (vminfo)
36707 - : : "ebx", "edx", "esi");
36708 -
36709 -@@ -193,19 +193,20 @@ static void vesa_dac_set_8bits(void)
36710 - /* Save the VESA protected mode info */
36711 - static void vesa_store_pm_info(void)
36712 - {
36713 -- u16 ax, bx, di, es;
36714 -+ u16 ax, bx, cx, di, es;
36715 -
36716 - ax = 0x4f0a;
36717 -- bx = di = 0;
36718 -- asm("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
36719 -- : "=d" (es), "+a" (ax), "+b" (bx), "+D" (di)
36720 -- : : "ecx", "esi");
36721 -+ bx = cx = di = 0;
36722 -+ asm volatile("pushw %%es; "INT10"; movw %%es,%0; popw %%es"
36723 -+ : "=d" (es), "+a" (ax), "+b" (bx), "+c" (cx), "+D" (di)
36724 -+ : : "esi");
36725 -
36726 - if (ax != 0x004f)
36727 - return;
36728 -
36729 - boot_params.screen_info.vesapm_seg = es;
36730 - boot_params.screen_info.vesapm_off = di;
36731 -+ boot_params.screen_info.vesapm_size = cx;
36732 - }
36733 -
36734 - /*
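Review bot: vesa_store_pm_info() now keeps CX as an in/out operand (`+c`) and correctly drops `ecx` from the clobber list, but it stores into `boot_params.screen_info.vesapm_size`, a field that stock 2.6.23 screen_info does not have; this hunk only builds together with the screen_info change elsewhere in the patch, which the description should call out. A comment that CX is the length of the protected-mode interface table returned by VBE function 4F0Ah would also help.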
36735 -@@ -259,7 +260,7 @@ void vesa_store_edid(void)
36736 - /* Note: The VBE DDC spec is different from the main VESA spec;
36737 - we genuinely have to assume all registers are destroyed here. */
36738 -
36739 -- asm("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
36740 -+ asm volatile("pushw %%es; movw %2,%%es; "INT10"; popw %%es"
36741 - : "+a" (ax), "+b" (bx)
36742 - : "c" (cx), "D" (di)
36743 - : "esi");
36744 -@@ -275,7 +276,7 @@ void vesa_store_edid(void)
36745 - cx = 0; /* Controller 0 */
36746 - dx = 0; /* EDID block number */
36747 - di =(size_t) &boot_params.edid_info; /* (ES:)Pointer to block */
36748 -- asm(INT10
36749 -+ asm volatile(INT10
36750 - : "+a" (ax), "+b" (bx), "+d" (dx), "=m" (boot_params.edid_info)
36751 - : "c" (cx), "D" (di)
36752 - : "esi");
36753 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video-vga.c linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c
36754 ---- linux-2.6.23.15/arch/i386/boot/video-vga.c 2007-10-09 21:31:38.000000000 +0100
36755 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video-vga.c 2008-02-11 10:37:44.000000000 +0000
36756 -@@ -225,7 +225,7 @@ static int vga_probe(void)
36757 - };
36758 - u8 vga_flag;
36759 -
36760 -- asm(INT10
36761 -+ asm volatile(INT10
36762 - : "=b" (boot_params.screen_info.orig_video_ega_bx)
36763 - : "a" (0x1200), "b" (0x10) /* Check EGA/VGA */
36764 - : "ecx", "edx", "esi", "edi");
36765 -@@ -233,7 +233,7 @@ static int vga_probe(void)
36766 - /* If we have MDA/CGA/HGC then BL will be unchanged at 0x10 */
36767 - if ((u8)boot_params.screen_info.orig_video_ega_bx != 0x10) {
36768 - /* EGA/VGA */
36769 -- asm(INT10
36770 -+ asm volatile(INT10
36771 - : "=a" (vga_flag)
36772 - : "a" (0x1a00)
36773 - : "ebx", "ecx", "edx", "esi", "edi");
36774 -diff -Nurp linux-2.6.23.15/arch/i386/boot/video.c linux-2.6.23.15-grsec/arch/i386/boot/video.c
36775 ---- linux-2.6.23.15/arch/i386/boot/video.c 2008-02-11 10:36:03.000000000 +0000
36776 -+++ linux-2.6.23.15-grsec/arch/i386/boot/video.c 2008-02-11 10:37:44.000000000 +0000
36777 -@@ -40,7 +40,7 @@ static void store_cursor_position(void)
36778 -
36779 - ax = 0x0300;
36780 - bx = 0;
36781 -- asm(INT10
36782 -+ asm volatile(INT10
36783 - : "=d" (curpos), "+a" (ax), "+b" (bx)
36784 - : : "ecx", "esi", "edi");
36785 -
36786 -@@ -55,7 +55,7 @@ static void store_video_mode(void)
36787 - /* N.B.: the saving of the video page here is a bit silly,
36788 - since we pretty much assume page 0 everywhere. */
36789 - ax = 0x0f00;
36790 -- asm(INT10
36791 -+ asm volatile(INT10
36792 - : "+a" (ax), "=b" (page)
36793 - : : "ecx", "edx", "esi", "edi");
36794 -
36795 -diff -Nurp linux-2.6.23.15/arch/i386/boot/voyager.c linux-2.6.23.15-grsec/arch/i386/boot/voyager.c
36796 ---- linux-2.6.23.15/arch/i386/boot/voyager.c 2007-10-09 21:31:38.000000000 +0100
36797 -+++ linux-2.6.23.15-grsec/arch/i386/boot/voyager.c 2008-02-11 10:37:44.000000000 +0000
36798 -@@ -27,7 +27,7 @@ int query_voyager(void)
36799 -
36800 - data_ptr[0] = 0xff; /* Flag on config not found(?) */
36801 -
36802 -- asm("pushw %%es ; "
36803 -+ asm volatile("pushw %%es ; "
36804 - "int $0x15 ; "
36805 - "setc %0 ; "
36806 - "movw %%es, %1 ; "
36807 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/boot.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c
36808 ---- linux-2.6.23.15/arch/i386/kernel/acpi/boot.c 2007-10-09 21:31:38.000000000 +0100
36809 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/boot.c 2008-02-11 10:37:44.000000000 +0000
36810 -@@ -1123,7 +1123,7 @@ static struct dmi_system_id __initdata a
36811 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
36812 - },
36813 - },
36814 -- {}
36815 -+ { NULL, NULL, {{0, NULL}}, NULL}
36816 - };
36817 -
36818 - #endif /* __i386__ */
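Review bot: replacing the empty terminator `{}` with `{ NULL, NULL, {{0, NULL}}, NULL}` changes nothing at runtime and only silences a missing-initializer warning, but it hardcodes the field layout of struct dmi_system_id, so any later change to that struct breaks this line (and the identical sleep.c hunk). If the warning matters, a DMI-specific terminator macro is the maintainable fix.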
36819 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c
36820 ---- linux-2.6.23.15/arch/i386/kernel/acpi/sleep.c 2007-10-09 21:31:38.000000000 +0100
36821 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/sleep.c 2008-02-11 10:37:44.000000000 +0000
36822 -@@ -98,7 +98,7 @@ static __initdata struct dmi_system_id a
36823 - DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),
36824 - },
36825 - },
36826 -- {}
36827 -+ { NULL, NULL, {{0, NULL}}, NULL}
36828 - };
36829 -
36830 - static int __init acpisleep_dmi_init(void)
36831 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S
36832 ---- linux-2.6.23.15/arch/i386/kernel/acpi/wakeup.S 2007-10-09 21:31:38.000000000 +0100
36833 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/acpi/wakeup.S 2008-02-11 10:37:44.000000000 +0000
36834 -@@ -2,6 +2,7 @@
36835 - #include <linux/linkage.h>
36836 - #include <asm/segment.h>
36837 - #include <asm/page.h>
36838 -+#include <asm/msr-index.h>
36839 -
36840 - #
36841 - # wakeup_code runs in real mode, and at unknown address (determined at run-time).
36842 -@@ -84,7 +85,7 @@ wakeup_code:
36843 - # restore efer setting
36844 - movl real_save_efer_edx - wakeup_code, %edx
36845 - movl real_save_efer_eax - wakeup_code, %eax
36846 -- mov $0xc0000080, %ecx
36847 -+ mov $MSR_EFER, %ecx
36848 - wrmsr
36849 - 4:
36850 - # make sure %cr4 is set correctly (features, etc)
36851 -@@ -209,13 +210,11 @@ wakeup_pmode_return:
36852 - # and restore the stack ... but you need gdt for this to work
36853 - movl saved_context_esp, %esp
36854 -
36855 -- movl %cs:saved_magic, %eax
36856 -- cmpl $0x12345678, %eax
36857 -+ cmpl $0x12345678, saved_magic
36858 - jne bogus_magic
36859 -
36860 - # jump to place where we left off
36861 -- movl saved_eip,%eax
36862 -- jmp *%eax
36863 -+ jmp *(saved_eip)
36864 -
36865 - bogus_magic:
36866 - movw $0x0e00 + 'B', 0xb8018
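Review bot: `cmpl $0x12345678, saved_magic` drops the `%cs:` override the removed code used, and `jmp *(saved_eip)` now reads through the default data segment too; that is only correct if %ds already holds a flat kernel data selector at this point, which the `movl saved_context_esp, %esp` just above also assumes. A comment stating that assumption would make the simplification safe to review.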
36867 -@@ -247,7 +246,7 @@ ENTRY(acpi_copy_wakeup_routine)
36868 - # save efer setting
36869 - pushl %eax
36870 - movl %eax, %ebx
36871 -- mov $0xc0000080, %ecx
36872 -+ mov $MSR_EFER, %ecx
36873 - rdmsr
36874 - movl %edx, real_save_efer_edx - wakeup_start (%ebx)
36875 - movl %eax, real_save_efer_eax - wakeup_start (%ebx)
36876 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/alternative.c linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c
36877 ---- linux-2.6.23.15/arch/i386/kernel/alternative.c 2007-10-09 21:31:38.000000000 +0100
36878 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/alternative.c 2008-02-11 10:37:44.000000000 +0000
36879 -@@ -443,7 +443,20 @@ void __init alternative_instructions(voi
36880 - */
36881 - void __kprobes text_poke(void *addr, unsigned char *opcode, int len)
36882 - {
36883 -+
36884 -+#ifdef CONFIG_PAX_KERNEXEC
36885 -+ unsigned long cr0;
36886 -+
36887 -+ pax_open_kernel(cr0);
36888 -+#endif
36889 -+
36890 -+ addr += __KERNEL_TEXT_OFFSET;
36891 - memcpy(addr, opcode, len);
36892 -+
36893 -+#ifdef CONFIG_PAX_KERNEXEC
36894 -+ pax_close_kernel(cr0);
36895 -+#endif
36896 -+
36897 - sync_core();
36898 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
36899 - that causes hangs on some VIA CPUs. */
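Review bot: the `addr += __KERNEL_TEXT_OFFSET;` line added to text_poke() carries no comment explaining why the caller's address has to be relocated, and unlike the pax_open_kernel()/pax_close_kernel() calls around it, it sits outside the `#ifdef CONFIG_PAX_KERNEXEC` block, so it is compiled in on non-KERNEXEC builds as well; either guard it the same way or add a one-line comment stating that __KERNEL_TEXT_OFFSET evaluates to 0 there. The write window itself is as tight as it can be (only the memcpy() sits between open and close), which is the right shape for this.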
36900 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/apm.c linux-2.6.23.15-grsec/arch/i386/kernel/apm.c
36901 ---- linux-2.6.23.15/arch/i386/kernel/apm.c 2008-02-11 10:36:03.000000000 +0000
36902 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/apm.c 2008-02-11 10:37:44.000000000 +0000
36903 -@@ -407,7 +407,7 @@ static DECLARE_WAIT_QUEUE_HEAD(apm_waitq
36904 - static DECLARE_WAIT_QUEUE_HEAD(apm_suspend_waitqueue);
36905 - static struct apm_user * user_list;
36906 - static DEFINE_SPINLOCK(user_list_lock);
36907 --static const struct desc_struct bad_bios_desc = { 0, 0x00409200 };
36908 -+static const struct desc_struct bad_bios_desc = { 0, 0x00409300 };
36909 -
36910 - static const char driver_version[] = "1.16ac"; /* no spaces */
36911 -
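Review bot: the change of bad_bios_desc from 0x00409200 to 0x00409300 needs a comment, because the only bit that differs is bit 8 of the high dword, the descriptor's "accessed" bit in the type field. Pre-setting it means the CPU never has to write the bit back into the GDT entry when the selector is loaded, which matters once the GDT is kept read-only under KERNEXEC (the pax_open_kernel() calls around the `gdt[0x40 / 8]` stores in the next two hunks show that it is); something like `/* accessed bit pre-set: the GDT is read-only under KERNEXEC */` saves the next reader the bit arithmetic.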
36912 -@@ -601,19 +601,42 @@ static u8 apm_bios_call(u32 func, u32 eb
36913 - struct desc_struct save_desc_40;
36914 - struct desc_struct *gdt;
36915 -
36916 -+#ifdef CONFIG_PAX_KERNEXEC
36917 -+ unsigned long cr0;
36918 -+#endif
36919 -+
36920 - cpus = apm_save_cpus();
36921 -
36922 - cpu = get_cpu();
36923 - gdt = get_cpu_gdt_table(cpu);
36924 - save_desc_40 = gdt[0x40 / 8];
36925 -+
36926 -+#ifdef CONFIG_PAX_KERNEXEC
36927 -+ pax_open_kernel(cr0);
36928 -+#endif
36929 -+
36930 - gdt[0x40 / 8] = bad_bios_desc;
36931 -
36932 -+#ifdef CONFIG_PAX_KERNEXEC
36933 -+ pax_close_kernel(cr0);
36934 -+#endif
36935 -+
36936 - apm_irq_save(flags);
36937 - APM_DO_SAVE_SEGS;
36938 - apm_bios_call_asm(func, ebx_in, ecx_in, eax, ebx, ecx, edx, esi);
36939 - APM_DO_RESTORE_SEGS;
36940 - apm_irq_restore(flags);
36941 -+
36942 -+#ifdef CONFIG_PAX_KERNEXEC
36943 -+ pax_open_kernel(cr0);
36944 -+#endif
36945 -+
36946 - gdt[0x40 / 8] = save_desc_40;
36947 -+
36948 -+#ifdef CONFIG_PAX_KERNEXEC
36949 -+ pax_close_kernel(cr0);
36950 -+#endif
36951 -+
36952 - put_cpu();
36953 - apm_restore_cpus(cpus);
36954 -
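Review bot: the open/close pair around each of the two `gdt[0x40 / 8]` stores is the same four-line `#ifdef CONFIG_PAX_KERNEXEC` block repeated twice in this function and twice more in apm_bios_call_simple() below, which is easy to let drift out of sync; a small static helper along the lines of `apm_set_gdt_40(gdt, desc)` that does open/store/close would keep the KERNEXEC handling in one place. On the logic side the hunk is sound: each window is closed again before apm_irq_save()/apm_bios_call_asm() run, so the BIOS is never entered with the kernel write protection dropped.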
36955 -@@ -644,19 +667,42 @@ static u8 apm_bios_call_simple(u32 func,
36956 - struct desc_struct save_desc_40;
36957 - struct desc_struct *gdt;
36958 -
36959 -+#ifdef CONFIG_PAX_KERNEXEC
36960 -+ unsigned long cr0;
36961 -+#endif
36962 -+
36963 - cpus = apm_save_cpus();
36964 -
36965 - cpu = get_cpu();
36966 - gdt = get_cpu_gdt_table(cpu);
36967 - save_desc_40 = gdt[0x40 / 8];
36968 -+
36969 -+#ifdef CONFIG_PAX_KERNEXEC
36970 -+ pax_open_kernel(cr0);
36971 -+#endif
36972 -+
36973 - gdt[0x40 / 8] = bad_bios_desc;
36974 -
36975 -+#ifdef CONFIG_PAX_KERNEXEC
36976 -+ pax_close_kernel(cr0);
36977 -+#endif
36978 -+
36979 - apm_irq_save(flags);
36980 - APM_DO_SAVE_SEGS;
36981 - error = apm_bios_call_simple_asm(func, ebx_in, ecx_in, eax);
36982 - APM_DO_RESTORE_SEGS;
36983 - apm_irq_restore(flags);
36984 -+
36985 -+#ifdef CONFIG_PAX_KERNEXEC
36986 -+ pax_open_kernel(cr0);
36987 -+#endif
36988 -+
36989 - gdt[0x40 / 8] = save_desc_40;
36990 -+
36991 -+#ifdef CONFIG_PAX_KERNEXEC
36992 -+ pax_close_kernel(cr0);
36993 -+#endif
36994 -+
36995 - put_cpu();
36996 - apm_restore_cpus(cpus);
36997 - return error;
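Review bot: this is a line-for-line copy of the apm_bios_call() hunk above, including the blank `+` lines before and after every `#ifdef` block; the helper suggested there would collapse both. If the duplication stays, dropping the eight empty `+` lines per function would at least keep the diff to the lines that change behaviour.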
36998 -@@ -924,7 +970,7 @@ recalc:
36999 -
37000 - static void apm_power_off(void)
37001 - {
37002 -- unsigned char po_bios_call[] = {
37003 -+ const unsigned char po_bios_call[] = {
37004 - 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
37005 - 0x8e, 0xd0, /* movw ax,ss */
37006 - 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
37007 -@@ -1864,7 +1910,10 @@ static const struct file_operations apm_
37008 - static struct miscdevice apm_device = {
37009 - APM_MINOR_DEV,
37010 - "apm_bios",
37011 -- &apm_bios_fops
37012 -+ &apm_bios_fops,
37013 -+ {NULL, NULL},
37014 -+ NULL,
37015 -+ NULL
37016 - };
37017 -
37018 -
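Review bot: the apm_device initializer is extended positionally (`{NULL, NULL}, NULL, NULL`), which silences a missing-initializer warning but ties this file to the current field order of struct miscdevice; designated initializers (`.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops`) say the same thing, leave the remaining fields implicitly zeroed and survive a reordering of the struct.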
37019 -@@ -1974,210 +2023,210 @@ static struct dmi_system_id __initdata a
37020 - print_if_true,
37021 - KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
37022 - { DMI_MATCH(DMI_SYS_VENDOR, "IBM"),
37023 -- DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), },
37024 -+ DMI_MATCH(DMI_BIOS_VERSION, "1AET38WW (1.01b)"), }, NULL
37025 - },
37026 - { /* Handle problems with APM on the C600 */
37027 - broken_ps2_resume, "Dell Latitude C600",
37028 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell"),
37029 -- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), },
37030 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C600"), }, NULL
37031 - },
37032 - { /* Allow interrupts during suspend on Dell Latitude laptops*/
37033 - set_apm_ints, "Dell Latitude",
37034 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37035 -- DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }
37036 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude C510"), }, NULL
37037 - },
37038 - { /* APM crashes */
37039 - apm_is_horked, "Dell Inspiron 2500",
37040 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37041 - DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
37042 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
37043 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37044 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37045 - },
37046 - { /* Allow interrupts during suspend on Dell Inspiron laptops*/
37047 - set_apm_ints, "Dell Inspiron", {
37048 - DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37049 -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), },
37050 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 4000"), }, NULL
37051 - },
37052 - { /* Handle problems with APM on Inspiron 5000e */
37053 - broken_apm_power, "Dell Inspiron 5000e",
37054 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37055 - DMI_MATCH(DMI_BIOS_VERSION, "A04"),
37056 -- DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), },
37057 -+ DMI_MATCH(DMI_BIOS_DATE, "08/24/2000"), }, NULL
37058 - },
37059 - { /* Handle problems with APM on Inspiron 2500 */
37060 - broken_apm_power, "Dell Inspiron 2500",
37061 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37062 - DMI_MATCH(DMI_BIOS_VERSION, "A12"),
37063 -- DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), },
37064 -+ DMI_MATCH(DMI_BIOS_DATE, "02/04/2002"), }, NULL
37065 - },
37066 - { /* APM crashes */
37067 - apm_is_horked, "Dell Dimension 4100",
37068 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37069 - DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"),
37070 - DMI_MATCH(DMI_BIOS_VENDOR,"Intel Corp."),
37071 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37072 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37073 - },
37074 - { /* Allow interrupts during suspend on Compaq Laptops*/
37075 - set_apm_ints, "Compaq 12XL125",
37076 - { DMI_MATCH(DMI_SYS_VENDOR, "Compaq"),
37077 - DMI_MATCH(DMI_PRODUCT_NAME, "Compaq PC"),
37078 - DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37079 -- DMI_MATCH(DMI_BIOS_VERSION,"4.06"), },
37080 -+ DMI_MATCH(DMI_BIOS_VERSION,"4.06"), }, NULL
37081 - },
37082 - { /* Allow interrupts during APM or the clock goes slow */
37083 - set_apm_ints, "ASUSTeK",
37084 - { DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
37085 -- DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), },
37086 -+ DMI_MATCH(DMI_PRODUCT_NAME, "L8400K series Notebook PC"), }, NULL
37087 - },
37088 - { /* APM blows on shutdown */
37089 - apm_is_horked, "ABIT KX7-333[R]",
37090 - { DMI_MATCH(DMI_BOARD_VENDOR, "ABIT"),
37091 -- DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), },
37092 -+ DMI_MATCH(DMI_BOARD_NAME, "VT8367-8233A (KX7-333[R])"), }, NULL
37093 - },
37094 - { /* APM crashes */
37095 - apm_is_horked, "Trigem Delhi3",
37096 - { DMI_MATCH(DMI_SYS_VENDOR, "TriGem Computer, Inc"),
37097 -- DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), },
37098 -+ DMI_MATCH(DMI_PRODUCT_NAME, "Delhi3"), }, NULL
37099 - },
37100 - { /* APM crashes */
37101 - apm_is_horked, "Fujitsu-Siemens",
37102 - { DMI_MATCH(DMI_BIOS_VENDOR, "hoenix/FUJITSU SIEMENS"),
37103 -- DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), },
37104 -+ DMI_MATCH(DMI_BIOS_VERSION, "Version1.01"), }, NULL
37105 - },
37106 - { /* APM crashes */
37107 - apm_is_horked_d850md, "Intel D850MD",
37108 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37109 -- DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), },
37110 -+ DMI_MATCH(DMI_BIOS_VERSION, "MV85010A.86A.0016.P07.0201251536"), }, NULL
37111 - },
37112 - { /* APM crashes */
37113 - apm_is_horked, "Intel D810EMO",
37114 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37115 -- DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), },
37116 -+ DMI_MATCH(DMI_BIOS_VERSION, "MO81010A.86A.0008.P04.0004170800"), }, NULL
37117 - },
37118 - { /* APM crashes */
37119 - apm_is_horked, "Dell XPS-Z",
37120 - { DMI_MATCH(DMI_BIOS_VENDOR, "Intel Corp."),
37121 - DMI_MATCH(DMI_BIOS_VERSION, "A11"),
37122 -- DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), },
37123 -+ DMI_MATCH(DMI_PRODUCT_NAME, "XPS-Z"), }, NULL
37124 - },
37125 - { /* APM crashes */
37126 - apm_is_horked, "Sharp PC-PJ/AX",
37127 - { DMI_MATCH(DMI_SYS_VENDOR, "SHARP"),
37128 - DMI_MATCH(DMI_PRODUCT_NAME, "PC-PJ/AX"),
37129 - DMI_MATCH(DMI_BIOS_VENDOR,"SystemSoft"),
37130 -- DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), },
37131 -+ DMI_MATCH(DMI_BIOS_VERSION,"Version R2.08"), }, NULL
37132 - },
37133 - { /* APM crashes */
37134 - apm_is_horked, "Dell Inspiron 2500",
37135 - { DMI_MATCH(DMI_SYS_VENDOR, "Dell Computer Corporation"),
37136 - DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 2500"),
37137 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
37138 -- DMI_MATCH(DMI_BIOS_VERSION,"A11"), },
37139 -+ DMI_MATCH(DMI_BIOS_VERSION,"A11"), }, NULL
37140 - },
37141 - { /* APM idle hangs */
37142 - apm_likes_to_melt, "Jabil AMD",
37143 - { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
37144 -- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), },
37145 -+ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP06"), }, NULL
37146 - },
37147 - { /* APM idle hangs */
37148 - apm_likes_to_melt, "AMI Bios",
37149 - { DMI_MATCH(DMI_BIOS_VENDOR, "American Megatrends Inc."),
37150 -- DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), },
37151 -+ DMI_MATCH(DMI_BIOS_VERSION, "0AASNP05"), }, NULL
37152 - },
37153 - { /* Handle problems with APM on Sony Vaio PCG-N505X(DE) */
37154 - swab_apm_power_in_minutes, "Sony VAIO",
37155 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37156 - DMI_MATCH(DMI_BIOS_VERSION, "R0206H"),
37157 -- DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), },
37158 -+ DMI_MATCH(DMI_BIOS_DATE, "08/23/99"), }, NULL
37159 - },
37160 - { /* Handle problems with APM on Sony Vaio PCG-N505VX */
37161 - swab_apm_power_in_minutes, "Sony VAIO",
37162 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37163 - DMI_MATCH(DMI_BIOS_VERSION, "W2K06H0"),
37164 -- DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), },
37165 -+ DMI_MATCH(DMI_BIOS_DATE, "02/03/00"), }, NULL
37166 - },
37167 - { /* Handle problems with APM on Sony Vaio PCG-XG29 */
37168 - swab_apm_power_in_minutes, "Sony VAIO",
37169 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37170 - DMI_MATCH(DMI_BIOS_VERSION, "R0117A0"),
37171 -- DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), },
37172 -+ DMI_MATCH(DMI_BIOS_DATE, "04/25/00"), }, NULL
37173 - },
37174 - { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
37175 - swab_apm_power_in_minutes, "Sony VAIO",
37176 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37177 - DMI_MATCH(DMI_BIOS_VERSION, "R0121Z1"),
37178 -- DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), },
37179 -+ DMI_MATCH(DMI_BIOS_DATE, "05/11/00"), }, NULL
37180 - },
37181 - { /* Handle problems with APM on Sony Vaio PCG-Z600NE */
37182 - swab_apm_power_in_minutes, "Sony VAIO",
37183 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37184 - DMI_MATCH(DMI_BIOS_VERSION, "WME01Z1"),
37185 -- DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), },
37186 -+ DMI_MATCH(DMI_BIOS_DATE, "08/11/00"), }, NULL
37187 - },
37188 - { /* Handle problems with APM on Sony Vaio PCG-Z600LEK(DE) */
37189 - swab_apm_power_in_minutes, "Sony VAIO",
37190 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37191 - DMI_MATCH(DMI_BIOS_VERSION, "R0206Z3"),
37192 -- DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), },
37193 -+ DMI_MATCH(DMI_BIOS_DATE, "12/25/00"), }, NULL
37194 - },
37195 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
37196 - swab_apm_power_in_minutes, "Sony VAIO",
37197 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37198 - DMI_MATCH(DMI_BIOS_VERSION, "R0203D0"),
37199 -- DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), },
37200 -+ DMI_MATCH(DMI_BIOS_DATE, "05/12/00"), }, NULL
37201 - },
37202 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS */
37203 - swab_apm_power_in_minutes, "Sony VAIO",
37204 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37205 - DMI_MATCH(DMI_BIOS_VERSION, "R0203Z3"),
37206 -- DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), },
37207 -+ DMI_MATCH(DMI_BIOS_DATE, "08/25/00"), }, NULL
37208 - },
37209 - { /* Handle problems with APM on Sony Vaio PCG-Z505LS (with updated BIOS) */
37210 - swab_apm_power_in_minutes, "Sony VAIO",
37211 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37212 - DMI_MATCH(DMI_BIOS_VERSION, "R0209Z3"),
37213 -- DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), },
37214 -+ DMI_MATCH(DMI_BIOS_DATE, "05/12/01"), }, NULL
37215 - },
37216 - { /* Handle problems with APM on Sony Vaio PCG-F104K */
37217 - swab_apm_power_in_minutes, "Sony VAIO",
37218 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37219 - DMI_MATCH(DMI_BIOS_VERSION, "R0204K2"),
37220 -- DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), },
37221 -+ DMI_MATCH(DMI_BIOS_DATE, "08/28/00"), }, NULL
37222 - },
37223 -
37224 - { /* Handle problems with APM on Sony Vaio PCG-C1VN/C1VE */
37225 - swab_apm_power_in_minutes, "Sony VAIO",
37226 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37227 - DMI_MATCH(DMI_BIOS_VERSION, "R0208P1"),
37228 -- DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), },
37229 -+ DMI_MATCH(DMI_BIOS_DATE, "11/09/00"), }, NULL
37230 - },
37231 - { /* Handle problems with APM on Sony Vaio PCG-C1VE */
37232 - swab_apm_power_in_minutes, "Sony VAIO",
37233 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37234 - DMI_MATCH(DMI_BIOS_VERSION, "R0204P1"),
37235 -- DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), },
37236 -+ DMI_MATCH(DMI_BIOS_DATE, "09/12/00"), }, NULL
37237 - },
37238 - { /* Handle problems with APM on Sony Vaio PCG-C1VE */
37239 - swab_apm_power_in_minutes, "Sony VAIO",
37240 - { DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37241 - DMI_MATCH(DMI_BIOS_VERSION, "WXPO1Z3"),
37242 -- DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), },
37243 -+ DMI_MATCH(DMI_BIOS_DATE, "10/26/01"), }, NULL
37244 - },
37245 - { /* broken PM poweroff bios */
37246 - set_realmode_power_off, "Award Software v4.60 PGMA",
37247 - { DMI_MATCH(DMI_BIOS_VENDOR, "Award Software International, Inc."),
37248 - DMI_MATCH(DMI_BIOS_VERSION, "4.60 PGMA"),
37249 -- DMI_MATCH(DMI_BIOS_DATE, "134526184"), },
37250 -+ DMI_MATCH(DMI_BIOS_DATE, "134526184"), }, NULL
37251 - },
37252 -
37253 - /* Generic per vendor APM settings */
37254 -
37255 - { /* Allow interrupts during suspend on IBM laptops */
37256 - set_apm_ints, "IBM",
37257 -- { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
37258 -+ { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), }, NULL
37259 - },
37260 -
37261 -- { }
37262 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
37263 - };
37264 -
37265 - /*
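Review bot: this 200-line hunk touches every apm_dmi_table entry only to append an explicit `, NULL` and to spell the terminator out as `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}`, i.e. it is missing-field-initializer quieting that depends on the exact field order of struct dmi_system_id and on DMI_NONE being an acceptable match slot. Converting the table to designated initializers (`.callback =`, `.ident =`, `.matches = { ... }`) would achieve the same without rewriting each entry, and future upstream changes to the table would then merge instead of conflicting on every line. The same `{ }` to explicit-terminator rewrite appears again for sw_any_bug_dmi_table in acpi-cpufreq.c below with slightly different spacing (`NULL }` versus `NULL}`); whichever form stays, both sites should use it.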
37266 -@@ -2196,6 +2245,10 @@ static int __init apm_init(void)
37267 - struct desc_struct *gdt;
37268 - int err;
37269 -
37270 -+#ifdef CONFIG_PAX_KERNEXEC
37271 -+ unsigned long cr0;
37272 -+#endif
37273 -+
37274 - dmi_check_system(apm_dmi_table);
37275 -
37276 - if (apm_info.bios.version == 0 || paravirt_enabled()) {
37277 -@@ -2269,9 +2322,18 @@ static int __init apm_init(void)
37278 - * This is for buggy BIOS's that refer to (real mode) segment 0x40
37279 - * even though they are called in protected mode.
37280 - */
37281 -+
37282 -+#ifdef CONFIG_PAX_KERNEXEC
37283 -+ pax_open_kernel(cr0);
37284 -+#endif
37285 -+
37286 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
37287 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
37288 -
37289 -+#ifdef CONFIG_PAX_KERNEXEC
37290 -+ pax_close_kernel(cr0);
37291 -+#endif
37292 -+
37293 - /*
37294 - * Set up the long jump entry point to the APM BIOS, which is called
37295 - * from inline assembly.
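Review bot: the pax_open_kernel()/pax_close_kernel() pair here wraps set_base()/_set_limit() on bad_bios_desc, which the hunk at line 407 shows as `static const`; the `(char *)&bad_bios_desc` cast is pre-existing upstream code, but writing through it to a const-qualified object is undefined behaviour and lets the compiler assume the value never changes (for example when it copies bad_bios_desc into `gdt[0x40 / 8]` in apm_bios_call()). Since the object is written exactly once at init, either drop `const` and keep the open/close window, or compute base and limit in the static initializer so no runtime write is needed at all.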
37296 -@@ -2290,6 +2352,11 @@ static int __init apm_init(void)
37297 - * code to that CPU.
37298 - */
37299 - gdt = get_cpu_gdt_table(0);
37300 -+
37301 -+#ifdef CONFIG_PAX_KERNEXEC
37302 -+ pax_open_kernel(cr0);
37303 -+#endif
37304 -+
37305 - set_base(gdt[APM_CS >> 3],
37306 - __va((unsigned long)apm_info.bios.cseg << 4));
37307 - set_base(gdt[APM_CS_16 >> 3],
37308 -@@ -2297,6 +2364,10 @@ static int __init apm_init(void)
37309 - set_base(gdt[APM_DS >> 3],
37310 - __va((unsigned long)apm_info.bios.dseg << 4));
37311 -
37312 -+#ifdef CONFIG_PAX_KERNEXEC
37313 -+ pax_close_kernel(cr0);
37314 -+#endif
37315 -+
37316 - apm_proc = create_proc_entry("apm", 0, NULL);
37317 - if (apm_proc)
37318 - apm_proc->proc_fops = &apm_file_ops;
37319 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/asm-offsets.c linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c
37320 ---- linux-2.6.23.15/arch/i386/kernel/asm-offsets.c 2007-10-09 21:31:38.000000000 +0100
37321 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/asm-offsets.c 2008-02-11 10:37:44.000000000 +0000
37322 -@@ -109,6 +109,7 @@ void foo(void)
37323 - DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
37324 - DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
37325 - DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
37326 -+ DEFINE(PERCPU_MODULE_RESERVE, PERCPU_MODULE_RESERVE);
37327 -
37328 - DEFINE(VDSO_PRELINK_asm, VDSO_PRELINK);
37329 -
37330 -@@ -122,6 +123,7 @@ void foo(void)
37331 - OFFSET(PARAVIRT_irq_enable_sysexit, paravirt_ops, irq_enable_sysexit);
37332 - OFFSET(PARAVIRT_iret, paravirt_ops, iret);
37333 - OFFSET(PARAVIRT_read_cr0, paravirt_ops, read_cr0);
37334 -+ OFFSET(PARAVIRT_write_cr0, paravirt_ops, write_cr0);
37335 - #endif
37336 -
37337 - #ifdef CONFIG_XEN
37338 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/common.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c
37339 ---- linux-2.6.23.15/arch/i386/kernel/cpu/common.c 2007-10-09 21:31:38.000000000 +0100
37340 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/common.c 2008-02-11 10:37:44.000000000 +0000
37341 -@@ -4,7 +4,6 @@
37342 - #include <linux/smp.h>
37343 - #include <linux/module.h>
37344 - #include <linux/percpu.h>
37345 --#include <linux/bootmem.h>
37346 - #include <asm/semaphore.h>
37347 - #include <asm/processor.h>
37348 - #include <asm/i387.h>
37349 -@@ -21,39 +20,15 @@
37350 -
37351 - #include "cpu.h"
37352 -
37353 --DEFINE_PER_CPU(struct gdt_page, gdt_page) = { .gdt = {
37354 -- [GDT_ENTRY_KERNEL_CS] = { 0x0000ffff, 0x00cf9a00 },
37355 -- [GDT_ENTRY_KERNEL_DS] = { 0x0000ffff, 0x00cf9200 },
37356 -- [GDT_ENTRY_DEFAULT_USER_CS] = { 0x0000ffff, 0x00cffa00 },
37357 -- [GDT_ENTRY_DEFAULT_USER_DS] = { 0x0000ffff, 0x00cff200 },
37358 -- /*
37359 -- * Segments used for calling PnP BIOS have byte granularity.
37360 -- * They code segments and data segments have fixed 64k limits,
37361 -- * the transfer segment sizes are set at run time.
37362 -- */
37363 -- [GDT_ENTRY_PNPBIOS_CS32] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
37364 -- [GDT_ENTRY_PNPBIOS_CS16] = { 0x0000ffff, 0x00009a00 },/* 16-bit code */
37365 -- [GDT_ENTRY_PNPBIOS_DS] = { 0x0000ffff, 0x00009200 }, /* 16-bit data */
37366 -- [GDT_ENTRY_PNPBIOS_TS1] = { 0x00000000, 0x00009200 },/* 16-bit data */
37367 -- [GDT_ENTRY_PNPBIOS_TS2] = { 0x00000000, 0x00009200 },/* 16-bit data */
37368 -- /*
37369 -- * The APM segments have byte granularity and their bases
37370 -- * are set at run time. All have 64k limits.
37371 -- */
37372 -- [GDT_ENTRY_APMBIOS_BASE] = { 0x0000ffff, 0x00409a00 },/* 32-bit code */
37373 -- /* 16-bit code */
37374 -- [GDT_ENTRY_APMBIOS_BASE+1] = { 0x0000ffff, 0x00009a00 },
37375 -- [GDT_ENTRY_APMBIOS_BASE+2] = { 0x0000ffff, 0x00409200 }, /* data */
37376 --
37377 -- [GDT_ENTRY_ESPFIX_SS] = { 0x00000000, 0x00c09200 },
37378 -- [GDT_ENTRY_PERCPU] = { 0x00000000, 0x00000000 },
37379 --} };
37380 --EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
37381 --
37382 - static int cachesize_override __cpuinitdata = -1;
37383 - static int disable_x86_fxsr __cpuinitdata;
37384 - static int disable_x86_serial_nr __cpuinitdata = 1;
37385 --static int disable_x86_sep __cpuinitdata;
37386 -+
37387 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
37388 -+int disable_x86_sep __cpuinitdata = 1;
37389 -+#else
37390 -+int disable_x86_sep __cpuinitdata;
37391 -+#endif
37392 -
37393 - struct cpu_dev * cpu_devs[X86_VENDOR_NUM] = {};
37394 -
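Review bot: `disable_x86_sep` changes from `static int` to a global that defaults to 1 whenever CONFIG_PAX_PAGEEXEC, SEGMEXEC, KERNEXEC or MEMORY_UDEREF is set, but there is no comment on why SYSENTER support has to be turned off under those options and no declaration of the new global is visible in this hunk; a one-line comment at the definition (and in the header that declares it) would help anyone bisecting a syscall-latency change after enabling PaX. The same hunk deletes the per-CPU gdt_page definition together with its EXPORT_PER_CPU_SYMBOL_GPL(gdt_page) without the replacement being in this hunk; please confirm that whatever now backs the GDT is exported too, since module code that reaches gdt_page (through get_cpu_gdt_table(), for instance) relied on that export.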
37395 -@@ -261,10 +236,10 @@ static int __cpuinit have_cpuid_p(void)
37396 - void __init cpu_detect(struct cpuinfo_x86 *c)
37397 - {
37398 - /* Get vendor name */
37399 -- cpuid(0x00000000, &c->cpuid_level,
37400 -- (int *)&c->x86_vendor_id[0],
37401 -- (int *)&c->x86_vendor_id[8],
37402 -- (int *)&c->x86_vendor_id[4]);
37403 -+ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
37404 -+ (unsigned int *)&c->x86_vendor_id[0],
37405 -+ (unsigned int *)&c->x86_vendor_id[8],
37406 -+ (unsigned int *)&c->x86_vendor_id[4]);
37407 -
37408 - c->x86 = 4;
37409 - if (c->cpuid_level >= 0x00000001) {
37410 -@@ -304,15 +279,14 @@ static void __init early_cpu_detect(void
37411 -
37412 - static void __cpuinit generic_identify(struct cpuinfo_x86 * c)
37413 - {
37414 -- u32 tfms, xlvl;
37415 -- int ebx;
37416 -+ u32 tfms, xlvl, ebx;
37417 -
37418 - if (have_cpuid_p()) {
37419 - /* Get vendor name */
37420 -- cpuid(0x00000000, &c->cpuid_level,
37421 -- (int *)&c->x86_vendor_id[0],
37422 -- (int *)&c->x86_vendor_id[8],
37423 -- (int *)&c->x86_vendor_id[4]);
37424 -+ cpuid(0x00000000, (unsigned int *)&c->cpuid_level,
37425 -+ (unsigned int *)&c->x86_vendor_id[0],
37426 -+ (unsigned int *)&c->x86_vendor_id[8],
37427 -+ (unsigned int *)&c->x86_vendor_id[4]);
37428 -
37429 - get_cpu_vendor(c, 0);
37430 - /* Initialize the standard set of capabilities */
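Review bot: both cpuid() call sites in this file are fixed by casting `&c->cpuid_level` and the x86_vendor_id slots to `unsigned int *`, which implies the cpuid() prototype now takes unsigned int pointers; rather than casting at every caller, making `cpuid_level` in struct cpuinfo_x86 an unsigned int would remove the cast on the first argument and leave only the vendor-id casts, which are a genuine char-to-word reinterpretation. Folding `ebx` into `u32 tfms, xlvl, ebx;` in generic_identify() is fine, as ebx only ever receives cpuid output.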
37431 -@@ -644,7 +618,7 @@ void switch_to_new_gdt(void)
37432 - {
37433 - struct Xgt_desc_struct gdt_descr;
37434 -
37435 -- gdt_descr.address = (long)get_cpu_gdt_table(smp_processor_id());
37436 -+ gdt_descr.address = get_cpu_gdt_table(smp_processor_id());
37437 - gdt_descr.size = GDT_SIZE - 1;
37438 - load_gdt(&gdt_descr);
37439 - asm("mov %0, %%fs" : : "r" (__KERNEL_PERCPU) : "memory");
37440 -@@ -660,7 +634,7 @@ void __cpuinit cpu_init(void)
37441 - {
37442 - int cpu = smp_processor_id();
37443 - struct task_struct *curr = current;
37444 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
37445 -+ struct tss_struct *t = init_tss + cpu;
37446 - struct thread_struct *thread = &curr->thread;
37447 -
37448 - if (cpu_test_and_set(cpu, cpu_initialized)) {
37449 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c
37450 ---- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2007-10-09 21:31:38.000000000 +0100
37451 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/acpi-cpufreq.c 2008-02-11 10:37:44.000000000 +0000
37452 -@@ -549,7 +549,7 @@ static struct dmi_system_id sw_any_bug_d
37453 - DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
37454 - },
37455 - },
37456 -- { }
37457 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
37458 - };
37459 - #endif
37460 -
37461 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c
37462 ---- linux-2.6.23.15/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2007-10-09 21:31:38.000000000 +0100
37463 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/cpufreq/speedstep-centrino.c 2008-02-11 10:37:44.000000000 +0000
37464 -@@ -223,7 +223,7 @@ static struct cpu_model models[] =
37465 - { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
37466 - { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
37467 -
37468 -- { NULL, }
37469 -+ { NULL, NULL, 0, NULL}
37470 - };
37471 - #undef _BANIAS
37472 - #undef BANIAS
37473 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c
37474 ---- linux-2.6.23.15/arch/i386/kernel/cpu/intel_cacheinfo.c 2007-10-09 21:31:38.000000000 +0100
37475 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/intel_cacheinfo.c 2008-02-11 10:37:44.000000000 +0000
37476 -@@ -351,8 +351,8 @@ unsigned int __cpuinit init_intel_cachei
37477 - */
37478 - if ((num_cache_leaves == 0 || c->x86 == 15) && c->cpuid_level > 1) {
37479 - /* supports eax=2 call */
37480 -- int i, j, n;
37481 -- int regs[4];
37482 -+ int j, n;
37483 -+ unsigned int regs[4];
37484 - unsigned char *dp = (unsigned char *)regs;
37485 - int only_trace = 0;
37486 -
37487 -@@ -367,7 +367,7 @@ unsigned int __cpuinit init_intel_cachei
37488 -
37489 - /* If bit 31 is set, this is an unknown format */
37490 - for ( j = 0 ; j < 3 ; j++ ) {
37491 -- if ( regs[j] < 0 ) regs[j] = 0;
37492 -+ if ( (int)regs[j] < 0 ) regs[j] = 0;
37493 - }
37494 -
37495 - /* Byte 0 is level count, not a descriptor */
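Review bot: `if ( (int)regs[j] < 0 )` tests bit 31 through a signed reinterpretation of a now-unsigned value, while the comment directly above says "If bit 31 is set"; `if (regs[j] & 0x80000000)` (or `1U << 31`) states that directly and avoids the implementation-defined cast. Dropping `i` from the declaration in the previous hunk is fine if it was unused, which a warning-free build confirms.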
37496 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c
37497 ---- linux-2.6.23.15/arch/i386/kernel/cpu/mcheck/therm_throt.c 2007-10-09 21:31:38.000000000 +0100
37498 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mcheck/therm_throt.c 2008-02-11 10:37:44.000000000 +0000
37499 -@@ -152,7 +152,7 @@ static __cpuinit int thermal_throttle_cp
37500 - return NOTIFY_OK;
37501 - }
37502 -
37503 --static struct notifier_block thermal_throttle_cpu_notifier =
37504 -+static __cpuinitdata struct notifier_block thermal_throttle_cpu_notifier =
37505 - {
37506 - .notifier_call = thermal_throttle_cpu_callback,
37507 - };
37508 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c
37509 ---- linux-2.6.23.15/arch/i386/kernel/cpu/mtrr/generic.c 2007-10-09 21:31:38.000000000 +0100
37510 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/cpu/mtrr/generic.c 2008-02-11 10:37:44.000000000 +0000
37511 -@@ -29,11 +29,11 @@ static struct fixed_range_block fixed_ra
37512 - { MTRRfix64K_00000_MSR, 1 }, /* one 64k MTRR */
37513 - { MTRRfix16K_80000_MSR, 2 }, /* two 16k MTRRs */
37514 - { MTRRfix4K_C0000_MSR, 8 }, /* eight 4k MTRRs */
37515 -- {}
37516 -+ { 0, 0 }
37517 - };
37518 -
37519 - static unsigned long smp_changes_mask;
37520 --static struct mtrr_state mtrr_state = {};
37521 -+static struct mtrr_state mtrr_state;
37522 -
37523 - #undef MODULE_PARAM_PREFIX
37524 - #define MODULE_PARAM_PREFIX "mtrr."
37525 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/crash.c linux-2.6.23.15-grsec/arch/i386/kernel/crash.c
37526 ---- linux-2.6.23.15/arch/i386/kernel/crash.c 2007-10-09 21:31:38.000000000 +0100
37527 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/crash.c 2008-02-11 10:37:44.000000000 +0000
37528 -@@ -55,7 +55,7 @@ static int crash_nmi_callback(struct not
37529 - return NOTIFY_STOP;
37530 - local_irq_disable();
37531 -
37532 -- if (!user_mode_vm(regs)) {
37533 -+ if (!user_mode(regs)) {
37534 - crash_fixup_ss_esp(&fixed_regs, regs);
37535 - regs = &fixed_regs;
37536 - }
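Review bot: replacing user_mode_vm(regs) with user_mode(regs) in crash_nmi_callback() changes the result for a task caught in vm86 mode, which in mainline user_mode_vm() reports as user mode (it also checks the VM flag in eflags) while plain user_mode() looks only at the CS RPL. If this series redefines user_mode() to cover the VM flag, or removes vm86 under these options, a short comment here would make that dependency explicit; otherwise a vm86 task hit by the crash NMI would be treated as a kernel frame and have its ss/esp "fixed up" wrongly.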
37537 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/doublefault.c linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c
37538 ---- linux-2.6.23.15/arch/i386/kernel/doublefault.c 2007-10-09 21:31:38.000000000 +0100
37539 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/doublefault.c 2008-02-11 10:37:44.000000000 +0000
37540 -@@ -11,17 +11,17 @@
37541 -
37542 - #define DOUBLEFAULT_STACKSIZE (1024)
37543 - static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
37544 --#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
37545 -+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
37546 -
37547 - #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
37548 -
37549 - static void doublefault_fn(void)
37550 - {
37551 -- struct Xgt_desc_struct gdt_desc = {0, 0};
37552 -+ struct Xgt_desc_struct gdt_desc = {0, NULL, 0};
37553 - unsigned long gdt, tss;
37554 -
37555 - store_gdt(&gdt_desc);
37556 -- gdt = gdt_desc.address;
37557 -+ gdt = (unsigned long)gdt_desc.address;
37558 -
37559 - printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
37560 -
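Review bot: the `-2` in the new STACK_START (`doublefault_stack+DOUBLEFAULT_STACKSIZE-2`) is a magic number; since doublefault_stack is an array of unsigned long it reserves two words at the top of the stack, and the reason for reserving exactly those two words should be stated next to the define. The `{0, NULL, 0}` initializer for gdt_desc and the `(unsigned long)gdt_desc.address` cast are consistent with the address field of Xgt_desc_struct becoming a pointer, which switch_to_new_gdt() in cpu/common.c and efi_call_phys_epilog() in efi.c in this same patch also assume.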
37561 -@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cach
37562 - /* 0x2 bit is always set */
37563 - .eflags = X86_EFLAGS_SF | 0x2,
37564 - .esp = STACK_START,
37565 -- .es = __USER_DS,
37566 -+ .es = __KERNEL_DS,
37567 - .cs = __KERNEL_CS,
37568 - .ss = __KERNEL_DS,
37569 -- .ds = __USER_DS,
37570 -+ .ds = __KERNEL_DS,
37571 - .fs = __KERNEL_PERCPU,
37572 -
37573 - .__cr3 = __pa(swapper_pg_dir)
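Review bot: .es and .ds in doublefault_tss move from __USER_DS to __KERNEL_DS without a comment; presumably the user data segment no longer spans kernel addresses under SEGMEXEC/UDEREF, so the double-fault handler could not touch its own data with __USER_DS loaded. Saying so next to the two fields would stop a later merge from "fixing" them back to match upstream.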
37574 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi.c linux-2.6.23.15-grsec/arch/i386/kernel/efi.c
37575 ---- linux-2.6.23.15/arch/i386/kernel/efi.c 2007-10-09 21:31:38.000000000 +0100
37576 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/efi.c 2008-02-11 10:37:44.000000000 +0000
37577 -@@ -63,45 +63,23 @@ extern void * boot_ioremap(unsigned long
37578 -
37579 - static unsigned long efi_rt_eflags;
37580 - static DEFINE_SPINLOCK(efi_rt_lock);
37581 --static pgd_t efi_bak_pg_dir_pointer[2];
37582 -+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS] __attribute__ ((aligned (4096)));
37583 -
37584 - static void efi_call_phys_prelog(void) __acquires(efi_rt_lock)
37585 - {
37586 -- unsigned long cr4;
37587 -- unsigned long temp;
37588 - struct Xgt_desc_struct gdt_descr;
37589 -
37590 - spin_lock(&efi_rt_lock);
37591 - local_irq_save(efi_rt_eflags);
37592 -
37593 -- /*
37594 -- * If I don't have PSE, I should just duplicate two entries in page
37595 -- * directory. If I have PSE, I just need to duplicate one entry in
37596 -- * page directory.
37597 -- */
37598 -- cr4 = read_cr4();
37599 --
37600 -- if (cr4 & X86_CR4_PSE) {
37601 -- efi_bak_pg_dir_pointer[0].pgd =
37602 -- swapper_pg_dir[pgd_index(0)].pgd;
37603 -- swapper_pg_dir[0].pgd =
37604 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
37605 -- } else {
37606 -- efi_bak_pg_dir_pointer[0].pgd =
37607 -- swapper_pg_dir[pgd_index(0)].pgd;
37608 -- efi_bak_pg_dir_pointer[1].pgd =
37609 -- swapper_pg_dir[pgd_index(0x400000)].pgd;
37610 -- swapper_pg_dir[pgd_index(0)].pgd =
37611 -- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
37612 -- temp = PAGE_OFFSET + 0x400000;
37613 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
37614 -- swapper_pg_dir[pgd_index(temp)].pgd;
37615 -- }
37616 -+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
37617 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
37618 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
37619 -
37620 - /*
37621 - * After the lock is released, the original page table is restored.
37622 - */
37623 -- local_flush_tlb();
37624 -+ __flush_tlb_all();
37625 -
37626 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
37627 - gdt_descr.size = GDT_SIZE - 1;
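Review bot: efi_bak_pg_dir_pointer becomes __initdata while efi_call_phys_prelog() (and efi_call_phys_epilog() in the next hunk), which read and write it, are not marked __init, so either add __init to both helpers (the phys_efi_set_virtual_address_map() and phys_efi_get_time() definitions that this patch does mark __init look like the intended only callers) or expect a section-mismatch warning from modpost. Replacing the PSE-dependent one- or two-entry copy with clone_pgd_range() over KERNEL_PGD_PTRS is clearer, and the switch from local_flush_tlb() to __flush_tlb_all() is needed by it, since the kernel-half entries now mirrored into the low half are global mappings that a plain CR3 reload does not flush; a comment saying so would help. The `min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)` bound also deserves a note on when the two halves can differ in size.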
37628 -@@ -110,35 +88,23 @@ static void efi_call_phys_prelog(void) _
37629 -
37630 - static void efi_call_phys_epilog(void) __releases(efi_rt_lock)
37631 - {
37632 -- unsigned long cr4;
37633 - struct Xgt_desc_struct gdt_descr;
37634 -
37635 -- gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
37636 -+ gdt_descr.address = get_cpu_gdt_table(0);
37637 - gdt_descr.size = GDT_SIZE - 1;
37638 - load_gdt(&gdt_descr);
37639 --
37640 -- cr4 = read_cr4();
37641 --
37642 -- if (cr4 & X86_CR4_PSE) {
37643 -- swapper_pg_dir[pgd_index(0)].pgd =
37644 -- efi_bak_pg_dir_pointer[0].pgd;
37645 -- } else {
37646 -- swapper_pg_dir[pgd_index(0)].pgd =
37647 -- efi_bak_pg_dir_pointer[0].pgd;
37648 -- swapper_pg_dir[pgd_index(0x400000)].pgd =
37649 -- efi_bak_pg_dir_pointer[1].pgd;
37650 -- }
37651 -+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
37652 -
37653 - /*
37654 - * After the lock is released, the original page table is restored.
37655 - */
37656 -- local_flush_tlb();
37657 -+ __flush_tlb_all();
37658 -
37659 - local_irq_restore(efi_rt_eflags);
37660 - spin_unlock(&efi_rt_lock);
37661 - }
37662 -
37663 --static efi_status_t
37664 -+static efi_status_t __init
37665 - phys_efi_set_virtual_address_map(unsigned long memory_map_size,
37666 - unsigned long descriptor_size,
37667 - u32 descriptor_version,
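Review bot: `gdt_descr.address = get_cpu_gdt_table(0);` drops the `(unsigned long)` cast, which only compiles if the `address` member of struct Xgt_desc_struct has been changed to a pointer type in a header hunk elsewhere in this patch, while the prelog above still assigns `__pa(get_cpu_gdt_table(0))`; both forms have to agree with that header change. Marking phys_efi_set_virtual_address_map `__init` pairs with moving efi_call_phys into __INIT below, so every caller must itself be init code.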
37668 -@@ -154,7 +120,7 @@ phys_efi_set_virtual_address_map(unsigne
37669 - return status;
37670 - }
37671 -
37672 --static efi_status_t
37673 -+static efi_status_t __init
37674 - phys_efi_get_time(efi_time_t *tm, efi_time_cap_t *tc)
37675 - {
37676 - efi_status_t status;
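Review bot: phys_efi_get_time is now `__init`, yet it is reached through the efi.get_time function pointer rather than by a direct call, so the section-mismatch checker cannot catch a late caller; if the physical-mode get_time is only installed during efi_init before the virtual entry points replace it, a comment at the function should say so, because that is the whole justification for `__init` here.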
37677 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/efi_stub.S linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S
37678 ---- linux-2.6.23.15/arch/i386/kernel/efi_stub.S 2007-10-09 21:31:38.000000000 +0100
37679 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/efi_stub.S 2008-02-11 10:37:44.000000000 +0000
37680 -@@ -6,6 +6,7 @@
37681 - */
37682 -
37683 - #include <linux/linkage.h>
37684 -+#include <linux/init.h>
37685 - #include <asm/page.h>
37686 -
37687 - /*
37688 -@@ -20,7 +21,7 @@
37689 - * service functions will comply with gcc calling convention, too.
37690 - */
37691 -
37692 --.text
37693 -+__INIT
37694 - ENTRY(efi_call_phys)
37695 - /*
37696 - * 0. The function can only be called in Linux kernel. So CS has been
37697 -@@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
37698 - * The mapping of lower virtual memory has been created in prelog and
37699 - * epilog.
37700 - */
37701 -- movl $1f, %edx
37702 -- subl $__PAGE_OFFSET, %edx
37703 -- jmp *%edx
37704 -+ jmp 1f-__PAGE_OFFSET
37705 - 1:
37706 -
37707 - /*
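Review bot: `jmp 1f-__PAGE_OFFSET` collapses the movl/subl/jmp *%edx sequence into one direct jump whose 32-bit relative displacement wraps around to land on the identity-mapped alias of label 1; this is correct on i386 because EIP arithmetic is modulo 2^32 and the low mapping was set up in prelog, but it is non-obvious enough to deserve a comment. It also no longer clobbers %edx, which is a real improvement.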
37708 -@@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
37709 - * parameter 2, ..., param n. To make things easy, we save the return
37710 - * address of efi_call_phys in a global variable.
37711 - */
37712 -- popl %edx
37713 -- movl %edx, saved_return_addr
37714 -- /* get the function pointer into ECX*/
37715 -- popl %ecx
37716 -- movl %ecx, efi_rt_function_ptr
37717 -- movl $2f, %edx
37718 -- subl $__PAGE_OFFSET, %edx
37719 -- pushl %edx
37720 -+ popl (saved_return_addr)
37721 -+ popl (efi_rt_function_ptr)
37722 -
37723 - /*
37724 - * 3. Clear PG bit in %CR0.
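Review bot: `popl (saved_return_addr)` and `popl (efi_rt_function_ptr)` store through the variables' virtual addresses, which is valid only because paging is still enabled at this point (PG is cleared in step 3 below); the step-5 call later addresses the same variable as `efi_rt_function_ptr-__PAGE_OFFSET` for exactly that reason. The two address forms for one variable are the crux of this stub and should be commented at both sites. The removed push of `2f-__PAGE_OFFSET` is no longer needed because step 5 becomes a real `call` instead of `jmp *%ecx`.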
37725 -@@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
37726 - /*
37727 - * 5. Call the physical function.
37728 - */
37729 -- jmp *%ecx
37730 -+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
37731 -
37732 --2:
37733 - /*
37734 - * 6. After EFI runtime service returns, control will return to
37735 - * following instruction. We'd better readjust stack pointer first.
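Review bot: replacing `jmp *%ecx` with `call *(efi_rt_function_ptr-__PAGE_OFFSET)` makes the EFI service return directly to the following instruction, so the removed `2:` label and the step-6 comment now agree. Note that the memory operand is read with paging off (hence the explicit physical address) and the return address pushed by `call` is itself a physical-mode address, which is fine only because paging is re-enabled by this same path after the return; a comment would make that ordering dependency explicit.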
37736 -@@ -88,34 +80,27 @@ ENTRY(efi_call_phys)
37737 - movl %cr0, %edx
37738 - orl $0x80000000, %edx
37739 - movl %edx, %cr0
37740 -- jmp 1f
37741 --1:
37742 -+
37743 - /*
37744 - * 8. Now restore the virtual mode from flat mode by
37745 - * adding EIP with PAGE_OFFSET.
37746 - */
37747 -- movl $1f, %edx
37748 -- jmp *%edx
37749 -+ jmp 1f+__PAGE_OFFSET
37750 - 1:
37751 -
37752 - /*
37753 - * 9. Balance the stack. And because EAX contain the return value,
37754 - * we'd better not clobber it.
37755 - */
37756 -- leal efi_rt_function_ptr, %edx
37757 -- movl (%edx), %ecx
37758 -- pushl %ecx
37759 -+ pushl (efi_rt_function_ptr)
37760 -
37761 - /*
37762 -- * 10. Push the saved return address onto the stack and return.
37763 -+ * 10. Return to the saved return address.
37764 - */
37765 -- leal saved_return_addr, %edx
37766 -- movl (%edx), %ecx
37767 -- pushl %ecx
37768 -- ret
37769 -+ jmpl *(saved_return_addr)
37770 - .previous
37771 -
37772 --.data
37773 -+__INITDATA
37774 - saved_return_addr:
37775 - .long 0
37776 - efi_rt_function_ptr:
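Review bot: the removed `jmp 1f / 1:` after `movl %edx, %cr0` was the conventional serializing jump right after enabling paging; the `jmp 1f+__PAGE_OFFSET` a few lines later now serves that purpose, but without a comment the deletion looks accidental. The stack stays balanced as before: `pushl (efi_rt_function_ptr)` re-pushes the argument the caller expects to pop, and `jmpl *(saved_return_addr)` replaces push+ret. With saved_return_addr and efi_rt_function_ptr now in __INITDATA, the stub must never run after init memory is freed, consistent with the __INIT change above; stating that lifetime in the header comment of this file would help.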
37777 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/entry.S linux-2.6.23.15-grsec/arch/i386/kernel/entry.S
37778 ---- linux-2.6.23.15/arch/i386/kernel/entry.S 2007-10-09 21:31:38.000000000 +0100
37779 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/entry.S 2008-02-11 10:37:44.000000000 +0000
37780 -@@ -97,7 +97,7 @@ VM_MASK = 0x00020000
37781 - #define resume_userspace_sig resume_userspace
37782 - #endif
37783 -
37784 --#define SAVE_ALL \
37785 -+#define __SAVE_ALL(_DS) \
37786 - cld; \
37787 - pushl %fs; \
37788 - CFI_ADJUST_CFA_OFFSET 4;\
37789 -@@ -129,12 +129,26 @@ VM_MASK = 0x00020000
37790 - pushl %ebx; \
37791 - CFI_ADJUST_CFA_OFFSET 4;\
37792 - CFI_REL_OFFSET ebx, 0;\
37793 -- movl $(__USER_DS), %edx; \
37794 -+ movl $(_DS), %edx; \
37795 - movl %edx, %ds; \
37796 - movl %edx, %es; \
37797 - movl $(__KERNEL_PERCPU), %edx; \
37798 - movl %edx, %fs
37799 -
37800 -+#ifdef CONFIG_PAX_KERNEXEC
37801 -+#define SAVE_ALL \
37802 -+ __SAVE_ALL(__KERNEL_DS); \
37803 -+ GET_CR0_INTO_EDX; \
37804 -+ movl %edx, %esi; \
37805 -+ orl $X86_CR0_WP, %edx; \
37806 -+ xorl %edx, %esi; \
37807 -+ SET_CR0_FROM_EDX
37808 -+#elif defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
37809 -+#define SAVE_ALL __SAVE_ALL(__KERNEL_DS)
37810 -+#else
37811 -+#define SAVE_ALL __SAVE_ALL(__USER_DS)
37812 -+#endif
37813 -+
37814 - #define RESTORE_INT_REGS \
37815 - popl %ebx; \
37816 - CFI_ADJUST_CFA_OFFSET -4;\
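Review bot: under CONFIG_PAX_KERNEXEC, SAVE_ALL now sets CR0.WP and leaves the old-versus-new difference in %esi (non-zero only if WP was clear on entry) so exit paths can restore it with one xor; because that state lives in a register, every assembly path between SAVE_ALL and the restoring `xorl %esi, %edx` must keep %esi intact (C callees preserve it under the i386 ABI). That invariant should be documented next to the macro. GET_CR0_INTO_EDX and SET_CR0_FROM_EDX are not defined in any hunk shown, so their definitions (including a paravirt-safe form) need to be in this patch.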
37817 -@@ -248,7 +262,17 @@ check_userspace:
37818 - movb PT_CS(%esp), %al
37819 - andl $(VM_MASK | SEGMENT_RPL_MASK), %eax
37820 - cmpl $USER_RPL, %eax
37821 -+
37822 -+#ifdef CONFIG_PAX_KERNEXEC
37823 -+ jae resume_userspace
37824 -+
37825 -+ GET_CR0_INTO_EDX
37826 -+ xorl %esi, %edx
37827 -+ SET_CR0_FROM_EDX
37828 -+ jmp resume_kernel
37829 -+#else
37830 - jb resume_kernel # not returning to v8086 or userspace
37831 -+#endif
37832 -
37833 - ENTRY(resume_userspace)
37834 - DISABLE_INTERRUPTS(CLBR_ANY) # make sure we don't miss an interrupt
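Review bot: with KERNEXEC the branch sense is inverted (`jae resume_userspace` instead of `jb resume_kernel`) so that only the return-to-kernel path restores the CR0.WP state saved in %esi; the return-to-userspace path intentionally leaves WP set, since no user context was ever inside an open-kernel window. That reasoning is not obvious from the code and should be a comment; the original `# not returning to v8086 or userspace` comment now only describes the #else branch.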
37835 -@@ -307,10 +331,9 @@ sysenter_past_esp:
37836 - /*CFI_REL_OFFSET cs, 0*/
37837 - /*
37838 - * Push current_thread_info()->sysenter_return to the stack.
37839 -- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
37840 -- * pushed above; +8 corresponds to copy_thread's esp0 setting.
37841 - */
37842 -- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
37843 -+ GET_THREAD_INFO(%ebp)
37844 -+ pushl TI_sysenter_return(%ebp)
37845 - CFI_ADJUST_CFA_OFFSET 4
37846 - CFI_REL_OFFSET eip, 0
37847 -
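Review bot: `GET_THREAD_INFO(%ebp)` replaces the fragile `TI_sysenter_return-THREAD_SIZE+8+4*4` offset arithmetic, but it clobbers %ebp, which at this point still holds the user stack pointer the sixth-argument load needs; this is only safe because the following hunk reloads it with `movl 12(%esp),%ebp` from the frame just pushed. A comment tying the two together would stop someone reordering them.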
37848 -@@ -318,9 +341,17 @@ sysenter_past_esp:
37849 - * Load the potential sixth argument from user stack.
37850 - * Careful about security.
37851 - */
37852 -+ movl 12(%esp),%ebp
37853 -+
37854 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
37855 -+ mov 16(%esp),%ds
37856 -+1: movl %ds:(%ebp),%ebp
37857 -+#else
37858 - cmpl $__PAGE_OFFSET-3,%ebp
37859 - jae syscall_fault
37860 - 1: movl (%ebp),%ebp
37861 -+#endif
37862 -+
37863 - .section __ex_table,"a"
37864 - .align 4
37865 - .long 1b,syscall_fault
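Review bot: under CONFIG_PAX_MEMORY_UDEREF the explicit `cmpl $__PAGE_OFFSET-3,%ebp / jae syscall_fault` range check is dropped and the user SS value at 16(%esp) is loaded into %ds so that the segment limit bounds the access instead; that relies on the exception-table entry `.long 1b,syscall_fault` also covering the #GP raised on a limit violation, not just a page fault, and on %ds being reloaded with __KERNEL_DS before any kernel code dereferences through it (the __SAVE_ALL(__KERNEL_DS) variant selected above does that, so SAVE_ALL must follow this load). Both assumptions deserve a comment.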
37866 -@@ -343,20 +374,37 @@ sysenter_past_esp:
37867 - movl TI_flags(%ebp), %ecx
37868 - testw $_TIF_ALLWORK_MASK, %cx
37869 - jne syscall_exit_work
37870 -+
37871 -+#ifdef CONFIG_PAX_RANDKSTACK
37872 -+ pushl %eax
37873 -+ CFI_ADJUST_CFA_OFFSET 4
37874 -+ call pax_randomize_kstack
37875 -+ popl %eax
37876 -+ CFI_ADJUST_CFA_OFFSET -4
37877 -+#endif
37878 -+
37879 - /* if something modifies registers it must also disable sysexit */
37880 - movl PT_EIP(%esp), %edx
37881 - movl PT_OLDESP(%esp), %ecx
37882 - xorl %ebp,%ebp
37883 - TRACE_IRQS_ON
37884 - 1: mov PT_FS(%esp), %fs
37885 -+2: mov PT_DS(%esp), %ds
37886 -+3: mov PT_ES(%esp), %es
37887 - ENABLE_INTERRUPTS_SYSEXIT
37888 - CFI_ENDPROC
37889 - .pushsection .fixup,"ax"
37890 --2: movl $0,PT_FS(%esp)
37891 -+4: movl $0,PT_FS(%esp)
37892 - jmp 1b
37893 -+5: movl $0,PT_DS(%esp)
37894 -+ jmp 2b
37895 -+6: movl $0,PT_ES(%esp)
37896 -+ jmp 3b
37897 - .section __ex_table,"a"
37898 - .align 4
37899 -- .long 1b,2b
37900 -+ .long 1b,4b
37901 -+ .long 2b,5b
37902 -+ .long 3b,6b
37903 - .popsection
37904 - ENDPROC(sysenter_entry)
37905 -
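Review bot: the `pushl %eax` / `popl %eax` around `call pax_randomize_kstack` is required because on the sysexit path %eax carries the syscall return value and is not reloaded from the frame; however PT_EIP(%esp) and PT_OLDESP(%esp) are read immediately afterwards with the same %esp, so pax_randomize_kstack must only adjust the kernel stack used by the next entry and must not move the current frame. Confirm that and say so in a comment. The new fixup labels 4/5/6 and the exception-table entries for the %ds/%es reloads are consistent with the renumbered 1/2/3 pairs.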
37906 -@@ -389,6 +437,10 @@ no_singlestep:
37907 - testw $_TIF_ALLWORK_MASK, %cx # current->work
37908 - jne syscall_exit_work
37909 -
37910 -+#ifdef CONFIG_PAX_RANDKSTACK
37911 -+ call pax_randomize_kstack
37912 -+#endif
37913 -+
37914 - restore_all:
37915 - movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS
37916 - # Warning: PT_OLDSS(%esp) contains the wrong/random values if we
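Review bot: unlike the sysenter path, this call to pax_randomize_kstack has no save/restore of %eax, which is fine because restore_all reloads every register from the pt_regs frame; since the asymmetry will look like an omission to the next reader, a one-line comment is warranted.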
37917 -@@ -552,17 +604,24 @@ syscall_badsys:
37918 - END(syscall_badsys)
37919 - CFI_ENDPROC
37920 -
37921 --#define FIXUP_ESPFIX_STACK \
37922 -- /* since we are on a wrong stack, we cant make it a C code :( */ \
37923 -- PER_CPU(gdt_page, %ebx); \
37924 -- GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah); \
37925 -- addl %esp, %eax; \
37926 -- pushl $__KERNEL_DS; \
37927 -- CFI_ADJUST_CFA_OFFSET 4; \
37928 -- pushl %eax; \
37929 -- CFI_ADJUST_CFA_OFFSET 4; \
37930 -- lss (%esp), %esp; \
37931 -+.macro FIXUP_ESPFIX_STACK
37932 -+ /* since we are on a wrong stack, we cant make it a C code :( */
37933 -+#ifdef CONFIG_SMP
37934 -+ movl PER_CPU_VAR(cpu_number), %ebx;
37935 -+ shll $PAGE_SHIFT_asm, %ebx;
37936 -+ addl $cpu_gdt_table, %ebx;
37937 -+#else
37938 -+ movl $cpu_gdt_table, %ebx;
37939 -+#endif
37940 -+ GET_DESC_BASE(GDT_ENTRY_ESPFIX_SS, %ebx, %eax, %ax, %al, %ah);
37941 -+ addl %esp, %eax;
37942 -+ pushl $__KERNEL_DS;
37943 -+ CFI_ADJUST_CFA_OFFSET 4;
37944 -+ pushl %eax;
37945 -+ CFI_ADJUST_CFA_OFFSET 4;
37946 -+ lss (%esp), %esp;
37947 - CFI_ADJUST_CFA_OFFSET -8;
37948 -+.endm
37949 - #define UNWIND_ESPFIX_STACK \
37950 - movl %ss, %eax; \
37951 - /* see if on espfix stack */ \
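Review bot: the conversion from a `#define` to a `.macro` leaves the trailing `;` on every line, which gas tolerates but which reads as leftover; please drop them. The SMP branch indexes the GDT as `cpu_gdt_table + (cpu_number << PAGE_SHIFT_asm)`, which hard-wires the one-GDT-page-per-CPU layout defined in head.S; a cross-referencing comment at both sites would keep them in step.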
37952 -@@ -579,7 +638,7 @@ END(syscall_badsys)
37953 - * Build the entry stubs and pointer table with
37954 - * some assembler magic.
37955 - */
37956 --.data
37957 -+.section .rodata,"a",@progbits
37958 - ENTRY(interrupt)
37959 - .text
37960 -
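Review bot: moving the `interrupt` pointer table from .data to .rodata is a sound hardening step, since a writable table of handler addresses is an obvious overwrite target; the `.text` directive right after it keeps the stub generation alternating between the two sections as before. A comment that the table is deliberately read-only would help.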
37961 -@@ -679,12 +738,21 @@ error_code:
37962 - popl %ecx
37963 - CFI_ADJUST_CFA_OFFSET -4
37964 - /*CFI_REGISTER es, ecx*/
37965 -+
37966 -+#ifdef CONFIG_PAX_KERNEXEC
37967 -+ GET_CR0_INTO_EDX
37968 -+ movl %edx, %esi
37969 -+ orl $X86_CR0_WP, %edx
37970 -+ xorl %edx, %esi
37971 -+ SET_CR0_FROM_EDX
37972 -+#endif
37973 -+
37974 - movl PT_FS(%esp), %edi # get the function address
37975 - movl PT_ORIG_EAX(%esp), %edx # get the error code
37976 - movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
37977 - mov %ecx, PT_FS(%esp)
37978 - /*CFI_REL_OFFSET fs, ES*/
37979 -- movl $(__USER_DS), %ecx
37980 -+ movl $(__KERNEL_DS), %ecx
37981 - movl %ecx, %ds
37982 - movl %ecx, %es
37983 - movl %esp,%eax # pt_regs pointer
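Review bot: the KERNEXEC block is placed before the loads of %edi and %edx, so its clobbering of %edx is harmless, but it also sets %esi, which must survive the later `call *%edi` into the C handler (it does, %esi being callee-saved) up to the restoring xor in check_userspace; this is the same register-carried invariant as in SAVE_ALL and should be commented here too. Separately, `movl $(__KERNEL_DS), %ecx` replaces __USER_DS unconditionally, whereas SAVE_ALL selects the segment per config; if the unconditional form is intended, say why, otherwise use the same conditional.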
37984 -@@ -818,6 +886,13 @@ nmi_stack_correct:
37985 - xorl %edx,%edx # zero error code
37986 - movl %esp,%eax # pt_regs pointer
37987 - call do_nmi
37988 -+
37989 -+#ifdef CONFIG_PAX_KERNEXEC
37990 -+ GET_CR0_INTO_EDX
37991 -+ xorl %esi, %edx
37992 -+ SET_CR0_FROM_EDX
37993 -+#endif
37994 -+
37995 - jmp restore_nocheck_notrace
37996 - CFI_ENDPROC
37997 -
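Review bot: the explicit CR0 restore before `jmp restore_nocheck_notrace` is needed because this path bypasses check_userspace, where the restore normally happens; it relies on %esi having been set by SAVE_ALL on NMI entry and preserved across do_nmi. Since an NMI can arrive inside an open-kernel window, this save/restore pairing is what keeps the interrupted window's WP state intact; worth a comment.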
37998 -@@ -858,6 +933,13 @@ nmi_espfix_stack:
37999 - FIXUP_ESPFIX_STACK # %eax == %esp
38000 - xorl %edx,%edx # zero error code
38001 - call do_nmi
38002 -+
38003 -+#ifdef CONFIG_PAX_KERNEXEC
38004 -+ GET_CR0_INTO_EDX
38005 -+ xorl %esi, %edx
38006 -+ SET_CR0_FROM_EDX
38007 -+#endif
38008 -+
38009 - RESTORE_REGS
38010 - lss 12+4(%esp), %esp # back to espfix stack
38011 - CFI_ADJUST_CFA_OFFSET -24
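Review bot: same restore as in nmi_stack_correct; FIXUP_ESPFIX_STACK above clobbers %ebx and %eax but not %esi, which is what keeps `xorl %esi, %edx` valid on this path. The five-line KERNEXEC restore now appears three times in this file (check_userspace and both NMI paths); factor it into a macro so the sequence cannot drift.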
38012 -@@ -1106,7 +1188,6 @@ ENDPROC(xen_failsafe_callback)
38013 -
38014 - #endif /* CONFIG_XEN */
38015 -
38016 --.section .rodata,"a"
38017 - #include "syscall_table.S"
38018 -
38019 - syscall_table_size=(.-sys_call_table)
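Review bot: deleting `.section .rodata,"a"` before `#include "syscall_table.S"` leaves sys_call_table in whatever section is current at that point in the file, which is not visible in this hunk; if the intent is to keep the table read-only (as the earlier `.section .rodata,"a",@progbits` for the interrupt table suggests), the section should be stated explicitly here rather than inherited.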
38020 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/head.S linux-2.6.23.15-grsec/arch/i386/kernel/head.S
38021 ---- linux-2.6.23.15/arch/i386/kernel/head.S 2007-10-09 21:31:38.000000000 +0100
38022 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/head.S 2008-02-11 10:37:44.000000000 +0000
38023 -@@ -18,6 +18,7 @@
38024 - #include <asm/thread_info.h>
38025 - #include <asm/asm-offsets.h>
38026 - #include <asm/setup.h>
38027 -+#include <asm/msr-index.h>
38028 -
38029 - /*
38030 - * References to members of the new_cpu_data structure.
38031 -@@ -51,17 +52,22 @@
38032 - */
38033 - LOW_PAGES = 1<<(32-PAGE_SHIFT_asm)
38034 -
38035 --#if PTRS_PER_PMD > 1
38036 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PMD) + PTRS_PER_PGD
38037 --#else
38038 --PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PGD)
38039 --#endif
38040 -+PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)
38041 - BOOTBITMAP_SIZE = LOW_PAGES / 8
38042 - ALLOCATOR_SLOP = 4
38043 -
38044 - INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE + (PAGE_TABLE_SIZE + ALLOCATOR_SLOP)*PAGE_SIZE_asm
38045 -
38046 - /*
38047 -+ * Real beginning of normal "text" segment
38048 -+ */
38049 -+ENTRY(stext)
38050 -+ENTRY(_stext)
38051 -+
38052 -+.section .text.startup,"ax",@progbits
38053 -+ ljmp $(__BOOT_CS),$phys_startup_32
38054 -+
38055 -+/*
38056 - * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
38057 - * %esi points to the real-mode code as a 32-bit pointer.
38058 - * CS and DS must be 4 GB flat segments, but we don't depend on
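Review bot: `PAGE_TABLE_SIZE = (LOW_PAGES / PTRS_PER_PTE)` drops the extra PTRS_PER_PGD pages the PAE formula reserved; that is only correct because the PAE page-middle directories are now statically allocated as swapper_pm_dir later in this file instead of being carved from the early allocator, and a comment should say so. The new `.section .text.startup` trampoline `ljmp $(__BOOT_CS),$phys_startup_32` references phys_startup_32, which must be defined by the linker-script change belonging to this patch.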
38059 -@@ -69,6 +75,12 @@ INIT_MAP_BEYOND_END = BOOTBITMAP_SIZE +
38060 - * can.
38061 - */
38062 - .section .text.head,"ax",@progbits
38063 -+
38064 -+#ifdef CONFIG_PAX_KERNEXEC
38065 -+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
38066 -+.fill 4096,1,0xcc
38067 -+#endif
38068 -+
38069 - ENTRY(startup_32)
38070 -
38071 - /*
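Review bot: filling the first 4096 bytes of .text.head with 0xcc turns a NULL function-pointer call in kernel mode into an int3 trap instead of execution of whatever happens to be mapped there, but only because KERNEXEC rebases __KERNEL_CS to KERNEL_TEXT_OFFSET (see the GDT edits in startup_32 below) so that code address 0 resolves to this page; the comment should mention that dependency, and the size should be expressed as PAGE_SIZE_asm rather than a literal 4096.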
38072 -@@ -82,6 +94,43 @@ ENTRY(startup_32)
38073 - movl %eax,%fs
38074 - movl %eax,%gs
38075 -
38076 -+ movl $__per_cpu_start,%eax
38077 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 2)
38078 -+ rorl $16,%eax
38079 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 4)
38080 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 7)
38081 -+ movl $__per_cpu_end + PERCPU_MODULE_RESERVE,%eax
38082 -+ subl $__per_cpu_start,%eax
38083 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_PERCPU + 0)
38084 -+
38085 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
38086 -+ /* check for VMware */
38087 -+ movl $0x564d5868,%eax
38088 -+ xorl %ebx,%ebx
38089 -+ movl $0xa,%ecx
38090 -+ movl $0x5658,%edx
38091 -+ in (%dx),%eax
38092 -+ cmpl $0x564d5868,%ebx
38093 -+ jz 1f
38094 -+
38095 -+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),%eax
38096 -+ movl %eax,(cpu_gdt_table - __PAGE_OFFSET + GDT_ENTRY_KERNEL_DS * 8 + 4)
38097 -+1:
38098 -+#endif
38099 -+
38100 -+#ifdef CONFIG_PAX_KERNEXEC
38101 -+ movl $KERNEL_TEXT_OFFSET,%eax
38102 -+ movw %ax,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 2)
38103 -+ rorl $16,%eax
38104 -+ movb %al,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 4)
38105 -+ movb %ah,(cpu_gdt_table - __PAGE_OFFSET + __KERNEL_CS + 7)
38106 -+
38107 -+ movb %al,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 4)
38108 -+ movb %ah,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 7)
38109 -+ rorl $16,%eax
38110 -+ movw %ax,(boot_gdt - __PAGE_OFFSET + __BOOT_CS + 2)
38111 -+#endif
38112 -+
38113 - /*
38114 - * Clear BSS first so that there are no surprises...
38115 - * No need to cld as DF is already clear from cld above...
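Review bot: the UDEREF block overwrites only the high dword of the kernel data descriptor with `(((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700`, i.e. an expand-down, 4K-granular data segment whose valid range starts at __PAGE_OFFSET, relying on the low dword keeping the 0xffff limit bits from the `0x00cf93000000ffff` template in cpu_gdt_table; that encoding needs a comment, and the VMware backdoor probe (port 0x5658, magic 0x564d5868) that skips it needs a comment on why VMware is excluded. The per-CPU and KERNEXEC CS descriptor edits are all manual byte-level writes of the base field; a small assembler macro for setting a descriptor base would remove the repeated +2/+4/+7 offsets.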
38116 -@@ -129,24 +178,42 @@ ENTRY(startup_32)
38117 - * Warning: don't use %esi or the stack in this code. However, %esp
38118 - * can be used as a GPR if you really need it...
38119 - */
38120 --page_pde_offset = (__PAGE_OFFSET >> 20);
38121 --
38122 -+#ifdef CONFIG_X86_PAE
38123 -+page_pde_offset = ((__PAGE_OFFSET >> 21) * (PAGE_SIZE_asm / PTRS_PER_PTE));
38124 -+#else
38125 -+page_pde_offset = ((__PAGE_OFFSET >> 22) * (PAGE_SIZE_asm / PTRS_PER_PTE));
38126 -+#endif
38127 - movl $(pg0 - __PAGE_OFFSET), %edi
38128 -+#ifdef CONFIG_X86_PAE
38129 -+ movl $(swapper_pm_dir - __PAGE_OFFSET), %edx
38130 -+#else
38131 - movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
38132 -- movl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
38133 -+#endif
38134 -+ movl $0x063, %eax /* 0x063 = PRESENT+RW+ACCESSED+DIRTY */
38135 - 10:
38136 -- leal 0x007(%edi),%ecx /* Create PDE entry */
38137 -+ leal 0x063(%edi),%ecx /* Create PDE entry */
38138 - movl %ecx,(%edx) /* Store identity PDE entry */
38139 - movl %ecx,page_pde_offset(%edx) /* Store kernel PDE entry */
38140 -+#ifdef CONFIG_X86_PAE
38141 -+ movl $0,4(%edx)
38142 -+ movl $0,page_pde_offset+4(%edx)
38143 -+ addl $8,%edx
38144 -+ movl $512, %ecx
38145 -+#else
38146 - addl $4,%edx
38147 - movl $1024, %ecx
38148 -+#endif
38149 - 11:
38150 - stosl
38151 -+#ifdef CONFIG_X86_PAE
38152 -+ movl $0,(%edi)
38153 -+ addl $4,%edi
38154 -+#endif
38155 - addl $0x1000,%eax
38156 - loop 11b
38157 - /* End condition: we must map up to and including INIT_MAP_BEYOND_END */
38158 -- /* bytes beyond the end of our own page tables; the +0x007 is the attribute bits */
38159 -- leal (INIT_MAP_BEYOND_END+0x007)(%edi),%ebp
38160 -+ /* bytes beyond the end of our own page tables; the +0x063 is the attribute bits */
38161 -+ leal (INIT_MAP_BEYOND_END+0x063)(%edi),%ebp
38162 - cmpl %ebp,%eax
38163 - jb 10b
38164 - movl %edi,(init_pg_tables_end - __PAGE_OFFSET)
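Review bot: changing the early PDE/PTE attributes from 0x007 to 0x063 drops the USER bit from the identity and kernel mappings, so the early page tables are no longer user-accessible, and presets ACCESSED+DIRTY so the CPU never needs to write these entries; both motivations belong in the comment, which currently only decodes the bits. In the PAE branch the high dword is explicitly zeroed (`movl $0,4(%edx)` and the extra `movl $0,(%edi)` after stosl), so NX is not set on these entries; that is fine because EFER.NXE is enabled only later in the cr4 section, but say so.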
38165 -@@ -167,10 +234,12 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
38166 - #endif
38167 -
38168 - /* Do an early initialization of the fixmap area */
38169 -- movl $(swapper_pg_dir - __PAGE_OFFSET), %edx
38170 -- movl $(swapper_pg_pmd - __PAGE_OFFSET), %eax
38171 -- addl $0x007, %eax /* 0x007 = PRESENT+RW+USER */
38172 -- movl %eax, 4092(%edx)
38173 -+ /* 0x067 = PRESENT+RW+USER+ACCESSED+DIRTY */
38174 -+#ifdef CONFIG_X86_PAE
38175 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pm_dir - __PAGE_OFFSET + 4096 - 8)
38176 -+#else
38177 -+ movl $(swapper_pg_pmd - __PAGE_OFFSET + 0x067), (swapper_pg_dir - __PAGE_OFFSET + 4096 - 4)
38178 -+#endif
38179 -
38180 - #ifdef CONFIG_SMP
38181 - ENTRY(startup_32_smp)
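Review bot: the fixmap PDE keeps the USER bit (0x067) while every other early entry was just changed to 0x063; if that is deliberate, the comment should say why. Also check the PAE offset: swapper_pm_dir is laid out below as four contiguous 512-entry pages, and the PDE for the top 2 MB of the address space is the last entry of the fourth page, whereas `swapper_pm_dir - __PAGE_OFFSET + 4096 - 8` addresses the last entry of the first page; the non-PAE `4096 - 4` form is the last of 1024 entries and is right.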
38182 -@@ -181,6 +250,11 @@ ENTRY(startup_32_smp)
38183 - movl %eax,%fs
38184 - movl %eax,%gs
38185 -
38186 -+ /* This is a secondary processor (AP) */
38187 -+ xorl %ebx,%ebx
38188 -+ incl %ebx
38189 -+#endif /* CONFIG_SMP */
38190 -+
38191 - /*
38192 - * New page tables may be in 4Mbyte page mode and may
38193 - * be using the global pages.
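Review bot: the `%ebx = 1` secondary-CPU marker is now set before the cr4/NX block it used to follow, which is why the PAE branch there parks it in %edi around cpuid (cpuid clobbers %ebx); a comment at this `incl %ebx` noting that %ebx stays live until checkCPUtype would explain the save.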
38194 -@@ -196,42 +270,47 @@ ENTRY(startup_32_smp)
38195 - * not yet offset PAGE_OFFSET..
38196 - */
38197 - #define cr4_bits mmu_cr4_features-__PAGE_OFFSET
38198 -+3:
38199 - movl cr4_bits,%edx
38200 - andl %edx,%edx
38201 -- jz 6f
38202 -+ jz 5f
38203 - movl %cr4,%eax # Turn on paging options (PSE,PAE,..)
38204 - orl %edx,%eax
38205 - movl %eax,%cr4
38206 -
38207 -- btl $5, %eax # check if PAE is enabled
38208 -- jnc 6f
38209 -+#ifdef CONFIG_X86_PAE
38210 -+ movl %ebx,%edi
38211 -
38212 - /* Check if extended functions are implemented */
38213 - movl $0x80000000, %eax
38214 - cpuid
38215 - cmpl $0x80000000, %eax
38216 -- jbe 6f
38217 -+ jbe 4f
38218 - mov $0x80000001, %eax
38219 - cpuid
38220 - /* Execute Disable bit supported? */
38221 - btl $20, %edx
38222 -- jnc 6f
38223 -+ jnc 4f
38224 -
38225 - /* Setup EFER (Extended Feature Enable Register) */
38226 -- movl $0xc0000080, %ecx
38227 -+ movl $MSR_EFER, %ecx
38228 - rdmsr
38229 -
38230 - btsl $11, %eax
38231 - /* Make changes effective */
38232 - wrmsr
38233 -
38234 --6:
38235 -- /* This is a secondary processor (AP) */
38236 -- xorl %ebx,%ebx
38237 -- incl %ebx
38238 -+ btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET
38239 -+ movl $1,nx_enabled-__PAGE_OFFSET
38240 -
38241 --#endif /* CONFIG_SMP */
38242 --3:
38243 -+#if !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
38244 -+ movl $0,disable_x86_sep-__PAGE_OFFSET
38245 -+#endif
38246 -+
38247 -+4:
38248 -+ movl %edi,%ebx
38249 -+#endif
38250 -+5:
38251 -
38252 - /*
38253 - * Enable paging
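Review bot: `btsl $63-32,__supported_pte_mask+4-__PAGE_OFFSET` and `movl $1,nx_enabled-__PAGE_OFFSET` set the NX bit of the supported PTE mask and nx_enabled directly from assembly, assuming a 64-bit little-endian __supported_pte_mask (true under CONFIG_X86_PAE) and that the stores are harmless when repeated by every AP; both assumptions should be commented. The `movl $0,disable_x86_sep-__PAGE_OFFSET` is unexplained: say why clearing disable_x86_sep belongs with NX detection and why it is skipped when SEGMEXEC, KERNEXEC or UDEREF is enabled.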
38254 -@@ -256,9 +335,7 @@ ENTRY(startup_32_smp)
38255 -
38256 - #ifdef CONFIG_SMP
38257 - andl %ebx,%ebx
38258 -- jz 1f /* Initial CPU cleans BSS */
38259 -- jmp checkCPUtype
38260 --1:
38261 -+ jnz checkCPUtype /* Initial CPU cleans BSS */
38262 - #endif /* CONFIG_SMP */
38263 -
38264 - /*
38265 -@@ -335,12 +412,12 @@ is386: movl $2,%ecx # set MP
38266 - ljmp $(__KERNEL_CS),$1f
38267 - 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
38268 - movl %eax,%ss # after changing gdt.
38269 -- movl %eax,%fs # gets reset once there's real percpu
38270 --
38271 -- movl $(__USER_DS),%eax # DS/ES contains default USER segment
38272 - movl %eax,%ds
38273 - movl %eax,%es
38274 -
38275 -+ movl $(__KERNEL_PERCPU), %eax
38276 -+ movl %eax,%fs # set this cpu's percpu
38277 -+
38278 - xorl %eax,%eax # Clear GS and LDT
38279 - movl %eax,%gs
38280 - lldt %ax
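Review bot: DS/ES are now loaded with __KERNEL_DS instead of __USER_DS, and %fs with __KERNEL_PERCPU for every CPU at this point rather than only for APs in the later hunk; this depends on the PERCPU entry (0xd8) of cpu_gdt_table already having its base set, which startup_32 does for the boot CPU but which the secondary-CPU path must do separately (not visible here). A note on where the AP's per-CPU base is written would close that gap.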
38281 -@@ -351,11 +428,7 @@ is386: movl $2,%ecx # set MP
38282 - movb ready, %cl
38283 - movb $1, ready
38284 - cmpb $0,%cl # the first CPU calls start_kernel
38285 -- je 1f
38286 -- movl $(__KERNEL_PERCPU), %eax
38287 -- movl %eax,%fs # set this cpu's percpu
38288 -- jmp initialize_secondary # all other CPUs call initialize_secondary
38289 --1:
38290 -+ jne initialize_secondary # all other CPUs call initialize_secondary
38291 - #endif /* CONFIG_SMP */
38292 - jmp start_kernel
38293 -
38294 -@@ -441,8 +514,8 @@ early_page_fault:
38295 - jmp early_fault
38296 -
38297 - early_fault:
38298 -- cld
38299 - #ifdef CONFIG_PRINTK
38300 -+ cld
38301 - movl $(__KERNEL_DS),%eax
38302 - movl %eax,%ds
38303 - movl %eax,%es
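Review bot: moving `cld` under CONFIG_PRINTK (here and in ignore_int below) is safe because without PRINTK neither path executes a string instruction, but it looks like an accidental move; either leave `cld` unconditional or add a comment.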
38304 -@@ -466,8 +539,8 @@ hlt_loop:
38305 - /* This is the default interrupt "handler" :-) */
38306 - ALIGN
38307 - ignore_int:
38308 -- cld
38309 - #ifdef CONFIG_PRINTK
38310 -+ cld
38311 - pushl %eax
38312 - pushl %ecx
38313 - pushl %edx
38314 -@@ -498,31 +571,58 @@ ignore_int:
38315 - #endif
38316 - iret
38317 -
38318 --.section .text
38319 --/*
38320 -- * Real beginning of normal "text" segment
38321 -- */
38322 --ENTRY(stext)
38323 --ENTRY(_stext)
38324 --
38325 - /*
38326 - * BSS section
38327 - */
38328 --.section ".bss.page_aligned","wa"
38329 -+.section .swapper_pg_dir,"a",@progbits
38330 - .align PAGE_SIZE_asm
38331 - ENTRY(swapper_pg_dir)
38332 -+#ifdef CONFIG_X86_PAE
38333 -+ .long swapper_pm_dir-__PAGE_OFFSET+1
38334 -+ .long 0
38335 -+ .long swapper_pm_dir+512*8-__PAGE_OFFSET+1
38336 -+ .long 0
38337 -+ .long swapper_pm_dir+512*16-__PAGE_OFFSET+1
38338 -+ .long 0
38339 -+ .long swapper_pm_dir+512*24-__PAGE_OFFSET+1
38340 -+ .long 0
38341 -+#else
38342 - .fill 1024,4,0
38343 -+#endif
38344 -+
38345 -+.section .swapper_pm_dir,"a",@progbits
38346 -+#ifdef CONFIG_X86_PAE
38347 -+ENTRY(swapper_pm_dir)
38348 -+ .fill 512,8,0
38349 -+ .fill 512,8,0
38350 -+ .fill 512,8,0
38351 -+ .fill 512,8,0
38352 -+#endif
38353 -+
38354 - ENTRY(swapper_pg_pmd)
38355 - .fill 1024,4,0
38356 -+
38357 -+.section .empty_zero_page,"a",@progbits
38358 - ENTRY(empty_zero_page)
38359 - .fill 4096,1,0
38360 -
38361 - /*
38362 -+ * The IDT has to be page-aligned to simplify the Pentium
38363 -+ * F0 0F bug workaround.. We have a special link segment
38364 -+ * for this.
38365 -+ */
38366 -+.section .idt,"a",@progbits
38367 -+ENTRY(idt_table)
38368 -+ .fill 256,8,0
38369 -+
38370 -+/*
38371 - * This starts the data section.
38372 - */
38373 - .data
38374 -+
38375 -+.section .rodata,"a",@progbits
38376 - ENTRY(stack_start)
38377 -- .long init_thread_union+THREAD_SIZE
38378 -+ .long init_thread_union+THREAD_SIZE-8
38379 - .long __BOOT_DS
38380 -
38381 - ready: .byte 0
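Review bot: the `.data` directive immediately followed by `.section .rodata,"a",@progbits` is now dead, and the `This starts the data section.` comment above it is misleading; drop both. Placing stack_start in .rodata turns the SMP boot code's per-AP update of it into a write to read-only memory under KERNEXEC, so that writer must now open the kernel for writing; please confirm it was adjusted. The `init_thread_union+THREAD_SIZE-8` change deserves a comment on what the 8 bytes are reserved for, and the new .swapper_pg_dir, .swapper_pm_dir, .empty_zero_page and .idt sections all need matching linker-script entries outside this hunk.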
38382 -@@ -565,7 +665,7 @@ idt_descr:
38383 - .word 0 # 32 bit align gdt_desc.address
38384 - ENTRY(early_gdt_descr)
38385 - .word GDT_ENTRIES*8-1
38386 -- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
38387 -+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
38388 -
38389 - /*
38390 - * The boot_gdt must mirror the equivalent in setup.S and is
38391 -@@ -574,5 +674,61 @@ ENTRY(early_gdt_descr)
38392 - .align L1_CACHE_BYTES
38393 - ENTRY(boot_gdt)
38394 - .fill GDT_ENTRY_BOOT_CS,8,0
38395 -- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
38396 -- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
38397 -+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
38398 -+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
38399 -+
38400 -+ .align PAGE_SIZE_asm
38401 -+ENTRY(cpu_gdt_table)
38402 -+ .quad 0x0000000000000000 /* NULL descriptor */
38403 -+ .quad 0x0000000000000000 /* 0x0b reserved */
38404 -+ .quad 0x0000000000000000 /* 0x13 reserved */
38405 -+ .quad 0x0000000000000000 /* 0x1b reserved */
38406 -+ .quad 0x0000000000000000 /* 0x20 unused */
38407 -+ .quad 0x0000000000000000 /* 0x28 unused */
38408 -+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
38409 -+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
38410 -+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
38411 -+ .quad 0x0000000000000000 /* 0x4b reserved */
38412 -+ .quad 0x0000000000000000 /* 0x53 reserved */
38413 -+ .quad 0x0000000000000000 /* 0x5b reserved */
38414 -+
38415 -+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
38416 -+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
38417 -+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
38418 -+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
38419 -+
38420 -+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
38421 -+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
38422 -+
38423 -+ /*
38424 -+ * Segments used for calling PnP BIOS have byte granularity.
38425 -+ * The code segments and data segments have fixed 64k limits,
38426 -+ * the transfer segment sizes are set at run time.
38427 -+ */
38428 -+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
38429 -+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
38430 -+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
38431 -+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
38432 -+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
38433 -+
38434 -+ /*
38435 -+ * The APM segments have byte granularity and their bases
38436 -+ * are set at run time. All have 64k limits.
38437 -+ */
38438 -+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
38439 -+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
38440 -+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
38441 -+
38442 -+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
38443 -+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
38444 -+ .quad 0x0000000000000000 /* 0xe0 - PCIBIOS_CS */
38445 -+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_DS */
38446 -+ .quad 0x0000000000000000 /* 0xf0 - unused */
38447 -+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
38448 -+
38449 -+ /* Be sure this is zeroed to avoid false validations in Xen */
38450 -+ .fill PAGE_SIZE_asm - GDT_ENTRIES,1,0
38451 -+
38452 -+#ifdef CONFIG_SMP
38453 -+ .fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0 /* other CPU's GDT */
38454 -+#endif
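Review bot: `.fill PAGE_SIZE_asm - GDT_ENTRIES,1,0` pads by PAGE_SIZE minus the entry count in bytes, but the table occupies GDT_ENTRIES*8 bytes, so the boot CPU's GDT region ends up GDT_ENTRIES*7 bytes larger than one page; the `cpu_number << PAGE_SHIFT_asm` indexing in entry.S still works only because the excess is zero padding, and the one-page-per-CPU accounting implied by `.fill (NR_CPUS-1) * (PAGE_SIZE_asm),1,0` is off by that amount. The pad should be `PAGE_SIZE_asm - GDT_ENTRIES*8` bytes. The boot descriptors changing from 0x9a/0x92 to 0x9b/0x93 preset the accessed bit so the CPU never has to write the GDT, which matters once it lives in read-only memory; add that as a comment.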
38455 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/hpet.c linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c
38456 ---- linux-2.6.23.15/arch/i386/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
38457 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
38458 -@@ -96,7 +96,7 @@ static void hpet_reserve_platform_timers
38459 - hd.hd_irq[1] = HPET_LEGACY_RTC;
38460 -
38461 - for (i = 2; i < nrtimers; timer++, i++)
38462 -- hd.hd_irq[i] = (timer->hpet_config & Tn_INT_ROUTE_CNF_MASK) >>
38463 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) & Tn_INT_ROUTE_CNF_MASK) >>
38464 - Tn_INT_ROUTE_CNF_SHIFT;
38465 -
38466 - hpet_alloc(&hd);
38467 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c
38468 ---- linux-2.6.23.15/arch/i386/kernel/i386_ksyms.c 2007-10-09 21:31:38.000000000 +0100
38469 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/i386_ksyms.c 2008-02-11 10:37:44.000000000 +0000
38470 -@@ -2,12 +2,16 @@
38471 - #include <asm/checksum.h>
38472 - #include <asm/desc.h>
38473 -
38474 -+EXPORT_SYMBOL_GPL(cpu_gdt_table);
38475 -+
38476 - EXPORT_SYMBOL(__down_failed);
38477 - EXPORT_SYMBOL(__down_failed_interruptible);
38478 - EXPORT_SYMBOL(__down_failed_trylock);
38479 - EXPORT_SYMBOL(__up_wakeup);
38480 - /* Networking helper routines. */
38481 - EXPORT_SYMBOL(csum_partial_copy_generic);
38482 -+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
38483 -+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
38484 -
38485 - EXPORT_SYMBOL(__get_user_1);
38486 - EXPORT_SYMBOL(__get_user_2);
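Review bot: the new exports csum_partial_copy_generic_to_user and csum_partial_copy_generic_from_user, and the GPL-only export of cpu_gdt_table, reference symbols not defined in any hunk shown; the checksum split must come with a matching lib change elsewhere in this patch, and exporting the GDT at all deserves a comment naming which module needs it.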
38487 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/i8259.c linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c
38488 ---- linux-2.6.23.15/arch/i386/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
38489 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
38490 -@@ -350,7 +350,7 @@ static irqreturn_t math_error_irq(int cp
38491 - * New motherboards sometimes make IRQ 13 be a PCI interrupt,
38492 - * so allow interrupt sharing.
38493 - */
38494 --static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL };
38495 -+static struct irqaction fpu_irq = { math_error_irq, 0, CPU_MASK_NONE, "fpu", NULL, NULL, 0, NULL };
38496 -
38497 - void __init init_ISA_irqs (void)
38498 - {
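Review bot: extending the positional initializer with `0, NULL` to cover the trailing irq and dir members silences the missing-initializer warning but will break again the next time struct irqaction grows; prefer designated initializers, e.g. `{ .handler = math_error_irq, .mask = CPU_MASK_NONE, .name = "fpu" }`, which need no change for new members.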
38499 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/init_task.c linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c
38500 ---- linux-2.6.23.15/arch/i386/kernel/init_task.c 2007-10-09 21:31:38.000000000 +0100
38501 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/init_task.c 2008-02-11 10:37:44.000000000 +0000
38502 -@@ -42,5 +42,5 @@ EXPORT_SYMBOL(init_task);
38503 - * per-CPU TSS segments. Threads are completely 'soft' on Linux,
38504 - * no more per-task TSS's.
38505 - */
38506 --DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
38507 -+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
38508 -
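Review bot: replacing the per-CPU init_tss with a static `init_tss[NR_CPUS]` array allocates NR_CPUS copies of struct tss_struct (each with its I/O bitmap) at link time regardless of how many CPUs are present, and every user of `per_cpu(init_tss, ...)` must be converted to `init_tss + cpu` indexing as the ioport.c hunk below does; the reason for abandoning the per-CPU form should be stated in a comment, since it is not obvious from this one-line change.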
38509 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ioport.c linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c
38510 ---- linux-2.6.23.15/arch/i386/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
38511 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
38512 -@@ -16,6 +16,7 @@
38513 - #include <linux/slab.h>
38514 - #include <linux/thread_info.h>
38515 - #include <linux/syscalls.h>
38516 -+#include <linux/grsecurity.h>
38517 -
38518 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
38519 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
38520 -@@ -64,9 +65,16 @@ asmlinkage long sys_ioperm(unsigned long
38521 -
38522 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
38523 - return -EINVAL;
38524 -+#ifdef CONFIG_GRKERNSEC_IO
38525 -+ if (turn_on) {
38526 -+ gr_handle_ioperm();
38527 -+#else
38528 - if (turn_on && !capable(CAP_SYS_RAWIO))
38529 -+#endif
38530 - return -EPERM;
38531 --
38532 -+#ifdef CONFIG_GRKERNSEC_IO
38533 -+ }
38534 -+#endif
38535 - /*
38536 - * If it's the first ioperm() call in this thread's lifetime, set the
38537 - * IO bitmap up. ioperm() is much less timing critical than clone(),
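Review bot: the `if (turn_on) {` brace is opened inside one `#ifdef CONFIG_GRKERNSEC_IO` block and closed inside another, with the shared `return -EPERM;` between them; this compiles but is brittle and hard to read. Restructure so each branch is complete inside its own block, i.e. under GRKERNSEC_IO `if (turn_on) { gr_handle_ioperm(); return -EPERM; }` and under #else the existing capability check. Note the behaviour change: with GRKERNSEC_IO, enabling port access is refused even for CAP_SYS_RAWIO holders, while disabling (turn_on == 0) still passes through.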
38538 -@@ -89,7 +97,7 @@ asmlinkage long sys_ioperm(unsigned long
38539 - * because the ->io_bitmap_max value must match the bitmap
38540 - * contents:
38541 - */
38542 -- tss = &per_cpu(init_tss, get_cpu());
38543 -+ tss = init_tss + get_cpu();
38544 -
38545 - set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
38546 -
38547 -@@ -143,8 +151,13 @@ asmlinkage long sys_iopl(unsigned long u
38548 - return -EINVAL;
38549 - /* Trying to gain more privileges? */
38550 - if (level > old) {
38551 -+#ifdef CONFIG_GRKERNSEC_IO
38552 -+ gr_handle_iopl();
38553 -+ return -EPERM;
38554 -+#else
38555 - if (!capable(CAP_SYS_RAWIO))
38556 - return -EPERM;
38557 -+#endif
38558 - }
38559 - t->iopl = level << 12;
38560 - regs->eflags = (regs->eflags & ~X86_EFLAGS_IOPL) | t->iopl;
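Review bot: this GRKERNSEC_IO branch is cleanly self-contained, which is the shape the sys_ioperm hunk above should follow. As with ioperm, raising the I/O privilege level is now refused unconditionally under this option, so gr_handle_iopl() is the only record of the attempt; since iopl() can be called by any process, make sure its logging is rate-limited.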
38561 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/irq.c linux-2.6.23.15-grsec/arch/i386/kernel/irq.c
38562 ---- linux-2.6.23.15/arch/i386/kernel/irq.c 2007-10-09 21:31:38.000000000 +0100
38563 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/irq.c 2008-02-11 10:37:44.000000000 +0000
38564 -@@ -117,7 +117,7 @@ fastcall unsigned int do_IRQ(struct pt_r
38565 - int arg1, arg2, ebx;
38566 -
38567 - /* build the stack frame on the IRQ stack */
38568 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
38569 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
38570 - irqctx->tinfo.task = curctx->tinfo.task;
38571 - irqctx->tinfo.previous_esp = current_stack_pointer;
38572 -
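Review bot: `- 2` reserves two 32-bit slots at the top of the IRQ stack before the frame is built, and the same adjustment appears in do_softirq below, but neither site says what the slots are for; add a comment explaining the reservation so the two stay in sync.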
38573 -@@ -213,7 +213,7 @@ asmlinkage void do_softirq(void)
38574 - irqctx->tinfo.previous_esp = current_stack_pointer;
38575 -
38576 - /* build the stack frame on the softirq stack */
38577 -- isp = (u32*) ((char*)irqctx + sizeof(*irqctx));
38578 -+ isp = (u32*) ((char*)irqctx + sizeof(*irqctx)) - 2;
38579 -
38580 - asm volatile(
38581 - " xchgl %%ebx,%%esp \n"
38582 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/kprobes.c linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c
38583 ---- linux-2.6.23.15/arch/i386/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
38584 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/kprobes.c 2008-02-11 10:37:44.000000000 +0000
38585 -@@ -49,9 +49,24 @@ static __always_inline void set_jmp_op(v
38586 - char op;
38587 - long raddr;
38588 - } __attribute__((packed)) *jop;
38589 -- jop = (struct __arch_jmp_op *)from;
38590 -+
38591 -+#ifdef CONFIG_PAX_KERNEXEC
38592 -+ unsigned long cr0;
38593 -+#endif
38594 -+
38595 -+ jop = (struct __arch_jmp_op *)(from + __KERNEL_TEXT_OFFSET);
38596 -+
38597 -+#ifdef CONFIG_PAX_KERNEXEC
38598 -+ pax_open_kernel(cr0);
38599 -+#endif
38600 -+
38601 - jop->raddr = (long)(to) - ((long)(from) + 5);
38602 - jop->op = RELATIVEJUMP_INSTRUCTION;
38603 -+
38604 -+#ifdef CONFIG_PAX_KERNEXEC
38605 -+ pax_close_kernel(cr0);
38606 -+#endif
38607 -+
38608 - }
38609 -
38610 - /*
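Review bot: in set_jmp_op() the jump is written through `from + __KERNEL_TEXT_OFFSET` while `raddr` is still computed from the bare `from`. That is correct (the displacement has to be relative to the address the CPU executes, not to the writable alias), but the two values look alike, so a comment on the `jop =` line pointing this out would stop someone from "fixing" the raddr line later. The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window covers only the two stores, which is the right shape.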
38611 -@@ -153,14 +168,28 @@ static int __kprobes is_IF_modifier(kpro
38612 -
38613 - int __kprobes arch_prepare_kprobe(struct kprobe *p)
38614 - {
38615 -+
38616 -+#ifdef CONFIG_PAX_KERNEXEC
38617 -+ unsigned long cr0;
38618 -+#endif
38619 -+
38620 - /* insn: must be on special executable page on i386. */
38621 - p->ainsn.insn = get_insn_slot();
38622 - if (!p->ainsn.insn)
38623 - return -ENOMEM;
38624 -
38625 -- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
38626 -- p->opcode = *p->addr;
38627 -- if (can_boost(p->addr)) {
38628 -+#ifdef CONFIG_PAX_KERNEXEC
38629 -+ pax_open_kernel(cr0);
38630 -+#endif
38631 -+
38632 -+ memcpy(p->ainsn.insn, p->addr + __KERNEL_TEXT_OFFSET, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
38633 -+
38634 -+#ifdef CONFIG_PAX_KERNEXEC
38635 -+ pax_close_kernel(cr0);
38636 -+#endif
38637 -+
38638 -+ p->opcode = *(p->addr + __KERNEL_TEXT_OFFSET);
38639 -+ if (can_boost(p->addr + __KERNEL_TEXT_OFFSET)) {
38640 - p->ainsn.boostable = 0;
38641 - } else {
38642 - p->ainsn.boostable = -1;
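Review bot: after this hunk `p->addr` holds an execution address that is read via `+ __KERNEL_TEXT_OFFSET`, while `p->ainsn.insn` holds a writable-alias address that the following hunks execute via `- __KERNEL_TEXT_OFFSET`, yet both are plain `kprobe_opcode_t *`. That convention is stated nowhere; a comment in arch_prepare_kprobe() naming which alias each pointer lives in would prevent the sign errors this pattern invites. The pax_open_kernel() window around the memcpy() into the insn slot is the only write and is correctly scoped.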
38643 -@@ -219,7 +248,7 @@ static void __kprobes prepare_singlestep
38644 - if (p->opcode == BREAKPOINT_INSTRUCTION)
38645 - regs->eip = (unsigned long)p->addr;
38646 - else
38647 -- regs->eip = (unsigned long)p->ainsn.insn;
38648 -+ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38649 - }
38650 -
38651 - /* Called with kretprobe_lock held */
38652 -@@ -325,7 +354,7 @@ ss_probe:
38653 - if (p->ainsn.boostable == 1 && !p->post_handler){
38654 - /* Boost up -- we can execute copied instructions directly */
38655 - reset_current_kprobe();
38656 -- regs->eip = (unsigned long)p->ainsn.insn;
38657 -+ regs->eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38658 - preempt_enable_no_resched();
38659 - return 1;
38660 - }
38661 -@@ -475,7 +504,7 @@ static void __kprobes resume_execution(s
38662 - struct pt_regs *regs, struct kprobe_ctlblk *kcb)
38663 - {
38664 - unsigned long *tos = (unsigned long *)&regs->esp;
38665 -- unsigned long copy_eip = (unsigned long)p->ainsn.insn;
38666 -+ unsigned long copy_eip = (unsigned long)p->ainsn.insn - __KERNEL_TEXT_OFFSET;
38667 - unsigned long orig_eip = (unsigned long)p->addr;
38668 -
38669 - regs->eflags &= ~TF_MASK;
38670 -@@ -648,7 +677,7 @@ int __kprobes kprobe_exceptions_notify(s
38671 - struct die_args *args = (struct die_args *)data;
38672 - int ret = NOTIFY_DONE;
38673 -
38674 -- if (args->regs && user_mode_vm(args->regs))
38675 -+ if (args->regs && user_mode(args->regs))
38676 - return ret;
38677 -
38678 - switch (val) {
38679 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ldt.c linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c
38680 ---- linux-2.6.23.15/arch/i386/kernel/ldt.c 2007-10-09 21:31:38.000000000 +0100
38681 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ldt.c 2008-02-11 10:37:44.000000000 +0000
38682 -@@ -58,7 +58,7 @@ static int alloc_ldt(mm_context_t *pc, i
38683 - #ifdef CONFIG_SMP
38684 - cpumask_t mask;
38685 - preempt_disable();
38686 -- load_LDT(pc);
38687 -+ load_LDT_nolock(pc);
38688 - mask = cpumask_of_cpu(smp_processor_id());
38689 - if (!cpus_equal(current->mm->cpu_vm_mask, mask))
38690 - smp_call_function(flush_ldt, NULL, 1, 1);
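Review bot: switching alloc_ldt() to load_LDT_nolock() implies that load_LDT() now takes a lock the caller already holds (preemption is already disabled here, and the other paths in this file run under mm->context.sem, as the `down()` / `up()` calls in the later hunks show). The `_nolock` variant is not defined in this file, so confirm that the lock it skips is the one held at this point and not a new one introduced elsewhere in the patch.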
38691 -@@ -102,6 +102,22 @@ int init_new_context(struct task_struct
38692 - retval = copy_ldt(&mm->context, &old_mm->context);
38693 - up(&old_mm->context.sem);
38694 - }
38695 -+
38696 -+ if (tsk == current) {
38697 -+ mm->context.vdso = ~0UL;
38698 -+
38699 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
38700 -+ mm->context.user_cs_base = 0UL;
38701 -+ mm->context.user_cs_limit = ~0UL;
38702 -+
38703 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
38704 -+ cpus_clear(mm->context.cpu_user_cs_mask);
38705 -+#endif
38706 -+
38707 -+#endif
38708 -+
38709 -+ }
38710 -+
38711 - return retval;
38712 - }
38713 -
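Review bot: the new `if (tsk == current)` block in init_new_context() has no comment explaining the condition. Presumably it separates the exec path (a fresh mm for the running task, where the vdso is not yet mapped and the PaX code-segment base/limit must be reset to the full range) from the fork path, where the copied mm_struct already carries valid values. If that is the reason, say so; otherwise a reader will wonder why a newly created mm gets `vdso = ~0UL` only sometimes.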
38714 -@@ -212,6 +228,13 @@ static int write_ldt(void __user * ptr,
38715 - }
38716 - }
38717 -
38718 -+#ifdef CONFIG_PAX_SEGMEXEC
38719 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
38720 -+ error = -EINVAL;
38721 -+ goto out_unlock;
38722 -+ }
38723 -+#endif
38724 -+
38725 - entry_1 = LDT_entry_a(&ldt_info);
38726 - entry_2 = LDT_entry_b(&ldt_info);
38727 - if (oldmode)
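Review bot: this SEGMEXEC check in write_ldt() (reject an LDT entry with MODIFY_LDT_CONTENTS_CODE when MF_PAX_SEGMEXEC is set) is repeated almost verbatim in copy_thread(), sys_set_thread_area() and ptrace_set_thread_area() later in this patch, each time with a different exit (`goto out_unlock`, `goto out`, `return -EINVAL`) and a different mm (`mm`, `current->mm`, `child->mm`). A small inline helper taking the mm and the user_desc would keep the four copies in sync and make the per-call-site mm choice visible.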
38728 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/machine_kexec.c linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c
38729 ---- linux-2.6.23.15/arch/i386/kernel/machine_kexec.c 2007-10-09 21:31:38.000000000 +0100
38730 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/machine_kexec.c 2008-02-11 10:37:44.000000000 +0000
38731 -@@ -29,25 +29,25 @@ static u32 kexec_pmd1[1024] PAGE_ALIGNED
38732 - static u32 kexec_pte0[1024] PAGE_ALIGNED;
38733 - static u32 kexec_pte1[1024] PAGE_ALIGNED;
38734 -
38735 --static void set_idt(void *newidt, __u16 limit)
38736 -+static void set_idt(struct desc_struct *newidt, __u16 limit)
38737 - {
38738 - struct Xgt_desc_struct curidt;
38739 -
38740 - /* ia32 supports unaliged loads & stores */
38741 - curidt.size = limit;
38742 -- curidt.address = (unsigned long)newidt;
38743 -+ curidt.address = newidt;
38744 -
38745 - load_idt(&curidt);
38746 - };
38747 -
38748 -
38749 --static void set_gdt(void *newgdt, __u16 limit)
38750 -+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
38751 - {
38752 - struct Xgt_desc_struct curgdt;
38753 -
38754 - /* ia32 supports unaligned loads & stores */
38755 - curgdt.size = limit;
38756 -- curgdt.address = (unsigned long)newgdt;
38757 -+ curgdt.address = newgdt;
38758 -
38759 - load_gdt(&curgdt);
38760 - };
38761 -@@ -110,10 +110,10 @@ NORET_TYPE void machine_kexec(struct kim
38762 - local_irq_disable();
38763 -
38764 - control_page = page_address(image->control_code_page);
38765 -- memcpy(control_page, relocate_kernel, PAGE_SIZE);
38766 -+ memcpy(control_page, relocate_kernel + __KERNEL_TEXT_OFFSET, PAGE_SIZE);
38767 -
38768 - page_list[PA_CONTROL_PAGE] = __pa(control_page);
38769 -- page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel;
38770 -+ page_list[VA_CONTROL_PAGE] = (unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET;
38771 - page_list[PA_PGD] = __pa(kexec_pgd);
38772 - page_list[VA_PGD] = (unsigned long)kexec_pgd;
38773 - #ifdef CONFIG_X86_PAE
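Review bot: `relocate_kernel + __KERNEL_TEXT_OFFSET` does arithmetic on a function designator, which is a GCC extension (sizeof a function is taken as 1); two lines below the same address is formed as `(unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET`, which is the portable form. Use that for the memcpy() source as well, e.g. `memcpy(control_page, (void *)((unsigned long)relocate_kernel + __KERNEL_TEXT_OFFSET), PAGE_SIZE);`, and add a comment on why the source must be read through the writable alias, since the same pattern recurs in kprobes.c and paravirt.c without explanation anywhere.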
38774 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/module.c linux-2.6.23.15-grsec/arch/i386/kernel/module.c
38775 ---- linux-2.6.23.15/arch/i386/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
38776 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
38777 -@@ -23,6 +23,8 @@
38778 - #include <linux/kernel.h>
38779 - #include <linux/bug.h>
38780 -
38781 -+#include <asm/desc.h>
38782 -+
38783 - #if 0
38784 - #define DEBUGP printk
38785 - #else
38786 -@@ -33,9 +35,30 @@ void *module_alloc(unsigned long size)
38787 - {
38788 - if (size == 0)
38789 - return NULL;
38790 -+
38791 -+#ifdef CONFIG_PAX_KERNEXEC
38792 -+ return vmalloc(size);
38793 -+#else
38794 - return vmalloc_exec(size);
38795 -+#endif
38796 -+
38797 - }
38798 -
38799 -+#ifdef CONFIG_PAX_KERNEXEC
38800 -+void *module_alloc_exec(unsigned long size)
38801 -+{
38802 -+ struct vm_struct *area;
38803 -+
38804 -+ if (size == 0)
38805 -+ return NULL;
38806 -+
38807 -+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_VADDR, (unsigned long)&MODULES_END);
38808 -+ if (area)
38809 -+ return area->addr;
38810 -+
38811 -+ return NULL;
38812 -+}
38813 -+#endif
38814 -
38815 - /* Free memory returned from module_alloc */
38816 - void module_free(struct module *mod, void *module_region)
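Review bot: under CONFIG_PAX_KERNEXEC module_alloc_exec() only reserves address space with __get_vm_area() between `&MODULES_VADDR` and `&MODULES_END`; it maps no pages. That can only work if the whole range is already mapped and executable at boot, which the linker-symbol form `(unsigned long)&MODULES_VADDR` suggests, and it caps the total size of loaded module text at that region. Both facts belong in a comment. Note also that module_alloc() now returns non-executable vmalloc() memory under KERNEXEC, so the module loader must route code sections to module_alloc_exec(); that caller-side change is not in this file and should be confirmed.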
38817 -@@ -45,6 +68,45 @@ void module_free(struct module *mod, voi
38818 - table entries. */
38819 - }
38820 -
38821 -+#ifdef CONFIG_PAX_KERNEXEC
38822 -+void module_free_exec(struct module *mod, void *module_region)
38823 -+{
38824 -+ struct vm_struct **p, *tmp;
38825 -+
38826 -+ if (!module_region)
38827 -+ return;
38828 -+
38829 -+ if ((PAGE_SIZE-1) & (unsigned long)module_region) {
38830 -+ printk(KERN_ERR "Trying to module_free_exec() bad address (%p)\n", module_region);
38831 -+ WARN_ON(1);
38832 -+ return;
38833 -+ }
38834 -+
38835 -+ write_lock(&vmlist_lock);
38836 -+ for (p = &vmlist; (tmp = *p) != NULL; p = &tmp->next)
38837 -+ if (tmp->addr == module_region)
38838 -+ break;
38839 -+
38840 -+ if (tmp) {
38841 -+ unsigned long cr0;
38842 -+
38843 -+ pax_open_kernel(cr0);
38844 -+ memset(tmp->addr, 0xCC, tmp->size);
38845 -+ pax_close_kernel(cr0);
38846 -+
38847 -+ *p = tmp->next;
38848 -+ kfree(tmp);
38849 -+ }
38850 -+ write_unlock(&vmlist_lock);
38851 -+
38852 -+ if (!tmp) {
38853 -+ printk(KERN_ERR "Trying to module_free_exec() nonexistent vm area (%p)\n",
38854 -+ module_region);
38855 -+ WARN_ON(1);
38856 -+ }
38857 -+}
38858 -+#endif
38859 -+
38860 - /* We don't need anything special. */
38861 - int module_frob_arch_sections(Elf_Ehdr *hdr,
38862 - Elf_Shdr *sechdrs,
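Review bot: module_free_exec() walks `vmlist` by hand under `vmlist_lock` to unlink the area, duplicating what remove_vm_area() already does in mm/vmalloc.c. Using `tmp = remove_vm_area(module_region)` and then doing the 0xCC fill and kfree() on the result would shrink this to a few lines and keep the list manipulation in one place. Poisoning freed module text with 0xCC (int3) inside the pax_open_kernel() window is a good defensive touch; add a comment saying that is what the value is, since it looks arbitrary otherwise.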
38863 -@@ -63,14 +125,20 @@ int apply_relocate(Elf32_Shdr *sechdrs,
38864 - unsigned int i;
38865 - Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
38866 - Elf32_Sym *sym;
38867 -- uint32_t *location;
38868 -+ uint32_t *plocation, location;
38869 -+
38870 -+#ifdef CONFIG_PAX_KERNEXEC
38871 -+ unsigned long cr0;
38872 -+#endif
38873 -
38874 - DEBUGP("Applying relocate section %u to %u\n", relsec,
38875 - sechdrs[relsec].sh_info);
38876 - for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
38877 - /* This is where to make the change */
38878 -- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
38879 -- + rel[i].r_offset;
38880 -+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
38881 -+ location = (uint32_t)plocation;
38882 -+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
38883 -+ plocation = (void *)plocation + __KERNEL_TEXT_OFFSET;
38884 - /* This is the symbol it is referring to. Note that all
38885 - undefined symbols have been resolved. */
38886 - sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
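Review bot: the correctness of the R_386_PC32 case in the next hunk hinges on `location = (uint32_t)plocation;` being taken before `plocation` is moved into the writable alias, so that PC-relative fixups stay relative to the address the CPU will execute. Nothing here says so; add a comment on the `location =` line, and consider renaming `location` (now an integer, previously the pointer) to something like `exec_addr` so the two cannot be confused.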
38887 -@@ -78,12 +146,32 @@ int apply_relocate(Elf32_Shdr *sechdrs,
38888 -
38889 - switch (ELF32_R_TYPE(rel[i].r_info)) {
38890 - case R_386_32:
38891 -+
38892 -+#ifdef CONFIG_PAX_KERNEXEC
38893 -+ pax_open_kernel(cr0);
38894 -+#endif
38895 -+
38896 - /* We add the value into the location given */
38897 -- *location += sym->st_value;
38898 -+ *plocation += sym->st_value;
38899 -+
38900 -+#ifdef CONFIG_PAX_KERNEXEC
38901 -+ pax_close_kernel(cr0);
38902 -+#endif
38903 -+
38904 - break;
38905 - case R_386_PC32:
38906 -+
38907 -+#ifdef CONFIG_PAX_KERNEXEC
38908 -+ pax_open_kernel(cr0);
38909 -+#endif
38910 -+
38911 - /* Add the value, subtract its postition */
38912 -- *location += sym->st_value - (uint32_t)location;
38913 -+ *plocation += sym->st_value - location;
38914 -+
38915 -+#ifdef CONFIG_PAX_KERNEXEC
38916 -+ pax_close_kernel(cr0);
38917 -+#endif
38918 -+
38919 - break;
38920 - default:
38921 - printk(KERN_ERR "module %s: Unknown relocation: %u\n",
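Review bot: the pax_open_kernel() / pax_close_kernel() pair is duplicated in both the R_386_32 and R_386_PC32 arms and runs once per relocation entry, so a module with thousands of relocations toggles CR0.WP thousands of times. Hoisting the pair around the `switch` (or around the whole `for` loop in apply_relocate()) would halve the code and cut the toggles to one; if the window must stay narrow, at least compute the delta in the switch and do a single guarded `*plocation += delta;` after it.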
38922 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/paravirt.c linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c
38923 ---- linux-2.6.23.15/arch/i386/kernel/paravirt.c 2007-10-09 21:31:38.000000000 +0100
38924 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/paravirt.c 2008-02-11 10:37:44.000000000 +0000
38925 -@@ -198,7 +198,7 @@ unsigned paravirt_patch_insns(void *insn
38926 - if (insn_len > len || start == NULL)
38927 - insn_len = len;
38928 - else
38929 -- memcpy(insnbuf, start, insn_len);
38930 -+ memcpy(insnbuf, start + __KERNEL_TEXT_OFFSET, insn_len);
38931 -
38932 - return insn_len;
38933 - }
38934 -@@ -273,7 +273,7 @@ int paravirt_disable_iospace(void)
38935 - return ret;
38936 - }
38937 -
38938 --struct paravirt_ops paravirt_ops = {
38939 -+struct paravirt_ops paravirt_ops __read_only = {
38940 - .name = "bare hardware",
38941 - .paravirt_enabled = 0,
38942 - .kernel_rpl = 0,
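Review bot: marking `paravirt_ops` `__read_only` makes the kernel's central indirect-call table immutable, which is a worthwhile hardening of a classic function-pointer target. However, the paravirt backends in this tree (VMI, Xen, lguest) assign into paravirt_ops fields at boot, and each of those writers now needs a pax_open_kernel() window or a const table of its own. None of them are in this file, so confirm they were adjusted, or a KERNEXEC kernel with a paravirt backend will fault during early boot.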
38943 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/process.c linux-2.6.23.15-grsec/arch/i386/kernel/process.c
38944 ---- linux-2.6.23.15/arch/i386/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
38945 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
38946 -@@ -68,15 +68,17 @@ EXPORT_SYMBOL(boot_option_idle_override)
38947 - DEFINE_PER_CPU(struct task_struct *, current_task) = &init_task;
38948 - EXPORT_PER_CPU_SYMBOL(current_task);
38949 -
38950 -+#ifdef CONFIG_SMP
38951 - DEFINE_PER_CPU(int, cpu_number);
38952 - EXPORT_PER_CPU_SYMBOL(cpu_number);
38953 -+#endif
38954 -
38955 - /*
38956 - * Return saved PC of a blocked thread.
38957 - */
38958 - unsigned long thread_saved_pc(struct task_struct *tsk)
38959 - {
38960 -- return ((unsigned long *)tsk->thread.esp)[3];
38961 -+ return tsk->thread.eip;
38962 - }
38963 -
38964 - /*
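Review bot: thread_saved_pc() now returns `tsk->thread.eip` instead of reading the saved return address off the thread's kernel stack at `esp[3]`. That is only correct if thread.eip is stored on every context switch by the switch_to macro (not in this file); confirm that, and that nothing else relied on the stack-slot layout this drops, since the copy_thread() hunk below also changes where the child's pt_regs sit. Wrapping the `cpu_number` definition in CONFIG_SMP is fine but unrelated and would be clearer as its own hunk.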
38965 -@@ -307,7 +309,7 @@ void show_regs(struct pt_regs * regs)
38966 - printk("EIP: %04x:[<%08lx>] CPU: %d\n",0xffff & regs->xcs,regs->eip, smp_processor_id());
38967 - print_symbol("EIP is at %s\n", regs->eip);
38968 -
38969 -- if (user_mode_vm(regs))
38970 -+ if (user_mode(regs))
38971 - printk(" ESP: %04x:%08lx",0xffff & regs->xss,regs->esp);
38972 - printk(" EFLAGS: %08lx %s (%s %.*s)\n",
38973 - regs->eflags, print_tainted(), init_utsname()->release,
38974 -@@ -358,8 +360,8 @@ int kernel_thread(int (*fn)(void *), voi
38975 - regs.ebx = (unsigned long) fn;
38976 - regs.edx = (unsigned long) arg;
38977 -
38978 -- regs.xds = __USER_DS;
38979 -- regs.xes = __USER_DS;
38980 -+ regs.xds = __KERNEL_DS;
38981 -+ regs.xes = __KERNEL_DS;
38982 - regs.xfs = __KERNEL_PERCPU;
38983 - regs.orig_eax = -1;
38984 - regs.eip = (unsigned long) kernel_thread_helper;
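Review bot: kernel_thread() now starts kernel threads with `__KERNEL_DS` in DS/ES instead of `__USER_DS`. This is the consistent choice once UDEREF separates user and kernel data segments (see the `__set_fs()` added to __switch_to() below), but it is an unconditional behavioural change; either guard the two lines with CONFIG_PAX_MEMORY_UDEREF or add a comment tying them to it, so the dependency is visible when UDEREF is off.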
38985 -@@ -381,7 +383,7 @@ void exit_thread(void)
38986 - struct task_struct *tsk = current;
38987 - struct thread_struct *t = &tsk->thread;
38988 - int cpu = get_cpu();
38989 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
38990 -+ struct tss_struct *tss = init_tss + cpu;
38991 -
38992 - kfree(t->io_bitmap_ptr);
38993 - t->io_bitmap_ptr = NULL;
38994 -@@ -402,6 +404,7 @@ void flush_thread(void)
38995 - {
38996 - struct task_struct *tsk = current;
38997 -
38998 -+ __asm__("mov %0,%%gs\n" : : "r" (0) : "memory");
38999 - memset(tsk->thread.debugreg, 0, sizeof(unsigned long)*8);
39000 - memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
39001 - clear_tsk_thread_flag(tsk, TIF_DEBUG);
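Review bot: the new `__asm__("mov %0,%%gs\n" : : "r" (0) : "memory");` in flush_thread() has no comment. It apparently loads a null selector into %gs so that the exec'ing task drops the TLS segment of the previous image before `tls_array` is zeroed two lines later; say so. An asm with no outputs is implicitly volatile, so the statement is safe as written even though it does not say `volatile`.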
39002 -@@ -435,7 +438,7 @@ int copy_thread(int nr, unsigned long cl
39003 - struct task_struct *tsk;
39004 - int err;
39005 -
39006 -- childregs = task_pt_regs(p);
39007 -+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
39008 - *childregs = *regs;
39009 - childregs->eax = 0;
39010 - childregs->esp = esp;
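Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes what task_pt_regs() evaluates to in stock 2.6.23 (KSTK_TOP minus one pt_regs), so the rewrite only makes sense if task_pt_regs() is redefined elsewhere in this patch (CONFIG_PAX_RANDKSTACK moves esp0, see pax_randomize_kstack() below) and the child's frame must be placed at the fixed, unrandomized location. That reasoning and the origin of the `- 8` both need a comment, and a helper such as `task_pt_regs_fixed(p)` would read better than the raw arithmetic.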
39011 -@@ -477,6 +480,11 @@ int copy_thread(int nr, unsigned long cl
39012 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
39013 - goto out;
39014 -
39015 -+#ifdef CONFIG_PAX_SEGMEXEC
39016 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39017 -+ goto out;
39018 -+#endif
39019 -+
39020 - desc = p->thread.tls_array + idx - GDT_ENTRY_TLS_MIN;
39021 - desc->a = LDT_entry_a(&info);
39022 - desc->b = LDT_entry_b(&info);
39023 -@@ -663,7 +671,7 @@ struct task_struct fastcall * __switch_t
39024 - struct thread_struct *prev = &prev_p->thread,
39025 - *next = &next_p->thread;
39026 - int cpu = smp_processor_id();
39027 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39028 -+ struct tss_struct *tss = init_tss + cpu;
39029 -
39030 - /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
39031 -
39032 -@@ -691,6 +699,11 @@ struct task_struct fastcall * __switch_t
39033 - */
39034 - savesegment(gs, prev->gs);
39035 -
39036 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
39037 -+ if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
39038 -+ __set_fs(task_thread_info(next_p)->addr_limit, cpu);
39039 -+#endif
39040 -+
39041 - /*
39042 - * Load the per-thread Thread-Local Storage descriptor.
39043 - */
39044 -@@ -855,6 +868,12 @@ asmlinkage int sys_set_thread_area(struc
39045 -
39046 - if (copy_from_user(&info, u_info, sizeof(info)))
39047 - return -EFAULT;
39048 -+
39049 -+#ifdef CONFIG_PAX_SEGMEXEC
39050 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39051 -+ return -EINVAL;
39052 -+#endif
39053 -+
39054 - idx = info.entry_number;
39055 -
39056 - /*
39057 -@@ -943,9 +962,28 @@ asmlinkage int sys_get_thread_area(struc
39058 - return 0;
39059 - }
39060 -
39061 --unsigned long arch_align_stack(unsigned long sp)
39062 -+#ifdef CONFIG_PAX_RANDKSTACK
39063 -+asmlinkage void pax_randomize_kstack(void)
39064 - {
39065 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
39066 -- sp -= get_random_int() % 8192;
39067 -- return sp & ~0xf;
39068 -+ struct tss_struct *tss;
39069 -+ unsigned long time;
39070 -+
39071 -+ if (!randomize_va_space)
39072 -+ return;
39073 -+
39074 -+ tss = init_tss + smp_processor_id();
39075 -+ rdtscl(time);
39076 -+
39077 -+ /* P4 seems to return a 0 LSB, ignore it */
39078 -+#ifdef CONFIG_MPENTIUM4
39079 -+ time &= 0x1EUL;
39080 -+ time <<= 2;
39081 -+#else
39082 -+ time &= 0xFUL;
39083 -+ time <<= 3;
39084 -+#endif
39085 -+
39086 -+ tss->x86_tss.esp0 ^= time;
39087 -+ current->thread.esp0 = tss->x86_tss.esp0;
39088 - }
39089 -+#endif
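Review bot: this hunk removes arch_align_stack() outright rather than adding pax_randomize_kstack() beside it. arch_align_stack() is called from fs/binfmt_elf.c to randomize the user stack pointer, so unless the rest of the patch replaces that caller, the build breaks or user-stack randomization is lost; confirm. On pax_randomize_kstack() itself: `rdtscl()` masked to four bits yields only 16 distinct `esp0` offsets (the CONFIG_MPENTIUM4 variant shifts differently because of the zero LSB). That is deliberately small, but the design intent, and the fact that the function is gated on `randomize_va_space`, should be stated in a comment rather than left for the reader to infer.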
39090 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/ptrace.c linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c
39091 ---- linux-2.6.23.15/arch/i386/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
39092 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
39093 -@@ -161,22 +161,20 @@ static unsigned long convert_eip_to_line
39094 - * and APM bios ones we just ignore here.
39095 - */
39096 - if (seg & LDT_SEGMENT) {
39097 -- u32 *desc;
39098 -+ struct desc_struct *desc;
39099 - unsigned long base;
39100 -
39101 - seg &= ~7UL;
39102 -
39103 - down(&child->mm->context.sem);
39104 - if (unlikely((seg >> 3) >= child->mm->context.size))
39105 -- addr = -1L; /* bogus selector, access would fault */
39106 -+ addr = -EINVAL;
39107 - else {
39108 -- desc = child->mm->context.ldt + seg;
39109 -- base = ((desc[0] >> 16) |
39110 -- ((desc[1] & 0xff) << 16) |
39111 -- (desc[1] & 0xff000000));
39112 -+ desc = &child->mm->context.ldt[seg >> 3];
39113 -+ base = (desc->a >> 16) | ((desc->b & 0xff) << 16) | (desc->b & 0xff000000);
39114 -
39115 - /* 16-bit code segment? */
39116 -- if (!((desc[1] >> 22) & 1))
39117 -+ if (!((desc->b >> 22) & 1))
39118 - addr &= 0xffff;
39119 - addr += base;
39120 - }
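Review bot: replacing `addr = -1L` with `addr = -EINVAL` in convert_eip_to_linear() gives the caller a value it can test (the next hunk adds `if (addr == -EINVAL) return 0;` before access_process_vm()), which is the right fix for probing a bogus selector. Two points: `addr` is an unsigned long, so the sentinel is really `(unsigned long)-EINVAL` and the comparison relies on the usual integer promotions, which works on i386 but deserves a comment; and the dropped `/* bogus selector, access would fault */` comment should be kept, since it explains why the early return exists.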
39121 -@@ -191,6 +189,9 @@ static inline int is_setting_trap_flag(s
39122 - unsigned char opcode[15];
39123 - unsigned long addr = convert_eip_to_linear(child, regs);
39124 -
39125 -+ if (addr == -EINVAL)
39126 -+ return 0;
39127 -+
39128 - copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
39129 - for (i = 0; i < copied; i++) {
39130 - switch (opcode[i]) {
39131 -@@ -341,6 +342,11 @@ ptrace_set_thread_area(struct task_struc
39132 - if (copy_from_user(&info, user_desc, sizeof(info)))
39133 - return -EFAULT;
39134 -
39135 -+#ifdef CONFIG_PAX_SEGMEXEC
39136 -+ if ((child->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
39137 -+ return -EINVAL;
39138 -+#endif
39139 -+
39140 - if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
39141 - return -EINVAL;
39142 -
39143 -@@ -420,6 +426,17 @@ long arch_ptrace(struct task_struct *chi
39144 - if(addr == (long) &dummy->u_debugreg[5]) break;
39145 - if(addr < (long) &dummy->u_debugreg[4] &&
39146 - ((unsigned long) data) >= TASK_SIZE-3) break;
39147 -+
39148 -+#ifdef CONFIG_GRKERNSEC
39149 -+ if(addr >= (long) &dummy->u_debugreg[0] &&
39150 -+ addr <= (long) &dummy->u_debugreg[3]){
39151 -+ long reg = (addr - (long) &dummy->u_debugreg[0]) >> 2;
39152 -+ long type = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 4*reg)) & 3;
39153 -+ long align = (child->thread.debugreg[7] >> (DR_CONTROL_SHIFT + 2 + 4*reg)) & 3;
39154 -+ if((type & 1) && (data & align))
39155 -+ break;
39156 -+ }
39157 -+#endif
39158 -
39159 - /* Sanity-check data. Take one half-byte at once with
39160 - * check = (val >> (16 + 4*i)) & 0xf. It contains the
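Review bot: in the CONFIG_GRKERNSEC debugreg block, `align` is really the 2-bit LEN field of DR7 (0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes) and only happens to double as an alignment mask, and `type & 1` selects write and read/write breakpoints; rename them (`len`, `rw`) or comment them. More importantly, the address is validated against DR7 as it stands when DR0-DR3 is written; if DR7 is written afterwards with a different LEN, nothing here re-checks the stored addresses, so the DR7 write path should validate the existing addresses as well. The indentation of the new block also differs from the surrounding code.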
39161 -@@ -636,7 +653,7 @@ void send_sigtrap(struct task_struct *ts
39162 - info.si_code = TRAP_BRKPT;
39163 -
39164 - /* User-mode eip? */
39165 -- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->eip : NULL;
39166 -+ info.si_addr = user_mode(regs) ? (void __user *) regs->eip : NULL;
39167 -
39168 - /* Send us the fakey SIGTRAP */
39169 - force_sig_info(SIGTRAP, &info, tsk);
39170 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/reboot.c linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c
39171 ---- linux-2.6.23.15/arch/i386/kernel/reboot.c 2007-10-09 21:31:38.000000000 +0100
39172 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/reboot.c 2008-02-11 10:37:44.000000000 +0000
39173 -@@ -26,7 +26,7 @@
39174 - void (*pm_power_off)(void);
39175 - EXPORT_SYMBOL(pm_power_off);
39176 -
39177 --static int reboot_mode;
39178 -+static unsigned short reboot_mode;
39179 - static int reboot_thru_bios;
39180 -
39181 - #ifdef CONFIG_SMP
39182 -@@ -138,7 +138,7 @@ static struct dmi_system_id __initdata r
39183 - DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"),
39184 - },
39185 - },
39186 -- { }
39187 -+ { NULL, NULL, {{0, NULL}}, NULL}
39188 - };
39189 -
39190 - static int __init reboot_init(void)
39191 -@@ -156,18 +156,18 @@ core_initcall(reboot_init);
39192 - doesn't work with at least one type of 486 motherboard. It is easy
39193 - to stop this code working; hence the copious comments. */
39194 -
39195 --static unsigned long long
39196 --real_mode_gdt_entries [3] =
39197 -+static struct desc_struct
39198 -+real_mode_gdt_entries [3] __read_only =
39199 - {
39200 -- 0x0000000000000000ULL, /* Null descriptor */
39201 -- 0x00009a000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
39202 -- 0x000092000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
39203 -+ {0x00000000, 0x00000000}, /* Null descriptor */
39204 -+ {0x0000ffff, 0x00009b00}, /* 16-bit real-mode 64k code at 0x00000000 */
39205 -+ {0x0100ffff, 0x00009300} /* 16-bit real-mode 64k data at 0x00000100 */
39206 - };
39207 -
39208 --static struct Xgt_desc_struct
39209 --real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (long)real_mode_gdt_entries },
39210 --real_mode_idt = { 0x3ff, 0 },
39211 --no_idt = { 0, 0 };
39212 -+static const struct Xgt_desc_struct
39213 -+real_mode_gdt = { sizeof (real_mode_gdt_entries) - 1, (struct desc_struct *)__pa(real_mode_gdt_entries), 0 },
39214 -+real_mode_idt = { 0x3ff, NULL, 0 },
39215 -+no_idt = { 0, NULL, 0 };
39216 -
39217 -
39218 - /* This is 16-bit protected mode code to disable paging and the cache,
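Review bot: the real-mode GDT descriptors change from 0x9a/0x92 to 0x9b/0x93, i.e. the Accessed bit is now pre-set. That is required, not cosmetic: with `real_mode_gdt_entries` now `__read_only`, the CPU setting the A bit on first segment load would be a write to read-only memory. Add a comment saying so, otherwise the next person comparing against the stock table will see a one-bit "typo". The switch of `real_mode_gdt` from `(long)real_mode_gdt_entries` to `__pa(real_mode_gdt_entries)` also deserves a line explaining that the GDT base must remain valid after paging is turned off, which presumably is why the physical address is used.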
39219 -@@ -189,7 +189,7 @@ no_idt = { 0, 0 };
39220 - More could be done here to set up the registers as if a CPU reset had
39221 - occurred; hopefully real BIOSs don't assume much. */
39222 -
39223 --static unsigned char real_mode_switch [] =
39224 -+static const unsigned char real_mode_switch [] =
39225 - {
39226 - 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */
39227 - 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */
39228 -@@ -203,7 +203,7 @@ static unsigned char real_mode_switch []
39229 - 0x24, 0x10, /* f: andb $0x10,al */
39230 - 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */
39231 - };
39232 --static unsigned char jump_to_bios [] =
39233 -+static const unsigned char jump_to_bios [] =
39234 - {
39235 - 0xea, 0x00, 0x00, 0xff, 0xff /* ljmp $0xffff,$0x0000 */
39236 - };
39237 -@@ -213,7 +213,7 @@ static unsigned char jump_to_bios [] =
39238 - * specified by the code and length parameters.
39239 - * We assume that length will aways be less that 100!
39240 - */
39241 --void machine_real_restart(unsigned char *code, int length)
39242 -+void machine_real_restart(const unsigned char *code, unsigned int length)
39243 - {
39244 - local_irq_disable();
39245 -
39246 -@@ -234,9 +234,8 @@ void machine_real_restart(unsigned char
39247 - /* Remap the kernel at virtual address zero, as well as offset zero
39248 - from the kernel segment. This assumes the kernel segment starts at
39249 - virtual address PAGE_OFFSET. */
39250 --
39251 -- memcpy (swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
39252 -- sizeof (swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
39253 -+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + USER_PGD_PTRS,
39254 -+ min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
39255 -
39256 - /*
39257 - * Use `swapper_pg_dir' as our page directory.
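Review bot: the memcpy() is replaced by clone_pgd_range() copying `min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS)` entries, but nothing explains the min_t. Presumably it covers configurations where the kernel part of the address space is larger than the user part (SEGMEXEC halves the user range), in which case copying KERNEL_PGD_PTRS entries from `swapper_pg_dir + USER_PGD_PTRS` would overlap the destination and could run past the table. If that is the reason, a comment here would save the next reviewer the arithmetic.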
39258 -@@ -249,7 +248,7 @@ void machine_real_restart(unsigned char
39259 - REBOOT.COM programs, and the previous reset routine did this
39260 - too. */
39261 -
39262 -- *((unsigned short *)0x472) = reboot_mode;
39263 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
39264 -
39265 - /* For the switch to real mode, copy some code to low memory. It has
39266 - to be in the first 64k because it is running in 16-bit mode, and it
39267 -@@ -257,9 +256,8 @@ void machine_real_restart(unsigned char
39268 - off paging. Copy it near the end of the first page, out of the way
39269 - of BIOS variables. */
39270 -
39271 -- memcpy ((void *) (0x1000 - sizeof (real_mode_switch) - 100),
39272 -- real_mode_switch, sizeof (real_mode_switch));
39273 -- memcpy ((void *) (0x1000 - 100), code, length);
39274 -+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
39275 -+ memcpy(__va(0x1000 - 100), code, length);
39276 -
39277 - /* Set up the IDT for real mode. */
39278 -
39279 -@@ -345,7 +343,7 @@ static void native_machine_emergency_res
39280 - __asm__ __volatile__("int3");
39281 - }
39282 - /* rebooting needs to touch the page at absolute addr 0 */
39283 -- *((unsigned short *)__va(0x472)) = reboot_mode;
39284 -+ *(unsigned short *)(__va(0x472)) = reboot_mode;
39285 - for (;;) {
39286 - mach_reboot_fixups(); /* for board specific fixups */
39287 - mach_reboot();
39288 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/setup.c linux-2.6.23.15-grsec/arch/i386/kernel/setup.c
39289 ---- linux-2.6.23.15/arch/i386/kernel/setup.c 2007-10-09 21:31:38.000000000 +0100
39290 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/setup.c 2008-02-11 10:37:44.000000000 +0000
39291 -@@ -82,7 +82,11 @@ struct cpuinfo_x86 new_cpu_data __cpuini
39292 - struct cpuinfo_x86 boot_cpu_data __read_mostly = { 0, 0, 0, 0, -1, 1, 0, 0, -1 };
39293 - EXPORT_SYMBOL(boot_cpu_data);
39294 -
39295 -+#ifdef CONFIG_X86_PAE
39296 -+unsigned long mmu_cr4_features = X86_CR4_PAE;
39297 -+#else
39298 - unsigned long mmu_cr4_features;
39299 -+#endif
39300 -
39301 - /* for MCA, but anyone else can use it if they want */
39302 - unsigned int machine_id;
39303 -@@ -395,8 +399,8 @@ void __init setup_bootmem_allocator(void
39304 - * the (very unlikely) case of us accidentally initializing the
39305 - * bootmem allocator with an invalid RAM area.
39306 - */
39307 -- reserve_bootmem(__pa_symbol(_text), (PFN_PHYS(min_low_pfn) +
39308 -- bootmap_size + PAGE_SIZE-1) - __pa_symbol(_text));
39309 -+ reserve_bootmem(LOAD_PHYSICAL_ADDR, (PFN_PHYS(min_low_pfn) +
39310 -+ bootmap_size + PAGE_SIZE-1) - LOAD_PHYSICAL_ADDR);
39311 -
39312 - /*
39313 - * reserve physical page 0 - it's a special BIOS page on many boxes,
39314 -@@ -549,14 +553,14 @@ void __init setup_arch(char **cmdline_p)
39315 -
39316 - if (!MOUNT_ROOT_RDONLY)
39317 - root_mountflags &= ~MS_RDONLY;
39318 -- init_mm.start_code = (unsigned long) _text;
39319 -- init_mm.end_code = (unsigned long) _etext;
39320 -+ init_mm.start_code = (unsigned long) _text + __KERNEL_TEXT_OFFSET;
39321 -+ init_mm.end_code = (unsigned long) _etext + __KERNEL_TEXT_OFFSET;
39322 - init_mm.end_data = (unsigned long) _edata;
39323 - init_mm.brk = init_pg_tables_end + PAGE_OFFSET;
39324 -
39325 -- code_resource.start = virt_to_phys(_text);
39326 -- code_resource.end = virt_to_phys(_etext)-1;
39327 -- data_resource.start = virt_to_phys(_etext);
39328 -+ code_resource.start = virt_to_phys(_text + __KERNEL_TEXT_OFFSET);
39329 -+ code_resource.end = virt_to_phys(_etext + __KERNEL_TEXT_OFFSET)-1;
39330 -+ data_resource.start = virt_to_phys(_data);
39331 - data_resource.end = virt_to_phys(_edata)-1;
39332 -
39333 - parse_early_param();
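Review bot: `data_resource.start` now uses a `_data` symbol instead of `_etext`, which is necessary once the text lives at `+ __KERNEL_TEXT_OFFSET` and is no longer contiguous with the data. Neither the definition of `_data` (arch/i386/kernel/vmlinux.lds.S) nor its extern declaration is visible in this excerpt, so confirm both exist. Likewise the switch from `__pa_symbol(_text)` to `LOAD_PHYSICAL_ADDR` in the reserve_bootmem() hunk above assumes nothing is placed before `_text` in the image; a comment stating that assumption would help.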
39334 -@@ -651,3 +655,23 @@ void __init setup_arch(char **cmdline_p)
39335 - #endif
39336 - #endif
39337 - }
39338 -+
39339 -+unsigned long __per_cpu_offset[NR_CPUS] __read_only;
39340 -+
39341 -+EXPORT_SYMBOL(__per_cpu_offset);
39342 -+
39343 -+void __init setup_per_cpu_areas(void)
39344 -+{
39345 -+ unsigned long size, i;
39346 -+ char *ptr;
39347 -+
39348 -+ /* Copy section for each CPU (we discard the original) */
39349 -+ size = ALIGN(PERCPU_ENOUGH_ROOM, PAGE_SIZE);
39350 -+ ptr = alloc_bootmem_pages(size * num_possible_cpus());
39351 -+
39352 -+ for_each_possible_cpu(i) {
39353 -+ __per_cpu_offset[i] = (unsigned long)ptr;
39354 -+ memcpy(ptr, __per_cpu_start, __per_cpu_end - __per_cpu_start);
39355 -+ ptr += size;
39356 -+ }
39357 -+}
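Review bot: setup_per_cpu_areas() here is a near-verbatim copy of the generic one in init/main.c, the only visible difference being `__per_cpu_offset[NR_CPUS] __read_only`; confirm the generic definition is compiled out for this configuration or the two will collide at link time. Separately, the function writes `__per_cpu_offset[i]` with no pax_open_kernel() window, which is only safe if the `__read_only` section is still writable during __init and gets protected afterwards; say so in a comment, because the other `__read_only` writer in this patch (`early_gdt_descr` in smpboot.c) does open a window.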
39358 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/signal.c linux-2.6.23.15-grsec/arch/i386/kernel/signal.c
39359 ---- linux-2.6.23.15/arch/i386/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
39360 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
39361 -@@ -357,9 +357,9 @@ static int setup_frame(int sig, struct k
39362 - }
39363 -
39364 - if (current->binfmt->hasvdso)
39365 -- restorer = (void *)VDSO_SYM(&__kernel_sigreturn);
39366 -+ restorer = (void __user *)VDSO_SYM(&__kernel_sigreturn);
39367 - else
39368 -- restorer = (void *)&frame->retcode;
39369 -+ restorer = (void __user *)&frame->retcode;
39370 - if (ka->sa.sa_flags & SA_RESTORER)
39371 - restorer = ka->sa.sa_restorer;
39372 -
39373 -@@ -455,7 +455,8 @@ static int setup_rt_frame(int sig, struc
39374 - goto give_sigsegv;
39375 -
39376 - /* Set up to return from userspace. */
39377 -- restorer = (void *)VDSO_SYM(&__kernel_rt_sigreturn);
39378 -+
39379 -+ restorer = (void __user *)VDSO_SYM(&__kernel_rt_sigreturn);
39380 - if (ka->sa.sa_flags & SA_RESTORER)
39381 - restorer = ka->sa.sa_restorer;
39382 - err |= __put_user(restorer, &frame->pretcode);
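Review bot: the added blank line in setup_rt_frame() separates the `/* Set up to return from userspace. */` comment from the statement it describes; drop it so the hunk is only the `void __user *` annotation fix it is meant to be.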
39383 -@@ -588,7 +589,7 @@ static void fastcall do_signal(struct pt
39384 - * before reaching here, so testing against kernel
39385 - * CS suffices.
39386 - */
39387 -- if (!user_mode(regs))
39388 -+ if (!user_mode_novm(regs))
39389 - return;
39390 -
39391 - if (test_thread_flag(TIF_RESTORE_SIGMASK))
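Review bot: this hunk flips do_signal() from `user_mode()` to `user_mode_novm()`, while earlier hunks (kprobe_exceptions_notify, show_regs, send_sigtrap) flip `user_mode_vm()` to `user_mode()`. Read together they imply the helpers were renamed: the stock VM86-aware `user_mode_vm()` became `user_mode()`, and the stock CS-only `user_mode()` became `user_mode_novm()`. The header doing that is not in this excerpt, and any missed call site silently gets the opposite semantics, so please state the renaming in the patch description and grep for remaining `user_mode(` users that expected the CS-only check.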
39392 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smp.c linux-2.6.23.15-grsec/arch/i386/kernel/smp.c
39393 ---- linux-2.6.23.15/arch/i386/kernel/smp.c 2007-10-09 21:31:38.000000000 +0100
39394 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smp.c 2008-02-11 10:37:44.000000000 +0000
39395 -@@ -104,7 +104,7 @@
39396 - * about nothing of note with C stepping upwards.
39397 - */
39398 -
39399 --DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, };
39400 -+DEFINE_PER_CPU(struct tlb_state, cpu_tlbstate) ____cacheline_aligned = { &init_mm, 0, {0} };
39401 -
39402 - /*
39403 - * the following functions deal with sending IPIs between CPUs.
39404 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpboot.c linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c
39405 ---- linux-2.6.23.15/arch/i386/kernel/smpboot.c 2007-10-09 21:31:38.000000000 +0100
39406 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smpboot.c 2008-02-11 10:37:44.000000000 +0000
39407 -@@ -118,7 +118,7 @@ DEFINE_PER_CPU(int, cpu_state) = { 0 };
39408 - * has made sure it's suitably aligned.
39409 - */
39410 -
39411 --static unsigned long __devinit setup_trampoline(void)
39412 -+static unsigned long __cpuinit setup_trampoline(void)
39413 - {
39414 - memcpy(trampoline_base, trampoline_data, trampoline_end - trampoline_data);
39415 - return virt_to_phys(trampoline_base);
39416 -@@ -772,6 +772,10 @@ static int __cpuinit do_boot_cpu(int api
39417 - unsigned long start_eip;
39418 - unsigned short nmi_high = 0, nmi_low = 0;
39419 -
39420 -+#ifdef CONFIG_PAX_KERNEXEC
39421 -+ unsigned long cr0;
39422 -+#endif
39423 -+
39424 - /*
39425 - * Save current MTRR state in case it was changed since early boot
39426 - * (e.g. by the ACPI SMI) to initialize new CPUs with MTRRs in sync:
39427 -@@ -788,7 +792,16 @@ static int __cpuinit do_boot_cpu(int api
39428 -
39429 - init_gdt(cpu);
39430 - per_cpu(current_task, cpu) = idle;
39431 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
39432 -+
39433 -+#ifdef CONFIG_PAX_KERNEXEC
39434 -+ pax_open_kernel(cr0);
39435 -+#endif
39436 -+
39437 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
39438 -+
39439 -+#ifdef CONFIG_PAX_KERNEXEC
39440 -+ pax_close_kernel(cr0);
39441 -+#endif
39442 -
39443 - idle->thread.eip = (unsigned long) start_secondary;
39444 - /* start_eip had better be page-aligned! */
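Review bot: dropping the `(unsigned long)` cast in `early_gdt_descr.address = get_cpu_gdt_table(cpu);` only compiles if `early_gdt_descr.address` has been retyped to `struct desc_struct *` elsewhere in the patch (the matching `(struct desc_struct *)` cast added to `idt_descr.address` in traps.c suggests it has); keep the retype and this hunk in the same commit so bisection never lands between them. The `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair implies `early_gdt_descr` now lives in read-only data under KERNEXEC; a comment saying so at the open would save the next reader a grep, and the `cr0` local declared under `#ifdef` at the top of do_boot_cpu() should get the same remark.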
39445 -@@ -1105,7 +1118,7 @@ static void __init smp_boot_cpus(unsigne
39446 - * construct cpu_sibling_map[], so that we can tell sibling CPUs
39447 - * efficiently.
39448 - */
39449 -- for (cpu = 0; cpu < NR_CPUS; cpu++) {
39450 -+ for_each_possible_cpu(cpu) {
39451 - cpus_clear(cpu_sibling_map[cpu]);
39452 - cpus_clear(cpu_core_map[cpu]);
39453 - }
39454 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/smpcommon.c linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c
39455 ---- linux-2.6.23.15/arch/i386/kernel/smpcommon.c 2007-10-09 21:31:38.000000000 +0100
39456 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/smpcommon.c 2008-02-11 10:37:44.000000000 +0000
39457 -@@ -3,6 +3,7 @@
39458 - */
39459 - #include <linux/module.h>
39460 - #include <asm/smp.h>
39461 -+#include <asm/sections.h>
39462 -
39463 - DEFINE_PER_CPU(unsigned long, this_cpu_off);
39464 - EXPORT_PER_CPU_SYMBOL(this_cpu_off);
39465 -@@ -14,10 +15,29 @@ __cpuinit void init_gdt(int cpu)
39466 - {
39467 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
39468 -
39469 -- pack_descriptor((u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39470 -- (u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39471 -- __per_cpu_offset[cpu], 0xFFFFF,
39472 -- 0x80 | DESCTYPE_S | 0x2, 0x8);
39473 -+#ifdef CONFIG_PAX_KERNEXEC
39474 -+ unsigned long cr0;
39475 -+
39476 -+ pax_open_kernel(cr0);
39477 -+#endif
39478 -+
39479 -+ if (cpu)
39480 -+ memcpy(gdt, cpu_gdt_table, GDT_SIZE);
39481 -+
39482 -+ if (PERCPU_ENOUGH_ROOM <= 64*1024*1024)
39483 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39484 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39485 -+ __per_cpu_offset[cpu], PERCPU_ENOUGH_ROOM-1,
39486 -+ 0x80 | DESCTYPE_S | 0x3, 0x4);
39487 -+ else
39488 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PERCPU].a,
39489 -+ (__u32 *)&gdt[GDT_ENTRY_PERCPU].b,
39490 -+ __per_cpu_offset[cpu], ((PERCPU_ENOUGH_ROOM-1) >> PAGE_SHIFT),
39491 -+ 0x80 | DESCTYPE_S | 0x3, 0xC);
39492 -+
39493 -+#ifdef CONFIG_PAX_KERNEXEC
39494 -+ pax_close_kernel(cr0);
39495 -+#endif
39496 -
39497 - per_cpu(this_cpu_off, cpu) = __per_cpu_offset[cpu];
39498 - per_cpu(cpu_number, cpu) = cpu;
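Review bot: the byte-granularity branch is gated on `PERCPU_ENOUGH_ROOM <= 64*1024*1024`, but the limit field that `pack_descriptor()` packs is 20 bits, so with flags `0x4` (G clear) a limit above 1 MiB is silently truncated; unless `pack_descriptor()` has been widened elsewhere in the patch, the threshold should be `1024*1024`, with anything larger taking the `>> PAGE_SHIFT` / `0xC` page-granular path. With today's PERCPU_ENOUGH_ROOM this is latent, but it is a correctness bug waiting for a bigger per-cpu area. Two things worth a comment in the code: bounding `%fs` at `PERCPU_ENOUGH_ROOM-1` instead of the old `0xFFFFF` with G set (a flat 4 GiB segment) is the actual hardening here, since a stray `%fs:`-relative access past the per-cpu area now takes a #GP instead of reading arbitrary kernel memory; and the type change `0x2` -> `0x3` pre-sets the accessed bit, which presumably matters because the GDT is read-only once KERNEXEC is on and the CPU would otherwise fault when it tries to set the bit on the first segment load.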
39499 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/sys_i386.c linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c
39500 ---- linux-2.6.23.15/arch/i386/kernel/sys_i386.c 2007-10-09 21:31:38.000000000 +0100
39501 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/sys_i386.c 2008-02-11 10:37:44.000000000 +0000
39502 -@@ -41,6 +41,21 @@ asmlinkage int sys_pipe(unsigned long __
39503 - return error;
39504 - }
39505 -
39506 -+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
39507 -+{
39508 -+ unsigned long task_size = TASK_SIZE;
39509 -+
39510 -+#ifdef CONFIG_PAX_SEGMEXEC
39511 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39512 -+ task_size = SEGMEXEC_TASK_SIZE;
39513 -+#endif
39514 -+
39515 -+ if (len > task_size || addr > task_size - len)
39516 -+ return -EINVAL;
39517 -+
39518 -+ return 0;
39519 -+}
39520 -+
39521 - asmlinkage long sys_mmap2(unsigned long addr, unsigned long len,
39522 - unsigned long prot, unsigned long flags,
39523 - unsigned long fd, unsigned long pgoff)
39524 -@@ -100,6 +115,205 @@ out:
39525 - return err;
39526 - }
39527 -
39528 -+unsigned long
39529 -+arch_get_unmapped_area(struct file *filp, unsigned long addr,
39530 -+ unsigned long len, unsigned long pgoff, unsigned long flags)
39531 -+{
39532 -+ struct mm_struct *mm = current->mm;
39533 -+ struct vm_area_struct *vma;
39534 -+ unsigned long start_addr, task_size = TASK_SIZE;
39535 -+
39536 -+#ifdef CONFIG_PAX_SEGMEXEC
39537 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39538 -+ task_size = SEGMEXEC_TASK_SIZE;
39539 -+#endif
39540 -+
39541 -+ if (len > task_size)
39542 -+ return -ENOMEM;
39543 -+
39544 -+ if (flags & MAP_FIXED)
39545 -+ return addr;
39546 -+
39547 -+#ifdef CONFIG_PAX_RANDMMAP
39548 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
39549 -+#endif
39550 -+
39551 -+ if (addr) {
39552 -+ addr = PAGE_ALIGN(addr);
39553 -+ vma = find_vma(mm, addr);
39554 -+ if (task_size - len >= addr &&
39555 -+ (!vma || addr + len <= vma->vm_start))
39556 -+ return addr;
39557 -+ }
39558 -+ if (len > mm->cached_hole_size) {
39559 -+ start_addr = addr = mm->free_area_cache;
39560 -+ } else {
39561 -+ start_addr = addr = mm->mmap_base;
39562 -+ mm->cached_hole_size = 0;
39563 -+ }
39564 -+
39565 -+#ifdef CONFIG_PAX_PAGEEXEC
39566 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
39567 -+ start_addr = 0x00110000UL;
39568 -+
39569 -+#ifdef CONFIG_PAX_RANDMMAP
39570 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
39571 -+ start_addr += mm->delta_mmap & 0x03FFF000UL;
39572 -+#endif
39573 -+
39574 -+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
39575 -+ start_addr = addr = mm->mmap_base;
39576 -+ else
39577 -+ addr = start_addr;
39578 -+ }
39579 -+#endif
39580 -+
39581 -+full_search:
39582 -+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
39583 -+ /* At this point: (!vma || addr < vma->vm_end). */
39584 -+ if (task_size - len < addr) {
39585 -+ /*
39586 -+ * Start a new search - just in case we missed
39587 -+ * some holes.
39588 -+ */
39589 -+ if (start_addr != mm->mmap_base) {
39590 -+ start_addr = addr = mm->mmap_base;
39591 -+ mm->cached_hole_size = 0;
39592 -+ goto full_search;
39593 -+ }
39594 -+ return -ENOMEM;
39595 -+ }
39596 -+ if (!vma || addr + len <= vma->vm_start) {
39597 -+ /*
39598 -+ * Remember the place where we stopped the search:
39599 -+ */
39600 -+ mm->free_area_cache = addr + len;
39601 -+ return addr;
39602 -+ }
39603 -+ if (addr + mm->cached_hole_size < vma->vm_start)
39604 -+ mm->cached_hole_size = vma->vm_start - addr;
39605 -+ addr = vma->vm_end;
39606 -+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
39607 -+ start_addr = addr = mm->mmap_base;
39608 -+ mm->cached_hole_size = 0;
39609 -+ goto full_search;
39610 -+ }
39611 -+ }
39612 -+}
39613 -+
39614 -+unsigned long
39615 -+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
39616 -+ const unsigned long len, const unsigned long pgoff,
39617 -+ const unsigned long flags)
39618 -+{
39619 -+ struct vm_area_struct *vma;
39620 -+ struct mm_struct *mm = current->mm;
39621 -+ unsigned long base = mm->mmap_base, addr = addr0, task_size = TASK_SIZE;
39622 -+
39623 -+#ifdef CONFIG_PAX_SEGMEXEC
39624 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39625 -+ task_size = SEGMEXEC_TASK_SIZE;
39626 -+#endif
39627 -+
39628 -+ /* requested length too big for entire address space */
39629 -+ if (len > task_size)
39630 -+ return -ENOMEM;
39631 -+
39632 -+ if (flags & MAP_FIXED)
39633 -+ return addr;
39634 -+
39635 -+#ifdef CONFIG_PAX_PAGEEXEC
39636 -+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
39637 -+ goto bottomup;
39638 -+#endif
39639 -+
39640 -+#ifdef CONFIG_PAX_RANDMMAP
39641 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
39642 -+#endif
39643 -+
39644 -+ /* requesting a specific address */
39645 -+ if (addr) {
39646 -+ addr = PAGE_ALIGN(addr);
39647 -+ vma = find_vma(mm, addr);
39648 -+ if (task_size - len >= addr &&
39649 -+ (!vma || addr + len <= vma->vm_start))
39650 -+ return addr;
39651 -+ }
39652 -+
39653 -+ /* check if free_area_cache is useful for us */
39654 -+ if (len <= mm->cached_hole_size) {
39655 -+ mm->cached_hole_size = 0;
39656 -+ mm->free_area_cache = mm->mmap_base;
39657 -+ }
39658 -+
39659 -+ /* either no address requested or can't fit in requested address hole */
39660 -+ addr = mm->free_area_cache;
39661 -+
39662 -+ /* make sure it can fit in the remaining address space */
39663 -+ if (addr > len) {
39664 -+ vma = find_vma(mm, addr-len);
39665 -+ if (!vma || addr <= vma->vm_start)
39666 -+ /* remember the address as a hint for next time */
39667 -+ return (mm->free_area_cache = addr-len);
39668 -+ }
39669 -+
39670 -+ if (mm->mmap_base < len)
39671 -+ goto bottomup;
39672 -+
39673 -+ addr = mm->mmap_base-len;
39674 -+
39675 -+ do {
39676 -+ /*
39677 -+ * Lookup failure means no vma is above this address,
39678 -+ * else if new region fits below vma->vm_start,
39679 -+ * return with success:
39680 -+ */
39681 -+ vma = find_vma(mm, addr);
39682 -+ if (!vma || addr+len <= vma->vm_start)
39683 -+ /* remember the address as a hint for next time */
39684 -+ return (mm->free_area_cache = addr);
39685 -+
39686 -+ /* remember the largest hole we saw so far */
39687 -+ if (addr + mm->cached_hole_size < vma->vm_start)
39688 -+ mm->cached_hole_size = vma->vm_start - addr;
39689 -+
39690 -+ /* try just below the current vma->vm_start */
39691 -+ addr = vma->vm_start-len;
39692 -+ } while (len < vma->vm_start);
39693 -+
39694 -+bottomup:
39695 -+ /*
39696 -+ * A failed mmap() very likely causes application failure,
39697 -+ * so fall back to the bottom-up function here. This scenario
39698 -+ * can happen with large stack limits and large mmap()
39699 -+ * allocations.
39700 -+ */
39701 -+
39702 -+#ifdef CONFIG_PAX_SEGMEXEC
39703 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
39704 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
39705 -+ else
39706 -+#endif
39707 -+
39708 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
39709 -+
39710 -+#ifdef CONFIG_PAX_RANDMMAP
39711 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
39712 -+ mm->mmap_base += mm->delta_mmap;
39713 -+#endif
39714 -+
39715 -+ mm->free_area_cache = mm->mmap_base;
39716 -+ mm->cached_hole_size = ~0UL;
39717 -+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
39718 -+ /*
39719 -+ * Restore the topdown base:
39720 -+ */
39721 -+ mm->mmap_base = base;
39722 -+ mm->free_area_cache = base;
39723 -+ mm->cached_hole_size = ~0UL;
39724 -+
39725 -+ return addr;
39726 -+}
39727 -
39728 - struct sel_arg_struct {
39729 - unsigned long n;
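Review bot: in both arch_get_unmapped_area() and arch_get_unmapped_area_topdown() the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` / `#endif` is a bare `if` whose body is the `if (addr) { ... }` block on the other side of the `#endif`; that hides the control flow and one statement inserted between the two by a later merge would silently change behaviour. Brace it and state the intent in a comment: with RANDMMAP on, the caller's address hint is honoured only for anonymous mappings, so a file-backed mapping (a library, for instance) cannot be steered to a chosen address. Two smaller points. The bottom-up `MAP_EXECUTABLE` special case (`start_addr = 0x00110000UL` plus the `delta_mmap & 0x03FFF000UL` randomisation when NX is absent under PAGEEXEC) exists to keep executable mappings below the code-segment limit that do_general_protection() tracks via `user_cs_limit`, and that dependency should be named where the constant is. And the `MAP_FIXED` early return does no `task_size` check at all, so it relies on i386_mmap_check() from the previous hunk having already rejected an out-of-range request; say so, because this function is also reachable through get_unmapped_area() callers that may not go through the mmap path.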
39730 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/syscall_table.S linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S
39731 ---- linux-2.6.23.15/arch/i386/kernel/syscall_table.S 2007-10-09 21:31:38.000000000 +0100
39732 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/syscall_table.S 2008-02-11 10:37:44.000000000 +0000
39733 -@@ -1,3 +1,4 @@
39734 -+.section .rodata,"a",@progbits
39735 - ENTRY(sys_call_table)
39736 - .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
39737 - .long sys_exit
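Review bot: putting `sys_call_table` into `.rodata` is the right move, but check whether entry.S already switches to `.rodata` before it includes this file; if it does, the directive is redundant (harmless), and if it does not, nothing after this line switches the section back for whatever follows the include. Either way, verify the outcome rather than the source: `nm vmlinux | grep sys_call_table` plus `readelf -S vmlinux` should show the symbol in a non-writable section, and with the new PHDRS in vmlinux.lds.S `.rodata` must land in the `R__` load segment, otherwise the table is still writable at runtime and the whole point of the hunk is lost.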
39738 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/sysenter.c linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c
39739 ---- linux-2.6.23.15/arch/i386/kernel/sysenter.c 2007-10-09 21:31:38.000000000 +0100
39740 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/sysenter.c 2008-02-11 10:37:44.000000000 +0000
39741 -@@ -177,7 +177,7 @@ static __init void relocate_vdso(Elf32_E
39742 - void enable_sep_cpu(void)
39743 - {
39744 - int cpu = get_cpu();
39745 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39746 -+ struct tss_struct *tss = init_tss + cpu;
39747 -
39748 - if (!boot_cpu_has(X86_FEATURE_SEP)) {
39749 - put_cpu();
39750 -@@ -200,7 +200,7 @@ static int __init gate_vma_init(void)
39751 - gate_vma.vm_start = FIXADDR_USER_START;
39752 - gate_vma.vm_end = FIXADDR_USER_END;
39753 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
39754 -- gate_vma.vm_page_prot = __P101;
39755 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
39756 - /*
39757 - * Make sure the vDSO gets into every core dump.
39758 - * Dumping its contents makes post-mortem fully interpretable later
39759 -@@ -283,7 +283,7 @@ int arch_setup_additional_pages(struct l
39760 - if (compat)
39761 - addr = VDSO_HIGH_BASE;
39762 - else {
39763 -- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
39764 -+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
39765 - if (IS_ERR_VALUE(addr)) {
39766 - ret = addr;
39767 - goto up_fail;
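Review bot: passing `MAP_EXECUTABLE` to `get_unmapped_area()` here only influences placement (in the PAGEEXEC-without-NX path of arch_get_unmapped_area() it forces a bottom-up search below the tracked code-segment limit); it does not make the vDSO page executable, which the mapping installed a few lines further down must still do with VM_EXEC. Add a comment, because `MAP_EXECUTABLE` is otherwise close to a no-op flag in this tree and a later cleanup would be tempted to remove it as dead, at which point the vDSO could end up above the CS limit and every sysenter return would #GP.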
39768 -@@ -308,7 +308,7 @@ int arch_setup_additional_pages(struct l
39769 - goto up_fail;
39770 - }
39771 -
39772 -- current->mm->context.vdso = (void *)addr;
39773 -+ current->mm->context.vdso = addr;
39774 - current_thread_info()->sysenter_return =
39775 - (void *)VDSO_SYM(&SYSENTER_RETURN);
39776 -
39777 -@@ -320,8 +320,14 @@ int arch_setup_additional_pages(struct l
39778 -
39779 - const char *arch_vma_name(struct vm_area_struct *vma)
39780 - {
39781 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
39782 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
39783 - return "[vdso]";
39784 -+
39785 -+#ifdef CONFIG_PAX_SEGMEXEC
39786 -+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
39787 -+ return "[vdso]";
39788 -+#endif
39789 -+
39790 - return NULL;
39791 - }
39792 -
39793 -@@ -330,7 +336,7 @@ struct vm_area_struct *get_gate_vma(stru
39794 - struct mm_struct *mm = tsk->mm;
39795 -
39796 - /* Check to see if this task was created in compat vdso mode */
39797 -- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
39798 -+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
39799 - return &gate_vma;
39800 - return NULL;
39801 - }
39802 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/time.c linux-2.6.23.15-grsec/arch/i386/kernel/time.c
39803 ---- linux-2.6.23.15/arch/i386/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
39804 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/time.c 2008-02-11 10:37:44.000000000 +0000
39805 -@@ -132,20 +132,30 @@ unsigned long profile_pc(struct pt_regs
39806 - if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs) &&
39807 - in_lock_functions(pc)) {
39808 - #ifdef CONFIG_FRAME_POINTER
39809 -- return *(unsigned long *)(regs->ebp + 4);
39810 -+ return *(unsigned long *)(regs->ebp + 4) + __KERNEL_TEXT_OFFSET;
39811 - #else
39812 - unsigned long *sp = (unsigned long *)&regs->esp;
39813 -
39814 - /* Return address is either directly at stack pointer
39815 - or above a saved eflags. Eflags has bits 22-31 zero,
39816 - kernel addresses don't. */
39817 -+
39818 -+#ifdef CONFIG_PAX_KERNEXEC
39819 -+ return sp[0] + __KERNEL_TEXT_OFFSET;
39820 -+#else
39821 - if (sp[0] >> 22)
39822 - return sp[0];
39823 - if (sp[1] >> 22)
39824 - return sp[1];
39825 - #endif
39826 -+
39827 -+#endif
39828 - }
39829 - #endif
39830 -+
39831 -+ if (!v8086_mode(regs) && SEGMENT_IS_KERNEL_CODE(regs->xcs))
39832 -+ pc += __KERNEL_TEXT_OFFSET;
39833 -+
39834 - return pc;
39835 - }
39836 - EXPORT_SYMBOL(profile_pc);
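Review bot: under `CONFIG_PAX_KERNEXEC` the non-frame-pointer path now returns `sp[0] + __KERNEL_TEXT_OFFSET` unconditionally and drops the `sp[0] >> 22` / `sp[1] >> 22` heuristic, yet the comment kept above it still says the return address is "either directly at stack pointer or above a saved eflags". With the kernel code segment rebased, raw return addresses no longer have their top bits set, so the old test indeed cannot work, but always taking `sp[0]` means the saved-eflags case now yields a bogus pc. Either document why that case cannot occur on this path, or test for an eflags-looking word (bits 22-31 zero) before choosing between `sp[0]` and `sp[1]`. The trailing `pc += __KERNEL_TEXT_OFFSET` for kernel-CS samples runs even when KERNEXEC is off, so confirm `__KERNEL_TEXT_OFFSET` is defined as 0 in that configuration or profiling output shifts for every hardened-sources build.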
39837 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/traps.c linux-2.6.23.15-grsec/arch/i386/kernel/traps.c
39838 ---- linux-2.6.23.15/arch/i386/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
39839 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
39840 -@@ -31,6 +31,7 @@
39841 - #include <linux/uaccess.h>
39842 - #include <linux/nmi.h>
39843 - #include <linux/bug.h>
39844 -+#include <linux/binfmts.h>
39845 -
39846 - #ifdef CONFIG_EISA
39847 - #include <linux/ioport.h>
39848 -@@ -70,12 +71,7 @@ asmlinkage int system_call(void);
39849 - /* Do we ignore FPU interrupts ? */
39850 - char ignore_fpu_irq = 0;
39851 -
39852 --/*
39853 -- * The IDT has to be page-aligned to simplify the Pentium
39854 -- * F0 0F bug workaround.. We have a special link segment
39855 -- * for this.
39856 -- */
39857 --struct desc_struct idt_table[256] __attribute__((__section__(".data.idt"))) = { {0, 0}, };
39858 -+extern struct desc_struct idt_table[256];
39859 -
39860 - asmlinkage void divide_error(void);
39861 - asmlinkage void debug(void);
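Review bot: turning `idt_table` into an `extern` also deletes the `.data.idt` placement and the comment explaining why the table has to be page-aligned for the Pentium F00F workaround; wherever the table is now defined (presumably in assembly so it can sit in read-only memory under KERNEXEC) it must still be page-aligned, because trap_init_f00f_bug() later in this file still remaps it through `FIX_F00F_IDT` (the hunk at `@@ -1123,7 +1140,7 @@`). Carry the comment and an explicit alignment directive over to the new definition.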
39862 -@@ -297,7 +293,7 @@ void show_registers(struct pt_regs *regs
39863 - esp = (unsigned long) (&regs->esp);
39864 - savesegment(ss, ss);
39865 - savesegment(gs, gs);
39866 -- if (user_mode_vm(regs)) {
39867 -+ if (user_mode(regs)) {
39868 - in_kernel = 0;
39869 - esp = regs->esp;
39870 - ss = regs->xss & 0xffff;
39871 -@@ -329,17 +325,18 @@ void show_registers(struct pt_regs *regs
39872 - unsigned int code_prologue = code_bytes * 43 / 64;
39873 - unsigned int code_len = code_bytes;
39874 - unsigned char c;
39875 -+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->xcs) >> 3]);
39876 -
39877 - printk("\n" KERN_EMERG "Stack: ");
39878 - show_stack_log_lvl(NULL, regs, (unsigned long *)esp, KERN_EMERG);
39879 -
39880 - printk(KERN_EMERG "Code: ");
39881 -
39882 -- eip = (u8 *)regs->eip - code_prologue;
39883 -+ eip = (u8 *)regs->eip - code_prologue + cs_base;
39884 - if (eip < (u8 *)PAGE_OFFSET ||
39885 - probe_kernel_address(eip, c)) {
39886 - /* try starting at EIP */
39887 -- eip = (u8 *)regs->eip;
39888 -+ eip = (u8 *)regs->eip + cs_base;
39889 - code_len = code_len - code_prologue + 1;
39890 - }
39891 - for (i = 0; i < code_len; i++, eip++) {
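Review bot: `cs_base` is computed by indexing the GDT with `(0xffff & regs->xcs) >> 3` without checking the TI bit (`0x4`); this code runs only for in-kernel faults, where CS is normally `__KERNEL_CS`, but a fault taken with an LDT or vm86 selector in CS would index the wrong table and the code dump would read from a garbage base. A guard such as `if (regs->xcs & 4) cs_base = 0;` (or skipping the dump) is cheap insurance on a path that only runs when things are already going wrong. Also say in a comment why `cs_base` exists at all: under KERNEXEC `regs->eip` is an offset into the rebased kernel code segment, so the `eip < (u8 *)PAGE_OFFSET` sanity check below is only meaningful after the base has been added back.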
39892 -@@ -348,7 +345,7 @@ void show_registers(struct pt_regs *regs
39893 - printk(" Bad EIP value.");
39894 - break;
39895 - }
39896 -- if (eip == (u8 *)regs->eip)
39897 -+ if (eip == (u8 *)regs->eip + cs_base)
39898 - printk("<%02x> ", c);
39899 - else
39900 - printk("%02x ", c);
39901 -@@ -361,6 +358,7 @@ int is_valid_bugaddr(unsigned long eip)
39902 - {
39903 - unsigned short ud2;
39904 -
39905 -+ eip += __KERNEL_TEXT_OFFSET;
39906 - if (eip < PAGE_OFFSET)
39907 - return 0;
39908 - if (probe_kernel_address((unsigned short *)eip, ud2))
39909 -@@ -468,7 +466,7 @@ void die(const char * str, struct pt_reg
39910 -
39911 - static inline void die_if_kernel(const char * str, struct pt_regs * regs, long err)
39912 - {
39913 -- if (!user_mode_vm(regs))
39914 -+ if (!user_mode(regs))
39915 - die(str, regs, err);
39916 - }
39917 -
39918 -@@ -484,7 +482,7 @@ static void __kprobes do_trap(int trapnr
39919 - goto trap_signal;
39920 - }
39921 -
39922 -- if (!user_mode(regs))
39923 -+ if (!user_mode_novm(regs))
39924 - goto kernel_trap;
39925 -
39926 - trap_signal: {
39927 -@@ -589,7 +587,7 @@ fastcall void __kprobes do_general_prote
39928 - long error_code)
39929 - {
39930 - int cpu = get_cpu();
39931 -- struct tss_struct *tss = &per_cpu(init_tss, cpu);
39932 -+ struct tss_struct *tss = &init_tss[cpu];
39933 - struct thread_struct *thread = &current->thread;
39934 -
39935 - /*
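Review bot: `init_tss` is now an array, but it is spelled `&init_tss[cpu]` here, `init_tss + cpu` in sysenter.c, and `init_tss + get_cpu()` in vm86.c; pick one form across the patch (the index form reads better) so a later reader does not assume the three sites differ on purpose.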
39936 -@@ -622,9 +620,25 @@ fastcall void __kprobes do_general_prote
39937 - if (regs->eflags & VM_MASK)
39938 - goto gp_in_vm86;
39939 -
39940 -- if (!user_mode(regs))
39941 -+ if (!user_mode_novm(regs))
39942 - goto gp_in_kernel;
39943 -
39944 -+#ifdef CONFIG_PAX_PAGEEXEC
39945 -+ if (!nx_enabled && current->mm && (current->mm->pax_flags & MF_PAX_PAGEEXEC)) {
39946 -+ struct mm_struct *mm = current->mm;
39947 -+ unsigned long limit;
39948 -+
39949 -+ down_write(&mm->mmap_sem);
39950 -+ limit = mm->context.user_cs_limit;
39951 -+ if (limit < TASK_SIZE) {
39952 -+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
39953 -+ up_write(&mm->mmap_sem);
39954 -+ return;
39955 -+ }
39956 -+ up_write(&mm->mmap_sem);
39957 -+ }
39958 -+#endif
39959 -+
39960 - current->thread.error_code = error_code;
39961 - current->thread.trap_no = 13;
39962 - if (show_unhandled_signals && unhandled_signal(current, SIGSEGV) &&
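Review bot: on any user-mode #GP in a PAGEEXEC process without NX, this block takes `mmap_sem` for write, calls `track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC)` and returns to retry the faulting instruction with no signal delivered; that is only correct if the call is guaranteed to raise `mm->context.user_cs_limit`, otherwise a #GP that has nothing to do with the exec limit (a bad selector load, for instance) bounces between the fault and this handler until the limit happens to reach TASK_SIZE. Either have `track_exec_limit()` report whether the limit actually grew and fall through to the SIGSEGV path when it did not, or state the invariant in a comment next to the `return`. The `down_write()` is presumably required by `track_exec_limit()` itself; say so, since on first reading it looks like a write lock taken to read one field.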
39963 -@@ -649,6 +663,13 @@ gp_in_kernel:
39964 - if (notify_die(DIE_GPF, "general protection fault", regs,
39965 - error_code, 13, SIGSEGV) == NOTIFY_STOP)
39966 - return;
39967 -+
39968 -+#ifdef CONFIG_PAX_KERNEXEC
39969 -+ if ((regs->xcs & 0xFFFF) == __KERNEL_CS)
39970 -+ die("PAX: suspicious general protection fault", regs, error_code);
39971 -+ else
39972 -+#endif
39973 -+
39974 - die("general protection fault", regs, error_code);
39975 - }
39976 - }
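Review bot: the `else` left dangling in front of `#endif` makes the stock `die("general protection fault", ...)` the else-branch of an `if` that only exists under `CONFIG_PAX_KERNEXEC`; it works, but a `const char *msg = "general protection fault";` set to the PAX string inside the `#ifdef` and a single `die(msg, regs, error_code);` keeps one call site and no brace games across preprocessor boundaries. Since a #GP with `__KERNEL_CS` in `regs->xcs` is what KERNEXEC produces when execution leaves the limited kernel code segment, the distinct message is a useful forensic marker; consider making the text say that rather than just "suspicious".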
39977 -@@ -738,7 +759,7 @@ void __kprobes die_nmi(struct pt_regs *r
39978 - /* If we are in kernel we are probably nested up pretty bad
39979 - * and might aswell get out now while we still can.
39980 - */
39981 -- if (!user_mode_vm(regs)) {
39982 -+ if (!user_mode(regs)) {
39983 - current->thread.trap_no = 2;
39984 - crash_kexec(regs);
39985 - }
39986 -@@ -885,7 +906,7 @@ fastcall void __kprobes do_debug(struct
39987 - * check for kernel mode by just checking the CPL
39988 - * of CS.
39989 - */
39990 -- if (!user_mode(regs))
39991 -+ if (!user_mode_novm(regs))
39992 - goto clear_TF_reenable;
39993 - }
39994 -
39995 -@@ -1063,18 +1084,14 @@ fastcall void do_spurious_interrupt_bug(
39996 - fastcall unsigned long patch_espfix_desc(unsigned long uesp,
39997 - unsigned long kesp)
39998 - {
39999 -- struct desc_struct *gdt = __get_cpu_var(gdt_page).gdt;
40000 - unsigned long base = (kesp - uesp) & -THREAD_SIZE;
40001 - unsigned long new_kesp = kesp - base;
40002 - unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
40003 -- __u64 desc = *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS];
40004 -+ __u32 a, b;
40005 -+
40006 - /* Set up base for espfix segment */
40007 -- desc &= 0x00f0ff0000000000ULL;
40008 -- desc |= ((((__u64)base) << 16) & 0x000000ffffff0000ULL) |
40009 -- ((((__u64)base) << 32) & 0xff00000000000000ULL) |
40010 -- ((((__u64)lim_pages) << 32) & 0x000f000000000000ULL) |
40011 -- (lim_pages & 0xffff);
40012 -- *(__u64 *)&gdt[GDT_ENTRY_ESPFIX_SS] = desc;
40013 -+ pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC);
40014 -+ write_gdt_entry(get_cpu_gdt_table(smp_processor_id()), GDT_ENTRY_ESPFIX_SS, a, b);
40015 - return new_kesp;
40016 - }
40017 -
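Review bot: rewriting the hand-built 64-bit descriptor as `pack_descriptor(&a, &b, base, lim_pages, 0x93, 0xC)` plus `write_gdt_entry()` is cleaner, and `0x93` / `0xC` (present, DPL 0, writable data with the accessed bit set; G and D/B set, matching the page-granular `lim_pages`) should correspond to the static espfix entry the old `0x00f0ff0000000000` mask preserved; please confirm against the head.S definition. The new dependency is that `write_gdt_entry()` must itself do the `pax_open_kernel()` / `pax_close_kernel()` dance, because the GDT is read-only under KERNEXEC and this function runs from the entry.S espfix fixup, where a #PF on the GDT write would be fatal. Check the desc.h side of the patch for that, and note that the removed `__get_cpu_var(gdt_page)` is now consistently replaced by `get_cpu_gdt_table()` as in the rest of the patch.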
40018 -@@ -1123,7 +1140,7 @@ void __init trap_init_f00f_bug(void)
40019 - * Update the IDT descriptor and reload the IDT so that
40020 - * it uses the read-only mapped virtual address.
40021 - */
40022 -- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
40023 -+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
40024 - load_idt(&idt_descr);
40025 - }
40026 - #endif
40027 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/tsc.c linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c
40028 ---- linux-2.6.23.15/arch/i386/kernel/tsc.c 2008-02-11 10:36:03.000000000 +0000
40029 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/tsc.c 2008-02-11 10:37:44.000000000 +0000
40030 -@@ -322,7 +322,7 @@ static struct dmi_system_id __initdata b
40031 - DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
40032 - },
40033 - },
40034 -- {}
40035 -+ { NULL, NULL, {{0, NULL}}, NULL}
40036 - };
40037 -
40038 - /*
40039 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vm86.c linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c
40040 ---- linux-2.6.23.15/arch/i386/kernel/vm86.c 2007-10-09 21:31:38.000000000 +0100
40041 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vm86.c 2008-02-11 10:37:44.000000000 +0000
40042 -@@ -148,7 +148,7 @@ struct pt_regs * fastcall save_v86_state
40043 - do_exit(SIGSEGV);
40044 - }
40045 -
40046 -- tss = &per_cpu(init_tss, get_cpu());
40047 -+ tss = init_tss + get_cpu();
40048 - current->thread.esp0 = current->thread.saved_esp0;
40049 - current->thread.sysenter_cs = __KERNEL_CS;
40050 - load_esp0(tss, &current->thread);
40051 -@@ -324,7 +324,7 @@ static void do_sys_vm86(struct kernel_vm
40052 - tsk->thread.saved_fs = info->regs32->xfs;
40053 - savesegment(gs, tsk->thread.saved_gs);
40054 -
40055 -- tss = &per_cpu(init_tss, get_cpu());
40056 -+ tss = init_tss + get_cpu();
40057 - tsk->thread.esp0 = (unsigned long) &info->VM86_TSS_ESP0;
40058 - if (cpu_has_sep)
40059 - tsk->thread.sysenter_cs = 0;
40060 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmi.c linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c
40061 ---- linux-2.6.23.15/arch/i386/kernel/vmi.c 2007-10-09 21:31:38.000000000 +0100
40062 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vmi.c 2008-02-11 10:37:44.000000000 +0000
40063 -@@ -98,18 +98,43 @@ static unsigned patch_internal(int call,
40064 - {
40065 - u64 reloc;
40066 - struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
40067 -+
40068 -+#ifdef CONFIG_PAX_KERNEXEC
40069 -+ unsigned long cr0;
40070 -+#endif
40071 -+
40072 - reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
40073 - switch(rel->type) {
40074 - case VMI_RELOCATION_CALL_REL:
40075 - BUG_ON(len < 5);
40076 -+
40077 -+#ifdef CONFIG_PAX_KERNEXEC
40078 -+ pax_open_kernel(cr0);
40079 -+#endif
40080 -+
40081 - *(char *)insnbuf = MNEM_CALL;
40082 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
40083 -+
40084 -+#ifdef CONFIG_PAX_KERNEXEC
40085 -+ pax_close_kernel(cr0);
40086 -+#endif
40087 -+
40088 - return 5;
40089 -
40090 - case VMI_RELOCATION_JUMP_REL:
40091 - BUG_ON(len < 5);
40092 -+
40093 -+#ifdef CONFIG_PAX_KERNEXEC
40094 -+ pax_open_kernel(cr0);
40095 -+#endif
40096 -+
40097 - *(char *)insnbuf = MNEM_JMP;
40098 - patch_offset(insnbuf, eip, (unsigned long)rel->eip);
40099 -+
40100 -+#ifdef CONFIG_PAX_KERNEXEC
40101 -+ pax_close_kernel(cr0);
40102 -+#endif
40103 -+
40104 - return 5;
40105 -
40106 - case VMI_RELOCATION_NOP:
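Review bot: the `pax_open_kernel()` / `pax_close_kernel()` pairs around the stores to `insnbuf` look misplaced: if `insnbuf` is the scratch buffer that apply_paravirt() passes in, as its name and the `patch_offset(insnbuf, eip, ...)` call suggest, these writes never touch kernel text and toggling CR0.WP here buys nothing; the write into `.text` happens in the caller's `text_poke()`, which is where the open/close belongs. If `insnbuf` can alias the live instruction on this tree, put that in a comment, because otherwise the next cleanup will (rightly) remove this and nobody will know whether it was load-bearing.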
40107 -@@ -492,14 +517,14 @@ static void vmi_set_pud(pud_t *pudp, pud
40108 -
40109 - static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
40110 - {
40111 -- const pte_t pte = { 0 };
40112 -+ const pte_t pte = __pte(0ULL);
40113 - vmi_check_page_type(__pa(ptep) >> PAGE_SHIFT, VMI_PAGE_PTE);
40114 - vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
40115 - }
40116 -
40117 - static void vmi_pmd_clear(pmd_t *pmd)
40118 - {
40119 -- const pte_t pte = { 0 };
40120 -+ const pte_t pte = __pte(0ULL);
40121 - vmi_check_page_type(__pa(pmd) >> PAGE_SHIFT, VMI_PAGE_PMD);
40122 - vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
40123 - }
40124 -@@ -528,8 +553,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
40125 - ap.ss = __KERNEL_DS;
40126 - ap.esp = (unsigned long) start_esp;
40127 -
40128 -- ap.ds = __USER_DS;
40129 -- ap.es = __USER_DS;
40130 -+ ap.ds = __KERNEL_DS;
40131 -+ ap.es = __KERNEL_DS;
40132 - ap.fs = __KERNEL_PERCPU;
40133 - ap.gs = 0;
40134 -
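Review bot: switching the AP startup `ds` / `es` from `__USER_DS` to `__KERNEL_DS` needs a sentence of justification in the commit or a comment, presumably that the user data descriptor is no longer a flat 4 GiB segment on this tree and a secondary CPU cannot come up with it loaded; without the reason recorded, this reads as an unrelated behaviour change buried in a VMI-only path.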
40135 -@@ -726,12 +751,20 @@ static inline int __init activate_vmi(vo
40136 - u64 reloc;
40137 - const struct vmi_relocation_info *rel = (struct vmi_relocation_info *)&reloc;
40138 -
40139 -+#ifdef CONFIG_PAX_KERNEXEC
40140 -+ unsigned long cr0;
40141 -+#endif
40142 -+
40143 - if (call_vrom_func(vmi_rom, vmi_init) != 0) {
40144 - printk(KERN_ERR "VMI ROM failed to initialize!");
40145 - return 0;
40146 - }
40147 - savesegment(cs, kernel_cs);
40148 -
40149 -+#ifdef CONFIG_PAX_KERNEXEC
40150 -+ pax_open_kernel(cr0);
40151 -+#endif
40152 -+
40153 - paravirt_ops.paravirt_enabled = 1;
40154 - paravirt_ops.kernel_rpl = kernel_cs & SEGMENT_RPL_MASK;
40155 -
40156 -@@ -910,6 +943,10 @@ static inline int __init activate_vmi(vo
40157 -
40158 - para_fill(safe_halt, Halt);
40159 -
40160 -+#ifdef CONFIG_PAX_KERNEXEC
40161 -+ pax_close_kernel(cr0);
40162 -+#endif
40163 -+
40164 - /*
40165 - * Alternative instruction rewriting doesn't happen soon enough
40166 - * to convert VMI_IRET to a call instead of a jump; so we have
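Review bot: `pax_open_kernel(cr0)` right after `savesegment(cs, kernel_cs)` and `pax_close_kernel(cr0)` after `para_fill(safe_halt, Halt)` leave CR0.WP cleared across the entire `paravirt_ops` fill, including every `call_vrom_func()` into the VMI ROM in between; this is `__init` and single-threaded, so it is safe today, but it is a long window and any early return added between the two calls later would leave write protection off for the rest of boot. Prefer open/close around each group of `para_fill` assignments, or at least a comment at the open stating the invariant (no return before the close) so the next editor knows.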
40167 -diff -Nurp linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S
40168 ---- linux-2.6.23.15/arch/i386/kernel/vmlinux.lds.S 2007-10-09 21:31:38.000000000 +0100
40169 -+++ linux-2.6.23.15-grsec/arch/i386/kernel/vmlinux.lds.S 2008-02-11 10:37:44.000000000 +0000
40170 -@@ -21,6 +21,13 @@
40171 - #include <asm/page.h>
40172 - #include <asm/cache.h>
40173 - #include <asm/boot.h>
40174 -+#include <asm/segment.h>
40175 -+
40176 -+#ifdef CONFIG_X86_PAE
40177 -+#define PMD_SHIFT 21
40178 -+#else
40179 -+#define PMD_SHIFT 22
40180 -+#endif
40181 -
40182 - OUTPUT_FORMAT("elf32-i386", "elf32-i386", "elf32-i386")
40183 - OUTPUT_ARCH(i386)
40184 -@@ -28,22 +35,124 @@ ENTRY(phys_startup_32)
40185 - jiffies = jiffies_64;
40186 -
40187 - PHDRS {
40188 -- text PT_LOAD FLAGS(5); /* R_E */
40189 -- data PT_LOAD FLAGS(7); /* RWE */
40190 -- note PT_NOTE FLAGS(0); /* ___ */
40191 -+ initdata PT_LOAD FLAGS(6); /* RW_ */
40192 -+ percpu PT_LOAD FLAGS(6); /* RW_ */
40193 -+ inittext PT_LOAD FLAGS(5); /* R_E */
40194 -+ text PT_LOAD FLAGS(5); /* R_E */
40195 -+ rodata PT_LOAD FLAGS(4); /* R__ */
40196 -+ data PT_LOAD FLAGS(6); /* RW_ */
40197 -+ note PT_NOTE FLAGS(0); /* ___ */
40198 - }
40199 - SECTIONS
40200 - {
40201 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
40202 -- phys_startup_32 = startup_32 - LOAD_OFFSET;
40203 -
40204 -- .text.head : AT(ADDR(.text.head) - LOAD_OFFSET) {
40205 -- _text = .; /* Text and read-only data */
40206 -+ .text.startup : AT(ADDR(.text.startup) - LOAD_OFFSET) {
40207 -+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
40208 -+ *(.text.startup)
40209 -+ } :initdata
40210 -+
40211 -+ /* might get freed after init */
40212 -+ . = ALIGN(4096);
40213 -+ .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
40214 -+ __smp_locks = .;
40215 -+ *(.smp_locks)
40216 -+ __smp_locks_end = .;
40217 -+ }
40218 -+ /* will be freed after init
40219 -+ * Following ALIGN() is required to make sure no other data falls on the
40220 -+ * same page where __smp_alt_end is pointing as that page might be freed
40221 -+ * after boot. Always make sure that ALIGN() directive is present after
40222 -+ * the section which contains __smp_alt_end.
40223 -+ */
40224 -+ . = ALIGN(4096);
40225 -+
40226 -+ /* will be freed after init */
40227 -+ .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
40228 -+ __init_begin = .;
40229 -+ *(.init.data)
40230 -+ }
40231 -+ . = ALIGN(16);
40232 -+ .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
40233 -+ __setup_start = .;
40234 -+ *(.init.setup)
40235 -+ __setup_end = .;
40236 -+ }
40237 -+ .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
40238 -+ __initcall_start = .;
40239 -+ INITCALLS
40240 -+ __initcall_end = .;
40241 -+ }
40242 -+ .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
40243 -+ __con_initcall_start = .;
40244 -+ *(.con_initcall.init)
40245 -+ __con_initcall_end = .;
40246 -+ }
40247 -+ SECURITY_INIT
40248 -+ . = ALIGN(4);
40249 -+ .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
40250 -+ __alt_instructions = .;
40251 -+ *(.altinstructions)
40252 -+ __alt_instructions_end = .;
40253 -+ }
40254 -+ .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
40255 -+ *(.altinstr_replacement)
40256 -+ }
40257 -+ . = ALIGN(4);
40258 -+ .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
40259 -+ __parainstructions = .;
40260 -+ *(.parainstructions)
40261 -+ __parainstructions_end = .;
40262 -+ }
40263 -+ .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
40264 -+#if defined(CONFIG_BLK_DEV_INITRD)
40265 -+ . = ALIGN(4096);
40266 -+ .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
40267 -+ __initramfs_start = .;
40268 -+ *(.init.ramfs)
40269 -+ __initramfs_end = .;
40270 -+ }
40271 -+#endif
40272 -+ . = ALIGN(4096);
40273 -+ per_cpu_start = .;
40274 -+ .data.percpu (0) : AT(ADDR(.data.percpu) - LOAD_OFFSET + per_cpu_start) {
40275 -+ __per_cpu_start = . + per_cpu_start;
40276 -+ LONG(0)
40277 -+ *(.data.percpu)
40278 -+ *(.data.percpu.shared_aligned)
40279 -+ __per_cpu_end = . + per_cpu_start;
40280 -+ } :percpu
40281 -+ . += per_cpu_start;
40282 -+
40283 -+ /* read-only */
40284 -+
40285 -+ . = ALIGN(4096); /* Init code and data */
40286 -+ .init.text (. - __KERNEL_TEXT_OFFSET) : AT(ADDR(.init.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40287 -+ _sinittext = .;
40288 -+ *(.init.text)
40289 -+ _einittext = .;
40290 -+ } :inittext
40291 -+
40292 -+ /* .exit.text is discard at runtime, not link time, to deal with references
40293 -+ from .altinstructions and .eh_frame */
40294 -+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) { *(.exit.text) }
40295 -+
40296 -+ .filler : AT(ADDR(.filler) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40297 -+ BYTE(0)
40298 -+ . = ALIGN(4*1024*1024) - 1;
40299 -+ }
40300 -+
40301 -+ /* freed after init ends here */
40302 -+
40303 -+ .text.head : AT(ADDR(.text.head) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40304 -+ __init_end = . + __KERNEL_TEXT_OFFSET;
40305 -+ KERNEL_TEXT_OFFSET = . + __KERNEL_TEXT_OFFSET;
40306 -+ _text = .; /* Text and read-only data */
40307 - *(.text.head)
40308 - } :text = 0x9090
40309 -
40310 - /* read-only */
40311 -- .text : AT(ADDR(.text) - LOAD_OFFSET) {
40312 -+ .text : AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
40313 - TEXT_TEXT
40314 - SCHED_TEXT
40315 - LOCK_TEXT
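Review bot: The comment above the relocated `ALIGN(4096)` (the lines following `.smp_locks`) still refers to `__smp_alt_end`, a symbol that is not defined anywhere in this script; the section it sits behind defines `__smp_locks_end`. This is inherited from the upstream text (the same wording is in the block removed further down), but since the patch moves the block it is the right moment to fix the name or drop the stale sentence. The more important documentation gap in this hunk is that nothing explains the address juggling: `.init.text (. - __KERNEL_TEXT_OFFSET)` links the init text at a VMA shifted down by `__KERNEL_TEXT_OFFSET` while its LMA is shifted up, `.data.percpu (0)` is linked at VMA 0 and re-based through `per_cpu_start`, and `.text.head` then defines `__init_end`, `KERNEL_TEXT_OFFSET` and `_text` in terms of the shift. A short block comment stating the intended layout (which ranges are meant to be executable and read-only under KERNEXEC, and why init text has to precede `_text`) would let the next reader verify the arithmetic instead of re-deriving it from the `:inittext`, `:percpu` and `:text` program headers.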
40316 -@@ -53,16 +162,17 @@ SECTIONS
40317 - _etext = .; /* End of text section */
40318 - } :text = 0x9090
40319 -
40320 -- . = ALIGN(16); /* Exception table */
40321 -+ . += __KERNEL_TEXT_OFFSET;
40322 -+ . = ALIGN(4096); /* Exception table */
40323 - __ex_table : AT(ADDR(__ex_table) - LOAD_OFFSET) {
40324 - __start___ex_table = .;
40325 - *(__ex_table)
40326 - __stop___ex_table = .;
40327 -- }
40328 -+ } :rodata
40329 -
40330 -- NOTES :text :note
40331 -+ NOTES :rodata :note
40332 -
40333 -- BUG_TABLE :text
40334 -+ BUG_TABLE :rodata
40335 -
40336 - . = ALIGN(4);
40337 - .tracedata : AT(ADDR(.tracedata) - LOAD_OFFSET) {
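Review bot: `__ex_table`, `NOTES` and `BUG_TABLE` are moved from the `:text` program header to a `:rodata` one, and the table is now page-aligned (`ALIGN(4096)` replacing `ALIGN(16)`) right after `. += __KERNEL_TEXT_OFFSET;`, but the `rodata` PHDR itself is not declared in this hunk; confirm it exists in the `PHDRS` block with the intended flags, otherwise ld will reject the script. The comment on the alignment line still just says `/* Exception table */`; since the page alignment is now what separates executable text from read-only data at page granularity, say so in the comment, e.g. `/* end of executable text; page-align so rodata gets its own pages */`.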
40338 -@@ -73,9 +183,36 @@ SECTIONS
40339 -
40340 - RODATA
40341 -
40342 -+ . = ALIGN(4096);
40343 -+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
40344 -+ *(.idt)
40345 -+ . = ALIGN(4096);
40346 -+ *(.empty_zero_page)
40347 -+ *(.swapper_pm_dir)
40348 -+ *(.swapper_pg_dir)
40349 -+ }
40350 -+
40351 -+#ifdef CONFIG_PAX_KERNEXEC
40352 -+
40353 -+#ifdef CONFIG_MODULES
40354 -+ . = ALIGN(4096);
40355 -+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
40356 -+ MODULES_VADDR = .;
40357 -+ BYTE(0)
40358 -+ . += (6 * 1024 * 1024);
40359 -+ . = ALIGN(1 << PMD_SHIFT) - 1;
40360 -+ MODULES_END = .;
40361 -+ }
40362 -+#else
40363 -+ . = ALIGN(1 << PMD_SHIFT) - 1;
40364 -+#endif
40365 -+
40366 -+#endif
40367 -+
40368 - /* writeable */
40369 - . = ALIGN(4096);
40370 - .data : AT(ADDR(.data) - LOAD_OFFSET) { /* Data */
40371 -+ _data = .;
40372 - DATA_DATA
40373 - CONSTRUCTORS
40374 - } :data
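Review bot: Placing `*(.idt)`, `*(.empty_zero_page)`, `*(.swapper_pm_dir)` and `*(.swapper_pg_dir)` into `.rodata.page_aligned` makes the IDT and the initial page tables read-only, which means every write path to them (IDT setup, early page-table population, anything that later edits `swapper_pg_dir`) has to go through a WP-disabling helper of the kind this patch adds to `mmx.c`; a comment above the section listing that requirement would help reviewers of future changes. The module-space reservation under `CONFIG_PAX_KERNEXEC` uses the bare literal `(6 * 1024 * 1024)` and the `ALIGN(1 << PMD_SHIFT) - 1` idiom twice without explanation; give the size a named symbol (or a Kconfig value) and a one-line comment saying that the reservation keeps `MODULES_VADDR..MODULES_END` inside the kernel text range so loaded modules fall under the same executable/read-only mapping as the core kernel. The `_data = .;` label added at the start of `.data` is fine but undocumented; note what consumes it.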
40375 -@@ -91,7 +228,6 @@ SECTIONS
40376 - . = ALIGN(4096);
40377 - .data.page_aligned : AT(ADDR(.data.page_aligned) - LOAD_OFFSET) {
40378 - *(.data.page_aligned)
40379 -- *(.data.idt)
40380 - }
40381 -
40382 - . = ALIGN(32);
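Review bot: Dropping `*(.data.idt)` here is only half of the change: the new collector earlier in the script is `*(.idt)`, so the declaration site of the IDT (wherever the table is annotated with a section attribute) must be switched from `.data.idt` to `.idt` in the same patch, otherwise the table silently lands in `.data` and the read-only placement has no effect. Worth calling out in the patch description, since a missed rename here fails open rather than failing the link.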
40383 -@@ -111,86 +247,7 @@ SECTIONS
40384 - *(.data.init_task)
40385 - }
40386 -
40387 -- /* might get freed after init */
40388 -- . = ALIGN(4096);
40389 -- .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
40390 -- __smp_locks = .;
40391 -- *(.smp_locks)
40392 -- __smp_locks_end = .;
40393 -- }
40394 -- /* will be freed after init
40395 -- * Following ALIGN() is required to make sure no other data falls on the
40396 -- * same page where __smp_alt_end is pointing as that page might be freed
40397 -- * after boot. Always make sure that ALIGN() directive is present after
40398 -- * the section which contains __smp_alt_end.
40399 -- */
40400 -- . = ALIGN(4096);
40401 --
40402 -- /* will be freed after init */
40403 -- . = ALIGN(4096); /* Init code and data */
40404 -- .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
40405 -- __init_begin = .;
40406 -- _sinittext = .;
40407 -- *(.init.text)
40408 -- _einittext = .;
40409 -- }
40410 -- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { *(.init.data) }
40411 -- . = ALIGN(16);
40412 -- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
40413 -- __setup_start = .;
40414 -- *(.init.setup)
40415 -- __setup_end = .;
40416 -- }
40417 -- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
40418 -- __initcall_start = .;
40419 -- INITCALLS
40420 -- __initcall_end = .;
40421 -- }
40422 -- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
40423 -- __con_initcall_start = .;
40424 -- *(.con_initcall.init)
40425 -- __con_initcall_end = .;
40426 -- }
40427 -- SECURITY_INIT
40428 -- . = ALIGN(4);
40429 -- .altinstructions : AT(ADDR(.altinstructions) - LOAD_OFFSET) {
40430 -- __alt_instructions = .;
40431 -- *(.altinstructions)
40432 -- __alt_instructions_end = .;
40433 -- }
40434 -- .altinstr_replacement : AT(ADDR(.altinstr_replacement) - LOAD_OFFSET) {
40435 -- *(.altinstr_replacement)
40436 -- }
40437 -- . = ALIGN(4);
40438 -- .parainstructions : AT(ADDR(.parainstructions) - LOAD_OFFSET) {
40439 -- __parainstructions = .;
40440 -- *(.parainstructions)
40441 -- __parainstructions_end = .;
40442 -- }
40443 -- /* .exit.text is discard at runtime, not link time, to deal with references
40444 -- from .altinstructions and .eh_frame */
40445 -- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) { *(.exit.text) }
40446 -- .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) { *(.exit.data) }
40447 --#if defined(CONFIG_BLK_DEV_INITRD)
40448 -- . = ALIGN(4096);
40449 -- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
40450 -- __initramfs_start = .;
40451 -- *(.init.ramfs)
40452 -- __initramfs_end = .;
40453 -- }
40454 --#endif
40455 -- . = ALIGN(4096);
40456 -- .data.percpu : AT(ADDR(.data.percpu) - LOAD_OFFSET) {
40457 -- __per_cpu_start = .;
40458 -- *(.data.percpu)
40459 -- *(.data.percpu.shared_aligned)
40460 -- __per_cpu_end = .;
40461 -- }
40462 -- . = ALIGN(4096);
40463 -- /* freed after init ends here */
40464 --
40465 - .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
40466 -- __init_end = .;
40467 - __bss_start = .; /* BSS */
40468 - *(.bss.page_aligned)
40469 - *(.bss)
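Review bot: This hunk removes `__init_end = .;` from the start of `.bss` together with the whole "freed after init" block, and `__init_end` is instead defined in `.text.head` as `. + __KERNEL_TEXT_OFFSET`. That changes the semantics of `__init_begin..__init_end`: it no longer sits between `.data.init_task` and `.bss` but ahead of `_text`, so anything that assumes the init range is adjacent to `.bss` (or that `__init_end` is page-aligned in the unshifted address space) needs re-checking; a comment at the new definition stating the invariant (page-aligned, covers `.init.*`, `.exit.*`, `.init.ramfs`, `.data.percpu` and the filler) would make that explicit. Also note that the `/* might get freed after init */` marker that introduced `.smp_locks` is dropped here; make sure the relocated `.smp_locks` block keeps an equivalent comment.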
40470 -diff -Nurp linux-2.6.23.15/arch/i386/lib/checksum.S linux-2.6.23.15-grsec/arch/i386/lib/checksum.S
40471 ---- linux-2.6.23.15/arch/i386/lib/checksum.S 2007-10-09 21:31:38.000000000 +0100
40472 -+++ linux-2.6.23.15-grsec/arch/i386/lib/checksum.S 2008-02-11 10:37:44.000000000 +0000
40473 -@@ -28,7 +28,8 @@
40474 - #include <linux/linkage.h>
40475 - #include <asm/dwarf2.h>
40476 - #include <asm/errno.h>
40477 --
40478 -+#include <asm/segment.h>
40479 -+
40480 - /*
40481 - * computes a partial checksum, e.g. for TCP/UDP fragments
40482 - */
40483 -@@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
40484 -
40485 - #define ARGBASE 16
40486 - #define FP 12
40487 --
40488 --ENTRY(csum_partial_copy_generic)
40489 -+
40490 -+ENTRY(csum_partial_copy_generic_to_user)
40491 - CFI_STARTPROC
40492 -+ pushl $(__USER_DS)
40493 -+ CFI_ADJUST_CFA_OFFSET 4
40494 -+ popl %es
40495 -+ CFI_ADJUST_CFA_OFFSET -4
40496 -+ jmp csum_partial_copy_generic
40497 -+
40498 -+ENTRY(csum_partial_copy_generic_from_user)
40499 -+ pushl $(__USER_DS)
40500 -+ CFI_ADJUST_CFA_OFFSET 4
40501 -+ popl %ds
40502 -+ CFI_ADJUST_CFA_OFFSET -4
40503 -+
40504 -+ENTRY(csum_partial_copy_generic)
40505 - subl $4,%esp
40506 - CFI_ADJUST_CFA_OFFSET 4
40507 - pushl %edi
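Review bot: Only `csum_partial_copy_generic_to_user` is closed with `ENDPROC` at the end of the routine; `ENTRY(csum_partial_copy_generic_from_user)` and `ENTRY(csum_partial_copy_generic)` never get a matching `END`/`ENDPROC`, so those two symbols are emitted without `.type ..., @function` and without a `.size`. Since the three labels deliberately share one body (the `_to_user` entry jumps to `csum_partial_copy_generic`, the `_from_user` entry falls through into it), either add `END(csum_partial_copy_generic_from_user)` and `END(csum_partial_copy_generic)` before the shared `ENDPROC`, or add a comment above the block saying that the three entries are one function with different segment setup. The design itself reads correctly: `_to_user` loads `__USER_DS` into `%es` (stores), `_from_user` loads it into `%ds` (loads), the plain entry keeps kernel segments, and the common epilogue restores both from `%ss`.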
40508 -@@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
40509 - jmp 4f
40510 - SRC(1: movw (%esi), %bx )
40511 - addl $2, %esi
40512 --DST( movw %bx, (%edi) )
40513 -+DST( movw %bx, %es:(%edi) )
40514 - addl $2, %edi
40515 - addw %bx, %ax
40516 - adcl $0, %eax
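Review bot: The `%es:` override on `DST( movw %bx, %es:(%edi) )` is required because a plain `(%edi)` operand defaults to `%ds`, which stays the kernel data segment on the `_to_user` path; only string instructions use `%es` implicitly. Every `DST()` store in the routine must carry the override for the `_to_user` entry to work. A useful property to record in a comment: a missed override does not become a silent write to the wrong segment, it faults against the restricted kernel `%ds` limit and lands in the `.fixup` handler as `-EFAULT`, so an omission fails closed rather than open.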
40517 -@@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
40518 - SRC(1: movl (%esi), %ebx )
40519 - SRC( movl 4(%esi), %edx )
40520 - adcl %ebx, %eax
40521 --DST( movl %ebx, (%edi) )
40522 -+DST( movl %ebx, %es:(%edi) )
40523 - adcl %edx, %eax
40524 --DST( movl %edx, 4(%edi) )
40525 -+DST( movl %edx, %es:4(%edi) )
40526 -
40527 - SRC( movl 8(%esi), %ebx )
40528 - SRC( movl 12(%esi), %edx )
40529 - adcl %ebx, %eax
40530 --DST( movl %ebx, 8(%edi) )
40531 -+DST( movl %ebx, %es:8(%edi) )
40532 - adcl %edx, %eax
40533 --DST( movl %edx, 12(%edi) )
40534 -+DST( movl %edx, %es:12(%edi) )
40535 -
40536 - SRC( movl 16(%esi), %ebx )
40537 - SRC( movl 20(%esi), %edx )
40538 - adcl %ebx, %eax
40539 --DST( movl %ebx, 16(%edi) )
40540 -+DST( movl %ebx, %es:16(%edi) )
40541 - adcl %edx, %eax
40542 --DST( movl %edx, 20(%edi) )
40543 -+DST( movl %edx, %es:20(%edi) )
40544 -
40545 - SRC( movl 24(%esi), %ebx )
40546 - SRC( movl 28(%esi), %edx )
40547 - adcl %ebx, %eax
40548 --DST( movl %ebx, 24(%edi) )
40549 -+DST( movl %ebx, %es:24(%edi) )
40550 - adcl %edx, %eax
40551 --DST( movl %edx, 28(%edi) )
40552 -+DST( movl %edx, %es:28(%edi) )
40553 -
40554 - lea 32(%esi), %esi
40555 - lea 32(%edi), %edi
40556 -@@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
40557 - shrl $2, %edx # This clears CF
40558 - SRC(3: movl (%esi), %ebx )
40559 - adcl %ebx, %eax
40560 --DST( movl %ebx, (%edi) )
40561 -+DST( movl %ebx, %es:(%edi) )
40562 - lea 4(%esi), %esi
40563 - lea 4(%edi), %edi
40564 - dec %edx
40565 -@@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
40566 - jb 5f
40567 - SRC( movw (%esi), %cx )
40568 - leal 2(%esi), %esi
40569 --DST( movw %cx, (%edi) )
40570 -+DST( movw %cx, %es:(%edi) )
40571 - leal 2(%edi), %edi
40572 - je 6f
40573 - shll $16,%ecx
40574 - SRC(5: movb (%esi), %cl )
40575 --DST( movb %cl, (%edi) )
40576 -+DST( movb %cl, %es:(%edi) )
40577 - 6: addl %ecx, %eax
40578 - adcl $0, %eax
40579 - 7:
40580 -@@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
40581 -
40582 - 6001:
40583 - movl ARGBASE+20(%esp), %ebx # src_err_ptr
40584 -- movl $-EFAULT, (%ebx)
40585 -+ movl $-EFAULT, %ss:(%ebx)
40586 -
40587 - # zero the complete destination - computing the rest
40588 - # is too much work
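Review bot: The `%ss:` override on `movl $-EFAULT, %ss:(%ebx)` is correct but unexplained: at the `6001:` fixup `%ds` may still hold `__USER_DS` (the `_from_user` entry switched it and the fault happened before the epilogue restored it), so a store through the default `%ds` to the kernel-side `src_err_ptr` would fault again. `%ss` always names the kernel data segment, hence the override. Add a one-line comment at the first such site (`# %ds may be __USER_DS here, err ptr is kernel`) so the same override in the `6002:` handler and in the PentiumII variant below is understood as deliberate.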
40589 -@@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
40590 -
40591 - 6002:
40592 - movl ARGBASE+24(%esp), %ebx # dst_err_ptr
40593 -- movl $-EFAULT,(%ebx)
40594 -+ movl $-EFAULT,%ss:(%ebx)
40595 - jmp 5000b
40596 -
40597 - .previous
40598 -
40599 -+ pushl %ss
40600 -+ CFI_ADJUST_CFA_OFFSET 4
40601 -+ popl %ds
40602 -+ CFI_ADJUST_CFA_OFFSET -4
40603 -+ pushl %ss
40604 -+ CFI_ADJUST_CFA_OFFSET 4
40605 -+ popl %es
40606 -+ CFI_ADJUST_CFA_OFFSET -4
40607 - popl %ebx
40608 - CFI_ADJUST_CFA_OFFSET -4
40609 - CFI_RESTORE ebx
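Review bot: The four-instruction-pair restore sequence (`pushl %ss`/`popl %ds`, `pushl %ss`/`popl %es`, each with its `CFI_ADJUST_CFA_OFFSET`) added before `popl %ebx` is duplicated verbatim in the PentiumII routine further down and, in two-instruction form, in `getuser.S` and `putuser.S`; a macro such as `RESTORE_KERNEL_SEGS` in `asm/segment.h` would keep the CFI annotations and the `%ss` source in one place and make a missed restore on some exit path a grep-level check rather than a read-every-epilogue one. Its placement after `.previous` is right: both `.fixup` handlers jump back into the main path before this point, so the segments are restored on the fault paths as well.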
40610 -@@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
40611 - CFI_ADJUST_CFA_OFFSET -4
40612 - ret
40613 - CFI_ENDPROC
40614 --ENDPROC(csum_partial_copy_generic)
40615 -+ENDPROC(csum_partial_copy_generic_to_user)
40616 -
40617 - #else
40618 -
40619 - /* Version for PentiumII/PPro */
40620 -
40621 - #define ROUND1(x) \
40622 -+ nop; nop; nop; \
40623 - SRC(movl x(%esi), %ebx ) ; \
40624 - addl %ebx, %eax ; \
40625 -- DST(movl %ebx, x(%edi) ) ;
40626 -+ DST(movl %ebx, %es:x(%edi)) ;
40627 -
40628 - #define ROUND(x) \
40629 -+ nop; nop; nop; \
40630 - SRC(movl x(%esi), %ebx ) ; \
40631 - adcl %ebx, %eax ; \
40632 -- DST(movl %ebx, x(%edi) ) ;
40633 -+ DST(movl %ebx, %es:x(%edi)) ;
40634 -
40635 - #define ARGBASE 12
40636 --
40637 --ENTRY(csum_partial_copy_generic)
40638 -+
40639 -+ENTRY(csum_partial_copy_generic_to_user)
40640 - CFI_STARTPROC
40641 -+ pushl $(__USER_DS)
40642 -+ CFI_ADJUST_CFA_OFFSET 4
40643 -+ popl %es
40644 -+ CFI_ADJUST_CFA_OFFSET -4
40645 -+ jmp csum_partial_copy_generic
40646 -+
40647 -+ENTRY(csum_partial_copy_generic_from_user)
40648 -+ pushl $(__USER_DS)
40649 -+ CFI_ADJUST_CFA_OFFSET 4
40650 -+ popl %ds
40651 -+ CFI_ADJUST_CFA_OFFSET -4
40652 -+
40653 -+ENTRY(csum_partial_copy_generic)
40654 - pushl %ebx
40655 - CFI_ADJUST_CFA_OFFSET 4
40656 - CFI_REL_OFFSET ebx, 0
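Review bot: The `nop; nop; nop;` inserted at the head of `ROUND1(x)` and `ROUND(x)` look like dead code but are size padding, and the macros should say so: the unrolled loop is entered through a computed jump whose stride assumes every expansion of `ROUND` has the same fixed byte length, and the `%es:` prefix added to the `DST()` store grows each expansion by one byte. Add a comment on the macro (`/* keep every ROUND exactly 12 bytes: 3 nops + 1-byte %es prefix */`) and, ideally, an assembler-time size check, because a future change to either macro that alters the length breaks the jump silently. Same `ENDPROC` remark as for the first routine applies here: only `csum_partial_copy_generic_to_user` is closed.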
40657 -@@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
40658 - subl %ebx, %edi
40659 - lea -1(%esi),%edx
40660 - andl $-32,%edx
40661 -- lea 3f(%ebx,%ebx), %ebx
40662 -+ lea 3f(%ebx,%ebx,2), %ebx
40663 - testl %esi, %esi
40664 - jmp *%ebx
40665 - 1: addl $64,%esi
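Review bot: `lea 3f(%ebx,%ebx), %ebx` becoming `lea 3f(%ebx,%ebx,2), %ebx` changes the index scale from 2 to 3, i.e. it assumes each `ROUND` expansion grew by half its original size; that matches the padding added to the macros in the previous hunk (original 8-byte round plus one byte of segment prefix plus three nops gives 12), but the coupling lives in two hunks with nothing tying them together. Put the arithmetic in a comment next to this `lea` so the scale and the macro size are maintained as a pair.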
40666 -@@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
40667 - jb 5f
40668 - SRC( movw (%esi), %dx )
40669 - leal 2(%esi), %esi
40670 --DST( movw %dx, (%edi) )
40671 -+DST( movw %dx, %es:(%edi) )
40672 - leal 2(%edi), %edi
40673 - je 6f
40674 - shll $16,%edx
40675 - 5:
40676 - SRC( movb (%esi), %dl )
40677 --DST( movb %dl, (%edi) )
40678 -+DST( movb %dl, %es:(%edi) )
40679 - 6: addl %edx, %eax
40680 - adcl $0, %eax
40681 - 7:
40682 - .section .fixup, "ax"
40683 - 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
40684 -- movl $-EFAULT, (%ebx)
40685 -+ movl $-EFAULT, %ss:(%ebx)
40686 - # zero the complete destination (computing the rest is too much work)
40687 - movl ARGBASE+8(%esp),%edi # dst
40688 - movl ARGBASE+12(%esp),%ecx # len
40689 -@@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
40690 - rep; stosb
40691 - jmp 7b
40692 - 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
40693 -- movl $-EFAULT, (%ebx)
40694 -+ movl $-EFAULT, %ss:(%ebx)
40695 - jmp 7b
40696 - .previous
40697 -
40698 -+ pushl %ss
40699 -+ CFI_ADJUST_CFA_OFFSET 4
40700 -+ popl %ds
40701 -+ CFI_ADJUST_CFA_OFFSET -4
40702 -+ pushl %ss
40703 -+ CFI_ADJUST_CFA_OFFSET 4
40704 -+ popl %es
40705 -+ CFI_ADJUST_CFA_OFFSET -4
40706 - popl %esi
40707 - CFI_ADJUST_CFA_OFFSET -4
40708 - CFI_RESTORE esi
40709 -@@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
40710 - CFI_RESTORE ebx
40711 - ret
40712 - CFI_ENDPROC
40713 --ENDPROC(csum_partial_copy_generic)
40714 -+ENDPROC(csum_partial_copy_generic_to_user)
40715 -
40716 - #undef ROUND
40717 - #undef ROUND1
40718 -diff -Nurp linux-2.6.23.15/arch/i386/lib/getuser.S linux-2.6.23.15-grsec/arch/i386/lib/getuser.S
40719 ---- linux-2.6.23.15/arch/i386/lib/getuser.S 2007-10-09 21:31:38.000000000 +0100
40720 -+++ linux-2.6.23.15-grsec/arch/i386/lib/getuser.S 2008-02-11 10:37:44.000000000 +0000
40721 -@@ -11,7 +11,7 @@
40722 - #include <linux/linkage.h>
40723 - #include <asm/dwarf2.h>
40724 - #include <asm/thread_info.h>
40725 --
40726 -+#include <asm/segment.h>
40727 -
40728 - /*
40729 - * __get_user_X
40730 -@@ -31,7 +31,11 @@ ENTRY(__get_user_1)
40731 - GET_THREAD_INFO(%edx)
40732 - cmpl TI_addr_limit(%edx),%eax
40733 - jae bad_get_user
40734 -+ pushl $(__USER_DS)
40735 -+ popl %ds
40736 - 1: movzbl (%eax),%edx
40737 -+ pushl %ss
40738 -+ pop %ds
40739 - xorl %eax,%eax
40740 - ret
40741 - CFI_ENDPROC
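Review bot: The segment switch around the faulting load at `1:` is inconsistent in spelling: `popl %ds` on the way in, `pop %ds` on the way out (the same mix recurs in the `__get_user_2` and `__get_user_4` hunks), while `putuser.S` uses `popl` throughout; pick one. Unlike `checksum.S`, the push/pop pairs here carry no `CFI_ADJUST_CFA_OFFSET`, so the CFA is off by 4 for the two instructions between them; acceptable for a non-faulting push, but be consistent with the other files. The important property is preserved: the `cmpl TI_addr_limit(%edx),%eax` / `jae bad_get_user` range check still runs before `%ds` is loaded with `__USER_DS`, so the segment limit is an additional hardware check, not a replacement for the software one.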
40742 -@@ -44,7 +48,11 @@ ENTRY(__get_user_2)
40743 - GET_THREAD_INFO(%edx)
40744 - cmpl TI_addr_limit(%edx),%eax
40745 - jae bad_get_user
40746 -+ pushl $(__USER_DS)
40747 -+ popl %ds
40748 - 2: movzwl -1(%eax),%edx
40749 -+ pushl %ss
40750 -+ pop %ds
40751 - xorl %eax,%eax
40752 - ret
40753 - CFI_ENDPROC
40754 -@@ -57,7 +65,11 @@ ENTRY(__get_user_4)
40755 - GET_THREAD_INFO(%edx)
40756 - cmpl TI_addr_limit(%edx),%eax
40757 - jae bad_get_user
40758 -+ pushl $(__USER_DS)
40759 -+ popl %ds
40760 - 3: movl -3(%eax),%edx
40761 -+ pushl %ss
40762 -+ pop %ds
40763 - xorl %eax,%eax
40764 - ret
40765 - CFI_ENDPROC
40766 -@@ -65,6 +77,8 @@ ENDPROC(__get_user_4)
40767 -
40768 - bad_get_user:
40769 - CFI_STARTPROC
40770 -+ pushl %ss
40771 -+ pop %ds
40772 - xorl %edx,%edx
40773 - movl $-14,%eax
40774 - ret
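Review bot: `bad_get_user` is reached on two paths with different segment state: via the `jae` before `%ds` has been switched, and via the `__ex_table` fixup for labels `1:`, `2:` and `3:` after it has. The added `pushl %ss`/`pop %ds` is harmless on the first path and necessary on the second; a two-word comment (`# %ds may be __USER_DS`) would stop someone "optimising" it away later.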
40775 -diff -Nurp linux-2.6.23.15/arch/i386/lib/mmx.c linux-2.6.23.15-grsec/arch/i386/lib/mmx.c
40776 ---- linux-2.6.23.15/arch/i386/lib/mmx.c 2007-10-09 21:31:38.000000000 +0100
40777 -+++ linux-2.6.23.15-grsec/arch/i386/lib/mmx.c 2008-02-11 10:37:44.000000000 +0000
40778 -@@ -30,6 +30,7 @@ void *_mmx_memcpy(void *to, const void *
40779 - {
40780 - void *p;
40781 - int i;
40782 -+ unsigned long cr0;
40783 -
40784 - if (unlikely(in_interrupt()))
40785 - return __memcpy(to, from, len);
40786 -@@ -40,52 +41,80 @@ void *_mmx_memcpy(void *to, const void *
40787 - kernel_fpu_begin();
40788 -
40789 - __asm__ __volatile__ (
40790 -- "1: prefetch (%0)\n" /* This set is 28 bytes */
40791 -- " prefetch 64(%0)\n"
40792 -- " prefetch 128(%0)\n"
40793 -- " prefetch 192(%0)\n"
40794 -- " prefetch 256(%0)\n"
40795 -+ "1: prefetch (%1)\n" /* This set is 28 bytes */
40796 -+ " prefetch 64(%1)\n"
40797 -+ " prefetch 128(%1)\n"
40798 -+ " prefetch 192(%1)\n"
40799 -+ " prefetch 256(%1)\n"
40800 - "2: \n"
40801 - ".section .fixup, \"ax\"\n"
40802 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40803 -+ "3: \n"
40804 -+
40805 -+#ifdef CONFIG_PAX_KERNEXEC
40806 -+ " movl %%cr0, %0\n"
40807 -+ " movl %0, %%eax\n"
40808 -+ " andl $0xFFFEFFFF, %%eax\n"
40809 -+ " movl %%eax, %%cr0\n"
40810 -+#endif
40811 -+
40812 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40813 -+
40814 -+#ifdef CONFIG_PAX_KERNEXEC
40815 -+ " movl %0, %%cr0\n"
40816 -+#endif
40817 -+
40818 - " jmp 2b\n"
40819 - ".previous\n"
40820 - ".section __ex_table,\"a\"\n"
40821 - " .align 4\n"
40822 - " .long 1b, 3b\n"
40823 - ".previous"
40824 -- : : "r" (from) );
40825 -+ : "=&r" (cr0) : "r" (from) : "ax");
40826 -
40827 -
40828 - for(; i>5; i--)
40829 - {
40830 - __asm__ __volatile__ (
40831 -- "1: prefetch 320(%0)\n"
40832 -- "2: movq (%0), %%mm0\n"
40833 -- " movq 8(%0), %%mm1\n"
40834 -- " movq 16(%0), %%mm2\n"
40835 -- " movq 24(%0), %%mm3\n"
40836 -- " movq %%mm0, (%1)\n"
40837 -- " movq %%mm1, 8(%1)\n"
40838 -- " movq %%mm2, 16(%1)\n"
40839 -- " movq %%mm3, 24(%1)\n"
40840 -- " movq 32(%0), %%mm0\n"
40841 -- " movq 40(%0), %%mm1\n"
40842 -- " movq 48(%0), %%mm2\n"
40843 -- " movq 56(%0), %%mm3\n"
40844 -- " movq %%mm0, 32(%1)\n"
40845 -- " movq %%mm1, 40(%1)\n"
40846 -- " movq %%mm2, 48(%1)\n"
40847 -- " movq %%mm3, 56(%1)\n"
40848 -+ "1: prefetch 320(%1)\n"
40849 -+ "2: movq (%1), %%mm0\n"
40850 -+ " movq 8(%1), %%mm1\n"
40851 -+ " movq 16(%1), %%mm2\n"
40852 -+ " movq 24(%1), %%mm3\n"
40853 -+ " movq %%mm0, (%2)\n"
40854 -+ " movq %%mm1, 8(%2)\n"
40855 -+ " movq %%mm2, 16(%2)\n"
40856 -+ " movq %%mm3, 24(%2)\n"
40857 -+ " movq 32(%1), %%mm0\n"
40858 -+ " movq 40(%1), %%mm1\n"
40859 -+ " movq 48(%1), %%mm2\n"
40860 -+ " movq 56(%1), %%mm3\n"
40861 -+ " movq %%mm0, 32(%2)\n"
40862 -+ " movq %%mm1, 40(%2)\n"
40863 -+ " movq %%mm2, 48(%2)\n"
40864 -+ " movq %%mm3, 56(%2)\n"
40865 - ".section .fixup, \"ax\"\n"
40866 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40867 -+ "3:\n"
40868 -+
40869 -+#ifdef CONFIG_PAX_KERNEXEC
40870 -+ " movl %%cr0, %0\n"
40871 -+ " movl %0, %%eax\n"
40872 -+ " andl $0xFFFEFFFF, %%eax\n"
40873 -+ " movl %%eax, %%cr0\n"
40874 -+#endif
40875 -+
40876 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40877 -+
40878 -+#ifdef CONFIG_PAX_KERNEXEC
40879 -+ " movl %0, %%cr0\n"
40880 -+#endif
40881 -+
40882 - " jmp 2b\n"
40883 - ".previous\n"
40884 - ".section __ex_table,\"a\"\n"
40885 - " .align 4\n"
40886 - " .long 1b, 3b\n"
40887 - ".previous"
40888 -- : : "r" (from), "r" (to) : "memory");
40889 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
40890 - from+=64;
40891 - to+=64;
40892 - }
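Review bot: The `CONFIG_PAX_KERNEXEC` fixup path clears `CR0.WP` with the magic mask `andl $0xFFFEFFFF` (bit 16) before the existing self-patch `movw $0x1AEB, 1b` and restores the saved value afterwards; use the named bit constant for `WP` instead of the literal, and state in a comment that the toggle exists because the kernel text is now read-only and this upstream code rewrites its own `prefetch` into a `jmp` on the first fault. Two things worth documenting or tightening: the window between `movl %%eax, %%cr0` and `movl %0, %%cr0` is covered by `kernel_fpu_begin()`'s preempt-disable but not by interrupt disabling, so an interrupt handler taken inside it runs with `WP` clear; say why that is acceptable or disable interrupts around the toggle. The asm constraints look right (`"=&r" (cr0)` early-clobber since `cr0` is written before the inputs are dead, `"ax"` clobber for the scratch `%eax`, operand numbers shifted to `%1`/`%2` consistently).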
40893 -@@ -164,6 +193,7 @@ static void fast_clear_page(void *page)
40894 - static void fast_copy_page(void *to, void *from)
40895 - {
40896 - int i;
40897 -+ unsigned long cr0;
40898 -
40899 - kernel_fpu_begin();
40900 -
40901 -@@ -171,51 +201,79 @@ static void fast_copy_page(void *to, voi
40902 - * but that is for later. -AV
40903 - */
40904 - __asm__ __volatile__ (
40905 -- "1: prefetch (%0)\n"
40906 -- " prefetch 64(%0)\n"
40907 -- " prefetch 128(%0)\n"
40908 -- " prefetch 192(%0)\n"
40909 -- " prefetch 256(%0)\n"
40910 -+ "1: prefetch (%1)\n"
40911 -+ " prefetch 64(%1)\n"
40912 -+ " prefetch 128(%1)\n"
40913 -+ " prefetch 192(%1)\n"
40914 -+ " prefetch 256(%1)\n"
40915 - "2: \n"
40916 - ".section .fixup, \"ax\"\n"
40917 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40918 -+ "3: \n"
40919 -+
40920 -+#ifdef CONFIG_PAX_KERNEXEC
40921 -+ " movl %%cr0, %0\n"
40922 -+ " movl %0, %%eax\n"
40923 -+ " andl $0xFFFEFFFF, %%eax\n"
40924 -+ " movl %%eax, %%cr0\n"
40925 -+#endif
40926 -+
40927 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
40928 -+
40929 -+#ifdef CONFIG_PAX_KERNEXEC
40930 -+ " movl %0, %%cr0\n"
40931 -+#endif
40932 -+
40933 - " jmp 2b\n"
40934 - ".previous\n"
40935 - ".section __ex_table,\"a\"\n"
40936 - " .align 4\n"
40937 - " .long 1b, 3b\n"
40938 - ".previous"
40939 -- : : "r" (from) );
40940 -+ : "=&r" (cr0) : "r" (from) : "ax");
40941 -
40942 - for(i=0; i<(4096-320)/64; i++)
40943 - {
40944 - __asm__ __volatile__ (
40945 -- "1: prefetch 320(%0)\n"
40946 -- "2: movq (%0), %%mm0\n"
40947 -- " movntq %%mm0, (%1)\n"
40948 -- " movq 8(%0), %%mm1\n"
40949 -- " movntq %%mm1, 8(%1)\n"
40950 -- " movq 16(%0), %%mm2\n"
40951 -- " movntq %%mm2, 16(%1)\n"
40952 -- " movq 24(%0), %%mm3\n"
40953 -- " movntq %%mm3, 24(%1)\n"
40954 -- " movq 32(%0), %%mm4\n"
40955 -- " movntq %%mm4, 32(%1)\n"
40956 -- " movq 40(%0), %%mm5\n"
40957 -- " movntq %%mm5, 40(%1)\n"
40958 -- " movq 48(%0), %%mm6\n"
40959 -- " movntq %%mm6, 48(%1)\n"
40960 -- " movq 56(%0), %%mm7\n"
40961 -- " movntq %%mm7, 56(%1)\n"
40962 -+ "1: prefetch 320(%1)\n"
40963 -+ "2: movq (%1), %%mm0\n"
40964 -+ " movntq %%mm0, (%2)\n"
40965 -+ " movq 8(%1), %%mm1\n"
40966 -+ " movntq %%mm1, 8(%2)\n"
40967 -+ " movq 16(%1), %%mm2\n"
40968 -+ " movntq %%mm2, 16(%2)\n"
40969 -+ " movq 24(%1), %%mm3\n"
40970 -+ " movntq %%mm3, 24(%2)\n"
40971 -+ " movq 32(%1), %%mm4\n"
40972 -+ " movntq %%mm4, 32(%2)\n"
40973 -+ " movq 40(%1), %%mm5\n"
40974 -+ " movntq %%mm5, 40(%2)\n"
40975 -+ " movq 48(%1), %%mm6\n"
40976 -+ " movntq %%mm6, 48(%2)\n"
40977 -+ " movq 56(%1), %%mm7\n"
40978 -+ " movntq %%mm7, 56(%2)\n"
40979 - ".section .fixup, \"ax\"\n"
40980 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40981 -+ "3:\n"
40982 -+
40983 -+#ifdef CONFIG_PAX_KERNEXEC
40984 -+ " movl %%cr0, %0\n"
40985 -+ " movl %0, %%eax\n"
40986 -+ " andl $0xFFFEFFFF, %%eax\n"
40987 -+ " movl %%eax, %%cr0\n"
40988 -+#endif
40989 -+
40990 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
40991 -+
40992 -+#ifdef CONFIG_PAX_KERNEXEC
40993 -+ " movl %0, %%cr0\n"
40994 -+#endif
40995 -+
40996 - " jmp 2b\n"
40997 - ".previous\n"
40998 - ".section __ex_table,\"a\"\n"
40999 - " .align 4\n"
41000 - " .long 1b, 3b\n"
41001 - ".previous"
41002 -- : : "r" (from), "r" (to) : "memory");
41003 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
41004 - from+=64;
41005 - to+=64;
41006 - }
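Review bot: This is the second of four near-identical copies of the `CR0.WP` open/patch/close sequence in this file (two per `fast_copy_page` variant plus two in `_mmx_memcpy`), each with its own `#ifdef CONFIG_PAX_KERNEXEC` pair inside a string literal; factor the four instruction strings into a pair of macros (open/close) so the mask, the scratch register and the `#ifdef` structure are maintained once. As in the first copy, the `"=&r" (cr0)` / `"ax"` constraints are consistent with the instructions.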
41007 -@@ -296,56 +354,84 @@ static void fast_clear_page(void *page)
41008 - static void fast_copy_page(void *to, void *from)
41009 - {
41010 - int i;
41011 --
41012 --
41013 -+ unsigned long cr0;
41014 -+
41015 - kernel_fpu_begin();
41016 -
41017 - __asm__ __volatile__ (
41018 -- "1: prefetch (%0)\n"
41019 -- " prefetch 64(%0)\n"
41020 -- " prefetch 128(%0)\n"
41021 -- " prefetch 192(%0)\n"
41022 -- " prefetch 256(%0)\n"
41023 -+ "1: prefetch (%1)\n"
41024 -+ " prefetch 64(%1)\n"
41025 -+ " prefetch 128(%1)\n"
41026 -+ " prefetch 192(%1)\n"
41027 -+ " prefetch 256(%1)\n"
41028 - "2: \n"
41029 - ".section .fixup, \"ax\"\n"
41030 -- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
41031 -+ "3: \n"
41032 -+
41033 -+#ifdef CONFIG_PAX_KERNEXEC
41034 -+ " movl %%cr0, %0\n"
41035 -+ " movl %0, %%eax\n"
41036 -+ " andl $0xFFFEFFFF, %%eax\n"
41037 -+ " movl %%eax, %%cr0\n"
41038 -+#endif
41039 -+
41040 -+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
41041 -+
41042 -+#ifdef CONFIG_PAX_KERNEXEC
41043 -+ " movl %0, %%cr0\n"
41044 -+#endif
41045 -+
41046 - " jmp 2b\n"
41047 - ".previous\n"
41048 - ".section __ex_table,\"a\"\n"
41049 - " .align 4\n"
41050 - " .long 1b, 3b\n"
41051 - ".previous"
41052 -- : : "r" (from) );
41053 -+ : "=&r" (cr0) : "r" (from) : "ax");
41054 -
41055 - for(i=0; i<4096/64; i++)
41056 - {
41057 - __asm__ __volatile__ (
41058 -- "1: prefetch 320(%0)\n"
41059 -- "2: movq (%0), %%mm0\n"
41060 -- " movq 8(%0), %%mm1\n"
41061 -- " movq 16(%0), %%mm2\n"
41062 -- " movq 24(%0), %%mm3\n"
41063 -- " movq %%mm0, (%1)\n"
41064 -- " movq %%mm1, 8(%1)\n"
41065 -- " movq %%mm2, 16(%1)\n"
41066 -- " movq %%mm3, 24(%1)\n"
41067 -- " movq 32(%0), %%mm0\n"
41068 -- " movq 40(%0), %%mm1\n"
41069 -- " movq 48(%0), %%mm2\n"
41070 -- " movq 56(%0), %%mm3\n"
41071 -- " movq %%mm0, 32(%1)\n"
41072 -- " movq %%mm1, 40(%1)\n"
41073 -- " movq %%mm2, 48(%1)\n"
41074 -- " movq %%mm3, 56(%1)\n"
41075 -+ "1: prefetch 320(%1)\n"
41076 -+ "2: movq (%1), %%mm0\n"
41077 -+ " movq 8(%1), %%mm1\n"
41078 -+ " movq 16(%1), %%mm2\n"
41079 -+ " movq 24(%1), %%mm3\n"
41080 -+ " movq %%mm0, (%2)\n"
41081 -+ " movq %%mm1, 8(%2)\n"
41082 -+ " movq %%mm2, 16(%2)\n"
41083 -+ " movq %%mm3, 24(%2)\n"
41084 -+ " movq 32(%1), %%mm0\n"
41085 -+ " movq 40(%1), %%mm1\n"
41086 -+ " movq 48(%1), %%mm2\n"
41087 -+ " movq 56(%1), %%mm3\n"
41088 -+ " movq %%mm0, 32(%2)\n"
41089 -+ " movq %%mm1, 40(%2)\n"
41090 -+ " movq %%mm2, 48(%2)\n"
41091 -+ " movq %%mm3, 56(%2)\n"
41092 - ".section .fixup, \"ax\"\n"
41093 -- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
41094 -+ "3:\n"
41095 -+
41096 -+#ifdef CONFIG_PAX_KERNEXEC
41097 -+ " movl %%cr0, %0\n"
41098 -+ " movl %0, %%eax\n"
41099 -+ " andl $0xFFFEFFFF, %%eax\n"
41100 -+ " movl %%eax, %%cr0\n"
41101 -+#endif
41102 -+
41103 -+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
41104 -+
41105 -+#ifdef CONFIG_PAX_KERNEXEC
41106 -+ " movl %0, %%cr0\n"
41107 -+#endif
41108 -+
41109 - " jmp 2b\n"
41110 - ".previous\n"
41111 - ".section __ex_table,\"a\"\n"
41112 - " .align 4\n"
41113 - " .long 1b, 3b\n"
41114 - ".previous"
41115 -- : : "r" (from), "r" (to) : "memory");
41116 -+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
41117 - from+=64;
41118 - to+=64;
41119 - }
41120 -diff -Nurp linux-2.6.23.15/arch/i386/lib/putuser.S linux-2.6.23.15-grsec/arch/i386/lib/putuser.S
41121 ---- linux-2.6.23.15/arch/i386/lib/putuser.S 2007-10-09 21:31:38.000000000 +0100
41122 -+++ linux-2.6.23.15-grsec/arch/i386/lib/putuser.S 2008-02-11 10:37:44.000000000 +0000
41123 -@@ -11,7 +11,7 @@
41124 - #include <linux/linkage.h>
41125 - #include <asm/dwarf2.h>
41126 - #include <asm/thread_info.h>
41127 --
41128 -+#include <asm/segment.h>
41129 -
41130 - /*
41131 - * __put_user_X
41132 -@@ -41,7 +41,11 @@ ENTRY(__put_user_1)
41133 - ENTER
41134 - cmpl TI_addr_limit(%ebx),%ecx
41135 - jae bad_put_user
41136 -+ pushl $(__USER_DS)
41137 -+ popl %ds
41138 - 1: movb %al,(%ecx)
41139 -+ pushl %ss
41140 -+ popl %ds
41141 - xorl %eax,%eax
41142 - EXIT
41143 - ENDPROC(__put_user_1)
41144 -@@ -52,7 +56,11 @@ ENTRY(__put_user_2)
41145 - subl $1,%ebx
41146 - cmpl %ebx,%ecx
41147 - jae bad_put_user
41148 -+ pushl $(__USER_DS)
41149 -+ popl %ds
41150 - 2: movw %ax,(%ecx)
41151 -+ pushl %ss
41152 -+ popl %ds
41153 - xorl %eax,%eax
41154 - EXIT
41155 - ENDPROC(__put_user_2)
41156 -@@ -63,7 +71,11 @@ ENTRY(__put_user_4)
41157 - subl $3,%ebx
41158 - cmpl %ebx,%ecx
41159 - jae bad_put_user
41160 -+ pushl $(__USER_DS)
41161 -+ popl %ds
41162 - 3: movl %eax,(%ecx)
41163 -+ pushl %ss
41164 -+ popl %ds
41165 - xorl %eax,%eax
41166 - EXIT
41167 - ENDPROC(__put_user_4)
41168 -@@ -74,8 +86,12 @@ ENTRY(__put_user_8)
41169 - subl $7,%ebx
41170 - cmpl %ebx,%ecx
41171 - jae bad_put_user
41172 -+ pushl $(__USER_DS)
41173 -+ popl %ds
41174 - 4: movl %eax,(%ecx)
41175 - 5: movl %edx,4(%ecx)
41176 -+ pushl %ss
41177 -+ popl %ds
41178 - xorl %eax,%eax
41179 - EXIT
41180 - ENDPROC(__put_user_8)
41181 -@@ -85,6 +101,10 @@ bad_put_user:
41182 - CFI_DEF_CFA esp, 2*4
41183 - CFI_OFFSET eip, -1*4
41184 - CFI_OFFSET ebx, -2*4
41185 -+ pushl %ss
41186 -+ CFI_ADJUST_CFA_OFFSET 4
41187 -+ popl %ds
41188 -+ CFI_ADJUST_CFA_OFFSET -4
41189 - movl $-14,%eax
41190 - EXIT
41191 - END(bad_put_user)
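Review bot: `bad_put_user` wraps its `pushl %ss`/`popl %ds` in `CFI_ADJUST_CFA_OFFSET 4`/`-4`, but the same push/pop pairs added to `__put_user_1`, `__put_user_2`, `__put_user_4` and `__put_user_8` above carry no CFI adjustment; use the annotated form everywhere or drop it here, so the unwind information is uniformly right or uniformly approximate. As in `getuser.S`, the `bad_put_user` restore is needed because the label is reached both from the range check (kernel `%ds`) and from the fixups at `1:`..`5:` (user `%ds`).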
41192 -diff -Nurp linux-2.6.23.15/arch/i386/lib/usercopy.c linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c
41193 ---- linux-2.6.23.15/arch/i386/lib/usercopy.c 2007-10-09 21:31:38.000000000 +0100
41194 -+++ linux-2.6.23.15-grsec/arch/i386/lib/usercopy.c 2008-02-11 10:37:44.000000000 +0000
41195 -@@ -29,34 +29,41 @@ static inline int __movsl_is_ok(unsigned
41196 - * Copy a null terminated string from userspace.
41197 - */
41198 -
41199 --#define __do_strncpy_from_user(dst,src,count,res) \
41200 --do { \
41201 -- int __d0, __d1, __d2; \
41202 -- might_sleep(); \
41203 -- __asm__ __volatile__( \
41204 -- " testl %1,%1\n" \
41205 -- " jz 2f\n" \
41206 -- "0: lodsb\n" \
41207 -- " stosb\n" \
41208 -- " testb %%al,%%al\n" \
41209 -- " jz 1f\n" \
41210 -- " decl %1\n" \
41211 -- " jnz 0b\n" \
41212 -- "1: subl %1,%0\n" \
41213 -- "2:\n" \
41214 -- ".section .fixup,\"ax\"\n" \
41215 -- "3: movl %5,%0\n" \
41216 -- " jmp 2b\n" \
41217 -- ".previous\n" \
41218 -- ".section __ex_table,\"a\"\n" \
41219 -- " .align 4\n" \
41220 -- " .long 0b,3b\n" \
41221 -- ".previous" \
41222 -- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \
41223 -- "=&D" (__d2) \
41224 -- : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
41225 -- : "memory"); \
41226 --} while (0)
41227 -+static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
41228 -+{
41229 -+ int __d0, __d1, __d2;
41230 -+ long res = -EFAULT;
41231 -+
41232 -+ might_sleep();
41233 -+ __asm__ __volatile__(
41234 -+ " movw %w10,%%ds\n"
41235 -+ " testl %1,%1\n"
41236 -+ " jz 2f\n"
41237 -+ "0: lodsb\n"
41238 -+ " stosb\n"
41239 -+ " testb %%al,%%al\n"
41240 -+ " jz 1f\n"
41241 -+ " decl %1\n"
41242 -+ " jnz 0b\n"
41243 -+ "1: subl %1,%0\n"
41244 -+ "2:\n"
41245 -+ " pushl %%ss\n"
41246 -+ " popl %%ds\n"
41247 -+ ".section .fixup,\"ax\"\n"
41248 -+ "3: movl %5,%0\n"
41249 -+ " jmp 2b\n"
41250 -+ ".previous\n"
41251 -+ ".section __ex_table,\"a\"\n"
41252 -+ " .align 4\n"
41253 -+ " .long 0b,3b\n"
41254 -+ ".previous"
41255 -+ : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1),
41256 -+ "=&D" (__d2)
41257 -+ : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
41258 -+ "r"(__USER_DS)
41259 -+ : "memory");
41260 -+ return res;
41261 -+}
41262 -
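Review bot: In the new `__do_strncpy_from_user()` the initialiser `long res = -EFAULT;` is dead: `res` is the `"=d"` output and its register is preloaded from the `"0"(count)` input, so the `-EFAULT` value is never observed; drop the initialiser or, if the intent is to make the type of `res` explicit, leave it uninitialised and comment why. Operand numbering checks out (`%w10` is the `"r"(__USER_DS)` input after five outputs and five earlier inputs), and the restore at `2:` via `pushl %%ss`/`popl %%ds` is on the common path that the `3:` fixup jumps back to, so `%ds` is restored on fault as well. Converting the macro into a static function is an improvement in itself: it removes the `res` out-parameter convention and lets the compiler see the constraints once.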
41263 - /**
41264 - * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
41265 -@@ -81,9 +88,7 @@ do { \
41266 - long
41267 - __strncpy_from_user(char *dst, const char __user *src, long count)
41268 - {
41269 -- long res;
41270 -- __do_strncpy_from_user(dst, src, count, res);
41271 -- return res;
41272 -+ return __do_strncpy_from_user(dst, src, count);
41273 - }
41274 - EXPORT_SYMBOL(__strncpy_from_user);
41275 -
41276 -@@ -110,7 +115,7 @@ strncpy_from_user(char *dst, const char
41277 - {
41278 - long res = -EFAULT;
41279 - if (access_ok(VERIFY_READ, src, 1))
41280 -- __do_strncpy_from_user(dst, src, count, res);
41281 -+ res = __do_strncpy_from_user(dst, src, count);
41282 - return res;
41283 - }
41284 - EXPORT_SYMBOL(strncpy_from_user);
41285 -@@ -119,27 +124,33 @@ EXPORT_SYMBOL(strncpy_from_user);
41286 - * Zero Userspace
41287 - */
41288 -
41289 --#define __do_clear_user(addr,size) \
41290 --do { \
41291 -- int __d0; \
41292 -- might_sleep(); \
41293 -- __asm__ __volatile__( \
41294 -- "0: rep; stosl\n" \
41295 -- " movl %2,%0\n" \
41296 -- "1: rep; stosb\n" \
41297 -- "2:\n" \
41298 -- ".section .fixup,\"ax\"\n" \
41299 -- "3: lea 0(%2,%0,4),%0\n" \
41300 -- " jmp 2b\n" \
41301 -- ".previous\n" \
41302 -- ".section __ex_table,\"a\"\n" \
41303 -- " .align 4\n" \
41304 -- " .long 0b,3b\n" \
41305 -- " .long 1b,2b\n" \
41306 -- ".previous" \
41307 -- : "=&c"(size), "=&D" (__d0) \
41308 -- : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
41309 --} while (0)
41310 -+static unsigned long __do_clear_user(void __user *addr, unsigned long size)
41311 -+{
41312 -+ int __d0;
41313 -+
41314 -+ might_sleep();
41315 -+ __asm__ __volatile__(
41316 -+ " movw %w6,%%es\n"
41317 -+ "0: rep; stosl\n"
41318 -+ " movl %2,%0\n"
41319 -+ "1: rep; stosb\n"
41320 -+ "2:\n"
41321 -+ " pushl %%ss\n"
41322 -+ " popl %%es\n"
41323 -+ ".section .fixup,\"ax\"\n"
41324 -+ "3: lea 0(%2,%0,4),%0\n"
41325 -+ " jmp 2b\n"
41326 -+ ".previous\n"
41327 -+ ".section __ex_table,\"a\"\n"
41328 -+ " .align 4\n"
41329 -+ " .long 0b,3b\n"
41330 -+ " .long 1b,2b\n"
41331 -+ ".previous"
41332 -+ : "=&c"(size), "=&D" (__d0)
41333 -+ : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
41334 -+ "r"(__USER_DS));
41335 -+ return size;
41336 -+}
41337 -
41338 - /**
41339 - * clear_user: - Zero a block of memory in user space.
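Review bot: the `pushl %%ss` / `popl %%es` restore placed right after label `2:` is load-bearing for the fault path as well as the normal path, because the fixup at `3:` ends in `jmp 2b`; any later edit that moves the restore above `2:` or adds a fixup that jumps past it would return to C with %es still pointing at the user descriptor, so a comment in the asm stating "2: must precede the segment restore; all fixups jump to 2b" would protect that invariant. Smaller point: now that `__do_clear_user()` is a function with its own `might_sleep()`, the `clear_user()` wrapper in the next hunk calls `might_sleep()` a second time on the same path; one of the two can go.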
41340 -@@ -156,7 +167,7 @@ clear_user(void __user *to, unsigned lon
41341 - {
41342 - might_sleep();
41343 - if (access_ok(VERIFY_WRITE, to, n))
41344 -- __do_clear_user(to, n);
41345 -+ n = __do_clear_user(to, n);
41346 - return n;
41347 - }
41348 - EXPORT_SYMBOL(clear_user);
41349 -@@ -175,8 +186,7 @@ EXPORT_SYMBOL(clear_user);
41350 - unsigned long
41351 - __clear_user(void __user *to, unsigned long n)
41352 - {
41353 -- __do_clear_user(to, n);
41354 -- return n;
41355 -+ return __do_clear_user(to, n);
41356 - }
41357 - EXPORT_SYMBOL(__clear_user);
41358 -
41359 -@@ -199,14 +209,17 @@ long strnlen_user(const char __user *s,
41360 - might_sleep();
41361 -
41362 - __asm__ __volatile__(
41363 -+ " movw %w8,%%es\n"
41364 - " testl %0, %0\n"
41365 - " jz 3f\n"
41366 -- " andl %0,%%ecx\n"
41367 -+ " movl %0,%%ecx\n"
41368 - "0: repne; scasb\n"
41369 - " setne %%al\n"
41370 - " subl %%ecx,%0\n"
41371 - " addl %0,%%eax\n"
41372 - "1:\n"
41373 -+ " pushl %%ss\n"
41374 -+ " popl %%es\n"
41375 - ".section .fixup,\"ax\"\n"
41376 - "2: xorl %%eax,%%eax\n"
41377 - " jmp 1b\n"
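Review bot: replacing `andl %0,%%ecx` with `movl %0,%%ecx` is a behaviour change, not just segment plumbing. Operand 3 (`"=c" (tmp)` tied to `"3" (mask)`) lands in %ecx, so the old code folded `mask` into the scan count and a zero mask made `repne; scasb` a no-op; the new code scans the full `n` bytes regardless and relies on the freshly loaded %es limit to fault into the `2:` fixup (which zeroes %eax). The final `return res & mask` keeps the returned value identical, but a one-line comment saying that the hardware segment limit, not `mask`, now bounds the scan would stop the next reader from treating the dropped AND as an accident.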
41378 -@@ -218,7 +231,7 @@ long strnlen_user(const char __user *s,
41379 - " .long 0b,2b\n"
41380 - ".previous"
41381 - :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp)
41382 -- :"0" (n), "1" (s), "2" (0), "3" (mask)
41383 -+ :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
41384 - :"cc");
41385 - return res & mask;
41386 - }
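Review bot: the new input is referenced positionally as `%w8` in the previous hunk, which is correct here (four outputs, four tied inputs, then `"r" (__USER_DS)`) but will silently shift if anyone inserts an operand. A named operand, `[seg] "r" (__USER_DS)` used as `%w[seg]`, removes that fragility; the same applies to the `%w6` references in the copy routines further down.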
41387 -@@ -226,10 +239,121 @@ EXPORT_SYMBOL(strnlen_user);
41388 -
41389 - #ifdef CONFIG_X86_INTEL_USERCOPY
41390 - static unsigned long
41391 --__copy_user_intel(void __user *to, const void *from, unsigned long size)
41392 -+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
41393 -+{
41394 -+ int d0, d1;
41395 -+ __asm__ __volatile__(
41396 -+ " movw %w6, %%es\n"
41397 -+ " .align 2,0x90\n"
41398 -+ "1: movl 32(%4), %%eax\n"
41399 -+ " cmpl $67, %0\n"
41400 -+ " jbe 3f\n"
41401 -+ "2: movl 64(%4), %%eax\n"
41402 -+ " .align 2,0x90\n"
41403 -+ "3: movl 0(%4), %%eax\n"
41404 -+ "4: movl 4(%4), %%edx\n"
41405 -+ "5: movl %%eax, %%es:0(%3)\n"
41406 -+ "6: movl %%edx, %%es:4(%3)\n"
41407 -+ "7: movl 8(%4), %%eax\n"
41408 -+ "8: movl 12(%4),%%edx\n"
41409 -+ "9: movl %%eax, %%es:8(%3)\n"
41410 -+ "10: movl %%edx, %%es:12(%3)\n"
41411 -+ "11: movl 16(%4), %%eax\n"
41412 -+ "12: movl 20(%4), %%edx\n"
41413 -+ "13: movl %%eax, %%es:16(%3)\n"
41414 -+ "14: movl %%edx, %%es:20(%3)\n"
41415 -+ "15: movl 24(%4), %%eax\n"
41416 -+ "16: movl 28(%4), %%edx\n"
41417 -+ "17: movl %%eax, %%es:24(%3)\n"
41418 -+ "18: movl %%edx, %%es:28(%3)\n"
41419 -+ "19: movl 32(%4), %%eax\n"
41420 -+ "20: movl 36(%4), %%edx\n"
41421 -+ "21: movl %%eax, %%es:32(%3)\n"
41422 -+ "22: movl %%edx, %%es:36(%3)\n"
41423 -+ "23: movl 40(%4), %%eax\n"
41424 -+ "24: movl 44(%4), %%edx\n"
41425 -+ "25: movl %%eax, %%es:40(%3)\n"
41426 -+ "26: movl %%edx, %%es:44(%3)\n"
41427 -+ "27: movl 48(%4), %%eax\n"
41428 -+ "28: movl 52(%4), %%edx\n"
41429 -+ "29: movl %%eax, %%es:48(%3)\n"
41430 -+ "30: movl %%edx, %%es:52(%3)\n"
41431 -+ "31: movl 56(%4), %%eax\n"
41432 -+ "32: movl 60(%4), %%edx\n"
41433 -+ "33: movl %%eax, %%es:56(%3)\n"
41434 -+ "34: movl %%edx, %%es:60(%3)\n"
41435 -+ " addl $-64, %0\n"
41436 -+ " addl $64, %4\n"
41437 -+ " addl $64, %3\n"
41438 -+ " cmpl $63, %0\n"
41439 -+ " ja 1b\n"
41440 -+ "35: movl %0, %%eax\n"
41441 -+ " shrl $2, %0\n"
41442 -+ " andl $3, %%eax\n"
41443 -+ " cld\n"
41444 -+ "99: rep; movsl\n"
41445 -+ "36: movl %%eax, %0\n"
41446 -+ "37: rep; movsb\n"
41447 -+ "100:\n"
41448 -+ " pushl %%ss\n"
41449 -+ " popl %%es\n"
41450 -+ ".section .fixup,\"ax\"\n"
41451 -+ "101: lea 0(%%eax,%0,4),%0\n"
41452 -+ " jmp 100b\n"
41453 -+ ".previous\n"
41454 -+ ".section __ex_table,\"a\"\n"
41455 -+ " .align 4\n"
41456 -+ " .long 1b,100b\n"
41457 -+ " .long 2b,100b\n"
41458 -+ " .long 3b,100b\n"
41459 -+ " .long 4b,100b\n"
41460 -+ " .long 5b,100b\n"
41461 -+ " .long 6b,100b\n"
41462 -+ " .long 7b,100b\n"
41463 -+ " .long 8b,100b\n"
41464 -+ " .long 9b,100b\n"
41465 -+ " .long 10b,100b\n"
41466 -+ " .long 11b,100b\n"
41467 -+ " .long 12b,100b\n"
41468 -+ " .long 13b,100b\n"
41469 -+ " .long 14b,100b\n"
41470 -+ " .long 15b,100b\n"
41471 -+ " .long 16b,100b\n"
41472 -+ " .long 17b,100b\n"
41473 -+ " .long 18b,100b\n"
41474 -+ " .long 19b,100b\n"
41475 -+ " .long 20b,100b\n"
41476 -+ " .long 21b,100b\n"
41477 -+ " .long 22b,100b\n"
41478 -+ " .long 23b,100b\n"
41479 -+ " .long 24b,100b\n"
41480 -+ " .long 25b,100b\n"
41481 -+ " .long 26b,100b\n"
41482 -+ " .long 27b,100b\n"
41483 -+ " .long 28b,100b\n"
41484 -+ " .long 29b,100b\n"
41485 -+ " .long 30b,100b\n"
41486 -+ " .long 31b,100b\n"
41487 -+ " .long 32b,100b\n"
41488 -+ " .long 33b,100b\n"
41489 -+ " .long 34b,100b\n"
41490 -+ " .long 35b,100b\n"
41491 -+ " .long 36b,100b\n"
41492 -+ " .long 37b,100b\n"
41493 -+ " .long 99b,101b\n"
41494 -+ ".previous"
41495 -+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
41496 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41497 -+ : "eax", "edx", "memory");
41498 -+ return size;
41499 -+}
41500 -+
41501 -+static unsigned long
41502 -+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
41503 - {
41504 - int d0, d1;
41505 - __asm__ __volatile__(
41506 -+ " movw %w6, %%ds\n"
41507 - " .align 2,0x90\n"
41508 - "1: movl 32(%4), %%eax\n"
41509 - " cmpl $67, %0\n"
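Review bot: `__generic_copy_to_user_intel()` and the `__generic_copy_from_user_intel()` that starts at the end of this hunk are about 110 lines each and differ only in which segment register receives `__USER_DS` (`%%es` versus `%%ds`) and which one is restored at `100:`; the 38 exception-table entries, the fixup at `101:` and the `100b` landing label have to be kept identical by hand in both copies. A macro parameterised on the segment register would keep the two in step, which matters because a fixup that lands after the `pushl %%ss` / `popl` restore in one copy but before it in the other would leave a user segment live on the error path. Operand-wise the hunk is consistent: outputs 0..2, inputs 3 (`to`), 4 (`from`), 5 (`size`), so `%w6` is the selector, `rep; movsl` at `99:` implicitly writes ES:EDI, and the unrolled stores carry explicit `%%es:` overrides.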
41510 -@@ -238,36 +362,36 @@ __copy_user_intel(void __user *to, const
41511 - " .align 2,0x90\n"
41512 - "3: movl 0(%4), %%eax\n"
41513 - "4: movl 4(%4), %%edx\n"
41514 -- "5: movl %%eax, 0(%3)\n"
41515 -- "6: movl %%edx, 4(%3)\n"
41516 -+ "5: movl %%eax, %%es:0(%3)\n"
41517 -+ "6: movl %%edx, %%es:4(%3)\n"
41518 - "7: movl 8(%4), %%eax\n"
41519 - "8: movl 12(%4),%%edx\n"
41520 -- "9: movl %%eax, 8(%3)\n"
41521 -- "10: movl %%edx, 12(%3)\n"
41522 -+ "9: movl %%eax, %%es:8(%3)\n"
41523 -+ "10: movl %%edx, %%es:12(%3)\n"
41524 - "11: movl 16(%4), %%eax\n"
41525 - "12: movl 20(%4), %%edx\n"
41526 -- "13: movl %%eax, 16(%3)\n"
41527 -- "14: movl %%edx, 20(%3)\n"
41528 -+ "13: movl %%eax, %%es:16(%3)\n"
41529 -+ "14: movl %%edx, %%es:20(%3)\n"
41530 - "15: movl 24(%4), %%eax\n"
41531 - "16: movl 28(%4), %%edx\n"
41532 -- "17: movl %%eax, 24(%3)\n"
41533 -- "18: movl %%edx, 28(%3)\n"
41534 -+ "17: movl %%eax, %%es:24(%3)\n"
41535 -+ "18: movl %%edx, %%es:28(%3)\n"
41536 - "19: movl 32(%4), %%eax\n"
41537 - "20: movl 36(%4), %%edx\n"
41538 -- "21: movl %%eax, 32(%3)\n"
41539 -- "22: movl %%edx, 36(%3)\n"
41540 -+ "21: movl %%eax, %%es:32(%3)\n"
41541 -+ "22: movl %%edx, %%es:36(%3)\n"
41542 - "23: movl 40(%4), %%eax\n"
41543 - "24: movl 44(%4), %%edx\n"
41544 -- "25: movl %%eax, 40(%3)\n"
41545 -- "26: movl %%edx, 44(%3)\n"
41546 -+ "25: movl %%eax, %%es:40(%3)\n"
41547 -+ "26: movl %%edx, %%es:44(%3)\n"
41548 - "27: movl 48(%4), %%eax\n"
41549 - "28: movl 52(%4), %%edx\n"
41550 -- "29: movl %%eax, 48(%3)\n"
41551 -- "30: movl %%edx, 52(%3)\n"
41552 -+ "29: movl %%eax, %%es:48(%3)\n"
41553 -+ "30: movl %%edx, %%es:52(%3)\n"
41554 - "31: movl 56(%4), %%eax\n"
41555 - "32: movl 60(%4), %%edx\n"
41556 -- "33: movl %%eax, 56(%3)\n"
41557 -- "34: movl %%edx, 60(%3)\n"
41558 -+ "33: movl %%eax, %%es:56(%3)\n"
41559 -+ "34: movl %%edx, %%es:60(%3)\n"
41560 - " addl $-64, %0\n"
41561 - " addl $64, %4\n"
41562 - " addl $64, %3\n"
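Review bot: the `%%es:` overrides added to the stores in this hunk are required, not cosmetic. The function now loads the user descriptor into %ds with `movw %w6, %%ds` at its start (previous hunk), so a plain `movl %%eax, 0(%3)` would address the kernel-side destination through the user segment and fault on the limit. A comment at the top of the asm, "DS is the user segment from here to `100:`; every access to `to` must be ES-relative", would keep a later edit from dropping one override among the sixteen and producing a store that faults only when a particular size is copied.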
41563 -@@ -281,6 +405,8 @@ __copy_user_intel(void __user *to, const
41564 - "36: movl %%eax, %0\n"
41565 - "37: rep; movsb\n"
41566 - "100:\n"
41567 -+ " pushl %%ss\n"
41568 -+ " popl %%ds\n"
41569 - ".section .fixup,\"ax\"\n"
41570 - "101: lea 0(%%eax,%0,4),%0\n"
41571 - " jmp 100b\n"
41572 -@@ -327,7 +453,7 @@ __copy_user_intel(void __user *to, const
41573 - " .long 99b,101b\n"
41574 - ".previous"
41575 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41576 -- : "1"(to), "2"(from), "0"(size)
41577 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41578 - : "eax", "edx", "memory");
41579 - return size;
41580 - }
41581 -@@ -337,6 +463,7 @@ __copy_user_zeroing_intel(void *to, cons
41582 - {
41583 - int d0, d1;
41584 - __asm__ __volatile__(
41585 -+ " movw %w6, %%ds\n"
41586 - " .align 2,0x90\n"
41587 - "0: movl 32(%4), %%eax\n"
41588 - " cmpl $67, %0\n"
41589 -@@ -345,36 +472,36 @@ __copy_user_zeroing_intel(void *to, cons
41590 - " .align 2,0x90\n"
41591 - "2: movl 0(%4), %%eax\n"
41592 - "21: movl 4(%4), %%edx\n"
41593 -- " movl %%eax, 0(%3)\n"
41594 -- " movl %%edx, 4(%3)\n"
41595 -+ " movl %%eax, %%es:0(%3)\n"
41596 -+ " movl %%edx, %%es:4(%3)\n"
41597 - "3: movl 8(%4), %%eax\n"
41598 - "31: movl 12(%4),%%edx\n"
41599 -- " movl %%eax, 8(%3)\n"
41600 -- " movl %%edx, 12(%3)\n"
41601 -+ " movl %%eax, %%es:8(%3)\n"
41602 -+ " movl %%edx, %%es:12(%3)\n"
41603 - "4: movl 16(%4), %%eax\n"
41604 - "41: movl 20(%4), %%edx\n"
41605 -- " movl %%eax, 16(%3)\n"
41606 -- " movl %%edx, 20(%3)\n"
41607 -+ " movl %%eax, %%es:16(%3)\n"
41608 -+ " movl %%edx, %%es:20(%3)\n"
41609 - "10: movl 24(%4), %%eax\n"
41610 - "51: movl 28(%4), %%edx\n"
41611 -- " movl %%eax, 24(%3)\n"
41612 -- " movl %%edx, 28(%3)\n"
41613 -+ " movl %%eax, %%es:24(%3)\n"
41614 -+ " movl %%edx, %%es:28(%3)\n"
41615 - "11: movl 32(%4), %%eax\n"
41616 - "61: movl 36(%4), %%edx\n"
41617 -- " movl %%eax, 32(%3)\n"
41618 -- " movl %%edx, 36(%3)\n"
41619 -+ " movl %%eax, %%es:32(%3)\n"
41620 -+ " movl %%edx, %%es:36(%3)\n"
41621 - "12: movl 40(%4), %%eax\n"
41622 - "71: movl 44(%4), %%edx\n"
41623 -- " movl %%eax, 40(%3)\n"
41624 -- " movl %%edx, 44(%3)\n"
41625 -+ " movl %%eax, %%es:40(%3)\n"
41626 -+ " movl %%edx, %%es:44(%3)\n"
41627 - "13: movl 48(%4), %%eax\n"
41628 - "81: movl 52(%4), %%edx\n"
41629 -- " movl %%eax, 48(%3)\n"
41630 -- " movl %%edx, 52(%3)\n"
41631 -+ " movl %%eax, %%es:48(%3)\n"
41632 -+ " movl %%edx, %%es:52(%3)\n"
41633 - "14: movl 56(%4), %%eax\n"
41634 - "91: movl 60(%4), %%edx\n"
41635 -- " movl %%eax, 56(%3)\n"
41636 -- " movl %%edx, 60(%3)\n"
41637 -+ " movl %%eax, %%es:56(%3)\n"
41638 -+ " movl %%edx, %%es:60(%3)\n"
41639 - " addl $-64, %0\n"
41640 - " addl $64, %4\n"
41641 - " addl $64, %3\n"
41642 -@@ -388,6 +515,8 @@ __copy_user_zeroing_intel(void *to, cons
41643 - " movl %%eax,%0\n"
41644 - "7: rep; movsb\n"
41645 - "8:\n"
41646 -+ " pushl %%ss\n"
41647 -+ " popl %%ds\n"
41648 - ".section .fixup,\"ax\"\n"
41649 - "9: lea 0(%%eax,%0,4),%0\n"
41650 - "16: pushl %0\n"
41651 -@@ -422,7 +551,7 @@ __copy_user_zeroing_intel(void *to, cons
41652 - " .long 7b,16b\n"
41653 - ".previous"
41654 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41655 -- : "1"(to), "2"(from), "0"(size)
41656 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41657 - : "eax", "edx", "memory");
41658 - return size;
41659 - }
41660 -@@ -438,6 +567,7 @@ static unsigned long __copy_user_zeroing
41661 - int d0, d1;
41662 -
41663 - __asm__ __volatile__(
41664 -+ " movw %w6, %%ds\n"
41665 - " .align 2,0x90\n"
41666 - "0: movl 32(%4), %%eax\n"
41667 - " cmpl $67, %0\n"
41668 -@@ -446,36 +576,36 @@ static unsigned long __copy_user_zeroing
41669 - " .align 2,0x90\n"
41670 - "2: movl 0(%4), %%eax\n"
41671 - "21: movl 4(%4), %%edx\n"
41672 -- " movnti %%eax, 0(%3)\n"
41673 -- " movnti %%edx, 4(%3)\n"
41674 -+ " movnti %%eax, %%es:0(%3)\n"
41675 -+ " movnti %%edx, %%es:4(%3)\n"
41676 - "3: movl 8(%4), %%eax\n"
41677 - "31: movl 12(%4),%%edx\n"
41678 -- " movnti %%eax, 8(%3)\n"
41679 -- " movnti %%edx, 12(%3)\n"
41680 -+ " movnti %%eax, %%es:8(%3)\n"
41681 -+ " movnti %%edx, %%es:12(%3)\n"
41682 - "4: movl 16(%4), %%eax\n"
41683 - "41: movl 20(%4), %%edx\n"
41684 -- " movnti %%eax, 16(%3)\n"
41685 -- " movnti %%edx, 20(%3)\n"
41686 -+ " movnti %%eax, %%es:16(%3)\n"
41687 -+ " movnti %%edx, %%es:20(%3)\n"
41688 - "10: movl 24(%4), %%eax\n"
41689 - "51: movl 28(%4), %%edx\n"
41690 -- " movnti %%eax, 24(%3)\n"
41691 -- " movnti %%edx, 28(%3)\n"
41692 -+ " movnti %%eax, %%es:24(%3)\n"
41693 -+ " movnti %%edx, %%es:28(%3)\n"
41694 - "11: movl 32(%4), %%eax\n"
41695 - "61: movl 36(%4), %%edx\n"
41696 -- " movnti %%eax, 32(%3)\n"
41697 -- " movnti %%edx, 36(%3)\n"
41698 -+ " movnti %%eax, %%es:32(%3)\n"
41699 -+ " movnti %%edx, %%es:36(%3)\n"
41700 - "12: movl 40(%4), %%eax\n"
41701 - "71: movl 44(%4), %%edx\n"
41702 -- " movnti %%eax, 40(%3)\n"
41703 -- " movnti %%edx, 44(%3)\n"
41704 -+ " movnti %%eax, %%es:40(%3)\n"
41705 -+ " movnti %%edx, %%es:44(%3)\n"
41706 - "13: movl 48(%4), %%eax\n"
41707 - "81: movl 52(%4), %%edx\n"
41708 -- " movnti %%eax, 48(%3)\n"
41709 -- " movnti %%edx, 52(%3)\n"
41710 -+ " movnti %%eax, %%es:48(%3)\n"
41711 -+ " movnti %%edx, %%es:52(%3)\n"
41712 - "14: movl 56(%4), %%eax\n"
41713 - "91: movl 60(%4), %%edx\n"
41714 -- " movnti %%eax, 56(%3)\n"
41715 -- " movnti %%edx, 60(%3)\n"
41716 -+ " movnti %%eax, %%es:56(%3)\n"
41717 -+ " movnti %%edx, %%es:60(%3)\n"
41718 - " addl $-64, %0\n"
41719 - " addl $64, %4\n"
41720 - " addl $64, %3\n"
41721 -@@ -490,6 +620,8 @@ static unsigned long __copy_user_zeroing
41722 - " movl %%eax,%0\n"
41723 - "7: rep; movsb\n"
41724 - "8:\n"
41725 -+ " pushl %%ss\n"
41726 -+ " popl %%ds\n"
41727 - ".section .fixup,\"ax\"\n"
41728 - "9: lea 0(%%eax,%0,4),%0\n"
41729 - "16: pushl %0\n"
41730 -@@ -524,7 +656,7 @@ static unsigned long __copy_user_zeroing
41731 - " .long 7b,16b\n"
41732 - ".previous"
41733 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41734 -- : "1"(to), "2"(from), "0"(size)
41735 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41736 - : "eax", "edx", "memory");
41737 - return size;
41738 - }
41739 -@@ -535,6 +667,7 @@ static unsigned long __copy_user_intel_n
41740 - int d0, d1;
41741 -
41742 - __asm__ __volatile__(
41743 -+ " movw %w6, %%ds\n"
41744 - " .align 2,0x90\n"
41745 - "0: movl 32(%4), %%eax\n"
41746 - " cmpl $67, %0\n"
41747 -@@ -543,36 +676,36 @@ static unsigned long __copy_user_intel_n
41748 - " .align 2,0x90\n"
41749 - "2: movl 0(%4), %%eax\n"
41750 - "21: movl 4(%4), %%edx\n"
41751 -- " movnti %%eax, 0(%3)\n"
41752 -- " movnti %%edx, 4(%3)\n"
41753 -+ " movnti %%eax, %%es:0(%3)\n"
41754 -+ " movnti %%edx, %%es:4(%3)\n"
41755 - "3: movl 8(%4), %%eax\n"
41756 - "31: movl 12(%4),%%edx\n"
41757 -- " movnti %%eax, 8(%3)\n"
41758 -- " movnti %%edx, 12(%3)\n"
41759 -+ " movnti %%eax, %%es:8(%3)\n"
41760 -+ " movnti %%edx, %%es:12(%3)\n"
41761 - "4: movl 16(%4), %%eax\n"
41762 - "41: movl 20(%4), %%edx\n"
41763 -- " movnti %%eax, 16(%3)\n"
41764 -- " movnti %%edx, 20(%3)\n"
41765 -+ " movnti %%eax, %%es:16(%3)\n"
41766 -+ " movnti %%edx, %%es:20(%3)\n"
41767 - "10: movl 24(%4), %%eax\n"
41768 - "51: movl 28(%4), %%edx\n"
41769 -- " movnti %%eax, 24(%3)\n"
41770 -- " movnti %%edx, 28(%3)\n"
41771 -+ " movnti %%eax, %%es:24(%3)\n"
41772 -+ " movnti %%edx, %%es:28(%3)\n"
41773 - "11: movl 32(%4), %%eax\n"
41774 - "61: movl 36(%4), %%edx\n"
41775 -- " movnti %%eax, 32(%3)\n"
41776 -- " movnti %%edx, 36(%3)\n"
41777 -+ " movnti %%eax, %%es:32(%3)\n"
41778 -+ " movnti %%edx, %%es:36(%3)\n"
41779 - "12: movl 40(%4), %%eax\n"
41780 - "71: movl 44(%4), %%edx\n"
41781 -- " movnti %%eax, 40(%3)\n"
41782 -- " movnti %%edx, 44(%3)\n"
41783 -+ " movnti %%eax, %%es:40(%3)\n"
41784 -+ " movnti %%edx, %%es:44(%3)\n"
41785 - "13: movl 48(%4), %%eax\n"
41786 - "81: movl 52(%4), %%edx\n"
41787 -- " movnti %%eax, 48(%3)\n"
41788 -- " movnti %%edx, 52(%3)\n"
41789 -+ " movnti %%eax, %%es:48(%3)\n"
41790 -+ " movnti %%edx, %%es:52(%3)\n"
41791 - "14: movl 56(%4), %%eax\n"
41792 - "91: movl 60(%4), %%edx\n"
41793 -- " movnti %%eax, 56(%3)\n"
41794 -- " movnti %%edx, 60(%3)\n"
41795 -+ " movnti %%eax, %%es:56(%3)\n"
41796 -+ " movnti %%edx, %%es:60(%3)\n"
41797 - " addl $-64, %0\n"
41798 - " addl $64, %4\n"
41799 - " addl $64, %3\n"
41800 -@@ -587,6 +720,8 @@ static unsigned long __copy_user_intel_n
41801 - " movl %%eax,%0\n"
41802 - "7: rep; movsb\n"
41803 - "8:\n"
41804 -+ " pushl %%ss\n"
41805 -+ " popl %%ds\n"
41806 - ".section .fixup,\"ax\"\n"
41807 - "9: lea 0(%%eax,%0,4),%0\n"
41808 - "16: jmp 8b\n"
41809 -@@ -615,7 +750,7 @@ static unsigned long __copy_user_intel_n
41810 - " .long 7b,16b\n"
41811 - ".previous"
41812 - : "=&c"(size), "=&D" (d0), "=&S" (d1)
41813 -- : "1"(to), "2"(from), "0"(size)
41814 -+ : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
41815 - : "eax", "edx", "memory");
41816 - return size;
41817 - }
41818 -@@ -628,90 +763,146 @@ static unsigned long __copy_user_intel_n
41819 - */
41820 - unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
41821 - unsigned long size);
41822 --unsigned long __copy_user_intel(void __user *to, const void *from,
41823 -+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
41824 -+ unsigned long size);
41825 -+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
41826 - unsigned long size);
41827 - unsigned long __copy_user_zeroing_intel_nocache(void *to,
41828 - const void __user *from, unsigned long size);
41829 - #endif /* CONFIG_X86_INTEL_USERCOPY */
41830 -
41831 - /* Generic arbitrary sized copy. */
41832 --#define __copy_user(to,from,size) \
41833 --do { \
41834 -- int __d0, __d1, __d2; \
41835 -- __asm__ __volatile__( \
41836 -- " cmp $7,%0\n" \
41837 -- " jbe 1f\n" \
41838 -- " movl %1,%0\n" \
41839 -- " negl %0\n" \
41840 -- " andl $7,%0\n" \
41841 -- " subl %0,%3\n" \
41842 -- "4: rep; movsb\n" \
41843 -- " movl %3,%0\n" \
41844 -- " shrl $2,%0\n" \
41845 -- " andl $3,%3\n" \
41846 -- " .align 2,0x90\n" \
41847 -- "0: rep; movsl\n" \
41848 -- " movl %3,%0\n" \
41849 -- "1: rep; movsb\n" \
41850 -- "2:\n" \
41851 -- ".section .fixup,\"ax\"\n" \
41852 -- "5: addl %3,%0\n" \
41853 -- " jmp 2b\n" \
41854 -- "3: lea 0(%3,%0,4),%0\n" \
41855 -- " jmp 2b\n" \
41856 -- ".previous\n" \
41857 -- ".section __ex_table,\"a\"\n" \
41858 -- " .align 4\n" \
41859 -- " .long 4b,5b\n" \
41860 -- " .long 0b,3b\n" \
41861 -- " .long 1b,2b\n" \
41862 -- ".previous" \
41863 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
41864 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
41865 -- : "memory"); \
41866 --} while (0)
41867 --
41868 --#define __copy_user_zeroing(to,from,size) \
41869 --do { \
41870 -- int __d0, __d1, __d2; \
41871 -- __asm__ __volatile__( \
41872 -- " cmp $7,%0\n" \
41873 -- " jbe 1f\n" \
41874 -- " movl %1,%0\n" \
41875 -- " negl %0\n" \
41876 -- " andl $7,%0\n" \
41877 -- " subl %0,%3\n" \
41878 -- "4: rep; movsb\n" \
41879 -- " movl %3,%0\n" \
41880 -- " shrl $2,%0\n" \
41881 -- " andl $3,%3\n" \
41882 -- " .align 2,0x90\n" \
41883 -- "0: rep; movsl\n" \
41884 -- " movl %3,%0\n" \
41885 -- "1: rep; movsb\n" \
41886 -- "2:\n" \
41887 -- ".section .fixup,\"ax\"\n" \
41888 -- "5: addl %3,%0\n" \
41889 -- " jmp 6f\n" \
41890 -- "3: lea 0(%3,%0,4),%0\n" \
41891 -- "6: pushl %0\n" \
41892 -- " pushl %%eax\n" \
41893 -- " xorl %%eax,%%eax\n" \
41894 -- " rep; stosb\n" \
41895 -- " popl %%eax\n" \
41896 -- " popl %0\n" \
41897 -- " jmp 2b\n" \
41898 -- ".previous\n" \
41899 -- ".section __ex_table,\"a\"\n" \
41900 -- " .align 4\n" \
41901 -- " .long 4b,5b\n" \
41902 -- " .long 0b,3b\n" \
41903 -- " .long 1b,6b\n" \
41904 -- ".previous" \
41905 -- : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
41906 -- : "3"(size), "0"(size), "1"(to), "2"(from) \
41907 -- : "memory"); \
41908 --} while (0)
41909 -+static unsigned long
41910 -+__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
41911 -+{
41912 -+ int __d0, __d1, __d2;
41913 -+
41914 -+ __asm__ __volatile__(
41915 -+ " movw %w8,%%es\n"
41916 -+ " cmp $7,%0\n"
41917 -+ " jbe 1f\n"
41918 -+ " movl %1,%0\n"
41919 -+ " negl %0\n"
41920 -+ " andl $7,%0\n"
41921 -+ " subl %0,%3\n"
41922 -+ "4: rep; movsb\n"
41923 -+ " movl %3,%0\n"
41924 -+ " shrl $2,%0\n"
41925 -+ " andl $3,%3\n"
41926 -+ " .align 2,0x90\n"
41927 -+ "0: rep; movsl\n"
41928 -+ " movl %3,%0\n"
41929 -+ "1: rep; movsb\n"
41930 -+ "2:\n"
41931 -+ " pushl %%ss\n"
41932 -+ " popl %%es\n"
41933 -+ ".section .fixup,\"ax\"\n"
41934 -+ "5: addl %3,%0\n"
41935 -+ " jmp 2b\n"
41936 -+ "3: lea 0(%3,%0,4),%0\n"
41937 -+ " jmp 2b\n"
41938 -+ ".previous\n"
41939 -+ ".section __ex_table,\"a\"\n"
41940 -+ " .align 4\n"
41941 -+ " .long 4b,5b\n"
41942 -+ " .long 0b,3b\n"
41943 -+ " .long 1b,2b\n"
41944 -+ ".previous"
41945 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
41946 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
41947 -+ : "memory");
41948 -+ return size;
41949 -+}
41950 -+
41951 -+static unsigned long
41952 -+__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
41953 -+{
41954 -+ int __d0, __d1, __d2;
41955 -+
41956 -+ __asm__ __volatile__(
41957 -+ " movw %w8,%%ds\n"
41958 -+ " cmp $7,%0\n"
41959 -+ " jbe 1f\n"
41960 -+ " movl %1,%0\n"
41961 -+ " negl %0\n"
41962 -+ " andl $7,%0\n"
41963 -+ " subl %0,%3\n"
41964 -+ "4: rep; movsb\n"
41965 -+ " movl %3,%0\n"
41966 -+ " shrl $2,%0\n"
41967 -+ " andl $3,%3\n"
41968 -+ " .align 2,0x90\n"
41969 -+ "0: rep; movsl\n"
41970 -+ " movl %3,%0\n"
41971 -+ "1: rep; movsb\n"
41972 -+ "2:\n"
41973 -+ " pushl %%ss\n"
41974 -+ " popl %%ds\n"
41975 -+ ".section .fixup,\"ax\"\n"
41976 -+ "5: addl %3,%0\n"
41977 -+ " jmp 2b\n"
41978 -+ "3: lea 0(%3,%0,4),%0\n"
41979 -+ " jmp 2b\n"
41980 -+ ".previous\n"
41981 -+ ".section __ex_table,\"a\"\n"
41982 -+ " .align 4\n"
41983 -+ " .long 4b,5b\n"
41984 -+ " .long 0b,3b\n"
41985 -+ " .long 1b,2b\n"
41986 -+ ".previous"
41987 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
41988 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
41989 -+ : "memory");
41990 -+ return size;
41991 -+}
41992 -+
41993 -+static unsigned long
41994 -+__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
41995 -+{
41996 -+ int __d0, __d1, __d2;
41997 -+
41998 -+ __asm__ __volatile__(
41999 -+ " movw %w8,%%ds\n"
42000 -+ " cmp $7,%0\n"
42001 -+ " jbe 1f\n"
42002 -+ " movl %1,%0\n"
42003 -+ " negl %0\n"
42004 -+ " andl $7,%0\n"
42005 -+ " subl %0,%3\n"
42006 -+ "4: rep; movsb\n"
42007 -+ " movl %3,%0\n"
42008 -+ " shrl $2,%0\n"
42009 -+ " andl $3,%3\n"
42010 -+ " .align 2,0x90\n"
42011 -+ "0: rep; movsl\n"
42012 -+ " movl %3,%0\n"
42013 -+ "1: rep; movsb\n"
42014 -+ "2:\n"
42015 -+ " pushl %%ss\n"
42016 -+ " popl %%ds\n"
42017 -+ ".section .fixup,\"ax\"\n"
42018 -+ "5: addl %3,%0\n"
42019 -+ " jmp 6f\n"
42020 -+ "3: lea 0(%3,%0,4),%0\n"
42021 -+ "6: pushl %0\n"
42022 -+ " pushl %%eax\n"
42023 -+ " xorl %%eax,%%eax\n"
42024 -+ " rep; stosb\n"
42025 -+ " popl %%eax\n"
42026 -+ " popl %0\n"
42027 -+ " jmp 2b\n"
42028 -+ ".previous\n"
42029 -+ ".section __ex_table,\"a\"\n"
42030 -+ " .align 4\n"
42031 -+ " .long 4b,5b\n"
42032 -+ " .long 0b,3b\n"
42033 -+ " .long 1b,6b\n"
42034 -+ ".previous"
42035 -+ : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
42036 -+ : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
42037 -+ : "memory");
42038 -+ return size;
42039 -+}
42040 -
42041 - unsigned long __copy_to_user_ll(void __user *to, const void *from,
42042 - unsigned long n)
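Review bot: in `__copy_user_zeroing()` the zeroing fixup at `6:` (`rep; stosb` with %ecx = remaining bytes, %edi = unwritten part of `to`) runs while %ds still holds `__USER_DS`, because the `pushl %%ss` / `popl %%ds` restore sits at `2:` and the fixup only reaches it via the trailing `jmp 2b`. That is correct as written, since `stosb` writes through ES:EDI and `pushl`/`popl` use SS, but it is exactly the kind of detail a future fixup edit will break (any DS-relative access there would hit the user segment); please state it in a comment next to `6:`. Style: `__generic_copy_to_user()` and `__generic_copy_from_user()` are byte-for-byte identical apart from `%%es` versus `%%ds`, and `__copy_user_zeroing()` differs from the latter only in its fixup, so one macro taking the segment register and the fixup body would replace three copies of the alignment preamble and exception table. Operand numbering checks out: outputs 0..3, tied inputs 4..7, so `%w8` is the selector in all three.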
42043 -@@ -774,9 +965,9 @@ survive:
42044 - }
42045 - #endif
42046 - if (movsl_is_ok(to, from, n))
42047 -- __copy_user(to, from, n);
42048 -+ n = __generic_copy_to_user(to, from, n);
42049 - else
42050 -- n = __copy_user_intel(to, from, n);
42051 -+ n = __generic_copy_to_user_intel(to, from, n);
42052 - return n;
42053 - }
42054 - EXPORT_SYMBOL(__copy_to_user_ll);
42055 -@@ -785,7 +976,7 @@ unsigned long __copy_from_user_ll(void *
42056 - unsigned long n)
42057 - {
42058 - if (movsl_is_ok(to, from, n))
42059 -- __copy_user_zeroing(to, from, n);
42060 -+ n = __copy_user_zeroing(to, from, n);
42061 - else
42062 - n = __copy_user_zeroing_intel(to, from, n);
42063 - return n;
42064 -@@ -796,9 +987,9 @@ unsigned long __copy_from_user_ll_nozero
42065 - unsigned long n)
42066 - {
42067 - if (movsl_is_ok(to, from, n))
42068 -- __copy_user(to, from, n);
42069 -+ n = __generic_copy_from_user(to, from, n);
42070 - else
42071 -- n = __copy_user_intel((void __user *)to,
42072 -+ n = __generic_copy_from_user_intel((void __user *)to,
42073 - (const void *)from, n);
42074 - return n;
42075 - }
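Review bot: the `(void __user *)to, (const void *)from` casts are leftovers from the old call to `__copy_user_intel()`, whose parameters were `(void __user *to, const void *from)`. The replacement `__generic_copy_from_user_intel()` is declared as `(void *to, const void __user *from)`, which already matches the types of `to` and `from` in this function, so the casts now add a bogus `__user` to a kernel pointer and strip a real one from a user pointer; drop both so sparse keeps checking address spaces here.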
42076 -@@ -809,11 +1000,11 @@ unsigned long __copy_from_user_ll_nocach
42077 - {
42078 - #ifdef CONFIG_X86_INTEL_USERCOPY
42079 - if ( n > 64 && cpu_has_xmm2)
42080 -- n = __copy_user_zeroing_intel_nocache(to, from, n);
42081 -+ n = __copy_user_zeroing_intel_nocache(to, from, n);
42082 - else
42083 -- __copy_user_zeroing(to, from, n);
42084 -+ n = __copy_user_zeroing(to, from, n);
42085 - #else
42086 -- __copy_user_zeroing(to, from, n);
42087 -+ n = __copy_user_zeroing(to, from, n);
42088 - #endif
42089 - return n;
42090 - }
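Review bot: the `-`/`+` pair for `n = __copy_user_zeroing_intel_nocache(to, from, n);` is identical apart from whitespace; that line should be left out of the hunk so the diff shows only the two real changes (the `n =` assignments on the `__copy_user_zeroing()` calls). The following hunk has the same whitespace-only churn on its `__copy_user_intel_nocache()` line.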
42091 -@@ -823,11 +1014,11 @@ unsigned long __copy_from_user_ll_nocach
42092 - {
42093 - #ifdef CONFIG_X86_INTEL_USERCOPY
42094 - if ( n > 64 && cpu_has_xmm2)
42095 -- n = __copy_user_intel_nocache(to, from, n);
42096 -+ n = __copy_user_intel_nocache(to, from, n);
42097 - else
42098 -- __copy_user(to, from, n);
42099 -+ n = __generic_copy_from_user(to, from, n);
42100 - #else
42101 -- __copy_user(to, from, n);
42102 -+ n = __generic_copy_from_user(to, from, n);
42103 - #endif
42104 - return n;
42105 - }
42106 -@@ -880,3 +1071,30 @@ copy_from_user(void *to, const void __us
42107 - return n;
42108 - }
42109 - EXPORT_SYMBOL(copy_from_user);
42110 -+
42111 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42112 -+void __set_fs(mm_segment_t x, int cpu)
42113 -+{
42114 -+ unsigned long limit = x.seg;
42115 -+ __u32 a, b;
42116 -+
42117 -+ current_thread_info()->addr_limit = x;
42118 -+ if (likely(limit))
42119 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
42120 -+ pack_descriptor(&a, &b, 0UL, limit, 0xF3, 0xC);
42121 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, a, b);
42122 -+}
42123 -+
42124 -+void set_fs(mm_segment_t x)
42125 -+{
42126 -+ __set_fs(x, get_cpu());
42127 -+ put_cpu_no_resched();
42128 -+}
42129 -+#else
42130 -+void set_fs(mm_segment_t x)
42131 -+{
42132 -+ current_thread_info()->addr_limit = x;
42133 -+}
42134 -+#endif
42135 -+
42136 -+EXPORT_SYMBOL(set_fs);
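Review bot: `__set_fs()` rewrites `GDT_ENTRY_DEFAULT_USER_DS` only in the GDT of the CPU it runs on (`get_cpu_gdt_table(cpu)`), while `addr_limit` lives in the thread; this hunk does not show what keeps the two in sync when a task that called `set_fs(KERNEL_DS)` is migrated or when the next task is switched in on this CPU, so please point at (or add) the context-switch code that reprograms the entry from `next->addr_limit`, otherwise a task could run with the limit the previous occupant of the CPU installed. Two documentation points: the `if (likely(limit))` guard is there to avoid the `0 - 1UL` underflow and the `>> PAGE_SHIFT` pre-shift only works because the `0xC` flags select page granularity, so both deserve a comment alongside the `0xF3` type byte. Worth noting for reviewers of the copy routines: the new limit takes effect without any explicit segment reload because every routine above loads `__USER_DS` into %es or %ds afresh on entry.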
42137 -diff -Nurp linux-2.6.23.15/arch/i386/mach-default/setup.c linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c
42138 ---- linux-2.6.23.15/arch/i386/mach-default/setup.c 2007-10-09 21:31:38.000000000 +0100
42139 -+++ linux-2.6.23.15-grsec/arch/i386/mach-default/setup.c 2008-02-11 10:37:44.000000000 +0000
42140 -@@ -35,7 +35,7 @@ void __init pre_intr_init_hook(void)
42141 - /*
42142 - * IRQ2 is cascade interrupt to second interrupt controller
42143 - */
42144 --static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
42145 -+static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
42146 -
42147 - /**
42148 - * intr_init_hook - post gate setup interrupt initialisation
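Review bot: the two trailing `0, NULL` members appended to the positional `irq2` initialiser are already zero for a static object, so the line only exists to silence a missing-field-initialiser warning and will need touching again the next time `struct irqaction` grows. Designated initialisers (`.handler = no_action, .mask = CPU_MASK_NONE, .name = "cascade"`) say which members are meant and make the line immune to layout changes.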
42149 -diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c
42150 ---- linux-2.6.23.15/arch/i386/mach-voyager/voyager_basic.c 2007-10-09 21:31:38.000000000 +0100
42151 -+++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_basic.c 2008-02-11 10:37:44.000000000 +0000
42152 -@@ -130,7 +130,7 @@ voyager_memory_detect(int region, __u32
42153 - __u8 cmos[4];
42154 - ClickMap_t *map;
42155 - unsigned long map_addr;
42156 -- unsigned long old;
42157 -+ pte_t old;
42158 -
42159 - if(region >= CLICK_ENTRIES) {
42160 - printk("Voyager: Illegal ClickMap region %d\n", region);
42161 -@@ -144,7 +144,7 @@ voyager_memory_detect(int region, __u32
42162 -
42163 - /* steal page 0 for this */
42164 - old = pg0[0];
42165 -- pg0[0] = ((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
42166 -+ pg0[0] = __pte((map_addr & PAGE_MASK) | _PAGE_RW | _PAGE_PRESENT);
42167 - local_flush_tlb();
42168 - /* now clear everything out but page 0 */
42169 - map = (ClickMap_t *)(map_addr & (~PAGE_MASK));
42170 -diff -Nurp linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c
42171 ---- linux-2.6.23.15/arch/i386/mach-voyager/voyager_smp.c 2007-10-09 21:31:38.000000000 +0100
42172 -+++ linux-2.6.23.15-grsec/arch/i386/mach-voyager/voyager_smp.c 2008-02-11 10:37:44.000000000 +0000
42173 -@@ -554,6 +554,10 @@ do_boot_cpu(__u8 cpu)
42174 - __u32 *hijack_vector;
42175 - __u32 start_phys_address = setup_trampoline();
42176 -
42177 -+#ifdef CONFIG_PAX_KERNEXEC
42178 -+ unsigned long cr0;
42179 -+#endif
42180 -+
42181 - /* There's a clever trick to this: The linux trampoline is
42182 - * compiled to begin at absolute location zero, so make the
42183 - * address zero but have the data segment selector compensate
42184 -@@ -573,7 +577,17 @@ do_boot_cpu(__u8 cpu)
42185 -
42186 - init_gdt(cpu);
42187 - per_cpu(current_task, cpu) = idle;
42188 -- early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
42189 -+
42190 -+#ifdef CONFIG_PAX_KERNEXEC
42191 -+ pax_open_kernel(cr0);
42192 -+#endif
42193 -+
42194 -+ early_gdt_descr.address = get_cpu_gdt_table(cpu);
42195 -+
42196 -+#ifdef CONFIG_PAX_KERNEXEC
42197 -+ pax_close_kernel(cr0);
42198 -+#endif
42199 -+
42200 - irq_ctx_init(cpu);
42201 -
42202 - /* Note: Don't modify initial ss override */
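Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` window brackets exactly the one store to `early_gdt_descr.address`, which is the minimal window you want (a writable kernel text/rodata window should not stay open across `irq_ctx_init()`). The dropped `(unsigned long)` cast implies `early_gdt_descr.address` has changed to a pointer type elsewhere in the patch; since the Voyager subarch is rarely built, please confirm this file actually compiles with that change rather than relying on the default-mach build.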
42203 -@@ -1276,7 +1290,7 @@ smp_local_timer_interrupt(void)
42204 - per_cpu(prof_counter, cpu);
42205 - }
42206 -
42207 -- update_process_times(user_mode_vm(get_irq_regs()));
42208 -+ update_process_times(user_mode(get_irq_regs()));
42209 - }
42210 -
42211 - if( ((1<<cpu) & voyager_extended_vic_processors) == 0)
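Review bot: switching `update_process_times(user_mode_vm(get_irq_regs()))` to `user_mode()` changes accounting semantics unless another hunk redefines `user_mode()` or removes vm86 support: `user_mode_vm()` also treats a task running in VM86 mode (EFLAGS.VM set) as user, whereas `user_mode()` looks only at the CS privilege level, so vm86 time would be charged as system time on Voyager. The hunk carries no justification; either note why it is safe here or keep `user_mode_vm()`.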
42212 -diff -Nurp linux-2.6.23.15/arch/i386/mm/boot_ioremap.c linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c
42213 ---- linux-2.6.23.15/arch/i386/mm/boot_ioremap.c 2007-10-09 21:31:38.000000000 +0100
42214 -+++ linux-2.6.23.15-grsec/arch/i386/mm/boot_ioremap.c 2008-02-11 10:37:44.000000000 +0000
42215 -@@ -7,57 +7,37 @@
42216 - * Written by Dave Hansen <haveblue@××××××.com>
42217 - */
42218 -
42219 --
42220 --/*
42221 -- * We need to use the 2-level pagetable functions, but CONFIG_X86_PAE
42222 -- * keeps that from happenning. If anyone has a better way, I'm listening.
42223 -- *
42224 -- * boot_pte_t is defined only if this all works correctly
42225 -- */
42226 --
42227 --#undef CONFIG_X86_PAE
42228 - #undef CONFIG_PARAVIRT
42229 - #include <asm/page.h>
42230 - #include <asm/pgtable.h>
42231 - #include <asm/tlbflush.h>
42232 - #include <linux/init.h>
42233 - #include <linux/stddef.h>
42234 --
42235 --/*
42236 -- * I'm cheating here. It is known that the two boot PTE pages are
42237 -- * allocated next to each other. I'm pretending that they're just
42238 -- * one big array.
42239 -- */
42240 --
42241 --#define BOOT_PTE_PTRS (PTRS_PER_PTE*2)
42242 --
42243 --static unsigned long boot_pte_index(unsigned long vaddr)
42244 --{
42245 -- return __pa(vaddr) >> PAGE_SHIFT;
42246 --}
42247 --
42248 --static inline boot_pte_t* boot_vaddr_to_pte(void *address)
42249 --{
42250 -- boot_pte_t* boot_pg = (boot_pte_t*)pg0;
42251 -- return &boot_pg[boot_pte_index((unsigned long)address)];
42252 --}
42253 -+#include <linux/sched.h>
42254 -
42255 - /*
42256 - * This is only for a caller who is clever enough to page-align
42257 - * phys_addr and virtual_source, and who also has a preference
42258 - * about which virtual address from which to steal ptes
42259 - */
42260 --static void __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
42261 -- void* virtual_source)
42262 -+static void __init __boot_ioremap(unsigned long phys_addr, unsigned long nrpages,
42263 -+ char* virtual_source)
42264 - {
42265 -- boot_pte_t* pte;
42266 -- int i;
42267 -- char *vaddr = virtual_source;
42268 -+ pgd_t *pgd;
42269 -+ pud_t *pud;
42270 -+ pmd_t *pmd;
42271 -+ pte_t* pte;
42272 -+ unsigned int i;
42273 -+ unsigned long vaddr = (unsigned long)virtual_source;
42274 -+
42275 -+ pgd = pgd_offset_k(vaddr);
42276 -+ pud = pud_offset(pgd, vaddr);
42277 -+ pmd = pmd_offset(pud, vaddr);
42278 -+ pte = pte_offset_kernel(pmd, vaddr);
42279 -
42280 -- pte = boot_vaddr_to_pte(virtual_source);
42281 - for (i=0; i < nrpages; i++, phys_addr += PAGE_SIZE, pte++) {
42282 - set_pte(pte, pfn_pte(phys_addr>>PAGE_SHIFT, PAGE_KERNEL));
42283 -- __flush_tlb_one(&vaddr[i*PAGE_SIZE]);
42284 -+ __flush_tlb_one(&virtual_source[i*PAGE_SIZE]);
42285 - }
42286 - }
42287 -
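Review bot: the rewritten __boot_ioremap() walks to `pte_offset_kernel(pmd, vaddr)` and then does `pte++` nrpages times with no check that the range stays inside one PMD; the removed code at least documented (the "I'm cheating" comment and BOOT_PTE_PTRS) that it relied on two adjacent boot PTE pages. A caller whose range crosses a PMD boundary now runs the pointer off the end of the PTE page. Add something like `BUG_ON(pmd_index(vaddr) != pmd_index(vaddr + (nrpages - 1) * PAGE_SIZE));` before the loop, and a `pmd_present()` check before pte_offset_kernel(), since neither the pgd nor the pmd step verifies the entry exists. The added `__init` is correct.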
42288 -diff -Nurp linux-2.6.23.15/arch/i386/mm/extable.c linux-2.6.23.15-grsec/arch/i386/mm/extable.c
42289 ---- linux-2.6.23.15/arch/i386/mm/extable.c 2007-10-09 21:31:38.000000000 +0100
42290 -+++ linux-2.6.23.15-grsec/arch/i386/mm/extable.c 2008-02-11 10:37:44.000000000 +0000
42291 -@@ -4,14 +4,63 @@
42292 -
42293 - #include <linux/module.h>
42294 - #include <linux/spinlock.h>
42295 -+#include <linux/sort.h>
42296 - #include <asm/uaccess.h>
42297 -
42298 -+/*
42299 -+ * The exception table needs to be sorted so that the binary
42300 -+ * search that we use to find entries in it works properly.
42301 -+ * This is used both for the kernel exception table and for
42302 -+ * the exception tables of modules that get loaded.
42303 -+ */
42304 -+static int cmp_ex(const void *a, const void *b)
42305 -+{
42306 -+ const struct exception_table_entry *x = a, *y = b;
42307 -+
42308 -+ /* avoid overflow */
42309 -+ if (x->insn > y->insn)
42310 -+ return 1;
42311 -+ if (x->insn < y->insn)
42312 -+ return -1;
42313 -+ return 0;
42314 -+}
42315 -+
42316 -+static void swap_ex(void *a, void *b, int size)
42317 -+{
42318 -+ struct exception_table_entry t, *x = a, *y = b;
42319 -+
42320 -+#ifdef CONFIG_PAX_KERNEXEC
42321 -+ unsigned long cr0;
42322 -+#endif
42323 -+
42324 -+ t = *x;
42325 -+
42326 -+#ifdef CONFIG_PAX_KERNEXEC
42327 -+ pax_open_kernel(cr0);
42328 -+#endif
42329 -+
42330 -+ *x = *y;
42331 -+ *y = t;
42332 -+
42333 -+#ifdef CONFIG_PAX_KERNEXEC
42334 -+ pax_close_kernel(cr0);
42335 -+#endif
42336 -+
42337 -+}
42338 -+
42339 -+void sort_extable(struct exception_table_entry *start,
42340 -+ struct exception_table_entry *finish)
42341 -+{
42342 -+ sort(start, finish - start, sizeof(struct exception_table_entry),
42343 -+ cmp_ex, swap_ex);
42344 -+}
42345 -+
42346 - int fixup_exception(struct pt_regs *regs)
42347 - {
42348 - const struct exception_table_entry *fixup;
42349 -
42350 - #ifdef CONFIG_PNPBIOS
42351 -- if (unlikely(SEGMENT_IS_PNP_CODE(regs->xcs)))
42352 -+ if (unlikely(!(regs->eflags & VM_MASK) && SEGMENT_IS_PNP_CODE(regs->xcs)))
42353 - {
42354 - extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
42355 - extern u32 pnp_bios_is_utter_crap;
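Review bot: swap_ex() opens and closes the kernel write window (`pax_open_kernel(cr0)` / `pax_close_kernel(cr0)`) on every single swap, and sort() performs O(n log n) swaps over the exception table; open the window once in sort_extable() around the sort() call and let swap_ex() be a plain three-line swap. The new `!(regs->eflags & VM_MASK) &&` guard in fixup_exception() also deserves a one-line comment: in vm86 mode regs->xcs holds a real-mode segment value, so SEGMENT_IS_PNP_CODE() would be comparing something meaningless.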
42356 -diff -Nurp linux-2.6.23.15/arch/i386/mm/fault.c linux-2.6.23.15-grsec/arch/i386/mm/fault.c
42357 ---- linux-2.6.23.15/arch/i386/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
42358 -+++ linux-2.6.23.15-grsec/arch/i386/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
42359 -@@ -25,10 +25,14 @@
42360 - #include <linux/kprobes.h>
42361 - #include <linux/uaccess.h>
42362 - #include <linux/kdebug.h>
42363 -+#include <linux/unistd.h>
42364 -+#include <linux/compiler.h>
42365 -+#include <linux/binfmts.h>
42366 -
42367 - #include <asm/system.h>
42368 - #include <asm/desc.h>
42369 - #include <asm/segment.h>
42370 -+#include <asm/tlbflush.h>
42371 -
42372 - extern void die(const char *,struct pt_regs *,long);
42373 -
42374 -@@ -79,7 +83,8 @@ static inline unsigned long get_segment_
42375 - {
42376 - unsigned long eip = regs->eip;
42377 - unsigned seg = regs->xcs & 0xffff;
42378 -- u32 seg_ar, seg_limit, base, *desc;
42379 -+ u32 seg_ar, seg_limit, base;
42380 -+ struct desc_struct *desc;
42381 -
42382 - /* Unlikely, but must come before segment checks. */
42383 - if (unlikely(regs->eflags & VM_MASK)) {
42384 -@@ -93,7 +98,7 @@ static inline unsigned long get_segment_
42385 -
42386 - /* By far the most common cases. */
42387 - if (likely(SEGMENT_IS_FLAT_CODE(seg)))
42388 -- return eip;
42389 -+ return eip + (seg == __KERNEL_CS ? __KERNEL_TEXT_OFFSET : 0);
42390 -
42391 - /* Check the segment exists, is within the current LDT/GDT size,
42392 - that kernel/user (ring 0..3) has the appropriate privilege,
42393 -@@ -111,16 +116,19 @@ static inline unsigned long get_segment_
42394 - if (seg & (1<<2)) {
42395 - /* Must lock the LDT while reading it. */
42396 - down(&current->mm->context.sem);
42397 -- desc = current->mm->context.ldt;
42398 -- desc = (void *)desc + (seg & ~7);
42399 -+ if ((seg >> 3) >= current->mm->context.size) {
42400 -+ up(&current->mm->context.sem);
42401 -+ *eip_limit = 0;
42402 -+ return 1; /* So that returned eip > *eip_limit. */
42403 -+ }
42404 -+ desc = &current->mm->context.ldt[seg >> 3];
42405 - } else {
42406 - /* Must disable preemption while reading the GDT. */
42407 -- desc = (u32 *)get_cpu_gdt_table(get_cpu());
42408 -- desc = (void *)desc + (seg & ~7);
42409 -+ desc = &get_cpu_gdt_table(get_cpu())[seg >> 3];
42410 - }
42411 -
42412 - /* Decode the code segment base from the descriptor */
42413 -- base = get_desc_base((unsigned long *)desc);
42414 -+ base = get_desc_base(desc);
42415 -
42416 - if (seg & (1<<2)) {
42417 - up(&current->mm->context.sem);
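Review bot: the new LDT bound check, `if ((seg >> 3) >= current->mm->context.size)`, fixes an out-of-bounds read of mm->context.ldt and should be called out in the commit message as an independent fix, but the GDT branch directly below it still has no bound at all: `desc = &get_cpu_gdt_table(get_cpu())[seg >> 3]` indexes by up to 8191 for a 16-bit selector, while the comment above this code promises the segment is checked against the current LDT/GDT size. Mirror the LDT check with `if ((seg >> 3) >= GDT_ENTRIES)` and the same `*eip_limit = 0; return 1;` fallback.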
42418 -@@ -221,6 +229,30 @@ static noinline void force_sig_info_faul
42419 -
42420 - fastcall void do_invalid_op(struct pt_regs *, unsigned long);
42421 -
42422 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42423 -+static int pax_handle_fetch_fault(struct pt_regs *regs);
42424 -+#endif
42425 -+
42426 -+#ifdef CONFIG_PAX_PAGEEXEC
42427 -+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
42428 -+{
42429 -+ pgd_t *pgd;
42430 -+ pud_t *pud;
42431 -+ pmd_t *pmd;
42432 -+
42433 -+ pgd = pgd_offset(mm, address);
42434 -+ if (!pgd_present(*pgd))
42435 -+ return NULL;
42436 -+ pud = pud_offset(pgd, address);
42437 -+ if (!pud_present(*pud))
42438 -+ return NULL;
42439 -+ pmd = pmd_offset(pud, address);
42440 -+ if (!pmd_present(*pmd))
42441 -+ return NULL;
42442 -+ return pmd;
42443 -+}
42444 -+#endif
42445 -+
42446 - static inline pmd_t *vmalloc_sync_one(pgd_t *pgd, unsigned long address)
42447 - {
42448 - unsigned index = pgd_index(address);
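Review bot: the forward declaration of pax_handle_fetch_fault() is guarded by `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC`, but its definition at the end of this file and both call sites are guarded by CONFIG_PAX_EMUTRAMP, so a PAGEEXEC build without EMUTRAMP has a static function declared but never defined, which gcc warns about. Use the same guard on the declaration. Separately, pax_get_pmd() returns any present pmd, and its caller hands the result to pte_offset_map_lock(); a PSE (large page) pmd would then be dereferenced as if it were a page-table page. Return NULL when `pmd_val(*pmd) & _PAGE_PSE` is set.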
42449 -@@ -304,14 +336,21 @@ fastcall void __kprobes do_page_fault(st
42450 - struct task_struct *tsk;
42451 - struct mm_struct *mm;
42452 - struct vm_area_struct * vma;
42453 -- unsigned long address;
42454 - int write, si_code;
42455 - int fault;
42456 -+ pte_t *pte;
42457 -+
42458 -+#ifdef CONFIG_PAX_PAGEEXEC
42459 -+ pmd_t *pmd;
42460 -+ spinlock_t *ptl;
42461 -+ unsigned char pte_mask;
42462 -+#endif
42463 -
42464 - /* get the address */
42465 -- address = read_cr2();
42466 -+ const unsigned long address = read_cr2();
42467 -
42468 - tsk = current;
42469 -+ mm = tsk->mm;
42470 -
42471 - si_code = SEGV_MAPERR;
42472 -
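Review bot: `pte_t *pte;` is now declared unconditionally in do_page_fault(), but in this patch it is only assigned under CONFIG_PAX_PAGEEXEC (the pte_offset_map_lock() path) and under CONFIG_X86_PAE (the lookup_address() call in the no_context hunk), so a non-PAE build without PAGEEXEC gets an unused-variable warning. Keep the declaration inside the same guards, or leave the PAE block's local as it was. Hoisting `mm = tsk->mm;` up here is fine, but it is a separate cleanup and would be easier to review on its own.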
42473 -@@ -348,14 +387,12 @@ fastcall void __kprobes do_page_fault(st
42474 - if (regs->eflags & (X86_EFLAGS_IF|VM_MASK))
42475 - local_irq_enable();
42476 -
42477 -- mm = tsk->mm;
42478 --
42479 - /*
42480 - * If we're in an interrupt, have no user context or are running in an
42481 - * atomic region then we must not take the fault..
42482 - */
42483 - if (in_atomic() || !mm)
42484 -- goto bad_area_nosemaphore;
42485 -+ goto bad_area_nopax;
42486 -
42487 - /* When running in the kernel we expect faults to occur only to
42488 - * addresses in user space. All other faults represent errors in the
42489 -@@ -375,10 +412,104 @@ fastcall void __kprobes do_page_fault(st
42490 - if (!down_read_trylock(&mm->mmap_sem)) {
42491 - if ((error_code & 4) == 0 &&
42492 - !search_exception_tables(regs->eip))
42493 -- goto bad_area_nosemaphore;
42494 -+ goto bad_area_nopax;
42495 - down_read(&mm->mmap_sem);
42496 - }
42497 -
42498 -+#ifdef CONFIG_PAX_PAGEEXEC
42499 -+ if (nx_enabled || (error_code & 5) != 5 || (regs->eflags & X86_EFLAGS_VM) ||
42500 -+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
42501 -+ goto not_pax_fault;
42502 -+
42503 -+ /* PaX: it's our fault, let's handle it if we can */
42504 -+
42505 -+ /* PaX: take a look at read faults before acquiring any locks */
42506 -+ if (unlikely(!(error_code & 2) && (regs->eip == address))) {
42507 -+ /* instruction fetch attempt from a protected page in user mode */
42508 -+ up_read(&mm->mmap_sem);
42509 -+
42510 -+#ifdef CONFIG_PAX_EMUTRAMP
42511 -+ switch (pax_handle_fetch_fault(regs)) {
42512 -+ case 2:
42513 -+ return;
42514 -+ }
42515 -+#endif
42516 -+
42517 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42518 -+ do_exit(SIGKILL);
42519 -+ }
42520 -+
42521 -+ pmd = pax_get_pmd(mm, address);
42522 -+ if (unlikely(!pmd))
42523 -+ goto not_pax_fault;
42524 -+
42525 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
42526 -+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
42527 -+ pte_unmap_unlock(pte, ptl);
42528 -+ goto not_pax_fault;
42529 -+ }
42530 -+
42531 -+ if (unlikely((error_code & 2) && !pte_write(*pte))) {
42532 -+ /* write attempt to a protected page in user mode */
42533 -+ pte_unmap_unlock(pte, ptl);
42534 -+ goto not_pax_fault;
42535 -+ }
42536 -+
42537 -+#ifdef CONFIG_SMP
42538 -+ if (likely(address > get_limit(regs->xcs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
42539 -+#else
42540 -+ if (likely(address > get_limit(regs->xcs)))
42541 -+#endif
42542 -+ {
42543 -+ set_pte(pte, pte_mkread(*pte));
42544 -+ __flush_tlb_one(address);
42545 -+ pte_unmap_unlock(pte, ptl);
42546 -+ up_read(&mm->mmap_sem);
42547 -+ return;
42548 -+ }
42549 -+
42550 -+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & 2) << (_PAGE_BIT_DIRTY-1));
42551 -+
42552 -+ /*
42553 -+ * PaX: fill DTLB with user rights and retry
42554 -+ */
42555 -+ __asm__ __volatile__ (
42556 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42557 -+ "movw %w4,%%es\n"
42558 -+#endif
42559 -+ "orb %2,(%1)\n"
42560 -+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
42561 -+/*
42562 -+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
42563 -+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
42564 -+ * page fault when examined during a TLB load attempt. this is true not only
42565 -+ * for PTEs holding a non-present entry but also present entries that will
42566 -+ * raise a page fault (such as those set up by PaX, or the copy-on-write
42567 -+ * mechanism). in effect it means that we do *not* need to flush the TLBs
42568 -+ * for our target pages since their PTEs are simply not in the TLBs at all.
42569 -+
42570 -+ * the best thing in omitting it is that we gain around 15-20% speed in the
42571 -+ * fast path of the page fault handler and can get rid of tracing since we
42572 -+ * can no longer flush unintended entries.
42573 -+ */
42574 -+ "invlpg (%0)\n"
42575 -+#endif
42576 -+ "testb $0,%%es:(%0)\n"
42577 -+ "xorb %3,(%1)\n"
42578 -+#ifdef CONFIG_PAX_MEMORY_UDEREF
42579 -+ "pushl %%ss\n"
42580 -+ "popl %%es\n"
42581 -+#endif
42582 -+ :
42583 -+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
42584 -+ : "memory", "cc");
42585 -+ pte_unmap_unlock(pte, ptl);
42586 -+ up_read(&mm->mmap_sem);
42587 -+ return;
42588 -+
42589 -+not_pax_fault:
42590 -+#endif
42591 -+
42592 - vma = find_vma(mm, address);
42593 - if (!vma)
42594 - goto bad_area;
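Review bot: this hunk adds roughly ninety lines of PAGEEXEC handling inline in do_page_fault() using raw bit masks (`(error_code & 5) != 5`, `error_code & 2`, later `error_code & 16` and `error_code & 3`); factor it into a helper (a static function returning whether the fault was handled, invoked where `not_pax_fault:` now sits) and name the bits once (bit 0 present, bit 1 write, bit 2 user, bit 4 instruction fetch), since the same masks recur in the bad_area_nosemaphore and no_context hunks. The `up_read(&mm->mmap_sem)` before pax_handle_fetch_fault() is required because that function's get_user() calls can re-enter the fault handler; say so in a comment, as it otherwise looks like an unbalanced unlock on the read-fault path. The `pte_mask` expression `(error_code & 2) << (_PAGE_BIT_DIRTY-1)` maps the write bit onto _PAGE_DIRTY and is correct, but a comment saying so would spare the next reader the arithmetic.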
42595 -@@ -396,6 +527,12 @@ fastcall void __kprobes do_page_fault(st
42596 - if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
42597 - goto bad_area;
42598 - }
42599 -+
42600 -+#ifdef CONFIG_PAX_SEGMEXEC
42601 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)
42602 -+ goto bad_area;
42603 -+#endif
42604 -+
42605 - if (expand_stack(vma, address))
42606 - goto bad_area;
42607 - /*
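Review bot: the SEGMEXEC stack-expansion test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to detect that vm_end and address lie on opposite sides of SEGMEXEC_TASK_SIZE (so the stack VMA is never grown across the segment boundary); without a comment that reads like an off-by-one bug. Either add the comment or, given that address < vma->vm_end here, write it as the explicit `(vma->vm_end <= SEGMEXEC_TASK_SIZE) != (address <= SEGMEXEC_TASK_SIZE)`.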
42608 -@@ -405,6 +542,8 @@ fastcall void __kprobes do_page_fault(st
42609 - good_area:
42610 - si_code = SEGV_ACCERR;
42611 - write = 0;
42612 -+ if (nx_enabled && (error_code & 16) && !(vma->vm_flags & VM_EXEC))
42613 -+ goto bad_area;
42614 - switch (error_code & 3) {
42615 - default: /* 3: write, present */
42616 - /* fall through */
42617 -@@ -458,6 +597,41 @@ bad_area:
42618 - up_read(&mm->mmap_sem);
42619 -
42620 - bad_area_nosemaphore:
42621 -+
42622 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42623 -+ if (mm && (error_code & 4) && !(regs->eflags & X86_EFLAGS_VM)) {
42624 -+ /*
42625 -+ * It's possible to have interrupts off here.
42626 -+ */
42627 -+ local_irq_enable();
42628 -+
42629 -+#ifdef CONFIG_PAX_PAGEEXEC
42630 -+ if ((nx_enabled && (error_code & 16)) ||
42631 -+ ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
42632 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42633 -+ do_exit(SIGKILL);
42634 -+ }
42635 -+#endif
42636 -+
42637 -+#ifdef CONFIG_PAX_SEGMEXEC
42638 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & 3) && (regs->eip + SEGMEXEC_TASK_SIZE == address)) {
42639 -+
42640 -+#ifdef CONFIG_PAX_EMUTRAMP
42641 -+ switch (pax_handle_fetch_fault(regs)) {
42642 -+ case 2:
42643 -+ return;
42644 -+ }
42645 -+#endif
42646 -+
42647 -+ pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
42648 -+ do_exit(SIGKILL);
42649 -+ }
42650 -+#endif
42651 -+
42652 -+ }
42653 -+#endif
42654 -+
42655 -+bad_area_nopax:
42656 - /* User mode accesses just cause a SIGSEGV */
42657 - if (error_code & 4) {
42658 - /*
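Review bot: `do_exit(SIGKILL)` terminates only the faulting thread, so in a multi-threaded process the remaining threads keep running after a reported exploit attempt; do_group_exit(SIGKILL) is the primitive that ends the whole thread group, and that is what the report implies. The `pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp); do_exit(SIGKILL);` pair is repeated in the PAGEEXEC and SEGMEXEC branches here and again in the fetch-fault path earlier in this file; fold it into one helper so the kill semantics are fixed in one place. The `mm &&` guard is defensive only, since the `in_atomic() || !mm` path now jumps past this block to bad_area_nopax; a comment would save the next reader from checking.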
42659 -@@ -495,7 +669,7 @@ bad_area_nosemaphore:
42660 - if (boot_cpu_data.f00f_bug) {
42661 - unsigned long nr;
42662 -
42663 -- nr = (address - idt_descr.address) >> 3;
42664 -+ nr = (address - (unsigned long)idt_descr.address) >> 3;
42665 -
42666 - if (nr == 6) {
42667 - do_invalid_op(regs, 0);
42668 -@@ -528,18 +702,34 @@ no_context:
42669 - __typeof__(pte_val(__pte(0))) page;
42670 -
42671 - #ifdef CONFIG_X86_PAE
42672 -- if (error_code & 16) {
42673 -- pte_t *pte = lookup_address(address);
42674 -+ if (nx_enabled && (error_code & 16)) {
42675 -+ pte = lookup_address(address);
42676 -
42677 - if (pte && pte_present(*pte) && !pte_exec_kernel(*pte))
42678 - printk(KERN_CRIT "kernel tried to execute "
42679 - "NX-protected page - exploit attempt? "
42680 -- "(uid: %d)\n", current->uid);
42681 -+ "(uid: %d, task: %s, pid: %d)\n",
42682 -+ current->uid, current->comm, current->pid);
42683 - }
42684 - #endif
42685 - if (address < PAGE_SIZE)
42686 - printk(KERN_ALERT "BUG: unable to handle kernel NULL "
42687 - "pointer dereference");
42688 -+
42689 -+#ifdef CONFIG_PAX_KERNEXEC
42690 -+#ifdef CONFIG_MODULES
42691 -+ else if (init_mm.start_code <= address && address < (unsigned long)MODULES_END)
42692 -+#else
42693 -+ else if (init_mm.start_code <= address && address < init_mm.end_code)
42694 -+#endif
42695 -+ if (tsk->signal->curr_ip)
42696 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
42697 -+ NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
42698 -+ else
42699 -+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
42700 -+ tsk->comm, tsk->pid, tsk->uid, tsk->euid);
42701 -+#endif
42702 -+
42703 - else
42704 - printk(KERN_ALERT "BUG: unable to handle kernel paging"
42705 - " request");
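Review bot: the KERNEXEC branch reports "attempted to modify kernel code" for any kernel-mode fault whose address lies in [init_mm.start_code, MODULES_END) without looking at the write bit, so a read or instruction fetch from an unmapped module address, or any plain bug in that range, is logged as a modification attempt; add `(error_code & 2)` to the condition. The braceless `else if` whose body is an `if`/`else` hidden between `#ifdef CONFIG_MODULES` and `#ifdef CONFIG_PAX_KERNEXEC` is legal C (the trailing `else` binds to the `else if`), but it is fragile; wrap the body in braces. The extra `task: %s, pid: %d` fields in the NX message are a useful addition.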
42706 -@@ -570,7 +760,7 @@ no_context:
42707 - * it's allocated already.
42708 - */
42709 - if ((page >> PAGE_SHIFT) < max_low_pfn
42710 -- && (page & _PAGE_PRESENT)) {
42711 -+ && (page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT) {
42712 - page &= PAGE_MASK;
42713 - page = ((__typeof__(page) *) __va(page))[(address >> PAGE_SHIFT)
42714 - & (PTRS_PER_PTE - 1)];
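Review bot: `(page & (_PAGE_PRESENT | _PAGE_PSE)) == _PAGE_PRESENT` is a genuine fix independent of PaX: the oops dump previously treated a large-page directory entry as a pointer to a page table and printed a bogus `*pte`. Split it out with a one-line comment ("large pages have no PTE level") so it can go upstream separately.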
42715 -@@ -655,3 +845,92 @@ void vmalloc_sync_all(void)
42716 - start = address + PGDIR_SIZE;
42717 - }
42718 - }
42719 -+
42720 -+#ifdef CONFIG_PAX_EMUTRAMP
42721 -+/*
42722 -+ * PaX: decide what to do with offenders (regs->eip = fault address)
42723 -+ *
42724 -+ * returns 1 when task should be killed
42725 -+ * 2 when gcc trampoline was detected
42726 -+ */
42727 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
42728 -+{
42729 -+ int err;
42730 -+
42731 -+ if (regs->eflags & X86_EFLAGS_VM)
42732 -+ return 1;
42733 -+
42734 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
42735 -+ return 1;
42736 -+
42737 -+ do { /* PaX: gcc trampoline emulation #1 */
42738 -+ unsigned char mov1, mov2;
42739 -+ unsigned short jmp;
42740 -+ unsigned long addr1, addr2;
42741 -+
42742 -+ err = get_user(mov1, (unsigned char __user *)regs->eip);
42743 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
42744 -+ err |= get_user(mov2, (unsigned char __user *)(regs->eip + 5));
42745 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
42746 -+ err |= get_user(jmp, (unsigned short __user *)(regs->eip + 10));
42747 -+
42748 -+ if (err)
42749 -+ break;
42750 -+
42751 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
42752 -+ regs->ecx = addr1;
42753 -+ regs->eax = addr2;
42754 -+ regs->eip = addr2;
42755 -+ return 2;
42756 -+ }
42757 -+ } while (0);
42758 -+
42759 -+ do { /* PaX: gcc trampoline emulation #2 */
42760 -+ unsigned char mov, jmp;
42761 -+ unsigned long addr1, addr2;
42762 -+
42763 -+ err = get_user(mov, (unsigned char __user *)regs->eip);
42764 -+ err |= get_user(addr1, (unsigned long __user *)(regs->eip + 1));
42765 -+ err |= get_user(jmp, (unsigned char __user *)(regs->eip + 5));
42766 -+ err |= get_user(addr2, (unsigned long __user *)(regs->eip + 6));
42767 -+
42768 -+ if (err)
42769 -+ break;
42770 -+
42771 -+ if (mov == 0xB9 && jmp == 0xE9) {
42772 -+ regs->ecx = addr1;
42773 -+ regs->eip += addr2 + 10;
42774 -+ return 2;
42775 -+ }
42776 -+ } while (0);
42777 -+
42778 -+ return 1; /* PaX in action */
42779 -+}
42780 -+#endif
42781 -+
42782 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42783 -+void pax_report_insns(void *pc, void *sp)
42784 -+{
42785 -+ long i;
42786 -+
42787 -+ printk(KERN_ERR "PAX: bytes at PC: ");
42788 -+ for (i = 0; i < 20; i++) {
42789 -+ unsigned char c;
42790 -+ if (get_user(c, (unsigned char __user *)pc+i))
42791 -+ printk("?? ");
42792 -+ else
42793 -+ printk("%02x ", c);
42794 -+ }
42795 -+ printk("\n");
42796 -+
42797 -+ printk(KERN_ERR "PAX: bytes at SP-4: ");
42798 -+ for (i = -1; i < 20; i++) {
42799 -+ unsigned long c;
42800 -+ if (get_user(c, (unsigned long __user *)sp+i))
42801 -+ printk("???????? ");
42802 -+ else
42803 -+ printk("%08lx ", c);
42804 -+ }
42805 -+ printk("\n");
42806 -+}
42807 -+#endif
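Review bot: the two trampoline matchers hard-code byte patterns (`0xB9 imm32, 0xB8 imm32, 0xFF 0xE0` and `0xB9 imm32, 0xE9 rel32`) with no comment naming the instructions (`mov $imm,%ecx; mov $imm,%eax; jmp *%eax` and `mov $imm,%ecx; jmp rel32`) or the gcc nested-function trampoline layout they correspond to; add that, since the little-endian `jmp == 0xE0FF` test and the `+ 10` in `regs->eip += addr2 + 10` (the jmp's rel32 is relative to the end of the 10-byte sequence) are only obvious with the encoding in front of you. The header comment says a return of 1 means the task should be killed, but both callers treat every value other than 2 identically; either make the callers honour the distinction or document that 1 is the only other value. In pax_report_insns(), `(unsigned long __user *)sp+i` with i starting at -1 is what the "SP-4" label refers to; a comment would help.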
42808 -diff -Nurp linux-2.6.23.15/arch/i386/mm/hugetlbpage.c linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c
42809 ---- linux-2.6.23.15/arch/i386/mm/hugetlbpage.c 2007-10-09 21:31:38.000000000 +0100
42810 -+++ linux-2.6.23.15-grsec/arch/i386/mm/hugetlbpage.c 2008-02-11 10:37:44.000000000 +0000
42811 -@@ -229,13 +229,18 @@ static unsigned long hugetlb_get_unmappe
42812 - {
42813 - struct mm_struct *mm = current->mm;
42814 - struct vm_area_struct *vma;
42815 -- unsigned long start_addr;
42816 -+ unsigned long start_addr, task_size = TASK_SIZE;
42817 -+
42818 -+#ifdef CONFIG_PAX_SEGMEXEC
42819 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42820 -+ task_size = SEGMEXEC_TASK_SIZE;
42821 -+#endif
42822 -
42823 - if (len > mm->cached_hole_size) {
42824 -- start_addr = mm->free_area_cache;
42825 -+ start_addr = mm->free_area_cache;
42826 - } else {
42827 -- start_addr = TASK_UNMAPPED_BASE;
42828 -- mm->cached_hole_size = 0;
42829 -+ start_addr = mm->mmap_base;
42830 -+ mm->cached_hole_size = 0;
42831 - }
42832 -
42833 - full_search:
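Review bot: `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with identical text, i.e. whitespace-only churn that hides the real change (TASK_UNMAPPED_BASE replaced by mm->mmap_base, TASK_SIZE by the SEGMEXEC-aware task_size); drop the whitespace edits. The `task_size = TASK_SIZE; if (mm->pax_flags & MF_PAX_SEGMEXEC) task_size = SEGMEXEC_TASK_SIZE;` preamble is repeated in the other functions of this file below; a small static helper would keep them consistent.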
42834 -@@ -243,13 +248,13 @@ full_search:
42835 -
42836 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
42837 - /* At this point: (!vma || addr < vma->vm_end). */
42838 -- if (TASK_SIZE - len < addr) {
42839 -+ if (task_size - len < addr) {
42840 - /*
42841 - * Start a new search - just in case we missed
42842 - * some holes.
42843 - */
42844 -- if (start_addr != TASK_UNMAPPED_BASE) {
42845 -- start_addr = TASK_UNMAPPED_BASE;
42846 -+ if (start_addr != mm->mmap_base) {
42847 -+ start_addr = mm->mmap_base;
42848 - mm->cached_hole_size = 0;
42849 - goto full_search;
42850 - }
42851 -@@ -271,9 +276,8 @@ static unsigned long hugetlb_get_unmappe
42852 - {
42853 - struct mm_struct *mm = current->mm;
42854 - struct vm_area_struct *vma, *prev_vma;
42855 -- unsigned long base = mm->mmap_base, addr = addr0;
42856 -+ unsigned long base = mm->mmap_base, addr;
42857 - unsigned long largest_hole = mm->cached_hole_size;
42858 -- int first_time = 1;
42859 -
42860 - /* don't allow allocations above current base */
42861 - if (mm->free_area_cache > base)
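Review bot: dropping `first_time` and the `try_again` label removes the single retry from the top of the mmap area that the top-down search performed after failing from a stale mm->free_area_cache; a failed search now falls straight through to the bottom-up fallback (and, in the `fail:` hunk below, to rewriting mm->mmap_base). If that is intended, the commit message should say why; if not, keep the retry. Removing the `addr = addr0` initialiser is safe only if every path assigns `addr` before reading it, and the hunk does not show the function body, so please confirm.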
42862 -@@ -283,7 +287,7 @@ static unsigned long hugetlb_get_unmappe
42863 - largest_hole = 0;
42864 - mm->free_area_cache = base;
42865 - }
42866 --try_again:
42867 -+
42868 - /* make sure it can fit in the remaining address space */
42869 - if (mm->free_area_cache < len)
42870 - goto fail;
42871 -@@ -325,22 +329,26 @@ try_again:
42872 -
42873 - fail:
42874 - /*
42875 -- * if hint left us with no space for the requested
42876 -- * mapping then try again:
42877 -- */
42878 -- if (first_time) {
42879 -- mm->free_area_cache = base;
42880 -- largest_hole = 0;
42881 -- first_time = 0;
42882 -- goto try_again;
42883 -- }
42884 -- /*
42885 - * A failed mmap() very likely causes application failure,
42886 - * so fall back to the bottom-up function here. This scenario
42887 - * can happen with large stack limits and large mmap()
42888 - * allocations.
42889 - */
42890 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
42891 -+
42892 -+#ifdef CONFIG_PAX_SEGMEXEC
42893 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42894 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
42895 -+ else
42896 -+#endif
42897 -+
42898 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
42899 -+
42900 -+#ifdef CONFIG_PAX_RANDMMAP
42901 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
42902 -+ mm->mmap_base += mm->delta_mmap;
42903 -+#endif
42904 -+
42905 -+ mm->free_area_cache = mm->mmap_base;
42906 - mm->cached_hole_size = ~0UL;
42907 - addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
42908 - len, pgoff, flags);
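Review bot: the fallback overwrites mm->mmap_base (plus mm->delta_mmap under RANDMMAP) purely so that hugetlb_get_unmapped_area_bottomup() reads the value back through mm->mmap_base, and then restores it in the next hunk; mutating the mm to pass an argument is easy to get wrong, since any path that skips the restore leaves the process with a bottom-up base. Pass the base to the bottom-up function explicitly, or at least comment that the write is temporary and undone below. The `#ifdef CONFIG_PAX_SEGMEXEC ... else #endif` followed by an unconditional assignment is correct but reads badly; braces would make the intent plain.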
42909 -@@ -348,6 +356,7 @@ fail:
42910 - /*
42911 - * Restore the topdown base:
42912 - */
42913 -+ mm->mmap_base = base;
42914 - mm->free_area_cache = base;
42915 - mm->cached_hole_size = ~0UL;
42916 -
42917 -@@ -360,10 +369,17 @@ hugetlb_get_unmapped_area(struct file *f
42918 - {
42919 - struct mm_struct *mm = current->mm;
42920 - struct vm_area_struct *vma;
42921 -+ unsigned long task_size = TASK_SIZE;
42922 -
42923 - if (len & ~HPAGE_MASK)
42924 - return -EINVAL;
42925 -- if (len > TASK_SIZE)
42926 -+
42927 -+#ifdef CONFIG_PAX_SEGMEXEC
42928 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
42929 -+ task_size = SEGMEXEC_TASK_SIZE;
42930 -+#endif
42931 -+
42932 -+ if (len > task_size)
42933 - return -ENOMEM;
42934 -
42935 - if (flags & MAP_FIXED) {
42936 -@@ -375,7 +391,7 @@ hugetlb_get_unmapped_area(struct file *f
42937 - if (addr) {
42938 - addr = ALIGN(addr, HPAGE_SIZE);
42939 - vma = find_vma(mm, addr);
42940 -- if (TASK_SIZE - len >= addr &&
42941 -+ if (task_size - len >= addr &&
42942 - (!vma || addr + len <= vma->vm_start))
42943 - return addr;
42944 - }
42945 -diff -Nurp linux-2.6.23.15/arch/i386/mm/init.c linux-2.6.23.15-grsec/arch/i386/mm/init.c
42946 ---- linux-2.6.23.15/arch/i386/mm/init.c 2007-10-09 21:31:38.000000000 +0100
42947 -+++ linux-2.6.23.15-grsec/arch/i386/mm/init.c 2008-02-11 10:37:44.000000000 +0000
42948 -@@ -44,6 +44,7 @@
42949 - #include <asm/tlbflush.h>
42950 - #include <asm/sections.h>
42951 - #include <asm/paravirt.h>
42952 -+#include <asm/desc.h>
42953 -
42954 - unsigned int __VMALLOC_RESERVE = 128 << 20;
42955 -
42956 -@@ -53,32 +54,6 @@ unsigned long highstart_pfn, highend_pfn
42957 - static int noinline do_test_wp_bit(void);
42958 -
42959 - /*
42960 -- * Creates a middle page table and puts a pointer to it in the
42961 -- * given global directory entry. This only returns the gd entry
42962 -- * in non-PAE compilation mode, since the middle layer is folded.
42963 -- */
42964 --static pmd_t * __init one_md_table_init(pgd_t *pgd)
42965 --{
42966 -- pud_t *pud;
42967 -- pmd_t *pmd_table;
42968 --
42969 --#ifdef CONFIG_X86_PAE
42970 -- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
42971 -- pmd_table = (pmd_t *) alloc_bootmem_low_pages(PAGE_SIZE);
42972 --
42973 -- paravirt_alloc_pd(__pa(pmd_table) >> PAGE_SHIFT);
42974 -- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
42975 -- pud = pud_offset(pgd, 0);
42976 -- if (pmd_table != pmd_offset(pud, 0))
42977 -- BUG();
42978 -- }
42979 --#endif
42980 -- pud = pud_offset(pgd, 0);
42981 -- pmd_table = pmd_offset(pud, 0);
42982 -- return pmd_table;
42983 --}
42984 --
42985 --/*
42986 - * Create a page table and place a pointer to it in a middle page
42987 - * directory entry.
42988 - */
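Review bot: with one_md_table_init() deleted, nothing in this file allocates PAE middle tables any more; page_table_range_init() and kernel_physical_mapping_init() in the later hunks call pud_offset()/pmd_offset() on every pgd slot without a pgd_present() check, and native_pagetable_setup_start() registers a preallocated swapper_pm_dir instead. That dependency on early boot code providing all PTRS_PER_PGD pmd tables is invisible here; add a comment where the tables are consumed, or a `BUG_ON(!pgd_present(*pgd))` in those loops.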
42989 -@@ -88,7 +63,11 @@ static pte_t * __init one_page_table_ini
42990 - pte_t *page_table = (pte_t *) alloc_bootmem_low_pages(PAGE_SIZE);
42991 -
42992 - paravirt_alloc_pt(&init_mm, __pa(page_table) >> PAGE_SHIFT);
42993 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
42994 -+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
42995 -+#else
42996 - set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
42997 -+#endif
42998 - BUG_ON(page_table != pte_offset_kernel(pmd, 0));
42999 - }
43000 -
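Review bot: using _KERNPG_TABLE instead of _PAGE_TABLE drops _PAGE_USER at the PDE level for every table created through one_page_table_init(), which is sensible hardening (user mode cannot reach anything under these tables even if a PTE acquires the user bit), but the reason belongs in a comment next to the `#if`. It also means any user-visible page that lives in the range these tables back (fixmap or vmalloc) becomes unreachable from user mode unless it is mapped elsewhere; please confirm that is the case and say so in the commit message.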
43001 -@@ -109,6 +88,7 @@ static pte_t * __init one_page_table_ini
43002 - static void __init page_table_range_init (unsigned long start, unsigned long end, pgd_t *pgd_base)
43003 - {
43004 - pgd_t *pgd;
43005 -+ pud_t *pud;
43006 - pmd_t *pmd;
43007 - int pgd_idx, pmd_idx;
43008 - unsigned long vaddr;
43009 -@@ -119,8 +99,13 @@ static void __init page_table_range_init
43010 - pgd = pgd_base + pgd_idx;
43011 -
43012 - for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
43013 -- pmd = one_md_table_init(pgd);
43014 -- pmd = pmd + pmd_index(vaddr);
43015 -+ pud = pud_offset(pgd, vaddr);
43016 -+ pmd = pmd_offset(pud, vaddr);
43017 -+
43018 -+#ifdef CONFIG_X86_PAE
43019 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
43020 -+#endif
43021 -+
43022 - for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end); pmd++, pmd_idx++) {
43023 - one_page_table_init(pmd);
43024 -
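Review bot: `paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT)` is issued here for every pgd slot the range touches, again in kernel_physical_mapping_init() for every pgd slot, and once more for every swapper_pm_dir page in native_pagetable_setup_start(), so the same pmd page is registered with the paravirt backend several times; a backend that pins or write-protects tables on that hook may object. Register each pmd page once, presumably in native_pagetable_setup_start() where they are all enumerated. Also, `pmd` here points at an entry, not at the table; the right-shift hides that, but `__pa(pmd) & PAGE_MASK` or a pointer to the table start would be clearer.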
43025 -@@ -130,11 +115,23 @@ static void __init page_table_range_init
43026 - }
43027 - }
43028 -
43029 --static inline int is_kernel_text(unsigned long addr)
43030 -+static inline int is_kernel_text(unsigned long start, unsigned long end)
43031 - {
43032 -- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
43033 -- return 1;
43034 -- return 0;
43035 -+ unsigned long etext;
43036 -+
43037 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43038 -+ etext = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
43039 -+#else
43040 -+ etext = (unsigned long)&_etext;
43041 -+#endif
43042 -+
43043 -+ if ((start > etext + __KERNEL_TEXT_OFFSET ||
43044 -+ end <= (unsigned long)_stext + __KERNEL_TEXT_OFFSET) &&
43045 -+ (start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET ||
43046 -+ end <= (unsigned long)_sinittext + __KERNEL_TEXT_OFFSET) &&
43047 -+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
43048 -+ return 0;
43049 -+ return 1;
43050 - }
43051 -
43052 - /*
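Review bot: is_kernel_text() now takes a half-open [start, end) range, but the disjointness tests use `start > etext + __KERNEL_TEXT_OFFSET` and `start > (unsigned long)_einittext + __KERNEL_TEXT_OFFSET`; for a half-open range the disjoint condition is `start >= ...`, so as written a range beginning exactly at the end of text is still marked executable (the `start > __va(0xfffff)` test is fine because 0xfffff is an inclusive end). The `__va(0xc0000)`..`__va(0xfffff)` exemption (ISA ROM/BIOS area kept executable) and the inverted return logic (all three tests must say "disjoint" to return 0) each deserve a comment.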
43053 -@@ -146,25 +143,29 @@ static void __init kernel_physical_mappi
43054 - {
43055 - unsigned long pfn;
43056 - pgd_t *pgd;
43057 -+ pud_t *pud;
43058 - pmd_t *pmd;
43059 - pte_t *pte;
43060 -- int pgd_idx, pmd_idx, pte_ofs;
43061 -+ unsigned int pgd_idx, pmd_idx, pte_ofs;
43062 -
43063 - pgd_idx = pgd_index(PAGE_OFFSET);
43064 - pgd = pgd_base + pgd_idx;
43065 - pfn = 0;
43066 -
43067 -- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
43068 -- pmd = one_md_table_init(pgd);
43069 -- if (pfn >= max_low_pfn)
43070 -- continue;
43071 -+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
43072 -+ pud = pud_offset(pgd, 0);
43073 -+ pmd = pmd_offset(pud, 0);
43074 -+
43075 -+#ifdef CONFIG_X86_PAE
43076 -+ paravirt_alloc_pd(__pa(pmd) >> PAGE_SHIFT);
43077 -+#endif
43078 -+
43079 - for (pmd_idx = 0; pmd_idx < PTRS_PER_PMD && pfn < max_low_pfn; pmd++, pmd_idx++) {
43080 -- unsigned int address = pfn * PAGE_SIZE + PAGE_OFFSET;
43081 -+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
43082 -
43083 - /* Map with big pages if possible, otherwise create normal page tables. */
43084 -- if (cpu_has_pse) {
43085 -- unsigned int address2 = (pfn + PTRS_PER_PTE - 1) * PAGE_SIZE + PAGE_OFFSET + PAGE_SIZE-1;
43086 -- if (is_kernel_text(address) || is_kernel_text(address2))
43087 -+ if (cpu_has_pse && address >= (unsigned long)__va(0x100000)) {
43088 -+ if (is_kernel_text(address, address + PMD_SIZE))
43089 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE_EXEC));
43090 - else
43091 - set_pmd(pmd, pfn_pmd(pfn, PAGE_KERNEL_LARGE));
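Review bot: `address >= (unsigned long)__va(0x100000)` silently forces the PMD covering the first megabyte, and therefore the whole first large page, onto 4K PTEs even when PSE is available, presumably so the 0xc0000..0xfffff ROM area can get per-page permissions while the rest of low memory stays non-executable; that belongs in the comment above, which still says only "Map with big pages if possible". Replacing the two point checks on `address` and `address2` with `is_kernel_text(address, address + PMD_SIZE)` is a real correctness improvement and worth a line in the commit message.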
43092 -@@ -176,7 +177,7 @@ static void __init kernel_physical_mappi
43093 - for (pte_ofs = 0;
43094 - pte_ofs < PTRS_PER_PTE && pfn < max_low_pfn;
43095 - pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
43096 -- if (is_kernel_text(address))
43097 -+ if (is_kernel_text(address, address + PAGE_SIZE))
43098 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL_EXEC));
43099 - else
43100 - set_pte(pte, pfn_pte(pfn, PAGE_KERNEL));
43101 -@@ -326,9 +327,9 @@ static void __init set_highmem_pages_ini
43102 - #define set_highmem_pages_init(bad_ppro) do { } while (0)
43103 - #endif /* CONFIG_HIGHMEM */
43104 -
43105 --unsigned long long __PAGE_KERNEL = _PAGE_KERNEL;
43106 -+unsigned long long __PAGE_KERNEL __read_only = _PAGE_KERNEL;
43107 - EXPORT_SYMBOL(__PAGE_KERNEL);
43108 --unsigned long long __PAGE_KERNEL_EXEC = _PAGE_KERNEL_EXEC;
43109 -+unsigned long long __PAGE_KERNEL_EXEC __read_only = _PAGE_KERNEL_EXEC;
43110 -
43111 - #ifdef CONFIG_NUMA
43112 - extern void __init remap_numa_kva(void);
43113 -@@ -339,26 +340,10 @@ extern void __init remap_numa_kva(void);
43114 - void __init native_pagetable_setup_start(pgd_t *base)
43115 - {
43116 - #ifdef CONFIG_X86_PAE
43117 -- int i;
43118 -+ unsigned int i;
43119 -
43120 -- /*
43121 -- * Init entries of the first-level page table to the
43122 -- * zero page, if they haven't already been set up.
43123 -- *
43124 -- * In a normal native boot, we'll be running on a
43125 -- * pagetable rooted in swapper_pg_dir, but not in PAE
43126 -- * mode, so this will end up clobbering the mappings
43127 -- * for the lower 24Mbytes of the address space,
43128 -- * without affecting the kernel address space.
43129 -- */
43130 -- for (i = 0; i < USER_PTRS_PER_PGD; i++)
43131 -- set_pgd(&base[i],
43132 -- __pgd(__pa(empty_zero_page) | _PAGE_PRESENT));
43133 --
43134 -- /* Make sure kernel address space is empty so that a pagetable
43135 -- will be allocated for it. */
43136 -- memset(&base[USER_PTRS_PER_PGD], 0,
43137 -- KERNEL_PGD_PTRS * sizeof(pgd_t));
43138 -+ for (i = 0; i < PTRS_PER_PGD; i++)
43139 -+ paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT);
43140 - #else
43141 - paravirt_alloc_pd(__pa(swapper_pg_dir) >> PAGE_SHIFT);
43142 - #endif
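Review bot: `paravirt_alloc_pd(__pa(swapper_pm_dir + i) >> PAGE_SHIFT)` only reaches a different page frame per iteration if swapper_pm_dir is declared as an array of PTRS_PER_PGD page-sized pmd tables (so that `+ i` advances by a page); if it is a flat pmd_t array, every iteration registers the same frame. The declaration is not in this hunk, so reference it in a comment here. Note also that the removed loop's initialisation of the user PGD entries to empty_zero_page has no visible replacement.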
43143 -@@ -366,16 +351,6 @@ void __init native_pagetable_setup_start
43144 -
43145 - void __init native_pagetable_setup_done(pgd_t *base)
43146 - {
43147 --#ifdef CONFIG_X86_PAE
43148 -- /*
43149 -- * Add low memory identity-mappings - SMP needs it when
43150 -- * starting up on an AP from real-mode. In the non-PAE
43151 -- * case we already have these mappings through head.S.
43152 -- * All user-space mappings are explicitly cleared after
43153 -- * SMP startup.
43154 -- */
43155 -- set_pgd(&base[0], base[USER_PTRS_PER_PGD]);
43156 --#endif
43157 - }
43158 -
43159 - /*
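Review bot: the removed block's own comment explains that the low-memory identity mapping it installed under PAE is needed when an application processor starts in real mode during SMP boot; this hunk deletes it with no replacement visible in the patch. If head.S now provides those mappings (and zap_low_mappings() still removes them afterwards), say so in the commit message; otherwise PAE SMP boot regresses.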
43160 -@@ -437,12 +412,12 @@ static void __init pagetable_init (void)
43161 - * Swap suspend & friends need this for resume because things like the intel-agp
43162 - * driver might have split up a kernel 4MB mapping.
43163 - */
43164 --char __nosavedata swsusp_pg_dir[PAGE_SIZE]
43165 -+pgd_t __nosavedata swsusp_pg_dir[PTRS_PER_PGD]
43166 - __attribute__ ((aligned (PAGE_SIZE)));
43167 -
43168 - static inline void save_pg_dir(void)
43169 - {
43170 -- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
43171 -+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
43172 - }
43173 - #else
43174 - static inline void save_pg_dir(void)
43175 -@@ -471,12 +446,11 @@ void zap_low_mappings (void)
43176 - flush_tlb_all();
43177 - }
43178 -
43179 --int nx_enabled = 0;
43180 -+int nx_enabled;
43181 -
43182 - #ifdef CONFIG_X86_PAE
43183 -
43184 --static int disable_nx __initdata = 0;
43185 --u64 __supported_pte_mask __read_mostly = ~_PAGE_NX;
43186 -+u64 __supported_pte_mask __read_only = ~_PAGE_NX;
43187 - EXPORT_SYMBOL_GPL(__supported_pte_mask);
43188 -
43189 - /*
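Review bot: `__supported_pte_mask` becomes `__read_only`, but set_nx() below still writes it (`__supported_pte_mask &= ~_PAGE_NX`). That is only safe because set_nx() is `__init` and runs before free_initmem() makes the read-only section read-only; put that ordering in a comment at the declaration, since a later non-init writer would fault at runtime under KERNEXEC rather than fail to build. Dropping the `= 0` initialisers on `nx_enabled` and `disable_nx` is fine, BSS is zeroed anyway.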
43190 -@@ -487,36 +461,31 @@ EXPORT_SYMBOL_GPL(__supported_pte_mask);
43191 - * on Enable
43192 - * off Disable
43193 - */
43194 -+#if !defined(CONFIG_PAX_PAGEEXEC)
43195 - static int __init noexec_setup(char *str)
43196 - {
43197 - if (!str || !strcmp(str, "on")) {
43198 -- if (cpu_has_nx) {
43199 -- __supported_pte_mask |= _PAGE_NX;
43200 -- disable_nx = 0;
43201 -- }
43202 -+ if (cpu_has_nx)
43203 -+ nx_enabled = 1;
43204 - } else if (!strcmp(str,"off")) {
43205 -- disable_nx = 1;
43206 -- __supported_pte_mask &= ~_PAGE_NX;
43207 -+ nx_enabled = 0;
43208 - } else
43209 - return -EINVAL;
43210 -
43211 - return 0;
43212 - }
43213 - early_param("noexec", noexec_setup);
43214 -+#endif
43215 -
43216 - static void __init set_nx(void)
43217 - {
43218 -- unsigned int v[4], l, h;
43219 -+ if (!nx_enabled && cpu_has_nx) {
43220 -+ unsigned l, h;
43221 -
43222 -- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
43223 -- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
43224 -- if ((v[3] & (1 << 20)) && !disable_nx) {
43225 -- rdmsr(MSR_EFER, l, h);
43226 -- l |= EFER_NX;
43227 -- wrmsr(MSR_EFER, l, h);
43228 -- nx_enabled = 1;
43229 -- __supported_pte_mask |= _PAGE_NX;
43230 -- }
43231 -+ __supported_pte_mask &= ~_PAGE_NX;
43232 -+ rdmsr(MSR_EFER, l, h);
43233 -+ l &= ~EFER_NX;
43234 -+ wrmsr(MSR_EFER, l, h);
43235 - }
43236 - }
43237 -
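Review bot: with `int nx_enabled;` defaulting to zero in this file, the new set_nx() clears EFER.NX and `_PAGE_NX` on every NX-capable CPU unless something outside this hunk sets `nx_enabled = 1` before set_nx() runs (the old code set it right here after enabling NX); name that place in a comment next to the `if (!nx_enabled && cpu_has_nx)` test. Two smaller points: `noexec=` is compiled out under CONFIG_PAX_PAGEEXEC, so the `on Enable / off Disable` comment block above should say the parameter is ignored in that configuration; and the `"off"` branch sets `nx_enabled = 0` even on CPUs without NX, which is harmless only because set_nx() re-checks `cpu_has_nx`.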
43238 -@@ -569,14 +538,6 @@ void __init paging_init(void)
43239 -
43240 - load_cr3(swapper_pg_dir);
43241 -
43242 --#ifdef CONFIG_X86_PAE
43243 -- /*
43244 -- * We will bail out later - printk doesn't work right now so
43245 -- * the user would just see a hanging kernel.
43246 -- */
43247 -- if (cpu_has_pae)
43248 -- set_in_cr4(X86_CR4_PAE);
43249 --#endif
43250 - __flush_tlb_all();
43251 -
43252 - kmap_init();
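Review bot: removing `set_in_cr4(X86_CR4_PAE)` here means CR4.PAE must already be set when `load_cr3(swapper_pg_dir)` runs, i.e. paging was brought up in PAE mode before paging_init(); the removed comment pointed out that printk does not work at this point, so a PAE kernel on a PAE-less CPU now hangs silently. Wherever CR4.PAE is set now is also where the CPU capability check belongs; the mem_init() hunk below removes the late panic that used to catch this.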
43253 -@@ -647,7 +608,7 @@ void __init mem_init(void)
43254 - set_highmem_pages_init(bad_ppro);
43255 -
43256 - codesize = (unsigned long) &_etext - (unsigned long) &_text;
43257 -- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
43258 -+ datasize = (unsigned long) &_edata - (unsigned long) &_data;
43259 - initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
43260 -
43261 - kclist_add(&kcore_mem, __va(0), max_low_pfn << PAGE_SHIFT);
43262 -@@ -692,10 +653,10 @@ void __init mem_init(void)
43263 - (unsigned long)&__init_begin, (unsigned long)&__init_end,
43264 - ((unsigned long)&__init_end - (unsigned long)&__init_begin) >> 10,
43265 -
43266 -- (unsigned long)&_etext, (unsigned long)&_edata,
43267 -- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
43268 -+ (unsigned long)&_data, (unsigned long)&_edata,
43269 -+ ((unsigned long)&_edata - (unsigned long)&_data) >> 10,
43270 -
43271 -- (unsigned long)&_text, (unsigned long)&_etext,
43272 -+ (unsigned long)&_text + __KERNEL_TEXT_OFFSET, (unsigned long)&_etext + __KERNEL_TEXT_OFFSET,
43273 - ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
43274 -
43275 - #ifdef CONFIG_HIGHMEM
43276 -@@ -706,10 +667,6 @@ void __init mem_init(void)
43277 - BUG_ON((unsigned long)high_memory > VMALLOC_START);
43278 - #endif /* double-sanity-check paranoia */
43279 -
43280 --#ifdef CONFIG_X86_PAE
43281 -- if (!cpu_has_pae)
43282 -- panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!");
43283 --#endif
43284 - if (boot_cpu_data.wp_works_ok < 0)
43285 - test_wp_bit();
43286 -
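Review bot: the `panic("cannot execute a PAE-enabled kernel on a PAE-less CPU!")` was the only visible place where a PAE kernel refused to run on hardware without PAE, and the paging_init() hunk above removed the CR4.PAE write as well. If the check moved to early boot (before the page tables are loaded, where it has to be under this design) that is an improvement, but it should be a deliberate early failure with a message rather than a triple fault; please point at it in the commit text or in a comment where this panic used to be.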
43287 -@@ -844,6 +801,38 @@ void free_init_pages(char *what, unsigne
43288 -
43289 - void free_initmem(void)
43290 - {
43291 -+
43292 -+#ifdef CONFIG_PAX_KERNEXEC
43293 -+ /* PaX: limit KERNEL_CS to actual size */
43294 -+ unsigned long addr, limit;
43295 -+ __u32 a, b;
43296 -+ int cpu;
43297 -+ pgd_t *pgd;
43298 -+ pud_t *pud;
43299 -+ pmd_t *pmd;
43300 -+
43301 -+#ifdef CONFIG_MODULES
43302 -+ limit = (unsigned long)&MODULES_END - __KERNEL_TEXT_OFFSET;
43303 -+#else
43304 -+ limit = (unsigned long)&_etext;
43305 -+#endif
43306 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
43307 -+
43308 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
43309 -+ pack_descriptor(&a, &b, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
43310 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, a, b);
43311 -+ }
43312 -+
43313 -+ /* PaX: make KERNEL_CS read-only */
43314 -+ for (addr = __KERNEL_TEXT_OFFSET; addr < (unsigned long)&_data; addr += PMD_SIZE) {
43315 -+ pgd = pgd_offset_k(addr);
43316 -+ pud = pud_offset(pgd, addr);
43317 -+ pmd = pmd_offset(pud, addr);
43318 -+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
43319 -+ }
43320 -+ flush_tlb_all();
43321 -+#endif
43322 -+
43323 - free_init_pages("unused kernel memory",
43324 - (unsigned long)(&__init_begin),
43325 - (unsigned long)(&__init_end));
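Review bot: `for (cpu = 0; cpu < NR_CPUS; cpu++)` rewrites the KERNEL_CS descriptor in the GDT of every configured CPU, not just the possible ones; use `for_each_possible_cpu(cpu)` so only per-cpu areas that exist are touched (the same loop shape appears in bios32_service() in arch/i386/pci/pcbios.c). Two more points on the read-only pass: it clears `_PAGE_RW` from `__KERNEL_TEXT_OFFSET` up to `&_data` in `PMD_SIZE` steps, so `_data` must be PMD-aligned in the linker script or the PMD holding the start of .data is made read-only as well; and `limit` assumes `MODULES_END - __KERNEL_TEXT_OFFSET` lies above `_etext`, which a `BUG_ON()` would document. The new CS limit only reaches each CPU's descriptor cache when CS is reloaded (next interrupt or exception return), which is fine but deserves a comment.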
43326 -diff -Nurp linux-2.6.23.15/arch/i386/mm/mmap.c linux-2.6.23.15-grsec/arch/i386/mm/mmap.c
43327 ---- linux-2.6.23.15/arch/i386/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
43328 -+++ linux-2.6.23.15-grsec/arch/i386/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
43329 -@@ -35,12 +35,18 @@
43330 - * Leave an at least ~128 MB hole.
43331 - */
43332 - #define MIN_GAP (128*1024*1024)
43333 --#define MAX_GAP (TASK_SIZE/6*5)
43334 -+#define MAX_GAP (task_size/6*5)
43335 -
43336 - static inline unsigned long mmap_base(struct mm_struct *mm)
43337 - {
43338 - unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
43339 - unsigned long random_factor = 0;
43340 -+ unsigned long task_size = TASK_SIZE;
43341 -+
43342 -+#ifdef CONFIG_PAX_SEGMEXEC
43343 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
43344 -+ task_size = SEGMEXEC_TASK_SIZE;
43345 -+#endif
43346 -
43347 - if (current->flags & PF_RANDOMIZE)
43348 - random_factor = get_random_int() % (1024*1024);
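Review bot: `#define MAX_GAP (task_size/6*5)` now silently refers to a local variable declared in mmap_base(), so the macro is only usable inside that function and breaks with a confusing error anywhere else in the file. Prefer an explicit parameter, e.g. `#define MAX_GAP(ts) ((ts)/6*5)` used as `gap = MAX_GAP(task_size)`, or compute the bound into a local. The SEGMEXEC part itself, using SEGMEXEC_TASK_SIZE as the upper bound when `MF_PAX_SEGMEXEC` is set, is right.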
43349 -@@ -50,7 +56,7 @@ static inline unsigned long mmap_base(st
43350 - else if (gap > MAX_GAP)
43351 - gap = MAX_GAP;
43352 -
43353 -- return PAGE_ALIGN(TASK_SIZE - gap - random_factor);
43354 -+ return PAGE_ALIGN(task_size - gap - random_factor);
43355 - }
43356 -
43357 - /*
43358 -@@ -66,11 +72,30 @@ void arch_pick_mmap_layout(struct mm_str
43359 - if (sysctl_legacy_va_layout ||
43360 - (current->personality & ADDR_COMPAT_LAYOUT) ||
43361 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
43362 -+
43363 -+#ifdef CONFIG_PAX_SEGMEXEC
43364 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
43365 -+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
43366 -+ else
43367 -+#endif
43368 -+
43369 - mm->mmap_base = TASK_UNMAPPED_BASE;
43370 -+
43371 -+#ifdef CONFIG_PAX_RANDMMAP
43372 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
43373 -+ mm->mmap_base += mm->delta_mmap;
43374 -+#endif
43375 -+
43376 - mm->get_unmapped_area = arch_get_unmapped_area;
43377 - mm->unmap_area = arch_unmap_area;
43378 - } else {
43379 - mm->mmap_base = mmap_base(mm);
43380 -+
43381 -+#ifdef CONFIG_PAX_RANDMMAP
43382 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
43383 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
43384 -+#endif
43385 -+
43386 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
43387 - mm->unmap_area = arch_unmap_area_topdown;
43388 - }
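Review bot: the `if ... else` in the SEGMEXEC block is split across `#ifdef`/`#endif` so that the `else` binds to the unconditional `mm->mmap_base = TASK_UNMAPPED_BASE;` below the `#endif`; it compiles either way, but adding one line in between breaks it silently. Braces around both arms, or a small helper returning the base, would make the intent explicit. Also, the two RANDMMAP adjustments differ in sign and magnitude (`+= mm->delta_mmap` for the legacy layout, `-= mm->delta_mmap + mm->delta_stack` for top-down), presumably because the top-down base must also leave room for the randomised stack gap; a comment saying so, and stating that `delta_mmap`/`delta_stack` are bounded where they are chosen so that the result stays inside `task_size`, would help reviewers.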
43389 -diff -Nurp linux-2.6.23.15/arch/i386/mm/pageattr.c linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c
43390 ---- linux-2.6.23.15/arch/i386/mm/pageattr.c 2007-10-09 21:31:38.000000000 +0100
43391 -+++ linux-2.6.23.15-grsec/arch/i386/mm/pageattr.c 2008-02-11 10:37:44.000000000 +0000
43392 -@@ -13,6 +13,7 @@
43393 - #include <asm/tlbflush.h>
43394 - #include <asm/pgalloc.h>
43395 - #include <asm/sections.h>
43396 -+#include <asm/desc.h>
43397 -
43398 - static DEFINE_SPINLOCK(cpa_lock);
43399 - static struct list_head df_list = LIST_HEAD_INIT(df_list);
43400 -@@ -37,16 +38,16 @@ pte_t *lookup_address(unsigned long addr
43401 - }
43402 -
43403 - static struct page *split_large_page(unsigned long address, pgprot_t prot,
43404 -- pgprot_t ref_prot)
43405 -+ pgprot_t ref_prot, unsigned long flags)
43406 - {
43407 - int i;
43408 - unsigned long addr;
43409 - struct page *base;
43410 - pte_t *pbase;
43411 -
43412 -- spin_unlock_irq(&cpa_lock);
43413 -+ spin_unlock_irqrestore(&cpa_lock, flags);
43414 - base = alloc_pages(GFP_KERNEL, 0);
43415 -- spin_lock_irq(&cpa_lock);
43416 -+ spin_lock_irqsave(&cpa_lock, flags);
43417 - if (!base)
43418 - return NULL;
43419 -
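Review bot: `flags` is passed by value, so the `spin_lock_irqsave(&cpa_lock, flags)` on re-acquire writes the local copy and the caller's `flags` (the one change_page_attr() later restores from) is untouched; that is correct here because the interrupt state before both acquisitions is the same, but a comment saying the local store is intentionally discarded would stop someone "fixing" it into a pointer. Switching from `spin_unlock_irq()`/`spin_lock_irq()` to the irqsave/irqrestore pair is the real fix: the caller takes the lock with `spin_lock_irqsave()`, so the old unconditional `spin_unlock_irq()` enabled interrupts around alloc_pages() even when the caller entered with them disabled.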
43420 -@@ -99,7 +100,18 @@ static void set_pmd_pte(pte_t *kpte, uns
43421 - struct page *page;
43422 - unsigned long flags;
43423 -
43424 -+#ifdef CONFIG_PAX_KERNEXEC
43425 -+ unsigned long cr0;
43426 -+
43427 -+ pax_open_kernel(cr0);
43428 -+#endif
43429 -+
43430 - set_pte_atomic(kpte, pte); /* change init_mm */
43431 -+
43432 -+#ifdef CONFIG_PAX_KERNEXEC
43433 -+ pax_close_kernel(cr0);
43434 -+#endif
43435 -+
43436 - if (SHARED_KERNEL_PMD)
43437 - return;
43438 -
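Review bot: `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` wrap only the `set_pte_atomic(kpte, pte)` on init_mm; the function continues past `if (SHARED_KERNEL_PMD) return;` to update the other page directories (not in this hunk), and those are page-table writes too. Either those pages are not covered by the KERNEXEC write protection, in which case say so in a comment, or they need the same open/close. Keeping the `#ifdef`'d `unsigned long cr0;` before the first statement is fine as written.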
43439 -@@ -126,7 +138,7 @@ static inline void revert_page(struct pa
43440 - pte_t *linear;
43441 -
43442 - ref_prot =
43443 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
43444 -+ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
43445 - ? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
43446 -
43447 - linear = (pte_t *)
43448 -@@ -143,7 +155,7 @@ static inline void save_page(struct page
43449 - }
43450 -
43451 - static int
43452 --__change_page_attr(struct page *page, pgprot_t prot)
43453 -+__change_page_attr(struct page *page, pgprot_t prot, unsigned long flags)
43454 - {
43455 - pte_t *kpte;
43456 - unsigned long address;
43457 -@@ -167,13 +179,20 @@ __change_page_attr(struct page *page, pg
43458 - struct page *split;
43459 -
43460 - ref_prot =
43461 -- ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
43462 -+ ((address & LARGE_PAGE_MASK) < (unsigned long)&_etext + __KERNEL_TEXT_OFFSET)
43463 - ? PAGE_KERNEL_EXEC : PAGE_KERNEL;
43464 -- split = split_large_page(address, prot, ref_prot);
43465 -+ split = split_large_page(address, prot, ref_prot, flags);
43466 - if (!split)
43467 - return -ENOMEM;
43468 -- set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
43469 -- kpte_page = split;
43470 -+ if (pte_huge(*kpte)) {
43471 -+ set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
43472 -+ kpte_page = split;
43473 -+ } else {
43474 -+ __free_pages(split, 0);
43475 -+ kpte = lookup_address(address);
43476 -+ kpte_page = virt_to_page(kpte);
43477 -+ set_pte_atomic(kpte, mk_pte(page, prot));
43478 -+ }
43479 - }
43480 - page_private(kpte_page)++;
43481 - } else if (!pte_huge(*kpte)) {
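Review bot: re-checking `pte_huge(*kpte)` after split_large_page() is the right fix for the window in which the lock was dropped, but the race-lost branch sets `kpte_page = virt_to_page(kpte)` and then falls through to `page_private(kpte_page)++`; make sure that matches the accounting the existing `else if (!pte_huge(*kpte))` path does for a page that is already 4K-mapped, otherwise the page-table page's private count drifts and revert_page()/the deferred free list (`df_list`) get confused. A `goto` into that existing branch would avoid duplicating its logic. Also, the `&_etext + __KERNEL_TEXT_OFFSET` comparison now appears here and in revert_page(); a tiny helper would keep the two in step.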
43482 -@@ -225,7 +244,7 @@ int change_page_attr(struct page *page,
43483 -
43484 - spin_lock_irqsave(&cpa_lock, flags);
43485 - for (i = 0; i < numpages; i++, page++) {
43486 -- err = __change_page_attr(page, prot);
43487 -+ err = __change_page_attr(page, prot, flags);
43488 - if (err)
43489 - break;
43490 - }
43491 -diff -Nurp linux-2.6.23.15/arch/i386/oprofile/backtrace.c linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c
43492 ---- linux-2.6.23.15/arch/i386/oprofile/backtrace.c 2007-10-09 21:31:38.000000000 +0100
43493 -+++ linux-2.6.23.15-grsec/arch/i386/oprofile/backtrace.c 2008-02-11 10:37:44.000000000 +0000
43494 -@@ -22,7 +22,7 @@ struct frame_head {
43495 - static struct frame_head *
43496 - dump_kernel_backtrace(struct frame_head * head)
43497 - {
43498 -- oprofile_add_trace(head->ret);
43499 -+ oprofile_add_trace(head->ret + __KERNEL_TEXT_OFFSET);
43500 -
43501 - /* frame pointers should strictly progress back up the stack
43502 - * (towards higher addresses) */
43503 -@@ -116,7 +116,7 @@ x86_backtrace(struct pt_regs * const reg
43504 - head = (struct frame_head *)regs->ebp;
43505 - #endif
43506 -
43507 -- if (!user_mode_vm(regs)) {
43508 -+ if (!user_mode(regs)) {
43509 - while (depth-- && valid_kernel_stack(head, regs))
43510 - head = dump_kernel_backtrace(head);
43511 - return;
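Review bot: `user_mode_vm()` also treats VM86-mode registers as user mode; `user_mode()` does not, so a sample taken while a task is in vm86 now runs the kernel-stack walker on `regs->ebp`. valid_kernel_stack() bounds the walk so it will not fault, but the trace is wrong. If vm86 is disabled elsewhere in this patch, say so in a comment; otherwise keep `user_mode_vm()`. The `+ __KERNEL_TEXT_OFFSET` on `head->ret` is needed because saved return addresses are CS-relative under KERNEXEC and oprofile wants linear addresses; a comment to that effect would help.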
43512 -diff -Nurp linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c
43513 ---- linux-2.6.23.15/arch/i386/oprofile/op_model_p4.c 2007-10-09 21:31:38.000000000 +0100
43514 -+++ linux-2.6.23.15-grsec/arch/i386/oprofile/op_model_p4.c 2008-02-11 10:37:44.000000000 +0000
43515 -@@ -47,7 +47,7 @@ static inline void setup_num_counters(vo
43516 - #endif
43517 - }
43518 -
43519 --static int inline addr_increment(void)
43520 -+static inline int addr_increment(void)
43521 - {
43522 - #ifdef CONFIG_SMP
43523 - return smp_num_siblings == 2 ? 2 : 1;
43524 -diff -Nurp linux-2.6.23.15/arch/i386/pci/common.c linux-2.6.23.15-grsec/arch/i386/pci/common.c
43525 ---- linux-2.6.23.15/arch/i386/pci/common.c 2007-10-09 21:31:38.000000000 +0100
43526 -+++ linux-2.6.23.15-grsec/arch/i386/pci/common.c 2008-02-11 10:37:44.000000000 +0000
43527 -@@ -287,7 +287,7 @@ static struct dmi_system_id __devinitdat
43528 - DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant BL685c G1"),
43529 - },
43530 - },
43531 -- {}
43532 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
43533 - };
43534 -
43535 - struct pci_bus * __devinit pcibios_scan_root(int busnum)
43536 -diff -Nurp linux-2.6.23.15/arch/i386/pci/early.c linux-2.6.23.15-grsec/arch/i386/pci/early.c
43537 ---- linux-2.6.23.15/arch/i386/pci/early.c 2007-10-09 21:31:38.000000000 +0100
43538 -+++ linux-2.6.23.15-grsec/arch/i386/pci/early.c 2008-02-11 10:37:44.000000000 +0000
43539 -@@ -7,7 +7,7 @@
43540 - /* Direct PCI access. This is used for PCI accesses in early boot before
43541 - the PCI subsystem works. */
43542 -
43543 --#define PDprintk(x...)
43544 -+#define PDprintk(x...) do {} while (0)
43545 -
43546 - u32 read_pci_config(u8 bus, u8 slot, u8 func, u8 offset)
43547 - {
43548 -diff -Nurp linux-2.6.23.15/arch/i386/pci/fixup.c linux-2.6.23.15-grsec/arch/i386/pci/fixup.c
43549 ---- linux-2.6.23.15/arch/i386/pci/fixup.c 2007-10-09 21:31:38.000000000 +0100
43550 -+++ linux-2.6.23.15-grsec/arch/i386/pci/fixup.c 2008-02-11 10:37:44.000000000 +0000
43551 -@@ -386,7 +386,7 @@ static struct dmi_system_id __devinitdat
43552 - DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
43553 - },
43554 - },
43555 -- { }
43556 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
43557 - };
43558 -
43559 - static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
43560 -diff -Nurp linux-2.6.23.15/arch/i386/pci/irq.c linux-2.6.23.15-grsec/arch/i386/pci/irq.c
43561 ---- linux-2.6.23.15/arch/i386/pci/irq.c 2007-10-09 21:31:38.000000000 +0100
43562 -+++ linux-2.6.23.15-grsec/arch/i386/pci/irq.c 2008-02-11 10:37:44.000000000 +0000
43563 -@@ -508,7 +508,7 @@ static __init int intel_router_probe(str
43564 - static struct pci_device_id __initdata pirq_440gx[] = {
43565 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
43566 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
43567 -- { },
43568 -+ { PCI_DEVICE(0, 0) }
43569 - };
43570 -
43571 - /* 440GX has a proprietary PIRQ router -- don't use it */
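Review bot: `{ PCI_DEVICE(0, 0) }` is not a terminator. PCI_DEVICE() sets `.subvendor` and `.subdevice` to PCI_ANY_ID, and both pci_match_id() and pci_find_present() (used by pci_dev_present()) stop on `ids->vendor || ids->subvendor || ids->class_mask` becoming zero, so the walk over `pirq_440gx` continues past the end of the array into whatever follows it in .init.data. Keep `{ }` (or `{ 0, }`) here. The DMI tables' explicit `{ NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }` terminators in the other hunks are fine because dmi_check_system() stops on `ident == NULL`.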
43572 -@@ -1051,7 +1051,7 @@ static struct dmi_system_id __initdata p
43573 - DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
43574 - },
43575 - },
43576 -- { }
43577 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
43578 - };
43579 -
43580 - static int __init pcibios_irq_init(void)
43581 -diff -Nurp linux-2.6.23.15/arch/i386/pci/pcbios.c linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c
43582 ---- linux-2.6.23.15/arch/i386/pci/pcbios.c 2007-10-09 21:31:38.000000000 +0100
43583 -+++ linux-2.6.23.15-grsec/arch/i386/pci/pcbios.c 2008-02-11 10:37:44.000000000 +0000
43584 -@@ -57,50 +57,124 @@ union bios32 {
43585 - static struct {
43586 - unsigned long address;
43587 - unsigned short segment;
43588 --} bios32_indirect = { 0, __KERNEL_CS };
43589 -+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
43590 -
43591 - /*
43592 - * Returns the entry point for the given service, NULL on error
43593 - */
43594 -
43595 --static unsigned long bios32_service(unsigned long service)
43596 -+static unsigned long __devinit bios32_service(unsigned long service)
43597 - {
43598 - unsigned char return_code; /* %al */
43599 - unsigned long address; /* %ebx */
43600 - unsigned long length; /* %ecx */
43601 - unsigned long entry; /* %edx */
43602 - unsigned long flags;
43603 -+ struct desc_struct *gdt;
43604 -+
43605 -+#ifdef CONFIG_PAX_KERNEXEC
43606 -+ unsigned long cr0;
43607 -+#endif
43608 -
43609 - local_irq_save(flags);
43610 -- __asm__("lcall *(%%edi); cld"
43611 -+
43612 -+ gdt = get_cpu_gdt_table(smp_processor_id());
43613 -+
43614 -+#ifdef CONFIG_PAX_KERNEXEC
43615 -+ pax_open_kernel(cr0);
43616 -+#endif
43617 -+
43618 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
43619 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
43620 -+ 0UL, 0xFFFFFUL, 0x9B, 0xC);
43621 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
43622 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
43623 -+ 0UL, 0xFFFFFUL, 0x93, 0xC);
43624 -+
43625 -+#ifdef CONFIG_PAX_KERNEXEC
43626 -+ pax_close_kernel(cr0);
43627 -+#endif
43628 -+
43629 -+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
43630 - : "=a" (return_code),
43631 - "=b" (address),
43632 - "=c" (length),
43633 - "=d" (entry)
43634 - : "0" (service),
43635 - "1" (0),
43636 -- "D" (&bios32_indirect));
43637 -+ "D" (&bios32_indirect),
43638 -+ "r"(__PCIBIOS_DS)
43639 -+ : "memory");
43640 -+
43641 -+#ifdef CONFIG_PAX_KERNEXEC
43642 -+ pax_open_kernel(cr0);
43643 -+#endif
43644 -+
43645 -+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
43646 -+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
43647 -+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
43648 -+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
43649 -+
43650 -+#ifdef CONFIG_PAX_KERNEXEC
43651 -+ pax_close_kernel(cr0);
43652 -+#endif
43653 -+
43654 - local_irq_restore(flags);
43655 -
43656 - switch (return_code) {
43657 -- case 0:
43658 -- return address + entry;
43659 -- case 0x80: /* Not present */
43660 -- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
43661 -- return 0;
43662 -- default: /* Shouldn't happen */
43663 -- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
43664 -- service, return_code);
43665 -+ case 0: {
43666 -+ int cpu;
43667 -+ unsigned char flags;
43668 -+
43669 -+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
43670 -+ if (address >= 0xFFFF0 || length >= 0xFFFF0 - address || length <= entry) {
43671 -+ printk(KERN_WARNING "bios32_service: not valid\n");
43672 - return 0;
43673 -+ }
43674 -+ address = address + PAGE_OFFSET;
43675 -+ length += 16UL; /* some BIOSs underreport this... */
43676 -+ flags = 4;
43677 -+ if (length >= 64*1024*1024) {
43678 -+ length >>= PAGE_SHIFT;
43679 -+ flags |= 8;
43680 -+ }
43681 -+
43682 -+#ifdef CONFIG_PAX_KERNEXEC
43683 -+ pax_open_kernel(cr0);
43684 -+#endif
43685 -+
43686 -+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
43687 -+ gdt = get_cpu_gdt_table(cpu);
43688 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].a,
43689 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_CS].b,
43690 -+ address, length, 0x9b, flags);
43691 -+ pack_descriptor((__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].a,
43692 -+ (__u32 *)&gdt[GDT_ENTRY_PCIBIOS_DS].b,
43693 -+ address, length, 0x93, flags);
43694 -+ }
43695 -+
43696 -+#ifdef CONFIG_PAX_KERNEXEC
43697 -+ pax_close_kernel(cr0);
43698 -+#endif
43699 -+
43700 -+ return entry;
43701 -+ }
43702 -+ case 0x80: /* Not present */
43703 -+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
43704 -+ return 0;
43705 -+ default: /* Shouldn't happen */
43706 -+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
43707 -+ service, return_code);
43708 -+ return 0;
43709 - }
43710 - }
43711 -
43712 - static struct {
43713 - unsigned long address;
43714 - unsigned short segment;
43715 --} pci_indirect = { 0, __KERNEL_CS };
43716 -+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
43717 -
43718 --static int pci_bios_present;
43719 -+static int pci_bios_present __read_only;
43720 -
43721 - static int __devinit check_pcibios(void)
43722 - {
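Review bot: three things in bios32_service(). First, the `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop writes the PCIBIOS descriptors into every configured CPU's GDT; use `for_each_possible_cpu()` (same remark as free_initmem() in arch/i386/mm/init.c). Second, the `if (length >= 64*1024*1024)` page-granularity branch is unreachable: the check `address >= 0xFFFF0 || length >= 0xFFFF0 - address` just above keeps `length` below 1MB and `length += 16UL` does not change that, so either drop the branch or drop the check. Third, the first `lcall *(%%edi)` runs after `movw %w7, %%ds` with `(%edi)` resolved through the new DS; it works only because the temporary PCIBIOS_DS built just before is flat (base 0, limit 0xFFFFF with the G bit set), whereas every later call site uses `lcall *%%ss:(%%edi)`. Use the `%%ss:` override here too so the code does not depend on that descriptor being flat, and add a comment on why the flat descriptors are needed for the directory call only.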
43723 -@@ -109,11 +183,13 @@ static int __devinit check_pcibios(void)
43724 - unsigned long flags, pcibios_entry;
43725 -
43726 - if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
43727 -- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
43728 -+ pci_indirect.address = pcibios_entry;
43729 -
43730 - local_irq_save(flags);
43731 -- __asm__(
43732 -- "lcall *(%%edi); cld\n\t"
43733 -+ __asm__("movw %w6, %%ds\n\t"
43734 -+ "lcall *%%ss:(%%edi); cld\n\t"
43735 -+ "push %%ss\n\t"
43736 -+ "pop %%ds\n\t"
43737 - "jc 1f\n\t"
43738 - "xor %%ah, %%ah\n"
43739 - "1:"
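Review bot: `pci_indirect` is now `__read_only`, yet `pci_indirect.address = pcibios_entry;` still writes it here. check_pcibios() is `__devinit`, so today the store lands before free_initmem() locks the section down, but `__devinit` code is retained with CONFIG_HOTPLUG and nothing prevents a later call; under KERNEXEC that store then faults at runtime instead of failing to build. Either wrap it in pax_open_kernel()/pax_close_kernel() as bios32_service() does for its GDT writes, or document the init-time-only requirement at the declaration. The same applies to `pci_bios_present __read_only` if it is assigned in this function (not visible in the hunk). Dropping the `+ PAGE_OFFSET` is correct now that bios32_service() returns the segment-relative `entry` and the base lives in the PCIBIOS_CS/DS descriptors.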
43740 -@@ -122,7 +198,8 @@ static int __devinit check_pcibios(void)
43741 - "=b" (ebx),
43742 - "=c" (ecx)
43743 - : "1" (PCIBIOS_PCI_BIOS_PRESENT),
43744 -- "D" (&pci_indirect)
43745 -+ "D" (&pci_indirect),
43746 -+ "r" (__PCIBIOS_DS)
43747 - : "memory");
43748 - local_irq_restore(flags);
43749 -
43750 -@@ -158,7 +235,10 @@ static int __devinit pci_bios_find_devic
43751 - unsigned short bx;
43752 - unsigned short ret;
43753 -
43754 -- __asm__("lcall *(%%edi); cld\n\t"
43755 -+ __asm__("movw %w7, %%ds\n\t"
43756 -+ "lcall *%%ss:(%%edi); cld\n\t"
43757 -+ "push %%ss\n\t"
43758 -+ "pop %%ds\n\t"
43759 - "jc 1f\n\t"
43760 - "xor %%ah, %%ah\n"
43761 - "1:"
43762 -@@ -168,7 +248,8 @@ static int __devinit pci_bios_find_devic
43763 - "c" (device_id),
43764 - "d" (vendor),
43765 - "S" ((int) index),
43766 -- "D" (&pci_indirect));
43767 -+ "D" (&pci_indirect),
43768 -+ "r" (__PCIBIOS_DS));
43769 - *bus = (bx >> 8) & 0xff;
43770 - *device_fn = bx & 0xff;
43771 - return (int) (ret & 0xff00) >> 8;
43772 -@@ -188,7 +269,10 @@ static int pci_bios_read(unsigned int se
43773 -
43774 - switch (len) {
43775 - case 1:
43776 -- __asm__("lcall *(%%esi); cld\n\t"
43777 -+ __asm__("movw %w6, %%ds\n\t"
43778 -+ "lcall *%%ss:(%%esi); cld\n\t"
43779 -+ "push %%ss\n\t"
43780 -+ "pop %%ds\n\t"
43781 - "jc 1f\n\t"
43782 - "xor %%ah, %%ah\n"
43783 - "1:"
43784 -@@ -197,10 +281,14 @@ static int pci_bios_read(unsigned int se
43785 - : "1" (PCIBIOS_READ_CONFIG_BYTE),
43786 - "b" (bx),
43787 - "D" ((long)reg),
43788 -- "S" (&pci_indirect));
43789 -+ "S" (&pci_indirect),
43790 -+ "r" (__PCIBIOS_DS));
43791 - break;
43792 - case 2:
43793 -- __asm__("lcall *(%%esi); cld\n\t"
43794 -+ __asm__("movw %w6, %%ds\n\t"
43795 -+ "lcall *%%ss:(%%esi); cld\n\t"
43796 -+ "push %%ss\n\t"
43797 -+ "pop %%ds\n\t"
43798 - "jc 1f\n\t"
43799 - "xor %%ah, %%ah\n"
43800 - "1:"
43801 -@@ -209,10 +297,14 @@ static int pci_bios_read(unsigned int se
43802 - : "1" (PCIBIOS_READ_CONFIG_WORD),
43803 - "b" (bx),
43804 - "D" ((long)reg),
43805 -- "S" (&pci_indirect));
43806 -+ "S" (&pci_indirect),
43807 -+ "r" (__PCIBIOS_DS));
43808 - break;
43809 - case 4:
43810 -- __asm__("lcall *(%%esi); cld\n\t"
43811 -+ __asm__("movw %w6, %%ds\n\t"
43812 -+ "lcall *%%ss:(%%esi); cld\n\t"
43813 -+ "push %%ss\n\t"
43814 -+ "pop %%ds\n\t"
43815 - "jc 1f\n\t"
43816 - "xor %%ah, %%ah\n"
43817 - "1:"
43818 -@@ -221,7 +313,8 @@ static int pci_bios_read(unsigned int se
43819 - : "1" (PCIBIOS_READ_CONFIG_DWORD),
43820 - "b" (bx),
43821 - "D" ((long)reg),
43822 -- "S" (&pci_indirect));
43823 -+ "S" (&pci_indirect),
43824 -+ "r" (__PCIBIOS_DS));
43825 - break;
43826 - }
43827 -
43828 -@@ -244,7 +337,10 @@ static int pci_bios_write(unsigned int s
43829 -
43830 - switch (len) {
43831 - case 1:
43832 -- __asm__("lcall *(%%esi); cld\n\t"
43833 -+ __asm__("movw %w6, %%ds\n\t"
43834 -+ "lcall *%%ss:(%%esi); cld\n\t"
43835 -+ "push %%ss\n\t"
43836 -+ "pop %%ds\n\t"
43837 - "jc 1f\n\t"
43838 - "xor %%ah, %%ah\n"
43839 - "1:"
43840 -@@ -253,10 +349,14 @@ static int pci_bios_write(unsigned int s
43841 - "c" (value),
43842 - "b" (bx),
43843 - "D" ((long)reg),
43844 -- "S" (&pci_indirect));
43845 -+ "S" (&pci_indirect),
43846 -+ "r" (__PCIBIOS_DS));
43847 - break;
43848 - case 2:
43849 -- __asm__("lcall *(%%esi); cld\n\t"
43850 -+ __asm__("movw %w6, %%ds\n\t"
43851 -+ "lcall *%%ss:(%%esi); cld\n\t"
43852 -+ "push %%ss\n\t"
43853 -+ "pop %%ds\n\t"
43854 - "jc 1f\n\t"
43855 - "xor %%ah, %%ah\n"
43856 - "1:"
43857 -@@ -265,10 +365,14 @@ static int pci_bios_write(unsigned int s
43858 - "c" (value),
43859 - "b" (bx),
43860 - "D" ((long)reg),
43861 -- "S" (&pci_indirect));
43862 -+ "S" (&pci_indirect),
43863 -+ "r" (__PCIBIOS_DS));
43864 - break;
43865 - case 4:
43866 -- __asm__("lcall *(%%esi); cld\n\t"
43867 -+ __asm__("movw %w6, %%ds\n\t"
43868 -+ "lcall *%%ss:(%%esi); cld\n\t"
43869 -+ "push %%ss\n\t"
43870 -+ "pop %%ds\n\t"
43871 - "jc 1f\n\t"
43872 - "xor %%ah, %%ah\n"
43873 - "1:"
43874 -@@ -277,7 +381,8 @@ static int pci_bios_write(unsigned int s
43875 - "c" (value),
43876 - "b" (bx),
43877 - "D" ((long)reg),
43878 -- "S" (&pci_indirect));
43879 -+ "S" (&pci_indirect),
43880 -+ "r" (__PCIBIOS_DS));
43881 - break;
43882 - }
43883 -
43884 -@@ -430,10 +535,13 @@ struct irq_routing_table * pcibios_get_i
43885 -
43886 - DBG("PCI: Fetching IRQ routing table... ");
43887 - __asm__("push %%es\n\t"
43888 -+ "movw %w8, %%ds\n\t"
43889 - "push %%ds\n\t"
43890 - "pop %%es\n\t"
43891 -- "lcall *(%%esi); cld\n\t"
43892 -+ "lcall *%%ss:(%%esi); cld\n\t"
43893 - "pop %%es\n\t"
43894 -+ "push %%ss\n\t"
43895 -+ "pop %%ds\n"
43896 - "jc 1f\n\t"
43897 - "xor %%ah, %%ah\n"
43898 - "1:"
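Review bot: after `movw %w8, %%ds; push %%ds; pop %%es`, ES is __PCIBIOS_DS, whose descriptor (built in bios32_service()) has base `address + PAGE_OFFSET` and limit `length`, i.e. the BIOS image only; but `%edi` still carries `(long) &opt`, a flat kernel stack address, and the BIOS reads the options block through ES:EDI. Unless the BIOS is expected to address `opt` relative to its own base, that offset lies outside the segment limit and the call will #GP or read the wrong memory. Either `opt` (and the buffer it points at) must be placed in, and addressed relative to, the PCIBIOS_DS segment, or ES needs a flat data selector for this one call. Please confirm this path was exercised on a machine that actually uses the BIOS routing table; the other BIOS calls only pass register values, so they are unaffected.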
43899 -@@ -444,7 +552,8 @@ struct irq_routing_table * pcibios_get_i
43900 - "1" (0),
43901 - "D" ((long) &opt),
43902 - "S" (&pci_indirect),
43903 -- "m" (opt)
43904 -+ "m" (opt),
43905 -+ "r" (__PCIBIOS_DS)
43906 - : "memory");
43907 - DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
43908 - if (ret & 0xff00)
43909 -@@ -468,7 +577,10 @@ int pcibios_set_irq_routing(struct pci_d
43910 - {
43911 - int ret;
43912 -
43913 -- __asm__("lcall *(%%esi); cld\n\t"
43914 -+ __asm__("movw %w5, %%ds\n\t"
43915 -+ "lcall *%%ss:(%%esi); cld\n\t"
43916 -+ "push %%ss\n\t"
43917 -+ "pop %%ds\n"
43918 - "jc 1f\n\t"
43919 - "xor %%ah, %%ah\n"
43920 - "1:"
43921 -@@ -476,7 +588,8 @@ int pcibios_set_irq_routing(struct pci_d
43922 - : "0" (PCIBIOS_SET_PCI_HW_INT),
43923 - "b" ((dev->bus->number << 8) | dev->devfn),
43924 - "c" ((irq << 8) | (pin + 10)),
43925 -- "S" (&pci_indirect));
43926 -+ "S" (&pci_indirect),
43927 -+ "r" (__PCIBIOS_DS));
43928 - return !(ret & 0xff00);
43929 - }
43930 - EXPORT_SYMBOL(pcibios_set_irq_routing);
43931 -diff -Nurp linux-2.6.23.15/arch/i386/power/cpu.c linux-2.6.23.15-grsec/arch/i386/power/cpu.c
43932 ---- linux-2.6.23.15/arch/i386/power/cpu.c 2007-10-09 21:31:38.000000000 +0100
43933 -+++ linux-2.6.23.15-grsec/arch/i386/power/cpu.c 2008-02-11 10:37:44.000000000 +0000
43934 -@@ -64,7 +64,7 @@ static void do_fpu_end(void)
43935 - static void fix_processor_context(void)
43936 - {
43937 - int cpu = smp_processor_id();
43938 -- struct tss_struct * t = &per_cpu(init_tss, cpu);
43939 -+ struct tss_struct *t = init_tss + cpu;
43940 -
43941 - set_tss_desc(cpu,t); /* This just modifies memory; should not be necessary. But... This is necessary, because 386 hardware has concept of busy TSS or some similar stupidity. */
43942 -
43943 -diff -Nurp linux-2.6.23.15/arch/i386/xen/enlighten.c linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c
43944 ---- linux-2.6.23.15/arch/i386/xen/enlighten.c 2008-02-11 10:36:03.000000000 +0000
43945 -+++ linux-2.6.23.15-grsec/arch/i386/xen/enlighten.c 2008-02-11 10:37:44.000000000 +0000
43946 -@@ -320,7 +320,7 @@ static void xen_set_ldt(const void *addr
43947 - static void xen_load_gdt(const struct Xgt_desc_struct *dtr)
43948 - {
43949 - unsigned long *frames;
43950 -- unsigned long va = dtr->address;
43951 -+ unsigned long va = (unsigned long)dtr->address;
43952 - unsigned int size = dtr->size + 1;
43953 - unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
43954 - int f;
43955 -@@ -335,7 +335,7 @@ static void xen_load_gdt(const struct Xg
43956 - mcs = xen_mc_entry(sizeof(*frames) * pages);
43957 - frames = mcs.args;
43958 -
43959 -- for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
43960 -+ for (f = 0; va < (unsigned long)dtr->address + size; va += PAGE_SIZE, f++) {
43961 - frames[f] = virt_to_mfn(va);
43962 - make_lowmem_page_readonly((void *)va);
43963 - }
43964 -@@ -429,7 +429,7 @@ static void xen_write_idt_entry(struct d
43965 -
43966 - preempt_disable();
43967 -
43968 -- start = __get_cpu_var(idt_desc).address;
43969 -+ start = (unsigned long)__get_cpu_var(idt_desc).address;
43970 - end = start + __get_cpu_var(idt_desc).size + 1;
43971 -
43972 - xen_mc_flush();
43973 -diff -Nurp linux-2.6.23.15/arch/i386/xen/smp.c linux-2.6.23.15-grsec/arch/i386/xen/smp.c
43974 ---- linux-2.6.23.15/arch/i386/xen/smp.c 2007-10-09 21:31:38.000000000 +0100
43975 -+++ linux-2.6.23.15-grsec/arch/i386/xen/smp.c 2008-02-11 10:37:44.000000000 +0000
43976 -@@ -144,7 +144,7 @@ void __init xen_smp_prepare_boot_cpu(voi
43977 -
43978 - /* We've switched to the "real" per-cpu gdt, so make sure the
43979 - old memory can be recycled */
43980 -- make_lowmem_page_readwrite(&per_cpu__gdt_page);
43981 -+ make_lowmem_page_readwrite(get_cpu_gdt_table(smp_processor_id()));
43982 -
43983 - for (cpu = 0; cpu < NR_CPUS; cpu++) {
43984 - cpus_clear(cpu_sibling_map[cpu]);
43985 -@@ -198,7 +198,7 @@ static __cpuinit int
43986 - cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
43987 - {
43988 - struct vcpu_guest_context *ctxt;
43989 -- struct gdt_page *gdt = &per_cpu(gdt_page, cpu);
43990 -+ struct desc_struct *gdt = get_cpu_gdt_table(cpu);
43991 -
43992 - if (cpu_test_and_set(cpu, cpu_initialized_map))
43993 - return 0;
43994 -@@ -222,11 +222,11 @@ cpu_initialize_context(unsigned int cpu,
43995 -
43996 - ctxt->ldt_ents = 0;
43997 -
43998 -- BUG_ON((unsigned long)gdt->gdt & ~PAGE_MASK);
43999 -- make_lowmem_page_readonly(gdt->gdt);
44000 -+ BUG_ON((unsigned long)gdt & ~PAGE_MASK);
44001 -+ make_lowmem_page_readonly(gdt);
44002 -
44003 -- ctxt->gdt_frames[0] = virt_to_mfn(gdt->gdt);
44004 -- ctxt->gdt_ents = ARRAY_SIZE(gdt->gdt);
44005 -+ ctxt->gdt_frames[0] = virt_to_mfn(gdt);
44006 -+ ctxt->gdt_ents = GDT_ENTRIES;
44007 -
44008 - ctxt->user_regs.cs = __KERNEL_CS;
44009 - ctxt->user_regs.esp = idle->thread.esp0 - sizeof(struct pt_regs);
44010 -diff -Nurp linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c
44011 ---- linux-2.6.23.15/arch/ia64/ia32/binfmt_elf32.c 2007-10-09 21:31:38.000000000 +0100
44012 -+++ linux-2.6.23.15-grsec/arch/ia64/ia32/binfmt_elf32.c 2008-02-11 10:37:44.000000000 +0000
44013 -@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
44014 -
44015 - #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
44016 -
44017 -+#ifdef CONFIG_PAX_ASLR
44018 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
44019 -+
44020 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
44021 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
44022 -+#endif
44023 -+
44024 - /* Ugly but avoids duplication */
44025 - #include "../../../fs/binfmt_elf.c"
44026 -
44027 -diff -Nurp linux-2.6.23.15/arch/ia64/ia32/ia32priv.h linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h
44028 ---- linux-2.6.23.15/arch/ia64/ia32/ia32priv.h 2007-10-09 21:31:38.000000000 +0100
44029 -+++ linux-2.6.23.15-grsec/arch/ia64/ia32/ia32priv.h 2008-02-11 10:37:44.000000000 +0000
44030 -@@ -304,7 +304,14 @@ struct old_linux32_dirent {
44031 - #define ELF_DATA ELFDATA2LSB
44032 - #define ELF_ARCH EM_386
44033 -
44034 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
44035 -+#ifdef CONFIG_PAX_RANDUSTACK
44036 -+#define __IA32_DELTA_STACK (current->mm->delta_stack)
44037 -+#else
44038 -+#define __IA32_DELTA_STACK 0UL
44039 -+#endif
44040 -+
44041 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
44042 -+
44043 - #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
44044 - #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
44045 -
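Review bot: `IA32_STACK_TOP` now dereferences `current->mm->delta_stack` from a macro, so any use where `current->mm` can be NULL (kernel-thread context, or during exec before the new mm is installed) oopses, and the dependency is invisible at the use sites. A static inline taking the `mm_struct` explicitly, or a comment listing the callers and why `current->mm` is valid there, would be safer. `IA32_GATE_OFFSET` and `IA32_GATE_END` stay at `IA32_PAGE_OFFSET`, so the gate page is not moved with the stack; say whether that is intended.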
44046 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/module.c linux-2.6.23.15-grsec/arch/ia64/kernel/module.c
44047 ---- linux-2.6.23.15/arch/ia64/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
44048 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
44049 -@@ -321,7 +321,7 @@ module_alloc (unsigned long size)
44050 - void
44051 - module_free (struct module *mod, void *module_region)
44052 - {
44053 -- if (mod->arch.init_unw_table && module_region == mod->module_init) {
44054 -+ if (mod->arch.init_unw_table && module_region == mod->module_init_rx) {
44055 - unw_remove_unwind_table(mod->arch.init_unw_table);
44056 - mod->arch.init_unw_table = NULL;
44057 - }
44058 -@@ -499,15 +499,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
44059 - }
44060 -
44061 - static inline int
44062 -+in_init_rx (const struct module *mod, uint64_t addr)
44063 -+{
44064 -+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
44065 -+}
44066 -+
44067 -+static inline int
44068 -+in_init_rw (const struct module *mod, uint64_t addr)
44069 -+{
44070 -+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
44071 -+}
44072 -+
44073 -+static inline int
44074 - in_init (const struct module *mod, uint64_t addr)
44075 - {
44076 -- return addr - (uint64_t) mod->module_init < mod->init_size;
44077 -+ return in_init_rx(mod, value) || in_init_rw(mod, value);
44078 -+}
44079 -+
44080 -+static inline int
44081 -+in_core_rx (const struct module *mod, uint64_t addr)
44082 -+{
44083 -+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
44084 -+}
44085 -+
44086 -+static inline int
44087 -+in_core_rw (const struct module *mod, uint64_t addr)
44088 -+{
44089 -+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
44090 - }
44091 -
44092 - static inline int
44093 - in_core (const struct module *mod, uint64_t addr)
44094 - {
44095 -- return addr - (uint64_t) mod->module_core < mod->core_size;
44096 -+ return in_core_rx(mod, value) || in_core_rw(mod, value);
44097 - }
44098 -
44099 - static inline int
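Review bot: in_init() and in_core() reference `value` (the lines `return in_init_rx(mod, value) || in_init_rw(mod, value);` and `return in_core_rx(mod, value) || in_core_rw(mod, value);`), but the parameter of both functions is `addr`; `value` is undeclared there, so this hunk does not compile on ia64. Change both to use `addr`, e.g. `return in_init_rx(mod, addr) || in_init_rw(mod, addr);`.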
44100 -@@ -691,7 +715,14 @@ do_reloc (struct module *mod, uint8_t r_
44101 - break;
44102 -
44103 - case RV_BDREL:
44104 -- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
44105 -+ if (in_init_rx(mod, val))
44106 -+ val -= (uint64_t) mod->module_init_rx;
44107 -+ else if (in_init_rw(mod, val))
44108 -+ val -= (uint64_t) mod->module_init_rw;
44109 -+ else if (in_core_rx(mod, val))
44110 -+ val -= (uint64_t) mod->module_core_rx;
44111 -+ else if (in_core_rw(mod, val))
44112 -+ val -= (uint64_t) mod->module_core_rw;
44113 - break;
44114 -
44115 - case RV_LTV:
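Review bot: the RV_BDREL if/else-if chain has no final else, so an address that falls in none of the four regions now leaves `val` unadjusted and the relocation proceeds silently; the replaced line always subtracted module_core. Add a terminating `else` that logs the bad value (with mod->name) and fails the relocation so a stray address is caught at load time instead of producing a wrong base-relative offset.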
44116 -@@ -825,15 +856,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
44117 - * addresses have been selected...
44118 - */
44119 - uint64_t gp;
44120 -- if (mod->core_size > MAX_LTOFF)
44121 -+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
44122 - /*
44123 - * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
44124 - * at the end of the module.
44125 - */
44126 -- gp = mod->core_size - MAX_LTOFF / 2;
44127 -+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
44128 - else
44129 -- gp = mod->core_size / 2;
44130 -- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
44131 -+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
44132 -+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
44133 - mod->arch.gp = gp;
44134 - DEBUGP("%s: placing gp at 0x%lx\n", __FUNCTION__, gp);
44135 - }
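Review bot: the gp computation mixes the two regions: `gp` is derived from `core_size_rx + core_size_rw` but then added to `module_core_rx`. That only lands inside the module if the rw region immediately follows the rx region, which the lines shown do not establish; the comment above this code also says SHF_ARCH_SMALL is placed at the end of the module, which after the split is the rw region. Either base the calculation on `module_core_rw` with an rw-only size, or document the contiguity assumption next to the code.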
44136 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c
44137 ---- linux-2.6.23.15/arch/ia64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
44138 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
44139 -@@ -17,6 +17,7 @@
44140 - #include <linux/security.h>
44141 - #include <linux/audit.h>
44142 - #include <linux/signal.h>
44143 -+#include <linux/grsecurity.h>
44144 -
44145 - #include <asm/pgtable.h>
44146 - #include <asm/processor.h>
44147 -@@ -1451,6 +1452,9 @@ sys_ptrace (long request, pid_t pid, uns
44148 - if (pid == 1) /* no messing around with init! */
44149 - goto out_tsk;
44150 -
44151 -+ if (gr_handle_ptrace(child, request))
44152 -+ goto out_tsk;
44153 -+
44154 - if (request == PTRACE_ATTACH) {
44155 - ret = ptrace_attach(child);
44156 - goto out_tsk;
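Review bot: the new `if (gr_handle_ptrace(child, request)) goto out_tsk;` returns whatever `ret` holds at that point, and the lines shown do not set it. Confirm that `ret` already carries a failure code here (the `pid == 1` early-out above relies on the same thing); otherwise a denied request would return success to the tracer. Setting `ret = -EPERM;` explicitly before the goto would make the intent self-evident.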
44157 -diff -Nurp linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c
44158 ---- linux-2.6.23.15/arch/ia64/kernel/sys_ia64.c 2007-10-09 21:31:38.000000000 +0100
44159 -+++ linux-2.6.23.15-grsec/arch/ia64/kernel/sys_ia64.c 2008-02-11 10:37:44.000000000 +0000
44160 -@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
44161 - if (REGION_NUMBER(addr) == RGN_HPAGE)
44162 - addr = 0;
44163 - #endif
44164 -+
44165 -+#ifdef CONFIG_PAX_RANDMMAP
44166 -+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && addr && filp)
44167 -+ addr = mm->free_area_cache;
44168 -+ else
44169 -+#endif
44170 -+
44171 - if (!addr)
44172 - addr = mm->free_area_cache;
44173 -
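Review bot: the `else` that precedes `#endif` is completed by the `if (!addr)` outside the ifdef block, so the control flow changes shape depending on whether CONFIG_PAX_RANDMMAP is compiled in (standalone `if` versus `else if`). That is easy to break on the next edit. Prefer a local flag set under the ifdef and a single condition, e.g. `if (!addr || (randmmap && filp)) addr = mm->free_area_cache;` (constructed name), or at least braces around the dangling else.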
44174 -@@ -61,9 +68,9 @@ arch_get_unmapped_area (struct file *fil
44175 - for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
44176 - /* At this point: (!vma || addr < vma->vm_end). */
44177 - if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
44178 -- if (start_addr != TASK_UNMAPPED_BASE) {
44179 -+ if (start_addr != mm->mmap_base) {
44180 - /* Start a new search --- just in case we missed some holes. */
44181 -- addr = TASK_UNMAPPED_BASE;
44182 -+ addr = mm->mmap_base;
44183 - goto full_search;
44184 - }
44185 - return -ENOMEM;
44186 -diff -Nurp linux-2.6.23.15/arch/ia64/mm/fault.c linux-2.6.23.15-grsec/arch/ia64/mm/fault.c
44187 ---- linux-2.6.23.15/arch/ia64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44188 -+++ linux-2.6.23.15-grsec/arch/ia64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44189 -@@ -10,6 +10,7 @@
44190 - #include <linux/interrupt.h>
44191 - #include <linux/kprobes.h>
44192 - #include <linux/kdebug.h>
44193 -+#include <linux/binfmts.h>
44194 -
44195 - #include <asm/pgtable.h>
44196 - #include <asm/processor.h>
44197 -@@ -72,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
44198 - return pte_present(pte);
44199 - }
44200 -
44201 -+#ifdef CONFIG_PAX_PAGEEXEC
44202 -+void pax_report_insns(void *pc, void *sp)
44203 -+{
44204 -+ unsigned long i;
44205 -+
44206 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44207 -+ for (i = 0; i < 8; i++) {
44208 -+ unsigned int c;
44209 -+ if (get_user(c, (unsigned int *)pc+i))
44210 -+ printk("???????? ");
44211 -+ else
44212 -+ printk("%08x ", c);
44213 -+ }
44214 -+ printk("\n");
44215 -+}
44216 -+#endif
44217 -+
44218 - void __kprobes
44219 - ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
44220 - {
44221 -@@ -145,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
44222 - mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
44223 - | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
44224 -
44225 -- if ((vma->vm_flags & mask) != mask)
44226 -+ if ((vma->vm_flags & mask) != mask) {
44227 -+
44228 -+#ifdef CONFIG_PAX_PAGEEXEC
44229 -+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
44230 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
44231 -+ goto bad_area;
44232 -+
44233 -+ up_read(&mm->mmap_sem);
44234 -+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
44235 -+ do_exit(SIGKILL);
44236 -+ }
44237 -+#endif
44238 -+
44239 - goto bad_area;
44240 -
44241 -+ }
44242 -+
44243 - survive:
44244 - /*
44245 - * If for any reason at all we couldn't handle the fault, make
44246 -diff -Nurp linux-2.6.23.15/arch/ia64/mm/init.c linux-2.6.23.15-grsec/arch/ia64/mm/init.c
44247 ---- linux-2.6.23.15/arch/ia64/mm/init.c 2007-10-09 21:31:38.000000000 +0100
44248 -+++ linux-2.6.23.15-grsec/arch/ia64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
44249 -@@ -20,8 +20,8 @@
44250 - #include <linux/proc_fs.h>
44251 - #include <linux/bitops.h>
44252 - #include <linux/kexec.h>
44253 -+#include <linux/a.out.h>
44254 -
44255 --#include <asm/a.out.h>
44256 - #include <asm/dma.h>
44257 - #include <asm/ia32.h>
44258 - #include <asm/io.h>
44259 -@@ -130,8 +130,21 @@ ia64_init_addr_space (void)
44260 - vma->vm_mm = current->mm;
44261 - vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
44262 - vma->vm_end = vma->vm_start + PAGE_SIZE;
44263 -- vma->vm_page_prot = protection_map[VM_DATA_DEFAULT_FLAGS & 0x7];
44264 - vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
44265 -+
44266 -+#ifdef CONFIG_PAX_PAGEEXEC
44267 -+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
44268 -+ vm->vm_flags &= ~VM_EXEC;
44269 -+
44270 -+#ifdef CONFIG_PAX_MPROTECT
44271 -+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
44272 -+ vma->vm_flags &= ~VM_MAYEXEC;
44273 -+#endif
44274 -+
44275 -+ }
44276 -+#endif
44277 -+
44278 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
44279 - down_write(&current->mm->mmap_sem);
44280 - if (insert_vm_struct(current->mm, vma)) {
44281 - up_write(&current->mm->mmap_sem);
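Review bot: `vm->vm_flags &= ~VM_EXEC;` uses `vm`, which does not exist in ia64_init_addr_space(); the variable is `vma`, as on the surrounding lines. With CONFIG_PAX_PAGEEXEC enabled this is a compile error. Change it to `vma->vm_flags &= ~VM_EXEC;`.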
44282 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c
44283 ---- linux-2.6.23.15/arch/mips/kernel/binfmt_elfn32.c 2007-10-09 21:31:38.000000000 +0100
44284 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfn32.c 2008-02-11 10:37:44.000000000 +0000
44285 -@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
44286 - #undef ELF_ET_DYN_BASE
44287 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
44288 -
44289 -+#ifdef CONFIG_PAX_ASLR
44290 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
44291 -+
44292 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44293 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44294 -+#endif
44295 -+
44296 - #include <asm/processor.h>
44297 - #include <linux/module.h>
44298 - #include <linux/elfcore.h>
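Review bot: both arms of the PAX_ELF_ET_DYN_BASE conditional evaluate to 0x00400000UL, so the MF_32BIT_ADDR test is dead code. Either the 64-bit base was meant to differ (the ia64 ia32 version of this define earlier in the patch does use a distinct 64-bit value) or the define should simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`.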
44299 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c
44300 ---- linux-2.6.23.15/arch/mips/kernel/binfmt_elfo32.c 2007-10-09 21:31:38.000000000 +0100
44301 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/binfmt_elfo32.c 2008-02-11 10:37:44.000000000 +0000
44302 -@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
44303 - #undef ELF_ET_DYN_BASE
44304 - #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
44305 -
44306 -+#ifdef CONFIG_PAX_ASLR
44307 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
44308 -+
44309 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44310 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
44311 -+#endif
44312 -+
44313 - #include <asm/processor.h>
44314 - #include <linux/module.h>
44315 - #include <linux/elfcore.h>
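Review bot: same redundant conditional as in binfmt_elfn32.c above: both arms of PAX_ELF_ET_DYN_BASE are 0x00400000UL. Use a single constant, or supply the intended 64-bit base if one exists, and keep the two files consistent.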
44316 -diff -Nurp linux-2.6.23.15/arch/mips/kernel/syscall.c linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c
44317 ---- linux-2.6.23.15/arch/mips/kernel/syscall.c 2007-10-09 21:31:38.000000000 +0100
44318 -+++ linux-2.6.23.15-grsec/arch/mips/kernel/syscall.c 2008-02-11 10:37:44.000000000 +0000
44319 -@@ -88,6 +88,11 @@ unsigned long arch_get_unmapped_area(str
44320 - do_color_align = 0;
44321 - if (filp || (flags & MAP_SHARED))
44322 - do_color_align = 1;
44323 -+
44324 -+#ifdef CONFIG_PAX_RANDMMAP
44325 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
44326 -+#endif
44327 -+
44328 - if (addr) {
44329 - if (do_color_align)
44330 - addr = COLOUR_ALIGN(addr, pgoff);
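Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` / `if (...)` / `#endif` immediately followed by `if (addr) {` makes the second `if` the body of the first only when the option is enabled, which is hard to read and fragile. Turn the guard into a local flag and write a single condition such as `if (addr && !ignore_hint) {` (constructed name) with the flag computed under the ifdef.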
44331 -@@ -98,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
44332 - (!vmm || addr + len <= vmm->vm_start))
44333 - return addr;
44334 - }
44335 -- addr = TASK_UNMAPPED_BASE;
44336 -+ addr = current->mm->mmap_base;
44337 - if (do_color_align)
44338 - addr = COLOUR_ALIGN(addr, pgoff);
44339 - else
44340 -diff -Nurp linux-2.6.23.15/arch/mips/mm/fault.c linux-2.6.23.15-grsec/arch/mips/mm/fault.c
44341 ---- linux-2.6.23.15/arch/mips/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44342 -+++ linux-2.6.23.15-grsec/arch/mips/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44343 -@@ -26,6 +26,23 @@
44344 - #include <asm/ptrace.h>
44345 - #include <asm/highmem.h> /* For VMALLOC_END */
44346 -
44347 -+#ifdef CONFIG_PAX_PAGEEXEC
44348 -+void pax_report_insns(void *pc)
44349 -+{
44350 -+ unsigned long i;
44351 -+
44352 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44353 -+ for (i = 0; i < 5; i++) {
44354 -+ unsigned int c;
44355 -+ if (get_user(c, (unsigned int *)pc+i))
44356 -+ printk("???????? ");
44357 -+ else
44358 -+ printk("%08x ", c);
44359 -+ }
44360 -+ printk("\n");
44361 -+}
44362 -+#endif
44363 -+
44364 - /*
44365 - * This routine handles page faults. It determines the address,
44366 - * and the problem, and then passes it off to one of the appropriate
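Review bot: this pax_report_insns(void *pc) has a different prototype from the ia64 version earlier in the patch and the parisc version below, both of which take (void *pc, void *sp). The common caller can only match one declaration, so align the signature across architectures (and drop `sp` everywhere if no architecture uses it; the ia64 and parisc bodies shown never read it).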
44367 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/module.c linux-2.6.23.15-grsec/arch/parisc/kernel/module.c
44368 ---- linux-2.6.23.15/arch/parisc/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
44369 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
44370 -@@ -73,16 +73,38 @@
44371 -
44372 - /* three functions to determine where in the module core
44373 - * or init pieces the location is */
44374 -+static inline int in_init_rx(struct module *me, void *loc)
44375 -+{
44376 -+ return (loc >= me->module_init_rx &&
44377 -+ loc < (me->module_init_rx + me->init_size_rx));
44378 -+}
44379 -+
44380 -+static inline int in_init_rw(struct module *me, void *loc)
44381 -+{
44382 -+ return (loc >= me->module_init_rw &&
44383 -+ loc < (me->module_init_rw + me->init_size_rw));
44384 -+}
44385 -+
44386 - static inline int in_init(struct module *me, void *loc)
44387 - {
44388 -- return (loc >= me->module_init &&
44389 -- loc <= (me->module_init + me->init_size));
44390 -+ return in_init_rx(me, loc) || in_init_rw(me, loc);
44391 -+}
44392 -+
44393 -+static inline int in_core_rx(struct module *me, void *loc)
44394 -+{
44395 -+ return (loc >= me->module_core_rx &&
44396 -+ loc < (me->module_core_rx + me->core_size_rx));
44397 -+}
44398 -+
44399 -+static inline int in_core_rw(struct module *me, void *loc)
44400 -+{
44401 -+ return (loc >= me->module_core_rw &&
44402 -+ loc < (me->module_core_rw + me->core_size_rw));
44403 - }
44404 -
44405 - static inline int in_core(struct module *me, void *loc)
44406 - {
44407 -- return (loc >= me->module_core &&
44408 -- loc <= (me->module_core + me->core_size));
44409 -+ return in_core_rx(me, loc) || in_core_rw(me, loc);
44410 - }
44411 -
44412 - static inline int in_local(struct module *me, void *loc)
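Review bot: besides the rx/rw split, in_init() and in_core() change the upper bound from `<=` to `<` (the replaced lines used `loc <= me->module_init + me->init_size`). The half-open check is the correct one, but it is a behaviour change independent of the split and deserves a mention in the changelog so it is not mistaken for an accidental edit.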
44413 -@@ -296,21 +318,21 @@ int module_frob_arch_sections(CONST Elf_
44414 - }
44415 -
44416 - /* align things a bit */
44417 -- me->core_size = ALIGN(me->core_size, 16);
44418 -- me->arch.got_offset = me->core_size;
44419 -- me->core_size += gots * sizeof(struct got_entry);
44420 --
44421 -- me->core_size = ALIGN(me->core_size, 16);
44422 -- me->arch.fdesc_offset = me->core_size;
44423 -- me->core_size += fdescs * sizeof(Elf_Fdesc);
44424 --
44425 -- me->core_size = ALIGN(me->core_size, 16);
44426 -- me->arch.stub_offset = me->core_size;
44427 -- me->core_size += stubs * sizeof(struct stub_entry);
44428 --
44429 -- me->init_size = ALIGN(me->init_size, 16);
44430 -- me->arch.init_stub_offset = me->init_size;
44431 -- me->init_size += init_stubs * sizeof(struct stub_entry);
44432 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
44433 -+ me->arch.got_offset = me->core_size_rw;
44434 -+ me->core_size_rw += gots * sizeof(struct got_entry);
44435 -+
44436 -+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
44437 -+ me->arch.fdesc_offset = me->core_size_rw;
44438 -+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
44439 -+
44440 -+ me->core_size_rx = ALIGN(me->core_size_rx, 16);
44441 -+ me->arch.stub_offset = me->core_size_rx;
44442 -+ me->core_size_rx += stubs * sizeof(struct stub_entry);
44443 -+
44444 -+ me->init_size_rx = ALIGN(me->init_size_rx, 16);
44445 -+ me->arch.init_stub_offset = me->init_size_rx;
44446 -+ me->init_size_rx += init_stubs * sizeof(struct stub_entry);
44447 -
44448 - me->arch.got_max = gots;
44449 - me->arch.fdesc_max = fdescs;
44450 -@@ -330,7 +352,7 @@ static Elf64_Word get_got(struct module
44451 -
44452 - BUG_ON(value == 0);
44453 -
44454 -- got = me->module_core + me->arch.got_offset;
44455 -+ got = me->module_core_rw + me->arch.got_offset;
44456 - for (i = 0; got[i].addr; i++)
44457 - if (got[i].addr == value)
44458 - goto out;
44459 -@@ -348,7 +370,7 @@ static Elf64_Word get_got(struct module
44460 - #ifdef CONFIG_64BIT
44461 - static Elf_Addr get_fdesc(struct module *me, unsigned long value)
44462 - {
44463 -- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
44464 -+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
44465 -
44466 - if (!value) {
44467 - printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
44468 -@@ -366,7 +388,7 @@ static Elf_Addr get_fdesc(struct module
44469 -
44470 - /* Create new one */
44471 - fdesc->addr = value;
44472 -- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
44473 -+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
44474 - return (Elf_Addr)fdesc;
44475 - }
44476 - #endif /* CONFIG_64BIT */
44477 -@@ -386,12 +408,12 @@ static Elf_Addr get_stub(struct module *
44478 - if(init_section) {
44479 - i = me->arch.init_stub_count++;
44480 - BUG_ON(me->arch.init_stub_count > me->arch.init_stub_max);
44481 -- stub = me->module_init + me->arch.init_stub_offset +
44482 -+ stub = me->module_init_rx + me->arch.init_stub_offset +
44483 - i * sizeof(struct stub_entry);
44484 - } else {
44485 - i = me->arch.stub_count++;
44486 - BUG_ON(me->arch.stub_count > me->arch.stub_max);
44487 -- stub = me->module_core + me->arch.stub_offset +
44488 -+ stub = me->module_core_rx + me->arch.stub_offset +
44489 - i * sizeof(struct stub_entry);
44490 - }
44491 -
44492 -@@ -759,7 +781,7 @@ register_unwind_table(struct module *me,
44493 -
44494 - table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
44495 - end = table + sechdrs[me->arch.unwind_section].sh_size;
44496 -- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
44497 -+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
44498 -
44499 - DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
44500 - me->arch.unwind_section, table, end, gp);
44501 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c
44502 ---- linux-2.6.23.15/arch/parisc/kernel/sys_parisc.c 2007-10-09 21:31:38.000000000 +0100
44503 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/sys_parisc.c 2008-02-11 10:37:44.000000000 +0000
44504 -@@ -111,7 +111,7 @@ unsigned long arch_get_unmapped_area(str
44505 - if (flags & MAP_FIXED)
44506 - return addr;
44507 - if (!addr)
44508 -- addr = TASK_UNMAPPED_BASE;
44509 -+ addr = current->mm->mmap_base;
44510 -
44511 - if (filp) {
44512 - addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
44513 -diff -Nurp linux-2.6.23.15/arch/parisc/kernel/traps.c linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c
44514 ---- linux-2.6.23.15/arch/parisc/kernel/traps.c 2007-10-09 21:31:38.000000000 +0100
44515 -+++ linux-2.6.23.15-grsec/arch/parisc/kernel/traps.c 2008-02-11 10:37:44.000000000 +0000
44516 -@@ -713,9 +713,7 @@ void handle_interruption(int code, struc
44517 -
44518 - down_read(&current->mm->mmap_sem);
44519 - vma = find_vma(current->mm,regs->iaoq[0]);
44520 -- if (vma && (regs->iaoq[0] >= vma->vm_start)
44521 -- && (vma->vm_flags & VM_EXEC)) {
44522 --
44523 -+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
44524 - fault_address = regs->iaoq[0];
44525 - fault_space = regs->iasq[0];
44526 -
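Review bot: dropping `&& (vma->vm_flags & VM_EXEC)` from handle_interruption() means an instruction fetch from a non-executable vma is no longer rejected here and instead continues into the page fault path. That is what lets the PAGEEXEC handling in arch/parisc/mm/fault.c below (with code 7 added to parisc_acctyp()) see the fault, but it also makes the fault handler solely responsible for refusing VM_EXEC-less mappings. Add a comment at this site pointing at the fault handler so the removed check is not reinstated later.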
44527 -diff -Nurp linux-2.6.23.15/arch/parisc/mm/fault.c linux-2.6.23.15-grsec/arch/parisc/mm/fault.c
44528 ---- linux-2.6.23.15/arch/parisc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44529 -+++ linux-2.6.23.15-grsec/arch/parisc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44530 -@@ -16,6 +16,8 @@
44531 - #include <linux/sched.h>
44532 - #include <linux/interrupt.h>
44533 - #include <linux/module.h>
44534 -+#include <linux/unistd.h>
44535 -+#include <linux/binfmts.h>
44536 -
44537 - #include <asm/uaccess.h>
44538 - #include <asm/traps.h>
44539 -@@ -53,7 +55,7 @@ DEFINE_PER_CPU(struct exception_data, ex
44540 - static unsigned long
44541 - parisc_acctyp(unsigned long code, unsigned int inst)
44542 - {
44543 -- if (code == 6 || code == 16)
44544 -+ if (code == 6 || code == 7 || code == 16)
44545 - return VM_EXEC;
44546 -
44547 - switch (inst & 0xf0000000) {
44548 -@@ -139,6 +141,116 @@ parisc_acctyp(unsigned long code, unsign
44549 - }
44550 - #endif
44551 -
44552 -+#ifdef CONFIG_PAX_PAGEEXEC
44553 -+/*
44554 -+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
44555 -+ *
44556 -+ * returns 1 when task should be killed
44557 -+ * 2 when rt_sigreturn trampoline was detected
44558 -+ * 3 when unpatched PLT trampoline was detected
44559 -+ */
44560 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
44561 -+{
44562 -+
44563 -+#ifdef CONFIG_PAX_EMUPLT
44564 -+ int err;
44565 -+
44566 -+ do { /* PaX: unpatched PLT emulation */
44567 -+ unsigned int bl, depwi;
44568 -+
44569 -+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
44570 -+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
44571 -+
44572 -+ if (err)
44573 -+ break;
44574 -+
44575 -+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
44576 -+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
44577 -+
44578 -+ err = get_user(ldw, (unsigned int *)addr);
44579 -+ err |= get_user(bv, (unsigned int *)(addr+4));
44580 -+ err |= get_user(ldw2, (unsigned int *)(addr+8));
44581 -+
44582 -+ if (err)
44583 -+ break;
44584 -+
44585 -+ if (ldw == 0x0E801096U &&
44586 -+ bv == 0xEAC0C000U &&
44587 -+ ldw2 == 0x0E881095U)
44588 -+ {
44589 -+ unsigned int resolver, map;
44590 -+
44591 -+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
44592 -+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
44593 -+ if (err)
44594 -+ break;
44595 -+
44596 -+ regs->gr[20] = instruction_pointer(regs)+8;
44597 -+ regs->gr[21] = map;
44598 -+ regs->gr[22] = resolver;
44599 -+ regs->iaoq[0] = resolver | 3UL;
44600 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
44601 -+ return 3;
44602 -+ }
44603 -+ }
44604 -+ } while (0);
44605 -+#endif
44606 -+
44607 -+#ifdef CONFIG_PAX_EMUTRAMP
44608 -+
44609 -+#ifndef CONFIG_PAX_EMUSIGRT
44610 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
44611 -+ return 1;
44612 -+#endif
44613 -+
44614 -+ do { /* PaX: rt_sigreturn emulation */
44615 -+ unsigned int ldi1, ldi2, bel, nop;
44616 -+
44617 -+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
44618 -+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
44619 -+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
44620 -+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
44621 -+
44622 -+ if (err)
44623 -+ break;
44624 -+
44625 -+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
44626 -+ ldi2 == 0x3414015AU &&
44627 -+ bel == 0xE4008200U &&
44628 -+ nop == 0x08000240U)
44629 -+ {
44630 -+ regs->gr[25] = (ldi1 & 2) >> 1;
44631 -+ regs->gr[20] = __NR_rt_sigreturn;
44632 -+ regs->gr[31] = regs->iaoq[1] + 16;
44633 -+ regs->sr[0] = regs->iasq[1];
44634 -+ regs->iaoq[0] = 0x100UL;
44635 -+ regs->iaoq[1] = regs->iaoq[0] + 4;
44636 -+ regs->iasq[0] = regs->sr[2];
44637 -+ regs->iasq[1] = regs->sr[2];
44638 -+ return 2;
44639 -+ }
44640 -+ } while (0);
44641 -+#endif
44642 -+
44643 -+ return 1;
44644 -+}
44645 -+
44646 -+void pax_report_insns(void *pc, void *sp)
44647 -+{
44648 -+ unsigned long i;
44649 -+
44650 -+ printk(KERN_ERR "PAX: bytes at PC: ");
44651 -+ for (i = 0; i < 5; i++) {
44652 -+ unsigned int c;
44653 -+ if (get_user(c, (unsigned int *)pc+i))
44654 -+ printk("???????? ");
44655 -+ else
44656 -+ printk("%08x ", c);
44657 -+ }
44658 -+ printk("\n");
44659 -+}
44660 -+#endif
44661 -+
44662 - void do_page_fault(struct pt_regs *regs, unsigned long code,
44663 - unsigned long address)
44664 - {
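Review bot: `int err;` is declared only under `#ifdef CONFIG_PAX_EMUPLT`, but the rt_sigreturn emulation block under `#ifdef CONFIG_PAX_EMUTRAMP` also assigns to and tests `err`. A build with EMUTRAMP enabled and EMUPLT disabled fails with an undeclared `err`. Declare it under `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, the way the powerpc version of this function below does for its pair of options.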
44665 -@@ -165,8 +277,33 @@ good_area:
44666 -
44667 - acc_type = parisc_acctyp(code,regs->iir);
44668 -
44669 -- if ((vma->vm_flags & acc_type) != acc_type)
44670 -+ if ((vma->vm_flags & acc_type) != acc_type) {
44671 -+
44672 -+#ifdef CONFIG_PAX_PAGEEXEC
44673 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
44674 -+ (address & ~3UL) == instruction_pointer(regs))
44675 -+ {
44676 -+ up_read(&mm->mmap_sem);
44677 -+ switch (pax_handle_fetch_fault(regs)) {
44678 -+
44679 -+#ifdef CONFIG_PAX_EMUPLT
44680 -+ case 3:
44681 -+ return;
44682 -+#endif
44683 -+
44684 -+#ifdef CONFIG_PAX_EMUTRAMP
44685 -+ case 2:
44686 -+ return;
44687 -+#endif
44688 -+
44689 -+ }
44690 -+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
44691 -+ do_exit(SIGKILL);
44692 -+ }
44693 -+#endif
44694 -+
44695 - goto bad_area;
44696 -+ }
44697 -
44698 - /*
44699 - * If for any reason at all we couldn't handle the fault, make
44700 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/module_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c
44701 ---- linux-2.6.23.15/arch/powerpc/kernel/module_32.c 2007-10-09 21:31:38.000000000 +0100
44702 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/module_32.c 2008-02-11 10:37:44.000000000 +0000
44703 -@@ -126,7 +126,7 @@ int module_frob_arch_sections(Elf32_Ehdr
44704 - me->arch.core_plt_section = i;
44705 - }
44706 - if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
44707 -- printk("Module doesn't contain .plt or .init.plt sections.\n");
44708 -+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
44709 - return -ENOEXEC;
44710 - }
44711 -
44712 -@@ -167,11 +167,16 @@ static uint32_t do_plt_call(void *locati
44713 -
44714 - DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
44715 - /* Init, or core PLT? */
44716 -- if (location >= mod->module_core
44717 -- && location < mod->module_core + mod->core_size)
44718 -+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
44719 -+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
44720 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
44721 -- else
44722 -+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
44723 -+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
44724 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
44725 -+ else {
44726 -+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
44727 -+ return ~0UL;
44728 -+ }
44729 -
44730 - /* Find this entry, or if that fails, the next avail. entry */
44731 - while (entry->jump[0]) {
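Review bot: do_plt_call() is declared `static uint32_t` (see the hunk header), so `return ~0UL;` is truncated to 0xffffffff; the new error path only works if every caller checks for that exact value, and the lines shown do not say whether they do. Either make the callers treat 0xffffffffU as failure explicitly, or return the error through a separate status so an invalid entry cannot be written into the PLT as an address. The added printk with mod->name is a good addition.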
44732 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_32.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c
44733 ---- linux-2.6.23.15/arch/powerpc/kernel/signal_32.c 2007-10-09 21:31:38.000000000 +0100
44734 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_32.c 2008-02-11 10:37:44.000000000 +0000
44735 -@@ -728,7 +728,7 @@ int handle_rt_signal32(unsigned long sig
44736 -
44737 - /* Save user registers on the stack */
44738 - frame = &rt_sf->uc.uc_mcontext;
44739 -- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
44740 -+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
44741 - if (save_user_regs(regs, frame, 0))
44742 - goto badframe;
44743 - regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
44744 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/signal_64.c linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c
44745 ---- linux-2.6.23.15/arch/powerpc/kernel/signal_64.c 2007-10-09 21:31:38.000000000 +0100
44746 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/signal_64.c 2008-02-11 10:37:44.000000000 +0000
44747 -@@ -359,7 +359,7 @@ int handle_rt_signal64(int signr, struct
44748 - current->thread.fpscr.val = 0;
44749 -
44750 - /* Set up to return from userspace. */
44751 -- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
44752 -+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
44753 - regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
44754 - } else {
44755 - err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
44756 -diff -Nurp linux-2.6.23.15/arch/powerpc/kernel/vdso.c linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c
44757 ---- linux-2.6.23.15/arch/powerpc/kernel/vdso.c 2007-10-09 21:31:38.000000000 +0100
44758 -+++ linux-2.6.23.15-grsec/arch/powerpc/kernel/vdso.c 2008-02-11 10:37:44.000000000 +0000
44759 -@@ -211,7 +211,7 @@ int arch_setup_additional_pages(struct l
44760 - vdso_base = VDSO32_MBASE;
44761 - #endif
44762 -
44763 -- current->mm->context.vdso_base = 0;
44764 -+ current->mm->context.vdso_base = ~0UL;
44765 -
44766 - /* vDSO has a problem and was disabled, just don't "enable" it for the
44767 - * process
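Review bot: changing the "no vDSO" sentinel from 0 to ~0UL means every `if (current->mm->context.vdso_base)` test has to become `!= ~0UL`; signal_32.c and signal_64.c are updated above, but any other reader of vdso_base that still treats 0 as "not mapped" will now see an unmapped vDSO at ~0UL. Grep for the remaining users before merging, and define a named constant for the sentinel instead of repeating the bare ~0UL in three files.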
44768 -@@ -228,7 +228,7 @@ int arch_setup_additional_pages(struct l
44769 - */
44770 - down_write(&mm->mmap_sem);
44771 - vdso_base = get_unmapped_area(NULL, vdso_base,
44772 -- vdso_pages << PAGE_SHIFT, 0, 0);
44773 -+ vdso_pages << PAGE_SHIFT, 0, MAP_PRIVATE | MAP_EXECUTABLE);
44774 - if (IS_ERR_VALUE(vdso_base)) {
44775 - rc = vdso_base;
44776 - goto fail_mmapsem;
44777 -diff -Nurp linux-2.6.23.15/arch/powerpc/mm/fault.c linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c
44778 ---- linux-2.6.23.15/arch/powerpc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
44779 -+++ linux-2.6.23.15-grsec/arch/powerpc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
44780 -@@ -29,6 +29,12 @@
44781 - #include <linux/module.h>
44782 - #include <linux/kprobes.h>
44783 - #include <linux/kdebug.h>
44784 -+#include <linux/binfmts.h>
44785 -+#include <linux/slab.h>
44786 -+#include <linux/pagemap.h>
44787 -+#include <linux/compiler.h>
44788 -+#include <linux/binfmts.h>
44789 -+#include <linux/unistd.h>
44790 -
44791 - #include <asm/page.h>
44792 - #include <asm/pgtable.h>
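Review bot: `#include <linux/binfmts.h>` is added twice in this hunk (the first and the fifth added lines); drop the duplicate. While there, check whether slab.h, pagemap.h and compiler.h are really needed by the new code, since the emulation code below visibly uses only the page allocation, kmap and get_user helpers plus __NR_rt_sigreturn from unistd.h.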
44793 -@@ -62,6 +68,364 @@ static inline int notify_page_fault(stru
44794 - }
44795 - #endif
44796 -
44797 -+#ifdef CONFIG_PAX_EMUSIGRT
44798 -+void pax_syscall_close(struct vm_area_struct *vma)
44799 -+{
44800 -+ vma->vm_mm->call_syscall = 0UL;
44801 -+}
44802 -+
44803 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
44804 -+{
44805 -+ struct page *page;
44806 -+ unsigned int *kaddr;
44807 -+
44808 -+ page = alloc_page(GFP_HIGHUSER);
44809 -+ if (!page)
44810 -+ return NOPAGE_OOM;
44811 -+
44812 -+ kaddr = kmap(page);
44813 -+ memset(kaddr, 0, PAGE_SIZE);
44814 -+ kaddr[0] = 0x44000002U; /* sc */
44815 -+ __flush_dcache_icache(kaddr);
44816 -+ kunmap(page);
44817 -+ if (type)
44818 -+ *type = VM_FAULT_MAJOR;
44819 -+ return page;
44820 -+}
44821 -+
44822 -+static struct vm_operations_struct pax_vm_ops = {
44823 -+ .close = pax_syscall_close,
44824 -+ .nopage = pax_syscall_nopage,
44825 -+};
44826 -+
44827 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
44828 -+{
44829 -+ int ret;
44830 -+
44831 -+ memset(vma, 0, sizeof(*vma));
44832 -+ vma->vm_mm = current->mm;
44833 -+ vma->vm_start = addr;
44834 -+ vma->vm_end = addr + PAGE_SIZE;
44835 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
44836 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
44837 -+ vma->vm_ops = &pax_vm_ops;
44838 -+
44839 -+ ret = insert_vm_struct(current->mm, vma);
44840 -+ if (ret)
44841 -+ return ret;
44842 -+
44843 -+ ++current->mm->total_vm;
44844 -+ return 0;
44845 -+}
44846 -+#endif
44847 -+
44848 -+#ifdef CONFIG_PAX_PAGEEXEC
44849 -+/*
44850 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
44851 -+ *
44852 -+ * returns 1 when task should be killed
44853 -+ * 2 when patched GOT trampoline was detected
44854 -+ * 3 when patched PLT trampoline was detected
44855 -+ * 4 when unpatched PLT trampoline was detected
44856 -+ * 5 when sigreturn trampoline was detected
44857 -+ * 6 when rt_sigreturn trampoline was detected
44858 -+ */
44859 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
44860 -+{
44861 -+
44862 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
44863 -+ int err;
44864 -+#endif
44865 -+
44866 -+#ifdef CONFIG_PAX_EMUPLT
44867 -+ do { /* PaX: patched GOT emulation */
44868 -+ unsigned int blrl;
44869 -+
44870 -+ err = get_user(blrl, (unsigned int *)regs->nip);
44871 -+
44872 -+ if (!err && blrl == 0x4E800021U) {
44873 -+ unsigned long temp = regs->nip;
44874 -+
44875 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
44876 -+ regs->link = temp + 4UL;
44877 -+ return 2;
44878 -+ }
44879 -+ } while (0);
44880 -+
44881 -+ do { /* PaX: patched PLT emulation #1 */
44882 -+ unsigned int b;
44883 -+
44884 -+ err = get_user(b, (unsigned int *)regs->nip);
44885 -+
44886 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
44887 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
44888 -+ return 3;
44889 -+ }
44890 -+ } while (0);
44891 -+
44892 -+ do { /* PaX: unpatched PLT emulation #1 */
44893 -+ unsigned int li, b;
44894 -+
44895 -+ err = get_user(li, (unsigned int *)regs->nip);
44896 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
44897 -+
44898 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
44899 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
44900 -+ unsigned long addr = b | 0xFC000000UL;
44901 -+
44902 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
44903 -+ err = get_user(rlwinm, (unsigned int *)addr);
44904 -+ err |= get_user(add, (unsigned int *)(addr+4));
44905 -+ err |= get_user(li2, (unsigned int *)(addr+8));
44906 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
44907 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
44908 -+ err |= get_user(li3, (unsigned int *)(addr+20));
44909 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
44910 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
44911 -+
44912 -+ if (err)
44913 -+ break;
44914 -+
44915 -+ if (rlwinm == 0x556C083CU &&
44916 -+ add == 0x7D6C5A14U &&
44917 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
44918 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
44919 -+ mtctr == 0x7D8903A6U &&
44920 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
44921 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
44922 -+ bctr == 0x4E800420U)
44923 -+ {
44924 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44925 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44926 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
44927 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44928 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
44929 -+ regs->nip = regs->ctr;
44930 -+ return 4;
44931 -+ }
44932 -+ }
44933 -+ } while (0);
44934 -+
44935 -+#if 0
44936 -+ do { /* PaX: unpatched PLT emulation #2 */
44937 -+ unsigned int lis, lwzu, b, bctr;
44938 -+
44939 -+ err = get_user(lis, (unsigned int *)regs->nip);
44940 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
44941 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
44942 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
44943 -+
44944 -+ if (err)
44945 -+ break;
44946 -+
44947 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
44948 -+ (lwzu & 0xU) == 0xU &&
44949 -+ (b & 0xFC000003U) == 0x48000000U &&
44950 -+ bctr == 0x4E800420U)
44951 -+ {
44952 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
44953 -+ unsigned long addr = b | 0xFC000000UL;
44954 -+
44955 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
44956 -+ err = get_user(addis, (unsigned int*)addr);
44957 -+ err |= get_user(addi, (unsigned int*)(addr+4));
44958 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
44959 -+ err |= get_user(add, (unsigned int*)(addr+12));
44960 -+ err |= get_user(li2, (unsigned int*)(addr+16));
44961 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
44962 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
44963 -+ err |= get_user(li3, (unsigned int*)(addr+28));
44964 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
44965 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
44966 -+
44967 -+ if (err)
44968 -+ break;
44969 -+
44970 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
44971 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
44972 -+ rlwinm == 0x556C083CU &&
44973 -+ add == 0x7D6C5A14U &&
44974 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
44975 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
44976 -+ mtctr == 0x7D8903A6U &&
44977 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
44978 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
44979 -+ bctr == 0x4E800420U)
44980 -+ {
44981 -+ regs->gpr[PT_R11] =
44982 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44983 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44984 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
44985 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
44986 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
44987 -+ regs->nip = regs->ctr;
44988 -+ return 4;
44989 -+ }
44990 -+ }
44991 -+ } while (0);
44992 -+#endif
44993 -+
44994 -+ do { /* PaX: unpatched PLT emulation #3 */
44995 -+ unsigned int li, b;
44996 -+
44997 -+ err = get_user(li, (unsigned int *)regs->nip);
44998 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
44999 -+
45000 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45001 -+ unsigned int addis, lwz, mtctr, bctr;
45002 -+ unsigned long addr = b | 0xFC000000UL;
45003 -+
45004 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45005 -+ err = get_user(addis, (unsigned int *)addr);
45006 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
45007 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
45008 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
45009 -+
45010 -+ if (err)
45011 -+ break;
45012 -+
45013 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45014 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
45015 -+ mtctr == 0x7D6903A6U &&
45016 -+ bctr == 0x4E800420U)
45017 -+ {
45018 -+ unsigned int r11;
45019 -+
45020 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45021 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45022 -+
45023 -+ err = get_user(r11, (unsigned int *)addr);
45024 -+ if (err)
45025 -+ break;
45026 -+
45027 -+ regs->gpr[PT_R11] = r11;
45028 -+ regs->ctr = r11;
45029 -+ regs->nip = r11;
45030 -+ return 4;
45031 -+ }
45032 -+ }
45033 -+ } while (0);
45034 -+#endif
45035 -+
45036 -+#ifdef CONFIG_PAX_EMUSIGRT
45037 -+ do { /* PaX: sigreturn emulation */
45038 -+ unsigned int li, sc;
45039 -+
45040 -+ err = get_user(li, (unsigned int *)regs->nip);
45041 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45042 -+
45043 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
45044 -+ struct vm_area_struct *vma;
45045 -+ unsigned long call_syscall;
45046 -+
45047 -+ down_read(&current->mm->mmap_sem);
45048 -+ call_syscall = current->mm->call_syscall;
45049 -+ up_read(&current->mm->mmap_sem);
45050 -+ if (likely(call_syscall))
45051 -+ goto emulate;
45052 -+
45053 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45054 -+
45055 -+ down_write(&current->mm->mmap_sem);
45056 -+ if (current->mm->call_syscall) {
45057 -+ call_syscall = current->mm->call_syscall;
45058 -+ up_write(&current->mm->mmap_sem);
45059 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45060 -+ goto emulate;
45061 -+ }
45062 -+
45063 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45064 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45065 -+ up_write(&current->mm->mmap_sem);
45066 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45067 -+ return 1;
45068 -+ }
45069 -+
45070 -+ if (pax_insert_vma(vma, call_syscall)) {
45071 -+ up_write(&current->mm->mmap_sem);
45072 -+ kmem_cache_free(vm_area_cachep, vma);
45073 -+ return 1;
45074 -+ }
45075 -+
45076 -+ current->mm->call_syscall = call_syscall;
45077 -+ up_write(&current->mm->mmap_sem);
45078 -+
45079 -+emulate:
45080 -+ regs->gpr[PT_R0] = __NR_sigreturn;
45081 -+ regs->nip = call_syscall;
45082 -+ return 5;
45083 -+ }
45084 -+ } while (0);
45085 -+
45086 -+ do { /* PaX: rt_sigreturn emulation */
45087 -+ unsigned int li, sc;
45088 -+
45089 -+ err = get_user(li, (unsigned int *)regs->nip);
45090 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45091 -+
45092 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
45093 -+ struct vm_area_struct *vma;
45094 -+ unsigned int call_syscall;
45095 -+
45096 -+ down_read(&current->mm->mmap_sem);
45097 -+ call_syscall = current->mm->call_syscall;
45098 -+ up_read(&current->mm->mmap_sem);
45099 -+ if (likely(call_syscall))
45100 -+ goto rt_emulate;
45101 -+
45102 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45103 -+
45104 -+ down_write(&current->mm->mmap_sem);
45105 -+ if (current->mm->call_syscall) {
45106 -+ call_syscall = current->mm->call_syscall;
45107 -+ up_write(&current->mm->mmap_sem);
45108 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45109 -+ goto rt_emulate;
45110 -+ }
45111 -+
45112 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45113 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45114 -+ up_write(&current->mm->mmap_sem);
45115 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45116 -+ return 1;
45117 -+ }
45118 -+
45119 -+ if (pax_insert_vma(vma, call_syscall)) {
45120 -+ up_write(&current->mm->mmap_sem);
45121 -+ kmem_cache_free(vm_area_cachep, vma);
45122 -+ return 1;
45123 -+ }
45124 -+
45125 -+ current->mm->call_syscall = call_syscall;
45126 -+ up_write(&current->mm->mmap_sem);
45127 -+
45128 -+rt_emulate:
45129 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
45130 -+ regs->nip = call_syscall;
45131 -+ return 6;
45132 -+ }
45133 -+ } while (0);
45134 -+#endif
45135 -+
45136 -+ return 1;
45137 -+}
45138 -+
45139 -+void pax_report_insns(void *pc, void *sp)
45140 -+{
45141 -+ unsigned long i;
45142 -+
45143 -+ printk(KERN_ERR "PAX: bytes at PC: ");
45144 -+ for (i = 0; i < 5; i++) {
45145 -+ unsigned int c;
45146 -+ if (get_user(c, (unsigned int *)pc+i))
45147 -+ printk("???????? ");
45148 -+ else
45149 -+ printk("%08x ", c);
45150 -+ }
45151 -+ printk("\n");
45152 -+}
45153 -+#endif
45154 -+
45155 - /*
45156 - * Check whether the instruction at regs->nip is a store using
45157 - * an update addressing form which will update r1.
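Review bot: the rt_sigreturn emulation block declares `unsigned int call_syscall;` while the sigreturn block just above declares it `unsigned long`; since `mm->call_syscall` is an unsigned long and `get_unmapped_area()` returns one, on CONFIG_PPC64 (which this file supports, see the `#ifdef CONFIG_PPC64` further down) the address is truncated to 32 bits before the `(call_syscall & ~PAGE_MASK)` check and the `regs->nip = call_syscall;` assignment. Make it `unsigned long` in both blocks. The `#if 0` "unpatched PLT emulation #2" block also carries unfinished placeholders (`(lwzu & 0xU) == 0xU`, a dangling `regs->gpr[PT_R11] =` followed by a second assignment, and an inner `bctr` that shadows the outer one); code that does not even parse should be dropped rather than kept behind `#if 0`.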
45158 -@@ -157,7 +521,7 @@ int __kprobes do_page_fault(struct pt_re
45159 - * indicate errors in DSISR but can validly be set in SRR1.
45160 - */
45161 - if (trap == 0x400)
45162 -- error_code &= 0x48200000;
45163 -+ error_code &= 0x58200000;
45164 - else
45165 - is_write = error_code & DSISR_ISSTORE;
45166 - #else
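Review bot: widening the mask from `0x48200000` to `0x58200000` adds bit `0x10000000` without a comment, and the PAGEEXEC handling added later in this file keys on the instruction-fetch error code that this mask shapes. Name the SRR1 condition the extra bit keeps (presumably the no-execute/guarded fetch fault that PAGEEXEC depends on) with a symbolic constant or at least a one-line comment, so the magic number does not have to be decoded from the manual.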
45167 -@@ -357,6 +721,37 @@ bad_area:
45168 - bad_area_nosemaphore:
45169 - /* User mode accesses cause a SIGSEGV */
45170 - if (user_mode(regs)) {
45171 -+
45172 -+#ifdef CONFIG_PAX_PAGEEXEC
45173 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
45174 -+#ifdef CONFIG_PPC64
45175 -+ if (is_exec && (error_code & DSISR_PROTFAULT)) {
45176 -+#else
45177 -+ if (is_exec && regs->nip == address) {
45178 -+#endif
45179 -+ switch (pax_handle_fetch_fault(regs)) {
45180 -+
45181 -+#ifdef CONFIG_PAX_EMUPLT
45182 -+ case 2:
45183 -+ case 3:
45184 -+ case 4:
45185 -+ return 0;
45186 -+#endif
45187 -+
45188 -+#ifdef CONFIG_PAX_EMUSIGRT
45189 -+ case 5:
45190 -+ case 6:
45191 -+ return 0;
45192 -+#endif
45193 -+
45194 -+ }
45195 -+
45196 -+ pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
45197 -+ do_exit(SIGKILL);
45198 -+ }
45199 -+ }
45200 -+#endif
45201 -+
45202 - _exception(SIGSEGV, regs, code, address);
45203 - return 0;
45204 - }
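Review bot: the `switch (pax_handle_fetch_fault(regs))` has no `case 1:` and no `default:`, so the kill path (`pax_report_fault()` followed by `do_exit(SIGKILL)`) is reached only by silently falling out of the switch; add an explicit `default: break;` with a comment that return value 1 means the task is killed. The two fetch-fault conditions also deserve a comment: the PPC64 branch tests `is_exec && (error_code & DSISR_PROTFAULT)` while the 32-bit branch tests `is_exec && regs->nip == address`, and it is not obvious from the code why these are equivalent gates for the emulation.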
45205 -diff -Nurp linux-2.6.23.15/arch/powerpc/mm/mmap.c linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c
45206 ---- linux-2.6.23.15/arch/powerpc/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
45207 -+++ linux-2.6.23.15-grsec/arch/powerpc/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
45208 -@@ -75,10 +75,22 @@ void arch_pick_mmap_layout(struct mm_str
45209 - */
45210 - if (mmap_is_legacy()) {
45211 - mm->mmap_base = TASK_UNMAPPED_BASE;
45212 -+
45213 -+#ifdef CONFIG_PAX_RANDMMAP
45214 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
45215 -+ mm->mmap_base += mm->delta_mmap;
45216 -+#endif
45217 -+
45218 - mm->get_unmapped_area = arch_get_unmapped_area;
45219 - mm->unmap_area = arch_unmap_area;
45220 - } else {
45221 - mm->mmap_base = mmap_base();
45222 -+
45223 -+#ifdef CONFIG_PAX_RANDMMAP
45224 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
45225 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
45226 -+#endif
45227 -+
45228 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
45229 - mm->unmap_area = arch_unmap_area_topdown;
45230 - }
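Review bot: the legacy layout adds only `mm->delta_mmap` to `mmap_base`, while the top-down layout subtracts `mm->delta_mmap + mm->delta_stack`; a one-line comment on why the stack delta enters only the top-down case (the mmap area sits below the randomized stack there) would save the next reader from treating the asymmetry as a bug.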
45231 -diff -Nurp linux-2.6.23.15/arch/ppc/mm/fault.c linux-2.6.23.15-grsec/arch/ppc/mm/fault.c
45232 ---- linux-2.6.23.15/arch/ppc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
45233 -+++ linux-2.6.23.15-grsec/arch/ppc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
45234 -@@ -25,6 +25,11 @@
45235 - #include <linux/interrupt.h>
45236 - #include <linux/highmem.h>
45237 - #include <linux/module.h>
45238 -+#include <linux/slab.h>
45239 -+#include <linux/pagemap.h>
45240 -+#include <linux/compiler.h>
45241 -+#include <linux/binfmts.h>
45242 -+#include <linux/unistd.h>
45243 -
45244 - #include <asm/page.h>
45245 - #include <asm/pgtable.h>
45246 -@@ -48,6 +53,364 @@ unsigned long pte_misses; /* updated by
45247 - unsigned long pte_errors; /* updated by do_page_fault() */
45248 - unsigned int probingmem;
45249 -
45250 -+#ifdef CONFIG_PAX_EMUSIGRT
45251 -+void pax_syscall_close(struct vm_area_struct *vma)
45252 -+{
45253 -+ vma->vm_mm->call_syscall = 0UL;
45254 -+}
45255 -+
45256 -+static struct page *pax_syscall_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
45257 -+{
45258 -+ struct page *page;
45259 -+ unsigned int *kaddr;
45260 -+
45261 -+ page = alloc_page(GFP_HIGHUSER);
45262 -+ if (!page)
45263 -+ return NOPAGE_OOM;
45264 -+
45265 -+ kaddr = kmap(page);
45266 -+ memset(kaddr, 0, PAGE_SIZE);
45267 -+ kaddr[0] = 0x44000002U; /* sc */
45268 -+ __flush_dcache_icache(kaddr);
45269 -+ kunmap(page);
45270 -+ if (type)
45271 -+ *type = VM_FAULT_MAJOR;
45272 -+ return page;
45273 -+}
45274 -+
45275 -+static struct vm_operations_struct pax_vm_ops = {
45276 -+ .close = pax_syscall_close,
45277 -+ .nopage = pax_syscall_nopage,
45278 -+};
45279 -+
45280 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
45281 -+{
45282 -+ int ret;
45283 -+
45284 -+ memset(vma, 0, sizeof(*vma));
45285 -+ vma->vm_mm = current->mm;
45286 -+ vma->vm_start = addr;
45287 -+ vma->vm_end = addr + PAGE_SIZE;
45288 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
45289 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45290 -+ vma->vm_ops = &pax_vm_ops;
45291 -+
45292 -+ ret = insert_vm_struct(current->mm, vma);
45293 -+ if (ret)
45294 -+ return ret;
45295 -+
45296 -+ ++current->mm->total_vm;
45297 -+ return 0;
45298 -+}
45299 -+#endif
45300 -+
45301 -+#ifdef CONFIG_PAX_PAGEEXEC
45302 -+/*
45303 -+ * PaX: decide what to do with offenders (regs->nip = fault address)
45304 -+ *
45305 -+ * returns 1 when task should be killed
45306 -+ * 2 when patched GOT trampoline was detected
45307 -+ * 3 when patched PLT trampoline was detected
45308 -+ * 4 when unpatched PLT trampoline was detected
45309 -+ * 5 when sigreturn trampoline was detected
45310 -+ * 6 when rt_sigreturn trampoline was detected
45311 -+ */
45312 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
45313 -+{
45314 -+
45315 -+#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUSIGRT)
45316 -+ int err;
45317 -+#endif
45318 -+
45319 -+#ifdef CONFIG_PAX_EMUPLT
45320 -+ do { /* PaX: patched GOT emulation */
45321 -+ unsigned int blrl;
45322 -+
45323 -+ err = get_user(blrl, (unsigned int *)regs->nip);
45324 -+
45325 -+ if (!err && blrl == 0x4E800021U) {
45326 -+ unsigned long temp = regs->nip;
45327 -+
45328 -+ regs->nip = regs->link & 0xFFFFFFFCUL;
45329 -+ regs->link = temp + 4UL;
45330 -+ return 2;
45331 -+ }
45332 -+ } while (0);
45333 -+
45334 -+ do { /* PaX: patched PLT emulation #1 */
45335 -+ unsigned int b;
45336 -+
45337 -+ err = get_user(b, (unsigned int *)regs->nip);
45338 -+
45339 -+ if (!err && (b & 0xFC000003U) == 0x48000000U) {
45340 -+ regs->nip += (((b | 0xFC000000UL) ^ 0x02000000UL) + 0x02000000UL);
45341 -+ return 3;
45342 -+ }
45343 -+ } while (0);
45344 -+
45345 -+ do { /* PaX: unpatched PLT emulation #1 */
45346 -+ unsigned int li, b;
45347 -+
45348 -+ err = get_user(li, (unsigned int *)regs->nip);
45349 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
45350 -+
45351 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45352 -+ unsigned int rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
45353 -+ unsigned long addr = b | 0xFC000000UL;
45354 -+
45355 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45356 -+ err = get_user(rlwinm, (unsigned int *)addr);
45357 -+ err |= get_user(add, (unsigned int *)(addr+4));
45358 -+ err |= get_user(li2, (unsigned int *)(addr+8));
45359 -+ err |= get_user(addis2, (unsigned int *)(addr+12));
45360 -+ err |= get_user(mtctr, (unsigned int *)(addr+16));
45361 -+ err |= get_user(li3, (unsigned int *)(addr+20));
45362 -+ err |= get_user(addis3, (unsigned int *)(addr+24));
45363 -+ err |= get_user(bctr, (unsigned int *)(addr+28));
45364 -+
45365 -+ if (err)
45366 -+ break;
45367 -+
45368 -+ if (rlwinm == 0x556C083CU &&
45369 -+ add == 0x7D6C5A14U &&
45370 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
45371 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
45372 -+ mtctr == 0x7D8903A6U &&
45373 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
45374 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
45375 -+ bctr == 0x4E800420U)
45376 -+ {
45377 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45378 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45379 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
45380 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45381 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
45382 -+ regs->nip = regs->ctr;
45383 -+ return 4;
45384 -+ }
45385 -+ }
45386 -+ } while (0);
45387 -+
45388 -+#if 0
45389 -+ do { /* PaX: unpatched PLT emulation #2 */
45390 -+ unsigned int lis, lwzu, b, bctr;
45391 -+
45392 -+ err = get_user(lis, (unsigned int *)regs->nip);
45393 -+ err |= get_user(lwzu, (unsigned int *)(regs->nip+4));
45394 -+ err |= get_user(b, (unsigned int *)(regs->nip+8));
45395 -+ err |= get_user(bctr, (unsigned int *)(regs->nip+12));
45396 -+
45397 -+ if (err)
45398 -+ break;
45399 -+
45400 -+ if ((lis & 0xFFFF0000U) == 0x39600000U &&
45401 -+ (lwzu & 0xU) == 0xU &&
45402 -+ (b & 0xFC000003U) == 0x48000000U &&
45403 -+ bctr == 0x4E800420U)
45404 -+ {
45405 -+ unsigned int addis, addi, rlwinm, add, li2, addis2, mtctr, li3, addis3, bctr;
45406 -+ unsigned long addr = b | 0xFC000000UL;
45407 -+
45408 -+ addr = regs->nip + 12 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45409 -+ err = get_user(addis, (unsigned int*)addr);
45410 -+ err |= get_user(addi, (unsigned int*)(addr+4));
45411 -+ err |= get_user(rlwinm, (unsigned int*)(addr+8));
45412 -+ err |= get_user(add, (unsigned int*)(addr+12));
45413 -+ err |= get_user(li2, (unsigned int*)(addr+16));
45414 -+ err |= get_user(addis2, (unsigned int*)(addr+20));
45415 -+ err |= get_user(mtctr, (unsigned int*)(addr+24));
45416 -+ err |= get_user(li3, (unsigned int*)(addr+28));
45417 -+ err |= get_user(addis3, (unsigned int*)(addr+32));
45418 -+ err |= get_user(bctr, (unsigned int*)(addr+36));
45419 -+
45420 -+ if (err)
45421 -+ break;
45422 -+
45423 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45424 -+ (addi & 0xFFFF0000U) == 0x396B0000U &&
45425 -+ rlwinm == 0x556C083CU &&
45426 -+ add == 0x7D6C5A14U &&
45427 -+ (li2 & 0xFFFF0000U) == 0x39800000U &&
45428 -+ (addis2 & 0xFFFF0000U) == 0x3D8C0000U &&
45429 -+ mtctr == 0x7D8903A6U &&
45430 -+ (li3 & 0xFFFF0000U) == 0x39800000U &&
45431 -+ (addis3 & 0xFFFF0000U) == 0x3D8C0000U &&
45432 -+ bctr == 0x4E800420U)
45433 -+ {
45434 -+ regs->gpr[PT_R11] =
45435 -+ regs->gpr[PT_R11] = 3 * (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45436 -+ regs->gpr[PT_R12] = (((li3 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45437 -+ regs->gpr[PT_R12] += (addis3 & 0xFFFFU) << 16;
45438 -+ regs->ctr = (((li2 | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45439 -+ regs->ctr += (addis2 & 0xFFFFU) << 16;
45440 -+ regs->nip = regs->ctr;
45441 -+ return 4;
45442 -+ }
45443 -+ }
45444 -+ } while (0);
45445 -+#endif
45446 -+
45447 -+ do { /* PaX: unpatched PLT emulation #3 */
45448 -+ unsigned int li, b;
45449 -+
45450 -+ err = get_user(li, (unsigned int *)regs->nip);
45451 -+ err |= get_user(b, (unsigned int *)(regs->nip+4));
45452 -+
45453 -+ if (!err && (li & 0xFFFF0000U) == 0x39600000U && (b & 0xFC000003U) == 0x48000000U) {
45454 -+ unsigned int addis, lwz, mtctr, bctr;
45455 -+ unsigned long addr = b | 0xFC000000UL;
45456 -+
45457 -+ addr = regs->nip + 4 + ((addr ^ 0x02000000UL) + 0x02000000UL);
45458 -+ err = get_user(addis, (unsigned int *)addr);
45459 -+ err |= get_user(lwz, (unsigned int *)(addr+4));
45460 -+ err |= get_user(mtctr, (unsigned int *)(addr+8));
45461 -+ err |= get_user(bctr, (unsigned int *)(addr+12));
45462 -+
45463 -+ if (err)
45464 -+ break;
45465 -+
45466 -+ if ((addis & 0xFFFF0000U) == 0x3D6B0000U &&
45467 -+ (lwz & 0xFFFF0000U) == 0x816B0000U &&
45468 -+ mtctr == 0x7D6903A6U &&
45469 -+ bctr == 0x4E800420U)
45470 -+ {
45471 -+ unsigned int r11;
45472 -+
45473 -+ addr = (addis << 16) + (((li | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45474 -+ addr += (((lwz | 0xFFFF0000UL) ^ 0x00008000UL) + 0x00008000UL);
45475 -+
45476 -+ err = get_user(r11, (unsigned int *)addr);
45477 -+ if (err)
45478 -+ break;
45479 -+
45480 -+ regs->gpr[PT_R11] = r11;
45481 -+ regs->ctr = r11;
45482 -+ regs->nip = r11;
45483 -+ return 4;
45484 -+ }
45485 -+ }
45486 -+ } while (0);
45487 -+#endif
45488 -+
45489 -+#ifdef CONFIG_PAX_EMUSIGRT
45490 -+ do { /* PaX: sigreturn emulation */
45491 -+ unsigned int li, sc;
45492 -+
45493 -+ err = get_user(li, (unsigned int *)regs->nip);
45494 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45495 -+
45496 -+ if (!err && li == 0x38000000U + __NR_sigreturn && sc == 0x44000002U) {
45497 -+ struct vm_area_struct *vma;
45498 -+ unsigned long call_syscall;
45499 -+
45500 -+ down_read(&current->mm->mmap_sem);
45501 -+ call_syscall = current->mm->call_syscall;
45502 -+ up_read(&current->mm->mmap_sem);
45503 -+ if (likely(call_syscall))
45504 -+ goto emulate;
45505 -+
45506 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45507 -+
45508 -+ down_write(&current->mm->mmap_sem);
45509 -+ if (current->mm->call_syscall) {
45510 -+ call_syscall = current->mm->call_syscall;
45511 -+ up_write(&current->mm->mmap_sem);
45512 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45513 -+ goto emulate;
45514 -+ }
45515 -+
45516 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45517 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45518 -+ up_write(&current->mm->mmap_sem);
45519 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45520 -+ return 1;
45521 -+ }
45522 -+
45523 -+ if (pax_insert_vma(vma, call_syscall)) {
45524 -+ up_write(&current->mm->mmap_sem);
45525 -+ kmem_cache_free(vm_area_cachep, vma);
45526 -+ return 1;
45527 -+ }
45528 -+
45529 -+ current->mm->call_syscall = call_syscall;
45530 -+ up_write(&current->mm->mmap_sem);
45531 -+
45532 -+emulate:
45533 -+ regs->gpr[PT_R0] = __NR_sigreturn;
45534 -+ regs->nip = call_syscall;
45535 -+ return 5;
45536 -+ }
45537 -+ } while (0);
45538 -+
45539 -+ do { /* PaX: rt_sigreturn emulation */
45540 -+ unsigned int li, sc;
45541 -+
45542 -+ err = get_user(li, (unsigned int *)regs->nip);
45543 -+ err |= get_user(sc, (unsigned int *)(regs->nip+4));
45544 -+
45545 -+ if (!err && li == 0x38000000U + __NR_rt_sigreturn && sc == 0x44000002U) {
45546 -+ struct vm_area_struct *vma;
45547 -+ unsigned int call_syscall;
45548 -+
45549 -+ down_read(&current->mm->mmap_sem);
45550 -+ call_syscall = current->mm->call_syscall;
45551 -+ up_read(&current->mm->mmap_sem);
45552 -+ if (likely(call_syscall))
45553 -+ goto rt_emulate;
45554 -+
45555 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45556 -+
45557 -+ down_write(&current->mm->mmap_sem);
45558 -+ if (current->mm->call_syscall) {
45559 -+ call_syscall = current->mm->call_syscall;
45560 -+ up_write(&current->mm->mmap_sem);
45561 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45562 -+ goto rt_emulate;
45563 -+ }
45564 -+
45565 -+ call_syscall = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45566 -+ if (!vma || (call_syscall & ~PAGE_MASK)) {
45567 -+ up_write(&current->mm->mmap_sem);
45568 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45569 -+ return 1;
45570 -+ }
45571 -+
45572 -+ if (pax_insert_vma(vma, call_syscall)) {
45573 -+ up_write(&current->mm->mmap_sem);
45574 -+ kmem_cache_free(vm_area_cachep, vma);
45575 -+ return 1;
45576 -+ }
45577 -+
45578 -+ current->mm->call_syscall = call_syscall;
45579 -+ up_write(&current->mm->mmap_sem);
45580 -+
45581 -+rt_emulate:
45582 -+ regs->gpr[PT_R0] = __NR_rt_sigreturn;
45583 -+ regs->nip = call_syscall;
45584 -+ return 6;
45585 -+ }
45586 -+ } while (0);
45587 -+#endif
45588 -+
45589 -+ return 1;
45590 -+}
45591 -+
45592 -+void pax_report_insns(void *pc, void *sp)
45593 -+{
45594 -+ unsigned long i;
45595 -+
45596 -+ printk(KERN_ERR "PAX: bytes at PC: ");
45597 -+ for (i = 0; i < 5; i++) {
45598 -+ unsigned int c;
45599 -+ if (get_user(c, (unsigned int *)pc+i))
45600 -+ printk("???????? ");
45601 -+ else
45602 -+ printk("%08x ", c);
45603 -+ }
45604 -+ printk("\n");
45605 -+}
45606 -+#endif
45607 -+
45608 - /*
45609 - * Check whether the instruction at regs->nip is a store using
45610 - * an update addressing form which will update r1.
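Review bot: this ~360-line block is a verbatim copy of the one added to arch/powerpc/mm/fault.c in the same patch (same `pax_syscall_nopage`, `pax_insert_vma`, `pax_handle_fetch_fault` and `pax_report_insns`), including the `unsigned int call_syscall` type mismatch in the rt_sigreturn block and the `#if 0` block with `0xU` placeholders. Move the shared code into a single file (or header) under arch/powerpc so that fixes do not have to be applied twice and the two copies cannot drift apart.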
45611 -@@ -109,7 +472,7 @@ int do_page_fault(struct pt_regs *regs,
45612 - * indicate errors in DSISR but can validly be set in SRR1.
45613 - */
45614 - if (TRAP(regs) == 0x400)
45615 -- error_code &= 0x48200000;
45616 -+ error_code &= 0x58200000;
45617 - else
45618 - is_write = error_code & 0x02000000;
45619 - #endif /* CONFIG_4xx || CONFIG_BOOKE */
45620 -@@ -204,15 +567,14 @@ good_area:
45621 - pte_t *ptep;
45622 - pmd_t *pmdp;
45623 -
45624 --#if 0
45625 -+#if 1
45626 - /* It would be nice to actually enforce the VM execute
45627 - permission on CPUs which can do so, but far too
45628 - much stuff in userspace doesn't get the permissions
45629 - right, so we let any page be executed for now. */
45630 - if (! (vma->vm_flags & VM_EXEC))
45631 - goto bad_area;
45632 --#endif
45633 --
45634 -+#else
45635 - /* Since 4xx/Book-E supports per-page execute permission,
45636 - * we lazily flush dcache to icache. */
45637 - ptep = NULL;
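Review bot: flipping `#if 0` to `#if 1` turns the `VM_EXEC` enforcement on unconditionally for every process, while the comment kept directly beneath it still says userspace does not get the permissions right and any page is allowed to execute. Either gate the check on `mm->pax_flags & MF_PAX_PAGEEXEC` (as the bad_area hunk in this file does) and rewrite the comment, or remove the now-dead `#else` branch instead of carrying it behind `#if 1`. Note also that the `ptep` and `pmdp` declarations in the context lines above now serve only the dead branch and will draw unused-variable warnings.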
45638 -@@ -235,6 +597,7 @@ good_area:
45639 - pte_unmap_unlock(ptep, ptl);
45640 - }
45641 - #endif
45642 -+#endif
45643 - /* a read */
45644 - } else {
45645 - /* protection fault */
45646 -@@ -278,6 +641,33 @@ bad_area:
45647 -
45648 - /* User mode accesses cause a SIGSEGV */
45649 - if (user_mode(regs)) {
45650 -+
45651 -+#ifdef CONFIG_PAX_PAGEEXEC
45652 -+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
45653 -+ if ((TRAP(regs) == 0x400) && (regs->nip == address)) {
45654 -+ switch (pax_handle_fetch_fault(regs)) {
45655 -+
45656 -+#ifdef CONFIG_PAX_EMUPLT
45657 -+ case 2:
45658 -+ case 3:
45659 -+ case 4:
45660 -+ return 0;
45661 -+#endif
45662 -+
45663 -+#ifdef CONFIG_PAX_EMUSIGRT
45664 -+ case 5:
45665 -+ case 6:
45666 -+ return 0;
45667 -+#endif
45668 -+
45669 -+ }
45670 -+
45671 -+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
45672 -+ do_exit(SIGKILL);
45673 -+ }
45674 -+ }
45675 -+#endif
45676 -+
45677 - _exception(SIGSEGV, regs, code, address);
45678 - return 0;
45679 - }
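Review bot: `pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1])` indexes the stack pointer with a bare `1`, whereas the arch/powerpc copy of this same hunk uses `regs->gpr[PT_R1]`; use the symbolic index here as well. As in the powerpc version, the switch has no `case 1:` or `default:`, so the `do_exit(SIGKILL)` path is reached by implicit fall-out and should be marked with an explicit `default:` and a comment.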
45680 -diff -Nurp linux-2.6.23.15/arch/s390/kernel/module.c linux-2.6.23.15-grsec/arch/s390/kernel/module.c
45681 ---- linux-2.6.23.15/arch/s390/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
45682 -+++ linux-2.6.23.15-grsec/arch/s390/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
45683 -@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
45684 -
45685 - /* Increase core size by size of got & plt and set start
45686 - offsets for got and plt. */
45687 -- me->core_size = ALIGN(me->core_size, 4);
45688 -- me->arch.got_offset = me->core_size;
45689 -- me->core_size += me->arch.got_size;
45690 -- me->arch.plt_offset = me->core_size;
45691 -- me->core_size += me->arch.plt_size;
45692 -+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
45693 -+ me->arch.got_offset = me->core_size_rw;
45694 -+ me->core_size_rw += me->arch.got_size;
45695 -+ me->arch.plt_offset = me->core_size_rx;
45696 -+ me->core_size_rx += me->arch.plt_size;
45697 - return 0;
45698 - }
45699 -
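Review bot: only `core_size_rw` is re-aligned before the GOT is placed; `core_size_rx` is taken as `plt_offset` without the `ALIGN(..., 4)` that the original applied to the single `core_size`, so the PLT stubs (written as `unsigned int` words in apply_rela) can land at an unaligned offset. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`.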
45700 -@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45701 - if (info->got_initialized == 0) {
45702 - Elf_Addr *gotent;
45703 -
45704 -- gotent = me->module_core + me->arch.got_offset +
45705 -+ gotent = me->module_core_rw + me->arch.got_offset +
45706 - info->got_offset;
45707 - *gotent = val;
45708 - info->got_initialized = 1;
45709 -@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45710 - else if (r_type == R_390_GOTENT ||
45711 - r_type == R_390_GOTPLTENT)
45712 - *(unsigned int *) loc =
45713 -- (val + (Elf_Addr) me->module_core - loc) >> 1;
45714 -+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
45715 - else if (r_type == R_390_GOT64 ||
45716 - r_type == R_390_GOTPLT64)
45717 - *(unsigned long *) loc = val;
45718 -@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45719 - case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
45720 - if (info->plt_initialized == 0) {
45721 - unsigned int *ip;
45722 -- ip = me->module_core + me->arch.plt_offset +
45723 -+ ip = me->module_core_rx + me->arch.plt_offset +
45724 - info->plt_offset;
45725 - #ifndef CONFIG_64BIT
45726 - ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
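Review bot: with the PLT moved into `module_core_rx`, the `ip[0] = ...` stub writes that follow now target the region this patch intends to be read-only and executable; confirm that apply_rela always runs before that region is made non-writable, or make the region temporarily writable around these stores, otherwise PLT initialisation will fault on the first relocation that needs a stub.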
45727 -@@ -316,7 +316,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45728 - val = me->arch.plt_offset - me->arch.got_offset +
45729 - info->plt_offset + rela->r_addend;
45730 - else
45731 -- val = (Elf_Addr) me->module_core +
45732 -+ val = (Elf_Addr) me->module_core_rx +
45733 - me->arch.plt_offset + info->plt_offset +
45734 - rela->r_addend - loc;
45735 - if (r_type == R_390_PLT16DBL)
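Review bot: the context line `val = me->arch.plt_offset - me->arch.got_offset + info->plt_offset + rela->r_addend;` (the R_390_PLTOFF case, the GOT-to-PLT distance) becomes wrong with this patch: `got_offset` is now relative to `module_core_rw` and `plt_offset` to `module_core_rx`, so subtracting the two offsets no longer yields the distance between the PLT entry and the GOT. It needs to be computed on absolute addresses, along the lines of `((Elf_Addr) me->module_core_rx + me->arch.plt_offset + info->plt_offset) - ((Elf_Addr) me->module_core_rw + me->arch.got_offset) + rela->r_addend`.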
45736 -@@ -336,7 +336,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45737 - case R_390_GOTOFF32: /* 32 bit offset to GOT. */
45738 - case R_390_GOTOFF64: /* 64 bit offset to GOT. */
45739 - val = val + rela->r_addend -
45740 -- ((Elf_Addr) me->module_core + me->arch.got_offset);
45741 -+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
45742 - if (r_type == R_390_GOTOFF16)
45743 - *(unsigned short *) loc = val;
45744 - else if (r_type == R_390_GOTOFF32)
45745 -@@ -346,7 +346,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
45746 - break;
45747 - case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
45748 - case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
45749 -- val = (Elf_Addr) me->module_core + me->arch.got_offset +
45750 -+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
45751 - rela->r_addend - loc;
45752 - if (r_type == R_390_GOTPC)
45753 - *(unsigned int *) loc = val;
45754 -diff -Nurp linux-2.6.23.15/arch/sparc/Makefile linux-2.6.23.15-grsec/arch/sparc/Makefile
45755 ---- linux-2.6.23.15/arch/sparc/Makefile 2007-10-09 21:31:38.000000000 +0100
45756 -+++ linux-2.6.23.15-grsec/arch/sparc/Makefile 2008-02-11 10:37:44.000000000 +0000
45757 -@@ -36,7 +36,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
45758 - # Renaming is done to avoid confusing pattern matching rules in 2.5.45 (multy-)
45759 - INIT_Y := $(patsubst %/, %/built-in.o, $(init-y))
45760 - CORE_Y := $(core-y)
45761 --CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
45762 -+CORE_Y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
45763 - CORE_Y := $(patsubst %/, %/built-in.o, $(CORE_Y))
45764 - DRIVERS_Y := $(patsubst %/, %/built-in.o, $(drivers-y))
45765 - NET_Y := $(patsubst %/, %/built-in.o, $(net-y))
45766 -diff -Nurp linux-2.6.23.15/arch/sparc/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c
45767 ---- linux-2.6.23.15/arch/sparc/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
45768 -+++ linux-2.6.23.15-grsec/arch/sparc/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
45769 -@@ -19,6 +19,7 @@
45770 - #include <linux/smp_lock.h>
45771 - #include <linux/security.h>
45772 - #include <linux/signal.h>
45773 -+#include <linux/grsecurity.h>
45774 -
45775 - #include <asm/pgtable.h>
45776 - #include <asm/system.h>
45777 -@@ -303,6 +304,11 @@ asmlinkage void do_ptrace(struct pt_regs
45778 - goto out;
45779 - }
45780 -
45781 -+ if (gr_handle_ptrace(child, request)) {
45782 -+ pt_error_return(regs, EPERM);
45783 -+ goto out_tsk;
45784 -+ }
45785 -+
45786 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
45787 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
45788 - if (ptrace_attach(child)) {
45789 -diff -Nurp linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c
45790 ---- linux-2.6.23.15/arch/sparc/kernel/sys_sparc.c 2007-10-09 21:31:38.000000000 +0100
45791 -+++ linux-2.6.23.15-grsec/arch/sparc/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
45792 -@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
45793 - if (ARCH_SUN4C_SUN4 && len > 0x20000000)
45794 - return -ENOMEM;
45795 - if (!addr)
45796 -- addr = TASK_UNMAPPED_BASE;
45797 -+ addr = current->mm->mmap_base;
45798 -
45799 - if (flags & MAP_SHARED)
45800 - addr = COLOUR_ALIGN(addr);
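Review bot: replacing TASK_UNMAPPED_BASE with current->mm->mmap_base only changes behaviour if something sets mmap_base to a different value for sparc32, and this patch adds the CONFIG_PAX_RANDMMAP delta only in the sparc64 arch_pick_mmap_layout() hunks further down. Either add the matching sparc32 layout change or state in the patch that sparc32 intentionally relies on the generic arch_pick_mmap_layout(), which leaves mmap_base at TASK_UNMAPPED_BASE.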
45801 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/fault.c linux-2.6.23.15-grsec/arch/sparc/mm/fault.c
45802 ---- linux-2.6.23.15/arch/sparc/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
45803 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
45804 -@@ -21,6 +21,10 @@
45805 - #include <linux/interrupt.h>
45806 - #include <linux/module.h>
45807 - #include <linux/kdebug.h>
45808 -+#include <linux/slab.h>
45809 -+#include <linux/pagemap.h>
45810 -+#include <linux/compiler.h>
45811 -+#include <linux/binfmts.h>
45812 -
45813 - #include <asm/system.h>
45814 - #include <asm/page.h>
45815 -@@ -216,6 +220,252 @@ static unsigned long compute_si_addr(str
45816 - return safe_compute_effective_address(regs, insn);
45817 - }
45818 -
45819 -+#ifdef CONFIG_PAX_PAGEEXEC
45820 -+void pax_emuplt_close(struct vm_area_struct *vma)
45821 -+{
45822 -+ vma->vm_mm->call_dl_resolve = 0UL;
45823 -+}
45824 -+
45825 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
45826 -+{
45827 -+ struct page *page;
45828 -+ unsigned int *kaddr;
45829 -+
45830 -+ page = alloc_page(GFP_HIGHUSER);
45831 -+ if (!page)
45832 -+ return NOPAGE_OOM;
45833 -+
45834 -+ kaddr = kmap(page);
45835 -+ memset(kaddr, 0, PAGE_SIZE);
45836 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
45837 -+ flush_dcache_page(page);
45838 -+ kunmap(page);
45839 -+ if (type)
45840 -+ *type = VM_FAULT_MAJOR;
45841 -+
45842 -+ return page;
45843 -+}
45844 -+
45845 -+static struct vm_operations_struct pax_vm_ops = {
45846 -+ .close = pax_emuplt_close,
45847 -+ .nopage = pax_emuplt_nopage,
45848 -+};
45849 -+
45850 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
45851 -+{
45852 -+ int ret;
45853 -+
45854 -+ memset(vma, 0, sizeof(*vma));
45855 -+ vma->vm_mm = current->mm;
45856 -+ vma->vm_start = addr;
45857 -+ vma->vm_end = addr + PAGE_SIZE;
45858 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
45859 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
45860 -+ vma->vm_ops = &pax_vm_ops;
45861 -+
45862 -+ ret = insert_vm_struct(current->mm, vma);
45863 -+ if (ret)
45864 -+ return ret;
45865 -+
45866 -+ ++current->mm->total_vm;
45867 -+ return 0;
45868 -+}
45869 -+
45870 -+/*
45871 -+ * PaX: decide what to do with offenders (regs->pc = fault address)
45872 -+ *
45873 -+ * returns 1 when task should be killed
45874 -+ * 2 when patched PLT trampoline was detected
45875 -+ * 3 when unpatched PLT trampoline was detected
45876 -+ */
45877 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
45878 -+{
45879 -+
45880 -+#ifdef CONFIG_PAX_EMUPLT
45881 -+ int err;
45882 -+
45883 -+ do { /* PaX: patched PLT emulation #1 */
45884 -+ unsigned int sethi1, sethi2, jmpl;
45885 -+
45886 -+ err = get_user(sethi1, (unsigned int *)regs->pc);
45887 -+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
45888 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
45889 -+
45890 -+ if (err)
45891 -+ break;
45892 -+
45893 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
45894 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
45895 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
45896 -+ {
45897 -+ unsigned int addr;
45898 -+
45899 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
45900 -+ addr = regs->u_regs[UREG_G1];
45901 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
45902 -+ regs->pc = addr;
45903 -+ regs->npc = addr+4;
45904 -+ return 2;
45905 -+ }
45906 -+ } while (0);
45907 -+
45908 -+ { /* PaX: patched PLT emulation #2 */
45909 -+ unsigned int ba;
45910 -+
45911 -+ err = get_user(ba, (unsigned int *)regs->pc);
45912 -+
45913 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
45914 -+ unsigned int addr;
45915 -+
45916 -+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
45917 -+ regs->pc = addr;
45918 -+ regs->npc = addr+4;
45919 -+ return 2;
45920 -+ }
45921 -+ }
45922 -+
45923 -+ do { /* PaX: patched PLT emulation #3 */
45924 -+ unsigned int sethi, jmpl, nop;
45925 -+
45926 -+ err = get_user(sethi, (unsigned int *)regs->pc);
45927 -+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
45928 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
45929 -+
45930 -+ if (err)
45931 -+ break;
45932 -+
45933 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
45934 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
45935 -+ nop == 0x01000000U)
45936 -+ {
45937 -+ unsigned int addr;
45938 -+
45939 -+ addr = (sethi & 0x003FFFFFU) << 10;
45940 -+ regs->u_regs[UREG_G1] = addr;
45941 -+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
45942 -+ regs->pc = addr;
45943 -+ regs->npc = addr+4;
45944 -+ return 2;
45945 -+ }
45946 -+ } while (0);
45947 -+
45948 -+ do { /* PaX: unpatched PLT emulation step 1 */
45949 -+ unsigned int sethi, ba, nop;
45950 -+
45951 -+ err = get_user(sethi, (unsigned int *)regs->pc);
45952 -+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
45953 -+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
45954 -+
45955 -+ if (err)
45956 -+ break;
45957 -+
45958 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
45959 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
45960 -+ nop == 0x01000000U)
45961 -+ {
45962 -+ unsigned int addr, save, call;
45963 -+
45964 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
45965 -+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
45966 -+ else
45967 -+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
45968 -+
45969 -+ err = get_user(save, (unsigned int *)addr);
45970 -+ err |= get_user(call, (unsigned int *)(addr+4));
45971 -+ err |= get_user(nop, (unsigned int *)(addr+8));
45972 -+ if (err)
45973 -+ break;
45974 -+
45975 -+ if (save == 0x9DE3BFA8U &&
45976 -+ (call & 0xC0000000U) == 0x40000000U &&
45977 -+ nop == 0x01000000U)
45978 -+ {
45979 -+ struct vm_area_struct *vma;
45980 -+ unsigned long call_dl_resolve;
45981 -+
45982 -+ down_read(&current->mm->mmap_sem);
45983 -+ call_dl_resolve = current->mm->call_dl_resolve;
45984 -+ up_read(&current->mm->mmap_sem);
45985 -+ if (likely(call_dl_resolve))
45986 -+ goto emulate;
45987 -+
45988 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
45989 -+
45990 -+ down_write(&current->mm->mmap_sem);
45991 -+ if (current->mm->call_dl_resolve) {
45992 -+ call_dl_resolve = current->mm->call_dl_resolve;
45993 -+ up_write(&current->mm->mmap_sem);
45994 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
45995 -+ goto emulate;
45996 -+ }
45997 -+
45998 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
45999 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
46000 -+ up_write(&current->mm->mmap_sem);
46001 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46002 -+ return 1;
46003 -+ }
46004 -+
46005 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
46006 -+ up_write(&current->mm->mmap_sem);
46007 -+ kmem_cache_free(vm_area_cachep, vma);
46008 -+ return 1;
46009 -+ }
46010 -+
46011 -+ current->mm->call_dl_resolve = call_dl_resolve;
46012 -+ up_write(&current->mm->mmap_sem);
46013 -+
46014 -+emulate:
46015 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
46016 -+ regs->pc = call_dl_resolve;
46017 -+ regs->npc = addr+4;
46018 -+ return 3;
46019 -+ }
46020 -+ }
46021 -+ } while (0);
46022 -+
46023 -+ do { /* PaX: unpatched PLT emulation step 2 */
46024 -+ unsigned int save, call, nop;
46025 -+
46026 -+ err = get_user(save, (unsigned int *)(regs->pc-4));
46027 -+ err |= get_user(call, (unsigned int *)regs->pc);
46028 -+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
46029 -+ if (err)
46030 -+ break;
46031 -+
46032 -+ if (save == 0x9DE3BFA8U &&
46033 -+ (call & 0xC0000000U) == 0x40000000U &&
46034 -+ nop == 0x01000000U)
46035 -+ {
46036 -+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
46037 -+
46038 -+ regs->u_regs[UREG_RETPC] = regs->pc;
46039 -+ regs->pc = dl_resolve;
46040 -+ regs->npc = dl_resolve+4;
46041 -+ return 3;
46042 -+ }
46043 -+ } while (0);
46044 -+#endif
46045 -+
46046 -+ return 1;
46047 -+}
46048 -+
46049 -+void pax_report_insns(void *pc, void *sp)
46050 -+{
46051 -+ unsigned long i;
46052 -+
46053 -+ printk(KERN_ERR "PAX: bytes at PC: ");
46054 -+ for (i = 0; i < 5; i++) {
46055 -+ unsigned int c;
46056 -+ if (get_user(c, (unsigned int *)pc+i))
46057 -+ printk("???????? ");
46058 -+ else
46059 -+ printk("%08x ", c);
46060 -+ }
46061 -+ printk("\n");
46062 -+}
46063 -+#endif
46064 -+
46065 - asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
46066 - unsigned long address)
46067 - {
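Review bot: in this hunk pax_emuplt_close is non-static and pax_emuplt_nopage, pax_vm_ops and pax_insert_vma sit directly under #ifdef CONFIG_PAX_PAGEEXEC, whereas the sparc64 hunk below wraps the same helpers in an additional #ifdef CONFIG_PAX_EMUPLT and makes pax_emuplt_close static. With PAGEEXEC enabled and EMUPLT disabled on sparc32 the helpers are compiled but only referenced from the EMUPLT-only body of pax_handle_fetch_fault(), giving an unused-function warning for pax_insert_vma and an unprototyped global for pax_emuplt_close. Mirror the sparc64 guard: `#ifdef CONFIG_PAX_EMUPLT` around the helpers and `static void pax_emuplt_close(struct vm_area_struct *vma)`.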
46068 -@@ -280,6 +530,24 @@ good_area:
46069 - if(!(vma->vm_flags & VM_WRITE))
46070 - goto bad_area;
46071 - } else {
46072 -+
46073 -+#ifdef CONFIG_PAX_PAGEEXEC
46074 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
46075 -+ up_read(&mm->mmap_sem);
46076 -+ switch (pax_handle_fetch_fault(regs)) {
46077 -+
46078 -+#ifdef CONFIG_PAX_EMUPLT
46079 -+ case 2:
46080 -+ case 3:
46081 -+ return;
46082 -+#endif
46083 -+
46084 -+ }
46085 -+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
46086 -+ do_exit(SIGKILL);
46087 -+ }
46088 -+#endif
46089 -+
46090 - /* Allow reads even for write-only mappings */
46091 - if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
46092 - goto bad_area;
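Review bot: with CONFIG_PAX_EMUPLT disabled the `switch (pax_handle_fetch_fault(regs))` has no case labels at all and its result is discarded, which reads like a missing case. Add an explicit `default: break;` (or a short comment) so it is clear that every return value other than 2 and 3 is meant to fall through to pax_report_fault() and do_exit(SIGKILL), and note next to the up_read() that mmap_sem is deliberately dropped before the task is killed.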
46093 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/init.c linux-2.6.23.15-grsec/arch/sparc/mm/init.c
46094 ---- linux-2.6.23.15/arch/sparc/mm/init.c 2007-10-09 21:31:38.000000000 +0100
46095 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/init.c 2008-02-11 10:37:44.000000000 +0000
46096 -@@ -336,17 +336,17 @@ void __init paging_init(void)
46097 -
46098 - /* Initialize the protection map with non-constant, MMU dependent values. */
46099 - protection_map[0] = PAGE_NONE;
46100 -- protection_map[1] = PAGE_READONLY;
46101 -- protection_map[2] = PAGE_COPY;
46102 -- protection_map[3] = PAGE_COPY;
46103 -+ protection_map[1] = PAGE_READONLY_NOEXEC;
46104 -+ protection_map[2] = PAGE_COPY_NOEXEC;
46105 -+ protection_map[3] = PAGE_COPY_NOEXEC;
46106 - protection_map[4] = PAGE_READONLY;
46107 - protection_map[5] = PAGE_READONLY;
46108 - protection_map[6] = PAGE_COPY;
46109 - protection_map[7] = PAGE_COPY;
46110 - protection_map[8] = PAGE_NONE;
46111 -- protection_map[9] = PAGE_READONLY;
46112 -- protection_map[10] = PAGE_SHARED;
46113 -- protection_map[11] = PAGE_SHARED;
46114 -+ protection_map[9] = PAGE_READONLY_NOEXEC;
46115 -+ protection_map[10] = PAGE_SHARED_NOEXEC;
46116 -+ protection_map[11] = PAGE_SHARED_NOEXEC;
46117 - protection_map[12] = PAGE_READONLY;
46118 - protection_map[13] = PAGE_READONLY;
46119 - protection_map[14] = PAGE_SHARED;
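Review bot: the entries switched to the _NOEXEC variants are exactly the indices without the exec bit (1, 2, 3, 9, 10, 11), which is right, but paging_init() runs for every sparc32 MMU while the only initialisation of PAGE_SHARED_NOEXEC, page_copy_noexec and page_readonly_noexec in this patch is in ld_mmu_srmmu() (the srmmu.c hunk below). Please confirm the sun4c path defines these too, or that the NOEXEC variants fall back to the executable ones there; otherwise every mapping created without PROT_EXEC on sun4c would pick up whatever value the unset variable holds.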
46120 -diff -Nurp linux-2.6.23.15/arch/sparc/mm/srmmu.c linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c
46121 ---- linux-2.6.23.15/arch/sparc/mm/srmmu.c 2007-10-09 21:31:38.000000000 +0100
46122 -+++ linux-2.6.23.15-grsec/arch/sparc/mm/srmmu.c 2008-02-11 10:37:44.000000000 +0000
46123 -@@ -2157,6 +2157,13 @@ void __init ld_mmu_srmmu(void)
46124 - PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
46125 - BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
46126 - BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
46127 -+
46128 -+#ifdef CONFIG_PAX_PAGEEXEC
46129 -+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
46130 -+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
46131 -+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
46132 -+#endif
46133 -+
46134 - BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
46135 - page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
46136 -
46137 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/Makefile linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile
46138 ---- linux-2.6.23.15/arch/sparc64/kernel/Makefile 2007-10-09 21:31:38.000000000 +0100
46139 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/Makefile 2008-02-11 10:37:44.000000000 +0000
46140 -@@ -3,7 +3,7 @@
46141 - #
46142 -
46143 - EXTRA_AFLAGS := -ansi
46144 --EXTRA_CFLAGS := -Werror
46145 -+#EXTRA_CFLAGS := -Werror
46146 -
46147 - extra-y := head.o init_task.o vmlinux.lds
46148 -
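Review bot: commenting out `EXTRA_CFLAGS := -Werror` (here and again in the arch/sparc64/mm/Makefile hunk below) turns every warning in the PaX/grsecurity additions into silent build output instead of a build failure. Prefer fixing the warnings these hunks introduce and keeping -Werror; at minimum record in the patch which warnings forced this so the change can be reverted once they are gone.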
46149 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/ptrace.c linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c
46150 ---- linux-2.6.23.15/arch/sparc64/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
46151 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/ptrace.c 2008-02-11 10:37:44.000000000 +0000
46152 -@@ -22,6 +22,7 @@
46153 - #include <linux/seccomp.h>
46154 - #include <linux/audit.h>
46155 - #include <linux/signal.h>
46156 -+#include <linux/grsecurity.h>
46157 -
46158 - #include <asm/asi.h>
46159 - #include <asm/pgtable.h>
46160 -@@ -216,6 +217,11 @@ asmlinkage void do_ptrace(struct pt_regs
46161 - goto out;
46162 - }
46163 -
46164 -+ if (gr_handle_ptrace(child, (long)request)) {
46165 -+ pt_error_return(regs, EPERM);
46166 -+ goto out_tsk;
46167 -+ }
46168 -+
46169 - if ((current->personality == PER_SUNOS && request == PTRACE_SUNATTACH)
46170 - || (current->personality != PER_SUNOS && request == PTRACE_ATTACH)) {
46171 - if (ptrace_attach(child)) {
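Review bot: `gr_handle_ptrace(child, (long)request)` casts the request here while the sparc32 hunk above calls `gr_handle_ptrace(child, request)` with no cast; pick one prototype for gr_handle_ptrace() in linux/grsecurity.h and use the same call form in both arches so the compiler, rather than a cast, checks the argument type.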
46172 -diff -Nurp linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c
46173 ---- linux-2.6.23.15/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:36:03.000000000 +0000
46174 -+++ linux-2.6.23.15-grsec/arch/sparc64/kernel/sys_sparc.c 2008-02-11 10:37:44.000000000 +0000
46175 -@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
46176 - /* We do not accept a shared mapping if it would violate
46177 - * cache aliasing constraints.
46178 - */
46179 -- if ((flags & MAP_SHARED) &&
46180 -+ if ((filp || (flags & MAP_SHARED)) &&
46181 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
46182 - return -EINVAL;
46183 - return addr;
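Review bot: the condition now rejects any file-backed MAP_FIXED mapping that violates SHMLBA colouring, not only shared ones, but the comment two lines up still says "We do not accept a shared mapping"; update it (for example "a file-backed or shared mapping") so it matches the `filp ||` test, and mention in the changelog that private file mappings at miscoloured fixed addresses now fail with -EINVAL where the old condition let them through.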
46184 -@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
46185 - if (filp || (flags & MAP_SHARED))
46186 - do_color_align = 1;
46187 -
46188 -+#ifdef CONFIG_PAX_RANDMMAP
46189 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
46190 -+#endif
46191 -+
46192 - if (addr) {
46193 - if (do_color_align)
46194 - addr = COLOUR_ALIGN(addr, pgoff);
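Review bot: the #ifdef CONFIG_PAX_RANDMMAP block inserts a bare, brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` whose body is the `if (addr) {` block that only follows after the #endif; any statement added between them would silently become the body, and the intent (ignore the address hint for file mappings under RANDMMAP) is hard to see. Fold it into the existing test instead, e.g. `if (addr && (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp))` under the ifdef with a plain `if (addr)` in an #else branch.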
46195 -@@ -152,9 +156,9 @@ unsigned long arch_get_unmapped_area(str
46196 - }
46197 -
46198 - if (len > mm->cached_hole_size) {
46199 -- start_addr = addr = mm->free_area_cache;
46200 -+ start_addr = addr = mm->free_area_cache;
46201 - } else {
46202 -- start_addr = addr = TASK_UNMAPPED_BASE;
46203 -+ start_addr = addr = mm->mmap_base;
46204 - mm->cached_hole_size = 0;
46205 - }
46206 -
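Review bot: the first -/+ pair in this hunk (`start_addr = addr = mm->free_area_cache;`) is identical apart from whitespace; drop the whitespace-only change so the hunk carries just the TASK_UNMAPPED_BASE to mm->mmap_base substitution.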
46207 -@@ -174,8 +178,8 @@ full_search:
46208 - vma = find_vma(mm, VA_EXCLUDE_END);
46209 - }
46210 - if (unlikely(task_size < addr)) {
46211 -- if (start_addr != TASK_UNMAPPED_BASE) {
46212 -- start_addr = addr = TASK_UNMAPPED_BASE;
46213 -+ if (start_addr != mm->mmap_base) {
46214 -+ start_addr = addr = mm->mmap_base;
46215 - mm->cached_hole_size = 0;
46216 - goto full_search;
46217 - }
46218 -@@ -215,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
46219 - /* We do not accept a shared mapping if it would violate
46220 - * cache aliasing constraints.
46221 - */
46222 -- if ((flags & MAP_SHARED) &&
46223 -+ if ((filp || (flags & MAP_SHARED)) &&
46224 - ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
46225 - return -EINVAL;
46226 - return addr;
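Review bot: same stale comment as in the bottom-up allocator above: "We do not accept a shared mapping" no longer describes the `filp || (flags & MAP_SHARED)` test; update it here as well.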
46227 -@@ -378,6 +382,12 @@ void arch_pick_mmap_layout(struct mm_str
46228 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
46229 - sysctl_legacy_va_layout) {
46230 - mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
46231 -+
46232 -+#ifdef CONFIG_PAX_RANDMMAP
46233 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46234 -+ mm->mmap_base += mm->delta_mmap;
46235 -+#endif
46236 -+
46237 - mm->get_unmapped_area = arch_get_unmapped_area;
46238 - mm->unmap_area = arch_unmap_area;
46239 - } else {
46240 -@@ -392,6 +402,12 @@ void arch_pick_mmap_layout(struct mm_str
46241 - gap = (task_size / 6 * 5);
46242 -
46243 - mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
46244 -+
46245 -+#ifdef CONFIG_PAX_RANDMMAP
46246 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46247 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
46248 -+#endif
46249 -+
46250 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
46251 - mm->unmap_area = arch_unmap_area_topdown;
46252 - }
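Review bot: the two CONFIG_PAX_RANDMMAP hunks are asymmetric with no explanation: the legacy layout adds only mm->delta_mmap while the top-down layout subtracts mm->delta_mmap + mm->delta_stack. Add a comment saying why delta_stack enters only the top-down case (presumably because the randomised stack sits above mmap_base there and the gap must make room for it), and confirm both deltas are page-aligned, since the top-down base is PAGE_ALIGN()ed before the subtraction and would lose alignment otherwise.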
46253 -diff -Nurp linux-2.6.23.15/arch/sparc64/mm/Makefile linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile
46254 ---- linux-2.6.23.15/arch/sparc64/mm/Makefile 2007-10-09 21:31:38.000000000 +0100
46255 -+++ linux-2.6.23.15-grsec/arch/sparc64/mm/Makefile 2008-02-11 10:37:44.000000000 +0000
46256 -@@ -3,7 +3,7 @@
46257 - #
46258 -
46259 - EXTRA_AFLAGS := -ansi
46260 --EXTRA_CFLAGS := -Werror
46261 -+#EXTRA_CFLAGS := -Werror
46262 -
46263 - obj-y := ultra.o tlb.o tsb.o fault.o init.o generic.o
46264 -
46265 -diff -Nurp linux-2.6.23.15/arch/sparc64/mm/fault.c linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c
46266 ---- linux-2.6.23.15/arch/sparc64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
46267 -+++ linux-2.6.23.15-grsec/arch/sparc64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
46268 -@@ -20,6 +20,10 @@
46269 - #include <linux/kprobes.h>
46270 - #include <linux/kallsyms.h>
46271 - #include <linux/kdebug.h>
46272 -+#include <linux/slab.h>
46273 -+#include <linux/pagemap.h>
46274 -+#include <linux/compiler.h>
46275 -+#include <linux/binfmts.h>
46276 -
46277 - #include <asm/page.h>
46278 - #include <asm/pgtable.h>
46279 -@@ -270,6 +274,369 @@ cannot_handle:
46280 - unhandled_fault (address, current, regs);
46281 - }
46282 -
46283 -+#ifdef CONFIG_PAX_PAGEEXEC
46284 -+#ifdef CONFIG_PAX_EMUPLT
46285 -+static void pax_emuplt_close(struct vm_area_struct *vma)
46286 -+{
46287 -+ vma->vm_mm->call_dl_resolve = 0UL;
46288 -+}
46289 -+
46290 -+static struct page *pax_emuplt_nopage(struct vm_area_struct *vma, unsigned long address, int *type)
46291 -+{
46292 -+ struct page *page;
46293 -+ unsigned int *kaddr;
46294 -+
46295 -+ page = alloc_page(GFP_HIGHUSER);
46296 -+ if (!page)
46297 -+ return NOPAGE_OOM;
46298 -+
46299 -+ kaddr = kmap(page);
46300 -+ memset(kaddr, 0, PAGE_SIZE);
46301 -+ kaddr[0] = 0x9DE3BFA8U; /* save */
46302 -+ flush_dcache_page(page);
46303 -+ kunmap(page);
46304 -+ if (type)
46305 -+ *type = VM_FAULT_MAJOR;
46306 -+ return page;
46307 -+}
46308 -+
46309 -+static struct vm_operations_struct pax_vm_ops = {
46310 -+ .close = pax_emuplt_close,
46311 -+ .nopage = pax_emuplt_nopage,
46312 -+};
46313 -+
46314 -+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
46315 -+{
46316 -+ int ret;
46317 -+
46318 -+ memset(vma, 0, sizeof(*vma));
46319 -+ vma->vm_mm = current->mm;
46320 -+ vma->vm_start = addr;
46321 -+ vma->vm_end = addr + PAGE_SIZE;
46322 -+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
46323 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
46324 -+ vma->vm_ops = &pax_vm_ops;
46325 -+
46326 -+ ret = insert_vm_struct(current->mm, vma);
46327 -+ if (ret)
46328 -+ return ret;
46329 -+
46330 -+ ++current->mm->total_vm;
46331 -+ return 0;
46332 -+}
46333 -+#endif
46334 -+
46335 -+/*
46336 -+ * PaX: decide what to do with offenders (regs->tpc = fault address)
46337 -+ *
46338 -+ * returns 1 when task should be killed
46339 -+ * 2 when patched PLT trampoline was detected
46340 -+ * 3 when unpatched PLT trampoline was detected
46341 -+ */
46342 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
46343 -+{
46344 -+
46345 -+#ifdef CONFIG_PAX_EMUPLT
46346 -+ int err;
46347 -+
46348 -+ do { /* PaX: patched PLT emulation #1 */
46349 -+ unsigned int sethi1, sethi2, jmpl;
46350 -+
46351 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46352 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46353 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
46354 -+
46355 -+ if (err)
46356 -+ break;
46357 -+
46358 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46359 -+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
46360 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
46361 -+ {
46362 -+ unsigned long addr;
46363 -+
46364 -+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
46365 -+ addr = regs->u_regs[UREG_G1];
46366 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
46367 -+ regs->tpc = addr;
46368 -+ regs->tnpc = addr+4;
46369 -+ return 2;
46370 -+ }
46371 -+ } while (0);
46372 -+
46373 -+ { /* PaX: patched PLT emulation #2 */
46374 -+ unsigned int ba;
46375 -+
46376 -+ err = get_user(ba, (unsigned int *)regs->tpc);
46377 -+
46378 -+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
46379 -+ unsigned long addr;
46380 -+
46381 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
46382 -+ regs->tpc = addr;
46383 -+ regs->tnpc = addr+4;
46384 -+ return 2;
46385 -+ }
46386 -+ }
46387 -+
46388 -+ do { /* PaX: patched PLT emulation #3 */
46389 -+ unsigned int sethi, jmpl, nop;
46390 -+
46391 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46392 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
46393 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46394 -+
46395 -+ if (err)
46396 -+ break;
46397 -+
46398 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46399 -+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
46400 -+ nop == 0x01000000U)
46401 -+ {
46402 -+ unsigned long addr;
46403 -+
46404 -+ addr = (sethi & 0x003FFFFFU) << 10;
46405 -+ regs->u_regs[UREG_G1] = addr;
46406 -+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
46407 -+ regs->tpc = addr;
46408 -+ regs->tnpc = addr+4;
46409 -+ return 2;
46410 -+ }
46411 -+ } while (0);
46412 -+
46413 -+ do { /* PaX: patched PLT emulation #4 */
46414 -+ unsigned int mov1, call, mov2;
46415 -+
46416 -+ err = get_user(mov1, (unsigned int *)regs->tpc);
46417 -+ err |= get_user(call, (unsigned int *)(regs->tpc+4));
46418 -+ err |= get_user(mov2, (unsigned int *)(regs->tpc+8));
46419 -+
46420 -+ if (err)
46421 -+ break;
46422 -+
46423 -+ if (mov1 == 0x8210000FU &&
46424 -+ (call & 0xC0000000U) == 0x40000000U &&
46425 -+ mov2 == 0x9E100001U)
46426 -+ {
46427 -+ unsigned long addr;
46428 -+
46429 -+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
46430 -+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
46431 -+ regs->tpc = addr;
46432 -+ regs->tnpc = addr+4;
46433 -+ return 2;
46434 -+ }
46435 -+ } while (0);
46436 -+
46437 -+ do { /* PaX: patched PLT emulation #5 */
46438 -+ unsigned int sethi1, sethi2, or1, or2, sllx, jmpl, nop;
46439 -+
46440 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46441 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46442 -+ err |= get_user(or1, (unsigned int *)(regs->tpc+8));
46443 -+ err |= get_user(or2, (unsigned int *)(regs->tpc+12));
46444 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+16));
46445 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
46446 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
46447 -+
46448 -+ if (err)
46449 -+ break;
46450 -+
46451 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46452 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
46453 -+ (or1 & 0xFFFFE000U) == 0x82106000U &&
46454 -+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
46455 -+ sllx == 0x83287020 &&
46456 -+ jmpl == 0x81C04005U &&
46457 -+ nop == 0x01000000U)
46458 -+ {
46459 -+ unsigned long addr;
46460 -+
46461 -+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
46462 -+ regs->u_regs[UREG_G1] <<= 32;
46463 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
46464 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
46465 -+ regs->tpc = addr;
46466 -+ regs->tnpc = addr+4;
46467 -+ return 2;
46468 -+ }
46469 -+ } while (0);
46470 -+
46471 -+ do { /* PaX: patched PLT emulation #6 */
46472 -+ unsigned int sethi1, sethi2, sllx, or, jmpl, nop;
46473 -+
46474 -+ err = get_user(sethi1, (unsigned int *)regs->tpc);
46475 -+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
46476 -+ err |= get_user(sllx, (unsigned int *)(regs->tpc+8));
46477 -+ err |= get_user(or, (unsigned int *)(regs->tpc+12));
46478 -+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+16));
46479 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+20));
46480 -+
46481 -+ if (err)
46482 -+ break;
46483 -+
46484 -+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
46485 -+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
46486 -+ sllx == 0x83287020 &&
46487 -+ (or & 0xFFFFE000U) == 0x8A116000U &&
46488 -+ jmpl == 0x81C04005U &&
46489 -+ nop == 0x01000000U)
46490 -+ {
46491 -+ unsigned long addr;
46492 -+
46493 -+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
46494 -+ regs->u_regs[UREG_G1] <<= 32;
46495 -+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
46496 -+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
46497 -+ regs->tpc = addr;
46498 -+ regs->tnpc = addr+4;
46499 -+ return 2;
46500 -+ }
46501 -+ } while (0);
46502 -+
46503 -+ do { /* PaX: patched PLT emulation #7 */
46504 -+ unsigned int sethi, ba, nop;
46505 -+
46506 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46507 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
46508 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46509 -+
46510 -+ if (err)
46511 -+ break;
46512 -+
46513 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46514 -+ (ba & 0xFFF00000U) == 0x30600000U &&
46515 -+ nop == 0x01000000U)
46516 -+ {
46517 -+ unsigned long addr;
46518 -+
46519 -+ addr = (sethi & 0x003FFFFFU) << 10;
46520 -+ regs->u_regs[UREG_G1] = addr;
46521 -+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
46522 -+ regs->tpc = addr;
46523 -+ regs->tnpc = addr+4;
46524 -+ return 2;
46525 -+ }
46526 -+ } while (0);
46527 -+
46528 -+ do { /* PaX: unpatched PLT emulation step 1 */
46529 -+ unsigned int sethi, ba, nop;
46530 -+
46531 -+ err = get_user(sethi, (unsigned int *)regs->tpc);
46532 -+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
46533 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
46534 -+
46535 -+ if (err)
46536 -+ break;
46537 -+
46538 -+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
46539 -+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
46540 -+ nop == 0x01000000U)
46541 -+ {
46542 -+ unsigned long addr;
46543 -+ unsigned int save, call;
46544 -+
46545 -+ if ((ba & 0xFFC00000U) == 0x30800000U)
46546 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
46547 -+ else
46548 -+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
46549 -+
46550 -+ err = get_user(save, (unsigned int *)addr);
46551 -+ err |= get_user(call, (unsigned int *)(addr+4));
46552 -+ err |= get_user(nop, (unsigned int *)(addr+8));
46553 -+ if (err)
46554 -+ break;
46555 -+
46556 -+ if (save == 0x9DE3BFA8U &&
46557 -+ (call & 0xC0000000U) == 0x40000000U &&
46558 -+ nop == 0x01000000U)
46559 -+ {
46560 -+ struct vm_area_struct *vma;
46561 -+ unsigned long call_dl_resolve;
46562 -+
46563 -+ down_read(&current->mm->mmap_sem);
46564 -+ call_dl_resolve = current->mm->call_dl_resolve;
46565 -+ up_read(&current->mm->mmap_sem);
46566 -+ if (likely(call_dl_resolve))
46567 -+ goto emulate;
46568 -+
46569 -+ vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
46570 -+
46571 -+ down_write(&current->mm->mmap_sem);
46572 -+ if (current->mm->call_dl_resolve) {
46573 -+ call_dl_resolve = current->mm->call_dl_resolve;
46574 -+ up_write(&current->mm->mmap_sem);
46575 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46576 -+ goto emulate;
46577 -+ }
46578 -+
46579 -+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
46580 -+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
46581 -+ up_write(&current->mm->mmap_sem);
46582 -+ if (vma) kmem_cache_free(vm_area_cachep, vma);
46583 -+ return 1;
46584 -+ }
46585 -+
46586 -+ if (pax_insert_vma(vma, call_dl_resolve)) {
46587 -+ up_write(&current->mm->mmap_sem);
46588 -+ kmem_cache_free(vm_area_cachep, vma);
46589 -+ return 1;
46590 -+ }
46591 -+
46592 -+ current->mm->call_dl_resolve = call_dl_resolve;
46593 -+ up_write(&current->mm->mmap_sem);
46594 -+
46595 -+emulate:
46596 -+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
46597 -+ regs->tpc = call_dl_resolve;
46598 -+ regs->tnpc = addr+4;
46599 -+ return 3;
46600 -+ }
46601 -+ }
46602 -+ } while (0);
46603 -+
46604 -+ do { /* PaX: unpatched PLT emulation step 2 */
46605 -+ unsigned int save, call, nop;
46606 -+
46607 -+ err = get_user(save, (unsigned int *)(regs->tpc-4));
46608 -+ err |= get_user(call, (unsigned int *)regs->tpc);
46609 -+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
46610 -+ if (err)
46611 -+ break;
46612 -+
46613 -+ if (save == 0x9DE3BFA8U &&
46614 -+ (call & 0xC0000000U) == 0x40000000U &&
46615 -+ nop == 0x01000000U)
46616 -+ {
46617 -+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
46618 -+
46619 -+ regs->u_regs[UREG_RETPC] = regs->tpc;
46620 -+ regs->tpc = dl_resolve;
46621 -+ regs->tnpc = dl_resolve+4;
46622 -+ return 3;
46623 -+ }
46624 -+ } while (0);
46625 -+#endif
46626 -+
46627 -+ return 1;
46628 -+}
46629 -+
46630 -+void pax_report_insns(void *pc, void *sp)
46631 -+{
46632 -+ unsigned long i;
46633 -+
46634 -+ printk(KERN_ERR "PAX: bytes at PC: ");
46635 -+ for (i = 0; i < 5; i++) {
46636 -+ unsigned int c;
46637 -+ if (get_user(c, (unsigned int *)pc+i))
46638 -+ printk("???????? ");
46639 -+ else
46640 -+ printk("%08x ", c);
46641 -+ }
46642 -+ printk("\n");
46643 -+}
46644 -+#endif
46645 -+
46646 - asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
46647 - {
46648 - struct mm_struct *mm = current->mm;
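Review bot: `sllx == 0x83287020` (patched PLT emulation #5 and #6) is the only opcode constant in this hunk without the U suffix that every other comparison uses; make it `sllx == 0x83287020U` for consistency. A comment at the `emulate:` label would also help, since it is the least obvious part of the unpatched-PLT path: tpc is pointed at the per-mm page that holds a single `save` while tnpc resumes at the original `call` at addr+4, so the resolver still sees the PLT entry's return address.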
46649 -@@ -311,8 +678,10 @@ asmlinkage void __kprobes do_sparc64_fau
46650 - goto intr_or_no_mm;
46651 -
46652 - if (test_thread_flag(TIF_32BIT)) {
46653 -- if (!(regs->tstate & TSTATE_PRIV))
46654 -+ if (!(regs->tstate & TSTATE_PRIV)) {
46655 - regs->tpc &= 0xffffffff;
46656 -+ regs->tnpc &= 0xffffffff;
46657 -+ }
46658 - address &= 0xffffffff;
46659 - }
46660 -
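Review bot: the new `regs->tnpc &= 0xffffffff;` deserves a one-line comment, because the reason is not local to this hunk: the PaX emulation paths above read and rewrite `tnpc` (`regs->tnpc = addr+4;`, `regs->tnpc = dl_resolve+4;`) and compare `address` against `regs->tpc`, so both registers have to be clamped to the 32-bit range for TIF_32BIT tasks before those paths run.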
46661 -@@ -329,6 +698,29 @@ asmlinkage void __kprobes do_sparc64_fau
46662 - if (!vma)
46663 - goto bad_area;
46664 -
46665 -+#ifdef CONFIG_PAX_PAGEEXEC
46666 -+ /* PaX: detect ITLB misses on non-exec pages */
46667 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
46668 -+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
46669 -+ {
46670 -+ if (address != regs->tpc)
46671 -+ goto good_area;
46672 -+
46673 -+ up_read(&mm->mmap_sem);
46674 -+ switch (pax_handle_fetch_fault(regs)) {
46675 -+
46676 -+#ifdef CONFIG_PAX_EMUPLT
46677 -+ case 2:
46678 -+ case 3:
46679 -+ return;
46680 -+#endif
46681 -+
46682 -+ }
46683 -+ pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
46684 -+ do_exit(SIGKILL);
46685 -+ }
46686 -+#endif
46687 -+
46688 - /* Pure DTLB misses do not tell us whether the fault causing
46689 - * load/store/atomic was a write or not, it only says that there
46690 - * was no match. So in such a case we (carefully) read the
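Review bot: the `switch (pax_handle_fetch_fault(regs))` has no `default:`, so the kill path (`pax_report_fault(...); do_exit(SIGKILL);`) is reached by falling out of the switch whenever the return value is not 2 or 3; an explicit `default: break;` with a comment that return code 1 means kill makes the intent readable and keeps the block well-formed when CONFIG_PAX_EMUPLT is off and the switch body becomes empty. The `if (address != regs->tpc) goto good_area;` early-out also needs a comment: an ITLB miss whose faulting address is not the PC bypasses the PAGEEXEC check entirely, and a reader of the hunk cannot tell why that is safe.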
46691 -diff -Nurp linux-2.6.23.15/arch/v850/kernel/module.c linux-2.6.23.15-grsec/arch/v850/kernel/module.c
46692 ---- linux-2.6.23.15/arch/v850/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
46693 -+++ linux-2.6.23.15-grsec/arch/v850/kernel/module.c 2008-02-11 10:37:44.000000000 +0000
46694 -@@ -150,8 +150,8 @@ static uint32_t do_plt_call (void *locat
46695 - tramp[1] = ((val >> 16) & 0xffff) + 0x610000; /* ...; jmp r1 */
46696 -
46697 - /* Init, or core PLT? */
46698 -- if (location >= mod->module_core
46699 -- && location < mod->module_core + mod->core_size)
46700 -+ if (location >= mod->module_core_rx
46701 -+ && location < mod->module_core_rx + mod->core_size_rx)
46702 - entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
46703 - else
46704 - entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
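Review bot: the range test now covers only `mod->module_core_rx .. + core_size_rx`, so a `location` in the RW part of the core module (data, GOT) falls into the `else` branch and is assigned the init PLT section. If do_plt_call is only ever reached for relocations inside RX text this is harmless, but that assumption should be stated in the `/* Init, or core PLT? */` comment or guarded with an explicit check for the RW range.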
46705 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c
46706 ---- linux-2.6.23.15/arch/x86_64/ia32/ia32_binfmt.c 2007-10-09 21:31:38.000000000 +0100
46707 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_binfmt.c 2008-02-11 10:37:44.000000000 +0000
46708 -@@ -36,12 +36,12 @@
46709 - #define AT_SYSINFO 32
46710 - #define AT_SYSINFO_EHDR 33
46711 -
46712 --int sysctl_vsyscall32 = 1;
46713 -+int sysctl_vsyscall32;
46714 -
46715 - #undef ARCH_DLINFO
46716 - #define ARCH_DLINFO do { \
46717 - if (sysctl_vsyscall32) { \
46718 -- current->mm->context.vdso = (void *)VSYSCALL32_BASE; \
46719 -+ current->mm->context.vdso = VSYSCALL32_BASE; \
46720 - NEW_AUX_ENT(AT_SYSINFO, (u32)(u64)VSYSCALL32_VSYSCALL); \
46721 - NEW_AUX_ENT(AT_SYSINFO_EHDR, VSYSCALL32_BASE); \
46722 - } \
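Review bot: flipping `int sysctl_vsyscall32 = 1;` to a zero default is a user-visible behaviour change (32-bit processes no longer receive AT_SYSINFO / AT_SYSINFO_EHDR unless the sysctl is enabled) and should be called out in the patch description rather than buried among warning fixes. The second change, assigning `VSYSCALL32_BASE` without the `(void *)` cast, implies `context.vdso` has changed to an integer type; that header change is not in this section, so the three call sites (here, arch/x86_64/vdso/vma.c and arch/x86_64/mm/init.c) should be reviewed together.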
46723 -@@ -145,6 +145,13 @@ struct elf_prpsinfo
46724 - //#include <asm/ia32.h>
46725 - #include <linux/elf.h>
46726 -
46727 -+#ifdef CONFIG_PAX_ASLR
46728 -+#define PAX_ELF_ET_DYN_BASE 0x08048000UL
46729 -+
46730 -+#define PAX_DELTA_MMAP_LEN 16
46731 -+#define PAX_DELTA_STACK_LEN 16
46732 -+#endif
46733 -+
46734 - typedef struct user_i387_ia32_struct elf_fpregset_t;
46735 - typedef struct user32_fxsr_struct elf_fpxregset_t;
46736 -
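Review bot: the three new constants carry no comment on their units. `PAX_DELTA_MMAP_LEN 16` and `PAX_DELTA_STACK_LEN 16` read like bit counts of randomisation for the compat mmap and stack bases, and `PAX_ELF_ET_DYN_BASE 0x08048000UL` looks like the load base for ET_DYN binaries, but a reader of this hunk cannot confirm either; add a one-line comment per define.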
46737 -@@ -298,7 +305,7 @@ static ctl_table abi_table2[] = {
46738 - .mode = 0644,
46739 - .proc_handler = proc_dointvec
46740 - },
46741 -- {}
46742 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
46743 - };
46744 -
46745 - static ctl_table abi_root_table2[] = {
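Review bot: replacing the empty terminator `{}` with the positional `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` silences the missing-field-initializers warning but couples the initializer to the exact field order and count of `ctl_table`, so any future struct change breaks every such terminator in the tree. A designated form such as `{ .ctl_name = 0 }` avoids the warning without that coupling; the same applies to the other terminators rewritten in this patch (abi_root_table2, kernel_table2, the pci_device_id and dmi_system_id tables).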
46746 -@@ -308,7 +315,7 @@ static ctl_table abi_root_table2[] = {
46747 - .mode = 0555,
46748 - .child = abi_table2
46749 - },
46750 -- {}
46751 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
46752 - };
46753 -
46754 - static __init int ia32_binfmt_init(void)
46755 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c
46756 ---- linux-2.6.23.15/arch/x86_64/ia32/ia32_signal.c 2007-10-09 21:31:38.000000000 +0100
46757 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ia32_signal.c 2008-02-11 10:37:44.000000000 +0000
46758 -@@ -573,6 +573,7 @@ int ia32_setup_rt_frame(int sig, struct
46759 - __NR_ia32_rt_sigreturn,
46760 - 0x80cd,
46761 - 0,
46762 -+ 0
46763 - };
46764 - err |= __copy_to_user(frame->retcode, &code, 8);
46765 - }
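Review bot: the added trailing `0` in the `code` initializer only makes sense together with the hard-coded `__copy_to_user(frame->retcode, &code, 8)` on the next line, and the array's declaration is not in the hunk, so nothing here ties the 8 to its size. Use `sizeof(code)` in the copy so the two cannot drift apart, and say in the changelog whether the extra element fixes a real short copy or is purely a warning fix.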
46766 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/mmap32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c
46767 ---- linux-2.6.23.15/arch/x86_64/ia32/mmap32.c 2007-10-09 21:31:38.000000000 +0100
46768 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/mmap32.c 2008-02-11 10:37:44.000000000 +0000
46769 -@@ -69,10 +69,22 @@ void ia32_pick_mmap_layout(struct mm_str
46770 - (current->personality & ADDR_COMPAT_LAYOUT) ||
46771 - current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY) {
46772 - mm->mmap_base = TASK_UNMAPPED_BASE;
46773 -+
46774 -+#ifdef CONFIG_PAX_RANDMMAP
46775 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46776 -+ mm->mmap_base += mm->delta_mmap;
46777 -+#endif
46778 -+
46779 - mm->get_unmapped_area = arch_get_unmapped_area;
46780 - mm->unmap_area = arch_unmap_area;
46781 - } else {
46782 - mm->mmap_base = mmap_base(mm);
46783 -+
46784 -+#ifdef CONFIG_PAX_RANDMMAP
46785 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
46786 -+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
46787 -+#endif
46788 -+
46789 - mm->get_unmapped_area = arch_get_unmapped_area_topdown;
46790 - mm->unmap_area = arch_unmap_area_topdown;
46791 - }
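Review bot: the two RANDMMAP adjustments are asymmetric (`mm->mmap_base += mm->delta_mmap;` in the legacy branch, `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch) and the hunk does not say why the stack delta only enters the top-down computation. A short comment that the top-down base is derived from the stack top, so the stack's own randomisation must be subtracted as well, would save the next reader from working that out from mmap_base().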
46792 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c
46793 ---- linux-2.6.23.15/arch/x86_64/ia32/ptrace32.c 2007-10-09 21:31:38.000000000 +0100
46794 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/ptrace32.c 2008-02-11 10:37:44.000000000 +0000
46795 -@@ -382,7 +382,7 @@ asmlinkage long sys32_ptrace(long reques
46796 - /* no checking to be bug-to-bug compatible with i386. */
46797 - /* but silence warning */
46798 - if (__copy_from_user(&child->thread.i387.fxsave, u, sizeof(*u)))
46799 -- ;
46800 -+ {}
46801 - set_stopped_child_used_math(child);
46802 - child->thread.i387.fxsave.mxcsr &= mxcsr_feature_mask;
46803 - ret = 0;
46804 -diff -Nurp linux-2.6.23.15/arch/x86_64/ia32/syscall32.c linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c
46805 ---- linux-2.6.23.15/arch/x86_64/ia32/syscall32.c 2007-10-09 21:31:38.000000000 +0100
46806 -+++ linux-2.6.23.15-grsec/arch/x86_64/ia32/syscall32.c 2008-02-11 10:37:44.000000000 +0000
46807 -@@ -30,6 +30,9 @@ int syscall32_setup_pages(struct linux_b
46808 - struct mm_struct *mm = current->mm;
46809 - int ret;
46810 -
46811 -+ if (!sysctl_vsyscall32)
46812 -+ return 0;
46813 -+
46814 - down_write(&mm->mmap_sem);
46815 - /*
46816 - * MAYWRITE to allow gdb to COW and set breakpoints
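Review bot: the early `if (!sysctl_vsyscall32) return 0;` is evaluated at exec time, so toggling the sysctl later affects only newly exec'd processes; together with the zero default introduced in ia32_binfmt.c this means no 32-bit process gets the syscall page mapped unless the knob is turned on before the process starts. That is the intended hardening (no fixed-address compat vDSO), but it should be documented next to the sysctl. The return is placed before `down_write(&mm->mmap_sem)`, so no lock is leaked.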
46817 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/hpet.c linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c
46818 ---- linux-2.6.23.15/arch/x86_64/kernel/hpet.c 2007-10-09 21:31:38.000000000 +0100
46819 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/hpet.c 2008-02-11 10:37:44.000000000 +0000
46820 -@@ -65,7 +65,7 @@ static __init int late_hpet_init(void)
46821 - hpet = (struct hpet *) fix_to_virt(FIX_HPET_BASE);
46822 - timer = &hpet->hpet_timers[2];
46823 - for (i = 2; i < ntimer; timer++, i++)
46824 -- hd.hd_irq[i] = (timer->hpet_config &
46825 -+ hd.hd_irq[i] = (readl(&timer->hpet_config) &
46826 - Tn_INT_ROUTE_CNF_MASK) >>
46827 - Tn_INT_ROUTE_CNF_SHIFT;
46828 -
46829 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/i8259.c linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c
46830 ---- linux-2.6.23.15/arch/x86_64/kernel/i8259.c 2007-10-09 21:31:38.000000000 +0100
46831 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/i8259.c 2008-02-11 10:37:44.000000000 +0000
46832 -@@ -395,7 +395,7 @@ device_initcall(i8259A_init_sysfs);
46833 - * IRQ2 is cascade interrupt to second interrupt controller
46834 - */
46835 -
46836 --static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL};
46837 -+static struct irqaction irq2 = { no_action, 0, CPU_MASK_NONE, "cascade", NULL, NULL, 0, NULL};
46838 - DEFINE_PER_CPU(vector_irq_t, vector_irq) = {
46839 - [0 ... IRQ0_VECTOR - 1] = -1,
46840 - [IRQ0_VECTOR] = 0,
46841 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/ioport.c linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c
46842 ---- linux-2.6.23.15/arch/x86_64/kernel/ioport.c 2007-10-09 21:31:38.000000000 +0100
46843 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/ioport.c 2008-02-11 10:37:44.000000000 +0000
46844 -@@ -16,6 +16,7 @@
46845 - #include <linux/slab.h>
46846 - #include <linux/thread_info.h>
46847 - #include <linux/syscalls.h>
46848 -+#include <linux/grsecurity.h>
46849 -
46850 - /* Set EXTENT bits starting at BASE in BITMAP to value TURN_ON. */
46851 - static void set_bitmap(unsigned long *bitmap, unsigned int base, unsigned int extent, int new_value)
46852 -@@ -41,8 +42,16 @@ asmlinkage long sys_ioperm(unsigned long
46853 -
46854 - if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
46855 - return -EINVAL;
46856 -+
46857 -+#ifdef CONFIG_GRKERNSEC_IO
46858 -+ if (turn_on) {
46859 -+ gr_handle_ioperm();
46860 -+ return -EPERM;
46861 -+ }
46862 -+#else
46863 - if (turn_on && !capable(CAP_SYS_RAWIO))
46864 - return -EPERM;
46865 -+#endif
46866 -
46867 - /*
46868 - * If it's the first ioperm() call in this thread's lifetime, set the
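Review bot: under CONFIG_GRKERNSEC_IO the `capable(CAP_SYS_RAWIO)` test disappears entirely and any `turn_on` request is refused with -EPERM after `gr_handle_ioperm()` (whatever that does is not in this hunk), so even a CAP_SYS_RAWIO holder cannot gain port access; dropping permissions (`turn_on == 0`) still works. That is a deliberate policy, but the Kconfig help or a comment here should say that userspace needing ioperm (X drivers, hardware tools) will fail with this option enabled.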
46869 -@@ -111,8 +120,13 @@ asmlinkage long sys_iopl(unsigned int le
46870 - return -EINVAL;
46871 - /* Trying to gain more privileges? */
46872 - if (level > old) {
46873 -+#ifdef CONFIG_GRKERNSEC_IO
46874 -+ gr_handle_iopl();
46875 -+ return -EPERM;
46876 -+#else
46877 - if (!capable(CAP_SYS_RAWIO))
46878 - return -EPERM;
46879 -+#endif
46880 - }
46881 - regs->eflags = (regs->eflags &~ X86_EFLAGS_IOPL) | (level << 12);
46882 - return 0;
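Review bot: same pattern as sys_ioperm: with CONFIG_GRKERNSEC_IO only the `level > old` case is blocked, so lowering IOPL remains possible while any raise is refused regardless of capabilities. A comment that the asymmetry is intentional would help, and the `gr_handle_iopl()` / `gr_handle_ioperm()` hooks should be declared in the newly included linux/grsecurity.h (the declarations are not visible here).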
46883 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/mce.c linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c
46884 ---- linux-2.6.23.15/arch/x86_64/kernel/mce.c 2007-10-09 21:31:38.000000000 +0100
46885 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/mce.c 2008-02-11 10:37:44.000000000 +0000
46886 -@@ -665,6 +665,7 @@ static struct miscdevice mce_log_device
46887 - MISC_MCELOG_MINOR,
46888 - "mcelog",
46889 - &mce_chrdev_ops,
46890 -+ {NULL, NULL}, NULL, NULL
46891 - };
46892 -
46893 - static unsigned long old_cr4 __initdata;
46894 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/process.c linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c
46895 ---- linux-2.6.23.15/arch/x86_64/kernel/process.c 2007-10-09 21:31:38.000000000 +0100
46896 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/process.c 2008-02-11 10:37:44.000000000 +0000
46897 -@@ -894,10 +894,3 @@ int dump_task_regs(struct task_struct *t
46898 -
46899 - return 1;
46900 - }
46901 --
46902 --unsigned long arch_align_stack(unsigned long sp)
46903 --{
46904 -- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
46905 -- sp -= get_random_int() % 8192;
46906 -- return sp & ~0xf;
46907 --}
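Review bot: this hunk deletes the x86_64 `arch_align_stack()` (the `get_random_int() % 8192` stack offset) without adding a replacement in this file; the function is called from generic binfmt code, so either a new definition appears elsewhere in the patch or the build fails with an undefined symbol. State in the changelog where the replacement lives and whether the randomisation it provided is covered by PaX's own stack delta.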
46908 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/setup64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c
46909 ---- linux-2.6.23.15/arch/x86_64/kernel/setup64.c 2007-10-09 21:31:38.000000000 +0100
46910 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/setup64.c 2008-02-11 10:37:44.000000000 +0000
46911 -@@ -37,7 +37,7 @@ struct desc_ptr idt_descr = { 256 * 16 -
46912 - char boot_cpu_stack[IRQSTACKSIZE] __attribute__((section(".bss.page_aligned")));
46913 -
46914 - unsigned long __supported_pte_mask __read_mostly = ~0UL;
46915 --static int do_not_nx __cpuinitdata = 0;
46916 -+EXPORT_SYMBOL(__supported_pte_mask);
46917 -
46918 - /* noexec=on|off
46919 - Control non executable mappings for 64bit processes.
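Review bot: `EXPORT_SYMBOL(__supported_pte_mask);` exposes the page-table NX mask to any module, including out-of-tree ones; if the export is only needed by in-tree PaX/grsec code, `EXPORT_SYMBOL_GPL` is the narrower choice. The hunk also removes `static int do_not_nx __cpuinitdata = 0;` at the same spot, so the export and the removal are two unrelated changes and should be mentioned separately in the description.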
46920 -@@ -51,16 +51,14 @@ static int __init nonx_setup(char *str)
46921 - return -EINVAL;
46922 - if (!strncmp(str, "on", 2)) {
46923 - __supported_pte_mask |= _PAGE_NX;
46924 -- do_not_nx = 0;
46925 - } else if (!strncmp(str, "off", 3)) {
46926 -- do_not_nx = 1;
46927 - __supported_pte_mask &= ~_PAGE_NX;
46928 - }
46929 - return 0;
46930 - }
46931 - early_param("noexec", nonx_setup);
46932 -
46933 --int force_personality32 = 0;
46934 -+int force_personality32;
46935 -
46936 - /* noexec32=on|off
46937 - Control non executable heap for 32bit processes.
46938 -@@ -177,7 +175,7 @@ void __cpuinit check_efer(void)
46939 - unsigned long efer;
46940 -
46941 - rdmsrl(MSR_EFER, efer);
46942 -- if (!(efer & EFER_NX) || do_not_nx) {
46943 -+ if (!(efer & EFER_NX)) {
46944 - __supported_pte_mask &= ~_PAGE_NX;
46945 - }
46946 - }
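Review bot: with `do_not_nx` gone, `check_efer()` only clears `_PAGE_NX` when the CPU lacks EFER.NX; the `noexec=off` case now relies solely on `nonx_setup()` having cleared the bit in the global `__supported_pte_mask`. That is equivalent as long as nothing re-sets `_PAGE_NX` after early_param processing, which holds for the lines shown, but it is a behaviour-relevant simplification rather than a pure warning fix and deserves a sentence in the description.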
46947 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/signal.c linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c
46948 ---- linux-2.6.23.15/arch/x86_64/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
46949 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/signal.c 2008-02-11 10:37:44.000000000 +0000
46950 -@@ -254,8 +254,8 @@ static int setup_rt_frame(int sig, struc
46951 - err |= setup_sigcontext(&frame->uc.uc_mcontext, regs, set->sig[0], me);
46952 - err |= __put_user(fp, &frame->uc.uc_mcontext.fpstate);
46953 - if (sizeof(*set) == 16) {
46954 -- __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
46955 -- __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
46956 -+ err |= __put_user(set->sig[0], &frame->uc.uc_sigmask.sig[0]);
46957 -+ err |= __put_user(set->sig[1], &frame->uc.uc_sigmask.sig[1]);
46958 - } else
46959 - err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
46960 -
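Review bot: this is a genuine fix rather than cleanup: the two `__put_user()` calls for `uc_sigmask.sig[0]` and `sig[1]` previously discarded their return values, so a faulting write to the signal frame went unnoticed and `setup_rt_frame` could report success with a partially written frame. The `err |=` now feeds the existing error path; keep this hunk even if the rest of the warning fixes are dropped.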
46961 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c
46962 ---- linux-2.6.23.15/arch/x86_64/kernel/sys_x86_64.c 2007-10-09 21:31:38.000000000 +0100
46963 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/sys_x86_64.c 2008-02-11 10:37:44.000000000 +0000
46964 -@@ -65,8 +65,8 @@ out:
46965 - return error;
46966 - }
46967 -
46968 --static void find_start_end(unsigned long flags, unsigned long *begin,
46969 -- unsigned long *end)
46970 -+static void find_start_end(struct mm_struct *mm, unsigned long flags,
46971 -+ unsigned long *begin, unsigned long *end)
46972 - {
46973 - if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
46974 - /* This is usually used needed to map code in small
46975 -@@ -79,7 +79,7 @@ static void find_start_end(unsigned long
46976 - *begin = 0x40000000;
46977 - *end = 0x80000000;
46978 - } else {
46979 -- *begin = TASK_UNMAPPED_BASE;
46980 -+ *begin = mm->mmap_base;
46981 - *end = TASK_SIZE;
46982 - }
46983 - }
46984 -@@ -96,11 +96,15 @@ arch_get_unmapped_area(struct file *filp
46985 - if (flags & MAP_FIXED)
46986 - return addr;
46987 -
46988 -- find_start_end(flags, &begin, &end);
46989 -+ find_start_end(mm, flags, &begin, &end);
46990 -
46991 - if (len > end)
46992 - return -ENOMEM;
46993 -
46994 -+#ifdef CONFIG_PAX_RANDMMAP
46995 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)
46996 -+#endif
46997 -+
46998 - if (addr) {
46999 - addr = PAGE_ALIGN(addr);
47000 - vma = find_vma(mm, addr);
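Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` block ends with a blank line before `if (addr) {`, which hides that `if (!(mm->pax_flags & MF_PAX_RANDMMAP) || !filp)` takes the whole `if (addr) { ... }` as its body; that is fragile (any statement inserted in between silently becomes the body) and hard to read. Put the PaX condition and the `if (addr)` under one set of braces with a comment stating the rule: with RANDMMAP enabled the caller's address hint is honoured only for anonymous mappings (`!filp`). The `find_start_end()` change to `*begin = mm->mmap_base;` is fine and is what lets the randomised base from arch_pick_mmap_layout take effect.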
47001 -diff -Nurp linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c
47002 ---- linux-2.6.23.15/arch/x86_64/kernel/vsyscall.c 2007-10-09 21:31:38.000000000 +0100
47003 -+++ linux-2.6.23.15-grsec/arch/x86_64/kernel/vsyscall.c 2008-02-11 10:37:44.000000000 +0000
47004 -@@ -273,13 +273,13 @@ static ctl_table kernel_table2[] = {
47005 - .mode = 0644,
47006 - .strategy = vsyscall_sysctl_nostrat,
47007 - .proc_handler = vsyscall_sysctl_change },
47008 -- {}
47009 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47010 - };
47011 -
47012 - static ctl_table kernel_root_table2[] = {
47013 - { .ctl_name = CTL_KERN, .procname = "kernel", .mode = 0555,
47014 - .child = kernel_table2 },
47015 -- {}
47016 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
47017 - };
47018 -
47019 - #endif
47020 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/fault.c linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c
47021 ---- linux-2.6.23.15/arch/x86_64/mm/fault.c 2007-10-09 21:31:38.000000000 +0100
47022 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/fault.c 2008-02-11 10:37:44.000000000 +0000
47023 -@@ -25,6 +25,7 @@
47024 - #include <linux/kprobes.h>
47025 - #include <linux/uaccess.h>
47026 - #include <linux/kdebug.h>
47027 -+#include <linux/binfmts.h>
47028 -
47029 - #include <asm/system.h>
47030 - #include <asm/pgalloc.h>
47031 -@@ -291,6 +292,163 @@ static int vmalloc_fault(unsigned long a
47032 - return 0;
47033 - }
47034 -
47035 -+#ifdef CONFIG_PAX_EMUTRAMP
47036 -+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
47037 -+{
47038 -+ int err;
47039 -+
47040 -+ do { /* PaX: gcc trampoline emulation #1 */
47041 -+ unsigned char mov1, mov2;
47042 -+ unsigned short jmp;
47043 -+ unsigned int addr1, addr2;
47044 -+
47045 -+ if ((regs->rip + 11) >> 32)
47046 -+ break;
47047 -+
47048 -+ err = get_user(mov1, (unsigned char __user *)regs->rip);
47049 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
47050 -+ err |= get_user(mov2, (unsigned char __user *)(regs->rip + 5));
47051 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
47052 -+ err |= get_user(jmp, (unsigned short __user *)(regs->rip + 10));
47053 -+
47054 -+ if (err)
47055 -+ break;
47056 -+
47057 -+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
47058 -+ regs->rcx = addr1;
47059 -+ regs->rax = addr2;
47060 -+ regs->rip = addr2;
47061 -+ return 2;
47062 -+ }
47063 -+ } while (0);
47064 -+
47065 -+ do { /* PaX: gcc trampoline emulation #2 */
47066 -+ unsigned char mov, jmp;
47067 -+ unsigned int addr1, addr2;
47068 -+
47069 -+ if ((regs->rip + 9) >> 32)
47070 -+ break;
47071 -+
47072 -+ err = get_user(mov, (unsigned char __user *)regs->rip);
47073 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 1));
47074 -+ err |= get_user(jmp, (unsigned char __user *)(regs->rip + 5));
47075 -+ err |= get_user(addr2, (unsigned int __user *)(regs->rip + 6));
47076 -+
47077 -+ if (err)
47078 -+ break;
47079 -+
47080 -+ if (mov == 0xB9 && jmp == 0xE9) {
47081 -+ regs->rcx = addr1;
47082 -+ regs->rip = (unsigned int)(regs->rip + addr2 + 10);
47083 -+ return 2;
47084 -+ }
47085 -+ } while (0);
47086 -+
47087 -+ return 1; /* PaX in action */
47088 -+}
47089 -+
47090 -+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
47091 -+{
47092 -+ int err;
47093 -+
47094 -+ do { /* PaX: gcc trampoline emulation #1 */
47095 -+ unsigned short mov1, mov2, jmp1;
47096 -+ unsigned char jmp2;
47097 -+ unsigned int addr1;
47098 -+ unsigned long addr2;
47099 -+
47100 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
47101 -+ err |= get_user(addr1, (unsigned int __user *)(regs->rip + 2));
47102 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 6));
47103 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 8));
47104 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 16));
47105 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 18));
47106 -+
47107 -+ if (err)
47108 -+ break;
47109 -+
47110 -+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
47111 -+ regs->r11 = addr1;
47112 -+ regs->r10 = addr2;
47113 -+ regs->rip = addr1;
47114 -+ return 2;
47115 -+ }
47116 -+ } while (0);
47117 -+
47118 -+ do { /* PaX: gcc trampoline emulation #2 */
47119 -+ unsigned short mov1, mov2, jmp1;
47120 -+ unsigned char jmp2;
47121 -+ unsigned long addr1, addr2;
47122 -+
47123 -+ err = get_user(mov1, (unsigned short __user *)regs->rip);
47124 -+ err |= get_user(addr1, (unsigned long __user *)(regs->rip + 2));
47125 -+ err |= get_user(mov2, (unsigned short __user *)(regs->rip + 10));
47126 -+ err |= get_user(addr2, (unsigned long __user *)(regs->rip + 12));
47127 -+ err |= get_user(jmp1, (unsigned short __user *)(regs->rip + 20));
47128 -+ err |= get_user(jmp2, (unsigned char __user *)(regs->rip + 22));
47129 -+
47130 -+ if (err)
47131 -+ break;
47132 -+
47133 -+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
47134 -+ regs->r11 = addr1;
47135 -+ regs->r10 = addr2;
47136 -+ regs->rip = addr1;
47137 -+ return 2;
47138 -+ }
47139 -+ } while (0);
47140 -+
47141 -+ return 1; /* PaX in action */
47142 -+}
47143 -+
47144 -+/*
47145 -+ * PaX: decide what to do with offenders (regs->rip = fault address)
47146 -+ *
47147 -+ * returns 1 when task should be killed
47148 -+ * 2 when gcc trampoline was detected
47149 -+ */
47150 -+static int pax_handle_fetch_fault(struct pt_regs *regs)
47151 -+{
47152 -+ if (regs->eflags & X86_EFLAGS_VM)
47153 -+ return 1;
47154 -+
47155 -+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
47156 -+ return 1;
47157 -+
47158 -+ if (regs->cs == __USER32_CS || (regs->cs & (1<<2)))
47159 -+ return pax_handle_fetch_fault_32(regs);
47160 -+ else
47161 -+ return pax_handle_fetch_fault_64(regs);
47162 -+}
47163 -+#endif
47164 -+
47165 -+#ifdef CONFIG_PAX_PAGEEXEC
47166 -+void pax_report_insns(void *pc, void *sp)
47167 -+{
47168 -+ long i;
47169 -+
47170 -+ printk(KERN_ERR "PAX: bytes at PC: ");
47171 -+ for (i = 0; i < 20; i++) {
47172 -+ unsigned char c;
47173 -+ if (get_user(c, (unsigned char __user *)pc+i))
47174 -+ printk("?? ");
47175 -+ else
47176 -+ printk("%02x ", c);
47177 -+ }
47178 -+ printk("\n");
47179 -+
47180 -+ printk(KERN_ERR "PAX: bytes at SP-8: ");
47181 -+ for (i = -1; i < 10; i++) {
47182 -+ unsigned long c;
47183 -+ if (get_user(c, (unsigned long __user *)sp+i))
47184 -+ printk("???????????????? ");
47185 -+ else
47186 -+ printk("%016lx ", c);
47187 -+ }
47188 -+ printk("\n");
47189 -+}
47190 -+#endif
47191 -+
47192 - static int page_fault_trace;
47193 - int show_unhandled_signals = 1;
47194 -
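Review bot: `regs->cs & (1<<2)` in pax_handle_fetch_fault tests the selector's table-indicator bit (an LDT code segment) and deserves a named constant or comment, since the reader otherwise has to decode why an LDT selector is routed to the 32-bit emulator. The bounds checks in the 32-bit variant match the reads that follow (`(regs->rip + 11) >> 32` guards bytes rip..rip+11 for pattern #1, `(regs->rip + 9) >> 32` guards rip..rip+9 for pattern #2), so a 32-bit task's reads stay below 4 GiB; the 64-bit variant has no such guard and relies on get_user failing, which is acceptable but worth a comment. Both helpers end in `return 1; /* PaX in action */`, and the header comment on pax_handle_fetch_fault is the only place the return codes are explained, so reference it from the helpers.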
47195 -@@ -427,6 +585,8 @@ asmlinkage void __kprobes do_page_fault(
47196 - good_area:
47197 - info.si_code = SEGV_ACCERR;
47198 - write = 0;
47199 -+ if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
47200 -+ goto bad_area;
47201 - switch (error_code & (PF_PROT|PF_WRITE)) {
47202 - default: /* 3: write, present */
47203 - /* fall through */
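Review bot: the new `if ((error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC)) goto bad_area;` sits outside any `CONFIG_PAX_PAGEEXEC` guard, so it applies to every task, not only those with MF_PAX_PAGEEXEC set. If that is intended (an instruction fetch from a non-executable VMA is always an error when the hardware reports PF_INSTR), say so in a comment; if not, wrap it like the PaX block in bad_area_nosemaphore.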
47204 -@@ -478,6 +638,21 @@ bad_area_nosemaphore:
47205 - */
47206 - local_irq_enable();
47207 -
47208 -+#ifdef CONFIG_PAX_PAGEEXEC
47209 -+ if (mm && (mm->pax_flags & MF_PAX_PAGEEXEC) && (error_code & 16)) {
47210 -+
47211 -+#ifdef CONFIG_PAX_EMUTRAMP
47212 -+ switch (pax_handle_fetch_fault(regs)) {
47213 -+ case 2:
47214 -+ return;
47215 -+ }
47216 -+#endif
47217 -+
47218 -+ pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
47219 -+ do_exit(SIGKILL);
47220 -+ }
47221 -+#endif
47222 -+
47223 - if (is_prefetch(regs, address, error_code))
47224 - return;
47225 -
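Review bot: `(error_code & 16)` is a magic number where the good_area hunk above spells the same bit as `PF_INSTR`; use the named constant in both places. The `switch (pax_handle_fetch_fault(regs))` again lacks a `default:` and relies on falling through to `pax_report_fault(...); do_exit(SIGKILL);` for return code 1, so an explicit default with a comment would make the kill path obvious. The `mm &&` test is needed because this label is also reached for faults with no user mm; keep it.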
47226 -@@ -499,7 +674,7 @@ bad_area_nosemaphore:
47227 - tsk->comm, tsk->pid, address, regs->rip,
47228 - regs->rsp, error_code);
47229 - }
47230 --
47231 -+
47232 - tsk->thread.cr2 = address;
47233 - /* Kernel addresses are always protection faults */
47234 - tsk->thread.error_code = error_code | (address >= TASK_SIZE);
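Review bot: this hunk removes a blank line and adds a blank line in its place, so it carries no code change and most likely only introduces trailing whitespace; drop it from the patch.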
47235 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/init.c linux-2.6.23.15-grsec/arch/x86_64/mm/init.c
47236 ---- linux-2.6.23.15/arch/x86_64/mm/init.c 2008-02-11 10:36:03.000000000 +0000
47237 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/init.c 2008-02-11 10:37:44.000000000 +0000
47238 -@@ -45,7 +45,7 @@
47239 - #include <asm/sections.h>
47240 -
47241 - #ifndef Dprintk
47242 --#define Dprintk(x...)
47243 -+#define Dprintk(x...) do {} while (0)
47244 - #endif
47245 -
47246 - const struct dma_mapping_ops* dma_ops;
47247 -@@ -736,7 +736,7 @@ int in_gate_area_no_task(unsigned long a
47248 -
47249 - const char *arch_vma_name(struct vm_area_struct *vma)
47250 - {
47251 -- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
47252 -+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
47253 - return "[vdso]";
47254 - if (vma == &gate_vma)
47255 - return "[vsyscall]";
47256 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/mmap.c linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c
47257 ---- linux-2.6.23.15/arch/x86_64/mm/mmap.c 2007-10-09 21:31:38.000000000 +0100
47258 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/mmap.c 2008-02-11 10:37:44.000000000 +0000
47259 -@@ -23,6 +23,12 @@ void arch_pick_mmap_layout(struct mm_str
47260 - unsigned rnd = get_random_int() & 0xfffffff;
47261 - mm->mmap_base += ((unsigned long)rnd) << PAGE_SHIFT;
47262 - }
47263 -+
47264 -+#ifdef CONFIG_PAX_RANDMMAP
47265 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
47266 -+ mm->mmap_base += mm->delta_mmap;
47267 -+#endif
47268 -+
47269 - mm->get_unmapped_area = arch_get_unmapped_area;
47270 - mm->unmap_area = arch_unmap_area;
47271 - }
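Review bot: only the legacy (bottom-up) branch of arch_pick_mmap_layout is adjusted here (`mm->mmap_base += mm->delta_mmap;`), while the compat counterpart in arch/x86_64/ia32/mmap32.c patches both the bottom-up and the top-down branch. The top-down branch of this function is outside the hunk; confirm it receives the matching `-= mm->delta_mmap + mm->delta_stack` adjustment, otherwise 64-bit top-down layouts get no PaX randomisation while 32-bit ones do.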
47272 -diff -Nurp linux-2.6.23.15/arch/x86_64/mm/numa.c linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c
47273 ---- linux-2.6.23.15/arch/x86_64/mm/numa.c 2007-10-09 21:31:38.000000000 +0100
47274 -+++ linux-2.6.23.15-grsec/arch/x86_64/mm/numa.c 2008-02-11 10:37:44.000000000 +0000
47275 -@@ -19,7 +19,7 @@
47276 - #include <asm/acpi.h>
47277 -
47278 - #ifndef Dprintk
47279 --#define Dprintk(x...)
47280 -+#define Dprintk(x...) do {} while (0)
47281 - #endif
47282 -
47283 - struct pglist_data *node_data[MAX_NUMNODES] __read_mostly;
47284 -diff -Nurp linux-2.6.23.15/arch/x86_64/vdso/vma.c linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c
47285 ---- linux-2.6.23.15/arch/x86_64/vdso/vma.c 2007-10-09 21:31:38.000000000 +0100
47286 -+++ linux-2.6.23.15-grsec/arch/x86_64/vdso/vma.c 2008-02-11 10:37:44.000000000 +0000
47287 -@@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
47288 - if (ret)
47289 - goto up_fail;
47290 -
47291 -- current->mm->context.vdso = (void *)addr;
47292 -+ current->mm->context.vdso = addr;
47293 - up_fail:
47294 - up_write(&mm->mmap_sem);
47295 - return ret;
47296 -diff -Nurp linux-2.6.23.15/crypto/async_tx/async_tx.c linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c
47297 ---- linux-2.6.23.15/crypto/async_tx/async_tx.c 2007-10-09 21:31:38.000000000 +0100
47298 -+++ linux-2.6.23.15-grsec/crypto/async_tx/async_tx.c 2008-02-11 10:37:44.000000000 +0000
47299 -@@ -342,8 +342,8 @@ async_tx_init(void)
47300 - err:
47301 - printk(KERN_ERR "async_tx: initialization failure\n");
47302 -
47303 -- while (--cap >= 0)
47304 -- free_percpu(channel_table[cap]);
47305 -+ while (cap)
47306 -+ free_percpu(channel_table[--cap]);
47307 -
47308 - return 1;
47309 - }
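Review bot: rewriting `while (--cap >= 0)` as `while (cap) free_percpu(channel_table[--cap]);` is a real fix if `cap` is unsigned, since `--cap >= 0` can then never be false and the loop would index before the start of channel_table; if `cap` is signed the two forms are equivalent. The declaration is outside the hunk, so state which case applies in the changelog.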
47310 -diff -Nurp linux-2.6.23.15/crypto/lrw.c linux-2.6.23.15-grsec/crypto/lrw.c
47311 ---- linux-2.6.23.15/crypto/lrw.c 2007-10-09 21:31:38.000000000 +0100
47312 -+++ linux-2.6.23.15-grsec/crypto/lrw.c 2008-02-11 10:37:44.000000000 +0000
47313 -@@ -54,7 +54,7 @@ static int setkey(struct crypto_tfm *par
47314 - struct priv *ctx = crypto_tfm_ctx(parent);
47315 - struct crypto_cipher *child = ctx->child;
47316 - int err, i;
47317 -- be128 tmp = { 0 };
47318 -+ be128 tmp = { 0, 0 };
47319 - int bsize = crypto_cipher_blocksize(child);
47320 -
47321 - crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
47322 -diff -Nurp linux-2.6.23.15/drivers/acpi/blacklist.c linux-2.6.23.15-grsec/drivers/acpi/blacklist.c
47323 ---- linux-2.6.23.15/drivers/acpi/blacklist.c 2008-02-11 10:36:03.000000000 +0000
47324 -+++ linux-2.6.23.15-grsec/drivers/acpi/blacklist.c 2008-02-11 10:37:44.000000000 +0000
47325 -@@ -71,7 +71,7 @@ static struct acpi_blacklist_item acpi_b
47326 - {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
47327 - "Incorrect _ADR", 1},
47328 -
47329 -- {""}
47330 -+ {"", "", 0, 0, 0, all_versions, 0}
47331 - };
47332 -
47333 - #if CONFIG_ACPI_BLACKLIST_YEAR
47334 -diff -Nurp linux-2.6.23.15/drivers/acpi/processor_core.c linux-2.6.23.15-grsec/drivers/acpi/processor_core.c
47335 ---- linux-2.6.23.15/drivers/acpi/processor_core.c 2007-10-09 21:31:38.000000000 +0100
47336 -+++ linux-2.6.23.15-grsec/drivers/acpi/processor_core.c 2008-02-11 10:37:44.000000000 +0000
47337 -@@ -643,7 +643,7 @@ static int __cpuinit acpi_processor_star
47338 - return 0;
47339 - }
47340 -
47341 -- BUG_ON((pr->id >= NR_CPUS) || (pr->id < 0));
47342 -+ BUG_ON(pr->id >= NR_CPUS);
47343 -
47344 - /*
47345 - * Buggy BIOS check
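Review bot: dropping `(pr->id < 0)` from the BUG_ON is only correct if `pr->id` is an unsigned type (in which case the old test was always false and gcc warned); if it is signed, this silently removes a sanity check. The type is not in the hunk; mention it in the description.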
47346 -diff -Nurp linux-2.6.23.15/drivers/acpi/processor_idle.c linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c
47347 ---- linux-2.6.23.15/drivers/acpi/processor_idle.c 2007-10-09 21:31:38.000000000 +0100
47348 -+++ linux-2.6.23.15-grsec/drivers/acpi/processor_idle.c 2008-02-11 10:37:44.000000000 +0000
47349 -@@ -164,7 +164,7 @@ static struct dmi_system_id __cpuinitdat
47350 - DMI_MATCH(DMI_BIOS_VENDOR,"Phoenix Technologies LTD"),
47351 - DMI_MATCH(DMI_BIOS_VERSION,"SHE845M0.86C.0013.D.0302131307")},
47352 - (void *)2},
47353 -- {},
47354 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
47355 - };
47356 -
47357 - static inline u32 ticks_elapsed(u32 t1, u32 t2)
47358 -diff -Nurp linux-2.6.23.15/drivers/acpi/sleep/main.c linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c
47359 ---- linux-2.6.23.15/drivers/acpi/sleep/main.c 2008-02-11 10:36:03.000000000 +0000
47360 -+++ linux-2.6.23.15-grsec/drivers/acpi/sleep/main.c 2008-02-11 10:37:44.000000000 +0000
47361 -@@ -228,7 +228,7 @@ static struct dmi_system_id __initdata a
47362 - .ident = "Toshiba Satellite 4030cdt",
47363 - .matches = {DMI_MATCH(DMI_PRODUCT_NAME, "S4030CDT/4.3"),},
47364 - },
47365 -- {},
47366 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL},
47367 - };
47368 - #endif /* CONFIG_SUSPEND */
47369 -
47370 -diff -Nurp linux-2.6.23.15/drivers/acpi/tables/tbfadt.c linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c
47371 ---- linux-2.6.23.15/drivers/acpi/tables/tbfadt.c 2007-10-09 21:31:38.000000000 +0100
47372 -+++ linux-2.6.23.15-grsec/drivers/acpi/tables/tbfadt.c 2008-02-11 10:37:44.000000000 +0000
47373 -@@ -48,7 +48,7 @@
47374 - ACPI_MODULE_NAME("tbfadt")
47375 -
47376 - /* Local prototypes */
47377 --static void inline
47378 -+static inline void
47379 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
47380 - u8 bit_width, u64 address);
47381 -
47382 -@@ -122,7 +122,7 @@ static struct acpi_fadt_info fadt_info_t
47383 - *
47384 - ******************************************************************************/
47385 -
47386 --static void inline
47387 -+static inline void
47388 - acpi_tb_init_generic_address(struct acpi_generic_address *generic_address,
47389 - u8 bit_width, u64 address)
47390 - {
47391 -diff -Nurp linux-2.6.23.15/drivers/ata/ahci.c linux-2.6.23.15-grsec/drivers/ata/ahci.c
47392 ---- linux-2.6.23.15/drivers/ata/ahci.c 2008-02-11 10:36:03.000000000 +0000
47393 -+++ linux-2.6.23.15-grsec/drivers/ata/ahci.c 2008-02-11 10:37:44.000000000 +0000
47394 -@@ -523,7 +523,7 @@ static const struct pci_device_id ahci_p
47395 - { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
47396 - PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
47397 -
47398 -- { } /* terminate list */
47399 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
47400 - };
47401 -
47402 -
47403 -diff -Nurp linux-2.6.23.15/drivers/ata/ata_piix.c linux-2.6.23.15-grsec/drivers/ata/ata_piix.c
47404 ---- linux-2.6.23.15/drivers/ata/ata_piix.c 2007-10-09 21:31:38.000000000 +0100
47405 -+++ linux-2.6.23.15-grsec/drivers/ata/ata_piix.c 2008-02-11 10:37:44.000000000 +0000
47406 -@@ -257,7 +257,7 @@ static const struct pci_device_id piix_p
47407 - /* SATA Controller IDE (Tolapai) */
47408 - { 0x8086, 0x5028, PCI_ANY_ID, PCI_ANY_ID, 0, 0, tolapai_sata_ahci },
47409 -
47410 -- { } /* terminate list */
47411 -+ { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
47412 - };
47413 -
47414 - static struct pci_driver piix_pci_driver = {
47415 -@@ -617,7 +617,7 @@ static const struct ich_laptop ich_lapto
47416 - { 0x27DF, 0x1043, 0x1267 }, /* ICH7 on Asus W5F */
47417 - { 0x24CA, 0x1025, 0x0061 }, /* ICH4 on ACER Aspire 2023WLMi */
47418 - /* end marker */
47419 -- { 0, }
47420 -+ { 0, 0, 0 }
47421 - };
47422 -
47423 - /**
47424 -@@ -963,7 +963,7 @@ static int piix_broken_suspend(void)
47425 - },
47426 - },
47427 -
47428 -- { } /* terminate list */
47429 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL } /* terminate list */
47430 - };
47431 - static const char *oemstrs[] = {
47432 - "Tecra M3,",
47433 -diff -Nurp linux-2.6.23.15/drivers/ata/libata-core.c linux-2.6.23.15-grsec/drivers/ata/libata-core.c
47434 ---- linux-2.6.23.15/drivers/ata/libata-core.c 2008-02-11 10:36:03.000000000 +0000
47435 -+++ linux-2.6.23.15-grsec/drivers/ata/libata-core.c 2008-02-11 10:37:44.000000000 +0000
47436 -@@ -472,7 +472,7 @@ static const struct ata_xfer_ent {
47437 - { ATA_SHIFT_PIO, ATA_BITS_PIO, XFER_PIO_0 },
47438 - { ATA_SHIFT_MWDMA, ATA_BITS_MWDMA, XFER_MW_DMA_0 },
47439 - { ATA_SHIFT_UDMA, ATA_BITS_UDMA, XFER_UDMA_0 },
47440 -- { -1, },
47441 -+ { -1, 0, 0 },
47442 - };
47443 -
47444 - /**
47445 -@@ -2546,7 +2546,7 @@ static const struct ata_timing ata_timin
47446 -
47447 - /* { XFER_PIO_SLOW, 120, 290, 240, 960, 290, 240, 960, 0 }, */
47448 -
47449 -- { 0xFF }
47450 -+ { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
47451 - };
47452 -
47453 - #define ENOUGH(v,unit) (((v)-1)/(unit)+1)
47454 -@@ -3799,7 +3799,7 @@ static const struct ata_blacklist_entry
47455 - { "MAXTOR 6L080L4", "A93.0500", ATA_HORKAGE_BROKEN_HPA },
47456 -
47457 - /* End Marker */
47458 -- { }
47459 -+ { NULL, NULL, 0 }
47460 - };
47461 -
47462 - static unsigned long ata_dev_blacklisted(const struct ata_device *dev)
47463 -diff -Nurp linux-2.6.23.15/drivers/char/agp/frontend.c linux-2.6.23.15-grsec/drivers/char/agp/frontend.c
47464 ---- linux-2.6.23.15/drivers/char/agp/frontend.c 2007-10-09 21:31:38.000000000 +0100
47465 -+++ linux-2.6.23.15-grsec/drivers/char/agp/frontend.c 2008-02-11 10:37:44.000000000 +0000
47466 -@@ -820,7 +820,7 @@ static int agpioc_reserve_wrap(struct ag
47467 - if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
47468 - return -EFAULT;
47469 -
47470 -- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
47471 -+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
47472 - return -EFAULT;
47473 -
47474 - client = agp_find_client_by_pid(reserve.pid);
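Review bot: Switching the bound on reserve.seg_count to sizeof(struct agp_segment_priv) only helps if that is the larger of the two structs seg_count gets multiplied by; if the user-supplied segment array is still allocated as seg_count * sizeof(struct agp_segment) in this function, the check should bound by the larger size explicitly, e.g. `max(sizeof(struct agp_segment), sizeof(struct agp_segment_priv))`, so correctness does not depend on per-arch padding. Separately, -EFAULT is the wrong errno for an out-of-range count; -EINVAL is what callers expect.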
47475 -diff -Nurp linux-2.6.23.15/drivers/char/agp/intel-agp.c linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c
47476 ---- linux-2.6.23.15/drivers/char/agp/intel-agp.c 2007-10-09 21:31:38.000000000 +0100
47477 -+++ linux-2.6.23.15-grsec/drivers/char/agp/intel-agp.c 2008-02-11 10:37:44.000000000 +0000
47478 -@@ -2071,7 +2071,7 @@ static struct pci_device_id agp_intel_pc
47479 - ID(PCI_DEVICE_ID_INTEL_G33_HB),
47480 - ID(PCI_DEVICE_ID_INTEL_Q35_HB),
47481 - ID(PCI_DEVICE_ID_INTEL_Q33_HB),
47482 -- { }
47483 -+ { 0, 0, 0, 0, 0, 0, 0 }
47484 - };
47485 -
47486 - MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
47487 -diff -Nurp linux-2.6.23.15/drivers/char/drm/drm_pciids.h linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h
47488 ---- linux-2.6.23.15/drivers/char/drm/drm_pciids.h 2007-10-09 21:31:38.000000000 +0100
47489 -+++ linux-2.6.23.15-grsec/drivers/char/drm/drm_pciids.h 2008-02-11 10:37:44.000000000 +0000
47490 -@@ -251,7 +251,7 @@
47491 - {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47492 - {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47493 - {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47494 -- {0, 0, 0}
47495 -+ {0, 0, 0, 0, 0, 0, 0 }
47496 -
47497 - #define i830_PCI_IDS \
47498 - {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
47499 -diff -Nurp linux-2.6.23.15/drivers/char/hpet.c linux-2.6.23.15-grsec/drivers/char/hpet.c
47500 ---- linux-2.6.23.15/drivers/char/hpet.c 2007-10-09 21:31:38.000000000 +0100
47501 -+++ linux-2.6.23.15-grsec/drivers/char/hpet.c 2008-02-11 10:37:44.000000000 +0000
47502 -@@ -1028,7 +1028,7 @@ static struct acpi_driver hpet_acpi_driv
47503 - },
47504 - };
47505 -
47506 --static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
47507 -+static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
47508 -
47509 - static int __init hpet_init(void)
47510 - {
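Review bot: Filling the trailing fields positionally (`&hpet_fops, {NULL, NULL}, NULL, NULL`) ties this initializer to the exact field order of struct miscdevice, so a later reordering or insertion in the struct changes which member receives which value without any compiler diagnostic. Designated initializers (`.minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops`) silence the missing-field warning and stay correct across layout changes; the same applies to nvram_dev and psaux_mouse later in this patch.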
47511 -diff -Nurp linux-2.6.23.15/drivers/char/keyboard.c linux-2.6.23.15-grsec/drivers/char/keyboard.c
47512 ---- linux-2.6.23.15/drivers/char/keyboard.c 2007-10-09 21:31:38.000000000 +0100
47513 -+++ linux-2.6.23.15-grsec/drivers/char/keyboard.c 2008-02-11 10:37:44.000000000 +0000
47514 -@@ -605,6 +605,16 @@ static void k_spec(struct vc_data *vc, u
47515 - kbd->kbdmode == VC_MEDIUMRAW) &&
47516 - value != KVAL(K_SAK))
47517 - return; /* SAK is allowed even in raw mode */
47518 -+
47519 -+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
47520 -+ {
47521 -+ void *func = fn_handler[value];
47522 -+ if (func == fn_show_state || func == fn_show_ptregs ||
47523 -+ func == fn_show_mem)
47524 -+ return;
47525 -+ }
47526 -+#endif
47527 -+
47528 - fn_handler[value](vc);
47529 - }
47530 -
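Review bot: The new filter silently drops the Show_State, Show_Registers and Show_Memory console keys whenever CONFIG_GRKERNSEC_PROC or CONFIG_GRKERNSEC_PROC_MEMMAP is set, and nothing in the patch documents that side effect; the Kconfig help for both options should state that these keys are disabled. Also, `void *func = fn_handler[value];` discards the function-pointer type; declare func with the element type of fn_handler[] so the three comparisons are type-checked rather than going through void *.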
47531 -@@ -1340,7 +1350,7 @@ static const struct input_device_id kbd_
47532 - .evbit = { BIT(EV_SND) },
47533 - },
47534 -
47535 -- { }, /* Terminating entry */
47536 -+ { 0 }, /* Terminating entry */
47537 - };
47538 -
47539 - MODULE_DEVICE_TABLE(input, kbd_ids);
47540 -diff -Nurp linux-2.6.23.15/drivers/char/mem.c linux-2.6.23.15-grsec/drivers/char/mem.c
47541 ---- linux-2.6.23.15/drivers/char/mem.c 2007-10-09 21:31:38.000000000 +0100
47542 -+++ linux-2.6.23.15-grsec/drivers/char/mem.c 2008-02-11 10:37:44.000000000 +0000
47543 -@@ -26,6 +26,7 @@
47544 - #include <linux/bootmem.h>
47545 - #include <linux/splice.h>
47546 - #include <linux/pfn.h>
47547 -+#include <linux/grsecurity.h>
47548 -
47549 - #include <asm/uaccess.h>
47550 - #include <asm/io.h>
47551 -@@ -34,6 +35,10 @@
47552 - # include <linux/efi.h>
47553 - #endif
47554 -
47555 -+#ifdef CONFIG_GRKERNSEC
47556 -+extern struct file_operations grsec_fops;
47557 -+#endif
47558 -+
47559 - /*
47560 - * Architectures vary in how they handle caching for addresses
47561 - * outside of main memory.
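Review bot: `extern struct file_operations grsec_fops;` is an ad-hoc extern in a .c file; since <linux/grsecurity.h> is included a few lines above in this same patch, the declaration belongs in that header so every user shares one prototype that the compiler checks. Unless the table is mutated at runtime it should also be `const`, like the kernel's other file_operations tables.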
47562 -@@ -180,6 +185,11 @@ static ssize_t write_mem(struct file * f
47563 - if (!valid_phys_addr_range(p, count))
47564 - return -EFAULT;
47565 -
47566 -+#ifdef CONFIG_GRKERNSEC_KMEM
47567 -+ gr_handle_mem_write();
47568 -+ return -EPERM;
47569 -+#endif
47570 -+
47571 - written = 0;
47572 -
47573 - #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
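Review bot: Under CONFIG_GRKERNSEC_KMEM the unconditional `return -EPERM;` makes everything from `written = 0;` onward in write_mem() dead code, which compilers flag and which will rot unnoticed; either put the remainder under #else, or, cleaner, leave write_mem() alone and omit .write from the /dev/mem fops under that option so the denial happens at the VFS layer. Note also that the hook sits after valid_phys_addr_range(), so an out-of-range write returns -EFAULT and is never logged by gr_handle_mem_write(); move the hook to the top if the intent is to audit every attempt.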
47574 -@@ -281,6 +291,11 @@ static int mmap_mem(struct file * file,
47575 - if (!private_mapping_ok(vma))
47576 - return -ENOSYS;
47577 -
47578 -+#ifdef CONFIG_GRKERNSEC_KMEM
47579 -+ if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
47580 -+ return -EPERM;
47581 -+#endif
47582 -+
47583 - vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
47584 - size,
47585 - vma->vm_page_prot);
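Review bot: `vma->vm_pgoff << PAGE_SHIFT` is evaluated in unsigned long, so on 32-bit with PAE (or any arch whose physical addresses exceed the word size) it truncates for offsets at or above 4 GiB and gr_handle_mem_mmap() is handed a wrong, possibly permitted, physical address. Widen before shifting (`(u64)vma->vm_pgoff << PAGE_SHIFT`), or pass vm_pgoff and let the callee do the shift in a type wide enough for the platform.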
47586 -@@ -512,6 +527,11 @@ static ssize_t write_kmem(struct file *
47587 - ssize_t written;
47588 - char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
47589 -
47590 -+#ifdef CONFIG_GRKERNSEC_KMEM
47591 -+ gr_handle_kmem_write();
47592 -+ return -EPERM;
47593 -+#endif
47594 -+
47595 - if (p < (unsigned long) high_memory) {
47596 -
47597 - wrote = count;
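Review bot: Same dead-code problem as write_mem(): with CONFIG_GRKERNSEC_KMEM the unconditional -EPERM leaves the rest of write_kmem() unreachable, and the locals declared just above it (`written`, `kbuf`) become unused, so the hardening adds new compiler warnings. Prefer #else around the remainder, or drop .write from the /dev/kmem fops under that option.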
47598 -@@ -635,6 +655,10 @@ static inline size_t read_zero_pagealign
47599 - struct vm_area_struct * vma;
47600 - unsigned long addr=(unsigned long)buf;
47601 -
47602 -+#ifdef CONFIG_PAX_SEGMEXEC
47603 -+ struct vm_area_struct *vma_m;
47604 -+#endif
47605 -+
47606 - mm = current->mm;
47607 - /* Oops, this was forgotten before. -ben */
47608 - down_read(&mm->mmap_sem);
47609 -@@ -651,8 +675,14 @@ static inline size_t read_zero_pagealign
47610 - if (count > size)
47611 - count = size;
47612 -
47613 -+#ifdef CONFIG_PAX_SEGMEXEC
47614 -+ vma_m = pax_find_mirror_vma(vma);
47615 -+ if (vma_m)
47616 -+ zap_page_range(vma_m, addr + SEGMEXEC_TASK_SIZE, count, NULL);
47617 -+#endif
47618 -+
47619 - zap_page_range(vma, addr, count, NULL);
47620 -- if (zeromap_page_range(vma, addr, count, PAGE_COPY))
47621 -+ if (zeromap_page_range(vma, addr, count, vma->vm_page_prot))
47622 - break;
47623 -
47624 - size -= count;
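Review bot: The PAGE_COPY to vma->vm_page_prot change on the zeromap_page_range() line is outside the CONFIG_PAX_SEGMEXEC block and therefore alters /dev/zero behaviour for every configuration; honouring the VMA's own protection is the right thing (PAGE_COPY can grant execute on a mapping that was created non-executable), but it deserves a sentence in the changelog and ideally its own patch. For the mirror, add a comment that pax_find_mirror_vma() is only valid here because mmap_sem is held for read (taken in the previous hunk), since the mirror pointer is not stable without it.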
47625 -@@ -805,6 +835,16 @@ static loff_t memory_lseek(struct file *
47626 -
47627 - static int open_port(struct inode * inode, struct file * filp)
47628 - {
47629 -+#ifdef CONFIG_GRKERNSEC_KMEM
47630 -+ gr_handle_open_port();
47631 -+ return -EPERM;
47632 -+#endif
47633 -+
47634 -+ return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
47635 -+}
47636 -+
47637 -+static int open_mem(struct inode * inode, struct file * filp)
47638 -+{
47639 - return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
47640 - }
47641 -
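Review bot: Under CONFIG_GRKERNSEC_KMEM the `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` after the #endif in open_port() is unreachable, and because gr_handle_open_port() runs before any capability test, /dev/port is closed and logged even for root; if that is intended, use #else so the dead code disappears and add a comment saying so, since the open_mem() split right below deliberately keeps the root exception for /dev/mem.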
47642 -@@ -812,7 +852,6 @@ static int open_port(struct inode * inod
47643 - #define full_lseek null_lseek
47644 - #define write_zero write_null
47645 - #define read_full read_zero
47646 --#define open_mem open_port
47647 - #define open_kmem open_mem
47648 - #define open_oldmem open_mem
47649 -
47650 -@@ -945,6 +984,11 @@ static int memory_open(struct inode * in
47651 - filp->f_op = &oldmem_fops;
47652 - break;
47653 - #endif
47654 -+#ifdef CONFIG_GRKERNSEC
47655 -+ case 13:
47656 -+ filp->f_op = &grsec_fops;
47657 -+ break;
47658 -+#endif
47659 - default:
47660 - return -ENXIO;
47661 - }
47662 -@@ -977,6 +1021,9 @@ static const struct {
47663 - #ifdef CONFIG_CRASH_DUMP
47664 - {12,"oldmem", S_IRUSR | S_IWUSR | S_IRGRP, &oldmem_fops},
47665 - #endif
47666 -+#ifdef CONFIG_GRKERNSEC
47667 -+ {13,"grsec", S_IRUSR | S_IWUGO, &grsec_fops},
47668 -+#endif
47669 - };
47670 -
47671 - static struct class *mem_class;
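Review bot: Minor 13 appears as a bare literal both in the memory_open() switch (previous hunk) and in this devlist entry; give it a #define next to the other mem minors so the two cannot drift apart. The mode S_IRUSR | S_IWUGO makes the /dev/grsec node world-writable while reads stay root-only, which is defensible only if every write path in grsec_fops authenticates the caller itself; a comment here stating that would spare the next reviewer from flagging it. Note that this mode only affects nodes created from this table; a static /dev or a udev rule can override it.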
47672 -diff -Nurp linux-2.6.23.15/drivers/char/nvram.c linux-2.6.23.15-grsec/drivers/char/nvram.c
47673 ---- linux-2.6.23.15/drivers/char/nvram.c 2007-10-09 21:31:38.000000000 +0100
47674 -+++ linux-2.6.23.15-grsec/drivers/char/nvram.c 2008-02-11 10:37:44.000000000 +0000
47675 -@@ -430,7 +430,10 @@ static const struct file_operations nvra
47676 - static struct miscdevice nvram_dev = {
47677 - NVRAM_MINOR,
47678 - "nvram",
47679 -- &nvram_fops
47680 -+ &nvram_fops,
47681 -+ {NULL, NULL},
47682 -+ NULL,
47683 -+ NULL
47684 - };
47685 -
47686 - static int __init
47687 -diff -Nurp linux-2.6.23.15/drivers/char/random.c linux-2.6.23.15-grsec/drivers/char/random.c
47688 ---- linux-2.6.23.15/drivers/char/random.c 2008-02-11 10:36:03.000000000 +0000
47689 -+++ linux-2.6.23.15-grsec/drivers/char/random.c 2008-02-11 10:37:44.000000000 +0000
47690 -@@ -248,8 +248,13 @@
47691 - /*
47692 - * Configuration information
47693 - */
47694 -+#ifdef CONFIG_GRKERNSEC_RANDNET
47695 -+#define INPUT_POOL_WORDS 512
47696 -+#define OUTPUT_POOL_WORDS 128
47697 -+#else
47698 - #define INPUT_POOL_WORDS 128
47699 - #define OUTPUT_POOL_WORDS 32
47700 -+#endif
47701 - #define SEC_XFER_SIZE 512
47702 -
47703 - /*
47704 -@@ -286,10 +291,17 @@ static struct poolinfo {
47705 - int poolwords;
47706 - int tap1, tap2, tap3, tap4, tap5;
47707 - } poolinfo_table[] = {
47708 -+#ifdef CONFIG_GRKERNSEC_RANDNET
47709 -+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
47710 -+ { 512, 411, 308, 208, 104, 1 },
47711 -+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
47712 -+ { 128, 103, 76, 51, 25, 1 },
47713 -+#else
47714 - /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
47715 - { 128, 103, 76, 51, 25, 1 },
47716 - /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
47717 - { 32, 26, 20, 14, 7, 1 },
47718 -+#endif
47719 - #if 0
47720 - /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
47721 - { 2048, 1638, 1231, 819, 411, 1 },
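Review bot: Enabling the 512/128-word pools under CONFIG_GRKERNSEC_RANDNET raises the amount of entropy the input pool can hold (poolsize goes from 4096 to 16384 bits) but does nothing for the rate at which entropy arrives, so /dev/random blocks no less often; the option's help text should say that explicitly, and userspace that sizes reads from /proc/sys/kernel/random/poolsize will see the new value.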
47722 -@@ -1172,7 +1184,7 @@ EXPORT_SYMBOL(generate_random_uuid);
47723 - #include <linux/sysctl.h>
47724 -
47725 - static int min_read_thresh = 8, min_write_thresh;
47726 --static int max_read_thresh = INPUT_POOL_WORDS * 32;
47727 -+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
47728 - static int max_write_thresh = INPUT_POOL_WORDS * 32;
47729 - static char sysctl_bootid[16];
47730 -
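Review bot: The max_read_thresh change to OUTPUT_POOL_WORDS * 32 is not under #ifdef CONFIG_GRKERNSEC_RANDNET and therefore changes every configuration; it looks like a genuine fix (a reader drains the blocking pool, which holds at most OUTPUT_POOL_WORDS * 32 bits, so the old ceiling let the sysctl be set above anything that pool can hold), but it should be split into its own patch with that rationale so it can be sent upstream rather than staying buried in the grsec diff.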
47731 -diff -Nurp linux-2.6.23.15/drivers/char/vt_ioctl.c linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c
47732 ---- linux-2.6.23.15/drivers/char/vt_ioctl.c 2007-10-09 21:31:38.000000000 +0100
47733 -+++ linux-2.6.23.15-grsec/drivers/char/vt_ioctl.c 2008-02-11 10:37:44.000000000 +0000
47734 -@@ -95,6 +95,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
47735 - case KDSKBENT:
47736 - if (!perm)
47737 - return -EPERM;
47738 -+
47739 -+#ifdef CONFIG_GRKERNSEC
47740 -+ if (!capable(CAP_SYS_TTY_CONFIG))
47741 -+ return -EPERM;
47742 -+#endif
47743 -+
47744 - if (!i && v == K_NOSUCHMAP) {
47745 - /* deallocate map */
47746 - key_map = key_maps[s];
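Review bot: If `perm` is computed as in vt_ioctl() (true for the owner of the tty or for CAP_SYS_TTY_CONFIG), the added capable() test removes the owner allowance, so an unprivileged user can no longer load a keymap on the console they own; that is a deliberate hardening choice, but it is gated on bare CONFIG_GRKERNSEC and is undocumented. Give it a dedicated Kconfig symbol whose help text states that KDSKBENT now requires CAP_SYS_TTY_CONFIG, since it changes the behaviour of loadkeys for ordinary users.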
47747 -@@ -235,6 +241,13 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
47748 - goto reterr;
47749 - }
47750 -
47751 -+#ifdef CONFIG_GRKERNSEC
47752 -+ if (!capable(CAP_SYS_TTY_CONFIG)) {
47753 -+ ret = -EPERM;
47754 -+ goto reterr;
47755 -+ }
47756 -+#endif
47757 -+
47758 - q = func_table[i];
47759 - first_free = funcbufptr + (funcbufsize - funcbufleft);
47760 - for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
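Review bot: The new block duplicates the error path of the `!perm` test immediately above (`ret = -EPERM; goto reterr;`); folding the capability test into that condition keeps a single EPERM path and avoids a second #ifdef island in the middle of the case. The same documentation point as for KDSKBENT applies: state in the option's help that KDSKBSENT now requires CAP_SYS_TTY_CONFIG.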
47761 -diff -Nurp linux-2.6.23.15/drivers/dma/ioatdma.c linux-2.6.23.15-grsec/drivers/dma/ioatdma.c
47762 ---- linux-2.6.23.15/drivers/dma/ioatdma.c 2007-10-09 21:31:38.000000000 +0100
47763 -+++ linux-2.6.23.15-grsec/drivers/dma/ioatdma.c 2008-02-11 10:37:44.000000000 +0000
47764 -@@ -244,7 +244,6 @@ static void ioat_dma_free_chan_resources
47765 - struct ioat_dma_chan *ioat_chan = to_ioat_chan(chan);
47766 - struct ioat_device *ioat_device = to_ioat_device(chan->device);
47767 - struct ioat_desc_sw *desc, *_desc;
47768 -- u16 chanctrl;
47769 - int in_use_descs = 0;
47770 -
47771 - ioat_dma_memcpy_cleanup(ioat_chan);
47772 -diff -Nurp linux-2.6.23.15/drivers/edac/edac_core.h linux-2.6.23.15-grsec/drivers/edac/edac_core.h
47773 ---- linux-2.6.23.15/drivers/edac/edac_core.h 2007-10-09 21:31:38.000000000 +0100
47774 -+++ linux-2.6.23.15-grsec/drivers/edac/edac_core.h 2008-02-11 10:37:44.000000000 +0000
47775 -@@ -86,11 +86,11 @@ extern int edac_debug_level;
47776 -
47777 - #else /* !CONFIG_EDAC_DEBUG */
47778 -
47779 --#define debugf0( ... )
47780 --#define debugf1( ... )
47781 --#define debugf2( ... )
47782 --#define debugf3( ... )
47783 --#define debugf4( ... )
47784 -+#define debugf0( ... ) do {} while (0)
47785 -+#define debugf1( ... ) do {} while (0)
47786 -+#define debugf2( ... ) do {} while (0)
47787 -+#define debugf3( ... ) do {} while (0)
47788 -+#define debugf4( ... ) do {} while (0)
47789 -
47790 - #endif /* !CONFIG_EDAC_DEBUG */
47791 -
47792 -diff -Nurp linux-2.6.23.15/drivers/hwmon/fscpos.c linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c
47793 ---- linux-2.6.23.15/drivers/hwmon/fscpos.c 2007-10-09 21:31:38.000000000 +0100
47794 -+++ linux-2.6.23.15-grsec/drivers/hwmon/fscpos.c 2008-02-11 10:37:44.000000000 +0000
47795 -@@ -231,7 +231,6 @@ static ssize_t set_pwm(struct i2c_client
47796 - unsigned long v = simple_strtoul(buf, NULL, 10);
47797 -
47798 - /* Range: 0..255 */
47799 -- if (v < 0) v = 0;
47800 - if (v > 255) v = 255;
47801 -
47802 - mutex_lock(&data->update_lock);
47803 -diff -Nurp linux-2.6.23.15/drivers/hwmon/k8temp.c linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c
47804 ---- linux-2.6.23.15/drivers/hwmon/k8temp.c 2007-10-09 21:31:38.000000000 +0100
47805 -+++ linux-2.6.23.15-grsec/drivers/hwmon/k8temp.c 2008-02-11 10:37:44.000000000 +0000
47806 -@@ -130,7 +130,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
47807 -
47808 - static struct pci_device_id k8temp_ids[] = {
47809 - { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
47810 -- { 0 },
47811 -+ { 0, 0, 0, 0, 0, 0, 0 },
47812 - };
47813 -
47814 - MODULE_DEVICE_TABLE(pci, k8temp_ids);
47815 -diff -Nurp linux-2.6.23.15/drivers/hwmon/sis5595.c linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c
47816 ---- linux-2.6.23.15/drivers/hwmon/sis5595.c 2007-10-09 21:31:38.000000000 +0100
47817 -+++ linux-2.6.23.15-grsec/drivers/hwmon/sis5595.c 2008-02-11 10:37:44.000000000 +0000
47818 -@@ -673,7 +673,7 @@ static struct sis5595_data *sis5595_upda
47819 -
47820 - static struct pci_device_id sis5595_pci_ids[] = {
47821 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
47822 -- { 0, }
47823 -+ { 0, 0, 0, 0, 0, 0, 0 }
47824 - };
47825 -
47826 - MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
47827 -diff -Nurp linux-2.6.23.15/drivers/hwmon/thmc50.c linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c
47828 ---- linux-2.6.23.15/drivers/hwmon/thmc50.c 2007-10-09 21:31:38.000000000 +0100
47829 -+++ linux-2.6.23.15-grsec/drivers/hwmon/thmc50.c 2008-02-11 10:37:44.000000000 +0000
47830 -@@ -47,9 +47,9 @@ I2C_CLIENT_MODULE_PARM(adm1022_temp3, "L
47831 - #define THMC50_REG_DIE_CODE 0x3F
47832 - #define THMC50_REG_ANALOG_OUT 0x19
47833 -
47834 --const static u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
47835 --const static u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
47836 --const static u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
47837 -+static const u8 THMC50_REG_TEMP[] = { 0x27, 0x26, 0x20 };
47838 -+static const u8 THMC50_REG_TEMP_MIN[] = { 0x3A, 0x38, 0x2C };
47839 -+static const u8 THMC50_REG_TEMP_MAX[] = { 0x39, 0x37, 0x2B };
47840 -
47841 - #define THMC50_REG_CONF_nFANOFF 0x20
47842 -
47843 -diff -Nurp linux-2.6.23.15/drivers/hwmon/via686a.c linux-2.6.23.15-grsec/drivers/hwmon/via686a.c
47844 ---- linux-2.6.23.15/drivers/hwmon/via686a.c 2007-10-09 21:31:38.000000000 +0100
47845 -+++ linux-2.6.23.15-grsec/drivers/hwmon/via686a.c 2008-02-11 10:37:44.000000000 +0000
47846 -@@ -740,7 +740,7 @@ static struct via686a_data *via686a_upda
47847 -
47848 - static struct pci_device_id via686a_pci_ids[] = {
47849 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
47850 -- { 0, }
47851 -+ { 0, 0, 0, 0, 0, 0, 0 }
47852 - };
47853 -
47854 - MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
47855 -diff -Nurp linux-2.6.23.15/drivers/hwmon/vt8231.c linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c
47856 ---- linux-2.6.23.15/drivers/hwmon/vt8231.c 2007-10-09 21:31:38.000000000 +0100
47857 -+++ linux-2.6.23.15-grsec/drivers/hwmon/vt8231.c 2008-02-11 10:37:44.000000000 +0000
47858 -@@ -662,7 +662,7 @@ static struct platform_driver vt8231_dri
47859 -
47860 - static struct pci_device_id vt8231_pci_ids[] = {
47861 - { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
47862 -- { 0, }
47863 -+ { 0, 0, 0, 0, 0, 0, 0 }
47864 - };
47865 -
47866 - MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
47867 -diff -Nurp linux-2.6.23.15/drivers/hwmon/w83791d.c linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c
47868 ---- linux-2.6.23.15/drivers/hwmon/w83791d.c 2007-10-09 21:31:38.000000000 +0100
47869 -+++ linux-2.6.23.15-grsec/drivers/hwmon/w83791d.c 2008-02-11 10:37:44.000000000 +0000
47870 -@@ -289,8 +289,8 @@ static int w83791d_attach_adapter(struct
47871 - static int w83791d_detect(struct i2c_adapter *adapter, int address, int kind);
47872 - static int w83791d_detach_client(struct i2c_client *client);
47873 -
47874 --static int w83791d_read(struct i2c_client *client, u8 register);
47875 --static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
47876 -+static int w83791d_read(struct i2c_client *client, u8 reg);
47877 -+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
47878 - static struct w83791d_data *w83791d_update_device(struct device *dev);
47879 -
47880 - #ifdef DEBUG
47881 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c
47882 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-i801.c 2007-10-09 21:31:38.000000000 +0100
47883 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i801.c 2008-02-11 10:37:44.000000000 +0000
47884 -@@ -543,7 +543,7 @@ static struct pci_device_id i801_ids[] =
47885 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ESB2_17) },
47886 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH8_5) },
47887 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH9_6) },
47888 -- { 0, }
47889 -+ { 0, 0, 0, 0, 0, 0, 0 }
47890 - };
47891 -
47892 - MODULE_DEVICE_TABLE (pci, i801_ids);
47893 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c
47894 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-i810.c 2007-10-09 21:31:38.000000000 +0100
47895 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-i810.c 2008-02-11 10:37:44.000000000 +0000
47896 -@@ -198,7 +198,7 @@ static struct pci_device_id i810_ids[] _
47897 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82810E_IG) },
47898 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC) },
47899 - { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82845G_IG) },
47900 -- { 0, },
47901 -+ { 0, 0, 0, 0, 0, 0, 0 },
47902 - };
47903 -
47904 - MODULE_DEVICE_TABLE (pci, i810_ids);
47905 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c
47906 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-piix4.c 2007-10-09 21:31:38.000000000 +0100
47907 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-piix4.c 2008-02-11 10:37:44.000000000 +0000
47908 -@@ -113,7 +113,7 @@ static struct dmi_system_id __devinitdat
47909 - .ident = "IBM",
47910 - .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
47911 - },
47912 -- { },
47913 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL },
47914 - };
47915 -
47916 - static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
47917 -@@ -411,7 +411,7 @@ static struct pci_device_id piix4_ids[]
47918 - .driver_data = 3 },
47919 - { PCI_DEVICE(PCI_VENDOR_ID_EFAR, PCI_DEVICE_ID_EFAR_SLC90E66_3),
47920 - .driver_data = 0 },
47921 -- { 0, }
47922 -+ { 0, 0, 0, 0, 0, 0, 0 }
47923 - };
47924 -
47925 - MODULE_DEVICE_TABLE (pci, piix4_ids);
47926 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c
47927 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-sis630.c 2007-10-09 21:31:38.000000000 +0100
47928 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis630.c 2008-02-11 10:37:44.000000000 +0000
47929 -@@ -465,7 +465,7 @@ static struct i2c_adapter sis630_adapter
47930 - static struct pci_device_id sis630_ids[] __devinitdata = {
47931 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
47932 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
47933 -- { 0, }
47934 -+ { PCI_DEVICE(0, 0) }
47935 - };
47936 -
47937 - MODULE_DEVICE_TABLE (pci, sis630_ids);
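Review bot: `{ PCI_DEVICE(0, 0) }` is not a valid terminator: PCI_DEVICE() sets .subvendor and .subdevice to PCI_ANY_ID, and the PCI core recognises the end of an id table by vendor, subvendor and class_mask all being zero, so this entry is treated as a real (never-matching) id and the match loop walks past the end of sis630_ids[]. Use the all-zero sentinel used elsewhere in this patch (`{ 0, 0, 0, 0, 0, 0, 0 }`) or a designated `{ .vendor = 0 }`.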
47938 -diff -Nurp linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c
47939 ---- linux-2.6.23.15/drivers/i2c/busses/i2c-sis96x.c 2007-10-09 21:31:38.000000000 +0100
47940 -+++ linux-2.6.23.15-grsec/drivers/i2c/busses/i2c-sis96x.c 2008-02-11 10:37:44.000000000 +0000
47941 -@@ -255,7 +255,7 @@ static struct i2c_adapter sis96x_adapter
47942 -
47943 - static struct pci_device_id sis96x_ids[] = {
47944 - { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
47945 -- { 0, }
47946 -+ { PCI_DEVICE(0, 0) }
47947 - };
47948 -
47949 - MODULE_DEVICE_TABLE (pci, sis96x_ids);
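Review bot: Same defect as in i2c-sis630.c: `{ PCI_DEVICE(0, 0) }` leaves .subvendor and .subdevice set to PCI_ANY_ID, so the table has no all-zero terminator and the PCI id matcher reads past the end of sis96x_ids[]. Replace it with `{ 0, 0, 0, 0, 0, 0, 0 }` or a designated initializer, consistent with the other PCI tables in this patch.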
47950 -diff -Nurp linux-2.6.23.15/drivers/ide/ide-cd.c linux-2.6.23.15-grsec/drivers/ide/ide-cd.c
47951 ---- linux-2.6.23.15/drivers/ide/ide-cd.c 2007-10-09 21:31:38.000000000 +0100
47952 -+++ linux-2.6.23.15-grsec/drivers/ide/ide-cd.c 2008-02-11 10:37:44.000000000 +0000
47953 -@@ -457,8 +457,6 @@ void cdrom_analyze_sense_data(ide_drive_
47954 - sector &= ~(bio_sectors -1);
47955 - valid = (sector - failed_command->sector) << 9;
47956 -
47957 -- if (valid < 0)
47958 -- valid = 0;
47959 - if (sector < get_capacity(info->disk) &&
47960 - drive->probed_capacity - sector < 4 * 75) {
47961 - set_capacity(info->disk, sector);
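Review bot: Dropping `if (valid < 0) valid = 0;` only silences the warning; the condition it was meant to catch is still reachable, because the `sector &= ~(bio_sectors - 1)` rounding on the line above can make sector smaller than failed_command->sector, in which case the unsigned subtraction wraps and `valid` becomes huge rather than zero. Compare the operands instead, e.g. `valid = sector > failed_command->sector ? (sector - failed_command->sector) << 9 : 0;`.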
47962 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/dv1394.c linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c
47963 ---- linux-2.6.23.15/drivers/ieee1394/dv1394.c 2007-10-09 21:31:38.000000000 +0100
47964 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/dv1394.c 2008-02-11 10:37:44.000000000 +0000
47965 -@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
47966 - based upon DIF section and sequence
47967 - */
47968 -
47969 --static void inline
47970 -+static inline void
47971 - frame_put_packet (struct frame *f, struct packet *p)
47972 - {
47973 - int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
47974 -@@ -918,7 +918,7 @@ static int do_dv1394_init(struct video_c
47975 - /* default SYT offset is 3 cycles */
47976 - init->syt_offset = 3;
47977 -
47978 -- if ( (init->channel > 63) || (init->channel < 0) )
47979 -+ if (init->channel > 63)
47980 - init->channel = 63;
47981 -
47982 - chan_mask = (u64)1 << init->channel;
47983 -@@ -2173,7 +2173,7 @@ static struct ieee1394_device_id dv1394_
47984 - .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
47985 - .version = AVC_SW_VERSION_ENTRY & 0xffffff
47986 - },
47987 -- { }
47988 -+ { 0, 0, 0, 0, 0, 0 }
47989 - };
47990 -
47991 - MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
47992 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/eth1394.c linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c
47993 ---- linux-2.6.23.15/drivers/ieee1394/eth1394.c 2007-10-09 21:31:38.000000000 +0100
47994 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/eth1394.c 2008-02-11 10:37:44.000000000 +0000
47995 -@@ -449,7 +449,7 @@ static struct ieee1394_device_id eth1394
47996 - .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
47997 - .version = ETHER1394_GASP_VERSION,
47998 - },
47999 -- {}
48000 -+ { 0, 0, 0, 0, 0, 0 }
48001 - };
48002 -
48003 - MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
48004 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/hosts.c linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c
48005 ---- linux-2.6.23.15/drivers/ieee1394/hosts.c 2007-10-09 21:31:38.000000000 +0100
48006 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/hosts.c 2008-02-11 10:37:44.000000000 +0000
48007 -@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
48008 - }
48009 -
48010 - static struct hpsb_host_driver dummy_driver = {
48011 -+ .name = "dummy",
48012 - .transmit_packet = dummy_transmit_packet,
48013 - .devctl = dummy_devctl,
48014 - .isoctl = dummy_isoctl
48015 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/ohci1394.c linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c
48016 ---- linux-2.6.23.15/drivers/ieee1394/ohci1394.c 2007-10-09 21:31:38.000000000 +0100
48017 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/ohci1394.c 2008-02-11 10:37:44.000000000 +0000
48018 -@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
48019 - printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
48020 -
48021 - /* Module Parameters */
48022 --static int phys_dma = 1;
48023 -+static int phys_dma;
48024 - module_param(phys_dma, int, 0444);
48025 --MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 1).");
48026 -+MODULE_PARM_DESC(phys_dma, "Enable physical dma (default = 0).");
48027 -
48028 - static void dma_trm_tasklet(unsigned long data);
48029 - static void dma_trm_reset(struct dma_trm_ctx *d);
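Review bot: Defaulting phys_dma to 0 is the right call, since with physical DMA enabled any device plugged into the FireWire port can read and write arbitrary system memory without the kernel's involvement, but the MODULE_PARM_DESC should say so rather than only noting the new default: a sentence like "Enable physical DMA; allows attached devices unrestricted access to system memory (default = 0)" tells the person flipping it what they are giving up. The corresponding Kconfig help or the grsec documentation should carry the same warning.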
48030 -@@ -3396,7 +3396,7 @@ static struct pci_device_id ohci1394_pci
48031 - .subvendor = PCI_ANY_ID,
48032 - .subdevice = PCI_ANY_ID,
48033 - },
48034 -- { 0, },
48035 -+ { 0, 0, 0, 0, 0, 0, 0 },
48036 - };
48037 -
48038 - MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
48039 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/raw1394.c linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c
48040 ---- linux-2.6.23.15/drivers/ieee1394/raw1394.c 2007-10-09 21:31:38.000000000 +0100
48041 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/raw1394.c 2008-02-11 10:37:44.000000000 +0000
48042 -@@ -2952,7 +2952,7 @@ static struct ieee1394_device_id raw1394
48043 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
48044 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
48045 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
48046 -- {}
48047 -+ { 0, 0, 0, 0, 0, 0 }
48048 - };
48049 -
48050 - MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
48051 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/sbp2.c linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c
48052 ---- linux-2.6.23.15/drivers/ieee1394/sbp2.c 2007-10-09 21:31:38.000000000 +0100
48053 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/sbp2.c 2008-02-11 10:37:44.000000000 +0000
48054 -@@ -272,7 +272,7 @@ static struct ieee1394_device_id sbp2_id
48055 - .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
48056 - .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
48057 - .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
48058 -- {}
48059 -+ { 0, 0, 0, 0, 0, 0 }
48060 - };
48061 - MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
48062 -
48063 -@@ -2063,7 +2063,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
48064 - MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
48065 - MODULE_LICENSE("GPL");
48066 -
48067 --static int sbp2_module_init(void)
48068 -+static int __init sbp2_module_init(void)
48069 - {
48070 - int ret;
48071 -
48072 -diff -Nurp linux-2.6.23.15/drivers/ieee1394/video1394.c linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c
48073 ---- linux-2.6.23.15/drivers/ieee1394/video1394.c 2007-10-09 21:31:38.000000000 +0100
48074 -+++ linux-2.6.23.15-grsec/drivers/ieee1394/video1394.c 2008-02-11 10:37:44.000000000 +0000
48075 -@@ -893,7 +893,7 @@ static long video1394_ioctl(struct file
48076 - if (unlikely(d == NULL))
48077 - return -EFAULT;
48078 -
48079 -- if (unlikely((v.buffer<0) || (v.buffer>=d->num_desc - 1))) {
48080 -+ if (unlikely(v.buffer>=d->num_desc - 1)) {
48081 - PRINT(KERN_ERR, ohci->host->id,
48082 - "Buffer %d out of range",v.buffer);
48083 - return -EINVAL;
48084 -@@ -959,7 +959,7 @@ static long video1394_ioctl(struct file
48085 - if (unlikely(d == NULL))
48086 - return -EFAULT;
48087 -
48088 -- if (unlikely((v.buffer<0) || (v.buffer>d->num_desc - 1))) {
48089 -+ if (unlikely(v.buffer>d->num_desc - 1)) {
48090 - PRINT(KERN_ERR, ohci->host->id,
48091 - "Buffer %d out of range",v.buffer);
48092 - return -EINVAL;
48093 -@@ -1030,7 +1030,7 @@ static long video1394_ioctl(struct file
48094 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
48095 - if (d == NULL) return -EFAULT;
48096 -
48097 -- if ((v.buffer<0) || (v.buffer>=d->num_desc - 1)) {
48098 -+ if (v.buffer>=d->num_desc - 1) {
48099 - PRINT(KERN_ERR, ohci->host->id,
48100 - "Buffer %d out of range",v.buffer);
48101 - return -EINVAL;
48102 -@@ -1137,7 +1137,7 @@ static long video1394_ioctl(struct file
48103 - d = find_ctx(&ctx->context_list, OHCI_ISO_TRANSMIT, v.channel);
48104 - if (d == NULL) return -EFAULT;
48105 -
48106 -- if ((v.buffer<0) || (v.buffer>=d->num_desc-1)) {
48107 -+ if (v.buffer>=d->num_desc-1) {
48108 - PRINT(KERN_ERR, ohci->host->id,
48109 - "Buffer %d out of range",v.buffer);
48110 - return -EINVAL;
48111 -@@ -1309,7 +1309,7 @@ static struct ieee1394_device_id video13
48112 - .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
48113 - .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
48114 - },
48115 -- { }
48116 -+ { 0, 0, 0, 0, 0, 0 }
48117 - };
48118 -
48119 - MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
48120 -diff -Nurp linux-2.6.23.15/drivers/input/keyboard/atkbd.c linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c
48121 ---- linux-2.6.23.15/drivers/input/keyboard/atkbd.c 2007-10-09 21:31:38.000000000 +0100
48122 -+++ linux-2.6.23.15-grsec/drivers/input/keyboard/atkbd.c 2008-02-11 10:37:44.000000000 +0000
48123 -@@ -1075,7 +1075,7 @@ static struct serio_device_id atkbd_seri
48124 - .id = SERIO_ANY,
48125 - .extra = SERIO_ANY,
48126 - },
48127 -- { 0 }
48128 -+ { 0, 0, 0, 0 }
48129 - };
48130 -
48131 - MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
48132 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/lifebook.c linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c
48133 ---- linux-2.6.23.15/drivers/input/mouse/lifebook.c 2007-10-09 21:31:38.000000000 +0100
48134 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/lifebook.c 2008-02-11 10:37:44.000000000 +0000
48135 -@@ -102,7 +102,7 @@ static struct dmi_system_id lifebook_dmi
48136 - DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
48137 - },
48138 - },
48139 -- { }
48140 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL}
48141 - };
48142 -
48143 - static psmouse_ret_t lifebook_process_byte(struct psmouse *psmouse)
48144 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/psmouse-base.c linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c
48145 ---- linux-2.6.23.15/drivers/input/mouse/psmouse-base.c 2007-10-09 21:31:38.000000000 +0100
48146 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/psmouse-base.c 2008-02-11 10:37:44.000000000 +0000
48147 -@@ -1325,7 +1325,7 @@ static struct serio_device_id psmouse_se
48148 - .id = SERIO_ANY,
48149 - .extra = SERIO_ANY,
48150 - },
48151 -- { 0 }
48152 -+ { 0, 0, 0, 0 }
48153 - };
48154 -
48155 - MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
48156 -diff -Nurp linux-2.6.23.15/drivers/input/mouse/synaptics.c linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c
48157 ---- linux-2.6.23.15/drivers/input/mouse/synaptics.c 2007-10-09 21:31:38.000000000 +0100
48158 -+++ linux-2.6.23.15-grsec/drivers/input/mouse/synaptics.c 2008-02-11 10:37:44.000000000 +0000
48159 -@@ -417,7 +417,7 @@ static void synaptics_process_packet(str
48160 - break;
48161 - case 2:
48162 - if (SYN_MODEL_PEN(priv->model_id))
48163 -- ; /* Nothing, treat a pen as a single finger */
48164 -+ break; /* Nothing, treat a pen as a single finger */
48165 - break;
48166 - case 4 ... 15:
48167 - if (SYN_CAP_PALMDETECT(priv->capabilities))
48168 -@@ -624,7 +624,7 @@ static struct dmi_system_id toshiba_dmi_
48169 - DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
48170 - },
48171 - },
48172 -- { }
48173 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48174 - };
48175 - #endif
48176 -
48177 -diff -Nurp linux-2.6.23.15/drivers/input/mousedev.c linux-2.6.23.15-grsec/drivers/input/mousedev.c
48178 ---- linux-2.6.23.15/drivers/input/mousedev.c 2008-02-11 10:36:03.000000000 +0000
48179 -+++ linux-2.6.23.15-grsec/drivers/input/mousedev.c 2008-02-11 10:37:44.000000000 +0000
48180 -@@ -1048,7 +1048,7 @@ static struct input_handler mousedev_han
48181 -
48182 - #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
48183 - static struct miscdevice psaux_mouse = {
48184 -- PSMOUSE_MINOR, "psaux", &mousedev_fops
48185 -+ PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
48186 - };
48187 - static int psaux_registered;
48188 - #endif
48189 -diff -Nurp linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h
48190 ---- linux-2.6.23.15/drivers/input/serio/i8042-x86ia64io.h 2007-10-09 21:31:38.000000000 +0100
48191 -+++ linux-2.6.23.15-grsec/drivers/input/serio/i8042-x86ia64io.h 2008-02-11 10:37:44.000000000 +0000
48192 -@@ -110,7 +110,7 @@ static struct dmi_system_id __initdata i
48193 - DMI_MATCH(DMI_PRODUCT_VERSION, "5a"),
48194 - },
48195 - },
48196 -- { }
48197 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48198 - };
48199 -
48200 - /*
48201 -@@ -262,7 +262,7 @@ static struct dmi_system_id __initdata i
48202 - DMI_MATCH(DMI_PRODUCT_NAME, "M636/A737 platform"),
48203 - },
48204 - },
48205 -- { }
48206 -+ { NULL, NULL, {DMI_MATCH(DMI_NONE, NULL)}, NULL }
48207 - };
48208 -
48209 -
48210 -diff -Nurp linux-2.6.23.15/drivers/input/serio/serio_raw.c linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c
48211 ---- linux-2.6.23.15/drivers/input/serio/serio_raw.c 2007-10-09 21:31:38.000000000 +0100
48212 -+++ linux-2.6.23.15-grsec/drivers/input/serio/serio_raw.c 2008-02-11 10:37:44.000000000 +0000
48213 -@@ -369,7 +369,7 @@ static struct serio_device_id serio_raw_
48214 - .id = SERIO_ANY,
48215 - .extra = SERIO_ANY,
48216 - },
48217 -- { 0 }
48218 -+ { 0, 0, 0, 0 }
48219 - };
48220 -
48221 - MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
48222 -diff -Nurp linux-2.6.23.15/drivers/kvm/kvm_main.c linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c
48223 ---- linux-2.6.23.15/drivers/kvm/kvm_main.c 2008-02-11 10:36:03.000000000 +0000
48224 -+++ linux-2.6.23.15-grsec/drivers/kvm/kvm_main.c 2008-02-11 10:37:44.000000000 +0000
48225 -@@ -63,21 +63,21 @@ static struct kvm_stats_debugfs_item {
48226 - int offset;
48227 - struct dentry *dentry;
48228 - } debugfs_entries[] = {
48229 -- { "pf_fixed", STAT_OFFSET(pf_fixed) },
48230 -- { "pf_guest", STAT_OFFSET(pf_guest) },
48231 -- { "tlb_flush", STAT_OFFSET(tlb_flush) },
48232 -- { "invlpg", STAT_OFFSET(invlpg) },
48233 -- { "exits", STAT_OFFSET(exits) },
48234 -- { "io_exits", STAT_OFFSET(io_exits) },
48235 -- { "mmio_exits", STAT_OFFSET(mmio_exits) },
48236 -- { "signal_exits", STAT_OFFSET(signal_exits) },
48237 -- { "irq_window", STAT_OFFSET(irq_window_exits) },
48238 -- { "halt_exits", STAT_OFFSET(halt_exits) },
48239 -- { "request_irq", STAT_OFFSET(request_irq_exits) },
48240 -- { "irq_exits", STAT_OFFSET(irq_exits) },
48241 -- { "light_exits", STAT_OFFSET(light_exits) },
48242 -- { "efer_reload", STAT_OFFSET(efer_reload) },
48243 -- { NULL }
48244 -+ { "pf_fixed", STAT_OFFSET(pf_fixed), NULL },
48245 -+ { "pf_guest", STAT_OFFSET(pf_guest), NULL },
48246 -+ { "tlb_flush", STAT_OFFSET(tlb_flush), NULL },
48247 -+ { "invlpg", STAT_OFFSET(invlpg), NULL },
48248 -+ { "exits", STAT_OFFSET(exits), NULL },
48249 -+ { "io_exits", STAT_OFFSET(io_exits), NULL },
48250 -+ { "mmio_exits", STAT_OFFSET(mmio_exits), NULL },
48251 -+ { "signal_exits", STAT_OFFSET(signal_exits), NULL },
48252 -+ { "irq_window", STAT_OFFSET(irq_window_exits), NULL },
48253 -+ { "halt_exits", STAT_OFFSET(halt_exits), NULL },
48254 -+ { "request_irq", STAT_OFFSET(request_irq_exits), NULL },
48255 -+ { "irq_exits", STAT_OFFSET(irq_exits), NULL },
48256 -+ { "light_exits", STAT_OFFSET(light_exits), NULL },
48257 -+ { "efer_reload", STAT_OFFSET(efer_reload), NULL },
48258 -+ { NULL, 0, NULL }
48259 - };
48260 -
48261 - static struct dentry *debugfs_dir;
48262 -@@ -2255,7 +2255,7 @@ static int kvm_vcpu_ioctl_translate(stru
48263 - static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
48264 - struct kvm_interrupt *irq)
48265 - {
48266 -- if (irq->irq < 0 || irq->irq >= 256)
48267 -+ if (irq->irq >= 256)
48268 - return -EINVAL;
48269 - vcpu_load(vcpu);
48270 -
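Review bot: dropping `irq->irq < 0` from the range check in kvm_vcpu_ioctl_interrupt is a no-op only if `irq->irq` is an unsigned type, and the hunk does not show the struct kvm_interrupt declaration. Since this bounds an ioctl argument supplied by userspace, state the field type in the description or in a comment beside `if (irq->irq >= 256)`, so that a later change of the field to a signed type does not silently reopen the lower bound.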
48271 -@@ -2895,6 +2895,9 @@ static struct miscdevice kvm_dev = {
48272 - KVM_MINOR,
48273 - "kvm",
48274 - &kvm_chardev_ops,
48275 -+ {NULL, NULL},
48276 -+ NULL,
48277 -+ NULL
48278 - };
48279 -
48280 - static int kvm_reboot(struct notifier_block *notifier, unsigned long val,
48281 -diff -Nurp linux-2.6.23.15/drivers/kvm/vmx.c linux-2.6.23.15-grsec/drivers/kvm/vmx.c
48282 ---- linux-2.6.23.15/drivers/kvm/vmx.c 2008-02-11 10:36:03.000000000 +0000
48283 -+++ linux-2.6.23.15-grsec/drivers/kvm/vmx.c 2008-02-11 10:37:44.000000000 +0000
48284 -@@ -2148,7 +2148,7 @@ again:
48285 -
48286 - vcpu->interrupt_window_open = (vmcs_read32(GUEST_INTERRUPTIBILITY_INFO) & 3) == 0;
48287 -
48288 -- asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
48289 -+ asm ("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
48290 -
48291 - if (unlikely(fail)) {
48292 - kvm_run->exit_reason = KVM_EXIT_FAIL_ENTRY;
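Review bot: the host-side selector reload after VM exit changes from `__USER_DS` to `__KERNEL_DS` with no comment and no config guard, while the PaX-specific edits elsewhere in this patch are wrapped in `#ifdef CONFIG_PAX_KERNEXEC`. State why the kernel data selector is required in ds/es here, and guard it the same way if the reason is PaX-specific, so a non-PaX build does not change behaviour unintentionally.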
48293 -diff -Nurp linux-2.6.23.15/drivers/kvm/x86_emulate.c linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c
48294 ---- linux-2.6.23.15/drivers/kvm/x86_emulate.c 2008-02-11 10:36:03.000000000 +0000
48295 -+++ linux-2.6.23.15-grsec/drivers/kvm/x86_emulate.c 2008-02-11 10:37:44.000000000 +0000
48296 -@@ -823,7 +823,7 @@ done_prefixes:
48297 - case DstReg:
48298 - dst.type = OP_REG;
48299 - if ((d & ByteOp)
48300 -- && !(twobyte_table && (b == 0xb6 || b == 0xb7))) {
48301 -+ && !(twobyte && (b == 0xb6 || b == 0xb7))) {
48302 - dst.ptr = decode_register(modrm_reg, _regs,
48303 - (rex_prefix == 0));
48304 - dst.val = *(u8 *) dst.ptr;
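Review bot: the removed condition tested `twobyte_table`, which by its name is the opcode table array and so always non-null; `!(twobyte_table && (b == 0xb6 || b == 0xb7))` therefore collapsed to `!(b == 0xb6 || b == 0xb7)` and skipped the byte-register destination path for any opcode byte 0xb6/0xb7, one-byte forms included, instead of only for the two-byte movzx encodings. Switching to the `twobyte` flag is the right fix; add a one-line comment, because the expression still reads plausibly in its broken form and could be "cleaned up" back.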
48305 -diff -Nurp linux-2.6.23.15/drivers/md/bitmap.c linux-2.6.23.15-grsec/drivers/md/bitmap.c
48306 ---- linux-2.6.23.15/drivers/md/bitmap.c 2008-02-11 10:36:03.000000000 +0000
48307 -+++ linux-2.6.23.15-grsec/drivers/md/bitmap.c 2008-02-11 10:37:44.000000000 +0000
48308 -@@ -57,7 +57,7 @@
48309 - # if DEBUG > 0
48310 - # define PRINTK(x...) printk(KERN_DEBUG x)
48311 - # else
48312 --# define PRINTK(x...)
48313 -+# define PRINTK(x...) do {} while (0)
48314 - # endif
48315 - #endif
48316 -
48317 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2000.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c
48318 ---- linux-2.6.23.15/drivers/mtd/devices/doc2000.c 2007-10-09 21:31:38.000000000 +0100
48319 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2000.c 2008-02-11 10:37:44.000000000 +0000
48320 -@@ -632,7 +632,7 @@ static int doc_read(struct mtd_info *mtd
48321 - len = ((from | 0x1ff) + 1) - from;
48322 -
48323 - /* The ECC will not be calculated correctly if less than 512 is read */
48324 -- if (len != 0x200 && eccbuf)
48325 -+ if (len != 0x200)
48326 - printk(KERN_WARNING
48327 - "ECC needs a full sector read (adr: %lx size %lx)\n",
48328 - (long) from, (long) len);
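Review bot: removing `&& eccbuf` from the warning condition only preserves behaviour if `eccbuf` can never be NULL here (for example because it is a local array, which is also what would trigger the compiler's always-true warning); the hunk does not show its declaration. Mention this in the change description so the edit is not mistaken for a dropped NULL test on the read path.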
48329 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c
48330 ---- linux-2.6.23.15/drivers/mtd/devices/doc2001.c 2007-10-09 21:31:38.000000000 +0100
48331 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001.c 2008-02-11 10:37:44.000000000 +0000
48332 -@@ -398,6 +398,8 @@ static int doc_read (struct mtd_info *mt
48333 - /* Don't allow read past end of device */
48334 - if (from >= this->totlen)
48335 - return -EINVAL;
48336 -+ if (!len)
48337 -+ return -EINVAL;
48338 -
48339 - /* Don't allow a single read to cross a 512-byte block boundary */
48340 - if (from + len > ((from | 0x1ff) + 1))
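Review bot: the new `if (!len) return -EINVAL;` turns a zero-length read into an error where a caller could previously expect success with `*retlen == 0`, and nothing in the hunk says what a zero `len` breaks further down; the visible boundary check on the following lines handles len == 0 correctly, so the reason must be later in the function. Add a comment stating it, or return 0 with `*retlen = 0` if the intent is only to skip the later work.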
48341 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c
48342 ---- linux-2.6.23.15/drivers/mtd/devices/doc2001plus.c 2007-10-09 21:31:38.000000000 +0100
48343 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/doc2001plus.c 2008-02-11 10:37:44.000000000 +0000
48344 -@@ -748,7 +748,7 @@ static int doc_write(struct mtd_info *mt
48345 - WriteDOC(DoC_GetDataOffset(mtd, &fto), docptr, Mplus_FlashCmd);
48346 -
48347 - /* On interleaved devices the flags for 2nd half 512 are before data */
48348 -- if (eccbuf && before)
48349 -+ if (before)
48350 - fto -= 2;
48351 -
48352 - /* issue the Serial Data In command to initial the Page Program process */
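Review bot: same question as for the read path in doc2000.c: dropping `eccbuf &&` from `if (eccbuf && before)` in doc_write assumes `eccbuf` is never NULL at this point, which the hunk does not show. Note the reason (array rather than pointer) in a comment, since this line decides where the out-of-band flags land on interleaved devices.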
48353 -diff -Nurp linux-2.6.23.15/drivers/mtd/devices/slram.c linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c
48354 ---- linux-2.6.23.15/drivers/mtd/devices/slram.c 2007-10-09 21:31:38.000000000 +0100
48355 -+++ linux-2.6.23.15-grsec/drivers/mtd/devices/slram.c 2008-02-11 10:37:44.000000000 +0000
48356 -@@ -270,7 +270,7 @@ static int parse_cmdline(char *devname,
48357 - }
48358 - T("slram: devname=%s, devstart=0x%lx, devlength=0x%lx\n",
48359 - devname, devstart, devlength);
48360 -- if ((devstart < 0) || (devlength < 0) || (devlength % SLRAM_BLK_SZ != 0)) {
48361 -+ if (devlength % SLRAM_BLK_SZ != 0) {
48362 - E("slram: Illegal start / length parameter.\n");
48363 - return(-EINVAL);
48364 - }
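Review bot: the removed `devstart < 0` and `devlength < 0` tests were always false, consistent with the T() trace two lines above printing both with `%lx` (unsigned long), so the simplification is correct. The remaining check no longer says anything about devstart, though, so the E() message "Illegal start / length parameter" is now misleading; trim it to the length.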
48365 -diff -Nurp linux-2.6.23.15/drivers/mtd/ubi/build.c linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c
48366 ---- linux-2.6.23.15/drivers/mtd/ubi/build.c 2007-10-09 21:31:38.000000000 +0100
48367 -+++ linux-2.6.23.15-grsec/drivers/mtd/ubi/build.c 2008-02-11 10:37:44.000000000 +0000
48368 -@@ -727,7 +727,7 @@ static int __init bytes_str_to_int(const
48369 - unsigned long result;
48370 -
48371 - result = simple_strtoul(str, &endp, 0);
48372 -- if (str == endp || result < 0) {
48373 -+ if (str == endp) {
48374 - printk("UBI error: incorrect bytes count: \"%s\"\n", str);
48375 - return -EINVAL;
48376 - }
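Review bot: `result` is declared `unsigned long` in the visible context, so `result < 0` was dead code and dropping it is correct. If the original author meant to reject out-of-range sizes, the replacement is an explicit upper bound on `result` after the `str == endp` test, not a signed comparison; as written the function still accepts any value simple_strtoul returns.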
48377 -diff -Nurp linux-2.6.23.15/drivers/net/eepro100.c linux-2.6.23.15-grsec/drivers/net/eepro100.c
48378 ---- linux-2.6.23.15/drivers/net/eepro100.c 2007-10-09 21:31:38.000000000 +0100
48379 -+++ linux-2.6.23.15-grsec/drivers/net/eepro100.c 2008-02-11 10:37:44.000000000 +0000
48380 -@@ -47,7 +47,7 @@ static int rxdmacount /* = 0 */;
48381 - # define rx_align(skb) skb_reserve((skb), 2)
48382 - # define RxFD_ALIGNMENT __attribute__ ((aligned (2), packed))
48383 - #else
48384 --# define rx_align(skb)
48385 -+# define rx_align(skb) do {} while (0)
48386 - # define RxFD_ALIGNMENT
48387 - #endif
48388 -
48389 -@@ -2344,33 +2344,33 @@ static void __devexit eepro100_remove_on
48390 - }
48391 -
48392 - static struct pci_device_id eepro100_pci_tbl[] = {
48393 -- { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, },
48394 -- { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, },
48395 -- { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, },
48396 -- { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, },
48397 -- { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, },
48398 -- { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, },
48399 -- { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, },
48400 -- { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, },
48401 -- { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, },
48402 -- { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, },
48403 -- { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, },
48404 -- { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, },
48405 -- { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, },
48406 -- { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, },
48407 -- { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, },
48408 -- { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, },
48409 -- { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, },
48410 -- { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, },
48411 -- { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, },
48412 -- { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, },
48413 -- { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, },
48414 -- { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, },
48415 -- { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, },
48416 -- { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, },
48417 -- { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, },
48418 -- { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, },
48419 -- { 0,}
48420 -+ { PCI_VENDOR_ID_INTEL, 0x1229, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48421 -+ { PCI_VENDOR_ID_INTEL, 0x1209, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48422 -+ { PCI_VENDOR_ID_INTEL, 0x1029, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48423 -+ { PCI_VENDOR_ID_INTEL, 0x1030, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48424 -+ { PCI_VENDOR_ID_INTEL, 0x1031, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48425 -+ { PCI_VENDOR_ID_INTEL, 0x1032, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48426 -+ { PCI_VENDOR_ID_INTEL, 0x1033, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48427 -+ { PCI_VENDOR_ID_INTEL, 0x1034, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48428 -+ { PCI_VENDOR_ID_INTEL, 0x1035, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48429 -+ { PCI_VENDOR_ID_INTEL, 0x1036, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48430 -+ { PCI_VENDOR_ID_INTEL, 0x1037, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48431 -+ { PCI_VENDOR_ID_INTEL, 0x1038, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48432 -+ { PCI_VENDOR_ID_INTEL, 0x1039, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48433 -+ { PCI_VENDOR_ID_INTEL, 0x103A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48434 -+ { PCI_VENDOR_ID_INTEL, 0x103B, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48435 -+ { PCI_VENDOR_ID_INTEL, 0x103C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48436 -+ { PCI_VENDOR_ID_INTEL, 0x103D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48437 -+ { PCI_VENDOR_ID_INTEL, 0x103E, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48438 -+ { PCI_VENDOR_ID_INTEL, 0x1050, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48439 -+ { PCI_VENDOR_ID_INTEL, 0x1059, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48440 -+ { PCI_VENDOR_ID_INTEL, 0x1227, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48441 -+ { PCI_VENDOR_ID_INTEL, 0x2449, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48442 -+ { PCI_VENDOR_ID_INTEL, 0x2459, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48443 -+ { PCI_VENDOR_ID_INTEL, 0x245D, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48444 -+ { PCI_VENDOR_ID_INTEL, 0x5200, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48445 -+ { PCI_VENDOR_ID_INTEL, 0x5201, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0 },
48446 -+ { 0, 0, 0, 0, 0, 0, 0 }
48447 - };
48448 - MODULE_DEVICE_TABLE(pci, eepro100_pci_tbl);
48449 -
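Review bot: every table entry and the terminator are rewritten from `{ ..., PCI_ANY_ID, }` / `{ 0,}` to explicit seven-field initializers. `{ 0, }` already zero-fills the remaining members in C, so this only silences -Wmissing-field-initializers, and it hard-codes the field count of struct pci_device_id in 27 places; if the struct gains a member, the warning comes back everywhere at once. Designated initializers (`{ .vendor = PCI_VENDOR_ID_INTEL, .device = 0x1229, .subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID }`) or the PCI_DEVICE() macro give the same silence without coupling the table to the struct layout.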
48450 -diff -Nurp linux-2.6.23.15/drivers/net/irda/vlsi_ir.c linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c
48451 ---- linux-2.6.23.15/drivers/net/irda/vlsi_ir.c 2007-10-09 21:31:38.000000000 +0100
48452 -+++ linux-2.6.23.15-grsec/drivers/net/irda/vlsi_ir.c 2008-02-11 10:37:44.000000000 +0000
48453 -@@ -906,13 +906,12 @@ static int vlsi_hard_start_xmit(struct s
48454 - /* no race - tx-ring already empty */
48455 - vlsi_set_baud(idev, iobase);
48456 - netif_wake_queue(ndev);
48457 -- }
48458 -- else
48459 -- ;
48460 -+ } else {
48461 - /* keep the speed change pending like it would
48462 - * for any len>0 packet. tx completion interrupt
48463 - * will apply it when the tx ring becomes empty.
48464 - */
48465 -+ }
48466 - spin_unlock_irqrestore(&idev->lock, flags);
48467 - dev_kfree_skb_any(skb);
48468 - return 0;
48469 -diff -Nurp linux-2.6.23.15/drivers/net/pcnet32.c linux-2.6.23.15-grsec/drivers/net/pcnet32.c
48470 ---- linux-2.6.23.15/drivers/net/pcnet32.c 2007-10-09 21:31:38.000000000 +0100
48471 -+++ linux-2.6.23.15-grsec/drivers/net/pcnet32.c 2008-02-11 10:37:44.000000000 +0000
48472 -@@ -82,7 +82,7 @@ static int cards_found;
48473 - /*
48474 - * VLB I/O addresses
48475 - */
48476 --static unsigned int pcnet32_portlist[] __initdata =
48477 -+static unsigned int pcnet32_portlist[] __devinitdata =
48478 - { 0x300, 0x320, 0x340, 0x360, 0 };
48479 -
48480 - static int pcnet32_debug = 0;
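Review bot: changing pcnet32_portlist from `__initdata` to `__devinitdata` is a section-annotation fix that only matters if the list is referenced from `__devinit` probe code that can run after init memory has been freed; that reference is not in the hunk. Name the referencing function in the description so the change is not later reverted as cosmetic.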
48481 -diff -Nurp linux-2.6.23.15/drivers/net/tg3.h linux-2.6.23.15-grsec/drivers/net/tg3.h
48482 ---- linux-2.6.23.15/drivers/net/tg3.h 2007-10-09 21:31:38.000000000 +0100
48483 -+++ linux-2.6.23.15-grsec/drivers/net/tg3.h 2008-02-11 10:37:44.000000000 +0000
48484 -@@ -127,6 +127,7 @@
48485 - #define CHIPREV_ID_5750_A0 0x4000
48486 - #define CHIPREV_ID_5750_A1 0x4001
48487 - #define CHIPREV_ID_5750_A3 0x4003
48488 -+#define CHIPREV_ID_5750_C1 0x4201
48489 - #define CHIPREV_ID_5750_C2 0x4202
48490 - #define CHIPREV_ID_5752_A0_HW 0x5000
48491 - #define CHIPREV_ID_5752_A0 0x6000
48492 -diff -Nurp linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c
48493 ---- linux-2.6.23.15/drivers/pci/hotplug/cpqphp_nvram.c 2007-10-09 21:31:38.000000000 +0100
48494 -+++ linux-2.6.23.15-grsec/drivers/pci/hotplug/cpqphp_nvram.c 2008-02-11 10:37:44.000000000 +0000
48495 -@@ -425,9 +425,13 @@ static u32 store_HRT (void __iomem *rom_
48496 -
48497 - void compaq_nvram_init (void __iomem *rom_start)
48498 - {
48499 -+
48500 -+#ifndef CONFIG_PAX_KERNEXEC
48501 - if (rom_start) {
48502 - compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
48503 - }
48504 -+#endif
48505 -+
48506 - dbg("int15 entry = %p\n", compaq_int15_entry_point);
48507 -
48508 - /* initialize our int15 lock */
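Review bot: under CONFIG_PAX_KERNEXEC compaq_int15_entry_point is now never assigned, so the dbg() on the next line prints a NULL pointer and every later user of the int15 entry point must cope with NULL; those users are not in the hunk. A comment at the `#ifndef` stating that the BIOS int15 call path is intentionally disabled when KERNEXEC is active, and that callers check for NULL, would make the intent clear. Minor: the added blank lines before `#ifndef` and after `#endif` inside the function body are stray.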
48509 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c
48510 ---- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv.c 2007-10-09 21:31:38.000000000 +0100
48511 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv.c 2008-02-11 10:37:44.000000000 +0000
48512 -@@ -58,7 +58,7 @@ static struct pcie_port_service_id aer_i
48513 - .port_type = PCIE_RC_PORT,
48514 - .service_type = PCIE_PORT_SERVICE_AER,
48515 - },
48516 -- { /* end: all zeroes */ }
48517 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48518 - };
48519 -
48520 - static struct pci_error_handlers aer_error_handlers = {
48521 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c
48522 ---- linux-2.6.23.15/drivers/pci/pcie/aer/aerdrv_core.c 2007-10-09 21:31:38.000000000 +0100
48523 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/aer/aerdrv_core.c 2008-02-11 10:37:44.000000000 +0000
48524 -@@ -660,7 +660,7 @@ static void aer_isr_one_error(struct pci
48525 - struct aer_err_source *e_src)
48526 - {
48527 - struct device *s_device;
48528 -- struct aer_err_info e_info = {0, 0, 0,};
48529 -+ struct aer_err_info e_info = {0, 0, 0, {0, 0, 0, 0}};
48530 - int i;
48531 - u16 id;
48532 -
48533 -diff -Nurp linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c
48534 ---- linux-2.6.23.15/drivers/pci/pcie/portdrv_pci.c 2007-10-09 21:31:38.000000000 +0100
48535 -+++ linux-2.6.23.15-grsec/drivers/pci/pcie/portdrv_pci.c 2008-02-11 10:37:44.000000000 +0000
48536 -@@ -265,7 +265,7 @@ static void pcie_portdrv_err_resume(stru
48537 - static const struct pci_device_id port_pci_ids[] = { {
48538 - /* handle any PCI-Express port */
48539 - PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
48540 -- }, { /* end: all zeroes */ }
48541 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
48542 - };
48543 - MODULE_DEVICE_TABLE(pci, port_pci_ids);
48544 -
48545 -diff -Nurp linux-2.6.23.15/drivers/pci/proc.c linux-2.6.23.15-grsec/drivers/pci/proc.c
48546 ---- linux-2.6.23.15/drivers/pci/proc.c 2007-10-09 21:31:38.000000000 +0100
48547 -+++ linux-2.6.23.15-grsec/drivers/pci/proc.c 2008-02-11 10:37:44.000000000 +0000
48548 -@@ -466,7 +466,15 @@ static int __init pci_proc_init(void)
48549 - {
48550 - struct proc_dir_entry *entry;
48551 - struct pci_dev *dev = NULL;
48552 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
48553 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
48554 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
48555 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
48556 -+ proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
48557 -+#endif
48558 -+#else
48559 - proc_bus_pci_dir = proc_mkdir("pci", proc_bus);
48560 -+#endif
48561 - entry = create_proc_entry("devices", 0, proc_bus_pci_dir);
48562 - if (entry)
48563 - entry->proc_fops = &proc_bus_pci_dev_operations;
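Review bot: if CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, proc_bus_pci_dir is never assigned and `create_proc_entry("devices", 0, proc_bus_pci_dir)` runs with a NULL parent, which places the entry directly under /proc rather than under a restricted directory. If Kconfig guarantees that one of the two is selected, say so in a comment; otherwise add an `#else` branch that falls back to `proc_mkdir("pci", proc_bus)` or fails with `#error`. Also, `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` should be `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` to match the `#ifdef` above instead of relying on an undefined macro evaluating to 0.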
48564 -diff -Nurp linux-2.6.23.15/drivers/pcmcia/ti113x.h linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h
48565 ---- linux-2.6.23.15/drivers/pcmcia/ti113x.h 2007-10-09 21:31:38.000000000 +0100
48566 -+++ linux-2.6.23.15-grsec/drivers/pcmcia/ti113x.h 2008-02-11 10:37:44.000000000 +0000
48567 -@@ -897,7 +897,7 @@ static struct pci_device_id ene_tune_tbl
48568 - DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
48569 - ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
48570 -
48571 -- {}
48572 -+ { 0, 0, 0, 0, 0, 0, 0 }
48573 - };
48574 -
48575 - static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
48576 -diff -Nurp linux-2.6.23.15/drivers/pcmcia/yenta_socket.c linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c
48577 ---- linux-2.6.23.15/drivers/pcmcia/yenta_socket.c 2007-10-09 21:31:38.000000000 +0100
48578 -+++ linux-2.6.23.15-grsec/drivers/pcmcia/yenta_socket.c 2008-02-11 10:37:44.000000000 +0000
48579 -@@ -1358,7 +1358,7 @@ static struct pci_device_id yenta_table
48580 -
48581 - /* match any cardbus bridge */
48582 - CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
48583 -- { /* all zeroes */ }
48584 -+ { 0, 0, 0, 0, 0, 0, 0 }
48585 - };
48586 - MODULE_DEVICE_TABLE(pci, yenta_table);
48587 -
48588 -diff -Nurp linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c
48589 ---- linux-2.6.23.15/drivers/pnp/pnpbios/bioscalls.c 2007-10-09 21:31:38.000000000 +0100
48590 -+++ linux-2.6.23.15-grsec/drivers/pnp/pnpbios/bioscalls.c 2008-02-11 10:37:44.000000000 +0000
48591 -@@ -61,7 +61,7 @@ set_base(gdt[(selname) >> 3], (u32)(addr
48592 - set_limit(gdt[(selname) >> 3], size); \
48593 - } while(0)
48594 -
48595 --static struct desc_struct bad_bios_desc = { 0, 0x00409200 };
48596 -+static struct desc_struct bad_bios_desc __read_only = { 0, 0x00409300 };
48597 -
48598 - /*
48599 - * At some point we want to use this stack frame pointer to unwind
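Review bot: the descriptor value change from `0x00409200` to `0x00409300` is unexplained. The difference is the accessed bit of the descriptor's type byte (0x92 to 0x93): the GDT slot this descriptor is copied into is written under pax_open_kernel() later in this file, i.e. the GDT is read-only under KERNEXEC, and without the bit preset the CPU would try to set it itself the first time the selector is loaded, writing into that read-only table. Add a comment saying so, since on its own the new constant looks like a typo.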
48600 -@@ -88,6 +88,10 @@ static inline u16 call_pnp_bios(u16 func
48601 - struct desc_struct save_desc_40;
48602 - int cpu;
48603 -
48604 -+#ifdef CONFIG_PAX_KERNEXEC
48605 -+ unsigned long cr0;
48606 -+#endif
48607 -+
48608 - /*
48609 - * PnP BIOSes are generally not terribly re-entrant.
48610 - * Also, don't rely on them to save everything correctly.
48611 -@@ -97,8 +101,17 @@ static inline u16 call_pnp_bios(u16 func
48612 -
48613 - cpu = get_cpu();
48614 - save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
48615 -+
48616 -+#ifdef CONFIG_PAX_KERNEXEC
48617 -+ pax_open_kernel(cr0);
48618 -+#endif
48619 -+
48620 - get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
48621 -
48622 -+#ifdef CONFIG_PAX_KERNEXEC
48623 -+ pax_close_kernel(cr0);
48624 -+#endif
48625 -+
48626 - /* On some boxes IRQ's during PnP BIOS calls are deadly. */
48627 - spin_lock_irqsave(&pnp_bios_lock, flags);
48628 -
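Review bot: the pax_open_kernel(cr0)/pax_close_kernel(cr0) pair around the single GDT slot write keeps the writable window minimal, which is right, but the same four-line pattern is repeated four times in this file (here, the restore in the next hunk, and twice in pnpbios_calls_init). A small static helper taking the slot and the descriptor and doing open, write, close would remove the chance of a forgotten pax_close_kernel on a future edit.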
48629 -@@ -135,7 +148,16 @@ static inline u16 call_pnp_bios(u16 func
48630 - :"memory");
48631 - spin_unlock_irqrestore(&pnp_bios_lock, flags);
48632 -
48633 -+#ifdef CONFIG_PAX_KERNEXEC
48634 -+ pax_open_kernel(cr0);
48635 -+#endif
48636 -+
48637 - get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
48638 -+
48639 -+#ifdef CONFIG_PAX_KERNEXEC
48640 -+ pax_close_kernel(cr0);
48641 -+#endif
48642 -+
48643 - put_cpu();
48644 -
48645 - /* If we get here and this is set then the PnP BIOS faulted on us. */
48646 -@@ -469,16 +491,25 @@ int pnp_bios_read_escd(char *data, u32 n
48647 - return status;
48648 - }
48649 -
48650 --void pnpbios_calls_init(union pnp_bios_install_struct *header)
48651 -+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
48652 - {
48653 - int i;
48654 -
48655 -+#ifdef CONFIG_PAX_KERNEXEC
48656 -+ unsigned long cr0;
48657 -+#endif
48658 -+
48659 - spin_lock_init(&pnp_bios_lock);
48660 - pnp_bios_callpoint.offset = header->fields.pm16offset;
48661 - pnp_bios_callpoint.segment = PNP_CS16;
48662 -
48663 - set_base(bad_bios_desc, __va((unsigned long)0x40 << 4));
48664 - _set_limit((char *)&bad_bios_desc, 4095 - (0x40 << 4));
48665 -+
48666 -+#ifdef CONFIG_PAX_KERNEXEC
48667 -+ pax_open_kernel(cr0);
48668 -+#endif
48669 -+
48670 - for (i = 0; i < NR_CPUS; i++) {
48671 - struct desc_struct *gdt = get_cpu_gdt_table(i);
48672 - if (!gdt)
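Review bot: bad_bios_desc was marked `__read_only` in the first hunk of this file, yet `set_base(bad_bios_desc, ...)` and `_set_limit((char *)&bad_bios_desc, ...)` write to it two lines before `pax_open_kernel(cr0)` is called. If the section is still writable at this point because the function is now `__init`, add a comment saying so; otherwise move the open above those two writes. Adding `__init` here also requires the declaration in the header (not shown) and all callers to be init-time.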
48673 -@@ -489,4 +520,9 @@ void pnpbios_calls_init(union pnp_bios_i
48674 - set_base(gdt[GDT_ENTRY_PNPBIOS_DS],
48675 - __va(header->fields.pm16dseg));
48676 - }
48677 -+
48678 -+#ifdef CONFIG_PAX_KERNEXEC
48679 -+ pax_close_kernel(cr0);
48680 -+#endif
48681 -+
48682 - }
48683 -diff -Nurp linux-2.6.23.15/drivers/pnp/quirks.c linux-2.6.23.15-grsec/drivers/pnp/quirks.c
48684 ---- linux-2.6.23.15/drivers/pnp/quirks.c 2007-10-09 21:31:38.000000000 +0100
48685 -+++ linux-2.6.23.15-grsec/drivers/pnp/quirks.c 2008-02-11 10:37:44.000000000 +0000
48686 -@@ -127,7 +127,7 @@ static struct pnp_fixup pnp_fixups[] = {
48687 - {"CTL0043", quirk_sb16audio_resources},
48688 - {"CTL0044", quirk_sb16audio_resources},
48689 - {"CTL0045", quirk_sb16audio_resources},
48690 -- {""}
48691 -+ {"", NULL}
48692 - };
48693 -
48694 - void pnp_fixup_device(struct pnp_dev *dev)
48695 -diff -Nurp linux-2.6.23.15/drivers/pnp/resource.c linux-2.6.23.15-grsec/drivers/pnp/resource.c
48696 ---- linux-2.6.23.15/drivers/pnp/resource.c 2007-10-09 21:31:38.000000000 +0100
48697 -+++ linux-2.6.23.15-grsec/drivers/pnp/resource.c 2008-02-11 10:37:44.000000000 +0000
48698 -@@ -345,7 +345,7 @@ int pnp_check_irq(struct pnp_dev *dev, i
48699 - return 1;
48700 -
48701 - /* check if the resource is valid */
48702 -- if (*irq < 0 || *irq > 15)
48703 -+ if (*irq > 15)
48704 - return 0;
48705 -
48706 - /* check if the resource is reserved */
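Review bot: dropping `*irq < 0` is correct only if `*irq` is unsigned, which the truncated prototype in the hunk header does not show; with a signed type, `*irq > 15` alone would let a negative IRQ value through to the reservation checks below. Confirm the pointed-to type (resource_size_t or unsigned long) in the description; the same applies to the `*dma < 0` removal in the next hunk.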
48707 -@@ -412,7 +412,7 @@ int pnp_check_dma(struct pnp_dev *dev, i
48708 - return 1;
48709 -
48710 - /* check if the resource is valid */
48711 -- if (*dma < 0 || *dma == 4 || *dma > 7)
48712 -+ if (*dma == 4 || *dma > 7)
48713 - return 0;
48714 -
48715 - /* check if the resource is reserved */
48716 -diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_lib.c linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c
48717 ---- linux-2.6.23.15/drivers/scsi/scsi_lib.c 2007-10-09 21:31:38.000000000 +0100
48718 -+++ linux-2.6.23.15-grsec/drivers/scsi/scsi_lib.c 2008-02-11 10:37:44.000000000 +0000
48719 -@@ -44,7 +44,7 @@ struct scsi_host_sg_pool {
48720 - #error SCSI_MAX_PHYS_SEGMENTS is too small
48721 - #endif
48722 -
48723 --#define SP(x) { x, "sgpool-" #x }
48724 -+#define SP(x) { x, "sgpool-" #x, NULL, NULL }
48725 - static struct scsi_host_sg_pool scsi_sg_pools[] = {
48726 - SP(8),
48727 - SP(16),
48728 -diff -Nurp linux-2.6.23.15/drivers/scsi/scsi_logging.h linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h
48729 ---- linux-2.6.23.15/drivers/scsi/scsi_logging.h 2007-10-09 21:31:38.000000000 +0100
48730 -+++ linux-2.6.23.15-grsec/drivers/scsi/scsi_logging.h 2008-02-11 10:37:44.000000000 +0000
48731 -@@ -51,7 +51,7 @@ do { \
48732 - } while (0); \
48733 - } while (0)
48734 - #else
48735 --#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
48736 -+#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
48737 - #endif /* CONFIG_SCSI_LOGGING */
48738 -
48739 - /*
48740 -diff -Nurp linux-2.6.23.15/drivers/serial/8250_pci.c linux-2.6.23.15-grsec/drivers/serial/8250_pci.c
48741 ---- linux-2.6.23.15/drivers/serial/8250_pci.c 2007-10-09 21:31:38.000000000 +0100
48742 -+++ linux-2.6.23.15-grsec/drivers/serial/8250_pci.c 2008-02-11 10:37:44.000000000 +0000
48743 -@@ -2589,7 +2589,7 @@ static struct pci_device_id serial_pci_t
48744 - PCI_ANY_ID, PCI_ANY_ID,
48745 - PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
48746 - 0xffff00, pbn_default },
48747 -- { 0, }
48748 -+ { 0, 0, 0, 0, 0, 0, 0 }
48749 - };
48750 -
48751 - static struct pci_driver serial_pci_driver = {
48752 -diff -Nurp linux-2.6.23.15/drivers/usb/class/cdc-acm.c linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c
48753 ---- linux-2.6.23.15/drivers/usb/class/cdc-acm.c 2007-10-09 21:31:38.000000000 +0100
48754 -+++ linux-2.6.23.15-grsec/drivers/usb/class/cdc-acm.c 2008-02-11 10:37:44.000000000 +0000
48755 -@@ -1199,7 +1199,7 @@ static struct usb_device_id acm_ids[] =
48756 - USB_CDC_ACM_PROTO_AT_CDMA) },
48757 -
48758 - /* NOTE: COMM/ACM/0xff is likely MSFT RNDIS ... NOT a modem!! */
48759 -- { }
48760 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48761 - };
48762 -
48763 - MODULE_DEVICE_TABLE (usb, acm_ids);
48764 -diff -Nurp linux-2.6.23.15/drivers/usb/class/usblp.c linux-2.6.23.15-grsec/drivers/usb/class/usblp.c
48765 ---- linux-2.6.23.15/drivers/usb/class/usblp.c 2007-10-09 21:31:38.000000000 +0100
48766 -+++ linux-2.6.23.15-grsec/drivers/usb/class/usblp.c 2008-02-11 10:37:44.000000000 +0000
48767 -@@ -225,7 +225,7 @@ static const struct quirk_printer_struct
48768 - { 0x0409, 0xf1be, USBLP_QUIRK_BIDIR }, /* NEC Picty800 (HP OEM) */
48769 - { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@×××.de> */
48770 - { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
48771 -- { 0, 0 }
48772 -+ { 0, 0, 0 }
48773 - };
48774 -
48775 - static int usblp_wwait(struct usblp *usblp, int nonblock);
48776 -@@ -1376,7 +1376,7 @@ static struct usb_device_id usblp_ids []
48777 - { USB_INTERFACE_INFO(7, 1, 2) },
48778 - { USB_INTERFACE_INFO(7, 1, 3) },
48779 - { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
48780 -- { } /* Terminating entry */
48781 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
48782 - };
48783 -
48784 - MODULE_DEVICE_TABLE (usb, usblp_ids);
48785 -diff -Nurp linux-2.6.23.15/drivers/usb/core/hub.c linux-2.6.23.15-grsec/drivers/usb/core/hub.c
48786 ---- linux-2.6.23.15/drivers/usb/core/hub.c 2008-02-11 10:36:03.000000000 +0000
48787 -+++ linux-2.6.23.15-grsec/drivers/usb/core/hub.c 2008-02-11 10:37:44.000000000 +0000
48788 -@@ -2762,7 +2762,7 @@ static struct usb_device_id hub_id_table
48789 - .bDeviceClass = USB_CLASS_HUB},
48790 - { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
48791 - .bInterfaceClass = USB_CLASS_HUB},
48792 -- { } /* Terminating entry */
48793 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
48794 - };
48795 -
48796 - MODULE_DEVICE_TABLE (usb, hub_id_table);
48797 -diff -Nurp linux-2.6.23.15/drivers/usb/host/ehci-pci.c linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c
48798 ---- linux-2.6.23.15/drivers/usb/host/ehci-pci.c 2007-10-09 21:31:38.000000000 +0100
48799 -+++ linux-2.6.23.15-grsec/drivers/usb/host/ehci-pci.c 2008-02-11 10:37:44.000000000 +0000
48800 -@@ -377,7 +377,7 @@ static const struct pci_device_id pci_id
48801 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
48802 - .driver_data = (unsigned long) &ehci_pci_hc_driver,
48803 - },
48804 -- { /* end: all zeroes */ }
48805 -+ { 0, 0, 0, 0, 0, 0, 0 }
48806 - };
48807 - MODULE_DEVICE_TABLE(pci, pci_ids);
48808 -
48809 -diff -Nurp linux-2.6.23.15/drivers/usb/host/uhci-hcd.c linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c
48810 ---- linux-2.6.23.15/drivers/usb/host/uhci-hcd.c 2007-10-09 21:31:38.000000000 +0100
48811 -+++ linux-2.6.23.15-grsec/drivers/usb/host/uhci-hcd.c 2008-02-11 10:37:44.000000000 +0000
48812 -@@ -894,7 +894,7 @@ static const struct pci_device_id uhci_p
48813 - /* handle any USB UHCI controller */
48814 - PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
48815 - .driver_data = (unsigned long) &uhci_driver,
48816 -- }, { /* end: all zeroes */ }
48817 -+ }, { 0, 0, 0, 0, 0, 0, 0 }
48818 - };
48819 -
48820 - MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
48821 -diff -Nurp linux-2.6.23.15/drivers/usb/storage/debug.h linux-2.6.23.15-grsec/drivers/usb/storage/debug.h
48822 ---- linux-2.6.23.15/drivers/usb/storage/debug.h 2007-10-09 21:31:38.000000000 +0100
48823 -+++ linux-2.6.23.15-grsec/drivers/usb/storage/debug.h 2008-02-11 10:37:44.000000000 +0000
48824 -@@ -56,9 +56,9 @@ void usb_stor_show_sense( unsigned char
48825 - #define US_DEBUGPX(x...) printk( x )
48826 - #define US_DEBUG(x) x
48827 - #else
48828 --#define US_DEBUGP(x...)
48829 --#define US_DEBUGPX(x...)
48830 --#define US_DEBUG(x)
48831 -+#define US_DEBUGP(x...) do {} while (0)
48832 -+#define US_DEBUGPX(x...) do {} while (0)
48833 -+#define US_DEBUG(x) do {} while (0)
48834 - #endif
48835 -
48836 - #endif
48837 -diff -Nurp linux-2.6.23.15/drivers/usb/storage/usb.c linux-2.6.23.15-grsec/drivers/usb/storage/usb.c
48838 ---- linux-2.6.23.15/drivers/usb/storage/usb.c 2007-10-09 21:31:38.000000000 +0100
48839 -+++ linux-2.6.23.15-grsec/drivers/usb/storage/usb.c 2008-02-11 10:37:44.000000000 +0000
48840 -@@ -134,7 +134,7 @@ static struct usb_device_id storage_usb_
48841 - #undef UNUSUAL_DEV
48842 - #undef USUAL_DEV
48843 - /* Terminating entry */
48844 -- { }
48845 -+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
48846 - };
48847 -
48848 - MODULE_DEVICE_TABLE (usb, storage_usb_ids);
48849 -@@ -174,7 +174,7 @@ static struct us_unusual_dev us_unusual_
48850 - # undef USUAL_DEV
48851 -
48852 - /* Terminating entry */
48853 -- { NULL }
48854 -+ { NULL, NULL, 0, 0, NULL }
48855 - };
48856 -
48857 -
48858 -diff -Nurp linux-2.6.23.15/drivers/video/fbcmap.c linux-2.6.23.15-grsec/drivers/video/fbcmap.c
48859 ---- linux-2.6.23.15/drivers/video/fbcmap.c 2007-10-09 21:31:38.000000000 +0100
48860 -+++ linux-2.6.23.15-grsec/drivers/video/fbcmap.c 2008-02-11 10:37:44.000000000 +0000
48861 -@@ -251,8 +251,7 @@ int fb_set_user_cmap(struct fb_cmap_user
48862 - int rc, size = cmap->len * sizeof(u16);
48863 - struct fb_cmap umap;
48864 -
48865 -- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
48866 -- !info->fbops->fb_setcmap))
48867 -+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap)
48868 - return -EINVAL;
48869 -
48870 - memset(&umap, 0, sizeof(struct fb_cmap));
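Review bot: dropping the `cmap->start < 0` half of the test is only correct if `start` in `struct fb_cmap_user` is an unsigned type (which would make the old test always false and a compiler warning the real motivation); the hunk does not show the struct, so the patch description should state that. Since this leaves `-EINVAL` only for missing `fb_setcolreg`/`fb_setcmap` ops, please also confirm that the `start + len` range check against the driver's palette size still happens further down, as it is the only remaining bound on the user-supplied index.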
48871 -diff -Nurp linux-2.6.23.15/drivers/video/fbmem.c linux-2.6.23.15-grsec/drivers/video/fbmem.c
48872 ---- linux-2.6.23.15/drivers/video/fbmem.c 2007-10-09 21:31:38.000000000 +0100
48873 -+++ linux-2.6.23.15-grsec/drivers/video/fbmem.c 2008-02-11 10:37:44.000000000 +0000
48874 -@@ -394,7 +394,7 @@ static void fb_do_show_logo(struct fb_in
48875 - image->dx += image->width + 8;
48876 - }
48877 - } else if (rotate == FB_ROTATE_UD) {
48878 -- for (x = 0; x < num && image->dx >= 0; x++) {
48879 -+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
48880 - info->fbops->fb_imageblit(info, image);
48881 - image->dx -= image->width + 8;
48882 - }
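Review bot: the `(__s32)image->dx >= 0` cast turns an always-true unsigned comparison into a real termination test, since `dx` wraps below zero after `image->dx -= image->width + 8` and the uncast loop would keep blitting at a wrapped coordinate until `num` is exhausted. A one-line comment at the loop saying that it deliberately reinterprets the unsigned wrap as negative would stop the next reader from removing the cast as a spurious one; the same comment belongs on the `dy` loop in the following hunk.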
48883 -@@ -406,7 +406,7 @@ static void fb_do_show_logo(struct fb_in
48884 - image->dy += image->height + 8;
48885 - }
48886 - } else if (rotate == FB_ROTATE_CCW) {
48887 -- for (x = 0; x < num && image->dy >= 0; x++) {
48888 -+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
48889 - info->fbops->fb_imageblit(info, image);
48890 - image->dy -= image->height + 8;
48891 - }
48892 -@@ -1057,9 +1057,9 @@ fb_ioctl(struct inode *inode, struct fil
48893 - case FBIOPUT_CON2FBMAP:
48894 - if (copy_from_user(&con2fb, argp, sizeof(con2fb)))
48895 - return - EFAULT;
48896 -- if (con2fb.console < 0 || con2fb.console > MAX_NR_CONSOLES)
48897 -+ if (con2fb.console > MAX_NR_CONSOLES)
48898 - return -EINVAL;
48899 -- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
48900 -+ if (con2fb.framebuffer >= FB_MAX)
48901 - return -EINVAL;
48902 - #ifdef CONFIG_KMOD
48903 - if (!registered_fb[con2fb.framebuffer])
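Review bot: removing the `< 0` halves of the two range checks is only safe if `console` and `framebuffer` in `struct fb_con2fbmap` are unsigned; nothing in the hunk shows that, so the description should say so. While touching these lines, note the asymmetry that is preserved here: `console` is rejected only when `> MAX_NR_CONSOLES` while `framebuffer` is rejected when `>= FB_MAX`. If the console index is deliberately 1-based that is fine, but a comment would make it clear that the differing operators are intentional rather than an off-by-one.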
48904 -diff -Nurp linux-2.6.23.15/drivers/video/fbmon.c linux-2.6.23.15-grsec/drivers/video/fbmon.c
48905 ---- linux-2.6.23.15/drivers/video/fbmon.c 2007-10-09 21:31:38.000000000 +0100
48906 -+++ linux-2.6.23.15-grsec/drivers/video/fbmon.c 2008-02-11 10:37:44.000000000 +0000
48907 -@@ -45,7 +45,7 @@
48908 - #ifdef DEBUG
48909 - #define DPRINTK(fmt, args...) printk(fmt,## args)
48910 - #else
48911 --#define DPRINTK(fmt, args...)
48912 -+#define DPRINTK(fmt, args...) do {} while (0)
48913 - #endif
48914 -
48915 - #define FBMON_FIX_HEADER 1
48916 -diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_accel.c linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c
48917 ---- linux-2.6.23.15/drivers/video/i810/i810_accel.c 2007-10-09 21:31:38.000000000 +0100
48918 -+++ linux-2.6.23.15-grsec/drivers/video/i810/i810_accel.c 2008-02-11 10:37:44.000000000 +0000
48919 -@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
48920 - }
48921 - }
48922 - printk("ringbuffer lockup!!!\n");
48923 -+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
48924 - i810_report_error(mmio);
48925 - par->dev_flags |= LOCKUP;
48926 - info->pixmap.scan_align = 1;
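Review bot: the new `printk` carries no `KERN_*` level, so its priority depends on the default log level; as it is emitted on the same lockup path as the `ringbuffer lockup!!!` message above it, give it (and ideally the existing message) `KERN_ERR` so both lines are routed together.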
48927 -diff -Nurp linux-2.6.23.15/drivers/video/i810/i810_main.c linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c
48928 ---- linux-2.6.23.15/drivers/video/i810/i810_main.c 2007-10-09 21:31:38.000000000 +0100
48929 -+++ linux-2.6.23.15-grsec/drivers/video/i810/i810_main.c 2008-02-11 10:37:44.000000000 +0000
48930 -@@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
48931 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
48932 - { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
48933 - PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
48934 -- { 0 },
48935 -+ { 0, 0, 0, 0, 0, 0, 0 },
48936 - };
48937 -
48938 - static struct pci_driver i810fb_driver = {
48939 -@@ -1509,7 +1509,7 @@ static int i810fb_cursor(struct fb_info
48940 - int size = ((cursor->image.width + 7) >> 3) *
48941 - cursor->image.height;
48942 - int i;
48943 -- u8 *data = kmalloc(64 * 8, GFP_ATOMIC);
48944 -+ u8 *data = kmalloc(64 * 8, GFP_KERNEL);
48945 -
48946 - if (data == NULL)
48947 - return -ENOMEM;
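Review bot: switching the `kmalloc` from `GFP_ATOMIC` to `GFP_KERNEL` allows the allocation to sleep, which is only legal if `i810fb_cursor` is never entered with a spinlock held or from interrupt or timer context. The hunk shows nothing about the calling context, so the patch description should explain why the `fb_cursor` callback is known to run in sleepable process context in this kernel; otherwise the original `GFP_ATOMIC` should stay.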
48948 -diff -Nurp linux-2.6.23.15/drivers/video/modedb.c linux-2.6.23.15-grsec/drivers/video/modedb.c
48949 ---- linux-2.6.23.15/drivers/video/modedb.c 2007-10-09 21:31:38.000000000 +0100
48950 -+++ linux-2.6.23.15-grsec/drivers/video/modedb.c 2008-02-11 10:37:44.000000000 +0000
48951 -@@ -37,228 +37,228 @@ static const struct fb_videomode modedb[
48952 - {
48953 - /* 640x400 @ 70 Hz, 31.5 kHz hsync */
48954 - NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
48955 -- 0, FB_VMODE_NONINTERLACED
48956 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48957 - }, {
48958 - /* 640x480 @ 60 Hz, 31.5 kHz hsync */
48959 - NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
48960 -- 0, FB_VMODE_NONINTERLACED
48961 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48962 - }, {
48963 - /* 800x600 @ 56 Hz, 35.15 kHz hsync */
48964 - NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
48965 -- 0, FB_VMODE_NONINTERLACED
48966 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48967 - }, {
48968 - /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
48969 - NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
48970 -- 0, FB_VMODE_INTERLACED
48971 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
48972 - }, {
48973 - /* 640x400 @ 85 Hz, 37.86 kHz hsync */
48974 - NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
48975 -- FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
48976 -+ FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48977 - }, {
48978 - /* 640x480 @ 72 Hz, 36.5 kHz hsync */
48979 - NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
48980 -- 0, FB_VMODE_NONINTERLACED
48981 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48982 - }, {
48983 - /* 640x480 @ 75 Hz, 37.50 kHz hsync */
48984 - NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
48985 -- 0, FB_VMODE_NONINTERLACED
48986 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48987 - }, {
48988 - /* 800x600 @ 60 Hz, 37.8 kHz hsync */
48989 - NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
48990 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
48991 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48992 - }, {
48993 - /* 640x480 @ 85 Hz, 43.27 kHz hsync */
48994 - NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
48995 -- 0, FB_VMODE_NONINTERLACED
48996 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
48997 - }, {
48998 - /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
48999 - NULL, 69, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
49000 -- 0, FB_VMODE_INTERLACED
49001 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
49002 - }, {
49003 - /* 800x600 @ 72 Hz, 48.0 kHz hsync */
49004 - NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
49005 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49006 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49007 - }, {
49008 - /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
49009 - NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
49010 -- 0, FB_VMODE_NONINTERLACED
49011 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49012 - }, {
49013 - /* 640x480 @ 100 Hz, 53.01 kHz hsync */
49014 - NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
49015 -- 0, FB_VMODE_NONINTERLACED
49016 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49017 - }, {
49018 - /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
49019 - NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
49020 -- 0, FB_VMODE_NONINTERLACED
49021 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49022 - }, {
49023 - /* 800x600 @ 85 Hz, 55.84 kHz hsync */
49024 - NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
49025 -- 0, FB_VMODE_NONINTERLACED
49026 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49027 - }, {
49028 - /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
49029 - NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
49030 -- 0, FB_VMODE_NONINTERLACED
49031 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49032 - }, {
49033 - /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
49034 - NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
49035 -- 0, FB_VMODE_INTERLACED
49036 -+ 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
49037 - }, {
49038 - /* 800x600 @ 100 Hz, 64.02 kHz hsync */
49039 - NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
49040 -- 0, FB_VMODE_NONINTERLACED
49041 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49042 - }, {
49043 - /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
49044 - NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
49045 -- 0, FB_VMODE_NONINTERLACED
49046 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49047 - }, {
49048 - /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
49049 - NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
49050 -- 0, FB_VMODE_NONINTERLACED
49051 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49052 - }, {
49053 - /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
49054 - NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
49055 -- 0, FB_VMODE_NONINTERLACED
49056 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49057 - }, {
49058 - /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
49059 - NULL, 68, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
49060 -- 0, FB_VMODE_NONINTERLACED
49061 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49062 - }, {
49063 - /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
49064 - NULL, 75, 1400, 1050, 9271, 120, 56, 13, 0, 112, 3,
49065 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49066 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49067 - }, {
49068 - /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
49069 - NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
49070 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49071 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49072 - }, {
49073 - /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
49074 - NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
49075 -- 0, FB_VMODE_NONINTERLACED
49076 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49077 - }, {
49078 - /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
49079 - NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
49080 -- 0, FB_VMODE_NONINTERLACED
49081 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49082 - }, {
49083 - /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
49084 - NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
49085 -- 0, FB_VMODE_NONINTERLACED
49086 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49087 - }, {
49088 - /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
49089 - NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
49090 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49091 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49092 - }, {
49093 - /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
49094 - NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
49095 -- 0, FB_VMODE_NONINTERLACED
49096 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49097 - }, {
49098 - /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
49099 - NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
49100 -- 0, FB_VMODE_NONINTERLACED
49101 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49102 - }, {
49103 - /* 1024x768 @ 100Hz, 80.21 kHz hsync */
49104 - NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
49105 -- 0, FB_VMODE_NONINTERLACED
49106 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49107 - }, {
49108 - /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
49109 - NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
49110 -- 0, FB_VMODE_NONINTERLACED
49111 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49112 - }, {
49113 - /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
49114 - NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
49115 -- 0, FB_VMODE_NONINTERLACED
49116 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49117 - }, {
49118 - /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
49119 - NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
49120 -- 0, FB_VMODE_NONINTERLACED
49121 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49122 - }, {
49123 - /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
49124 - NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
49125 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49126 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49127 - }, {
49128 - /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
49129 - NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
49130 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49131 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49132 - }, {
49133 - /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
49134 - NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
49135 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49136 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49137 - }, {
49138 - /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
49139 - NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
49140 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49141 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49142 - }, {
49143 - /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
49144 - NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
49145 -- 0, FB_VMODE_NONINTERLACED
49146 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49147 - }, {
49148 - /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
49149 - NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
49150 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49151 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49152 - }, {
49153 - /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
49154 - NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
49155 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49156 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49157 - }, {
49158 - /* 512x384 @ 78 Hz, 31.50 kHz hsync */
49159 - NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
49160 -- 0, FB_VMODE_NONINTERLACED
49161 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49162 - }, {
49163 - /* 512x384 @ 85 Hz, 34.38 kHz hsync */
49164 - NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
49165 -- 0, FB_VMODE_NONINTERLACED
49166 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49167 - }, {
49168 - /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
49169 - NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
49170 -- 0, FB_VMODE_DOUBLE
49171 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49172 - }, {
49173 - /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
49174 - NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
49175 -- 0, FB_VMODE_DOUBLE
49176 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49177 - }, {
49178 - /* 320x240 @ 72 Hz, 36.5 kHz hsync */
49179 - NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
49180 -- 0, FB_VMODE_DOUBLE
49181 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49182 - }, {
49183 - /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
49184 - NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
49185 -- 0, FB_VMODE_DOUBLE
49186 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49187 - }, {
49188 - /* 400x300 @ 60 Hz, 37.8 kHz hsync */
49189 - NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
49190 -- 0, FB_VMODE_DOUBLE
49191 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49192 - }, {
49193 - /* 400x300 @ 72 Hz, 48.0 kHz hsync */
49194 - NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
49195 -- 0, FB_VMODE_DOUBLE
49196 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49197 - }, {
49198 - /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
49199 - NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
49200 -- 0, FB_VMODE_DOUBLE
49201 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49202 - }, {
49203 - /* 480x300 @ 60 Hz, 37.8 kHz hsync */
49204 - NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
49205 -- 0, FB_VMODE_DOUBLE
49206 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49207 - }, {
49208 - /* 480x300 @ 63 Hz, 39.6 kHz hsync */
49209 - NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
49210 -- 0, FB_VMODE_DOUBLE
49211 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49212 - }, {
49213 - /* 480x300 @ 72 Hz, 48.0 kHz hsync */
49214 - NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
49215 -- 0, FB_VMODE_DOUBLE
49216 -+ 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
49217 - }, {
49218 - /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
49219 - NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
49220 - FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
49221 -- FB_VMODE_NONINTERLACED
49222 -+ FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49223 - }, {
49224 - /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
49225 - NULL, 60, 1152, 768, 15386, 158, 26, 29, 3, 136, 6,
49226 -- FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
49227 -+ FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49228 - }, {
49229 - /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
49230 - NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
49231 -- 0, FB_VMODE_NONINTERLACED
49232 -+ 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
49233 - },
49234 - };
49235 -
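Review bot: this 200-line hunk only appends an explicit `FB_MODE_IS_UNKNOWN` value for the trailing member of every positional initializer, again to silence a missing-initializer warning; converting the table to designated initializers would make the next member change a one-line edit rather than a table-wide rewrite. Since every entry is being touched anyway, the two entries whose comment and refresh value disagree could be fixed in the same pass: `1152x864 @ 89 Hz interlaced` carries `69`, and `1400x1050 @ 60Hz, 63.9 kHz hsync` carries `68`.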
49236 -diff -Nurp linux-2.6.23.15/drivers/video/vesafb.c linux-2.6.23.15-grsec/drivers/video/vesafb.c
49237 ---- linux-2.6.23.15/drivers/video/vesafb.c 2007-10-09 21:31:38.000000000 +0100
49238 -+++ linux-2.6.23.15-grsec/drivers/video/vesafb.c 2008-02-11 10:37:44.000000000 +0000
49239 -@@ -9,6 +9,7 @@
49240 - */
49241 -
49242 - #include <linux/module.h>
49243 -+#include <linux/moduleloader.h>
49244 - #include <linux/kernel.h>
49245 - #include <linux/errno.h>
49246 - #include <linux/string.h>
49247 -@@ -224,6 +225,7 @@ static int __init vesafb_probe(struct pl
49248 - unsigned int size_vmode;
49249 - unsigned int size_remap;
49250 - unsigned int size_total;
49251 -+ void *pmi_code = NULL;
49252 -
49253 - if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
49254 - return -ENODEV;
49255 -@@ -266,10 +268,6 @@ static int __init vesafb_probe(struct pl
49256 - size_remap = size_total;
49257 - vesafb_fix.smem_len = size_remap;
49258 -
49259 --#ifndef __i386__
49260 -- screen_info.vesapm_seg = 0;
49261 --#endif
49262 --
49263 - if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
49264 - printk(KERN_WARNING
49265 - "vesafb: cannot reserve video memory at 0x%lx\n",
49266 -@@ -302,9 +300,21 @@ static int __init vesafb_probe(struct pl
49267 - printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
49268 - vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
49269 -
49270 -+#ifdef __i386__
49271 -+
49272 -+#ifdef CONFIG_PAX_KERNEXEC
49273 -+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
49274 -+ if (!pmi_code)
49275 -+#else
49276 -+ if (0)
49277 -+#endif
49278 -+
49279 -+#endif
49280 -+ screen_info.vesapm_seg = 0;
49281 -+
49282 - if (screen_info.vesapm_seg) {
49283 -- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
49284 -- screen_info.vesapm_seg,screen_info.vesapm_off);
49285 -+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
49286 -+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
49287 - }
49288 -
49289 - if (screen_info.vesapm_seg < 0xc000)
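Review bot: the `#ifdef __i386__` / `#ifdef CONFIG_PAX_KERNEXEC` block ends in a bare `if (!pmi_code)` or `if (0)` whose body is the `screen_info.vesapm_seg = 0;` line outside all the conditionals, so the three cases (i386 with KERNEXEC: clear on allocation failure; i386 without: no-op; other arches: unconditional clear, replacing the `#ifndef __i386__` block removed in the previous hunk) can only be seen by expanding the preprocessor by hand. Spelling each case out as its own `#if` block containing the full statement would be much easier to audit. Separately, `module_alloc_exec()` is called with the BIOS-supplied `screen_info.vesapm_size` before the `vesapm_seg < 0xc000` sanity check that follows and before the `if (ypan || pmi_setpal)` block in the next hunk where the buffer is first used; moving the allocation inside that block, after validating `vesapm_size` is non-zero and bounded, avoids allocating an executable region that may never be used and is never freed on the success path.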
49290 -@@ -312,9 +322,29 @@ static int __init vesafb_probe(struct pl
49291 -
49292 - if (ypan || pmi_setpal) {
49293 - unsigned short *pmi_base;
49294 -- pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
49295 -- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
49296 -- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
49297 -+
49298 -+#ifdef CONFIG_PAX_KERNEXEC
49299 -+ unsigned long cr0;
49300 -+#endif
49301 -+
49302 -+ pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
49303 -+
49304 -+#ifdef CONFIG_PAX_KERNEXEC
49305 -+ pax_open_kernel(cr0);
49306 -+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
49307 -+ pax_close_kernel(cr0);
49308 -+#else
49309 -+ pmi_code = pmi_base;
49310 -+#endif
49311 -+
49312 -+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
49313 -+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
49314 -+
49315 -+#ifdef CONFIG_PAX_KERNEXEC
49316 -+ pmi_start -= __KERNEL_TEXT_OFFSET;
49317 -+ pmi_pal -= __KERNEL_TEXT_OFFSET;
49318 -+#endif
49319 -+
49320 - printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
49321 - if (pmi_base[3]) {
49322 - printk(KERN_INFO "vesafb: pmi: ports = ");
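Review bot: `pmi_base[1]` and `pmi_base[2]` are BIOS-supplied offsets that are added to `pmi_code` without being compared against `screen_info.vesapm_size`, the number of bytes that was just copied into the executable allocation; under KERNEXEC an out-of-range offset now yields a function pointer past the end of a fresh `module_alloc_exec()` region rather than into the BIOS image, which is a different (and worse) failure. Bounds-check both offsets, and the port table reached through `pmi_base[3]` below, against `vesapm_size` before forming `pmi_start` and `pmi_pal`. A comment on the two `-= __KERNEL_TEXT_OFFSET` adjustments explaining why they apply only to the KERNEXEC copy (outside KERNEXEC `pmi_code` simply aliases `pmi_base`) would also help.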
49323 -@@ -456,6 +486,11 @@ static int __init vesafb_probe(struct pl
49324 - info->node, info->fix.id);
49325 - return 0;
49326 - err:
49327 -+
49328 -+#ifdef CONFIG_PAX_KERNEXEC
49329 -+ module_free_exec(NULL, pmi_code);
49330 -+#endif
49331 -+
49332 - if (info->screen_base)
49333 - iounmap(info->screen_base);
49334 - framebuffer_release(info);
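Review bot: `module_free_exec(NULL, pmi_code)` is reached from every `goto err`, including those taken before the allocation in the earlier hunk, where `pmi_code` is still the `NULL` it was initialised to; it must therefore tolerate a NULL argument, otherwise guard it with `if (pmi_code)`. In the non-KERNEXEC build `pmi_code` aliases `pmi_base` and is correctly not freed here, but note that the success path (`return 0` above) never releases the executable copy either; if that is intentional because the PMI code lives for the lifetime of the driver, a comment at the allocation site should say so.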
49335 -diff -Nurp linux-2.6.23.15/fs/Kconfig linux-2.6.23.15-grsec/fs/Kconfig
49336 ---- linux-2.6.23.15/fs/Kconfig 2007-10-09 21:31:38.000000000 +0100
49337 -+++ linux-2.6.23.15-grsec/fs/Kconfig 2008-02-11 10:37:44.000000000 +0000
49338 -@@ -909,7 +909,7 @@ config PROC_FS
49339 -
49340 - config PROC_KCORE
49341 - bool "/proc/kcore support" if !ARM
49342 -- depends on PROC_FS && MMU
49343 -+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
49344 -
49345 - config PROC_VMCORE
49346 - bool "/proc/vmcore support (EXPERIMENTAL)"
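Review bot: adding `!GRKERNSEC_PROC_ADD` to the `depends on` line silently hides `/proc/kcore` support whenever the grsecurity option is enabled, so an existing `.config` with `PROC_KCORE=y` loses it on `oldconfig` without any message; mention the interaction in the `GRKERNSEC_PROC_ADD` help text (or here) so users understand why `/proc/kcore` disappeared.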
49347 -diff -Nurp linux-2.6.23.15/fs/binfmt_aout.c linux-2.6.23.15-grsec/fs/binfmt_aout.c
49348 ---- linux-2.6.23.15/fs/binfmt_aout.c 2007-10-09 21:31:38.000000000 +0100
49349 -+++ linux-2.6.23.15-grsec/fs/binfmt_aout.c 2008-02-11 10:37:44.000000000 +0000
49350 -@@ -24,6 +24,7 @@
49351 - #include <linux/binfmts.h>
49352 - #include <linux/personality.h>
49353 - #include <linux/init.h>
49354 -+#include <linux/grsecurity.h>
49355 -
49356 - #include <asm/system.h>
49357 - #include <asm/uaccess.h>
49358 -@@ -123,10 +124,12 @@ static int aout_core_dump(long signr, st
49359 - /* If the size of the dump file exceeds the rlimit, then see what would happen
49360 - if we wrote the stack, but not the data area. */
49361 - #ifdef __sparc__
49362 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_dsize+dump.u_ssize, 1);
49363 - if ((dump.u_dsize+dump.u_ssize) >
49364 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49365 - dump.u_dsize = 0;
49366 - #else
49367 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE, 1);
49368 - if ((dump.u_dsize+dump.u_ssize+1) * PAGE_SIZE >
49369 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49370 - dump.u_dsize = 0;
49371 -@@ -134,10 +137,12 @@ static int aout_core_dump(long signr, st
49372 -
49373 - /* Make sure we have enough room to write the stack and data areas. */
49374 - #ifdef __sparc__
49375 -+ gr_learn_resource(current, RLIMIT_CORE, dump.u_ssize, 1);
49376 - if ((dump.u_ssize) >
49377 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49378 - dump.u_ssize = 0;
49379 - #else
49380 -+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize+1) * PAGE_SIZE, 1);
49381 - if ((dump.u_ssize+1) * PAGE_SIZE >
49382 - current->signal->rlim[RLIMIT_CORE].rlim_cur)
49383 - dump.u_ssize = 0;
49384 -@@ -294,6 +299,8 @@ static int load_aout_binary(struct linux
49385 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
49386 - if (rlim >= RLIM_INFINITY)
49387 - rlim = ~0;
49388 -+
49389 -+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
49390 - if (ex.a_data + ex.a_bss > rlim)
49391 - return -ENOMEM;
49392 -
49393 -@@ -326,6 +333,28 @@ static int load_aout_binary(struct linux
49394 - current->mm->mmap = NULL;
49395 - compute_creds(bprm);
49396 - current->flags &= ~PF_FORKNOEXEC;
49397 -+
49398 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49399 -+ current->mm->pax_flags = 0UL;
49400 -+#endif
49401 -+
49402 -+#ifdef CONFIG_PAX_PAGEEXEC
49403 -+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
49404 -+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
49405 -+
49406 -+#ifdef CONFIG_PAX_EMUTRAMP
49407 -+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
49408 -+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
49409 -+#endif
49410 -+
49411 -+#ifdef CONFIG_PAX_MPROTECT
49412 -+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
49413 -+ current->mm->pax_flags |= MF_PAX_MPROTECT;
49414 -+#endif
49415 -+
49416 -+ }
49417 -+#endif
49418 -+
49419 - #ifdef __sparc__
49420 - if (N_MAGIC(ex) == NMAGIC) {
49421 - loff_t pos = fd_offset;
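Review bot: `pax_flags` is cleared under `CONFIG_PAX_NOEXEC || CONFIG_PAX_ASLR`, but only the PAGEEXEC, EMUTRAMP and MPROTECT bits are ever set here, and EMUTRAMP/MPROTECT only inside the PAGEEXEC block, so a build with `CONFIG_PAX_MPROTECT` but without `CONFIG_PAX_PAGEEXEC` gives a.out binaries no MPROTECT, and no ASLR flag is set for a.out at all. If that is deliberate for this legacy format, a short comment saying so will stop it being reported as a bug. The comment should also record the header bit polarity visible in the hunk: `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` set in `N_FLAGS(ex)` mean *disable*, while `F_PAX_EMUTRAMP` set means *enable*.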
49422 -@@ -421,7 +450,7 @@ static int load_aout_binary(struct linux
49423 -
49424 - down_write(&current->mm->mmap_sem);
49425 - error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
49426 -- PROT_READ | PROT_WRITE | PROT_EXEC,
49427 -+ PROT_READ | PROT_WRITE,
49428 - MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
49429 - fd_offset + ex.a_text);
49430 - up_write(&current->mm->mmap_sem);
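Review bot: dropping `PROT_EXEC` from the data-segment `do_mmap` is unconditional rather than gated by any `CONFIG_PAX_*` option, so every a.out binary that executes from its data segment stops working in this build regardless of configuration, and the `MAP_EXECUTABLE` flag left on the same call now contradicts the protection. Either tie the change to the `MF_PAX_PAGEEXEC` decision made in the previous hunk or call the behaviour change out explicitly in the patch description.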
49431 -diff -Nurp linux-2.6.23.15/fs/binfmt_elf.c linux-2.6.23.15-grsec/fs/binfmt_elf.c
49432 ---- linux-2.6.23.15/fs/binfmt_elf.c 2007-10-09 21:31:38.000000000 +0100
49433 -+++ linux-2.6.23.15-grsec/fs/binfmt_elf.c 2008-02-11 10:37:44.000000000 +0000
49434 -@@ -39,10 +39,21 @@
49435 - #include <linux/random.h>
49436 - #include <linux/elf.h>
49437 - #include <linux/utsname.h>
49438 -+#include <linux/grsecurity.h>
49439 -+
49440 - #include <asm/uaccess.h>
49441 - #include <asm/param.h>
49442 - #include <asm/page.h>
49443 -
49444 -+#ifdef CONFIG_PAX_SEGMEXEC
49445 -+#include <asm/desc.h>
49446 -+#endif
49447 -+
49448 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
49449 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
49450 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
49451 -+#endif
49452 -+
49453 - static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
49454 - static int load_elf_library(struct file *);
49455 - static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
49456 -@@ -84,6 +95,8 @@ static struct linux_binfmt elf_format =
49457 -
49458 - static int set_brk(unsigned long start, unsigned long end)
49459 - {
49460 -+ unsigned long e = end;
49461 -+
49462 - start = ELF_PAGEALIGN(start);
49463 - end = ELF_PAGEALIGN(end);
49464 - if (end > start) {
49465 -@@ -94,7 +107,7 @@ static int set_brk(unsigned long start,
49466 - if (BAD_ADDR(addr))
49467 - return addr;
49468 - }
49469 -- current->mm->start_brk = current->mm->brk = end;
49470 -+ current->mm->start_brk = current->mm->brk = e;
49471 - return 0;
49472 - }
49473 -
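Review bot: `set_brk` now publishes the unaligned `e` rather than the page-aligned `end` as `start_brk`/`brk`; the mapping is still created up to the aligned `end`, so the pages exist, but the reason for exposing the unaligned value is not stated anywhere in the hunk, and any code assuming `brk` is page-aligned will now see a different value. Add a comment explaining the intent so the `e` temporary is not folded back into `end` by a later cleanup.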
49474 -@@ -325,10 +338,9 @@ static unsigned long load_elf_interp(str
49475 - {
49476 - struct elf_phdr *elf_phdata;
49477 - struct elf_phdr *eppnt;
49478 -- unsigned long load_addr = 0;
49479 -- int load_addr_set = 0;
49480 -+ unsigned long load_addr = 0, min_addr, max_addr, task_size = TASK_SIZE;
49481 - unsigned long last_bss = 0, elf_bss = 0;
49482 -- unsigned long error = ~0UL;
49483 -+ unsigned long error = -EINVAL;
49484 - int retval, i, size;
49485 -
49486 - /* First of all, some simple consistency checks */
49487 -@@ -367,66 +379,86 @@ static unsigned long load_elf_interp(str
49488 - goto out_close;
49489 - }
49490 -
49491 -+#ifdef CONFIG_PAX_SEGMEXEC
49492 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
49493 -+ task_size = SEGMEXEC_TASK_SIZE;
49494 -+#endif
49495 -+
49496 - eppnt = elf_phdata;
49497 -+ min_addr = task_size;
49498 -+ max_addr = 0;
49499 -+ error = -ENOMEM;
49500 -+
49501 - for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
49502 -- if (eppnt->p_type == PT_LOAD) {
49503 -- int elf_type = MAP_PRIVATE | MAP_DENYWRITE;
49504 -- int elf_prot = 0;
49505 -- unsigned long vaddr = 0;
49506 -- unsigned long k, map_addr;
49507 --
49508 -- if (eppnt->p_flags & PF_R)
49509 -- elf_prot = PROT_READ;
49510 -- if (eppnt->p_flags & PF_W)
49511 -- elf_prot |= PROT_WRITE;
49512 -- if (eppnt->p_flags & PF_X)
49513 -- elf_prot |= PROT_EXEC;
49514 -- vaddr = eppnt->p_vaddr;
49515 -- if (interp_elf_ex->e_type == ET_EXEC || load_addr_set)
49516 -- elf_type |= MAP_FIXED;
49517 --
49518 -- map_addr = elf_map(interpreter, load_addr + vaddr,
49519 -- eppnt, elf_prot, elf_type);
49520 -- error = map_addr;
49521 -- if (BAD_ADDR(map_addr))
49522 -- goto out_close;
49523 --
49524 -- if (!load_addr_set &&
49525 -- interp_elf_ex->e_type == ET_DYN) {
49526 -- load_addr = map_addr - ELF_PAGESTART(vaddr);
49527 -- load_addr_set = 1;
49528 -- }
49529 -+ if (eppnt->p_type != PT_LOAD)
49530 -+ continue;
49531 -
49532 -- /*
49533 -- * Check to see if the section's size will overflow the
49534 -- * allowed task size. Note that p_filesz must always be
49535 -- * <= p_memsize so it's only necessary to check p_memsz.
49536 -- */
49537 -- k = load_addr + eppnt->p_vaddr;
49538 -- if (BAD_ADDR(k) ||
49539 -- eppnt->p_filesz > eppnt->p_memsz ||
49540 -- eppnt->p_memsz > TASK_SIZE ||
49541 -- TASK_SIZE - eppnt->p_memsz < k) {
49542 -- error = -ENOMEM;
49543 -- goto out_close;
49544 -- }
49545 -+ /*
49546 -+ * Check to see if the section's size will overflow the
49547 -+ * allowed task size. Note that p_filesz must always be
49548 -+ * <= p_memsize so it is only necessary to check p_memsz.
49549 -+ */
49550 -+ if (eppnt->p_filesz > eppnt->p_memsz || eppnt->p_vaddr >= eppnt->p_vaddr + eppnt->p_memsz)
49551 -+ goto out_close;
49552 -
49553 -- /*
49554 -- * Find the end of the file mapping for this phdr, and
49555 -- * keep track of the largest address we see for this.
49556 -- */
49557 -- k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
49558 -- if (k > elf_bss)
49559 -- elf_bss = k;
49560 -+ if (min_addr > ELF_PAGESTART(eppnt->p_vaddr))
49561 -+ min_addr = ELF_PAGESTART(eppnt->p_vaddr);
49562 -+ if (max_addr < ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz))
49563 -+ max_addr = ELF_PAGEALIGN(eppnt->p_vaddr + eppnt->p_memsz);
49564 -+ }
49565 -+ if (min_addr >= max_addr || max_addr > task_size)
49566 -+ goto out_close;
49567 -
49568 -- /*
49569 -- * Do the same thing for the memory mapping - between
49570 -- * elf_bss and last_bss is the bss section.
49571 -- */
49572 -- k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
49573 -- if (k > last_bss)
49574 -- last_bss = k;
49575 -- }
49576 -+ if (interp_elf_ex->e_type == ET_DYN) {
49577 -+ load_addr = get_unmapped_area(interpreter, 0, max_addr - min_addr, 0, MAP_PRIVATE | MAP_EXECUTABLE);
49578 -+
49579 -+ if (load_addr >= task_size)
49580 -+ goto out_close;
49581 -+
49582 -+ load_addr -= min_addr;
49583 -+ }
49584 -+
49585 -+ eppnt = elf_phdata;
49586 -+ for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
49587 -+ int elf_type = MAP_PRIVATE | MAP_DENYWRITE | MAP_FIXED;
49588 -+ int elf_prot = 0;
49589 -+ unsigned long vaddr = 0;
49590 -+ unsigned long k, map_addr;
49591 -+
49592 -+ if (eppnt->p_type != PT_LOAD)
49593 -+ continue;
49594 -+
49595 -+ if (eppnt->p_flags & PF_R)
49596 -+ elf_prot = PROT_READ;
49597 -+ if (eppnt->p_flags & PF_W)
49598 -+ elf_prot |= PROT_WRITE;
49599 -+ if (eppnt->p_flags & PF_X)
49600 -+ elf_prot |= PROT_EXEC;
49601 -+ vaddr = eppnt->p_vaddr;
49602 -+
49603 -+ map_addr = elf_map(interpreter, load_addr + vaddr,
49604 -+ eppnt, elf_prot, elf_type);
49605 -+ error = map_addr;
49606 -+ if (BAD_ADDR(map_addr))
49607 -+ goto out_close;
49608 -+
49609 -+ k = load_addr + eppnt->p_vaddr;
49610 -+
49611 -+ /*
49612 -+ * Find the end of the file mapping for this phdr, and
49613 -+ * keep track of the largest address we see for this.
49614 -+ */
49615 -+ k = load_addr + eppnt->p_vaddr + eppnt->p_filesz;
49616 -+ if (k > elf_bss)
49617 -+ elf_bss = k;
49618 -+
49619 -+ /*
49620 -+ * Do the same thing for the memory mapping - between
49621 -+ * elf_bss and last_bss is the bss section.
49622 -+ */
49623 -+ k = load_addr + eppnt->p_memsz + eppnt->p_vaddr;
49624 -+ if (k > last_bss)
49625 -+ last_bss = k;
49626 - }
49627 -
49628 - /*
49629 -@@ -454,6 +486,8 @@ static unsigned long load_elf_interp(str
49630 -
49631 - *interp_load_addr = load_addr;
49632 - error = ((unsigned long)interp_elf_ex->e_entry) + load_addr;
49633 -+ if (BAD_ADDR(error))
49634 -+ error = -EFAULT;
49635 -
49636 - out_close:
49637 - kfree(elf_phdata);
49638 -@@ -464,7 +498,7 @@ out:
49639 - static unsigned long load_aout_interp(struct exec *interp_ex,
49640 - struct file *interpreter)
49641 - {
49642 -- unsigned long text_data, elf_entry = ~0UL;
49643 -+ unsigned long text_data, elf_entry = -EINVAL;
49644 - char __user * addr;
49645 - loff_t offset;
49646 -
49647 -@@ -507,6 +541,177 @@ out:
49648 - return elf_entry;
49649 - }
49650 -
49651 -+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
49652 -+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
49653 -+{
49654 -+ unsigned long pax_flags = 0UL;
49655 -+
49656 -+#ifdef CONFIG_PAX_PAGEEXEC
49657 -+ if (elf_phdata->p_flags & PF_PAGEEXEC)
49658 -+ pax_flags |= MF_PAX_PAGEEXEC;
49659 -+#endif
49660 -+
49661 -+#ifdef CONFIG_PAX_SEGMEXEC
49662 -+ if (elf_phdata->p_flags & PF_SEGMEXEC)
49663 -+ pax_flags |= MF_PAX_SEGMEXEC;
49664 -+#endif
49665 -+
49666 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49667 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49668 -+ if (nx_enabled)
49669 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49670 -+ else
49671 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49672 -+ }
49673 -+#endif
49674 -+
49675 -+#ifdef CONFIG_PAX_EMUTRAMP
49676 -+ if (elf_phdata->p_flags & PF_EMUTRAMP)
49677 -+ pax_flags |= MF_PAX_EMUTRAMP;
49678 -+#endif
49679 -+
49680 -+#ifdef CONFIG_PAX_MPROTECT
49681 -+ if (elf_phdata->p_flags & PF_MPROTECT)
49682 -+ pax_flags |= MF_PAX_MPROTECT;
49683 -+#endif
49684 -+
49685 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
49686 -+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
49687 -+ pax_flags |= MF_PAX_RANDMMAP;
49688 -+#endif
49689 -+
49690 -+ return pax_flags;
49691 -+}
49692 -+#endif
49693 -+
49694 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49695 -+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
49696 -+{
49697 -+ unsigned long pax_flags = 0UL;
49698 -+
49699 -+#ifdef CONFIG_PAX_PAGEEXEC
49700 -+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
49701 -+ pax_flags |= MF_PAX_PAGEEXEC;
49702 -+#endif
49703 -+
49704 -+#ifdef CONFIG_PAX_SEGMEXEC
49705 -+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
49706 -+ pax_flags |= MF_PAX_SEGMEXEC;
49707 -+#endif
49708 -+
49709 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49710 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49711 -+ if (nx_enabled)
49712 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49713 -+ else
49714 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49715 -+ }
49716 -+#endif
49717 -+
49718 -+#ifdef CONFIG_PAX_EMUTRAMP
49719 -+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
49720 -+ pax_flags |= MF_PAX_EMUTRAMP;
49721 -+#endif
49722 -+
49723 -+#ifdef CONFIG_PAX_MPROTECT
49724 -+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
49725 -+ pax_flags |= MF_PAX_MPROTECT;
49726 -+#endif
49727 -+
49728 -+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
49729 -+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
49730 -+ pax_flags |= MF_PAX_RANDMMAP;
49731 -+#endif
49732 -+
49733 -+ return pax_flags;
49734 -+}
49735 -+#endif
49736 -+
49737 -+#ifdef CONFIG_PAX_EI_PAX
49738 -+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
49739 -+{
49740 -+ unsigned long pax_flags = 0UL;
49741 -+
49742 -+#ifdef CONFIG_PAX_PAGEEXEC
49743 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
49744 -+ pax_flags |= MF_PAX_PAGEEXEC;
49745 -+#endif
49746 -+
49747 -+#ifdef CONFIG_PAX_SEGMEXEC
49748 -+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
49749 -+ pax_flags |= MF_PAX_SEGMEXEC;
49750 -+#endif
49751 -+
49752 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
49753 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49754 -+ if (nx_enabled)
49755 -+ pax_flags &= ~MF_PAX_SEGMEXEC;
49756 -+ else
49757 -+ pax_flags &= ~MF_PAX_PAGEEXEC;
49758 -+ }
49759 -+#endif
49760 -+
49761 -+#ifdef CONFIG_PAX_EMUTRAMP
49762 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
49763 -+ pax_flags |= MF_PAX_EMUTRAMP;
49764 -+#endif
49765 -+
49766 -+#ifdef CONFIG_PAX_MPROTECT
49767 -+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
49768 -+ pax_flags |= MF_PAX_MPROTECT;
49769 -+#endif
49770 -+
49771 -+#ifdef CONFIG_PAX_ASLR
49772 -+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
49773 -+ pax_flags |= MF_PAX_RANDMMAP;
49774 -+#endif
49775 -+
49776 -+ return pax_flags;
49777 -+}
49778 -+#endif
49779 -+
49780 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
49781 -+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
49782 -+{
49783 -+ unsigned long pax_flags = 0UL;
49784 -+
49785 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49786 -+ unsigned long i;
49787 -+#endif
49788 -+
49789 -+#ifdef CONFIG_PAX_EI_PAX
49790 -+ pax_flags = pax_parse_ei_pax(elf_ex);
49791 -+#endif
49792 -+
49793 -+#ifdef CONFIG_PAX_PT_PAX_FLAGS
49794 -+ for (i = 0UL; i < elf_ex->e_phnum; i++)
49795 -+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
49796 -+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
49797 -+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
49798 -+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
49799 -+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
49800 -+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
49801 -+ return -EINVAL;
49802 -+
49803 -+#ifdef CONFIG_PAX_SOFTMODE
49804 -+ if (pax_softmode)
49805 -+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
49806 -+ else
49807 -+#endif
49808 -+
49809 -+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
49810 -+ break;
49811 -+ }
49812 -+#endif
49813 -+
49814 -+ if (0 > pax_check_flags(&pax_flags))
49815 -+ return -EINVAL;
49816 -+
49817 -+ current->mm->pax_flags = pax_flags;
49818 -+ return 0;
49819 -+}
49820 -+#endif
49821 -+
49822 - /*
49823 - * These are the functions used to load ELF style executables and shared
49824 - * libraries. There is no binary dependent code anywhere else.
49825 -@@ -544,7 +749,7 @@ static int load_elf_binary(struct linux_
49826 - char * elf_interpreter = NULL;
49827 - unsigned int interpreter_type = INTERPRETER_NONE;
49828 - unsigned char ibcs2_interpreter = 0;
49829 -- unsigned long error;
49830 -+ unsigned long error = 0;
49831 - struct elf_phdr *elf_ppnt, *elf_phdata;
49832 - unsigned long elf_bss, elf_brk;
49833 - int elf_exec_fileno;
49834 -@@ -556,12 +761,12 @@ static int load_elf_binary(struct linux_
49835 - char passed_fileno[6];
49836 - struct files_struct *files;
49837 - int executable_stack = EXSTACK_DEFAULT;
49838 -- unsigned long def_flags = 0;
49839 - struct {
49840 - struct elfhdr elf_ex;
49841 - struct elfhdr interp_elf_ex;
49842 - struct exec interp_ex;
49843 - } *loc;
49844 -+ unsigned long task_size = TASK_SIZE;
49845 -
49846 - loc = kmalloc(sizeof(*loc), GFP_KERNEL);
49847 - if (!loc) {
49848 -@@ -788,14 +993,89 @@ static int load_elf_binary(struct linux_
49849 -
49850 - /* OK, This is the point of no return */
49851 - current->flags &= ~PF_FORKNOEXEC;
49852 -- current->mm->def_flags = def_flags;
49853 -+
49854 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
49855 -+ current->mm->pax_flags = 0UL;
49856 -+#endif
49857 -+
49858 -+#ifdef CONFIG_PAX_DLRESOLVE
49859 -+ current->mm->call_dl_resolve = 0UL;
49860 -+#endif
49861 -+
49862 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
49863 -+ current->mm->call_syscall = 0UL;
49864 -+#endif
49865 -+
49866 -+#ifdef CONFIG_PAX_ASLR
49867 -+ current->mm->delta_mmap = 0UL;
49868 -+ current->mm->delta_stack = 0UL;
49869 -+#endif
49870 -+
49871 -+ current->mm->def_flags = 0;
49872 -+
49873 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
49874 -+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
49875 -+ send_sig(SIGKILL, current, 0);
49876 -+ goto out_free_dentry;
49877 -+ }
49878 -+#endif
49879 -+
49880 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49881 -+ pax_set_initial_flags(bprm);
49882 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
49883 -+ if (pax_set_initial_flags_func)
49884 -+ (pax_set_initial_flags_func)(bprm);
49885 -+#endif
49886 -+
49887 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
49888 -+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
49889 -+ current->mm->context.user_cs_limit = PAGE_SIZE;
49890 -+ current->mm->def_flags |= VM_PAGEEXEC;
49891 -+ }
49892 -+#endif
49893 -+
49894 -+#ifdef CONFIG_PAX_SEGMEXEC
49895 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
49896 -+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
49897 -+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
49898 -+ task_size = SEGMEXEC_TASK_SIZE;
49899 -+ }
49900 -+#endif
49901 -+
49902 -+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
49903 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
49904 -+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
49905 -+ put_cpu_no_resched();
49906 -+ }
49907 -+#endif
49908 -+
49909 -+#ifdef CONFIG_PAX_ASLR
49910 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
49911 -+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
49912 -+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
49913 -+ }
49914 -+#endif
49915 -+
49916 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49917 -+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
49918 -+ executable_stack = EXSTACK_DEFAULT;
49919 -+#endif
49920 -
49921 - /* Do this immediately, since STACK_TOP as used in setup_arg_pages
49922 - may depend on the personality. */
49923 - SET_PERSONALITY(loc->elf_ex, ibcs2_interpreter);
49924 -+
49925 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
49926 -+ if (!(current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
49927 -+#endif
49928 -+
49929 - if (elf_read_implies_exec(loc->elf_ex, executable_stack))
49930 - current->personality |= READ_IMPLIES_EXEC;
49931 -
49932 -+#ifdef CONFIG_PAX_ASLR
49933 -+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
49934 -+#endif
49935 -+
49936 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
49937 - current->flags |= PF_RANDOMIZE;
49938 - arch_pick_mmap_layout(current->mm);
49939 -@@ -871,6 +1151,20 @@ static int load_elf_binary(struct linux_
49940 - * might try to exec. This is because the brk will
49941 - * follow the loader, and is not movable. */
49942 - load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
49943 -+
49944 -+#ifdef CONFIG_PAX_RANDMMAP
49945 -+ /* PaX: randomize base address at the default exe base if requested */
49946 -+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
49947 -+#ifdef CONFIG_SPARC64
49948 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
49949 -+#else
49950 -+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
49951 -+#endif
49952 -+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
49953 -+ elf_flags |= MAP_FIXED;
49954 -+ }
49955 -+#endif
49956 -+
49957 - }
49958 -
49959 - error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
49960 -@@ -903,9 +1197,9 @@ static int load_elf_binary(struct linux_
49961 - * allowed task size. Note that p_filesz must always be
49962 - * <= p_memsz so it is only necessary to check p_memsz.
49963 - */
49964 -- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
49965 -- elf_ppnt->p_memsz > TASK_SIZE ||
49966 -- TASK_SIZE - elf_ppnt->p_memsz < k) {
49967 -+ if (k >= task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
49968 -+ elf_ppnt->p_memsz > task_size ||
49969 -+ task_size - elf_ppnt->p_memsz < k) {
49970 - /* set_brk can never work. Avoid overflows. */
49971 - send_sig(SIGKILL, current, 0);
49972 - retval = -EINVAL;
49973 -@@ -933,6 +1227,11 @@ static int load_elf_binary(struct linux_
49974 - start_data += load_bias;
49975 - end_data += load_bias;
49976 -
49977 -+#ifdef CONFIG_PAX_RANDMMAP
49978 -+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
49979 -+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
49980 -+#endif
49981 -+
49982 - /* Calling set_brk effectively mmaps the pages that we need
49983 - * for the bss and break sections. We must do this before
49984 - * mapping in the interpreter, to make sure it doesn't wind
49985 -@@ -944,9 +1243,11 @@ static int load_elf_binary(struct linux_
49986 - goto out_free_dentry;
49987 - }
49988 - if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
49989 -- send_sig(SIGSEGV, current, 0);
49990 -- retval = -EFAULT; /* Nobody gets to see this, but.. */
49991 -- goto out_free_dentry;
49992 -+ /*
49993 -+ * This bss-zeroing can fail if the ELF
49994 -+ * file specifies odd protections. So
49995 -+ * we don't check the return value
49996 -+ */
49997 - }
49998 -
49999 - if (elf_interpreter) {
50000 -@@ -1183,8 +1484,10 @@ static int dump_seek(struct file *file,
50001 - unsigned long n = off;
50002 - if (n > PAGE_SIZE)
50003 - n = PAGE_SIZE;
50004 -- if (!dump_write(file, buf, n))
50005 -+ if (!dump_write(file, buf, n)) {
50006 -+ free_page((unsigned long)buf);
50007 - return 0;
50008 -+ }
50009 - off -= n;
50010 - }
50011 - free_page((unsigned long)buf);
50012 -@@ -1199,7 +1502,7 @@ static int dump_seek(struct file *file,
50013 - *
50014 - * I think we should skip something. But I am not sure how. H.J.
50015 - */
50016 --static int maydump(struct vm_area_struct *vma, unsigned long mm_flags)
50017 -+static int maydump(struct vm_area_struct *vma, unsigned long mm_flags, long signr)
50018 - {
50019 - /* The vma can be set up to tell us the answer directly. */
50020 - if (vma->vm_flags & VM_ALWAYSDUMP)
50021 -@@ -1218,7 +1521,7 @@ static int maydump(struct vm_area_struct
50022 - }
50023 -
50024 - /* By default, if it hasn't been written to, don't write it out. */
50025 -- if (!vma->anon_vma)
50026 -+ if (signr != SIGKILL && !vma->anon_vma)
50027 - return test_bit(MMF_DUMP_MAPPED_PRIVATE, &mm_flags);
50028 -
50029 - return test_bit(MMF_DUMP_ANON_PRIVATE, &mm_flags);
50030 -@@ -1275,8 +1578,11 @@ static int writenote(struct memelfnote *
50031 - #undef DUMP_WRITE
50032 -
50033 - #define DUMP_WRITE(addr, nr) \
50034 -+ do { \
50035 -+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
50036 - if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
50037 -- goto end_coredump;
50038 -+ goto end_coredump; \
50039 -+ } while (0);
50040 - #define DUMP_SEEK(off) \
50041 - if (!dump_seek(file, (off))) \
50042 - goto end_coredump;
50043 -@@ -1676,7 +1982,7 @@ static int elf_core_dump(long signr, str
50044 - phdr.p_offset = offset;
50045 - phdr.p_vaddr = vma->vm_start;
50046 - phdr.p_paddr = 0;
50047 -- phdr.p_filesz = maydump(vma, mm_flags) ? sz : 0;
50048 -+ phdr.p_filesz = maydump(vma, mm_flags, signr) ? sz : 0;
50049 - phdr.p_memsz = sz;
50050 - offset += phdr.p_filesz;
50051 - phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
50052 -@@ -1720,7 +2026,7 @@ static int elf_core_dump(long signr, str
50053 - vma = next_vma(vma, gate_vma)) {
50054 - unsigned long addr;
50055 -
50056 -- if (!maydump(vma, mm_flags))
50057 -+ if (!maydump(vma, mm_flags, signr))
50058 - continue;
50059 -
50060 - for (addr = vma->vm_start;
50061 -@@ -1743,6 +2049,7 @@ static int elf_core_dump(long signr, str
50062 - flush_cache_page(vma, addr,
50063 - page_to_pfn(page));
50064 - kaddr = kmap(page);
50065 -+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
50066 - if ((size += PAGE_SIZE) > limit ||
50067 - !dump_write(file, kaddr,
50068 - PAGE_SIZE)) {
50069 -diff -Nurp linux-2.6.23.15/fs/binfmt_flat.c linux-2.6.23.15-grsec/fs/binfmt_flat.c
50070 ---- linux-2.6.23.15/fs/binfmt_flat.c 2007-10-09 21:31:38.000000000 +0100
50071 -+++ linux-2.6.23.15-grsec/fs/binfmt_flat.c 2008-02-11 10:37:44.000000000 +0000
50072 -@@ -559,7 +559,9 @@ static int load_flat_file(struct linux_b
50073 - realdatastart = (unsigned long) -ENOMEM;
50074 - printk("Unable to allocate RAM for process data, errno %d\n",
50075 - (int)-realdatastart);
50076 -+ down_write(&current->mm->mmap_sem);
50077 - do_munmap(current->mm, textpos, text_len);
50078 -+ up_write(&current->mm->mmap_sem);
50079 - ret = realdatastart;
50080 - goto err;
50081 - }
50082 -@@ -581,8 +583,10 @@ static int load_flat_file(struct linux_b
50083 - }
50084 - if (result >= (unsigned long)-4096) {
50085 - printk("Unable to read data+bss, errno %d\n", (int)-result);
50086 -+ down_write(&current->mm->mmap_sem);
50087 - do_munmap(current->mm, textpos, text_len);
50088 - do_munmap(current->mm, realdatastart, data_len + extra);
50089 -+ up_write(&current->mm->mmap_sem);
50090 - ret = result;
50091 - goto err;
50092 - }
50093 -@@ -655,8 +659,10 @@ static int load_flat_file(struct linux_b
50094 - }
50095 - if (result >= (unsigned long)-4096) {
50096 - printk("Unable to read code+data+bss, errno %d\n",(int)-result);
50097 -+ down_write(&current->mm->mmap_sem);
50098 - do_munmap(current->mm, textpos, text_len + data_len + extra +
50099 - MAX_SHARED_LIBS * sizeof(unsigned long));
50100 -+ up_write(&current->mm->mmap_sem);
50101 - ret = result;
50102 - goto err;
50103 - }
50104 -diff -Nurp linux-2.6.23.15/fs/binfmt_misc.c linux-2.6.23.15-grsec/fs/binfmt_misc.c
50105 ---- linux-2.6.23.15/fs/binfmt_misc.c 2007-10-09 21:31:38.000000000 +0100
50106 -+++ linux-2.6.23.15-grsec/fs/binfmt_misc.c 2008-02-11 10:37:44.000000000 +0000
50107 -@@ -113,9 +113,11 @@ static int load_misc_binary(struct linux
50108 - struct files_struct *files = NULL;
50109 -
50110 - retval = -ENOEXEC;
50111 -- if (!enabled)
50112 -+ if (!enabled || bprm->misc)
50113 - goto _ret;
50114 -
50115 -+ bprm->misc++;
50116 -+
50117 - /* to keep locking time low, we copy the interpreter string */
50118 - read_lock(&entries_lock);
50119 - fmt = check_file(bprm);
50120 -@@ -720,7 +722,7 @@ static int bm_fill_super(struct super_bl
50121 - static struct tree_descr bm_files[] = {
50122 - [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
50123 - [3] = {"register", &bm_register_operations, S_IWUSR},
50124 -- /* last one */ {""}
50125 -+ /* last one */ {"", NULL, 0}
50126 - };
50127 - int err = simple_fill_super(sb, 0x42494e4d, bm_files);
50128 - if (!err)
50129 -diff -Nurp linux-2.6.23.15/fs/buffer.c linux-2.6.23.15-grsec/fs/buffer.c
50130 ---- linux-2.6.23.15/fs/buffer.c 2007-10-09 21:31:38.000000000 +0100
50131 -+++ linux-2.6.23.15-grsec/fs/buffer.c 2008-02-11 10:37:44.000000000 +0000
50132 -@@ -41,6 +41,7 @@
50133 - #include <linux/bitops.h>
50134 - #include <linux/mpage.h>
50135 - #include <linux/bit_spinlock.h>
50136 -+#include <linux/grsecurity.h>
50137 -
50138 - static int fsync_buffers_list(spinlock_t *lock, struct list_head *list);
50139 -
50140 -@@ -2017,6 +2018,7 @@ static int __generic_cont_expand(struct
50141 -
50142 - err = -EFBIG;
50143 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
50144 -+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long) size, 1);
50145 - if (limit != RLIM_INFINITY && size > (loff_t)limit) {
50146 - send_sig(SIGXFSZ, current, 0);
50147 - goto out;
50148 -diff -Nurp linux-2.6.23.15/fs/cifs/cifs_uniupr.h linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h
50149 ---- linux-2.6.23.15/fs/cifs/cifs_uniupr.h 2007-10-09 21:31:38.000000000 +0100
50150 -+++ linux-2.6.23.15-grsec/fs/cifs/cifs_uniupr.h 2008-02-11 10:37:44.000000000 +0000
50151 -@@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
50152 - {0x0490, 0x04cc, UniCaseRangeU0490},
50153 - {0x1e00, 0x1ffc, UniCaseRangeU1e00},
50154 - {0xff40, 0xff5a, UniCaseRangeUff40},
50155 -- {0}
50156 -+ {0, 0, NULL}
50157 - };
50158 - #endif
50159 -
50160 -diff -Nurp linux-2.6.23.15/fs/cifs/dir.c linux-2.6.23.15-grsec/fs/cifs/dir.c
50161 ---- linux-2.6.23.15/fs/cifs/dir.c 2007-10-09 21:31:38.000000000 +0100
50162 -+++ linux-2.6.23.15-grsec/fs/cifs/dir.c 2008-02-11 10:37:44.000000000 +0000
50163 -@@ -397,7 +397,7 @@ int cifs_mknod(struct inode *inode, stru
50164 - /* BB Do not bother to decode buf since no
50165 - local inode yet to put timestamps in,
50166 - but we can reuse it safely */
50167 -- int bytes_written;
50168 -+ unsigned int bytes_written;
50169 - struct win_dev *pdev;
50170 - pdev = (struct win_dev *)buf;
50171 - if (S_ISCHR(mode)) {
50172 -diff -Nurp linux-2.6.23.15/fs/cifs/inode.c linux-2.6.23.15-grsec/fs/cifs/inode.c
50173 ---- linux-2.6.23.15/fs/cifs/inode.c 2008-02-11 10:36:03.000000000 +0000
50174 -+++ linux-2.6.23.15-grsec/fs/cifs/inode.c 2008-02-11 10:37:44.000000000 +0000
50175 -@@ -1470,7 +1470,7 @@ int cifs_setattr(struct dentry *direntry
50176 - atomic_dec(&open_file->wrtPending);
50177 - cFYI(1, ("SetFSize for attrs rc = %d", rc));
50178 - if ((rc == -EINVAL) || (rc == -EOPNOTSUPP)) {
50179 -- int bytes_written;
50180 -+ unsigned int bytes_written;
50181 - rc = CIFSSMBWrite(xid, pTcon,
50182 - nfid, 0, attrs->ia_size,
50183 - &bytes_written, NULL, NULL,
50184 -@@ -1503,7 +1503,7 @@ int cifs_setattr(struct dentry *direntry
50185 - cifs_sb->mnt_cifs_flags &
50186 - CIFS_MOUNT_MAP_SPECIAL_CHR);
50187 - if (rc == 0) {
50188 -- int bytes_written;
50189 -+ unsigned int bytes_written;
50190 - rc = CIFSSMBWrite(xid, pTcon,
50191 - netfid, 0,
50192 - attrs->ia_size,
50193 -diff -Nurp linux-2.6.23.15/fs/compat.c linux-2.6.23.15-grsec/fs/compat.c
50194 ---- linux-2.6.23.15/fs/compat.c 2007-10-09 21:31:38.000000000 +0100
50195 -+++ linux-2.6.23.15-grsec/fs/compat.c 2008-02-11 10:37:44.000000000 +0000
50196 -@@ -50,6 +50,7 @@
50197 - #include <linux/poll.h>
50198 - #include <linux/mm.h>
50199 - #include <linux/eventpoll.h>
50200 -+#include <linux/grsecurity.h>
50201 -
50202 - #include <asm/uaccess.h>
50203 - #include <asm/mmu_context.h>
50204 -@@ -1300,14 +1301,12 @@ static int compat_copy_strings(int argc,
50205 - if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
50206 - struct page *page;
50207 -
50208 --#ifdef CONFIG_STACK_GROWSUP
50209 - ret = expand_stack_downwards(bprm->vma, pos);
50210 - if (ret < 0) {
50211 - /* We've exceed the stack rlimit. */
50212 - ret = -E2BIG;
50213 - goto out;
50214 - }
50215 --#endif
50216 - ret = get_user_pages(current, bprm->mm, pos,
50217 - 1, 1, 1, &page, NULL);
50218 - if (ret <= 0) {
50219 -@@ -1353,6 +1352,11 @@ int compat_do_execve(char * filename,
50220 - compat_uptr_t __user *envp,
50221 - struct pt_regs * regs)
50222 - {
50223 -+#ifdef CONFIG_GRKERNSEC
50224 -+ struct file *old_exec_file;
50225 -+ struct acl_subject_label *old_acl;
50226 -+ struct rlimit old_rlim[RLIM_NLIMITS];
50227 -+#endif
50228 - struct linux_binprm *bprm;
50229 - struct file *file;
50230 - int retval;
50231 -@@ -1373,6 +1377,14 @@ int compat_do_execve(char * filename,
50232 - bprm->filename = filename;
50233 - bprm->interp = filename;
50234 -
50235 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
50236 -+ retval = -EAGAIN;
50237 -+ if (gr_handle_nproc())
50238 -+ goto out_file;
50239 -+ retval = -EACCES;
50240 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
50241 -+ goto out_file;
50242 -+
50243 - retval = bprm_mm_init(bprm);
50244 - if (retval)
50245 - goto out_file;
50246 -@@ -1406,8 +1418,36 @@ int compat_do_execve(char * filename,
50247 - if (retval < 0)
50248 - goto out;
50249 -
50250 -+ if (!gr_tpe_allow(file)) {
50251 -+ retval = -EACCES;
50252 -+ goto out;
50253 -+ }
50254 -+
50255 -+ if (gr_check_crash_exec(file)) {
50256 -+ retval = -EACCES;
50257 -+ goto out;
50258 -+ }
50259 -+
50260 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
50261 -+
50262 -+ gr_handle_exec_args(bprm, (char __user * __user *)argv);
50263 -+
50264 -+#ifdef CONFIG_GRKERNSEC
50265 -+ old_acl = current->acl;
50266 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
50267 -+ old_exec_file = current->exec_file;
50268 -+ get_file(file);
50269 -+ current->exec_file = file;
50270 -+#endif
50271 -+
50272 -+ gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
50273 -+
50274 - retval = search_binary_handler(bprm, regs);
50275 - if (retval >= 0) {
50276 -+#ifdef CONFIG_GRKERNSEC
50277 -+ if (old_exec_file)
50278 -+ fput(old_exec_file);
50279 -+#endif
50280 - /* execve success */
50281 - security_bprm_free(bprm);
50282 - acct_update_integrals(current);
50283 -@@ -1415,6 +1455,13 @@ int compat_do_execve(char * filename,
50284 - return retval;
50285 - }
50286 -
50287 -+#ifdef CONFIG_GRKERNSEC
50288 -+ current->acl = old_acl;
50289 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
50290 -+ fput(current->exec_file);
50291 -+ current->exec_file = old_exec_file;
50292 -+#endif
50293 -+
50294 - out:
50295 - if (bprm->security)
50296 - security_bprm_free(bprm);
50297 -diff -Nurp linux-2.6.23.15/fs/compat_ioctl.c linux-2.6.23.15-grsec/fs/compat_ioctl.c
50298 ---- linux-2.6.23.15/fs/compat_ioctl.c 2007-10-09 21:31:38.000000000 +0100
50299 -+++ linux-2.6.23.15-grsec/fs/compat_ioctl.c 2008-02-11 10:37:44.000000000 +0000
50300 -@@ -2431,15 +2431,15 @@ struct ioctl_trans {
50301 - };
50302 -
50303 - #define HANDLE_IOCTL(cmd,handler) \
50304 -- { (cmd), (ioctl_trans_handler_t)(handler) },
50305 -+ { (cmd), (ioctl_trans_handler_t)(handler), NULL },
50306 -
50307 - /* pointer to compatible structure or no argument */
50308 - #define COMPATIBLE_IOCTL(cmd) \
50309 -- { (cmd), do_ioctl32_pointer },
50310 -+ { (cmd), do_ioctl32_pointer, NULL },
50311 -
50312 - /* argument is an unsigned long integer, not a pointer */
50313 - #define ULONG_IOCTL(cmd) \
50314 -- { (cmd), (ioctl_trans_handler_t)sys_ioctl },
50315 -+ { (cmd), (ioctl_trans_handler_t)sys_ioctl, NULL },
50316 -
50317 - /* ioctl should not be warned about even if it's not implemented.
50318 - Valid reasons to use this:
50319 -diff -Nurp linux-2.6.23.15/fs/debugfs/inode.c linux-2.6.23.15-grsec/fs/debugfs/inode.c
50320 ---- linux-2.6.23.15/fs/debugfs/inode.c 2007-10-09 21:31:38.000000000 +0100
50321 -+++ linux-2.6.23.15-grsec/fs/debugfs/inode.c 2008-02-11 10:37:44.000000000 +0000
50322 -@@ -125,7 +125,7 @@ static inline int debugfs_positive(struc
50323 -
50324 - static int debug_fill_super(struct super_block *sb, void *data, int silent)
50325 - {
50326 -- static struct tree_descr debug_files[] = {{""}};
50327 -+ static struct tree_descr debug_files[] = {{"", NULL, 0}};
50328 -
50329 - return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
50330 - }
50331 -diff -Nurp linux-2.6.23.15/fs/exec.c linux-2.6.23.15-grsec/fs/exec.c
50332 ---- linux-2.6.23.15/fs/exec.c 2008-02-11 10:36:03.000000000 +0000
50333 -+++ linux-2.6.23.15-grsec/fs/exec.c 2008-02-11 10:37:44.000000000 +0000
50334 -@@ -50,6 +50,8 @@
50335 - #include <linux/tsacct_kern.h>
50336 - #include <linux/cn_proc.h>
50337 - #include <linux/audit.h>
50338 -+#include <linux/random.h>
50339 -+#include <linux/grsecurity.h>
50340 -
50341 - #include <asm/uaccess.h>
50342 - #include <asm/mmu_context.h>
50343 -@@ -184,18 +186,10 @@ static struct page *get_arg_page(struct
50344 - int write)
50345 - {
50346 - struct page *page;
50347 -- int ret;
50348 -
50349 --#ifdef CONFIG_STACK_GROWSUP
50350 -- if (write) {
50351 -- ret = expand_stack_downwards(bprm->vma, pos);
50352 -- if (ret < 0)
50353 -- return NULL;
50354 -- }
50355 --#endif
50356 -- ret = get_user_pages(current, bprm->mm, pos,
50357 -- 1, write, 1, &page, NULL);
50358 -- if (ret <= 0)
50359 -+ if (0 > expand_stack_downwards(bprm->vma, pos))
50360 -+ return NULL;
50361 -+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
50362 - return NULL;
50363 -
50364 - if (write) {
50365 -@@ -260,7 +254,12 @@ static int __bprm_mm_init(struct linux_b
50366 - vma->vm_start = vma->vm_end - PAGE_SIZE;
50367 -
50368 - vma->vm_flags = VM_STACK_FLAGS;
50369 -- vma->vm_page_prot = protection_map[vma->vm_flags & 0x7];
50370 -+
50371 -+#ifdef CONFIG_PAX_SEGMEXEC
50372 -+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
50373 -+#endif
50374 -+
50375 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
50376 - err = insert_vm_struct(mm, vma);
50377 - if (err) {
50378 - up_write(&mm->mmap_sem);
50379 -@@ -272,6 +271,11 @@ static int __bprm_mm_init(struct linux_b
50380 -
50381 - bprm->p = vma->vm_end - sizeof(void *);
50382 -
50383 -+#ifdef CONFIG_PAX_RANDUSTACK
50384 -+ if (randomize_va_space)
50385 -+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
50386 -+#endif
50387 -+
50388 - return 0;
50389 -
50390 - err:
50391 -@@ -395,7 +399,7 @@ static int count(char __user * __user *
50392 - if (!p)
50393 - break;
50394 - argv++;
50395 -- if(++i > max)
50396 -+ if (++i > max)
50397 - return -E2BIG;
50398 - cond_resched();
50399 - }
50400 -@@ -535,6 +539,10 @@ static int shift_arg_pages(struct vm_are
50401 - if (vma != find_vma(mm, new_start))
50402 - return -EFAULT;
50403 -
50404 -+#ifdef CONFIG_PAX_SEGMEXEC
50405 -+ BUG_ON(pax_find_mirror_vma(vma));
50406 -+#endif
50407 -+
50408 - /*
50409 - * cover the whole range: [new_start, old_end)
50410 - */
50411 -@@ -623,6 +631,14 @@ int setup_arg_pages(struct linux_binprm
50412 - bprm->exec -= stack_shift;
50413 -
50414 - down_write(&mm->mmap_sem);
50415 -+
50416 -+ /* Move stack pages down in memory. */
50417 -+ if (stack_shift) {
50418 -+ ret = shift_arg_pages(vma, stack_shift);
50419 -+ if (ret)
50420 -+ goto out_unlock;
50421 -+ }
50422 -+
50423 - vm_flags = vma->vm_flags;
50424 -
50425 - /*
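Review bot: moving the shift_arg_pages call ahead of mprotect_fixup changes the order in which the stack vma is relocated and reprotected, so the commit message should say why; and because the failure path is now `goto out_unlock`, the out_unlock label has to return ret rather than a fixed 0 for the error to reach the caller. vm_flags is read from vma->vm_flags after the shift, which is correct only as long as shift_arg_pages does not alter the vma's flags.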
50426 -@@ -634,23 +650,28 @@ int setup_arg_pages(struct linux_binprm
50427 - vm_flags |= VM_EXEC;
50428 - else if (executable_stack == EXSTACK_DISABLE_X)
50429 - vm_flags &= ~VM_EXEC;
50430 -+ else
50431 -+ vm_flags = VM_STACK_FLAGS;
50432 - vm_flags |= mm->def_flags;
50433 -
50434 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
50435 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
50436 -+ vm_flags &= ~VM_EXEC;
50437 -+
50438 -+#ifdef CONFIG_PAX_MPROTECT
50439 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
50440 -+ vm_flags &= ~VM_MAYEXEC;
50441 -+#endif
50442 -+
50443 -+ }
50444 -+#endif
50445 -+
50446 - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
50447 - vm_flags);
50448 - if (ret)
50449 - goto out_unlock;
50450 - BUG_ON(prev != vma);
50451 -
50452 -- /* Move stack pages down in memory. */
50453 -- if (stack_shift) {
50454 -- ret = shift_arg_pages(vma, stack_shift);
50455 -- if (ret) {
50456 -- up_write(&mm->mmap_sem);
50457 -- return ret;
50458 -- }
50459 -- }
50460 --
50461 - #ifdef CONFIG_STACK_GROWSUP
50462 - stack_base = vma->vm_end + EXTRA_STACK_VM_PAGES * PAGE_SIZE;
50463 - #else
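Review bot: the new `else vm_flags = VM_STACK_FLAGS;` for the EXSTACK_DEFAULT case discards whatever vma->vm_flags carried in from __bprm_mm_init instead of inheriting it as upstream does, so the exec bits cleared there come back here unless mm->pax_flags has PAGEEXEC or SEGMEXEC set, in which case the block that follows clears VM_EXEC (and VM_MAYEXEC under MPROTECT) again. The two sites therefore agree only when the per-binary PaX flags are set; a comment explaining why the default case resets the flags rather than inheriting them would stop someone from "fixing" it later. Removing the old shift_arg_pages block is consistent with the hunk above that moved it.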
50464 -@@ -662,7 +683,7 @@ int setup_arg_pages(struct linux_binprm
50465 -
50466 - out_unlock:
50467 - up_write(&mm->mmap_sem);
50468 -- return 0;
50469 -+ return ret;
50470 - }
50471 - EXPORT_SYMBOL(setup_arg_pages);
50472 -
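Review bot: `return ret;` at out_unlock is required now that shift_arg_pages errors jump there, but it also means every success path that falls into out_unlock must leave ret at 0; mprotect_fixup's result is already stored in ret and checked, so the current fall-through is fine, but any code later added between the last assignment to ret and the label has to preserve that.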
50473 -@@ -682,7 +703,7 @@ struct file *open_exec(const char *name)
50474 - file = ERR_PTR(-EACCES);
50475 - if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
50476 - S_ISREG(inode->i_mode)) {
50477 -- int err = vfs_permission(&nd, MAY_EXEC);
50478 -+ err = vfs_permission(&nd, MAY_EXEC);
50479 - file = ERR_PTR(err);
50480 - if (!err) {
50481 - file = nameidata_to_filp(&nd, O_RDONLY);
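Review bot: dropping the block-scoped `int err` in favour of an outer `err` only compiles if a function-scope declaration exists, and that declaration is not part of this hunk; confirm it is added elsewhere in the patch or keep the local declaration here, since a missing outer `err` is a build break rather than a warning.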
50482 -@@ -1339,6 +1360,11 @@ int do_execve(char * filename,
50483 - char __user *__user *envp,
50484 - struct pt_regs * regs)
50485 - {
50486 -+#ifdef CONFIG_GRKERNSEC
50487 -+ struct file *old_exec_file;
50488 -+ struct acl_subject_label *old_acl;
50489 -+ struct rlimit old_rlim[RLIM_NLIMITS];
50490 -+#endif
50491 - struct linux_binprm *bprm;
50492 - struct file *file;
50493 - unsigned long env_p;
50494 -@@ -1354,6 +1380,20 @@ int do_execve(char * filename,
50495 - if (IS_ERR(file))
50496 - goto out_kfree;
50497 -
50498 -+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->user->processes), 1);
50499 -+
50500 -+ if (gr_handle_nproc()) {
50501 -+ allow_write_access(file);
50502 -+ fput(file);
50503 -+ return -EAGAIN;
50504 -+ }
50505 -+
50506 -+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
50507 -+ allow_write_access(file);
50508 -+ fput(file);
50509 -+ return -EACCES;
50510 -+ }
50511 -+
50512 - sched_exec();
50513 -
50514 - bprm->file = file;
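Review bot: the two early exits after gr_handle_nproc and gr_acl_handle_execve do `allow_write_access(file); fput(file); return ...;`, but the line just above them shows that an open_exec failure at this point goes to out_kfree, i.e. bprm has already been allocated and must be freed; returning directly leaks it. Use `retval = -EAGAIN;` / `retval = -EACCES;` and `goto out_kfree` after releasing the file so the existing cleanup runs.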
50515 -@@ -1395,8 +1435,38 @@ int do_execve(char * filename,
50516 - goto out;
50517 - bprm->argv_len = env_p - bprm->p;
50518 -
50519 -+ if (!gr_tpe_allow(file)) {
50520 -+ retval = -EACCES;
50521 -+ goto out;
50522 -+ }
50523 -+
50524 -+ if (gr_check_crash_exec(file)) {
50525 -+ retval = -EACCES;
50526 -+ goto out;
50527 -+ }
50528 -+
50529 -+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
50530 -+
50531 -+ gr_handle_exec_args(bprm, argv);
50532 -+
50533 -+#ifdef CONFIG_GRKERNSEC
50534 -+ old_acl = current->acl;
50535 -+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
50536 -+ old_exec_file = current->exec_file;
50537 -+ get_file(file);
50538 -+ current->exec_file = file;
50539 -+#endif
50540 -+
50541 -+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt);
50542 -+ if (retval < 0)
50543 -+ goto out_fail;
50544 -+
50545 - retval = search_binary_handler(bprm,regs);
50546 - if (retval >= 0) {
50547 -+#ifdef CONFIG_GRKERNSEC
50548 -+ if (old_exec_file)
50549 -+ fput(old_exec_file);
50550 -+#endif
50551 - /* execve success */
50552 - free_arg_pages(bprm);
50553 - security_bprm_free(bprm);
50554 -@@ -1405,6 +1475,14 @@ int do_execve(char * filename,
50555 - return retval;
50556 - }
50557 -
50558 -+out_fail:
50559 -+#ifdef CONFIG_GRKERNSEC
50560 -+ current->acl = old_acl;
50561 -+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
50562 -+ fput(current->exec_file);
50563 -+ current->exec_file = old_exec_file;
50564 -+#endif
50565 -+
50566 - out:
50567 - free_arg_pages(bprm);
50568 - if (bprm->security)
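Review bot: out_fail is reached on a search_binary_handler failure only by falling off the end of the `if (retval >= 0) { ... return retval; }` block in the hunk above, and it is the explicit target when gr_set_proc_label fails; a short comment at the label ("undo the subject label, rlimit and exec_file switch of the failed exec") would make that fall-through read as intentional. The restore is balanced with the get_file/exec_file assignment because both are reached only after that point, and the earlier `goto out` exits for gr_tpe_allow and gr_check_crash_exec sit before the save and correctly skip the restore.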
50569 -@@ -1561,6 +1639,114 @@ out:
50570 - return ispipe;
50571 - }
50572 -
50573 -+int pax_check_flags(unsigned long *flags)
50574 -+{
50575 -+ int retval = 0;
50576 -+
50577 -+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
50578 -+ if (*flags & MF_PAX_SEGMEXEC)
50579 -+ {
50580 -+ *flags &= ~MF_PAX_SEGMEXEC;
50581 -+ retval = -EINVAL;
50582 -+ }
50583 -+#endif
50584 -+
50585 -+ if ((*flags & MF_PAX_PAGEEXEC)
50586 -+
50587 -+#ifdef CONFIG_PAX_PAGEEXEC
50588 -+ && (*flags & MF_PAX_SEGMEXEC)
50589 -+#endif
50590 -+
50591 -+ )
50592 -+ {
50593 -+ *flags &= ~MF_PAX_PAGEEXEC;
50594 -+ retval = -EINVAL;
50595 -+ }
50596 -+
50597 -+ if ((*flags & MF_PAX_MPROTECT)
50598 -+
50599 -+#ifdef CONFIG_PAX_MPROTECT
50600 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
50601 -+#endif
50602 -+
50603 -+ )
50604 -+ {
50605 -+ *flags &= ~MF_PAX_MPROTECT;
50606 -+ retval = -EINVAL;
50607 -+ }
50608 -+
50609 -+ if ((*flags & MF_PAX_EMUTRAMP)
50610 -+
50611 -+#ifdef CONFIG_PAX_EMUTRAMP
50612 -+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
50613 -+#endif
50614 -+
50615 -+ )
50616 -+ {
50617 -+ *flags &= ~MF_PAX_EMUTRAMP;
50618 -+ retval = -EINVAL;
50619 -+ }
50620 -+
50621 -+ return retval;
50622 -+}
50623 -+
50624 -+EXPORT_SYMBOL(pax_check_flags);
50625 -+
50626 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
50627 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
50628 -+{
50629 -+ struct task_struct *tsk = current;
50630 -+ struct mm_struct *mm = current->mm;
50631 -+ char *buffer_exec = (char *)__get_free_page(GFP_ATOMIC);
50632 -+ char *buffer_fault = (char *)__get_free_page(GFP_ATOMIC);
50633 -+ char *path_exec = NULL;
50634 -+ char *path_fault = NULL;
50635 -+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
50636 -+
50637 -+ if (buffer_exec && buffer_fault) {
50638 -+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
50639 -+
50640 -+ down_read(&mm->mmap_sem);
50641 -+ vma = mm->mmap;
50642 -+ while (vma && (!vma_exec || !vma_fault)) {
50643 -+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
50644 -+ vma_exec = vma;
50645 -+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
50646 -+ vma_fault = vma;
50647 -+ vma = vma->vm_next;
50648 -+ }
50649 -+ if (vma_exec) {
50650 -+ path_exec = d_path(vma_exec->vm_file->f_path.dentry, vma_exec->vm_file->f_path.mnt, buffer_exec, PAGE_SIZE);
50651 -+ if (IS_ERR(path_exec))
50652 -+ path_exec = "<path too long>";
50653 -+ }
50654 -+ if (vma_fault) {
50655 -+ start = vma_fault->vm_start;
50656 -+ end = vma_fault->vm_end;
50657 -+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
50658 -+ if (vma_fault->vm_file) {
50659 -+ path_fault = d_path(vma_fault->vm_file->f_path.dentry, vma_fault->vm_file->f_path.mnt, buffer_fault, PAGE_SIZE);
50660 -+ if (IS_ERR(path_fault))
50661 -+ path_fault = "<path too long>";
50662 -+ } else
50663 -+ path_fault = "<anonymous mapping>";
50664 -+ }
50665 -+ up_read(&mm->mmap_sem);
50666 -+ }
50667 -+ if (tsk->signal->curr_ip)
50668 -+ printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
50669 -+ else
50670 -+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
50671 -+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
50672 -+ "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
50673 -+ tsk->uid, tsk->euid, pc, sp);
50674 -+ free_page((unsigned long)buffer_exec);
50675 -+ free_page((unsigned long)buffer_fault);
50676 -+ pax_report_insns(pc, sp);
50677 -+ do_coredump(SIGKILL, SIGKILL, regs);
50678 -+}
50679 -+#endif
50680 -+
50681 - static void zap_process(struct task_struct *start)
50682 - {
50683 - struct task_struct *t;
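Review bot: pax_report_fault writes two or three printk lines per fault with no rate limiting, so a process that repeatedly triggers the exec-protection fault (by accident or on purpose) can flood the kernel log and crowd out other messages; wrapping the printk calls in `if (printk_ratelimit())` keeps the signal while bounding the noise. Two smaller points: both __get_free_page calls use GFP_ATOMIC, and if either fails path_exec/path_fault stay NULL and are printed through "%s" (the kernel's vsnprintf renders that as "<NULL>", but a comment saying so is cheap); and the brace-on-its-own-line style in pax_check_flags differs from the surrounding fs/exec.c code.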
50684 -@@ -1753,6 +1939,10 @@ int do_coredump(long signr, int exit_cod
50685 - */
50686 - clear_thread_flag(TIF_SIGPENDING);
50687 -
50688 -+ if (signr == SIGKILL || signr == SIGILL)
50689 -+ gr_handle_brute_attach(current);
50690 -+
50691 -+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
50692 - if (current->signal->rlim[RLIMIT_CORE].rlim_cur < binfmt->min_coredump)
50693 - goto fail_unlock;
50694 -
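Review bot: gr_handle_brute_attach keys only on signr being SIGKILL or SIGILL, which matches how pax_report_fault invokes do_coredump in the hunk above, but an ordinary SIGILL raised by user space (a bad opcode in hand-written or JIT-generated code) takes the same path; if the brute-force deterrent is meant for exploit attempts only, say so in a comment, and if not, reconsider the SIGILL case. The gr_learn_resource call for RLIMIT_CORE correctly precedes the limit check it mirrors.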
50695 -diff -Nurp linux-2.6.23.15/fs/ext2/balloc.c linux-2.6.23.15-grsec/fs/ext2/balloc.c
50696 ---- linux-2.6.23.15/fs/ext2/balloc.c 2007-10-09 21:31:38.000000000 +0100
50697 -+++ linux-2.6.23.15-grsec/fs/ext2/balloc.c 2008-02-11 10:37:44.000000000 +0000
50698 -@@ -111,7 +111,7 @@ static int reserve_blocks(struct super_b
50699 - if (free_blocks < count)
50700 - count = free_blocks;
50701 -
50702 -- if (free_blocks < root_blocks + count && !capable(CAP_SYS_RESOURCE) &&
50703 -+ if (free_blocks < root_blocks + count && !capable_nolog(CAP_SYS_RESOURCE) &&
50704 - sbi->s_resuid != current->fsuid &&
50705 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50706 - /*
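Review bot: replacing capable() with capable_nolog() here stops every near-full allocation by an unprivileged process from being logged as a failed capability use, which is the right fix for a high-volume false positive, but the same one-line change is repeated in the ext3 and ext4 balloc.c hunks below; the changelog should list all three so a future rebase does not silently drop one.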
50707 -diff -Nurp linux-2.6.23.15/fs/ext3/balloc.c linux-2.6.23.15-grsec/fs/ext3/balloc.c
50708 ---- linux-2.6.23.15/fs/ext3/balloc.c 2007-10-09 21:31:38.000000000 +0100
50709 -+++ linux-2.6.23.15-grsec/fs/ext3/balloc.c 2008-02-11 10:37:44.000000000 +0000
50710 -@@ -1359,7 +1359,7 @@ static int ext3_has_free_blocks(struct e
50711 -
50712 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
50713 - root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
50714 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
50715 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
50716 - sbi->s_resuid != current->fsuid &&
50717 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50718 - return 0;
50719 -diff -Nurp linux-2.6.23.15/fs/ext3/namei.c linux-2.6.23.15-grsec/fs/ext3/namei.c
50720 ---- linux-2.6.23.15/fs/ext3/namei.c 2007-10-09 21:31:38.000000000 +0100
50721 -+++ linux-2.6.23.15-grsec/fs/ext3/namei.c 2008-02-11 10:37:44.000000000 +0000
50722 -@@ -1188,9 +1188,9 @@ static struct ext3_dir_entry_2 *do_split
50723 - u32 hash2;
50724 - struct dx_map_entry *map;
50725 - char *data1 = (*bh)->b_data, *data2;
50726 -- unsigned split, move, size, i;
50727 -+ unsigned split, move, size;
50728 - struct ext3_dir_entry_2 *de = NULL, *de2;
50729 -- int err = 0;
50730 -+ int i, err = 0;
50731 -
50732 - bh2 = ext3_append (handle, dir, &newblock, &err);
50733 - if (!(bh2)) {
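Review bot: moving `i` from `unsigned` to `int` is a behaviour change rather than a warning fix if `i` is used in a countdown loop with an `i >= 0` test (always true for an unsigned type, hence an endless loop or an out-of-bounds index); the loop itself is outside this hunk, so the commit message should name it. The identical ext4 namei.c hunk below needs the same justification.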
50734 -diff -Nurp linux-2.6.23.15/fs/ext3/xattr.c linux-2.6.23.15-grsec/fs/ext3/xattr.c
50735 ---- linux-2.6.23.15/fs/ext3/xattr.c 2007-10-09 21:31:38.000000000 +0100
50736 -+++ linux-2.6.23.15-grsec/fs/ext3/xattr.c 2008-02-11 10:37:44.000000000 +0000
50737 -@@ -89,8 +89,8 @@
50738 - printk("\n"); \
50739 - } while (0)
50740 - #else
50741 --# define ea_idebug(f...)
50742 --# define ea_bdebug(f...)
50743 -+# define ea_idebug(f...) do {} while (0)
50744 -+# define ea_bdebug(f...) do {} while (0)
50745 - #endif
50746 -
50747 - static void ext3_xattr_cache_insert(struct buffer_head *);
50748 -diff -Nurp linux-2.6.23.15/fs/ext4/balloc.c linux-2.6.23.15-grsec/fs/ext4/balloc.c
50749 ---- linux-2.6.23.15/fs/ext4/balloc.c 2007-10-09 21:31:38.000000000 +0100
50750 -+++ linux-2.6.23.15-grsec/fs/ext4/balloc.c 2008-02-11 10:37:44.000000000 +0000
50751 -@@ -1376,7 +1376,7 @@ static int ext4_has_free_blocks(struct e
50752 -
50753 - free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
50754 - root_blocks = ext4_r_blocks_count(sbi->s_es);
50755 -- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
50756 -+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
50757 - sbi->s_resuid != current->fsuid &&
50758 - (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
50759 - return 0;
50760 -diff -Nurp linux-2.6.23.15/fs/ext4/namei.c linux-2.6.23.15-grsec/fs/ext4/namei.c
50761 ---- linux-2.6.23.15/fs/ext4/namei.c 2007-10-09 21:31:38.000000000 +0100
50762 -+++ linux-2.6.23.15-grsec/fs/ext4/namei.c 2008-02-11 10:37:44.000000000 +0000
50763 -@@ -1186,9 +1186,9 @@ static struct ext4_dir_entry_2 *do_split
50764 - u32 hash2;
50765 - struct dx_map_entry *map;
50766 - char *data1 = (*bh)->b_data, *data2;
50767 -- unsigned split, move, size, i;
50768 -+ unsigned split, move, size;
50769 - struct ext4_dir_entry_2 *de = NULL, *de2;
50770 -- int err = 0;
50771 -+ int i, err = 0;
50772 -
50773 - bh2 = ext4_append (handle, dir, &newblock, &err);
50774 - if (!(bh2)) {
50775 -diff -Nurp linux-2.6.23.15/fs/fcntl.c linux-2.6.23.15-grsec/fs/fcntl.c
50776 ---- linux-2.6.23.15/fs/fcntl.c 2007-10-09 21:31:38.000000000 +0100
50777 -+++ linux-2.6.23.15-grsec/fs/fcntl.c 2008-02-11 10:37:44.000000000 +0000
50778 -@@ -18,6 +18,7 @@
50779 - #include <linux/ptrace.h>
50780 - #include <linux/signal.h>
50781 - #include <linux/rcupdate.h>
50782 -+#include <linux/grsecurity.h>
50783 -
50784 - #include <asm/poll.h>
50785 - #include <asm/siginfo.h>
50786 -@@ -63,6 +64,7 @@ static int locate_fd(struct files_struct
50787 - struct fdtable *fdt;
50788 -
50789 - error = -EINVAL;
50790 -+ gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
50791 - if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
50792 - goto out;
50793 -
50794 -@@ -82,6 +84,7 @@ repeat:
50795 - fdt->max_fds, start);
50796 -
50797 - error = -EMFILE;
50798 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
50799 - if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
50800 - goto out;
50801 -
50802 -@@ -140,6 +143,8 @@ asmlinkage long sys_dup2(unsigned int ol
50803 - struct files_struct * files = current->files;
50804 - struct fdtable *fdt;
50805 -
50806 -+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
50807 -+
50808 - spin_lock(&files->file_lock);
50809 - if (!(file = fcheck(oldfd)))
50810 - goto out_unlock;
50811 -@@ -458,7 +463,8 @@ static inline int sigio_perm(struct task
50812 - return (((fown->euid == 0) ||
50813 - (fown->euid == p->suid) || (fown->euid == p->uid) ||
50814 - (fown->uid == p->suid) || (fown->uid == p->uid)) &&
50815 -- !security_file_send_sigiotask(p, fown, sig));
50816 -+ !security_file_send_sigiotask(p, fown, sig) &&
50817 -+ !gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
50818 - }
50819 -
50820 - static void send_sigio_to_task(struct task_struct *p,
50821 -diff -Nurp linux-2.6.23.15/fs/fuse/control.c linux-2.6.23.15-grsec/fs/fuse/control.c
50822 ---- linux-2.6.23.15/fs/fuse/control.c 2007-10-09 21:31:38.000000000 +0100
50823 -+++ linux-2.6.23.15-grsec/fs/fuse/control.c 2008-02-11 10:37:44.000000000 +0000
50824 -@@ -159,7 +159,7 @@ void fuse_ctl_remove_conn(struct fuse_co
50825 -
50826 - static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
50827 - {
50828 -- struct tree_descr empty_descr = {""};
50829 -+ struct tree_descr empty_descr = {"", NULL, 0};
50830 - struct fuse_conn *fc;
50831 - int err;
50832 -
50833 -diff -Nurp linux-2.6.23.15/fs/hfs/inode.c linux-2.6.23.15-grsec/fs/hfs/inode.c
50834 ---- linux-2.6.23.15/fs/hfs/inode.c 2007-10-09 21:31:38.000000000 +0100
50835 -+++ linux-2.6.23.15-grsec/fs/hfs/inode.c 2008-02-11 10:37:44.000000000 +0000
50836 -@@ -415,7 +415,7 @@ int hfs_write_inode(struct inode *inode,
50837 -
50838 - if (S_ISDIR(main_inode->i_mode)) {
50839 - if (fd.entrylength < sizeof(struct hfs_cat_dir))
50840 -- /* panic? */;
50841 -+ {/* panic? */}
50842 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
50843 - sizeof(struct hfs_cat_dir));
50844 - if (rec.type != HFS_CDR_DIR ||
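Review bot: `{/* panic? */}` only silences the empty-body warning; the length check still has no effect, and the hfs_bnode_read that follows copies sizeof(struct hfs_cat_dir) bytes regardless of fd.entrylength, so an undersized catalog record on a corrupted or crafted volume is still read beyond the record. Making the check return an error (for example -EIO, with a one-line printk) would turn that into a clean failure; the same applies to the second hfs hunk and to the four hfsplus hunks below.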
50845 -@@ -436,7 +436,7 @@ int hfs_write_inode(struct inode *inode,
50846 - sizeof(struct hfs_cat_file));
50847 - } else {
50848 - if (fd.entrylength < sizeof(struct hfs_cat_file))
50849 -- /* panic? */;
50850 -+ {/* panic? */}
50851 - hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
50852 - sizeof(struct hfs_cat_file));
50853 - if (rec.type != HFS_CDR_FIL ||
50854 -diff -Nurp linux-2.6.23.15/fs/hfsplus/inode.c linux-2.6.23.15-grsec/fs/hfsplus/inode.c
50855 ---- linux-2.6.23.15/fs/hfsplus/inode.c 2007-10-09 21:31:38.000000000 +0100
50856 -+++ linux-2.6.23.15-grsec/fs/hfsplus/inode.c 2008-02-11 10:37:44.000000000 +0000
50857 -@@ -418,7 +418,7 @@ int hfsplus_cat_read_inode(struct inode
50858 - struct hfsplus_cat_folder *folder = &entry.folder;
50859 -
50860 - if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
50861 -- /* panic? */;
50862 -+ {/* panic? */}
50863 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
50864 - sizeof(struct hfsplus_cat_folder));
50865 - hfsplus_get_perms(inode, &folder->permissions, 1);
50866 -@@ -435,7 +435,7 @@ int hfsplus_cat_read_inode(struct inode
50867 - struct hfsplus_cat_file *file = &entry.file;
50868 -
50869 - if (fd->entrylength < sizeof(struct hfsplus_cat_file))
50870 -- /* panic? */;
50871 -+ {/* panic? */}
50872 - hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
50873 - sizeof(struct hfsplus_cat_file));
50874 -
50875 -@@ -491,7 +491,7 @@ int hfsplus_cat_write_inode(struct inode
50876 - struct hfsplus_cat_folder *folder = &entry.folder;
50877 -
50878 - if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
50879 -- /* panic? */;
50880 -+ {/* panic? */}
50881 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
50882 - sizeof(struct hfsplus_cat_folder));
50883 - /* simple node checks? */
50884 -@@ -513,7 +513,7 @@ int hfsplus_cat_write_inode(struct inode
50885 - struct hfsplus_cat_file *file = &entry.file;
50886 -
50887 - if (fd.entrylength < sizeof(struct hfsplus_cat_file))
50888 -- /* panic? */;
50889 -+ {/* panic? */}
50890 - hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
50891 - sizeof(struct hfsplus_cat_file));
50892 - hfsplus_inode_write_fork(inode, &file->data_fork);
50893 -diff -Nurp linux-2.6.23.15/fs/jffs2/debug.h linux-2.6.23.15-grsec/fs/jffs2/debug.h
50894 ---- linux-2.6.23.15/fs/jffs2/debug.h 2007-10-09 21:31:38.000000000 +0100
50895 -+++ linux-2.6.23.15-grsec/fs/jffs2/debug.h 2008-02-11 10:37:44.000000000 +0000
50896 -@@ -51,13 +51,13 @@
50897 - #if CONFIG_JFFS2_FS_DEBUG > 0
50898 - #define D1(x) x
50899 - #else
50900 --#define D1(x)
50901 -+#define D1(x) do {} while (0);
50902 - #endif
50903 -
50904 - #if CONFIG_JFFS2_FS_DEBUG > 1
50905 - #define D2(x) x
50906 - #else
50907 --#define D2(x)
50908 -+#define D2(x) do {} while (0);
50909 - #endif
50910 -
50911 - /* The prefixes of JFFS2 messages */
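Review bot: the new D1 and D2 definitions end with a semicolon (`do {} while (0);`), unlike the dbg_* macros in the following hunk which correctly omit it; a call site of the form `if (cond) D1(x); else ...` then expands to `do {} while (0);;` before the else and fails to compile, and a `D1(x)` written without a trailing semicolon now silently gets one. Drop the semicolons from both definitions.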
50912 -@@ -113,68 +113,68 @@
50913 - #ifdef JFFS2_DBG_READINODE_MESSAGES
50914 - #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50915 - #else
50916 --#define dbg_readinode(fmt, ...)
50917 -+#define dbg_readinode(fmt, ...) do {} while (0)
50918 - #endif
50919 -
50920 - /* Fragtree build debugging messages */
50921 - #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
50922 - #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50923 - #else
50924 --#define dbg_fragtree(fmt, ...)
50925 -+#define dbg_fragtree(fmt, ...) do {} while (0)
50926 - #endif
50927 - #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
50928 - #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50929 - #else
50930 --#define dbg_fragtree2(fmt, ...)
50931 -+#define dbg_fragtree2(fmt, ...) do {} while (0)
50932 - #endif
50933 -
50934 - /* Directory entry list manilulation debugging messages */
50935 - #ifdef JFFS2_DBG_DENTLIST_MESSAGES
50936 - #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50937 - #else
50938 --#define dbg_dentlist(fmt, ...)
50939 -+#define dbg_dentlist(fmt, ...) do {} while (0)
50940 - #endif
50941 -
50942 - /* Print the messages about manipulating node_refs */
50943 - #ifdef JFFS2_DBG_NODEREF_MESSAGES
50944 - #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50945 - #else
50946 --#define dbg_noderef(fmt, ...)
50947 -+#define dbg_noderef(fmt, ...) do {} while (0)
50948 - #endif
50949 -
50950 - /* Manipulations with the list of inodes (JFFS2 inocache) */
50951 - #ifdef JFFS2_DBG_INOCACHE_MESSAGES
50952 - #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50953 - #else
50954 --#define dbg_inocache(fmt, ...)
50955 -+#define dbg_inocache(fmt, ...) do {} while (0)
50956 - #endif
50957 -
50958 - /* Summary debugging messages */
50959 - #ifdef JFFS2_DBG_SUMMARY_MESSAGES
50960 - #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50961 - #else
50962 --#define dbg_summary(fmt, ...)
50963 -+#define dbg_summary(fmt, ...) do {} while (0)
50964 - #endif
50965 -
50966 - /* File system build messages */
50967 - #ifdef JFFS2_DBG_FSBUILD_MESSAGES
50968 - #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50969 - #else
50970 --#define dbg_fsbuild(fmt, ...)
50971 -+#define dbg_fsbuild(fmt, ...) do {} while (0)
50972 - #endif
50973 -
50974 - /* Watch the object allocations */
50975 - #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
50976 - #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50977 - #else
50978 --#define dbg_memalloc(fmt, ...)
50979 -+#define dbg_memalloc(fmt, ...) do {} while (0)
50980 - #endif
50981 -
50982 - /* Watch the XATTR subsystem */
50983 - #ifdef JFFS2_DBG_XATTR_MESSAGES
50984 - #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
50985 - #else
50986 --#define dbg_xattr(fmt, ...)
50987 -+#define dbg_xattr(fmt, ...) do {} while (0)
50988 - #endif
50989 -
50990 - /* "Sanity" checks */
50991 -diff -Nurp linux-2.6.23.15/fs/jffs2/erase.c linux-2.6.23.15-grsec/fs/jffs2/erase.c
50992 ---- linux-2.6.23.15/fs/jffs2/erase.c 2007-10-09 21:31:38.000000000 +0100
50993 -+++ linux-2.6.23.15-grsec/fs/jffs2/erase.c 2008-02-11 10:37:44.000000000 +0000
50994 -@@ -389,7 +389,8 @@ static void jffs2_mark_erased_block(stru
50995 - struct jffs2_unknown_node marker = {
50996 - .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
50997 - .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
50998 -- .totlen = cpu_to_je32(c->cleanmarker_size)
50999 -+ .totlen = cpu_to_je32(c->cleanmarker_size),
51000 -+ .hdr_crc = cpu_to_je32(0)
51001 - };
51002 -
51003 - jffs2_prealloc_raw_node_refs(c, jeb, 1);
51004 -diff -Nurp linux-2.6.23.15/fs/jffs2/summary.h linux-2.6.23.15-grsec/fs/jffs2/summary.h
51005 ---- linux-2.6.23.15/fs/jffs2/summary.h 2007-10-09 21:31:38.000000000 +0100
51006 -+++ linux-2.6.23.15-grsec/fs/jffs2/summary.h 2008-02-11 10:37:44.000000000 +0000
51007 -@@ -188,18 +188,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
51008 -
51009 - #define jffs2_sum_active() (0)
51010 - #define jffs2_sum_init(a) (0)
51011 --#define jffs2_sum_exit(a)
51012 --#define jffs2_sum_disable_collecting(a)
51013 -+#define jffs2_sum_exit(a) do {} while (0)
51014 -+#define jffs2_sum_disable_collecting(a) do {} while (0)
51015 - #define jffs2_sum_is_disabled(a) (0)
51016 --#define jffs2_sum_reset_collected(a)
51017 -+#define jffs2_sum_reset_collected(a) do {} while (0)
51018 - #define jffs2_sum_add_kvec(a,b,c,d) (0)
51019 --#define jffs2_sum_move_collected(a,b)
51020 -+#define jffs2_sum_move_collected(a,b) do {} while (0)
51021 - #define jffs2_sum_write_sumnode(a) (0)
51022 --#define jffs2_sum_add_padding_mem(a,b)
51023 --#define jffs2_sum_add_inode_mem(a,b,c)
51024 --#define jffs2_sum_add_dirent_mem(a,b,c)
51025 --#define jffs2_sum_add_xattr_mem(a,b,c)
51026 --#define jffs2_sum_add_xref_mem(a,b,c)
51027 -+#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
51028 -+#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
51029 -+#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
51030 -+#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
51031 -+#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
51032 - #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
51033 -
51034 - #endif /* CONFIG_JFFS2_SUMMARY */
51035 -diff -Nurp linux-2.6.23.15/fs/jffs2/wbuf.c linux-2.6.23.15-grsec/fs/jffs2/wbuf.c
51036 ---- linux-2.6.23.15/fs/jffs2/wbuf.c 2007-10-09 21:31:38.000000000 +0100
51037 -+++ linux-2.6.23.15-grsec/fs/jffs2/wbuf.c 2008-02-11 10:37:44.000000000 +0000
51038 -@@ -973,7 +973,8 @@ static const struct jffs2_unknown_node o
51039 - {
51040 - .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
51041 - .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
51042 -- .totlen = constant_cpu_to_je32(8)
51043 -+ .totlen = constant_cpu_to_je32(8),
51044 -+ .hdr_crc = constant_cpu_to_je32(0)
51045 - };
51046 -
51047 - /*
51048 -diff -Nurp linux-2.6.23.15/fs/namei.c linux-2.6.23.15-grsec/fs/namei.c
51049 ---- linux-2.6.23.15/fs/namei.c 2008-02-11 10:36:03.000000000 +0000
51050 -+++ linux-2.6.23.15-grsec/fs/namei.c 2008-02-11 10:37:44.000000000 +0000
51051 -@@ -31,6 +31,7 @@
51052 - #include <linux/file.h>
51053 - #include <linux/fcntl.h>
51054 - #include <linux/namei.h>
51055 -+#include <linux/grsecurity.h>
51056 - #include <asm/namei.h>
51057 - #include <asm/uaccess.h>
51058 -
51059 -@@ -638,6 +639,13 @@ static inline int do_follow_link(struct
51060 - err = security_inode_follow_link(path->dentry, nd);
51061 - if (err)
51062 - goto loop;
51063 -+
51064 -+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
51065 -+ path->dentry->d_inode, path->dentry, nd->mnt)) {
51066 -+ err = -EACCES;
51067 -+ goto loop;
51068 -+ }
51069 -+
51070 - current->link_count++;
51071 - current->total_link_count++;
51072 - nd->depth++;
51073 -@@ -983,11 +991,18 @@ return_reval:
51074 - break;
51075 - }
51076 - return_base:
51077 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt)) {
51078 -+ path_release(nd);
51079 -+ return -ENOENT;
51080 -+ }
51081 - return 0;
51082 - out_dput:
51083 - dput_path(&next, nd);
51084 - break;
51085 - }
51086 -+ if (!gr_acl_handle_hidden_file(nd->dentry, nd->mnt))
51087 -+ err = -ENOENT;
51088 -+
51089 - path_release(nd);
51090 - return_err:
51091 - return err;
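Review bot: in the second part of this hunk the hidden-file check overwrites err unconditionally on the out_dput path, so whatever error the lookup loop produced (-EACCES, -ELOOP, ...) is replaced by -ENOENT whenever the dentry left in nd is hidden; that is a defensible choice for hiding objects from the caller, but it should be stated in a comment, and note that after dput_path(&next, nd) the dentry being tested is the last one that resolved, not the component that failed. The return_base check, by contrast, runs on the fully resolved path and reads as intended.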
51092 -@@ -1649,9 +1664,17 @@ static int open_namei_create(struct name
51093 - int error;
51094 - struct dentry *dir = nd->dentry;
51095 -
51096 -+ if (!gr_acl_handle_creat(path->dentry, nd->dentry, nd->mnt, flag, mode)) {
51097 -+ error = -EACCES;
51098 -+ goto out_unlock_dput;
51099 -+ }
51100 -+
51101 - if (!IS_POSIXACL(dir->d_inode))
51102 - mode &= ~current->fs->umask;
51103 - error = vfs_create(dir->d_inode, path->dentry, mode, nd);
51104 -+ if (!error)
51105 -+ gr_handle_create(path->dentry, nd->mnt);
51106 -+out_unlock_dput:
51107 - mutex_unlock(&dir->d_inode->i_mutex);
51108 - dput(nd->dentry);
51109 - nd->dentry = path->dentry;
51110 -@@ -1702,6 +1725,17 @@ int open_namei(int dfd, const char *path
51111 - nd, flag);
51112 - if (error)
51113 - return error;
51114 -+
51115 -+ if (gr_handle_rawio(nd->dentry->d_inode)) {
51116 -+ error = -EPERM;
51117 -+ goto exit;
51118 -+ }
51119 -+
51120 -+ if (!gr_acl_handle_open(nd->dentry, nd->mnt, flag)) {
51121 -+ error = -EACCES;
51122 -+ goto exit;
51123 -+ }
51124 -+
51125 - goto ok;
51126 - }
51127 -
51128 -@@ -1751,6 +1785,23 @@ do_last:
51129 - /*
51130 - * It already exists.
51131 - */
51132 -+
51133 -+ if (gr_handle_rawio(path.dentry->d_inode)) {
51134 -+ mutex_unlock(&dir->d_inode->i_mutex);
51135 -+ error = -EPERM;
51136 -+ goto exit_dput;
51137 -+ }
51138 -+ if (!gr_acl_handle_open(path.dentry, nd->mnt, flag)) {
51139 -+ mutex_unlock(&dir->d_inode->i_mutex);
51140 -+ error = -EACCES;
51141 -+ goto exit_dput;
51142 -+ }
51143 -+ if (gr_handle_fifo(path.dentry, nd->mnt, dir, flag, acc_mode)) {
51144 -+ mutex_unlock(&dir->d_inode->i_mutex);
51145 -+ error = -EACCES;
51146 -+ goto exit_dput;
51147 -+ }
51148 -+
51149 - mutex_unlock(&dir->d_inode->i_mutex);
51150 - audit_inode(pathname, path.dentry->d_inode);
51151 -
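Review bot: the three new checks in do_last each repeat `mutex_unlock(&dir->d_inode->i_mutex); error = ...; goto exit_dput;`, three copies of an unlock that is easy to miss on the next edit; either fold them into one `if (a || b || c)` with a single unwind, or add a local label that unlocks and falls into exit_dput. The ordering (rawio, then ACL open, then FIFO) and the -EPERM/-EACCES split are consistent with the open_namei hunk above.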
51152 -@@ -1806,6 +1857,13 @@ do_link:
51153 - error = security_inode_follow_link(path.dentry, nd);
51154 - if (error)
51155 - goto exit_dput;
51156 -+
51157 -+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
51158 -+ path.dentry, nd->mnt)) {
51159 -+ error = -EACCES;
51160 -+ goto exit_dput;
51161 -+ }
51162 -+
51163 - error = __do_follow_link(&path, nd);
51164 - if (error) {
51165 - /* Does someone understand code flow here? Or it is only
51166 -@@ -1934,6 +1992,22 @@ asmlinkage long sys_mknodat(int dfd, con
51167 - if (!IS_POSIXACL(nd.dentry->d_inode))
51168 - mode &= ~current->fs->umask;
51169 - if (!IS_ERR(dentry)) {
51170 -+ if (gr_handle_chroot_mknod(dentry, nd.mnt, mode)) {
51171 -+ error = -EPERM;
51172 -+ dput(dentry);
51173 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
51174 -+ path_release(&nd);
51175 -+ goto out;
51176 -+ }
51177 -+
51178 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
51179 -+ error = -EACCES;
51180 -+ dput(dentry);
51181 -+ mutex_unlock(&nd.dentry->d_inode->i_mutex);
51182 -+ path_release(&nd);
51183 -+ goto out;
51184 -+ }
51185 -+
51186 - switch (mode & S_IFMT) {
51187 - case 0: case S_IFREG:
51188 - error = vfs_create(nd.dentry->d_inode,dentry,mode,&nd);
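Review bot: both new checks in sys_mknodat hand-roll `dput(dentry); mutex_unlock(...); path_release(&nd); goto out;`, yet the existing tail of the same block already does dput and mutex_unlock after the switch (and presumably path_release after that); setting error and skipping the switch, or jumping to that existing sequence, would remove eight duplicated unwinding lines and keep a single exit path. The `if (!error) gr_handle_create(dentry, nd.mnt);` after the switch correctly mirrors the mkdir/symlink/link hunks.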
51189 -@@ -1951,6 +2025,10 @@ asmlinkage long sys_mknodat(int dfd, con
51190 - default:
51191 - error = -EINVAL;
51192 - }
51193 -+
51194 -+ if (!error)
51195 -+ gr_handle_create(dentry, nd.mnt);
51196 -+
51197 - dput(dentry);
51198 - }
51199 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51200 -@@ -2008,9 +2086,18 @@ asmlinkage long sys_mkdirat(int dfd, con
51201 - if (IS_ERR(dentry))
51202 - goto out_unlock;
51203 -
51204 -+ if (!gr_acl_handle_mkdir(dentry, nd.dentry, nd.mnt)) {
51205 -+ error = -EACCES;
51206 -+ goto out_unlock_dput;
51207 -+ }
51208 -+
51209 - if (!IS_POSIXACL(nd.dentry->d_inode))
51210 - mode &= ~current->fs->umask;
51211 - error = vfs_mkdir(nd.dentry->d_inode, dentry, mode);
51212 -+
51213 -+ if (!error)
51214 -+ gr_handle_create(dentry, nd.mnt);
51215 -+out_unlock_dput:
51216 - dput(dentry);
51217 - out_unlock:
51218 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51219 -@@ -2092,6 +2179,8 @@ static long do_rmdir(int dfd, const char
51220 - char * name;
51221 - struct dentry *dentry;
51222 - struct nameidata nd;
51223 -+ ino_t saved_ino = 0;
51224 -+ dev_t saved_dev = 0;
51225 -
51226 - name = getname(pathname);
51227 - if(IS_ERR(name))
51228 -@@ -2117,7 +2206,22 @@ static long do_rmdir(int dfd, const char
51229 - error = PTR_ERR(dentry);
51230 - if (IS_ERR(dentry))
51231 - goto exit2;
51232 -+
51233 -+ if (dentry->d_inode != NULL) {
51234 -+ if (dentry->d_inode->i_nlink <= 1) {
51235 -+ saved_ino = dentry->d_inode->i_ino;
51236 -+ saved_dev = dentry->d_inode->i_sb->s_dev;
51237 -+ }
51238 -+
51239 -+ if (!gr_acl_handle_rmdir(dentry, nd.mnt)) {
51240 -+ error = -EACCES;
51241 -+ goto dput_exit2;
51242 -+ }
51243 -+ }
51244 - error = vfs_rmdir(nd.dentry->d_inode, dentry);
51245 -+ if (!error && (saved_dev || saved_ino))
51246 -+ gr_handle_delete(saved_ino, saved_dev);
51247 -+dput_exit2:
51248 - dput(dentry);
51249 - exit2:
51250 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
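Review bot: do_rmdir records saved_ino/saved_dev only when dentry->d_inode->i_nlink <= 1, but a directory that is still linked into its parent normally has an i_nlink of at least 2 (its own `.` entry plus the parent's entry) on ext2/3/4 and most other filesystems, so gr_handle_delete would rarely fire for a successful rmdir. The nlink test makes sense in the do_unlinkat hunk below, where the inode survives if other hard links remain, but directories cannot be hard-linked, so here the condition should be dropped and the ino/dev saved whenever the inode exists.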
51251 -@@ -2176,6 +2280,8 @@ static long do_unlinkat(int dfd, const c
51252 - struct dentry *dentry;
51253 - struct nameidata nd;
51254 - struct inode *inode = NULL;
51255 -+ ino_t saved_ino = 0;
51256 -+ dev_t saved_dev = 0;
51257 -
51258 - name = getname(pathname);
51259 - if(IS_ERR(name))
51260 -@@ -2191,13 +2297,26 @@ static long do_unlinkat(int dfd, const c
51261 - dentry = lookup_hash(&nd);
51262 - error = PTR_ERR(dentry);
51263 - if (!IS_ERR(dentry)) {
51264 -+ error = 0;
51265 - /* Why not before? Because we want correct error value */
51266 - if (nd.last.name[nd.last.len])
51267 - goto slashes;
51268 - inode = dentry->d_inode;
51269 -- if (inode)
51270 -+ if (inode) {
51271 -+ if (inode->i_nlink <= 1) {
51272 -+ saved_ino = inode->i_ino;
51273 -+ saved_dev = inode->i_sb->s_dev;
51274 -+ }
51275 -+
51276 -+ if (!gr_acl_handle_unlink(dentry, nd.mnt))
51277 -+ error = -EACCES;
51278 -+
51279 - atomic_inc(&inode->i_count);
51280 -- error = vfs_unlink(nd.dentry->d_inode, dentry);
51281 -+ }
51282 -+ if (!error)
51283 -+ error = vfs_unlink(nd.dentry->d_inode, dentry);
51284 -+ if (!error && (saved_ino || saved_dev))
51285 -+ gr_handle_delete(saved_ino, saved_dev);
51286 - exit2:
51287 - dput(dentry);
51288 - }
51289 -@@ -2278,7 +2397,16 @@ asmlinkage long sys_symlinkat(const char
51290 - if (IS_ERR(dentry))
51291 - goto out_unlock;
51292 -
51293 -+ if (!gr_acl_handle_symlink(dentry, nd.dentry, nd.mnt, from)) {
51294 -+ error = -EACCES;
51295 -+ goto out_dput_unlock;
51296 -+ }
51297 -+
51298 - error = vfs_symlink(nd.dentry->d_inode, dentry, from, S_IALLUGO);
51299 -+
51300 -+ if (!error)
51301 -+ gr_handle_create(dentry, nd.mnt);
51302 -+out_dput_unlock:
51303 - dput(dentry);
51304 - out_unlock:
51305 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
51306 -@@ -2373,7 +2501,25 @@ asmlinkage long sys_linkat(int olddfd, c
51307 - error = PTR_ERR(new_dentry);
51308 - if (IS_ERR(new_dentry))
51309 - goto out_unlock;
51310 -+
51311 -+ if (gr_handle_hardlink(old_nd.dentry, old_nd.mnt,
51312 -+ old_nd.dentry->d_inode,
51313 -+ old_nd.dentry->d_inode->i_mode, to)) {
51314 -+ error = -EACCES;
51315 -+ goto out_unlock_dput;
51316 -+ }
51317 -+
51318 -+ if (!gr_acl_handle_link(new_dentry, nd.dentry, nd.mnt,
51319 -+ old_nd.dentry, old_nd.mnt, to)) {
51320 -+ error = -EACCES;
51321 -+ goto out_unlock_dput;
51322 -+ }
51323 -+
51324 - error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
51325 -+
51326 -+ if (!error)
51327 -+ gr_handle_create(new_dentry, nd.mnt);
51328 -+out_unlock_dput:
51329 - dput(new_dentry);
51330 - out_unlock:
51331 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
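Review bot: the two adjacent checks use opposite return conventions: `gr_handle_hardlink(...)` denies when it returns non-zero, while `gr_acl_handle_link(...)` denies when it returns zero, so the `if (...)` / `if (!...)` pair is easy to misread or to invert in a later edit. A one-line comment on each call, or a uniform convention across the gr_* hooks, would help. `old_nd.dentry->d_inode` is also dereferenced twice with no NULL check; that is only safe because `old_nd` comes from a successful path walk outside this hunk, which is worth stating next to the call.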
51332 -@@ -2599,8 +2745,16 @@ static int do_rename(int olddfd, const c
51333 - if (new_dentry == trap)
51334 - goto exit5;
51335 -
51336 -- error = vfs_rename(old_dir->d_inode, old_dentry,
51337 -+ error = gr_acl_handle_rename(new_dentry, newnd.dentry, newnd.mnt,
51338 -+ old_dentry, old_dir->d_inode, oldnd.mnt,
51339 -+ newname);
51340 -+
51341 -+ if (!error)
51342 -+ error = vfs_rename(old_dir->d_inode, old_dentry,
51343 - new_dir->d_inode, new_dentry);
51344 -+ if (!error)
51345 -+ gr_handle_rename(old_dir->d_inode, newnd.dentry->d_inode, old_dentry,
51346 -+ new_dentry, oldnd.mnt, new_dentry->d_inode ? 1 : 0);
51347 - exit5:
51348 - dput(new_dentry);
51349 - exit4:
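Review bot: `gr_acl_handle_rename` is used with yet another convention, its return value being assigned directly to `error`, so it must return 0 to allow and a negative errno to deny, unlike the zero-means-deny `gr_acl_handle_*` hooks in the link and symlink hunks above; please confirm and document that contract. Minor: the post-rename call passes `newnd.dentry->d_inode` while the surrounding `vfs_rename` line uses `new_dir->d_inode` for the same directory, so `new_dir` would keep the hunk consistent. The `new_dentry->d_inode ? 1 : 0` flag is evaluated after `vfs_rename`, so it relies on the replaced target's inode still being attached to `new_dentry` until the `dput(new_dentry)` at exit5; a comment saying "1 if an existing target was replaced" would spare the next reader the trip into d_move.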
51350 -diff -Nurp linux-2.6.23.15/fs/namespace.c linux-2.6.23.15-grsec/fs/namespace.c
51351 ---- linux-2.6.23.15/fs/namespace.c 2007-10-09 21:31:38.000000000 +0100
51352 -+++ linux-2.6.23.15-grsec/fs/namespace.c 2008-02-11 10:37:44.000000000 +0000
51353 -@@ -25,6 +25,7 @@
51354 - #include <linux/security.h>
51355 - #include <linux/mount.h>
51356 - #include <linux/ramfs.h>
51357 -+#include <linux/grsecurity.h>
51358 - #include <asm/uaccess.h>
51359 - #include <asm/unistd.h>
51360 - #include "pnode.h"
51361 -@@ -597,6 +598,8 @@ static int do_umount(struct vfsmount *mn
51362 - DQUOT_OFF(sb);
51363 - retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
51364 - unlock_kernel();
51365 -+
51366 -+ gr_log_remount(mnt->mnt_devname, retval);
51367 - }
51368 - up_write(&sb->s_umount);
51369 - return retval;
51370 -@@ -617,6 +620,9 @@ static int do_umount(struct vfsmount *mn
51371 - security_sb_umount_busy(mnt);
51372 - up_write(&namespace_sem);
51373 - release_mounts(&umount_list);
51374 -+
51375 -+ gr_log_unmount(mnt->mnt_devname, retval);
51376 -+
51377 - return retval;
51378 - }
51379 -
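Review bot: `gr_log_unmount(mnt->mnt_devname, retval)` dereferences `mnt` after `release_mounts(&umount_list)` has already torn down the unmounted tree; that is only safe because the caller still holds its own reference on `mnt` until do_umount returns. Please either add a comment stating that, or copy `mnt_devname` into a local before `release_mounts` so the ordering stops mattering.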
51380 -@@ -1422,6 +1428,11 @@ long do_mount(char *dev_name, char *dir_
51381 - if (retval)
51382 - goto dput_out;
51383 -
51384 -+ if (gr_handle_chroot_mount(nd.dentry, nd.mnt, dev_name)) {
51385 -+ retval = -EPERM;
51386 -+ goto dput_out;
51387 -+ }
51388 -+
51389 - if (flags & MS_REMOUNT)
51390 - retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
51391 - data_page);
51392 -@@ -1436,6 +1447,9 @@ long do_mount(char *dev_name, char *dir_
51393 - dev_name, data_page);
51394 - dput_out:
51395 - path_release(&nd);
51396 -+
51397 -+ gr_log_mount(dev_name, dir_name, retval);
51398 -+
51399 - return retval;
51400 - }
51401 -
51402 -@@ -1673,6 +1687,9 @@ asmlinkage long sys_pivot_root(const cha
51403 - if (!capable(CAP_SYS_ADMIN))
51404 - return -EPERM;
51405 -
51406 -+ if (gr_handle_chroot_pivot())
51407 -+ return -EPERM;
51408 -+
51409 - lock_kernel();
51410 -
51411 - error = __user_walk(new_root, LOOKUP_FOLLOW | LOOKUP_DIRECTORY,
51412 -diff -Nurp linux-2.6.23.15/fs/nfs/callback_xdr.c linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c
51413 ---- linux-2.6.23.15/fs/nfs/callback_xdr.c 2007-10-09 21:31:38.000000000 +0100
51414 -+++ linux-2.6.23.15-grsec/fs/nfs/callback_xdr.c 2008-02-11 10:37:44.000000000 +0000
51415 -@@ -139,7 +139,7 @@ static __be32 decode_compound_hdr_arg(st
51416 - if (unlikely(status != 0))
51417 - return status;
51418 - /* We do not like overly long tags! */
51419 -- if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12 || hdr->taglen < 0) {
51420 -+ if (hdr->taglen > CB_OP_TAGLEN_MAXSZ-12) {
51421 - printk("NFSv4 CALLBACK %s: client sent tag of length %u\n",
51422 - __FUNCTION__, hdr->taglen);
51423 - return htonl(NFS4ERR_RESOURCE);
51424 -diff -Nurp linux-2.6.23.15/fs/nfs/nfs4proc.c linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c
51425 ---- linux-2.6.23.15/fs/nfs/nfs4proc.c 2007-10-09 21:31:38.000000000 +0100
51426 -+++ linux-2.6.23.15-grsec/fs/nfs/nfs4proc.c 2008-02-11 10:37:44.000000000 +0000
51427 -@@ -657,7 +657,7 @@ static int _nfs4_do_open_reclaim(struct
51428 - static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
51429 - {
51430 - struct nfs_server *server = NFS_SERVER(state->inode);
51431 -- struct nfs4_exception exception = { };
51432 -+ struct nfs4_exception exception = {0, 0};
51433 - int err;
51434 - do {
51435 - err = _nfs4_do_open_reclaim(ctx, state);
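Review bot: `{0, 0}` hard-codes the number of members of `struct nfs4_exception`, so every one of these initializers will need touching if the struct ever grows; `{ 0 }` is the standard C spelling that zero-fills the whole object and silences the empty-initializer warning just as well. The same applies to all the other `exception` hunks in this file.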
51436 -@@ -699,7 +699,7 @@ static int _nfs4_open_delegation_recall(
51437 -
51438 - int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
51439 - {
51440 -- struct nfs4_exception exception = { };
51441 -+ struct nfs4_exception exception = {0, 0};
51442 - struct nfs_server *server = NFS_SERVER(state->inode);
51443 - int err;
51444 - do {
51445 -@@ -1020,7 +1020,7 @@ static int _nfs4_open_expired(struct nfs
51446 - static inline int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
51447 - {
51448 - struct nfs_server *server = NFS_SERVER(state->inode);
51449 -- struct nfs4_exception exception = { };
51450 -+ struct nfs4_exception exception = {0, 0};
51451 - int err;
51452 -
51453 - do {
51454 -@@ -1122,7 +1122,7 @@ out_err:
51455 -
51456 - static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, int flags, struct iattr *sattr, struct rpc_cred *cred)
51457 - {
51458 -- struct nfs4_exception exception = { };
51459 -+ struct nfs4_exception exception = {0, 0};
51460 - struct nfs4_state *res;
51461 - int status;
51462 -
51463 -@@ -1211,7 +1211,7 @@ static int nfs4_do_setattr(struct inode
51464 - struct iattr *sattr, struct nfs4_state *state)
51465 - {
51466 - struct nfs_server *server = NFS_SERVER(inode);
51467 -- struct nfs4_exception exception = { };
51468 -+ struct nfs4_exception exception = {0, 0};
51469 - int err;
51470 - do {
51471 - err = nfs4_handle_exception(server,
51472 -@@ -1504,7 +1504,7 @@ static int _nfs4_server_capabilities(str
51473 -
51474 - int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
51475 - {
51476 -- struct nfs4_exception exception = { };
51477 -+ struct nfs4_exception exception = {0, 0};
51478 - int err;
51479 - do {
51480 - err = nfs4_handle_exception(server,
51481 -@@ -1537,7 +1537,7 @@ static int _nfs4_lookup_root(struct nfs_
51482 - static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
51483 - struct nfs_fsinfo *info)
51484 - {
51485 -- struct nfs4_exception exception = { };
51486 -+ struct nfs4_exception exception = {0, 0};
51487 - int err;
51488 - do {
51489 - err = nfs4_handle_exception(server,
51490 -@@ -1626,7 +1626,7 @@ static int _nfs4_proc_getattr(struct nfs
51491 -
51492 - static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
51493 - {
51494 -- struct nfs4_exception exception = { };
51495 -+ struct nfs4_exception exception = {0, 0};
51496 - int err;
51497 - do {
51498 - err = nfs4_handle_exception(server,
51499 -@@ -1716,7 +1716,7 @@ static int nfs4_proc_lookupfh(struct nfs
51500 - struct qstr *name, struct nfs_fh *fhandle,
51501 - struct nfs_fattr *fattr)
51502 - {
51503 -- struct nfs4_exception exception = { };
51504 -+ struct nfs4_exception exception = {0, 0};
51505 - int err;
51506 - do {
51507 - err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
51508 -@@ -1745,7 +1745,7 @@ static int _nfs4_proc_lookup(struct inod
51509 -
51510 - static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
51511 - {
51512 -- struct nfs4_exception exception = { };
51513 -+ struct nfs4_exception exception = {0, 0};
51514 - int err;
51515 - do {
51516 - err = nfs4_handle_exception(NFS_SERVER(dir),
51517 -@@ -1801,7 +1801,7 @@ static int _nfs4_proc_access(struct inod
51518 -
51519 - static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
51520 - {
51521 -- struct nfs4_exception exception = { };
51522 -+ struct nfs4_exception exception = {0, 0};
51523 - int err;
51524 - do {
51525 - err = nfs4_handle_exception(NFS_SERVER(inode),
51526 -@@ -1856,7 +1856,7 @@ static int _nfs4_proc_readlink(struct in
51527 - static int nfs4_proc_readlink(struct inode *inode, struct page *page,
51528 - unsigned int pgbase, unsigned int pglen)
51529 - {
51530 -- struct nfs4_exception exception = { };
51531 -+ struct nfs4_exception exception = {0, 0};
51532 - int err;
51533 - do {
51534 - err = nfs4_handle_exception(NFS_SERVER(inode),
51535 -@@ -1950,7 +1950,7 @@ static int _nfs4_proc_remove(struct inod
51536 -
51537 - static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
51538 - {
51539 -- struct nfs4_exception exception = { };
51540 -+ struct nfs4_exception exception = {0, 0};
51541 - int err;
51542 - do {
51543 - err = nfs4_handle_exception(NFS_SERVER(dir),
51544 -@@ -2022,7 +2022,7 @@ static int _nfs4_proc_rename(struct inod
51545 - static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
51546 - struct inode *new_dir, struct qstr *new_name)
51547 - {
51548 -- struct nfs4_exception exception = { };
51549 -+ struct nfs4_exception exception = {0, 0};
51550 - int err;
51551 - do {
51552 - err = nfs4_handle_exception(NFS_SERVER(old_dir),
51553 -@@ -2069,7 +2069,7 @@ static int _nfs4_proc_link(struct inode
51554 -
51555 - static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
51556 - {
51557 -- struct nfs4_exception exception = { };
51558 -+ struct nfs4_exception exception = {0, 0};
51559 - int err;
51560 - do {
51561 - err = nfs4_handle_exception(NFS_SERVER(inode),
51562 -@@ -2126,7 +2126,7 @@ static int _nfs4_proc_symlink(struct ino
51563 - static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
51564 - struct page *page, unsigned int len, struct iattr *sattr)
51565 - {
51566 -- struct nfs4_exception exception = { };
51567 -+ struct nfs4_exception exception = {0, 0};
51568 - int err;
51569 - do {
51570 - err = nfs4_handle_exception(NFS_SERVER(dir),
51571 -@@ -2179,7 +2179,7 @@ static int _nfs4_proc_mkdir(struct inode
51572 - static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
51573 - struct iattr *sattr)
51574 - {
51575 -- struct nfs4_exception exception = { };
51576 -+ struct nfs4_exception exception = {0, 0};
51577 - int err;
51578 - do {
51579 - err = nfs4_handle_exception(NFS_SERVER(dir),
51580 -@@ -2225,7 +2225,7 @@ static int _nfs4_proc_readdir(struct den
51581 - static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
51582 - u64 cookie, struct page *page, unsigned int count, int plus)
51583 - {
51584 -- struct nfs4_exception exception = { };
51585 -+ struct nfs4_exception exception = {0, 0};
51586 - int err;
51587 - do {
51588 - err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
51589 -@@ -2295,7 +2295,7 @@ static int _nfs4_proc_mknod(struct inode
51590 - static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
51591 - struct iattr *sattr, dev_t rdev)
51592 - {
51593 -- struct nfs4_exception exception = { };
51594 -+ struct nfs4_exception exception = {0, 0};
51595 - int err;
51596 - do {
51597 - err = nfs4_handle_exception(NFS_SERVER(dir),
51598 -@@ -2324,7 +2324,7 @@ static int _nfs4_proc_statfs(struct nfs_
51599 -
51600 - static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
51601 - {
51602 -- struct nfs4_exception exception = { };
51603 -+ struct nfs4_exception exception = {0, 0};
51604 - int err;
51605 - do {
51606 - err = nfs4_handle_exception(server,
51607 -@@ -2352,7 +2352,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
51608 -
51609 - static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
51610 - {
51611 -- struct nfs4_exception exception = { };
51612 -+ struct nfs4_exception exception = {0, 0};
51613 - int err;
51614 -
51615 - do {
51616 -@@ -2395,7 +2395,7 @@ static int _nfs4_proc_pathconf(struct nf
51617 - static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
51618 - struct nfs_pathconf *pathconf)
51619 - {
51620 -- struct nfs4_exception exception = { };
51621 -+ struct nfs4_exception exception = {0, 0};
51622 - int err;
51623 -
51624 - do {
51625 -@@ -2714,7 +2714,7 @@ out_free:
51626 -
51627 - static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
51628 - {
51629 -- struct nfs4_exception exception = { };
51630 -+ struct nfs4_exception exception = {0, 0};
51631 - ssize_t ret;
51632 - do {
51633 - ret = __nfs4_get_acl_uncached(inode, buf, buflen);
51634 -@@ -2768,7 +2768,7 @@ static int __nfs4_proc_set_acl(struct in
51635 -
51636 - static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
51637 - {
51638 -- struct nfs4_exception exception = { };
51639 -+ struct nfs4_exception exception = {0, 0};
51640 - int err;
51641 - do {
51642 - err = nfs4_handle_exception(NFS_SERVER(inode),
51643 -@@ -3065,7 +3065,7 @@ static int _nfs4_proc_delegreturn(struct
51644 - int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid)
51645 - {
51646 - struct nfs_server *server = NFS_SERVER(inode);
51647 -- struct nfs4_exception exception = { };
51648 -+ struct nfs4_exception exception = {0, 0};
51649 - int err;
51650 - do {
51651 - err = _nfs4_proc_delegreturn(inode, cred, stateid);
51652 -@@ -3140,7 +3140,7 @@ out:
51653 -
51654 - static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
51655 - {
51656 -- struct nfs4_exception exception = { };
51657 -+ struct nfs4_exception exception = {0, 0};
51658 - int err;
51659 -
51660 - do {
51661 -@@ -3474,7 +3474,7 @@ static int _nfs4_do_setlk(struct nfs4_st
51662 - static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
51663 - {
51664 - struct nfs_server *server = NFS_SERVER(state->inode);
51665 -- struct nfs4_exception exception = { };
51666 -+ struct nfs4_exception exception = {0, 0};
51667 - int err;
51668 -
51669 - do {
51670 -@@ -3492,7 +3492,7 @@ static int nfs4_lock_reclaim(struct nfs4
51671 - static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
51672 - {
51673 - struct nfs_server *server = NFS_SERVER(state->inode);
51674 -- struct nfs4_exception exception = { };
51675 -+ struct nfs4_exception exception = {0, 0};
51676 - int err;
51677 -
51678 - err = nfs4_set_lock_state(state, request);
51679 -@@ -3553,7 +3553,7 @@ out:
51680 -
51681 - static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
51682 - {
51683 -- struct nfs4_exception exception = { };
51684 -+ struct nfs4_exception exception = {0, 0};
51685 - int err;
51686 -
51687 - do {
51688 -@@ -3603,7 +3603,7 @@ nfs4_proc_lock(struct file *filp, int cm
51689 - int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
51690 - {
51691 - struct nfs_server *server = NFS_SERVER(state->inode);
51692 -- struct nfs4_exception exception = { };
51693 -+ struct nfs4_exception exception = {0, 0};
51694 - int err;
51695 -
51696 - err = nfs4_set_lock_state(state, fl);
51697 -diff -Nurp linux-2.6.23.15/fs/nfsd/export.c linux-2.6.23.15-grsec/fs/nfsd/export.c
51698 ---- linux-2.6.23.15/fs/nfsd/export.c 2007-10-09 21:31:38.000000000 +0100
51699 -+++ linux-2.6.23.15-grsec/fs/nfsd/export.c 2008-02-11 10:37:44.000000000 +0000
51700 -@@ -478,7 +478,7 @@ static int secinfo_parse(char **mesg, ch
51701 - * probably discover the problem when someone fails to
51702 - * authenticate.
51703 - */
51704 -- if (f->pseudoflavor < 0)
51705 -+ if ((s32)f->pseudoflavor < 0)
51706 - return -EINVAL;
51707 - err = get_int(mesg, &f->flags);
51708 - if (err)
51709 -diff -Nurp linux-2.6.23.15/fs/nfsd/nfs4state.c linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c
51710 ---- linux-2.6.23.15/fs/nfsd/nfs4state.c 2007-10-09 21:31:38.000000000 +0100
51711 -+++ linux-2.6.23.15-grsec/fs/nfsd/nfs4state.c 2008-02-11 10:37:44.000000000 +0000
51712 -@@ -1248,7 +1248,7 @@ static int access_valid(u32 x)
51713 -
51714 - static int deny_valid(u32 x)
51715 - {
51716 -- return (x >= 0 && x < 5);
51717 -+ return (x < 5);
51718 - }
51719 -
51720 - static void
51721 -diff -Nurp linux-2.6.23.15/fs/nls/nls_base.c linux-2.6.23.15-grsec/fs/nls/nls_base.c
51722 ---- linux-2.6.23.15/fs/nls/nls_base.c 2007-10-09 21:31:38.000000000 +0100
51723 -+++ linux-2.6.23.15-grsec/fs/nls/nls_base.c 2008-02-11 10:37:44.000000000 +0000
51724 -@@ -42,7 +42,7 @@ static struct utf8_table utf8_table[] =
51725 - {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
51726 - {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
51727 - {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
51728 -- {0, /* end of table */}
51729 -+ {0, 0, 0, 0, 0, /* end of table */}
51730 - };
51731 -
51732 - int
51733 -diff -Nurp linux-2.6.23.15/fs/ntfs/file.c linux-2.6.23.15-grsec/fs/ntfs/file.c
51734 ---- linux-2.6.23.15/fs/ntfs/file.c 2007-10-09 21:31:38.000000000 +0100
51735 -+++ linux-2.6.23.15-grsec/fs/ntfs/file.c 2008-02-11 10:37:44.000000000 +0000
51736 -@@ -2295,6 +2295,6 @@ const struct inode_operations ntfs_file_
51737 - #endif /* NTFS_RW */
51738 - };
51739 -
51740 --const struct file_operations ntfs_empty_file_ops = {};
51741 -+const struct file_operations ntfs_empty_file_ops;
51742 -
51743 --const struct inode_operations ntfs_empty_inode_ops = {};
51744 -+const struct inode_operations ntfs_empty_inode_ops;
51745 -diff -Nurp linux-2.6.23.15/fs/open.c linux-2.6.23.15-grsec/fs/open.c
51746 ---- linux-2.6.23.15/fs/open.c 2007-10-09 21:31:38.000000000 +0100
51747 -+++ linux-2.6.23.15-grsec/fs/open.c 2008-02-11 10:37:44.000000000 +0000
51748 -@@ -27,6 +27,7 @@
51749 - #include <linux/rcupdate.h>
51750 - #include <linux/audit.h>
51751 - #include <linux/falloc.h>
51752 -+#include <linux/grsecurity.h>
51753 -
51754 - int vfs_statfs(struct dentry *dentry, struct kstatfs *buf)
51755 - {
51756 -@@ -204,6 +205,9 @@ int do_truncate(struct dentry *dentry, l
51757 - if (length < 0)
51758 - return -EINVAL;
51759 -
51760 -+ if (filp && !gr_acl_handle_truncate(dentry, filp->f_vfsmnt))
51761 -+ return -EACCES;
51762 -+
51763 - newattrs.ia_size = length;
51764 - newattrs.ia_valid = ATTR_SIZE | time_attrs;
51765 - if (filp) {
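Review bot: the new ACL check is gated on `filp`, and the `if (filp) {` context just below shows that NULL is an expected value here, so every caller that reaches do_truncate without a file gets no `gr_acl_handle_truncate` check at all. If those callers are meant to be covered, the check has to happen where a vfsmount is still available, or do_truncate needs the mount passed in explicitly; if the gap is intentional, a comment should say so.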
51766 -@@ -461,6 +465,9 @@ asmlinkage long sys_faccessat(int dfd, c
51767 - if(IS_RDONLY(nd.dentry->d_inode))
51768 - res = -EROFS;
51769 -
51770 -+ if (!res && !gr_acl_handle_access(nd.dentry, nd.mnt, mode))
51771 -+ res = -EACCES;
51772 -+
51773 - out_path_release:
51774 - path_release(&nd);
51775 - out:
51776 -@@ -490,6 +497,8 @@ asmlinkage long sys_chdir(const char __u
51777 - if (error)
51778 - goto dput_and_out;
51779 -
51780 -+ gr_log_chdir(nd.dentry, nd.mnt);
51781 -+
51782 - set_fs_pwd(current->fs, nd.mnt, nd.dentry);
51783 -
51784 - dput_and_out:
51785 -@@ -520,6 +529,13 @@ asmlinkage long sys_fchdir(unsigned int
51786 - goto out_putf;
51787 -
51788 - error = file_permission(file, MAY_EXEC);
51789 -+
51790 -+ if (!error && !gr_chroot_fchdir(dentry, mnt))
51791 -+ error = -EPERM;
51792 -+
51793 -+ if (!error)
51794 -+ gr_log_chdir(dentry, mnt);
51795 -+
51796 - if (!error)
51797 - set_fs_pwd(current->fs, mnt, dentry);
51798 - out_putf:
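Review bot: style: the three consecutive `if (!error ...)` guards after `file_permission` can be folded into one `if (!error) { gr_log_chdir(dentry, mnt); set_fs_pwd(current->fs, mnt, dentry); }` following the `gr_chroot_fchdir` test; as written the repeated guards suggest the log and the directory change could diverge, which they cannot.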
51799 -@@ -545,8 +561,16 @@ asmlinkage long sys_chroot(const char __
51800 - if (!capable(CAP_SYS_CHROOT))
51801 - goto dput_and_out;
51802 -
51803 -+ if (gr_handle_chroot_chroot(nd.dentry, nd.mnt))
51804 -+ goto dput_and_out;
51805 -+
51806 - set_fs_root(current->fs, nd.mnt, nd.dentry);
51807 - set_fs_altroot();
51808 -+
51809 -+ gr_handle_chroot_caps(current);
51810 -+
51811 -+ gr_handle_chroot_chdir(nd.dentry, nd.mnt);
51812 -+
51813 - error = 0;
51814 - dput_and_out:
51815 - path_release(&nd);
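Review bot: `if (gr_handle_chroot_chroot(nd.dentry, nd.mnt)) goto dput_and_out;` returns whatever `error` happens to hold at that point (the `-EPERM` that the preceding `capable(CAP_SYS_CHROOT)` test also relies on). Setting `error = -EPERM` explicitly before the goto makes the denial self-contained and survives any reordering of the checks above it. Also, `gr_handle_chroot_caps(current)` runs after `set_fs_root`, so nothing it reports can be acted on any more; a comment on its never-fails contract would help.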
51816 -@@ -577,9 +601,22 @@ asmlinkage long sys_fchmod(unsigned int
51817 - err = -EPERM;
51818 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51819 - goto out_putf;
51820 -+
51821 -+ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
51822 -+ err = -EACCES;
51823 -+ goto out_putf;
51824 -+ }
51825 -+
51826 - mutex_lock(&inode->i_mutex);
51827 - if (mode == (mode_t) -1)
51828 - mode = inode->i_mode;
51829 -+
51830 -+ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
51831 -+ err = -EPERM;
51832 -+ mutex_unlock(&inode->i_mutex);
51833 -+ goto out_putf;
51834 -+ }
51835 -+
51836 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
51837 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
51838 - err = notify_change(dentry, &newattrs);
51839 -@@ -612,9 +649,21 @@ asmlinkage long sys_fchmodat(int dfd, co
51840 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51841 - goto dput_and_out;
51842 -
51843 -+ if (!gr_acl_handle_chmod(nd.dentry, nd.mnt, mode)) {
51844 -+ error = -EACCES;
51845 -+ goto dput_and_out;
51846 -+ };
51847 -+
51848 - mutex_lock(&inode->i_mutex);
51849 - if (mode == (mode_t) -1)
51850 - mode = inode->i_mode;
51851 -+
51852 -+ if (gr_handle_chroot_chmod(nd.dentry, nd.mnt, mode)) {
51853 -+ error = -EACCES;
51854 -+ mutex_unlock(&inode->i_mutex);
51855 -+ goto dput_and_out;
51856 -+ }
51857 -+
51858 - newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
51859 - newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
51860 - error = notify_change(nd.dentry, &newattrs);
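Review bot: the chroot check here returns `-EACCES` while the identical `gr_handle_chroot_chmod` check in the sys_fchmod hunk above returns `-EPERM`; the two entry points should fail the same way for the same policy, and `-EPERM` matches the `IS_IMMUTABLE`/`IS_APPEND` case on the same path. Also the stray `;` after the closing brace of the `gr_acl_handle_chmod` block (`};`) is an empty statement and should be dropped.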
51861 -@@ -631,7 +680,7 @@ asmlinkage long sys_chmod(const char __u
51862 - return sys_fchmodat(AT_FDCWD, filename, mode);
51863 - }
51864 -
51865 --static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
51866 -+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
51867 - {
51868 - struct inode * inode;
51869 - int error;
51870 -@@ -648,6 +697,12 @@ static int chown_common(struct dentry *
51871 - error = -EPERM;
51872 - if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
51873 - goto out;
51874 -+
51875 -+ if (!gr_acl_handle_chown(dentry, mnt)) {
51876 -+ error = -EACCES;
51877 -+ goto out;
51878 -+ }
51879 -+
51880 - newattrs.ia_valid = ATTR_CTIME;
51881 - if (user != (uid_t) -1) {
51882 - newattrs.ia_valid |= ATTR_UID;
51883 -@@ -674,7 +729,7 @@ asmlinkage long sys_chown(const char __u
51884 - error = user_path_walk(filename, &nd);
51885 - if (error)
51886 - goto out;
51887 -- error = chown_common(nd.dentry, user, group);
51888 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51889 - path_release(&nd);
51890 - out:
51891 - return error;
51892 -@@ -694,7 +749,7 @@ asmlinkage long sys_fchownat(int dfd, co
51893 - error = __user_walk_fd(dfd, filename, follow, &nd);
51894 - if (error)
51895 - goto out;
51896 -- error = chown_common(nd.dentry, user, group);
51897 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51898 - path_release(&nd);
51899 - out:
51900 - return error;
51901 -@@ -708,7 +763,7 @@ asmlinkage long sys_lchown(const char __
51902 - error = user_path_walk_link(filename, &nd);
51903 - if (error)
51904 - goto out;
51905 -- error = chown_common(nd.dentry, user, group);
51906 -+ error = chown_common(nd.dentry, user, group, nd.mnt);
51907 - path_release(&nd);
51908 - out:
51909 - return error;
51910 -@@ -727,7 +782,7 @@ asmlinkage long sys_fchown(unsigned int
51911 -
51912 - dentry = file->f_path.dentry;
51913 - audit_inode(NULL, dentry->d_inode);
51914 -- error = chown_common(dentry, user, group);
51915 -+ error = chown_common(dentry, user, group, file->f_vfsmnt);
51916 - fput(file);
51917 - out:
51918 - return error;
51919 -@@ -934,6 +989,7 @@ repeat:
51920 - * N.B. For clone tasks sharing a files structure, this test
51921 - * will limit the total number of files that can be opened.
51922 - */
51923 -+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
51924 - if (fd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
51925 - goto out;
51926 -
51927 -diff -Nurp linux-2.6.23.15/fs/partitions/efi.c linux-2.6.23.15-grsec/fs/partitions/efi.c
51928 ---- linux-2.6.23.15/fs/partitions/efi.c 2007-10-09 21:31:38.000000000 +0100
51929 -+++ linux-2.6.23.15-grsec/fs/partitions/efi.c 2008-02-11 10:37:44.000000000 +0000
51930 -@@ -99,7 +99,7 @@
51931 - #ifdef EFI_DEBUG
51932 - #define Dprintk(x...) printk(KERN_DEBUG x)
51933 - #else
51934 --#define Dprintk(x...)
51935 -+#define Dprintk(x...) do {} while (0)
51936 - #endif
51937 -
51938 - /* This allows a kernel command line option 'gpt' to override
51939 -diff -Nurp linux-2.6.23.15/fs/pipe.c linux-2.6.23.15-grsec/fs/pipe.c
51940 ---- linux-2.6.23.15/fs/pipe.c 2007-10-09 21:31:38.000000000 +0100
51941 -+++ linux-2.6.23.15-grsec/fs/pipe.c 2008-02-11 10:37:44.000000000 +0000
51942 -@@ -888,7 +888,7 @@ void free_pipe_info(struct inode *inode)
51943 - inode->i_pipe = NULL;
51944 - }
51945 -
51946 --static struct vfsmount *pipe_mnt __read_mostly;
51947 -+struct vfsmount *pipe_mnt __read_mostly;
51948 - static int pipefs_delete_dentry(struct dentry *dentry)
51949 - {
51950 - /*
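Review bot: dropping `static` from `pipe_mnt` exports it to the rest of the kernel without adding an `extern struct vfsmount *pipe_mnt;` declaration to a header; whatever code now relies on the symbol will otherwise carry a local extern, which silently diverges if the type changes. Please add the declaration (and an EXPORT_SYMBOL if modules need it), and a comment here on why the symbol is exposed.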
51951 -diff -Nurp linux-2.6.23.15/fs/proc/array.c linux-2.6.23.15-grsec/fs/proc/array.c
51952 ---- linux-2.6.23.15/fs/proc/array.c 2008-02-11 10:36:03.000000000 +0000
51953 -+++ linux-2.6.23.15-grsec/fs/proc/array.c 2008-02-11 10:37:44.000000000 +0000
51954 -@@ -298,6 +298,21 @@ static inline char *task_context_switch_
51955 - p->nivcsw);
51956 - }
51957 -
51958 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51959 -+static inline char *task_pax(struct task_struct *p, char *buffer)
51960 -+{
51961 -+ if (p->mm)
51962 -+ return buffer + sprintf(buffer, "PaX:\t%c%c%c%c%c\n",
51963 -+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
51964 -+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
51965 -+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
51966 -+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
51967 -+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
51968 -+ else
51969 -+ return buffer + sprintf(buffer, "PaX:\t-----\n");
51970 -+}
51971 -+#endif
51972 -+
51973 - int proc_pid_status(struct task_struct *task, char *buffer)
51974 - {
51975 - char *orig = buffer;
51976 -@@ -317,6 +332,11 @@ int proc_pid_status(struct task_struct *
51977 - buffer = task_show_regs(task, buffer);
51978 - #endif
51979 - buffer = task_context_switch_counts(task, buffer);
51980 -+
51981 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
51982 -+ buffer = task_pax(task, buffer);
51983 -+#endif
51984 -+
51985 - return buffer - orig;
51986 - }
51987 -
51988 -@@ -372,6 +392,12 @@ static cputime_t task_stime(struct task_
51989 - }
51990 - #endif
51991 -
51992 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51993 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
51994 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
51995 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
51996 -+#endif
51997 -+
51998 - static int do_task_stat(struct task_struct *task, char *buffer, int whole)
51999 - {
52000 - unsigned long vsize, eip, esp, wchan = ~0UL;
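Review bot: in `PAX_RAND_FLAGS(_mm)` the macro argument is used unparenthesised in every expansion, and the two `& MF_PAX_*` tests can be collapsed: `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. The call sites in the following hunks also evaluate `PAX_RAND_FLAGS(mm)` several times in a single argument list; a local `int hide = PAX_RAND_FLAGS(mm);` computed once would be cheaper and easier to read.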
52001 -@@ -458,6 +484,19 @@ static int do_task_stat(struct task_stru
52002 - stime = task_stime(task);
52003 - }
52004 -
52005 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52006 -+ if (PAX_RAND_FLAGS(mm)) {
52007 -+ eip = 0;
52008 -+ esp = 0;
52009 -+ wchan = 0;
52010 -+ }
52011 -+#endif
52012 -+#ifdef CONFIG_GRKERNSEC_HIDESYM
52013 -+ wchan = 0;
52014 -+ eip =0;
52015 -+ esp =0;
52016 -+#endif
52017 -+
52018 - /* scale priority and nice values from timeslices to -20..20 */
52019 - /* to make it look like a "normal" Unix priority/nice value */
52020 - priority = task_prio(task);
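Review bot: style: `eip =0;` and `esp =0;` are missing the space before `0`. More substantively, the `CONFIG_GRKERNSEC_HIDESYM` block unconditionally zeroes the same three variables the `CONFIG_GRKERNSEC_PROC_MEMMAP` block above it zeroes conditionally, so with both options enabled the first block is dead; writing it as `#ifdef CONFIG_GRKERNSEC_HIDESYM ... #elif defined(CONFIG_GRKERNSEC_PROC_MEMMAP) ... #endif` states that precedence explicitly.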
52021 -@@ -498,9 +537,15 @@ static int do_task_stat(struct task_stru
52022 - vsize,
52023 - mm ? get_mm_rss(mm) : 0,
52024 - rsslim,
52025 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52026 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
52027 -+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
52028 -+ PAX_RAND_FLAGS(mm) ? 0 : (mm ? mm->start_stack : 0),
52029 -+#else
52030 - mm ? mm->start_code : 0,
52031 - mm ? mm->end_code : 0,
52032 - mm ? mm->start_stack : 0,
52033 -+#endif
52034 - esp,
52035 - eip,
52036 - /* The signal information here is obsolete.
52037 -@@ -547,3 +592,14 @@ int proc_pid_statm(struct task_struct *t
52038 - return sprintf(buffer, "%d %d %d %d %d %d %d\n",
52039 - size, resident, shared, text, lib, data, 0);
52040 - }
52041 -+
52042 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52043 -+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
52044 -+{
52045 -+ int len;
52046 -+
52047 -+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->signal->curr_ip));
52048 -+ return len;
52049 -+}
52050 -+#endif
52051 -+
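Review bot: the final `+` line adds an empty line after the closing `#endif`, leaving a trailing blank line at end of file; drop it. `proc_pid_ipaddr` also reads `task->signal->curr_ip` with no check that `task->signal` is still attached; please confirm the `/proc` read path that calls this guarantees a live signal struct, or guard the dereference the way the other per-task readers in this file do.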
52052 -diff -Nurp linux-2.6.23.15/fs/proc/base.c linux-2.6.23.15-grsec/fs/proc/base.c
52053 ---- linux-2.6.23.15/fs/proc/base.c 2007-10-09 21:31:38.000000000 +0100
52054 -+++ linux-2.6.23.15-grsec/fs/proc/base.c 2008-02-11 10:37:44.000000000 +0000
52055 -@@ -73,6 +73,7 @@
52056 - #include <linux/nsproxy.h>
52057 - #include <linux/oom.h>
52058 - #include <linux/elf.h>
52059 -+#include <linux/grsecurity.h>
52060 - #include "internal.h"
52061 -
52062 - /* NOTE:
52063 -@@ -123,7 +124,7 @@ struct pid_entry {
52064 - NULL, &proc_info_file_operations, \
52065 - { .proc_read = &proc_##OTYPE } )
52066 -
52067 --int maps_protect;
52068 -+int maps_protect = 1;
52069 - EXPORT_SYMBOL(maps_protect);
52070 -
52071 - static struct fs_struct *get_fs_struct(struct task_struct *task)
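Review bot: flipping the default of `maps_protect` to 1 changes the behaviour of the existing sysctl-controlled knob for every user of this kernel, not only those who enable grsecurity options, and this hunk carries no matching documentation change or Kconfig dependency. Please either make the default depend on a grsecurity Kconfig symbol (`#ifdef CONFIG_GRKERNSEC ... #endif`) or document the changed default where the sysctl is described.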
52072 -@@ -197,7 +198,7 @@ static int proc_root_link(struct inode *
52073 - (task->parent == current && \
52074 - (task->ptrace & PT_PTRACED) && \
52075 - (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
52076 -- security_ptrace(current,task) == 0))
52077 -+ security_ptrace(current,task) == 0 && !gr_handle_proc_ptrace(task)))
52078 -
52079 - static int proc_pid_environ(struct task_struct *task, char * buffer)
52080 - {
52081 -@@ -263,9 +264,9 @@ static int proc_pid_auxv(struct task_str
52082 - struct mm_struct *mm = get_task_mm(task);
52083 - if (mm) {
52084 - unsigned int nwords = 0;
52085 -- do
52086 -+ do {
52087 - nwords += 2;
52088 -- while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
52089 -+ } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
52090 - res = nwords * sizeof(mm->saved_auxv[0]);
52091 - if (res > PAGE_SIZE)
52092 - res = PAGE_SIZE;
52093 -@@ -338,6 +339,8 @@ static int proc_fd_access_allowed(struct
52094 - task = get_proc_task(inode);
52095 - if (task) {
52096 - allowed = ptrace_may_attach(task);
52097 -+ if (allowed != 0)
52098 -+ allowed = !gr_acl_handle_procpidmem(task);
52099 - put_task_struct(task);
52100 - }
52101 - return allowed;
52102 -@@ -528,7 +531,7 @@ static ssize_t mem_read(struct file * fi
52103 - if (!task)
52104 - goto out_no_task;
52105 -
52106 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
52107 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
52108 - goto out;
52109 -
52110 - ret = -ENOMEM;
52111 -@@ -598,7 +601,7 @@ static ssize_t mem_write(struct file * f
52112 - if (!task)
52113 - goto out_no_task;
52114 -
52115 -- if (!MAY_PTRACE(task) || !ptrace_may_attach(task))
52116 -+ if (!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task))
52117 - goto out;
52118 -
52119 - copied = -ENOMEM;
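Review bot: the condition `!MAY_PTRACE(task) || !ptrace_may_attach(task) || gr_acl_handle_procpidmem(task)` is duplicated verbatim in mem_read and mem_write, and the same `gr_acl_handle_procpidmem()` decision is open-coded a third time in proc_fd_access_allowed above. Since `gr_handle_proc_ptrace()` was already folded into `MAY_PTRACE()`, give this hook the same treatment or a small helper, so the three call sites cannot drift apart the next time one of them is touched.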
52120 -@@ -1050,7 +1053,11 @@ static struct inode *proc_pid_make_inode
52121 - inode->i_gid = 0;
52122 - if (task_dumpable(task)) {
52123 - inode->i_uid = task->euid;
52124 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52125 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52126 -+#else
52127 - inode->i_gid = task->egid;
52128 -+#endif
52129 - }
52130 - security_task_to_inode(task, inode);
52131 -
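Review bot: under CONFIG_GRKERNSEC_PROC_USERGROUP the gid is forced to `CONFIG_GRKERNSEC_PROC_GID` only inside the `task_dumpable(task)` branch, so a non-dumpable task's inode keeps the gid 0 assigned just above. That is presumably intended (root-only access to setuid or otherwise non-dumpable tasks), but proc_pid_instantiate further down sets `inode->i_gid = CONFIG_GRKERNSEC_PROC_GID` unconditionally, so the rule is applied differently in two places; spell the intended policy out in a comment at one of them.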
52132 -@@ -1066,17 +1073,45 @@ static int pid_getattr(struct vfsmount *
52133 - {
52134 - struct inode *inode = dentry->d_inode;
52135 - struct task_struct *task;
52136 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52137 -+ struct task_struct *tmp = current;
52138 -+#endif
52139 -+
52140 - generic_fillattr(inode, stat);
52141 -
52142 - rcu_read_lock();
52143 - stat->uid = 0;
52144 - stat->gid = 0;
52145 - task = pid_task(proc_pid(inode), PIDTYPE_PID);
52146 -- if (task) {
52147 -+
52148 -+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
52149 -+ rcu_read_unlock();
52150 -+ return -ENOENT;
52151 -+ }
52152 -+
52153 -+
52154 -+ if (task
52155 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52156 -+ && (!tmp->uid || (tmp->uid == task->uid)
52157 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52158 -+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
52159 -+#endif
52160 -+ )
52161 -+#endif
52162 -+ ) {
52163 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
52164 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52165 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
52166 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52167 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
52168 -+#endif
52169 - task_dumpable(task)) {
52170 - stat->uid = task->euid;
52171 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52172 -+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
52173 -+#else
52174 - stat->gid = task->egid;
52175 -+#endif
52176 - }
52177 - }
52178 - rcu_read_unlock();
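Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` relies on the preprocessor treating an undefined macro as 0; the rest of this patch (proc_misc.c, root.c) writes `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, which is also what -Wundef expects, so use the `defined()` form here and in the identical blocks in pid_revalidate and proc_pid_instantiate below. Two smaller nits in the same hunk: the two consecutive empty `+` lines before `if (task` should be one, and `tmp` is only an alias for `current`, so `current->uid` reads more clearly than a variable that exists solely under an #ifdef.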
52179 -@@ -1104,11 +1139,21 @@ static int pid_revalidate(struct dentry
52180 - {
52181 - struct inode *inode = dentry->d_inode;
52182 - struct task_struct *task = get_proc_task(inode);
52183 -+
52184 - if (task) {
52185 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
52186 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52187 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
52188 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52189 -+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
52190 -+#endif
52191 - task_dumpable(task)) {
52192 - inode->i_uid = task->euid;
52193 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52194 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52195 -+#else
52196 - inode->i_gid = task->egid;
52197 -+#endif
52198 - } else {
52199 - inode->i_uid = 0;
52200 - inode->i_gid = 0;
52201 -@@ -1118,6 +1163,7 @@ static int pid_revalidate(struct dentry
52202 - put_task_struct(task);
52203 - return 1;
52204 - }
52205 -+out:
52206 - d_drop(dentry);
52207 - return 0;
52208 - }
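Review bot: the `out:` label introduced before `d_drop(dentry)` has no `goto out` in either visible hunk of pid_revalidate. If nothing jumps to it, gcc warns about an unused label; if a jump was meant to be added (the `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)` test that pid_getattr and proc_pident_lookup perform), it is missing, and a hidden task's already-cached dentry would keep revalidating successfully. Please confirm which of the two it is.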
52209 -@@ -1374,6 +1420,9 @@ static struct dentry *proc_lookupfd_comm
52210 - if (fd == ~0U)
52211 - goto out;
52212 -
52213 -+ if (gr_acl_handle_procpidmem(task))
52214 -+ goto out;
52215 -+
52216 - result = instantiate(dir, dentry, task, &fd);
52217 - out:
52218 - put_task_struct(task);
52219 -@@ -1410,6 +1459,8 @@ static int proc_readfd_common(struct fil
52220 - goto out;
52221 - filp->f_pos++;
52222 - default:
52223 -+ if (gr_acl_handle_procpidmem(p))
52224 -+ goto out;
52225 - files = get_files_struct(p);
52226 - if (!files)
52227 - goto out;
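Review bot: in the `default:` arm the `gr_acl_handle_procpidmem(p)` denial jumps to `out` after `filp->f_pos++`, so a refused reader sees an fd directory that is simply empty; proc_lookupfd_common above fails just as silently, while mem_read and mem_write bail out of the read/write path for the same ACL decision. Invisible versus denied are both defensible, but the choice should be stated once in a comment so the three sites are understood to be deliberate.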
52228 -@@ -1598,6 +1649,9 @@ static struct dentry *proc_pident_lookup
52229 - if (!task)
52230 - goto out_no_task;
52231 -
52232 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52233 -+ goto out;
52234 -+
52235 - /*
52236 - * Yes, it does not scale. And it should not. Don't add
52237 - * new entries into /proc/<tgid>/ without very good reasons.
52238 -@@ -1643,6 +1697,9 @@ static int proc_pident_readdir(struct fi
52239 - if (!task)
52240 - goto out_no_task;
52241 -
52242 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52243 -+ goto out;
52244 -+
52245 - ret = 0;
52246 - pid = task->pid;
52247 - i = filp->f_pos;
52248 -@@ -1998,6 +2055,9 @@ static struct dentry *proc_base_lookup(s
52249 - if (p > last)
52250 - goto out;
52251 -
52252 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
52253 -+ goto out;
52254 -+
52255 - error = proc_base_instantiate(dir, dentry, task, p);
52256 -
52257 - out:
52258 -@@ -2097,6 +2157,9 @@ static const struct pid_entry tgid_base_
52259 - #ifdef CONFIG_TASK_IO_ACCOUNTING
52260 - INF("io", S_IRUGO, pid_io_accounting),
52261 - #endif
52262 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52263 -+ INF("ipaddr", S_IRUSR, pid_ipaddr),
52264 -+#endif
52265 - };
52266 -
52267 - static int proc_tgid_base_readdir(struct file * filp,
52268 -@@ -2200,7 +2263,14 @@ static struct dentry *proc_pid_instantia
52269 - if (!inode)
52270 - goto out;
52271 -
52272 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52273 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
52274 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
52275 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52276 -+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
52277 -+#else
52278 - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
52279 -+#endif
52280 - inode->i_op = &proc_tgid_base_inode_operations;
52281 - inode->i_fop = &proc_tgid_base_operations;
52282 - inode->i_flags|=S_IMMUTABLE;
52283 -@@ -2241,7 +2311,11 @@ struct dentry *proc_pid_lookup(struct in
52284 - if (!task)
52285 - goto out;
52286 -
52287 -+ if (gr_check_hidden_task(task))
52288 -+ goto out_put_task;
52289 -+
52290 - result = proc_pid_instantiate(dir, dentry, task, NULL);
52291 -+out_put_task:
52292 - put_task_struct(task);
52293 - out:
52294 - return result;
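Review bot: proc_pid_lookup only tests `gr_check_hidden_task(task)`, whereas proc_pident_lookup, proc_pident_readdir, proc_base_lookup, pid_getattr and proc_pid_readdir all test `gr_pid_is_chrooted(task) || gr_check_hidden_task(task)`. As written, a chrooted process can still look up the /proc/<pid> directory of a task outside its chroot (the entries inside are then refused one level down, and stat() returns -ENOENT), which is inconsistent with `ls /proc` hiding that pid. Either add the chroot check here or, better, wrap the pair in one helper used at all six sites so they cannot diverge.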
52295 -@@ -2299,6 +2373,9 @@ int proc_pid_readdir(struct file * filp,
52296 - {
52297 - unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
52298 - struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
52299 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52300 -+ struct task_struct *tmp = current;
52301 -+#endif
52302 - struct task_struct *task;
52303 - int tgid;
52304 -
52305 -@@ -2316,6 +2393,18 @@ int proc_pid_readdir(struct file * filp,
52306 - task;
52307 - put_task_struct(task), task = next_tgid(tgid + 1)) {
52308 - tgid = task->pid;
52309 -+
52310 -+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task)
52311 -+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52312 -+ || (tmp->uid && (task->uid != tmp->uid)
52313 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52314 -+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
52315 -+#endif
52316 -+ )
52317 -+#endif
52318 -+ )
52319 -+ continue;
52320 -+
52321 - filp->f_pos = tgid + TGID_OFFSET;
52322 - if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
52323 - put_task_struct(task);
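Review bot: the per-task filter in proc_pid_readdir compares real uids (`task->uid != tmp->uid`), while proc_pid_make_inode and pid_getattr report `task->euid` as the inode owner; under CONFIG_GRKERNSEC_PROC_USER a directory can therefore be listed for a user whose uid does not match the owner that makes it accessible (or vice versa). Pick one identity for both visibility and ownership, and drop `tmp` in favour of `current`, as suggested for the getattr hunk.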
52324 -diff -Nurp linux-2.6.23.15/fs/proc/inode.c linux-2.6.23.15-grsec/fs/proc/inode.c
52325 ---- linux-2.6.23.15/fs/proc/inode.c 2007-10-09 21:31:38.000000000 +0100
52326 -+++ linux-2.6.23.15-grsec/fs/proc/inode.c 2008-02-11 10:37:44.000000000 +0000
52327 -@@ -418,7 +418,11 @@ struct inode *proc_get_inode(struct supe
52328 - if (de->mode) {
52329 - inode->i_mode = de->mode;
52330 - inode->i_uid = de->uid;
52331 -+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
52332 -+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
52333 -+#else
52334 - inode->i_gid = de->gid;
52335 -+#endif
52336 - }
52337 - if (de->size)
52338 - inode->i_size = de->size;
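Review bot: under CONFIG_GRKERNSEC_PROC_USERGROUP every procfs entry that carries a mode has its gid overridden with `CONFIG_GRKERNSEC_PROC_GID`, discarding whatever `de->gid` the creating subsystem set; an entry registered with a deliberate group (to give a daemon read access without root) silently loses it. Limit the override to entries whose `de->gid` is 0, or document in the Kconfig help that explicit procfs gids are not honoured in this mode. The same `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` / `#else` gid block now appears in four places in fs/proc; a tiny inline helper would keep them identical.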
52339 -diff -Nurp linux-2.6.23.15/fs/proc/internal.h linux-2.6.23.15-grsec/fs/proc/internal.h
52340 ---- linux-2.6.23.15/fs/proc/internal.h 2007-10-09 21:31:38.000000000 +0100
52341 -+++ linux-2.6.23.15-grsec/fs/proc/internal.h 2008-02-11 10:37:44.000000000 +0000
52342 -@@ -45,6 +45,9 @@ extern int proc_tid_stat(struct task_str
52343 - extern int proc_tgid_stat(struct task_struct *, char *);
52344 - extern int proc_pid_status(struct task_struct *, char *);
52345 - extern int proc_pid_statm(struct task_struct *, char *);
52346 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
52347 -+extern int proc_pid_ipaddr(struct task_struct*,char*);
52348 -+#endif
52349 -
52350 - extern const struct file_operations proc_maps_operations;
52351 - extern const struct file_operations proc_numa_maps_operations;
52352 -diff -Nurp linux-2.6.23.15/fs/proc/proc_misc.c linux-2.6.23.15-grsec/fs/proc/proc_misc.c
52353 ---- linux-2.6.23.15/fs/proc/proc_misc.c 2007-10-09 21:31:38.000000000 +0100
52354 -+++ linux-2.6.23.15-grsec/fs/proc/proc_misc.c 2008-02-11 10:37:44.000000000 +0000
52355 -@@ -668,6 +668,8 @@ void create_seq_entry(char *name, mode_t
52356 -
52357 - void __init proc_misc_init(void)
52358 - {
52359 -+ int gr_mode = 0;
52360 -+
52361 - static struct {
52362 - char *name;
52363 - int (*read_proc)(char*,char**,off_t,int,int*,void*);
52364 -@@ -683,7 +685,9 @@ void __init proc_misc_init(void)
52365 - {"stram", stram_read_proc},
52366 - #endif
52367 - {"filesystems", filesystems_read_proc},
52368 -+#ifndef CONFIG_GRKERNSEC_PROC_ADD
52369 - {"cmdline", cmdline_read_proc},
52370 -+#endif
52371 - {"locks", locks_read_proc},
52372 - {"execdomains", execdomains_read_proc},
52373 - {NULL,}
52374 -@@ -691,6 +695,15 @@ void __init proc_misc_init(void)
52375 - for (p = simple_ones; p->name; p++)
52376 - create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
52377 -
52378 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52379 -+ gr_mode = S_IRUSR;
52380 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52381 -+ gr_mode = S_IRUSR | S_IRGRP;
52382 -+#endif
52383 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52384 -+ create_proc_read_entry("cmdline", gr_mode, NULL, &cmdline_read_proc, NULL);
52385 -+#endif
52386 -+
52387 - proc_symlink("mounts", NULL, "self/mounts");
52388 -
52389 - /* And now for trickier ones */
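Review bot: `gr_mode` stays 0 when CONFIG_GRKERNSEC_PROC_ADD is enabled without CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP. `create_proc_read_entry("cmdline", gr_mode, ...)` then passes mode 0, which procfs treats as "use the default" (S_IRUGO), so the restriction silently vanishes, and `create_seq_entry("slabinfo", S_IWUSR|gr_mode, ...)` below becomes 0200, writable by root and readable by nobody. If PROC_ADD is meant to depend on one of the two PROC_USER options, that dependency is not visible in this patch; enforce it in Kconfig or give `gr_mode` a safe non-zero fallback such as S_IRUSR.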
52390 -@@ -702,7 +715,11 @@ void __init proc_misc_init(void)
52391 - entry->proc_fops = &proc_kmsg_operations;
52392 - }
52393 - #endif
52394 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52395 -+ create_seq_entry("devices", gr_mode, &proc_devinfo_operations);
52396 -+#else
52397 - create_seq_entry("devices", 0, &proc_devinfo_operations);
52398 -+#endif
52399 - create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
52400 - #ifdef CONFIG_BLOCK
52401 - create_seq_entry("partitions", 0, &proc_partitions_operations);
52402 -@@ -710,7 +727,11 @@ void __init proc_misc_init(void)
52403 - create_seq_entry("stat", 0, &proc_stat_operations);
52404 - create_seq_entry("interrupts", 0, &proc_interrupts_operations);
52405 - #ifdef CONFIG_SLAB
52406 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52407 -+ create_seq_entry("slabinfo",S_IWUSR|gr_mode,&proc_slabinfo_operations);
52408 -+#else
52409 - create_seq_entry("slabinfo",S_IWUSR|S_IRUGO,&proc_slabinfo_operations);
52410 -+#endif
52411 - #ifdef CONFIG_DEBUG_SLAB_LEAK
52412 - create_seq_entry("slab_allocators", 0 ,&proc_slabstats_operations);
52413 - #endif
52414 -@@ -727,7 +748,7 @@ void __init proc_misc_init(void)
52415 - #ifdef CONFIG_SCHEDSTATS
52416 - create_seq_entry("schedstat", 0, &proc_schedstat_operations);
52417 - #endif
52418 --#ifdef CONFIG_PROC_KCORE
52419 -+#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
52420 - proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
52421 - if (proc_root_kcore) {
52422 - proc_root_kcore->proc_fops = &proc_kcore_operations;
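Review bot: `#if defined(CONFIG_PROC_KCORE) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` removes /proc/kcore entirely when PROC_ADD is set, rather than restricting it like cmdline, devices and slabinfo in the hunks above; kcore is already S_IRUSR, so root loses a debugging interface with no gain in the user/usergroup model. If this is deliberate (in the spirit of the "Denied writes of /dev/kmem, /dev/mem, and /dev/port" item in the Kconfig help later in this patch), say so in the CONFIG_GRKERNSEC_PROC_ADD help text; otherwise apply `gr_mode` as for the other entries.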
52423 -diff -Nurp linux-2.6.23.15/fs/proc/proc_sysctl.c linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c
52424 ---- linux-2.6.23.15/fs/proc/proc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
52425 -+++ linux-2.6.23.15-grsec/fs/proc/proc_sysctl.c 2008-02-11 10:37:44.000000000 +0000
52426 -@@ -7,6 +7,8 @@
52427 - #include <linux/security.h>
52428 - #include "internal.h"
52429 -
52430 -+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
52431 -+
52432 - static struct dentry_operations proc_sys_dentry_operations;
52433 - static const struct file_operations proc_sys_file_operations;
52434 - static struct inode_operations proc_sys_inode_operations;
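Review bot: the prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared locally in proc_sysctl.c instead of coming from <linux/grsecurity.h>, which readdir.c and utimes.c in this same patch include; a local extern lets the declaration drift from the definition without any compiler complaint, so move it to the header. The `op` argument is then passed as the bare literals `001` (lookup, getattr) and `0` (readdir) in the hunks below; give those values names so the read/write intent is visible at the call sites.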
52435 -@@ -151,6 +153,9 @@ static struct dentry *proc_sys_lookup(st
52436 - if (!table)
52437 - goto out;
52438 -
52439 -+ if (gr_handle_sysctl(table, 001))
52440 -+ goto out;
52441 -+
52442 - err = ERR_PTR(-ENOMEM);
52443 - inode = proc_sys_make_inode(dir, table);
52444 - if (!inode)
52445 -@@ -358,6 +363,9 @@ static int proc_sys_readdir(struct file
52446 - if (pos < filp->f_pos)
52447 - continue;
52448 -
52449 -+ if (gr_handle_sysctl(table, 0))
52450 -+ continue;
52451 -+
52452 - if (proc_sys_fill_cache(filp, dirent, filldir, table) < 0)
52453 - goto out;
52454 - filp->f_pos = pos + 1;
52455 -@@ -420,6 +428,30 @@ out:
52456 - return error;
52457 - }
52458 -
52459 -+/* Eric Biederman is to blame */
52460 -+static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
52461 -+{
52462 -+ int error = 0;
52463 -+ struct ctl_table_header *head;
52464 -+ struct ctl_table *table;
52465 -+
52466 -+ table = do_proc_sys_lookup(dentry->d_parent, &dentry->d_name, &head);
52467 -+ /* Has the sysctl entry disappeared on us? */
52468 -+ if (!table)
52469 -+ goto out;
52470 -+
52471 -+ if (gr_handle_sysctl(table, 001)) {
52472 -+ error = -ENOENT;
52473 -+ goto out;
52474 -+ }
52475 -+
52476 -+out:
52477 -+ sysctl_head_finish(head);
52478 -+
52479 -+ generic_fillattr(dentry->d_inode, stat);
52480 -+
52481 -+ return error;
52482 -+}
52483 - static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
52484 - {
52485 - struct inode *inode = dentry->d_inode;
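Review bot: in proc_sys_getattr the `/* Has the sysctl entry disappeared on us? */` branch leaves `error` at 0 and falls through to `generic_fillattr()`, so a vanished sysctl reports success with stale inode attributes, whereas proc_sys_lookup above answers the same situation with -ENOENT; set `error = -ENOENT` on that path as well. Also drop the `/* Eric Biederman is to blame */` comment (it explains nothing about the code) and add the blank line before `proc_sys_setattr` that separates the other functions in this file.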
52486 -@@ -448,6 +480,7 @@ static struct inode_operations proc_sys_
52487 - .lookup = proc_sys_lookup,
52488 - .permission = proc_sys_permission,
52489 - .setattr = proc_sys_setattr,
52490 -+ .getattr = proc_sys_getattr,
52491 - };
52492 -
52493 - static int proc_sys_revalidate(struct dentry *dentry, struct nameidata *nd)
52494 -diff -Nurp linux-2.6.23.15/fs/proc/root.c linux-2.6.23.15-grsec/fs/proc/root.c
52495 ---- linux-2.6.23.15/fs/proc/root.c 2007-10-09 21:31:38.000000000 +0100
52496 -+++ linux-2.6.23.15-grsec/fs/proc/root.c 2008-02-11 10:37:44.000000000 +0000
52497 -@@ -61,7 +61,13 @@ void __init proc_root_init(void)
52498 - return;
52499 - }
52500 - proc_misc_init();
52501 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52502 -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR, NULL);
52503 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52504 -+ proc_net = proc_mkdir_mode("net", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
52505 -+#else
52506 - proc_net = proc_mkdir("net", NULL);
52507 -+#endif
52508 - proc_net_stat = proc_mkdir("net/stat", NULL);
52509 -
52510 - #ifdef CONFIG_SYSVIPC
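Review bot: the `net` directory is created with a restricted mode under PROC_USER/PROC_USERGROUP, but `proc_net_stat = proc_mkdir("net/stat", NULL)` on the next line still gets procfs' default S_IRUGO|S_IXUGO. The parent blocks traversal today, so this is not exploitable as is, but the asymmetry is easy to misread in a later permissions audit; use `proc_mkdir_mode()` with the same mode for the child.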
52511 -@@ -78,7 +84,15 @@ void __init proc_root_init(void)
52512 - #ifdef CONFIG_PROC_DEVICETREE
52513 - proc_device_tree_init();
52514 - #endif
52515 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
52516 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
52517 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
52518 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52519 -+ proc_bus = proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
52520 -+#endif
52521 -+#else
52522 - proc_bus = proc_mkdir("bus", NULL);
52523 -+#endif
52524 - proc_sys_init();
52525 - }
52526 -
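Review bot: with CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` has no `#else`, so `proc_bus` is never created and stays NULL; any later `create_proc_entry()` with `proc_bus` as parent then lands in the /proc root, unrestricted. Add the missing `#else proc_bus = proc_mkdir("bus", NULL);` inside the PROC_ADD branch, or make PROC_ADD depend on one of the two options in Kconfig (the same dependency proc_misc_init's `gr_mode` needs).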
52527 -diff -Nurp linux-2.6.23.15/fs/proc/task_mmu.c linux-2.6.23.15-grsec/fs/proc/task_mmu.c
52528 ---- linux-2.6.23.15/fs/proc/task_mmu.c 2007-10-09 21:31:38.000000000 +0100
52529 -+++ linux-2.6.23.15-grsec/fs/proc/task_mmu.c 2008-02-11 10:37:44.000000000 +0000
52530 -@@ -44,15 +44,27 @@ char *task_mem(struct mm_struct *mm, cha
52531 - "VmStk:\t%8lu kB\n"
52532 - "VmExe:\t%8lu kB\n"
52533 - "VmLib:\t%8lu kB\n"
52534 -- "VmPTE:\t%8lu kB\n",
52535 -- hiwater_vm << (PAGE_SHIFT-10),
52536 -+ "VmPTE:\t%8lu kB\n"
52537 -+
52538 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52539 -+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
52540 -+#endif
52541 -+
52542 -+ ,hiwater_vm << (PAGE_SHIFT-10),
52543 - (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
52544 - mm->locked_vm << (PAGE_SHIFT-10),
52545 - hiwater_rss << (PAGE_SHIFT-10),
52546 - total_rss << (PAGE_SHIFT-10),
52547 - data << (PAGE_SHIFT-10),
52548 - mm->stack_vm << (PAGE_SHIFT-10), text, lib,
52549 -- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
52550 -+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
52551 -+
52552 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52553 -+ , mm->context.user_cs_base, mm->context.user_cs_limit
52554 -+#endif
52555 -+
52556 -+ );
52557 -+
52558 - return buffer;
52559 - }
52560 -
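Review bot: `CsBase`/`CsLim` are appended to task_mem()'s output (the VmXxx block of /proc/<pid>/status) unconditionally under CONFIG_ARCH_TRACK_EXEC_LIMIT, while the maps hunks below go to some length under CONFIG_GRKERNSEC_PROC_MEMMAP to zero addresses for other users' randomized processes; the tracked CS limit follows where executable mappings end, so this exposes a piece of the layout that PROC_MEMMAP hides. Gate the two fields with the same test, or show them only to the task itself. Cosmetically, the leading-comma `,hiwater_vm` style and the blank lines inside the argument list are unusual for this file.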
52561 -@@ -131,6 +143,12 @@ struct pmd_walker {
52562 - unsigned long, void *);
52563 - };
52564 -
52565 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52566 -+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
52567 -+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
52568 -+ _mm->pax_flags & MF_PAX_SEGMEXEC))
52569 -+#endif
52570 -+
52571 - static int show_map_internal(struct seq_file *m, void *v, struct mem_size_stats *mss)
52572 - {
52573 - struct proc_maps_private *priv = m->private;
52574 -@@ -153,13 +171,22 @@ static int show_map_internal(struct seq_
52575 - }
52576 -
52577 - seq_printf(m, "%08lx-%08lx %c%c%c%c %08lx %02x:%02x %lu %n",
52578 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52579 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
52580 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
52581 -+#else
52582 - vma->vm_start,
52583 - vma->vm_end,
52584 -+#endif
52585 - flags & VM_READ ? 'r' : '-',
52586 - flags & VM_WRITE ? 'w' : '-',
52587 - flags & VM_EXEC ? 'x' : '-',
52588 - flags & VM_MAYSHARE ? 's' : 'p',
52589 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52590 -+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_pgoff << PAGE_SHIFT,
52591 -+#else
52592 - vma->vm_pgoff << PAGE_SHIFT,
52593 -+#endif
52594 - MAJOR(dev), MINOR(dev), ino, &len);
52595 -
52596 - /*
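Review bot: `PAX_RAND_FLAGS(mm)` is evaluated three times in this seq_printf and again in the mss block below, each expansion re-dereferencing `mm` and `current->mm`; compute it once into a local at the top of show_map_internal and test that, which also checks the macro's `_mm != NULL` guard a single time. While there, parenthesise the two `&` sub-expressions inside the `||` in the macro definition above so the intent is obvious without consulting the precedence table.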
52597 -@@ -173,11 +200,11 @@ static int show_map_internal(struct seq_
52598 - const char *name = arch_vma_name(vma);
52599 - if (!name) {
52600 - if (mm) {
52601 -- if (vma->vm_start <= mm->start_brk &&
52602 -- vma->vm_end >= mm->brk) {
52603 -+ if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
52604 - name = "[heap]";
52605 -- } else if (vma->vm_start <= mm->start_stack &&
52606 -- vma->vm_end >= mm->start_stack) {
52607 -+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
52608 -+ (vma->vm_start <= mm->start_stack &&
52609 -+ vma->vm_end >= mm->start_stack)) {
52610 - name = "[stack]";
52611 - }
52612 - } else {
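Review bot: the `[heap]` and `[stack]` heuristics change here (an overlap test against brk/start_brk, and any VM_GROWSDOWN|VM_GROWSUP mapping is now labelled `[stack]`), which alters /proc/<pid>/maps for every tool that parses it regardless of any grsecurity setting. That is a behaviour change for the changelog, and the flags-based test will tag every growable mapping as the stack, not only the main thread's; state whether that is intended.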
52613 -@@ -191,7 +218,27 @@ static int show_map_internal(struct seq_
52614 - }
52615 - seq_putc(m, '\n');
52616 -
52617 -- if (mss)
52618 -+
52619 -+ if (mss) {
52620 -+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52621 -+ if (PAX_RAND_FLAGS(mm))
52622 -+ seq_printf(m,
52623 -+ "Size: %8lu kB\n"
52624 -+ "Rss: %8lu kB\n"
52625 -+ "Shared_Clean: %8lu kB\n"
52626 -+ "Shared_Dirty: %8lu kB\n"
52627 -+ "Private_Clean: %8lu kB\n"
52628 -+ "Private_Dirty: %8lu kB\n",
52629 -+ "Referenced: %8lu kB\n",
52630 -+ 0UL,
52631 -+ 0UL,
52632 -+ 0UL,
52633 -+ 0UL,
52634 -+ 0UL,
52635 -+ 0UL,
52636 -+ 0UL);
52637 -+ else
52638 -+#endif
52639 - seq_printf(m,
52640 - "Size: %8lu kB\n"
52641 - "Rss: %8lu kB\n"
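Review bot: the PROC_MEMMAP seq_printf is broken: the format string ends at `"Private_Dirty: %8lu kB\n",` (note the comma), so `"Referenced: %8lu kB\n"` becomes the first variadic argument and is consumed by the `Size:` `%8lu`, the seven `0UL` values are one too many, and no `Referenced:` line is printed. The visible effect is that `Size:` shows the kernel address of a string literal, leaking exactly the kind of address this branch exists to hide, and gcc -Wformat should already be warning about the mismatch. Drop the comma so the two strings concatenate, and consider whether a separate all-zero seq_printf is needed at all versus passing zeroed values to the existing one below.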
52642 -@@ -207,6 +254,7 @@ static int show_map_internal(struct seq_
52643 - mss->private_clean >> 10,
52644 - mss->private_dirty >> 10,
52645 - mss->referenced >> 10);
52646 -+ }
52647 -
52648 - if (m->count < m->size) /* vma is copied successfully */
52649 - m->version = (vma != get_gate_vma(task))? vma->vm_start: 0;
52650 -diff -Nurp linux-2.6.23.15/fs/readdir.c linux-2.6.23.15-grsec/fs/readdir.c
52651 ---- linux-2.6.23.15/fs/readdir.c 2007-10-09 21:31:38.000000000 +0100
52652 -+++ linux-2.6.23.15-grsec/fs/readdir.c 2008-02-11 10:37:44.000000000 +0000
52653 -@@ -16,6 +16,8 @@
52654 - #include <linux/security.h>
52655 - #include <linux/syscalls.h>
52656 - #include <linux/unistd.h>
52657 -+#include <linux/namei.h>
52658 -+#include <linux/grsecurity.h>
52659 -
52660 - #include <asm/uaccess.h>
52661 -
52662 -@@ -64,6 +66,7 @@ struct old_linux_dirent {
52663 -
52664 - struct readdir_callback {
52665 - struct old_linux_dirent __user * dirent;
52666 -+ struct file * file;
52667 - int result;
52668 - };
52669 -
52670 -@@ -79,6 +82,10 @@ static int fillonedir(void * __buf, cons
52671 - d_ino = ino;
52672 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
52673 - return -EOVERFLOW;
52674 -+
52675 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52676 -+ return 0;
52677 -+
52678 - buf->result++;
52679 - dirent = buf->dirent;
52680 - if (!access_ok(VERIFY_WRITE, dirent,
52681 -@@ -110,6 +117,7 @@ asmlinkage long old_readdir(unsigned int
52682 -
52683 - buf.result = 0;
52684 - buf.dirent = dirent;
52685 -+ buf.file = file;
52686 -
52687 - error = vfs_readdir(file, fillonedir, &buf);
52688 - if (error >= 0)
52689 -@@ -136,6 +144,7 @@ struct linux_dirent {
52690 - struct getdents_callback {
52691 - struct linux_dirent __user * current_dir;
52692 - struct linux_dirent __user * previous;
52693 -+ struct file * file;
52694 - int count;
52695 - int error;
52696 - };
52697 -@@ -154,6 +163,10 @@ static int filldir(void * __buf, const c
52698 - d_ino = ino;
52699 - if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
52700 - return -EOVERFLOW;
52701 -+
52702 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52703 -+ return 0;
52704 -+
52705 - dirent = buf->previous;
52706 - if (dirent) {
52707 - if (__put_user(offset, &dirent->d_off))
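Review bot: in both fillonedir and filldir the `gr_acl_handle_filldir()` check sits after the `-EOVERFLOW` test, so an entry the ACL would hide can still abort the readdir with -EOVERFLOW when its inode number does not fit in a 32-bit `d_ino`, revealing that a hidden entry exists; move the ACL check above the overflow test (filldir64 has no such test, so only these two sites are affected). Returning 0 for a hidden entry is otherwise correct: vfs_readdir simply moves on to the next name.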
52708 -@@ -200,6 +213,7 @@ asmlinkage long sys_getdents(unsigned in
52709 - buf.previous = NULL;
52710 - buf.count = count;
52711 - buf.error = 0;
52712 -+ buf.file = file;
52713 -
52714 - error = vfs_readdir(file, filldir, &buf);
52715 - if (error < 0)
52716 -@@ -222,6 +236,7 @@ out:
52717 - struct getdents_callback64 {
52718 - struct linux_dirent64 __user * current_dir;
52719 - struct linux_dirent64 __user * previous;
52720 -+ struct file *file;
52721 - int count;
52722 - int error;
52723 - };
52724 -@@ -236,6 +251,10 @@ static int filldir64(void * __buf, const
52725 - buf->error = -EINVAL; /* only used if we fail.. */
52726 - if (reclen > buf->count)
52727 - return -EINVAL;
52728 -+
52729 -+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
52730 -+ return 0;
52731 -+
52732 - dirent = buf->previous;
52733 - if (dirent) {
52734 - if (__put_user(offset, &dirent->d_off))
52735 -@@ -282,6 +301,7 @@ asmlinkage long sys_getdents64(unsigned
52736 -
52737 - buf.current_dir = dirent;
52738 - buf.previous = NULL;
52739 -+ buf.file = file;
52740 - buf.count = count;
52741 - buf.error = 0;
52742 -
52743 -diff -Nurp linux-2.6.23.15/fs/udf/balloc.c linux-2.6.23.15-grsec/fs/udf/balloc.c
52744 ---- linux-2.6.23.15/fs/udf/balloc.c 2007-10-09 21:31:38.000000000 +0100
52745 -+++ linux-2.6.23.15-grsec/fs/udf/balloc.c 2008-02-11 10:37:44.000000000 +0000
52746 -@@ -154,8 +154,7 @@ static void udf_bitmap_free_blocks(struc
52747 - unsigned long overflow;
52748 -
52749 - mutex_lock(&sbi->s_alloc_mutex);
52750 -- if (bloc.logicalBlockNum < 0 ||
52751 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52752 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52753 - udf_debug("%d < %d || %d + %d > %d\n",
52754 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
52755 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
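Review bot: dropping `bloc.logicalBlockNum < 0` is correct only if `logicalBlockNum` is unsigned (which the always-false comparison suggests), but no type change is visible in this patch, so cite the field types in the changelog. The `udf_debug("%d < %d || %d + %d > %d\n", bloc.logicalBlockNum, 0, ...)` message that follows still describes the removed `< 0` comparison, here and in udf_table_free_blocks below; update it to match the single remaining check.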
52756 -@@ -221,7 +220,7 @@ static int udf_bitmap_prealloc_blocks(st
52757 - struct buffer_head *bh;
52758 -
52759 - mutex_lock(&sbi->s_alloc_mutex);
52760 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
52761 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
52762 - goto out;
52763 -
52764 - if (first_block + block_count > UDF_SB_PARTLEN(sb, partition))
52765 -@@ -287,7 +286,7 @@ static int udf_bitmap_new_block(struct s
52766 - mutex_lock(&sbi->s_alloc_mutex);
52767 -
52768 - repeat:
52769 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
52770 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
52771 - goal = 0;
52772 -
52773 - nr_groups = bitmap->s_nr_groups;
52774 -@@ -420,8 +419,7 @@ static void udf_table_free_blocks(struct
52775 - int i;
52776 -
52777 - mutex_lock(&sbi->s_alloc_mutex);
52778 -- if (bloc.logicalBlockNum < 0 ||
52779 -- (bloc.logicalBlockNum + count) > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52780 -+ if (bloc.logicalBlockNum + count > UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum)) {
52781 - udf_debug("%d < %d || %d + %d > %d\n",
52782 - bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
52783 - UDF_SB_PARTLEN(sb, bloc.partitionReferenceNum));
52784 -@@ -627,7 +625,7 @@ static int udf_table_prealloc_blocks(str
52785 - struct extent_position epos;
52786 - int8_t etype = -1;
52787 -
52788 -- if (first_block < 0 || first_block >= UDF_SB_PARTLEN(sb, partition))
52789 -+ if (first_block >= UDF_SB_PARTLEN(sb, partition))
52790 - return 0;
52791 -
52792 - if (UDF_I_ALLOCTYPE(table) == ICBTAG_FLAG_AD_SHORT)
52793 -@@ -703,7 +701,7 @@ static int udf_table_new_block(struct su
52794 - return newblock;
52795 -
52796 - mutex_lock(&sbi->s_alloc_mutex);
52797 -- if (goal < 0 || goal >= UDF_SB_PARTLEN(sb, partition))
52798 -+ if (goal >= UDF_SB_PARTLEN(sb, partition))
52799 - goal = 0;
52800 -
52801 - /* We search for the closest matching block to goal. If we find a exact hit,
52802 -diff -Nurp linux-2.6.23.15/fs/udf/inode.c linux-2.6.23.15-grsec/fs/udf/inode.c
52803 ---- linux-2.6.23.15/fs/udf/inode.c 2007-10-09 21:31:38.000000000 +0100
52804 -+++ linux-2.6.23.15-grsec/fs/udf/inode.c 2008-02-11 10:37:44.000000000 +0000
52805 -@@ -308,9 +308,6 @@ static int udf_get_block(struct inode *i
52806 -
52807 - lock_kernel();
52808 -
52809 -- if (block < 0)
52810 -- goto abort_negative;
52811 --
52812 - if (block == UDF_I_NEXT_ALLOC_BLOCK(inode) + 1) {
52813 - UDF_I_NEXT_ALLOC_BLOCK(inode)++;
52814 - UDF_I_NEXT_ALLOC_GOAL(inode)++;
52815 -@@ -331,10 +328,6 @@ static int udf_get_block(struct inode *i
52816 - abort:
52817 - unlock_kernel();
52818 - return err;
52819 --
52820 --abort_negative:
52821 -- udf_warning(inode->i_sb, "udf_get_block", "block < 0");
52822 -- goto abort;
52823 - }
52824 -
52825 - static struct buffer_head *udf_getblk(struct inode *inode, long block,
52826 -diff -Nurp linux-2.6.23.15/fs/ufs/inode.c linux-2.6.23.15-grsec/fs/ufs/inode.c
52827 ---- linux-2.6.23.15/fs/ufs/inode.c 2007-10-09 21:31:38.000000000 +0100
52828 -+++ linux-2.6.23.15-grsec/fs/ufs/inode.c 2008-02-11 10:37:44.000000000 +0000
52829 -@@ -55,9 +55,7 @@ static int ufs_block_to_path(struct inod
52830 -
52831 -
52832 - UFSD("ptrs=uspi->s_apb = %d,double_blocks=%ld \n",ptrs,double_blocks);
52833 -- if (i_block < 0) {
52834 -- ufs_warning(inode->i_sb, "ufs_block_to_path", "block < 0");
52835 -- } else if (i_block < direct_blocks) {
52836 -+ if (i_block < direct_blocks) {
52837 - offsets[n++] = i_block;
52838 - } else if ((i_block -= direct_blocks) < indirect_blocks) {
52839 - offsets[n++] = UFS_IND_BLOCK;
52840 -@@ -439,8 +437,6 @@ int ufs_getfrag_block(struct inode *inod
52841 - lock_kernel();
52842 -
52843 - UFSD("ENTER, ino %lu, fragment %llu\n", inode->i_ino, (unsigned long long)fragment);
52844 -- if (fragment < 0)
52845 -- goto abort_negative;
52846 - if (fragment >
52847 - ((UFS_NDADDR + uspi->s_apb + uspi->s_2apb + uspi->s_3apb)
52848 - << uspi->s_fpbshift))
52849 -@@ -503,10 +499,6 @@ abort:
52850 - unlock_kernel();
52851 - return err;
52852 -
52853 --abort_negative:
52854 -- ufs_warning(sb, "ufs_get_block", "block < 0");
52855 -- goto abort;
52856 --
52857 - abort_too_big:
52858 - ufs_warning(sb, "ufs_get_block", "block > big");
52859 - goto abort;
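Review bot: removing the `block < 0`, `fragment < 0` and `i_block < 0` tests in udf_get_block, ufs_block_to_path and ufs_getfrag_block is valid because those parameters are `sector_t` (unsigned), making the comparisons dead code; the `abort_negative` labels and their warnings go with them. None of this relates to grsecurity's access controls, so it reads as compiler-warning cleanup and should be split out and sent to the udf/ufs maintainers rather than carried indefinitely in a security patch.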
52860 -diff -Nurp linux-2.6.23.15/fs/utimes.c linux-2.6.23.15-grsec/fs/utimes.c
52861 ---- linux-2.6.23.15/fs/utimes.c 2007-10-09 21:31:38.000000000 +0100
52862 -+++ linux-2.6.23.15-grsec/fs/utimes.c 2008-02-11 10:37:44.000000000 +0000
52863 -@@ -6,6 +6,7 @@
52864 - #include <linux/sched.h>
52865 - #include <linux/stat.h>
52866 - #include <linux/utime.h>
52867 -+#include <linux/grsecurity.h>
52868 - #include <asm/uaccess.h>
52869 - #include <asm/unistd.h>
52870 -
52871 -@@ -47,6 +48,7 @@ long do_utimes(int dfd, char __user *fil
52872 - int error;
52873 - struct nameidata nd;
52874 - struct dentry *dentry;
52875 -+ struct vfsmount *mnt;
52876 - struct inode *inode;
52877 - struct iattr newattrs;
52878 - struct file *f = NULL;
52879 -@@ -65,12 +67,14 @@ long do_utimes(int dfd, char __user *fil
52880 - if (!f)
52881 - goto out;
52882 - dentry = f->f_path.dentry;
52883 -+ mnt = f->f_path.mnt;
52884 - } else {
52885 - error = __user_walk_fd(dfd, filename, (flags & AT_SYMLINK_NOFOLLOW) ? 0 : LOOKUP_FOLLOW, &nd);
52886 - if (error)
52887 - goto out;
52888 -
52889 - dentry = nd.dentry;
52890 -+ mnt = nd.mnt;
52891 - }
52892 -
52893 - inode = dentry->d_inode;
52894 -@@ -117,6 +121,12 @@ long do_utimes(int dfd, char __user *fil
52895 - }
52896 - }
52897 - }
52898 -+
52899 -+ if (!gr_acl_handle_utime(dentry, mnt)) {
52900 -+ error = -EACCES;
52901 -+ goto dput_and_out;
52902 -+ }
52903 -+
52904 - mutex_lock(&inode->i_mutex);
52905 - error = notify_change(dentry, &newattrs);
52906 - mutex_unlock(&inode->i_mutex);
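Review bot: `gr_acl_handle_utime()` returns zero to deny (`if (!gr_acl_handle_utime(dentry, mnt)) error = -EACCES;`), as does `gr_acl_handle_filldir()` in readdir.c, but `gr_acl_handle_procpidmem()` in fs/proc/base.c returns nonzero to deny; three hooks in the same `gr_acl_handle_*` family with two opposite conventions is a bug waiting to happen. Pick one convention for the family or document it at each prototype. The placement itself, after the DAC checks and before `notify_change()`, is right, and `mnt` is correctly taken from `f->f_path.mnt` or `nd.mnt` for the two lookup paths.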
52907 -diff -Nurp linux-2.6.23.15/fs/xfs/xfs_bmap.c linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c
52908 ---- linux-2.6.23.15/fs/xfs/xfs_bmap.c 2007-10-09 21:31:38.000000000 +0100
52909 -+++ linux-2.6.23.15-grsec/fs/xfs/xfs_bmap.c 2008-02-11 10:37:44.000000000 +0000
52910 -@@ -374,7 +374,7 @@ xfs_bmap_validate_ret(
52911 - int nmap,
52912 - int ret_nmap);
52913 - #else
52914 --#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
52915 -+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
52916 - #endif /* DEBUG */
52917 -
52918 - #if defined(XFS_RW_TRACE)
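Review bot: `do {} while (0)` for the empty `xfs_bmap_validate_ret()` stub is the right fix for the dangling-statement form of the macro, but it is an XFS cleanup unrelated to this patch's purpose; submit it upstream separately so it stops being carried here.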
52919 -diff -Nurp linux-2.6.23.15/grsecurity/Kconfig linux-2.6.23.15-grsec/grsecurity/Kconfig
52920 ---- linux-2.6.23.15/grsecurity/Kconfig 1970-01-01 01:00:00.000000000 +0100
52921 -+++ linux-2.6.23.15-grsec/grsecurity/Kconfig 2008-02-11 10:37:44.000000000 +0000
52922 -@@ -0,0 +1,873 @@
52923 -+#
52924 -+# grecurity configuration
52925 -+#
52926 -+
52927 -+menu "Grsecurity"
52928 -+
52929 -+config GRKERNSEC
52930 -+ bool "Grsecurity"
52931 -+ select CRYPTO
52932 -+ select CRYPTO_SHA256
52933 -+ help
52934 -+ If you say Y here, you will be able to configure many features
52935 -+ that will enhance the security of your system. It is highly
52936 -+ recommended that you say Y here and read through the help
52937 -+ for each option so that you fully understand the features and
52938 -+ can evaluate their usefulness for your machine.
52939 -+
52940 -+choice
52941 -+ prompt "Security Level"
52942 -+ depends GRKERNSEC
52943 -+ default GRKERNSEC_CUSTOM
52944 -+
52945 -+config GRKERNSEC_LOW
52946 -+ bool "Low"
52947 -+ select GRKERNSEC_LINK
52948 -+ select GRKERNSEC_FIFO
52949 -+ select GRKERNSEC_EXECVE
52950 -+ select GRKERNSEC_RANDNET
52951 -+ select GRKERNSEC_DMESG
52952 -+ select GRKERNSEC_CHROOT_CHDIR
52953 -+ select GRKERNSEC_MODSTOP if (MODULES)
52954 -+
52955 -+ help
52956 -+ If you choose this option, several of the grsecurity options will
52957 -+ be enabled that will give you greater protection against a number
52958 -+ of attacks, while assuring that none of your software will have any
52959 -+ conflicts with the additional security measures. If you run a lot
52960 -+ of unusual software, or you are having problems with the higher
52961 -+ security levels, you should say Y here. With this option, the
52962 -+ following features are enabled:
52963 -+
52964 -+ - Linking restrictions
52965 -+ - FIFO restrictions
52966 -+ - Enforcing RLIMIT_NPROC on execve
52967 -+ - Restricted dmesg
52968 -+ - Enforced chdir("/") on chroot
52969 -+ - Runtime module disabling
52970 -+
52971 -+config GRKERNSEC_MEDIUM
52972 -+ bool "Medium"
52973 -+ select PAX
52974 -+ select PAX_EI_PAX
52975 -+ select PAX_PT_PAX_FLAGS
52976 -+ select PAX_HAVE_ACL_FLAGS
52977 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
52978 -+ select GRKERNSEC_CHROOT_SYSCTL
52979 -+ select GRKERNSEC_LINK
52980 -+ select GRKERNSEC_FIFO
52981 -+ select GRKERNSEC_EXECVE
52982 -+ select GRKERNSEC_DMESG
52983 -+ select GRKERNSEC_RANDNET
52984 -+ select GRKERNSEC_FORKFAIL
52985 -+ select GRKERNSEC_TIME
52986 -+ select GRKERNSEC_SIGNAL
52987 -+ select GRKERNSEC_CHROOT
52988 -+ select GRKERNSEC_CHROOT_UNIX
52989 -+ select GRKERNSEC_CHROOT_MOUNT
52990 -+ select GRKERNSEC_CHROOT_PIVOT
52991 -+ select GRKERNSEC_CHROOT_DOUBLE
52992 -+ select GRKERNSEC_CHROOT_CHDIR
52993 -+ select GRKERNSEC_CHROOT_MKNOD
52994 -+ select GRKERNSEC_PROC
52995 -+ select GRKERNSEC_PROC_USERGROUP
52996 -+ select GRKERNSEC_MODSTOP if (MODULES)
52997 -+ select PAX_RANDUSTACK
52998 -+ select PAX_ASLR
52999 -+ select PAX_RANDMMAP
53000 -+
53001 -+ help
53002 -+ If you say Y here, several features in addition to those included
53003 -+ in the low additional security level will be enabled. These
53004 -+ features provide even more security to your system, though in rare
53005 -+ cases they may be incompatible with very old or poorly written
53006 -+ software. If you enable this option, make sure that your auth
53007 -+ service (identd) is running as gid 1001. With this option,
53008 -+ the following features (in addition to those provided in the
53009 -+ low additional security level) will be enabled:
53010 -+
53011 -+ - Randomized TCP source ports
53012 -+ - Failed fork logging
53013 -+ - Time change logging
53014 -+ - Signal logging
53015 -+ - Deny mounts in chroot
53016 -+ - Deny double chrooting
53017 -+ - Deny sysctl writes in chroot
53018 -+ - Deny mknod in chroot
53019 -+ - Deny access to abstract AF_UNIX sockets out of chroot
53020 -+ - Deny pivot_root in chroot
53021 -+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
53022 -+ - /proc restrictions with special GID set to 10 (usually wheel)
53023 -+ - Address Space Layout Randomization (ASLR)
53024 -+
53025 -+config GRKERNSEC_HIGH
53026 -+ bool "High"
53027 -+ select GRKERNSEC_LINK
53028 -+ select GRKERNSEC_FIFO
53029 -+ select GRKERNSEC_EXECVE
53030 -+ select GRKERNSEC_DMESG
53031 -+ select GRKERNSEC_FORKFAIL
53032 -+ select GRKERNSEC_TIME
53033 -+ select GRKERNSEC_SIGNAL
53034 -+ select GRKERNSEC_CHROOT_SHMAT
53035 -+ select GRKERNSEC_CHROOT_UNIX
53036 -+ select GRKERNSEC_CHROOT_MOUNT
53037 -+ select GRKERNSEC_CHROOT_FCHDIR
53038 -+ select GRKERNSEC_CHROOT_PIVOT
53039 -+ select GRKERNSEC_CHROOT_DOUBLE
53040 -+ select GRKERNSEC_CHROOT_CHDIR
53041 -+ select GRKERNSEC_CHROOT_MKNOD
53042 -+ select GRKERNSEC_CHROOT_CAPS
53043 -+ select GRKERNSEC_CHROOT_SYSCTL
53044 -+ select GRKERNSEC_CHROOT_FINDTASK
53045 -+ select GRKERNSEC_PROC
53046 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
53047 -+ select GRKERNSEC_HIDESYM
53048 -+ select GRKERNSEC_BRUTE
53049 -+ select GRKERNSEC_SHM if (SYSVIPC)
53050 -+ select GRKERNSEC_PROC_USERGROUP
53051 -+ select GRKERNSEC_KMEM
53052 -+ select GRKERNSEC_RESLOG
53053 -+ select GRKERNSEC_RANDNET
53054 -+ select GRKERNSEC_PROC_ADD
53055 -+ select GRKERNSEC_CHROOT_CHMOD
53056 -+ select GRKERNSEC_CHROOT_NICE
53057 -+ select GRKERNSEC_AUDIT_MOUNT
53058 -+ select GRKERNSEC_MODSTOP if (MODULES)
53059 -+ select PAX
53060 -+ select PAX_RANDUSTACK
53061 -+ select PAX_ASLR
53062 -+ select PAX_RANDMMAP
53063 -+ select PAX_NOEXEC
53064 -+ select PAX_MPROTECT
53065 -+ select PAX_EI_PAX
53066 -+ select PAX_PT_PAX_FLAGS
53067 -+ select PAX_HAVE_ACL_FLAGS
53068 -+ select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
53069 -+ select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
53070 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
53071 -+ select PAX_SEGMEXEC if (X86 && !X86_64)
53072 -+ select PAX_PAGEEXEC if (!X86)
53073 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
53074 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
53075 -+ select PAX_SYSCALL if (PPC32)
53076 -+ select PAX_EMUTRAMP if (PARISC)
53077 -+ select PAX_EMUSIGRT if (PARISC)
53078 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
53079 -+ help
53080 -+ If you say Y here, many of the features of grsecurity will be
53081 -+ enabled, which will protect you against many kinds of attacks
53082 -+ against your system. The heightened security comes at a cost
53083 -+ of an increased chance of incompatibilities with rare software
53084 -+ on your machine. Since this security level enables PaX, you should
53085 -+ view <http://pax.grsecurity.net> and read about the PaX
53086 -+ project. While you are there, download chpax and run it on
53087 -+ binaries that cause problems with PaX. Also remember that
53088 -+ since the /proc restrictions are enabled, you must run your
53089 -+ identd as gid 1001. This security level enables the following
53090 -+ features in addition to those listed in the low and medium
53091 -+ security levels:
53092 -+
53093 -+ - Additional /proc restrictions
53094 -+ - Chmod restrictions in chroot
53095 -+ - No signals, ptrace, or viewing of processes outside of chroot
53096 -+ - Capability restrictions in chroot
53097 -+ - Deny fchdir out of chroot
53098 -+ - Priority restrictions in chroot
53099 -+ - Segmentation-based implementation of PaX
53100 -+ - Mprotect restrictions
53101 -+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
53102 -+ - Kernel stack randomization
53103 -+ - Mount/unmount/remount logging
53104 -+ - Kernel symbol hiding
53105 -+ - Destroy unused shared memory
53106 -+ - Prevention of memory exhaustion-based exploits
53107 -+config GRKERNSEC_CUSTOM
53108 -+ bool "Custom"
53109 -+ help
53110 -+ If you say Y here, you will be able to configure every grsecurity
53111 -+ option, which allows you to enable many more features that aren't
53112 -+ covered in the basic security levels. These additional features
53113 -+ include TPE, socket restrictions, and the sysctl system for
53114 -+ grsecurity. It is advised that you read through the help for
53115 -+ each option to determine its usefulness in your situation.
53116 -+
53117 -+endchoice
53118 -+
53119 -+menu "Address Space Protection"
53120 -+depends on GRKERNSEC
53121 -+
53122 -+config GRKERNSEC_KMEM
53123 -+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
53124 -+ help
53125 -+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
53126 -+ be written to via mmap or otherwise to modify the running kernel.
53127 -+ /dev/port will also not be allowed to be opened. If you have module
53128 -+ support disabled, enabling this will close up four ways that are
53129 -+ currently used to insert malicious code into the running kernel.
53130 -+ Even with all these features enabled, we still highly recommend that
53131 -+ you use the RBAC system, as it is still possible for an attacker to
53132 -+ modify the running kernel through privileged I/O granted by ioperm/iopl.
53133 -+ If you are not using XFree86, you may be able to stop this additional
53134 -+ case by enabling the 'Disable privileged I/O' option. Though nothing
53135 -+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
53136 -+ but only to video memory, which is the only writing we allow in this
53137 -+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
53138 -+ not be allowed to mprotect it with PROT_WRITE later.
53139 -+ It is highly recommended that you say Y here if you meet all the
53140 -+ conditions above.
53141 -+
53142 -+config GRKERNSEC_IO
53143 -+ bool "Disable privileged I/O"
53144 -+ depends on X86
53145 -+ select RTC
53146 -+ help
53147 -+ If you say Y here, all ioperm and iopl calls will return an error.
53148 -+ Ioperm and iopl can be used to modify the running kernel.
53149 -+ Unfortunately, some programs need this access to operate properly,
53150 -+ the most notable of which are XFree86 and hwclock. hwclock can be
53151 -+ remedied by having RTC support in the kernel, so CONFIG_RTC is
53152 -+ enabled if this option is enabled, to ensure that hwclock operates
53153 -+ correctly. XFree86 still will not operate correctly with this option
53154 -+ enabled, so DO NOT CHOOSE Y IF YOU USE XFree86. If you use XFree86
53155 -+ and you still want to protect your kernel against modification,
53156 -+ use the RBAC system.
53157 -+
53158 -+config GRKERNSEC_PROC_MEMMAP
53159 -+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
53160 -+ depends on PAX_NOEXEC || PAX_ASLR
53161 -+ help
53162 -+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
53163 -+ give no information about the addresses of its mappings if
53164 -+ PaX features that rely on random addresses are enabled on the task.
53165 -+ If you use PaX it is greatly recommended that you say Y here as it
53166 -+ closes up a hole that makes the full ASLR useless for suid
53167 -+ binaries.
53168 -+
53169 -+config GRKERNSEC_BRUTE
53170 -+ bool "Deter exploit bruteforcing"
53171 -+ help
53172 -+ If you say Y here, attempts to bruteforce exploits against forking
53173 -+ daemons such as apache or sshd will be deterred. When a child of a
53174 -+ forking daemon is killed by PaX or crashes due to an illegal
53175 -+ instruction, the parent process will be delayed 30 seconds upon every
53176 -+ subsequent fork until the administrator is able to assess the
53177 -+ situation and restart the daemon. It is recommended that you also
53178 -+ enable signal logging in the auditing section so that logs are
53179 -+ generated when a process performs an illegal instruction.
53180 -+
53181 -+config GRKERNSEC_MODSTOP
53182 -+ bool "Runtime module disabling"
53183 -+ depends on MODULES
53184 -+ help
53185 -+ If you say Y here, you will be able to disable the ability to (un)load
53186 -+ modules at runtime. This feature is useful if you need the ability
53187 -+ to load kernel modules at boot time, but do not want to allow an
53188 -+ attacker to load a rootkit kernel module into the system, or to remove
53189 -+ a loaded kernel module important to system functioning. You should
53190 -+ enable the /dev/mem protection feature as well, since rootkits can be
53191 -+ inserted into the kernel via other methods than kernel modules. Since
53192 -+ an untrusted module could still be loaded by modifying init scripts and
53193 -+ rebooting the system, it is also recommended that you enable the RBAC
53194 -+ system. If you enable this option, a sysctl option with name
53195 -+ "disable_modules" will be created. Setting this option to "1" disables
53196 -+ module loading. After this option is set, no further writes to it are
53197 -+ allowed until the system is rebooted.
53198 -+
53199 -+config GRKERNSEC_HIDESYM
53200 -+ bool "Hide kernel symbols"
53201 -+ help
53202 -+ If you say Y here, getting information on loaded modules, and
53203 -+ displaying all kernel symbols through a syscall will be restricted
53204 -+ to users with CAP_SYS_MODULE. This option is only effective
53205 -+ provided the following conditions are met:
53206 -+ 1) The kernel using grsecurity is not precompiled by some distribution
53207 -+ 2) You are using the RBAC system and hiding other files such as your
53208 -+ kernel image and System.map
53209 -+ 3) You have the additional /proc restrictions enabled, which removes
53210 -+ /proc/kcore
53211 -+ If the above conditions are met, this option will aid to provide a
53212 -+ useful protection against local and remote kernel exploitation of
53213 -+ overflows and arbitrary read/write vulnerabilities.
53214 -+
53215 -+endmenu
53216 -+menu "Role Based Access Control Options"
53217 -+depends on GRKERNSEC
53218 -+
53219 -+config GRKERNSEC_ACL_HIDEKERN
53220 -+ bool "Hide kernel processes"
53221 -+ help
53222 -+ If you say Y here, all kernel threads will be hidden to all
53223 -+ processes but those whose subject has the "view hidden processes"
53224 -+ flag.
53225 -+
53226 -+config GRKERNSEC_ACL_MAXTRIES
53227 -+ int "Maximum tries before password lockout"
53228 -+ default 3
53229 -+ help
53230 -+ This option enforces the maximum number of times a user can attempt
53231 -+ to authorize themselves with the grsecurity RBAC system before being
53232 -+ denied the ability to attempt authorization again for a specified time.
53233 -+ The lower the number, the harder it will be to brute-force a password.
53234 -+
53235 -+config GRKERNSEC_ACL_TIMEOUT
53236 -+ int "Time to wait after max password tries, in seconds"
53237 -+ default 30
53238 -+ help
53239 -+ This option specifies the time the user must wait after attempting to
53240 -+ authorize to the RBAC system with the maximum number of invalid
53241 -+ passwords. The higher the number, the harder it will be to brute-force
53242 -+ a password.
53243 -+
53244 -+endmenu
53245 -+menu "Filesystem Protections"
53246 -+depends on GRKERNSEC
53247 -+
53248 -+config GRKERNSEC_PROC
53249 -+ bool "Proc restrictions"
53250 -+ help
53251 -+ If you say Y here, the permissions of the /proc filesystem
53252 -+ will be altered to enhance system security and privacy. You MUST
53253 -+ choose either a user only restriction or a user and group restriction.
53254 -+ Depending upon the option you choose, you can either restrict users to
53255 -+ see only the processes they themselves run, or choose a group that can
53256 -+ view all processes and files normally restricted to root if you choose
53257 -+ the "restrict to user only" option. NOTE: If you're running identd as
53258 -+ a non-root user, you will have to run it as the group you specify here.
53259 -+
53260 -+config GRKERNSEC_PROC_USER
53261 -+ bool "Restrict /proc to user only"
53262 -+ depends on GRKERNSEC_PROC
53263 -+ help
53264 -+ If you say Y here, non-root users will only be able to view their own
53265 -+ processes, and restricts them from viewing network-related information,
53266 -+ and viewing kernel symbol and module information.
53267 -+
53268 -+config GRKERNSEC_PROC_USERGROUP
53269 -+ bool "Allow special group"
53270 -+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
53271 -+ help
53272 -+ If you say Y here, you will be able to select a group that will be
53273 -+ able to view all processes, network-related information, and
53274 -+ kernel and symbol information. This option is useful if you want
53275 -+ to run identd as a non-root user.
53276 -+
53277 -+config GRKERNSEC_PROC_GID
53278 -+ int "GID for special group"
53279 -+ depends on GRKERNSEC_PROC_USERGROUP
53280 -+ default 1001
53281 -+
53282 -+config GRKERNSEC_PROC_ADD
53283 -+ bool "Additional restrictions"
53284 -+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
53285 -+ help
53286 -+ If you say Y here, additional restrictions will be placed on
53287 -+ /proc that keep normal users from viewing device information and
53288 -+ slabinfo information that could be useful for exploits.
53289 -+
53290 -+config GRKERNSEC_LINK
53291 -+ bool "Linking restrictions"
53292 -+ help
53293 -+ If you say Y here, /tmp race exploits will be prevented, since users
53294 -+ will no longer be able to follow symlinks owned by other users in
53295 -+ world-writable +t directories (i.e. /tmp), unless the owner of the
53296 -+ symlink is the owner of the directory. users will also not be
53297 -+ able to hardlink to files they do not own. If the sysctl option is
53298 -+ enabled, a sysctl option with name "linking_restrictions" is created.
53299 -+
53300 -+config GRKERNSEC_FIFO
53301 -+ bool "FIFO restrictions"
53302 -+ help
53303 -+ If you say Y here, users will not be able to write to FIFOs they don't
53304 -+ own in world-writable +t directories (i.e. /tmp), unless the owner of
53305 -+ the FIFO is the same owner of the directory it's held in. If the sysctl
53306 -+ option is enabled, a sysctl option with name "fifo_restrictions" is
53307 -+ created.
53308 -+
53309 -+config GRKERNSEC_CHROOT
53310 -+ bool "Chroot jail restrictions"
53311 -+ help
53312 -+ If you say Y here, you will be able to choose several options that will
53313 -+ make breaking out of a chrooted jail much more difficult. If you
53314 -+ encounter no software incompatibilities with the following options, it
53315 -+ is recommended that you enable each one.
53316 -+
53317 -+config GRKERNSEC_CHROOT_MOUNT
53318 -+ bool "Deny mounts"
53319 -+ depends on GRKERNSEC_CHROOT
53320 -+ help
53321 -+ If you say Y here, processes inside a chroot will not be able to
53322 -+ mount or remount filesystems. If the sysctl option is enabled, a
53323 -+ sysctl option with name "chroot_deny_mount" is created.
53324 -+
53325 -+config GRKERNSEC_CHROOT_DOUBLE
53326 -+ bool "Deny double-chroots"
53327 -+ depends on GRKERNSEC_CHROOT
53328 -+ help
53329 -+ If you say Y here, processes inside a chroot will not be able to chroot
53330 -+ again outside the chroot. This is a widely used method of breaking
53331 -+ out of a chroot jail and should not be allowed. If the sysctl
53332 -+ option is enabled, a sysctl option with name
53333 -+ "chroot_deny_chroot" is created.
53334 -+
53335 -+config GRKERNSEC_CHROOT_PIVOT
53336 -+ bool "Deny pivot_root in chroot"
53337 -+ depends on GRKERNSEC_CHROOT
53338 -+ help
53339 -+ If you say Y here, processes inside a chroot will not be able to use
53340 -+ a function called pivot_root() that was introduced in Linux 2.3.41. It
53341 -+ works similar to chroot in that it changes the root filesystem. This
53342 -+ function could be misused in a chrooted process to attempt to break out
53343 -+ of the chroot, and therefore should not be allowed. If the sysctl
53344 -+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
53345 -+ created.
53346 -+
53347 -+config GRKERNSEC_CHROOT_CHDIR
53348 -+ bool "Enforce chdir(\"/\") on all chroots"
53349 -+ depends on GRKERNSEC_CHROOT
53350 -+ help
53351 -+ If you say Y here, the current working directory of all newly-chrooted
53352 -+ applications will be set to the the root directory of the chroot.
53353 -+ The man page on chroot(2) states:
53354 -+ Note that this call does not change the current working
53355 -+ directory, so that `.' can be outside the tree rooted at
53356 -+ `/'. In particular, the super-user can escape from a
53357 -+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
53358 -+
53359 -+ It is recommended that you say Y here, since it's not known to break
53360 -+ any software. If the sysctl option is enabled, a sysctl option with
53361 -+ name "chroot_enforce_chdir" is created.
53362 -+
53363 -+config GRKERNSEC_CHROOT_CHMOD
53364 -+ bool "Deny (f)chmod +s"
53365 -+ depends on GRKERNSEC_CHROOT
53366 -+ help
53367 -+ If you say Y here, processes inside a chroot will not be able to chmod
53368 -+ or fchmod files to make them have suid or sgid bits. This protects
53369 -+ against another published method of breaking a chroot. If the sysctl
53370 -+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
53371 -+ created.
53372 -+
53373 -+config GRKERNSEC_CHROOT_FCHDIR
53374 -+ bool "Deny fchdir out of chroot"
53375 -+ depends on GRKERNSEC_CHROOT
53376 -+ help
53377 -+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
53378 -+ to a file descriptor of the chrooting process that points to a directory
53379 -+ outside the filesystem will be stopped. If the sysctl option
53380 -+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
53381 -+
53382 -+config GRKERNSEC_CHROOT_MKNOD
53383 -+ bool "Deny mknod"
53384 -+ depends on GRKERNSEC_CHROOT
53385 -+ help
53386 -+ If you say Y here, processes inside a chroot will not be allowed to
53387 -+ mknod. The problem with using mknod inside a chroot is that it
53388 -+ would allow an attacker to create a device entry that is the same
53389 -+ as one on the physical root of your system, which could range from
53390 -+ anything from the console device to a device for your harddrive (which
53391 -+ they could then use to wipe the drive or steal data). It is recommended
53392 -+ that you say Y here, unless you run into software incompatibilities.
53393 -+ If the sysctl option is enabled, a sysctl option with name
53394 -+ "chroot_deny_mknod" is created.
53395 -+
53396 -+config GRKERNSEC_CHROOT_SHMAT
53397 -+ bool "Deny shmat() out of chroot"
53398 -+ depends on GRKERNSEC_CHROOT
53399 -+ help
53400 -+ If you say Y here, processes inside a chroot will not be able to attach
53401 -+ to shared memory segments that were created outside of the chroot jail.
53402 -+ It is recommended that you say Y here. If the sysctl option is enabled,
53403 -+ a sysctl option with name "chroot_deny_shmat" is created.
53404 -+
53405 -+config GRKERNSEC_CHROOT_UNIX
53406 -+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
53407 -+ depends on GRKERNSEC_CHROOT
53408 -+ help
53409 -+ If you say Y here, processes inside a chroot will not be able to
53410 -+ connect to abstract (meaning not belonging to a filesystem) Unix
53411 -+ domain sockets that were bound outside of a chroot. It is recommended
53412 -+ that you say Y here. If the sysctl option is enabled, a sysctl option
53413 -+ with name "chroot_deny_unix" is created.
53414 -+
53415 -+config GRKERNSEC_CHROOT_FINDTASK
53416 -+ bool "Protect outside processes"
53417 -+ depends on GRKERNSEC_CHROOT
53418 -+ help
53419 -+ If you say Y here, processes inside a chroot will not be able to
53420 -+ kill, send signals with fcntl, ptrace, capget, getpgid, getsid,
53421 -+ or view any process outside of the chroot. If the sysctl
53422 -+ option is enabled, a sysctl option with name "chroot_findtask" is
53423 -+ created.
53424 -+
53425 -+config GRKERNSEC_CHROOT_NICE
53426 -+ bool "Restrict priority changes"
53427 -+ depends on GRKERNSEC_CHROOT
53428 -+ help
53429 -+ If you say Y here, processes inside a chroot will not be able to raise
53430 -+ the priority of processes in the chroot, or alter the priority of
53431 -+ processes outside the chroot. This provides more security than simply
53432 -+ removing CAP_SYS_NICE from the process' capability set. If the
53433 -+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
53434 -+ is created.
53435 -+
53436 -+config GRKERNSEC_CHROOT_SYSCTL
53437 -+ bool "Deny sysctl writes"
53438 -+ depends on GRKERNSEC_CHROOT
53439 -+ help
53440 -+ If you say Y here, an attacker in a chroot will not be able to
53441 -+ write to sysctl entries, either by sysctl(2) or through a /proc
53442 -+ interface. It is strongly recommended that you say Y here. If the
53443 -+ sysctl option is enabled, a sysctl option with name
53444 -+ "chroot_deny_sysctl" is created.
53445 -+
53446 -+config GRKERNSEC_CHROOT_CAPS
53447 -+ bool "Capability restrictions"
53448 -+ depends on GRKERNSEC_CHROOT
53449 -+ help
53450 -+ If you say Y here, the capabilities on all root processes within a
53451 -+ chroot jail will be lowered to stop module insertion, raw i/o,
53452 -+ system and net admin tasks, rebooting the system, modifying immutable
53453 -+ files, modifying IPC owned by another, and changing the system time.
53454 -+ This is left an option because it can break some apps. Disable this
53455 -+ if your chrooted apps are having problems performing those kinds of
53456 -+ tasks. If the sysctl option is enabled, a sysctl option with
53457 -+ name "chroot_caps" is created.
53458 -+
53459 -+endmenu
53460 -+menu "Kernel Auditing"
53461 -+depends on GRKERNSEC
53462 -+
53463 -+config GRKERNSEC_AUDIT_GROUP
53464 -+ bool "Single group for auditing"
53465 -+ help
53466 -+ If you say Y here, the exec, chdir, (un)mount, and ipc logging features
53467 -+ will only operate on a group you specify. This option is recommended
53468 -+ if you only want to watch certain users instead of having a large
53469 -+ amount of logs from the entire system. If the sysctl option is enabled,
53470 -+ a sysctl option with name "audit_group" is created.
53471 -+
53472 -+config GRKERNSEC_AUDIT_GID
53473 -+ int "GID for auditing"
53474 -+ depends on GRKERNSEC_AUDIT_GROUP
53475 -+ default 1007
53476 -+
53477 -+config GRKERNSEC_EXECLOG
53478 -+ bool "Exec logging"
53479 -+ help
53480 -+ If you say Y here, all execve() calls will be logged (since the
53481 -+ other exec*() calls are frontends to execve(), all execution
53482 -+ will be logged). Useful for shell-servers that like to keep track
53483 -+ of their users. If the sysctl option is enabled, a sysctl option with
53484 -+ name "exec_logging" is created.
53485 -+ WARNING: This option when enabled will produce a LOT of logs, especially
53486 -+ on an active system.
53487 -+
53488 -+config GRKERNSEC_RESLOG
53489 -+ bool "Resource logging"
53490 -+ help
53491 -+ If you say Y here, all attempts to overstep resource limits will
53492 -+ be logged with the resource name, the requested size, and the current
53493 -+ limit. It is highly recommended that you say Y here. If the sysctl
53494 -+ option is enabled, a sysctl option with name "resource_logging" is
53495 -+ created. If the RBAC system is enabled, the sysctl value is ignored.
53496 -+
53497 -+config GRKERNSEC_CHROOT_EXECLOG
53498 -+ bool "Log execs within chroot"
53499 -+ help
53500 -+ If you say Y here, all executions inside a chroot jail will be logged
53501 -+ to syslog. This can cause a large amount of logs if certain
53502 -+ applications (eg. djb's daemontools) are installed on the system, and
53503 -+ is therefore left as an option. If the sysctl option is enabled, a
53504 -+ sysctl option with name "chroot_execlog" is created.
53505 -+
53506 -+config GRKERNSEC_AUDIT_CHDIR
53507 -+ bool "Chdir logging"
53508 -+ help
53509 -+ If you say Y here, all chdir() calls will be logged. If the sysctl
53510 -+ option is enabled, a sysctl option with name "audit_chdir" is created.
53511 -+
53512 -+config GRKERNSEC_AUDIT_MOUNT
53513 -+ bool "(Un)Mount logging"
53514 -+ help
53515 -+ If you say Y here, all mounts and unmounts will be logged. If the
53516 -+ sysctl option is enabled, a sysctl option with name "audit_mount" is
53517 -+ created.
53518 -+
53519 -+config GRKERNSEC_AUDIT_IPC
53520 -+ bool "IPC logging"
53521 -+ help
53522 -+ If you say Y here, creation and removal of message queues, semaphores,
53523 -+ and shared memory will be logged. If the sysctl option is enabled, a
53524 -+ sysctl option with name "audit_ipc" is created.
53525 -+
53526 -+config GRKERNSEC_SIGNAL
53527 -+ bool "Signal logging"
53528 -+ help
53529 -+ If you say Y here, certain important signals will be logged, such as
53530 -+ SIGSEGV, which will as a result inform you of when a error in a program
53531 -+ occurred, which in some cases could mean a possible exploit attempt.
53532 -+ If the sysctl option is enabled, a sysctl option with name
53533 -+ "signal_logging" is created.
53534 -+
53535 -+config GRKERNSEC_FORKFAIL
53536 -+ bool "Fork failure logging"
53537 -+ help
53538 -+ If you say Y here, all failed fork() attempts will be logged.
53539 -+ This could suggest a fork bomb, or someone attempting to overstep
53540 -+ their process limit. If the sysctl option is enabled, a sysctl option
53541 -+ with name "forkfail_logging" is created.
53542 -+
53543 -+config GRKERNSEC_TIME
53544 -+ bool "Time change logging"
53545 -+ help
53546 -+ If you say Y here, any changes of the system clock will be logged.
53547 -+ If the sysctl option is enabled, a sysctl option with name
53548 -+ "timechange_logging" is created.
53549 -+
53550 -+config GRKERNSEC_PROC_IPADDR
53551 -+ bool "/proc/<pid>/ipaddr support"
53552 -+ help
53553 -+ If you say Y here, a new entry will be added to each /proc/<pid>
53554 -+ directory that contains the IP address of the person using the task.
53555 -+ The IP is carried across local TCP and AF_UNIX stream sockets.
53556 -+ This information can be useful for IDS/IPSes to perform remote response
53557 -+ to a local attack. The entry is readable by only the owner of the
53558 -+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
53559 -+ the RBAC system), and thus does not create privacy concerns.
53560 -+
53561 -+config GRKERNSEC_AUDIT_TEXTREL
53562 -+ bool 'ELF text relocations logging (READ HELP)'
53563 -+ depends on PAX_MPROTECT
53564 -+ help
53565 -+ If you say Y here, text relocations will be logged with the filename
53566 -+ of the offending library or binary. The purpose of the feature is
53567 -+ to help Linux distribution developers get rid of libraries and
53568 -+ binaries that need text relocations which hinder the future progress
53569 -+ of PaX. Only Linux distribution developers should say Y here, and
53570 -+ never on a production machine, as this option creates an information
53571 -+ leak that could aid an attacker in defeating the randomization of
53572 -+ a single memory region. If the sysctl option is enabled, a sysctl
53573 -+ option with name "audit_textrel" is created.
53574 -+
53575 -+endmenu
53576 -+
53577 -+menu "Executable Protections"
53578 -+depends on GRKERNSEC
53579 -+
53580 -+config GRKERNSEC_EXECVE
53581 -+ bool "Enforce RLIMIT_NPROC on execs"
53582 -+ help
53583 -+ If you say Y here, users with a resource limit on processes will
53584 -+ have the value checked during execve() calls. The current system
53585 -+ only checks the system limit during fork() calls. If the sysctl option
53586 -+ is enabled, a sysctl option with name "execve_limiting" is created.
53587 -+
53588 -+config GRKERNSEC_SHM
53589 -+ bool "Destroy unused shared memory"
53590 -+ depends on SYSVIPC
53591 -+ help
53592 -+ If you say Y here, shared memory will be destroyed when no one is
53593 -+ attached to it. Otherwise, resources involved with the shared
53594 -+ memory can be used up and not be associated with any process (as the
53595 -+ shared memory still exists, and the creating process has exited). If
53596 -+ the sysctl option is enabled, a sysctl option with name
53597 -+ "destroy_unused_shm" is created.
53598 -+
53599 -+config GRKERNSEC_DMESG
53600 -+ bool "Dmesg(8) restriction"
53601 -+ help
53602 -+ If you say Y here, non-root users will not be able to use dmesg(8)
53603 -+ to view up to the last 4kb of messages in the kernel's log buffer.
53604 -+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
53605 -+ created.
53606 -+
53607 -+config GRKERNSEC_TPE
53608 -+ bool "Trusted Path Execution (TPE)"
53609 -+ help
53610 -+ If you say Y here, you will be able to choose a gid to add to the
53611 -+ supplementary groups of users you want to mark as "untrusted."
53612 -+ These users will not be able to execute any files that are not in
53613 -+ root-owned directories writable only by root. If the sysctl option
53614 -+ is enabled, a sysctl option with name "tpe" is created.
53615 -+
53616 -+config GRKERNSEC_TPE_ALL
53617 -+ bool "Partially restrict non-root users"
53618 -+ depends on GRKERNSEC_TPE
53619 -+ help
53620 -+ If you say Y here, All non-root users other than the ones in the
53621 -+ group specified in the main TPE option will only be allowed to
53622 -+ execute files in directories they own that are not group or
53623 -+ world-writable, or in directories owned by root and writable only by
53624 -+ root. If the sysctl option is enabled, a sysctl option with name
53625 -+ "tpe_restrict_all" is created.
53626 -+
53627 -+config GRKERNSEC_TPE_INVERT
53628 -+ bool "Invert GID option"
53629 -+ depends on GRKERNSEC_TPE
53630 -+ help
53631 -+ If you say Y here, the group you specify in the TPE configuration will
53632 -+ decide what group TPE restrictions will be *disabled* for. This
53633 -+ option is useful if you want TPE restrictions to be applied to most
53634 -+ users on the system.
53635 -+
53636 -+config GRKERNSEC_TPE_GID
53637 -+ int "GID for untrusted users"
53638 -+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
53639 -+ default 1005
53640 -+ help
53641 -+ If you have selected the "Invert GID option" above, setting this
53642 -+ GID determines what group TPE restrictions will be *disabled* for.
53643 -+ If you have not selected the "Invert GID option" above, setting this
53644 -+ GID determines what group TPE restrictions will be *enabled* for.
53645 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
53646 -+ is created.
53647 -+
53648 -+config GRKERNSEC_TPE_GID
53649 -+ int "GID for trusted users"
53650 -+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
53651 -+ default 1005
53652 -+ help
53653 -+ If you have selected the "Invert GID option" above, setting this
53654 -+ GID determines what group TPE restrictions will be *disabled* for.
53655 -+ If you have not selected the "Invert GID option" above, setting this
53656 -+ GID determines what group TPE restrictions will be *enabled* for.
53657 -+ If the sysctl option is enabled, a sysctl option with name "tpe_gid"
53658 -+ is created.
53659 -+
53660 -+endmenu
53661 -+menu "Network Protections"
53662 -+depends on GRKERNSEC
53663 -+
53664 -+config GRKERNSEC_RANDNET
53665 -+ bool "Larger entropy pools"
53666 -+ help
53667 -+ If you say Y here, the entropy pools used for many features of Linux
53668 -+ and grsecurity will be doubled in size. Since several grsecurity
53669 -+ features use additional randomness, it is recommended that you say Y
53670 -+ here. Saying Y here has a similar effect as modifying
53671 -+ /proc/sys/kernel/random/poolsize.
53672 -+
53673 -+config GRKERNSEC_SOCKET
53674 -+ bool "Socket restrictions"
53675 -+ help
53676 -+ If you say Y here, you will be able to choose from several options.
53677 -+ If you assign a GID on your system and add it to the supplementary
53678 -+ groups of users you want to restrict socket access to, this patch
53679 -+ will perform up to three things, based on the option(s) you choose.
53680 -+
53681 -+config GRKERNSEC_SOCKET_ALL
53682 -+ bool "Deny any sockets to group"
53683 -+ depends on GRKERNSEC_SOCKET
53684 -+ help
53685 -+ If you say Y here, you will be able to choose a GID of whose users will
53686 -+ be unable to connect to other hosts from your machine or run server
53687 -+ applications from your machine. If the sysctl option is enabled, a
53688 -+ sysctl option with name "socket_all" is created.
53689 -+
53690 -+config GRKERNSEC_SOCKET_ALL_GID
53691 -+ int "GID to deny all sockets for"
53692 -+ depends on GRKERNSEC_SOCKET_ALL
53693 -+ default 1004
53694 -+ help
53695 -+ Here you can choose the GID to disable socket access for. Remember to
53696 -+ add the users you want socket access disabled for to the GID
53697 -+ specified here. If the sysctl option is enabled, a sysctl option
53698 -+ with name "socket_all_gid" is created.
53699 -+
53700 -+config GRKERNSEC_SOCKET_CLIENT
53701 -+ bool "Deny client sockets to group"
53702 -+ depends on GRKERNSEC_SOCKET
53703 -+ help
53704 -+ If you say Y here, you will be able to choose a GID of whose users will
53705 -+ be unable to connect to other hosts from your machine, but will be
53706 -+ able to run servers. If this option is enabled, all users in the group
53707 -+ you specify will have to use passive mode when initiating ftp transfers
53708 -+ from the shell on your machine. If the sysctl option is enabled, a
53709 -+ sysctl option with name "socket_client" is created.
53710 -+
53711 -+config GRKERNSEC_SOCKET_CLIENT_GID
53712 -+ int "GID to deny client sockets for"
53713 -+ depends on GRKERNSEC_SOCKET_CLIENT
53714 -+ default 1003
53715 -+ help
53716 -+ Here you can choose the GID to disable client socket access for.
53717 -+ Remember to add the users you want client socket access disabled for to
53718 -+ the GID specified here. If the sysctl option is enabled, a sysctl
53719 -+ option with name "socket_client_gid" is created.
53720 -+
53721 -+config GRKERNSEC_SOCKET_SERVER
53722 -+ bool "Deny server sockets to group"
53723 -+ depends on GRKERNSEC_SOCKET
53724 -+ help
53725 -+ If you say Y here, you will be able to choose a GID of whose users will
53726 -+ be unable to run server applications from your machine. If the sysctl
53727 -+ option is enabled, a sysctl option with name "socket_server" is created.
53728 -+
53729 -+config GRKERNSEC_SOCKET_SERVER_GID
53730 -+ int "GID to deny server sockets for"
53731 -+ depends on GRKERNSEC_SOCKET_SERVER
53732 -+ default 1002
53733 -+ help
53734 -+ Here you can choose the GID to disable server socket access for.
53735 -+ Remember to add the users you want server socket access disabled for to
53736 -+ the GID specified here. If the sysctl option is enabled, a sysctl
53737 -+ option with name "socket_server_gid" is created.
53738 -+
53739 -+endmenu
53740 -+menu "Sysctl support"
53741 -+depends on GRKERNSEC && SYSCTL
53742 -+
53743 -+config GRKERNSEC_SYSCTL
53744 -+ bool "Sysctl support"
53745 -+ help
53746 -+ If you say Y here, you will be able to change the options that
53747 -+ grsecurity runs with at bootup, without having to recompile your
53748 -+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
53749 -+ to enable (1) or disable (0) various features. All the sysctl entries
53750 -+ are mutable until the "grsec_lock" entry is set to a non-zero value.
53751 -+ All features enabled in the kernel configuration are disabled at boot
53752 -+ if you do not say Y to the "Turn on features by default" option.
53753 -+ All options should be set at startup, and the grsec_lock entry should
53754 -+ be set to a non-zero value after all the options are set.
53755 -+ *THIS IS EXTREMELY IMPORTANT*
53756 -+
53757 -+config GRKERNSEC_SYSCTL_ON
53758 -+ bool "Turn on features by default"
53759 -+ depends on GRKERNSEC_SYSCTL
53760 -+ help
53761 -+ If you say Y here, instead of having all features enabled in the
53762 -+ kernel configuration disabled at boot time, the features will be
53763 -+ enabled at boot time. It is recommended you say Y here unless
53764 -+ there is some reason you would want all sysctl-tunable features to
53765 -+ be disabled by default. As mentioned elsewhere, it is important
53766 -+ to enable the grsec_lock entry once you have finished modifying
53767 -+ the sysctl entries.
53768 -+
53769 -+endmenu
53770 -+menu "Logging Options"
53771 -+depends on GRKERNSEC
53772 -+
53773 -+config GRKERNSEC_FLOODTIME
53774 -+ int "Seconds in between log messages (minimum)"
53775 -+ default 10
53776 -+ help
53777 -+ This option allows you to enforce the number of seconds between
53778 -+ grsecurity log messages. The default should be suitable for most
53779 -+ people, however, if you choose to change it, choose a value small enough
53780 -+ to allow informative logs to be produced, but large enough to
53781 -+ prevent flooding.
53782 -+
53783 -+config GRKERNSEC_FLOODBURST
53784 -+ int "Number of messages in a burst (maximum)"
53785 -+ default 4
53786 -+ help
53787 -+ This option allows you to choose the maximum number of messages allowed
53788 -+ within the flood time interval you chose in a separate option. The
53789 -+ default should be suitable for most people, however if you find that
53790 -+ many of your logs are being interpreted as flooding, you may want to
53791 -+ raise this value.
53792 -+
53793 -+endmenu
53794 -+
53795 -+endmenu
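Review bot: `config GRKERNSEC_TPE_GID` is defined twice in this hunk (once under `"GID for untrusted users"` with `depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT`, once under `"GID for trusted users"` with `depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT`), and both copies carry the identical help text, which already explains both the inverted and the non-inverted case. Kconfig merges duplicate symbol definitions, so this builds, but the duplication buys nothing: either specialise each help text to its own prompt (the "untrusted" block only needs the "*enabled* for" sentence, the "trusted" block only the "*disabled* for" one), or keep a single entry with one prompt and the shared help. Two smaller points in the same hunk: the GRKERNSEC_TPE_ALL help has "All non-root users" capitalised mid-sentence, and the GRKERNSEC_RANDNET help compares the option to "modifying /proc/sys/kernel/random/poolsize", which is worth re-checking against 2.6.23, where that sysctl is exported read-only and the pool size is fixed at build time.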
53796 -diff -Nurp linux-2.6.23.15/grsecurity/Makefile linux-2.6.23.15-grsec/grsecurity/Makefile
53797 ---- linux-2.6.23.15/grsecurity/Makefile 1970-01-01 01:00:00.000000000 +0100
53798 -+++ linux-2.6.23.15-grsec/grsecurity/Makefile 2008-02-11 10:37:44.000000000 +0000
53799 -@@ -0,0 +1,20 @@
53800 -+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
53801 -+# during 2001-2005 it has been completely redesigned by Brad Spengler
53802 -+# into an RBAC system
53803 -+#
53804 -+# All code in this directory and various hooks inserted throughout the kernel
53805 -+# are copyright Brad Spengler, and released under the GPL v2 or higher
53806 -+
53807 -+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
53808 -+ grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
53809 -+ grsec_time.o grsec_tpe.o grsec_ipc.o grsec_link.o grsec_textrel.o
53810 -+
53811 -+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
53812 -+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
53813 -+ gracl_learn.o grsec_log.o
53814 -+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
53815 -+
53816 -+ifndef CONFIG_GRKERNSEC
53817 -+obj-y += grsec_disabled.o
53818 -+endif
53819 -+
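Review bot: the first `obj-y` list builds `grsec_sysctl.o` (along with grsec_tpe.o, grsec_sock.o and the others) unconditionally, while the Kconfig hunk above puts the sysctl interface behind `GRKERNSEC_SYSCTL` (itself gated on `GRKERNSEC && SYSCTL`) and the TPE and socket options behind `GRKERNSEC`. If grsec_sysctl.c has no code outside its `CONFIG_GRKERNSEC_SYSCTL` guard, `obj-$(CONFIG_GRKERNSEC_SYSCTL) += grsec_sysctl.o` would be the clearer dependency; if the unconditional list is deliberate because these files provide hooks called from core kernel code regardless of configuration, a one-line comment saying so above `obj-y =` would stop the next reader from "fixing" it. Also, the hunk ends with a trailing empty line after `endif` that should be dropped.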
53820 -diff -Nurp linux-2.6.23.15/grsecurity/gracl.c linux-2.6.23.15-grsec/grsecurity/gracl.c
53821 ---- linux-2.6.23.15/grsecurity/gracl.c 1970-01-01 01:00:00.000000000 +0100
53822 -+++ linux-2.6.23.15-grsec/grsecurity/gracl.c 2008-02-11 10:37:44.000000000 +0000
53823 -@@ -0,0 +1,3722 @@
53824 -+#include <linux/kernel.h>
53825 -+#include <linux/module.h>
53826 -+#include <linux/sched.h>
53827 -+#include <linux/mm.h>
53828 -+#include <linux/file.h>
53829 -+#include <linux/fs.h>
53830 -+#include <linux/namei.h>
53831 -+#include <linux/mount.h>
53832 -+#include <linux/tty.h>
53833 -+#include <linux/proc_fs.h>
53834 -+#include <linux/smp_lock.h>
53835 -+#include <linux/slab.h>
53836 -+#include <linux/vmalloc.h>
53837 -+#include <linux/types.h>
53838 -+#include <linux/capability.h>
53839 -+#include <linux/sysctl.h>
53840 -+#include <linux/netdevice.h>
53841 -+#include <linux/ptrace.h>
53842 -+#include <linux/gracl.h>
53843 -+#include <linux/gralloc.h>
53844 -+#include <linux/grsecurity.h>
53845 -+#include <linux/grinternal.h>
53846 -+#include <linux/pid_namespace.h>
53847 -+#include <linux/percpu.h>
53848 -+
53849 -+#include <asm/uaccess.h>
53850 -+#include <asm/errno.h>
53851 -+#include <asm/mman.h>
53852 -+
53853 -+static struct acl_role_db acl_role_set;
53854 -+static struct name_db name_set;
53855 -+static struct inodev_db inodev_set;
53856 -+
53857 -+/* for keeping track of userspace pointers used for subjects, so we
53858 -+ can share references in the kernel as well
53859 -+*/
53860 -+
53861 -+static struct dentry *real_root;
53862 -+static struct vfsmount *real_root_mnt;
53863 -+
53864 -+static struct acl_subj_map_db subj_map_set;
53865 -+
53866 -+static struct acl_role_label *default_role;
53867 -+
53868 -+static u16 acl_sp_role_value;
53869 -+
53870 -+extern char *gr_shared_page[4];
53871 -+static DECLARE_MUTEX(gr_dev_sem);
53872 -+rwlock_t gr_inode_lock = RW_LOCK_UNLOCKED;
53873 -+
53874 -+struct gr_arg *gr_usermode;
53875 -+
53876 -+static unsigned int gr_status = GR_STATUS_INIT;
53877 -+
53878 -+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
53879 -+extern void gr_clear_learn_entries(void);
53880 -+
53881 -+#ifdef CONFIG_GRKERNSEC_RESLOG
53882 -+extern void gr_log_resource(const struct task_struct *task,
53883 -+ const int res, const unsigned long wanted, const int gt);
53884 -+#endif
53885 -+
53886 -+unsigned char *gr_system_salt;
53887 -+unsigned char *gr_system_sum;
53888 -+
53889 -+static struct sprole_pw **acl_special_roles = NULL;
53890 -+static __u16 num_sprole_pws = 0;
53891 -+
53892 -+static struct acl_role_label *kernel_role = NULL;
53893 -+
53894 -+static unsigned int gr_auth_attempts = 0;
53895 -+static unsigned long gr_auth_expires = 0UL;
53896 -+
53897 -+extern struct vfsmount *sock_mnt;
53898 -+extern struct vfsmount *pipe_mnt;
53899 -+extern struct vfsmount *shm_mnt;
53900 -+static struct acl_object_label *fakefs_obj;
53901 -+
53902 -+extern int gr_init_uidset(void);
53903 -+extern void gr_free_uidset(void);
53904 -+extern void gr_remove_uid(uid_t uid);
53905 -+extern int gr_find_uid(uid_t uid);
53906 -+
53907 -+__inline__ int
53908 -+gr_acl_is_enabled(void)
53909 -+{
53910 -+ return (gr_status & GR_READY);
53911 -+}
53912 -+
53913 -+char gr_roletype_to_char(void)
53914 -+{
53915 -+ switch (current->role->roletype &
53916 -+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
53917 -+ GR_ROLE_SPECIAL)) {
53918 -+ case GR_ROLE_DEFAULT:
53919 -+ return 'D';
53920 -+ case GR_ROLE_USER:
53921 -+ return 'U';
53922 -+ case GR_ROLE_GROUP:
53923 -+ return 'G';
53924 -+ case GR_ROLE_SPECIAL:
53925 -+ return 'S';
53926 -+ }
53927 -+
53928 -+ return 'X';
53929 -+}
53930 -+
53931 -+__inline__ int
53932 -+gr_acl_tpe_check(void)
53933 -+{
53934 -+ if (unlikely(!(gr_status & GR_READY)))
53935 -+ return 0;
53936 -+ if (current->role->roletype & GR_ROLE_TPE)
53937 -+ return 1;
53938 -+ else
53939 -+ return 0;
53940 -+}
53941 -+
53942 -+int
53943 -+gr_handle_rawio(const struct inode *inode)
53944 -+{
53945 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53946 -+ if (inode && S_ISBLK(inode->i_mode) &&
53947 -+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
53948 -+ !capable(CAP_SYS_RAWIO))
53949 -+ return 1;
53950 -+#endif
53951 -+ return 0;
53952 -+}
53953 -+
53954 -+static int
53955 -+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
53956 -+{
53957 -+ int i;
53958 -+ unsigned long *l1;
53959 -+ unsigned long *l2;
53960 -+ unsigned char *c1;
53961 -+ unsigned char *c2;
53962 -+ int num_longs;
53963 -+
53964 -+ if (likely(lena != lenb))
53965 -+ return 0;
53966 -+
53967 -+ l1 = (unsigned long *)a;
53968 -+ l2 = (unsigned long *)b;
53969 -+
53970 -+ num_longs = lena / sizeof(unsigned long);
53971 -+
53972 -+ for (i = num_longs; i--; l1++, l2++) {
53973 -+ if (unlikely(*l1 != *l2))
53974 -+ return 0;
53975 -+ }
53976 -+
53977 -+ c1 = (unsigned char *) l1;
53978 -+ c2 = (unsigned char *) l2;
53979 -+
53980 -+ i = lena - (num_longs * sizeof(unsigned long));
53981 -+
53982 -+ for (; i--; c1++, c2++) {
53983 -+ if (unlikely(*c1 != *c2))
53984 -+ return 0;
53985 -+ }
53986 -+
53987 -+ return 1;
53988 -+}
53989 -+
53990 -+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
53991 -+ struct dentry *root, struct vfsmount *rootmnt,
53992 -+ char *buffer, int buflen)
53993 -+{
53994 -+ char * end = buffer+buflen;
53995 -+ char * retval;
53996 -+ int namelen;
53997 -+
53998 -+ *--end = '\0';
53999 -+ buflen--;
54000 -+
54001 -+ if (buflen < 1)
54002 -+ goto Elong;
54003 -+ /* Get '/' right */
54004 -+ retval = end-1;
54005 -+ *retval = '/';
54006 -+
54007 -+ for (;;) {
54008 -+ struct dentry * parent;
54009 -+
54010 -+ if (dentry == root && vfsmnt == rootmnt)
54011 -+ break;
54012 -+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
54013 -+ /* Global root? */
54014 -+ spin_lock(&vfsmount_lock);
54015 -+ if (vfsmnt->mnt_parent == vfsmnt) {
54016 -+ spin_unlock(&vfsmount_lock);
54017 -+ goto global_root;
54018 -+ }
54019 -+ dentry = vfsmnt->mnt_mountpoint;
54020 -+ vfsmnt = vfsmnt->mnt_parent;
54021 -+ spin_unlock(&vfsmount_lock);
54022 -+ continue;
54023 -+ }
54024 -+ parent = dentry->d_parent;
54025 -+ prefetch(parent);
54026 -+ namelen = dentry->d_name.len;
54027 -+ buflen -= namelen + 1;
54028 -+ if (buflen < 0)
54029 -+ goto Elong;
54030 -+ end -= namelen;
54031 -+ memcpy(end, dentry->d_name.name, namelen);
54032 -+ *--end = '/';
54033 -+ retval = end;
54034 -+ dentry = parent;
54035 -+ }
54036 -+
54037 -+ return retval;
54038 -+
54039 -+global_root:
54040 -+ namelen = dentry->d_name.len;
54041 -+ buflen -= namelen;
54042 -+ if (buflen < 0)
54043 -+ goto Elong;
54044 -+ retval -= namelen-1; /* hit the slash */
54045 -+ memcpy(retval, dentry->d_name.name, namelen);
54046 -+ return retval;
54047 -+Elong:
54048 -+ return ERR_PTR(-ENAMETOOLONG);
54049 -+}
54050 -+
54051 -+static char *
54052 -+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
54053 -+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
54054 -+{
54055 -+ char *retval;
54056 -+
54057 -+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
54058 -+ if (unlikely(IS_ERR(retval)))
54059 -+ retval = strcpy(buf, "<path too long>");
54060 -+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
54061 -+ retval[1] = '\0';
54062 -+
54063 -+ return retval;
54064 -+}
54065 -+
54066 -+static char *
54067 -+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
54068 -+ char *buf, int buflen)
54069 -+{
54070 -+ char *res;
54071 -+
54072 -+ /* we can use real_root, real_root_mnt, because this is only called
54073 -+ by the RBAC system */
54074 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
54075 -+
54076 -+ return res;
54077 -+}
54078 -+
54079 -+static char *
54080 -+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
54081 -+ char *buf, int buflen)
54082 -+{
54083 -+ char *res;
54084 -+ struct dentry *root;
54085 -+ struct vfsmount *rootmnt;
54086 -+ struct task_struct *reaper = child_reaper(current);
54087 -+
54088 -+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
54089 -+ read_lock(&reaper->fs->lock);
54090 -+ root = dget(reaper->fs->root);
54091 -+ rootmnt = mntget(reaper->fs->rootmnt);
54092 -+ read_unlock(&reaper->fs->lock);
54093 -+
54094 -+ spin_lock(&dcache_lock);
54095 -+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
54096 -+ spin_unlock(&dcache_lock);
54097 -+
54098 -+ dput(root);
54099 -+ mntput(rootmnt);
54100 -+ return res;
54101 -+}
54102 -+
54103 -+static char *
54104 -+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
54105 -+{
54106 -+ char *ret;
54107 -+ spin_lock(&dcache_lock);
54108 -+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
54109 -+ PAGE_SIZE);
54110 -+ spin_unlock(&dcache_lock);
54111 -+ return ret;
54112 -+}
54113 -+
54114 -+char *
54115 -+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
54116 -+{
54117 -+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
54118 -+ PAGE_SIZE);
54119 -+}
54120 -+
54121 -+char *
54122 -+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
54123 -+{
54124 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
54125 -+ PAGE_SIZE);
54126 -+}
54127 -+
54128 -+char *
54129 -+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
54130 -+{
54131 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
54132 -+ PAGE_SIZE);
54133 -+}
54134 -+
54135 -+char *
54136 -+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
54137 -+{
54138 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
54139 -+ PAGE_SIZE);
54140 -+}
54141 -+
54142 -+char *
54143 -+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
54144 -+{
54145 -+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
54146 -+ PAGE_SIZE);
54147 -+}
54148 -+
54149 -+__inline__ __u32
54150 -+to_gr_audit(const __u32 reqmode)
54151 -+{
54152 -+ /* masks off auditable permission flags, then shifts them to create
54153 -+ auditing flags, and adds the special case of append auditing if
54154 -+ we're requesting write */
54155 -+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
54156 -+}
54157 -+
54158 -+struct acl_subject_label *
54159 -+lookup_subject_map(const struct acl_subject_label *userp)
54160 -+{
54161 -+ unsigned int index = shash(userp, subj_map_set.s_size);
54162 -+ struct subject_map *match;
54163 -+
54164 -+ match = subj_map_set.s_hash[index];
54165 -+
54166 -+ while (match && match->user != userp)
54167 -+ match = match->next;
54168 -+
54169 -+ if (match != NULL)
54170 -+ return match->kernel;
54171 -+ else
54172 -+ return NULL;
54173 -+}
54174 -+
54175 -+static void
54176 -+insert_subj_map_entry(struct subject_map *subjmap)
54177 -+{
54178 -+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
54179 -+ struct subject_map **curr;
54180 -+
54181 -+ subjmap->prev = NULL;
54182 -+
54183 -+ curr = &subj_map_set.s_hash[index];
54184 -+ if (*curr != NULL)
54185 -+ (*curr)->prev = subjmap;
54186 -+
54187 -+ subjmap->next = *curr;
54188 -+ *curr = subjmap;
54189 -+
54190 -+ return;
54191 -+}
54192 -+
54193 -+static struct acl_role_label *
54194 -+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
54195 -+ const gid_t gid)
54196 -+{
54197 -+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
54198 -+ struct acl_role_label *match;
54199 -+ struct role_allowed_ip *ipp;
54200 -+ unsigned int x;
54201 -+
54202 -+ match = acl_role_set.r_hash[index];
54203 -+
54204 -+ while (match) {
54205 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
54206 -+ for (x = 0; x < match->domain_child_num; x++) {
54207 -+ if (match->domain_children[x] == uid)
54208 -+ goto found;
54209 -+ }
54210 -+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
54211 -+ break;
54212 -+ match = match->next;
54213 -+ }
54214 -+found:
54215 -+ if (match == NULL) {
54216 -+ try_group:
54217 -+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
54218 -+ match = acl_role_set.r_hash[index];
54219 -+
54220 -+ while (match) {
54221 -+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
54222 -+ for (x = 0; x < match->domain_child_num; x++) {
54223 -+ if (match->domain_children[x] == gid)
54224 -+ goto found2;
54225 -+ }
54226 -+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
54227 -+ break;
54228 -+ match = match->next;
54229 -+ }
54230 -+found2:
54231 -+ if (match == NULL)
54232 -+ match = default_role;
54233 -+ if (match->allowed_ips == NULL)
54234 -+ return match;
54235 -+ else {
54236 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
54237 -+ if (likely
54238 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
54239 -+ (ntohl(ipp->addr) & ipp->netmask)))
54240 -+ return match;
54241 -+ }
54242 -+ match = default_role;
54243 -+ }
54244 -+ } else if (match->allowed_ips == NULL) {
54245 -+ return match;
54246 -+ } else {
54247 -+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
54248 -+ if (likely
54249 -+ ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
54250 -+ (ntohl(ipp->addr) & ipp->netmask)))
54251 -+ return match;
54252 -+ }
54253 -+ goto try_group;
54254 -+ }
54255 -+
54256 -+ return match;
54257 -+}
54258 -+
54259 -+struct acl_subject_label *
54260 -+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
54261 -+ const struct acl_role_label *role)
54262 -+{
54263 -+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
54264 -+ struct acl_subject_label *match;
54265 -+
54266 -+ match = role->subj_hash[index];
54267 -+
54268 -+ while (match && (match->inode != ino || match->device != dev ||
54269 -+ (match->mode & GR_DELETED))) {
54270 -+ match = match->next;
54271 -+ }
54272 -+
54273 -+ if (match && !(match->mode & GR_DELETED))
54274 -+ return match;
54275 -+ else
54276 -+ return NULL;
54277 -+}
54278 -+
54279 -+static struct acl_object_label *
54280 -+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
54281 -+ const struct acl_subject_label *subj)
54282 -+{
54283 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
54284 -+ struct acl_object_label *match;
54285 -+
54286 -+ match = subj->obj_hash[index];
54287 -+
54288 -+ while (match && (match->inode != ino || match->device != dev ||
54289 -+ (match->mode & GR_DELETED))) {
54290 -+ match = match->next;
54291 -+ }
54292 -+
54293 -+ if (match && !(match->mode & GR_DELETED))
54294 -+ return match;
54295 -+ else
54296 -+ return NULL;
54297 -+}
54298 -+
54299 -+static struct acl_object_label *
54300 -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
54301 -+ const struct acl_subject_label *subj)
54302 -+{
54303 -+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
54304 -+ struct acl_object_label *match;
54305 -+
54306 -+ match = subj->obj_hash[index];
54307 -+
54308 -+ while (match && (match->inode != ino || match->device != dev ||
54309 -+ !(match->mode & GR_DELETED))) {
54310 -+ match = match->next;
54311 -+ }
54312 -+
54313 -+ if (match && (match->mode & GR_DELETED))
54314 -+ return match;
54315 -+
54316 -+ match = subj->obj_hash[index];
54317 -+
54318 -+ while (match && (match->inode != ino || match->device != dev ||
54319 -+ (match->mode & GR_DELETED))) {
54320 -+ match = match->next;
54321 -+ }
54322 -+
54323 -+ if (match && !(match->mode & GR_DELETED))
54324 -+ return match;
54325 -+ else
54326 -+ return NULL;
54327 -+}
54328 -+
54329 -+static struct name_entry *
54330 -+lookup_name_entry(const char *name)
54331 -+{
54332 -+ unsigned int len = strlen(name);
54333 -+ unsigned int key = full_name_hash(name, len);
54334 -+ unsigned int index = key % name_set.n_size;
54335 -+ struct name_entry *match;
54336 -+
54337 -+ match = name_set.n_hash[index];
54338 -+
54339 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
54340 -+ match = match->next;
54341 -+
54342 -+ return match;
54343 -+}
54344 -+
54345 -+static struct name_entry *
54346 -+lookup_name_entry_create(const char *name)
54347 -+{
54348 -+ unsigned int len = strlen(name);
54349 -+ unsigned int key = full_name_hash(name, len);
54350 -+ unsigned int index = key % name_set.n_size;
54351 -+ struct name_entry *match;
54352 -+
54353 -+ match = name_set.n_hash[index];
54354 -+
54355 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
54356 -+ !match->deleted))
54357 -+ match = match->next;
54358 -+
54359 -+ if (match && match->deleted)
54360 -+ return match;
54361 -+
54362 -+ match = name_set.n_hash[index];
54363 -+
54364 -+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
54365 -+ match->deleted))
54366 -+ match = match->next;
54367 -+
54368 -+ if (match && !match->deleted)
54369 -+ return match;
54370 -+ else
54371 -+ return NULL;
54372 -+}
54373 -+
54374 -+static struct inodev_entry *
54375 -+lookup_inodev_entry(const ino_t ino, const dev_t dev)
54376 -+{
54377 -+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
54378 -+ struct inodev_entry *match;
54379 -+
54380 -+ match = inodev_set.i_hash[index];
54381 -+
54382 -+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
54383 -+ match = match->next;
54384 -+
54385 -+ return match;
54386 -+}
54387 -+
54388 -+static void
54389 -+insert_inodev_entry(struct inodev_entry *entry)
54390 -+{
54391 -+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
54392 -+ inodev_set.i_size);
54393 -+ struct inodev_entry **curr;
54394 -+
54395 -+ entry->prev = NULL;
54396 -+
54397 -+ curr = &inodev_set.i_hash[index];
54398 -+ if (*curr != NULL)
54399 -+ (*curr)->prev = entry;
54400 -+
54401 -+ entry->next = *curr;
54402 -+ *curr = entry;
54403 -+
54404 -+ return;
54405 -+}
54406 -+
54407 -+static void
54408 -+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
54409 -+{
54410 -+ unsigned int index =
54411 -+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
54412 -+ struct acl_role_label **curr;
54413 -+
54414 -+ role->prev = NULL;
54415 -+
54416 -+ curr = &acl_role_set.r_hash[index];
54417 -+ if (*curr != NULL)
54418 -+ (*curr)->prev = role;
54419 -+
54420 -+ role->next = *curr;
54421 -+ *curr = role;
54422 -+
54423 -+ return;
54424 -+}
54425 -+
54426 -+static void
54427 -+insert_acl_role_label(struct acl_role_label *role)
54428 -+{
54429 -+ int i;
54430 -+
54431 -+ if (role->roletype & GR_ROLE_DOMAIN) {
54432 -+ for (i = 0; i < role->domain_child_num; i++)
54433 -+ __insert_acl_role_label(role, role->domain_children[i]);
54434 -+ } else
54435 -+ __insert_acl_role_label(role, role->uidgid);
54436 -+}
54437 -+
54438 -+static int
54439 -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
54440 -+{
54441 -+ struct name_entry **curr, *nentry;
54442 -+ struct inodev_entry *ientry;
54443 -+ unsigned int len = strlen(name);
54444 -+ unsigned int key = full_name_hash(name, len);
54445 -+ unsigned int index = key % name_set.n_size;
54446 -+
54447 -+ curr = &name_set.n_hash[index];
54448 -+
54449 -+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
54450 -+ curr = &((*curr)->next);
54451 -+
54452 -+ if (*curr != NULL)
54453 -+ return 1;
54454 -+
54455 -+ nentry = acl_alloc(sizeof (struct name_entry));
54456 -+ if (nentry == NULL)
54457 -+ return 0;
54458 -+ ientry = acl_alloc(sizeof (struct inodev_entry));
54459 -+ if (ientry == NULL)
54460 -+ return 0;
54461 -+ ientry->nentry = nentry;
54462 -+
54463 -+ nentry->key = key;
54464 -+ nentry->name = name;
54465 -+ nentry->inode = inode;
54466 -+ nentry->device = device;
54467 -+ nentry->len = len;
54468 -+ nentry->deleted = deleted;
54469 -+
54470 -+ nentry->prev = NULL;
54471 -+ curr = &name_set.n_hash[index];
54472 -+ if (*curr != NULL)
54473 -+ (*curr)->prev = nentry;
54474 -+ nentry->next = *curr;
54475 -+ *curr = nentry;
54476 -+
54477 -+ /* insert us into the table searchable by inode/dev */
54478 -+ insert_inodev_entry(ientry);
54479 -+
54480 -+ return 1;
54481 -+}
54482 -+
54483 -+static void
54484 -+insert_acl_obj_label(struct acl_object_label *obj,
54485 -+ struct acl_subject_label *subj)
54486 -+{
54487 -+ unsigned int index =
54488 -+ fhash(obj->inode, obj->device, subj->obj_hash_size);
54489 -+ struct acl_object_label **curr;
54490 -+
54491 -+
54492 -+ obj->prev = NULL;
54493 -+
54494 -+ curr = &subj->obj_hash[index];
54495 -+ if (*curr != NULL)
54496 -+ (*curr)->prev = obj;
54497 -+
54498 -+ obj->next = *curr;
54499 -+ *curr = obj;
54500 -+
54501 -+ return;
54502 -+}
54503 -+
54504 -+static void
54505 -+insert_acl_subj_label(struct acl_subject_label *obj,
54506 -+ struct acl_role_label *role)
54507 -+{
54508 -+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
54509 -+ struct acl_subject_label **curr;
54510 -+
54511 -+ obj->prev = NULL;
54512 -+
54513 -+ curr = &role->subj_hash[index];
54514 -+ if (*curr != NULL)
54515 -+ (*curr)->prev = obj;
54516 -+
54517 -+ obj->next = *curr;
54518 -+ *curr = obj;
54519 -+
54520 -+ return;
54521 -+}
54522 -+
54523 -+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
54524 -+
54525 -+static void *
54526 -+create_table(__u32 * len, int elementsize)
54527 -+{
54528 -+ unsigned int table_sizes[] = {
54529 -+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
54530 -+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
54531 -+ 4194301, 8388593, 16777213, 33554393, 67108859, 134217689,
54532 -+ 268435399, 536870909, 1073741789, 2147483647
54533 -+ };
54534 -+ void *newtable = NULL;
54535 -+ unsigned int pwr = 0;
54536 -+
54537 -+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
54538 -+ table_sizes[pwr] <= *len)
54539 -+ pwr++;
54540 -+
54541 -+ if (table_sizes[pwr] <= *len)
54542 -+ return newtable;
54543 -+
54544 -+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
54545 -+ newtable =
54546 -+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
54547 -+ else
54548 -+ newtable = vmalloc(table_sizes[pwr] * elementsize);
54549 -+
54550 -+ *len = table_sizes[pwr];
54551 -+
54552 -+ return newtable;
54553 -+}
54554 -+
54555 -+static int
54556 -+init_variables(const struct gr_arg *arg)
54557 -+{
54558 -+ struct task_struct *reaper = child_reaper(current);
54559 -+ unsigned int stacksize;
54560 -+
54561 -+ subj_map_set.s_size = arg->role_db.num_subjects;
54562 -+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
54563 -+ name_set.n_size = arg->role_db.num_objects;
54564 -+ inodev_set.i_size = arg->role_db.num_objects;
54565 -+
54566 -+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
54567 -+ !name_set.n_size || !inodev_set.i_size)
54568 -+ return 1;
54569 -+
54570 -+ if (!gr_init_uidset())
54571 -+ return 1;
54572 -+
54573 -+ /* set up the stack that holds allocation info */
54574 -+
54575 -+ stacksize = arg->role_db.num_pointers + 5;
54576 -+
54577 -+ if (!acl_alloc_stack_init(stacksize))
54578 -+ return 1;
54579 -+
54580 -+ /* grab reference for the real root dentry and vfsmount */
54581 -+ read_lock(&reaper->fs->lock);
54582 -+ real_root_mnt = mntget(reaper->fs->rootmnt);
54583 -+ real_root = dget(reaper->fs->root);
54584 -+ read_unlock(&reaper->fs->lock);
54585 -+
54586 -+ fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
54587 -+ if (fakefs_obj == NULL)
54588 -+ return 1;
54589 -+ fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
54590 -+
54591 -+ subj_map_set.s_hash =
54592 -+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
54593 -+ acl_role_set.r_hash =
54594 -+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
54595 -+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
54596 -+ inodev_set.i_hash =
54597 -+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
54598 -+
54599 -+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
54600 -+ !name_set.n_hash || !inodev_set.i_hash)
54601 -+ return 1;
54602 -+
54603 -+ memset(subj_map_set.s_hash, 0,
54604 -+ sizeof(struct subject_map *) * subj_map_set.s_size);
54605 -+ memset(acl_role_set.r_hash, 0,
54606 -+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
54607 -+ memset(name_set.n_hash, 0,
54608 -+ sizeof (struct name_entry *) * name_set.n_size);
54609 -+ memset(inodev_set.i_hash, 0,
54610 -+ sizeof (struct inodev_entry *) * inodev_set.i_size);
54611 -+
54612 -+ return 0;
54613 -+}
54614 -+
54615 -+/* free information not needed after startup
54616 -+ currently contains user->kernel pointer mappings for subjects
54617 -+*/
54618 -+
54619 -+static void
54620 -+free_init_variables(void)
54621 -+{
54622 -+ __u32 i;
54623 -+
54624 -+ if (subj_map_set.s_hash) {
54625 -+ for (i = 0; i < subj_map_set.s_size; i++) {
54626 -+ if (subj_map_set.s_hash[i]) {
54627 -+ kfree(subj_map_set.s_hash[i]);
54628 -+ subj_map_set.s_hash[i] = NULL;
54629 -+ }
54630 -+ }
54631 -+
54632 -+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
54633 -+ PAGE_SIZE)
54634 -+ kfree(subj_map_set.s_hash);
54635 -+ else
54636 -+ vfree(subj_map_set.s_hash);
54637 -+ }
54638 -+
54639 -+ return;
54640 -+}
54641 -+
54642 -+static void
54643 -+free_variables(void)
54644 -+{
54645 -+ struct acl_subject_label *s;
54646 -+ struct acl_role_label *r;
54647 -+ struct task_struct *task, *task2;
54648 -+ unsigned int i, x;
54649 -+
54650 -+ gr_clear_learn_entries();
54651 -+
54652 -+ read_lock(&tasklist_lock);
54653 -+ do_each_thread(task2, task) {
54654 -+ task->acl_sp_role = 0;
54655 -+ task->acl_role_id = 0;
54656 -+ task->acl = NULL;
54657 -+ task->role = NULL;
54658 -+ } while_each_thread(task2, task);
54659 -+ read_unlock(&tasklist_lock);
54660 -+
54661 -+ /* release the reference to the real root dentry and vfsmount */
54662 -+ if (real_root)
54663 -+ dput(real_root);
54664 -+ real_root = NULL;
54665 -+ if (real_root_mnt)
54666 -+ mntput(real_root_mnt);
54667 -+ real_root_mnt = NULL;
54668 -+
54669 -+ /* free all object hash tables */
54670 -+
54671 -+ FOR_EACH_ROLE_START(r, i)
54672 -+ if (r->subj_hash == NULL)
54673 -+ break;
54674 -+ FOR_EACH_SUBJECT_START(r, s, x)
54675 -+ if (s->obj_hash == NULL)
54676 -+ break;
54677 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
54678 -+ kfree(s->obj_hash);
54679 -+ else
54680 -+ vfree(s->obj_hash);
54681 -+ FOR_EACH_SUBJECT_END(s, x)
54682 -+ FOR_EACH_NESTED_SUBJECT_START(r, s)
54683 -+ if (s->obj_hash == NULL)
54684 -+ break;
54685 -+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
54686 -+ kfree(s->obj_hash);
54687 -+ else
54688 -+ vfree(s->obj_hash);
54689 -+ FOR_EACH_NESTED_SUBJECT_END(s)
54690 -+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
54691 -+ kfree(r->subj_hash);
54692 -+ else
54693 -+ vfree(r->subj_hash);
54694 -+ r->subj_hash = NULL;
54695 -+ FOR_EACH_ROLE_END(r,i)
54696 -+
54697 -+ acl_free_all();
54698 -+
54699 -+ if (acl_role_set.r_hash) {
54700 -+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
54701 -+ PAGE_SIZE)
54702 -+ kfree(acl_role_set.r_hash);
54703 -+ else
54704 -+ vfree(acl_role_set.r_hash);
54705 -+ }
54706 -+ if (name_set.n_hash) {
54707 -+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
54708 -+ PAGE_SIZE)
54709 -+ kfree(name_set.n_hash);
54710 -+ else
54711 -+ vfree(name_set.n_hash);
54712 -+ }
54713 -+
54714 -+ if (inodev_set.i_hash) {
54715 -+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
54716 -+ PAGE_SIZE)
54717 -+ kfree(inodev_set.i_hash);
54718 -+ else
54719 -+ vfree(inodev_set.i_hash);
54720 -+ }
54721 -+
54722 -+ gr_free_uidset();
54723 -+
54724 -+ memset(&name_set, 0, sizeof (struct name_db));
54725 -+ memset(&inodev_set, 0, sizeof (struct inodev_db));
54726 -+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
54727 -+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
54728 -+
54729 -+ default_role = NULL;
54730 -+
54731 -+ return;
54732 -+}
54733 -+
54734 -+static __u32
54735 -+count_user_objs(struct acl_object_label *userp)
54736 -+{
54737 -+ struct acl_object_label o_tmp;
54738 -+ __u32 num = 0;
54739 -+
54740 -+ while (userp) {
54741 -+ if (copy_from_user(&o_tmp, userp,
54742 -+ sizeof (struct acl_object_label)))
54743 -+ break;
54744 -+
54745 -+ userp = o_tmp.prev;
54746 -+ num++;
54747 -+ }
54748 -+
54749 -+ return num;
54750 -+}
54751 -+
54752 -+static struct acl_subject_label *
54753 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
54754 -+
54755 -+static int
54756 -+copy_user_glob(struct acl_object_label *obj)
54757 -+{
54758 -+ struct acl_object_label *g_tmp, **guser;
54759 -+ unsigned int len;
54760 -+ char *tmp;
54761 -+
54762 -+ if (obj->globbed == NULL)
54763 -+ return 0;
54764 -+
54765 -+ guser = &obj->globbed;
54766 -+ while (*guser) {
54767 -+ g_tmp = (struct acl_object_label *)
54768 -+ acl_alloc(sizeof (struct acl_object_label));
54769 -+ if (g_tmp == NULL)
54770 -+ return -ENOMEM;
54771 -+
54772 -+ if (copy_from_user(g_tmp, *guser,
54773 -+ sizeof (struct acl_object_label)))
54774 -+ return -EFAULT;
54775 -+
54776 -+ len = strnlen_user(g_tmp->filename, PATH_MAX);
54777 -+
54778 -+ if (!len || len >= PATH_MAX)
54779 -+ return -EINVAL;
54780 -+
54781 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54782 -+ return -ENOMEM;
54783 -+
54784 -+ if (copy_from_user(tmp, g_tmp->filename, len))
54785 -+ return -EFAULT;
54786 -+
54787 -+ g_tmp->filename = tmp;
54788 -+
54789 -+ *guser = g_tmp;
54790 -+ guser = &(g_tmp->next);
54791 -+ }
54792 -+
54793 -+ return 0;
54794 -+}
54795 -+
54796 -+static int
54797 -+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
54798 -+ struct acl_role_label *role)
54799 -+{
54800 -+ struct acl_object_label *o_tmp;
54801 -+ unsigned int len;
54802 -+ int ret;
54803 -+ char *tmp;
54804 -+
54805 -+ while (userp) {
54806 -+ if ((o_tmp = (struct acl_object_label *)
54807 -+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
54808 -+ return -ENOMEM;
54809 -+
54810 -+ if (copy_from_user(o_tmp, userp,
54811 -+ sizeof (struct acl_object_label)))
54812 -+ return -EFAULT;
54813 -+
54814 -+ userp = o_tmp->prev;
54815 -+
54816 -+ len = strnlen_user(o_tmp->filename, PATH_MAX);
54817 -+
54818 -+ if (!len || len >= PATH_MAX)
54819 -+ return -EINVAL;
54820 -+
54821 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54822 -+ return -ENOMEM;
54823 -+
54824 -+ if (copy_from_user(tmp, o_tmp->filename, len))
54825 -+ return -EFAULT;
54826 -+
54827 -+ o_tmp->filename = tmp;
54828 -+
54829 -+ insert_acl_obj_label(o_tmp, subj);
54830 -+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
54831 -+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
54832 -+ return -ENOMEM;
54833 -+
54834 -+ ret = copy_user_glob(o_tmp);
54835 -+ if (ret)
54836 -+ return ret;
54837 -+
54838 -+ if (o_tmp->nested) {
54839 -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
54840 -+ if (IS_ERR(o_tmp->nested))
54841 -+ return PTR_ERR(o_tmp->nested);
54842 -+
54843 -+ /* insert into nested subject list */
54844 -+ o_tmp->nested->next = role->hash->first;
54845 -+ role->hash->first = o_tmp->nested;
54846 -+ }
54847 -+ }
54848 -+
54849 -+ return 0;
54850 -+}
54851 -+
54852 -+static __u32
54853 -+count_user_subjs(struct acl_subject_label *userp)
54854 -+{
54855 -+ struct acl_subject_label s_tmp;
54856 -+ __u32 num = 0;
54857 -+
54858 -+ while (userp) {
54859 -+ if (copy_from_user(&s_tmp, userp,
54860 -+ sizeof (struct acl_subject_label)))
54861 -+ break;
54862 -+
54863 -+ userp = s_tmp.prev;
54864 -+ /* do not count nested subjects against this count, since
54865 -+ they are not included in the hash table, but are
54866 -+ attached to objects. We have already counted
54867 -+ the subjects in userspace for the allocation
54868 -+ stack
54869 -+ */
54870 -+ if (!(s_tmp.mode & GR_NESTED))
54871 -+ num++;
54872 -+ }
54873 -+
54874 -+ return num;
54875 -+}
54876 -+
54877 -+static int
54878 -+copy_user_allowedips(struct acl_role_label *rolep)
54879 -+{
54880 -+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
54881 -+
54882 -+ ruserip = rolep->allowed_ips;
54883 -+
54884 -+ while (ruserip) {
54885 -+ rlast = rtmp;
54886 -+
54887 -+ if ((rtmp = (struct role_allowed_ip *)
54888 -+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
54889 -+ return -ENOMEM;
54890 -+
54891 -+ if (copy_from_user(rtmp, ruserip,
54892 -+ sizeof (struct role_allowed_ip)))
54893 -+ return -EFAULT;
54894 -+
54895 -+ ruserip = rtmp->prev;
54896 -+
54897 -+ if (!rlast) {
54898 -+ rtmp->prev = NULL;
54899 -+ rolep->allowed_ips = rtmp;
54900 -+ } else {
54901 -+ rlast->next = rtmp;
54902 -+ rtmp->prev = rlast;
54903 -+ }
54904 -+
54905 -+ if (!ruserip)
54906 -+ rtmp->next = NULL;
54907 -+ }
54908 -+
54909 -+ return 0;
54910 -+}
54911 -+
54912 -+static int
54913 -+copy_user_transitions(struct acl_role_label *rolep)
54914 -+{
54915 -+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
54916 -+
54917 -+ unsigned int len;
54918 -+ char *tmp;
54919 -+
54920 -+ rusertp = rolep->transitions;
54921 -+
54922 -+ while (rusertp) {
54923 -+ rlast = rtmp;
54924 -+
54925 -+ if ((rtmp = (struct role_transition *)
54926 -+ acl_alloc(sizeof (struct role_transition))) == NULL)
54927 -+ return -ENOMEM;
54928 -+
54929 -+ if (copy_from_user(rtmp, rusertp,
54930 -+ sizeof (struct role_transition)))
54931 -+ return -EFAULT;
54932 -+
54933 -+ rusertp = rtmp->prev;
54934 -+
54935 -+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
54936 -+
54937 -+ if (!len || len >= GR_SPROLE_LEN)
54938 -+ return -EINVAL;
54939 -+
54940 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
54941 -+ return -ENOMEM;
54942 -+
54943 -+ if (copy_from_user(tmp, rtmp->rolename, len))
54944 -+ return -EFAULT;
54945 -+
54946 -+ rtmp->rolename = tmp;
54947 -+
54948 -+ if (!rlast) {
54949 -+ rtmp->prev = NULL;
54950 -+ rolep->transitions = rtmp;
54951 -+ } else {
54952 -+ rlast->next = rtmp;
54953 -+ rtmp->prev = rlast;
54954 -+ }
54955 -+
54956 -+ if (!rusertp)
54957 -+ rtmp->next = NULL;
54958 -+ }
54959 -+
54960 -+ return 0;
54961 -+}
54962 -+
54963 -+static struct acl_subject_label *
54964 -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
54965 -+{
54966 -+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
54967 -+ unsigned int len;
54968 -+ char *tmp;
54969 -+ __u32 num_objs;
54970 -+ struct acl_ip_label **i_tmp, *i_utmp2;
54971 -+ struct gr_hash_struct ghash;
54972 -+ struct subject_map *subjmap;
54973 -+ unsigned int i_num;
54974 -+ int err;
54975 -+
54976 -+ s_tmp = lookup_subject_map(userp);
54977 -+
54978 -+ /* we've already copied this subject into the kernel, just return
54979 -+ the reference to it, and don't copy it over again
54980 -+ */
54981 -+ if (s_tmp)
54982 -+ return(s_tmp);
54983 -+
54984 -+ if ((s_tmp = (struct acl_subject_label *)
54985 -+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
54986 -+ return ERR_PTR(-ENOMEM);
54987 -+
54988 -+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
54989 -+ if (subjmap == NULL)
54990 -+ return ERR_PTR(-ENOMEM);
54991 -+
54992 -+ subjmap->user = userp;
54993 -+ subjmap->kernel = s_tmp;
54994 -+ insert_subj_map_entry(subjmap);
54995 -+
54996 -+ if (copy_from_user(s_tmp, userp,
54997 -+ sizeof (struct acl_subject_label)))
54998 -+ return ERR_PTR(-EFAULT);
54999 -+
55000 -+ len = strnlen_user(s_tmp->filename, PATH_MAX);
55001 -+
55002 -+ if (!len || len >= PATH_MAX)
55003 -+ return ERR_PTR(-EINVAL);
55004 -+
55005 -+ if ((tmp = (char *) acl_alloc(len)) == NULL)
55006 -+ return ERR_PTR(-ENOMEM);
55007 -+
55008 -+ if (copy_from_user(tmp, s_tmp->filename, len))
55009 -+ return ERR_PTR(-EFAULT);
55010 -+
55011 -+ s_tmp->filename = tmp;
55012 -+
55013 -+ if (!strcmp(s_tmp->filename, "/"))
55014 -+ role->root_label = s_tmp;
55015 -+
55016 -+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
55017 -+ return ERR_PTR(-EFAULT);
55018 -+
55019 -+ /* copy user and group transition tables */
55020 -+
55021 -+ if (s_tmp->user_trans_num) {
55022 -+ uid_t *uidlist;
55023 -+
55024 -+ uidlist = (uid_t *)acl_alloc(s_tmp->user_trans_num * sizeof(uid_t));
55025 -+ if (uidlist == NULL)
55026 -+ return ERR_PTR(-ENOMEM);
55027 -+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
55028 -+ return ERR_PTR(-EFAULT);
55029 -+
55030 -+ s_tmp->user_transitions = uidlist;
55031 -+ }
55032 -+
55033 -+ if (s_tmp->group_trans_num) {
55034 -+ gid_t *gidlist;
55035 -+
55036 -+ gidlist = (gid_t *)acl_alloc(s_tmp->group_trans_num * sizeof(gid_t));
55037 -+ if (gidlist == NULL)
55038 -+ return ERR_PTR(-ENOMEM);
55039 -+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
55040 -+ return ERR_PTR(-EFAULT);
55041 -+
55042 -+ s_tmp->group_transitions = gidlist;
55043 -+ }
55044 -+
55045 -+ /* set up object hash table */
55046 -+ num_objs = count_user_objs(ghash.first);
55047 -+
55048 -+ s_tmp->obj_hash_size = num_objs;
55049 -+ s_tmp->obj_hash =
55050 -+ (struct acl_object_label **)
55051 -+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
55052 -+
55053 -+ if (!s_tmp->obj_hash)
55054 -+ return ERR_PTR(-ENOMEM);
55055 -+
55056 -+ memset(s_tmp->obj_hash, 0,
55057 -+ s_tmp->obj_hash_size *
55058 -+ sizeof (struct acl_object_label *));
55059 -+
55060 -+ /* add in objects */
55061 -+ err = copy_user_objs(ghash.first, s_tmp, role);
55062 -+
55063 -+ if (err)
55064 -+ return ERR_PTR(err);
55065 -+
55066 -+ /* set pointer for parent subject */
55067 -+ if (s_tmp->parent_subject) {
55068 -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
55069 -+
55070 -+ if (IS_ERR(s_tmp2))
55071 -+ return s_tmp2;
55072 -+
55073 -+ s_tmp->parent_subject = s_tmp2;
55074 -+ }
55075 -+
55076 -+ /* add in ip acls */
55077 -+
55078 -+ if (!s_tmp->ip_num) {
55079 -+ s_tmp->ips = NULL;
55080 -+ goto insert;
55081 -+ }
55082 -+
55083 -+ i_tmp =
55084 -+ (struct acl_ip_label **) acl_alloc(s_tmp->ip_num *
55085 -+ sizeof (struct
55086 -+ acl_ip_label *));
55087 -+
55088 -+ if (!i_tmp)
55089 -+ return ERR_PTR(-ENOMEM);
55090 -+
55091 -+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
55092 -+ *(i_tmp + i_num) =
55093 -+ (struct acl_ip_label *)
55094 -+ acl_alloc(sizeof (struct acl_ip_label));
55095 -+ if (!*(i_tmp + i_num))
55096 -+ return ERR_PTR(-ENOMEM);
55097 -+
55098 -+ if (copy_from_user
55099 -+ (&i_utmp2, s_tmp->ips + i_num,
55100 -+ sizeof (struct acl_ip_label *)))
55101 -+ return ERR_PTR(-EFAULT);
55102 -+
55103 -+ if (copy_from_user
55104 -+ (*(i_tmp + i_num), i_utmp2,
55105 -+ sizeof (struct acl_ip_label)))
55106 -+ return ERR_PTR(-EFAULT);
55107 -+
55108 -+ if ((*(i_tmp + i_num))->iface == NULL)
55109 -+ continue;
55110 -+
55111 -+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
55112 -+ if (!len || len >= IFNAMSIZ)
55113 -+ return ERR_PTR(-EINVAL);
55114 -+ tmp = acl_alloc(len);
55115 -+ if (tmp == NULL)
55116 -+ return ERR_PTR(-ENOMEM);
55117 -+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
55118 -+ return ERR_PTR(-EFAULT);
55119 -+ (*(i_tmp + i_num))->iface = tmp;
55120 -+ }
55121 -+
55122 -+ s_tmp->ips = i_tmp;
55123 -+
55124 -+insert:
55125 -+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
55126 -+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
55127 -+ return ERR_PTR(-ENOMEM);
55128 -+
55129 -+ return s_tmp;
55130 -+}
55131 -+
55132 -+static int
55133 -+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
55134 -+{
55135 -+ struct acl_subject_label s_pre;
55136 -+ struct acl_subject_label * ret;
55137 -+ int err;
55138 -+
55139 -+ while (userp) {
55140 -+ if (copy_from_user(&s_pre, userp,
55141 -+ sizeof (struct acl_subject_label)))
55142 -+ return -EFAULT;
55143 -+
55144 -+ /* do not add nested subjects here, add
55145 -+ while parsing objects
55146 -+ */
55147 -+
55148 -+ if (s_pre.mode & GR_NESTED) {
55149 -+ userp = s_pre.prev;
55150 -+ continue;
55151 -+ }
55152 -+
55153 -+ ret = do_copy_user_subj(userp, role);
55154 -+
55155 -+ err = PTR_ERR(ret);
55156 -+ if (IS_ERR(ret))
55157 -+ return err;
55158 -+
55159 -+ insert_acl_subj_label(ret, role);
55160 -+
55161 -+ userp = s_pre.prev;
55162 -+ }
55163 -+
55164 -+ return 0;
55165 -+}
55166 -+
55167 -+static int
55168 -+copy_user_acl(struct gr_arg *arg)
55169 -+{
55170 -+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
55171 -+ struct sprole_pw *sptmp;
55172 -+ struct gr_hash_struct *ghash;
55173 -+ uid_t *domainlist;
55174 -+ unsigned int r_num;
55175 -+ unsigned int len;
55176 -+ char *tmp;
55177 -+ int err = 0;
55178 -+ __u16 i;
55179 -+ __u32 num_subjs;
55180 -+
55181 -+ /* we need a default and kernel role */
55182 -+ if (arg->role_db.num_roles < 2)
55183 -+ return -EINVAL;
55184 -+
55185 -+ /* copy special role authentication info from userspace */
55186 -+
55187 -+ num_sprole_pws = arg->num_sprole_pws;
55188 -+ acl_special_roles = (struct sprole_pw **) acl_alloc(num_sprole_pws * sizeof(struct sprole_pw *));
55189 -+
55190 -+ if (!acl_special_roles) {
55191 -+ err = -ENOMEM;
55192 -+ goto cleanup;
55193 -+ }
55194 -+
55195 -+ for (i = 0; i < num_sprole_pws; i++) {
55196 -+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
55197 -+ if (!sptmp) {
55198 -+ err = -ENOMEM;
55199 -+ goto cleanup;
55200 -+ }
55201 -+ if (copy_from_user(sptmp, arg->sprole_pws + i,
55202 -+ sizeof (struct sprole_pw))) {
55203 -+ err = -EFAULT;
55204 -+ goto cleanup;
55205 -+ }
55206 -+
55207 -+ len =
55208 -+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
55209 -+
55210 -+ if (!len || len >= GR_SPROLE_LEN) {
55211 -+ err = -EINVAL;
55212 -+ goto cleanup;
55213 -+ }
55214 -+
55215 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
55216 -+ err = -ENOMEM;
55217 -+ goto cleanup;
55218 -+ }
55219 -+
55220 -+ if (copy_from_user(tmp, sptmp->rolename, len)) {
55221 -+ err = -EFAULT;
55222 -+ goto cleanup;
55223 -+ }
55224 -+
55225 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
55226 -+ printk(KERN_ALERT "Copying special role %s\n", tmp);
55227 -+#endif
55228 -+ sptmp->rolename = tmp;
55229 -+ acl_special_roles[i] = sptmp;
55230 -+ }
55231 -+
55232 -+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
55233 -+
55234 -+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
55235 -+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
55236 -+
55237 -+ if (!r_tmp) {
55238 -+ err = -ENOMEM;
55239 -+ goto cleanup;
55240 -+ }
55241 -+
55242 -+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
55243 -+ sizeof (struct acl_role_label *))) {
55244 -+ err = -EFAULT;
55245 -+ goto cleanup;
55246 -+ }
55247 -+
55248 -+ if (copy_from_user(r_tmp, r_utmp2,
55249 -+ sizeof (struct acl_role_label))) {
55250 -+ err = -EFAULT;
55251 -+ goto cleanup;
55252 -+ }
55253 -+
55254 -+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
55255 -+
55256 -+ if (!len || len >= PATH_MAX) {
55257 -+ err = -EINVAL;
55258 -+ goto cleanup;
55259 -+ }
55260 -+
55261 -+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
55262 -+ err = -ENOMEM;
55263 -+ goto cleanup;
55264 -+ }
55265 -+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
55266 -+ err = -EFAULT;
55267 -+ goto cleanup;
55268 -+ }
55269 -+ r_tmp->rolename = tmp;
55270 -+
55271 -+ if (!strcmp(r_tmp->rolename, "default")
55272 -+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
55273 -+ default_role = r_tmp;
55274 -+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
55275 -+ kernel_role = r_tmp;
55276 -+ }
55277 -+
55278 -+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
55279 -+ err = -ENOMEM;
55280 -+ goto cleanup;
55281 -+ }
55282 -+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
55283 -+ err = -EFAULT;
55284 -+ goto cleanup;
55285 -+ }
55286 -+
55287 -+ r_tmp->hash = ghash;
55288 -+
55289 -+ num_subjs = count_user_subjs(r_tmp->hash->first);
55290 -+
55291 -+ r_tmp->subj_hash_size = num_subjs;
55292 -+ r_tmp->subj_hash =
55293 -+ (struct acl_subject_label **)
55294 -+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
55295 -+
55296 -+ if (!r_tmp->subj_hash) {
55297 -+ err = -ENOMEM;
55298 -+ goto cleanup;
55299 -+ }
55300 -+
55301 -+ err = copy_user_allowedips(r_tmp);
55302 -+ if (err)
55303 -+ goto cleanup;
55304 -+
55305 -+ /* copy domain info */
55306 -+ if (r_tmp->domain_children != NULL) {
55307 -+ domainlist = acl_alloc(r_tmp->domain_child_num * sizeof(uid_t));
55308 -+ if (domainlist == NULL) {
55309 -+ err = -ENOMEM;
55310 -+ goto cleanup;
55311 -+ }
55312 -+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
55313 -+ err = -EFAULT;
55314 -+ goto cleanup;
55315 -+ }
55316 -+ r_tmp->domain_children = domainlist;
55317 -+ }
55318 -+
55319 -+ err = copy_user_transitions(r_tmp);
55320 -+ if (err)
55321 -+ goto cleanup;
55322 -+
55323 -+ memset(r_tmp->subj_hash, 0,
55324 -+ r_tmp->subj_hash_size *
55325 -+ sizeof (struct acl_subject_label *));
55326 -+
55327 -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
55328 -+
55329 -+ if (err)
55330 -+ goto cleanup;
55331 -+
55332 -+ /* set nested subject list to null */
55333 -+ r_tmp->hash->first = NULL;
55334 -+
55335 -+ insert_acl_role_label(r_tmp);
55336 -+ }
55337 -+
55338 -+ goto return_err;
55339 -+ cleanup:
55340 -+ free_variables();
55341 -+ return_err:
55342 -+ return err;
55343 -+
55344 -+}
55345 -+
55346 -+static int
55347 -+gracl_init(struct gr_arg *args)
55348 -+{
55349 -+ int error = 0;
55350 -+
55351 -+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
55352 -+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
55353 -+
55354 -+ if (init_variables(args)) {
55355 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
55356 -+ error = -ENOMEM;
55357 -+ free_variables();
55358 -+ goto out;
55359 -+ }
55360 -+
55361 -+ error = copy_user_acl(args);
55362 -+ free_init_variables();
55363 -+ if (error) {
55364 -+ free_variables();
55365 -+ goto out;
55366 -+ }
55367 -+
55368 -+ if ((error = gr_set_acls(0))) {
55369 -+ free_variables();
55370 -+ goto out;
55371 -+ }
55372 -+
55373 -+ gr_status |= GR_READY;
55374 -+ out:
55375 -+ return error;
55376 -+}
55377 -+
55378 -+/* derived from glibc fnmatch() 0: match, 1: no match*/
55379 -+
55380 -+static int
55381 -+glob_match(const char *p, const char *n)
55382 -+{
55383 -+ char c;
55384 -+
55385 -+ while ((c = *p++) != '\0') {
55386 -+ switch (c) {
55387 -+ case '?':
55388 -+ if (*n == '\0')
55389 -+ return 1;
55390 -+ else if (*n == '/')
55391 -+ return 1;
55392 -+ break;
55393 -+ case '\\':
55394 -+ if (*n != c)
55395 -+ return 1;
55396 -+ break;
55397 -+ case '*':
55398 -+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
55399 -+ if (*n == '/')
55400 -+ return 1;
55401 -+ else if (c == '?') {
55402 -+ if (*n == '\0')
55403 -+ return 1;
55404 -+ else
55405 -+ ++n;
55406 -+ }
55407 -+ }
55408 -+ if (c == '\0') {
55409 -+ return 0;
55410 -+ } else {
55411 -+ const char *endp;
55412 -+
55413 -+ if ((endp = strchr(n, '/')) == NULL)
55414 -+ endp = n + strlen(n);
55415 -+
55416 -+ if (c == '[') {
55417 -+ for (--p; n < endp; ++n)
55418 -+ if (!glob_match(p, n))
55419 -+ return 0;
55420 -+ } else if (c == '/') {
55421 -+ while (*n != '\0' && *n != '/')
55422 -+ ++n;
55423 -+ if (*n == '/' && !glob_match(p, n + 1))
55424 -+ return 0;
55425 -+ } else {
55426 -+ for (--p; n < endp; ++n)
55427 -+ if (*n == c && !glob_match(p, n))
55428 -+ return 0;
55429 -+ }
55430 -+
55431 -+ return 1;
55432 -+ }
55433 -+ case '[':
55434 -+ {
55435 -+ int not;
55436 -+ char cold;
55437 -+
55438 -+ if (*n == '\0' || *n == '/')
55439 -+ return 1;
55440 -+
55441 -+ not = (*p == '!' || *p == '^');
55442 -+ if (not)
55443 -+ ++p;
55444 -+
55445 -+ c = *p++;
55446 -+ for (;;) {
55447 -+ unsigned char fn = (unsigned char)*n;
55448 -+
55449 -+ if (c == '\0')
55450 -+ return 1;
55451 -+ else {
55452 -+ if (c == fn)
55453 -+ goto matched;
55454 -+ cold = c;
55455 -+ c = *p++;
55456 -+
55457 -+ if (c == '-' && *p != ']') {
55458 -+ unsigned char cend = *p++;
55459 -+
55460 -+ if (cend == '\0')
55461 -+ return 1;
55462 -+
55463 -+ if (cold <= fn && fn <= cend)
55464 -+ goto matched;
55465 -+
55466 -+ c = *p++;
55467 -+ }
55468 -+ }
55469 -+
55470 -+ if (c == ']')
55471 -+ break;
55472 -+ }
55473 -+ if (!not)
55474 -+ return 1;
55475 -+ break;
55476 -+ matched:
55477 -+ while (c != ']') {
55478 -+ if (c == '\0')
55479 -+ return 1;
55480 -+
55481 -+ c = *p++;
55482 -+ }
55483 -+ if (not)
55484 -+ return 1;
55485 -+ }
55486 -+ break;
55487 -+ default:
55488 -+ if (c != *n)
55489 -+ return 1;
55490 -+ }
55491 -+
55492 -+ ++n;
55493 -+ }
55494 -+
55495 -+ if (*n == '\0')
55496 -+ return 0;
55497 -+
55498 -+ if (*n == '/')
55499 -+ return 0;
55500 -+
55501 -+ return 1;
55502 -+}
55503 -+
55504 -+static struct acl_object_label *
55505 -+chk_glob_label(struct acl_object_label *globbed,
55506 -+ struct dentry *dentry, struct vfsmount *mnt, char **path)
55507 -+{
55508 -+ struct acl_object_label *tmp;
55509 -+
55510 -+ if (*path == NULL)
55511 -+ *path = gr_to_filename_nolock(dentry, mnt);
55512 -+
55513 -+ tmp = globbed;
55514 -+
55515 -+ while (tmp) {
55516 -+ if (!glob_match(tmp->filename, *path))
55517 -+ return tmp;
55518 -+ tmp = tmp->next;
55519 -+ }
55520 -+
55521 -+ return NULL;
55522 -+}
55523 -+
55524 -+static struct acl_object_label *
55525 -+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
55526 -+ const ino_t curr_ino, const dev_t curr_dev,
55527 -+ const struct acl_subject_label *subj, char **path)
55528 -+{
55529 -+ struct acl_subject_label *tmpsubj;
55530 -+ struct acl_object_label *retval;
55531 -+ struct acl_object_label *retval2;
55532 -+
55533 -+ tmpsubj = (struct acl_subject_label *) subj;
55534 -+ read_lock(&gr_inode_lock);
55535 -+ do {
55536 -+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
55537 -+ if (retval) {
55538 -+ if (retval->globbed) {
55539 -+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
55540 -+ (struct vfsmount *)orig_mnt, path);
55541 -+ if (retval2)
55542 -+ retval = retval2;
55543 -+ }
55544 -+ break;
55545 -+ }
55546 -+ } while ((tmpsubj = tmpsubj->parent_subject));
55547 -+ read_unlock(&gr_inode_lock);
55548 -+
55549 -+ return retval;
55550 -+}
55551 -+
55552 -+static __inline__ struct acl_object_label *
55553 -+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
55554 -+ const struct dentry *curr_dentry,
55555 -+ const struct acl_subject_label *subj, char **path)
55556 -+{
55557 -+ return __full_lookup(orig_dentry, orig_mnt,
55558 -+ curr_dentry->d_inode->i_ino,
55559 -+ curr_dentry->d_inode->i_sb->s_dev, subj, path);
55560 -+}
55561 -+
55562 -+static struct acl_object_label *
55563 -+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55564 -+ const struct acl_subject_label *subj, char *path)
55565 -+{
55566 -+ struct dentry *dentry = (struct dentry *) l_dentry;
55567 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
55568 -+ struct acl_object_label *retval;
55569 -+
55570 -+ spin_lock(&dcache_lock);
55571 -+
55572 -+ if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
55573 -+ /* ignore Eric Biederman */
55574 -+ IS_PRIVATE(l_dentry->d_inode))) {
55575 -+ retval = fakefs_obj;
55576 -+ goto out;
55577 -+ }
55578 -+
55579 -+ for (;;) {
55580 -+ if (dentry == real_root && mnt == real_root_mnt)
55581 -+ break;
55582 -+
55583 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
55584 -+ if (mnt->mnt_parent == mnt)
55585 -+ break;
55586 -+
55587 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55588 -+ if (retval != NULL)
55589 -+ goto out;
55590 -+
55591 -+ dentry = mnt->mnt_mountpoint;
55592 -+ mnt = mnt->mnt_parent;
55593 -+ continue;
55594 -+ }
55595 -+
55596 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55597 -+ if (retval != NULL)
55598 -+ goto out;
55599 -+
55600 -+ dentry = dentry->d_parent;
55601 -+ }
55602 -+
55603 -+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path);
55604 -+
55605 -+ if (retval == NULL)
55606 -+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path);
55607 -+out:
55608 -+ spin_unlock(&dcache_lock);
55609 -+ return retval;
55610 -+}
55611 -+
55612 -+static __inline__ struct acl_object_label *
55613 -+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55614 -+ const struct acl_subject_label *subj)
55615 -+{
55616 -+ char *path = NULL;
55617 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
55618 -+}
55619 -+
55620 -+static __inline__ struct acl_object_label *
55621 -+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55622 -+ const struct acl_subject_label *subj, char *path)
55623 -+{
55624 -+ return __chk_obj_label(l_dentry, l_mnt, subj, path);
55625 -+}
55626 -+
55627 -+static struct acl_subject_label *
55628 -+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
55629 -+ const struct acl_role_label *role)
55630 -+{
55631 -+ struct dentry *dentry = (struct dentry *) l_dentry;
55632 -+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
55633 -+ struct acl_subject_label *retval;
55634 -+
55635 -+ spin_lock(&dcache_lock);
55636 -+
55637 -+ for (;;) {
55638 -+ if (dentry == real_root && mnt == real_root_mnt)
55639 -+ break;
55640 -+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
55641 -+ if (mnt->mnt_parent == mnt)
55642 -+ break;
55643 -+
55644 -+ read_lock(&gr_inode_lock);
55645 -+ retval =
55646 -+ lookup_acl_subj_label(dentry->d_inode->i_ino,
55647 -+ dentry->d_inode->i_sb->s_dev, role);
55648 -+ read_unlock(&gr_inode_lock);
55649 -+ if (retval != NULL)
55650 -+ goto out;
55651 -+
55652 -+ dentry = mnt->mnt_mountpoint;
55653 -+ mnt = mnt->mnt_parent;
55654 -+ continue;
55655 -+ }
55656 -+
55657 -+ read_lock(&gr_inode_lock);
55658 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
55659 -+ dentry->d_inode->i_sb->s_dev, role);
55660 -+ read_unlock(&gr_inode_lock);
55661 -+ if (retval != NULL)
55662 -+ goto out;
55663 -+
55664 -+ dentry = dentry->d_parent;
55665 -+ }
55666 -+
55667 -+ read_lock(&gr_inode_lock);
55668 -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
55669 -+ dentry->d_inode->i_sb->s_dev, role);
55670 -+ read_unlock(&gr_inode_lock);
55671 -+
55672 -+ if (unlikely(retval == NULL)) {
55673 -+ read_lock(&gr_inode_lock);
55674 -+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
55675 -+ real_root->d_inode->i_sb->s_dev, role);
55676 -+ read_unlock(&gr_inode_lock);
55677 -+ }
55678 -+out:
55679 -+ spin_unlock(&dcache_lock);
55680 -+
55681 -+ return retval;
55682 -+}
55683 -+
55684 -+static void
55685 -+gr_log_learn(const struct task_struct *task, const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
55686 -+{
55687 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
55688 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55689 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55690 -+ 1, 1, gr_to_filename(dentry, mnt), (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
55691 -+
55692 -+ return;
55693 -+}
55694 -+
55695 -+static void
55696 -+gr_log_learn_sysctl(const struct task_struct *task, const char *path, const __u32 mode)
55697 -+{
55698 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
55699 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55700 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55701 -+ 1, 1, path, (unsigned long) mode, NIPQUAD(task->signal->curr_ip));
55702 -+
55703 -+ return;
55704 -+}
55705 -+
55706 -+static void
55707 -+gr_log_learn_id_change(const struct task_struct *task, const char type, const unsigned int real,
55708 -+ const unsigned int effective, const unsigned int fs)
55709 -+{
55710 -+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
55711 -+ task->uid, task->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_dentry,
55712 -+ task->exec_file->f_vfsmnt) : task->acl->filename, task->acl->filename,
55713 -+ type, real, effective, fs, NIPQUAD(task->signal->curr_ip));
55714 -+
55715 -+ return;
55716 -+}
55717 -+
55718 -+__u32
55719 -+gr_check_link(const struct dentry * new_dentry,
55720 -+ const struct dentry * parent_dentry,
55721 -+ const struct vfsmount * parent_mnt,
55722 -+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
55723 -+{
55724 -+ struct acl_object_label *obj;
55725 -+ __u32 oldmode, newmode;
55726 -+ __u32 needmode;
55727 -+
55728 -+ if (unlikely(!(gr_status & GR_READY)))
55729 -+ return (GR_CREATE | GR_LINK);
55730 -+
55731 -+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
55732 -+ oldmode = obj->mode;
55733 -+
55734 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55735 -+ oldmode |= (GR_CREATE | GR_LINK);
55736 -+
55737 -+ needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
55738 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
55739 -+ needmode |= GR_SETID | GR_AUDIT_SETID;
55740 -+
55741 -+ newmode =
55742 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
55743 -+ oldmode | needmode);
55744 -+
55745 -+ needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
55746 -+ GR_SETID | GR_READ | GR_FIND | GR_DELETE |
55747 -+ GR_INHERIT | GR_AUDIT_INHERIT);
55748 -+
55749 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
55750 -+ goto bad;
55751 -+
55752 -+ if ((oldmode & needmode) != needmode)
55753 -+ goto bad;
55754 -+
55755 -+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
55756 -+ if ((newmode & needmode) != needmode)
55757 -+ goto bad;
55758 -+
55759 -+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
55760 -+ return newmode;
55761 -+bad:
55762 -+ needmode = oldmode;
55763 -+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
55764 -+ needmode |= GR_SETID;
55765 -+
55766 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
55767 -+ gr_log_learn(current, old_dentry, old_mnt, needmode);
55768 -+ return (GR_CREATE | GR_LINK);
55769 -+ } else if (newmode & GR_SUPPRESS)
55770 -+ return GR_SUPPRESS;
55771 -+ else
55772 -+ return 0;
55773 -+}
55774 -+
55775 -+__u32
55776 -+gr_search_file(const struct dentry * dentry, const __u32 mode,
55777 -+ const struct vfsmount * mnt)
55778 -+{
55779 -+ __u32 retval = mode;
55780 -+ struct acl_subject_label *curracl;
55781 -+ struct acl_object_label *currobj;
55782 -+
55783 -+ if (unlikely(!(gr_status & GR_READY)))
55784 -+ return (mode & ~GR_AUDITS);
55785 -+
55786 -+ curracl = current->acl;
55787 -+
55788 -+ currobj = chk_obj_label(dentry, mnt, curracl);
55789 -+ retval = currobj->mode & mode;
55790 -+
55791 -+ if (unlikely
55792 -+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
55793 -+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
55794 -+ __u32 new_mode = mode;
55795 -+
55796 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55797 -+
55798 -+ retval = new_mode;
55799 -+
55800 -+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
55801 -+ new_mode |= GR_INHERIT;
55802 -+
55803 -+ if (!(mode & GR_NOLEARN))
55804 -+ gr_log_learn(current, dentry, mnt, new_mode);
55805 -+ }
55806 -+
55807 -+ return retval;
55808 -+}
55809 -+
55810 -+__u32
55811 -+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
55812 -+ const struct vfsmount * mnt, const __u32 mode)
55813 -+{
55814 -+ struct name_entry *match;
55815 -+ struct acl_object_label *matchpo;
55816 -+ struct acl_subject_label *curracl;
55817 -+ char *path;
55818 -+ __u32 retval;
55819 -+
55820 -+ if (unlikely(!(gr_status & GR_READY)))
55821 -+ return (mode & ~GR_AUDITS);
55822 -+
55823 -+ preempt_disable();
55824 -+ path = gr_to_filename_rbac(new_dentry, mnt);
55825 -+ match = lookup_name_entry_create(path);
55826 -+
55827 -+ if (!match)
55828 -+ goto check_parent;
55829 -+
55830 -+ curracl = current->acl;
55831 -+
55832 -+ read_lock(&gr_inode_lock);
55833 -+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
55834 -+ read_unlock(&gr_inode_lock);
55835 -+
55836 -+ if (matchpo) {
55837 -+ if ((matchpo->mode & mode) !=
55838 -+ (mode & ~(GR_AUDITS | GR_SUPPRESS))
55839 -+ && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
55840 -+ __u32 new_mode = mode;
55841 -+
55842 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55843 -+
55844 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
55845 -+
55846 -+ preempt_enable();
55847 -+ return new_mode;
55848 -+ }
55849 -+ preempt_enable();
55850 -+ return (matchpo->mode & mode);
55851 -+ }
55852 -+
55853 -+ check_parent:
55854 -+ curracl = current->acl;
55855 -+
55856 -+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
55857 -+ retval = matchpo->mode & mode;
55858 -+
55859 -+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
55860 -+ && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
55861 -+ __u32 new_mode = mode;
55862 -+
55863 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
55864 -+
55865 -+ gr_log_learn(current, new_dentry, mnt, new_mode);
55866 -+ preempt_enable();
55867 -+ return new_mode;
55868 -+ }
55869 -+
55870 -+ preempt_enable();
55871 -+ return retval;
55872 -+}
55873 -+
55874 -+int
55875 -+gr_check_hidden_task(const struct task_struct *task)
55876 -+{
55877 -+ if (unlikely(!(gr_status & GR_READY)))
55878 -+ return 0;
55879 -+
55880 -+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
55881 -+ return 1;
55882 -+
55883 -+ return 0;
55884 -+}
55885 -+
55886 -+int
55887 -+gr_check_protected_task(const struct task_struct *task)
55888 -+{
55889 -+ if (unlikely(!(gr_status & GR_READY) || !task))
55890 -+ return 0;
55891 -+
55892 -+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
55893 -+ task->acl != current->acl)
55894 -+ return 1;
55895 -+
55896 -+ return 0;
55897 -+}
55898 -+
55899 -+void
55900 -+gr_copy_label(struct task_struct *tsk)
55901 -+{
55902 -+ tsk->signal->used_accept = 0;
55903 -+ tsk->acl_sp_role = 0;
55904 -+ tsk->acl_role_id = current->acl_role_id;
55905 -+ tsk->acl = current->acl;
55906 -+ tsk->role = current->role;
55907 -+ tsk->signal->curr_ip = current->signal->curr_ip;
55908 -+ if (current->exec_file)
55909 -+ get_file(current->exec_file);
55910 -+ tsk->exec_file = current->exec_file;
55911 -+ tsk->is_writable = current->is_writable;
55912 -+ if (unlikely(current->signal->used_accept))
55913 -+ current->signal->curr_ip = 0;
55914 -+
55915 -+ return;
55916 -+}
55917 -+
55918 -+static void
55919 -+gr_set_proc_res(struct task_struct *task)
55920 -+{
55921 -+ struct acl_subject_label *proc;
55922 -+ unsigned short i;
55923 -+
55924 -+ proc = task->acl;
55925 -+
55926 -+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
55927 -+ return;
55928 -+
55929 -+ for (i = 0; i < (GR_NLIMITS - 1); i++) {
55930 -+ if (!(proc->resmask & (1 << i)))
55931 -+ continue;
55932 -+
55933 -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
55934 -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
55935 -+ }
55936 -+
55937 -+ return;
55938 -+}
55939 -+
55940 -+int
55941 -+gr_check_user_change(int real, int effective, int fs)
55942 -+{
55943 -+ unsigned int i;
55944 -+ __u16 num;
55945 -+ uid_t *uidlist;
55946 -+ int curuid;
55947 -+ int realok = 0;
55948 -+ int effectiveok = 0;
55949 -+ int fsok = 0;
55950 -+
55951 -+ if (unlikely(!(gr_status & GR_READY)))
55952 -+ return 0;
55953 -+
55954 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
55955 -+ gr_log_learn_id_change(current, 'u', real, effective, fs);
55956 -+
55957 -+ num = current->acl->user_trans_num;
55958 -+ uidlist = current->acl->user_transitions;
55959 -+
55960 -+ if (uidlist == NULL)
55961 -+ return 0;
55962 -+
55963 -+ if (real == -1)
55964 -+ realok = 1;
55965 -+ if (effective == -1)
55966 -+ effectiveok = 1;
55967 -+ if (fs == -1)
55968 -+ fsok = 1;
55969 -+
55970 -+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
55971 -+ for (i = 0; i < num; i++) {
55972 -+ curuid = (int)uidlist[i];
55973 -+ if (real == curuid)
55974 -+ realok = 1;
55975 -+ if (effective == curuid)
55976 -+ effectiveok = 1;
55977 -+ if (fs == curuid)
55978 -+ fsok = 1;
55979 -+ }
55980 -+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
55981 -+ for (i = 0; i < num; i++) {
55982 -+ curuid = (int)uidlist[i];
55983 -+ if (real == curuid)
55984 -+ break;
55985 -+ if (effective == curuid)
55986 -+ break;
55987 -+ if (fs == curuid)
55988 -+ break;
55989 -+ }
55990 -+ /* not in deny list */
55991 -+ if (i == num) {
55992 -+ realok = 1;
55993 -+ effectiveok = 1;
55994 -+ fsok = 1;
55995 -+ }
55996 -+ }
55997 -+
55998 -+ if (realok && effectiveok && fsok)
55999 -+ return 0;
56000 -+ else {
56001 -+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
56002 -+ return 1;
56003 -+ }
56004 -+}
56005 -+
56006 -+int
56007 -+gr_check_group_change(int real, int effective, int fs)
56008 -+{
56009 -+ unsigned int i;
56010 -+ __u16 num;
56011 -+ gid_t *gidlist;
56012 -+ int curgid;
56013 -+ int realok = 0;
56014 -+ int effectiveok = 0;
56015 -+ int fsok = 0;
56016 -+
56017 -+ if (unlikely(!(gr_status & GR_READY)))
56018 -+ return 0;
56019 -+
56020 -+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
56021 -+ gr_log_learn_id_change(current, 'g', real, effective, fs);
56022 -+
56023 -+ num = current->acl->group_trans_num;
56024 -+ gidlist = current->acl->group_transitions;
56025 -+
56026 -+ if (gidlist == NULL)
56027 -+ return 0;
56028 -+
56029 -+ if (real == -1)
56030 -+ realok = 1;
56031 -+ if (effective == -1)
56032 -+ effectiveok = 1;
56033 -+ if (fs == -1)
56034 -+ fsok = 1;
56035 -+
56036 -+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
56037 -+ for (i = 0; i < num; i++) {
56038 -+ curgid = (int)gidlist[i];
56039 -+ if (real == curgid)
56040 -+ realok = 1;
56041 -+ if (effective == curgid)
56042 -+ effectiveok = 1;
56043 -+ if (fs == curgid)
56044 -+ fsok = 1;
56045 -+ }
56046 -+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
56047 -+ for (i = 0; i < num; i++) {
56048 -+ curgid = (int)gidlist[i];
56049 -+ if (real == curgid)
56050 -+ break;
56051 -+ if (effective == curgid)
56052 -+ break;
56053 -+ if (fs == curgid)
56054 -+ break;
56055 -+ }
56056 -+ /* not in deny list */
56057 -+ if (i == num) {
56058 -+ realok = 1;
56059 -+ effectiveok = 1;
56060 -+ fsok = 1;
56061 -+ }
56062 -+ }
56063 -+
56064 -+ if (realok && effectiveok && fsok)
56065 -+ return 0;
56066 -+ else {
56067 -+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
56068 -+ return 1;
56069 -+ }
56070 -+}
56071 -+
56072 -+void
56073 -+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
56074 -+{
56075 -+ struct acl_role_label *role = task->role;
56076 -+ struct acl_subject_label *subj = NULL;
56077 -+ struct acl_object_label *obj;
56078 -+ struct file *filp;
56079 -+
56080 -+ if (unlikely(!(gr_status & GR_READY)))
56081 -+ return;
56082 -+
56083 -+ filp = task->exec_file;
56084 -+
56085 -+ /* kernel process, we'll give them the kernel role */
56086 -+ if (unlikely(!filp)) {
56087 -+ task->role = kernel_role;
56088 -+ task->acl = kernel_role->root_label;
56089 -+ return;
56090 -+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
56091 -+ role = lookup_acl_role_label(task, uid, gid);
56092 -+
56093 -+ /* perform subject lookup in possibly new role
56094 -+ we can use this result below in the case where role == task->role
56095 -+ */
56096 -+ subj = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, role);
56097 -+
56098 -+ /* if we changed uid/gid, but result in the same role
56099 -+ and are using inheritance, don't lose the inherited subject
56100 -+ if current subject is other than what normal lookup
56101 -+ would result in, we arrived via inheritance, don't
56102 -+ lose subject
56103 -+ */
56104 -+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
56105 -+ (subj == task->acl)))
56106 -+ task->acl = subj;
56107 -+
56108 -+ task->role = role;
56109 -+
56110 -+ task->is_writable = 0;
56111 -+
56112 -+ /* ignore additional mmap checks for processes that are writable
56113 -+ by the default ACL */
56114 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56115 -+ if (unlikely(obj->mode & GR_WRITE))
56116 -+ task->is_writable = 1;
56117 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
56118 -+ if (unlikely(obj->mode & GR_WRITE))
56119 -+ task->is_writable = 1;
56120 -+
56121 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56122 -+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56123 -+#endif
56124 -+
56125 -+ gr_set_proc_res(task);
56126 -+
56127 -+ return;
56128 -+}
56129 -+
56130 -+int
56131 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
56132 -+{
56133 -+ struct task_struct *task = current;
56134 -+ struct acl_subject_label *newacl;
56135 -+ struct acl_object_label *obj;
56136 -+ __u32 retmode;
56137 -+
56138 -+ if (unlikely(!(gr_status & GR_READY)))
56139 -+ return 0;
56140 -+
56141 -+ newacl = chk_subj_label(dentry, mnt, task->role);
56142 -+
56143 -+ task_lock(task);
56144 -+ if (((task->ptrace & PT_PTRACED) && !(task->acl->mode &
56145 -+ GR_POVERRIDE) && (task->acl != newacl) &&
56146 -+ !(task->role->roletype & GR_ROLE_GOD) &&
56147 -+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
56148 -+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) ||
56149 -+ (atomic_read(&task->fs->count) > 1 ||
56150 -+ atomic_read(&task->files->count) > 1 ||
56151 -+ atomic_read(&task->sighand->count) > 1)) {
56152 -+ task_unlock(task);
56153 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
56154 -+ return -EACCES;
56155 -+ }
56156 -+ task_unlock(task);
56157 -+
56158 -+ obj = chk_obj_label(dentry, mnt, task->acl);
56159 -+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
56160 -+
56161 -+ if (!(task->acl->mode & GR_INHERITLEARN) &&
56162 -+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
56163 -+ if (obj->nested)
56164 -+ task->acl = obj->nested;
56165 -+ else
56166 -+ task->acl = newacl;
56167 -+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
56168 -+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
56169 -+
56170 -+ task->is_writable = 0;
56171 -+
56172 -+ /* ignore additional mmap checks for processes that are writable
56173 -+ by the default ACL */
56174 -+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
56175 -+ if (unlikely(obj->mode & GR_WRITE))
56176 -+ task->is_writable = 1;
56177 -+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
56178 -+ if (unlikely(obj->mode & GR_WRITE))
56179 -+ task->is_writable = 1;
56180 -+
56181 -+ gr_set_proc_res(task);
56182 -+
56183 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56184 -+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56185 -+#endif
56186 -+ return 0;
56187 -+}
56188 -+
56189 -+/* always called with valid inodev ptr */
56190 -+static void
56191 -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
56192 -+{
56193 -+ struct acl_object_label *matchpo;
56194 -+ struct acl_subject_label *matchps;
56195 -+ struct acl_subject_label *subj;
56196 -+ struct acl_role_label *role;
56197 -+ unsigned int i, x;
56198 -+
56199 -+ FOR_EACH_ROLE_START(role, i)
56200 -+ FOR_EACH_SUBJECT_START(role, subj, x)
56201 -+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
56202 -+ matchpo->mode |= GR_DELETED;
56203 -+ FOR_EACH_SUBJECT_END(subj,x)
56204 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
56205 -+ if (subj->inode == ino && subj->device == dev)
56206 -+ subj->mode |= GR_DELETED;
56207 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
56208 -+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
56209 -+ matchps->mode |= GR_DELETED;
56210 -+ FOR_EACH_ROLE_END(role,i)
56211 -+
56212 -+ inodev->nentry->deleted = 1;
56213 -+
56214 -+ return;
56215 -+}
56216 -+
56217 -+void
56218 -+gr_handle_delete(const ino_t ino, const dev_t dev)
56219 -+{
56220 -+ struct inodev_entry *inodev;
56221 -+
56222 -+ if (unlikely(!(gr_status & GR_READY)))
56223 -+ return;
56224 -+
56225 -+ write_lock(&gr_inode_lock);
56226 -+ inodev = lookup_inodev_entry(ino, dev);
56227 -+ if (inodev != NULL)
56228 -+ do_handle_delete(inodev, ino, dev);
56229 -+ write_unlock(&gr_inode_lock);
56230 -+
56231 -+ return;
56232 -+}
56233 -+
56234 -+static void
56235 -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
56236 -+ const ino_t newinode, const dev_t newdevice,
56237 -+ struct acl_subject_label *subj)
56238 -+{
56239 -+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
56240 -+ struct acl_object_label *match;
56241 -+
56242 -+ match = subj->obj_hash[index];
56243 -+
56244 -+ while (match && (match->inode != oldinode ||
56245 -+ match->device != olddevice ||
56246 -+ !(match->mode & GR_DELETED)))
56247 -+ match = match->next;
56248 -+
56249 -+ if (match && (match->inode == oldinode)
56250 -+ && (match->device == olddevice)
56251 -+ && (match->mode & GR_DELETED)) {
56252 -+ if (match->prev == NULL) {
56253 -+ subj->obj_hash[index] = match->next;
56254 -+ if (match->next != NULL)
56255 -+ match->next->prev = NULL;
56256 -+ } else {
56257 -+ match->prev->next = match->next;
56258 -+ if (match->next != NULL)
56259 -+ match->next->prev = match->prev;
56260 -+ }
56261 -+ match->prev = NULL;
56262 -+ match->next = NULL;
56263 -+ match->inode = newinode;
56264 -+ match->device = newdevice;
56265 -+ match->mode &= ~GR_DELETED;
56266 -+
56267 -+ insert_acl_obj_label(match, subj);
56268 -+ }
56269 -+
56270 -+ return;
56271 -+}
56272 -+
56273 -+static void
56274 -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
56275 -+ const ino_t newinode, const dev_t newdevice,
56276 -+ struct acl_role_label *role)
56277 -+{
56278 -+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
56279 -+ struct acl_subject_label *match;
56280 -+
56281 -+ match = role->subj_hash[index];
56282 -+
56283 -+ while (match && (match->inode != oldinode ||
56284 -+ match->device != olddevice ||
56285 -+ !(match->mode & GR_DELETED)))
56286 -+ match = match->next;
56287 -+
56288 -+ if (match && (match->inode == oldinode)
56289 -+ && (match->device == olddevice)
56290 -+ && (match->mode & GR_DELETED)) {
56291 -+ if (match->prev == NULL) {
56292 -+ role->subj_hash[index] = match->next;
56293 -+ if (match->next != NULL)
56294 -+ match->next->prev = NULL;
56295 -+ } else {
56296 -+ match->prev->next = match->next;
56297 -+ if (match->next != NULL)
56298 -+ match->next->prev = match->prev;
56299 -+ }
56300 -+ match->prev = NULL;
56301 -+ match->next = NULL;
56302 -+ match->inode = newinode;
56303 -+ match->device = newdevice;
56304 -+ match->mode &= ~GR_DELETED;
56305 -+
56306 -+ insert_acl_subj_label(match, role);
56307 -+ }
56308 -+
56309 -+ return;
56310 -+}
56311 -+
56312 -+static void
56313 -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
56314 -+ const ino_t newinode, const dev_t newdevice)
56315 -+{
56316 -+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
56317 -+ struct inodev_entry *match;
56318 -+
56319 -+ match = inodev_set.i_hash[index];
56320 -+
56321 -+ while (match && (match->nentry->inode != oldinode ||
56322 -+ match->nentry->device != olddevice || !match->nentry->deleted))
56323 -+ match = match->next;
56324 -+
56325 -+ if (match && (match->nentry->inode == oldinode)
56326 -+ && (match->nentry->device == olddevice) &&
56327 -+ match->nentry->deleted) {
56328 -+ if (match->prev == NULL) {
56329 -+ inodev_set.i_hash[index] = match->next;
56330 -+ if (match->next != NULL)
56331 -+ match->next->prev = NULL;
56332 -+ } else {
56333 -+ match->prev->next = match->next;
56334 -+ if (match->next != NULL)
56335 -+ match->next->prev = match->prev;
56336 -+ }
56337 -+ match->prev = NULL;
56338 -+ match->next = NULL;
56339 -+ match->nentry->inode = newinode;
56340 -+ match->nentry->device = newdevice;
56341 -+ match->nentry->deleted = 0;
56342 -+
56343 -+ insert_inodev_entry(match);
56344 -+ }
56345 -+
56346 -+ return;
56347 -+}
56348 -+
56349 -+static void
56350 -+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
56351 -+ const struct vfsmount *mnt)
56352 -+{
56353 -+ struct acl_subject_label *subj;
56354 -+ struct acl_role_label *role;
56355 -+ unsigned int i, x;
56356 -+
56357 -+ FOR_EACH_ROLE_START(role, i)
56358 -+ update_acl_subj_label(matchn->inode, matchn->device,
56359 -+ dentry->d_inode->i_ino,
56360 -+ dentry->d_inode->i_sb->s_dev, role);
56361 -+
56362 -+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
56363 -+ if ((subj->inode == dentry->d_inode->i_ino) &&
56364 -+ (subj->device == dentry->d_inode->i_sb->s_dev)) {
56365 -+ subj->inode = dentry->d_inode->i_ino;
56366 -+ subj->device = dentry->d_inode->i_sb->s_dev;
56367 -+ }
56368 -+ FOR_EACH_NESTED_SUBJECT_END(subj)
56369 -+ FOR_EACH_SUBJECT_START(role, subj, x)
56370 -+ update_acl_obj_label(matchn->inode, matchn->device,
56371 -+ dentry->d_inode->i_ino,
56372 -+ dentry->d_inode->i_sb->s_dev, subj);
56373 -+ FOR_EACH_SUBJECT_END(subj,x)
56374 -+ FOR_EACH_ROLE_END(role,i)
56375 -+
56376 -+ update_inodev_entry(matchn->inode, matchn->device,
56377 -+ dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
56378 -+
56379 -+ return;
56380 -+}
56381 -+
56382 -+void
56383 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
56384 -+{
56385 -+ struct name_entry *matchn;
56386 -+
56387 -+ if (unlikely(!(gr_status & GR_READY)))
56388 -+ return;
56389 -+
56390 -+ preempt_disable();
56391 -+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
56392 -+
56393 -+ if (unlikely((unsigned long)matchn)) {
56394 -+ write_lock(&gr_inode_lock);
56395 -+ do_handle_create(matchn, dentry, mnt);
56396 -+ write_unlock(&gr_inode_lock);
56397 -+ }
56398 -+ preempt_enable();
56399 -+
56400 -+ return;
56401 -+}
56402 -+
56403 -+void
56404 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
56405 -+ struct dentry *old_dentry,
56406 -+ struct dentry *new_dentry,
56407 -+ struct vfsmount *mnt, const __u8 replace)
56408 -+{
56409 -+ struct name_entry *matchn;
56410 -+ struct inodev_entry *inodev;
56411 -+
56412 -+ /* vfs_rename swaps the name and parent link for old_dentry and
56413 -+ new_dentry
56414 -+ at this point, old_dentry has the new name, parent link, and inode
56415 -+ for the renamed file
56416 -+ if a file is being replaced by a rename, new_dentry has the inode
56417 -+ and name for the replaced file
56418 -+ */
56419 -+
56420 -+ if (unlikely(!(gr_status & GR_READY)))
56421 -+ return;
56422 -+
56423 -+ preempt_disable();
56424 -+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
56425 -+
56426 -+ /* we wouldn't have to check d_inode if it weren't for
56427 -+ NFS silly-renaming
56428 -+ */
56429 -+
56430 -+ write_lock(&gr_inode_lock);
56431 -+ if (unlikely(replace && new_dentry->d_inode)) {
56432 -+ inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
56433 -+ new_dentry->d_inode->i_sb->s_dev);
56434 -+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
56435 -+ do_handle_delete(inodev, new_dentry->d_inode->i_ino,
56436 -+ new_dentry->d_inode->i_sb->s_dev);
56437 -+ }
56438 -+
56439 -+ inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
56440 -+ old_dentry->d_inode->i_sb->s_dev);
56441 -+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
56442 -+ do_handle_delete(inodev, old_dentry->d_inode->i_ino,
56443 -+ old_dentry->d_inode->i_sb->s_dev);
56444 -+
56445 -+ if (unlikely((unsigned long)matchn))
56446 -+ do_handle_create(matchn, old_dentry, mnt);
56447 -+
56448 -+ write_unlock(&gr_inode_lock);
56449 -+ preempt_enable();
56450 -+
56451 -+ return;
56452 -+}
56453 -+
56454 -+static int
56455 -+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
56456 -+ unsigned char **sum)
56457 -+{
56458 -+ struct acl_role_label *r;
56459 -+ struct role_allowed_ip *ipp;
56460 -+ struct role_transition *trans;
56461 -+ unsigned int i;
56462 -+ int found = 0;
56463 -+
56464 -+ /* check transition table */
56465 -+
56466 -+ for (trans = current->role->transitions; trans; trans = trans->next) {
56467 -+ if (!strcmp(rolename, trans->rolename)) {
56468 -+ found = 1;
56469 -+ break;
56470 -+ }
56471 -+ }
56472 -+
56473 -+ if (!found)
56474 -+ return 0;
56475 -+
56476 -+ /* handle special roles that do not require authentication
56477 -+ and check ip */
56478 -+
56479 -+ FOR_EACH_ROLE_START(r, i)
56480 -+ if (!strcmp(rolename, r->rolename) &&
56481 -+ (r->roletype & GR_ROLE_SPECIAL)) {
56482 -+ found = 0;
56483 -+ if (r->allowed_ips != NULL) {
56484 -+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
56485 -+ if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
56486 -+ (ntohl(ipp->addr) & ipp->netmask))
56487 -+ found = 1;
56488 -+ }
56489 -+ } else
56490 -+ found = 2;
56491 -+ if (!found)
56492 -+ return 0;
56493 -+
56494 -+ if (((mode == SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
56495 -+ ((mode == SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
56496 -+ *salt = NULL;
56497 -+ *sum = NULL;
56498 -+ return 1;
56499 -+ }
56500 -+ }
56501 -+ FOR_EACH_ROLE_END(r,i)
56502 -+
56503 -+ for (i = 0; i < num_sprole_pws; i++) {
56504 -+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
56505 -+ *salt = acl_special_roles[i]->salt;
56506 -+ *sum = acl_special_roles[i]->sum;
56507 -+ return 1;
56508 -+ }
56509 -+ }
56510 -+
56511 -+ return 0;
56512 -+}
56513 -+
56514 -+static void
56515 -+assign_special_role(char *rolename)
56516 -+{
56517 -+ struct acl_object_label *obj;
56518 -+ struct acl_role_label *r;
56519 -+ struct acl_role_label *assigned = NULL;
56520 -+ struct task_struct *tsk;
56521 -+ struct file *filp;
56522 -+ unsigned int i;
56523 -+
56524 -+ FOR_EACH_ROLE_START(r, i)
56525 -+ if (!strcmp(rolename, r->rolename) &&
56526 -+ (r->roletype & GR_ROLE_SPECIAL))
56527 -+ assigned = r;
56528 -+ FOR_EACH_ROLE_END(r,i)
56529 -+
56530 -+ if (!assigned)
56531 -+ return;
56532 -+
56533 -+ read_lock(&tasklist_lock);
56534 -+ read_lock(&grsec_exec_file_lock);
56535 -+
56536 -+ tsk = current->parent;
56537 -+ if (tsk == NULL)
56538 -+ goto out_unlock;
56539 -+
56540 -+ filp = tsk->exec_file;
56541 -+ if (filp == NULL)
56542 -+ goto out_unlock;
56543 -+
56544 -+ tsk->is_writable = 0;
56545 -+
56546 -+ tsk->acl_sp_role = 1;
56547 -+ tsk->acl_role_id = ++acl_sp_role_value;
56548 -+ tsk->role = assigned;
56549 -+ tsk->acl = chk_subj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role);
56550 -+
56551 -+ /* ignore additional mmap checks for processes that are writable
56552 -+ by the default ACL */
56553 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56554 -+ if (unlikely(obj->mode & GR_WRITE))
56555 -+ tsk->is_writable = 1;
56556 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, tsk->role->root_label);
56557 -+ if (unlikely(obj->mode & GR_WRITE))
56558 -+ tsk->is_writable = 1;
56559 -+
56560 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56561 -+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
56562 -+#endif
56563 -+
56564 -+out_unlock:
56565 -+ read_unlock(&grsec_exec_file_lock);
56566 -+ read_unlock(&tasklist_lock);
56567 -+ return;
56568 -+}
56569 -+
56570 -+int gr_check_secure_terminal(struct task_struct *task)
56571 -+{
56572 -+ struct task_struct *p, *p2, *p3;
56573 -+ struct files_struct *files;
56574 -+ struct fdtable *fdt;
56575 -+ struct file *our_file = NULL, *file;
56576 -+ int i;
56577 -+
56578 -+ if (task->signal->tty == NULL)
56579 -+ return 1;
56580 -+
56581 -+ files = get_files_struct(task);
56582 -+ if (files != NULL) {
56583 -+ rcu_read_lock();
56584 -+ fdt = files_fdtable(files);
56585 -+ for (i=0; i < fdt->max_fds; i++) {
56586 -+ file = fcheck_files(files, i);
56587 -+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
56588 -+ get_file(file);
56589 -+ our_file = file;
56590 -+ }
56591 -+ }
56592 -+ rcu_read_unlock();
56593 -+ put_files_struct(files);
56594 -+ }
56595 -+
56596 -+ if (our_file == NULL)
56597 -+ return 1;
56598 -+
56599 -+ read_lock(&tasklist_lock);
56600 -+ do_each_thread(p2, p) {
56601 -+ files = get_files_struct(p);
56602 -+ if (files == NULL ||
56603 -+ (p->signal && p->signal->tty == task->signal->tty)) {
56604 -+ if (files != NULL)
56605 -+ put_files_struct(files);
56606 -+ continue;
56607 -+ }
56608 -+ rcu_read_lock();
56609 -+ fdt = files_fdtable(files);
56610 -+ for (i=0; i < fdt->max_fds; i++) {
56611 -+ file = fcheck_files(files, i);
56612 -+ if (file && S_ISCHR(file->f_dentry->d_inode->i_mode) &&
56613 -+ file->f_dentry->d_inode->i_rdev == our_file->f_dentry->d_inode->i_rdev) {
56614 -+ p3 = task;
56615 -+ while (p3->pid > 0) {
56616 -+ if (p3 == p)
56617 -+ break;
56618 -+ p3 = p3->parent;
56619 -+ }
56620 -+ if (p3 == p)
56621 -+ break;
56622 -+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
56623 -+ gr_handle_alertkill(p);
56624 -+ rcu_read_unlock();
56625 -+ put_files_struct(files);
56626 -+ read_unlock(&tasklist_lock);
56627 -+ fput(our_file);
56628 -+ return 0;
56629 -+ }
56630 -+ }
56631 -+ rcu_read_unlock();
56632 -+ put_files_struct(files);
56633 -+ } while_each_thread(p2, p);
56634 -+ read_unlock(&tasklist_lock);
56635 -+
56636 -+ fput(our_file);
56637 -+ return 1;
56638 -+}
56639 -+
56640 -+ssize_t
56641 -+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
56642 -+{
56643 -+ struct gr_arg_wrapper uwrap;
56644 -+ unsigned char *sprole_salt;
56645 -+ unsigned char *sprole_sum;
56646 -+ int error = sizeof (struct gr_arg_wrapper);
56647 -+ int error2 = 0;
56648 -+
56649 -+ down(&gr_dev_sem);
56650 -+
56651 -+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
56652 -+ error = -EPERM;
56653 -+ goto out;
56654 -+ }
56655 -+
56656 -+ if (count != sizeof (struct gr_arg_wrapper)) {
56657 -+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
56658 -+ error = -EINVAL;
56659 -+ goto out;
56660 -+ }
56661 -+
56662 -+
56663 -+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
56664 -+ gr_auth_expires = 0;
56665 -+ gr_auth_attempts = 0;
56666 -+ }
56667 -+
56668 -+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
56669 -+ error = -EFAULT;
56670 -+ goto out;
56671 -+ }
56672 -+
56673 -+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
56674 -+ error = -EINVAL;
56675 -+ goto out;
56676 -+ }
56677 -+
56678 -+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
56679 -+ error = -EFAULT;
56680 -+ goto out;
56681 -+ }
56682 -+
56683 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != SPROLEPAM &&
56684 -+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
56685 -+ time_after(gr_auth_expires, get_seconds())) {
56686 -+ error = -EBUSY;
56687 -+ goto out;
56688 -+ }
56689 -+
56690 -+ /* if non-root trying to do anything other than use a special role,
56691 -+ do not attempt authentication, do not count towards authentication
56692 -+ locking
56693 -+ */
56694 -+
56695 -+ if (gr_usermode->mode != SPROLE && gr_usermode->mode != STATUS &&
56696 -+ gr_usermode->mode != UNSPROLE && gr_usermode->mode != SPROLEPAM &&
56697 -+ current->uid) {
56698 -+ error = -EPERM;
56699 -+ goto out;
56700 -+ }
56701 -+
56702 -+ /* ensure pw and special role name are null terminated */
56703 -+
56704 -+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
56705 -+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
56706 -+
56707 -+ /* Okay.
56708 -+ * We have our enough of the argument structure..(we have yet
56709 -+ * to copy_from_user the tables themselves) . Copy the tables
56710 -+ * only if we need them, i.e. for loading operations. */
56711 -+
56712 -+ switch (gr_usermode->mode) {
56713 -+ case STATUS:
56714 -+ if (gr_status & GR_READY) {
56715 -+ error = 1;
56716 -+ if (!gr_check_secure_terminal(current))
56717 -+ error = 3;
56718 -+ } else
56719 -+ error = 2;
56720 -+ goto out;
56721 -+ case SHUTDOWN:
56722 -+ if ((gr_status & GR_READY)
56723 -+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56724 -+ gr_status &= ~GR_READY;
56725 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
56726 -+ free_variables();
56727 -+ memset(gr_usermode, 0, sizeof (struct gr_arg));
56728 -+ memset(gr_system_salt, 0, GR_SALT_LEN);
56729 -+ memset(gr_system_sum, 0, GR_SHA_LEN);
56730 -+ } else if (gr_status & GR_READY) {
56731 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
56732 -+ error = -EPERM;
56733 -+ } else {
56734 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
56735 -+ error = -EAGAIN;
56736 -+ }
56737 -+ break;
56738 -+ case ENABLE:
56739 -+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
56740 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
56741 -+ else {
56742 -+ if (gr_status & GR_READY)
56743 -+ error = -EAGAIN;
56744 -+ else
56745 -+ error = error2;
56746 -+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
56747 -+ }
56748 -+ break;
56749 -+ case RELOAD:
56750 -+ if (!(gr_status & GR_READY)) {
56751 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
56752 -+ error = -EAGAIN;
56753 -+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56754 -+ lock_kernel();
56755 -+ gr_status &= ~GR_READY;
56756 -+ free_variables();
56757 -+ if (!(error2 = gracl_init(gr_usermode))) {
56758 -+ unlock_kernel();
56759 -+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
56760 -+ } else {
56761 -+ unlock_kernel();
56762 -+ error = error2;
56763 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
56764 -+ }
56765 -+ } else {
56766 -+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
56767 -+ error = -EPERM;
56768 -+ }
56769 -+ break;
56770 -+ case SEGVMOD:
56771 -+ if (unlikely(!(gr_status & GR_READY))) {
56772 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
56773 -+ error = -EAGAIN;
56774 -+ break;
56775 -+ }
56776 -+
56777 -+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
56778 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
56779 -+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
56780 -+ struct acl_subject_label *segvacl;
56781 -+ segvacl =
56782 -+ lookup_acl_subj_label(gr_usermode->segv_inode,
56783 -+ gr_usermode->segv_device,
56784 -+ current->role);
56785 -+ if (segvacl) {
56786 -+ segvacl->crashes = 0;
56787 -+ segvacl->expires = 0;
56788 -+ }
56789 -+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
56790 -+ gr_remove_uid(gr_usermode->segv_uid);
56791 -+ }
56792 -+ } else {
56793 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
56794 -+ error = -EPERM;
56795 -+ }
56796 -+ break;
56797 -+ case SPROLE:
56798 -+ case SPROLEPAM:
56799 -+ if (unlikely(!(gr_status & GR_READY))) {
56800 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
56801 -+ error = -EAGAIN;
56802 -+ break;
56803 -+ }
56804 -+
56805 -+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
56806 -+ current->role->expires = 0;
56807 -+ current->role->auth_attempts = 0;
56808 -+ }
56809 -+
56810 -+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
56811 -+ time_after(current->role->expires, get_seconds())) {
56812 -+ error = -EBUSY;
56813 -+ goto out;
56814 -+ }
56815 -+
56816 -+ if (lookup_special_role_auth
56817 -+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
56818 -+ && ((!sprole_salt && !sprole_sum)
56819 -+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
56820 -+ char *p = "";
56821 -+ assign_special_role(gr_usermode->sp_role);
56822 -+ read_lock(&tasklist_lock);
56823 -+ if (current->parent)
56824 -+ p = current->parent->role->rolename;
56825 -+ read_unlock(&tasklist_lock);
56826 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
56827 -+ p, acl_sp_role_value);
56828 -+ } else {
56829 -+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
56830 -+ error = -EPERM;
56831 -+ if(!(current->role->auth_attempts++))
56832 -+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
56833 -+
56834 -+ goto out;
56835 -+ }
56836 -+ break;
56837 -+ case UNSPROLE:
56838 -+ if (unlikely(!(gr_status & GR_READY))) {
56839 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
56840 -+ error = -EAGAIN;
56841 -+ break;
56842 -+ }
56843 -+
56844 -+ if (current->role->roletype & GR_ROLE_SPECIAL) {
56845 -+ char *p = "";
56846 -+ int i = 0;
56847 -+
56848 -+ read_lock(&tasklist_lock);
56849 -+ if (current->parent) {
56850 -+ p = current->parent->role->rolename;
56851 -+ i = current->parent->acl_role_id;
56852 -+ }
56853 -+ read_unlock(&tasklist_lock);
56854 -+
56855 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
56856 -+ gr_set_acls(1);
56857 -+ } else {
56858 -+ gr_log_str(GR_DONT_AUDIT, GR_UNSPROLEF_ACL_MSG, current->role->rolename);
56859 -+ error = -EPERM;
56860 -+ goto out;
56861 -+ }
56862 -+ break;
56863 -+ default:
56864 -+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
56865 -+ error = -EINVAL;
56866 -+ break;
56867 -+ }
56868 -+
56869 -+ if (error != -EPERM)
56870 -+ goto out;
56871 -+
56872 -+ if(!(gr_auth_attempts++))
56873 -+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
56874 -+
56875 -+ out:
56876 -+ up(&gr_dev_sem);
56877 -+ return error;
56878 -+}
56879 -+
56880 -+int
56881 -+gr_set_acls(const int type)
56882 -+{
56883 -+ struct acl_object_label *obj;
56884 -+ struct task_struct *task, *task2;
56885 -+ struct file *filp;
56886 -+ struct acl_role_label *role = current->role;
56887 -+ __u16 acl_role_id = current->acl_role_id;
56888 -+
56889 -+ read_lock(&tasklist_lock);
56890 -+ read_lock(&grsec_exec_file_lock);
56891 -+ do_each_thread(task2, task) {
56892 -+ /* check to see if we're called from the exit handler,
56893 -+ if so, only replace ACLs that have inherited the admin
56894 -+ ACL */
56895 -+
56896 -+ if (type && (task->role != role ||
56897 -+ task->acl_role_id != acl_role_id))
56898 -+ continue;
56899 -+
56900 -+ task->acl_role_id = 0;
56901 -+ task->acl_sp_role = 0;
56902 -+
56903 -+ if ((filp = task->exec_file)) {
56904 -+ task->role = lookup_acl_role_label(task, task->uid, task->gid);
56905 -+
56906 -+ task->acl =
56907 -+ chk_subj_label(filp->f_dentry, filp->f_vfsmnt,
56908 -+ task->role);
56909 -+ if (task->acl) {
56910 -+ struct acl_subject_label *curr;
56911 -+ curr = task->acl;
56912 -+
56913 -+ task->is_writable = 0;
56914 -+ /* ignore additional mmap checks for processes that are writable
56915 -+ by the default ACL */
56916 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
56917 -+ if (unlikely(obj->mode & GR_WRITE))
56918 -+ task->is_writable = 1;
56919 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, task->role->root_label);
56920 -+ if (unlikely(obj->mode & GR_WRITE))
56921 -+ task->is_writable = 1;
56922 -+
56923 -+ gr_set_proc_res(task);
56924 -+
56925 -+#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
56926 -+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
56927 -+#endif
56928 -+ } else {
56929 -+ read_unlock(&grsec_exec_file_lock);
56930 -+ read_unlock(&tasklist_lock);
56931 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
56932 -+ return 1;
56933 -+ }
56934 -+ } else {
56935 -+ // it's a kernel process
56936 -+ task->role = kernel_role;
56937 -+ task->acl = kernel_role->root_label;
56938 -+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
56939 -+ task->acl->mode &= ~GR_PROCFIND;
56940 -+#endif
56941 -+ }
56942 -+ } while_each_thread(task2, task);
56943 -+ read_unlock(&grsec_exec_file_lock);
56944 -+ read_unlock(&tasklist_lock);
56945 -+ return 0;
56946 -+}
56947 -+
56948 -+void
56949 -+gr_learn_resource(const struct task_struct *task,
56950 -+ const int res, const unsigned long wanted, const int gt)
56951 -+{
56952 -+ struct acl_subject_label *acl;
56953 -+
56954 -+ if (unlikely((gr_status & GR_READY) &&
56955 -+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
56956 -+ goto skip_reslog;
56957 -+
56958 -+#ifdef CONFIG_GRKERNSEC_RESLOG
56959 -+ gr_log_resource(task, res, wanted, gt);
56960 -+#endif
56961 -+ skip_reslog:
56962 -+
56963 -+ if (unlikely(!(gr_status & GR_READY) || !wanted))
56964 -+ return;
56965 -+
56966 -+ acl = task->acl;
56967 -+
56968 -+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
56969 -+ !(acl->resmask & (1 << (unsigned short) res))))
56970 -+ return;
56971 -+
56972 -+ if (wanted >= acl->res[res].rlim_cur) {
56973 -+ unsigned long res_add;
56974 -+
56975 -+ res_add = wanted;
56976 -+ switch (res) {
56977 -+ case RLIMIT_CPU:
56978 -+ res_add += GR_RLIM_CPU_BUMP;
56979 -+ break;
56980 -+ case RLIMIT_FSIZE:
56981 -+ res_add += GR_RLIM_FSIZE_BUMP;
56982 -+ break;
56983 -+ case RLIMIT_DATA:
56984 -+ res_add += GR_RLIM_DATA_BUMP;
56985 -+ break;
56986 -+ case RLIMIT_STACK:
56987 -+ res_add += GR_RLIM_STACK_BUMP;
56988 -+ break;
56989 -+ case RLIMIT_CORE:
56990 -+ res_add += GR_RLIM_CORE_BUMP;
56991 -+ break;
56992 -+ case RLIMIT_RSS:
56993 -+ res_add += GR_RLIM_RSS_BUMP;
56994 -+ break;
56995 -+ case RLIMIT_NPROC:
56996 -+ res_add += GR_RLIM_NPROC_BUMP;
56997 -+ break;
56998 -+ case RLIMIT_NOFILE:
56999 -+ res_add += GR_RLIM_NOFILE_BUMP;
57000 -+ break;
57001 -+ case RLIMIT_MEMLOCK:
57002 -+ res_add += GR_RLIM_MEMLOCK_BUMP;
57003 -+ break;
57004 -+ case RLIMIT_AS:
57005 -+ res_add += GR_RLIM_AS_BUMP;
57006 -+ break;
57007 -+ case RLIMIT_LOCKS:
57008 -+ res_add += GR_RLIM_LOCKS_BUMP;
57009 -+ break;
57010 -+ }
57011 -+
57012 -+ acl->res[res].rlim_cur = res_add;
57013 -+
57014 -+ if (wanted > acl->res[res].rlim_max)
57015 -+ acl->res[res].rlim_max = res_add;
57016 -+
57017 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
57018 -+ task->role->roletype, acl->filename,
57019 -+ acl->res[res].rlim_cur, acl->res[res].rlim_max,
57020 -+ "", (unsigned long) res);
57021 -+ }
57022 -+
57023 -+ return;
57024 -+}
57025 -+
57026 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57027 -+void
57028 -+pax_set_initial_flags(struct linux_binprm *bprm)
57029 -+{
57030 -+ struct task_struct *task = current;
57031 -+ struct acl_subject_label *proc;
57032 -+ unsigned long flags;
57033 -+
57034 -+ if (unlikely(!(gr_status & GR_READY)))
57035 -+ return;
57036 -+
57037 -+ flags = pax_get_flags(task);
57038 -+
57039 -+ proc = task->acl;
57040 -+
57041 -+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
57042 -+ flags &= ~MF_PAX_PAGEEXEC;
57043 -+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
57044 -+ flags &= ~MF_PAX_SEGMEXEC;
57045 -+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
57046 -+ flags &= ~MF_PAX_RANDMMAP;
57047 -+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
57048 -+ flags &= ~MF_PAX_EMUTRAMP;
57049 -+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
57050 -+ flags &= ~MF_PAX_MPROTECT;
57051 -+
57052 -+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
57053 -+ flags |= MF_PAX_PAGEEXEC;
57054 -+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
57055 -+ flags |= MF_PAX_SEGMEXEC;
57056 -+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
57057 -+ flags |= MF_PAX_RANDMMAP;
57058 -+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
57059 -+ flags |= MF_PAX_EMUTRAMP;
57060 -+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
57061 -+ flags |= MF_PAX_MPROTECT;
57062 -+
57063 -+ pax_set_flags(task, flags);
57064 -+
57065 -+ return;
57066 -+}
57067 -+#endif
57068 -+
57069 -+#ifdef CONFIG_SYSCTL
57070 -+/* Eric Biederman likes breaking userland ABI and every inode-based security
57071 -+ system to save 35kb of memory */
57072 -+
57073 -+/* we modify the passed in filename, but adjust it back before returning */
57074 -+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
57075 -+{
57076 -+ struct name_entry *nmatch;
57077 -+ char *p, *lastp = NULL;
57078 -+ struct acl_object_label *obj = NULL, *tmp;
57079 -+ struct acl_subject_label *tmpsubj;
57080 -+ int done = 0;
57081 -+ char c = '\0';
57082 -+
57083 -+ read_lock(&gr_inode_lock);
57084 -+
57085 -+ p = name + len - 1;
57086 -+ do {
57087 -+ nmatch = lookup_name_entry(name);
57088 -+ if (lastp != NULL)
57089 -+ *lastp = c;
57090 -+
57091 -+ if (nmatch == NULL)
57092 -+ goto next_component;
57093 -+ tmpsubj = current->acl;
57094 -+ do {
57095 -+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
57096 -+ if (obj != NULL) {
57097 -+ tmp = obj->globbed;
57098 -+ while (tmp) {
57099 -+ if (!glob_match(tmp->filename, name)) {
57100 -+ obj = tmp;
57101 -+ goto found_obj;
57102 -+ }
57103 -+ tmp = tmp->next;
57104 -+ }
57105 -+ goto found_obj;
57106 -+ }
57107 -+ } while ((tmpsubj = tmpsubj->parent_subject));
57108 -+next_component:
57109 -+ /* end case */
57110 -+ if (p == name)
57111 -+ break;
57112 -+
57113 -+ while (*p != '/')
57114 -+ p--;
57115 -+ if (p == name)
57116 -+ lastp = p + 1;
57117 -+ else {
57118 -+ lastp = p;
57119 -+ p--;
57120 -+ }
57121 -+ c = *lastp;
57122 -+ *lastp = '\0';
57123 -+ } while (1);
57124 -+found_obj:
57125 -+ read_unlock(&gr_inode_lock);
57126 -+ /* obj returned will always be non-null */
57127 -+ return obj;
57128 -+}
57129 -+
57130 -+/* returns 0 when allowing, non-zero on error
57131 -+ op of 0 is used for readdir, so we don't log the names of hidden files
57132 -+*/
57133 -+__u32
57134 -+gr_handle_sysctl(const struct ctl_table *table, const int op)
57135 -+{
57136 -+ ctl_table *tmp;
57137 -+ struct nameidata nd;
57138 -+ const char *proc_sys = "/proc/sys";
57139 -+ char *path;
57140 -+ struct acl_object_label *obj;
57141 -+ unsigned short len = 0, pos = 0, depth = 0, i;
57142 -+ __u32 err = 0;
57143 -+ __u32 mode = 0;
57144 -+
57145 -+ if (unlikely(!(gr_status & GR_READY)))
57146 -+ return 0;
57147 -+
57148 -+ /* for now, ignore operations on non-sysctl entries if it's not a
57149 -+ readdir*/
57150 -+ if (table->child != NULL && op != 0)
57151 -+ return 0;
57152 -+
57153 -+ mode |= GR_FIND;
57154 -+ /* it's only a read if it's an entry, read on dirs is for readdir */
57155 -+ if (op & 004)
57156 -+ mode |= GR_READ;
57157 -+ if (op & 002)
57158 -+ mode |= GR_WRITE;
57159 -+
57160 -+ preempt_disable();
57161 -+
57162 -+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
57163 -+
57164 -+ /* it's only a read/write if it's an actual entry, not a dir
57165 -+ (which are opened for readdir)
57166 -+ */
57167 -+
57168 -+ /* convert the requested sysctl entry into a pathname */
57169 -+
57170 -+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
57171 -+ len += strlen(tmp->procname);
57172 -+ len++;
57173 -+ depth++;
57174 -+ }
57175 -+
57176 -+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
57177 -+ /* deny */
57178 -+ goto out;
57179 -+ }
57180 -+
57181 -+ memset(path, 0, PAGE_SIZE);
57182 -+
57183 -+ memcpy(path, proc_sys, strlen(proc_sys));
57184 -+
57185 -+ pos += strlen(proc_sys);
57186 -+
57187 -+ for (; depth > 0; depth--) {
57188 -+ path[pos] = '/';
57189 -+ pos++;
57190 -+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
57191 -+ if (depth == i) {
57192 -+ memcpy(path + pos, tmp->procname,
57193 -+ strlen(tmp->procname));
57194 -+ pos += strlen(tmp->procname);
57195 -+ }
57196 -+ i++;
57197 -+ }
57198 -+ }
57199 -+
57200 -+ obj = gr_lookup_by_name(path, pos);
57201 -+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
57202 -+
57203 -+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
57204 -+ ((err & mode) != mode))) {
57205 -+ __u32 new_mode = mode;
57206 -+
57207 -+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
57208 -+
57209 -+ err = 0;
57210 -+ gr_log_learn_sysctl(current, path, new_mode);
57211 -+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
57212 -+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
57213 -+ err = -ENOENT;
57214 -+ } else if (!(err & GR_FIND)) {
57215 -+ err = -ENOENT;
57216 -+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
57217 -+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
57218 -+ path, (mode & GR_READ) ? " reading" : "",
57219 -+ (mode & GR_WRITE) ? " writing" : "");
57220 -+ err = -EACCES;
57221 -+ } else if ((err & mode) != mode) {
57222 -+ err = -EACCES;
57223 -+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
57224 -+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
57225 -+ path, (mode & GR_READ) ? " reading" : "",
57226 -+ (mode & GR_WRITE) ? " writing" : "");
57227 -+ err = 0;
57228 -+ } else
57229 -+ err = 0;
57230 -+
57231 -+ out:
57232 -+ preempt_enable();
57233 -+
57234 -+ return err;
57235 -+}
57236 -+#endif
57237 -+
57238 -+int
57239 -+gr_handle_proc_ptrace(struct task_struct *task)
57240 -+{
57241 -+ struct file *filp;
57242 -+ struct task_struct *tmp = task;
57243 -+ struct task_struct *curtemp = current;
57244 -+ __u32 retmode;
57245 -+
57246 -+ if (unlikely(!(gr_status & GR_READY)))
57247 -+ return 0;
57248 -+
57249 -+ read_lock(&tasklist_lock);
57250 -+ read_lock(&grsec_exec_file_lock);
57251 -+ filp = task->exec_file;
57252 -+
57253 -+ while (tmp->pid > 0) {
57254 -+ if (tmp == curtemp)
57255 -+ break;
57256 -+ tmp = tmp->parent;
57257 -+ }
57258 -+
57259 -+ if (!filp || (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE))) {
57260 -+ read_unlock(&grsec_exec_file_lock);
57261 -+ read_unlock(&tasklist_lock);
57262 -+ return 1;
57263 -+ }
57264 -+
57265 -+ retmode = gr_search_file(filp->f_dentry, GR_NOPTRACE, filp->f_vfsmnt);
57266 -+ read_unlock(&grsec_exec_file_lock);
57267 -+ read_unlock(&tasklist_lock);
57268 -+
57269 -+ if (retmode & GR_NOPTRACE)
57270 -+ return 1;
57271 -+
57272 -+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
57273 -+ && (current->acl != task->acl || (current->acl != current->role->root_label
57274 -+ && current->pid != task->pid)))
57275 -+ return 1;
57276 -+
57277 -+ return 0;
57278 -+}
57279 -+
57280 -+int
57281 -+gr_handle_ptrace(struct task_struct *task, const long request)
57282 -+{
57283 -+ struct task_struct *tmp = task;
57284 -+ struct task_struct *curtemp = current;
57285 -+ __u32 retmode;
57286 -+
57287 -+ if (unlikely(!(gr_status & GR_READY)))
57288 -+ return 0;
57289 -+
57290 -+ read_lock(&tasklist_lock);
57291 -+ while (tmp->pid > 0) {
57292 -+ if (tmp == curtemp)
57293 -+ break;
57294 -+ tmp = tmp->parent;
57295 -+ }
57296 -+
57297 -+ if (tmp->pid == 0 && !(current->acl->mode & GR_RELAXPTRACE)) {
57298 -+ read_unlock(&tasklist_lock);
57299 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57300 -+ return 1;
57301 -+ }
57302 -+ read_unlock(&tasklist_lock);
57303 -+
57304 -+ read_lock(&grsec_exec_file_lock);
57305 -+ if (unlikely(!task->exec_file)) {
57306 -+ read_unlock(&grsec_exec_file_lock);
57307 -+ return 0;
57308 -+ }
57309 -+
57310 -+ retmode = gr_search_file(task->exec_file->f_dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_vfsmnt);
57311 -+ read_unlock(&grsec_exec_file_lock);
57312 -+
57313 -+ if (retmode & GR_NOPTRACE) {
57314 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57315 -+ return 1;
57316 -+ }
57317 -+
57318 -+ if (retmode & GR_PTRACERD) {
57319 -+ switch (request) {
57320 -+ case PTRACE_POKETEXT:
57321 -+ case PTRACE_POKEDATA:
57322 -+ case PTRACE_POKEUSR:
57323 -+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
57324 -+ case PTRACE_SETREGS:
57325 -+ case PTRACE_SETFPREGS:
57326 -+#endif
57327 -+#ifdef CONFIG_X86
57328 -+ case PTRACE_SETFPXREGS:
57329 -+#endif
57330 -+#ifdef CONFIG_ALTIVEC
57331 -+ case PTRACE_SETVRREGS:
57332 -+#endif
57333 -+ return 1;
57334 -+ default:
57335 -+ return 0;
57336 -+ }
57337 -+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
57338 -+ !(current->role->roletype & GR_ROLE_GOD) &&
57339 -+ (current->acl != task->acl)) {
57340 -+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
57341 -+ return 1;
57342 -+ }
57343 -+
57344 -+ return 0;
57345 -+}
57346 -+
57347 -+static int is_writable_mmap(const struct file *filp)
57348 -+{
57349 -+ struct task_struct *task = current;
57350 -+ struct acl_object_label *obj, *obj2;
57351 -+
57352 -+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
57353 -+ !task->is_writable && S_ISREG(filp->f_dentry->d_inode->i_mode)) {
57354 -+ obj = chk_obj_label(filp->f_dentry, filp->f_vfsmnt, default_role->root_label);
57355 -+ obj2 = chk_obj_label(filp->f_dentry, filp->f_vfsmnt,
57356 -+ task->role->root_label);
57357 -+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
57358 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_dentry, filp->f_vfsmnt);
57359 -+ return 1;
57360 -+ }
57361 -+ }
57362 -+ return 0;
57363 -+}
57364 -+
57365 -+int
57366 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
57367 -+{
57368 -+ __u32 mode;
57369 -+
57370 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
57371 -+ return 1;
57372 -+
57373 -+ if (is_writable_mmap(file))
57374 -+ return 0;
57375 -+
57376 -+ mode =
57377 -+ gr_search_file(file->f_dentry,
57378 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
57379 -+ file->f_vfsmnt);
57380 -+
57381 -+ if (!gr_tpe_allow(file))
57382 -+ return 0;
57383 -+
57384 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
57385 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57386 -+ return 0;
57387 -+ } else if (unlikely(!(mode & GR_EXEC))) {
57388 -+ return 0;
57389 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
57390 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57391 -+ return 1;
57392 -+ }
57393 -+
57394 -+ return 1;
57395 -+}
57396 -+
57397 -+int
57398 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
57399 -+{
57400 -+ __u32 mode;
57401 -+
57402 -+ if (unlikely(!file || !(prot & PROT_EXEC)))
57403 -+ return 1;
57404 -+
57405 -+ if (is_writable_mmap(file))
57406 -+ return 0;
57407 -+
57408 -+ mode =
57409 -+ gr_search_file(file->f_dentry,
57410 -+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
57411 -+ file->f_vfsmnt);
57412 -+
57413 -+ if (!gr_tpe_allow(file))
57414 -+ return 0;
57415 -+
57416 -+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
57417 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57418 -+ return 0;
57419 -+ } else if (unlikely(!(mode & GR_EXEC))) {
57420 -+ return 0;
57421 -+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
57422 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_dentry, file->f_vfsmnt);
57423 -+ return 1;
57424 -+ }
57425 -+
57426 -+ return 1;
57427 -+}
57428 -+
57429 -+void
57430 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
57431 -+{
57432 -+ unsigned long runtime;
57433 -+ unsigned long cputime;
57434 -+ unsigned int wday, cday;
57435 -+ __u8 whr, chr;
57436 -+ __u8 wmin, cmin;
57437 -+ __u8 wsec, csec;
57438 -+
57439 -+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
57440 -+ !(task->acl->mode & GR_PROCACCT)))
57441 -+ return;
57442 -+
57443 -+ runtime = xtime.tv_sec - task->start_time.tv_sec;
57444 -+ wday = runtime / (3600 * 24);
57445 -+ runtime -= wday * (3600 * 24);
57446 -+ whr = runtime / 3600;
57447 -+ runtime -= whr * 3600;
57448 -+ wmin = runtime / 60;
57449 -+ runtime -= wmin * 60;
57450 -+ wsec = runtime;
57451 -+
57452 -+ cputime = (task->utime + task->stime) / HZ;
57453 -+ cday = cputime / (3600 * 24);
57454 -+ cputime -= cday * (3600 * 24);
57455 -+ chr = cputime / 3600;
57456 -+ cputime -= chr * 3600;
57457 -+ cmin = cputime / 60;
57458 -+ cputime -= cmin * 60;
57459 -+ csec = cputime;
57460 -+
57461 -+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
57462 -+
57463 -+ return;
57464 -+}
57465 -+
57466 -+void gr_set_kernel_label(struct task_struct *task)
57467 -+{
57468 -+ if (gr_status & GR_READY) {
57469 -+ task->role = kernel_role;
57470 -+ task->acl = kernel_role->root_label;
57471 -+ }
57472 -+ return;
57473 -+}
57474 -+
57475 -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
57476 -+{
57477 -+ struct task_struct *task = current;
57478 -+ struct dentry *dentry = file->f_dentry;
57479 -+ struct vfsmount *mnt = file->f_vfsmnt;
57480 -+ struct acl_object_label *obj, *tmp;
57481 -+ struct acl_subject_label *subj;
57482 -+ unsigned int bufsize;
57483 -+ int is_not_root;
57484 -+ char *path;
57485 -+
57486 -+ if (unlikely(!(gr_status & GR_READY)))
57487 -+ return 1;
57488 -+
57489 -+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
57490 -+ return 1;
57491 -+
57492 -+ /* ignore Eric Biederman */
57493 -+ if (IS_PRIVATE(dentry->d_inode))
57494 -+ return 1;
57495 -+
57496 -+ subj = task->acl;
57497 -+ do {
57498 -+ obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
57499 -+ if (obj != NULL)
57500 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57501 -+ } while ((subj = subj->parent_subject));
57502 -+
57503 -+ obj = chk_obj_label(dentry, mnt, task->acl);
57504 -+ if (obj->globbed == NULL)
57505 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57506 -+
57507 -+ is_not_root = ((obj->filename[0] == '/') &&
57508 -+ (obj->filename[1] == '\0')) ? 0 : 1;
57509 -+ bufsize = PAGE_SIZE - namelen - is_not_root;
57510 -+
57511 -+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
57512 -+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
57513 -+ return 1;
57514 -+
57515 -+ preempt_disable();
57516 -+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
57517 -+ bufsize);
57518 -+
57519 -+ bufsize = strlen(path);
57520 -+
57521 -+ /* if base is "/", don't append an additional slash */
57522 -+ if (is_not_root)
57523 -+ *(path + bufsize) = '/';
57524 -+ memcpy(path + bufsize + is_not_root, name, namelen);
57525 -+ *(path + bufsize + namelen + is_not_root) = '\0';
57526 -+
57527 -+ tmp = obj->globbed;
57528 -+ while (tmp) {
57529 -+ if (!glob_match(tmp->filename, path)) {
57530 -+ preempt_enable();
57531 -+ return (tmp->mode & GR_FIND) ? 1 : 0;
57532 -+ }
57533 -+ tmp = tmp->next;
57534 -+ }
57535 -+ preempt_enable();
57536 -+ return (obj->mode & GR_FIND) ? 1 : 0;
57537 -+}
57538 -+
57539 -+EXPORT_SYMBOL(gr_learn_resource);
57540 -+EXPORT_SYMBOL(gr_set_kernel_label);
57541 -+#ifdef CONFIG_SECURITY
57542 -+EXPORT_SYMBOL(gr_check_user_change);
57543 -+EXPORT_SYMBOL(gr_check_group_change);
57544 -+#endif
57545 -+
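Review bot: in gr_handle_sysctl the oversized-path branch does not actually deny. The header comment says "returns 0 when allowing, non-zero on error", yet the block "if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) { /* deny */ goto out; }" jumps to out with err still 0, so a sysctl whose constructed /proc/sys path would not fit the per-cpu page is allowed with no log line; set err = -EACCES (or -ENOENT, matching the other failure branches) before the goto. Two smaller points in the same hunk: write_grsec_handler zeroes gr_usermode (and with it the supplied pw) only in the SHUTDOWN case, while the ENABLE, RELOAD, SEGVMOD and SPROLE paths leave the password bytes in gr_usermode after chkpw() as far as this hunk shows, so a memset of gr_usermode->pw after each chkpw() call would limit how long the secret stays resident; and gr_acl_handle_mmap and gr_acl_handle_mprotect are identical except for the GR_MMAP_ACL_MSG / GR_MPROTECT_ACL_MSG log id, so a shared static helper taking the message id would keep the two checks from drifting apart.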
57546 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_alloc.c linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c
57547 ---- linux-2.6.23.15/grsecurity/gracl_alloc.c 1970-01-01 01:00:00.000000000 +0100
57548 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_alloc.c 2008-02-11 10:37:44.000000000 +0000
57549 -@@ -0,0 +1,91 @@
57550 -+#include <linux/kernel.h>
57551 -+#include <linux/mm.h>
57552 -+#include <linux/slab.h>
57553 -+#include <linux/vmalloc.h>
57554 -+#include <linux/gracl.h>
57555 -+#include <linux/grsecurity.h>
57556 -+
57557 -+static unsigned long alloc_stack_next = 1;
57558 -+static unsigned long alloc_stack_size = 1;
57559 -+static void **alloc_stack;
57560 -+
57561 -+static __inline__ int
57562 -+alloc_pop(void)
57563 -+{
57564 -+ if (alloc_stack_next == 1)
57565 -+ return 0;
57566 -+
57567 -+ kfree(alloc_stack[alloc_stack_next - 2]);
57568 -+
57569 -+ alloc_stack_next--;
57570 -+
57571 -+ return 1;
57572 -+}
57573 -+
57574 -+static __inline__ void
57575 -+alloc_push(void *buf)
57576 -+{
57577 -+ if (alloc_stack_next >= alloc_stack_size)
57578 -+ BUG();
57579 -+
57580 -+ alloc_stack[alloc_stack_next - 1] = buf;
57581 -+
57582 -+ alloc_stack_next++;
57583 -+
57584 -+ return;
57585 -+}
57586 -+
57587 -+void *
57588 -+acl_alloc(unsigned long len)
57589 -+{
57590 -+ void *ret;
57591 -+
57592 -+ if (len > PAGE_SIZE)
57593 -+ BUG();
57594 -+
57595 -+ ret = kmalloc(len, GFP_KERNEL);
57596 -+
57597 -+ if (ret)
57598 -+ alloc_push(ret);
57599 -+
57600 -+ return ret;
57601 -+}
57602 -+
57603 -+void
57604 -+acl_free_all(void)
57605 -+{
57606 -+ if (gr_acl_is_enabled() || !alloc_stack)
57607 -+ return;
57608 -+
57609 -+ while (alloc_pop()) ;
57610 -+
57611 -+ if (alloc_stack) {
57612 -+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
57613 -+ kfree(alloc_stack);
57614 -+ else
57615 -+ vfree(alloc_stack);
57616 -+ }
57617 -+
57618 -+ alloc_stack = NULL;
57619 -+ alloc_stack_size = 1;
57620 -+ alloc_stack_next = 1;
57621 -+
57622 -+ return;
57623 -+}
57624 -+
57625 -+int
57626 -+acl_alloc_stack_init(unsigned long size)
57627 -+{
57628 -+ if ((size * sizeof (void *)) <= PAGE_SIZE)
57629 -+ alloc_stack =
57630 -+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
57631 -+ else
57632 -+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
57633 -+
57634 -+ alloc_stack_size = size;
57635 -+
57636 -+ if (!alloc_stack)
57637 -+ return 0;
57638 -+ else
57639 -+ return 1;
57640 -+}
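Review bot: acl_alloc turns a request larger than PAGE_SIZE into a kernel panic via BUG(), although the caller is already prepared for failure (alloc_push is only reached "if (ret)"); returning NULL for len > PAGE_SIZE would degrade a bad policy load into a failed load rather than a crash, and the same applies to the BUG() in alloc_push when alloc_stack_next >= alloc_stack_size. In acl_alloc_stack_init the product "size * sizeof (void *)" is compared against PAGE_SIZE and passed to kmalloc/vmalloc without any overflow check on size, so an explicit upper bound on size (returning 0 when exceeded) would be worth adding. Minor: acl_free_all tests alloc_stack twice, once in the early return and again before the kfree/vfree, so the second test is redundant.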
57641 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_cap.c linux-2.6.23.15-grsec/grsecurity/gracl_cap.c
57642 ---- linux-2.6.23.15/grsecurity/gracl_cap.c 1970-01-01 01:00:00.000000000 +0100
57643 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_cap.c 2008-02-11 10:37:44.000000000 +0000
57644 -@@ -0,0 +1,112 @@
57645 -+#include <linux/kernel.h>
57646 -+#include <linux/module.h>
57647 -+#include <linux/sched.h>
57648 -+#include <linux/capability.h>
57649 -+#include <linux/gracl.h>
57650 -+#include <linux/grsecurity.h>
57651 -+#include <linux/grinternal.h>
57652 -+
57653 -+static const char *captab_log[] = {
57654 -+ "CAP_CHOWN",
57655 -+ "CAP_DAC_OVERRIDE",
57656 -+ "CAP_DAC_READ_SEARCH",
57657 -+ "CAP_FOWNER",
57658 -+ "CAP_FSETID",
57659 -+ "CAP_KILL",
57660 -+ "CAP_SETGID",
57661 -+ "CAP_SETUID",
57662 -+ "CAP_SETPCAP",
57663 -+ "CAP_LINUX_IMMUTABLE",
57664 -+ "CAP_NET_BIND_SERVICE",
57665 -+ "CAP_NET_BROADCAST",
57666 -+ "CAP_NET_ADMIN",
57667 -+ "CAP_NET_RAW",
57668 -+ "CAP_IPC_LOCK",
57669 -+ "CAP_IPC_OWNER",
57670 -+ "CAP_SYS_MODULE",
57671 -+ "CAP_SYS_RAWIO",
57672 -+ "CAP_SYS_CHROOT",
57673 -+ "CAP_SYS_PTRACE",
57674 -+ "CAP_SYS_PACCT",
57675 -+ "CAP_SYS_ADMIN",
57676 -+ "CAP_SYS_BOOT",
57677 -+ "CAP_SYS_NICE",
57678 -+ "CAP_SYS_RESOURCE",
57679 -+ "CAP_SYS_TIME",
57680 -+ "CAP_SYS_TTY_CONFIG",
57681 -+ "CAP_MKNOD",
57682 -+ "CAP_LEASE",
57683 -+ "CAP_AUDIT_WRITE",
57684 -+ "CAP_AUDIT_CONTROL"
57685 -+};
57686 -+
57687 -+EXPORT_SYMBOL(gr_task_is_capable);
57688 -+EXPORT_SYMBOL(gr_is_capable_nolog);
57689 -+
57690 -+int
57691 -+gr_task_is_capable(struct task_struct *task, const int cap)
57692 -+{
57693 -+ struct acl_subject_label *curracl;
57694 -+ __u32 cap_drop = 0, cap_mask = 0;
57695 -+
57696 -+ if (!gr_acl_is_enabled())
57697 -+ return 1;
57698 -+
57699 -+ curracl = task->acl;
57700 -+
57701 -+ cap_drop = curracl->cap_lower;
57702 -+ cap_mask = curracl->cap_mask;
57703 -+
57704 -+ while ((curracl = curracl->parent_subject)) {
57705 -+ if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))
57706 -+ cap_drop |= curracl->cap_lower & (1 << cap);
57707 -+ cap_mask |= curracl->cap_mask;
57708 -+ }
57709 -+
57710 -+ if (!cap_raised(cap_drop, cap))
57711 -+ return 1;
57712 -+
57713 -+ curracl = task->acl;
57714 -+
57715 -+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
57716 -+ && cap_raised(task->cap_effective, cap)) {
57717 -+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
57718 -+ task->role->roletype, task->uid,
57719 -+ task->gid, task->exec_file ?
57720 -+ gr_to_filename(task->exec_file->f_dentry,
57721 -+ task->exec_file->f_vfsmnt) : curracl->filename,
57722 -+ curracl->filename, 0UL,
57723 -+ 0UL, "", (unsigned long) cap, NIPQUAD(task->signal->curr_ip));
57724 -+ return 1;
57725 -+ }
57726 -+
57727 -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(task->cap_effective, cap))
57728 -+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
57729 -+ return 0;
57730 -+}
57731 -+
57732 -+int
57733 -+gr_is_capable_nolog(const int cap)
57734 -+{
57735 -+ struct acl_subject_label *curracl;
57736 -+ __u32 cap_drop = 0, cap_mask = 0;
57737 -+
57738 -+ if (!gr_acl_is_enabled())
57739 -+ return 1;
57740 -+
57741 -+ curracl = current->acl;
57742 -+
57743 -+ cap_drop = curracl->cap_lower;
57744 -+ cap_mask = curracl->cap_mask;
57745 -+
57746 -+ while ((curracl = curracl->parent_subject)) {
57747 -+ cap_drop |= curracl->cap_lower & (cap_mask & ~curracl->cap_mask);
57748 -+ cap_mask |= curracl->cap_mask;
57749 -+ }
57750 -+
57751 -+ if (!cap_raised(cap_drop, cap))
57752 -+ return 1;
57753 -+
57754 -+ return 0;
57755 -+}
57756 -+
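Review bot: the parent-subject walk in gr_is_capable_nolog disagrees with the one in gr_task_is_capable. gr_task_is_capable inherits a parent's cap_lower bit only when the parent masks a capability that no closer subject has masked yet (`if (!(cap_mask & (1 << cap)) && (curracl->cap_mask & (1 << cap)))`), whereas gr_is_capable_nolog masks with `cap_mask & ~curracl->cap_mask`, which selects the capabilities a closer subject already masks and the parent does not, the inverse condition. Since callers reach one or the other depending only on whether an audit line is wanted, the same subject can have a capability dropped on one path and kept on the other; suggest `cap_drop |= curracl->cap_lower & (~cap_mask & curracl->cap_mask);` so both walks compute the same drop set. Minor: the `cap < sizeof(captab_log)/sizeof(captab_log[0])` bound is checked only before indexing captab_log, after `1 << cap` has already been evaluated on the unchecked value; an ARRAY_SIZE check at the top of both functions would be cleaner.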
57757 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_fs.c linux-2.6.23.15-grsec/grsecurity/gracl_fs.c
57758 ---- linux-2.6.23.15/grsecurity/gracl_fs.c 1970-01-01 01:00:00.000000000 +0100
57759 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_fs.c 2008-02-11 10:37:44.000000000 +0000
57760 -@@ -0,0 +1,423 @@
57761 -+#include <linux/kernel.h>
57762 -+#include <linux/sched.h>
57763 -+#include <linux/types.h>
57764 -+#include <linux/fs.h>
57765 -+#include <linux/file.h>
57766 -+#include <linux/stat.h>
57767 -+#include <linux/grsecurity.h>
57768 -+#include <linux/grinternal.h>
57769 -+#include <linux/gracl.h>
57770 -+
57771 -+__u32
57772 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
57773 -+ const struct vfsmount * mnt)
57774 -+{
57775 -+ __u32 mode;
57776 -+
57777 -+ if (unlikely(!dentry->d_inode))
57778 -+ return GR_FIND;
57779 -+
57780 -+ mode =
57781 -+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
57782 -+
57783 -+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
57784 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
57785 -+ return mode;
57786 -+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
57787 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
57788 -+ return 0;
57789 -+ } else if (unlikely(!(mode & GR_FIND)))
57790 -+ return 0;
57791 -+
57792 -+ return GR_FIND;
57793 -+}
57794 -+
57795 -+__u32
57796 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
57797 -+ const int fmode)
57798 -+{
57799 -+ __u32 reqmode = GR_FIND;
57800 -+ __u32 mode;
57801 -+
57802 -+ if (unlikely(!dentry->d_inode))
57803 -+ return reqmode;
57804 -+
57805 -+ if (unlikely(fmode & O_APPEND))
57806 -+ reqmode |= GR_APPEND;
57807 -+ else if (unlikely(fmode & FMODE_WRITE))
57808 -+ reqmode |= GR_WRITE;
57809 -+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
57810 -+ reqmode |= GR_READ;
57811 -+
57812 -+ mode =
57813 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
57814 -+ mnt);
57815 -+
57816 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57817 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
57818 -+ reqmode & GR_READ ? " reading" : "",
57819 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57820 -+ GR_APPEND ? " appending" : "");
57821 -+ return reqmode;
57822 -+ } else
57823 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57824 -+ {
57825 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
57826 -+ reqmode & GR_READ ? " reading" : "",
57827 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57828 -+ GR_APPEND ? " appending" : "");
57829 -+ return 0;
57830 -+ } else if (unlikely((mode & reqmode) != reqmode))
57831 -+ return 0;
57832 -+
57833 -+ return reqmode;
57834 -+}
57835 -+
57836 -+__u32
57837 -+gr_acl_handle_creat(const struct dentry * dentry,
57838 -+ const struct dentry * p_dentry,
57839 -+ const struct vfsmount * p_mnt, const int fmode,
57840 -+ const int imode)
57841 -+{
57842 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
57843 -+ __u32 mode;
57844 -+
57845 -+ if (unlikely(fmode & O_APPEND))
57846 -+ reqmode |= GR_APPEND;
57847 -+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
57848 -+ reqmode |= GR_READ;
57849 -+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
57850 -+ reqmode |= GR_SETID;
57851 -+
57852 -+ mode =
57853 -+ gr_check_create(dentry, p_dentry, p_mnt,
57854 -+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
57855 -+
57856 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57857 -+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
57858 -+ reqmode & GR_READ ? " reading" : "",
57859 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57860 -+ GR_APPEND ? " appending" : "");
57861 -+ return reqmode;
57862 -+ } else
57863 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57864 -+ {
57865 -+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
57866 -+ reqmode & GR_READ ? " reading" : "",
57867 -+ reqmode & GR_WRITE ? " writing" : reqmode &
57868 -+ GR_APPEND ? " appending" : "");
57869 -+ return 0;
57870 -+ } else if (unlikely((mode & reqmode) != reqmode))
57871 -+ return 0;
57872 -+
57873 -+ return reqmode;
57874 -+}
57875 -+
57876 -+__u32
57877 -+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
57878 -+ const int fmode)
57879 -+{
57880 -+ __u32 mode, reqmode = GR_FIND;
57881 -+
57882 -+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
57883 -+ reqmode |= GR_EXEC;
57884 -+ if (fmode & S_IWOTH)
57885 -+ reqmode |= GR_WRITE;
57886 -+ if (fmode & S_IROTH)
57887 -+ reqmode |= GR_READ;
57888 -+
57889 -+ mode =
57890 -+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
57891 -+ mnt);
57892 -+
57893 -+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
57894 -+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
57895 -+ reqmode & GR_READ ? " reading" : "",
57896 -+ reqmode & GR_WRITE ? " writing" : "",
57897 -+ reqmode & GR_EXEC ? " executing" : "");
57898 -+ return reqmode;
57899 -+ } else
57900 -+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
57901 -+ {
57902 -+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
57903 -+ reqmode & GR_READ ? " reading" : "",
57904 -+ reqmode & GR_WRITE ? " writing" : "",
57905 -+ reqmode & GR_EXEC ? " executing" : "");
57906 -+ return 0;
57907 -+ } else if (unlikely((mode & reqmode) != reqmode))
57908 -+ return 0;
57909 -+
57910 -+ return reqmode;
57911 -+}
57912 -+
57913 -+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
57914 -+{
57915 -+ __u32 mode;
57916 -+
57917 -+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
57918 -+
57919 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
57920 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
57921 -+ return mode;
57922 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
57923 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
57924 -+ return 0;
57925 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
57926 -+ return 0;
57927 -+
57928 -+ return (reqmode);
57929 -+}
57930 -+
57931 -+__u32
57932 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
57933 -+{
57934 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
57935 -+}
57936 -+
57937 -+__u32
57938 -+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
57939 -+{
57940 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
57941 -+}
57942 -+
57943 -+__u32
57944 -+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
57945 -+{
57946 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
57947 -+}
57948 -+
57949 -+__u32
57950 -+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
57951 -+{
57952 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
57953 -+}
57954 -+
57955 -+__u32
57956 -+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
57957 -+ mode_t mode)
57958 -+{
57959 -+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
57960 -+ return 1;
57961 -+
57962 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
57963 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
57964 -+ GR_FCHMOD_ACL_MSG);
57965 -+ } else {
57966 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
57967 -+ }
57968 -+}
57969 -+
57970 -+__u32
57971 -+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
57972 -+ mode_t mode)
57973 -+{
57974 -+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
57975 -+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
57976 -+ GR_CHMOD_ACL_MSG);
57977 -+ } else {
57978 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
57979 -+ }
57980 -+}
57981 -+
57982 -+__u32
57983 -+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
57984 -+{
57985 -+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
57986 -+}
57987 -+
57988 -+__u32
57989 -+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
57990 -+{
57991 -+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
57992 -+}
57993 -+
57994 -+__u32
57995 -+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
57996 -+{
57997 -+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
57998 -+ GR_UNIXCONNECT_ACL_MSG);
57999 -+}
58000 -+
58001 -+/* hardlinks require at minimum create permission,
58002 -+ any additional privilege required is based on the
58003 -+ privilege of the file being linked to
58004 -+*/
58005 -+__u32
58006 -+gr_acl_handle_link(const struct dentry * new_dentry,
58007 -+ const struct dentry * parent_dentry,
58008 -+ const struct vfsmount * parent_mnt,
58009 -+ const struct dentry * old_dentry,
58010 -+ const struct vfsmount * old_mnt, const char *to)
58011 -+{
58012 -+ __u32 mode;
58013 -+ __u32 needmode = GR_CREATE | GR_LINK;
58014 -+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
58015 -+
58016 -+ mode =
58017 -+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
58018 -+ old_mnt);
58019 -+
58020 -+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
58021 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
58022 -+ return mode;
58023 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
58024 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
58025 -+ return 0;
58026 -+ } else if (unlikely((mode & needmode) != needmode))
58027 -+ return 0;
58028 -+
58029 -+ return 1;
58030 -+}
58031 -+
58032 -+__u32
58033 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
58034 -+ const struct dentry * parent_dentry,
58035 -+ const struct vfsmount * parent_mnt, const char *from)
58036 -+{
58037 -+ __u32 needmode = GR_WRITE | GR_CREATE;
58038 -+ __u32 mode;
58039 -+
58040 -+ mode =
58041 -+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
58042 -+ GR_CREATE | GR_AUDIT_CREATE |
58043 -+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
58044 -+
58045 -+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
58046 -+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
58047 -+ return mode;
58048 -+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
58049 -+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
58050 -+ return 0;
58051 -+ } else if (unlikely((mode & needmode) != needmode))
58052 -+ return 0;
58053 -+
58054 -+ return (GR_WRITE | GR_CREATE);
58055 -+}
58056 -+
58057 -+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
58058 -+{
58059 -+ __u32 mode;
58060 -+
58061 -+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
58062 -+
58063 -+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
58064 -+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
58065 -+ return mode;
58066 -+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
58067 -+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
58068 -+ return 0;
58069 -+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
58070 -+ return 0;
58071 -+
58072 -+ return (reqmode);
58073 -+}
58074 -+
58075 -+__u32
58076 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
58077 -+ const struct dentry * parent_dentry,
58078 -+ const struct vfsmount * parent_mnt,
58079 -+ const int mode)
58080 -+{
58081 -+ __u32 reqmode = GR_WRITE | GR_CREATE;
58082 -+ if (unlikely(mode & (S_ISUID | S_ISGID)))
58083 -+ reqmode |= GR_SETID;
58084 -+
58085 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
58086 -+ reqmode, GR_MKNOD_ACL_MSG);
58087 -+}
58088 -+
58089 -+__u32
58090 -+gr_acl_handle_mkdir(const struct dentry *new_dentry,
58091 -+ const struct dentry *parent_dentry,
58092 -+ const struct vfsmount *parent_mnt)
58093 -+{
58094 -+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
58095 -+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
58096 -+}
58097 -+
58098 -+#define RENAME_CHECK_SUCCESS(old, new) \
58099 -+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
58100 -+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
58101 -+
58102 -+int
58103 -+gr_acl_handle_rename(struct dentry *new_dentry,
58104 -+ struct dentry *parent_dentry,
58105 -+ const struct vfsmount *parent_mnt,
58106 -+ struct dentry *old_dentry,
58107 -+ struct inode *old_parent_inode,
58108 -+ struct vfsmount *old_mnt, const char *newname)
58109 -+{
58110 -+ __u32 comp1, comp2;
58111 -+ int error = 0;
58112 -+
58113 -+ if (unlikely(!gr_acl_is_enabled()))
58114 -+ return 0;
58115 -+
58116 -+ if (!new_dentry->d_inode) {
58117 -+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
58118 -+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
58119 -+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
58120 -+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
58121 -+ GR_DELETE | GR_AUDIT_DELETE |
58122 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
58123 -+ GR_SUPPRESS, old_mnt);
58124 -+ } else {
58125 -+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
58126 -+ GR_CREATE | GR_DELETE |
58127 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
58128 -+ GR_AUDIT_READ | GR_AUDIT_WRITE |
58129 -+ GR_SUPPRESS, parent_mnt);
58130 -+ comp2 =
58131 -+ gr_search_file(old_dentry,
58132 -+ GR_READ | GR_WRITE | GR_AUDIT_READ |
58133 -+ GR_DELETE | GR_AUDIT_DELETE |
58134 -+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
58135 -+ }
58136 -+
58137 -+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
58138 -+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
58139 -+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
58140 -+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
58141 -+ && !(comp2 & GR_SUPPRESS)) {
58142 -+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
58143 -+ error = -EACCES;
58144 -+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
58145 -+ error = -EACCES;
58146 -+
58147 -+ return error;
58148 -+}
58149 -+
58150 -+void
58151 -+gr_acl_handle_exit(void)
58152 -+{
58153 -+ u16 id;
58154 -+ char *rolename;
58155 -+ struct file *exec_file;
58156 -+
58157 -+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
58158 -+ id = current->acl_role_id;
58159 -+ rolename = current->role->rolename;
58160 -+ gr_set_acls(1);
58161 -+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
58162 -+ }
58163 -+
58164 -+ write_lock(&grsec_exec_file_lock);
58165 -+ exec_file = current->exec_file;
58166 -+ current->exec_file = NULL;
58167 -+ write_unlock(&grsec_exec_file_lock);
58168 -+
58169 -+ if (exec_file)
58170 -+ fput(exec_file);
58171 -+}
58172 -+
58173 -+int
58174 -+gr_acl_handle_procpidmem(const struct task_struct *task)
58175 -+{
58176 -+ if (unlikely(!gr_acl_is_enabled()))
58177 -+ return 0;
58178 -+
58179 -+ if (task->acl->mode & GR_PROTPROCFD)
58180 -+ return -EACCES;
58181 -+
58182 -+ return 0;
58183 -+}
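Review bot: in gr_acl_handle_symlink the audit branch tests only `mode & GR_WRITE && mode & GR_AUDITS`, while the deny branches test the full `(mode & needmode) != needmode` with needmode = GR_WRITE | GR_CREATE; if the parent directory grants an audited GR_WRITE but not GR_CREATE, the first branch returns the non-zero mode and the symlink is allowed without GR_CREATE ever being enforced. Suggest `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS)))`, matching generic_fs_create_handler. Separately, gr_acl_handle_access reads `dentry->d_inode->i_mode` for the S_IXOTH case without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file and gr_acl_handle_open apply first; a negative dentry would oops there, so the same early `return reqmode;` belongs at the top of that function.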
58184 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_ip.c linux-2.6.23.15-grsec/grsecurity/gracl_ip.c
58185 ---- linux-2.6.23.15/grsecurity/gracl_ip.c 1970-01-01 01:00:00.000000000 +0100
58186 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_ip.c 2008-02-11 10:37:44.000000000 +0000
58187 -@@ -0,0 +1,313 @@
58188 -+#include <linux/kernel.h>
58189 -+#include <asm/uaccess.h>
58190 -+#include <asm/errno.h>
58191 -+#include <net/sock.h>
58192 -+#include <linux/file.h>
58193 -+#include <linux/fs.h>
58194 -+#include <linux/net.h>
58195 -+#include <linux/in.h>
58196 -+#include <linux/skbuff.h>
58197 -+#include <linux/ip.h>
58198 -+#include <linux/udp.h>
58199 -+#include <linux/smp_lock.h>
58200 -+#include <linux/types.h>
58201 -+#include <linux/sched.h>
58202 -+#include <linux/netdevice.h>
58203 -+#include <linux/inetdevice.h>
58204 -+#include <linux/gracl.h>
58205 -+#include <linux/grsecurity.h>
58206 -+#include <linux/grinternal.h>
58207 -+
58208 -+#define GR_BIND 0x01
58209 -+#define GR_CONNECT 0x02
58210 -+#define GR_INVERT 0x04
58211 -+
58212 -+static const char * gr_protocols[256] = {
58213 -+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
58214 -+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
58215 -+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
58216 -+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
58217 -+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
58218 -+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
58219 -+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
58220 -+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
58221 -+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
58222 -+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
58223 -+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
58224 -+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
58225 -+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
58226 -+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
58227 -+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
58228 -+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
58229 -+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
58230 -+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
58231 -+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
58232 -+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
58233 -+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
58234 -+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
58235 -+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
58236 -+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
58237 -+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
58238 -+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
58239 -+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
58240 -+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
58241 -+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
58242 -+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
58243 -+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
58244 -+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
58245 -+ };
58246 -+
58247 -+static const char * gr_socktypes[11] = {
58248 -+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
58249 -+ "unknown:7", "unknown:8", "unknown:9", "packet"
58250 -+ };
58251 -+
58252 -+const char *
58253 -+gr_proto_to_name(unsigned char proto)
58254 -+{
58255 -+ return gr_protocols[proto];
58256 -+}
58257 -+
58258 -+const char *
58259 -+gr_socktype_to_name(unsigned char type)
58260 -+{
58261 -+ return gr_socktypes[type];
58262 -+}
58263 -+
58264 -+int
58265 -+gr_search_socket(const int domain, const int type, const int protocol)
58266 -+{
58267 -+ struct acl_subject_label *curr;
58268 -+
58269 -+ if (unlikely(!gr_acl_is_enabled()))
58270 -+ goto exit;
58271 -+
58272 -+ if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
58273 -+ || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
58274 -+ goto exit; // let the kernel handle it
58275 -+
58276 -+ curr = current->acl;
58277 -+
58278 -+ if (!curr->ips)
58279 -+ goto exit;
58280 -+
58281 -+ if ((curr->ip_type & (1 << type)) &&
58282 -+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
58283 -+ goto exit;
58284 -+
58285 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
58286 -+ /* we don't place acls on raw sockets , and sometimes
58287 -+ dgram/ip sockets are opened for ioctl and not
58288 -+ bind/connect, so we'll fake a bind learn log */
58289 -+ if (type == SOCK_RAW || type == SOCK_PACKET) {
58290 -+ __u32 fakeip = 0;
58291 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58292 -+ current->role->roletype, current->uid,
58293 -+ current->gid, current->exec_file ?
58294 -+ gr_to_filename(current->exec_file->f_dentry,
58295 -+ current->exec_file->f_vfsmnt) :
58296 -+ curr->filename, curr->filename,
58297 -+ NIPQUAD(fakeip), 0, type,
58298 -+ protocol, GR_CONNECT,
58299 -+NIPQUAD(current->signal->curr_ip));
58300 -+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
58301 -+ __u32 fakeip = 0;
58302 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58303 -+ current->role->roletype, current->uid,
58304 -+ current->gid, current->exec_file ?
58305 -+ gr_to_filename(current->exec_file->f_dentry,
58306 -+ current->exec_file->f_vfsmnt) :
58307 -+ curr->filename, curr->filename,
58308 -+ NIPQUAD(fakeip), 0, type,
58309 -+ protocol, GR_BIND, NIPQUAD(current->signal->curr_ip));
58310 -+ }
58311 -+ /* we'll log when they use connect or bind */
58312 -+ goto exit;
58313 -+ }
58314 -+
58315 -+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet",
58316 -+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
58317 -+
58318 -+ return 0;
58319 -+ exit:
58320 -+ return 1;
58321 -+}
58322 -+
58323 -+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
58324 -+{
58325 -+ if ((ip->mode & mode) &&
58326 -+ (ip_port >= ip->low) &&
58327 -+ (ip_port <= ip->high) &&
58328 -+ ((ntohl(ip_addr) & our_netmask) ==
58329 -+ (ntohl(our_addr) & our_netmask))
58330 -+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
58331 -+ && (ip->type & (1 << type))) {
58332 -+ if (ip->mode & GR_INVERT)
58333 -+ return 2; // specifically denied
58334 -+ else
58335 -+ return 1; // allowed
58336 -+ }
58337 -+
58338 -+ return 0; // not specifically allowed, may continue parsing
58339 -+}
58340 -+
58341 -+static int
58342 -+gr_search_connectbind(const int mode, const struct sock *sk,
58343 -+ const struct sockaddr_in *addr, const int type)
58344 -+{
58345 -+ char iface[IFNAMSIZ] = {0};
58346 -+ struct acl_subject_label *curr;
58347 -+ struct acl_ip_label *ip;
58348 -+ struct net_device *dev;
58349 -+ struct in_device *idev;
58350 -+ unsigned long i;
58351 -+ int ret;
58352 -+ __u32 ip_addr = 0;
58353 -+ __u32 our_addr;
58354 -+ __u32 our_netmask;
58355 -+ char *p;
58356 -+ __u16 ip_port = 0;
58357 -+
58358 -+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
58359 -+ return 1;
58360 -+
58361 -+ curr = current->acl;
58362 -+
58363 -+ if (!curr->ips)
58364 -+ return 1;
58365 -+
58366 -+ ip_addr = addr->sin_addr.s_addr;
58367 -+ ip_port = ntohs(addr->sin_port);
58368 -+
58369 -+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
58370 -+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
58371 -+ current->role->roletype, current->uid,
58372 -+ current->gid, current->exec_file ?
58373 -+ gr_to_filename(current->exec_file->f_dentry,
58374 -+ current->exec_file->f_vfsmnt) :
58375 -+ curr->filename, curr->filename,
58376 -+ NIPQUAD(ip_addr), ip_port, type,
58377 -+ sk->sk_protocol, mode, NIPQUAD(current->signal->curr_ip));
58378 -+ return 1;
58379 -+ }
58380 -+
58381 -+ for (i = 0; i < curr->ip_num; i++) {
58382 -+ ip = *(curr->ips + i);
58383 -+ if (ip->iface != NULL) {
58384 -+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
58385 -+ p = strchr(iface, ':');
58386 -+ if (p != NULL)
58387 -+ *p = '\0';
58388 -+ dev = dev_get_by_name(iface);
58389 -+ if (dev == NULL)
58390 -+ continue;
58391 -+ idev = in_dev_get(dev);
58392 -+ if (idev == NULL) {
58393 -+ dev_put(dev);
58394 -+ continue;
58395 -+ }
58396 -+ rcu_read_lock();
58397 -+ for_ifa(idev) {
58398 -+ if (!strcmp(ip->iface, ifa->ifa_label)) {
58399 -+ our_addr = ifa->ifa_address;
58400 -+ our_netmask = 0xffffffff;
58401 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
58402 -+ if (ret == 1) {
58403 -+ rcu_read_unlock();
58404 -+ in_dev_put(idev);
58405 -+ dev_put(dev);
58406 -+ return 1;
58407 -+ } else if (ret == 2) {
58408 -+ rcu_read_unlock();
58409 -+ in_dev_put(idev);
58410 -+ dev_put(dev);
58411 -+ goto denied;
58412 -+ }
58413 -+ }
58414 -+ } endfor_ifa(idev);
58415 -+ rcu_read_unlock();
58416 -+ in_dev_put(idev);
58417 -+ dev_put(dev);
58418 -+ } else {
58419 -+ our_addr = ip->addr;
58420 -+ our_netmask = ip->netmask;
58421 -+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
58422 -+ if (ret == 1)
58423 -+ return 1;
58424 -+ else if (ret == 2)
58425 -+ goto denied;
58426 -+ }
58427 -+ }
58428 -+
58429 -+denied:
58430 -+ if (mode == GR_BIND)
58431 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58432 -+ else if (mode == GR_CONNECT)
58433 -+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, NIPQUAD(ip_addr), ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
58434 -+
58435 -+ return 0;
58436 -+}
58437 -+
58438 -+int
58439 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58440 -+{
58441 -+ return gr_search_connectbind(GR_CONNECT, sock->sk, addr, sock->type);
58442 -+}
58443 -+
58444 -+int
58445 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58446 -+{
58447 -+ return gr_search_connectbind(GR_BIND, sock->sk, addr, sock->type);
58448 -+}
58449 -+
58450 -+int gr_search_listen(const struct socket *sock)
58451 -+{
58452 -+ struct sock *sk = sock->sk;
58453 -+ struct sockaddr_in addr;
58454 -+
58455 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
58456 -+ addr.sin_port = inet_sk(sk)->sport;
58457 -+
58458 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
58459 -+}
58460 -+
58461 -+int gr_search_accept(const struct socket *sock)
58462 -+{
58463 -+ struct sock *sk = sock->sk;
58464 -+ struct sockaddr_in addr;
58465 -+
58466 -+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
58467 -+ addr.sin_port = inet_sk(sk)->sport;
58468 -+
58469 -+ return gr_search_connectbind(GR_BIND, sock->sk, &addr, sock->type);
58470 -+}
58471 -+
58472 -+int
58473 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58474 -+{
58475 -+ if (addr)
58476 -+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
58477 -+ else {
58478 -+ struct sockaddr_in sin;
58479 -+ const struct inet_sock *inet = inet_sk(sk);
58480 -+
58481 -+ sin.sin_addr.s_addr = inet->daddr;
58482 -+ sin.sin_port = inet->dport;
58483 -+
58484 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
58485 -+ }
58486 -+}
58487 -+
58488 -+int
58489 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58490 -+{
58491 -+ struct sockaddr_in sin;
58492 -+
58493 -+ if (unlikely(skb->len < sizeof (struct udphdr)))
58494 -+ return 1; // skip this packet
58495 -+
58496 -+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
58497 -+ sin.sin_port = udp_hdr(skb)->source;
58498 -+
58499 -+ return gr_search_connectbind(GR_CONNECT, sk, &sin, SOCK_DGRAM);
58500 -+}
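Review bot: gr_socktype_to_name indexes the 11-entry gr_socktypes table with an unsigned char and no bounds check. Its callers are safe only because gr_search_socket rejects `type >= SOCK_MAX` before calling it and gr_search_connectbind receives sock->type from an already-validated socket, so the guard lives in the callers rather than in the lookup; suggest `if (type >= ARRAY_SIZE(gr_socktypes)) return "unknown";` so the helper stays safe when a new caller is added (gr_proto_to_name needs nothing since its table has all 256 entries). Also a typo in the protocol table: `"unkown:134"` should be `"unknown:134"`, which matters because these strings end up in the GR_SOCK_MSG and GR_CONNECT_ACL_MSG log lines that people filter on.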
58501 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_learn.c linux-2.6.23.15-grsec/grsecurity/gracl_learn.c
58502 ---- linux-2.6.23.15/grsecurity/gracl_learn.c 1970-01-01 01:00:00.000000000 +0100
58503 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_learn.c 2008-02-11 10:37:44.000000000 +0000
58504 -@@ -0,0 +1,211 @@
58505 -+#include <linux/kernel.h>
58506 -+#include <linux/mm.h>
58507 -+#include <linux/sched.h>
58508 -+#include <linux/poll.h>
58509 -+#include <linux/smp_lock.h>
58510 -+#include <linux/string.h>
58511 -+#include <linux/file.h>
58512 -+#include <linux/types.h>
58513 -+#include <linux/vmalloc.h>
58514 -+#include <linux/grinternal.h>
58515 -+
58516 -+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
58517 -+ size_t count, loff_t *ppos);
58518 -+extern int gr_acl_is_enabled(void);
58519 -+
58520 -+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
58521 -+static int gr_learn_attached;
58522 -+
58523 -+/* use a 512k buffer */
58524 -+#define LEARN_BUFFER_SIZE (512 * 1024)
58525 -+
58526 -+static spinlock_t gr_learn_lock = SPIN_LOCK_UNLOCKED;
58527 -+static DECLARE_MUTEX(gr_learn_user_sem);
58528 -+
58529 -+/* we need to maintain two buffers, so that the kernel context of grlearn
58530 -+ uses a semaphore around the userspace copying, and the other kernel contexts
58531 -+ use a spinlock when copying into the buffer, since they cannot sleep
58532 -+*/
58533 -+static char *learn_buffer;
58534 -+static char *learn_buffer_user;
58535 -+static int learn_buffer_len;
58536 -+static int learn_buffer_user_len;
58537 -+
58538 -+static ssize_t
58539 -+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
58540 -+{
58541 -+ DECLARE_WAITQUEUE(wait, current);
58542 -+ ssize_t retval = 0;
58543 -+
58544 -+ add_wait_queue(&learn_wait, &wait);
58545 -+ set_current_state(TASK_INTERRUPTIBLE);
58546 -+ do {
58547 -+ down(&gr_learn_user_sem);
58548 -+ spin_lock(&gr_learn_lock);
58549 -+ if (learn_buffer_len)
58550 -+ break;
58551 -+ spin_unlock(&gr_learn_lock);
58552 -+ up(&gr_learn_user_sem);
58553 -+ if (file->f_flags & O_NONBLOCK) {
58554 -+ retval = -EAGAIN;
58555 -+ goto out;
58556 -+ }
58557 -+ if (signal_pending(current)) {
58558 -+ retval = -ERESTARTSYS;
58559 -+ goto out;
58560 -+ }
58561 -+
58562 -+ schedule();
58563 -+ } while (1);
58564 -+
58565 -+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
58566 -+ learn_buffer_user_len = learn_buffer_len;
58567 -+ retval = learn_buffer_len;
58568 -+ learn_buffer_len = 0;
58569 -+
58570 -+ spin_unlock(&gr_learn_lock);
58571 -+
58572 -+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
58573 -+ retval = -EFAULT;
58574 -+
58575 -+ up(&gr_learn_user_sem);
58576 -+out:
58577 -+ set_current_state(TASK_RUNNING);
58578 -+ remove_wait_queue(&learn_wait, &wait);
58579 -+ return retval;
58580 -+}
58581 -+
58582 -+static unsigned int
58583 -+poll_learn(struct file * file, poll_table * wait)
58584 -+{
58585 -+ poll_wait(file, &learn_wait, wait);
58586 -+
58587 -+ if (learn_buffer_len)
58588 -+ return (POLLIN | POLLRDNORM);
58589 -+
58590 -+ return 0;
58591 -+}
58592 -+
58593 -+void
58594 -+gr_clear_learn_entries(void)
58595 -+{
58596 -+ char *tmp;
58597 -+
58598 -+ down(&gr_learn_user_sem);
58599 -+ if (learn_buffer != NULL) {
58600 -+ spin_lock(&gr_learn_lock);
58601 -+ tmp = learn_buffer;
58602 -+ learn_buffer = NULL;
58603 -+ spin_unlock(&gr_learn_lock);
58604 -+ vfree(learn_buffer);
58605 -+ }
58606 -+ if (learn_buffer_user != NULL) {
58607 -+ vfree(learn_buffer_user);
58608 -+ learn_buffer_user = NULL;
58609 -+ }
58610 -+ learn_buffer_len = 0;
58611 -+ up(&gr_learn_user_sem);
58612 -+
58613 -+ return;
58614 -+}
58615 -+
58616 -+void
58617 -+gr_add_learn_entry(const char *fmt, ...)
58618 -+{
58619 -+ va_list args;
58620 -+ unsigned int len;
58621 -+
58622 -+ if (!gr_learn_attached)
58623 -+ return;
58624 -+
58625 -+ spin_lock(&gr_learn_lock);
58626 -+
58627 -+ /* leave a gap at the end so we know when it's "full" but don't have to
58628 -+ compute the exact length of the string we're trying to append
58629 -+ */
58630 -+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
58631 -+ spin_unlock(&gr_learn_lock);
58632 -+ wake_up_interruptible(&learn_wait);
58633 -+ return;
58634 -+ }
58635 -+ if (learn_buffer == NULL) {
58636 -+ spin_unlock(&gr_learn_lock);
58637 -+ return;
58638 -+ }
58639 -+
58640 -+ va_start(args, fmt);
58641 -+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
58642 -+ va_end(args);
58643 -+
58644 -+ learn_buffer_len += len + 1;
58645 -+
58646 -+ spin_unlock(&gr_learn_lock);
58647 -+ wake_up_interruptible(&learn_wait);
58648 -+
58649 -+ return;
58650 -+}
58651 -+
58652 -+static int
58653 -+open_learn(struct inode *inode, struct file *file)
58654 -+{
58655 -+ if (file->f_mode & FMODE_READ && gr_learn_attached)
58656 -+ return -EBUSY;
58657 -+ if (file->f_mode & FMODE_READ) {
58658 -+ int retval = 0;
58659 -+ down(&gr_learn_user_sem);
58660 -+ if (learn_buffer == NULL)
58661 -+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
58662 -+ if (learn_buffer_user == NULL)
58663 -+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
58664 -+ if (learn_buffer == NULL) {
58665 -+ retval = -ENOMEM;
58666 -+ goto out_error;
58667 -+ }
58668 -+ if (learn_buffer_user == NULL) {
58669 -+ retval = -ENOMEM;
58670 -+ goto out_error;
58671 -+ }
58672 -+ learn_buffer_len = 0;
58673 -+ learn_buffer_user_len = 0;
58674 -+ gr_learn_attached = 1;
58675 -+out_error:
58676 -+ up(&gr_learn_user_sem);
58677 -+ return retval;
58678 -+ }
58679 -+ return 0;
58680 -+}
58681 -+
58682 -+static int
58683 -+close_learn(struct inode *inode, struct file *file)
58684 -+{
58685 -+ char *tmp;
58686 -+
58687 -+ if (file->f_mode & FMODE_READ) {
58688 -+ down(&gr_learn_user_sem);
58689 -+ if (learn_buffer != NULL) {
58690 -+ spin_lock(&gr_learn_lock);
58691 -+ tmp = learn_buffer;
58692 -+ learn_buffer = NULL;
58693 -+ spin_unlock(&gr_learn_lock);
58694 -+ vfree(tmp);
58695 -+ }
58696 -+ if (learn_buffer_user != NULL) {
58697 -+ vfree(learn_buffer_user);
58698 -+ learn_buffer_user = NULL;
58699 -+ }
58700 -+ learn_buffer_len = 0;
58701 -+ learn_buffer_user_len = 0;
58702 -+ gr_learn_attached = 0;
58703 -+ up(&gr_learn_user_sem);
58704 -+ }
58705 -+
58706 -+ return 0;
58707 -+}
58708 -+
58709 -+struct file_operations grsec_fops = {
58710 -+ .read = read_learn,
58711 -+ .write = write_grsec_handler,
58712 -+ .open = open_learn,
58713 -+ .release = close_learn,
58714 -+ .poll = poll_learn,
58715 -+};
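Review bot: `gr_clear_learn_entries()` leaks the learn buffer: it saves `learn_buffer` into `tmp`, sets `learn_buffer = NULL` under the spinlock, and then calls `vfree(learn_buffer)`, which at that point is `vfree(NULL)`. It should be `vfree(tmp);`, exactly as `close_learn()` later in the same hunk does. Two further points in this file. In `read_learn()` the `set_current_state(TASK_INTERRUPTIBLE)` is done once before the `do { ... } while (1)` loop, but returning from `schedule()` leaves the task in TASK_RUNNING, so every iteration after the first calls `schedule()` without sleeping and a blocking reader spins until an entry arrives; move the `set_current_state()` call to just before `schedule()`. And `gr_add_learn_entry()` adds the return value of `vsnprintf()` to `learn_buffer_len` unconditionally; `vsnprintf()` returns the length the string would have had, not the number of bytes written, so one entry longer than the 16 KiB reserve pushes `learn_buffer_len` past `LEARN_BUFFER_SIZE` and the subsequent `memcpy()` in `read_learn()` copies beyond both buffers. Clamp `len` to the remaining space before adding it.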
58716 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_res.c linux-2.6.23.15-grsec/grsecurity/gracl_res.c
58717 ---- linux-2.6.23.15/grsecurity/gracl_res.c 1970-01-01 01:00:00.000000000 +0100
58718 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_res.c 2008-02-11 10:37:44.000000000 +0000
58719 -@@ -0,0 +1,45 @@
58720 -+#include <linux/kernel.h>
58721 -+#include <linux/sched.h>
58722 -+#include <linux/gracl.h>
58723 -+#include <linux/grinternal.h>
58724 -+
58725 -+static const char *restab_log[] = {
58726 -+ [RLIMIT_CPU] = "RLIMIT_CPU",
58727 -+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
58728 -+ [RLIMIT_DATA] = "RLIMIT_DATA",
58729 -+ [RLIMIT_STACK] = "RLIMIT_STACK",
58730 -+ [RLIMIT_CORE] = "RLIMIT_CORE",
58731 -+ [RLIMIT_RSS] = "RLIMIT_RSS",
58732 -+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
58733 -+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
58734 -+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
58735 -+ [RLIMIT_AS] = "RLIMIT_AS",
58736 -+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
58737 -+ [RLIMIT_LOCKS + 1] = "RLIMIT_CRASH"
58738 -+};
58739 -+
58740 -+void
58741 -+gr_log_resource(const struct task_struct *task,
58742 -+ const int res, const unsigned long wanted, const int gt)
58743 -+{
58744 -+ if (res == RLIMIT_NPROC &&
58745 -+ (cap_raised(task->cap_effective, CAP_SYS_ADMIN) ||
58746 -+ cap_raised(task->cap_effective, CAP_SYS_RESOURCE)))
58747 -+ return;
58748 -+ else if (res == RLIMIT_MEMLOCK &&
58749 -+ cap_raised(task->cap_effective, CAP_IPC_LOCK))
58750 -+ return;
58751 -+
58752 -+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
58753 -+ return;
58754 -+
58755 -+ preempt_disable();
58756 -+
58757 -+ if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) ||
58758 -+ (!gt && wanted >= task->signal->rlim[res].rlim_cur)) &&
58759 -+ task->signal->rlim[res].rlim_cur != RLIM_INFINITY))
58760 -+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur);
58761 -+ preempt_enable_no_resched();
58762 -+
58763 -+ return;
58764 -+}
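Review bot: `restab_log[res]` in the logging call at the end of this hunk is indexed with the caller-supplied `res` without a bounds check, and the table only has entries up to `RLIMIT_LOCKS + 1`. The kernels this patch targets define further resources above RLIMIT_LOCKS (RLIMIT_SIGPENDING, RLIMIT_MSGQUEUE, RLIMIT_NICE, RLIMIT_RTPRIO), so a limit hit on any of those reads past the array, and the `"RLIMIT_CRASH"` slot at `RLIMIT_LOCKS + 1` shares its number with RLIMIT_SIGPENDING. Either extend the table to cover every real RLIMIT_* and place the crash pseudo-resource at `RLIM_NLIMITS`, or return early when `res >= ARRAY_SIZE(restab_log)`.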
58765 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_segv.c linux-2.6.23.15-grsec/grsecurity/gracl_segv.c
58766 ---- linux-2.6.23.15/grsecurity/gracl_segv.c 1970-01-01 01:00:00.000000000 +0100
58767 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_segv.c 2008-02-11 10:37:44.000000000 +0000
58768 -@@ -0,0 +1,301 @@
58769 -+#include <linux/kernel.h>
58770 -+#include <linux/mm.h>
58771 -+#include <asm/uaccess.h>
58772 -+#include <asm/errno.h>
58773 -+#include <asm/mman.h>
58774 -+#include <net/sock.h>
58775 -+#include <linux/file.h>
58776 -+#include <linux/fs.h>
58777 -+#include <linux/net.h>
58778 -+#include <linux/in.h>
58779 -+#include <linux/smp_lock.h>
58780 -+#include <linux/slab.h>
58781 -+#include <linux/types.h>
58782 -+#include <linux/sched.h>
58783 -+#include <linux/timer.h>
58784 -+#include <linux/gracl.h>
58785 -+#include <linux/grsecurity.h>
58786 -+#include <linux/grinternal.h>
58787 -+
58788 -+static struct crash_uid *uid_set;
58789 -+static unsigned short uid_used;
58790 -+static spinlock_t gr_uid_lock = SPIN_LOCK_UNLOCKED;
58791 -+extern rwlock_t gr_inode_lock;
58792 -+extern struct acl_subject_label *
58793 -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
58794 -+ struct acl_role_label *role);
58795 -+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
58796 -+
58797 -+int
58798 -+gr_init_uidset(void)
58799 -+{
58800 -+ uid_set =
58801 -+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
58802 -+ uid_used = 0;
58803 -+
58804 -+ return uid_set ? 1 : 0;
58805 -+}
58806 -+
58807 -+void
58808 -+gr_free_uidset(void)
58809 -+{
58810 -+ if (uid_set)
58811 -+ kfree(uid_set);
58812 -+
58813 -+ return;
58814 -+}
58815 -+
58816 -+int
58817 -+gr_find_uid(const uid_t uid)
58818 -+{
58819 -+ struct crash_uid *tmp = uid_set;
58820 -+ uid_t buid;
58821 -+ int low = 0, high = uid_used - 1, mid;
58822 -+
58823 -+ while (high >= low) {
58824 -+ mid = (low + high) >> 1;
58825 -+ buid = tmp[mid].uid;
58826 -+ if (buid == uid)
58827 -+ return mid;
58828 -+ if (buid > uid)
58829 -+ high = mid - 1;
58830 -+ if (buid < uid)
58831 -+ low = mid + 1;
58832 -+ }
58833 -+
58834 -+ return -1;
58835 -+}
58836 -+
58837 -+static __inline__ void
58838 -+gr_insertsort(void)
58839 -+{
58840 -+ unsigned short i, j;
58841 -+ struct crash_uid index;
58842 -+
58843 -+ for (i = 1; i < uid_used; i++) {
58844 -+ index = uid_set[i];
58845 -+ j = i;
58846 -+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
58847 -+ uid_set[j] = uid_set[j - 1];
58848 -+ j--;
58849 -+ }
58850 -+ uid_set[j] = index;
58851 -+ }
58852 -+
58853 -+ return;
58854 -+}
58855 -+
58856 -+static __inline__ void
58857 -+gr_insert_uid(const uid_t uid, const unsigned long expires)
58858 -+{
58859 -+ int loc;
58860 -+
58861 -+ if (uid_used == GR_UIDTABLE_MAX)
58862 -+ return;
58863 -+
58864 -+ loc = gr_find_uid(uid);
58865 -+
58866 -+ if (loc >= 0) {
58867 -+ uid_set[loc].expires = expires;
58868 -+ return;
58869 -+ }
58870 -+
58871 -+ uid_set[uid_used].uid = uid;
58872 -+ uid_set[uid_used].expires = expires;
58873 -+ uid_used++;
58874 -+
58875 -+ gr_insertsort();
58876 -+
58877 -+ return;
58878 -+}
58879 -+
58880 -+void
58881 -+gr_remove_uid(const unsigned short loc)
58882 -+{
58883 -+ unsigned short i;
58884 -+
58885 -+ for (i = loc + 1; i < uid_used; i++)
58886 -+ uid_set[i - 1] = uid_set[i];
58887 -+
58888 -+ uid_used--;
58889 -+
58890 -+ return;
58891 -+}
58892 -+
58893 -+int
58894 -+gr_check_crash_uid(const uid_t uid)
58895 -+{
58896 -+ int loc;
58897 -+ int ret = 0;
58898 -+
58899 -+ if (unlikely(!gr_acl_is_enabled()))
58900 -+ return 0;
58901 -+
58902 -+ spin_lock(&gr_uid_lock);
58903 -+ loc = gr_find_uid(uid);
58904 -+
58905 -+ if (loc < 0)
58906 -+ goto out_unlock;
58907 -+
58908 -+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
58909 -+ gr_remove_uid(loc);
58910 -+ else
58911 -+ ret = 1;
58912 -+
58913 -+out_unlock:
58914 -+ spin_unlock(&gr_uid_lock);
58915 -+ return ret;
58916 -+}
58917 -+
58918 -+static __inline__ int
58919 -+proc_is_setxid(const struct task_struct *task)
58920 -+{
58921 -+ if (task->uid != task->euid || task->uid != task->suid ||
58922 -+ task->uid != task->fsuid)
58923 -+ return 1;
58924 -+ if (task->gid != task->egid || task->gid != task->sgid ||
58925 -+ task->gid != task->fsgid)
58926 -+ return 1;
58927 -+
58928 -+ return 0;
58929 -+}
58930 -+static __inline__ int
58931 -+gr_fake_force_sig(int sig, struct task_struct *t)
58932 -+{
58933 -+ unsigned long int flags;
58934 -+ int ret, blocked, ignored;
58935 -+ struct k_sigaction *action;
58936 -+
58937 -+ spin_lock_irqsave(&t->sighand->siglock, flags);
58938 -+ action = &t->sighand->action[sig-1];
58939 -+ ignored = action->sa.sa_handler == SIG_IGN;
58940 -+ blocked = sigismember(&t->blocked, sig);
58941 -+ if (blocked || ignored) {
58942 -+ action->sa.sa_handler = SIG_DFL;
58943 -+ if (blocked) {
58944 -+ sigdelset(&t->blocked, sig);
58945 -+ recalc_sigpending_and_wake(t);
58946 -+ }
58947 -+ }
58948 -+ ret = specific_send_sig_info(sig, (void*)1L, t);
58949 -+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
58950 -+
58951 -+ return ret;
58952 -+}
58953 -+
58954 -+void
58955 -+gr_handle_crash(struct task_struct *task, const int sig)
58956 -+{
58957 -+ struct acl_subject_label *curr;
58958 -+ struct acl_subject_label *curr2;
58959 -+ struct task_struct *tsk, *tsk2;
58960 -+
58961 -+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
58962 -+ return;
58963 -+
58964 -+ if (unlikely(!gr_acl_is_enabled()))
58965 -+ return;
58966 -+
58967 -+ curr = task->acl;
58968 -+
58969 -+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
58970 -+ return;
58971 -+
58972 -+ if (time_before_eq(curr->expires, get_seconds())) {
58973 -+ curr->expires = 0;
58974 -+ curr->crashes = 0;
58975 -+ }
58976 -+
58977 -+ curr->crashes++;
58978 -+
58979 -+ if (!curr->expires)
58980 -+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
58981 -+
58982 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
58983 -+ time_after(curr->expires, get_seconds())) {
58984 -+ if (task->uid && proc_is_setxid(task)) {
58985 -+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
58986 -+ spin_lock(&gr_uid_lock);
58987 -+ gr_insert_uid(task->uid, curr->expires);
58988 -+ spin_unlock(&gr_uid_lock);
58989 -+ curr->expires = 0;
58990 -+ curr->crashes = 0;
58991 -+ read_lock(&tasklist_lock);
58992 -+ do_each_thread(tsk2, tsk) {
58993 -+ if (tsk != task && tsk->uid == task->uid)
58994 -+ gr_fake_force_sig(SIGKILL, tsk);
58995 -+ } while_each_thread(tsk2, tsk);
58996 -+ read_unlock(&tasklist_lock);
58997 -+ } else {
58998 -+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
58999 -+ read_lock(&tasklist_lock);
59000 -+ do_each_thread(tsk2, tsk) {
59001 -+ if (likely(tsk != task)) {
59002 -+ curr2 = tsk->acl;
59003 -+
59004 -+ if (curr2->device == curr->device &&
59005 -+ curr2->inode == curr->inode)
59006 -+ gr_fake_force_sig(SIGKILL, tsk);
59007 -+ }
59008 -+ } while_each_thread(tsk2, tsk);
59009 -+ read_unlock(&tasklist_lock);
59010 -+ }
59011 -+ }
59012 -+
59013 -+ return;
59014 -+}
59015 -+
59016 -+int
59017 -+gr_check_crash_exec(const struct file *filp)
59018 -+{
59019 -+ struct acl_subject_label *curr;
59020 -+
59021 -+ if (unlikely(!gr_acl_is_enabled()))
59022 -+ return 0;
59023 -+
59024 -+ read_lock(&gr_inode_lock);
59025 -+ curr = lookup_acl_subj_label(filp->f_dentry->d_inode->i_ino,
59026 -+ filp->f_dentry->d_inode->i_sb->s_dev,
59027 -+ current->role);
59028 -+ read_unlock(&gr_inode_lock);
59029 -+
59030 -+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
59031 -+ (!curr->crashes && !curr->expires))
59032 -+ return 0;
59033 -+
59034 -+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
59035 -+ time_after(curr->expires, get_seconds()))
59036 -+ return 1;
59037 -+ else if (time_before_eq(curr->expires, get_seconds())) {
59038 -+ curr->crashes = 0;
59039 -+ curr->expires = 0;
59040 -+ }
59041 -+
59042 -+ return 0;
59043 -+}
59044 -+
59045 -+void
59046 -+gr_handle_alertkill(struct task_struct *task)
59047 -+{
59048 -+ struct acl_subject_label *curracl;
59049 -+ __u32 curr_ip;
59050 -+ struct task_struct *p, *p2;
59051 -+
59052 -+ if (unlikely(!gr_acl_is_enabled()))
59053 -+ return;
59054 -+
59055 -+ curracl = task->acl;
59056 -+ curr_ip = task->signal->curr_ip;
59057 -+
59058 -+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
59059 -+ read_lock(&tasklist_lock);
59060 -+ do_each_thread(p2, p) {
59061 -+ if (p->signal->curr_ip == curr_ip)
59062 -+ gr_fake_force_sig(SIGKILL, p);
59063 -+ } while_each_thread(p2, p);
59064 -+ read_unlock(&tasklist_lock);
59065 -+ } else if (curracl->mode & GR_KILLPROC)
59066 -+ gr_fake_force_sig(SIGKILL, task);
59067 -+
59068 -+ return;
59069 -+}
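Review bot: the per-subject crash counters are updated without any lock. `gr_handle_crash()` does `curr->crashes++` and resets `curr->expires` and `curr->crashes` on `task->acl`, and `gr_check_crash_exec()` resets the same two fields after it has already dropped `gr_inode_lock`. Every task running under the same subject shares that `acl_subject_label`, so two processes crashing at once can lose a count or clear a ban window the other one just started. Take a lock around the read-modify-write of `crashes`/`expires` (the existing `gr_uid_lock` is already taken in the same path, or add a per-subject lock) or make the fields atomic. Minor: in `gr_find_uid()` the `buid > uid` and `buid < uid` tests after the equality test should be an `else if` chain.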
59070 -diff -Nurp linux-2.6.23.15/grsecurity/gracl_shm.c linux-2.6.23.15-grsec/grsecurity/gracl_shm.c
59071 ---- linux-2.6.23.15/grsecurity/gracl_shm.c 1970-01-01 01:00:00.000000000 +0100
59072 -+++ linux-2.6.23.15-grsec/grsecurity/gracl_shm.c 2008-02-11 10:37:44.000000000 +0000
59073 -@@ -0,0 +1,33 @@
59074 -+#include <linux/kernel.h>
59075 -+#include <linux/mm.h>
59076 -+#include <linux/sched.h>
59077 -+#include <linux/file.h>
59078 -+#include <linux/ipc.h>
59079 -+#include <linux/gracl.h>
59080 -+#include <linux/grsecurity.h>
59081 -+#include <linux/grinternal.h>
59082 -+
59083 -+int
59084 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59085 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
59086 -+{
59087 -+ struct task_struct *task;
59088 -+
59089 -+ if (!gr_acl_is_enabled())
59090 -+ return 1;
59091 -+
59092 -+ task = find_task_by_pid(shm_cprid);
59093 -+
59094 -+ if (unlikely(!task))
59095 -+ task = find_task_by_pid(shm_lapid);
59096 -+
59097 -+ if (unlikely(task && (time_before((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
59098 -+ (task->pid == shm_lapid)) &&
59099 -+ (task->acl->mode & GR_PROTSHM) &&
59100 -+ (task->acl != current->acl))) {
59101 -+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
59102 -+ return 0;
59103 -+ }
59104 -+
59105 -+ return 1;
59106 -+}
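Review bot: `find_task_by_pid()` is called here without holding `tasklist_lock` or `rcu_read_lock()`, and the returned `task` is then dereferenced (`task->start_time`, `task->pid`, `task->acl`), so the target can exit and have its task_struct freed between the lookup and the use. The chroot variant of the same check, `gr_chroot_shmat()` in grsec_chroot.c, performs its lookups under `read_lock(&tasklist_lock)`; do the same here and hold the lock across the last `task->` access.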
59107 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_chdir.c linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c
59108 ---- linux-2.6.23.15/grsecurity/grsec_chdir.c 1970-01-01 01:00:00.000000000 +0100
59109 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_chdir.c 2008-02-11 10:37:44.000000000 +0000
59110 -@@ -0,0 +1,19 @@
59111 -+#include <linux/kernel.h>
59112 -+#include <linux/sched.h>
59113 -+#include <linux/fs.h>
59114 -+#include <linux/file.h>
59115 -+#include <linux/grsecurity.h>
59116 -+#include <linux/grinternal.h>
59117 -+
59118 -+void
59119 -+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
59120 -+{
59121 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59122 -+ if ((grsec_enable_chdir && grsec_enable_group &&
59123 -+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
59124 -+ !grsec_enable_group)) {
59125 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
59126 -+ }
59127 -+#endif
59128 -+ return;
59129 -+}
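Review bot: the condition in `gr_log_chdir()` repeats `grsec_enable_chdir` in both operands of the `||`. `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and states the rule directly: log when chdir auditing is on and either the group restriction is off or the caller is in the audit group.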
59130 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_chroot.c linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c
59131 ---- linux-2.6.23.15/grsecurity/grsec_chroot.c 1970-01-01 01:00:00.000000000 +0100
59132 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_chroot.c 2008-02-11 10:37:44.000000000 +0000
59133 -@@ -0,0 +1,335 @@
59134 -+#include <linux/kernel.h>
59135 -+#include <linux/module.h>
59136 -+#include <linux/sched.h>
59137 -+#include <linux/file.h>
59138 -+#include <linux/fs.h>
59139 -+#include <linux/mount.h>
59140 -+#include <linux/types.h>
59141 -+#include <linux/pid_namespace.h>
59142 -+#include <linux/grsecurity.h>
59143 -+#include <linux/grinternal.h>
59144 -+
59145 -+int
59146 -+gr_handle_chroot_unix(const pid_t pid)
59147 -+{
59148 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59149 -+ struct pid *spid = NULL;
59150 -+
59151 -+ if (unlikely(!grsec_enable_chroot_unix))
59152 -+ return 1;
59153 -+
59154 -+ if (likely(!proc_is_chrooted(current)))
59155 -+ return 1;
59156 -+
59157 -+ read_lock(&tasklist_lock);
59158 -+
59159 -+ spid = find_pid(pid);
59160 -+ if (spid) {
59161 -+ struct task_struct *p;
59162 -+ p = pid_task(spid, PIDTYPE_PID);
59163 -+ task_lock(p);
59164 -+ if (unlikely(!have_same_root(current, p))) {
59165 -+ task_unlock(p);
59166 -+ read_unlock(&tasklist_lock);
59167 -+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
59168 -+ return 0;
59169 -+ }
59170 -+ task_unlock(p);
59171 -+ }
59172 -+ read_unlock(&tasklist_lock);
59173 -+#endif
59174 -+ return 1;
59175 -+}
59176 -+
59177 -+int
59178 -+gr_handle_chroot_nice(void)
59179 -+{
59180 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59181 -+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
59182 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
59183 -+ return -EPERM;
59184 -+ }
59185 -+#endif
59186 -+ return 0;
59187 -+}
59188 -+
59189 -+int
59190 -+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
59191 -+{
59192 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59193 -+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
59194 -+ && proc_is_chrooted(current)) {
59195 -+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
59196 -+ return -EACCES;
59197 -+ }
59198 -+#endif
59199 -+ return 0;
59200 -+}
59201 -+
59202 -+int
59203 -+gr_handle_chroot_rawio(const struct inode *inode)
59204 -+{
59205 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59206 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
59207 -+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
59208 -+ return 1;
59209 -+#endif
59210 -+ return 0;
59211 -+}
59212 -+
59213 -+int
59214 -+gr_pid_is_chrooted(struct task_struct *p)
59215 -+{
59216 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59217 -+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
59218 -+ return 0;
59219 -+
59220 -+ task_lock(p);
59221 -+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
59222 -+ !have_same_root(current, p)) {
59223 -+ task_unlock(p);
59224 -+ return 1;
59225 -+ }
59226 -+ task_unlock(p);
59227 -+#endif
59228 -+ return 0;
59229 -+}
59230 -+
59231 -+EXPORT_SYMBOL(gr_pid_is_chrooted);
59232 -+
59233 -+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
59234 -+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
59235 -+{
59236 -+ struct dentry *dentry = (struct dentry *)u_dentry;
59237 -+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
59238 -+ struct dentry *realroot;
59239 -+ struct vfsmount *realrootmnt;
59240 -+ struct dentry *currentroot;
59241 -+ struct vfsmount *currentmnt;
59242 -+ struct task_struct *reaper = child_reaper(current);
59243 -+ int ret = 1;
59244 -+
59245 -+ read_lock(&reaper->fs->lock);
59246 -+ realrootmnt = mntget(reaper->fs->rootmnt);
59247 -+ realroot = dget(reaper->fs->root);
59248 -+ read_unlock(&reaper->fs->lock);
59249 -+
59250 -+ read_lock(&current->fs->lock);
59251 -+ currentmnt = mntget(current->fs->rootmnt);
59252 -+ currentroot = dget(current->fs->root);
59253 -+ read_unlock(&current->fs->lock);
59254 -+
59255 -+ spin_lock(&dcache_lock);
59256 -+ for (;;) {
59257 -+ if (unlikely((dentry == realroot && mnt == realrootmnt)
59258 -+ || (dentry == currentroot && mnt == currentmnt)))
59259 -+ break;
59260 -+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
59261 -+ if (mnt->mnt_parent == mnt)
59262 -+ break;
59263 -+ dentry = mnt->mnt_mountpoint;
59264 -+ mnt = mnt->mnt_parent;
59265 -+ continue;
59266 -+ }
59267 -+ dentry = dentry->d_parent;
59268 -+ }
59269 -+ spin_unlock(&dcache_lock);
59270 -+
59271 -+ dput(currentroot);
59272 -+ mntput(currentmnt);
59273 -+
59274 -+ /* access is outside of chroot */
59275 -+ if (dentry == realroot && mnt == realrootmnt)
59276 -+ ret = 0;
59277 -+
59278 -+ dput(realroot);
59279 -+ mntput(realrootmnt);
59280 -+ return ret;
59281 -+}
59282 -+#endif
59283 -+
59284 -+int
59285 -+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
59286 -+{
59287 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59288 -+ if (!grsec_enable_chroot_fchdir)
59289 -+ return 1;
59290 -+
59291 -+ if (!proc_is_chrooted(current))
59292 -+ return 1;
59293 -+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
59294 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
59295 -+ return 0;
59296 -+ }
59297 -+#endif
59298 -+ return 1;
59299 -+}
59300 -+
59301 -+int
59302 -+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59303 -+ const time_t shm_createtime)
59304 -+{
59305 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59306 -+ struct pid *pid = NULL;
59307 -+ time_t starttime;
59308 -+
59309 -+ if (unlikely(!grsec_enable_chroot_shmat))
59310 -+ return 1;
59311 -+
59312 -+ if (likely(!proc_is_chrooted(current)))
59313 -+ return 1;
59314 -+
59315 -+ read_lock(&tasklist_lock);
59316 -+
59317 -+ pid = find_pid(shm_cprid);
59318 -+ if (pid) {
59319 -+ struct task_struct *p;
59320 -+ p = pid_task(pid, PIDTYPE_PID);
59321 -+ task_lock(p);
59322 -+ starttime = p->start_time.tv_sec;
59323 -+ if (unlikely(!have_same_root(current, p) &&
59324 -+ time_before((unsigned long)starttime, (unsigned long)shm_createtime))) {
59325 -+ task_unlock(p);
59326 -+ read_unlock(&tasklist_lock);
59327 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
59328 -+ return 0;
59329 -+ }
59330 -+ task_unlock(p);
59331 -+ } else {
59332 -+ pid = find_pid(shm_lapid);
59333 -+ if (pid) {
59334 -+ struct task_struct *p;
59335 -+ p = pid_task(pid, PIDTYPE_PID);
59336 -+ task_lock(p);
59337 -+ if (unlikely(!have_same_root(current, p))) {
59338 -+ task_unlock(p);
59339 -+ read_unlock(&tasklist_lock);
59340 -+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
59341 -+ return 0;
59342 -+ }
59343 -+ task_unlock(p);
59344 -+ }
59345 -+ }
59346 -+
59347 -+ read_unlock(&tasklist_lock);
59348 -+#endif
59349 -+ return 1;
59350 -+}
59351 -+
59352 -+void
59353 -+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
59354 -+{
59355 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59356 -+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
59357 -+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
59358 -+#endif
59359 -+ return;
59360 -+}
59361 -+
59362 -+int
59363 -+gr_handle_chroot_mknod(const struct dentry *dentry,
59364 -+ const struct vfsmount *mnt, const int mode)
59365 -+{
59366 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59367 -+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
59368 -+ proc_is_chrooted(current)) {
59369 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
59370 -+ return -EPERM;
59371 -+ }
59372 -+#endif
59373 -+ return 0;
59374 -+}
59375 -+
59376 -+int
59377 -+gr_handle_chroot_mount(const struct dentry *dentry,
59378 -+ const struct vfsmount *mnt, const char *dev_name)
59379 -+{
59380 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59381 -+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
59382 -+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
59383 -+ return -EPERM;
59384 -+ }
59385 -+#endif
59386 -+ return 0;
59387 -+}
59388 -+
59389 -+int
59390 -+gr_handle_chroot_pivot(void)
59391 -+{
59392 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59393 -+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
59394 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
59395 -+ return -EPERM;
59396 -+ }
59397 -+#endif
59398 -+ return 0;
59399 -+}
59400 -+
59401 -+int
59402 -+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
59403 -+{
59404 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59405 -+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
59406 -+ !gr_is_outside_chroot(dentry, mnt)) {
59407 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
59408 -+ return -EPERM;
59409 -+ }
59410 -+#endif
59411 -+ return 0;
59412 -+}
59413 -+
59414 -+void
59415 -+gr_handle_chroot_caps(struct task_struct *task)
59416 -+{
59417 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59418 -+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
59419 -+ task->cap_permitted =
59420 -+ cap_drop(task->cap_permitted, GR_CHROOT_CAPS);
59421 -+ task->cap_inheritable =
59422 -+ cap_drop(task->cap_inheritable, GR_CHROOT_CAPS);
59423 -+ task->cap_effective =
59424 -+ cap_drop(task->cap_effective, GR_CHROOT_CAPS);
59425 -+ }
59426 -+#endif
59427 -+ return;
59428 -+}
59429 -+
59430 -+int
59431 -+gr_handle_chroot_sysctl(const int op)
59432 -+{
59433 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59434 -+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
59435 -+ && (op & 002))
59436 -+ return -EACCES;
59437 -+#endif
59438 -+ return 0;
59439 -+}
59440 -+
59441 -+void
59442 -+gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt)
59443 -+{
59444 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59445 -+ if (grsec_enable_chroot_chdir)
59446 -+ set_fs_pwd(current->fs, mnt, dentry);
59447 -+#endif
59448 -+ return;
59449 -+}
59450 -+
59451 -+int
59452 -+gr_handle_chroot_chmod(const struct dentry *dentry,
59453 -+ const struct vfsmount *mnt, const int mode)
59454 -+{
59455 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59456 -+ if (grsec_enable_chroot_chmod &&
59457 -+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
59458 -+ proc_is_chrooted(current)) {
59459 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
59460 -+ return -EPERM;
59461 -+ }
59462 -+#endif
59463 -+ return 0;
59464 -+}
59465 -+
59466 -+#ifdef CONFIG_SECURITY
59467 -+EXPORT_SYMBOL(gr_handle_chroot_caps);
59468 -+#endif
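Review bot: `pid_task()` can return NULL (a `struct pid` may still exist with no task attached for PIDTYPE_PID), but `gr_handle_chroot_unix()` and both lookups in `gr_chroot_shmat()` pass its result straight to `task_lock(p)` and `have_same_root(current, p)` with no NULL check. Wrap the task_lock/have_same_root block in `if (p)` in all three places. Smaller point: the `op & 002` test in `gr_handle_chroot_sysctl()` is a magic octal constant; a comment naming it as the write bit of the sysctl permission mask (or a named macro) would make the intent clear.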
59469 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_disabled.c linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c
59470 ---- linux-2.6.23.15/grsecurity/grsec_disabled.c 1970-01-01 01:00:00.000000000 +0100
59471 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_disabled.c 2008-02-11 10:37:44.000000000 +0000
59472 -@@ -0,0 +1,418 @@
59473 -+#include <linux/kernel.h>
59474 -+#include <linux/module.h>
59475 -+#include <linux/sched.h>
59476 -+#include <linux/file.h>
59477 -+#include <linux/fs.h>
59478 -+#include <linux/kdev_t.h>
59479 -+#include <linux/net.h>
59480 -+#include <linux/in.h>
59481 -+#include <linux/ip.h>
59482 -+#include <linux/skbuff.h>
59483 -+#include <linux/sysctl.h>
59484 -+
59485 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
59486 -+void
59487 -+pax_set_initial_flags(struct linux_binprm *bprm)
59488 -+{
59489 -+ return;
59490 -+}
59491 -+#endif
59492 -+
59493 -+#ifdef CONFIG_SYSCTL
59494 -+__u32
59495 -+gr_handle_sysctl(const struct ctl_table * table, const int op)
59496 -+{
59497 -+ return 0;
59498 -+}
59499 -+#endif
59500 -+
59501 -+int
59502 -+gr_acl_is_enabled(void)
59503 -+{
59504 -+ return 0;
59505 -+}
59506 -+
59507 -+int
59508 -+gr_handle_rawio(const struct inode *inode)
59509 -+{
59510 -+ return 0;
59511 -+}
59512 -+
59513 -+void
59514 -+gr_acl_handle_psacct(struct task_struct *task, const long code)
59515 -+{
59516 -+ return;
59517 -+}
59518 -+
59519 -+int
59520 -+gr_handle_ptrace(struct task_struct *task, const long request)
59521 -+{
59522 -+ return 0;
59523 -+}
59524 -+
59525 -+int
59526 -+gr_handle_proc_ptrace(struct task_struct *task)
59527 -+{
59528 -+ return 0;
59529 -+}
59530 -+
59531 -+void
59532 -+gr_learn_resource(const struct task_struct *task,
59533 -+ const int res, const unsigned long wanted, const int gt)
59534 -+{
59535 -+ return;
59536 -+}
59537 -+
59538 -+int
59539 -+gr_set_acls(const int type)
59540 -+{
59541 -+ return 0;
59542 -+}
59543 -+
59544 -+int
59545 -+gr_check_hidden_task(const struct task_struct *tsk)
59546 -+{
59547 -+ return 0;
59548 -+}
59549 -+
59550 -+int
59551 -+gr_check_protected_task(const struct task_struct *task)
59552 -+{
59553 -+ return 0;
59554 -+}
59555 -+
59556 -+void
59557 -+gr_copy_label(struct task_struct *tsk)
59558 -+{
59559 -+ return;
59560 -+}
59561 -+
59562 -+void
59563 -+gr_set_pax_flags(struct task_struct *task)
59564 -+{
59565 -+ return;
59566 -+}
59567 -+
59568 -+int
59569 -+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt)
59570 -+{
59571 -+ return 0;
59572 -+}
59573 -+
59574 -+void
59575 -+gr_handle_delete(const ino_t ino, const dev_t dev)
59576 -+{
59577 -+ return;
59578 -+}
59579 -+
59580 -+void
59581 -+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
59582 -+{
59583 -+ return;
59584 -+}
59585 -+
59586 -+void
59587 -+gr_handle_crash(struct task_struct *task, const int sig)
59588 -+{
59589 -+ return;
59590 -+}
59591 -+
59592 -+int
59593 -+gr_check_crash_exec(const struct file *filp)
59594 -+{
59595 -+ return 0;
59596 -+}
59597 -+
59598 -+int
59599 -+gr_check_crash_uid(const uid_t uid)
59600 -+{
59601 -+ return 0;
59602 -+}
59603 -+
59604 -+void
59605 -+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59606 -+ struct dentry *old_dentry,
59607 -+ struct dentry *new_dentry,
59608 -+ struct vfsmount *mnt, const __u8 replace)
59609 -+{
59610 -+ return;
59611 -+}
59612 -+
59613 -+int
59614 -+gr_search_socket(const int family, const int type, const int protocol)
59615 -+{
59616 -+ return 1;
59617 -+}
59618 -+
59619 -+int
59620 -+gr_search_connectbind(const int mode, const struct socket *sock,
59621 -+ const struct sockaddr_in *addr)
59622 -+{
59623 -+ return 1;
59624 -+}
59625 -+
59626 -+int
59627 -+gr_task_is_capable(struct task_struct *task, const int cap)
59628 -+{
59629 -+ return 1;
59630 -+}
59631 -+
59632 -+int
59633 -+gr_is_capable_nolog(const int cap)
59634 -+{
59635 -+ return 1;
59636 -+}
59637 -+
59638 -+void
59639 -+gr_handle_alertkill(struct task_struct *task)
59640 -+{
59641 -+ return;
59642 -+}
59643 -+
59644 -+__u32
59645 -+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
59646 -+{
59647 -+ return 1;
59648 -+}
59649 -+
59650 -+__u32
59651 -+gr_acl_handle_hidden_file(const struct dentry * dentry,
59652 -+ const struct vfsmount * mnt)
59653 -+{
59654 -+ return 1;
59655 -+}
59656 -+
59657 -+__u32
59658 -+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
59659 -+ const int fmode)
59660 -+{
59661 -+ return 1;
59662 -+}
59663 -+
59664 -+__u32
59665 -+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
59666 -+{
59667 -+ return 1;
59668 -+}
59669 -+
59670 -+__u32
59671 -+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
59672 -+{
59673 -+ return 1;
59674 -+}
59675 -+
59676 -+int
59677 -+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
59678 -+ unsigned int *vm_flags)
59679 -+{
59680 -+ return 1;
59681 -+}
59682 -+
59683 -+__u32
59684 -+gr_acl_handle_truncate(const struct dentry * dentry,
59685 -+ const struct vfsmount * mnt)
59686 -+{
59687 -+ return 1;
59688 -+}
59689 -+
59690 -+__u32
59691 -+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
59692 -+{
59693 -+ return 1;
59694 -+}
59695 -+
59696 -+__u32
59697 -+gr_acl_handle_access(const struct dentry * dentry,
59698 -+ const struct vfsmount * mnt, const int fmode)
59699 -+{
59700 -+ return 1;
59701 -+}
59702 -+
59703 -+__u32
59704 -+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
59705 -+ mode_t mode)
59706 -+{
59707 -+ return 1;
59708 -+}
59709 -+
59710 -+__u32
59711 -+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
59712 -+ mode_t mode)
59713 -+{
59714 -+ return 1;
59715 -+}
59716 -+
59717 -+__u32
59718 -+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
59719 -+{
59720 -+ return 1;
59721 -+}
59722 -+
59723 -+void
59724 -+grsecurity_init(void)
59725 -+{
59726 -+ return;
59727 -+}
59728 -+
59729 -+__u32
59730 -+gr_acl_handle_mknod(const struct dentry * new_dentry,
59731 -+ const struct dentry * parent_dentry,
59732 -+ const struct vfsmount * parent_mnt,
59733 -+ const int mode)
59734 -+{
59735 -+ return 1;
59736 -+}
59737 -+
59738 -+__u32
59739 -+gr_acl_handle_mkdir(const struct dentry * new_dentry,
59740 -+ const struct dentry * parent_dentry,
59741 -+ const struct vfsmount * parent_mnt)
59742 -+{
59743 -+ return 1;
59744 -+}
59745 -+
59746 -+__u32
59747 -+gr_acl_handle_symlink(const struct dentry * new_dentry,
59748 -+ const struct dentry * parent_dentry,
59749 -+ const struct vfsmount * parent_mnt, const char *from)
59750 -+{
59751 -+ return 1;
59752 -+}
59753 -+
59754 -+__u32
59755 -+gr_acl_handle_link(const struct dentry * new_dentry,
59756 -+ const struct dentry * parent_dentry,
59757 -+ const struct vfsmount * parent_mnt,
59758 -+ const struct dentry * old_dentry,
59759 -+ const struct vfsmount * old_mnt, const char *to)
59760 -+{
59761 -+ return 1;
59762 -+}
59763 -+
59764 -+int
59765 -+gr_acl_handle_rename(const struct dentry *new_dentry,
59766 -+ const struct dentry *parent_dentry,
59767 -+ const struct vfsmount *parent_mnt,
59768 -+ const struct dentry *old_dentry,
59769 -+ const struct inode *old_parent_inode,
59770 -+ const struct vfsmount *old_mnt, const char *newname)
59771 -+{
59772 -+ return 0;
59773 -+}
59774 -+
59775 -+int
59776 -+gr_acl_handle_filldir(const struct file *file, const char *name,
59777 -+ const int namelen, const ino_t ino)
59778 -+{
59779 -+ return 1;
59780 -+}
59781 -+
59782 -+int
59783 -+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
59784 -+ const time_t shm_createtime, const uid_t cuid, const int shmid)
59785 -+{
59786 -+ return 1;
59787 -+}
59788 -+
59789 -+int
59790 -+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
59791 -+{
59792 -+ return 1;
59793 -+}
59794 -+
59795 -+int
59796 -+gr_search_accept(const struct socket *sock)
59797 -+{
59798 -+ return 1;
59799 -+}
59800 -+
59801 -+int
59802 -+gr_search_listen(const struct socket *sock)
59803 -+{
59804 -+ return 1;
59805 -+}
59806 -+
59807 -+int
59808 -+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
59809 -+{
59810 -+ return 1;
59811 -+}
59812 -+
59813 -+__u32
59814 -+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
59815 -+{
59816 -+ return 1;
59817 -+}
59818 -+
59819 -+__u32
59820 -+gr_acl_handle_creat(const struct dentry * dentry,
59821 -+ const struct dentry * p_dentry,
59822 -+ const struct vfsmount * p_mnt, const int fmode,
59823 -+ const int imode)
59824 -+{
59825 -+ return 1;
59826 -+}
59827 -+
59828 -+void
59829 -+gr_acl_handle_exit(void)
59830 -+{
59831 -+ return;
59832 -+}
59833 -+
59834 -+int
59835 -+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
59836 -+{
59837 -+ return 1;
59838 -+}
59839 -+
59840 -+void
59841 -+gr_set_role_label(const uid_t uid, const gid_t gid)
59842 -+{
59843 -+ return;
59844 -+}
59845 -+
59846 -+int
59847 -+gr_acl_handle_procpidmem(const struct task_struct *task)
59848 -+{
59849 -+ return 0;
59850 -+}
59851 -+
59852 -+int
59853 -+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
59854 -+{
59855 -+ return 1;
59856 -+}
59857 -+
59858 -+int
59859 -+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
59860 -+{
59861 -+ return 1;
59862 -+}
59863 -+
59864 -+void
59865 -+gr_set_kernel_label(struct task_struct *task)
59866 -+{
59867 -+ return;
59868 -+}
59869 -+
59870 -+int
59871 -+gr_check_user_change(int real, int effective, int fs)
59872 -+{
59873 -+ return 0;
59874 -+}
59875 -+
59876 -+int
59877 -+gr_check_group_change(int real, int effective, int fs)
59878 -+{
59879 -+ return 0;
59880 -+}
59881 -+
59882 -+
59883 -+EXPORT_SYMBOL(gr_task_is_capable);
59884 -+EXPORT_SYMBOL(gr_is_capable_nolog);
59885 -+EXPORT_SYMBOL(gr_learn_resource);
59886 -+EXPORT_SYMBOL(gr_set_kernel_label);
59887 -+#ifdef CONFIG_SECURITY
59888 -+EXPORT_SYMBOL(gr_check_user_change);
59889 -+EXPORT_SYMBOL(gr_check_group_change);
59890 -+#endif
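Review bot: the stubs in this file mix two return conventions without saying which applies where, e.g. `gr_acl_handle_link` and `gr_acl_handle_filldir` return 1 to permit, while `gr_acl_handle_rename`, `gr_acl_handle_procpidmem` and `gr_check_user_change` return 0 to permit; a one-line comment at the top of the file (or on each group) stating "nonzero = permitted" versus "nonzero = error/denied" would make it much harder for a future stub to be added with the wrong default and silently turn a CONFIG_GRKERNSEC=n build into one that denies (or allows) everything at that hook.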
59891 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_exec.c linux-2.6.23.15-grsec/grsecurity/grsec_exec.c
59892 ---- linux-2.6.23.15/grsecurity/grsec_exec.c 1970-01-01 01:00:00.000000000 +0100
59893 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_exec.c 2008-02-11 10:37:44.000000000 +0000
59894 -@@ -0,0 +1,88 @@
59895 -+#include <linux/kernel.h>
59896 -+#include <linux/sched.h>
59897 -+#include <linux/file.h>
59898 -+#include <linux/binfmts.h>
59899 -+#include <linux/smp_lock.h>
59900 -+#include <linux/fs.h>
59901 -+#include <linux/types.h>
59902 -+#include <linux/grdefs.h>
59903 -+#include <linux/grinternal.h>
59904 -+#include <linux/capability.h>
59905 -+
59906 -+#include <asm/uaccess.h>
59907 -+
59908 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
59909 -+static char gr_exec_arg_buf[132];
59910 -+static DECLARE_MUTEX(gr_exec_arg_sem);
59911 -+#endif
59912 -+
59913 -+int
59914 -+gr_handle_nproc(void)
59915 -+{
59916 -+#ifdef CONFIG_GRKERNSEC_EXECVE
59917 -+ if (grsec_enable_execve && current->user &&
59918 -+ (atomic_read(&current->user->processes) >
59919 -+ current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
59920 -+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
59921 -+ gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
59922 -+ return -EAGAIN;
59923 -+ }
59924 -+#endif
59925 -+ return 0;
59926 -+}
59927 -+
59928 -+void
59929 -+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
59930 -+{
59931 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
59932 -+ char *grarg = gr_exec_arg_buf;
59933 -+ unsigned int i, x, execlen = 0;
59934 -+ char c;
59935 -+
59936 -+ if (!((grsec_enable_execlog && grsec_enable_group &&
59937 -+ in_group_p(grsec_audit_gid))
59938 -+ || (grsec_enable_execlog && !grsec_enable_group)))
59939 -+ return;
59940 -+
59941 -+ down(&gr_exec_arg_sem);
59942 -+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
59943 -+
59944 -+ if (unlikely(argv == NULL))
59945 -+ goto log;
59946 -+
59947 -+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
59948 -+ const char __user *p;
59949 -+ unsigned int len;
59950 -+
59951 -+ if (copy_from_user(&p, argv + i, sizeof(p)))
59952 -+ goto log;
59953 -+ if (!p)
59954 -+ goto log;
59955 -+ len = strnlen_user(p, 128 - execlen);
59956 -+ if (len > 128 - execlen)
59957 -+ len = 128 - execlen;
59958 -+ else if (len > 0)
59959 -+ len--;
59960 -+ if (copy_from_user(grarg + execlen, p, len))
59961 -+ goto log;
59962 -+
59963 -+ /* rewrite unprintable characters */
59964 -+ for (x = 0; x < len; x++) {
59965 -+ c = *(grarg + execlen + x);
59966 -+ if (c < 32 || c > 126)
59967 -+ *(grarg + execlen + x) = ' ';
59968 -+ }
59969 -+
59970 -+ execlen += len;
59971 -+ *(grarg + execlen) = ' ';
59972 -+ *(grarg + execlen + 1) = '\0';
59973 -+ execlen++;
59974 -+ }
59975 -+
59976 -+ log:
59977 -+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_dentry,
59978 -+ bprm->file->f_vfsmnt, grarg);
59979 -+ up(&gr_exec_arg_sem);
59980 -+#endif
59981 -+ return;
59982 -+}
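Review bot: `gr_handle_exec_args` silently truncates the logged argument string at 128 bytes (`for (i = 0; i < bprm->argc && execlen < 128; i++)`, and `len = 128 - execlen` when `strnlen_user` runs past the remaining space) and also jumps to `log:` with a partial buffer whenever `copy_from_user` fails, so an `GR_EXEC_AUDIT_MSG` line can look complete when it is not; consider appending a visible marker when truncation or a copy failure occurs, or at least documenting the limit next to `gr_exec_arg_buf[132]`, since anyone reading these audit lines needs to know that everything after byte 128 of argv is absent. The rewrite of unprintable bytes to `' '` is correct for both signed and unsigned `char` (a byte above 126 fails one of the two tests either way), but a comment noting that it also squashes embedded newlines, so a single argv cannot produce what looks like a second log record, would document why that loop matters.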
59983 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_fifo.c linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c
59984 ---- linux-2.6.23.15/grsecurity/grsec_fifo.c 1970-01-01 01:00:00.000000000 +0100
59985 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_fifo.c 2008-02-11 10:37:44.000000000 +0000
59986 -@@ -0,0 +1,22 @@
59987 -+#include <linux/kernel.h>
59988 -+#include <linux/sched.h>
59989 -+#include <linux/fs.h>
59990 -+#include <linux/file.h>
59991 -+#include <linux/grinternal.h>
59992 -+
59993 -+int
59994 -+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
59995 -+ const struct dentry *dir, const int flag, const int acc_mode)
59996 -+{
59997 -+#ifdef CONFIG_GRKERNSEC_FIFO
59998 -+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
59999 -+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
60000 -+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
60001 -+ (current->fsuid != dentry->d_inode->i_uid)) {
60002 -+ if (!generic_permission(dentry->d_inode, acc_mode, NULL))
60003 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
60004 -+ return -EACCES;
60005 -+ }
60006 -+#endif
60007 -+ return 0;
60008 -+}
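Review bot: the log call in `gr_handle_fifo` fires only when `generic_permission()` returns 0, i.e. only when DAC would have allowed the open, while `return -EACCES` applies unconditionally inside the outer `if`; that is presumably intentional (no point alerting on an open DAC would refuse anyway), but the inverted sense of `if (!generic_permission(dentry->d_inode, acc_mode, NULL))` reads like a bug on first sight, so a short comment along the lines of "log only if DAC would have permitted it; deny either way" would save the next reader the detour.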
60009 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_fork.c linux-2.6.23.15-grsec/grsecurity/grsec_fork.c
60010 ---- linux-2.6.23.15/grsecurity/grsec_fork.c 1970-01-01 01:00:00.000000000 +0100
60011 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_fork.c 2008-02-11 10:37:44.000000000 +0000
60012 -@@ -0,0 +1,15 @@
60013 -+#include <linux/kernel.h>
60014 -+#include <linux/sched.h>
60015 -+#include <linux/grsecurity.h>
60016 -+#include <linux/grinternal.h>
60017 -+#include <linux/errno.h>
60018 -+
60019 -+void
60020 -+gr_log_forkfail(const int retval)
60021 -+{
60022 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60023 -+ if (grsec_enable_forkfail && retval != -ERESTARTNOINTR)
60024 -+ gr_log_int(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval);
60025 -+#endif
60026 -+ return;
60027 -+}
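Review bot: `gr_log_forkfail` deliberately skips `retval == -ERESTARTNOINTR`, which is right (copy_process returns that when a signal is pending and the fork is transparently restarted, so it is not a failure), but it deserves a one-line comment; otherwise the next reader may "fix" the exclusion and flood the alert log with restart noise, or wonder whether other restart codes need the same treatment. The trailing `return;` in a void function can go.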
60028 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_init.c linux-2.6.23.15-grsec/grsecurity/grsec_init.c
60029 ---- linux-2.6.23.15/grsecurity/grsec_init.c 1970-01-01 01:00:00.000000000 +0100
60030 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_init.c 2008-02-11 10:37:44.000000000 +0000
60031 -@@ -0,0 +1,230 @@
60032 -+#include <linux/kernel.h>
60033 -+#include <linux/sched.h>
60034 -+#include <linux/mm.h>
60035 -+#include <linux/smp_lock.h>
60036 -+#include <linux/gracl.h>
60037 -+#include <linux/slab.h>
60038 -+#include <linux/vmalloc.h>
60039 -+#include <linux/percpu.h>
60040 -+
60041 -+int grsec_enable_shm;
60042 -+int grsec_enable_link;
60043 -+int grsec_enable_dmesg;
60044 -+int grsec_enable_fifo;
60045 -+int grsec_enable_execve;
60046 -+int grsec_enable_execlog;
60047 -+int grsec_enable_signal;
60048 -+int grsec_enable_forkfail;
60049 -+int grsec_enable_time;
60050 -+int grsec_enable_audit_textrel;
60051 -+int grsec_enable_group;
60052 -+int grsec_audit_gid;
60053 -+int grsec_enable_chdir;
60054 -+int grsec_enable_audit_ipc;
60055 -+int grsec_enable_mount;
60056 -+int grsec_enable_chroot_findtask;
60057 -+int grsec_enable_chroot_mount;
60058 -+int grsec_enable_chroot_shmat;
60059 -+int grsec_enable_chroot_fchdir;
60060 -+int grsec_enable_chroot_double;
60061 -+int grsec_enable_chroot_pivot;
60062 -+int grsec_enable_chroot_chdir;
60063 -+int grsec_enable_chroot_chmod;
60064 -+int grsec_enable_chroot_mknod;
60065 -+int grsec_enable_chroot_nice;
60066 -+int grsec_enable_chroot_execlog;
60067 -+int grsec_enable_chroot_caps;
60068 -+int grsec_enable_chroot_sysctl;
60069 -+int grsec_enable_chroot_unix;
60070 -+int grsec_enable_tpe;
60071 -+int grsec_tpe_gid;
60072 -+int grsec_enable_tpe_all;
60073 -+int grsec_enable_socket_all;
60074 -+int grsec_socket_all_gid;
60075 -+int grsec_enable_socket_client;
60076 -+int grsec_socket_client_gid;
60077 -+int grsec_enable_socket_server;
60078 -+int grsec_socket_server_gid;
60079 -+int grsec_resource_logging;
60080 -+int grsec_lock;
60081 -+
60082 -+spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
60083 -+unsigned long grsec_alert_wtime = 0;
60084 -+unsigned long grsec_alert_fyet = 0;
60085 -+
60086 -+spinlock_t grsec_audit_lock = SPIN_LOCK_UNLOCKED;
60087 -+
60088 -+rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;
60089 -+
60090 -+char *gr_shared_page[4];
60091 -+
60092 -+char *gr_alert_log_fmt;
60093 -+char *gr_audit_log_fmt;
60094 -+char *gr_alert_log_buf;
60095 -+char *gr_audit_log_buf;
60096 -+
60097 -+extern struct gr_arg *gr_usermode;
60098 -+extern unsigned char *gr_system_salt;
60099 -+extern unsigned char *gr_system_sum;
60100 -+
60101 -+void
60102 -+grsecurity_init(void)
60103 -+{
60104 -+ int j;
60105 -+ /* create the per-cpu shared pages */
60106 -+
60107 -+ for (j = 0; j < 4; j++) {
60108 -+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE);
60109 -+ if (gr_shared_page[j] == NULL) {
60110 -+ panic("Unable to allocate grsecurity shared page");
60111 -+ return;
60112 -+ }
60113 -+ }
60114 -+
60115 -+ /* allocate log buffers */
60116 -+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
60117 -+ if (!gr_alert_log_fmt) {
60118 -+ panic("Unable to allocate grsecurity alert log format buffer");
60119 -+ return;
60120 -+ }
60121 -+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
60122 -+ if (!gr_audit_log_fmt) {
60123 -+ panic("Unable to allocate grsecurity audit log format buffer");
60124 -+ return;
60125 -+ }
60126 -+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
60127 -+ if (!gr_alert_log_buf) {
60128 -+ panic("Unable to allocate grsecurity alert log buffer");
60129 -+ return;
60130 -+ }
60131 -+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
60132 -+ if (!gr_audit_log_buf) {
60133 -+ panic("Unable to allocate grsecurity audit log buffer");
60134 -+ return;
60135 -+ }
60136 -+
60137 -+ /* allocate memory for authentication structure */
60138 -+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
60139 -+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
60140 -+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
60141 -+
60142 -+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
60143 -+ panic("Unable to allocate grsecurity authentication structure");
60144 -+ return;
60145 -+ }
60146 -+
60147 -+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
60148 -+#ifndef CONFIG_GRKERNSEC_SYSCTL
60149 -+ grsec_lock = 1;
60150 -+#endif
60151 -+#ifdef CONFIG_GRKERNSEC_SHM
60152 -+ grsec_enable_shm = 1;
60153 -+#endif
60154 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60155 -+ grsec_enable_audit_textrel = 1;
60156 -+#endif
60157 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60158 -+ grsec_enable_group = 1;
60159 -+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
60160 -+#endif
60161 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60162 -+ grsec_enable_chdir = 1;
60163 -+#endif
60164 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60165 -+ grsec_enable_audit_ipc = 1;
60166 -+#endif
60167 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60168 -+ grsec_enable_mount = 1;
60169 -+#endif
60170 -+#ifdef CONFIG_GRKERNSEC_LINK
60171 -+ grsec_enable_link = 1;
60172 -+#endif
60173 -+#ifdef CONFIG_GRKERNSEC_DMESG
60174 -+ grsec_enable_dmesg = 1;
60175 -+#endif
60176 -+#ifdef CONFIG_GRKERNSEC_FIFO
60177 -+ grsec_enable_fifo = 1;
60178 -+#endif
60179 -+#ifdef CONFIG_GRKERNSEC_EXECVE
60180 -+ grsec_enable_execve = 1;
60181 -+#endif
60182 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
60183 -+ grsec_enable_execlog = 1;
60184 -+#endif
60185 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
60186 -+ grsec_enable_signal = 1;
60187 -+#endif
60188 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60189 -+ grsec_enable_forkfail = 1;
60190 -+#endif
60191 -+#ifdef CONFIG_GRKERNSEC_TIME
60192 -+ grsec_enable_time = 1;
60193 -+#endif
60194 -+#ifdef CONFIG_GRKERNSEC_RESLOG
60195 -+ grsec_resource_logging = 1;
60196 -+#endif
60197 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60198 -+ grsec_enable_chroot_findtask = 1;
60199 -+#endif
60200 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
60201 -+ grsec_enable_chroot_unix = 1;
60202 -+#endif
60203 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
60204 -+ grsec_enable_chroot_mount = 1;
60205 -+#endif
60206 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
60207 -+ grsec_enable_chroot_fchdir = 1;
60208 -+#endif
60209 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
60210 -+ grsec_enable_chroot_shmat = 1;
60211 -+#endif
60212 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
60213 -+ grsec_enable_chroot_double = 1;
60214 -+#endif
60215 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
60216 -+ grsec_enable_chroot_pivot = 1;
60217 -+#endif
60218 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
60219 -+ grsec_enable_chroot_chdir = 1;
60220 -+#endif
60221 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
60222 -+ grsec_enable_chroot_chmod = 1;
60223 -+#endif
60224 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
60225 -+ grsec_enable_chroot_mknod = 1;
60226 -+#endif
60227 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
60228 -+ grsec_enable_chroot_nice = 1;
60229 -+#endif
60230 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
60231 -+ grsec_enable_chroot_execlog = 1;
60232 -+#endif
60233 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60234 -+ grsec_enable_chroot_caps = 1;
60235 -+#endif
60236 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60237 -+ grsec_enable_chroot_sysctl = 1;
60238 -+#endif
60239 -+#ifdef CONFIG_GRKERNSEC_TPE
60240 -+ grsec_enable_tpe = 1;
60241 -+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
60242 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60243 -+ grsec_enable_tpe_all = 1;
60244 -+#endif
60245 -+#endif
60246 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60247 -+ grsec_enable_socket_all = 1;
60248 -+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
60249 -+#endif
60250 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60251 -+ grsec_enable_socket_client = 1;
60252 -+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
60253 -+#endif
60254 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60255 -+ grsec_enable_socket_server = 1;
60256 -+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
60257 -+#endif
60258 -+#endif
60259 -+
60260 -+ return;
60261 -+}
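Review bot: each `panic(...)` in `grsecurity_init` is followed by an unreachable `return;` (`panic` does not return), which is harmless but noisy. More substantively, `spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;` and `rwlock_t grsec_exec_file_lock = RW_LOCK_UNLOCKED;` use the deprecated static initializers; `DEFINE_SPINLOCK(grsec_alert_lock)` / `DEFINE_RWLOCK(grsec_exec_file_lock)` are the 2.6.23 idiom and give each lock its own lockdep class. Finally, the `#ifdef` ladder sets the `grsec_enable_*` flags only under `#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)` and sets `grsec_lock = 1` only when sysctl is compiled out; a comment stating that with sysctl enabled but SYSCTL_ON unset every feature starts disabled until userspace turns it on, and `grsec_lock` stays 0, would make the intended boot-time state explicit.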
60262 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_ipc.c linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c
60263 ---- linux-2.6.23.15/grsecurity/grsec_ipc.c 1970-01-01 01:00:00.000000000 +0100
60264 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_ipc.c 2008-02-11 10:37:44.000000000 +0000
60265 -@@ -0,0 +1,81 @@
60266 -+#include <linux/kernel.h>
60267 -+#include <linux/sched.h>
60268 -+#include <linux/types.h>
60269 -+#include <linux/ipc.h>
60270 -+#include <linux/grsecurity.h>
60271 -+#include <linux/grinternal.h>
60272 -+
60273 -+void
60274 -+gr_log_msgget(const int ret, const int msgflg)
60275 -+{
60276 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60277 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60278 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60279 -+ !grsec_enable_group)) && (ret >= 0)
60280 -+ && (msgflg & IPC_CREAT))
60281 -+ gr_log_noargs(GR_DO_AUDIT, GR_MSGQ_AUDIT_MSG);
60282 -+#endif
60283 -+ return;
60284 -+}
60285 -+
60286 -+void
60287 -+gr_log_msgrm(const uid_t uid, const uid_t cuid)
60288 -+{
60289 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60290 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60291 -+ grsec_enable_audit_ipc) ||
60292 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60293 -+ gr_log_int_int(GR_DO_AUDIT, GR_MSGQR_AUDIT_MSG, uid, cuid);
60294 -+#endif
60295 -+ return;
60296 -+}
60297 -+
60298 -+void
60299 -+gr_log_semget(const int err, const int semflg)
60300 -+{
60301 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60302 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60303 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60304 -+ !grsec_enable_group)) && (err >= 0)
60305 -+ && (semflg & IPC_CREAT))
60306 -+ gr_log_noargs(GR_DO_AUDIT, GR_SEM_AUDIT_MSG);
60307 -+#endif
60308 -+ return;
60309 -+}
60310 -+
60311 -+void
60312 -+gr_log_semrm(const uid_t uid, const uid_t cuid)
60313 -+{
60314 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60315 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60316 -+ grsec_enable_audit_ipc) ||
60317 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60318 -+ gr_log_int_int(GR_DO_AUDIT, GR_SEMR_AUDIT_MSG, uid, cuid);
60319 -+#endif
60320 -+ return;
60321 -+}
60322 -+
60323 -+void
60324 -+gr_log_shmget(const int err, const int shmflg, const size_t size)
60325 -+{
60326 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60327 -+ if (((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60328 -+ grsec_enable_audit_ipc) || (grsec_enable_audit_ipc &&
60329 -+ !grsec_enable_group)) && (err >= 0)
60330 -+ && (shmflg & IPC_CREAT))
60331 -+ gr_log_int(GR_DO_AUDIT, GR_SHM_AUDIT_MSG, size);
60332 -+#endif
60333 -+ return;
60334 -+}
60335 -+
60336 -+void
60337 -+gr_log_shmrm(const uid_t uid, const uid_t cuid)
60338 -+{
60339 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
60340 -+ if ((grsec_enable_group && in_group_p(grsec_audit_gid) &&
60341 -+ grsec_enable_audit_ipc) ||
60342 -+ (grsec_enable_audit_ipc && !grsec_enable_group))
60343 -+ gr_log_int_int(GR_DO_AUDIT, GR_SHMR_AUDIT_MSG, uid, cuid);
60344 -+#endif
60345 -+ return;
60346 -+}
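Review bot: the audit predicate `(grsec_enable_group && in_group_p(grsec_audit_gid) && grsec_enable_audit_ipc) || (grsec_enable_audit_ipc && !grsec_enable_group)` is copied verbatim into all six functions here (and the same shape appears in `gr_handle_exec_args`); it is equivalent to `grsec_enable_audit_ipc && (!grsec_enable_group || in_group_p(grsec_audit_gid))` and belongs in a single inline helper so the copies cannot drift. Separately, `gr_log_shmget` takes `const size_t size` but passes it straight to `gr_log_int`; if that helper's parameter is an `int`, segment sizes of 2 GiB and above are logged truncated or negative on 64-bit, so either add an unsigned-long logging variant or cast deliberately with a comment.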
60347 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_link.c linux-2.6.23.15-grsec/grsecurity/grsec_link.c
60348 ---- linux-2.6.23.15/grsecurity/grsec_link.c 1970-01-01 01:00:00.000000000 +0100
60349 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_link.c 2008-02-11 10:37:44.000000000 +0000
60350 -@@ -0,0 +1,39 @@
60351 -+#include <linux/kernel.h>
60352 -+#include <linux/sched.h>
60353 -+#include <linux/fs.h>
60354 -+#include <linux/file.h>
60355 -+#include <linux/grinternal.h>
60356 -+
60357 -+int
60358 -+gr_handle_follow_link(const struct inode *parent,
60359 -+ const struct inode *inode,
60360 -+ const struct dentry *dentry, const struct vfsmount *mnt)
60361 -+{
60362 -+#ifdef CONFIG_GRKERNSEC_LINK
60363 -+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
60364 -+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
60365 -+ (parent->i_mode & S_IWOTH) && (current->fsuid != inode->i_uid)) {
60366 -+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
60367 -+ return -EACCES;
60368 -+ }
60369 -+#endif
60370 -+ return 0;
60371 -+}
60372 -+
60373 -+int
60374 -+gr_handle_hardlink(const struct dentry *dentry,
60375 -+ const struct vfsmount *mnt,
60376 -+ struct inode *inode, const int mode, const char *to)
60377 -+{
60378 -+#ifdef CONFIG_GRKERNSEC_LINK
60379 -+ if (grsec_enable_link && current->fsuid != inode->i_uid &&
60380 -+ (!S_ISREG(mode) || (mode & S_ISUID) ||
60381 -+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
60382 -+ (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
60383 -+ !capable(CAP_FOWNER) && current->uid) {
60384 -+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
60385 -+ return -EPERM;
60386 -+ }
60387 -+#endif
60388 -+ return 0;
60389 -+}
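Review bot: `gr_handle_hardlink` tests ownership with `current->fsuid != inode->i_uid` but then exempts the caller via `current->uid` (real uid) being 0, while `gr_handle_follow_link` just above keys on `fsuid` throughout; mixing the two means a process with real uid 0 and a non-zero fsuid is exempt from the hardlink restriction while the symlink restriction treats it like any other user. If the intent is "root is exempt", say so in a comment and use one identity consistently (fsuid is what DAC uses), noting that `!capable(CAP_FOWNER)` already covers the privileged case. It is also worth documenting that `gr_handle_follow_link` has no capability exemption at all, unlike the hardlink hook, if that asymmetry is deliberate.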
60390 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_log.c linux-2.6.23.15-grsec/grsecurity/grsec_log.c
60391 ---- linux-2.6.23.15/grsecurity/grsec_log.c 1970-01-01 01:00:00.000000000 +0100
60392 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_log.c 2008-02-11 10:37:44.000000000 +0000
60393 -@@ -0,0 +1,269 @@
60394 -+#include <linux/kernel.h>
60395 -+#include <linux/sched.h>
60396 -+#include <linux/file.h>
60397 -+#include <linux/tty.h>
60398 -+#include <linux/fs.h>
60399 -+#include <linux/grinternal.h>
60400 -+
60401 -+#define BEGIN_LOCKS(x) \
60402 -+ read_lock(&tasklist_lock); \
60403 -+ read_lock(&grsec_exec_file_lock); \
60404 -+ if (x != GR_DO_AUDIT) \
60405 -+ spin_lock(&grsec_alert_lock); \
60406 -+ else \
60407 -+ spin_lock(&grsec_audit_lock)
60408 -+
60409 -+#define END_LOCKS(x) \
60410 -+ if (x != GR_DO_AUDIT) \
60411 -+ spin_unlock(&grsec_alert_lock); \
60412 -+ else \
60413 -+ spin_unlock(&grsec_audit_lock); \
60414 -+ read_unlock(&grsec_exec_file_lock); \
60415 -+ read_unlock(&tasklist_lock); \
60416 -+ if (x == GR_DONT_AUDIT) \
60417 -+ gr_handle_alertkill(current)
60418 -+
60419 -+enum {
60420 -+ FLOODING,
60421 -+ NO_FLOODING
60422 -+};
60423 -+
60424 -+extern char *gr_alert_log_fmt;
60425 -+extern char *gr_audit_log_fmt;
60426 -+extern char *gr_alert_log_buf;
60427 -+extern char *gr_audit_log_buf;
60428 -+
60429 -+static int gr_log_start(int audit)
60430 -+{
60431 -+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
60432 -+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
60433 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60434 -+
60435 -+ if (audit == GR_DO_AUDIT)
60436 -+ goto set_fmt;
60437 -+
60438 -+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
60439 -+ grsec_alert_wtime = jiffies;
60440 -+ grsec_alert_fyet = 0;
60441 -+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
60442 -+ grsec_alert_fyet++;
60443 -+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
60444 -+ grsec_alert_wtime = jiffies;
60445 -+ grsec_alert_fyet++;
60446 -+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
60447 -+ return FLOODING;
60448 -+ } else return FLOODING;
60449 -+
60450 -+set_fmt:
60451 -+ memset(buf, 0, PAGE_SIZE);
60452 -+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
60453 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: (%.64s:%c:%.950s) ");
60454 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip), current->role->rolename, gr_roletype_to_char(), current->acl->filename);
60455 -+ } else if (current->signal->curr_ip) {
60456 -+ sprintf(fmt, "%s%s", loglevel, "grsec: From %u.%u.%u.%u: ");
60457 -+ snprintf(buf, PAGE_SIZE - 1, fmt, NIPQUAD(current->signal->curr_ip));
60458 -+ } else if (gr_acl_is_enabled()) {
60459 -+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
60460 -+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
60461 -+ } else {
60462 -+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
60463 -+ strcpy(buf, fmt);
60464 -+ }
60465 -+
60466 -+ return NO_FLOODING;
60467 -+}
60468 -+
60469 -+static void gr_log_middle(int audit, const char *msg, va_list ap)
60470 -+{
60471 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60472 -+ unsigned int len = strlen(buf);
60473 -+
60474 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
60475 -+
60476 -+ return;
60477 -+}
60478 -+
60479 -+static void gr_log_middle_varargs(int audit, const char *msg, ...)
60480 -+{
60481 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60482 -+ unsigned int len = strlen(buf);
60483 -+ va_list ap;
60484 -+
60485 -+ va_start(ap, msg);
60486 -+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
60487 -+ va_end(ap);
60488 -+
60489 -+ return;
60490 -+}
60491 -+
60492 -+static void gr_log_end(int audit)
60493 -+{
60494 -+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
60495 -+ unsigned int len = strlen(buf);
60496 -+
60497 -+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current));
60498 -+ printk("%s\n", buf);
60499 -+
60500 -+ return;
60501 -+}
60502 -+
60503 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
60504 -+{
60505 -+ int logtype;
60506 -+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
60507 -+ char *str1, *str2, *str3;
60508 -+ int num1, num2;
60509 -+ unsigned long ulong1, ulong2;
60510 -+ struct dentry *dentry;
60511 -+ struct vfsmount *mnt;
60512 -+ struct file *file;
60513 -+ struct task_struct *task;
60514 -+ va_list ap;
60515 -+
60516 -+ BEGIN_LOCKS(audit);
60517 -+ logtype = gr_log_start(audit);
60518 -+ if (logtype == FLOODING) {
60519 -+ END_LOCKS(audit);
60520 -+ return;
60521 -+ }
60522 -+ va_start(ap, argtypes);
60523 -+ switch (argtypes) {
60524 -+ case GR_TTYSNIFF:
60525 -+ task = va_arg(ap, struct task_struct *);
60526 -+ gr_log_middle_varargs(audit, msg, NIPQUAD(task->signal->curr_ip), gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
60527 -+ break;
60528 -+ case GR_SYSCTL_HIDDEN:
60529 -+ str1 = va_arg(ap, char *);
60530 -+ gr_log_middle_varargs(audit, msg, result, str1);
60531 -+ break;
60532 -+ case GR_RBAC:
60533 -+ dentry = va_arg(ap, struct dentry *);
60534 -+ mnt = va_arg(ap, struct vfsmount *);
60535 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
60536 -+ break;
60537 -+ case GR_RBAC_STR:
60538 -+ dentry = va_arg(ap, struct dentry *);
60539 -+ mnt = va_arg(ap, struct vfsmount *);
60540 -+ str1 = va_arg(ap, char *);
60541 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
60542 -+ break;
60543 -+ case GR_STR_RBAC:
60544 -+ str1 = va_arg(ap, char *);
60545 -+ dentry = va_arg(ap, struct dentry *);
60546 -+ mnt = va_arg(ap, struct vfsmount *);
60547 -+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
60548 -+ break;
60549 -+ case GR_RBAC_MODE2:
60550 -+ dentry = va_arg(ap, struct dentry *);
60551 -+ mnt = va_arg(ap, struct vfsmount *);
60552 -+ str1 = va_arg(ap, char *);
60553 -+ str2 = va_arg(ap, char *);
60554 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
60555 -+ break;
60556 -+ case GR_RBAC_MODE3:
60557 -+ dentry = va_arg(ap, struct dentry *);
60558 -+ mnt = va_arg(ap, struct vfsmount *);
60559 -+ str1 = va_arg(ap, char *);
60560 -+ str2 = va_arg(ap, char *);
60561 -+ str3 = va_arg(ap, char *);
60562 -+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
60563 -+ break;
60564 -+ case GR_FILENAME:
60565 -+ dentry = va_arg(ap, struct dentry *);
60566 -+ mnt = va_arg(ap, struct vfsmount *);
60567 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
60568 -+ break;
60569 -+ case GR_STR_FILENAME:
60570 -+ str1 = va_arg(ap, char *);
60571 -+ dentry = va_arg(ap, struct dentry *);
60572 -+ mnt = va_arg(ap, struct vfsmount *);
60573 -+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
60574 -+ break;
60575 -+ case GR_FILENAME_STR:
60576 -+ dentry = va_arg(ap, struct dentry *);
60577 -+ mnt = va_arg(ap, struct vfsmount *);
60578 -+ str1 = va_arg(ap, char *);
60579 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
60580 -+ break;
60581 -+ case GR_FILENAME_TWO_INT:
60582 -+ dentry = va_arg(ap, struct dentry *);
60583 -+ mnt = va_arg(ap, struct vfsmount *);
60584 -+ num1 = va_arg(ap, int);
60585 -+ num2 = va_arg(ap, int);
60586 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
60587 -+ break;
60588 -+ case GR_FILENAME_TWO_INT_STR:
60589 -+ dentry = va_arg(ap, struct dentry *);
60590 -+ mnt = va_arg(ap, struct vfsmount *);
60591 -+ num1 = va_arg(ap, int);
60592 -+ num2 = va_arg(ap, int);
60593 -+ str1 = va_arg(ap, char *);
60594 -+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
60595 -+ break;
60596 -+ case GR_TEXTREL:
60597 -+ file = va_arg(ap, struct file *);
60598 -+ ulong1 = va_arg(ap, unsigned long);
60599 -+ ulong2 = va_arg(ap, unsigned long);
60600 -+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_dentry, file->f_vfsmnt) : "<anonymous mapping>", ulong1, ulong2);
60601 -+ break;
60602 -+ case GR_PTRACE:
60603 -+ task = va_arg(ap, struct task_struct *);
60604 -+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_dentry, task->exec_file->f_vfsmnt) : "(none)", task->comm, task->pid);
60605 -+ break;
60606 -+ case GR_RESOURCE:
60607 -+ task = va_arg(ap, struct task_struct *);
60608 -+ ulong1 = va_arg(ap, unsigned long);
60609 -+ str1 = va_arg(ap, char *);
60610 -+ ulong2 = va_arg(ap, unsigned long);
60611 -+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60612 -+ break;
60613 -+ case GR_CAP:
60614 -+ task = va_arg(ap, struct task_struct *);
60615 -+ str1 = va_arg(ap, char *);
60616 -+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60617 -+ break;
60618 -+ case GR_SIG:
60619 -+ task = va_arg(ap, struct task_struct *);
60620 -+ num1 = va_arg(ap, int);
60621 -+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60622 -+ break;
60623 -+ case GR_CRASH1:
60624 -+ task = va_arg(ap, struct task_struct *);
60625 -+ ulong1 = va_arg(ap, unsigned long);
60626 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, task->uid, ulong1);
60627 -+ break;
60628 -+ case GR_CRASH2:
60629 -+ task = va_arg(ap, struct task_struct *);
60630 -+ ulong1 = va_arg(ap, unsigned long);
60631 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, task->uid, task->euid, task->gid, task->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid, ulong1);
60632 -+ break;
60633 -+ case GR_PSACCT:
60634 -+ {
60635 -+ unsigned int wday, cday;
60636 -+ __u8 whr, chr;
60637 -+ __u8 wmin, cmin;
60638 -+ __u8 wsec, csec;
60639 -+ char cur_tty[64] = { 0 };
60640 -+ char parent_tty[64] = { 0 };
60641 -+
60642 -+ task = va_arg(ap, struct task_struct *);
60643 -+ wday = va_arg(ap, unsigned int);
60644 -+ cday = va_arg(ap, unsigned int);
60645 -+ whr = va_arg(ap, int);
60646 -+ chr = va_arg(ap, int);
60647 -+ wmin = va_arg(ap, int);
60648 -+ cmin = va_arg(ap, int);
60649 -+ wsec = va_arg(ap, int);
60650 -+ csec = va_arg(ap, int);
60651 -+ ulong1 = va_arg(ap, unsigned long);
60652 -+
60653 -+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, NIPQUAD(task->signal->curr_ip), tty_name(task->signal->tty, cur_tty), task->uid, task->euid, task->gid, task->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, NIPQUAD(task->parent->signal->curr_ip), tty_name(task->parent->signal->tty, parent_tty), task->parent->uid, task->parent->euid, task->parent->gid, task->parent->egid);
60654 -+ }
60655 -+ break;
60656 -+ default:
60657 -+ gr_log_middle(audit, msg, ap);
60658 -+ }
60659 -+ va_end(ap);
60660 -+ gr_log_end(audit);
60661 -+ END_LOCKS(audit);
60662 -+}
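Review bot: the GR_PTRACE case tests `task->exec_file` and then dereferences it twice more (`task->exec_file->f_dentry`, `task->exec_file->f_vfsmnt`) without taking a local copy or the `grsec_exec_file_lock` that `gr_handle_brute_attach` in grsec_sig.c holds around its own `exec_file` read; if the pointer can be cleared between the test and the reads, this is a NULL dereference. Suggest `struct file *f = task->exec_file;` taken once under the lock, then `f ? gr_to_filename(f->f_dentry, f->f_vfsmnt) : "(none)"`. Secondary: in the GR_PSACCT block the `__u8` hour/minute/second fields are fetched with `va_arg(ap, int)`, which is correct because of default argument promotion; a one-line comment there would stop a later "fix" to `va_arg(ap, __u8)`, which is undefined behaviour.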
60663 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_mem.c linux-2.6.23.15-grsec/grsecurity/grsec_mem.c
60664 ---- linux-2.6.23.15/grsecurity/grsec_mem.c 1970-01-01 01:00:00.000000000 +0100
60665 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_mem.c 2008-02-11 10:37:44.000000000 +0000
60666 -@@ -0,0 +1,71 @@
60667 -+#include <linux/kernel.h>
60668 -+#include <linux/sched.h>
60669 -+#include <linux/mm.h>
60670 -+#include <linux/mman.h>
60671 -+#include <linux/grinternal.h>
60672 -+
60673 -+void
60674 -+gr_handle_ioperm(void)
60675 -+{
60676 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
60677 -+ return;
60678 -+}
60679 -+
60680 -+void
60681 -+gr_handle_iopl(void)
60682 -+{
60683 -+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
60684 -+ return;
60685 -+}
60686 -+
60687 -+void
60688 -+gr_handle_mem_write(void)
60689 -+{
60690 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
60691 -+ return;
60692 -+}
60693 -+
60694 -+void
60695 -+gr_handle_kmem_write(void)
60696 -+{
60697 -+ gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
60698 -+ return;
60699 -+}
60700 -+
60701 -+void
60702 -+gr_handle_open_port(void)
60703 -+{
60704 -+ gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
60705 -+ return;
60706 -+}
60707 -+
60708 -+int
60709 -+gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
60710 -+{
60711 -+ unsigned long start, end;
60712 -+
60713 -+ start = offset;
60714 -+ end = start + vma->vm_end - vma->vm_start;
60715 -+
60716 -+ if (start > end) {
60717 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
60718 -+ return -EPERM;
60719 -+ }
60720 -+
60721 -+ /* allowed ranges : ISA I/O BIOS */
60722 -+ if ((start >= __pa(high_memory))
60723 -+#ifdef CONFIG_X86
60724 -+ || (start >= 0x000a0000 && end <= 0x00100000)
60725 -+ || (start >= 0x00000000 && end <= 0x00001000)
60726 -+#endif
60727 -+ )
60728 -+ return 0;
60729 -+
60730 -+ if (vma->vm_flags & VM_WRITE) {
60731 -+ gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
60732 -+ return -EPERM;
60733 -+ } else
60734 -+ vma->vm_flags &= ~VM_MAYWRITE;
60735 -+
60736 -+ return 0;
60737 -+}
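Review bot: in `gr_handle_mem_mmap` the sub-condition `start >= 0x00000000` inside the CONFIG_X86 block is always true for an unsigned long, so that line reduces to `end <= 0x00001000`; drop the redundant comparison or write the window explicitly. The `if (start > end)` guard above it correctly rejects a wrapped `offset + length` before the allowed-range test, which is worth a comment. Also document the read-only path: for a mapping of RAM without VM_WRITE the function clears VM_MAYWRITE (`vma->vm_flags &= ~VM_MAYWRITE`), so a later mprotect(PROT_WRITE) on that mapping is refused as well, not only the initial mmap. The comment `/* allowed ranges : ISA I/O BIOS */` should name the two windows it permits (the first page and 0xa0000 to 0x100000) plus everything at or above `__pa(high_memory)`.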
60738 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_mount.c linux-2.6.23.15-grsec/grsecurity/grsec_mount.c
60739 ---- linux-2.6.23.15/grsecurity/grsec_mount.c 1970-01-01 01:00:00.000000000 +0100
60740 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_mount.c 2008-02-11 10:37:44.000000000 +0000
60741 -@@ -0,0 +1,34 @@
60742 -+#include <linux/kernel.h>
60743 -+#include <linux/sched.h>
60744 -+#include <linux/grsecurity.h>
60745 -+#include <linux/grinternal.h>
60746 -+
60747 -+void
60748 -+gr_log_remount(const char *devname, const int retval)
60749 -+{
60750 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60751 -+ if (grsec_enable_mount && (retval >= 0))
60752 -+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
60753 -+#endif
60754 -+ return;
60755 -+}
60756 -+
60757 -+void
60758 -+gr_log_unmount(const char *devname, const int retval)
60759 -+{
60760 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60761 -+ if (grsec_enable_mount && (retval >= 0))
60762 -+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
60763 -+#endif
60764 -+ return;
60765 -+}
60766 -+
60767 -+void
60768 -+gr_log_mount(const char *from, const char *to, const int retval)
60769 -+{
60770 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60771 -+ if (grsec_enable_mount && (retval >= 0))
60772 -+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
60773 -+#endif
60774 -+ return;
60775 -+}
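Review bot: `gr_log_mount` passes `from` and `to` straight to `gr_log_str_str`, while `gr_log_remount` and `gr_log_unmount` guard their `devname` argument with `devname ? devname : "none"`. If `from` can be NULL (a mount without a device string), the format string dereferences it; apply the same substitution here: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`.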
60776 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sig.c linux-2.6.23.15-grsec/grsecurity/grsec_sig.c
60777 ---- linux-2.6.23.15/grsecurity/grsec_sig.c 1970-01-01 01:00:00.000000000 +0100
60778 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sig.c 2008-02-11 10:37:44.000000000 +0000
60779 -@@ -0,0 +1,59 @@
60780 -+#include <linux/kernel.h>
60781 -+#include <linux/sched.h>
60782 -+#include <linux/grsecurity.h>
60783 -+#include <linux/grinternal.h>
60784 -+
60785 -+void
60786 -+gr_log_signal(const int sig, const struct task_struct *t)
60787 -+{
60788 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
60789 -+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
60790 -+ (sig == SIGABRT) || (sig == SIGBUS))) {
60791 -+ if (t->pid == current->pid) {
60792 -+ gr_log_int(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, sig);
60793 -+ } else {
60794 -+ gr_log_sig(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
60795 -+ }
60796 -+ }
60797 -+#endif
60798 -+ return;
60799 -+}
60800 -+
60801 -+int
60802 -+gr_handle_signal(const struct task_struct *p, const int sig)
60803 -+{
60804 -+#ifdef CONFIG_GRKERNSEC
60805 -+ if (current->pid > 1 && gr_check_protected_task(p)) {
60806 -+ gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
60807 -+ return -EPERM;
60808 -+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
60809 -+ return -EPERM;
60810 -+ }
60811 -+#endif
60812 -+ return 0;
60813 -+}
60814 -+
60815 -+void gr_handle_brute_attach(struct task_struct *p)
60816 -+{
60817 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60818 -+ read_lock(&tasklist_lock);
60819 -+ read_lock(&grsec_exec_file_lock);
60820 -+ if (p->parent && p->parent->exec_file == p->exec_file)
60821 -+ p->parent->brute = 1;
60822 -+ read_unlock(&grsec_exec_file_lock);
60823 -+ read_unlock(&tasklist_lock);
60824 -+#endif
60825 -+ return;
60826 -+}
60827 -+
60828 -+void gr_handle_brute_check(void)
60829 -+{
60830 -+#ifdef CONFIG_GRKERNSEC_BRUTE
60831 -+ if (current->brute) {
60832 -+ set_current_state(TASK_UNINTERRUPTIBLE);
60833 -+ schedule_timeout(30 * HZ);
60834 -+ }
60835 -+#endif
60836 -+ return;
60837 -+}
60838 -+
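Review bot: `gr_handle_signal` audits the protected-task refusal (`gr_log_sig(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig)`) but returns -EPERM silently on the chrooted-target branch; for consistent detection the chroot refusal should log too, or a comment should explain the asymmetry. The `(struct task_struct *)p` cast made to call `gr_pid_is_chrooted` discards `const`; giving that function a `const struct task_struct *` parameter removes the cast. In `gr_handle_brute_attach` the store `p->parent->brute = 1` happens under read locks only; because it is a single int set to a constant and only tested in `gr_handle_brute_check`, the race is benign, but say so in a comment. `gr_handle_brute_check` sleeps 30 seconds in TASK_UNINTERRUPTIBLE, so the delayed task cannot be killed during the wait; if that is intentional (so the penalty cannot be skipped), document it. Style: the file ends with a stray blank line.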
60839 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sock.c linux-2.6.23.15-grsec/grsecurity/grsec_sock.c
60840 ---- linux-2.6.23.15/grsecurity/grsec_sock.c 1970-01-01 01:00:00.000000000 +0100
60841 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sock.c 2008-02-11 10:37:44.000000000 +0000
60842 -@@ -0,0 +1,263 @@
60843 -+#include <linux/kernel.h>
60844 -+#include <linux/module.h>
60845 -+#include <linux/sched.h>
60846 -+#include <linux/file.h>
60847 -+#include <linux/net.h>
60848 -+#include <linux/in.h>
60849 -+#include <linux/ip.h>
60850 -+#include <net/sock.h>
60851 -+#include <net/inet_sock.h>
60852 -+#include <linux/grsecurity.h>
60853 -+#include <linux/grinternal.h>
60854 -+#include <linux/gracl.h>
60855 -+
60856 -+#if defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
60857 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
60858 -+EXPORT_SYMBOL(udp_v4_lookup);
60859 -+#endif
60860 -+
60861 -+EXPORT_SYMBOL(gr_cap_rtnetlink);
60862 -+
60863 -+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
60864 -+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
60865 -+
60866 -+EXPORT_SYMBOL(gr_search_udp_recvmsg);
60867 -+EXPORT_SYMBOL(gr_search_udp_sendmsg);
60868 -+
60869 -+#ifdef CONFIG_UNIX_MODULE
60870 -+EXPORT_SYMBOL(gr_acl_handle_unix);
60871 -+EXPORT_SYMBOL(gr_acl_handle_mknod);
60872 -+EXPORT_SYMBOL(gr_handle_chroot_unix);
60873 -+EXPORT_SYMBOL(gr_handle_create);
60874 -+#endif
60875 -+
60876 -+#ifdef CONFIG_GRKERNSEC
60877 -+#define gr_conn_table_size 32749
60878 -+struct conn_table_entry {
60879 -+ struct conn_table_entry *next;
60880 -+ struct signal_struct *sig;
60881 -+};
60882 -+
60883 -+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
60884 -+spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;
60885 -+
60886 -+extern const char * gr_socktype_to_name(unsigned char type);
60887 -+extern const char * gr_proto_to_name(unsigned char proto);
60888 -+
60889 -+static __inline__ int
60890 -+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
60891 -+{
60892 -+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
60893 -+}
60894 -+
60895 -+static __inline__ int
60896 -+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
60897 -+ __u16 sport, __u16 dport)
60898 -+{
60899 -+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
60900 -+ sig->gr_sport == sport && sig->gr_dport == dport))
60901 -+ return 1;
60902 -+ else
60903 -+ return 0;
60904 -+}
60905 -+
60906 -+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
60907 -+{
60908 -+ struct conn_table_entry **match;
60909 -+ unsigned int index;
60910 -+
60911 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60912 -+ sig->gr_sport, sig->gr_dport,
60913 -+ gr_conn_table_size);
60914 -+
60915 -+ newent->sig = sig;
60916 -+
60917 -+ match = &gr_conn_table[index];
60918 -+ newent->next = *match;
60919 -+ *match = newent;
60920 -+
60921 -+ return;
60922 -+}
60923 -+
60924 -+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
60925 -+{
60926 -+ struct conn_table_entry *match, *last = NULL;
60927 -+ unsigned int index;
60928 -+
60929 -+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60930 -+ sig->gr_sport, sig->gr_dport,
60931 -+ gr_conn_table_size);
60932 -+
60933 -+ match = gr_conn_table[index];
60934 -+ while (match && !conn_match(match->sig,
60935 -+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
60936 -+ sig->gr_dport)) {
60937 -+ last = match;
60938 -+ match = match->next;
60939 -+ }
60940 -+
60941 -+ if (match) {
60942 -+ if (last)
60943 -+ last->next = match->next;
60944 -+ else
60945 -+ gr_conn_table[index] = NULL;
60946 -+ kfree(match);
60947 -+ }
60948 -+
60949 -+ return;
60950 -+}
60951 -+
60952 -+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
60953 -+ __u16 sport, __u16 dport)
60954 -+{
60955 -+ struct conn_table_entry *match;
60956 -+ unsigned int index;
60957 -+
60958 -+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
60959 -+
60960 -+ match = gr_conn_table[index];
60961 -+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
60962 -+ match = match->next;
60963 -+
60964 -+ if (match)
60965 -+ return match->sig;
60966 -+ else
60967 -+ return NULL;
60968 -+}
60969 -+
60970 -+#endif
60971 -+
60972 -+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
60973 -+{
60974 -+#ifdef CONFIG_GRKERNSEC
60975 -+ struct signal_struct *sig = task->signal;
60976 -+ struct conn_table_entry *newent;
60977 -+
60978 -+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
60979 -+ if (newent == NULL)
60980 -+ return;
60981 -+ /* no bh lock needed since we are called with bh disabled */
60982 -+ spin_lock(&gr_conn_table_lock);
60983 -+ gr_del_task_from_ip_table_nolock(sig);
60984 -+ sig->gr_saddr = inet->rcv_saddr;
60985 -+ sig->gr_daddr = inet->daddr;
60986 -+ sig->gr_sport = inet->sport;
60987 -+ sig->gr_dport = inet->dport;
60988 -+ gr_add_to_task_ip_table_nolock(sig, newent);
60989 -+ spin_unlock(&gr_conn_table_lock);
60990 -+#endif
60991 -+ return;
60992 -+}
60993 -+
60994 -+void gr_del_task_from_ip_table(struct task_struct *task)
60995 -+{
60996 -+#ifdef CONFIG_GRKERNSEC
60997 -+ spin_lock(&gr_conn_table_lock);
60998 -+ gr_del_task_from_ip_table_nolock(task->signal);
60999 -+ spin_unlock(&gr_conn_table_lock);
61000 -+#endif
61001 -+ return;
61002 -+}
61003 -+
61004 -+void
61005 -+gr_attach_curr_ip(const struct sock *sk)
61006 -+{
61007 -+#ifdef CONFIG_GRKERNSEC
61008 -+ struct signal_struct *p, *set;
61009 -+ const struct inet_sock *inet = inet_sk(sk);
61010 -+
61011 -+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
61012 -+ return;
61013 -+
61014 -+ set = current->signal;
61015 -+
61016 -+ spin_lock_bh(&gr_conn_table_lock);
61017 -+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
61018 -+ inet->dport, inet->sport);
61019 -+ if (unlikely(p != NULL)) {
61020 -+ set->curr_ip = p->curr_ip;
61021 -+ set->used_accept = 1;
61022 -+ gr_del_task_from_ip_table_nolock(p);
61023 -+ spin_unlock_bh(&gr_conn_table_lock);
61024 -+ return;
61025 -+ }
61026 -+ spin_unlock_bh(&gr_conn_table_lock);
61027 -+
61028 -+ set->curr_ip = inet->daddr;
61029 -+ set->used_accept = 1;
61030 -+#endif
61031 -+ return;
61032 -+}
61033 -+
61034 -+int
61035 -+gr_handle_sock_all(const int family, const int type, const int protocol)
61036 -+{
61037 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
61038 -+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
61039 -+ (family != AF_UNIX) && (family != AF_LOCAL)) {
61040 -+ gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
61041 -+ return -EACCES;
61042 -+ }
61043 -+#endif
61044 -+ return 0;
61045 -+}
61046 -+
61047 -+int
61048 -+gr_handle_sock_server(const struct sockaddr *sck)
61049 -+{
61050 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61051 -+ if (grsec_enable_socket_server &&
61052 -+ in_group_p(grsec_socket_server_gid) &&
61053 -+ sck && (sck->sa_family != AF_UNIX) &&
61054 -+ (sck->sa_family != AF_LOCAL)) {
61055 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
61056 -+ return -EACCES;
61057 -+ }
61058 -+#endif
61059 -+ return 0;
61060 -+}
61061 -+
61062 -+int
61063 -+gr_handle_sock_server_other(const struct sock *sck)
61064 -+{
61065 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61066 -+ if (grsec_enable_socket_server &&
61067 -+ in_group_p(grsec_socket_server_gid) &&
61068 -+ sck && (sck->sk_family != AF_UNIX) &&
61069 -+ (sck->sk_family != AF_LOCAL)) {
61070 -+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
61071 -+ return -EACCES;
61072 -+ }
61073 -+#endif
61074 -+ return 0;
61075 -+}
61076 -+
61077 -+int
61078 -+gr_handle_sock_client(const struct sockaddr *sck)
61079 -+{
61080 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
61081 -+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
61082 -+ sck && (sck->sa_family != AF_UNIX) &&
61083 -+ (sck->sa_family != AF_LOCAL)) {
61084 -+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
61085 -+ return -EACCES;
61086 -+ }
61087 -+#endif
61088 -+ return 0;
61089 -+}
61090 -+
61091 -+__u32
61092 -+gr_cap_rtnetlink(void)
61093 -+{
61094 -+#ifdef CONFIG_GRKERNSEC
61095 -+ if (!gr_acl_is_enabled())
61096 -+ return current->cap_effective;
61097 -+ else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
61098 -+ gr_task_is_capable(current, CAP_NET_ADMIN))
61099 -+ return current->cap_effective;
61100 -+ else
61101 -+ return 0;
61102 -+#else
61103 -+ return current->cap_effective;
61104 -+#endif
61105 -+}
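Review bot: `gr_del_task_from_ip_table_nolock` corrupts its bucket when the matching entry is the head of the chain: the branch `else gr_conn_table[index] = NULL;` drops every entry linked behind the head instead of unlinking only `match`. It should be `gr_conn_table[index] = match->next;` (equivalently, keep a `struct conn_table_entry **prev` and do `*prev = match->next` in both cases). The orphaned entries are never kfree'd, and subsequent `gr_lookup_task_ip_table` calls for those connections miss, so `gr_attach_curr_ip` falls back to `set->curr_ip = inet->daddr` for them and the accept-side attribution is lost. Style: `spinlock_t gr_conn_table_lock = SPIN_LOCK_UNLOCKED;` uses the deprecated initialiser; use `DEFINE_SPINLOCK(gr_conn_table_lock);`.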
61106 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_sysctl.c linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c
61107 ---- linux-2.6.23.15/grsecurity/grsec_sysctl.c 1970-01-01 01:00:00.000000000 +0100
61108 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_sysctl.c 2008-02-11 10:37:44.000000000 +0000
61109 -@@ -0,0 +1,456 @@
61110 -+#include <linux/kernel.h>
61111 -+#include <linux/sched.h>
61112 -+#include <linux/sysctl.h>
61113 -+#include <linux/grsecurity.h>
61114 -+#include <linux/grinternal.h>
61115 -+
61116 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61117 -+int grsec_modstop;
61118 -+#endif
61119 -+
61120 -+int
61121 -+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
61122 -+{
61123 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
61124 -+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & 002)) {
61125 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
61126 -+ return -EACCES;
61127 -+ }
61128 -+#endif
61129 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61130 -+ if (!strcmp(dirname, "grsecurity") && !strcmp(name, "disable_modules") &&
61131 -+ grsec_modstop && (op & 002)) {
61132 -+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
61133 -+ return -EACCES;
61134 -+ }
61135 -+#endif
61136 -+ return 0;
61137 -+}
61138 -+
61139 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
61140 -+enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL,
61141 -+GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT,
61142 -+GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM,
61143 -+GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS,
61144 -+GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS,
61145 -+GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
61146 -+GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID,
61147 -+GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG,
61148 -+GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_LOCK, GS_MODSTOP, GS_RESLOG};
61149 -+
61150 -+
61151 -+ctl_table grsecurity_table[] = {
61152 -+#ifdef CONFIG_GRKERNSEC_SYSCTL
61153 -+#ifdef CONFIG_GRKERNSEC_LINK
61154 -+ {
61155 -+ .ctl_name = GS_LINK,
61156 -+ .procname = "linking_restrictions",
61157 -+ .data = &grsec_enable_link,
61158 -+ .maxlen = sizeof(int),
61159 -+ .mode = 0600,
61160 -+ .proc_handler = &proc_dointvec,
61161 -+ },
61162 -+#endif
61163 -+#ifdef CONFIG_GRKERNSEC_FIFO
61164 -+ {
61165 -+ .ctl_name = GS_FIFO,
61166 -+ .procname = "fifo_restrictions",
61167 -+ .data = &grsec_enable_fifo,
61168 -+ .maxlen = sizeof(int),
61169 -+ .mode = 0600,
61170 -+ .proc_handler = &proc_dointvec,
61171 -+ },
61172 -+#endif
61173 -+#ifdef CONFIG_GRKERNSEC_EXECVE
61174 -+ {
61175 -+ .ctl_name = GS_EXECVE,
61176 -+ .procname = "execve_limiting",
61177 -+ .data = &grsec_enable_execve,
61178 -+ .maxlen = sizeof(int),
61179 -+ .mode = 0600,
61180 -+ .proc_handler = &proc_dointvec,
61181 -+ },
61182 -+#endif
61183 -+#ifdef CONFIG_GRKERNSEC_EXECLOG
61184 -+ {
61185 -+ .ctl_name = GS_EXECLOG,
61186 -+ .procname = "exec_logging",
61187 -+ .data = &grsec_enable_execlog,
61188 -+ .maxlen = sizeof(int),
61189 -+ .mode = 0600,
61190 -+ .proc_handler = &proc_dointvec,
61191 -+ },
61192 -+#endif
61193 -+#ifdef CONFIG_GRKERNSEC_SIGNAL
61194 -+ {
61195 -+ .ctl_name = GS_SIGNAL,
61196 -+ .procname = "signal_logging",
61197 -+ .data = &grsec_enable_signal,
61198 -+ .maxlen = sizeof(int),
61199 -+ .mode = 0600,
61200 -+ .proc_handler = &proc_dointvec,
61201 -+ },
61202 -+#endif
61203 -+#ifdef CONFIG_GRKERNSEC_FORKFAIL
61204 -+ {
61205 -+ .ctl_name = GS_FORKFAIL,
61206 -+ .procname = "forkfail_logging",
61207 -+ .data = &grsec_enable_forkfail,
61208 -+ .maxlen = sizeof(int),
61209 -+ .mode = 0600,
61210 -+ .proc_handler = &proc_dointvec,
61211 -+ },
61212 -+#endif
61213 -+#ifdef CONFIG_GRKERNSEC_TIME
61214 -+ {
61215 -+ .ctl_name = GS_TIME,
61216 -+ .procname = "timechange_logging",
61217 -+ .data = &grsec_enable_time,
61218 -+ .maxlen = sizeof(int),
61219 -+ .mode = 0600,
61220 -+ .proc_handler = &proc_dointvec,
61221 -+ },
61222 -+#endif
61223 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
61224 -+ {
61225 -+ .ctl_name = GS_CHROOT_SHMAT,
61226 -+ .procname = "chroot_deny_shmat",
61227 -+ .data = &grsec_enable_chroot_shmat,
61228 -+ .maxlen = sizeof(int),
61229 -+ .mode = 0600,
61230 -+ .proc_handler = &proc_dointvec,
61231 -+ },
61232 -+#endif
61233 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
61234 -+ {
61235 -+ .ctl_name = GS_CHROOT_UNIX,
61236 -+ .procname = "chroot_deny_unix",
61237 -+ .data = &grsec_enable_chroot_unix,
61238 -+ .maxlen = sizeof(int),
61239 -+ .mode = 0600,
61240 -+ .proc_handler = &proc_dointvec,
61241 -+ },
61242 -+#endif
61243 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
61244 -+ {
61245 -+ .ctl_name = GS_CHROOT_MNT,
61246 -+ .procname = "chroot_deny_mount",
61247 -+ .data = &grsec_enable_chroot_mount,
61248 -+ .maxlen = sizeof(int),
61249 -+ .mode = 0600,
61250 -+ .proc_handler = &proc_dointvec,
61251 -+ },
61252 -+#endif
61253 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
61254 -+ {
61255 -+ .ctl_name = GS_CHROOT_FCHDIR,
61256 -+ .procname = "chroot_deny_fchdir",
61257 -+ .data = &grsec_enable_chroot_fchdir,
61258 -+ .maxlen = sizeof(int),
61259 -+ .mode = 0600,
61260 -+ .proc_handler = &proc_dointvec,
61261 -+ },
61262 -+#endif
61263 -+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
61264 -+ {
61265 -+ .ctl_name = GS_CHROOT_DBL,
61266 -+ .procname = "chroot_deny_chroot",
61267 -+ .data = &grsec_enable_chroot_double,
61268 -+ .maxlen = sizeof(int),
61269 -+ .mode = 0600,
61270 -+ .proc_handler = &proc_dointvec,
61271 -+ },
61272 -+#endif
61273 -+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
61274 -+ {
61275 -+ .ctl_name = GS_CHROOT_PVT,
61276 -+ .procname = "chroot_deny_pivot",
61277 -+ .data = &grsec_enable_chroot_pivot,
61278 -+ .maxlen = sizeof(int),
61279 -+ .mode = 0600,
61280 -+ .proc_handler = &proc_dointvec,
61281 -+ },
61282 -+#endif
61283 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
61284 -+ {
61285 -+ .ctl_name = GS_CHROOT_CD,
61286 -+ .procname = "chroot_enforce_chdir",
61287 -+ .data = &grsec_enable_chroot_chdir,
61288 -+ .maxlen = sizeof(int),
61289 -+ .mode = 0600,
61290 -+ .proc_handler = &proc_dointvec,
61291 -+ },
61292 -+#endif
61293 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
61294 -+ {
61295 -+ .ctl_name = GS_CHROOT_CM,
61296 -+ .procname = "chroot_deny_chmod",
61297 -+ .data = &grsec_enable_chroot_chmod,
61298 -+ .maxlen = sizeof(int),
61299 -+ .mode = 0600,
61300 -+ .proc_handler = &proc_dointvec,
61301 -+ },
61302 -+#endif
61303 -+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
61304 -+ {
61305 -+ .ctl_name = GS_CHROOT_MK,
61306 -+ .procname = "chroot_deny_mknod",
61307 -+ .data = &grsec_enable_chroot_mknod,
61308 -+ .maxlen = sizeof(int),
61309 -+ .mode = 0600,
61310 -+ .proc_handler = &proc_dointvec,
61311 -+ },
61312 -+#endif
61313 -+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
61314 -+ {
61315 -+ .ctl_name = GS_CHROOT_NI,
61316 -+ .procname = "chroot_restrict_nice",
61317 -+ .data = &grsec_enable_chroot_nice,
61318 -+ .maxlen = sizeof(int),
61319 -+ .mode = 0600,
61320 -+ .proc_handler = &proc_dointvec,
61321 -+ },
61322 -+#endif
61323 -+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
61324 -+ {
61325 -+ .ctl_name = GS_CHROOT_EXECLOG,
61326 -+ .procname = "chroot_execlog",
61327 -+ .data = &grsec_enable_chroot_execlog,
61328 -+ .maxlen = sizeof(int),
61329 -+ .mode = 0600,
61330 -+ .proc_handler = &proc_dointvec,
61331 -+ },
61332 -+#endif
61333 -+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
61334 -+ {
61335 -+ .ctl_name = GS_CHROOT_CAPS,
61336 -+ .procname = "chroot_caps",
61337 -+ .data = &grsec_enable_chroot_caps,
61338 -+ .maxlen = sizeof(int),
61339 -+ .mode = 0600,
61340 -+ .proc_handler = &proc_dointvec,
61341 -+ },
61342 -+#endif
61343 -+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
61344 -+ {
61345 -+ .ctl_name = GS_CHROOT_SYSCTL,
61346 -+ .procname = "chroot_deny_sysctl",
61347 -+ .data = &grsec_enable_chroot_sysctl,
61348 -+ .maxlen = sizeof(int),
61349 -+ .mode = 0600,
61350 -+ .proc_handler = &proc_dointvec,
61351 -+ },
61352 -+#endif
61353 -+#ifdef CONFIG_GRKERNSEC_TPE
61354 -+ {
61355 -+ .ctl_name = GS_TPE,
61356 -+ .procname = "tpe",
61357 -+ .data = &grsec_enable_tpe,
61358 -+ .maxlen = sizeof(int),
61359 -+ .mode = 0600,
61360 -+ .proc_handler = &proc_dointvec,
61361 -+ },
61362 -+ {
61363 -+ .ctl_name = GS_TPE_GID,
61364 -+ .procname = "tpe_gid",
61365 -+ .data = &grsec_tpe_gid,
61366 -+ .maxlen = sizeof(int),
61367 -+ .mode = 0600,
61368 -+ .proc_handler = &proc_dointvec,
61369 -+ },
61370 -+#endif
61371 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
61372 -+ {
61373 -+ .ctl_name = GS_TPE_ALL,
61374 -+ .procname = "tpe_restrict_all",
61375 -+ .data = &grsec_enable_tpe_all,
61376 -+ .maxlen = sizeof(int),
61377 -+ .mode = 0600,
61378 -+ .proc_handler = &proc_dointvec,
61379 -+ },
61380 -+#endif
61381 -+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
61382 -+ {
61383 -+ .ctl_name = GS_SOCKET_ALL,
61384 -+ .procname = "socket_all",
61385 -+ .data = &grsec_enable_socket_all,
61386 -+ .maxlen = sizeof(int),
61387 -+ .mode = 0600,
61388 -+ .proc_handler = &proc_dointvec,
61389 -+ },
61390 -+ {
61391 -+ .ctl_name = GS_SOCKET_ALL_GID,
61392 -+ .procname = "socket_all_gid",
61393 -+ .data = &grsec_socket_all_gid,
61394 -+ .maxlen = sizeof(int),
61395 -+ .mode = 0600,
61396 -+ .proc_handler = &proc_dointvec,
61397 -+ },
61398 -+#endif
61399 -+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
61400 -+ {
61401 -+ .ctl_name = GS_SOCKET_CLIENT,
61402 -+ .procname = "socket_client",
61403 -+ .data = &grsec_enable_socket_client,
61404 -+ .maxlen = sizeof(int),
61405 -+ .mode = 0600,
61406 -+ .proc_handler = &proc_dointvec,
61407 -+ },
61408 -+ {
61409 -+ .ctl_name = GS_SOCKET_CLIENT_GID,
61410 -+ .procname = "socket_client_gid",
61411 -+ .data = &grsec_socket_client_gid,
61412 -+ .maxlen = sizeof(int),
61413 -+ .mode = 0600,
61414 -+ .proc_handler = &proc_dointvec,
61415 -+ },
61416 -+#endif
61417 -+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
61418 -+ {
61419 -+ .ctl_name = GS_SOCKET_SERVER,
61420 -+ .procname = "socket_server",
61421 -+ .data = &grsec_enable_socket_server,
61422 -+ .maxlen = sizeof(int),
61423 -+ .mode = 0600,
61424 -+ .proc_handler = &proc_dointvec,
61425 -+ },
61426 -+ {
61427 -+ .ctl_name = GS_SOCKET_SERVER_GID,
61428 -+ .procname = "socket_server_gid",
61429 -+ .data = &grsec_socket_server_gid,
61430 -+ .maxlen = sizeof(int),
61431 -+ .mode = 0600,
61432 -+ .proc_handler = &proc_dointvec,
61433 -+ },
61434 -+#endif
61435 -+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
61436 -+ {
61437 -+ .ctl_name = GS_GROUP,
61438 -+ .procname = "audit_group",
61439 -+ .data = &grsec_enable_group,
61440 -+ .maxlen = sizeof(int),
61441 -+ .mode = 0600,
61442 -+ .proc_handler = &proc_dointvec,
61443 -+ },
61444 -+ {
61445 -+ .ctl_name = GS_GID,
61446 -+ .procname = "audit_gid",
61447 -+ .data = &grsec_audit_gid,
61448 -+ .maxlen = sizeof(int),
61449 -+ .mode = 0600,
61450 -+ .proc_handler = &proc_dointvec,
61451 -+ },
61452 -+#endif
61453 -+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
61454 -+ {
61455 -+ .ctl_name = GS_ACHDIR,
61456 -+ .procname = "audit_chdir",
61457 -+ .data = &grsec_enable_chdir,
61458 -+ .maxlen = sizeof(int),
61459 -+ .mode = 0600,
61460 -+ .proc_handler = &proc_dointvec,
61461 -+ },
61462 -+#endif
61463 -+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
61464 -+ {
61465 -+ .ctl_name = GS_AMOUNT,
61466 -+ .procname = "audit_mount",
61467 -+ .data = &grsec_enable_mount,
61468 -+ .maxlen = sizeof(int),
61469 -+ .mode = 0600,
61470 -+ .proc_handler = &proc_dointvec,
61471 -+ },
61472 -+#endif
61473 -+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
61474 -+ {
61475 -+ .ctl_name = GS_AIPC,
61476 -+ .procname = "audit_ipc",
61477 -+ .data = &grsec_enable_audit_ipc,
61478 -+ .maxlen = sizeof(int),
61479 -+ .mode = 0600,
61480 -+ .proc_handler = &proc_dointvec,
61481 -+ },
61482 -+#endif
61483 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
61484 -+ {
61485 -+ .ctl_name = GS_TEXTREL,
61486 -+ .procname = "audit_textrel",
61487 -+ .data = &grsec_enable_audit_textrel,
61488 -+ .maxlen = sizeof(int),
61489 -+ .mode = 0600,
61490 -+ .proc_handler = &proc_dointvec,
61491 -+ },
61492 -+#endif
61493 -+#ifdef CONFIG_GRKERNSEC_DMESG
61494 -+ {
61495 -+ .ctl_name = GS_DMSG,
61496 -+ .procname = "dmesg",
61497 -+ .data = &grsec_enable_dmesg,
61498 -+ .maxlen = sizeof(int),
61499 -+ .mode = 0600,
61500 -+ .proc_handler = &proc_dointvec,
61501 -+ },
61502 -+#endif
61503 -+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
61504 -+ {
61505 -+ .ctl_name = GS_FINDTASK,
61506 -+ .procname = "chroot_findtask",
61507 -+ .data = &grsec_enable_chroot_findtask,
61508 -+ .maxlen = sizeof(int),
61509 -+ .mode = 0600,
61510 -+ .proc_handler = &proc_dointvec,
61511 -+ },
61512 -+#endif
61513 -+#ifdef CONFIG_GRKERNSEC_SHM
61514 -+ {
61515 -+ .ctl_name = GS_SHM,
61516 -+ .procname = "destroy_unused_shm",
61517 -+ .data = &grsec_enable_shm,
61518 -+ .maxlen = sizeof(int),
61519 -+ .mode = 0600,
61520 -+ .proc_handler = &proc_dointvec,
61521 -+ },
61522 -+#endif
61523 -+#ifdef CONFIG_GRKERNSEC_RESLOG
61524 -+ {
61525 -+ .ctl_name = GS_RESLOG,
61526 -+ .procname = "resource_logging",
61527 -+ .data = &grsec_resource_logging,
61528 -+ .maxlen = sizeof(int),
61529 -+ .mode = 0600,
61530 -+ .proc_handler = &proc_dointvec,
61531 -+ },
61532 -+#endif
61533 -+ {
61534 -+ .ctl_name = GS_LOCK,
61535 -+ .procname = "grsec_lock",
61536 -+ .data = &grsec_lock,
61537 -+ .maxlen = sizeof(int),
61538 -+ .mode = 0600,
61539 -+ .proc_handler = &proc_dointvec,
61540 -+ },
61541 -+#endif
61542 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61543 -+ {
61544 -+ .ctl_name = GS_MODSTOP,
61545 -+ .procname = "disable_modules",
61546 -+ .data = &grsec_modstop,
61547 -+ .maxlen = sizeof(int),
61548 -+ .mode = 0600,
61549 -+ .proc_handler = &proc_dointvec,
61550 -+ },
61551 -+#endif
61552 -+ { .ctl_name = 0 }
61553 -+};
61554 -+#endif
61555 -+
61556 -+int gr_check_modstop(void)
61557 -+{
61558 -+#ifdef CONFIG_GRKERNSEC_MODSTOP
61559 -+ if (grsec_modstop == 1) {
61560 -+ gr_log_noargs(GR_DONT_AUDIT, GR_STOPMOD_MSG);
61561 -+ return 1;
61562 -+ }
61563 -+#endif
61564 -+ return 0;
61565 -+}
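Review bot: the sysctl entries above register `proc_dointvec` with no `extra1`/`extra2` bounds, so any integer is accepted, yet `gr_check_modstop()` tests `grsec_modstop == 1` rather than non-zero; a write of 2 to `disable_modules` leaves module loading enabled while the knob reads as set. Either compare `if (grsec_modstop)` or switch the 0/1 toggles to `proc_dointvec_minmax` with limits of 0 and 1 so a toggle cannot be half-set.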
61566 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_textrel.c linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c
61567 ---- linux-2.6.23.15/grsecurity/grsec_textrel.c 1970-01-01 01:00:00.000000000 +0100
61568 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_textrel.c 2008-02-11 10:37:44.000000000 +0000
61569 -@@ -0,0 +1,16 @@
61570 -+#include <linux/kernel.h>
61571 -+#include <linux/sched.h>
61572 -+#include <linux/mm.h>
61573 -+#include <linux/file.h>
61574 -+#include <linux/grinternal.h>
61575 -+#include <linux/grsecurity.h>
61576 -+
61577 -+void
61578 -+gr_log_textrel(struct vm_area_struct * vma)
61579 -+{
61580 -+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
61581 -+ if (grsec_enable_audit_textrel)
61582 -+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
61583 -+#endif
61584 -+ return;
61585 -+}
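Review bot: `gr_log_textrel()` passes `vma->vm_file` to the logging call without a NULL check; an anonymous mapping has a NULL `vm_file`. If every caller guarantees a file-backed vma, say so in a comment; otherwise guard with `if (grsec_enable_audit_textrel && vma->vm_file)`.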
61586 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_time.c linux-2.6.23.15-grsec/grsecurity/grsec_time.c
61587 ---- linux-2.6.23.15/grsecurity/grsec_time.c 1970-01-01 01:00:00.000000000 +0100
61588 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_time.c 2008-02-11 10:37:44.000000000 +0000
61589 -@@ -0,0 +1,13 @@
61590 -+#include <linux/kernel.h>
61591 -+#include <linux/sched.h>
61592 -+#include <linux/grinternal.h>
61593 -+
61594 -+void
61595 -+gr_log_timechange(void)
61596 -+{
61597 -+#ifdef CONFIG_GRKERNSEC_TIME
61598 -+ if (grsec_enable_time)
61599 -+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
61600 -+#endif
61601 -+ return;
61602 -+}
61603 -diff -Nurp linux-2.6.23.15/grsecurity/grsec_tpe.c linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c
61604 ---- linux-2.6.23.15/grsecurity/grsec_tpe.c 1970-01-01 01:00:00.000000000 +0100
61605 -+++ linux-2.6.23.15-grsec/grsecurity/grsec_tpe.c 2008-02-11 10:37:44.000000000 +0000
61606 -@@ -0,0 +1,37 @@
61607 -+#include <linux/kernel.h>
61608 -+#include <linux/sched.h>
61609 -+#include <linux/file.h>
61610 -+#include <linux/fs.h>
61611 -+#include <linux/grinternal.h>
61612 -+
61613 -+extern int gr_acl_tpe_check(void);
61614 -+
61615 -+int
61616 -+gr_tpe_allow(const struct file *file)
61617 -+{
61618 -+#ifdef CONFIG_GRKERNSEC
61619 -+ struct inode *inode = file->f_dentry->d_parent->d_inode;
61620 -+
61621 -+ if (current->uid && ((grsec_enable_tpe &&
61622 -+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
61623 -+ !in_group_p(grsec_tpe_gid)
61624 -+#else
61625 -+ in_group_p(grsec_tpe_gid)
61626 -+#endif
61627 -+ ) || gr_acl_tpe_check()) &&
61628 -+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
61629 -+ (inode->i_mode & S_IWOTH))))) {
61630 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
61631 -+ return 0;
61632 -+ }
61633 -+#ifdef CONFIG_GRKERNSEC_TPE_ALL
61634 -+ if (current->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
61635 -+ ((inode->i_uid && (inode->i_uid != current->uid)) ||
61636 -+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
61637 -+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_dentry, file->f_vfsmnt);
61638 -+ return 0;
61639 -+ }
61640 -+#endif
61641 -+#endif
61642 -+ return 1;
61643 -+}
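Review bot: in `gr_tpe_allow()` the condition `(inode->i_uid || (!inode->i_uid && (...)))` carries a redundant `!inode->i_uid &&`, since that branch is only reached when `i_uid` is zero; `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))` is equivalent and easier to audit. The function also evaluates `file->f_dentry->d_parent->d_inode`, i.e. the parent directory rather than the file itself; a comment stating that TPE judges the directory's owner and group/other write bits would save the next reader a lookup.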
61644 -diff -Nurp linux-2.6.23.15/grsecurity/grsum.c linux-2.6.23.15-grsec/grsecurity/grsum.c
61645 ---- linux-2.6.23.15/grsecurity/grsum.c 1970-01-01 01:00:00.000000000 +0100
61646 -+++ linux-2.6.23.15-grsec/grsecurity/grsum.c 2008-02-11 10:37:44.000000000 +0000
61647 -@@ -0,0 +1,59 @@
61648 -+#include <linux/err.h>
61649 -+#include <linux/kernel.h>
61650 -+#include <linux/sched.h>
61651 -+#include <linux/mm.h>
61652 -+#include <linux/scatterlist.h>
61653 -+#include <linux/crypto.h>
61654 -+#include <linux/gracl.h>
61655 -+
61656 -+
61657 -+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
61658 -+#error "crypto and sha256 must be built into the kernel"
61659 -+#endif
61660 -+
61661 -+int
61662 -+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
61663 -+{
61664 -+ char *p;
61665 -+ struct crypto_hash *tfm;
61666 -+ struct hash_desc desc;
61667 -+ struct scatterlist sg;
61668 -+ unsigned char temp_sum[GR_SHA_LEN];
61669 -+ volatile int retval = 0;
61670 -+ volatile int dummy = 0;
61671 -+ unsigned int i;
61672 -+
61673 -+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
61674 -+ if (IS_ERR(tfm)) {
61675 -+ /* should never happen, since sha256 should be built in */
61676 -+ return 1;
61677 -+ }
61678 -+
61679 -+ desc.tfm = tfm;
61680 -+ desc.flags = 0;
61681 -+
61682 -+ crypto_hash_init(&desc);
61683 -+
61684 -+ p = salt;
61685 -+ sg_set_buf(&sg, p, GR_SALT_LEN);
61686 -+ crypto_hash_update(&desc, &sg, sg.length);
61687 -+
61688 -+ p = entry->pw;
61689 -+ sg_set_buf(&sg, p, strlen(p));
61690 -+
61691 -+ crypto_hash_update(&desc, &sg, sg.length);
61692 -+
61693 -+ crypto_hash_final(&desc, temp_sum);
61694 -+
61695 -+ memset(entry->pw, 0, GR_PW_LEN);
61696 -+
61697 -+ for (i = 0; i < GR_SHA_LEN; i++)
61698 -+ if (sum[i] != temp_sum[i])
61699 -+ retval = 1;
61700 -+ else
61701 -+ dummy = 1; // waste a cycle
61702 -+
61703 -+ crypto_free_hash(tfm);
61704 -+
61705 -+ return retval;
61706 -+}
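Review bot: `chkpw()` returns early when `crypto_alloc_hash()` fails without clearing `entry->pw`, so the cleartext password stays in memory on that path; move the `memset(entry->pw, 0, GR_PW_LEN)` ahead of the early return or repeat it there. The `volatile` `retval`/`dummy` loop still branches on `sum[i] != temp_sum[i]`, so its timing depends on the data; a branch-free accumulation such as `diff |= sum[i] ^ temp_sum[i]` followed by `return diff != 0` gives the intended constant-time comparison more reliably. The return values of `crypto_hash_init()`, `crypto_hash_update()` and `crypto_hash_final()` are also ignored, and `sg_set_buf(&sg, p, strlen(p))` relies on `entry->pw` being NUL-terminated within `GR_PW_LEN`; both deserve either a check or a comment.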
61707 -diff -Nurp linux-2.6.23.15/include/asm-alpha/a.out.h linux-2.6.23.15-grsec/include/asm-alpha/a.out.h
61708 ---- linux-2.6.23.15/include/asm-alpha/a.out.h 2007-10-09 21:31:38.000000000 +0100
61709 -+++ linux-2.6.23.15-grsec/include/asm-alpha/a.out.h 2008-02-11 10:37:44.000000000 +0000
61710 -@@ -98,7 +98,7 @@ struct exec
61711 - set_personality (((BFPM->sh_bang || EX.ah.entry < 0x100000000L \
61712 - ? ADDR_LIMIT_32BIT : 0) | PER_OSF4))
61713 -
61714 --#define STACK_TOP \
61715 -+#define __STACK_TOP \
61716 - (current->personality & ADDR_LIMIT_32BIT ? 0x80000000 : 0x00120000000UL)
61717 -
61718 - #define STACK_TOP_MAX 0x00120000000UL
61719 -diff -Nurp linux-2.6.23.15/include/asm-alpha/elf.h linux-2.6.23.15-grsec/include/asm-alpha/elf.h
61720 ---- linux-2.6.23.15/include/asm-alpha/elf.h 2007-10-09 21:31:38.000000000 +0100
61721 -+++ linux-2.6.23.15-grsec/include/asm-alpha/elf.h 2008-02-11 10:37:44.000000000 +0000
61722 -@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
61723 -
61724 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
61725 -
61726 -+#ifdef CONFIG_PAX_ASLR
61727 -+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
61728 -+
61729 -+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
61730 -+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
61731 -+#endif
61732 -+
61733 - /* $0 is set by ld.so to a pointer to a function which might be
61734 - registered using atexit. This provides a mean for the dynamic
61735 - linker to call DT_FINI functions for shared libraries that have
61736 -diff -Nurp linux-2.6.23.15/include/asm-alpha/kmap_types.h linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h
61737 ---- linux-2.6.23.15/include/asm-alpha/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61738 -+++ linux-2.6.23.15-grsec/include/asm-alpha/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61739 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
61740 - D(10) KM_IRQ1,
61741 - D(11) KM_SOFTIRQ0,
61742 - D(12) KM_SOFTIRQ1,
61743 --D(13) KM_TYPE_NR
61744 -+D(13) KM_CLEARPAGE,
61745 -+D(14) KM_TYPE_NR
61746 - };
61747 -
61748 - #undef D
61749 -diff -Nurp linux-2.6.23.15/include/asm-alpha/pgtable.h linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h
61750 ---- linux-2.6.23.15/include/asm-alpha/pgtable.h 2007-10-09 21:31:38.000000000 +0100
61751 -+++ linux-2.6.23.15-grsec/include/asm-alpha/pgtable.h 2008-02-11 10:37:44.000000000 +0000
61752 -@@ -101,6 +101,17 @@ struct vm_area_struct;
61753 - #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
61754 - #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
61755 - #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
61756 -+
61757 -+#ifdef CONFIG_PAX_PAGEEXEC
61758 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
61759 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
61760 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
61761 -+#else
61762 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
61763 -+# define PAGE_COPY_NOEXEC PAGE_COPY
61764 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
61765 -+#endif
61766 -+
61767 - #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
61768 -
61769 - #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
61770 -diff -Nurp linux-2.6.23.15/include/asm-arm/a.out.h linux-2.6.23.15-grsec/include/asm-arm/a.out.h
61771 ---- linux-2.6.23.15/include/asm-arm/a.out.h 2007-10-09 21:31:38.000000000 +0100
61772 -+++ linux-2.6.23.15-grsec/include/asm-arm/a.out.h 2008-02-11 10:37:44.000000000 +0000
61773 -@@ -28,7 +28,7 @@ struct exec
61774 - #define M_ARM 103
61775 -
61776 - #ifdef __KERNEL__
61777 --#define STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
61778 -+#define __STACK_TOP ((current->personality == PER_LINUX_32BIT) ? \
61779 - TASK_SIZE : TASK_SIZE_26)
61780 - #define STACK_TOP_MAX TASK_SIZE
61781 - #endif
61782 -diff -Nurp linux-2.6.23.15/include/asm-arm/elf.h linux-2.6.23.15-grsec/include/asm-arm/elf.h
61783 ---- linux-2.6.23.15/include/asm-arm/elf.h 2007-10-09 21:31:38.000000000 +0100
61784 -+++ linux-2.6.23.15-grsec/include/asm-arm/elf.h 2008-02-11 10:37:44.000000000 +0000
61785 -@@ -90,6 +90,13 @@ extern char elf_platform[];
61786 -
61787 - #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
61788 -
61789 -+#ifdef CONFIG_PAX_ASLR
61790 -+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
61791 -+
61792 -+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
61793 -+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
61794 -+#endif
61795 -+
61796 - /* When the program starts, a1 contains a pointer to a function to be
61797 - registered with atexit, as per the SVR4 ABI. A value of 0 means we
61798 - have no such handler. */
61799 -diff -Nurp linux-2.6.23.15/include/asm-arm/kmap_types.h linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h
61800 ---- linux-2.6.23.15/include/asm-arm/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61801 -+++ linux-2.6.23.15-grsec/include/asm-arm/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61802 -@@ -18,6 +18,7 @@ enum km_type {
61803 - KM_IRQ1,
61804 - KM_SOFTIRQ0,
61805 - KM_SOFTIRQ1,
61806 -+ KM_CLEARPAGE,
61807 - KM_TYPE_NR
61808 - };
61809 -
61810 -diff -Nurp linux-2.6.23.15/include/asm-avr32/a.out.h linux-2.6.23.15-grsec/include/asm-avr32/a.out.h
61811 ---- linux-2.6.23.15/include/asm-avr32/a.out.h 2007-10-09 21:31:38.000000000 +0100
61812 -+++ linux-2.6.23.15-grsec/include/asm-avr32/a.out.h 2008-02-11 10:37:44.000000000 +0000
61813 -@@ -19,8 +19,8 @@ struct exec
61814 -
61815 - #ifdef __KERNEL__
61816 -
61817 --#define STACK_TOP TASK_SIZE
61818 --#define STACK_TOP_MAX STACK_TOP
61819 -+#define __STACK_TOP TASK_SIZE
61820 -+#define STACK_TOP_MAX __STACK_TOP
61821 -
61822 - #endif
61823 -
61824 -diff -Nurp linux-2.6.23.15/include/asm-avr32/elf.h linux-2.6.23.15-grsec/include/asm-avr32/elf.h
61825 ---- linux-2.6.23.15/include/asm-avr32/elf.h 2007-10-09 21:31:38.000000000 +0100
61826 -+++ linux-2.6.23.15-grsec/include/asm-avr32/elf.h 2008-02-11 10:37:44.000000000 +0000
61827 -@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
61828 - the loader. We need to make sure that it is out of the way of the program
61829 - that it will "exec", and that there is sufficient room for the brk. */
61830 -
61831 --#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
61832 -+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
61833 -
61834 -+#ifdef CONFIG_PAX_ASLR
61835 -+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
61836 -+
61837 -+#define PAX_DELTA_MMAP_LEN 15
61838 -+#define PAX_DELTA_STACK_LEN 15
61839 -+#endif
61840 -
61841 - /* This yields a mask that user programs can use to figure out what
61842 - instruction set this CPU supports. This could be done in user space,
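Review bot: the rewrite of `ELF_ET_DYN_BASE` from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` is undocumented in the hunk; the reordering avoids overflow when `2 * TASK_SIZE` exceeds `unsigned long` on a 32-bit address space, so add a one-line comment, as the two forms are otherwise easy to "fix" back.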
61843 -diff -Nurp linux-2.6.23.15/include/asm-avr32/kmap_types.h linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h
61844 ---- linux-2.6.23.15/include/asm-avr32/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61845 -+++ linux-2.6.23.15-grsec/include/asm-avr32/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61846 -@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
61847 - D(11) KM_IRQ1,
61848 - D(12) KM_SOFTIRQ0,
61849 - D(13) KM_SOFTIRQ1,
61850 --D(14) KM_TYPE_NR
61851 -+D(14) KM_CLEARPAGE,
61852 -+D(15) KM_TYPE_NR
61853 - };
61854 -
61855 - #undef D
61856 -diff -Nurp linux-2.6.23.15/include/asm-blackfin/kmap_types.h linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h
61857 ---- linux-2.6.23.15/include/asm-blackfin/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61858 -+++ linux-2.6.23.15-grsec/include/asm-blackfin/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61859 -@@ -15,6 +15,7 @@ enum km_type {
61860 - KM_IRQ1,
61861 - KM_SOFTIRQ0,
61862 - KM_SOFTIRQ1,
61863 -+ KM_CLEARPAGE,
61864 - KM_TYPE_NR
61865 - };
61866 -
61867 -diff -Nurp linux-2.6.23.15/include/asm-cris/kmap_types.h linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h
61868 ---- linux-2.6.23.15/include/asm-cris/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61869 -+++ linux-2.6.23.15-grsec/include/asm-cris/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61870 -@@ -19,6 +19,7 @@ enum km_type {
61871 - KM_IRQ1,
61872 - KM_SOFTIRQ0,
61873 - KM_SOFTIRQ1,
61874 -+ KM_CLEARPAGE,
61875 - KM_TYPE_NR
61876 - };
61877 -
61878 -diff -Nurp linux-2.6.23.15/include/asm-frv/kmap_types.h linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h
61879 ---- linux-2.6.23.15/include/asm-frv/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61880 -+++ linux-2.6.23.15-grsec/include/asm-frv/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61881 -@@ -23,6 +23,7 @@ enum km_type {
61882 - KM_IRQ1,
61883 - KM_SOFTIRQ0,
61884 - KM_SOFTIRQ1,
61885 -+ KM_CLEARPAGE,
61886 - KM_TYPE_NR
61887 - };
61888 -
61889 -diff -Nurp linux-2.6.23.15/include/asm-generic/futex.h linux-2.6.23.15-grsec/include/asm-generic/futex.h
61890 ---- linux-2.6.23.15/include/asm-generic/futex.h 2007-10-09 21:31:38.000000000 +0100
61891 -+++ linux-2.6.23.15-grsec/include/asm-generic/futex.h 2008-02-11 10:37:44.000000000 +0000
61892 -@@ -8,7 +8,7 @@
61893 - #include <asm/uaccess.h>
61894 -
61895 - static inline int
61896 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
61897 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
61898 - {
61899 - int op = (encoded_op >> 28) & 7;
61900 - int cmp = (encoded_op >> 24) & 15;
61901 -@@ -50,7 +50,7 @@ futex_atomic_op_inuser (int encoded_op,
61902 - }
61903 -
61904 - static inline int
61905 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
61906 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
61907 - {
61908 - return -ENOSYS;
61909 - }
61910 -diff -Nurp linux-2.6.23.15/include/asm-generic/vmlinux.lds.h linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h
61911 ---- linux-2.6.23.15/include/asm-generic/vmlinux.lds.h 2007-10-09 21:31:38.000000000 +0100
61912 -+++ linux-2.6.23.15-grsec/include/asm-generic/vmlinux.lds.h 2008-02-11 10:37:44.000000000 +0000
61913 -@@ -19,6 +19,7 @@
61914 - .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
61915 - VMLINUX_SYMBOL(__start_rodata) = .; \
61916 - *(.rodata) *(.rodata.*) \
61917 -+ *(.data.read_only) \
61918 - *(__vermagic) /* Kernel version magic */ \
61919 - } \
61920 - \
61921 -diff -Nurp linux-2.6.23.15/include/asm-h8300/kmap_types.h linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h
61922 ---- linux-2.6.23.15/include/asm-h8300/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
61923 -+++ linux-2.6.23.15-grsec/include/asm-h8300/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
61924 -@@ -15,6 +15,7 @@ enum km_type {
61925 - KM_IRQ1,
61926 - KM_SOFTIRQ0,
61927 - KM_SOFTIRQ1,
61928 -+ KM_CLEARPAGE,
61929 - KM_TYPE_NR
61930 - };
61931 -
61932 -diff -Nurp linux-2.6.23.15/include/asm-i386/a.out.h linux-2.6.23.15-grsec/include/asm-i386/a.out.h
61933 ---- linux-2.6.23.15/include/asm-i386/a.out.h 2007-10-09 21:31:38.000000000 +0100
61934 -+++ linux-2.6.23.15-grsec/include/asm-i386/a.out.h 2008-02-11 10:37:44.000000000 +0000
61935 -@@ -19,8 +19,13 @@ struct exec
61936 -
61937 - #ifdef __KERNEL__
61938 -
61939 --#define STACK_TOP TASK_SIZE
61940 --#define STACK_TOP_MAX STACK_TOP
61941 -+#ifdef CONFIG_PAX_SEGMEXEC
61942 -+#define __STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?TASK_SIZE/2:TASK_SIZE)
61943 -+#else
61944 -+#define __STACK_TOP TASK_SIZE
61945 -+#endif
61946 -+
61947 -+#define STACK_TOP_MAX TASK_SIZE
61948 -
61949 - #endif
61950 -
61951 -diff -Nurp linux-2.6.23.15/include/asm-i386/alternative.h linux-2.6.23.15-grsec/include/asm-i386/alternative.h
61952 ---- linux-2.6.23.15/include/asm-i386/alternative.h 2007-10-09 21:31:38.000000000 +0100
61953 -+++ linux-2.6.23.15-grsec/include/asm-i386/alternative.h 2008-02-11 10:37:44.000000000 +0000
61954 -@@ -54,7 +54,7 @@ static inline void alternatives_smp_swit
61955 - " .byte 662b-661b\n" /* sourcelen */ \
61956 - " .byte 664f-663f\n" /* replacementlen */ \
61957 - ".previous\n" \
61958 -- ".section .altinstr_replacement,\"ax\"\n" \
61959 -+ ".section .altinstr_replacement,\"a\"\n" \
61960 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
61961 - ".previous" :: "i" (feature) : "memory")
61962 -
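Review bot: dropping the `x` flag from `.altinstr_replacement` (`"ax"` to `"a"`) changes the section's attributes with no explanation in the hunk. The replacement bytes are copied into place rather than executed where they sit, so a comment saying so, and confirming that the linker script keeps this section out of the executable region, should accompany this and the two identical hunks below.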
61963 -@@ -78,7 +78,7 @@ static inline void alternatives_smp_swit
61964 - " .byte 662b-661b\n" /* sourcelen */ \
61965 - " .byte 664f-663f\n" /* replacementlen */ \
61966 - ".previous\n" \
61967 -- ".section .altinstr_replacement,\"ax\"\n" \
61968 -+ ".section .altinstr_replacement,\"a\"\n" \
61969 - "663:\n\t" newinstr "\n664:\n" /* replacement */\
61970 - ".previous" :: "i" (feature), ##input)
61971 -
61972 -@@ -93,7 +93,7 @@ static inline void alternatives_smp_swit
61973 - " .byte 662b-661b\n" /* sourcelen */ \
61974 - " .byte 664f-663f\n" /* replacementlen */ \
61975 - ".previous\n" \
61976 -- ".section .altinstr_replacement,\"ax\"\n" \
61977 -+ ".section .altinstr_replacement,\"a\"\n" \
61978 - "663:\n\t" newinstr "\n664:\n" /* replacement */ \
61979 - ".previous" : output : [feat] "i" (feature), ##input)
61980 -
61981 -diff -Nurp linux-2.6.23.15/include/asm-i386/apic.h linux-2.6.23.15-grsec/include/asm-i386/apic.h
61982 ---- linux-2.6.23.15/include/asm-i386/apic.h 2007-10-09 21:31:38.000000000 +0100
61983 -+++ linux-2.6.23.15-grsec/include/asm-i386/apic.h 2008-02-11 10:37:44.000000000 +0000
61984 -@@ -8,7 +8,7 @@
61985 - #include <asm/processor.h>
61986 - #include <asm/system.h>
61987 -
61988 --#define Dprintk(x...)
61989 -+#define Dprintk(x...) do {} while (0)
61990 -
61991 - /*
61992 - * Debugging macros
61993 -diff -Nurp linux-2.6.23.15/include/asm-i386/cache.h linux-2.6.23.15-grsec/include/asm-i386/cache.h
61994 ---- linux-2.6.23.15/include/asm-i386/cache.h 2007-10-09 21:31:38.000000000 +0100
61995 -+++ linux-2.6.23.15-grsec/include/asm-i386/cache.h 2008-02-11 10:37:44.000000000 +0000
61996 -@@ -10,5 +10,6 @@
61997 - #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
61998 -
61999 - #define __read_mostly __attribute__((__section__(".data.read_mostly")))
62000 -+#define __read_only __attribute__((__section__(".data.read_only")))
62001 -
62002 - #endif
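Review bot: `__read_only` has no comment describing its contract; together with the `*(.data.read_only)` line added to `.rodata` in `vmlinux.lds.h` above, a variable tagged this way ends up in read-only memory, so any store to it after boot needs the KERNEXEC `pax_open_kernel`/`pax_close_kernel` pair. Document that beside the define.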
62003 -diff -Nurp linux-2.6.23.15/include/asm-i386/checksum.h linux-2.6.23.15-grsec/include/asm-i386/checksum.h
62004 ---- linux-2.6.23.15/include/asm-i386/checksum.h 2007-10-09 21:31:38.000000000 +0100
62005 -+++ linux-2.6.23.15-grsec/include/asm-i386/checksum.h 2008-02-11 10:37:44.000000000 +0000
62006 -@@ -30,6 +30,12 @@ asmlinkage __wsum csum_partial(const voi
62007 - asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
62008 - int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62009 -
62010 -+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
62011 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62012 -+
62013 -+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
62014 -+ int len, __wsum sum, int *src_err_ptr, int *dst_err_ptr);
62015 -+
62016 - /*
62017 - * Note: when you get a NULL pointer exception here this means someone
62018 - * passed in an incorrect kernel address to one of these functions.
62019 -@@ -49,7 +55,7 @@ __wsum csum_partial_copy_from_user(const
62020 - int len, __wsum sum, int *err_ptr)
62021 - {
62022 - might_sleep();
62023 -- return csum_partial_copy_generic((__force void *)src, dst,
62024 -+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
62025 - len, sum, err_ptr, NULL);
62026 - }
62027 -
62028 -@@ -180,7 +186,7 @@ static __inline__ __wsum csum_and_copy_t
62029 - {
62030 - might_sleep();
62031 - if (access_ok(VERIFY_WRITE, dst, len))
62032 -- return csum_partial_copy_generic(src, (__force void *)dst, len, sum, NULL, err_ptr);
62033 -+ return csum_partial_copy_generic_to_user(src, (__force void *)dst, len, sum, NULL, err_ptr);
62034 -
62035 - if (len)
62036 - *err_ptr = -EFAULT;
62037 -diff -Nurp linux-2.6.23.15/include/asm-i386/desc.h linux-2.6.23.15-grsec/include/asm-i386/desc.h
62038 ---- linux-2.6.23.15/include/asm-i386/desc.h 2007-10-09 21:31:38.000000000 +0100
62039 -+++ linux-2.6.23.15-grsec/include/asm-i386/desc.h 2008-02-11 10:37:44.000000000 +0000
62040 -@@ -7,26 +7,22 @@
62041 - #ifndef __ASSEMBLY__
62042 -
62043 - #include <linux/preempt.h>
62044 --#include <linux/smp.h>
62045 - #include <linux/percpu.h>
62046 -+#include <linux/smp.h>
62047 -
62048 - #include <asm/mmu.h>
62049 -
62050 -+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
62051 -+
62052 - struct Xgt_desc_struct {
62053 - unsigned short size;
62054 -- unsigned long address __attribute__((packed));
62055 -+ struct desc_struct *address __attribute__((packed));
62056 - unsigned short pad;
62057 - } __attribute__ ((packed));
62058 -
62059 --struct gdt_page
62060 --{
62061 -- struct desc_struct gdt[GDT_ENTRIES];
62062 --} __attribute__((aligned(PAGE_SIZE)));
62063 --DECLARE_PER_CPU(struct gdt_page, gdt_page);
62064 --
62065 - static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
62066 - {
62067 -- return per_cpu(gdt_page, cpu).gdt;
62068 -+ return cpu_gdt_table[cpu];
62069 - }
62070 -
62071 - extern struct Xgt_desc_struct idt_descr;
62072 -@@ -81,8 +77,20 @@ static inline void pack_gate(__u32 *a, _
62073 - static inline void write_dt_entry(struct desc_struct *dt,
62074 - int entry, u32 entry_low, u32 entry_high)
62075 - {
62076 -+
62077 -+#ifdef CONFIG_PAX_KERNEXEC
62078 -+ unsigned long cr0;
62079 -+
62080 -+ pax_open_kernel(cr0);
62081 -+#endif
62082 -+
62083 - dt[entry].a = entry_low;
62084 - dt[entry].b = entry_high;
62085 -+
62086 -+#ifdef CONFIG_PAX_KERNEXEC
62087 -+ pax_close_kernel(cr0);
62088 -+#endif
62089 -+
62090 - }
62091 -
62092 - static inline void native_set_ldt(const void *addr, unsigned int entries)
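Review bot: `write_dt_entry()` now opens a window between `pax_open_kernel(cr0)` and `pax_close_kernel(cr0)` in which otherwise read-only kernel memory is writable; the two stores in between are short, but nothing in the hunk shows preemption or interrupts being held off, so confirm that `pax_open_kernel()` does this itself or that every caller runs with preemption disabled. The same applies to the `native_load_tls()` hunk below.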
62093 -@@ -139,8 +147,19 @@ static inline void native_load_tls(struc
62094 - unsigned int i;
62095 - struct desc_struct *gdt = get_cpu_gdt_table(cpu);
62096 -
62097 -+#ifdef CONFIG_PAX_KERNEXEC
62098 -+ unsigned long cr0;
62099 -+
62100 -+ pax_open_kernel(cr0);
62101 -+#endif
62102 -+
62103 - for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
62104 - gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
62105 -+
62106 -+#ifdef CONFIG_PAX_KERNEXEC
62107 -+ pax_close_kernel(cr0);
62108 -+#endif
62109 -+
62110 - }
62111 -
62112 - static inline void _set_gate(int gate, unsigned int type, void *addr, unsigned short seg)
62113 -@@ -175,7 +194,7 @@ static inline void __set_tss_desc(unsign
62114 - ((info)->seg_32bit << 22) | \
62115 - ((info)->limit_in_pages << 23) | \
62116 - ((info)->useable << 20) | \
62117 -- 0x7000)
62118 -+ 0x7100)
62119 -
62120 - #define LDT_empty(info) (\
62121 - (info)->base_addr == 0 && \
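Review bot: the change from `0x7000` to `0x7100` in the LDT descriptor macro is an unexplained magic number. Bit 8 of the descriptor's high dword is the segment's accessed bit, so pre-setting it keeps the CPU from writing the descriptor when the segment is first loaded, which matters once descriptor tables live in read-only memory; spell that out in a comment or use a named constant.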
62122 -@@ -207,15 +226,25 @@ static inline void load_LDT(mm_context_t
62123 - preempt_enable();
62124 - }
62125 -
62126 --static inline unsigned long get_desc_base(unsigned long *desc)
62127 -+static inline unsigned long get_desc_base(struct desc_struct *desc)
62128 - {
62129 - unsigned long base;
62130 -- base = ((desc[0] >> 16) & 0x0000ffff) |
62131 -- ((desc[1] << 16) & 0x00ff0000) |
62132 -- (desc[1] & 0xff000000);
62133 -+ base = ((desc->a >> 16) & 0x0000ffff) |
62134 -+ ((desc->b << 16) & 0x00ff0000) |
62135 -+ (desc->b & 0xff000000);
62136 - return base;
62137 - }
62138 -
62139 -+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
62140 -+{
62141 -+ __u32 a, b;
62142 -+
62143 -+ if (likely(limit))
62144 -+ limit = (limit - 1UL) >> PAGE_SHIFT;
62145 -+ pack_descriptor(&a, &b, base, limit, 0xFB, 0xC);
62146 -+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, a, b);
62147 -+}
62148 -+
62149 - #else /* __ASSEMBLY__ */
62150 -
62151 - /*
62152 -diff -Nurp linux-2.6.23.15/include/asm-i386/elf.h linux-2.6.23.15-grsec/include/asm-i386/elf.h
62153 ---- linux-2.6.23.15/include/asm-i386/elf.h 2007-10-09 21:31:38.000000000 +0100
62154 -+++ linux-2.6.23.15-grsec/include/asm-i386/elf.h 2008-02-11 10:37:44.000000000 +0000
62155 -@@ -73,7 +73,18 @@ typedef struct user_fxsr_struct elf_fpxr
62156 - the loader. We need to make sure that it is out of the way of the program
62157 - that it will "exec", and that there is sufficient room for the brk. */
62158 -
62159 -+#ifdef CONFIG_PAX_SEGMEXEC
62160 -+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
62161 -+#else
62162 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
62163 -+#endif
62164 -+
62165 -+#ifdef CONFIG_PAX_ASLR
62166 -+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
62167 -+
62168 -+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
62169 -+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
62170 -+#endif
62171 -
62172 - /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
62173 - now struct_user_regs, they are different) */
62174 -@@ -131,7 +142,7 @@ extern int dump_task_extended_fpu (struc
62175 - #define ELF_CORE_COPY_XFPREGS(tsk, elf_xfpregs) dump_task_extended_fpu(tsk, elf_xfpregs)
62176 -
62177 - #define VDSO_HIGH_BASE (__fix_to_virt(FIX_VDSO))
62178 --#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
62179 -+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
62180 - #define VDSO_PRELINK 0
62181 -
62182 - #define VDSO_SYM(x) \
62183 -diff -Nurp linux-2.6.23.15/include/asm-i386/futex.h linux-2.6.23.15-grsec/include/asm-i386/futex.h
62184 ---- linux-2.6.23.15/include/asm-i386/futex.h 2007-10-09 21:31:38.000000000 +0100
62185 -+++ linux-2.6.23.15-grsec/include/asm-i386/futex.h 2008-02-11 10:37:44.000000000 +0000
62186 -@@ -11,8 +11,11 @@
62187 -
62188 - #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
62189 - __asm__ __volatile ( \
62190 -+ "movw %w6, %%ds\n"\
62191 - "1: " insn "\n" \
62192 --"2: .section .fixup,\"ax\"\n\
62193 -+"2: pushl %%ss\n\
62194 -+ popl %%ds\n\
62195 -+ .section .fixup,\"ax\"\n\
62196 - 3: mov %3, %1\n\
62197 - jmp 2b\n\
62198 - .previous\n\
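Review bot: `__futex_atomic_op1` now loads `%ds` from `__USER_DS` and restores it with `pushl %%ss; popl %%ds` at label 2, which the fixup at label 3 jumps back to, so a fault cannot leave `%ds` pointing at the user segment. The macro therefore assumes `%ss` holds the kernel data selector at every call site, and that assumption is stated nowhere; add it as a comment on the macro (and on `__futex_atomic_op2`, which does the same with `%es`).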
62199 -@@ -21,16 +24,19 @@
62200 - .long 1b,3b\n\
62201 - .previous" \
62202 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
62203 -- : "i" (-EFAULT), "0" (oparg), "1" (0))
62204 -+ : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
62205 -
62206 - #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
62207 - __asm__ __volatile ( \
62208 --"1: movl %2, %0\n\
62209 -+" movw %w7, %%es\n\
62210 -+1: movl %%es:%2, %0\n\
62211 - movl %0, %3\n" \
62212 - insn "\n" \
62213 --"2: " LOCK_PREFIX "cmpxchgl %3, %2\n\
62214 -+"2: " LOCK_PREFIX "cmpxchgl %3, %%es:%2\n\
62215 - jnz 1b\n\
62216 --3: .section .fixup,\"ax\"\n\
62217 -+3: pushl %%ss\n\
62218 -+ popl %%es\n\
62219 -+ .section .fixup,\"ax\"\n\
62220 - 4: mov %5, %1\n\
62221 - jmp 3b\n\
62222 - .previous\n\
62223 -@@ -40,10 +46,10 @@
62224 - .previous" \
62225 - : "=&a" (oldval), "=&r" (ret), "+m" (*uaddr), \
62226 - "=&r" (tem) \
62227 -- : "r" (oparg), "i" (-EFAULT), "1" (0))
62228 -+ : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
62229 -
62230 - static inline int
62231 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
62232 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
62233 - {
62234 - int op = (encoded_op >> 28) & 7;
62235 - int cmp = (encoded_op >> 24) & 15;
62236 -@@ -59,7 +65,7 @@ futex_atomic_op_inuser (int encoded_op,
62237 - pagefault_disable();
62238 -
62239 - if (op == FUTEX_OP_SET)
62240 -- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
62241 -+ __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
62242 - else {
62243 - #ifndef CONFIG_X86_BSWAP
62244 - if (boot_cpu_data.x86 == 3)
62245 -@@ -68,7 +74,7 @@ futex_atomic_op_inuser (int encoded_op,
62246 - #endif
62247 - switch (op) {
62248 - case FUTEX_OP_ADD:
62249 -- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret,
62250 -+ __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret,
62251 - oldval, uaddr, oparg);
62252 - break;
62253 - case FUTEX_OP_OR:
62254 -@@ -105,15 +111,17 @@ futex_atomic_op_inuser (int encoded_op,
62255 - }
62256 -
62257 - static inline int
62258 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
62259 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
62260 - {
62261 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
62262 - return -EFAULT;
62263 -
62264 - __asm__ __volatile__(
62265 -- "1: " LOCK_PREFIX "cmpxchgl %3, %1 \n"
62266 --
62267 -- "2: .section .fixup, \"ax\" \n"
62268 -+ " movw %w5, %%ds \n"
62269 -+ "1: " LOCK_PREFIX "cmpxchgl %3, %%ds:%1 \n"
62270 -+ "2: pushl %%ss \n"
62271 -+ " popl %%ds \n"
62272 -+ " .section .fixup, \"ax\" \n"
62273 - "3: mov %2, %0 \n"
62274 - " jmp 2b \n"
62275 - " .previous \n"
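Review bot: `futex_atomic_cmpxchg_inatomic()` changes `uaddr` to `u32 __user *`, but the `access_ok()` check still passes `sizeof(int)`; use `sizeof(*uaddr)` so the length tracks the pointer type.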
62276 -@@ -124,7 +132,7 @@ futex_atomic_cmpxchg_inatomic(int __user
62277 - " .previous \n"
62278 -
62279 - : "=a" (oldval), "+m" (*uaddr)
62280 -- : "i" (-EFAULT), "r" (newval), "0" (oldval)
62281 -+ : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
62282 - : "memory"
62283 - );
62284 -
62285 -diff -Nurp linux-2.6.23.15/include/asm-i386/i387.h linux-2.6.23.15-grsec/include/asm-i386/i387.h
62286 ---- linux-2.6.23.15/include/asm-i386/i387.h 2007-10-09 21:31:38.000000000 +0100
62287 -+++ linux-2.6.23.15-grsec/include/asm-i386/i387.h 2008-02-11 10:37:44.000000000 +0000
62288 -@@ -40,13 +40,8 @@ extern void kernel_fpu_begin(void);
62289 - #define kernel_fpu_end() do { stts(); preempt_enable(); } while(0)
62290 -
62291 - /* We need a safe address that is cheap to find and that is already
62292 -- in L1 during context switch. The best choices are unfortunately
62293 -- different for UP and SMP */
62294 --#ifdef CONFIG_SMP
62295 --#define safe_address (__per_cpu_offset[0])
62296 --#else
62297 --#define safe_address (kstat_cpu(0).cpustat.user)
62298 --#endif
62299 -+ in L1 during context switch. */
62300 -+#define safe_address (init_tss[smp_processor_id()].x86_tss.esp0)
62301 -
62302 - /*
62303 - * These must be called with preempt disabled
62304 -diff -Nurp linux-2.6.23.15/include/asm-i386/irqflags.h linux-2.6.23.15-grsec/include/asm-i386/irqflags.h
62305 ---- linux-2.6.23.15/include/asm-i386/irqflags.h 2007-10-09 21:31:38.000000000 +0100
62306 -+++ linux-2.6.23.15-grsec/include/asm-i386/irqflags.h 2008-02-11 10:37:44.000000000 +0000
62307 -@@ -108,6 +108,8 @@ static inline unsigned long __raw_local_
62308 - #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
62309 - #define INTERRUPT_RETURN iret
62310 - #define GET_CR0_INTO_EAX movl %cr0, %eax
62311 -+#define GET_CR0_INTO_EDX movl %cr0, %edx
62312 -+#define SET_CR0_FROM_EDX movl %edx, %cr0
62313 - #endif /* __ASSEMBLY__ */
62314 - #endif /* CONFIG_PARAVIRT */
62315 -
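Review bot: `GET_CR0_INTO_EDX` / `SET_CR0_FROM_EDX` are added only in the `!CONFIG_PARAVIRT` branch here; the paravirt.h hunk in this patch is cut right after `GET_CR0_INTO_EAX`, so the matching paravirt definitions are not visible in this diff. Any assembly that uses the new macros will fail to assemble on a CONFIG_PARAVIRT build unless they exist there too; please confirm or add them.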
62316 -diff -Nurp linux-2.6.23.15/include/asm-i386/kmap_types.h linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h
62317 ---- linux-2.6.23.15/include/asm-i386/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
62318 -+++ linux-2.6.23.15-grsec/include/asm-i386/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
62319 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
62320 - D(10) KM_IRQ1,
62321 - D(11) KM_SOFTIRQ0,
62322 - D(12) KM_SOFTIRQ1,
62323 --D(13) KM_TYPE_NR
62324 -+D(13) KM_CLEARPAGE,
62325 -+D(14) KM_TYPE_NR
62326 - };
62327 -
62328 - #undef D
62329 -diff -Nurp linux-2.6.23.15/include/asm-i386/mach-default/apm.h linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h
62330 ---- linux-2.6.23.15/include/asm-i386/mach-default/apm.h 2007-10-09 21:31:38.000000000 +0100
62331 -+++ linux-2.6.23.15-grsec/include/asm-i386/mach-default/apm.h 2008-02-11 10:37:44.000000000 +0000
62332 -@@ -36,7 +36,7 @@ static inline void apm_bios_call_asm(u32
62333 - __asm__ __volatile__(APM_DO_ZERO_SEGS
62334 - "pushl %%edi\n\t"
62335 - "pushl %%ebp\n\t"
62336 -- "lcall *%%cs:apm_bios_entry\n\t"
62337 -+ "lcall *%%ss:apm_bios_entry\n\t"
62338 - "setc %%al\n\t"
62339 - "popl %%ebp\n\t"
62340 - "popl %%edi\n\t"
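Review bot: the `%%cs:` to `%%ss:` override change needs a comment at the site. The likely reason is that with KERNEXEC the kernel code segment limit is reduced to cover only kernel text, so reading the `apm_bios_entry` far pointer (data) through %cs would fault, while %ss is still a flat kernel data segment; that assumption about %ss should be stated. The same edit is repeated in the next hunk and in paravirt.h, so one explanatory comment in segment.h with a reference from these sites would keep the rationale in one place.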
62341 -@@ -60,7 +60,7 @@ static inline u8 apm_bios_call_simple_as
62342 - __asm__ __volatile__(APM_DO_ZERO_SEGS
62343 - "pushl %%edi\n\t"
62344 - "pushl %%ebp\n\t"
62345 -- "lcall *%%cs:apm_bios_entry\n\t"
62346 -+ "lcall *%%ss:apm_bios_entry\n\t"
62347 - "setc %%bl\n\t"
62348 - "popl %%ebp\n\t"
62349 - "popl %%edi\n\t"
62350 -diff -Nurp linux-2.6.23.15/include/asm-i386/mman.h linux-2.6.23.15-grsec/include/asm-i386/mman.h
62351 ---- linux-2.6.23.15/include/asm-i386/mman.h 2007-10-09 21:31:38.000000000 +0100
62352 -+++ linux-2.6.23.15-grsec/include/asm-i386/mman.h 2008-02-11 10:37:44.000000000 +0000
62353 -@@ -14,4 +14,12 @@
62354 - #define MCL_CURRENT 1 /* lock all current mappings */
62355 - #define MCL_FUTURE 2 /* lock all future mappings */
62356 -
62357 -+#ifdef __KERNEL__
62358 -+#ifndef __ASSEMBLY__
62359 -+#define arch_mmap_check i386_mmap_check
62360 -+int i386_mmap_check(unsigned long addr, unsigned long len,
62361 -+ unsigned long flags);
62362 -+#endif
62363 -+#endif
62364 -+
62365 - #endif /* __I386_MMAN_H__ */
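Review bot: `arch_mmap_check` / `i386_mmap_check` is hooked in unconditionally (only `__KERNEL__` and `!__ASSEMBLY__` guard it), so the definition of `i386_mmap_check` must be compiled into every configuration, including ones with all PaX options off; if the check is only meaningful for the SEGMEXEC address-space split, guard the hook with that config symbol as well. A one-line comment saying what the check rejects (and what `flags` it looks at) would help callers and reviewers.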
62366 -diff -Nurp linux-2.6.23.15/include/asm-i386/mmu.h linux-2.6.23.15-grsec/include/asm-i386/mmu.h
62367 ---- linux-2.6.23.15/include/asm-i386/mmu.h 2007-10-09 21:31:38.000000000 +0100
62368 -+++ linux-2.6.23.15-grsec/include/asm-i386/mmu.h 2008-02-11 10:37:44.000000000 +0000
62369 -@@ -11,8 +11,19 @@
62370 - typedef struct {
62371 - int size;
62372 - struct semaphore sem;
62373 -- void *ldt;
62374 -- void *vdso;
62375 -+ struct desc_struct *ldt;
62376 -+ unsigned long vdso;
62377 -+
62378 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62379 -+ unsigned long user_cs_base;
62380 -+ unsigned long user_cs_limit;
62381 -+
62382 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
62383 -+ cpumask_t cpu_user_cs_mask;
62384 -+#endif
62385 -+
62386 -+#endif
62387 -+
62388 - } mm_context_t;
62389 -
62390 - #endif
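Review bot: the new `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` members are read by switch_mm() (mmu_context.h hunks of this patch) on every context switch, but their initialisation for a freshly created mm is not in this diff; make sure init_new_context() sets base/limit and clears the cpumask, otherwise the first switch to a new mm loads an uninitialised user CS descriptor. Changing `vdso` from `void *` to `unsigned long` and `ldt` from `void *` to `struct desc_struct *` also changes the type seen by every `mm->context.vdso` / `.ldt` user in the tree, so those call sites must be converted in the same patch.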
62391 -diff -Nurp linux-2.6.23.15/include/asm-i386/mmu_context.h linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h
62392 ---- linux-2.6.23.15/include/asm-i386/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
62393 -+++ linux-2.6.23.15-grsec/include/asm-i386/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
62394 -@@ -57,6 +57,22 @@ static inline void switch_mm(struct mm_s
62395 - */
62396 - if (unlikely(prev->context.ldt != next->context.ldt))
62397 - load_LDT_nolock(&next->context);
62398 -+
62399 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
62400 -+ if (!nx_enabled) {
62401 -+ smp_mb__before_clear_bit();
62402 -+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
62403 -+ smp_mb__after_clear_bit();
62404 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
62405 -+ }
62406 -+#endif
62407 -+
62408 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62409 -+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
62410 -+ prev->context.user_cs_limit != next->context.user_cs_limit))
62411 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
62412 -+#endif
62413 -+
62414 - }
62415 - #ifdef CONFIG_SMP
62416 - else {
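Review bot: in this path `set_user_cs()` is called whenever base/limit differ, with no test of `nx_enabled` or `MF_PAX_PAGEEXEC`, whereas the lazy-TLB path in the next hunk skips it for PAGEEXEC tasks on NX-capable hardware. If the unconditional reload here is intentional (the descriptor must also be right for SEGMEXEC tasks, which the `||` guard covers), a comment explaining the asymmetry would stop someone from "fixing" one side to match the other. Also, the clear of `prev`'s bit is fenced with smp_mb__before/after_clear_bit() while the `cpu_set` on `next` is not; state which ordering the reader of `cpu_user_cs_mask` (not visible here) relies on.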
62417 -@@ -69,6 +85,19 @@ static inline void switch_mm(struct mm_s
62418 - */
62419 - load_cr3(next->pgd);
62420 - load_LDT_nolock(&next->context);
62421 -+
62422 -+#ifdef CONFIG_PAX_PAGEEXEC
62423 -+ if (!nx_enabled)
62424 -+ cpu_set(cpu, next->context.cpu_user_cs_mask);
62425 -+#endif
62426 -+
62427 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
62428 -+#ifdef CONFIG_PAX_PAGEEXEC
62429 -+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
62430 -+#endif
62431 -+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
62432 -+#endif
62433 -+
62434 - }
62435 - }
62436 - #endif
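Review bot: the `#ifdef CONFIG_PAX_PAGEEXEC ... if (...) #endif` followed by `set_user_cs(...)` makes an `if` whose body is selected by the preprocessor; it reads as a dangling statement when PAGEEXEC is off and is easy to misread. Prefer a local flag computed under the `#ifdef` (`int reload = !((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled);`, defaulting to 1) or a small static inline shared by both switch_mm paths. The `cpu_set` here has no `CONFIG_SMP` guard, unlike the previous hunk; that is fine only because this whole `else` branch sits under `#ifdef CONFIG_SMP` (visible just before the previous hunk's end), so a comment would help.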
62437 -diff -Nurp linux-2.6.23.15/include/asm-i386/module.h linux-2.6.23.15-grsec/include/asm-i386/module.h
62438 ---- linux-2.6.23.15/include/asm-i386/module.h 2007-10-09 21:31:38.000000000 +0100
62439 -+++ linux-2.6.23.15-grsec/include/asm-i386/module.h 2008-02-11 10:37:44.000000000 +0000
62440 -@@ -70,6 +70,12 @@ struct mod_arch_specific
62441 - #define MODULE_STACKSIZE ""
62442 - #endif
62443 -
62444 --#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
62445 -+#ifdef CONFIG_GRKERNSEC
62446 -+#define MODULE_GRSEC "GRSECURTY "
62447 -+#else
62448 -+#define MODULE_GRSEC ""
62449 -+#endif
62450 -+
62451 -+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC
62452 -
62453 - #endif /* _ASM_I386_MODULE_H */
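Review bot: `"GRSECURTY "` in `MODULE_GRSEC` looks like a misspelling of GRSECURITY. Because the string becomes part of `MODULE_ARCH_VERMAGIC`, it is compared byte-for-byte at module load time and is effectively ABI: fix it before this ships, or, if it must match already-built modules, add a comment saying the spelling is intentional and must not change.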
62454 -diff -Nurp linux-2.6.23.15/include/asm-i386/page.h linux-2.6.23.15-grsec/include/asm-i386/page.h
62455 ---- linux-2.6.23.15/include/asm-i386/page.h 2007-10-09 21:31:38.000000000 +0100
62456 -+++ linux-2.6.23.15-grsec/include/asm-i386/page.h 2008-02-11 10:37:44.000000000 +0000
62457 -@@ -10,6 +10,7 @@
62458 - #define LARGE_PAGE_SIZE (1UL << PMD_SHIFT)
62459 -
62460 - #ifdef __KERNEL__
62461 -+#include <asm/boot.h>
62462 - #ifndef __ASSEMBLY__
62463 -
62464 - #ifdef CONFIG_X86_USE_3DNOW
62465 -@@ -90,7 +91,6 @@ static inline pte_t native_make_pte(unsi
62466 - typedef struct { unsigned long pte_low; } pte_t;
62467 - typedef struct { unsigned long pgd; } pgd_t;
62468 - typedef struct { unsigned long pgprot; } pgprot_t;
62469 --#define boot_pte_t pte_t /* or would you rather have a typedef */
62470 -
62471 - static inline unsigned long native_pgd_val(pgd_t pgd)
62472 - {
62473 -@@ -175,6 +175,18 @@ extern int page_is_ram(unsigned long pag
62474 - #define __PAGE_OFFSET ((unsigned long)CONFIG_PAGE_OFFSET)
62475 - #endif
62476 -
62477 -+#ifdef CONFIG_PAX_KERNEXEC
62478 -+#ifdef __ASSEMBLY__
62479 -+#define __KERNEL_TEXT_OFFSET (__PAGE_OFFSET + ((LOAD_PHYSICAL_ADDR + 6*1024*1024 - 1) & ~(4*1024*1024 - 1)))
62480 -+#else
62481 -+extern unsigned char KERNEL_TEXT_OFFSET[];
62482 -+#define __KERNEL_TEXT_OFFSET ((unsigned long)KERNEL_TEXT_OFFSET)
62483 -+extern unsigned char MODULES_VADDR[];
62484 -+extern unsigned char MODULES_END[];
62485 -+#endif
62486 -+#else
62487 -+#define __KERNEL_TEXT_OFFSET (0)
62488 -+#endif
62489 -
62490 - #define PAGE_OFFSET ((unsigned long)__PAGE_OFFSET)
62491 - #define VMALLOC_RESERVE ((unsigned long)__VMALLOC_RESERVE)
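Review bot: `__KERNEL_TEXT_OFFSET` has two independent definitions, an arithmetic one for `__ASSEMBLY__` (a 4 MiB-aligned value derived from `LOAD_PHYSICAL_ADDR`) and a linker symbol `KERNEL_TEXT_OFFSET[]` for C. Nothing in this hunk ties the two together, so a change to one (or to `LOAD_PHYSICAL_ADDR`) silently desynchronises them; either derive the linker-script value from the same expression or add a boot-time `BUG_ON((unsigned long)KERNEL_TEXT_OFFSET != <the assembly expression>)`. The `#include <asm/boot.h>` added in the first hunk of this file exists to supply `LOAD_PHYSICAL_ADDR` here and deserves a comment saying so.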
62492 -@@ -197,6 +209,10 @@ extern int page_is_ram(unsigned long pag
62493 - ((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
62494 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
62495 -
62496 -+#ifdef CONFIG_PAX_PAGEEXEC
62497 -+#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
62498 -+#endif
62499 -+
62500 - #include <asm-generic/memory_model.h>
62501 - #include <asm-generic/page.h>
62502 -
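Review bot: `#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1` defines a `CONFIG_` symbol from a header instead of Kconfig. It will not appear in `.config` or `autoconf.h`, Makefiles cannot see it, and a C file that tests it without including asm/page.h gets a different answer; use a Kconfig `select ARCH_TRACK_EXEC_LIMIT` under the PAGEEXEC option, or rename it to a non-`CONFIG_` symbol so it is obvious that it is a header-local define.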
62503 -diff -Nurp linux-2.6.23.15/include/asm-i386/paravirt.h linux-2.6.23.15-grsec/include/asm-i386/paravirt.h
62504 ---- linux-2.6.23.15/include/asm-i386/paravirt.h 2007-10-09 21:31:38.000000000 +0100
62505 -+++ linux-2.6.23.15-grsec/include/asm-i386/paravirt.h 2008-02-11 10:37:44.000000000 +0000
62506 -@@ -1057,23 +1057,23 @@ static inline unsigned long __raw_local_
62507 -
62508 - #define INTERRUPT_RETURN \
62509 - PARA_SITE(PARA_PATCH(PARAVIRT_iret), CLBR_NONE, \
62510 -- jmp *%cs:paravirt_ops+PARAVIRT_iret)
62511 -+ jmp *%ss:paravirt_ops+PARAVIRT_iret)
62512 -
62513 - #define DISABLE_INTERRUPTS(clobbers) \
62514 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_disable), clobbers, \
62515 - pushl %eax; pushl %ecx; pushl %edx; \
62516 -- call *%cs:paravirt_ops+PARAVIRT_irq_disable; \
62517 -+ call *%ss:paravirt_ops+PARAVIRT_irq_disable; \
62518 - popl %edx; popl %ecx; popl %eax) \
62519 -
62520 - #define ENABLE_INTERRUPTS(clobbers) \
62521 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable), clobbers, \
62522 - pushl %eax; pushl %ecx; pushl %edx; \
62523 -- call *%cs:paravirt_ops+PARAVIRT_irq_enable; \
62524 -+ call *%ss:paravirt_ops+PARAVIRT_irq_enable; \
62525 - popl %edx; popl %ecx; popl %eax)
62526 -
62527 - #define ENABLE_INTERRUPTS_SYSEXIT \
62528 - PARA_SITE(PARA_PATCH(PARAVIRT_irq_enable_sysexit), CLBR_NONE, \
62529 -- jmp *%cs:paravirt_ops+PARAVIRT_irq_enable_sysexit)
62530 -+ jmp *%ss:paravirt_ops+PARAVIRT_irq_enable_sysexit)
62531 -
62532 - #define GET_CR0_INTO_EAX \
62533 - push %ecx; push %edx; \
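Review bot: same `%cs:` to `%ss:` change as in apm.h, here for the indirect calls and jumps through the `paravirt_ops` table, which is data and so is what a reduced-limit kernel CS breaks. The hunk ends at `GET_CR0_INTO_EAX`, so the paravirt counterparts of the `GET_CR0_INTO_EDX` / `SET_CR0_FROM_EDX` macros introduced in irqflags.h are not shown; they must exist for CONFIG_PARAVIRT builds. The extra segment-override byte also lengthens each `PARA_SITE` region, which is harmless only as long as the native replacement sequences still fit; worth a sentence in the commit message.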
62534 -diff -Nurp linux-2.6.23.15/include/asm-i386/percpu.h linux-2.6.23.15-grsec/include/asm-i386/percpu.h
62535 ---- linux-2.6.23.15/include/asm-i386/percpu.h 2007-10-09 21:31:38.000000000 +0100
62536 -+++ linux-2.6.23.15-grsec/include/asm-i386/percpu.h 2008-02-11 10:37:44.000000000 +0000
62537 -@@ -22,7 +22,7 @@
62538 - #define PER_CPU_VAR(var) %fs:per_cpu__##var
62539 - #else /* ! SMP */
62540 - #define PER_CPU(var, reg) \
62541 -- movl $per_cpu__##var, reg
62542 -+ movl per_cpu__##var, reg
62543 - #define PER_CPU_VAR(var) per_cpu__##var
62544 - #endif /* SMP */
62545 -
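Review bot: for UP, `PER_CPU(var, reg)` changes from `movl $per_cpu__var, reg` (load the symbol's address) to `movl per_cpu__var, reg` (load the 32-bit value stored at the symbol). That is a change of contract, not a relocation fix: every assembly user of the UP macro now receives the variable's contents instead of a pointer to it, so either all callers were adapted (not visible in this diff) or the macro is now inconsistent with what callers expect. Add a comment stating what `reg` holds after the macro on each configuration.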
62546 -@@ -42,12 +42,12 @@
62547 - */
62548 - #ifdef CONFIG_SMP
62549 - /* Same as generic implementation except for optimized local access. */
62550 --#define __GENERIC_PER_CPU
62551 -
62552 - /* This is used for other cpus to find our section. */
62553 - extern unsigned long __per_cpu_offset[];
62554 -+extern void setup_per_cpu_areas(void);
62555 -
62556 --#define per_cpu_offset(x) (__per_cpu_offset[x])
62557 -+#define per_cpu_offset(x) (__per_cpu_offset[x] - (unsigned long)__per_cpu_start)
62558 -
62559 - /* Separate out the type, so (int[3], foo) works. */
62560 - #define DECLARE_PER_CPU(type, name) extern __typeof__(type) per_cpu__##name
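Review bot: `per_cpu_offset(x)` now references `__per_cpu_start`, which is not declared in this header (it is a linker symbol, normally declared in asm-generic/sections.h); add the include or an `extern char __per_cpu_start[];` so the macro does not depend on what the including file happened to pull in first. Dropping `#define __GENERIC_PER_CPU` disables the generic `__per_cpu_offset[]` definition and `setup_per_cpu_areas()` in init/main.c, and the new `extern void setup_per_cpu_areas(void);` implies an arch implementation that is not in this diff; confirm it defines and exports `__per_cpu_offset`.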
62561 -@@ -64,11 +64,11 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
62562 -
62563 - /* var is in discarded region: offset to particular copy we want */
62564 - #define per_cpu(var, cpu) (*({ \
62565 -- extern int simple_indentifier_##var(void); \
62566 -+ extern int simple_identifier_##var(void); \
62567 - RELOC_HIDE(&per_cpu__##var, __per_cpu_offset[cpu]); }))
62568 -
62569 - #define __raw_get_cpu_var(var) (*({ \
62570 -- extern int simple_indentifier_##var(void); \
62571 -+ extern int simple_identifier_##var(void); \
62572 - RELOC_HIDE(&per_cpu__##var, x86_read_percpu(this_cpu_off)); \
62573 - }))
62574 -
62575 -@@ -79,7 +79,7 @@ DECLARE_PER_CPU(unsigned long, this_cpu_
62576 - do { \
62577 - unsigned int __i; \
62578 - for_each_possible_cpu(__i) \
62579 -- memcpy((pcpudst)+__per_cpu_offset[__i], \
62580 -+ memcpy((pcpudst)+per_cpu_offset(__i), \
62581 - (src), (size)); \
62582 - } while (0)
62583 -
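Review bot: `percpu_modcopy` now uses `per_cpu_offset(__i)` (offset minus `__per_cpu_start`) while `per_cpu()` / `__raw_get_cpu_var()` in the hunk above keep adding raw `__per_cpu_offset[cpu]`. If that is deliberate, because `pcpudst` is an absolute address inside the module's percpu block whereas `&per_cpu__var` is already section-relative, say so in a comment at both sites; as written the two conventions look contradictory and the next reader will "fix" one of them.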
62584 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgalloc.h linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h
62585 ---- linux-2.6.23.15/include/asm-i386/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
62586 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgalloc.h 2008-02-11 10:37:44.000000000 +0000
62587 -@@ -15,11 +15,19 @@
62588 - #define paravirt_release_pd(pfn) do { } while (0)
62589 - #endif
62590 -
62591 -+#ifdef CONFIG_COMPAT_VDSO
62592 - #define pmd_populate_kernel(mm, pmd, pte) \
62593 - do { \
62594 - paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
62595 - set_pmd(pmd, __pmd(_PAGE_TABLE + __pa(pte))); \
62596 - } while (0)
62597 -+#else
62598 -+#define pmd_populate_kernel(mm, pmd, pte) \
62599 -+do { \
62600 -+ paravirt_alloc_pt(mm, __pa(pte) >> PAGE_SHIFT); \
62601 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE + __pa(pte))); \
62602 -+} while (0)
62603 -+#endif
62604 -
62605 - #define pmd_populate(mm, pmd, pte) \
62606 - do { \
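Review bot: the two `pmd_populate_kernel` bodies differ only in `_PAGE_TABLE` versus `_KERNPG_TABLE`; define the flag once under the `#ifdef CONFIG_COMPAT_VDSO` and keep a single macro body. Add the security reason as a comment too: `_KERNPG_TABLE` drops `_PAGE_USER`, so kernel-populated page tables are never reachable from user mode, and the COMPAT_VDSO exception presumably exists only because the compat vDSO lives at a fixed kernel-mapped address that user mode must still be able to execute.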
62607 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-2level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h
62608 ---- linux-2.6.23.15/include/asm-i386/pgtable-2level.h 2007-10-09 21:31:38.000000000 +0100
62609 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-2level.h 2008-02-11 10:37:44.000000000 +0000
62610 -@@ -22,7 +22,19 @@ static inline void native_set_pte_at(str
62611 - }
62612 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
62613 - {
62614 -+
62615 -+#ifdef CONFIG_PAX_KERNEXEC
62616 -+ unsigned long cr0;
62617 -+
62618 -+ pax_open_kernel(cr0);
62619 -+#endif
62620 -+
62621 - *pmdp = pmd;
62622 -+
62623 -+#ifdef CONFIG_PAX_KERNEXEC
62624 -+ pax_close_kernel(cr0);
62625 -+#endif
62626 -+
62627 - }
62628 - #ifndef CONFIG_PARAVIRT
62629 - #define set_pte(pteptr, pteval) native_set_pte(pteptr, pteval)
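Review bot: the `pax_open_kernel(cr0)` / `pax_close_kernel(cr0)` pair around `*pmdp = pmd` is repeated four times in this patch (here, twice in pgtable-3level.h, and in `clone_pgd_range` in pgtable.h); a helper such as a `pax_kernel_write(ptr, val)` macro or a pair of static inlines would keep the CR0.WP window to one audited site. Whatever runs between open and close executes with CR0.WP clear and preemption disabled, so it must never sleep or take a sleeping lock; a single store is fine, but the helper's comment should say so. The blank line right after `{` and the empty line before `}` are noise.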
62630 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable-3level.h linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h
62631 ---- linux-2.6.23.15/include/asm-i386/pgtable-3level.h 2007-10-09 21:31:38.000000000 +0100
62632 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable-3level.h 2008-02-11 10:37:44.000000000 +0000
62633 -@@ -67,11 +67,35 @@ static inline void native_set_pte_atomic
62634 - }
62635 - static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
62636 - {
62637 -+
62638 -+#ifdef CONFIG_PAX_KERNEXEC
62639 -+ unsigned long cr0;
62640 -+
62641 -+ pax_open_kernel(cr0);
62642 -+#endif
62643 -+
62644 - set_64bit((unsigned long long *)(pmdp),native_pmd_val(pmd));
62645 -+
62646 -+#ifdef CONFIG_PAX_KERNEXEC
62647 -+ pax_close_kernel(cr0);
62648 -+#endif
62649 -+
62650 - }
62651 - static inline void native_set_pud(pud_t *pudp, pud_t pud)
62652 - {
62653 -+
62654 -+#ifdef CONFIG_PAX_KERNEXEC
62655 -+ unsigned long cr0;
62656 -+
62657 -+ pax_open_kernel(cr0);
62658 -+#endif
62659 -+
62660 - *pudp = pud;
62661 -+
62662 -+#ifdef CONFIG_PAX_KERNEXEC
62663 -+ pax_close_kernel(cr0);
62664 -+#endif
62665 -+
62666 - }
62667 -
62668 - /*
62669 -diff -Nurp linux-2.6.23.15/include/asm-i386/pgtable.h linux-2.6.23.15-grsec/include/asm-i386/pgtable.h
62670 ---- linux-2.6.23.15/include/asm-i386/pgtable.h 2007-10-09 21:31:38.000000000 +0100
62671 -+++ linux-2.6.23.15-grsec/include/asm-i386/pgtable.h 2008-02-11 10:37:44.000000000 +0000
62672 -@@ -34,7 +34,6 @@ struct vm_area_struct;
62673 - */
62674 - #define ZERO_PAGE(vaddr) (virt_to_page(empty_zero_page))
62675 - extern unsigned long empty_zero_page[1024];
62676 --extern pgd_t swapper_pg_dir[1024];
62677 - extern struct kmem_cache *pmd_cache;
62678 - extern spinlock_t pgd_lock;
62679 - extern struct page *pgd_list;
62680 -@@ -58,6 +57,11 @@ void paging_init(void);
62681 - # include <asm/pgtable-2level-defs.h>
62682 - #endif
62683 -
62684 -+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
62685 -+#ifdef CONFIG_X86_PAE
62686 -+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
62687 -+#endif
62688 -+
62689 - #define PGDIR_SIZE (1UL << PGDIR_SHIFT)
62690 - #define PGDIR_MASK (~(PGDIR_SIZE-1))
62691 -
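Review bot: re-declaring `swapper_pg_dir` after the `pgtable-{2,3}level-defs.h` include is required because `PTRS_PER_PGD` is only defined there, which explains the removal in the previous hunk; put that in a comment so the move is not undone. The new PAE-only `swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD]` is a statically sized boot page-middle-directory array; its definition and the place that links it into `swapper_pg_dir` are not in this diff, so note where they live.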
62692 -@@ -67,9 +71,11 @@ void paging_init(void);
62693 - #define USER_PGD_PTRS (PAGE_OFFSET >> PGDIR_SHIFT)
62694 - #define KERNEL_PGD_PTRS (PTRS_PER_PGD-USER_PGD_PTRS)
62695 -
62696 -+#ifndef CONFIG_X86_PAE
62697 - #define TWOLEVEL_PGDIR_SHIFT 22
62698 - #define BOOT_USER_PGD_PTRS (__PAGE_OFFSET >> TWOLEVEL_PGDIR_SHIFT)
62699 - #define BOOT_KERNEL_PGD_PTRS (1024-BOOT_USER_PGD_PTRS)
62700 -+#endif
62701 -
62702 - /* Just any arbitrary offset to the start of the vmalloc VM area: the
62703 - * current 8MB value just means that there will be a 8MB "hole" after the
62704 -@@ -136,7 +142,7 @@ void paging_init(void);
62705 - #define PAGE_NONE \
62706 - __pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
62707 - #define PAGE_SHARED \
62708 -- __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
62709 -+ __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
62710 -
62711 - #define PAGE_SHARED_EXEC \
62712 - __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
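Review bot: adding `_PAGE_NX` to `PAGE_SHARED` while leaving `PAGE_SHARED_EXEC` alone is the right split (writable shared mappings without PROT_EXEC become non-executable on NX-capable PAE hardware). On non-PAE builds `_PAGE_NX` expands to 0 and this is a no-op, so a comment that non-PAE protection for these mappings comes from the segment-based SEGMEXEC/PAGEEXEC emulation elsewhere in the patch would save the next reader from assuming non-PAE is covered here.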
62713 -@@ -202,7 +208,7 @@ extern unsigned long long __PAGE_KERNEL,
62714 - #undef TEST_ACCESS_OK
62715 -
62716 - /* The boot page tables (all created as a single array) */
62717 --extern unsigned long pg0[];
62718 -+extern pte_t pg0[];
62719 -
62720 - #define pte_present(x) ((x).pte_low & (_PAGE_PRESENT | _PAGE_PROTNONE))
62721 -
62722 -@@ -218,30 +224,55 @@ extern unsigned long pg0[];
62723 - * The following only work if pte_present() is true.
62724 - * Undefined behaviour if not..
62725 - */
62726 -+static inline int pte_user(pte_t pte) { return (pte).pte_low & _PAGE_USER; }
62727 - static inline int pte_dirty(pte_t pte) { return (pte).pte_low & _PAGE_DIRTY; }
62728 - static inline int pte_young(pte_t pte) { return (pte).pte_low & _PAGE_ACCESSED; }
62729 - static inline int pte_write(pte_t pte) { return (pte).pte_low & _PAGE_RW; }
62730 - static inline int pte_huge(pte_t pte) { return (pte).pte_low & _PAGE_PSE; }
62731 -
62732 -+#ifdef CONFIG_X86_PAE
62733 -+# include <asm/pgtable-3level.h>
62734 -+#else
62735 -+# include <asm/pgtable-2level.h>
62736 -+#endif
62737 -+
62738 - /*
62739 - * The following only works if pte_present() is not true.
62740 - */
62741 - static inline int pte_file(pte_t pte) { return (pte).pte_low & _PAGE_FILE; }
62742 -
62743 -+static inline pte_t pte_exprotect(pte_t pte)
62744 -+{
62745 -+#ifdef CONFIG_X86_PAE
62746 -+ if (__supported_pte_mask & _PAGE_NX)
62747 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_NX));
62748 -+ else
62749 -+#endif
62750 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_USER));
62751 -+ return pte;
62752 -+}
62753 -+
62754 - static inline pte_t pte_mkclean(pte_t pte) { (pte).pte_low &= ~_PAGE_DIRTY; return pte; }
62755 - static inline pte_t pte_mkold(pte_t pte) { (pte).pte_low &= ~_PAGE_ACCESSED; return pte; }
62756 - static inline pte_t pte_wrprotect(pte_t pte) { (pte).pte_low &= ~_PAGE_RW; return pte; }
62757 -+static inline pte_t pte_mkread(pte_t pte) { (pte).pte_low |= _PAGE_USER; return pte; }
62758 -+
62759 -+static inline pte_t pte_mkexec(pte_t pte)
62760 -+{
62761 -+#ifdef CONFIG_X86_PAE
62762 -+ if (__supported_pte_mask & _PAGE_NX)
62763 -+ set_pte(&pte, __pte(pte_val(pte) & ~_PAGE_NX));
62764 -+ else
62765 -+#endif
62766 -+ set_pte(&pte, __pte(pte_val(pte) | _PAGE_USER));
62767 -+ return pte;
62768 -+}
62769 -+
62770 - static inline pte_t pte_mkdirty(pte_t pte) { (pte).pte_low |= _PAGE_DIRTY; return pte; }
62771 - static inline pte_t pte_mkyoung(pte_t pte) { (pte).pte_low |= _PAGE_ACCESSED; return pte; }
62772 - static inline pte_t pte_mkwrite(pte_t pte) { (pte).pte_low |= _PAGE_RW; return pte; }
62773 - static inline pte_t pte_mkhuge(pte_t pte) { (pte).pte_low |= _PAGE_PSE; return pte; }
62774 -
62775 --#ifdef CONFIG_X86_PAE
62776 --# include <asm/pgtable-3level.h>
62777 --#else
62778 --# include <asm/pgtable-2level.h>
62779 --#endif
62780 --
62781 - #ifndef CONFIG_PARAVIRT
62782 - /*
62783 - * Rules for using pte_update - it must be called after any PTE update which
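Review bot: `pte_exprotect()` and `pte_mkexec()` call `set_pte(&pte, ...)` on a stack-local `pte_t`; under CONFIG_PARAVIRT `set_pte` goes through `paravirt_ops`, which is wasteful and wrong for any backend that treats the target as a live page-table entry. A plain `pte = __pte(pte_val(pte) | _PAGE_NX);` matches the neighbouring one-liners and avoids that. The non-NX fallback clears `_PAGE_USER` so that user access faults, and the new `pte_mkread()` sets `_PAGE_USER` again, which silently undoes `pte_exprotect()` on such hardware; document that the two must not be combined on the same PTE. Moving the `pgtable-2level.h`/`pgtable-3level.h` include up is needed for `__pte`/`pte_val`; say so in the comment.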
62784 -@@ -353,7 +384,19 @@ static inline void ptep_set_wrprotect(st
62785 - */
62786 - static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
62787 - {
62788 -- memcpy(dst, src, count * sizeof(pgd_t));
62789 -+
62790 -+#ifdef CONFIG_PAX_KERNEXEC
62791 -+ unsigned long cr0;
62792 -+
62793 -+ pax_open_kernel(cr0);
62794 -+#endif
62795 -+
62796 -+ memcpy(dst, src, count * sizeof(pgd_t));
62797 -+
62798 -+#ifdef CONFIG_PAX_KERNEXEC
62799 -+ pax_close_kernel(cr0);
62800 -+#endif
62801 -+
62802 - }
62803 -
62804 - /*
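Review bot: `memcpy(dst, src, count * sizeof(pgd_t))` now runs inside the CR0.WP-cleared, preemption-disabled window; `count` is bounded by the pgd size, so the window is short, but the shared-helper suggestion made for `native_set_pmd` applies here too. The `memcpy` line is removed and re-added unchanged only to wrap it in blank lines and `#ifdef` blocks; dropping the cosmetic blank line after `{` would shrink the hunk to the actual change.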
62805 -@@ -500,6 +543,9 @@ static inline void paravirt_pagetable_se
62806 -
62807 - #endif /* !__ASSEMBLY__ */
62808 -
62809 -+#define HAVE_ARCH_UNMAPPED_AREA
62810 -+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
62811 -+
62812 - #ifdef CONFIG_FLATMEM
62813 - #define kern_addr_valid(addr) (1)
62814 - #endif /* CONFIG_FLATMEM */
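Review bot: defining `HAVE_ARCH_UNMAPPED_AREA` and `HAVE_ARCH_UNMAPPED_AREA_TOPDOWN` commits the arch to providing `arch_get_unmapped_area()` and `arch_get_unmapped_area_topdown()`, which are not in this diff; a comment here naming the file that implements them (and that they are where the SEGMEXEC address-space limit and randomisation are applied) would help reviewers find them.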
62815 -diff -Nurp linux-2.6.23.15/include/asm-i386/processor.h linux-2.6.23.15-grsec/include/asm-i386/processor.h
62816 ---- linux-2.6.23.15/include/asm-i386/processor.h 2007-10-09 21:31:38.000000000 +0100
62817 -+++ linux-2.6.23.15-grsec/include/asm-i386/processor.h 2008-02-11 10:37:44.000000000 +0000
62818 -@@ -99,8 +99,6 @@ struct cpuinfo_x86 {
62819 -
62820 - extern struct cpuinfo_x86 boot_cpu_data;
62821 - extern struct cpuinfo_x86 new_cpu_data;
62822 --extern struct tss_struct doublefault_tss;
62823 --DECLARE_PER_CPU(struct tss_struct, init_tss);
62824 -
62825 - #ifdef CONFIG_SMP
62826 - extern struct cpuinfo_x86 cpu_data[];
62827 -@@ -209,11 +207,19 @@ extern int bootloader_type;
62828 - */
62829 - #define TASK_SIZE (PAGE_OFFSET)
62830 -
62831 -+#ifdef CONFIG_PAX_SEGMEXEC
62832 -+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
62833 -+#endif
62834 -+
62835 - /* This decides where the kernel will search for a free chunk of vm
62836 - * space during mmap's.
62837 - */
62838 - #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
62839 -
62840 -+#ifdef CONFIG_PAX_SEGMEXEC
62841 -+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
62842 -+#endif
62843 -+
62844 - #define HAVE_ARCH_PICK_MMAP_LAYOUT
62845 -
62846 - extern void hard_disable_TSC(void);
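Review bot: `SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)` and the derived `SEGMEXEC_TASK_UNMAPPED_BASE` halve the user address space for SEGMEXEC tasks; that is the cost of the segmentation-based NX emulation, which uses the upper half as the executable mirror of the lower half, and it should be stated in a comment here, since it is the first thing an administrator notices when a large-memory process fails to map. Every place that uses `TASK_SIZE` / `TASK_UNMAPPED_BASE` for limit checks must select the SEGMEXEC variant for flagged tasks; those sites are not in this hunk.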
62847 -@@ -338,6 +344,9 @@ struct tss_struct {
62848 -
62849 - #define ARCH_MIN_TASKALIGN 16
62850 -
62851 -+extern struct tss_struct doublefault_tss;
62852 -+extern struct tss_struct init_tss[NR_CPUS];
62853 -+
62854 - struct thread_struct {
62855 - /* cached TLS descriptors. */
62856 - struct desc_struct tls_array[GDT_ENTRY_TLS_ENTRIES];
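Review bot: `init_tss` changes from `DECLARE_PER_CPU(struct tss_struct, init_tss)` (removed in the first hunk of this file) to a plain `extern struct tss_struct init_tss[NR_CPUS]`. Every `per_cpu(init_tss, cpu)` / `__get_cpu_var(init_tss)` user must become `init_tss[cpu]` and the definition must be an array too; none of that is in this diff. The move past `struct tss_struct` is needed for `init_tss` (an array of an incomplete struct type cannot be declared), but `doublefault_tss` could have stayed where it was to keep the hunk minimal.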
62857 -@@ -366,7 +375,7 @@ struct thread_struct {
62858 - };
62859 -
62860 - #define INIT_THREAD { \
62861 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
62862 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
62863 - .vm86_info = NULL, \
62864 - .sysenter_cs = __KERNEL_CS, \
62865 - .io_bitmap_ptr = NULL, \
62866 -@@ -381,7 +390,7 @@ struct thread_struct {
62867 - */
62868 - #define INIT_TSS { \
62869 - .x86_tss = { \
62870 -- .esp0 = sizeof(init_stack) + (long)&init_stack, \
62871 -+ .esp0 = sizeof(init_stack) + (long)&init_stack - 8, \
62872 - .ss0 = __KERNEL_DS, \
62873 - .ss1 = __KERNEL_CS, \
62874 - .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
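Review bot: both `INIT_THREAD.esp0` and `INIT_TSS.x86_tss.esp0` now reserve 8 bytes below the stack top at initialisation, which is what lets `KSTK_TOP` / `task_pt_regs` in the later hunks read `esp0` directly instead of computing `stack top - 8`. That makes "esp0 always points 8 bytes below the top of the ring-0 stack" a global invariant: every other place that assigns `thread.esp0` (copy_thread, the TSS update on context switch) must apply the same -8, or `task_pt_regs()` returns a shifted `pt_regs`. Add a comment next to each -8 naming the invariant and pointing at the existing "-8" comment below `KSTK_TOP`.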
62875 -@@ -422,11 +431,7 @@ void show_trace(struct task_struct *task
62876 - unsigned long get_wchan(struct task_struct *p);
62877 -
62878 - #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
62879 --#define KSTK_TOP(info) \
62880 --({ \
62881 -- unsigned long *__ptr = (unsigned long *)(info); \
62882 -- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
62883 --})
62884 -+#define KSTK_TOP(info) ((info)->task.thread.esp0)
62885 -
62886 - /*
62887 - * The below -8 is to reserve 8 bytes on top of the ring0 stack.
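Review bot: `#define KSTK_TOP(info) ((info)->task.thread.esp0)` applies `.` to `thread_info::task`, which is a `struct task_struct *` in 2.6.23, so the macro does not compile for the `struct thread_info *` argument its name and previous definition imply. Since `task_pt_regs` in the next hunk stops using it, either fix it to `(info)->task->thread.esp0` and document the expected argument type, or delete the macro if it has no remaining users.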
62888 -@@ -441,7 +446,7 @@ unsigned long get_wchan(struct task_stru
62889 - #define task_pt_regs(task) \
62890 - ({ \
62891 - struct pt_regs *__regs__; \
62892 -- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
62893 -+ __regs__ = (struct pt_regs *)((task)->thread.esp0); \
62894 - __regs__ - 1; \
62895 - })
62896 -
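Review bot: `task_pt_regs(task)` now reads `(task)->thread.esp0` directly and drops the `-8`; that is correct only under the new invariant that `esp0` is initialised with the 8-byte reserve (INIT_THREAD / INIT_TSS hunks above). The context comment "The below -8 is to reserve 8 bytes on top of the ring0 stack" that precedes this macro now describes code that no longer contains a -8 and should be reworded to point at where the reserve is applied.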
62897 -@@ -603,8 +608,8 @@ static inline void cpuid(unsigned int op
62898 - }
62899 -
62900 - /* Some CPUID calls want 'count' to be placed in ecx */
62901 --static inline void cpuid_count(int op, int count, int *eax, int *ebx, int *ecx,
62902 -- int *edx)
62903 -+static inline void cpuid_count(unsigned int op, unsigned int count, unsigned int *eax, unsigned int *ebx, unsigned int *ecx,
62904 -+ unsigned int *edx)
62905 - {
62906 - *eax = op;
62907 - *ecx = count;
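Review bot: `unsigned int` is the right type for CPUID leaf, subleaf and the four output registers, but the signature change means every caller passing `int *` now gets pointer-signedness warnings; either convert the callers in the same patch or note that this is an intended warning sweep.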
62908 -diff -Nurp linux-2.6.23.15/include/asm-i386/ptrace.h linux-2.6.23.15-grsec/include/asm-i386/ptrace.h
62909 ---- linux-2.6.23.15/include/asm-i386/ptrace.h 2007-10-09 21:31:38.000000000 +0100
62910 -+++ linux-2.6.23.15-grsec/include/asm-i386/ptrace.h 2008-02-11 10:37:44.000000000 +0000
62911 -@@ -35,17 +35,18 @@ struct task_struct;
62912 - extern void send_sigtrap(struct task_struct *tsk, struct pt_regs *regs, int error_code);
62913 -
62914 - /*
62915 -- * user_mode_vm(regs) determines whether a register set came from user mode.
62916 -+ * user_mode(regs) determines whether a register set came from user mode.
62917 - * This is true if V8086 mode was enabled OR if the register set was from
62918 - * protected mode with RPL-3 CS value. This tricky test checks that with
62919 - * one comparison. Many places in the kernel can bypass this full check
62920 -- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
62921 -+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
62922 -+ * be used.
62923 - */
62924 --static inline int user_mode(struct pt_regs *regs)
62925 -+static inline int user_mode_novm(struct pt_regs *regs)
62926 - {
62927 - return (regs->xcs & SEGMENT_RPL_MASK) == USER_RPL;
62928 - }
62929 --static inline int user_mode_vm(struct pt_regs *regs)
62930 -+static inline int user_mode(struct pt_regs *regs)
62931 - {
62932 - return ((regs->xcs & SEGMENT_RPL_MASK) | (regs->eflags & VM_MASK)) >= USER_RPL;
62933 - }
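Review bot: swapping the names so that `user_mode()` is the full RPL-or-VM86 test and `user_mode_novm()` is the fast path is a good default-safe change (a caller that forgets V8086 mode now gets the complete check), but it is a silent behaviour change for every existing `user_mode()` caller and a compile break for every `user_mode_vm()` caller; the latter must be renamed tree-wide in the same patch. Do not add a `#define user_mode_vm user_mode` compatibility alias unless out-of-tree code must keep building unchanged; the compile error is the loud failure you want. The comment rewrite is consistent with the new names.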
62934 -diff -Nurp linux-2.6.23.15/include/asm-i386/reboot.h linux-2.6.23.15-grsec/include/asm-i386/reboot.h
62935 ---- linux-2.6.23.15/include/asm-i386/reboot.h 2007-10-09 21:31:38.000000000 +0100
62936 -+++ linux-2.6.23.15-grsec/include/asm-i386/reboot.h 2008-02-11 10:37:44.000000000 +0000
62937 -@@ -15,6 +15,6 @@ struct machine_ops
62938 -
62939 - extern struct machine_ops machine_ops;
62940 -
62941 --void machine_real_restart(unsigned char *code, int length);
62942 -+void machine_real_restart(const unsigned char *code, unsigned int length);
62943 -
62944 - #endif /* _ASM_REBOOT_H */
62945 -diff -Nurp linux-2.6.23.15/include/asm-i386/segment.h linux-2.6.23.15-grsec/include/asm-i386/segment.h
62946 ---- linux-2.6.23.15/include/asm-i386/segment.h 2007-10-09 21:31:38.000000000 +0100
62947 -+++ linux-2.6.23.15-grsec/include/asm-i386/segment.h 2008-02-11 10:37:44.000000000 +0000
62948 -@@ -81,6 +81,12 @@
62949 - #define __KERNEL_PERCPU 0
62950 - #endif
62951 -
62952 -+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 16)
62953 -+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
62954 -+
62955 -+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 17)
62956 -+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
62957 -+
62958 - #define GDT_ENTRY_DOUBLEFAULT_TSS 31
62959 -
62960 - /*
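Review bot: `GDT_ENTRY_PCIBIOS_CS/DS` at `GDT_ENTRY_KERNEL_BASE + 16/17` need a comment confirming they do not collide with existing entries: in 2.6.23 `GDT_ENTRY_ESPFIX_SS` and `GDT_ENTRY_PERCPU` sit at `+14` / `+15` and `GDT_ENTRY_DOUBLEFAULT_TSS` is 31, so 28 and 29 are free, but the GDT layout table at the top of this header (outside the hunk) must be updated to list them. Dedicated PCI BIOS code and data segments mean the BIOS is no longer called through the flat kernel segments, consistent with the reduced-limit `__KERNEL_CS` under KERNEXEC; say so where they are defined.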
62961 -@@ -140,9 +146,9 @@
62962 - #define SEGMENT_IS_KERNEL_CODE(x) (((x) & 0xfc) == GDT_ENTRY_KERNEL_CS * 8)
62963 -
62964 - /* Matches __KERNEL_CS and __USER_CS (they must be 2 entries apart) */
62965 --#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xec) == GDT_ENTRY_KERNEL_CS * 8)
62966 -+#define SEGMENT_IS_FLAT_CODE(x) (((x) & 0xFFFCU) == __KERNEL_CS || ((x) & 0xFFFCU) == __USER_CS)
62967 -
62968 - /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
62969 --#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
62970 -+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
62971 -
62972 - #endif
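Review bot: the rewritten `SEGMENT_IS_FLAT_CODE` / `SEGMENT_IS_PNP_CODE` mask only the RPL bits (`0xFFFCU`) and compare against each selector explicitly, so a selector with the same index but the TI (LDT) bit set no longer matches; that is a tightening and worth one line of comment. The context comments "they must be 2 entries apart" and "they must be consecutive" described the old bit-mask trick and are now stale; drop or reword them, since the explicit compare no longer depends on that spacing.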
62973 -diff -Nurp linux-2.6.23.15/include/asm-i386/system.h linux-2.6.23.15-grsec/include/asm-i386/system.h
62974 ---- linux-2.6.23.15/include/asm-i386/system.h 2008-02-11 10:36:03.000000000 +0000
62975 -+++ linux-2.6.23.15-grsec/include/asm-i386/system.h 2008-02-11 10:37:44.000000000 +0000
62976 -@@ -183,6 +183,21 @@ static inline void native_wbinvd(void)
62977 - /* Set the 'TS' bit */
62978 - #define stts() write_cr0(8 | read_cr0())
62979 -
62980 -+#define pax_open_kernel(cr0) \
62981 -+do { \
62982 -+ typecheck(unsigned long, cr0); \
62983 -+ preempt_disable(); \
62984 -+ cr0 = read_cr0(); \
62985 -+ write_cr0(cr0 & ~X86_CR0_WP); \
62986 -+} while (0)
62987 -+
62988 -+#define pax_close_kernel(cr0) \
62989 -+do { \
62990 -+ typecheck(unsigned long, cr0); \
62991 -+ write_cr0(cr0); \
62992 -+ preempt_enable_no_resched(); \
62993 -+} while (0)
62994 -+
62995 - #endif /* __KERNEL__ */
62996 -
62997 - static inline unsigned long get_limit(unsigned long segment)
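Review bot: `pax_open_kernel()` clears CR0.WP after `preempt_disable()` but does not disable interrupts, so an interrupt taken between open and close runs its handler with supervisor write protection off; if the entry/exit code saves and restores CR0 (the new `GET_CR0_INTO_EDX` / `SET_CR0_FROM_EDX` macros in irqflags.h suggest that is the plan), say so in a comment here, because that is the one fact a reviewer of any open/close user needs. `pax_close_kernel()` uses `preempt_enable_no_resched()`, which skips the preemption check; document why a reschedule point is unwanted right after restoring CR0, or use `preempt_enable()` if there is no reason.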
62998 -@@ -190,7 +205,7 @@ static inline unsigned long get_limit(un
62999 - unsigned long __limit;
63000 - __asm__("lsll %1,%0"
63001 - :"=r" (__limit):"r" (segment));
63002 -- return __limit+1;
63003 -+ return __limit;
63004 - }
63005 -
63006 - #define nop() __asm__ __volatile__ ("nop")
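Review bot: `get_limit()` changing from `__limit+1` (segment size) to `__limit` (the raw `lsl` result, i.e. the last valid offset) alters the return value for every caller; any bounds check written as `offset < get_limit(seg)` must become `<=`, and the callers are not in this hunk. Add a one-line comment stating the new convention ("returns the limit as reported by lsl, not the size") so the next reader does not reintroduce the +1.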
63007 -@@ -305,7 +320,7 @@ void enable_hlt(void);
63008 - extern int es7000_plat;
63009 - void cpu_idle_wait(void);
63010 -
63011 --extern unsigned long arch_align_stack(unsigned long sp);
63012 -+#define arch_align_stack(x) (x)
63013 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
63014 -
63015 - void default_idle(void);
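Review bot: `#define arch_align_stack(x) (x)` removes the upstream per-exec stack-top randomisation (`arch_align_stack()` subtracts a random offset of up to 8 KiB when `randomize_va_space` is set and then aligns to 16 bytes). If the intent is that PaX's own stack randomisation supersedes it, make the macro conditional on that option being selected, or at least say so in a comment; as written a build with PaX randomisation off silently loses the upstream randomisation as well, and the 16-byte alignment goes with it.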
63016 -diff -Nurp linux-2.6.23.15/include/asm-i386/uaccess.h linux-2.6.23.15-grsec/include/asm-i386/uaccess.h
63017 ---- linux-2.6.23.15/include/asm-i386/uaccess.h 2007-10-09 21:31:38.000000000 +0100
63018 -+++ linux-2.6.23.15-grsec/include/asm-i386/uaccess.h 2008-02-11 10:37:44.000000000 +0000
63019 -@@ -9,6 +9,7 @@
63020 - #include <linux/prefetch.h>
63021 - #include <linux/string.h>
63022 - #include <asm/page.h>
63023 -+#include <asm/segment.h>
63024 -
63025 - #define VERIFY_READ 0
63026 - #define VERIFY_WRITE 1
63027 -@@ -29,7 +30,8 @@
63028 -
63029 - #define get_ds() (KERNEL_DS)
63030 - #define get_fs() (current_thread_info()->addr_limit)
63031 --#define set_fs(x) (current_thread_info()->addr_limit = (x))
63032 -+void __set_fs(mm_segment_t x, int cpu);
63033 -+void set_fs(mm_segment_t x);
63034 -
63035 - #define segment_eq(a,b) ((a).seg == (b).seg)
63036 -
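Review bot: `set_fs()` changes from a macro that assigns `addr_limit` to an out-of-line `void set_fs(mm_segment_t)` plus `__set_fs(x, cpu)`; the extra `cpu` argument indicates the function now also reprograms a per-CPU segment descriptor (the UDEREF data-segment limit) and therefore must either run with preemption disabled or handle that itself. That contract is invisible from the header: add a comment stating whether `set_fs()` disables preemption internally and when a caller should use `__set_fs()` with an explicit cpu instead.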
63037 -@@ -101,6 +103,7 @@ struct exception_table_entry
63038 - };
63039 -
63040 - extern int fixup_exception(struct pt_regs *regs);
63041 -+#define ARCH_HAS_SORT_EXTABLE
63042 -
63043 - /*
63044 - * These are the main single-value transfer routines. They automatically
63045 -@@ -280,9 +283,12 @@ extern void __put_user_8(void);
63046 -
63047 - #define __put_user_u64(x, addr, err) \
63048 - __asm__ __volatile__( \
63049 -- "1: movl %%eax,0(%2)\n" \
63050 -- "2: movl %%edx,4(%2)\n" \
63051 -+ " movw %w5,%%ds\n" \
63052 -+ "1: movl %%eax,%%ds:0(%2)\n" \
63053 -+ "2: movl %%edx,%%ds:4(%2)\n" \
63054 - "3:\n" \
63055 -+ " pushl %%ss\n" \
63056 -+ " popl %%ds\n" \
63057 - ".section .fixup,\"ax\"\n" \
63058 - "4: movl %3,%0\n" \
63059 - " jmp 3b\n" \
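Review bot: the `%ds` switch around the two stores is undone on both the normal path and the fault path (label 4 jumps back to `3b`, which is now followed by `pushl %%ss / popl %%ds`), which is the property that matters; a comment is warranted because the restore-before-fixup ordering is easy to break when editing these templates. `%w5` refers to the `"r"(__USER_DS)` operand appended in the next hunk, so the two hunks must always land together.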
63060 -@@ -293,7 +299,8 @@ extern void __put_user_8(void);
63061 - " .long 2b,4b\n" \
63062 - ".previous" \
63063 - : "=r"(err) \
63064 -- : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err))
63065 -+ : "A" (x), "r" (addr), "i"(-EFAULT), "0"(err), \
63066 -+ "r"(__USER_DS))
63067 -
63068 - #ifdef CONFIG_X86_WP_WORKS_OK
63069 -
63070 -@@ -332,8 +339,11 @@ struct __large_struct { unsigned long bu
63071 - */
63072 - #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
63073 - __asm__ __volatile__( \
63074 -- "1: mov"itype" %"rtype"1,%2\n" \
63075 -+ " movw %w5,%%ds\n" \
63076 -+ "1: mov"itype" %"rtype"1,%%ds:%2\n" \
63077 - "2:\n" \
63078 -+ " pushl %%ss\n" \
63079 -+ " popl %%ds\n" \
63080 - ".section .fixup,\"ax\"\n" \
63081 - "3: movl %3,%0\n" \
63082 - " jmp 2b\n" \
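Review bot: same pattern as `__put_user_u64`: `movw %w5,%%ds` before the access and `pushl %%ss / popl %%ds` after label 2, so the fixup's `jmp 2b` also restores %ds. Since this template is shared by every `__put_user_*` size via `itype` / `rtype`, one comment above the macro explaining that operand `%5` must be the `__USER_DS` selector and that `%%ss` is assumed to be the flat kernel data segment would cover all instantiations. The exception-table entry still covers only label 1, which is correct: loading a constant, valid selector into %ds cannot fault.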
63083 -@@ -343,7 +353,8 @@ struct __large_struct { unsigned long bu
63084 - " .long 1b,3b\n" \
63085 - ".previous" \
63086 - : "=r"(err) \
63087 -- : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err))
63088 -+ : ltype (x), "m"(__m(addr)), "i"(errret), "0"(err), \
63089 -+ "r"(__USER_DS))
63090 -
63091 -
63092 - #define __get_user_nocheck(x,ptr,size) \
63093 -@@ -371,8 +382,11 @@ do { \
63094 -
63095 - #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
63096 - __asm__ __volatile__( \
63097 -- "1: mov"itype" %2,%"rtype"1\n" \
63098 -+ " movw %w5,%%ds\n" \
63099 -+ "1: mov"itype" %%ds:%2,%"rtype"1\n" \
63100 - "2:\n" \
63101 -+ " pushl %%ss\n" \
63102 -+ " popl %%ds\n" \
63103 - ".section .fixup,\"ax\"\n" \
63104 - "3: movl %3,%0\n" \
63105 - " xor"itype" %"rtype"1,%"rtype"1\n" \
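Review bot: The `movw %w5,%%ds` prologue and `pushl %%ss` / `popl %%ds` epilogue are now hand-copied into `__put_user_u64`, `__put_user_asm` and `__get_user_asm`; a pair of string macros for the segment load and restore would keep the three from drifting apart. For this macro the fixup at `3:` must also return to the `2:` that precedes the restore so `%ds` is restored on the fault path; the `jmp` itself is outside this hunk, so a comment at `2:` naming that requirement would help.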
63106 -@@ -383,7 +397,7 @@ do { \
63107 - " .long 1b,3b\n" \
63108 - ".previous" \
63109 - : "=r"(err), ltype (x) \
63110 -- : "m"(__m(addr)), "i"(errret), "0"(err))
63111 -+ : "m"(__m(addr)), "i"(errret), "0"(err), "r"(__USER_DS))
63112 -
63113 -
63114 - unsigned long __must_check __copy_to_user_ll(void __user *to,
63115 -diff -Nurp linux-2.6.23.15/include/asm-ia64/elf.h linux-2.6.23.15-grsec/include/asm-ia64/elf.h
63116 ---- linux-2.6.23.15/include/asm-ia64/elf.h 2007-10-09 21:31:38.000000000 +0100
63117 -+++ linux-2.6.23.15-grsec/include/asm-ia64/elf.h 2008-02-11 10:37:44.000000000 +0000
63118 -@@ -162,7 +162,12 @@ typedef elf_greg_t elf_gregset_t[ELF_NGR
63119 - typedef struct ia64_fpreg elf_fpreg_t;
63120 - typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
63121 -
63122 -+#ifdef CONFIG_PAX_ASLR
63123 -+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
63124 -
63125 -+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
63126 -+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
63127 -+#endif
63128 -
63129 - struct pt_regs; /* forward declaration... */
63130 - extern void ia64_elf_core_copy_regs (struct pt_regs *src, elf_gregset_t dst);
63131 -diff -Nurp linux-2.6.23.15/include/asm-ia64/kmap_types.h linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h
63132 ---- linux-2.6.23.15/include/asm-ia64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63133 -+++ linux-2.6.23.15-grsec/include/asm-ia64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63134 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63135 - D(10) KM_IRQ1,
63136 - D(11) KM_SOFTIRQ0,
63137 - D(12) KM_SOFTIRQ1,
63138 --D(13) KM_TYPE_NR
63139 -+D(13) KM_CLEARPAGE,
63140 -+D(14) KM_TYPE_NR
63141 - };
63142 -
63143 - #undef D
63144 -diff -Nurp linux-2.6.23.15/include/asm-ia64/pgtable.h linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h
63145 ---- linux-2.6.23.15/include/asm-ia64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63146 -+++ linux-2.6.23.15-grsec/include/asm-ia64/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63147 -@@ -143,6 +143,17 @@
63148 - #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63149 - #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63150 - #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
63151 -+
63152 -+#ifdef CONFIG_PAX_PAGEEXEC
63153 -+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
63154 -+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63155 -+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
63156 -+#else
63157 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63158 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63159 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63160 -+#endif
63161 -+
63162 - #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
63163 - #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
63164 - #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
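Review bot: Under `CONFIG_PAX_PAGEEXEC` the new `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to `__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`, which is bit-for-bit the same as the unchanged `PAGE_READONLY` and `PAGE_COPY` three lines above, so the `#ifdef` only changes anything for `PAGE_SHARED_NOEXEC`. Either define the two read-only variants as plain aliases in both branches or add a comment explaining why they are spelled out separately.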
63165 -diff -Nurp linux-2.6.23.15/include/asm-ia64/processor.h linux-2.6.23.15-grsec/include/asm-ia64/processor.h
63166 ---- linux-2.6.23.15/include/asm-ia64/processor.h 2007-10-09 21:31:38.000000000 +0100
63167 -+++ linux-2.6.23.15-grsec/include/asm-ia64/processor.h 2008-02-11 10:37:44.000000000 +0000
63168 -@@ -275,7 +275,7 @@ struct thread_struct {
63169 - .on_ustack = 0, \
63170 - .ksp = 0, \
63171 - .map_base = DEFAULT_MAP_BASE, \
63172 -- .rbs_bot = STACK_TOP - DEFAULT_USER_STACK_SIZE, \
63173 -+ .rbs_bot = __STACK_TOP - DEFAULT_USER_STACK_SIZE, \
63174 - .task_size = DEFAULT_TASK_SIZE, \
63175 - .last_fph_cpu = -1, \
63176 - INIT_THREAD_IA32 \
63177 -diff -Nurp linux-2.6.23.15/include/asm-ia64/ustack.h linux-2.6.23.15-grsec/include/asm-ia64/ustack.h
63178 ---- linux-2.6.23.15/include/asm-ia64/ustack.h 2007-10-09 21:31:38.000000000 +0100
63179 -+++ linux-2.6.23.15-grsec/include/asm-ia64/ustack.h 2008-02-11 10:37:44.000000000 +0000
63180 -@@ -10,8 +10,8 @@
63181 -
63182 - /* The absolute hard limit for stack size is 1/2 of the mappable space in the region */
63183 - #define MAX_USER_STACK_SIZE (RGN_MAP_LIMIT/2)
63184 --#define STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
63185 --#define STACK_TOP_MAX STACK_TOP
63186 -+#define __STACK_TOP (0x6000000000000000UL + RGN_MAP_LIMIT)
63187 -+#define STACK_TOP_MAX __STACK_TOP
63188 - #endif
63189 -
63190 - /* Make a default stack size of 2GiB */
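Review bot: Renaming `STACK_TOP` to `__STACK_TOP` here (and in `processor.h` just above, where `.rbs_bot` now uses `__STACK_TOP`) only works if some generic header now supplies a `STACK_TOP` built on top of `__STACK_TOP`; that definition is not in this hunk, so the reviewer should confirm it exists and that every remaining `STACK_TOP` user in `include/` means the per-process value rather than the fixed constant. A comment next to `__STACK_TOP` saying "fixed top, see STACK_TOP for the per-process value" would document the split.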
63191 -diff -Nurp linux-2.6.23.15/include/asm-m32r/kmap_types.h linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h
63192 ---- linux-2.6.23.15/include/asm-m32r/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63193 -+++ linux-2.6.23.15-grsec/include/asm-m32r/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63194 -@@ -21,7 +21,8 @@ D(9) KM_IRQ0,
63195 - D(10) KM_IRQ1,
63196 - D(11) KM_SOFTIRQ0,
63197 - D(12) KM_SOFTIRQ1,
63198 --D(13) KM_TYPE_NR
63199 -+D(13) KM_CLEARPAGE,
63200 -+D(14) KM_TYPE_NR
63201 - };
63202 -
63203 - #undef D
63204 -diff -Nurp linux-2.6.23.15/include/asm-m68k/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h
63205 ---- linux-2.6.23.15/include/asm-m68k/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63206 -+++ linux-2.6.23.15-grsec/include/asm-m68k/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63207 -@@ -15,6 +15,7 @@ enum km_type {
63208 - KM_IRQ1,
63209 - KM_SOFTIRQ0,
63210 - KM_SOFTIRQ1,
63211 -+ KM_CLEARPAGE,
63212 - KM_TYPE_NR
63213 - };
63214 -
63215 -diff -Nurp linux-2.6.23.15/include/asm-m68knommu/kmap_types.h linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h
63216 ---- linux-2.6.23.15/include/asm-m68knommu/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63217 -+++ linux-2.6.23.15-grsec/include/asm-m68knommu/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63218 -@@ -15,6 +15,7 @@ enum km_type {
63219 - KM_IRQ1,
63220 - KM_SOFTIRQ0,
63221 - KM_SOFTIRQ1,
63222 -+ KM_CLEARPAGE,
63223 - KM_TYPE_NR
63224 - };
63225 -
63226 -diff -Nurp linux-2.6.23.15/include/asm-mips/a.out.h linux-2.6.23.15-grsec/include/asm-mips/a.out.h
63227 ---- linux-2.6.23.15/include/asm-mips/a.out.h 2007-10-09 21:31:38.000000000 +0100
63228 -+++ linux-2.6.23.15-grsec/include/asm-mips/a.out.h 2008-02-11 10:37:44.000000000 +0000
63229 -@@ -35,10 +35,10 @@ struct exec
63230 - #ifdef __KERNEL__
63231 -
63232 - #ifdef CONFIG_32BIT
63233 --#define STACK_TOP TASK_SIZE
63234 -+#define __STACK_TOP TASK_SIZE
63235 - #endif
63236 - #ifdef CONFIG_64BIT
63237 --#define STACK_TOP \
63238 -+#define __STACK_TOP \
63239 - (test_thread_flag(TIF_32BIT_ADDR) ? TASK_SIZE32 : TASK_SIZE)
63240 - #endif
63241 - #define STACK_TOP_MAX TASK_SIZE
63242 -diff -Nurp linux-2.6.23.15/include/asm-mips/elf.h linux-2.6.23.15-grsec/include/asm-mips/elf.h
63243 ---- linux-2.6.23.15/include/asm-mips/elf.h 2007-10-09 21:31:38.000000000 +0100
63244 -+++ linux-2.6.23.15-grsec/include/asm-mips/elf.h 2008-02-11 10:37:44.000000000 +0000
63245 -@@ -372,4 +372,11 @@ extern int dump_task_fpu(struct task_str
63246 - #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
63247 - #endif
63248 -
63249 -+#ifdef CONFIG_PAX_ASLR
63250 -+#define PAX_ELF_ET_DYN_BASE ((current->thread.mflags & MF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
63251 -+
63252 -+#define PAX_DELTA_MMAP_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
63253 -+#define PAX_DELTA_STACK_LEN ((current->thread.mflags & MF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
63254 -+#endif
63255 -+
63256 - #endif /* _ASM_ELF_H */
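Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are the same value (`0x00400000UL`), so the `MF_32BIT_ADDR` test is dead; either the 64-bit base was meant to differ (as the other arches in this patch do) or the expression should be reduced to the constant. The `PAX_DELTA_*_LEN` lines below it do differ per ABI, which makes the identical base look like an oversight.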
63257 -diff -Nurp linux-2.6.23.15/include/asm-mips/kmap_types.h linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h
63258 ---- linux-2.6.23.15/include/asm-mips/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63259 -+++ linux-2.6.23.15-grsec/include/asm-mips/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63260 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63261 - D(10) KM_IRQ1,
63262 - D(11) KM_SOFTIRQ0,
63263 - D(12) KM_SOFTIRQ1,
63264 --D(13) KM_TYPE_NR
63265 -+D(13) KM_CLEARPAGE,
63266 -+D(14) KM_TYPE_NR
63267 - };
63268 -
63269 - #undef D
63270 -diff -Nurp linux-2.6.23.15/include/asm-mips/page.h linux-2.6.23.15-grsec/include/asm-mips/page.h
63271 ---- linux-2.6.23.15/include/asm-mips/page.h 2007-10-09 21:31:38.000000000 +0100
63272 -+++ linux-2.6.23.15-grsec/include/asm-mips/page.h 2008-02-11 10:37:44.000000000 +0000
63273 -@@ -82,7 +82,7 @@ extern void copy_user_highpage(struct pa
63274 - #ifdef CONFIG_CPU_MIPS32
63275 - typedef struct { unsigned long pte_low, pte_high; } pte_t;
63276 - #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
63277 -- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
63278 -+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
63279 - #else
63280 - typedef struct { unsigned long long pte; } pte_t;
63281 - #define pte_val(x) ((x).pte)
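Review bot: Dropping the `(unsigned long long)` cast in `__pte(x)` makes `(x) >> 32` well-defined only when every caller passes a 64-bit value; with a 32-bit `unsigned long` argument the shift width exceeds the type width. Since `pte_t` here is `{ pte_low, pte_high }` and `pte_val()` still widens explicitly, the cast looks intentional; if it is being removed to silence a warning, a comment should say what type callers are required to pass.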
63282 -diff -Nurp linux-2.6.23.15/include/asm-mips/system.h linux-2.6.23.15-grsec/include/asm-mips/system.h
63283 ---- linux-2.6.23.15/include/asm-mips/system.h 2007-10-09 21:31:38.000000000 +0100
63284 -+++ linux-2.6.23.15-grsec/include/asm-mips/system.h 2008-02-11 10:37:44.000000000 +0000
63285 -@@ -213,6 +213,6 @@ extern int stop_a_enabled;
63286 - */
63287 - #define __ARCH_WANT_UNLOCKED_CTXSW
63288 -
63289 --extern unsigned long arch_align_stack(unsigned long sp);
63290 -+#define arch_align_stack(x) (x)
63291 -
63292 - #endif /* _ASM_SYSTEM_H */
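Review bot: Replacing `extern unsigned long arch_align_stack(unsigned long sp);` with the identity macro `#define arch_align_stack(x) (x)` silently drops whatever alignment or randomization the out-of-line function applied; if that function still exists under `arch/mips` it is now dead code, and any caller that relied on the returned `sp` being aligned should be checked. A one-line comment explaining that stack randomization is handled elsewhere would make the intent clear.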
63293 -diff -Nurp linux-2.6.23.15/include/asm-parisc/a.out.h linux-2.6.23.15-grsec/include/asm-parisc/a.out.h
63294 ---- linux-2.6.23.15/include/asm-parisc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63295 -+++ linux-2.6.23.15-grsec/include/asm-parisc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63296 -@@ -22,7 +22,7 @@ struct exec
63297 - /* XXX: STACK_TOP actually should be STACK_BOTTOM for parisc.
63298 - * prumpf */
63299 -
63300 --#define STACK_TOP TASK_SIZE
63301 -+#define __STACK_TOP TASK_SIZE
63302 - #define STACK_TOP_MAX DEFAULT_TASK_SIZE
63303 -
63304 - #endif
63305 -diff -Nurp linux-2.6.23.15/include/asm-parisc/elf.h linux-2.6.23.15-grsec/include/asm-parisc/elf.h
63306 ---- linux-2.6.23.15/include/asm-parisc/elf.h 2007-10-09 21:31:38.000000000 +0100
63307 -+++ linux-2.6.23.15-grsec/include/asm-parisc/elf.h 2008-02-11 10:37:44.000000000 +0000
63308 -@@ -337,6 +337,13 @@ struct pt_regs; /* forward declaration..
63309 -
63310 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
63311 -
63312 -+#ifdef CONFIG_PAX_ASLR
63313 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
63314 -+
63315 -+#define PAX_DELTA_MMAP_LEN 16
63316 -+#define PAX_DELTA_STACK_LEN 16
63317 -+#endif
63318 -+
63319 - /* This yields a mask that user programs can use to figure out what
63320 - instruction set this CPU supports. This could be done in user space,
63321 - but it's not easy, and we've already done it here. */
63322 -diff -Nurp linux-2.6.23.15/include/asm-parisc/kmap_types.h linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h
63323 ---- linux-2.6.23.15/include/asm-parisc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63324 -+++ linux-2.6.23.15-grsec/include/asm-parisc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63325 -@@ -22,7 +22,8 @@ D(9) KM_IRQ0,
63326 - D(10) KM_IRQ1,
63327 - D(11) KM_SOFTIRQ0,
63328 - D(12) KM_SOFTIRQ1,
63329 --D(13) KM_TYPE_NR
63330 -+D(13) KM_CLEARPAGE,
63331 -+D(14) KM_TYPE_NR
63332 - };
63333 -
63334 - #undef D
63335 -diff -Nurp linux-2.6.23.15/include/asm-parisc/pgtable.h linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h
63336 ---- linux-2.6.23.15/include/asm-parisc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63337 -+++ linux-2.6.23.15-grsec/include/asm-parisc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63338 -@@ -218,6 +218,17 @@ extern void *vmalloc_start;
63339 - #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
63340 - #define PAGE_COPY PAGE_EXECREAD
63341 - #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
63342 -+
63343 -+#ifdef CONFIG_PAX_PAGEEXEC
63344 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
63345 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
63346 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
63347 -+#else
63348 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63349 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63350 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63351 -+#endif
63352 -+
63353 - #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
63354 - #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
63355 - #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
63356 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/a.out.h linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h
63357 ---- linux-2.6.23.15/include/asm-powerpc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63358 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63359 -@@ -23,15 +23,15 @@ struct exec
63360 - #define STACK_TOP_USER64 TASK_SIZE_USER64
63361 - #define STACK_TOP_USER32 TASK_SIZE_USER32
63362 -
63363 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63364 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63365 - STACK_TOP_USER32 : STACK_TOP_USER64)
63366 -
63367 - #define STACK_TOP_MAX STACK_TOP_USER64
63368 -
63369 - #else /* __powerpc64__ */
63370 -
63371 --#define STACK_TOP TASK_SIZE
63372 --#define STACK_TOP_MAX STACK_TOP
63373 -+#define __STACK_TOP TASK_SIZE
63374 -+#define STACK_TOP_MAX __STACK_TOP
63375 -
63376 - #endif /* __powerpc64__ */
63377 - #endif /* __KERNEL__ */
63378 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/elf.h linux-2.6.23.15-grsec/include/asm-powerpc/elf.h
63379 ---- linux-2.6.23.15/include/asm-powerpc/elf.h 2007-10-09 21:31:38.000000000 +0100
63380 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/elf.h 2008-02-11 10:37:44.000000000 +0000
63381 -@@ -159,6 +159,18 @@ typedef elf_vrreg_t elf_vrregset_t[ELF_N
63382 - typedef elf_vrreg_t elf_vrregset_t32[ELF_NVRREG32];
63383 - #endif
63384 -
63385 -+#ifdef CONFIG_PAX_ASLR
63386 -+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
63387 -+
63388 -+#ifdef __powerpc64__
63389 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
63390 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
63391 -+#else
63392 -+#define PAX_DELTA_MMAP_LEN 15
63393 -+#define PAX_DELTA_STACK_LEN 15
63394 -+#endif
63395 -+#endif
63396 -+
63397 - #ifdef __KERNEL__
63398 - /*
63399 - * This is used to ensure we don't load something for the wrong architecture.
63400 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/kmap_types.h linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h
63401 ---- linux-2.6.23.15/include/asm-powerpc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63402 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63403 -@@ -26,6 +26,7 @@ enum km_type {
63404 - KM_SOFTIRQ1,
63405 - KM_PPC_SYNC_PAGE,
63406 - KM_PPC_SYNC_ICACHE,
63407 -+ KM_CLEARPAGE,
63408 - KM_TYPE_NR
63409 - };
63410 -
63411 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/page.h linux-2.6.23.15-grsec/include/asm-powerpc/page.h
63412 ---- linux-2.6.23.15/include/asm-powerpc/page.h 2007-10-09 21:31:38.000000000 +0100
63413 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/page.h 2008-02-11 10:37:44.000000000 +0000
63414 -@@ -71,8 +71,9 @@
63415 - * and needs to be executable. This means the whole heap ends
63416 - * up being executable.
63417 - */
63418 --#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
63419 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63420 -+#define VM_DATA_DEFAULT_FLAGS32 \
63421 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
63422 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63423 -
63424 - #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
63425 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
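Review bot: The comment immediately above the hunk (`* and needs to be executable. This means the whole heap ends` / `* up being executable.`) still describes the old unconditional `VM_EXEC`; now that `VM_DATA_DEFAULT_FLAGS32` only sets `VM_EXEC` when `current->personality & READ_IMPLIES_EXEC`, the comment should be updated to say so.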
63426 -diff -Nurp linux-2.6.23.15/include/asm-powerpc/page_64.h linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h
63427 ---- linux-2.6.23.15/include/asm-powerpc/page_64.h 2007-10-09 21:31:38.000000000 +0100
63428 -+++ linux-2.6.23.15-grsec/include/asm-powerpc/page_64.h 2008-02-11 10:37:44.000000000 +0000
63429 -@@ -158,15 +158,18 @@ extern int is_hugepage_only_range(struct
63430 - * stack by default, so in the absense of a PT_GNU_STACK program header
63431 - * we turn execute permission off.
63432 - */
63433 --#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
63434 -- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63435 -+#define VM_STACK_DEFAULT_FLAGS32 \
63436 -+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0 ) | \
63437 -+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63438 -
63439 - #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
63440 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
63441 -
63442 -+#ifndef CONFIG_PAX_PAGEEXEC
63443 - #define VM_STACK_DEFAULT_FLAGS \
63444 - (test_thread_flag(TIF_32BIT) ? \
63445 - VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
63446 -+#endif
63447 -
63448 - #include <asm-generic/page.h>
63449 -
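Review bot: Wrapping `VM_STACK_DEFAULT_FLAGS` in `#ifndef CONFIG_PAX_PAGEEXEC` leaves it undefined under `PAGEEXEC` unless another header provides it; that replacement is not in this hunk, so it should be verified to exist and to be reached before any user of the macro. The unchanged comment above (`* we turn execute permission off.`) now describes only the non-PAGEEXEC path and should mention the alternative.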
63450 -diff -Nurp linux-2.6.23.15/include/asm-ppc/mmu_context.h linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h
63451 ---- linux-2.6.23.15/include/asm-ppc/mmu_context.h 2007-10-09 21:31:38.000000000 +0100
63452 -+++ linux-2.6.23.15-grsec/include/asm-ppc/mmu_context.h 2008-02-11 10:37:44.000000000 +0000
63453 -@@ -145,7 +145,8 @@ static inline void get_mmu_context(struc
63454 - static inline int init_new_context(struct task_struct *t, struct mm_struct *mm)
63455 - {
63456 - mm->context.id = NO_CONTEXT;
63457 -- mm->context.vdso_base = 0;
63458 -+ if (t == current)
63459 -+ mm->context.vdso_base = ~0UL;
63460 - return 0;
63461 - }
63462 -
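Review bot: The new `if (t == current)` guard means `mm->context.vdso_base` is left untouched for the `t != current` case, where the old code unconditionally zeroed it. If that relies on the field having been copied from the parent mm before `init_new_context()` runs, a comment should say so; otherwise a reader will take this as an uninitialized field, and the meaning of the `~0UL` sentinel (versus the old `0`) should be stated as well.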
63463 -diff -Nurp linux-2.6.23.15/include/asm-ppc/pgtable.h linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h
63464 ---- linux-2.6.23.15/include/asm-ppc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63465 -+++ linux-2.6.23.15-grsec/include/asm-ppc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63466 -@@ -440,11 +440,21 @@ extern unsigned long ioremap_bot, iorema
63467 -
63468 - #define PAGE_NONE __pgprot(_PAGE_BASE)
63469 - #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER)
63470 --#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
63471 -+#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
63472 - #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW)
63473 --#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC)
63474 -+#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC | _PAGE_HWEXEC)
63475 - #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER)
63476 --#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC)
63477 -+#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC | _PAGE_HWEXEC)
63478 -+
63479 -+#if defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_40x) && !defined(CONFIG_44x)
63480 -+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_GUARDED)
63481 -+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
63482 -+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_GUARDED)
63483 -+#else
63484 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63485 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63486 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63487 -+#endif
63488 -
63489 - #define PAGE_KERNEL __pgprot(_PAGE_RAM)
63490 - #define PAGE_KERNEL_NOCACHE __pgprot(_PAGE_IO)
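Review bot: The `*_NOEXEC` protections use `_PAGE_GUARDED` as the no-execute marker, and `40x`/`44x` are excluded from the `PAGEEXEC` branch, but nothing in the header explains either choice. A comment stating that the guarded bit is what blocks instruction fetch on the MMUs this targets, and why the two excluded families cannot use it, would help; the `_PAGE_HWEXEC` additions to the `_X` variants deserve a similar one-liner.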
63491 -@@ -456,21 +466,21 @@ extern unsigned long ioremap_bot, iorema
63492 - * This is the closest we can get..
63493 - */
63494 - #define __P000 PAGE_NONE
63495 --#define __P001 PAGE_READONLY_X
63496 --#define __P010 PAGE_COPY
63497 --#define __P011 PAGE_COPY_X
63498 --#define __P100 PAGE_READONLY
63499 -+#define __P001 PAGE_READONLY_NOEXEC
63500 -+#define __P010 PAGE_COPY_NOEXEC
63501 -+#define __P011 PAGE_COPY_NOEXEC
63502 -+#define __P100 PAGE_READONLY_X
63503 - #define __P101 PAGE_READONLY_X
63504 --#define __P110 PAGE_COPY
63505 -+#define __P110 PAGE_COPY_X
63506 - #define __P111 PAGE_COPY_X
63507 -
63508 - #define __S000 PAGE_NONE
63509 --#define __S001 PAGE_READONLY_X
63510 --#define __S010 PAGE_SHARED
63511 --#define __S011 PAGE_SHARED_X
63512 --#define __S100 PAGE_READONLY
63513 -+#define __S001 PAGE_READONLY_NOEXEC
63514 -+#define __S010 PAGE_SHARED_NOEXEC
63515 -+#define __S011 PAGE_SHARED_NOEXEC
63516 -+#define __S100 PAGE_READONLY_X
63517 - #define __S101 PAGE_READONLY_X
63518 --#define __S110 PAGE_SHARED
63519 -+#define __S110 PAGE_SHARED_X
63520 - #define __S111 PAGE_SHARED_X
63521 -
63522 - #ifndef __ASSEMBLY__
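Review bot: The `__P`/`__S` table now maps `PROT_READ` entries (`__P001`, `__S001`) to the `_NOEXEC` protections and `PROT_EXEC` entries (`__P100`, `__S100`) to the `_X` ones, reversing the old placement where `__P001` was `PAGE_READONLY_X` and `__P100` was plain `PAGE_READONLY`. The unchanged comment above the table (`* This is the closest we can get..`) was written for the old mapping and should be rewritten to describe the new one and its dependency on `PAGE_*_NOEXEC`.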
63523 -diff -Nurp linux-2.6.23.15/include/asm-s390/kmap_types.h linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h
63524 ---- linux-2.6.23.15/include/asm-s390/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63525 -+++ linux-2.6.23.15-grsec/include/asm-s390/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63526 -@@ -16,6 +16,7 @@ enum km_type {
63527 - KM_IRQ1,
63528 - KM_SOFTIRQ0,
63529 - KM_SOFTIRQ1,
63530 -+ KM_CLEARPAGE,
63531 - KM_TYPE_NR
63532 - };
63533 -
63534 -diff -Nurp linux-2.6.23.15/include/asm-sh/kmap_types.h linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h
63535 ---- linux-2.6.23.15/include/asm-sh/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63536 -+++ linux-2.6.23.15-grsec/include/asm-sh/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63537 -@@ -24,7 +24,8 @@ D(9) KM_IRQ0,
63538 - D(10) KM_IRQ1,
63539 - D(11) KM_SOFTIRQ0,
63540 - D(12) KM_SOFTIRQ1,
63541 --D(13) KM_TYPE_NR
63542 -+D(13) KM_CLEARPAGE,
63543 -+D(14) KM_TYPE_NR
63544 - };
63545 -
63546 - #undef D
63547 -diff -Nurp linux-2.6.23.15/include/asm-sparc/a.out.h linux-2.6.23.15-grsec/include/asm-sparc/a.out.h
63548 ---- linux-2.6.23.15/include/asm-sparc/a.out.h 2007-10-09 21:31:38.000000000 +0100
63549 -+++ linux-2.6.23.15-grsec/include/asm-sparc/a.out.h 2008-02-11 10:37:44.000000000 +0000
63550 -@@ -91,8 +91,8 @@ struct relocation_info /* used when head
63551 -
63552 - #include <asm/page.h>
63553 -
63554 --#define STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
63555 --#define STACK_TOP_MAX STACK_TOP
63556 -+#define __STACK_TOP (PAGE_OFFSET - PAGE_SIZE)
63557 -+#define STACK_TOP_MAX __STACK_TOP
63558 -
63559 - #endif /* __KERNEL__ */
63560 -
63561 -diff -Nurp linux-2.6.23.15/include/asm-sparc/elf.h linux-2.6.23.15-grsec/include/asm-sparc/elf.h
63562 ---- linux-2.6.23.15/include/asm-sparc/elf.h 2007-10-09 21:31:38.000000000 +0100
63563 -+++ linux-2.6.23.15-grsec/include/asm-sparc/elf.h 2008-02-11 10:37:44.000000000 +0000
63564 -@@ -143,6 +143,13 @@ do { unsigned long *dest = &(__elf_regs[
63565 -
63566 - #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
63567 -
63568 -+#ifdef CONFIG_PAX_ASLR
63569 -+#define PAX_ELF_ET_DYN_BASE 0x10000UL
63570 -+
63571 -+#define PAX_DELTA_MMAP_LEN 16
63572 -+#define PAX_DELTA_STACK_LEN 16
63573 -+#endif
63574 -+
63575 - /* This yields a mask that user programs can use to figure out what
63576 - instruction set this cpu supports. This can NOT be done in userspace
63577 - on Sparc. */
63578 -diff -Nurp linux-2.6.23.15/include/asm-sparc/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h
63579 ---- linux-2.6.23.15/include/asm-sparc/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63580 -+++ linux-2.6.23.15-grsec/include/asm-sparc/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63581 -@@ -15,6 +15,7 @@ enum km_type {
63582 - KM_IRQ1,
63583 - KM_SOFTIRQ0,
63584 - KM_SOFTIRQ1,
63585 -+ KM_CLEARPAGE,
63586 - KM_TYPE_NR
63587 - };
63588 -
63589 -diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtable.h linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h
63590 ---- linux-2.6.23.15/include/asm-sparc/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63591 -+++ linux-2.6.23.15-grsec/include/asm-sparc/pgtable.h 2008-02-11 10:37:44.000000000 +0000
63592 -@@ -69,6 +69,16 @@ extern pgprot_t PAGE_SHARED;
63593 - #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
63594 - #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
63595 -
63596 -+#ifdef CONFIG_PAX_PAGEEXEC
63597 -+extern pgprot_t PAGE_SHARED_NOEXEC;
63598 -+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
63599 -+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
63600 -+#else
63601 -+# define PAGE_SHARED_NOEXEC PAGE_SHARED
63602 -+# define PAGE_COPY_NOEXEC PAGE_COPY
63603 -+# define PAGE_READONLY_NOEXEC PAGE_READONLY
63604 -+#endif
63605 -+
63606 - extern unsigned long page_kernel;
63607 -
63608 - #ifdef MODULE
63609 -diff -Nurp linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h
63610 ---- linux-2.6.23.15/include/asm-sparc/pgtsrmmu.h 2007-10-09 21:31:38.000000000 +0100
63611 -+++ linux-2.6.23.15-grsec/include/asm-sparc/pgtsrmmu.h 2008-02-11 10:37:44.000000000 +0000
63612 -@@ -115,6 +115,16 @@
63613 - SRMMU_EXEC | SRMMU_REF)
63614 - #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63615 - SRMMU_EXEC | SRMMU_REF)
63616 -+
63617 -+#ifdef CONFIG_PAX_PAGEEXEC
63618 -+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63619 -+ SRMMU_WRITE | SRMMU_REF)
63620 -+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63621 -+ SRMMU_REF)
63622 -+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | \
63623 -+ SRMMU_REF)
63624 -+#endif
63625 -+
63626 - #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
63627 - SRMMU_DIRTY | SRMMU_REF)
63628 -
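Review bot: Unlike the `pgtable.h` hunks in this patch, the `SRMMU_PAGE_*_NOEXEC` definitions have no `#else` fallback to the executable variants when `CONFIG_PAX_PAGEEXEC` is off, so any use of them outside a matching `#ifdef` will fail to compile in that configuration. Either add the fallback aliases or note that all users are guarded.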
63629 -diff -Nurp linux-2.6.23.15/include/asm-sparc/uaccess.h linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h
63630 ---- linux-2.6.23.15/include/asm-sparc/uaccess.h 2007-10-09 21:31:38.000000000 +0100
63631 -+++ linux-2.6.23.15-grsec/include/asm-sparc/uaccess.h 2008-02-11 10:37:44.000000000 +0000
63632 -@@ -41,7 +41,7 @@
63633 - * No one can read/write anything from userland in the kernel space by setting
63634 - * large size and address near to PAGE_OFFSET - a fault will break his intentions.
63635 - */
63636 --#define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
63637 -+#define __user_ok(addr, size) ({ (void)(size); (addr) < __STACK_TOP; })
63638 - #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
63639 - #define __access_ok(addr,size) (__user_ok((addr) & get_fs().seg,(size)))
63640 - #define access_ok(type, addr, size) \
63641 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/a.out.h linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h
63642 ---- linux-2.6.23.15/include/asm-sparc64/a.out.h 2007-10-09 21:31:38.000000000 +0100
63643 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/a.out.h 2008-02-11 10:37:44.000000000 +0000
63644 -@@ -98,7 +98,7 @@ struct relocation_info /* used when head
63645 - #define STACK_TOP32 ((1UL << 32UL) - PAGE_SIZE)
63646 - #define STACK_TOP64 (0x0000080000000000UL - (1UL << 32UL))
63647 -
63648 --#define STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63649 -+#define __STACK_TOP (test_thread_flag(TIF_32BIT) ? \
63650 - STACK_TOP32 : STACK_TOP64)
63651 -
63652 - #define STACK_TOP_MAX STACK_TOP64
63653 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/elf.h linux-2.6.23.15-grsec/include/asm-sparc64/elf.h
63654 ---- linux-2.6.23.15/include/asm-sparc64/elf.h 2007-10-09 21:31:38.000000000 +0100
63655 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/elf.h 2008-02-11 10:37:44.000000000 +0000
63656 -@@ -143,6 +143,12 @@ typedef struct {
63657 - #define ELF_ET_DYN_BASE 0x0000010000000000UL
63658 - #endif
63659 -
63660 -+#ifdef CONFIG_PAX_ASLR
63661 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
63662 -+
63663 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28 )
63664 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29 )
63665 -+#endif
63666 -
63667 - /* This yields a mask that user programs can use to figure out what
63668 - instruction set this cpu supports. */
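Review bot: `PAX_DELTA_MMAP_LEN` (`14 : 28`) and `PAX_DELTA_STACK_LEN` (`15 : 29`) differ by one bit here, whereas every other architecture in this patch uses the same length for both; if the asymmetry is intentional it deserves a comment. The stray spaces before the closing parentheses (`28 )`, `29 )`) should also be removed.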
63669 -diff -Nurp linux-2.6.23.15/include/asm-sparc64/kmap_types.h linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h
63670 ---- linux-2.6.23.15/include/asm-sparc64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63671 -+++ linux-2.6.23.15-grsec/include/asm-sparc64/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63672 -@@ -19,6 +19,7 @@ enum km_type {
63673 - KM_IRQ1,
63674 - KM_SOFTIRQ0,
63675 - KM_SOFTIRQ1,
63676 -+ KM_CLEARPAGE,
63677 - KM_TYPE_NR
63678 - };
63679 -
63680 -diff -Nurp linux-2.6.23.15/include/asm-um/kmap_types.h linux-2.6.23.15-grsec/include/asm-um/kmap_types.h
63681 ---- linux-2.6.23.15/include/asm-um/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63682 -+++ linux-2.6.23.15-grsec/include/asm-um/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63683 -@@ -23,6 +23,7 @@ enum km_type {
63684 - KM_IRQ1,
63685 - KM_SOFTIRQ0,
63686 - KM_SOFTIRQ1,
63687 -+ KM_CLEARPAGE,
63688 - KM_TYPE_NR
63689 - };
63690 -
63691 -diff -Nurp linux-2.6.23.15/include/asm-v850/kmap_types.h linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h
63692 ---- linux-2.6.23.15/include/asm-v850/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63693 -+++ linux-2.6.23.15-grsec/include/asm-v850/kmap_types.h 2008-02-11 10:37:44.000000000 +0000
63694 -@@ -13,6 +13,7 @@ enum km_type {
63695 - KM_PTE1,
63696 - KM_IRQ0,
63697 - KM_IRQ1,
63698 -+ KM_CLEARPAGE,
63699 - KM_TYPE_NR
63700 - };
63701 -
63702 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/a.out.h linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h
63703 ---- linux-2.6.23.15/include/asm-x86_64/a.out.h 2007-10-09 21:31:38.000000000 +0100
63704 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/a.out.h 2008-02-11 10:37:45.000000000 +0000
63705 -@@ -21,7 +21,7 @@ struct exec
63706 -
63707 - #ifdef __KERNEL__
63708 - #include <linux/thread_info.h>
63709 --#define STACK_TOP TASK_SIZE
63710 -+#define __STACK_TOP TASK_SIZE
63711 - #define STACK_TOP_MAX TASK_SIZE64
63712 - #endif
63713 -
63714 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/apic.h linux-2.6.23.15-grsec/include/asm-x86_64/apic.h
63715 ---- linux-2.6.23.15/include/asm-x86_64/apic.h 2007-10-09 21:31:38.000000000 +0100
63716 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/apic.h 2008-02-11 10:37:45.000000000 +0000
63717 -@@ -7,7 +7,7 @@
63718 - #include <asm/apicdef.h>
63719 - #include <asm/system.h>
63720 -
63721 --#define Dprintk(x...)
63722 -+#define Dprintk(x...) do {} while (0)
63723 -
63724 - /*
63725 - * Debugging macros
63726 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/elf.h linux-2.6.23.15-grsec/include/asm-x86_64/elf.h
63727 ---- linux-2.6.23.15/include/asm-x86_64/elf.h 2007-10-09 21:31:38.000000000 +0100
63728 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/elf.h 2008-02-11 10:37:45.000000000 +0000
63729 -@@ -92,6 +92,13 @@ typedef struct user_i387_struct elf_fpre
63730 -
63731 - #define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
63732 -
63733 -+#ifdef CONFIG_PAX_ASLR
63734 -+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_IA32) ? 0x08048000UL : 0x400000UL)
63735 -+
63736 -+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
63737 -+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_IA32) ? 16 : 32)
63738 -+#endif
63739 -+
63740 - /* regs is struct pt_regs, pr_reg is elf_gregset_t (which is
63741 - now struct_user_regs, they are different). Assumes current is the process
63742 - getting dumped. */
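Review bot: the three PAX_* macros added after ELF_ET_DYN_BASE evaluate test_thread_flag(TIF_IA32) on current, so they are only meaningful on the exec path of the task whose image is being set up; add a comment saying so, in the same spirit as the "assumes current is the process getting dumped" caveat that already follows them. It would also help to state why PAX_ELF_ET_DYN_BASE for 64-bit tasks is 0x400000UL (the conventional ET_EXEC load address, with 0x08048000UL its i386 counterpart) and why the mmap and stack delta widths drop from 32 to 16 bits for 32-bit tasks (a 4GB address space leaves fewer bits to randomize).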
63743 -@@ -172,7 +179,7 @@ extern int vdso_enabled;
63744 -
63745 - #define ARCH_DLINFO \
63746 - do if (vdso_enabled) { \
63747 -- NEW_AUX_ENT(AT_SYSINFO_EHDR,(unsigned long)current->mm->context.vdso);\
63748 -+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
63749 - } while (0)
63750 -
63751 - #endif
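Review bot: dropping the `(unsigned long)` cast in ARCH_DLINFO is only correct together with the asm-x86_64/mmu.h hunk below that changes `context.vdso` from `void *` to `unsigned long`; if the two are ever applied separately this line passes a pointer where NEW_AUX_ENT expects an integer. Worth noting the dependency in the patch description.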
63752 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/futex.h linux-2.6.23.15-grsec/include/asm-x86_64/futex.h
63753 ---- linux-2.6.23.15/include/asm-x86_64/futex.h 2007-10-09 21:31:38.000000000 +0100
63754 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/futex.h 2008-02-11 10:37:45.000000000 +0000
63755 -@@ -42,7 +42,7 @@
63756 - : "r" (oparg), "i" (-EFAULT), "m" (*uaddr), "1" (0))
63757 -
63758 - static inline int
63759 --futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
63760 -+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
63761 - {
63762 - int op = (encoded_op >> 28) & 7;
63763 - int cmp = (encoded_op >> 24) & 15;
63764 -@@ -95,7 +95,7 @@ futex_atomic_op_inuser (int encoded_op,
63765 - }
63766 -
63767 - static inline int
63768 --futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
63769 -+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
63770 - {
63771 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
63772 - return -EFAULT;
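Review bot: the uaddr parameter of futex_atomic_op_inuser and futex_atomic_cmpxchg_inatomic becomes `u32 __user *`, but the `access_ok(VERIFY_WRITE, uaddr, sizeof(int))` check in the second function and its `int oldval, int newval` arguments keep the old type. Both are 4 bytes on x86_64 so nothing breaks today; use `sizeof(*uaddr)` (or `sizeof(u32)`) and u32 for the values so the bounds check and the operand width cannot drift apart on a future type change.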
63773 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/ia32.h linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h
63774 ---- linux-2.6.23.15/include/asm-x86_64/ia32.h 2007-10-09 21:31:38.000000000 +0100
63775 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/ia32.h 2008-02-11 10:37:45.000000000 +0000
63776 -@@ -156,7 +156,13 @@ struct ustat32 {
63777 - char f_fpack[6];
63778 - };
63779 -
63780 --#define IA32_STACK_TOP IA32_PAGE_OFFSET
63781 -+#ifdef CONFIG_PAX_RANDUSTACK
63782 -+#define IA32_DELTA_STACK (current->mm->delta_stack)
63783 -+#else
63784 -+#define IA32_DELTA_STACK 0UL
63785 -+#endif
63786 -+
63787 -+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - IA32_DELTA_STACK)
63788 -
63789 - #ifdef __KERNEL__
63790 - struct user_desc;
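Review bot: IA32_DELTA_STACK duplicates the __DELTA_STACK macro that linux/a.out.h gains later in this patch, with the same CONFIG_PAX_RANDUSTACK conditional and the same `current->mm->delta_stack` expression; keep one definition and have IA32_STACK_TOP use it, so a change to how the delta is stored cannot update one copy and miss the other. Note also that IA32_STACK_TOP now dereferences `current->mm`, which the old constant did not; it must not be evaluated from a context without an mm (kernel threads).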
63791 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/kmap_types.h linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h
63792 ---- linux-2.6.23.15/include/asm-x86_64/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63793 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
63794 -@@ -13,6 +13,7 @@ enum km_type {
63795 - KM_IRQ1,
63796 - KM_SOFTIRQ0,
63797 - KM_SOFTIRQ1,
63798 -+ KM_CLEARPAGE,
63799 - KM_TYPE_NR
63800 - };
63801 -
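Review bot: KM_CLEARPAGE has to be inserted before KM_TYPE_NR in every architecture's kmap_types.h; this section shows three such hunks (the one whose tail opens the section, x86_64 here, xtensa further down). A build on any architecture the patch misses fails wherever KM_CLEARPAGE is used, so listing the updated arches in the patch header would make the next rebase easier to check.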
63802 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/mmu.h linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h
63803 ---- linux-2.6.23.15/include/asm-x86_64/mmu.h 2007-10-09 21:31:38.000000000 +0100
63804 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/mmu.h 2008-02-11 10:37:45.000000000 +0000
63805 -@@ -15,7 +15,7 @@ typedef struct {
63806 - rwlock_t ldtlock;
63807 - int size;
63808 - struct semaphore sem;
63809 -- void *vdso;
63810 -+ unsigned long vdso;
63811 - } mm_context_t;
63812 -
63813 - #endif
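Review bot: changing `vdso` from `void *` to `unsigned long` is a type change visible to every user of mm->context.vdso; the ARCH_DLINFO hunk above drops its cast accordingly, but the code that assigns the field when the vdso is mapped (not in this section) needs the matching change or the build breaks. A comment on the field saying it holds a user-space address, not a kernel pointer, would explain why the integer type was chosen.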
63814 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/page.h linux-2.6.23.15-grsec/include/asm-x86_64/page.h
63815 ---- linux-2.6.23.15/include/asm-x86_64/page.h 2007-10-09 21:31:38.000000000 +0100
63816 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/page.h 2008-02-11 10:37:45.000000000 +0000
63817 -@@ -94,6 +94,8 @@ extern unsigned long phys_base;
63818 - #define __START_KERNEL_map _AC(0xffffffff80000000, UL)
63819 - #define __PAGE_OFFSET _AC(0xffff810000000000, UL)
63820 -
63821 -+#define __KERNEL_TEXT_OFFSET (0)
63822 -+
63823 - /* to align the pointer to the (next) page boundary */
63824 - #define PAGE_ALIGN(addr) (((addr)+PAGE_SIZE-1)&PAGE_MASK)
63825 -
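Review bot: `__KERNEL_TEXT_OFFSET (0)` is added unconditionally and without a comment. If it exists so that generic code can reference the symbol on x86_64 where no kernel text relocation (KERNEXEC) is implemented, say so here; a reader seeing a zero offset right after __START_KERNEL_map will otherwise take it for a placeholder still to be filled in.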
63826 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgalloc.h linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h
63827 ---- linux-2.6.23.15/include/asm-x86_64/pgalloc.h 2007-10-09 21:31:38.000000000 +0100
63828 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/pgalloc.h 2008-02-11 10:37:45.000000000 +0000
63829 -@@ -6,7 +6,7 @@
63830 - #include <linux/mm.h>
63831 -
63832 - #define pmd_populate_kernel(mm, pmd, pte) \
63833 -- set_pmd(pmd, __pmd(_PAGE_TABLE | __pa(pte)))
63834 -+ set_pmd(pmd, __pmd(_KERNPG_TABLE | __pa(pte)))
63835 - #define pud_populate(mm, pud, pmd) \
63836 - set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)))
63837 - #define pgd_populate(mm, pgd, pud) \
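Review bot: pmd_populate_kernel switches from _PAGE_TABLE to _KERNPG_TABLE, the table flag set without the user bit, but pud_populate and pgd_populate in the same hunk still use _PAGE_TABLE. Either the upper levels need the same treatment for kernel-only mappings, or the reason they must keep _PAGE_USER (the PGD/PUD levels are shared with user mappings) belongs in a comment, because otherwise the next hardening pass will "fix" them and break user space.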
63838 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/pgtable.h linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h
63839 ---- linux-2.6.23.15/include/asm-x86_64/pgtable.h 2007-10-09 21:31:38.000000000 +0100
63840 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/pgtable.h 2008-02-11 10:37:45.000000000 +0000
63841 -@@ -179,6 +179,10 @@ static inline pte_t ptep_get_and_clear_f
63842 - #define PAGE_COPY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
63843 - #define PAGE_READONLY __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED | _PAGE_NX)
63844 - #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
63845 -+
63846 -+#define PAGE_READONLY_NOEXEC PAGE_READONLY
63847 -+#define PAGE_SHARED_NOEXEC PAGE_SHARED
63848 -+
63849 - #define __PAGE_KERNEL \
63850 - (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_NX)
63851 - #define __PAGE_KERNEL_EXEC \
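Review bot: PAGE_READONLY_NOEXEC aliases PAGE_READONLY, which the context lines show carries _PAGE_NX, so that name is accurate; PAGE_SHARED_NOEXEC aliases PAGE_SHARED, whose definition is not in the hunk. Please confirm PAGE_SHARED includes _PAGE_NX on x86_64 the way PAGE_READONLY does beside its _EXEC twin, otherwise a caller asking for the _NOEXEC protection gets an executable mapping and the alias becomes a trap.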
63852 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/processor.h linux-2.6.23.15-grsec/include/asm-x86_64/processor.h
63853 ---- linux-2.6.23.15/include/asm-x86_64/processor.h 2007-10-09 21:31:38.000000000 +0100
63854 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/processor.h 2008-02-11 10:37:45.000000000 +0000
63855 -@@ -140,7 +140,7 @@ static inline void clear_in_cr4 (unsigne
63856 - /* This decides where the kernel will search for a free chunk of vm
63857 - * space during mmap's.
63858 - */
63859 --#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFe000)
63860 -+#define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? 0xc0000000 : 0xFFFFf000)
63861 -
63862 - #define TASK_SIZE (test_thread_flag(TIF_IA32) ? IA32_PAGE_OFFSET : TASK_SIZE64)
63863 - #define TASK_SIZE_OF(child) ((test_tsk_thread_flag(child, TIF_IA32)) ? IA32_PAGE_OFFSET : TASK_SIZE64)
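Review bot: the compat address limit moves from 0xFFFFe000 to 0xFFFFf000 with no comment. Since IA32_STACK_TOP (ia32.h hunk above) and TASK_SIZE for TIF_IA32 tasks derive from IA32_PAGE_OFFSET, this hands a 32-bit process one more page at the top of its address space; state what used to occupy that page and why it is now free, and check any code that hard-codes 0xFFFFe000 instead of using the macro.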
63864 -diff -Nurp linux-2.6.23.15/include/asm-x86_64/system.h linux-2.6.23.15-grsec/include/asm-x86_64/system.h
63865 ---- linux-2.6.23.15/include/asm-x86_64/system.h 2008-02-11 10:36:03.000000000 +0000
63866 -+++ linux-2.6.23.15-grsec/include/asm-x86_64/system.h 2008-02-11 10:37:45.000000000 +0000
63867 -@@ -174,7 +174,7 @@ static inline void write_cr8(unsigned lo
63868 -
63869 - void cpu_idle_wait(void);
63870 -
63871 --extern unsigned long arch_align_stack(unsigned long sp);
63872 -+#define arch_align_stack(x) (x)
63873 - extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
63874 -
63875 - #endif
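Review bot: replacing `extern unsigned long arch_align_stack(unsigned long sp)` with an identity macro removes the upstream stack-pointer randomization on x86_64. That is fine while CONFIG_PAX_RANDUSTACK supplies the replacement, but with that option off __DELTA_STACK is 0UL (see the linux/a.out.h hunk below) and the stack top becomes fully deterministic, which is weaker than the vanilla kernel. Either keep the upstream call when PAX_RANDUSTACK is disabled, or document the trade-off next to the macro; and if the function body still exists in arch code it should go too, or it is dead code.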
63876 -diff -Nurp linux-2.6.23.15/include/asm-xtensa/kmap_types.h linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h
63877 ---- linux-2.6.23.15/include/asm-xtensa/kmap_types.h 2007-10-09 21:31:38.000000000 +0100
63878 -+++ linux-2.6.23.15-grsec/include/asm-xtensa/kmap_types.h 2008-02-11 10:37:45.000000000 +0000
63879 -@@ -25,6 +25,7 @@ enum km_type {
63880 - KM_IRQ1,
63881 - KM_SOFTIRQ0,
63882 - KM_SOFTIRQ1,
63883 -+ KM_CLEARPAGE,
63884 - KM_TYPE_NR
63885 - };
63886 -
63887 -diff -Nurp linux-2.6.23.15/include/linux/a.out.h linux-2.6.23.15-grsec/include/linux/a.out.h
63888 ---- linux-2.6.23.15/include/linux/a.out.h 2007-10-09 21:31:38.000000000 +0100
63889 -+++ linux-2.6.23.15-grsec/include/linux/a.out.h 2008-02-11 10:37:45.000000000 +0000
63890 -@@ -7,6 +7,16 @@
63891 -
63892 - #include <asm/a.out.h>
63893 -
63894 -+#ifdef CONFIG_PAX_RANDUSTACK
63895 -+#define __DELTA_STACK (current->mm->delta_stack)
63896 -+#else
63897 -+#define __DELTA_STACK 0UL
63898 -+#endif
63899 -+
63900 -+#ifndef STACK_TOP
63901 -+#define STACK_TOP (__STACK_TOP - __DELTA_STACK)
63902 -+#endif
63903 -+
63904 - #endif /* __STRUCT_EXEC_OVERRIDE__ */
63905 -
63906 - /* these go in the N_MACHTYPE field */
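Review bot: the new __DELTA_STACK and STACK_TOP block sits above `#endif /* __STRUCT_EXEC_OVERRIDE__ */`, i.e. inside the conditional that wraps the asm/a.out.h include. If that conditional is `#ifndef __STRUCT_EXEC_OVERRIDE__`, an architecture that overrides struct exec never gets STACK_TOP from this header; move the block after the #endif. Separately, `current->mm->delta_stack` needs struct task_struct and struct mm_struct, so any file using STACK_TOP now needs linux/sched.h before linux/a.out.h, which existing includers may not have.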
63907 -@@ -37,6 +47,14 @@ enum machine_type {
63908 - M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
63909 - };
63910 -
63911 -+/* Constants for the N_FLAGS field */
63912 -+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63913 -+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
63914 -+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
63915 -+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
63916 -+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63917 -+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63918 -+
63919 - #if !defined (N_MAGIC)
63920 - #define N_MAGIC(exec) ((exec).a_info & 0xffff)
63921 - #endif
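Review bot: the F_PAX_* constants for the a.out N_FLAGS field mirror the EF_PAX_* constants added to linux/elf.h in this same patch, bit for bit including the commented-out RANDEXEC at 16. Two hand-maintained copies of the same bit assignments will drift; define them once (or have one set expand to the other) and note that bit 16 is reserved rather than leaving it as a commented-out line.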
63922 -diff -Nurp linux-2.6.23.15/include/linux/binfmts.h linux-2.6.23.15-grsec/include/linux/binfmts.h
63923 ---- linux-2.6.23.15/include/linux/binfmts.h 2007-10-09 21:31:38.000000000 +0100
63924 -+++ linux-2.6.23.15-grsec/include/linux/binfmts.h 2008-02-11 10:37:45.000000000 +0000
63925 -@@ -48,6 +48,7 @@ struct linux_binprm{
63926 - unsigned interp_data;
63927 - unsigned long loader, exec;
63928 - unsigned long argv_len;
63929 -+ int misc;
63930 - };
63931 -
63932 - #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
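Review bot: `int misc` in struct linux_binprm says nothing about what it carries. Name the field for its purpose or add a comment, since binprm fields are read by every binfmt handler and an unexplained integer invites reuse for something else.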
63933 -@@ -99,5 +100,8 @@ extern void compute_creds(struct linux_b
63934 - extern int do_coredump(long signr, int exit_code, struct pt_regs * regs);
63935 - extern int set_binfmt(struct linux_binfmt *new);
63936 -
63937 -+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
63938 -+void pax_report_insns(void *pc, void *sp);
63939 -+
63940 - #endif /* __KERNEL__ */
63941 - #endif /* _LINUX_BINFMTS_H */
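Review bot: pax_report_fault() and pax_report_insns() are declared without a comment on what they log or from which context they are called. The `void *pc, void *sp` parameters are presumably user-space addresses captured at fault time; say so, and that callers must not dereference them directly, since a reporting helper that reads user memory has to use the copy_from_user path.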
63942 -diff -Nurp linux-2.6.23.15/include/linux/cache.h linux-2.6.23.15-grsec/include/linux/cache.h
63943 ---- linux-2.6.23.15/include/linux/cache.h 2007-10-09 21:31:38.000000000 +0100
63944 -+++ linux-2.6.23.15-grsec/include/linux/cache.h 2008-02-11 10:37:45.000000000 +0000
63945 -@@ -16,6 +16,10 @@
63946 - #define __read_mostly
63947 - #endif
63948 -
63949 -+#ifndef __read_only
63950 -+#define __read_only
63951 -+#endif
63952 -+
63953 - #ifndef ____cacheline_aligned
63954 - #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
63955 - #endif
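Review bot: defining `__read_only` to nothing when the architecture does not provide it means a variable annotated read-only-after-init silently becomes an ordinary writable variable on that architecture. That is the only workable fallback, but record it in a comment here so nobody assumes the annotation alone gives protection everywhere.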
63956 -diff -Nurp linux-2.6.23.15/include/linux/capability.h linux-2.6.23.15-grsec/include/linux/capability.h
63957 ---- linux-2.6.23.15/include/linux/capability.h 2007-10-09 21:31:38.000000000 +0100
63958 -+++ linux-2.6.23.15-grsec/include/linux/capability.h 2008-02-11 10:37:45.000000000 +0000
63959 -@@ -359,6 +359,7 @@ static inline kernel_cap_t cap_invert(ke
63960 - #define cap_is_fs_cap(c) (CAP_TO_MASK(c) & CAP_FS_MASK)
63961 -
63962 - int capable(int cap);
63963 -+int capable_nolog(int cap);
63964 - int __capable(struct task_struct *t, int cap);
63965 -
63966 - #endif /* __KERNEL__ */
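Review bot: capable_nolog() is declared with no comment on how it differs from capable(). Presumably it performs the same check without emitting the grsecurity capability-use audit record; say so here and name the intended callers, because a capability check that bypasses logging is exactly the kind of helper that gets copy-pasted into paths that should be audited.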
63967 -diff -Nurp linux-2.6.23.15/include/linux/elf.h linux-2.6.23.15-grsec/include/linux/elf.h
63968 ---- linux-2.6.23.15/include/linux/elf.h 2007-10-09 21:31:38.000000000 +0100
63969 -+++ linux-2.6.23.15-grsec/include/linux/elf.h 2008-02-11 10:37:45.000000000 +0000
63970 -@@ -8,6 +8,10 @@
63971 -
63972 - struct file;
63973 -
63974 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
63975 -+#undef elf_read_implies_exec
63976 -+#endif
63977 -+
63978 - #ifndef elf_read_implies_exec
63979 - /* Executables for which elf_read_implies_exec() returns TRUE will
63980 - have the READ_IMPLIES_EXEC personality flag set automatically.
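Review bot: under CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC the arch definition of elf_read_implies_exec is #undef'd immediately before the `#ifndef elf_read_implies_exec` fallback, so the generic default takes over and no binary gets READ_IMPLIES_EXEC from the arch heuristic. That is the intended behaviour (executable-by-default mappings would defeat PAGEEXEC), but a one-line comment would keep someone from "fixing" the apparent undef-then-define pair.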
63981 -@@ -49,6 +53,16 @@ typedef __s64 Elf64_Sxword;
63982 -
63983 - #define PT_GNU_STACK (PT_LOOS + 0x474e551)
63984 -
63985 -+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
63986 -+
63987 -+/* Constants for the e_flags field */
63988 -+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63989 -+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
63990 -+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
63991 -+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
63992 -+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63993 -+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63994 -+
63995 - /* These constants define the different elf file types */
63996 - #define ET_NONE 0
63997 - #define ET_REL 1
63998 -@@ -83,6 +97,8 @@ typedef __s64 Elf64_Sxword;
63999 - #define DT_DEBUG 21
64000 - #define DT_TEXTREL 22
64001 - #define DT_JMPREL 23
64002 -+#define DT_FLAGS 30
64003 -+ #define DF_TEXTREL 0x00000004
64004 - #define DT_ENCODING 32
64005 - #define OLD_DT_LOOS 0x60000000
64006 - #define DT_LOOS 0x6000000d
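Review bot: `DF_TEXTREL` is indented with a stray leading space and is a bit in the DT_FLAGS d_val, not a dynamic tag like the DT_* entries around it. Drop the space and add a comment that it is a DT_FLAGS value, so it is not mistaken for a tag numbered 4.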
64007 -@@ -229,6 +245,19 @@ typedef struct elf64_hdr {
64008 - #define PF_W 0x2
64009 - #define PF_X 0x1
64010 -
64011 -+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
64012 -+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
64013 -+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
64014 -+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
64015 -+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
64016 -+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
64017 -+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
64018 -+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
64019 -+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
64020 -+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
64021 -+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
64022 -+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
64023 -+
64024 - typedef struct elf32_phdr{
64025 - Elf32_Word p_type;
64026 - Elf32_Off p_offset;
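Review bot: the PF_ pairs for PT_PAX_FLAGS (PF_PAGEEXEC/PF_NOPAGEEXEC, PF_SEGMEXEC/PF_NOSEGMEXEC, and so on) can both be set in one p_flags word, and nothing in this header says what the loader does then. Document the precedence (or that a both-set pair is rejected and the build default applies), since marking tools and the binfmt code must agree, or a binary can be marked to look protected while running unprotected.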
64027 -@@ -321,6 +350,8 @@ typedef struct elf64_shdr {
64028 - #define EI_OSABI 7
64029 - #define EI_PAD 8
64030 -
64031 -+#define EI_PAX 14
64032 -+
64033 - #define ELFMAG0 0x7f /* EI_MAG */
64034 - #define ELFMAG1 'E'
64035 - #define ELFMAG2 'L'
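Review bot: EI_PAX = 14 falls in the e_ident padding region (EI_PAD is 8 in the context lines), which the ELF spec reserves as zero and ignored. Add a comment that this is the legacy PaX marking location and that PT_PAX_FLAGS, added earlier in this file, is the preferred mechanism, so no new code is written against the e_ident byte.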
64036 -@@ -378,6 +409,7 @@ extern Elf32_Dyn _DYNAMIC [];
64037 - #define elf_phdr elf32_phdr
64038 - #define elf_note elf32_note
64039 - #define elf_addr_t Elf32_Off
64040 -+#define elf_dyn Elf32_Dyn
64041 -
64042 - #else
64043 -
64044 -@@ -386,6 +418,7 @@ extern Elf64_Dyn _DYNAMIC [];
64045 - #define elf_phdr elf64_phdr
64046 - #define elf_note elf64_note
64047 - #define elf_addr_t Elf64_Off
64048 -+#define elf_dyn Elf64_Dyn
64049 -
64050 - #endif
64051 -
64052 -diff -Nurp linux-2.6.23.15/include/linux/ext4_fs_extents.h linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h
64053 ---- linux-2.6.23.15/include/linux/ext4_fs_extents.h 2007-10-09 21:31:38.000000000 +0100
64054 -+++ linux-2.6.23.15-grsec/include/linux/ext4_fs_extents.h 2008-02-11 10:37:45.000000000 +0000
64055 -@@ -50,7 +50,7 @@
64056 - #ifdef EXT_DEBUG
64057 - #define ext_debug(a...) printk(a)
64058 - #else
64059 --#define ext_debug(a...)
64060 -+#define ext_debug(a...) do {} while (0)
64061 - #endif
64062 -
64063 - /*
64064 -diff -Nurp linux-2.6.23.15/include/linux/gracl.h linux-2.6.23.15-grsec/include/linux/gracl.h
64065 ---- linux-2.6.23.15/include/linux/gracl.h 1970-01-01 01:00:00.000000000 +0100
64066 -+++ linux-2.6.23.15-grsec/include/linux/gracl.h 2008-02-11 10:37:45.000000000 +0000
64067 -@@ -0,0 +1,317 @@
64068 -+#ifndef GR_ACL_H
64069 -+#define GR_ACL_H
64070 -+
64071 -+#include <linux/grdefs.h>
64072 -+#include <linux/resource.h>
64073 -+#include <linux/dcache.h>
64074 -+#include <asm/resource.h>
64075 -+
64076 -+/* Major status information */
64077 -+
64078 -+#define GR_VERSION "grsecurity 2.1.11"
64079 -+#define GRSECURITY_VERSION 0x2111
64080 -+
64081 -+enum {
64082 -+
64083 -+ SHUTDOWN = 0,
64084 -+ ENABLE = 1,
64085 -+ SPROLE = 2,
64086 -+ RELOAD = 3,
64087 -+ SEGVMOD = 4,
64088 -+ STATUS = 5,
64089 -+ UNSPROLE = 6,
64090 -+ PASSSET = 7,
64091 -+ SPROLEPAM = 8
64092 -+};
64093 -+
64094 -+/* Password setup definitions
64095 -+ * kernel/grhash.c */
64096 -+enum {
64097 -+ GR_PW_LEN = 128,
64098 -+ GR_SALT_LEN = 16,
64099 -+ GR_SHA_LEN = 32,
64100 -+};
64101 -+
64102 -+enum {
64103 -+ GR_SPROLE_LEN = 64,
64104 -+};
64105 -+
64106 -+#define GR_NLIMITS (RLIMIT_LOCKS + 2)
64107 -+
64108 -+/* Begin Data Structures */
64109 -+
64110 -+struct sprole_pw {
64111 -+ unsigned char *rolename;
64112 -+ unsigned char salt[GR_SALT_LEN];
64113 -+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
64114 -+};
64115 -+
64116 -+struct name_entry {
64117 -+ __u32 key;
64118 -+ ino_t inode;
64119 -+ dev_t device;
64120 -+ char *name;
64121 -+ __u16 len;
64122 -+ __u8 deleted;
64123 -+ struct name_entry *prev;
64124 -+ struct name_entry *next;
64125 -+};
64126 -+
64127 -+struct inodev_entry {
64128 -+ struct name_entry *nentry;
64129 -+ struct inodev_entry *prev;
64130 -+ struct inodev_entry *next;
64131 -+};
64132 -+
64133 -+struct acl_role_db {
64134 -+ struct acl_role_label **r_hash;
64135 -+ __u32 r_size;
64136 -+};
64137 -+
64138 -+struct inodev_db {
64139 -+ struct inodev_entry **i_hash;
64140 -+ __u32 i_size;
64141 -+};
64142 -+
64143 -+struct name_db {
64144 -+ struct name_entry **n_hash;
64145 -+ __u32 n_size;
64146 -+};
64147 -+
64148 -+struct crash_uid {
64149 -+ uid_t uid;
64150 -+ unsigned long expires;
64151 -+};
64152 -+
64153 -+struct gr_hash_struct {
64154 -+ void **table;
64155 -+ void **nametable;
64156 -+ void *first;
64157 -+ __u32 table_size;
64158 -+ __u32 used_size;
64159 -+ int type;
64160 -+};
64161 -+
64162 -+/* Userspace Grsecurity ACL data structures */
64163 -+
64164 -+struct acl_subject_label {
64165 -+ char *filename;
64166 -+ ino_t inode;
64167 -+ dev_t device;
64168 -+ __u32 mode;
64169 -+ __u32 cap_mask;
64170 -+ __u32 cap_lower;
64171 -+
64172 -+ struct rlimit res[GR_NLIMITS];
64173 -+ __u16 resmask;
64174 -+
64175 -+ __u8 user_trans_type;
64176 -+ __u8 group_trans_type;
64177 -+ uid_t *user_transitions;
64178 -+ gid_t *group_transitions;
64179 -+ __u16 user_trans_num;
64180 -+ __u16 group_trans_num;
64181 -+
64182 -+ __u32 ip_proto[8];
64183 -+ __u32 ip_type;
64184 -+ struct acl_ip_label **ips;
64185 -+ __u32 ip_num;
64186 -+
64187 -+ __u32 crashes;
64188 -+ unsigned long expires;
64189 -+
64190 -+ struct acl_subject_label *parent_subject;
64191 -+ struct gr_hash_struct *hash;
64192 -+ struct acl_subject_label *prev;
64193 -+ struct acl_subject_label *next;
64194 -+
64195 -+ struct acl_object_label **obj_hash;
64196 -+ __u32 obj_hash_size;
64197 -+ __u16 pax_flags;
64198 -+};
64199 -+
64200 -+struct role_allowed_ip {
64201 -+ __u32 addr;
64202 -+ __u32 netmask;
64203 -+
64204 -+ struct role_allowed_ip *prev;
64205 -+ struct role_allowed_ip *next;
64206 -+};
64207 -+
64208 -+struct role_transition {
64209 -+ char *rolename;
64210 -+
64211 -+ struct role_transition *prev;
64212 -+ struct role_transition *next;
64213 -+};
64214 -+
64215 -+struct acl_role_label {
64216 -+ char *rolename;
64217 -+ uid_t uidgid;
64218 -+ __u16 roletype;
64219 -+
64220 -+ __u16 auth_attempts;
64221 -+ unsigned long expires;
64222 -+
64223 -+ struct acl_subject_label *root_label;
64224 -+ struct gr_hash_struct *hash;
64225 -+
64226 -+ struct acl_role_label *prev;
64227 -+ struct acl_role_label *next;
64228 -+
64229 -+ struct role_transition *transitions;
64230 -+ struct role_allowed_ip *allowed_ips;
64231 -+ uid_t *domain_children;
64232 -+ __u16 domain_child_num;
64233 -+
64234 -+ struct acl_subject_label **subj_hash;
64235 -+ __u32 subj_hash_size;
64236 -+};
64237 -+
64238 -+struct user_acl_role_db {
64239 -+ struct acl_role_label **r_table;
64240 -+ __u32 num_pointers; /* Number of allocations to track */
64241 -+ __u32 num_roles; /* Number of roles */
64242 -+ __u32 num_domain_children; /* Number of domain children */
64243 -+ __u32 num_subjects; /* Number of subjects */
64244 -+ __u32 num_objects; /* Number of objects */
64245 -+};
64246 -+
64247 -+struct acl_object_label {
64248 -+ char *filename;
64249 -+ ino_t inode;
64250 -+ dev_t device;
64251 -+ __u32 mode;
64252 -+
64253 -+ struct acl_subject_label *nested;
64254 -+ struct acl_object_label *globbed;
64255 -+
64256 -+ /* next two structures not used */
64257 -+
64258 -+ struct acl_object_label *prev;
64259 -+ struct acl_object_label *next;
64260 -+};
64261 -+
64262 -+struct acl_ip_label {
64263 -+ char *iface;
64264 -+ __u32 addr;
64265 -+ __u32 netmask;
64266 -+ __u16 low, high;
64267 -+ __u8 mode;
64268 -+ __u32 type;
64269 -+ __u32 proto[8];
64270 -+
64271 -+ /* next two structures not used */
64272 -+
64273 -+ struct acl_ip_label *prev;
64274 -+ struct acl_ip_label *next;
64275 -+};
64276 -+
64277 -+struct gr_arg {
64278 -+ struct user_acl_role_db role_db;
64279 -+ unsigned char pw[GR_PW_LEN];
64280 -+ unsigned char salt[GR_SALT_LEN];
64281 -+ unsigned char sum[GR_SHA_LEN];
64282 -+ unsigned char sp_role[GR_SPROLE_LEN];
64283 -+ struct sprole_pw *sprole_pws;
64284 -+ dev_t segv_device;
64285 -+ ino_t segv_inode;
64286 -+ uid_t segv_uid;
64287 -+ __u16 num_sprole_pws;
64288 -+ __u16 mode;
64289 -+};
64290 -+
64291 -+struct gr_arg_wrapper {
64292 -+ struct gr_arg *arg;
64293 -+ __u32 version;
64294 -+ __u32 size;
64295 -+};
64296 -+
64297 -+struct subject_map {
64298 -+ struct acl_subject_label *user;
64299 -+ struct acl_subject_label *kernel;
64300 -+ struct subject_map *prev;
64301 -+ struct subject_map *next;
64302 -+};
64303 -+
64304 -+struct acl_subj_map_db {
64305 -+ struct subject_map **s_hash;
64306 -+ __u32 s_size;
64307 -+};
64308 -+
64309 -+/* End Data Structures Section */
64310 -+
64311 -+/* Hash functions generated by empirical testing by Brad Spengler
64312 -+ Makes good use of the low bits of the inode. Generally 0-1 times
64313 -+ in loop for successful match. 0-3 for unsuccessful match.
64314 -+ Shift/add algorithm with modulus of table size and an XOR*/
64315 -+
64316 -+static __inline__ unsigned int
64317 -+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
64318 -+{
64319 -+ return (((uid << type) + (uid ^ type)) % sz);
64320 -+}
64321 -+
64322 -+ static __inline__ unsigned int
64323 -+shash(const struct acl_subject_label *userp, const unsigned int sz)
64324 -+{
64325 -+ return ((const unsigned long)userp % sz);
64326 -+}
64327 -+
64328 -+static __inline__ unsigned int
64329 -+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
64330 -+{
64331 -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
64332 -+}
64333 -+
64334 -+static __inline__ unsigned int
64335 -+nhash(const char *name, const __u16 len, const unsigned int sz)
64336 -+{
64337 -+ return full_name_hash(name, len) % sz;
64338 -+}
64339 -+
64340 -+#define FOR_EACH_ROLE_START(role,iter) \
64341 -+ role = NULL; \
64342 -+ iter = 0; \
64343 -+ while (iter < acl_role_set.r_size) { \
64344 -+ if (role == NULL) \
64345 -+ role = acl_role_set.r_hash[iter]; \
64346 -+ if (role == NULL) { \
64347 -+ iter++; \
64348 -+ continue; \
64349 -+ }
64350 -+
64351 -+#define FOR_EACH_ROLE_END(role,iter) \
64352 -+ role = role->next; \
64353 -+ if (role == NULL) \
64354 -+ iter++; \
64355 -+ }
64356 -+
64357 -+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
64358 -+ subj = NULL; \
64359 -+ iter = 0; \
64360 -+ while (iter < role->subj_hash_size) { \
64361 -+ if (subj == NULL) \
64362 -+ subj = role->subj_hash[iter]; \
64363 -+ if (subj == NULL) { \
64364 -+ iter++; \
64365 -+ continue; \
64366 -+ }
64367 -+
64368 -+#define FOR_EACH_SUBJECT_END(subj,iter) \
64369 -+ subj = subj->next; \
64370 -+ if (subj == NULL) \
64371 -+ iter++; \
64372 -+ }
64373 -+
64374 -+
64375 -+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
64376 -+ subj = role->hash->first; \
64377 -+ while (subj != NULL) {
64378 -+
64379 -+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
64380 -+ subj = subj->next; \
64381 -+ }
64382 -+
64383 -+#endif
64384 -+
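Review bot: `struct gr_arg_wrapper` is the user-supplied handle (`arg` pointer, `version`, `size`), so the kernel side must check `version` against GRSECURITY_VERSION and `size` against sizeof(struct gr_arg) before copying `*arg` in, and must treat `num_sprole_pws`, `num_roles`, `num_subjects` and the other counts in `user_acl_role_db` as untrusted before they size any allocation; that contract belongs in a comment next to the struct. Two smaller points: rhash() shifts uid by `type`, and with roletype bits in grdefs.h going up to 0x0400 a shift count that large is undefined on a 32-bit uid_t, so either mask `type` to the GR_ROLE_USER/GROUP/DEFAULT bits or document that callers must; and shash() hashes the user-space pointer value itself, which is fine for a user-to-kernel label map but deserves a comment so it is not mistaken for hashing label contents.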
64385 -diff -Nurp linux-2.6.23.15/include/linux/gralloc.h linux-2.6.23.15-grsec/include/linux/gralloc.h
64386 ---- linux-2.6.23.15/include/linux/gralloc.h 1970-01-01 01:00:00.000000000 +0100
64387 -+++ linux-2.6.23.15-grsec/include/linux/gralloc.h 2008-02-11 10:37:45.000000000 +0000
64388 -@@ -0,0 +1,8 @@
64389 -+#ifndef __GRALLOC_H
64390 -+#define __GRALLOC_H
64391 -+
64392 -+void acl_free_all(void);
64393 -+int acl_alloc_stack_init(unsigned long size);
64394 -+void *acl_alloc(unsigned long len);
64395 -+
64396 -+#endif
64397 -diff -Nurp linux-2.6.23.15/include/linux/grdefs.h linux-2.6.23.15-grsec/include/linux/grdefs.h
64398 ---- linux-2.6.23.15/include/linux/grdefs.h 1970-01-01 01:00:00.000000000 +0100
64399 -+++ linux-2.6.23.15-grsec/include/linux/grdefs.h 2008-02-11 10:37:45.000000000 +0000
64400 -@@ -0,0 +1,131 @@
64401 -+#ifndef GRDEFS_H
64402 -+#define GRDEFS_H
64403 -+
64404 -+/* Begin grsecurity status declarations */
64405 -+
64406 -+enum {
64407 -+ GR_READY = 0x01,
64408 -+ GR_STATUS_INIT = 0x00 // disabled state
64409 -+};
64410 -+
64411 -+/* Begin ACL declarations */
64412 -+
64413 -+/* Role flags */
64414 -+
64415 -+enum {
64416 -+ GR_ROLE_USER = 0x0001,
64417 -+ GR_ROLE_GROUP = 0x0002,
64418 -+ GR_ROLE_DEFAULT = 0x0004,
64419 -+ GR_ROLE_SPECIAL = 0x0008,
64420 -+ GR_ROLE_AUTH = 0x0010,
64421 -+ GR_ROLE_NOPW = 0x0020,
64422 -+ GR_ROLE_GOD = 0x0040,
64423 -+ GR_ROLE_LEARN = 0x0080,
64424 -+ GR_ROLE_TPE = 0x0100,
64425 -+ GR_ROLE_DOMAIN = 0x0200,
64426 -+ GR_ROLE_PAM = 0x0400
64427 -+};
64428 -+
64429 -+/* ACL Subject and Object mode flags */
64430 -+enum {
64431 -+ GR_DELETED = 0x80000000
64432 -+};
64433 -+
64434 -+/* ACL Object-only mode flags */
64435 -+enum {
64436 -+ GR_READ = 0x00000001,
64437 -+ GR_APPEND = 0x00000002,
64438 -+ GR_WRITE = 0x00000004,
64439 -+ GR_EXEC = 0x00000008,
64440 -+ GR_FIND = 0x00000010,
64441 -+ GR_INHERIT = 0x00000020,
64442 -+ GR_SETID = 0x00000040,
64443 -+ GR_CREATE = 0x00000080,
64444 -+ GR_DELETE = 0x00000100,
64445 -+ GR_LINK = 0x00000200,
64446 -+ GR_AUDIT_READ = 0x00000400,
64447 -+ GR_AUDIT_APPEND = 0x00000800,
64448 -+ GR_AUDIT_WRITE = 0x00001000,
64449 -+ GR_AUDIT_EXEC = 0x00002000,
64450 -+ GR_AUDIT_FIND = 0x00004000,
64451 -+ GR_AUDIT_INHERIT= 0x00008000,
64452 -+ GR_AUDIT_SETID = 0x00010000,
64453 -+ GR_AUDIT_CREATE = 0x00020000,
64454 -+ GR_AUDIT_DELETE = 0x00040000,
64455 -+ GR_AUDIT_LINK = 0x00080000,
64456 -+ GR_PTRACERD = 0x00100000,
64457 -+ GR_NOPTRACE = 0x00200000,
64458 -+ GR_SUPPRESS = 0x00400000,
64459 -+ GR_NOLEARN = 0x00800000
64460 -+};
64461 -+
64462 -+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
64463 -+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
64464 -+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
64465 -+
64466 -+/* ACL subject-only mode flags */
64467 -+enum {
64468 -+ GR_KILL = 0x00000001,
64469 -+ GR_VIEW = 0x00000002,
64470 -+ GR_PROTECTED = 0x00000004,
64471 -+ GR_LEARN = 0x00000008,
64472 -+ GR_OVERRIDE = 0x00000010,
64473 -+ /* just a placeholder, this mode is only used in userspace */
64474 -+ GR_DUMMY = 0x00000020,
64475 -+ GR_PROTSHM = 0x00000040,
64476 -+ GR_KILLPROC = 0x00000080,
64477 -+ GR_KILLIPPROC = 0x00000100,
64478 -+ /* just a placeholder, this mode is only used in userspace */
64479 -+ GR_NOTROJAN = 0x00000200,
64480 -+ GR_PROTPROCFD = 0x00000400,
64481 -+ GR_PROCACCT = 0x00000800,
64482 -+ GR_RELAXPTRACE = 0x00001000,
64483 -+ GR_NESTED = 0x00002000,
64484 -+ GR_INHERITLEARN = 0x00004000,
64485 -+ GR_PROCFIND = 0x00008000,
64486 -+ GR_POVERRIDE = 0x00010000,
64487 -+ GR_KERNELAUTH = 0x00020000,
64488 -+};
64489 -+
64490 -+enum {
64491 -+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
64492 -+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
64493 -+ GR_PAX_ENABLE_MPROTECT = 0x0004,
64494 -+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
64495 -+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
64496 -+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
64497 -+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
64498 -+ GR_PAX_DISABLE_MPROTECT = 0x0400,
64499 -+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
64500 -+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
64501 -+};
64502 -+
64503 -+enum {
64504 -+ GR_ID_USER = 0x01,
64505 -+ GR_ID_GROUP = 0x02,
64506 -+};
64507 -+
64508 -+enum {
64509 -+ GR_ID_ALLOW = 0x01,
64510 -+ GR_ID_DENY = 0x02,
64511 -+};
64512 -+
64513 -+#define GR_CRASH_RES 11
64514 -+#define GR_UIDTABLE_MAX 500
64515 -+
64516 -+/* begin resource learning section */
64517 -+enum {
64518 -+ GR_RLIM_CPU_BUMP = 60,
64519 -+ GR_RLIM_FSIZE_BUMP = 50000,
64520 -+ GR_RLIM_DATA_BUMP = 10000,
64521 -+ GR_RLIM_STACK_BUMP = 1000,
64522 -+ GR_RLIM_CORE_BUMP = 10000,
64523 -+ GR_RLIM_RSS_BUMP = 500000,
64524 -+ GR_RLIM_NPROC_BUMP = 1,
64525 -+ GR_RLIM_NOFILE_BUMP = 5,
64526 -+ GR_RLIM_MEMLOCK_BUMP = 50000,
64527 -+ GR_RLIM_AS_BUMP = 500000,
64528 -+ GR_RLIM_LOCKS_BUMP = 2
64529 -+};
64530 -+
64531 -+#endif
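Review bot: GR_DELETED = 0x80000000 does not fit in an int, so its type as an enum constant is implementation-defined; it works because it is only OR-ed into `__u32 mode` fields, but a #define or an explicit cast would make that intent clear. The GR_PAX_ENABLE_x/GR_PAX_DISABLE_x pairs have the same both-set ambiguity as the PF_ pairs in elf.h; state which wins. GR_CRASH_RES and GR_UIDTABLE_MAX are bare numbers with no comment on what they bound.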
64532 -diff -Nurp linux-2.6.23.15/include/linux/grinternal.h linux-2.6.23.15-grsec/include/linux/grinternal.h
64533 ---- linux-2.6.23.15/include/linux/grinternal.h 1970-01-01 01:00:00.000000000 +0100
64534 -+++ linux-2.6.23.15-grsec/include/linux/grinternal.h 2008-02-11 10:37:45.000000000 +0000
64535 -@@ -0,0 +1,210 @@
64536 -+#ifndef __GRINTERNAL_H
64537 -+#define __GRINTERNAL_H
64538 -+
64539 -+#ifdef CONFIG_GRKERNSEC
64540 -+
64541 -+#include <linux/fs.h>
64542 -+#include <linux/gracl.h>
64543 -+#include <linux/grdefs.h>
64544 -+#include <linux/grmsg.h>
64545 -+
64546 -+void gr_add_learn_entry(const char *fmt, ...);
64547 -+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
64548 -+ const struct vfsmount *mnt);
64549 -+__u32 gr_check_create(const struct dentry *new_dentry,
64550 -+ const struct dentry *parent,
64551 -+ const struct vfsmount *mnt, const __u32 mode);
64552 -+int gr_check_protected_task(const struct task_struct *task);
64553 -+__u32 to_gr_audit(const __u32 reqmode);
64554 -+int gr_set_acls(const int type);
64555 -+
64556 -+int gr_acl_is_enabled(void);
64557 -+char gr_roletype_to_char(void);
64558 -+
64559 -+void gr_handle_alertkill(struct task_struct *task);
64560 -+char *gr_to_filename(const struct dentry *dentry,
64561 -+ const struct vfsmount *mnt);
64562 -+char *gr_to_filename1(const struct dentry *dentry,
64563 -+ const struct vfsmount *mnt);
64564 -+char *gr_to_filename2(const struct dentry *dentry,
64565 -+ const struct vfsmount *mnt);
64566 -+char *gr_to_filename3(const struct dentry *dentry,
64567 -+ const struct vfsmount *mnt);
64568 -+
64569 -+extern int grsec_enable_link;
64570 -+extern int grsec_enable_fifo;
64571 -+extern int grsec_enable_execve;
64572 -+extern int grsec_enable_shm;
64573 -+extern int grsec_enable_execlog;
64574 -+extern int grsec_enable_signal;
64575 -+extern int grsec_enable_forkfail;
64576 -+extern int grsec_enable_time;
64577 -+extern int grsec_enable_chroot_shmat;
64578 -+extern int grsec_enable_chroot_findtask;
64579 -+extern int grsec_enable_chroot_mount;
64580 -+extern int grsec_enable_chroot_double;
64581 -+extern int grsec_enable_chroot_pivot;
64582 -+extern int grsec_enable_chroot_chdir;
64583 -+extern int grsec_enable_chroot_chmod;
64584 -+extern int grsec_enable_chroot_mknod;
64585 -+extern int grsec_enable_chroot_fchdir;
64586 -+extern int grsec_enable_chroot_nice;
64587 -+extern int grsec_enable_chroot_execlog;
64588 -+extern int grsec_enable_chroot_caps;
64589 -+extern int grsec_enable_chroot_sysctl;
64590 -+extern int grsec_enable_chroot_unix;
64591 -+extern int grsec_enable_tpe;
64592 -+extern int grsec_tpe_gid;
64593 -+extern int grsec_enable_tpe_all;
64594 -+extern int grsec_enable_sidcaps;
64595 -+extern int grsec_enable_socket_all;
64596 -+extern int grsec_socket_all_gid;
64597 -+extern int grsec_enable_socket_client;
64598 -+extern int grsec_socket_client_gid;
64599 -+extern int grsec_enable_socket_server;
64600 -+extern int grsec_socket_server_gid;
64601 -+extern int grsec_audit_gid;
64602 -+extern int grsec_enable_group;
64603 -+extern int grsec_enable_audit_ipc;
64604 -+extern int grsec_enable_audit_textrel;
64605 -+extern int grsec_enable_mount;
64606 -+extern int grsec_enable_chdir;
64607 -+extern int grsec_resource_logging;
64608 -+extern int grsec_lock;
64609 -+
64610 -+extern spinlock_t grsec_alert_lock;
64611 -+extern unsigned long grsec_alert_wtime;
64612 -+extern unsigned long grsec_alert_fyet;
64613 -+
64614 -+extern spinlock_t grsec_audit_lock;
64615 -+
64616 -+extern rwlock_t grsec_exec_file_lock;
64617 -+
64618 -+#define gr_task_fullpath(tsk) (tsk->exec_file ? \
64619 -+ gr_to_filename2(tsk->exec_file->f_dentry, \
64620 -+ tsk->exec_file->f_vfsmnt) : "/")
64621 -+
64622 -+#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
64623 -+ gr_to_filename3(tsk->parent->exec_file->f_dentry, \
64624 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
64625 -+
64626 -+#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
64627 -+ gr_to_filename(tsk->exec_file->f_dentry, \
64628 -+ tsk->exec_file->f_vfsmnt) : "/")
64629 -+
64630 -+#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
64631 -+ gr_to_filename1(tsk->parent->exec_file->f_dentry, \
64632 -+ tsk->parent->exec_file->f_vfsmnt) : "/")
64633 -+
64634 -+#define proc_is_chrooted(tsk_a) ((tsk_a->pid > 1) && (tsk_a->fs != NULL) && \
64635 -+ ((tsk_a->fs->root->d_inode->i_sb->s_dev != \
64636 -+ child_reaper(tsk_a)->fs->root->d_inode->i_sb->s_dev) || \
64637 -+ (tsk_a->fs->root->d_inode->i_ino != \
64638 -+ child_reaper(tsk_a)->fs->root->d_inode->i_ino)))
64639 -+
64640 -+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs != NULL) && (tsk_b->fs != NULL) && \
64641 -+ (tsk_a->fs->root->d_inode->i_sb->s_dev == \
64642 -+ tsk_b->fs->root->d_inode->i_sb->s_dev) && \
64643 -+ (tsk_a->fs->root->d_inode->i_ino == \
64644 -+ tsk_b->fs->root->d_inode->i_ino))
64645 -+
64646 -+#define DEFAULTSECARGS(task) gr_task_fullpath(task), task->comm, \
64647 -+ task->pid, task->uid, \
64648 -+ task->euid, task->gid, task->egid, \
64649 -+ gr_parent_task_fullpath(task), \
64650 -+ task->parent->comm, task->parent->pid, \
64651 -+ task->parent->uid, task->parent->euid, \
64652 -+ task->parent->gid, task->parent->egid
64653 -+
64654 -+#define GR_CHROOT_CAPS ( \
64655 -+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
64656 -+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
64657 -+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
64658 -+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
64659 -+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
64660 -+ CAP_TO_MASK(CAP_IPC_OWNER))
64661 -+
64662 -+#define security_learn(normal_msg,args...) \
64663 -+({ \
64664 -+ read_lock(&grsec_exec_file_lock); \
64665 -+ gr_add_learn_entry(normal_msg "\n", ## args); \
64666 -+ read_unlock(&grsec_exec_file_lock); \
64667 -+})
64668 -+
64669 -+enum {
64670 -+ GR_DO_AUDIT,
64671 -+ GR_DONT_AUDIT,
64672 -+ GR_DONT_AUDIT_GOOD
64673 -+};
64674 -+
64675 -+enum {
64676 -+ GR_TTYSNIFF,
64677 -+ GR_RBAC,
64678 -+ GR_RBAC_STR,
64679 -+ GR_STR_RBAC,
64680 -+ GR_RBAC_MODE2,
64681 -+ GR_RBAC_MODE3,
64682 -+ GR_FILENAME,
64683 -+ GR_SYSCTL_HIDDEN,
64684 -+ GR_NOARGS,
64685 -+ GR_ONE_INT,
64686 -+ GR_ONE_INT_TWO_STR,
64687 -+ GR_ONE_STR,
64688 -+ GR_STR_INT,
64689 -+ GR_TWO_INT,
64690 -+ GR_THREE_INT,
64691 -+ GR_FIVE_INT_TWO_STR,
64692 -+ GR_TWO_STR,
64693 -+ GR_THREE_STR,
64694 -+ GR_FOUR_STR,
64695 -+ GR_STR_FILENAME,
64696 -+ GR_FILENAME_STR,
64697 -+ GR_FILENAME_TWO_INT,
64698 -+ GR_FILENAME_TWO_INT_STR,
64699 -+ GR_TEXTREL,
64700 -+ GR_PTRACE,
64701 -+ GR_RESOURCE,
64702 -+ GR_CAP,
64703 -+ GR_SIG,
64704 -+ GR_CRASH1,
64705 -+ GR_CRASH2,
64706 -+ GR_PSACCT
64707 -+};
64708 -+
64709 -+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
64710 -+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
64711 -+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
64712 -+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
64713 -+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
64714 -+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
64715 -+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
64716 -+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
64717 -+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
64718 -+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
64719 -+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
64720 -+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
64721 -+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
64722 -+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
64723 -+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
64724 -+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
64725 -+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
64726 -+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
64727 -+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
64728 -+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
64729 -+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
64730 -+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
64731 -+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
64732 -+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
64733 -+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
64734 -+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
64735 -+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
64736 -+#define gr_log_sig(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG, task, num)
64737 -+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
64738 -+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
64739 -+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
64740 -+
64741 -+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
64742 -+
64743 -+#endif
64744 -+
64745 -+#endif
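Review bot: `proc_is_chrooted` checks `tsk_a->fs != NULL` but then dereferences `child_reaper(tsk_a)->fs->root` with no test on the reaper's `fs`, so a NULL there (init on its way out) oopses inside a security check; test every `fs` pointer the macro reads, as `have_same_root` does for both of its tasks. Both macros, and the `gr_task_fullpath` family, also evaluate their argument several times without parenthesising it (`tsk->exec_file` rather than `(tsk)->exec_file`), which is a hazard for any caller passing an expression. Separately, `security_learn` takes `read_lock(&grsec_exec_file_lock)` before it touches exec_file, while `gr_task_fullpath`/`DEFAULTSECARGS` read `tsk->exec_file` with no lock of their own; a comment saying that callers must hold the read lock would make that contract explicit. Lastly, every `gr_log_*` wrapper lands in the variadic `gr_log_varargs(int audit, const char *msg, int argtypes, ...)`, so the argument count and types for each `GR_*` value are unchecked by the compiler; a comment beside the enum listing the expected arguments per value would help anyone reviewing the call sites.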
64746 -diff -Nurp linux-2.6.23.15/include/linux/grmsg.h linux-2.6.23.15-grsec/include/linux/grmsg.h
64747 ---- linux-2.6.23.15/include/linux/grmsg.h 1970-01-01 01:00:00.000000000 +0100
64748 -+++ linux-2.6.23.15-grsec/include/linux/grmsg.h 2008-02-11 10:37:45.000000000 +0000
64749 -@@ -0,0 +1,108 @@
64750 -+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
64751 -+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%u.%u.%u.%u TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
64752 -+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
64753 -+#define GR_STOPMOD_MSG "denied modification of module state by "
64754 -+#define GR_IOPERM_MSG "denied use of ioperm() by "
64755 -+#define GR_IOPL_MSG "denied use of iopl() by "
64756 -+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
64757 -+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
64758 -+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
64759 -+#define GR_KMEM_MSG "denied write of /dev/kmem by "
64760 -+#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
64761 -+#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
64762 -+#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
64763 -+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
64764 -+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%u.%u.%u.%u"
64765 -+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%u.%u.%u.%u"
64766 -+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
64767 -+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
64768 -+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
64769 -+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
64770 -+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
64771 -+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
64772 -+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
64773 -+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%u.%u.%u.%u %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
64774 -+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
64775 -+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
64776 -+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
64777 -+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
64778 -+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
64779 -+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
64780 -+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
64781 -+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
64782 -+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
64783 -+#define GR_NPROC_MSG "denied overstep of process limit by "
64784 -+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
64785 -+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
64786 -+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
64787 -+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
64788 -+#define GR_MOUNT_CHROOT_MSG "denied mount of %.30s as %.930s from chroot by "
64789 -+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
64790 -+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
64791 -+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
64792 -+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
64793 -+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
64794 -+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
64795 -+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
64796 -+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
64797 -+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
64798 -+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
64799 -+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
64800 -+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
64801 -+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
64802 -+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
64803 -+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
64804 -+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
64805 -+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
64806 -+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
64807 -+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
64808 -+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
64809 -+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
64810 -+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
64811 -+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
64812 -+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
64813 -+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
64814 -+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
64815 -+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
64816 -+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
64817 -+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
64818 -+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
64819 -+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
64820 -+#define GR_UNSPROLEF_ACL_MSG "special role unauth of %s failure for "
64821 -+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
64822 -+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
64823 -+#define GR_FAILFORK_MSG "failed fork with errno %d by "
64824 -+#define GR_NICE_CHROOT_MSG "denied priority change by "
64825 -+#define GR_UNISIGLOG_MSG "signal %d sent to "
64826 -+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
64827 -+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
64828 -+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
64829 -+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
64830 -+#define GR_TIME_MSG "time set by "
64831 -+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
64832 -+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
64833 -+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
64834 -+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
64835 -+#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
64836 -+#define GR_BIND_MSG "denied bind() by "
64837 -+#define GR_CONNECT_MSG "denied connect() by "
64838 -+#define GR_BIND_ACL_MSG "denied bind() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
64839 -+#define GR_CONNECT_ACL_MSG "denied connect() to %u.%u.%u.%u port %u sock type %.16s protocol %.16s by "
64840 -+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%u.%u.%u.%u\t%u\t%u\t%u\t%u\t%u.%u.%u.%u"
64841 -+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
64842 -+#define GR_CAP_ACL_MSG "use of %s denied for "
64843 -+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
64844 -+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
64845 -+#define GR_REMOUNT_AUDIT_MSG "remount of %.30s by "
64846 -+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.30s by "
64847 -+#define GR_MOUNT_AUDIT_MSG "mount of %.30s to %.64s by "
64848 -+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
64849 -+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
64850 -+#define GR_MSGQ_AUDIT_MSG "message queue created by "
64851 -+#define GR_MSGQR_AUDIT_MSG "message queue of uid:%u euid:%u removed by "
64852 -+#define GR_SEM_AUDIT_MSG "semaphore created by "
64853 -+#define GR_SEMR_AUDIT_MSG "semaphore of uid:%u euid:%u removed by "
64854 -+#define GR_SHM_AUDIT_MSG "shared memory of size %d created by "
64855 -+#define GR_SHMR_AUDIT_MSG "shared memory of uid:%u euid:%u removed by "
64856 -+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
64857 -+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
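Review bot: grmsg.h has no include guard, unlike grsecurity.h in this same patch, so a second inclusion triggers macro redefinition warnings; wrap it in an `#ifndef` guard. The uid/gid conversions are inconsistent: `GR_SYMLINK_MSG`, `GR_FIFO_MSG` and `GR_HARDLINK_MSG` print owners with `%d.%d` while `DEFAULTSECMSG` and the audit strings use `%u`, so one uid above 2^31 logs as negative in some messages and positive in others, which gets in the way of log correlation; standardise on `%u`. Many strings also end in a dangling "by " or "for " and are evidently completed with `DEFAULTSECMSG`/`DEFAULTSECARGS` by the logging code, but nothing in the header says so; a top-of-file comment stating that convention, and that each string's conversions must match the `GR_*` argtype it is logged with, would save every later reader a trip into `gr_log_varargs`. Minor: `GR_DEV_ACL_MSG` reads "being fed garbaged by", presumably "garbage".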
64858 -diff -Nurp linux-2.6.23.15/include/linux/grsecurity.h linux-2.6.23.15-grsec/include/linux/grsecurity.h
64859 ---- linux-2.6.23.15/include/linux/grsecurity.h 1970-01-01 01:00:00.000000000 +0100
64860 -+++ linux-2.6.23.15-grsec/include/linux/grsecurity.h 2008-02-11 10:37:45.000000000 +0000
64861 -@@ -0,0 +1,193 @@
64862 -+#ifndef GR_SECURITY_H
64863 -+#define GR_SECURITY_H
64864 -+#include <linux/fs.h>
64865 -+#include <linux/binfmts.h>
64866 -+#include <linux/gracl.h>
64867 -+
64868 -+void gr_handle_brute_attach(struct task_struct *p);
64869 -+void gr_handle_brute_check(void);
64870 -+
64871 -+char gr_roletype_to_char(void);
64872 -+
64873 -+int gr_check_user_change(int real, int effective, int fs);
64874 -+int gr_check_group_change(int real, int effective, int fs);
64875 -+
64876 -+void gr_del_task_from_ip_table(struct task_struct *p);
64877 -+
64878 -+int gr_pid_is_chrooted(struct task_struct *p);
64879 -+int gr_handle_chroot_nice(void);
64880 -+int gr_handle_chroot_sysctl(const int op);
64881 -+int gr_handle_chroot_setpriority(struct task_struct *p,
64882 -+ const int niceval);
64883 -+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
64884 -+int gr_handle_chroot_chroot(const struct dentry *dentry,
64885 -+ const struct vfsmount *mnt);
64886 -+void gr_handle_chroot_caps(struct task_struct *task);
64887 -+void gr_handle_chroot_chdir(struct dentry *dentry, struct vfsmount *mnt);
64888 -+int gr_handle_chroot_chmod(const struct dentry *dentry,
64889 -+ const struct vfsmount *mnt, const int mode);
64890 -+int gr_handle_chroot_mknod(const struct dentry *dentry,
64891 -+ const struct vfsmount *mnt, const int mode);
64892 -+int gr_handle_chroot_mount(const struct dentry *dentry,
64893 -+ const struct vfsmount *mnt,
64894 -+ const char *dev_name);
64895 -+int gr_handle_chroot_pivot(void);
64896 -+int gr_handle_chroot_unix(const pid_t pid);
64897 -+
64898 -+int gr_handle_rawio(const struct inode *inode);
64899 -+int gr_handle_nproc(void);
64900 -+
64901 -+void gr_handle_ioperm(void);
64902 -+void gr_handle_iopl(void);
64903 -+
64904 -+int gr_tpe_allow(const struct file *file);
64905 -+
64906 -+int gr_random_pid(void);
64907 -+
64908 -+void gr_log_forkfail(const int retval);
64909 -+void gr_log_timechange(void);
64910 -+void gr_log_signal(const int sig, const struct task_struct *t);
64911 -+void gr_log_chdir(const struct dentry *dentry,
64912 -+ const struct vfsmount *mnt);
64913 -+void gr_log_chroot_exec(const struct dentry *dentry,
64914 -+ const struct vfsmount *mnt);
64915 -+void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
64916 -+void gr_log_remount(const char *devname, const int retval);
64917 -+void gr_log_unmount(const char *devname, const int retval);
64918 -+void gr_log_mount(const char *from, const char *to, const int retval);
64919 -+void gr_log_msgget(const int ret, const int msgflg);
64920 -+void gr_log_msgrm(const uid_t uid, const uid_t cuid);
64921 -+void gr_log_semget(const int err, const int semflg);
64922 -+void gr_log_semrm(const uid_t uid, const uid_t cuid);
64923 -+void gr_log_shmget(const int err, const int shmflg, const size_t size);
64924 -+void gr_log_shmrm(const uid_t uid, const uid_t cuid);
64925 -+void gr_log_textrel(struct vm_area_struct *vma);
64926 -+
64927 -+int gr_handle_follow_link(const struct inode *parent,
64928 -+ const struct inode *inode,
64929 -+ const struct dentry *dentry,
64930 -+ const struct vfsmount *mnt);
64931 -+int gr_handle_fifo(const struct dentry *dentry,
64932 -+ const struct vfsmount *mnt,
64933 -+ const struct dentry *dir, const int flag,
64934 -+ const int acc_mode);
64935 -+int gr_handle_hardlink(const struct dentry *dentry,
64936 -+ const struct vfsmount *mnt,
64937 -+ struct inode *inode,
64938 -+ const int mode, const char *to);
64939 -+
64940 -+int gr_task_is_capable(struct task_struct *task, const int cap);
64941 -+int gr_is_capable_nolog(const int cap);
64942 -+void gr_learn_resource(const struct task_struct *task, const int limit,
64943 -+ const unsigned long wanted, const int gt);
64944 -+void gr_copy_label(struct task_struct *tsk);
64945 -+void gr_handle_crash(struct task_struct *task, const int sig);
64946 -+int gr_handle_signal(const struct task_struct *p, const int sig);
64947 -+int gr_check_crash_uid(const uid_t uid);
64948 -+int gr_check_protected_task(const struct task_struct *task);
64949 -+int gr_acl_handle_mmap(const struct file *file,
64950 -+ const unsigned long prot);
64951 -+int gr_acl_handle_mprotect(const struct file *file,
64952 -+ const unsigned long prot);
64953 -+int gr_check_hidden_task(const struct task_struct *tsk);
64954 -+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
64955 -+ const struct vfsmount *mnt);
64956 -+__u32 gr_acl_handle_utime(const struct dentry *dentry,
64957 -+ const struct vfsmount *mnt);
64958 -+__u32 gr_acl_handle_access(const struct dentry *dentry,
64959 -+ const struct vfsmount *mnt, const int fmode);
64960 -+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
64961 -+ const struct vfsmount *mnt, mode_t mode);
64962 -+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
64963 -+ const struct vfsmount *mnt, mode_t mode);
64964 -+__u32 gr_acl_handle_chown(const struct dentry *dentry,
64965 -+ const struct vfsmount *mnt);
64966 -+int gr_handle_ptrace(struct task_struct *task, const long request);
64967 -+int gr_handle_proc_ptrace(struct task_struct *task);
64968 -+__u32 gr_acl_handle_execve(const struct dentry *dentry,
64969 -+ const struct vfsmount *mnt);
64970 -+int gr_check_crash_exec(const struct file *filp);
64971 -+int gr_acl_is_enabled(void);
64972 -+void gr_set_kernel_label(struct task_struct *task);
64973 -+void gr_set_role_label(struct task_struct *task, const uid_t uid,
64974 -+ const gid_t gid);
64975 -+int gr_set_proc_label(const struct dentry *dentry,
64976 -+ const struct vfsmount *mnt);
64977 -+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
64978 -+ const struct vfsmount *mnt);
64979 -+__u32 gr_acl_handle_open(const struct dentry *dentry,
64980 -+ const struct vfsmount *mnt, const int fmode);
64981 -+__u32 gr_acl_handle_creat(const struct dentry *dentry,
64982 -+ const struct dentry *p_dentry,
64983 -+ const struct vfsmount *p_mnt, const int fmode,
64984 -+ const int imode);
64985 -+void gr_handle_create(const struct dentry *dentry,
64986 -+ const struct vfsmount *mnt);
64987 -+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
64988 -+ const struct dentry *parent_dentry,
64989 -+ const struct vfsmount *parent_mnt,
64990 -+ const int mode);
64991 -+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
64992 -+ const struct dentry *parent_dentry,
64993 -+ const struct vfsmount *parent_mnt);
64994 -+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
64995 -+ const struct vfsmount *mnt);
64996 -+void gr_handle_delete(const ino_t ino, const dev_t dev);
64997 -+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
64998 -+ const struct vfsmount *mnt);
64999 -+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
65000 -+ const struct dentry *parent_dentry,
65001 -+ const struct vfsmount *parent_mnt,
65002 -+ const char *from);
65003 -+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
65004 -+ const struct dentry *parent_dentry,
65005 -+ const struct vfsmount *parent_mnt,
65006 -+ const struct dentry *old_dentry,
65007 -+ const struct vfsmount *old_mnt, const char *to);
65008 -+int gr_acl_handle_rename(struct dentry *new_dentry,
65009 -+ struct dentry *parent_dentry,
65010 -+ const struct vfsmount *parent_mnt,
65011 -+ struct dentry *old_dentry,
65012 -+ struct inode *old_parent_inode,
65013 -+ struct vfsmount *old_mnt, const char *newname);
65014 -+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
65015 -+ struct dentry *old_dentry,
65016 -+ struct dentry *new_dentry,
65017 -+ struct vfsmount *mnt, const __u8 replace);
65018 -+__u32 gr_check_link(const struct dentry *new_dentry,
65019 -+ const struct dentry *parent_dentry,
65020 -+ const struct vfsmount *parent_mnt,
65021 -+ const struct dentry *old_dentry,
65022 -+ const struct vfsmount *old_mnt);
65023 -+int gr_acl_handle_filldir(const struct file *file, const char *name,
65024 -+ const unsigned int namelen, const ino_t ino);
65025 -+
65026 -+__u32 gr_acl_handle_unix(const struct dentry *dentry,
65027 -+ const struct vfsmount *mnt);
65028 -+void gr_acl_handle_exit(void);
65029 -+void gr_acl_handle_psacct(struct task_struct *task, const long code);
65030 -+int gr_acl_handle_procpidmem(const struct task_struct *task);
65031 -+__u32 gr_cap_rtnetlink(void);
65032 -+
65033 -+#ifdef CONFIG_SYSVIPC
65034 -+void gr_shm_exit(struct task_struct *task);
65035 -+#else
65036 -+static inline void gr_shm_exit(struct task_struct *task)
65037 -+{
65038 -+ return;
65039 -+}
65040 -+#endif
65041 -+
65042 -+#ifdef CONFIG_GRKERNSEC
65043 -+void gr_handle_mem_write(void);
65044 -+void gr_handle_kmem_write(void);
65045 -+void gr_handle_open_port(void);
65046 -+int gr_handle_mem_mmap(const unsigned long offset,
65047 -+ struct vm_area_struct *vma);
65048 -+
65049 -+extern int grsec_enable_dmesg;
65050 -+extern int grsec_enable_randsrc;
65051 -+extern int grsec_enable_shm;
65052 -+#endif
65053 -+
65054 -+#endif
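Review bot: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take plain `int` while the rest of the header uses the proper types (`gr_log_msgrm(const uid_t uid, const uid_t cuid)`, `gr_set_role_label(..., const uid_t uid, const gid_t gid)`); since these two are the hooks that decide whether a uid/gid transition is allowed, use `uid_t`/`gid_t` so that a value above INT_MAX is never compared as a negative number. The `#ifdef CONFIG_SYSVIPC` block gives `gr_shm_exit` a static inline stub, but the `CONFIG_GRKERNSEC` block below provides none for `gr_handle_mem_write`, `gr_handle_kmem_write`, `gr_handle_open_port` or `gr_handle_mem_mmap`, so every caller has to carry its own `#ifdef`; either add matching stubs or document that the callers are guarded. Also `extern int grsec_enable_shm;` is now declared both here and in grinternal.h; keep one.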
65055 -diff -Nurp linux-2.6.23.15/include/linux/highmem.h linux-2.6.23.15-grsec/include/linux/highmem.h
65056 ---- linux-2.6.23.15/include/linux/highmem.h 2007-10-09 21:31:38.000000000 +0100
65057 -+++ linux-2.6.23.15-grsec/include/linux/highmem.h 2008-02-11 10:37:45.000000000 +0000
65058 -@@ -124,6 +124,13 @@ static inline void clear_highpage(struct
65059 - kunmap_atomic(kaddr, KM_USER0);
65060 - }
65061 -
65062 -+static inline void sanitize_highpage(struct page *page)
65063 -+{
65064 -+ void *kaddr = kmap_atomic(page, KM_CLEARPAGE);
65065 -+ clear_page(kaddr);
65066 -+ kunmap_atomic(kaddr, KM_CLEARPAGE);
65067 -+}
65068 -+
65069 - /*
65070 - * Same but also flushes aliased cache contents to RAM.
65071 - *
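Review bot: `sanitize_highpage` duplicates `clear_highpage` just above it except for the `KM_CLEARPAGE` kmap slot, and no comment says why a separate slot is needed; state the intended call context (sanitising pages on free, where `KM_USER0` may already be held by the interrupted context) so that nobody later folds it back into `clear_highpage`. It is also worth confirming, against the comment that follows ("Same but also flushes aliased cache contents to RAM"), whether the sanitise-on-free path needs `flush_dcache_page` on aliasing caches: zeroing through one kernel alias without a flush can leave the previous contents in dirty lines under another alias, which would undercut the point of scrubbing freed memory.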
65072 -@@ -132,14 +139,14 @@ static inline void clear_highpage(struct
65073 - */
65074 - #define zero_user_page(page, offset, size, km_type) \
65075 - do { \
65076 -- void *kaddr; \
65077 -+ void *__kaddr; \
65078 - \
65079 - BUG_ON((offset) + (size) > PAGE_SIZE); \
65080 - \
65081 -- kaddr = kmap_atomic(page, km_type); \
65082 -- memset((char *)kaddr + (offset), 0, (size)); \
65083 -+ __kaddr = kmap_atomic(page, km_type); \
65084 -+ memset((char *)__kaddr + (offset), 0, (size)); \
65085 - flush_dcache_page(page); \
65086 -- kunmap_atomic(kaddr, (km_type)); \
65087 -+ kunmap_atomic(__kaddr, (km_type)); \
65088 - } while (0)
65089 -
65090 - static inline void __deprecated memclear_highpage_flush(struct page *page,
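Review bot: the rename to `__kaddr` in `zero_user_page` fixes a real macro-hygiene bug rather than just a shadow warning: with the local named `kaddr`, a caller whose `offset` or `size` expression mentioned its own `kaddr` would have had it rebound to the macro's freshly mapped pointer inside `memset((char *)kaddr + (offset), 0, (size))`. That deserves a line in the commit message, and the same audit is worth running over the other macros in this file that declare locals with plain names.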
65091 -diff -Nurp linux-2.6.23.15/include/linux/irqflags.h linux-2.6.23.15-grsec/include/linux/irqflags.h
65092 ---- linux-2.6.23.15/include/linux/irqflags.h 2007-10-09 21:31:38.000000000 +0100
65093 -+++ linux-2.6.23.15-grsec/include/linux/irqflags.h 2008-02-11 10:37:45.000000000 +0000
65094 -@@ -84,10 +84,10 @@
65095 -
65096 - #define irqs_disabled() \
65097 - ({ \
65098 -- unsigned long flags; \
65099 -+ unsigned long __flags; \
65100 - \
65101 -- raw_local_save_flags(flags); \
65102 -- raw_irqs_disabled_flags(flags); \
65103 -+ raw_local_save_flags(__flags); \
65104 -+ raw_irqs_disabled_flags(__flags); \
65105 - })
65106 -
65107 - #define irqs_disabled_flags(flags) raw_irqs_disabled_flags(flags)
65108 -diff -Nurp linux-2.6.23.15/include/linux/jbd.h linux-2.6.23.15-grsec/include/linux/jbd.h
65109 ---- linux-2.6.23.15/include/linux/jbd.h 2007-10-09 21:31:38.000000000 +0100
65110 -+++ linux-2.6.23.15-grsec/include/linux/jbd.h 2008-02-11 10:37:45.000000000 +0000
65111 -@@ -68,7 +68,7 @@ extern int journal_enable_debug;
65112 - } \
65113 - } while (0)
65114 - #else
65115 --#define jbd_debug(f, a...) /**/
65116 -+#define jbd_debug(f, a...) do {} while (0)
65117 - #endif
65118 -
65119 - extern void * __jbd_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
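Review bot: replacing the empty `/**/` expansion with `do {} while (0)` is the right fix, because the old form turned `if (cond) jbd_debug(...); else ...` into a syntax error or, worse, silently attached the `else` to a different `if`; the commit message should say that the non-debug build is behaviour-preserving, since a journaling header touched by a security patch invites questions.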
65120 -diff -Nurp linux-2.6.23.15/include/linux/jbd2.h linux-2.6.23.15-grsec/include/linux/jbd2.h
65121 ---- linux-2.6.23.15/include/linux/jbd2.h 2007-10-09 21:31:38.000000000 +0100
65122 -+++ linux-2.6.23.15-grsec/include/linux/jbd2.h 2008-02-11 10:37:45.000000000 +0000
65123 -@@ -68,7 +68,7 @@ extern u8 jbd2_journal_enable_debug;
65124 - } \
65125 - } while (0)
65126 - #else
65127 --#define jbd_debug(f, a...) /**/
65128 -+#define jbd_debug(f, a...) do {} while (0)
65129 - #endif
65130 -
65131 - extern void * __jbd2_kmalloc (const char *where, size_t size, gfp_t flags, int retry);
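Review bot: jbd2.h still names its macro `jbd_debug`, identical to the one in jbd.h, so a translation unit that includes both headers gets a redefinition; the collision is pre-existing rather than introduced here, but since this hunk touches the line anyway it is the natural moment to rename it `jbd2_debug` together with its callers.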
65132 -diff -Nurp linux-2.6.23.15/include/linux/libata.h linux-2.6.23.15-grsec/include/linux/libata.h
65133 ---- linux-2.6.23.15/include/linux/libata.h 2008-02-11 10:36:03.000000000 +0000
65134 -+++ linux-2.6.23.15-grsec/include/linux/libata.h 2008-02-11 10:37:45.000000000 +0000
65135 -@@ -63,11 +63,11 @@
65136 - #ifdef ATA_VERBOSE_DEBUG
65137 - #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
65138 - #else
65139 --#define VPRINTK(fmt, args...)
65140 -+#define VPRINTK(fmt, args...) do {} while (0)
65141 - #endif /* ATA_VERBOSE_DEBUG */
65142 - #else
65143 --#define DPRINTK(fmt, args...)
65144 --#define VPRINTK(fmt, args...)
65145 -+#define DPRINTK(fmt, args...) do {} while (0)
65146 -+#define VPRINTK(fmt, args...) do {} while (0)
65147 - #endif /* ATA_DEBUG */
65148 -
65149 - #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __FUNCTION__, ## args)
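Review bot: `BPRINTK`, visible in the trailing context, is still a bare `if (ap->flags & ATA_FLAG_DEBUGMSG) printk(...)` with no `do { } while (0)` wrapper, so it carries exactly the dangling-`else` hazard this hunk removes from `VPRINTK`/`DPRINTK`; wrap it the same way while here.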
65150 -diff -Nurp linux-2.6.23.15/include/linux/mm.h linux-2.6.23.15-grsec/include/linux/mm.h
65151 ---- linux-2.6.23.15/include/linux/mm.h 2007-10-09 21:31:38.000000000 +0100
65152 -+++ linux-2.6.23.15-grsec/include/linux/mm.h 2008-02-11 10:37:45.000000000 +0000
65153 -@@ -38,6 +38,7 @@ extern int sysctl_legacy_va_layout;
65154 - #include <asm/page.h>
65155 - #include <asm/pgtable.h>
65156 - #include <asm/processor.h>
65157 -+#include <asm/mman.h>
65158 -
65159 - #define nth_page(page,n) pfn_to_page(page_to_pfn((page)) + (n))
65160 -
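Review bot: the new `#include <asm/mman.h>` in the core `linux/mm.h` carries no comment on what it is for, and the visible hunks of this file only add prototypes; state which definitions require it (presumably the `PROT_*` values that `track_exec_limit`'s `prot` argument is compared against) so that the include is not removed as unused later and so that the cost of pulling it into every file that includes mm.h is understood.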
65161 -@@ -111,6 +112,8 @@ struct vm_area_struct {
65162 - #ifdef CONFIG_NUMA
65163 - struct mempolicy *vm_policy; /* NUMA policy for the VMA */
65164 - #endif
65165 -+
65166 -+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
65167 - };
65168 -
65169 - extern struct kmem_cache *vm_area_cachep;
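Review bot: `vm_mirror` is a raw pointer to another VMA, so every path that duplicates or splits a `vm_area_struct` (the vma copy in fork, `split_vma`, `copy_vma`, `vma_adjust`) must reset it to NULL or re-link it, or the mirror dangles once its partner is freed; the commit message should list the sites that were audited. The field is also added unconditionally rather than under the PaX option that uses it, which costs a pointer per VMA on every build; consider guarding it the way `VM_PAGEEXEC` and `VM_MAYNOTWRITE` are guarded below.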
65170 -@@ -171,6 +174,14 @@ extern unsigned int kobjsize(const void
65171 -
65172 - #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
65173 -
65174 -+#ifdef CONFIG_PAX_PAGEEXEC
65175 -+#define VM_PAGEEXEC 0x10000000 /* vma->vm_page_prot needs special handling */
65176 -+#endif
65177 -+
65178 -+#ifdef CONFIG_PAX_MPROTECT
65179 -+#define VM_MAYNOTWRITE 0x20000000 /* vma cannot be granted VM_WRITE any more */
65180 -+#endif
65181 -+
65182 - #ifndef VM_STACK_DEFAULT_FLAGS /* arch can override this */
65183 - #define VM_STACK_DEFAULT_FLAGS VM_DATA_DEFAULT_FLAGS
65184 - #endif
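Review bot: `VM_PAGEEXEC` and `VM_MAYNOTWRITE` exist only under their config options, so any shared code testing `vma->vm_flags & VM_MAYNOTWRITE` needs its own `#ifdef`; adding `#else` branches that define them as 0, in the spirit of the empty `track_exec_limit` stub later in this file, lets such checks compile away cleanly. And since the comment says a `VM_MAYNOTWRITE` vma "cannot be granted VM_WRITE any more", document that the flag has to survive VMA merging and the flag recomputation in mprotect, otherwise the W^X guarantee it backs can silently disappear on a merge.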
65185 -@@ -862,6 +873,8 @@ struct shrinker {
65186 - extern void register_shrinker(struct shrinker *);
65187 - extern void unregister_shrinker(struct shrinker *);
65188 -
65189 -+pgprot_t vm_get_page_prot(unsigned long vm_flags);
65190 -+
65191 - int vma_wants_writenotify(struct vm_area_struct *vma);
65192 -
65193 - extern pte_t *FASTCALL(get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl));
65194 -@@ -1088,6 +1101,7 @@ out:
65195 - }
65196 -
65197 - extern int do_munmap(struct mm_struct *, unsigned long, size_t);
65198 -+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
65199 -
65200 - extern unsigned long do_brk(unsigned long, unsigned long);
65201 -
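Review bot: `__do_munmap` is exported next to `do_munmap` with no comment on how the two differ; by kernel convention the underscored variant skips a lock or a step (here presumably the mirror-VMA handling or an `mmap_sem` requirement), and a caller choosing the wrong one either unmaps without the mirror or deadlocks, so put the locking contract in a one-line comment above the prototype.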
65202 -@@ -1142,6 +1156,10 @@ extern struct vm_area_struct * find_vma(
65203 - extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
65204 - struct vm_area_struct **pprev);
65205 -
65206 -+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
65207 -+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
65208 -+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
65209 -+
65210 - /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
65211 - NULL if none. Assume start_addr < end_addr. */
65212 - static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
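Review bot: `pax_mirror_file_pte()` takes a `spinlock_t *ptl` argument but the prototype gives no hint whether it must be called with that page-table lock held, or whether it drops it before returning; document the locking contract here, since a mismatch between caller and callee on this point is exactly the kind of bug that shows up only under load.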
65213 -@@ -1158,7 +1176,6 @@ static inline unsigned long vma_pages(st
65214 - return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
65215 - }
65216 -
65217 --pgprot_t vm_get_page_prot(unsigned long vm_flags);
65218 - struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
65219 - struct page *vmalloc_to_page(void *addr);
65220 - unsigned long vmalloc_to_pfn(void *addr);
65221 -@@ -1218,5 +1235,11 @@ extern int randomize_va_space;
65222 -
65223 - const char * arch_vma_name(struct vm_area_struct *vma);
65224 -
65225 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65226 -+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
65227 -+#else
65228 -+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
65229 -+#endif
65230 -+
65231 - #endif /* __KERNEL__ */
65232 - #endif /* _LINUX_MM_H */
65233 -diff -Nurp linux-2.6.23.15/include/linux/module.h linux-2.6.23.15-grsec/include/linux/module.h
65234 ---- linux-2.6.23.15/include/linux/module.h 2007-10-09 21:31:38.000000000 +0100
65235 -+++ linux-2.6.23.15-grsec/include/linux/module.h 2008-02-11 10:37:45.000000000 +0000
65236 -@@ -295,16 +295,16 @@ struct module
65237 - int (*init)(void);
65238 -
65239 - /* If this is non-NULL, vfree after init() returns */
65240 -- void *module_init;
65241 -+ void *module_init_rx, *module_init_rw;
65242 -
65243 - /* Here is the actual code + data, vfree'd on unload. */
65244 -- void *module_core;
65245 -+ void *module_core_rx, *module_core_rw;
65246 -
65247 - /* Here are the sizes of the init and core sections */
65248 -- unsigned long init_size, core_size;
65249 -+ unsigned long init_size_rw, core_size_rw;
65250 -
65251 - /* The size of the executable code in each section. */
65252 -- unsigned long init_text_size, core_text_size;
65253 -+ unsigned long init_size_rx, core_size_rx;
65254 -
65255 - /* The handle returned from unwind_add_table. */
65256 - void *unwind_info;
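Review bot: the comments "Here are the sizes of the init and core sections" and "The size of the executable code in each section." are left unchanged although the fields under them are now `init_size_rw/core_size_rw` and `init_size_rx/core_size_rx`; the old `core_size` covered the whole section (text plus data) while the new `_rw` size presumably covers only the RW part, so update the comments and audit every consumer that computed module bounds from `module_core + core_size`, since it must now check both the RX and the RW region.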
65257 -diff -Nurp linux-2.6.23.15/include/linux/moduleloader.h linux-2.6.23.15-grsec/include/linux/moduleloader.h
65258 ---- linux-2.6.23.15/include/linux/moduleloader.h 2007-10-09 21:31:38.000000000 +0100
65259 -+++ linux-2.6.23.15-grsec/include/linux/moduleloader.h 2008-02-11 10:37:45.000000000 +0000
65260 -@@ -17,9 +17,21 @@ int module_frob_arch_sections(Elf_Ehdr *
65261 - sections. Returns NULL on failure. */
65262 - void *module_alloc(unsigned long size);
65263 -
65264 -+#ifdef CONFIG_PAX_KERNEXEC
65265 -+void *module_alloc_exec(unsigned long size);
65266 -+#else
65267 -+#define module_alloc_exec(x) module_alloc(x)
65268 -+#endif
65269 -+
65270 - /* Free memory returned from module_alloc. */
65271 - void module_free(struct module *mod, void *module_region);
65272 -
65273 -+#ifdef CONFIG_PAX_KERNEXEC
65274 -+void module_free_exec(struct module *mod, void *module_region);
65275 -+#else
65276 -+#define module_free_exec(x, y) module_free(x, y)
65277 -+#endif
65278 -+
65279 - /* Apply the given relocation to the (simplified) ELF. Return -error
65280 - or 0. */
65281 - int apply_relocate(Elf_Shdr *sechdrs,
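Review bot: the non-KERNEXEC fallbacks are function-like macros (`module_alloc_exec(x)`, `module_free_exec(x, y)`); static inline wrappers around module_alloc()/module_free() would give the same call sites type checking of the arguments in both configurations and avoid surprises if an argument with side effects is ever passed.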
65282 -diff -Nurp linux-2.6.23.15/include/linux/percpu.h linux-2.6.23.15-grsec/include/linux/percpu.h
65283 ---- linux-2.6.23.15/include/linux/percpu.h 2007-10-09 21:31:38.000000000 +0100
65284 -+++ linux-2.6.23.15-grsec/include/linux/percpu.h 2008-02-11 10:37:45.000000000 +0000
65285 -@@ -18,7 +18,7 @@
65286 - #endif
65287 -
65288 - #define PERCPU_ENOUGH_ROOM \
65289 -- (__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE)
65290 -+ ((unsigned long)(__per_cpu_end - __per_cpu_start + PERCPU_MODULE_RESERVE))
65291 - #endif /* PERCPU_ENOUGH_ROOM */
65292 -
65293 - /*
65294 -diff -Nurp linux-2.6.23.15/include/linux/random.h linux-2.6.23.15-grsec/include/linux/random.h
65295 ---- linux-2.6.23.15/include/linux/random.h 2007-10-09 21:31:38.000000000 +0100
65296 -+++ linux-2.6.23.15-grsec/include/linux/random.h 2008-02-11 10:37:45.000000000 +0000
65297 -@@ -72,6 +72,11 @@ unsigned long randomize_range(unsigned l
65298 - u32 random32(void);
65299 - void srandom32(u32 seed);
65300 -
65301 -+static inline unsigned long pax_get_random_long(void)
65302 -+{
65303 -+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
65304 -+}
65305 -+
65306 - #endif /* __KERNEL___ */
65307 -
65308 - #endif /* _LINUX_RANDOM_H */
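Review bot: pax_get_random_long() builds its value from random32(), the Tausworthe generator in lib/random32.c intended for non-cryptographic use, while randomize_range() declared just above this hunk draws from get_random_int(); if this helper feeds the ASLR deltas added to mm_struct, state in the patch why the weaker generator is acceptable or switch to get_random_int()/get_random_bytes(). Also the `<< 32` in the branch that is unreachable on 32-bit targets is still compiled and can trigger a shift-count warning there; an `#if BITS_PER_LONG == 64` split avoids that.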
65309 -diff -Nurp linux-2.6.23.15/include/linux/sched.h linux-2.6.23.15-grsec/include/linux/sched.h
65310 ---- linux-2.6.23.15/include/linux/sched.h 2008-02-11 10:36:03.000000000 +0000
65311 -+++ linux-2.6.23.15-grsec/include/linux/sched.h 2008-02-11 10:37:45.000000000 +0000
65312 -@@ -92,6 +92,7 @@ struct sched_param {
65313 - struct exec_domain;
65314 - struct futex_pi_state;
65315 - struct bio;
65316 -+struct linux_binprm;
65317 -
65318 - /*
65319 - * List of flags we want to share for kernel threads,
65320 -@@ -432,6 +433,24 @@ struct mm_struct {
65321 - /* aio bits */
65322 - rwlock_t ioctx_list_lock;
65323 - struct kioctx *ioctx_list;
65324 -+
65325 -+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65326 -+ unsigned long pax_flags;
65327 -+#endif
65328 -+
65329 -+#ifdef CONFIG_PAX_DLRESOLVE
65330 -+ unsigned long call_dl_resolve;
65331 -+#endif
65332 -+
65333 -+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
65334 -+ unsigned long call_syscall;
65335 -+#endif
65336 -+
65337 -+#ifdef CONFIG_PAX_ASLR
65338 -+ unsigned long delta_mmap; /* randomized offset */
65339 -+ unsigned long delta_stack; /* randomized offset */
65340 -+#endif
65341 -+
65342 - };
65343 -
65344 - struct sighand_struct {
65345 -@@ -556,6 +575,15 @@ struct signal_struct {
65346 - unsigned audit_tty;
65347 - struct tty_audit_buf *tty_audit_buf;
65348 - #endif
65349 -+
65350 -+#ifdef CONFIG_GRKERNSEC
65351 -+ u32 curr_ip;
65352 -+ u32 gr_saddr;
65353 -+ u32 gr_daddr;
65354 -+ u16 gr_sport;
65355 -+ u16 gr_dport;
65356 -+ u8 used_accept:1;
65357 -+#endif
65358 - };
65359 -
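Review bot: `curr_ip`, `gr_saddr` and `gr_daddr` are `u32`, so the per-process audit attribution only fits IPv4 addresses and connections accepted over IPv6 will be logged with a zero or truncated peer; either document that limitation next to the fields or widen them with an address-family tag.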
65360 - /* Context switch must be unlocked if interrupts are to be enabled */
65361 -@@ -1017,8 +1045,8 @@ struct task_struct {
65362 - struct list_head thread_group;
65363 -
65364 - struct completion *vfork_done; /* for vfork() */
65365 -- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65366 -- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65367 -+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65368 -+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65369 -
65370 - unsigned int rt_priority;
65371 - cputime_t utime, stime;
65372 -@@ -1183,6 +1211,17 @@ struct task_struct {
65373 - struct list_head pi_state_list;
65374 - struct futex_pi_state *pi_state_cache;
65375 -
65376 -+#ifdef CONFIG_GRKERNSEC
65377 -+ /* grsecurity */
65378 -+ struct acl_subject_label *acl;
65379 -+ struct acl_role_label *role;
65380 -+ struct file *exec_file;
65381 -+ u16 acl_role_id;
65382 -+ u8 acl_sp_role:1;
65383 -+ u8 is_writable:1;
65384 -+ u8 brute:1;
65385 -+#endif
65386 -+
65387 - atomic_t fs_excl; /* holding fs exclusive resources */
65388 - struct rcu_head rcu;
65389 -
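Review bot: `struct file *exec_file` is a new reference-holding member of task_struct, and the hunk does not say who takes the reference (exec) and who releases it (exit, and fork if it is inherited); a missed fput() here is a file leak per process, so add a comment stating the ownership rule.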
65390 -@@ -1198,6 +1237,46 @@ struct task_struct {
65391 - #endif
65392 - };
65393 -
65394 -+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65395 -+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65396 -+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65397 -+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65398 -+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65399 -+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65400 -+
65401 -+#ifdef CONFIG_PAX_SOFTMODE
65402 -+extern unsigned int pax_softmode;
65403 -+#endif
65404 -+
65405 -+extern int pax_check_flags(unsigned long *);
65406 -+
65407 -+/* if tsk != current then task_lock must be held on it */
65408 -+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65409 -+static inline unsigned long pax_get_flags(struct task_struct *tsk)
65410 -+{
65411 -+ if (likely(tsk->mm))
65412 -+ return tsk->mm->pax_flags;
65413 -+ else
65414 -+ return 0UL;
65415 -+}
65416 -+
65417 -+/* if tsk != current then task_lock must be held on it */
65418 -+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65419 -+{
65420 -+ if (likely(tsk->mm)) {
65421 -+ tsk->mm->pax_flags = flags;
65422 -+ return 0;
65423 -+ }
65424 -+ return -EINVAL;
65425 -+}
65426 -+#endif
65427 -+
65428 -+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65429 -+extern void pax_set_initial_flags(struct linux_binprm *bprm);
65430 -+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65431 -+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65432 -+#endif
65433 -+
65434 - /*
65435 - * Priority of a process goes from 0..MAX_PRIO-1, valid RT
65436 - * priority is 0..MAX_RT_PRIO-1, and SCHED_NORMAL/SCHED_BATCH
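Review bot: pax_set_flags() stores whatever it is given into `tsk->mm->pax_flags` without running it through the `pax_check_flags()` declared a few lines above; either validate here or note in the comment that callers must validate first, so that mutually exclusive bits (for example MF_PAX_PAGEEXEC and MF_PAX_SEGMEXEC) cannot be set together by a buggy caller.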
65437 -@@ -1831,6 +1910,12 @@ extern void arch_pick_mmap_layout(struct
65438 - static inline void arch_pick_mmap_layout(struct mm_struct *mm)
65439 - {
65440 - mm->mmap_base = TASK_UNMAPPED_BASE;
65441 -+
65442 -+#ifdef CONFIG_PAX_RANDMMAP
65443 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
65444 -+ mm->mmap_base += mm->delta_mmap;
65445 -+#endif
65446 -+
65447 - mm->get_unmapped_area = arch_get_unmapped_area;
65448 - mm->unmap_area = arch_unmap_area;
65449 - }
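Review bot: this inline arch_pick_mmap_layout() reads `mm->pax_flags` and `mm->delta_mmap` under CONFIG_PAX_RANDMMAP, but in the mm_struct hunk `delta_mmap` exists only under CONFIG_PAX_ASLR and `pax_flags` only under the EI_PAX/PT_PAX_FLAGS/NOEXEC/ASLR guard; the Kconfig must make RANDMMAP depend on (or select) ASLR, otherwise a RANDMMAP-without-ASLR configuration fails to compile.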
65450 -diff -Nurp linux-2.6.23.15/include/linux/screen_info.h linux-2.6.23.15-grsec/include/linux/screen_info.h
65451 ---- linux-2.6.23.15/include/linux/screen_info.h 2007-10-09 21:31:38.000000000 +0100
65452 -+++ linux-2.6.23.15-grsec/include/linux/screen_info.h 2008-02-11 10:37:45.000000000 +0000
65453 -@@ -42,7 +42,8 @@ struct screen_info {
65454 - u16 pages; /* 0x32 */
65455 - u16 vesa_attributes; /* 0x34 */
65456 - u32 capabilities; /* 0x36 */
65457 -- u8 _reserved[6]; /* 0x3a */
65458 -+ u16 vesapm_size; /* 0x3a */
65459 -+ u8 _reserved[4]; /* 0x3c */
65460 - } __attribute__((packed));
65461 -
65462 - extern struct screen_info screen_info;
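Review bot: `u16 vesapm_size` at 0x3a plus `_reserved[4]` at 0x3c keeps the packed struct the same size as the old `_reserved[6]`, so the layout stays consistent, but screen_info mirrors the boot-parameter block filled by the real-mode setup code; unless that code is updated to store the VESA PM segment size at 0x3a, the new field always reads as zero. State in the patch where it gets populated.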
65463 -diff -Nurp linux-2.6.23.15/include/linux/security.h linux-2.6.23.15-grsec/include/linux/security.h
65464 ---- linux-2.6.23.15/include/linux/security.h 2007-10-09 21:31:38.000000000 +0100
65465 -+++ linux-2.6.23.15-grsec/include/linux/security.h 2008-02-11 10:37:45.000000000 +0000
65466 -@@ -2796,7 +2796,7 @@ static inline struct dentry *securityfs_
65467 - mode_t mode,
65468 - struct dentry *parent,
65469 - void *data,
65470 -- struct file_operations *fops)
65471 -+ const struct file_operations *fops)
65472 - {
65473 - return ERR_PTR(-ENODEV);
65474 - }
65475 -diff -Nurp linux-2.6.23.15/include/linux/shm.h linux-2.6.23.15-grsec/include/linux/shm.h
65476 ---- linux-2.6.23.15/include/linux/shm.h 2007-10-09 21:31:38.000000000 +0100
65477 -+++ linux-2.6.23.15-grsec/include/linux/shm.h 2008-02-11 10:37:45.000000000 +0000
65478 -@@ -86,6 +86,10 @@ struct shmid_kernel /* private to the ke
65479 - pid_t shm_cprid;
65480 - pid_t shm_lprid;
65481 - struct user_struct *mlock_user;
65482 -+#ifdef CONFIG_GRKERNSEC
65483 -+ time_t shm_createtime;
65484 -+ pid_t shm_lapid;
65485 -+#endif
65486 - };
65487 -
65488 - /* shm_mode upper byte flags */
65489 -diff -Nurp linux-2.6.23.15/include/linux/skbuff.h linux-2.6.23.15-grsec/include/linux/skbuff.h
65490 ---- linux-2.6.23.15/include/linux/skbuff.h 2008-02-11 10:36:03.000000000 +0000
65491 -+++ linux-2.6.23.15-grsec/include/linux/skbuff.h 2008-02-11 10:37:45.000000000 +0000
65492 -@@ -385,7 +385,7 @@ extern void skb_truesize_bug(struc
65493 -
65494 - static inline void skb_truesize_check(struct sk_buff *skb)
65495 - {
65496 -- if (unlikely((int)skb->truesize < sizeof(struct sk_buff) + skb->len))
65497 -+ if (unlikely(skb->truesize < sizeof(struct sk_buff) + skb->len))
65498 - skb_truesize_bug(skb);
65499 - }
65500 -
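Review bot: dropping the `(int)` cast is a correctness fix worth naming in the changelog, not just a warning cleanup: `truesize` is unsigned and the right-hand side is a `size_t`, so on 64-bit a truesize with the top bit set became a negative int and was then sign-extended to a huge unsigned long, which silently defeated the check instead of calling skb_truesize_bug().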
65501 -diff -Nurp linux-2.6.23.15/include/linux/sysctl.h linux-2.6.23.15-grsec/include/linux/sysctl.h
65502 ---- linux-2.6.23.15/include/linux/sysctl.h 2008-02-11 10:36:24.000000000 +0000
65503 -+++ linux-2.6.23.15-grsec/include/linux/sysctl.h 2008-02-11 10:37:45.000000000 +0000
65504 -@@ -168,9 +168,22 @@ enum
65505 - #ifdef CONFIG_ALPHA_UAC_SYSCTL
65506 - KERN_UAC_POLICY=78, /* int: Alpha unaligned access control policy flags */
65507 - #endif /* CONFIG_ALPHA_UAC_SYSCTL */
65508 --};
65509 -
65510 -+#ifdef CONFIG_GRKERNSEC
65511 -+ KERN_GRSECURITY=98, /* grsecurity */
65512 -+#endif
65513 -+
65514 -+#ifdef CONFIG_PAX_SOFTMODE
65515 -+ KERN_PAX=99, /* PaX control */
65516 -+#endif
65517 -+
65518 -+};
65519 -
65520 -+#ifdef CONFIG_PAX_SOFTMODE
65521 -+enum {
65522 -+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
65523 -+};
65524 -+#endif
65525 -
65526 - /* CTL_VM names: */
65527 - enum
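Review bot: KERN_GRSECURITY=98 and KERN_PAX=99 are binary sysctl numbers, i.e. part of the sys_sysctl ABI, so they must not collide with values upstream assigns later in this enum (the last upstream entry visible here is 78); note in the patch that these values are reserved out-of-tree. Also the hunk drops the closing `};` and re-adds it after a blank line; removing that blank line keeps the enum body tidy.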
65528 -diff -Nurp linux-2.6.23.15/include/linux/uaccess.h linux-2.6.23.15-grsec/include/linux/uaccess.h
65529 ---- linux-2.6.23.15/include/linux/uaccess.h 2007-10-09 21:31:38.000000000 +0100
65530 -+++ linux-2.6.23.15-grsec/include/linux/uaccess.h 2008-02-11 10:37:45.000000000 +0000
65531 -@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
65532 - long ret; \
65533 - mm_segment_t old_fs = get_fs(); \
65534 - \
65535 -- set_fs(KERNEL_DS); \
65536 - pagefault_disable(); \
65537 -+ set_fs(KERNEL_DS); \
65538 - ret = __get_user(retval, (__force typeof(retval) __user *)(addr)); \
65539 -- pagefault_enable(); \
65540 - set_fs(old_fs); \
65541 -+ pagefault_enable(); \
65542 - ret; \
65543 - })
65544 -
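Review bot: this reorder is a hardening that the patch should call out: `set_fs(KERNEL_DS)` now sits strictly inside the `pagefault_disable()`/`pagefault_enable()` pair, which also disables preemption, so the task can no longer be scheduled out while its address limit is widened to KERNEL_DS, and `set_fs(old_fs)` restores it before preemption is re-enabled.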
65545 -diff -Nurp linux-2.6.23.15/include/linux/udf_fs.h linux-2.6.23.15-grsec/include/linux/udf_fs.h
65546 ---- linux-2.6.23.15/include/linux/udf_fs.h 2007-10-09 21:31:38.000000000 +0100
65547 -+++ linux-2.6.23.15-grsec/include/linux/udf_fs.h 2008-02-11 10:37:45.000000000 +0000
65548 -@@ -45,7 +45,7 @@
65549 - printk (f, ##a); \
65550 - }
65551 - #else
65552 --#define udf_debug(f, a...) /**/
65553 -+#define udf_debug(f, a...) do {} while (0)
65554 - #endif
65555 -
65556 - #define udf_info(f, a...) \
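Review bot: turning the empty `udf_debug()` expansion into `do {} while (0)` is the right fix, since an empty macro used as the body of an `if` without braces silently binds the following statement to that `if`; a one-line changelog note that this is a latent-bug fix and not cosmetic would help reviewers of the other debug-macro hunks in this patch.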
65557 -diff -Nurp linux-2.6.23.15/include/net/sctp/sctp.h linux-2.6.23.15-grsec/include/net/sctp/sctp.h
65558 ---- linux-2.6.23.15/include/net/sctp/sctp.h 2007-10-09 21:31:38.000000000 +0100
65559 -+++ linux-2.6.23.15-grsec/include/net/sctp/sctp.h 2008-02-11 10:37:45.000000000 +0000
65560 -@@ -317,8 +317,8 @@ extern int sctp_debug_flag;
65561 -
65562 - #else /* SCTP_DEBUG */
65563 -
65564 --#define SCTP_DEBUG_PRINTK(whatever...)
65565 --#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
65566 -+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
65567 -+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
65568 - #define SCTP_ENABLE_DEBUG
65569 - #define SCTP_DISABLE_DEBUG
65570 - #define SCTP_ASSERT(expr, str, func)
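Review bot: `SCTP_DEBUG_PRINTK` and `SCTP_DEBUG_PRINTK_IPADDR` get the `do {} while (0)` body, but `SCTP_ASSERT(expr, str, func)` three lines below is left expanding to nothing and has the same dangling-if hazard; give it the same treatment for consistency.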
65571 -diff -Nurp linux-2.6.23.15/include/sound/core.h linux-2.6.23.15-grsec/include/sound/core.h
65572 ---- linux-2.6.23.15/include/sound/core.h 2007-10-09 21:31:38.000000000 +0100
65573 -+++ linux-2.6.23.15-grsec/include/sound/core.h 2008-02-11 10:37:45.000000000 +0000
65574 -@@ -396,9 +396,9 @@ void snd_verbose_printd(const char *file
65575 -
65576 - #else /* !CONFIG_SND_DEBUG */
65577 -
65578 --#define snd_printd(fmt, args...) /* nothing */
65579 -+#define snd_printd(fmt, args...) do {} while (0)
65580 - #define snd_assert(expr, args...) (void)(expr)
65581 --#define snd_BUG() /* nothing */
65582 -+#define snd_BUG() do {} while (0)
65583 -
65584 - #endif /* CONFIG_SND_DEBUG */
65585 -
65586 -@@ -412,7 +412,7 @@ void snd_verbose_printd(const char *file
65587 - */
65588 - #define snd_printdd(format, args...) snd_printk(format, ##args)
65589 - #else
65590 --#define snd_printdd(format, args...) /* nothing */
65591 -+#define snd_printdd(format, args...) do {} while (0)
65592 - #endif
65593 -
65594 -
65595 -diff -Nurp linux-2.6.23.15/init/Kconfig linux-2.6.23.15-grsec/init/Kconfig
65596 ---- linux-2.6.23.15/init/Kconfig 2007-10-09 21:31:38.000000000 +0100
65597 -+++ linux-2.6.23.15-grsec/init/Kconfig 2008-02-11 10:37:45.000000000 +0000
65598 -@@ -384,6 +384,7 @@ config SYSCTL_SYSCALL
65599 - config KALLSYMS
65600 - bool "Load all symbols for debugging/ksymoops" if EMBEDDED
65601 - default y
65602 -+ depends on !GRKERNSEC_HIDESYM
65603 - help
65604 - Say Y here to let the kernel print out symbolic crash information and
65605 - symbolic stack backtraces. This increases the size of the kernel
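Review bot: the new `depends on !GRKERNSEC_HIDESYM` makes KALLSYMS disappear from the configuration menu with no explanation in the help text that follows; add a sentence there saying that symbol tables are unavailable when GRKERNSEC_HIDESYM is enabled, so users understand why oops output loses symbolic names.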
65606 -diff -Nurp linux-2.6.23.15/init/do_mounts.c linux-2.6.23.15-grsec/init/do_mounts.c
65607 ---- linux-2.6.23.15/init/do_mounts.c 2007-10-09 21:31:38.000000000 +0100
65608 -+++ linux-2.6.23.15-grsec/init/do_mounts.c 2008-02-11 10:37:45.000000000 +0000
65609 -@@ -68,11 +68,12 @@ static dev_t try_name(char *name, int pa
65610 -
65611 - /* read device number from .../dev */
65612 -
65613 -- sprintf(path, "/sys/block/%s/dev", name);
65614 -- fd = sys_open(path, 0, 0);
65615 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/dev", name))
65616 -+ goto fail;
65617 -+ fd = sys_open((char __user *)path, 0, 0);
65618 - if (fd < 0)
65619 - goto fail;
65620 -- len = sys_read(fd, buf, 32);
65621 -+ len = sys_read(fd, (char __user *)buf, 32);
65622 - sys_close(fd);
65623 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
65624 - goto fail;
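Review bot: the `sizeof path <= snprintf(...)` test is correct (snprintf returns the length it would have written, so a value at or above the buffer size means truncation) and replacing sprintf() closes the stack overflow for an over-long device name; the `(char __user *)` casts in the same hunk are sparse annotations only and change nothing at run time, which the changelog should say so they are not mistaken for part of the fix.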
65625 -@@ -98,11 +99,12 @@ static dev_t try_name(char *name, int pa
65626 - return res;
65627 -
65628 - /* otherwise read range from .../range */
65629 -- sprintf(path, "/sys/block/%s/range", name);
65630 -- fd = sys_open(path, 0, 0);
65631 -+ if (sizeof path <= snprintf(path, sizeof path, "/sys/block/%s/range", name))
65632 -+ goto fail;
65633 -+ fd = sys_open((char __user *)path, 0, 0);
65634 - if (fd < 0)
65635 - goto fail;
65636 -- len = sys_read(fd, buf, 32);
65637 -+ len = sys_read(fd, (char __user *)buf, 32);
65638 - sys_close(fd);
65639 - if (len <= 0 || len == 32 || buf[len - 1] != '\n')
65640 - goto fail;
65641 -@@ -145,8 +147,8 @@ dev_t name_to_dev_t(char *name)
65642 - int part;
65643 -
65644 - #ifdef CONFIG_SYSFS
65645 -- int mkdir_err = sys_mkdir("/sys", 0700);
65646 -- if (sys_mount("sysfs", "/sys", "sysfs", 0, NULL) < 0)
65647 -+ int mkdir_err = sys_mkdir((char __user *)"/sys", 0700);
65648 -+ if (sys_mount((char __user *)"sysfs", (char __user *)"/sys", (char __user *)"sysfs", 0, NULL) < 0)
65649 - goto out;
65650 - #endif
65651 -
65652 -@@ -198,10 +200,10 @@ dev_t name_to_dev_t(char *name)
65653 - res = try_name(s, part);
65654 - done:
65655 - #ifdef CONFIG_SYSFS
65656 -- sys_umount("/sys", 0);
65657 -+ sys_umount((char __user *)"/sys", 0);
65658 - out:
65659 - if (!mkdir_err)
65660 -- sys_rmdir("/sys");
65661 -+ sys_rmdir((char __user *)"/sys");
65662 - #endif
65663 - return res;
65664 - fail:
65665 -@@ -281,11 +283,11 @@ static void __init get_fs_names(char *pa
65666 -
65667 - static int __init do_mount_root(char *name, char *fs, int flags, void *data)
65668 - {
65669 -- int err = sys_mount(name, "/root", fs, flags, data);
65670 -+ int err = sys_mount((char __user *)name, (char __user *)"/root", (char __user *)fs, flags, (void __user *)data);
65671 - if (err)
65672 - return err;
65673 -
65674 -- sys_chdir("/root");
65675 -+ sys_chdir((char __user *)"/root");
65676 - ROOT_DEV = current->fs->pwdmnt->mnt_sb->s_dev;
65677 - printk("VFS: Mounted root (%s filesystem)%s.\n",
65678 - current->fs->pwdmnt->mnt_sb->s_type->name,
65679 -@@ -371,18 +373,18 @@ void __init change_floppy(char *fmt, ...
65680 - va_start(args, fmt);
65681 - vsprintf(buf, fmt, args);
65682 - va_end(args);
65683 -- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
65684 -+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
65685 - if (fd >= 0) {
65686 - sys_ioctl(fd, FDEJECT, 0);
65687 - sys_close(fd);
65688 - }
65689 - printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
65690 -- fd = sys_open("/dev/console", O_RDWR, 0);
65691 -+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
65692 - if (fd >= 0) {
65693 - sys_ioctl(fd, TCGETS, (long)&termios);
65694 - termios.c_lflag &= ~ICANON;
65695 - sys_ioctl(fd, TCSETSF, (long)&termios);
65696 -- sys_read(fd, &c, 1);
65697 -+ sys_read(fd, (char __user *)&c, 1);
65698 - termios.c_lflag |= ICANON;
65699 - sys_ioctl(fd, TCSETSF, (long)&termios);
65700 - sys_close(fd);
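Review bot: `vsprintf(buf, fmt, args)` two lines above the first change is still an unbounded write into `buf`, while the same patch converts the sprintf() calls in try_name() to bounded snprintf(); if `buf` is a fixed-size array, use `vsnprintf(buf, sizeof buf, fmt, args)` here for consistency.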
65701 -@@ -468,8 +470,8 @@ void __init prepare_namespace(void)
65702 -
65703 - mount_root();
65704 - out:
65705 -- sys_mount(".", "/", NULL, MS_MOVE, NULL);
65706 -- sys_chroot(".");
65707 -+ sys_mount((char __user *)".", (char __user *)"/", NULL, MS_MOVE, NULL);
65708 -+ sys_chroot((char __user *)".");
65709 - security_sb_post_mountroot();
65710 - }
65711 -
65712 -diff -Nurp linux-2.6.23.15/init/do_mounts.h linux-2.6.23.15-grsec/init/do_mounts.h
65713 ---- linux-2.6.23.15/init/do_mounts.h 2007-10-09 21:31:38.000000000 +0100
65714 -+++ linux-2.6.23.15-grsec/init/do_mounts.h 2008-02-11 10:37:45.000000000 +0000
65715 -@@ -15,15 +15,15 @@ extern char *root_device_name;
65716 -
65717 - static inline int create_dev(char *name, dev_t dev)
65718 - {
65719 -- sys_unlink(name);
65720 -- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
65721 -+ sys_unlink((char __user *)name);
65722 -+ return sys_mknod((char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
65723 - }
65724 -
65725 - #if BITS_PER_LONG == 32
65726 - static inline u32 bstat(char *name)
65727 - {
65728 - struct stat64 stat;
65729 -- if (sys_stat64(name, &stat) != 0)
65730 -+ if (sys_stat64((char __user *)name, (struct stat64 __user *)&stat) != 0)
65731 - return 0;
65732 - if (!S_ISBLK(stat.st_mode))
65733 - return 0;
65734 -diff -Nurp linux-2.6.23.15/init/do_mounts_md.c linux-2.6.23.15-grsec/init/do_mounts_md.c
65735 ---- linux-2.6.23.15/init/do_mounts_md.c 2007-10-09 21:31:38.000000000 +0100
65736 -+++ linux-2.6.23.15-grsec/init/do_mounts_md.c 2008-02-11 10:37:45.000000000 +0000
65737 -@@ -167,7 +167,7 @@ static void __init md_setup_drive(void)
65738 - partitioned ? "_d" : "", minor,
65739 - md_setup_args[ent].device_names);
65740 -
65741 -- fd = sys_open(name, 0, 0);
65742 -+ fd = sys_open((char __user *)name, 0, 0);
65743 - if (fd < 0) {
65744 - printk(KERN_ERR "md: open failed - cannot start "
65745 - "array %s\n", name);
65746 -@@ -230,7 +230,7 @@ static void __init md_setup_drive(void)
65747 - * array without it
65748 - */
65749 - sys_close(fd);
65750 -- fd = sys_open(name, 0, 0);
65751 -+ fd = sys_open((char __user *)name, 0, 0);
65752 - sys_ioctl(fd, BLKRRPART, 0);
65753 - }
65754 - sys_close(fd);
65755 -@@ -271,7 +271,7 @@ void __init md_run_setup(void)
65756 - if (raid_noautodetect)
65757 - printk(KERN_INFO "md: Skipping autodetection of RAID arrays. (raid=noautodetect)\n");
65758 - else {
65759 -- int fd = sys_open("/dev/md0", 0, 0);
65760 -+ int fd = sys_open((char __user *)"/dev/md0", 0, 0);
65761 - if (fd >= 0) {
65762 - sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
65763 - sys_close(fd);
65764 -diff -Nurp linux-2.6.23.15/init/initramfs.c linux-2.6.23.15-grsec/init/initramfs.c
65765 ---- linux-2.6.23.15/init/initramfs.c 2007-10-09 21:31:38.000000000 +0100
65766 -+++ linux-2.6.23.15-grsec/init/initramfs.c 2008-02-11 10:37:45.000000000 +0000
65767 -@@ -240,7 +240,7 @@ static int __init maybe_link(void)
65768 - if (nlink >= 2) {
65769 - char *old = find_link(major, minor, ino, mode, collected);
65770 - if (old)
65771 -- return (sys_link(old, collected) < 0) ? -1 : 1;
65772 -+ return (sys_link((char __user *)old, (char __user *)collected) < 0) ? -1 : 1;
65773 - }
65774 - return 0;
65775 - }
65776 -@@ -249,11 +249,11 @@ static void __init clean_path(char *path
65777 - {
65778 - struct stat st;
65779 -
65780 -- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
65781 -+ if (!sys_newlstat((char __user *)path, (struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
65782 - if (S_ISDIR(st.st_mode))
65783 -- sys_rmdir(path);
65784 -+ sys_rmdir((char __user *)path);
65785 - else
65786 -- sys_unlink(path);
65787 -+ sys_unlink((char __user *)path);
65788 - }
65789 - }
65790 -
65791 -@@ -276,7 +276,7 @@ static int __init do_name(void)
65792 - int openflags = O_WRONLY|O_CREAT;
65793 - if (ml != 1)
65794 - openflags |= O_TRUNC;
65795 -- wfd = sys_open(collected, openflags, mode);
65796 -+ wfd = sys_open((char __user *)collected, openflags, mode);
65797 -
65798 - if (wfd >= 0) {
65799 - sys_fchown(wfd, uid, gid);
65800 -@@ -285,15 +285,15 @@ static int __init do_name(void)
65801 - }
65802 - }
65803 - } else if (S_ISDIR(mode)) {
65804 -- sys_mkdir(collected, mode);
65805 -- sys_chown(collected, uid, gid);
65806 -- sys_chmod(collected, mode);
65807 -+ sys_mkdir((char __user *)collected, mode);
65808 -+ sys_chown((char __user *)collected, uid, gid);
65809 -+ sys_chmod((char __user *)collected, mode);
65810 - } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
65811 - S_ISFIFO(mode) || S_ISSOCK(mode)) {
65812 - if (maybe_link() == 0) {
65813 -- sys_mknod(collected, mode, rdev);
65814 -- sys_chown(collected, uid, gid);
65815 -- sys_chmod(collected, mode);
65816 -+ sys_mknod((char __user *)collected, mode, rdev);
65817 -+ sys_chown((char __user *)collected, uid, gid);
65818 -+ sys_chmod((char __user *)collected, mode);
65819 - }
65820 - }
65821 - return 0;
65822 -@@ -302,13 +302,13 @@ static int __init do_name(void)
65823 - static int __init do_copy(void)
65824 - {
65825 - if (count >= body_len) {
65826 -- sys_write(wfd, victim, body_len);
65827 -+ sys_write(wfd, (char __user *)victim, body_len);
65828 - sys_close(wfd);
65829 - eat(body_len);
65830 - state = SkipIt;
65831 - return 0;
65832 - } else {
65833 -- sys_write(wfd, victim, count);
65834 -+ sys_write(wfd, (char __user *)victim, count);
65835 - body_len -= count;
65836 - eat(count);
65837 - return 1;
65838 -@@ -319,8 +319,8 @@ static int __init do_symlink(void)
65839 - {
65840 - collected[N_ALIGN(name_len) + body_len] = '\0';
65841 - clean_path(collected, 0);
65842 -- sys_symlink(collected + N_ALIGN(name_len), collected);
65843 -- sys_lchown(collected, uid, gid);
65844 -+ sys_symlink((char __user *)collected + N_ALIGN(name_len), (char __user *)collected);
65845 -+ sys_lchown((char __user *)collected, uid, gid);
65846 - state = SkipIt;
65847 - next_state = Reset;
65848 - return 0;
65849 -diff -Nurp linux-2.6.23.15/init/main.c linux-2.6.23.15-grsec/init/main.c
65850 ---- linux-2.6.23.15/init/main.c 2007-10-09 21:31:38.000000000 +0100
65851 -+++ linux-2.6.23.15-grsec/init/main.c 2008-02-11 10:37:45.000000000 +0000
65852 -@@ -107,6 +107,7 @@ static inline void mark_rodata_ro(void)
65853 - #ifdef CONFIG_TC
65854 - extern void tc_init(void);
65855 - #endif
65856 -+extern void grsecurity_init(void);
65857 -
65858 - enum system_states system_state;
65859 - EXPORT_SYMBOL(system_state);
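Review bot: `extern void grsecurity_init(void);` is declared locally in main.c; since this patch already adds `#include <linux/grsecurity.h>` to ipc/msg.c, ipc/sem.c and ipc/shm.c, the prototype belongs in that header so the definition and all callers are checked against one declaration.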
65860 -@@ -193,6 +194,17 @@ static int __init set_reset_devices(char
65861 -
65862 - __setup("reset_devices", set_reset_devices);
65863 -
65864 -+#ifdef CONFIG_PAX_SOFTMODE
65865 -+unsigned int pax_softmode;
65866 -+
65867 -+static int __init setup_pax_softmode(char *str)
65868 -+{
65869 -+ get_option(&str, &pax_softmode);
65870 -+ return 1;
65871 -+}
65872 -+__setup("pax_softmode=", setup_pax_softmode);
65873 -+#endif
65874 -+
65875 - static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
65876 - char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
65877 - static const char *panic_later, *panic_param;
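Review bot: setup_pax_softmode() stores whatever integer get_option() parses, so `pax_softmode=7` is accepted as-is; if the variable is a boolean (the sysctl hunk names it "disable/enable soft mode"), normalise with `pax_softmode = !!pax_softmode` or reject other values. Note also that get_option() takes an `int *` while `pax_softmode` is `unsigned int`; an `int` temporary avoids the signedness mismatch.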
65878 -@@ -854,6 +866,8 @@ static int __init kernel_init(void * unu
65879 - prepare_namespace();
65880 - }
65881 -
65882 -+ grsecurity_init();
65883 -+
65884 - /*
65885 - * Ok, we have completed the initial bootup, and
65886 - * we're essentially up and running. Get rid of the
65887 -diff -Nurp linux-2.6.23.15/init/noinitramfs.c linux-2.6.23.15-grsec/init/noinitramfs.c
65888 ---- linux-2.6.23.15/init/noinitramfs.c 2007-10-09 21:31:38.000000000 +0100
65889 -+++ linux-2.6.23.15-grsec/init/noinitramfs.c 2008-02-11 10:37:45.000000000 +0000
65890 -@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
65891 - {
65892 - int err;
65893 -
65894 -- err = sys_mkdir("/dev", 0755);
65895 -+ err = sys_mkdir((const char __user *)"/dev", 0755);
65896 - if (err < 0)
65897 - goto out;
65898 -
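Review bot: this file casts with `(const char __user *)` while every other hunk in the patch (do_mounts.c, initramfs.c, do_mounts_md.c) uses `(char __user *)`; pick one spelling for the whole series, and since the pathnames are string literals the `const` form is the more accurate one to standardise on.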
65899 -@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
65900 - if (err < 0)
65901 - goto out;
65902 -
65903 -- err = sys_mkdir("/root", 0700);
65904 -+ err = sys_mkdir((const char __user *)"/root", 0700);
65905 - if (err < 0)
65906 - goto out;
65907 -
65908 -diff -Nurp linux-2.6.23.15/ipc/ipc_sysctl.c linux-2.6.23.15-grsec/ipc/ipc_sysctl.c
65909 ---- linux-2.6.23.15/ipc/ipc_sysctl.c 2007-10-09 21:31:38.000000000 +0100
65910 -+++ linux-2.6.23.15-grsec/ipc/ipc_sysctl.c 2008-02-11 10:37:45.000000000 +0000
65911 -@@ -161,7 +161,7 @@ static struct ctl_table ipc_kern_table[]
65912 - .proc_handler = proc_ipc_dointvec,
65913 - .strategy = sysctl_ipc_data,
65914 - },
65915 -- {}
65916 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
65917 - };
65918 -
65919 - static struct ctl_table ipc_root_table[] = {
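Review bot: replacing the `{}` terminator with an explicit 11-field positional initializer ties these tables to the exact member count of struct ctl_table, so the sentinel silently becomes wrong if a member is added or removed; if the intent is to quiet a missing-initializer warning, `{ .ctl_name = 0 }` does that without the fragility.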
65920 -@@ -171,7 +171,7 @@ static struct ctl_table ipc_root_table[]
65921 - .mode = 0555,
65922 - .child = ipc_kern_table,
65923 - },
65924 -- {}
65925 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
65926 - };
65927 -
65928 - static int __init ipc_sysctl_init(void)
65929 -diff -Nurp linux-2.6.23.15/ipc/msg.c linux-2.6.23.15-grsec/ipc/msg.c
65930 ---- linux-2.6.23.15/ipc/msg.c 2007-10-09 21:31:38.000000000 +0100
65931 -+++ linux-2.6.23.15-grsec/ipc/msg.c 2008-02-11 10:37:45.000000000 +0000
65932 -@@ -36,6 +36,7 @@
65933 - #include <linux/seq_file.h>
65934 - #include <linux/mutex.h>
65935 - #include <linux/nsproxy.h>
65936 -+#include <linux/grsecurity.h>
65937 -
65938 - #include <asm/current.h>
65939 - #include <asm/uaccess.h>
65940 -@@ -286,6 +287,8 @@ asmlinkage long sys_msgget(key_t key, in
65941 - }
65942 - mutex_unlock(&msg_ids(ns).mutex);
65943 -
65944 -+ gr_log_msgget(ret, msgflg);
65945 -+
65946 - return ret;
65947 - }
65948 -
65949 -@@ -552,6 +555,7 @@ asmlinkage long sys_msgctl(int msqid, in
65950 - break;
65951 - }
65952 - case IPC_RMID:
65953 -+ gr_log_msgrm(ipcp->uid, ipcp->cuid);
65954 - freeque(ns, msq, msqid);
65955 - break;
65956 - }
65957 -diff -Nurp linux-2.6.23.15/ipc/sem.c linux-2.6.23.15-grsec/ipc/sem.c
65958 ---- linux-2.6.23.15/ipc/sem.c 2007-10-09 21:31:38.000000000 +0100
65959 -+++ linux-2.6.23.15-grsec/ipc/sem.c 2008-02-11 10:37:45.000000000 +0000
65960 -@@ -82,6 +82,7 @@
65961 - #include <linux/seq_file.h>
65962 - #include <linux/mutex.h>
65963 - #include <linux/nsproxy.h>
65964 -+#include <linux/grsecurity.h>
65965 -
65966 - #include <asm/uaccess.h>
65967 - #include "util.h"
65968 -@@ -293,6 +294,9 @@ asmlinkage long sys_semget (key_t key, i
65969 - }
65970 -
65971 - mutex_unlock(&sem_ids(ns).mutex);
65972 -+
65973 -+ gr_log_semget(err, semflg);
65974 -+
65975 - return err;
65976 - }
65977 -
65978 -@@ -894,6 +898,7 @@ static int semctl_down(struct ipc_namesp
65979 -
65980 - switch(cmd){
65981 - case IPC_RMID:
65982 -+ gr_log_semrm(ipcp->uid, ipcp->cuid);
65983 - freeary(ns, sma, semid);
65984 - err = 0;
65985 - break;
65986 -diff -Nurp linux-2.6.23.15/ipc/shm.c linux-2.6.23.15-grsec/ipc/shm.c
65987 ---- linux-2.6.23.15/ipc/shm.c 2007-10-09 21:31:38.000000000 +0100
65988 -+++ linux-2.6.23.15-grsec/ipc/shm.c 2008-02-11 10:37:45.000000000 +0000
65989 -@@ -38,6 +38,7 @@
65990 - #include <linux/mutex.h>
65991 - #include <linux/nsproxy.h>
65992 - #include <linux/mount.h>
65993 -+#include <linux/grsecurity.h>
65994 -
65995 - #include <asm/uaccess.h>
65996 -
65997 -@@ -77,6 +78,14 @@ static void shm_destroy (struct ipc_name
65998 - static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
65999 - #endif
66000 -
66001 -+#ifdef CONFIG_GRKERNSEC
66002 -+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66003 -+ const time_t shm_createtime, const uid_t cuid,
66004 -+ const int shmid);
66005 -+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
66006 -+ const time_t shm_createtime);
66007 -+#endif
66008 -+
66009 - static void __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
66010 - {
66011 - ns->ids[IPC_SHM_IDS] = ids;
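Review bot: the two `extern int gr_handle_shmat(...)` / `gr_chroot_shmat(...)` prototypes added above `__shm_init_ns` belong in `<linux/grsecurity.h>`, which this file already includes in the previous hunk; a private declaration in shm.c lets the prototype drift from the definition without any compiler complaint, and a parameter list this specific (`const pid_t`, `const time_t`, `const uid_t`) is exactly what tends to diverge silently.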
66012 -@@ -89,6 +98,8 @@ static void __shm_init_ns(struct ipc_nam
66013 -
66014 - static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
66015 - {
66016 -+ gr_log_shmrm(shp->shm_perm.uid, shp->shm_perm.cuid);
66017 -+
66018 - if (shp->shm_nattch){
66019 - shp->shm_perm.mode |= SHM_DEST;
66020 - /* Do not find it any more */
66021 -@@ -216,6 +227,17 @@ static void shm_close(struct vm_area_str
66022 - shp->shm_lprid = current->tgid;
66023 - shp->shm_dtim = get_seconds();
66024 - shp->shm_nattch--;
66025 -+#ifdef CONFIG_GRKERNSEC_SHM
66026 -+ if (grsec_enable_shm) {
66027 -+ if (shp->shm_nattch == 0) {
66028 -+ shp->shm_perm.mode |= SHM_DEST;
66029 -+ shm_destroy(ns, shp);
66030 -+ } else
66031 -+ shm_unlock(shp);
66032 -+ mutex_unlock(&shm_ids(ns).mutex);
66033 -+ return;
66034 -+ }
66035 -+#endif
66036 - if(shp->shm_nattch == 0 &&
66037 - shp->shm_perm.mode & SHM_DEST)
66038 - shm_destroy(ns, shp);
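Review bot: the `CONFIG_GRKERNSEC_SHM` block in `shm_close` duplicates the function's unlock-and-return tail (`shm_unlock`, `mutex_unlock(&shm_ids(ns).mutex)`, `return`), so every future change to that tail has to be made twice. The only behavioural difference is destroying the segment on last detach even when `SHM_DEST` was never set, and that folds into the existing test: `if (shp->shm_nattch == 0 && ((shp->shm_perm.mode & SHM_DEST) || grsec_enable_shm)) shm_destroy(ns, shp);` with the `grsec_enable_shm` term under the ifdef. That keeps a single exit path and relies on `shm_destroy` consuming the segment lock exactly as the unchanged code already does (the `nattch == 0` branch calls it without a preceding `shm_unlock`).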
66039 -@@ -395,6 +417,9 @@ static int newseg (struct ipc_namespace
66040 - shp->shm_lprid = 0;
66041 - shp->shm_atim = shp->shm_dtim = 0;
66042 - shp->shm_ctim = get_seconds();
66043 -+#ifdef CONFIG_GRKERNSEC
66044 -+ shp->shm_createtime = get_seconds();
66045 -+#endif
66046 - shp->shm_segsz = size;
66047 - shp->shm_nattch = 0;
66048 - shp->id = shm_buildid(ns, id, shp->shm_perm.seq);
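Review bot: `shp->shm_createtime = get_seconds()` in `newseg` is a second clock read immediately after `shp->shm_ctim = get_seconds()`, so the two stamps can differ by one across a second boundary. Assign `shp->shm_createtime = shp->shm_ctim` instead, so the creation time that `gr_handle_shmat` later compares against is exactly the value recorded in `shm_ctim`.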
66049 -@@ -452,6 +477,8 @@ asmlinkage long sys_shmget (key_t key, s
66050 - }
66051 - mutex_unlock(&shm_ids(ns).mutex);
66052 -
66053 -+ gr_log_shmget(err, shmflg, size);
66054 -+
66055 - return err;
66056 - }
66057 -
66058 -@@ -905,9 +932,21 @@ long do_shmat(int shmid, char __user *sh
66059 - if (err)
66060 - goto out_unlock;
66061 -
66062 -+#ifdef CONFIG_GRKERNSEC
66063 -+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
66064 -+ shp->shm_perm.cuid, shmid) ||
66065 -+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
66066 -+ err = -EACCES;
66067 -+ goto out_unlock;
66068 -+ }
66069 -+#endif
66070 -+
66071 - path.dentry = dget(shp->shm_file->f_path.dentry);
66072 - path.mnt = mntget(shp->shm_file->f_path.mnt);
66073 - shp->shm_nattch++;
66074 -+#ifdef CONFIG_GRKERNSEC
66075 -+ shp->shm_lapid = current->pid;
66076 -+#endif
66077 - size = i_size_read(path.dentry->d_inode);
66078 - shm_unlock(shp);
66079 -
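Review bot: the `shp->shm_lapid = current->pid` store added after `shm_nattch++` in `do_shmat` records a thread id, while the `shp->shm_lprid = current->tgid` line visible in the `shm_close` hunk records the thread-group id; for a multithreaded process the two fields then identify different things, and `shm_lapid` is what `gr_handle_shmat` receives as the "last attach pid". Use `current->tgid` here as well, or document why the thread id is wanted. The `-EACCES` early exit is correctly placed before the `dget`/`mntget` references are taken, so a denial leaks nothing.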
66080 -@@ -1111,3 +1150,27 @@ static int sysvipc_shm_proc_show(struct
66081 - shp->shm_ctim);
66082 - }
66083 - #endif
66084 -+
66085 -+void gr_shm_exit(struct task_struct *task)
66086 -+{
66087 -+#ifdef CONFIG_GRKERNSEC_SHM
66088 -+ int i;
66089 -+ struct shmid_kernel *shp;
66090 -+ struct ipc_namespace *ns;
66091 -+
66092 -+ ns = current->nsproxy->ipc_ns;
66093 -+
66094 -+ if (!grsec_enable_shm)
66095 -+ return;
66096 -+
66097 -+ for (i = 0; i <= shm_ids(ns).max_id; i++) {
66098 -+ shp = shm_get(ns, i);
66099 -+ if (shp && (shp->shm_cprid == task->pid) &&
66100 -+ (shp->shm_nattch <= 0)) {
66101 -+ shp->shm_perm.mode |= SHM_DEST;
66102 -+ shm_destroy(ns, shp);
66103 -+ }
66104 -+ }
66105 -+#endif
66106 -+ return;
66107 -+}
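Review bot: `gr_shm_exit` walks up to `shm_ids(ns).max_id` and calls `shm_destroy` on each matching segment without holding `shm_ids(ns).mutex` and without `shm_lock` on the segment, yet the `shm_close` hunk above shows `shm_destroy` being invoked on a locked segment and consuming that lock (no `shm_unlock` in the `nattch == 0` branch, an explicit one in the other). Take the ids mutex around the loop and lock each `shp` before destroying it, mirroring `shm_close`. Two smaller points: `shp->shm_nattch <= 0` on an unsigned counter (`shm_nattch` is an `unsigned long` in 2.6.23) reads as `== 0`, so write that; and the function derives `ns` from `current` while its parameter is `task`. The only caller added in this patch, `do_exit`, passes `tsk`, which is `current` there, so either drop the parameter or use `task->nsproxy->ipc_ns` consistently.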
66108 -diff -Nurp linux-2.6.23.15/kernel/acct.c linux-2.6.23.15-grsec/kernel/acct.c
66109 ---- linux-2.6.23.15/kernel/acct.c 2007-10-09 21:31:38.000000000 +0100
66110 -+++ linux-2.6.23.15-grsec/kernel/acct.c 2008-02-11 10:37:45.000000000 +0000
66111 -@@ -511,7 +511,7 @@ static void do_acct_process(struct file
66112 - */
66113 - flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
66114 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
66115 -- file->f_op->write(file, (char *)&ac,
66116 -+ file->f_op->write(file, (char __user *)&ac,
66117 - sizeof(acct_t), &file->f_pos);
66118 - current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
66119 - set_fs(fs);
66120 -diff -Nurp linux-2.6.23.15/kernel/capability.c linux-2.6.23.15-grsec/kernel/capability.c
66121 ---- linux-2.6.23.15/kernel/capability.c 2007-10-09 21:31:38.000000000 +0100
66122 -+++ linux-2.6.23.15-grsec/kernel/capability.c 2008-02-11 10:37:45.000000000 +0000
66123 -@@ -12,6 +12,7 @@
66124 - #include <linux/module.h>
66125 - #include <linux/security.h>
66126 - #include <linux/syscalls.h>
66127 -+#include <linux/grsecurity.h>
66128 - #include <asm/uaccess.h>
66129 -
66130 - unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
66131 -@@ -236,14 +237,25 @@ out:
66132 - return ret;
66133 - }
66134 -
66135 -+extern int gr_task_is_capable(struct task_struct *task, const int cap);
66136 -+extern int gr_is_capable_nolog(const int cap);
66137 -+
66138 - int __capable(struct task_struct *t, int cap)
66139 - {
66140 -- if (security_capable(t, cap) == 0) {
66141 -+ if ((security_capable(t, cap) == 0) && gr_task_is_capable(t, cap)) {
66142 - t->flags |= PF_SUPERPRIV;
66143 - return 1;
66144 - }
66145 - return 0;
66146 - }
66147 -+int capable_nolog(int cap)
66148 -+{
66149 -+ if ((security_capable(current, cap) == 0) && gr_is_capable_nolog(cap)) {
66150 -+ current->flags |= PF_SUPERPRIV;
66151 -+ return 1;
66152 -+ }
66153 -+ return 0;
66154 -+}
66155 - EXPORT_SYMBOL(__capable);
66156 -
66157 - int capable(int cap)
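Review bot: `capable_nolog` reproduces the body of `__capable` with `current` and `gr_is_capable_nolog` substituted, and is inserted between `__capable` and its `EXPORT_SYMBOL(__capable)` line, which separates a function from its export; move the new function below that export and have both call one static helper that takes the grsec predicate result as an argument. The new function also gets no prototype anywhere in this hunk, so callers in other files depend on an implicit declaration unless one is added to `<linux/grsecurity.h>`. Worth noting for readers of the policy: `security_capable` is evaluated first and short-circuits, so the grsec check (and its logging, in the `__capable` case) only runs once the LSM has already granted the capability.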
66158 -@@ -251,3 +263,4 @@ int capable(int cap)
66159 - return __capable(current, cap);
66160 - }
66161 - EXPORT_SYMBOL(capable);
66162 -+EXPORT_SYMBOL(capable_nolog);
66163 -diff -Nurp linux-2.6.23.15/kernel/configs.c linux-2.6.23.15-grsec/kernel/configs.c
66164 ---- linux-2.6.23.15/kernel/configs.c 2007-10-09 21:31:38.000000000 +0100
66165 -+++ linux-2.6.23.15-grsec/kernel/configs.c 2008-02-11 10:37:45.000000000 +0000
66166 -@@ -79,8 +79,16 @@ static int __init ikconfig_init(void)
66167 - struct proc_dir_entry *entry;
66168 -
66169 - /* create the current config file */
66170 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66171 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
66172 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
66173 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
66174 -+ entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
66175 -+#endif
66176 -+#else
66177 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUGO,
66178 - &proc_root);
66179 -+#endif
66180 - if (!entry)
66181 - return -ENOMEM;
66182 -
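Review bot: `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` in `ikconfig_init` leaves `entry` uninitialised when `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `PROC_USER` nor `PROC_USERGROUP` is defined, and the following `if (!entry)` then tests garbage. Even if Kconfig currently forces one of the two, a plain `#else` fallback (or `#elif defined(...)` plus `#else #error`) makes that invariant explicit; the kallsyms.c hunk below has the same pattern.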
66183 -diff -Nurp linux-2.6.23.15/kernel/exit.c linux-2.6.23.15-grsec/kernel/exit.c
66184 ---- linux-2.6.23.15/kernel/exit.c 2008-02-11 10:36:03.000000000 +0000
66185 -+++ linux-2.6.23.15-grsec/kernel/exit.c 2008-02-11 10:37:45.000000000 +0000
66186 -@@ -45,6 +45,11 @@
66187 - #include <linux/blkdev.h>
66188 - #include <linux/task_io_accounting_ops.h>
66189 - #include <linux/freezer.h>
66190 -+#include <linux/grsecurity.h>
66191 -+
66192 -+#ifdef CONFIG_GRKERNSEC
66193 -+extern rwlock_t grsec_exec_file_lock;
66194 -+#endif
66195 -
66196 - #include <asm/uaccess.h>
66197 - #include <asm/unistd.h>
66198 -@@ -123,6 +128,7 @@ static void __exit_signal(struct task_st
66199 -
66200 - __unhash_process(tsk);
66201 -
66202 -+ gr_del_task_from_ip_table(tsk);
66203 - tsk->signal = NULL;
66204 - tsk->sighand = NULL;
66205 - spin_unlock(&sighand->siglock);
66206 -@@ -274,12 +280,23 @@ static void reparent_to_kthreadd(void)
66207 - {
66208 - write_lock_irq(&tasklist_lock);
66209 -
66210 -+#ifdef CONFIG_GRKERNSEC
66211 -+ write_lock(&grsec_exec_file_lock);
66212 -+ if (current->exec_file) {
66213 -+ fput(current->exec_file);
66214 -+ current->exec_file = NULL;
66215 -+ }
66216 -+ write_unlock(&grsec_exec_file_lock);
66217 -+#endif
66218 -+
66219 - ptrace_unlink(current);
66220 - /* Reparent to init */
66221 - remove_parent(current);
66222 - current->real_parent = current->parent = kthreadd_task;
66223 - add_parent(current);
66224 -
66225 -+ gr_set_kernel_label(current);
66226 -+
66227 - /* Set the exit signal to SIGCHLD so we signal init on exit */
66228 - current->exit_signal = SIGCHLD;
66229 -
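Review bot: the new `exec_file` release in `reparent_to_kthreadd` runs inside `write_lock_irq(&tasklist_lock)` and additionally under `grsec_exec_file_lock`; `fput()` may sleep when it drops the last reference to a file (the `release` callback, `dput`, `mntput`), so it must not be called with either spinlock held. Swap the pointer out under the lock (`f = current->exec_file; current->exec_file = NULL;`), release the locks, and `fput(f)` afterwards, outside `tasklist_lock` as well.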
66230 -@@ -374,6 +391,17 @@ void daemonize(const char *name, ...)
66231 - vsnprintf(current->comm, sizeof(current->comm), name, args);
66232 - va_end(args);
66233 -
66234 -+#ifdef CONFIG_GRKERNSEC
66235 -+ write_lock(&grsec_exec_file_lock);
66236 -+ if (current->exec_file) {
66237 -+ fput(current->exec_file);
66238 -+ current->exec_file = NULL;
66239 -+ }
66240 -+ write_unlock(&grsec_exec_file_lock);
66241 -+#endif
66242 -+
66243 -+ gr_set_kernel_label(current);
66244 -+
66245 - /*
66246 - * If we were started as result of loading a module, close all of the
66247 - * user space pages. We don't need them, and if we didn't close them
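Review bot: the `exec_file` block in `daemonize` is a verbatim copy of the one added to `reparent_to_kthreadd` in the previous hunk and shares its `fput()`-under-`grsec_exec_file_lock` problem. Factor both into a single helper (say `gr_clear_exec_file(current)`) that detaches the pointer under the lock and calls `fput()` after dropping it; each call site then becomes one line next to the `gr_set_kernel_label(current)` that follows it.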
66248 -@@ -969,11 +997,15 @@ fastcall NORET_TYPE void do_exit(long co
66249 - tsk->exit_code = code;
66250 - taskstats_exit(tsk, group_dead);
66251 -
66252 -+ gr_acl_handle_psacct(tsk, code);
66253 -+ gr_acl_handle_exit();
66254 -+
66255 - exit_mm(tsk);
66256 -
66257 - if (group_dead)
66258 - acct_process();
66259 - exit_sem(tsk);
66260 -+ gr_shm_exit(tsk);
66261 - __exit_files(tsk);
66262 - __exit_fs(tsk);
66263 - check_stack_usage();
66264 -@@ -1174,7 +1206,7 @@ static int wait_task_zombie(struct task_
66265 - pid_t pid = p->pid;
66266 - uid_t uid = p->uid;
66267 - int exit_code = p->exit_code;
66268 -- int why, status;
66269 -+ int why;
66270 -
66271 - if (unlikely(p->exit_state != EXIT_ZOMBIE))
66272 - return 0;
66273 -diff -Nurp linux-2.6.23.15/kernel/fork.c linux-2.6.23.15-grsec/kernel/fork.c
66274 ---- linux-2.6.23.15/kernel/fork.c 2008-02-11 10:36:03.000000000 +0000
66275 -+++ linux-2.6.23.15-grsec/kernel/fork.c 2008-02-11 10:37:45.000000000 +0000
66276 -@@ -50,6 +50,7 @@
66277 - #include <linux/taskstats_kern.h>
66278 - #include <linux/random.h>
66279 - #include <linux/tty.h>
66280 -+#include <linux/grsecurity.h>
66281 -
66282 - #include <asm/pgtable.h>
66283 - #include <asm/pgalloc.h>
66284 -@@ -181,7 +182,7 @@ static struct task_struct *dup_task_stru
66285 - setup_thread_stack(tsk, orig);
66286 -
66287 - #ifdef CONFIG_CC_STACKPROTECTOR
66288 -- tsk->stack_canary = get_random_int();
66289 -+ tsk->stack_canary = pax_get_random_long();
66290 - #endif
66291 -
66292 - /* One for us, one for whoever does the "release_task()" (usually parent) */
66293 -@@ -203,6 +204,10 @@ static inline int dup_mmap(struct mm_str
66294 - unsigned long charge;
66295 - struct mempolicy *pol;
66296 -
66297 -+#ifdef CONFIG_PAX_SEGMEXEC
66298 -+ struct vm_area_struct *mpnt_m;
66299 -+#endif
66300 -+
66301 - down_write(&oldmm->mmap_sem);
66302 - flush_cache_dup_mm(oldmm);
66303 - /*
66304 -@@ -213,8 +218,8 @@ static inline int dup_mmap(struct mm_str
66305 - mm->locked_vm = 0;
66306 - mm->mmap = NULL;
66307 - mm->mmap_cache = NULL;
66308 -- mm->free_area_cache = oldmm->mmap_base;
66309 -- mm->cached_hole_size = ~0UL;
66310 -+ mm->free_area_cache = oldmm->free_area_cache;
66311 -+ mm->cached_hole_size = oldmm->cached_hole_size;
66312 - mm->map_count = 0;
66313 - cpus_clear(mm->cpu_vm_mask);
66314 - mm->mm_rb = RB_ROOT;
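Review bot: copying `free_area_cache` and `cached_hole_size` from `oldmm` in `dup_mmap`, instead of resetting them to `oldmm->mmap_base` and `~0UL`, is a behaviour change with no rationale visible in the hunk. It is only valid because the whole vma list is duplicated further down, so the parent's hint describes the child's layout too; a one-line comment saying that (and why the reset was undesirable) should accompany the change.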
66315 -@@ -233,6 +238,7 @@ static inline int dup_mmap(struct mm_str
66316 - continue;
66317 - }
66318 - charge = 0;
66319 -+
66320 - if (mpnt->vm_flags & VM_ACCOUNT) {
66321 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
66322 - if (security_vm_enough_memory(len))
66323 -@@ -251,6 +257,7 @@ static inline int dup_mmap(struct mm_str
66324 - tmp->vm_flags &= ~VM_LOCKED;
66325 - tmp->vm_mm = mm;
66326 - tmp->vm_next = NULL;
66327 -+ tmp->vm_mirror = NULL;
66328 - anon_vma_link(tmp);
66329 - file = tmp->vm_file;
66330 - if (file) {
66331 -@@ -287,6 +294,29 @@ static inline int dup_mmap(struct mm_str
66332 - if (retval)
66333 - goto out;
66334 - }
66335 -+
66336 -+#ifdef CONFIG_PAX_SEGMEXEC
66337 -+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
66338 -+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
66339 -+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
66340 -+
66341 -+ if (!mpnt->vm_mirror)
66342 -+ continue;
66343 -+
66344 -+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
66345 -+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
66346 -+ mpnt->vm_mirror = mpnt_m;
66347 -+ } else {
66348 -+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
66349 -+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
66350 -+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
66351 -+ mpnt->vm_mirror->vm_mirror = mpnt;
66352 -+ }
66353 -+ }
66354 -+ BUG_ON(mpnt_m);
66355 -+ }
66356 -+#endif
66357 -+
66358 - /* a new mm has just been created */
66359 - arch_dup_mmap(oldmm, mm);
66360 - retval = 0;
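Review bot: the `CONFIG_PAX_SEGMEXEC` re-linking loop in `dup_mmap` walks `oldmm->mmap` and `mm->mmap` in lockstep and `BUG_ON`s on any mismatch, but the `continue` visible at the top of the `@@ -233,6` hunk shows `dup_mmap` can skip a parent vma without creating a child copy; that desynchronises the two lists and fires `BUG_ON(!mpnt_m || ...)`. Either state in a comment why no vma of a SEGMEXEC mm can take that path, or handle the skipped case explicitly. The algorithm itself also deserves a comment: the lower (real) vma first has its `vm_mirror` temporarily pointed at its child copy, the upper (mirror) vma then reaches that copy through `vm_mirror->vm_mirror`, links the two child vmas and restores the parent's pointer. Without that explanation the cross-mm pointer parked in `oldmm` looks like a bug rather than a deliberate two-step.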
66361 -@@ -464,7 +494,7 @@ void mm_release(struct task_struct *tsk,
66362 - if (tsk->clear_child_tid
66363 - && !(tsk->flags & PF_SIGNALED)
66364 - && atomic_read(&mm->mm_users) > 1) {
66365 -- u32 __user * tidptr = tsk->clear_child_tid;
66366 -+ pid_t __user * tidptr = tsk->clear_child_tid;
66367 - tsk->clear_child_tid = NULL;
66368 -
66369 - /*
66370 -@@ -472,7 +502,7 @@ void mm_release(struct task_struct *tsk,
66371 - * not set up a proper pointer then tough luck.
66372 - */
66373 - put_user(0, tidptr);
66374 -- sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
66375 -+ sys_futex((u32 __user *)tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);
66376 - }
66377 - }
66378 -
66379 -@@ -1001,6 +1031,9 @@ static struct task_struct *copy_process(
66380 - DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
66381 - #endif
66382 - retval = -EAGAIN;
66383 -+
66384 -+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->user->processes), 0);
66385 -+
66386 - if (atomic_read(&p->user->processes) >=
66387 - p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
66388 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
66389 -@@ -1140,6 +1173,8 @@ static struct task_struct *copy_process(
66390 - if (retval)
66391 - goto bad_fork_cleanup_namespaces;
66392 -
66393 -+ gr_copy_label(p);
66394 -+
66395 - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
66396 - /*
66397 - * Clear TID on mm_release()?
66398 -@@ -1318,6 +1353,8 @@ bad_fork_cleanup_count:
66399 - bad_fork_free:
66400 - free_task(p);
66401 - fork_out:
66402 -+ gr_log_forkfail(retval);
66403 -+
66404 - return ERR_PTR(retval);
66405 - }
66406 -
66407 -@@ -1391,6 +1428,8 @@ long do_fork(unsigned long clone_flags,
66408 - if (!IS_ERR(p)) {
66409 - struct completion vfork;
66410 -
66411 -+ gr_handle_brute_check();
66412 -+
66413 - if (clone_flags & CLONE_VFORK) {
66414 - p->vfork_done = &vfork;
66415 - init_completion(&vfork);
66416 -diff -Nurp linux-2.6.23.15/kernel/futex.c linux-2.6.23.15-grsec/kernel/futex.c
66417 ---- linux-2.6.23.15/kernel/futex.c 2008-02-11 10:36:03.000000000 +0000
66418 -+++ linux-2.6.23.15-grsec/kernel/futex.c 2008-02-11 10:37:45.000000000 +0000
66419 -@@ -186,6 +186,11 @@ int get_futex_key(u32 __user *uaddr, str
66420 - struct page *page;
66421 - int err;
66422 -
66423 -+#ifdef CONFIG_PAX_SEGMEXEC
66424 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
66425 -+ return -EFAULT;
66426 -+#endif
66427 -+
66428 - /*
66429 - * The futex address must be "naturally" aligned.
66430 - */
66431 -@@ -212,8 +217,8 @@ int get_futex_key(u32 __user *uaddr, str
66432 - * The futex is hashed differently depending on whether
66433 - * it's in a shared or private mapping. So check vma first.
66434 - */
66435 -- vma = find_extend_vma(mm, address);
66436 -- if (unlikely(!vma))
66437 -+ vma = find_vma(mm, address);
66438 -+ if (unlikely(!vma || address < vma->vm_start))
66439 - return -EFAULT;
66440 -
66441 - /*
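Review bot: replacing `find_extend_vma` with `find_vma` plus `address < vma->vm_start` in `get_futex_key` removes the automatic stack growth the original performed, so a futex word placed just below the current bottom of the stack vma now fails with `-EFAULT` where it used to extend the stack. That is a defensible tightening (computing a key should not change the address space), but unlike the SEGMEXEC range check in the previous hunk it is not obviously PaX-specific, so the intent should be recorded in a comment next to the new test.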
66442 -@@ -1922,7 +1927,7 @@ retry:
66443 - */
66444 - static inline int fetch_robust_entry(struct robust_list __user **entry,
66445 - struct robust_list __user * __user *head,
66446 -- int *pi)
66447 -+ unsigned int *pi)
66448 - {
66449 - unsigned long uentry;
66450 -
66451 -diff -Nurp linux-2.6.23.15/kernel/irq/handle.c linux-2.6.23.15-grsec/kernel/irq/handle.c
66452 ---- linux-2.6.23.15/kernel/irq/handle.c 2007-10-09 21:31:38.000000000 +0100
66453 -+++ linux-2.6.23.15-grsec/kernel/irq/handle.c 2008-02-11 10:37:45.000000000 +0000
66454 -@@ -55,7 +55,8 @@ struct irq_desc irq_desc[NR_IRQS] __cach
66455 - .depth = 1,
66456 - .lock = __SPIN_LOCK_UNLOCKED(irq_desc->lock),
66457 - #ifdef CONFIG_SMP
66458 -- .affinity = CPU_MASK_ALL
66459 -+ .affinity = CPU_MASK_ALL,
66460 -+ .cpu = 0,
66461 - #endif
66462 - }
66463 - };
66464 -diff -Nurp linux-2.6.23.15/kernel/kallsyms.c linux-2.6.23.15-grsec/kernel/kallsyms.c
66465 ---- linux-2.6.23.15/kernel/kallsyms.c 2007-10-09 21:31:38.000000000 +0100
66466 -+++ linux-2.6.23.15-grsec/kernel/kallsyms.c 2008-02-11 10:37:45.000000000 +0000
66467 -@@ -65,6 +65,19 @@ static inline int is_kernel_text(unsigne
66468 -
66469 - static inline int is_kernel(unsigned long addr)
66470 - {
66471 -+
66472 -+#ifdef CONFIG_PAX_KERNEXEC
66473 -+
66474 -+#ifdef CONFIG_MODULES
66475 -+ if ((unsigned long)MODULES_VADDR <= addr + __KERNEL_TEXT_OFFSET &&
66476 -+ addr + __KERNEL_TEXT_OFFSET < (unsigned long)MODULES_END)
66477 -+ return 0;
66478 -+#endif
66479 -+
66480 -+ if (is_kernel_inittext(addr))
66481 -+ return 1;
66482 -+#endif
66483 -+
66484 - if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
66485 - return 1;
66486 - return in_gate_area_no_task(addr);
66487 -@@ -373,7 +386,6 @@ static unsigned long get_ksymbol_core(st
66488 -
66489 - static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
66490 - {
66491 -- iter->name[0] = '\0';
66492 - iter->nameoff = get_symbol_offset(new_pos);
66493 - iter->pos = new_pos;
66494 - }
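Review bot: dropping `iter->name[0] = '\0'` from `reset_iter` means a re-seek no longer clears the previously decoded symbol name, and the `kzalloc` in the next hunk only zeroes the buffer once at open time; `reset_iter` is called from `kallsyms_open` right after that allocation and on every later repositioning. The change is only safe if nothing downstream treats an empty `name` as "skip this entry" (`s_show` in this file did exactly that in 2.6.23), so either state the invariant that every reposition is followed by an `update_iter` that rewrites `name`, or keep the reset.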
66495 -@@ -457,7 +469,7 @@ static int kallsyms_open(struct inode *i
66496 - struct kallsym_iter *iter;
66497 - int ret;
66498 -
66499 -- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
66500 -+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
66501 - if (!iter)
66502 - return -ENOMEM;
66503 - reset_iter(iter, 0);
66504 -@@ -481,7 +493,15 @@ static int __init kallsyms_init(void)
66505 - {
66506 - struct proc_dir_entry *entry;
66507 -
66508 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66509 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
66510 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
66511 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
66512 -+ entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
66513 -+#endif
66514 -+#else
66515 - entry = create_proc_entry("kallsyms", 0444, NULL);
66516 -+#endif
66517 - if (entry)
66518 - entry->proc_fops = &kallsyms_operations;
66519 - return 0;
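Review bot: `kallsyms_init` has the same `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` pattern as configs.c: with `CONFIG_GRKERNSEC_PROC_ADD` set and neither sub-option defined, `entry` is never assigned before `if (entry)`. Add an `#else` branch (or `#error`) so that configuration cannot compile into an uninitialised read; selecting the mode into one variable under the ifdefs and keeping a single `create_proc_entry` call would also remove the triplicated call in both files.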
66520 -diff -Nurp linux-2.6.23.15/kernel/kprobes.c linux-2.6.23.15-grsec/kernel/kprobes.c
66521 ---- linux-2.6.23.15/kernel/kprobes.c 2007-10-09 21:31:38.000000000 +0100
66522 -+++ linux-2.6.23.15-grsec/kernel/kprobes.c 2008-02-11 10:37:45.000000000 +0000
66523 -@@ -168,7 +168,7 @@ kprobe_opcode_t __kprobes *get_insn_slot
66524 - * kernel image and loaded module images reside. This is required
66525 - * so x86_64 can correctly handle the %rip-relative fixups.
66526 - */
66527 -- kip->insns = module_alloc(PAGE_SIZE);
66528 -+ kip->insns = module_alloc_exec(PAGE_SIZE);
66529 - if (!kip->insns) {
66530 - kfree(kip);
66531 - return NULL;
66532 -@@ -200,7 +200,7 @@ static int __kprobes collect_one_slot(st
66533 - hlist_add_head(&kip->hlist,
66534 - &kprobe_insn_pages);
66535 - } else {
66536 -- module_free(NULL, kip->insns);
66537 -+ module_free_exec(NULL, kip->insns);
66538 - kfree(kip);
66539 - }
66540 - return 1;
66541 -diff -Nurp linux-2.6.23.15/kernel/module.c linux-2.6.23.15-grsec/kernel/module.c
66542 ---- linux-2.6.23.15/kernel/module.c 2007-10-09 21:31:38.000000000 +0100
66543 -+++ linux-2.6.23.15-grsec/kernel/module.c 2008-02-11 10:37:45.000000000 +0000
66544 -@@ -44,6 +44,11 @@
66545 - #include <asm/uaccess.h>
66546 - #include <asm/semaphore.h>
66547 - #include <asm/cacheflush.h>
66548 -+
66549 -+#ifdef CONFIG_PAX_KERNEXEC
66550 -+#include <asm/desc.h>
66551 -+#endif
66552 -+
66553 - #include <linux/license.h>
66554 -
66555 - extern int module_sysfs_initialized;
66556 -@@ -68,6 +73,8 @@ static LIST_HEAD(modules);
66557 -
66558 - static BLOCKING_NOTIFIER_HEAD(module_notify_list);
66559 -
66560 -+extern int gr_check_modstop(void);
66561 -+
66562 - int register_module_notifier(struct notifier_block * nb)
66563 - {
66564 - return blocking_notifier_chain_register(&module_notify_list, nb);
66565 -@@ -347,7 +354,7 @@ static void *percpu_modalloc(unsigned lo
66566 - unsigned int i;
66567 - void *ptr;
66568 -
66569 -- if (align > PAGE_SIZE) {
66570 -+ if (align-1 >= PAGE_SIZE) {
66571 - printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
66572 - name, align, PAGE_SIZE);
66573 - align = PAGE_SIZE;
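Review bot: `if (align-1 >= PAGE_SIZE)` in `percpu_modalloc` now also catches `align == 0` (the unsigned subtraction wraps to `ULONG_MAX`), which is a genuine improvement because a zero alignment would otherwise reach the rounding arithmetic below, but the unchanged `printk` then reports "per-cpu alignment 0 > PAGE_SIZE", which is misleading. Spell the intent out instead: `if (!align || align > PAGE_SIZE)`, with the zero case getting its own message.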
66574 -@@ -660,6 +667,9 @@ sys_delete_module(const char __user *nam
66575 - char name[MODULE_NAME_LEN];
66576 - int ret, forced = 0;
66577 -
66578 -+ if (gr_check_modstop())
66579 -+ return -EPERM;
66580 -+
66581 - if (!capable(CAP_SYS_MODULE))
66582 - return -EPERM;
66583 -
66584 -@@ -1209,16 +1219,19 @@ static void free_module(struct module *m
66585 - module_unload_free(mod);
66586 -
66587 - /* This may be NULL, but that's OK */
66588 -- module_free(mod, mod->module_init);
66589 -+ module_free(mod, mod->module_init_rw);
66590 -+ module_free_exec(mod, mod->module_init_rx);
66591 - kfree(mod->args);
66592 - if (mod->percpu)
66593 - percpu_modfree(mod->percpu);
66594 -
66595 - /* Free lock-classes: */
66596 -- lockdep_free_key_range(mod->module_core, mod->core_size);
66597 -+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
66598 -+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
66599 -
66600 - /* Finally, free the core (containing the module structure) */
66601 -- module_free(mod, mod->module_core);
66602 -+ module_free_exec(mod, mod->module_core_rx);
66603 -+ module_free(mod, mod->module_core_rw);
66604 - }
66605 -
66606 - void *__symbol_get(const char *symbol)
66607 -@@ -1279,10 +1292,14 @@ static int simplify_symbols(Elf_Shdr *se
66608 - struct module *mod)
66609 - {
66610 - Elf_Sym *sym = (void *)sechdrs[symindex].sh_addr;
66611 -- unsigned long secbase;
66612 -+ unsigned long secbase, symbol;
66613 - unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66614 - int ret = 0;
66615 -
66616 -+#ifdef CONFIG_PAX_KERNEXEC
66617 -+ unsigned long cr0;
66618 -+#endif
66619 -+
66620 - for (i = 1; i < n; i++) {
66621 - switch (sym[i].st_shndx) {
66622 - case SHN_COMMON:
66623 -@@ -1301,10 +1318,19 @@ static int simplify_symbols(Elf_Shdr *se
66624 - break;
66625 -
66626 - case SHN_UNDEF:
66627 -- sym[i].st_value
66628 -- = resolve_symbol(sechdrs, versindex,
66629 -+ symbol = resolve_symbol(sechdrs, versindex,
66630 - strtab + sym[i].st_name, mod);
66631 -
66632 -+#ifdef CONFIG_PAX_KERNEXEC
66633 -+ pax_open_kernel(cr0);
66634 -+#endif
66635 -+
66636 -+ sym[i].st_value = symbol;
66637 -+
66638 -+#ifdef CONFIG_PAX_KERNEXEC
66639 -+ pax_close_kernel(cr0);
66640 -+#endif
66641 -+
66642 - /* Ok if resolved. */
66643 - if (sym[i].st_value != 0)
66644 - break;
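Review bot: the `pax_open_kernel(cr0)`/`pax_close_kernel(cr0)` pairs in `simplify_symbols` bracket each single `sym[i].st_value` store, which keeps the write-enabled window minimal, but the same four-line ifdef block is repeated around every store here, in the `default:` branch below and in `add_kallsyms`; a small helper that opens, stores and closes under `CONFIG_PAX_KERNEXEC` and degrades to a plain assignment otherwise would make the intent visible. More importantly, why these stores need write access at all is never stated: the symbol table is an `SHF_ALLOC`, non-`SHF_WRITE` section and therefore, by the placement rule in `layout_sections` below, lives in the read-only `core_size_rx` region. Put that sentence in a comment at the first `pax_open_kernel` so nobody removes the pair as redundant.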
66645 -@@ -1319,11 +1345,27 @@ static int simplify_symbols(Elf_Shdr *se
66646 -
66647 - default:
66648 - /* Divert to percpu allocation if a percpu var. */
66649 -- if (sym[i].st_shndx == pcpuindex)
66650 -+ if (sym[i].st_shndx == pcpuindex) {
66651 -+
66652 -+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
66653 -+ secbase = (unsigned long)mod->percpu - (unsigned long)__per_cpu_start;
66654 -+#else
66655 - secbase = (unsigned long)mod->percpu;
66656 -- else
66657 -+#endif
66658 -+
66659 -+ } else
66660 - secbase = sechdrs[sym[i].st_shndx].sh_addr;
66661 -+
66662 -+#ifdef CONFIG_PAX_KERNEXEC
66663 -+ pax_open_kernel(cr0);
66664 -+#endif
66665 -+
66666 - sym[i].st_value += secbase;
66667 -+
66668 -+#ifdef CONFIG_PAX_KERNEXEC
66669 -+ pax_close_kernel(cr0);
66670 -+#endif
66671 -+
66672 - break;
66673 - }
66674 - }
66675 -@@ -1375,11 +1417,14 @@ static void layout_sections(struct modul
66676 - || strncmp(secstrings + s->sh_name,
66677 - ".init", 5) == 0)
66678 - continue;
66679 -- s->sh_entsize = get_offset(&mod->core_size, s);
66680 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66681 -+ s->sh_entsize = get_offset(&mod->core_size_rw, s);
66682 -+ else
66683 -+ s->sh_entsize = get_offset(&mod->core_size_rx, s);
66684 - DEBUGP("\t%s\n", secstrings + s->sh_name);
66685 - }
66686 - if (m == 0)
66687 -- mod->core_text_size = mod->core_size;
66688 -+ mod->core_size_rx = mod->core_size_rx;
66689 - }
66690 -
66691 - DEBUGP("Init section allocation order:\n");
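Review bot: `mod->core_size_rx = mod->core_size_rx;` in `layout_sections` is a self-assignment and therefore dead code. The original `core_text_size = core_size` snapshot at `m == 0` recorded where the text sections end before read-only data is appended, and that information is now lost (the `get_ksymbol` hunk later uses `core_size_rx`, i.e. text plus rodata, as the `nextval` bound). Either delete the two lines or keep a real `core_text_size` field and assign it here.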
66692 -@@ -1393,12 +1438,15 @@ static void layout_sections(struct modul
66693 - || strncmp(secstrings + s->sh_name,
66694 - ".init", 5) != 0)
66695 - continue;
66696 -- s->sh_entsize = (get_offset(&mod->init_size, s)
66697 -- | INIT_OFFSET_MASK);
66698 -+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66699 -+ s->sh_entsize = get_offset(&mod->init_size_rw, s);
66700 -+ else
66701 -+ s->sh_entsize = get_offset(&mod->init_size_rx, s);
66702 -+ s->sh_entsize |= INIT_OFFSET_MASK;
66703 - DEBUGP("\t%s\n", secstrings + s->sh_name);
66704 - }
66705 - if (m == 0)
66706 -- mod->init_text_size = mod->init_size;
66707 -+ mod->init_size_rx = mod->init_size_rx;
66708 - }
66709 - }
66710 -
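Review bot: `mod->init_size_rx = mod->init_size_rx;` is the same self-assignment as in the core-section loop above and should likewise be removed or replaced by a real `init_text_size` snapshot. The restructured `s->sh_entsize |= INIT_OFFSET_MASK;` now tags both rw and rx init sections, which is correct and matches the `INIT_OFFSET_MASK` test in the section-copy loop of `load_module`.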
66711 -@@ -1525,14 +1573,31 @@ static void add_kallsyms(struct module *
66712 - {
66713 - unsigned int i;
66714 -
66715 -+#ifdef CONFIG_PAX_KERNEXEC
66716 -+ unsigned long cr0;
66717 -+#endif
66718 -+
66719 - mod->symtab = (void *)sechdrs[symindex].sh_addr;
66720 - mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66721 - mod->strtab = (void *)sechdrs[strindex].sh_addr;
66722 -
66723 - /* Set types up while we still have access to sections. */
66724 -- for (i = 0; i < mod->num_symtab; i++)
66725 -- mod->symtab[i].st_info
66726 -- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
66727 -+
66728 -+ for (i = 0; i < mod->num_symtab; i++) {
66729 -+ char type = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
66730 -+
66731 -+#ifdef CONFIG_PAX_KERNEXEC
66732 -+ pax_open_kernel(cr0);
66733 -+#endif
66734 -+
66735 -+ mod->symtab[i].st_info = type;
66736 -+
66737 -+#ifdef CONFIG_PAX_KERNEXEC
66738 -+ pax_close_kernel(cr0);
66739 -+#endif
66740 -+
66741 -+ }
66742 -+
66743 - }
66744 - #else
66745 - static inline void add_kallsyms(struct module *mod,
66746 -@@ -1580,6 +1645,10 @@ static struct module *load_module(void _
66747 - struct exception_table_entry *extable;
66748 - mm_segment_t old_fs;
66749 -
66750 -+#ifdef CONFIG_PAX_KERNEXEC
66751 -+ unsigned long cr0;
66752 -+#endif
66753 -+
66754 - DEBUGP("load_module: umod=%p, len=%lu, uargs=%p\n",
66755 - umod, len, uargs);
66756 - if (len < sizeof(*hdr))
66757 -@@ -1738,21 +1807,57 @@ static struct module *load_module(void _
66758 - layout_sections(mod, hdr, sechdrs, secstrings);
66759 -
66760 - /* Do the allocs. */
66761 -- ptr = module_alloc(mod->core_size);
66762 -+ ptr = module_alloc(mod->core_size_rw);
66763 - if (!ptr) {
66764 - err = -ENOMEM;
66765 - goto free_percpu;
66766 - }
66767 -- memset(ptr, 0, mod->core_size);
66768 -- mod->module_core = ptr;
66769 -+ memset(ptr, 0, mod->core_size_rw);
66770 -+ mod->module_core_rw = ptr;
66771 -+
66772 -+ ptr = module_alloc(mod->init_size_rw);
66773 -+ if (!ptr && mod->init_size_rw) {
66774 -+ err = -ENOMEM;
66775 -+ goto free_core_rw;
66776 -+ }
66777 -+ memset(ptr, 0, mod->init_size_rw);
66778 -+ mod->module_init_rw = ptr;
66779 -+
66780 -+ ptr = module_alloc_exec(mod->core_size_rx);
66781 -+ if (!ptr) {
66782 -+ err = -ENOMEM;
66783 -+ goto free_init_rw;
66784 -+ }
66785 -+
66786 -+#ifdef CONFIG_PAX_KERNEXEC
66787 -+ pax_open_kernel(cr0);
66788 -+#endif
66789 -
66790 -- ptr = module_alloc(mod->init_size);
66791 -- if (!ptr && mod->init_size) {
66792 -+ memset(ptr, 0, mod->core_size_rx);
66793 -+
66794 -+#ifdef CONFIG_PAX_KERNEXEC
66795 -+ pax_close_kernel(cr0);
66796 -+#endif
66797 -+
66798 -+ mod->module_core_rx = ptr;
66799 -+
66800 -+ ptr = module_alloc_exec(mod->init_size_rx);
66801 -+ if (!ptr && mod->init_size_rx) {
66802 - err = -ENOMEM;
66803 -- goto free_core;
66804 -+ goto free_core_rx;
66805 - }
66806 -- memset(ptr, 0, mod->init_size);
66807 -- mod->module_init = ptr;
66808 -+
66809 -+#ifdef CONFIG_PAX_KERNEXEC
66810 -+ pax_open_kernel(cr0);
66811 -+#endif
66812 -+
66813 -+ memset(ptr, 0, mod->init_size_rx);
66814 -+
66815 -+#ifdef CONFIG_PAX_KERNEXEC
66816 -+ pax_close_kernel(cr0);
66817 -+#endif
66818 -+
66819 -+ mod->module_init_rx = ptr;
66820 -
66821 - /* Transfer each section which specifies SHF_ALLOC */
66822 - DEBUGP("final section addresses:\n");
66823 -@@ -1762,17 +1867,41 @@ static struct module *load_module(void _
66824 - if (!(sechdrs[i].sh_flags & SHF_ALLOC))
66825 - continue;
66826 -
66827 -- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
66828 -- dest = mod->module_init
66829 -- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66830 -- else
66831 -- dest = mod->module_core + sechdrs[i].sh_entsize;
66832 -+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
66833 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66834 -+ dest = mod->module_init_rw
66835 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66836 -+ else
66837 -+ dest = mod->module_init_rx
66838 -+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66839 -+ } else {
66840 -+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66841 -+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
66842 -+ else
66843 -+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
66844 -+ }
66845 -+
66846 -+ if (sechdrs[i].sh_type != SHT_NOBITS) {
66847 -
66848 -- if (sechdrs[i].sh_type != SHT_NOBITS)
66849 -- memcpy(dest, (void *)sechdrs[i].sh_addr,
66850 -- sechdrs[i].sh_size);
66851 -+#ifdef CONFIG_PAX_KERNEXEC
66852 -+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
66853 -+ pax_open_kernel(cr0);
66854 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66855 -+ pax_close_kernel(cr0);
66856 -+ } else
66857 -+#endif
66858 -+
66859 -+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66860 -+ }
66861 - /* Update sh_addr to point to copy in image. */
66862 -- sechdrs[i].sh_addr = (unsigned long)dest;
66863 -+
66864 -+#ifdef CONFIG_PAX_KERNEXEC
66865 -+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
66866 -+ sechdrs[i].sh_addr = (unsigned long)dest - __KERNEL_TEXT_OFFSET;
66867 -+ else
66868 -+#endif
66869 -+
66870 -+ sechdrs[i].sh_addr = (unsigned long)dest;
66871 - DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
66872 - }
66873 - /* Module has been moved. */
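Review bot: in the section-copy loop of `load_module` the test `(sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC)` is evaluated after the loop has already `continue`d on `!(sechdrs[i].sh_flags & SHF_ALLOC)`, so the second operand is always false and the four copies of the condition reduce to `sh_flags & SHF_WRITE`; compute `rx = !(sechdrs[i].sh_flags & SHF_WRITE)` once per iteration and use it for both the `dest` selection and the KERNEXEC `memcpy` branch. The `#ifdef CONFIG_PAX_KERNEXEC ... } else #endif memcpy(...)` construct, where the `else` of an ifdef'd `if` binds to a `memcpy` outside the ifdef, compiles in both configurations but breaks under any reformatting; wrap the plain `memcpy` in an `#else` instead. Finally, the `sh_addr` fixup subtracts `__KERNEL_TEXT_OFFSET` only for `SHF_EXECINSTR` sections although all read-only sections were placed in the rx region, so rodata sits in the rx block with an unshifted address; a comment stating that only code is address-shifted under KERNEXEC would save the next reader from treating that as an inconsistency.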
66874 -@@ -1892,12 +2021,12 @@ static struct module *load_module(void _
66875 - * Do it before processing of module parameters, so the module
66876 - * can provide parameter accessor functions of its own.
66877 - */
66878 -- if (mod->module_init)
66879 -- flush_icache_range((unsigned long)mod->module_init,
66880 -- (unsigned long)mod->module_init
66881 -- + mod->init_size);
66882 -- flush_icache_range((unsigned long)mod->module_core,
66883 -- (unsigned long)mod->module_core + mod->core_size);
66884 -+ if (mod->module_init_rx)
66885 -+ flush_icache_range((unsigned long)mod->module_init_rx,
66886 -+ (unsigned long)mod->module_init_rx
66887 -+ + mod->init_size_rx);
66888 -+ flush_icache_range((unsigned long)mod->module_core_rx,
66889 -+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
66890 -
66891 - set_fs(old_fs);
66892 -
66893 -@@ -1940,9 +2069,13 @@ static struct module *load_module(void _
66894 - module_arch_cleanup(mod);
66895 - cleanup:
66896 - module_unload_free(mod);
66897 -- module_free(mod, mod->module_init);
66898 -- free_core:
66899 -- module_free(mod, mod->module_core);
66900 -+ module_free_exec(mod, mod->module_init_rx);
66901 -+ free_core_rx:
66902 -+ module_free_exec(mod, mod->module_core_rx);
66903 -+ free_init_rw:
66904 -+ module_free(mod, mod->module_init_rw);
66905 -+ free_core_rw:
66906 -+ module_free(mod, mod->module_core_rw);
66907 - free_percpu:
66908 - if (percpu)
66909 - percpu_modfree(percpu);
66910 -@@ -1978,6 +2111,9 @@ sys_init_module(void __user *umod,
66911 - struct module *mod;
66912 - int ret = 0;
66913 -
66914 -+ if (gr_check_modstop())
66915 -+ return -EPERM;
66916 -+
66917 - /* Must have permission */
66918 - if (!capable(CAP_SYS_MODULE))
66919 - return -EPERM;
66920 -@@ -2029,10 +2165,12 @@ sys_init_module(void __user *umod,
66921 - /* Drop initial reference. */
66922 - module_put(mod);
66923 - unwind_remove_table(mod->unwind_info, 1);
66924 -- module_free(mod, mod->module_init);
66925 -- mod->module_init = NULL;
66926 -- mod->init_size = 0;
66927 -- mod->init_text_size = 0;
66928 -+ module_free(mod, mod->module_init_rw);
66929 -+ module_free_exec(mod, mod->module_init_rx);
66930 -+ mod->module_init_rw = NULL;
66931 -+ mod->module_init_rx = NULL;
66932 -+ mod->init_size_rw = 0;
66933 -+ mod->init_size_rx = 0;
66934 - mutex_unlock(&module_mutex);
66935 -
66936 - return 0;
66937 -@@ -2040,6 +2178,13 @@ sys_init_module(void __user *umod,
66938 -
66939 - static inline int within(unsigned long addr, void *start, unsigned long size)
66940 - {
66941 -+
66942 -+#ifdef CONFIG_PAX_KERNEXEC
66943 -+ if (addr + __KERNEL_TEXT_OFFSET >= (unsigned long)start &&
66944 -+ addr + __KERNEL_TEXT_OFFSET < (unsigned long)start + size)
66945 -+ return 1;
66946 -+#endif
66947 -+
66948 - return ((void *)addr >= start && (void *)addr < start + size);
66949 - }
66950 -
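Review bot: the CONFIG_PAX_KERNEXEC branch added to within() applies the __KERNEL_TEXT_OFFSET shift to every range the helper is asked about, yet the callers changed in the following hunks pass the *_rw data ranges as well as the *_rx ones. If only the executable mappings live at the shifted address, an address that happens to land inside a rw range after the offset is added will be reported as belonging to a module it is not part of; either limit the shifted test to the rx ranges or add a comment explaining why the extra match is harmless. The stray blank line between `{` and the `#ifdef` should also go.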
66951 -@@ -2063,10 +2208,14 @@ static const char *get_ksymbol(struct mo
66952 - unsigned long nextval;
66953 -
66954 - /* At worse, next value is at end of module */
66955 -- if (within(addr, mod->module_init, mod->init_size))
66956 -- nextval = (unsigned long)mod->module_init+mod->init_text_size;
66957 -- else
66958 -- nextval = (unsigned long)mod->module_core+mod->core_text_size;
66959 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx))
66960 -+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
66961 -+ else if (within(addr, mod->module_init_rw, mod->init_size_rw))
66962 -+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
66963 -+ else if (within(addr, mod->module_core_rx, mod->core_size_rx))
66964 -+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
66965 -+ else
66966 -+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
66967 -
66968 - /* Scan for closest preceeding symbol, and next symbol. (ELF
66969 - starts real symbols at 1). */
66970 -@@ -2109,8 +2258,10 @@ const char *module_address_lookup(unsign
66971 - struct module *mod;
66972 -
66973 - list_for_each_entry(mod, &modules, list) {
66974 -- if (within(addr, mod->module_init, mod->init_size)
66975 -- || within(addr, mod->module_core, mod->core_size)) {
66976 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
66977 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
66978 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
66979 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
66980 - if (modname)
66981 - *modname = mod->name;
66982 - return get_ksymbol(mod, addr, size, offset);
66983 -@@ -2125,8 +2276,10 @@ int lookup_module_symbol_name(unsigned l
66984 -
66985 - mutex_lock(&module_mutex);
66986 - list_for_each_entry(mod, &modules, list) {
66987 -- if (within(addr, mod->module_init, mod->init_size) ||
66988 -- within(addr, mod->module_core, mod->core_size)) {
66989 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
66990 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
66991 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
66992 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
66993 - const char *sym;
66994 -
66995 - sym = get_ksymbol(mod, addr, NULL, NULL);
66996 -@@ -2149,8 +2302,10 @@ int lookup_module_symbol_attrs(unsigned
66997 -
66998 - mutex_lock(&module_mutex);
66999 - list_for_each_entry(mod, &modules, list) {
67000 -- if (within(addr, mod->module_init, mod->init_size) ||
67001 -- within(addr, mod->module_core, mod->core_size)) {
67002 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx) ||
67003 -+ within(addr, mod->module_init_rw, mod->init_size_rw) ||
67004 -+ within(addr, mod->module_core_rx, mod->core_size_rx) ||
67005 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
67006 - const char *sym;
67007 -
67008 - sym = get_ksymbol(mod, addr, size, offset);
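Review bot: the four-way `within(addr, mod->module_init_rx, ...) || within(..._init_rw...) || within(..._core_rx...) || within(..._core_rw...)` chain in lookup_module_symbol_attrs is the third verbatim copy of the same test (module_address_lookup and lookup_module_symbol_name above carry it too, and is_module_address below carries a two-way variant). A small static helper such as within_module(mod, addr) would keep the list of ranges from drifting between call sites as further callers are touched.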
67009 -@@ -2270,7 +2425,7 @@ static int m_show(struct seq_file *m, vo
67010 - char buf[8];
67011 -
67012 - seq_printf(m, "%s %lu",
67013 -- mod->name, mod->init_size + mod->core_size);
67014 -+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
67015 - print_unload_info(m, mod);
67016 -
67017 - /* Informative for users. */
67018 -@@ -2279,7 +2434,7 @@ static int m_show(struct seq_file *m, vo
67019 - mod->state == MODULE_STATE_COMING ? "Loading":
67020 - "Live");
67021 - /* Used by oprofile and other similar tools. */
67022 -- seq_printf(m, " 0x%p", mod->module_core);
67023 -+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
67024 -
67025 - /* Taints info */
67026 - if (mod->taints)
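Review bot: the seq_printf change in m_show turns the single `0x%p` field into `0x%p 0x%p`, which discloses a second kernel address per module through /proc/modules and changes the column layout the context comment says is "Used by oprofile and other similar tools". Make sure the CONFIG_GRKERNSEC_PROC_* restrictions cover /proc/modules so the rw base is not readable by unprivileged users, and call the format change out in the changelog for tools that parse the file positionally.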
67027 -@@ -2335,7 +2490,8 @@ int is_module_address(unsigned long addr
67028 - preempt_disable();
67029 -
67030 - list_for_each_entry(mod, &modules, list) {
67031 -- if (within(addr, mod->module_core, mod->core_size)) {
67032 -+ if (within(addr, mod->module_core_rx, mod->core_size_rx) ||
67033 -+ within(addr, mod->module_core_rw, mod->core_size_rw)) {
67034 - preempt_enable();
67035 - return 1;
67036 - }
67037 -@@ -2353,8 +2509,8 @@ struct module *__module_text_address(uns
67038 - struct module *mod;
67039 -
67040 - list_for_each_entry(mod, &modules, list)
67041 -- if (within(addr, mod->module_init, mod->init_text_size)
67042 -- || within(addr, mod->module_core, mod->core_text_size))
67043 -+ if (within(addr, mod->module_init_rx, mod->init_size_rx)
67044 -+ || within(addr, mod->module_core_rx, mod->core_size_rx))
67045 - return mod;
67046 - return NULL;
67047 - }
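Review bot: __module_text_address now tests against init_size_rx/core_size_rx where the original used init_text_size/core_text_size. Unless the rx regions hold nothing but text, this widens what counts as a "text address" to the whole executable mapping (read-only data included), so callers that use the result to decide whether an address is code will match more than before. If that is acceptable, note it in a comment; otherwise keep a separate text size per region.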
67048 -diff -Nurp linux-2.6.23.15/kernel/mutex.c linux-2.6.23.15-grsec/kernel/mutex.c
67049 ---- linux-2.6.23.15/kernel/mutex.c 2007-10-09 21:31:38.000000000 +0100
67050 -+++ linux-2.6.23.15-grsec/kernel/mutex.c 2008-02-11 10:37:45.000000000 +0000
67051 -@@ -81,7 +81,7 @@ __mutex_lock_slowpath(atomic_t *lock_cou
67052 - *
67053 - * This function is similar to (but not equivalent to) down().
67054 - */
67055 --void inline fastcall __sched mutex_lock(struct mutex *lock)
67056 -+inline void fastcall __sched mutex_lock(struct mutex *lock)
67057 - {
67058 - might_sleep();
67059 - /*
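Review bot: the `void inline fastcall` to `inline void fastcall` swap in mutex_lock, like the later specifier-order, brace and initialiser cleanups in softirq.c, sys.c, rcupdate.c and time.c, is a pure warning fix with no behavioural effect. Splitting these cosmetic hunks out of the security patch would make the security-relevant changes considerably easier to review and to forward-port.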
67060 -diff -Nurp linux-2.6.23.15/kernel/params.c linux-2.6.23.15-grsec/kernel/params.c
67061 ---- linux-2.6.23.15/kernel/params.c 2008-02-11 10:36:03.000000000 +0000
67062 -+++ linux-2.6.23.15-grsec/kernel/params.c 2008-02-11 10:37:45.000000000 +0000
67063 -@@ -275,7 +275,7 @@ static int param_array(const char *name,
67064 - unsigned int min, unsigned int max,
67065 - void *elem, int elemsize,
67066 - int (*set)(const char *, struct kernel_param *kp),
67067 -- int *num)
67068 -+ unsigned int *num)
67069 - {
67070 - int ret;
67071 - struct kernel_param kp;
67072 -diff -Nurp linux-2.6.23.15/kernel/pid.c linux-2.6.23.15-grsec/kernel/pid.c
67073 ---- linux-2.6.23.15/kernel/pid.c 2007-10-09 21:31:38.000000000 +0100
67074 -+++ linux-2.6.23.15-grsec/kernel/pid.c 2008-02-11 10:37:45.000000000 +0000
67075 -@@ -28,6 +28,7 @@
67076 - #include <linux/hash.h>
67077 - #include <linux/pid_namespace.h>
67078 - #include <linux/init_task.h>
67079 -+#include <linux/grsecurity.h>
67080 -
67081 - #define pid_hashfn(nr) hash_long((unsigned long)nr, pidhash_shift)
67082 - static struct hlist_head *pid_hash;
67083 -@@ -37,7 +38,7 @@ struct pid init_struct_pid = INIT_STRUCT
67084 -
67085 - int pid_max = PID_MAX_DEFAULT;
67086 -
67087 --#define RESERVED_PIDS 300
67088 -+#define RESERVED_PIDS 500
67089 -
67090 - int pid_max_min = RESERVED_PIDS + 1;
67091 - int pid_max_max = PID_MAX_LIMIT;
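Review bot: raising RESERVED_PIDS from 300 to 500 also raises pid_max_min (`RESERVED_PIDS + 1`, two lines below), so the kernel.pid_max sysctl can no longer be lowered below 501. The hunk gives no reason for the new value; a comment next to the define explaining what the extra reserved range is for would help anyone tuning pid_max on a hardened kernel.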
67092 -@@ -309,7 +310,14 @@ struct task_struct * fastcall pid_task(s
67093 - */
67094 - struct task_struct *find_task_by_pid_type(int type, int nr)
67095 - {
67096 -- return pid_task(find_pid(nr), type);
67097 -+ struct task_struct *task;
67098 -+
67099 -+ task = pid_task(find_pid(nr), type);
67100 -+
67101 -+ if (gr_pid_is_chrooted(task))
67102 -+ return NULL;
67103 -+
67104 -+ return task;
67105 - }
67106 -
67107 - EXPORT_SYMBOL(find_task_by_pid_type);
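Review bot: find_task_by_pid_type now calls gr_pid_is_chrooted(task) on whatever pid_task() returned, and pid_task() can return NULL; unless gr_pid_is_chrooted() is documented to accept NULL, add `if (!task) return NULL;` before the check. Note also that this hides chrooted tasks from every in-kernel caller, not just user-facing lookups, which is why the sys_setpgid hunk later in this patch has to bypass the function with `pid_task(find_pid(pid), PIDTYPE_PID)`; a comment here listing the callers that are expected to bypass it would keep the two sites in sync.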
67108 -diff -Nurp linux-2.6.23.15/kernel/posix-cpu-timers.c linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c
67109 ---- linux-2.6.23.15/kernel/posix-cpu-timers.c 2007-10-09 21:31:38.000000000 +0100
67110 -+++ linux-2.6.23.15-grsec/kernel/posix-cpu-timers.c 2008-02-11 10:37:45.000000000 +0000
67111 -@@ -6,6 +6,7 @@
67112 - #include <linux/posix-timers.h>
67113 - #include <asm/uaccess.h>
67114 - #include <linux/errno.h>
67115 -+#include <linux/grsecurity.h>
67116 -
67117 - static int check_clock(const clockid_t which_clock)
67118 - {
67119 -@@ -1144,6 +1145,7 @@ static void check_process_timers(struct
67120 - __group_send_sig_info(SIGKILL, SEND_SIG_PRIV, tsk);
67121 - return;
67122 - }
67123 -+ gr_learn_resource(tsk, RLIMIT_CPU, psecs, 1);
67124 - if (psecs >= sig->rlim[RLIMIT_CPU].rlim_cur) {
67125 - /*
67126 - * At the soft limit, send a SIGXCPU every second.
67127 -diff -Nurp linux-2.6.23.15/kernel/power/poweroff.c linux-2.6.23.15-grsec/kernel/power/poweroff.c
67128 ---- linux-2.6.23.15/kernel/power/poweroff.c 2007-10-09 21:31:38.000000000 +0100
67129 -+++ linux-2.6.23.15-grsec/kernel/power/poweroff.c 2008-02-11 10:37:45.000000000 +0000
67130 -@@ -35,7 +35,7 @@ static struct sysrq_key_op sysrq_powerof
67131 - .enable_mask = SYSRQ_ENABLE_BOOT,
67132 - };
67133 -
67134 --static int pm_sysrq_init(void)
67135 -+static int __init pm_sysrq_init(void)
67136 - {
67137 - register_sysrq_key('o', &sysrq_poweroff_op);
67138 - return 0;
67139 -diff -Nurp linux-2.6.23.15/kernel/printk.c linux-2.6.23.15-grsec/kernel/printk.c
67140 ---- linux-2.6.23.15/kernel/printk.c 2007-10-09 21:31:38.000000000 +0100
67141 -+++ linux-2.6.23.15-grsec/kernel/printk.c 2008-02-11 10:37:45.000000000 +0000
67142 -@@ -31,6 +31,7 @@
67143 - #include <linux/bootmem.h>
67144 - #include <linux/syscalls.h>
67145 - #include <linux/jiffies.h>
67146 -+#include <linux/grsecurity.h>
67147 -
67148 - #include <asm/uaccess.h>
67149 -
67150 -@@ -184,6 +185,11 @@ int do_syslog(int type, char __user *buf
67151 - char c;
67152 - int error = 0;
67153 -
67154 -+#ifdef CONFIG_GRKERNSEC_DMESG
67155 -+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
67156 -+ return -EPERM;
67157 -+#endif
67158 -+
67159 - error = security_syslog(type);
67160 - if (error)
67161 - return error;
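Review bot: the CONFIG_GRKERNSEC_DMESG check in do_syslog rejects every `type` when grsec_enable_dmesg is set and the caller lacks CAP_SYS_ADMIN, including the no-op open/close actions and the buffer-size query that log readers use to size their reads, and it does so before security_syslog() runs, so an LSM never sees or audits the refused request. If the intent is only to hide log contents, restrict the check to the read and clear types; otherwise document that unprivileged tools merely probing the log will now get -EPERM.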
67162 -diff -Nurp linux-2.6.23.15/kernel/ptrace.c linux-2.6.23.15-grsec/kernel/ptrace.c
67163 ---- linux-2.6.23.15/kernel/ptrace.c 2007-10-09 21:31:38.000000000 +0100
67164 -+++ linux-2.6.23.15-grsec/kernel/ptrace.c 2008-02-11 10:37:45.000000000 +0000
67165 -@@ -19,6 +19,7 @@
67166 - #include <linux/security.h>
67167 - #include <linux/signal.h>
67168 - #include <linux/audit.h>
67169 -+#include <linux/grsecurity.h>
67170 -
67171 - #include <asm/pgtable.h>
67172 - #include <asm/uaccess.h>
67173 -@@ -138,12 +139,12 @@ static int may_attach(struct task_struct
67174 - (current->uid != task->uid) ||
67175 - (current->gid != task->egid) ||
67176 - (current->gid != task->sgid) ||
67177 -- (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE))
67178 -+ (current->gid != task->gid)) && !capable_nolog(CAP_SYS_PTRACE))
67179 - return -EPERM;
67180 - smp_rmb();
67181 - if (task->mm)
67182 - dumpable = get_dumpable(task->mm);
67183 -- if (!dumpable && !capable(CAP_SYS_PTRACE))
67184 -+ if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
67185 - return -EPERM;
67186 -
67187 - return security_ptrace(current, task);
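Review bot: switching both CAP_SYS_PTRACE tests in may_attach from capable() to capable_nolog() means a successful use of the capability here no longer produces grsec's capability audit line. Presumably this avoids log noise from repeated attach checks, with the policy decision moved to gr_handle_ptrace() in sys_ptrace (next hunk); a short comment stating that would explain why ptrace, alone among the capability checks this patch touches, is exempt from logging.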
67188 -@@ -480,6 +481,11 @@ asmlinkage long sys_ptrace(long request,
67189 - if (ret < 0)
67190 - goto out_put_task_struct;
67191 -
67192 -+ if (gr_handle_ptrace(child, request)) {
67193 -+ ret = -EPERM;
67194 -+ goto out_put_task_struct;
67195 -+ }
67196 -+
67197 - ret = arch_ptrace(child, request, addr, data);
67198 - if (ret < 0)
67199 - goto out_put_task_struct;
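Review bot: gr_handle_ptrace(child, request) is inserted just before arch_ptrace(), i.e. only on the path where the attach check has already succeeded. Requests that sys_ptrace completes earlier never reach it (in this kernel PTRACE_ATTACH is dispatched before the attach check and PTRACE_TRACEME before the child lookup), so confirm that may_attach()/ptrace_attach() are meant to cover those, or move the hook above the earlier returns.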
67200 -diff -Nurp linux-2.6.23.15/kernel/rcupdate.c linux-2.6.23.15-grsec/kernel/rcupdate.c
67201 ---- linux-2.6.23.15/kernel/rcupdate.c 2007-10-09 21:31:38.000000000 +0100
67202 -+++ linux-2.6.23.15-grsec/kernel/rcupdate.c 2008-02-11 10:37:45.000000000 +0000
67203 -@@ -63,11 +63,11 @@ static struct rcu_ctrlblk rcu_bh_ctrlblk
67204 - .cpumask = CPU_MASK_NONE,
67205 - };
67206 -
67207 --DEFINE_PER_CPU(struct rcu_data, rcu_data) = { 0L };
67208 --DEFINE_PER_CPU(struct rcu_data, rcu_bh_data) = { 0L };
67209 -+DEFINE_PER_CPU(struct rcu_data, rcu_data);
67210 -+DEFINE_PER_CPU(struct rcu_data, rcu_bh_data);
67211 -
67212 - /* Fake initialization required by compiler */
67213 --static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet) = {NULL};
67214 -+static DEFINE_PER_CPU(struct tasklet_struct, rcu_tasklet);
67215 - static int blimit = 10;
67216 - static int qhimark = 10000;
67217 - static int qlowmark = 100;
67218 -diff -Nurp linux-2.6.23.15/kernel/relay.c linux-2.6.23.15-grsec/kernel/relay.c
67219 ---- linux-2.6.23.15/kernel/relay.c 2008-02-11 10:36:03.000000000 +0000
67220 -+++ linux-2.6.23.15-grsec/kernel/relay.c 2008-02-11 10:37:45.000000000 +0000
67221 -@@ -1140,7 +1140,7 @@ static int subbuf_splice_actor(struct fi
67222 - return 0;
67223 -
67224 - ret = *nonpad_ret = splice_to_pipe(pipe, &spd);
67225 -- if (ret < 0 || ret < total_len)
67226 -+ if ((int)ret < 0 || ret < total_len)
67227 - return ret;
67228 -
67229 - if (read_start + ret == nonpad_end)
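Review bot: `if ((int)ret < 0 || ret < total_len)` only works because `ret` is an unsigned type that silently discarded the sign of the error returned by splice_to_pipe(); the cast hides the real problem and would misclassify a legitimate result above INT_MAX on 64-bit. Declaring `ret` as ssize_t, matching what splice_to_pipe() returns, fixes the comparison without the cast.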
67230 -diff -Nurp linux-2.6.23.15/kernel/resource.c linux-2.6.23.15-grsec/kernel/resource.c
67231 ---- linux-2.6.23.15/kernel/resource.c 2007-10-09 21:31:38.000000000 +0100
67232 -+++ linux-2.6.23.15-grsec/kernel/resource.c 2008-02-11 10:37:45.000000000 +0000
67233 -@@ -133,10 +133,27 @@ static int __init ioresources_init(void)
67234 - {
67235 - struct proc_dir_entry *entry;
67236 -
67237 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
67238 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
67239 -+ entry = create_proc_entry("ioports", S_IRUSR, NULL);
67240 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
67241 -+ entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
67242 -+#endif
67243 -+#else
67244 - entry = create_proc_entry("ioports", 0, NULL);
67245 -+#endif
67246 - if (entry)
67247 - entry->proc_fops = &proc_ioports_operations;
67248 -+
67249 -+#ifdef CONFIG_GRKERNSEC_PROC_ADD
67250 -+#ifdef CONFIG_GRKERNSEC_PROC_USER
67251 -+ entry = create_proc_entry("iomem", S_IRUSR, NULL);
67252 -+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
67253 -+ entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
67254 -+#endif
67255 -+#else
67256 - entry = create_proc_entry("iomem", 0, NULL);
67257 -+#endif
67258 - if (entry)
67259 - entry->proc_fops = &proc_iomem_operations;
67260 - return 0;
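Review bot: in both CONFIG_GRKERNSEC_PROC_ADD blocks of ioresources_init the inner `#ifdef CONFIG_GRKERNSEC_PROC_USER` / `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` pair has no final #else, so if PROC_ADD is enabled without either sub-option no create_proc_entry() call is emitted at all: the first `if (entry)` then tests an uninitialised pointer, and the second block reuses the stale ioports entry and overwrites its proc_fops with &proc_iomem_operations. Add an `#else` with `#error` (or fall back to the mode-0 call) and write the test as `#elif defined(...)` for consistency with the `#ifdef` above it.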
67261 -diff -Nurp linux-2.6.23.15/kernel/sched.c linux-2.6.23.15-grsec/kernel/sched.c
67262 ---- linux-2.6.23.15/kernel/sched.c 2008-02-11 10:36:03.000000000 +0000
67263 -+++ linux-2.6.23.15-grsec/kernel/sched.c 2008-02-11 10:37:45.000000000 +0000
67264 -@@ -61,6 +61,7 @@
67265 - #include <linux/delayacct.h>
67266 - #include <linux/reciprocal_div.h>
67267 - #include <linux/unistd.h>
67268 -+#include <linux/grsecurity.h>
67269 -
67270 - #include <asm/tlb.h>
67271 -
67272 -@@ -3470,7 +3471,7 @@ pick_next_task(struct rq *rq, struct tas
67273 - asmlinkage void __sched schedule(void)
67274 - {
67275 - struct task_struct *prev, *next;
67276 -- long *switch_count;
67277 -+ unsigned long *switch_count;
67278 - struct rq *rq;
67279 - int cpu;
67280 -
67281 -@@ -4079,7 +4080,8 @@ asmlinkage long sys_nice(int increment)
67282 - if (nice > 19)
67283 - nice = 19;
67284 -
67285 -- if (increment < 0 && !can_nice(current, nice))
67286 -+ if (increment < 0 && (!can_nice(current, nice) ||
67287 -+ gr_handle_chroot_nice()))
67288 - return -EPERM;
67289 -
67290 - retval = security_task_setnice(current, nice);
67291 -@@ -5267,7 +5269,7 @@ static struct ctl_table sd_ctl_dir[] = {
67292 - .procname = "sched_domain",
67293 - .mode = 0555,
67294 - },
67295 -- {0,},
67296 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
67297 - };
67298 -
67299 - static struct ctl_table sd_ctl_root[] = {
67300 -@@ -5277,7 +5279,7 @@ static struct ctl_table sd_ctl_root[] =
67301 - .mode = 0555,
67302 - .child = sd_ctl_dir,
67303 - },
67304 -- {0,},
67305 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
67306 - };
67307 -
67308 - static struct ctl_table *sd_alloc_ctl_entry(int n)
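Review bot: the `{0,}` to `{ 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }` replacements in sd_ctl_dir and sd_ctl_root (and again in utsname_sysctl.c below) are positional initialisers that spell out every member of struct ctl_table; they silence a missing-initialiser warning today but break the moment a field is added or reordered. The designated form `{ .ctl_name = 0 }`, which the pax_table hunk in sysctl.c already uses, achieves the same without coupling to the struct layout.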
67309 -diff -Nurp linux-2.6.23.15/kernel/signal.c linux-2.6.23.15-grsec/kernel/signal.c
67310 ---- linux-2.6.23.15/kernel/signal.c 2007-10-09 21:31:38.000000000 +0100
67311 -+++ linux-2.6.23.15-grsec/kernel/signal.c 2008-02-11 10:37:45.000000000 +0000
67312 -@@ -25,6 +25,7 @@
67313 - #include <linux/capability.h>
67314 - #include <linux/freezer.h>
67315 - #include <linux/pid_namespace.h>
67316 -+#include <linux/grsecurity.h>
67317 - #include <linux/nsproxy.h>
67318 -
67319 - #include <asm/param.h>
67320 -@@ -541,7 +542,9 @@ static int check_kill_permission(int sig
67321 - && (current->euid ^ t->suid) && (current->euid ^ t->uid)
67322 - && (current->uid ^ t->suid) && (current->uid ^ t->uid)
67323 - && !capable(CAP_KILL))
67324 -- return error;
67325 -+ return error;
67326 -+ if (gr_handle_signal(t, sig))
67327 -+ return error;
67328 - }
67329 -
67330 - return security_task_kill(t, info, sig, 0);
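Review bot: the new `if (gr_handle_signal(t, sig)) return error;` in check_kill_permission relies on whatever `error` holds at that point (presumably the -EPERM used by the capability test above it); returning -EPERM explicitly would make the intent clear and survive a later reshuffle of how `error` is assigned. The preceding `-`/`+` pair for `return error;` is a whitespace-only re-indent that adds noise to the hunk.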
67331 -@@ -758,7 +761,7 @@ static int __init setup_print_fatal_sign
67332 -
67333 - __setup("print-fatal-signals=", setup_print_fatal_signals);
67334 -
67335 --static int
67336 -+int
67337 - specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
67338 - {
67339 - int ret = 0;
67340 -@@ -812,8 +815,12 @@ force_sig_info(int sig, struct siginfo *
67341 - }
67342 - }
67343 - ret = specific_send_sig_info(sig, info, t);
67344 -+
67345 - spin_unlock_irqrestore(&t->sighand->siglock, flags);
67346 -
67347 -+ gr_log_signal(sig, t);
67348 -+ gr_handle_crash(t, sig);
67349 -+
67350 - return ret;
67351 - }
67352 -
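Review bot: gr_log_signal(sig, t) and gr_handle_crash(t, sig) are placed after spin_unlock_irqrestore(), which is right if they may sleep or log, but they then dereference `t` without the siglock and run regardless of `ret`. That is safe only while force_sig_info()'s callers hold a reference to the target task (usually it is current); a one-line comment recording that assumption would help whoever adds a new caller.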
67353 -diff -Nurp linux-2.6.23.15/kernel/softirq.c linux-2.6.23.15-grsec/kernel/softirq.c
67354 ---- linux-2.6.23.15/kernel/softirq.c 2007-10-09 21:31:38.000000000 +0100
67355 -+++ linux-2.6.23.15-grsec/kernel/softirq.c 2008-02-11 10:37:45.000000000 +0000
67356 -@@ -471,9 +471,9 @@ void tasklet_kill(struct tasklet_struct
67357 - printk("Attempt to kill tasklet from interrupt\n");
67358 -
67359 - while (test_and_set_bit(TASKLET_STATE_SCHED, &t->state)) {
67360 -- do
67361 -+ do {
67362 - yield();
67363 -- while (test_bit(TASKLET_STATE_SCHED, &t->state));
67364 -+ } while (test_bit(TASKLET_STATE_SCHED, &t->state));
67365 - }
67366 - tasklet_unlock_wait(t);
67367 - clear_bit(TASKLET_STATE_SCHED, &t->state);
67368 -diff -Nurp linux-2.6.23.15/kernel/sys.c linux-2.6.23.15-grsec/kernel/sys.c
67369 ---- linux-2.6.23.15/kernel/sys.c 2007-10-09 21:31:38.000000000 +0100
67370 -+++ linux-2.6.23.15-grsec/kernel/sys.c 2008-02-11 10:37:45.000000000 +0000
67371 -@@ -33,6 +33,7 @@
67372 - #include <linux/task_io_accounting_ops.h>
67373 - #include <linux/seccomp.h>
67374 - #include <linux/cpu.h>
67375 -+#include <linux/grsecurity.h>
67376 -
67377 - #include <linux/compat.h>
67378 - #include <linux/syscalls.h>
67379 -@@ -651,6 +652,12 @@ static int set_one_prio(struct task_stru
67380 - error = -EACCES;
67381 - goto out;
67382 - }
67383 -+
67384 -+ if (gr_handle_chroot_setpriority(p, niceval)) {
67385 -+ error = -EACCES;
67386 -+ goto out;
67387 -+ }
67388 -+
67389 - no_nice = security_task_setnice(p, niceval);
67390 - if (no_nice) {
67391 - error = no_nice;
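Review bot: gr_handle_chroot_setpriority(p, niceval) in set_one_prio fires for any niceval and fails with -EACCES, whereas the matching gr_handle_chroot_nice() test added to sys_nice in sched.c is only evaluated when `increment < 0` and fails with -EPERM. The two entry points implement the same "no priority changes from a chroot" policy, so they should agree on both the direction they restrict and the errno they return; as written, nice(2) and setpriority(2) behave differently inside a chroot.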
67392 -@@ -707,10 +714,10 @@ asmlinkage long sys_setpriority(int whic
67393 - if ((who != current->uid) && !(user = find_user(who)))
67394 - goto out_unlock; /* No processes for this user */
67395 -
67396 -- do_each_thread(g, p)
67397 -+ do_each_thread(g, p) {
67398 - if (p->uid == who)
67399 - error = set_one_prio(p, niceval, error);
67400 -- while_each_thread(g, p);
67401 -+ } while_each_thread(g, p);
67402 - if (who != current->uid)
67403 - free_uid(user); /* For find_user() */
67404 - break;
67405 -@@ -769,13 +776,13 @@ asmlinkage long sys_getpriority(int whic
67406 - if ((who != current->uid) && !(user = find_user(who)))
67407 - goto out_unlock; /* No processes for this user */
67408 -
67409 -- do_each_thread(g, p)
67410 -+ do_each_thread(g, p) {
67411 - if (p->uid == who) {
67412 - niceval = 20 - task_nice(p);
67413 - if (niceval > retval)
67414 - retval = niceval;
67415 - }
67416 -- while_each_thread(g, p);
67417 -+ } while_each_thread(g, p);
67418 - if (who != current->uid)
67419 - free_uid(user); /* for find_user() */
67420 - break;
67421 -@@ -1047,6 +1054,9 @@ asmlinkage long sys_setregid(gid_t rgid,
67422 - if (rgid != (gid_t) -1 ||
67423 - (egid != (gid_t) -1 && egid != old_rgid))
67424 - current->sgid = new_egid;
67425 -+
67426 -+ gr_set_role_label(current, current->uid, new_rgid);
67427 -+
67428 - current->fsgid = new_egid;
67429 - current->egid = new_egid;
67430 - current->gid = new_rgid;
67431 -@@ -1074,6 +1084,9 @@ asmlinkage long sys_setgid(gid_t gid)
67432 - set_dumpable(current->mm, suid_dumpable);
67433 - smp_wmb();
67434 - }
67435 -+
67436 -+ gr_set_role_label(current, current->uid, gid);
67437 -+
67438 - current->gid = current->egid = current->sgid = current->fsgid = gid;
67439 - } else if ((gid == current->gid) || (gid == current->sgid)) {
67440 - if (old_egid != gid) {
67441 -@@ -1111,6 +1124,9 @@ static int set_user(uid_t new_ruid, int
67442 - set_dumpable(current->mm, suid_dumpable);
67443 - smp_wmb();
67444 - }
67445 -+
67446 -+ gr_set_role_label(current, new_ruid, current->gid);
67447 -+
67448 - current->uid = new_ruid;
67449 - return 0;
67450 - }
67451 -@@ -1213,6 +1229,9 @@ asmlinkage long sys_setuid(uid_t uid)
67452 - } else if ((uid != current->uid) && (uid != new_suid))
67453 - return -EPERM;
67454 -
67455 -+ if (gr_check_crash_uid(uid))
67456 -+ return -EPERM;
67457 -+
67458 - if (old_euid != uid) {
67459 - set_dumpable(current->mm, suid_dumpable);
67460 - smp_wmb();
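Review bot: gr_check_crash_uid(uid) is added to sys_setuid only. The other identity-changing path touched by this patch, set_user() in the hunk above (which serves setreuid/setresuid), gets a gr_set_role_label() call but no crash-uid test, so a caller refused a uid via setuid() could reach the same uid through setreuid()/setresuid() unless the check lives elsewhere; confirm the coverage or move the check into set_user().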
67461 -@@ -1315,8 +1334,10 @@ asmlinkage long sys_setresgid(gid_t rgid
67462 - current->egid = egid;
67463 - }
67464 - current->fsgid = current->egid;
67465 -- if (rgid != (gid_t) -1)
67466 -+ if (rgid != (gid_t) -1) {
67467 -+ gr_set_role_label(current, current->uid, rgid);
67468 - current->gid = rgid;
67469 -+ }
67470 - if (sgid != (gid_t) -1)
67471 - current->sgid = sgid;
67472 -
67473 -@@ -1463,7 +1484,10 @@ asmlinkage long sys_setpgid(pid_t pid, p
67474 - write_lock_irq(&tasklist_lock);
67475 -
67476 - err = -ESRCH;
67477 -- p = find_task_by_pid(pid);
67478 -+ /* grsec: replaced find_task_by_pid with equivalent call
67479 -+ which lacks the chroot restriction
67480 -+ */
67481 -+ p = pid_task(find_pid(pid), PIDTYPE_PID);
67482 - if (!p)
67483 - goto out;
67484 -
67485 -@@ -2183,7 +2207,7 @@ asmlinkage long sys_prctl(int option, un
67486 - error = get_dumpable(current->mm);
67487 - break;
67488 - case PR_SET_DUMPABLE:
67489 -- if (arg2 < 0 || arg2 > 1) {
67490 -+ if (arg2 > 1) {
67491 - error = -EINVAL;
67492 - break;
67493 - }
67494 -diff -Nurp linux-2.6.23.15/kernel/sysctl.c linux-2.6.23.15-grsec/kernel/sysctl.c
67495 ---- linux-2.6.23.15/kernel/sysctl.c 2008-02-11 10:36:24.000000000 +0000
67496 -+++ linux-2.6.23.15-grsec/kernel/sysctl.c 2008-02-11 10:37:45.000000000 +0000
67497 -@@ -56,6 +56,13 @@
67498 - #endif
67499 -
67500 - #if defined(CONFIG_SYSCTL)
67501 -+#include <linux/grsecurity.h>
67502 -+#include <linux/grinternal.h>
67503 -+
67504 -+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
67505 -+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
67506 -+ const int op);
67507 -+extern int gr_handle_chroot_sysctl(const int op);
67508 -
67509 - /* External variables not in a header file. */
67510 - extern int C_A_D;
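Review bot: the three `extern` prototypes for gr_handle_sysctl(), gr_handle_sysctl_mod() and gr_handle_chroot_sysctl() are written inline in sysctl.c right after `#include <linux/grsecurity.h>` and `<linux/grinternal.h>`; they belong in one of those headers so the compiler checks every call site against a single declaration.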
67511 -@@ -141,7 +148,7 @@ static int proc_dointvec_taint(ctl_table
67512 -
67513 - static ctl_table root_table[];
67514 - static struct ctl_table_header root_table_header =
67515 -- { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry) };
67516 -+ { root_table, LIST_HEAD_INIT(root_table_header.ctl_entry), 0, NULL };
67517 -
67518 - static ctl_table kern_table[];
67519 - static ctl_table vm_table[];
67520 -@@ -158,11 +165,27 @@ extern ctl_table inotify_table[];
67521 - #ifdef CONFIG_ALPHA_UAC_SYSCTL
67522 - extern ctl_table uac_table[];
67523 - #endif
67524 -+extern ctl_table grsecurity_table[];
67525 -
67526 - #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
67527 - int sysctl_legacy_va_layout;
67528 - #endif
67529 -
67530 -+#ifdef CONFIG_PAX_SOFTMODE
67531 -+static ctl_table pax_table[] = {
67532 -+ {
67533 -+ .ctl_name = CTL_UNNUMBERED,
67534 -+ .procname = "softmode",
67535 -+ .data = &pax_softmode,
67536 -+ .maxlen = sizeof(unsigned int),
67537 -+ .mode = 0600,
67538 -+ .proc_handler = &proc_dointvec,
67539 -+ },
67540 -+
67541 -+ { .ctl_name = 0 }
67542 -+};
67543 -+#endif
67544 -+
67545 - extern int prove_locking;
67546 - extern int lock_stat;
67547 -
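Review bot: the `softmode` entry in pax_table uses proc_dointvec with no range, so root can store any integer in pax_softmode even though the knob is a boolean; proc_dointvec_minmax with .extra1/.extra2 bounding it to 0..1 avoids surprising values. The 0600 mode on the entry and the 0500 mode on the `pax` directory in the next hunk correctly keep it root-only.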
67548 -@@ -207,6 +230,16 @@ static ctl_table root_table[] = {
67549 - .mode = 0555,
67550 - .child = dev_table,
67551 - },
67552 -+
67553 -+#ifdef CONFIG_PAX_SOFTMODE
67554 -+ {
67555 -+ .ctl_name = CTL_UNNUMBERED,
67556 -+ .procname = "pax",
67557 -+ .mode = 0500,
67558 -+ .child = pax_table,
67559 -+ },
67560 -+#endif
67561 -+
67562 - /*
67563 - * NOTE: do not add new entries to this table unless you have read
67564 - * Documentation/sysctl/ctl_unnumbered.txt
67565 -@@ -777,6 +810,14 @@ static ctl_table kern_table[] = {
67566 - .proc_handler = &proc_dostring,
67567 - .strategy = &sysctl_string,
67568 - },
67569 -+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP)
67570 -+ {
67571 -+ .ctl_name = KERN_GRSECURITY,
67572 -+ .procname = "grsecurity",
67573 -+ .mode = 0500,
67574 -+ .child = grsecurity_table,
67575 -+ },
67576 -+#endif
67577 - /*
67578 - * NOTE: do not add new entries to this table unless you have read
67579 - * Documentation/sysctl/ctl_unnumbered.txt
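Review bot: the `grsecurity` directory is registered in kern_table with a fixed numeric `.ctl_name = KERN_GRSECURITY`, directly above the NOTE asking that no new entries be added without reading Documentation/sysctl/ctl_unnumbered.txt. A privately chosen number can collide with future upstream KERN_* allocations; `.ctl_name = CTL_UNNUMBERED`, as the pax entries earlier in this file already use, avoids that unless a binary sysctl(2) path is actually required.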
67580 -@@ -1388,6 +1429,25 @@ static int test_perm(int mode, int op)
67581 - int sysctl_perm(ctl_table *table, int op)
67582 - {
67583 - int error;
67584 -+ if (table->parent != NULL && table->parent->procname != NULL &&
67585 -+ table->procname != NULL &&
67586 -+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
67587 -+ return -EACCES;
67588 -+ if (gr_handle_chroot_sysctl(op))
67589 -+ return -EACCES;
67590 -+ error = gr_handle_sysctl(table, op);
67591 -+ if (error)
67592 -+ return error;
67593 -+ error = security_sysctl(table, op);
67594 -+ if (error)
67595 -+ return error;
67596 -+ return test_perm(table->mode, op);
67597 -+}
67598 -+
67599 -+int sysctl_perm_nochk(ctl_table *table, int op)
67600 -+{
67601 -+ int error;
67602 -+
67603 - error = security_sysctl(table, op);
67604 - if (error)
67605 - return error;
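Review bot: sysctl_perm() now duplicates the tail of sysctl_perm_nochk() (security_sysctl() followed by test_perm()); having sysctl_perm() run the grsec checks and then `return sysctl_perm_nochk(table, op);` removes the duplication. Also, gr_handle_sysctl_mod() is keyed only on table->parent->procname and table->procname, so two leaves with the same immediate parent name under different top-level directories are indistinguishable to that check; confirm that is intended.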
67606 -@@ -1412,13 +1472,14 @@ repeat:
67607 - if (n == table->ctl_name) {
67608 - int error;
67609 - if (table->child) {
67610 -- if (sysctl_perm(table, 001))
67611 -+ if (sysctl_perm_nochk(table, 001))
67612 - return -EPERM;
67613 - name++;
67614 - nlen--;
67615 - table = table->child;
67616 - goto repeat;
67617 - }
67618 -+
67619 - error = do_sysctl_strategy(table, name, nlen,
67620 - oldval, oldlenp,
67621 - newval, newlen);
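Review bot: the directory walk in parse_table switches to sysctl_perm_nochk(table, 001), so gr_handle_sysctl() and gr_handle_chroot_sysctl() are consulted for the leaf only and never for the directories leading to it. That is probably deliberate, since the leaf decision is what matters, but it deserves a comment at the call; the added blank line before do_sysctl_strategy() is unrelated noise.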
67622 -diff -Nurp linux-2.6.23.15/kernel/time.c linux-2.6.23.15-grsec/kernel/time.c
67623 ---- linux-2.6.23.15/kernel/time.c 2007-10-09 21:31:38.000000000 +0100
67624 -+++ linux-2.6.23.15-grsec/kernel/time.c 2008-02-11 10:37:45.000000000 +0000
67625 -@@ -35,6 +35,7 @@
67626 - #include <linux/security.h>
67627 - #include <linux/fs.h>
67628 - #include <linux/module.h>
67629 -+#include <linux/grsecurity.h>
67630 -
67631 - #include <asm/uaccess.h>
67632 - #include <asm/unistd.h>
67633 -@@ -92,6 +93,9 @@ asmlinkage long sys_stime(time_t __user
67634 - return err;
67635 -
67636 - do_settimeofday(&tv);
67637 -+
67638 -+ gr_log_timechange();
67639 -+
67640 - return 0;
67641 - }
67642 -
67643 -@@ -197,6 +201,8 @@ asmlinkage long sys_settimeofday(struct
67644 - return -EFAULT;
67645 - }
67646 -
67647 -+ gr_log_timechange();
67648 -+
67649 - return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
67650 - }
67651 -
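Review bot: in sys_settimeofday gr_log_timechange() runs before do_sys_settimeofday(), so the audit record is written even when that call then fails (it performs its own permission check), whereas the sys_stime hunk above logs only after do_settimeofday() has been carried out. Move the call after a successful return so both syscalls log actual changes only, or document that attempted changes are meant to be logged as well.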
67652 -@@ -235,7 +241,7 @@ EXPORT_SYMBOL(current_fs_time);
67653 - * Avoid unnecessary multiplications/divisions in the
67654 - * two most common HZ cases:
67655 - */
67656 --unsigned int inline jiffies_to_msecs(const unsigned long j)
67657 -+inline unsigned int jiffies_to_msecs(const unsigned long j)
67658 - {
67659 - #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
67660 - return (MSEC_PER_SEC / HZ) * j;
67661 -@@ -247,7 +253,7 @@ unsigned int inline jiffies_to_msecs(con
67662 - }
67663 - EXPORT_SYMBOL(jiffies_to_msecs);
67664 -
67665 --unsigned int inline jiffies_to_usecs(const unsigned long j)
67666 -+inline unsigned int jiffies_to_usecs(const unsigned long j)
67667 - {
67668 - #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
67669 - return (USEC_PER_SEC / HZ) * j;
67670 -diff -Nurp linux-2.6.23.15/kernel/utsname_sysctl.c linux-2.6.23.15-grsec/kernel/utsname_sysctl.c
67671 ---- linux-2.6.23.15/kernel/utsname_sysctl.c 2007-10-09 21:31:38.000000000 +0100
67672 -+++ linux-2.6.23.15-grsec/kernel/utsname_sysctl.c 2008-02-11 10:37:45.000000000 +0000
67673 -@@ -121,7 +121,7 @@ static struct ctl_table uts_kern_table[]
67674 - .proc_handler = proc_do_uts_string,
67675 - .strategy = sysctl_uts_string,
67676 - },
67677 -- {}
67678 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
67679 - };
67680 -
67681 - static struct ctl_table uts_root_table[] = {
67682 -@@ -131,7 +131,7 @@ static struct ctl_table uts_root_table[]
67683 - .mode = 0555,
67684 - .child = uts_kern_table,
67685 - },
67686 -- {}
67687 -+ { 0, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, NULL }
67688 - };
67689 -
67690 - static int __init utsname_sysctl_init(void)
67691 -diff -Nurp linux-2.6.23.15/lib/radix-tree.c linux-2.6.23.15-grsec/lib/radix-tree.c
67692 ---- linux-2.6.23.15/lib/radix-tree.c 2007-10-09 21:31:38.000000000 +0100
67693 -+++ linux-2.6.23.15-grsec/lib/radix-tree.c 2008-02-11 10:37:45.000000000 +0000
67694 -@@ -76,7 +76,7 @@ struct radix_tree_preload {
67695 - int nr;
67696 - struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
67697 - };
67698 --DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
67699 -+DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, {NULL} };
67700 -
67701 - static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
67702 - {
67703 -diff -Nurp linux-2.6.23.15/mm/filemap.c linux-2.6.23.15-grsec/mm/filemap.c
67704 ---- linux-2.6.23.15/mm/filemap.c 2008-02-11 10:36:03.000000000 +0000
67705 -+++ linux-2.6.23.15-grsec/mm/filemap.c 2008-02-11 10:37:45.000000000 +0000
67706 -@@ -30,6 +30,7 @@
67707 - #include <linux/security.h>
67708 - #include <linux/syscalls.h>
67709 - #include <linux/cpuset.h>
67710 -+#include <linux/grsecurity.h>
67711 - #include "filemap.h"
67712 - #include "internal.h"
67713 -
67714 -@@ -1461,7 +1462,7 @@ int generic_file_mmap(struct file * file
67715 - struct address_space *mapping = file->f_mapping;
67716 -
67717 - if (!mapping->a_ops->readpage)
67718 -- return -ENOEXEC;
67719 -+ return -ENODEV;
67720 - file_accessed(file);
67721 - vma->vm_ops = &generic_file_vm_ops;
67722 - vma->vm_flags |= VM_CAN_NONLINEAR;
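Review bot: changing generic_file_mmap()'s failure for a mapping without ->readpage from -ENOEXEC to -ENODEV is a user-visible errno change unrelated to the PaX/grsec features in this patch. ENODEV is what POSIX specifies for mmap on an unsupported file type, so it is arguably more correct, but it should be called out in the changelog and ideally sent upstream on its own.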
67723 -@@ -1726,6 +1727,7 @@ inline int generic_write_checks(struct f
67724 - *pos = i_size_read(inode);
67725 -
67726 - if (limit != RLIM_INFINITY) {
67727 -+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
67728 - if (*pos >= limit) {
67729 - send_sig(SIGXFSZ, current, 0);
67730 - return -EFBIG;
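Review bot: `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` is missing the space after the comma. More importantly `*pos` is a loff_t; if gr_learn_resource() takes an unsigned long for the value, the learned size is truncated on 32-bit builds for files beyond 4 GiB, so check the prototype's width.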
67731 -diff -Nurp linux-2.6.23.15/mm/fremap.c linux-2.6.23.15-grsec/mm/fremap.c
67732 ---- linux-2.6.23.15/mm/fremap.c 2007-10-09 21:31:38.000000000 +0100
67733 -+++ linux-2.6.23.15-grsec/mm/fremap.c 2008-02-11 10:37:45.000000000 +0000
67734 -@@ -148,6 +148,13 @@ asmlinkage long sys_remap_file_pages(uns
67735 - retry:
67736 - vma = find_vma(mm, start);
67737 -
67738 -+#ifdef CONFIG_PAX_SEGMEXEC
67739 -+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC)) {
67740 -+ up_read(&mm->mmap_sem);
67741 -+ return err;
67742 -+ }
67743 -+#endif
67744 -+
67745 - /*
67746 - * Make sure the vma is shared, that it supports prefaulting,
67747 - * and that the remapped range is valid and fully within
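Review bot: the early return `up_read(&mm->mmap_sem); return err;` assumes mmap_sem is held for read, but it sits directly under the `retry:` label, and sys_remap_file_pages in 2.6.23 jumps back to `retry` after upgrading the semaphore to a write lock (the has_write_lock path). Because the lock is dropped during that upgrade, the vma returned by `find_vma(mm, start)` on the second pass can differ from the first, so this branch is reachable with the write lock held and would then release the wrong side of the rwsem. Release the lock the same way the function's normal exit does (up_read or up_write depending on has_write_lock), or move the check to a point that is only reached once.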
67748 -diff -Nurp linux-2.6.23.15/mm/hugetlb.c linux-2.6.23.15-grsec/mm/hugetlb.c
67749 ---- linux-2.6.23.15/mm/hugetlb.c 2007-10-09 21:31:38.000000000 +0100
67750 -+++ linux-2.6.23.15-grsec/mm/hugetlb.c 2008-02-11 10:37:45.000000000 +0000
67751 -@@ -460,6 +460,26 @@ void unmap_hugepage_range(struct vm_area
67752 - }
67753 - }
67754 -
67755 -+#ifdef CONFIG_PAX_SEGMEXEC
67756 -+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67757 -+{
67758 -+ struct mm_struct *mm = vma->vm_mm;
67759 -+ struct vm_area_struct *vma_m;
67760 -+ unsigned long address_m;
67761 -+ pte_t *ptep_m;
67762 -+
67763 -+ vma_m = pax_find_mirror_vma(vma);
67764 -+ if (!vma_m)
67765 -+ return;
67766 -+
67767 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67768 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67769 -+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67770 -+ get_page(page_m);
67771 -+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67772 -+}
67773 -+#endif
67774 -+
67775 - static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
67776 - unsigned long address, pte_t *ptep, pte_t pte)
67777 - {
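Review bot: in pax_mirror_huge_pte, `ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);` returns NULL when no page table exists for the mirror address, and the result goes straight into set_huge_pte_at. The function relies on hugetlb_fault having called huge_pte_alloc(mm, address_m) beforehand (see the hugetlb_fault hunk further down); a `BUG_ON(!ptep_m)` or a comment stating that precondition would make the dependency explicit. The `get_page(page_m)` also takes a reference that the mirror PTE now owns, so a note on where that reference is dropped when the mirror is torn down would help anyone auditing the refcounting.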
67778 -@@ -493,6 +513,11 @@ static int hugetlb_cow(struct mm_struct
67779 - /* Break COW */
67780 - set_huge_pte_at(mm, address, ptep,
67781 - make_huge_pte(vma, new_page, 1));
67782 -+
67783 -+#ifdef CONFIG_PAX_SEGMEXEC
67784 -+ pax_mirror_huge_pte(vma, address, new_page);
67785 -+#endif
67786 -+
67787 - /* Make the old page be freed below */
67788 - new_page = old_page;
67789 - }
67790 -@@ -563,6 +588,10 @@ retry:
67791 - && (vma->vm_flags & VM_SHARED)));
67792 - set_huge_pte_at(mm, address, ptep, new_pte);
67793 -
67794 -+#ifdef CONFIG_PAX_SEGMEXEC
67795 -+ pax_mirror_huge_pte(vma, address, page);
67796 -+#endif
67797 -+
67798 - if (write_access && !(vma->vm_flags & VM_SHARED)) {
67799 - /* Optimization, do the COW without a second fault */
67800 - ret = hugetlb_cow(mm, vma, address, ptep, new_pte);
67801 -@@ -589,6 +618,27 @@ int hugetlb_fault(struct mm_struct *mm,
67802 - int ret;
67803 - static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67804 -
67805 -+#ifdef CONFIG_PAX_SEGMEXEC
67806 -+ struct vm_area_struct *vma_m;
67807 -+
67808 -+ vma_m = pax_find_mirror_vma(vma);
67809 -+ if (vma_m) {
67810 -+ unsigned long address_m;
67811 -+
67812 -+ if (vma->vm_start > vma_m->vm_start) {
67813 -+ address_m = address;
67814 -+ address -= SEGMEXEC_TASK_SIZE;
67815 -+ vma = vma_m;
67816 -+ } else
67817 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67818 -+
67819 -+ if (!huge_pte_alloc(mm, address_m))
67820 -+ return VM_FAULT_OOM;
67821 -+ address_m &= HPAGE_MASK;
67822 -+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);
67823 -+ }
67824 -+#endif
67825 -+
67826 - ptep = huge_pte_alloc(mm, address);
67827 - if (!ptep)
67828 - return VM_FAULT_OOM;
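Review bot: after the swap in `if (vma->vm_start > vma_m->vm_start) { address_m = address; address -= SEGMEXEC_TASK_SIZE; vma = vma_m; }` the names invert: `vma`/`address` now denote the lower (data) mapping and `vma_m`/`address_m` the upper one, even when the fault originally hit the upper half. The following `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE);` therefore hands the lower vma together with the upper address range, which only works because unmap_hugepage_range uses the vma for its mm (and file) rather than for range checks. A comment describing the normalisation (faults on either half are serviced against the lower mapping and the upper PTE is rebuilt from it) would save the next reader a detour; passing `vma_m` there would also read more naturally.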
67829 -diff -Nurp linux-2.6.23.15/mm/madvise.c linux-2.6.23.15-grsec/mm/madvise.c
67830 ---- linux-2.6.23.15/mm/madvise.c 2007-10-09 21:31:38.000000000 +0100
67831 -+++ linux-2.6.23.15-grsec/mm/madvise.c 2008-02-11 10:37:45.000000000 +0000
67832 -@@ -43,6 +43,10 @@ static long madvise_behavior(struct vm_a
67833 - pgoff_t pgoff;
67834 - int new_flags = vma->vm_flags;
67835 -
67836 -+#ifdef CONFIG_PAX_SEGMEXEC
67837 -+ struct vm_area_struct *vma_m;
67838 -+#endif
67839 -+
67840 - switch (behavior) {
67841 - case MADV_NORMAL:
67842 - new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67843 -@@ -92,6 +96,13 @@ success:
67844 - /*
67845 - * vm_flags is protected by the mmap_sem held in write mode.
67846 - */
67847 -+
67848 -+#ifdef CONFIG_PAX_SEGMEXEC
67849 -+ vma_m = pax_find_mirror_vma(vma);
67850 -+ if (vma_m)
67851 -+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67852 -+#endif
67853 -+
67854 - vma->vm_flags = new_flags;
67855 -
67856 - out:
67857 -@@ -236,6 +247,17 @@ madvise_vma(struct vm_area_struct *vma,
67858 -
67859 - case MADV_DONTNEED:
67860 - error = madvise_dontneed(vma, prev, start, end);
67861 -+
67862 -+#ifdef CONFIG_PAX_SEGMEXEC
67863 -+ if (!error) {
67864 -+ struct vm_area_struct *vma_m, *prev_m;
67865 -+
67866 -+ vma_m = pax_find_mirror_vma(vma);
67867 -+ if (vma_m)
67868 -+ error = madvise_dontneed(vma_m, &prev_m, start + SEGMEXEC_TASK_SIZE, end + SEGMEXEC_TASK_SIZE);
67869 -+ }
67870 -+#endif
67871 -+
67872 - break;
67873 -
67874 - default:
67875 -@@ -308,6 +330,16 @@ asmlinkage long sys_madvise(unsigned lon
67876 - if (end < start)
67877 - goto out;
67878 -
67879 -+#ifdef CONFIG_PAX_SEGMEXEC
67880 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67881 -+ if (end > SEGMEXEC_TASK_SIZE)
67882 -+ goto out;
67883 -+ } else
67884 -+#endif
67885 -+
67886 -+ if (end > TASK_SIZE)
67887 -+ goto out;
67888 -+
67889 - error = 0;
67890 - if (end == start)
67891 - goto out;
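Review bot: the `} else` immediately followed by `#endif` and then `if (end > TASK_SIZE)` is a dangling else across a preprocessor boundary. It is correct today, but it reads as two independent statements when SEGMEXEC is configured out and as one if/else chain when it is in, and any later edit that inserts a statement between the `#endif` and the `if` silently changes control flow. The same construction recurs in do_mbind (mm/mempolicy.c) and do_mlock (mm/mlock.c) below; computing a local limit (SEGMEXEC_TASK_SIZE or TASK_SIZE) once and comparing against it would be clearer and harder to break.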
67892 -diff -Nurp linux-2.6.23.15/mm/memory.c linux-2.6.23.15-grsec/mm/memory.c
67893 ---- linux-2.6.23.15/mm/memory.c 2007-10-09 21:31:38.000000000 +0100
67894 -+++ linux-2.6.23.15-grsec/mm/memory.c 2008-02-11 10:37:45.000000000 +0000
67895 -@@ -50,6 +50,7 @@
67896 - #include <linux/delayacct.h>
67897 - #include <linux/init.h>
67898 - #include <linux/writeback.h>
67899 -+#include <linux/grsecurity.h>
67900 -
67901 - #include <asm/pgalloc.h>
67902 - #include <asm/uaccess.h>
67903 -@@ -993,7 +994,7 @@ int get_user_pages(struct task_struct *t
67904 - struct vm_area_struct *vma;
67905 - unsigned int foll_flags;
67906 -
67907 -- vma = find_extend_vma(mm, start);
67908 -+ vma = find_vma(mm, start);
67909 - if (!vma && in_gate_area(tsk, start)) {
67910 - unsigned long pg = start & PAGE_MASK;
67911 - struct vm_area_struct *gate_vma = get_gate_vma(tsk);
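Review bot: replacing `vma = find_extend_vma(mm, start);` with `find_vma`, together with the `start < vma->vm_start` added to the -EFAULT test in the next hunk, means get_user_pages no longer grows a VM_GROWSDOWN stack vma on the caller's behalf. That is a behaviour change for access_process_vm users such as ptrace writing just below a tracee's current stack, which previously extended the stack and now fail with -EFAULT. It is a deliberate tightening and arguably the right call, but the changelog should state it so that debugger breakage is not mis-diagnosed.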
67912 -@@ -1033,7 +1034,7 @@ int get_user_pages(struct task_struct *t
67913 - continue;
67914 - }
67915 -
67916 -- if (!vma || (vma->vm_flags & (VM_IO | VM_PFNMAP))
67917 -+ if (!vma || start < vma->vm_start || (vma->vm_flags & (VM_IO | VM_PFNMAP))
67918 - || !(vm_flags & vma->vm_flags))
67919 - return i ? : -EFAULT;
67920 -
67921 -@@ -1614,6 +1615,195 @@ static inline void cow_user_page(struct
67922 - copy_user_highpage(dst, src, va, vma);
67923 - }
67924 -
67925 -+#ifdef CONFIG_PAX_SEGMEXEC
67926 -+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67927 -+{
67928 -+ struct mm_struct *mm = vma->vm_mm;
67929 -+ spinlock_t *ptl;
67930 -+ pte_t *pte, entry;
67931 -+
67932 -+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67933 -+ entry = *pte;
67934 -+ if (!pte_present(entry)) {
67935 -+ if (!pte_none(entry)) {
67936 -+ BUG_ON(pte_file(entry));
67937 -+ free_swap_and_cache(pte_to_swp_entry(entry));
67938 -+ pte_clear_not_present_full(mm, address, pte, 0);
67939 -+ }
67940 -+ } else {
67941 -+ struct page *page;
67942 -+
67943 -+ page = vm_normal_page(vma, address, entry);
67944 -+ if (page) {
67945 -+ flush_cache_page(vma, address, pte_pfn(entry));
67946 -+ flush_icache_page(vma, page);
67947 -+ }
67948 -+ ptep_clear_flush(vma, address, pte);
67949 -+ BUG_ON(pte_dirty(entry));
67950 -+ if (page) {
67951 -+ update_hiwater_rss(mm);
67952 -+ if (PageAnon(page))
67953 -+ dec_mm_counter(mm, anon_rss);
67954 -+ else
67955 -+ dec_mm_counter(mm, file_rss);
67956 -+ page_remove_rmap(page, vma);
67957 -+ page_cache_release(page);
67958 -+ }
67959 -+ }
67960 -+ pte_unmap_unlock(pte, ptl);
67961 -+}
67962 -+
67963 -+/* PaX: if vma is mirrored, synchronize the mirror's PTE
67964 -+ *
67965 -+ * the ptl of the lower mapped page is held on entry and is not released on exit
67966 -+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67967 -+ */
67968 -+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67969 -+{
67970 -+ struct mm_struct *mm = vma->vm_mm;
67971 -+ unsigned long address_m;
67972 -+ spinlock_t *ptl_m;
67973 -+ struct vm_area_struct *vma_m;
67974 -+ pmd_t *pmd_m;
67975 -+ pte_t *pte_m, entry_m;
67976 -+
67977 -+ BUG_ON(!page_m || !PageAnon(page_m));
67978 -+
67979 -+ vma_m = pax_find_mirror_vma(vma);
67980 -+ if (!vma_m)
67981 -+ return;
67982 -+
67983 -+ BUG_ON(!PageLocked(page_m));
67984 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67985 -+ address_m = address + SEGMEXEC_TASK_SIZE;
67986 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67987 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
67988 -+ ptl_m = pte_lockptr(mm, pmd_m);
67989 -+ if (ptl != ptl_m) {
67990 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67991 -+ if (!pte_none(*pte_m)) {
67992 -+ spin_unlock(ptl_m);
67993 -+ pte_unmap_nested(pte_m);
67994 -+ unlock_page(page_m);
67995 -+ return;
67996 -+ }
67997 -+ }
67998 -+
67999 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
68000 -+ page_cache_get(page_m);
68001 -+ page_add_anon_rmap(page_m, vma_m, address_m);
68002 -+ inc_mm_counter(mm, anon_rss);
68003 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68004 -+ update_mmu_cache(vma_m, address_m, entry_m);
68005 -+ lazy_mmu_prot_update(entry_m);
68006 -+ if (ptl != ptl_m)
68007 -+ spin_unlock(ptl_m);
68008 -+ pte_unmap_nested(pte_m);
68009 -+ unlock_page(page_m);
68010 -+}
68011 -+
68012 -+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
68013 -+{
68014 -+ struct mm_struct *mm = vma->vm_mm;
68015 -+ unsigned long address_m;
68016 -+ spinlock_t *ptl_m;
68017 -+ struct vm_area_struct *vma_m;
68018 -+ pmd_t *pmd_m;
68019 -+ pte_t *pte_m, entry_m;
68020 -+
68021 -+ BUG_ON(!page_m || PageAnon(page_m));
68022 -+
68023 -+ vma_m = pax_find_mirror_vma(vma);
68024 -+ if (!vma_m)
68025 -+ return;
68026 -+
68027 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
68028 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68029 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
68030 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
68031 -+ ptl_m = pte_lockptr(mm, pmd_m);
68032 -+ if (ptl != ptl_m) {
68033 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
68034 -+ if (!pte_none(*pte_m)) {
68035 -+ spin_unlock(ptl_m);
68036 -+ pte_unmap_nested(pte_m);
68037 -+ return;
68038 -+ }
68039 -+ }
68040 -+
68041 -+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
68042 -+ page_cache_get(page_m);
68043 -+ page_add_file_rmap(page_m);
68044 -+ inc_mm_counter(mm, file_rss);
68045 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68046 -+ update_mmu_cache(vma_m, address_m, entry_m);
68047 -+ lazy_mmu_prot_update(entry_m);
68048 -+ if (ptl != ptl_m)
68049 -+ spin_unlock(ptl_m);
68050 -+ pte_unmap_nested(pte_m);
68051 -+}
68052 -+
68053 -+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
68054 -+{
68055 -+ struct mm_struct *mm = vma->vm_mm;
68056 -+ unsigned long address_m;
68057 -+ spinlock_t *ptl_m;
68058 -+ struct vm_area_struct *vma_m;
68059 -+ pmd_t *pmd_m;
68060 -+ pte_t *pte_m, entry_m;
68061 -+
68062 -+ vma_m = pax_find_mirror_vma(vma);
68063 -+ if (!vma_m)
68064 -+ return;
68065 -+
68066 -+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
68067 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68068 -+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
68069 -+ pte_m = pte_offset_map_nested(pmd_m, address_m);
68070 -+ ptl_m = pte_lockptr(mm, pmd_m);
68071 -+ if (ptl != ptl_m) {
68072 -+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
68073 -+ if (!pte_none(*pte_m)) {
68074 -+ spin_unlock(ptl_m);
68075 -+ pte_unmap_nested(pte_m);
68076 -+ return;
68077 -+ }
68078 -+ }
68079 -+
68080 -+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
68081 -+ set_pte_at(mm, address_m, pte_m, entry_m);
68082 -+ if (ptl != ptl_m)
68083 -+ spin_unlock(ptl_m);
68084 -+ pte_unmap_nested(pte_m);
68085 -+}
68086 -+
68087 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
68088 -+{
68089 -+ struct page *page_m;
68090 -+ pte_t entry;
68091 -+
68092 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
68093 -+ return;
68094 -+
68095 -+ entry = *pte;
68096 -+ page_m = vm_normal_page(vma, address, entry);
68097 -+ if (!page_m)
68098 -+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
68099 -+ else if (PageAnon(page_m)) {
68100 -+ if (pax_find_mirror_vma(vma)) {
68101 -+ spin_unlock(ptl);
68102 -+ lock_page(page_m);
68103 -+ spin_lock(ptl);
68104 -+ if (pte_same(entry, *pte))
68105 -+ pax_mirror_anon_pte(vma, address, page_m, ptl);
68106 -+ else
68107 -+ unlock_page(page_m);
68108 -+ }
68109 -+ } else
68110 -+ pax_mirror_file_pte(vma, address, page_m, ptl);
68111 -+}
68112 -+#endif
68113 -+
68114 - /*
68115 - * This routine handles present pages, when users try to write
68116 - * to a shared page. It is done by copying the page to a new address
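Review bot: in pax_mirror_anon_pte, pax_mirror_file_pte and pax_mirror_pfn_pte the `if (!pte_none(*pte_m))` bail-out is evaluated only inside `if (ptl != ptl_m)`. When the mirror PTE shares the lock with the original (split ptlocks disabled, or both addresses landing in the same page-table page), an already-populated mirror entry would be overwritten by set_pte_at without dropping the old page's rmap and reference. If the invariant is that pax_unmap_mirror_pte in handle_mm_fault has always cleared the mirror by this point, say so in a comment; otherwise hoist the pte_none check out of the lock-comparison branch. Separately, the three functions repeat about twenty lines of mirror-address computation and lock handling; one shared helper would shrink the hunk and keep the paths from drifting apart.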
68117 -@@ -1733,6 +1923,12 @@ gotten:
68118 - */
68119 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
68120 - if (likely(pte_same(*page_table, orig_pte))) {
68121 -+
68122 -+#ifdef CONFIG_PAX_SEGMEXEC
68123 -+ if (pax_find_mirror_vma(vma))
68124 -+ BUG_ON(TestSetPageLocked(new_page));
68125 -+#endif
68126 -+
68127 - if (old_page) {
68128 - page_remove_rmap(old_page, vma);
68129 - if (!PageAnon(old_page)) {
68130 -@@ -1757,6 +1953,10 @@ gotten:
68131 - lru_cache_add_active(new_page);
68132 - page_add_new_anon_rmap(new_page, vma, address);
68133 -
68134 -+#ifdef CONFIG_PAX_SEGMEXEC
68135 -+ pax_mirror_anon_pte(vma, address, new_page, ptl);
68136 -+#endif
68137 -+
68138 - /* Free the old page.. */
68139 - new_page = old_page;
68140 - ret |= VM_FAULT_WRITE;
68141 -@@ -2034,6 +2234,7 @@ int vmtruncate(struct inode * inode, lof
68142 -
68143 - do_expand:
68144 - limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
68145 -+ gr_learn_resource(current, RLIMIT_FSIZE, offset, 1);
68146 - if (limit != RLIM_INFINITY && offset > limit)
68147 - goto out_sig;
68148 - if (offset > inode->i_sb->s_maxbytes)
68149 -@@ -2216,6 +2417,11 @@ static int do_swap_page(struct mm_struct
68150 - swap_free(entry);
68151 - if (vm_swap_full())
68152 - remove_exclusive_swap_page(page);
68153 -+
68154 -+#ifdef CONFIG_PAX_SEGMEXEC
68155 -+ if (write_access || !pax_find_mirror_vma(vma))
68156 -+#endif
68157 -+
68158 - unlock_page(page);
68159 -
68160 - if (write_access) {
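Review bot: the page-lock hand-off here is implicit: `if (write_access || !pax_find_mirror_vma(vma))` guards `unlock_page(page);`, so on a read fault in a mirrored vma the page stays locked and is released later inside pax_mirror_anon_pte (its trailing `unlock_page(page_m)`), which is called from the next hunk. The `if` also spans an `#ifdef`/`#endif`, so with SEGMEXEC off it degenerates to a plain unconditional unlock. This works, but a comment at this point stating who owns the page lock on each path, and that pax_mirror_anon_pte both requires and drops it, would prevent a future unconditional unlock_page from being added here and double-unlocking.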
68161 -@@ -2228,6 +2434,11 @@ static int do_swap_page(struct mm_struct
68162 -
68163 - /* No need to invalidate - it was non-present before */
68164 - update_mmu_cache(vma, address, pte);
68165 -+
68166 -+#ifdef CONFIG_PAX_SEGMEXEC
68167 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68168 -+#endif
68169 -+
68170 - unlock:
68171 - pte_unmap_unlock(page_table, ptl);
68172 - out:
68173 -@@ -2268,6 +2479,12 @@ static int do_anonymous_page(struct mm_s
68174 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
68175 - if (!pte_none(*page_table))
68176 - goto release;
68177 -+
68178 -+#ifdef CONFIG_PAX_SEGMEXEC
68179 -+ if (pax_find_mirror_vma(vma))
68180 -+ BUG_ON(TestSetPageLocked(page));
68181 -+#endif
68182 -+
68183 - inc_mm_counter(mm, anon_rss);
68184 - lru_cache_add_active(page);
68185 - page_add_new_anon_rmap(page, vma, address);
68186 -@@ -2290,6 +2507,14 @@ static int do_anonymous_page(struct mm_s
68187 - /* No need to invalidate - it was non-present before */
68188 - update_mmu_cache(vma, address, entry);
68189 - lazy_mmu_prot_update(entry);
68190 -+
68191 -+#ifdef CONFIG_PAX_SEGMEXEC
68192 -+ if (write_access)
68193 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68194 -+ else
68195 -+ pax_mirror_file_pte(vma, address, page, ptl);
68196 -+#endif
68197 -+
68198 - unlock:
68199 - pte_unmap_unlock(page_table, ptl);
68200 - return 0;
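Review bot: the read-fault branch `else pax_mirror_file_pte(vma, address, page, ptl);` depends on the fact that in 2.6.23 a read fault in an anonymous vma maps ZERO_PAGE, which is not PageAnon, so pax_mirror_file_pte's `BUG_ON(!page_m || PageAnon(page_m))` holds and the mirror receives the same read-only zero page. None of that is visible at the call site; a one-line comment explaining why an anonymous fault deliberately takes the file-page path would keep someone from "correcting" it to the anon variant.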
68201 -@@ -2422,6 +2647,12 @@ static int __do_fault(struct mm_struct *
68202 - */
68203 - /* Only go through if we didn't race with anybody else... */
68204 - if (likely(pte_same(*page_table, orig_pte))) {
68205 -+
68206 -+#ifdef CONFIG_PAX_SEGMEXEC
68207 -+ if (anon && pax_find_mirror_vma(vma))
68208 -+ BUG_ON(TestSetPageLocked(page));
68209 -+#endif
68210 -+
68211 - flush_icache_page(vma, page);
68212 - entry = mk_pte(page, vma->vm_page_prot);
68213 - if (flags & FAULT_FLAG_WRITE)
68214 -@@ -2443,6 +2674,14 @@ static int __do_fault(struct mm_struct *
68215 - /* no need to invalidate: a not-present page won't be cached */
68216 - update_mmu_cache(vma, address, entry);
68217 - lazy_mmu_prot_update(entry);
68218 -+
68219 -+#ifdef CONFIG_PAX_SEGMEXEC
68220 -+ if (anon)
68221 -+ pax_mirror_anon_pte(vma, address, page, ptl);
68222 -+ else
68223 -+ pax_mirror_file_pte(vma, address, page, ptl);
68224 -+#endif
68225 -+
68226 - } else {
68227 - if (anon)
68228 - page_cache_release(page);
68229 -@@ -2522,6 +2761,11 @@ static noinline int do_no_pfn(struct mm_
68230 - if (write_access)
68231 - entry = maybe_mkwrite(pte_mkdirty(entry), vma);
68232 - set_pte_at(mm, address, page_table, entry);
68233 -+
68234 -+#ifdef CONFIG_PAX_SEGMEXEC
68235 -+ pax_mirror_pfn_pte(vma, address, pfn, ptl);
68236 -+#endif
68237 -+
68238 - }
68239 - pte_unmap_unlock(page_table, ptl);
68240 - return 0;
68241 -@@ -2625,6 +2869,11 @@ static inline int handle_pte_fault(struc
68242 - if (write_access)
68243 - flush_tlb_page(vma, address);
68244 - }
68245 -+
68246 -+#ifdef CONFIG_PAX_SEGMEXEC
68247 -+ pax_mirror_pte(vma, address, pte, ptl);
68248 -+#endif
68249 -+
68250 - unlock:
68251 - pte_unmap_unlock(pte, ptl);
68252 - return 0;
68253 -@@ -2641,6 +2890,10 @@ int handle_mm_fault(struct mm_struct *mm
68254 - pmd_t *pmd;
68255 - pte_t *pte;
68256 -
68257 -+#ifdef CONFIG_PAX_SEGMEXEC
68258 -+ struct vm_area_struct *vma_m;
68259 -+#endif
68260 -+
68261 - __set_current_state(TASK_RUNNING);
68262 -
68263 - count_vm_event(PGFAULT);
68264 -@@ -2648,6 +2901,34 @@ int handle_mm_fault(struct mm_struct *mm
68265 - if (unlikely(is_vm_hugetlb_page(vma)))
68266 - return hugetlb_fault(mm, vma, address, write_access);
68267 -
68268 -+#ifdef CONFIG_PAX_SEGMEXEC
68269 -+ vma_m = pax_find_mirror_vma(vma);
68270 -+ if (vma_m) {
68271 -+ unsigned long address_m;
68272 -+ pgd_t *pgd_m;
68273 -+ pud_t *pud_m;
68274 -+ pmd_t *pmd_m;
68275 -+
68276 -+ if (vma->vm_start > vma_m->vm_start) {
68277 -+ address_m = address;
68278 -+ address -= SEGMEXEC_TASK_SIZE;
68279 -+ vma = vma_m;
68280 -+ } else
68281 -+ address_m = address + SEGMEXEC_TASK_SIZE;
68282 -+
68283 -+ pgd_m = pgd_offset(mm, address_m);
68284 -+ pud_m = pud_alloc(mm, pgd_m, address_m);
68285 -+ if (!pud_m)
68286 -+ return VM_FAULT_OOM;
68287 -+ pmd_m = pmd_alloc(mm, pud_m, address_m);
68288 -+ if (!pmd_m)
68289 -+ return VM_FAULT_OOM;
68290 -+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
68291 -+ return VM_FAULT_OOM;
68292 -+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
68293 -+ }
68294 -+#endif
68295 -+
68296 - pgd = pgd_offset(mm, address);
68297 - pud = pud_alloc(mm, pgd, address);
68298 - if (!pud)
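Review bot: the block under `vma_m = pax_find_mirror_vma(vma);` first normalises the fault onto the lower mapping (the swap under `if (vma->vm_start > vma_m->vm_start)`) and then calls `pax_unmap_mirror_pte(vma_m, address_m, pmd_m);` unconditionally, so every fault on either half tears down the upper PTE and the fault handlers re-mirror it from the lower half. After the swap, `vma_m` is the vma the fault actually occurred in, which the name hides; a comment stating the invariant (upper half is always rebuilt from the lower half) would help here and in the parallel hugetlb_fault hunk. Minor: the pud_alloc/pmd_alloc/__pte_alloc calls for address_m run before the same allocations for `address`, so an allocation failure returns VM_FAULT_OOM after having allocated mirror page tables that nothing uses; harmless, but worth a note.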
68299 -@@ -2781,7 +3062,7 @@ static int __init gate_vma_init(void)
68300 - gate_vma.vm_start = FIXADDR_USER_START;
68301 - gate_vma.vm_end = FIXADDR_USER_END;
68302 - gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
68303 -- gate_vma.vm_page_prot = __P101;
68304 -+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
68305 - /*
68306 - * Make sure the vDSO gets into every core dump.
68307 - * Dumping its contents makes post-mortem fully interpretable later
68308 -diff -Nurp linux-2.6.23.15/mm/mempolicy.c linux-2.6.23.15-grsec/mm/mempolicy.c
68309 ---- linux-2.6.23.15/mm/mempolicy.c 2007-10-09 21:31:38.000000000 +0100
68310 -+++ linux-2.6.23.15-grsec/mm/mempolicy.c 2008-02-11 10:37:45.000000000 +0000
68311 -@@ -401,6 +401,10 @@ static int mbind_range(struct vm_area_st
68312 - struct vm_area_struct *next;
68313 - int err;
68314 -
68315 -+#ifdef CONFIG_PAX_SEGMEXEC
68316 -+ struct vm_area_struct *vma_m;
68317 -+#endif
68318 -+
68319 - err = 0;
68320 - for (; vma && vma->vm_start < end; vma = next) {
68321 - next = vma->vm_next;
68322 -@@ -412,6 +416,16 @@ static int mbind_range(struct vm_area_st
68323 - err = policy_vma(vma, new);
68324 - if (err)
68325 - break;
68326 -+
68327 -+#ifdef CONFIG_PAX_SEGMEXEC
68328 -+ vma_m = pax_find_mirror_vma(vma);
68329 -+ if (vma_m) {
68330 -+ err = policy_vma(vma_m, new);
68331 -+ if (err)
68332 -+ break;
68333 -+ }
68334 -+#endif
68335 -+
68336 - }
68337 - return err;
68338 - }
68339 -@@ -732,7 +746,7 @@ static struct page *new_vma_page(struct
68340 - }
68341 - #endif
68342 -
68343 --long do_mbind(unsigned long start, unsigned long len,
68344 -+static long do_mbind(unsigned long start, unsigned long len,
68345 - unsigned long mode, nodemask_t *nmask, unsigned long flags)
68346 - {
68347 - struct vm_area_struct *vma;
68348 -@@ -760,6 +774,17 @@ long do_mbind(unsigned long start, unsig
68349 -
68350 - if (end < start)
68351 - return -EINVAL;
68352 -+
68353 -+#ifdef CONFIG_PAX_SEGMEXEC
68354 -+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68355 -+ if (end > SEGMEXEC_TASK_SIZE)
68356 -+ return -EINVAL;
68357 -+ } else
68358 -+#endif
68359 -+
68360 -+ if (end > TASK_SIZE)
68361 -+ return -EINVAL;
68362 -+
68363 - if (end == start)
68364 - return 0;
68365 -
68366 -diff -Nurp linux-2.6.23.15/mm/mlock.c linux-2.6.23.15-grsec/mm/mlock.c
68367 ---- linux-2.6.23.15/mm/mlock.c 2007-10-09 21:31:38.000000000 +0100
68368 -+++ linux-2.6.23.15-grsec/mm/mlock.c 2008-02-11 10:37:45.000000000 +0000
68369 -@@ -12,6 +12,7 @@
68370 - #include <linux/syscalls.h>
68371 - #include <linux/sched.h>
68372 - #include <linux/module.h>
68373 -+#include <linux/grsecurity.h>
68374 -
68375 - int can_do_mlock(void)
68376 - {
68377 -@@ -95,6 +96,17 @@ static int do_mlock(unsigned long start,
68378 - return -EINVAL;
68379 - if (end == start)
68380 - return 0;
68381 -+
68382 -+#ifdef CONFIG_PAX_SEGMEXEC
68383 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
68384 -+ if (end > SEGMEXEC_TASK_SIZE)
68385 -+ return -EINVAL;
68386 -+ } else
68387 -+#endif
68388 -+
68389 -+ if (end > TASK_SIZE)
68390 -+ return -EINVAL;
68391 -+
68392 - vma = find_vma_prev(current->mm, start, &prev);
68393 - if (!vma || vma->vm_start > start)
68394 - return -ENOMEM;
68395 -@@ -152,6 +164,7 @@ asmlinkage long sys_mlock(unsigned long
68396 - lock_limit >>= PAGE_SHIFT;
68397 -
68398 - /* check against resource limits */
68399 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
68400 - if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
68401 - error = do_mlock(start, len, 1);
68402 - up_write(&current->mm->mmap_sem);
68403 -@@ -173,10 +186,10 @@ asmlinkage long sys_munlock(unsigned lon
68404 - static int do_mlockall(int flags)
68405 - {
68406 - struct vm_area_struct * vma, * prev = NULL;
68407 -- unsigned int def_flags = 0;
68408 -+ unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;
68409 -
68410 - if (flags & MCL_FUTURE)
68411 -- def_flags = VM_LOCKED;
68412 -+ def_flags |= VM_LOCKED;
68413 - current->mm->def_flags = def_flags;
68414 - if (flags == MCL_FUTURE)
68415 - goto out;
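Review bot: `unsigned int def_flags = current->mm->def_flags & ~VM_LOCKED;` followed by `def_flags |= VM_LOCKED;` fixes a genuine problem in the original code, which assigned 0 or VM_LOCKED to mm->def_flags and thereby discarded any other default flags the mm carried. This part is independent of SEGMEXEC and would be a good candidate to split out and submit upstream on its own, with a changelog line explaining the clobbering.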
68416 -@@ -184,6 +197,12 @@ static int do_mlockall(int flags)
68417 - for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68418 - unsigned int newflags;
68419 -
68420 -+#ifdef CONFIG_PAX_SEGMEXEC
68421 -+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68422 -+ break;
68423 -+#endif
68424 -+
68425 -+ BUG_ON(vma->vm_end > TASK_SIZE);
68426 - newflags = vma->vm_flags | VM_LOCKED;
68427 - if (!(flags & MCL_CURRENT))
68428 - newflags &= ~VM_LOCKED;
68429 -@@ -213,6 +232,7 @@ asmlinkage long sys_mlockall(int flags)
68430 - lock_limit >>= PAGE_SHIFT;
68431 -
68432 - ret = -ENOMEM;
68433 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm, 1);
68434 - if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68435 - capable(CAP_IPC_LOCK))
68436 - ret = do_mlockall(flags);
68437 -diff -Nurp linux-2.6.23.15/mm/mmap.c linux-2.6.23.15-grsec/mm/mmap.c
68438 ---- linux-2.6.23.15/mm/mmap.c 2008-02-11 10:36:03.000000000 +0000
68439 -+++ linux-2.6.23.15-grsec/mm/mmap.c 2008-02-11 10:43:32.000000000 +0000
68440 -@@ -25,6 +25,7 @@
68441 - #include <linux/mount.h>
68442 - #include <linux/mempolicy.h>
68443 - #include <linux/rmap.h>
68444 -+#include <linux/grsecurity.h>
68445 -
68446 - #include <asm/uaccess.h>
68447 - #include <asm/cacheflush.h>
68448 -@@ -35,6 +36,16 @@
68449 - #define arch_mmap_check(addr, len, flags) (0)
68450 - #endif
68451 -
68452 -+static inline void verify_mm_writelocked(struct mm_struct *mm)
68453 -+{
68454 -+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68455 -+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68456 -+ up_read(&mm->mmap_sem);
68457 -+ BUG();
68458 -+ }
68459 -+#endif
68460 -+}
68461 -+
68462 - static void unmap_region(struct mm_struct *mm,
68463 - struct vm_area_struct *vma, struct vm_area_struct *prev,
68464 - unsigned long start, unsigned long end);
68465 -@@ -60,15 +71,23 @@ static void unmap_region(struct mm_struc
68466 - * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
68467 - *
68468 - */
68469 --pgprot_t protection_map[16] = {
68470 -+pgprot_t protection_map[16] __read_only = {
68471 - __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68472 - __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68473 - };
68474 -
68475 - pgprot_t vm_get_page_prot(unsigned long vm_flags)
68476 - {
68477 -- return protection_map[vm_flags &
68478 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68479 -+ pgprot_t prot = protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68480 -+
68481 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68482 -+ if (!nx_enabled &&
68483 -+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68484 -+ (vm_flags & (VM_READ | VM_WRITE)))
68485 -+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68486 -+#endif
68487 -+
68488 -+ return prot;
68489 - }
68490 - EXPORT_SYMBOL(vm_get_page_prot);
68491 -
68492 -@@ -225,6 +244,7 @@ static struct vm_area_struct *remove_vma
68493 - struct vm_area_struct *next = vma->vm_next;
68494 -
68495 - might_sleep();
68496 -+ BUG_ON(vma->vm_mirror);
68497 - if (vma->vm_ops && vma->vm_ops->close)
68498 - vma->vm_ops->close(vma);
68499 - if (vma->vm_file)
68500 -@@ -252,6 +272,7 @@ asmlinkage unsigned long sys_brk(unsigne
68501 - * not page aligned -Ram Gupta
68502 - */
68503 - rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
68504 -+ gr_learn_resource(current, RLIMIT_DATA, brk - mm->start_data, 1);
68505 - if (rlim < RLIM_INFINITY && brk - mm->start_data > rlim)
68506 - goto out;
68507 -
68508 -@@ -352,8 +373,12 @@ find_vma_prepare(struct mm_struct *mm, u
68509 -
68510 - if (vma_tmp->vm_end > addr) {
68511 - vma = vma_tmp;
68512 -- if (vma_tmp->vm_start <= addr)
68513 -- return vma;
68514 -+ if (vma_tmp->vm_start <= addr) {
68515 -+//printk("PAX: prep: %08lx-%08lx %08lx pr:%p l:%p pa:%p ",
68516 -+//vma->vm_start, vma->vm_end, addr, *pprev, *rb_link, *rb_parent);
68517 -+//__print_symbol("%s\n", __builtin_extract_return_addr(__builtin_return_address(0)));
68518 -+ break;
68519 -+ }
68520 - __rb_link = &__rb_parent->rb_left;
68521 - } else {
68522 - rb_prev = __rb_parent;
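Review bot: the three commented-out `//printk("PAX: prep: ...` and `//__print_symbol(...)` lines are leftover debugging and should be removed before this ships; if the diagnostic is still useful, gate it behind a debug Kconfig symbol rather than leaving dead `//` comments in find_vma_prepare. The substantive change, `break` instead of `return vma` when an existing vma already covers addr, also alters the function's contract: callers now get `*pprev`, `*rb_link` and `*rb_parent` filled in for an already-mapped address instead of an early return. Confirm every caller is happy with that, and mention it in the changelog.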
68523 -@@ -677,6 +702,12 @@ static int
68524 - can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68525 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68526 - {
68527 -+
68528 -+#ifdef CONFIG_PAX_SEGMEXEC
68529 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68530 -+ return 0;
68531 -+#endif
68532 -+
68533 - if (is_mergeable_vma(vma, file, vm_flags) &&
68534 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68535 - if (vma->vm_pgoff == vm_pgoff)
68536 -@@ -696,6 +727,12 @@ static int
68537 - can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68538 - struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68539 - {
68540 -+
68541 -+#ifdef CONFIG_PAX_SEGMEXEC
68542 -+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68543 -+ return 0;
68544 -+#endif
68545 -+
68546 - if (is_mergeable_vma(vma, file, vm_flags) &&
68547 - is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68548 - pgoff_t vm_pglen;
68549 -@@ -738,12 +775,19 @@ can_vma_merge_after(struct vm_area_struc
68550 - struct vm_area_struct *vma_merge(struct mm_struct *mm,
68551 - struct vm_area_struct *prev, unsigned long addr,
68552 - unsigned long end, unsigned long vm_flags,
68553 -- struct anon_vma *anon_vma, struct file *file,
68554 -+ struct anon_vma *anon_vma, struct file *file,
68555 - pgoff_t pgoff, struct mempolicy *policy)
68556 - {
68557 - pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68558 - struct vm_area_struct *area, *next;
68559 -
68560 -+#ifdef CONFIG_PAX_SEGMEXEC
68561 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68562 -+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68563 -+
68564 -+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68565 -+#endif
68566 -+
68567 - /*
68568 - * We later require that vma->vm_flags == vm_flags,
68569 - * so this tests vma->vm_flags & VM_SPECIAL, too.
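Review bot: the `-`/`+` pair on `struct anon_vma *anon_vma, struct file *file,` differs only in indentation; drop this unrelated whitespace churn so the hunk shows nothing but the SEGMEXEC additions. The new `BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);` usefully pins down that vma_merge is only ever called for the lower half; `addr_m` and `end_m` are computed unconditionally for every mm, including those without SEGMEXEC where they are never used, which is cheap but could be moved under the `if (prev_m)`/`if (area_m)` uses for clarity.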
68570 -@@ -759,6 +803,15 @@ struct vm_area_struct *vma_merge(struct
68571 - if (next && next->vm_end == end) /* cases 6, 7, 8 */
68572 - next = next->vm_next;
68573 -
68574 -+#ifdef CONFIG_PAX_SEGMEXEC
68575 -+ if (prev)
68576 -+ prev_m = pax_find_mirror_vma(prev);
68577 -+ if (area)
68578 -+ area_m = pax_find_mirror_vma(area);
68579 -+ if (next)
68580 -+ next_m = pax_find_mirror_vma(next);
68581 -+#endif
68582 -+
68583 - /*
68584 - * Can it merge with the predecessor?
68585 - */
68586 -@@ -778,9 +831,24 @@ struct vm_area_struct *vma_merge(struct
68587 - /* cases 1, 6 */
68588 - vma_adjust(prev, prev->vm_start,
68589 - next->vm_end, prev->vm_pgoff, NULL);
68590 -- } else /* cases 2, 5, 7 */
68591 -+
68592 -+#ifdef CONFIG_PAX_SEGMEXEC
68593 -+ if (prev_m)
68594 -+ vma_adjust(prev_m, prev_m->vm_start,
68595 -+ next_m->vm_end, prev_m->vm_pgoff, NULL);
68596 -+#endif
68597 -+
68598 -+ } else { /* cases 2, 5, 7 */
68599 - vma_adjust(prev, prev->vm_start,
68600 - end, prev->vm_pgoff, NULL);
68601 -+
68602 -+#ifdef CONFIG_PAX_SEGMEXEC
68603 -+ if (prev_m)
68604 -+ vma_adjust(prev_m, prev_m->vm_start,
68605 -+ end_m, prev_m->vm_pgoff, NULL);
68606 -+#endif
68607 -+
68608 -+ }
68609 - return prev;
68610 - }
68611 -
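Review bot: under `if (prev_m)` the cases 1, 6 branch dereferences `next_m->vm_end` without checking `next_m`, and the cases 3, 8 branch in the next hunk does the same under `if (area_m)`. This is safe only if two vmas that is_mergeable_vma accepts always have the same mirror status, i.e. mirror existence is fully determined by the vm_flags compared there. If that is the intended invariant, a `BUG_ON(!next_m)` beside each use (or a comment) makes it checkable; otherwise these are NULL dereferences waiting for a vma whose mirror was torn down independently.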
68612 -@@ -791,12 +859,27 @@ struct vm_area_struct *vma_merge(struct
68613 - mpol_equal(policy, vma_policy(next)) &&
68614 - can_vma_merge_before(next, vm_flags,
68615 - anon_vma, file, pgoff+pglen)) {
68616 -- if (prev && addr < prev->vm_end) /* case 4 */
68617 -+ if (prev && addr < prev->vm_end) { /* case 4 */
68618 - vma_adjust(prev, prev->vm_start,
68619 - addr, prev->vm_pgoff, NULL);
68620 -- else /* cases 3, 8 */
68621 -+
68622 -+#ifdef CONFIG_PAX_SEGMEXEC
68623 -+ if (prev_m)
68624 -+ vma_adjust(prev_m, prev_m->vm_start,
68625 -+ addr_m, prev_m->vm_pgoff, NULL);
68626 -+#endif
68627 -+
68628 -+ } else { /* cases 3, 8 */
68629 - vma_adjust(area, addr, next->vm_end,
68630 - next->vm_pgoff - pglen, NULL);
68631 -+
68632 -+#ifdef CONFIG_PAX_SEGMEXEC
68633 -+ if (area_m)
68634 -+ vma_adjust(area_m, addr_m, next_m->vm_end,
68635 -+ next_m->vm_pgoff - pglen, NULL);
68636 -+#endif
68637 -+
68638 -+ }
68639 - return area;
68640 - }
68641 -
68642 -@@ -871,14 +954,11 @@ none:
68643 - void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68644 - struct file *file, long pages)
68645 - {
68646 -- const unsigned long stack_flags
68647 -- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68648 --
68649 - if (file) {
68650 - mm->shared_vm += pages;
68651 - if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68652 - mm->exec_vm += pages;
68653 -- } else if (flags & stack_flags)
68654 -+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68655 - mm->stack_vm += pages;
68656 - if (flags & (VM_RESERVED|VM_IO))
68657 - mm->reserved_vm += pages;
68658 -@@ -906,22 +986,22 @@ unsigned long do_mmap_pgoff(struct file
68659 - * (the exception is when the underlying filesystem is noexec
68660 - * mounted, in which case we dont add PROT_EXEC.)
68661 - */
68662 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68663 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68664 - if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68665 - prot |= PROT_EXEC;
68666 -
68667 - if (!len)
68668 - return -EINVAL;
68669 -
68670 -- error = arch_mmap_check(addr, len, flags);
68671 -- if (error)
68672 -- return error;
68673 --
68674 - /* Careful about overflows.. */
68675 - len = PAGE_ALIGN(len);
68676 - if (!len || len > TASK_SIZE)
68677 - return -ENOMEM;
68678 -
68679 -+ error = arch_mmap_check(addr, len, flags);
68680 -+ if (error)
68681 -+ return error;
68682 -+
68683 - /* offset overflow? */
68684 - if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
68685 - return -EOVERFLOW;
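Review bot: widening the READ_IMPLIES_EXEC test to `(prot & (PROT_READ | PROT_WRITE))` means write-only mappings under legacy personalities now also receive PROT_EXEC, yet the comment above the line still speaks only of read; update the comment to match. Moving arch_mmap_check after `len = PAGE_ALIGN(len)` is a good fix, since the check now sees the aligned length and is skipped for a zero length.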
68686 -@@ -933,7 +1013,7 @@ unsigned long do_mmap_pgoff(struct file
68687 - /* Obtain the address to map to. we verify (or select) it and ensure
68688 - * that it represents a valid section of the address space.
68689 - */
68690 -- addr = get_unmapped_area(file, addr, len, pgoff, flags);
68691 -+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68692 - if (addr & ~PAGE_MASK)
68693 - return addr;
68694 -
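Review bot: OR-ing MAP_EXECUTABLE into the flags passed to get_unmapped_area overloads a userspace mmap flag as an internal "this mapping will be executable" hint; add a comment at that call naming which arch_get_unmapped_area implementation consumes it (SEGMEXEC placement), so the dependency is visible to anyone touching this line later.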
68695 -@@ -944,6 +1024,26 @@ unsigned long do_mmap_pgoff(struct file
68696 - vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68697 - mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68698 -
68699 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
68700 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
68701 -+
68702 -+#ifdef CONFIG_PAX_MPROTECT
68703 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
68704 -+ if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)
68705 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68706 -+ else
68707 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
68708 -+ }
68709 -+#endif
68710 -+
68711 -+ }
68712 -+#endif
68713 -+
68714 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68715 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68716 -+ vm_flags &= ~VM_PAGEEXEC;
68717 -+#endif
68718 -+
68719 - if (flags & MAP_LOCKED) {
68720 - if (!can_do_mlock())
68721 - return -EPERM;
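Review bot: under CONFIG_PAX_MPROTECT a request for PROT_WRITE|PROT_EXEC is silently narrowed to a non-executable mapping (the `!= PROT_EXEC` branch clears VM_EXEC and VM_MAYEXEC) rather than failing, so the caller gets permissions it did not ask for; document that behaviour at the `if ((prot & (PROT_WRITE | PROT_EXEC)) != PROT_EXEC)` line. The x86_32 block also clears VM_PAGEEXEC for every file mapping here while a later hunk sets it again after file->f_op->mmap unless VM_SPECIAL; a one-line comment at the clear explaining that ordering would help.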
68722 -@@ -956,6 +1056,7 @@ unsigned long do_mmap_pgoff(struct file
68723 - locked += mm->locked_vm;
68724 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
68725 - lock_limit >>= PAGE_SHIFT;
68726 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68727 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68728 - return -EAGAIN;
68729 - }
68730 -@@ -1024,6 +1125,9 @@ unsigned long do_mmap_pgoff(struct file
68731 - if (error)
68732 - return error;
68733 -
68734 -+ if (!gr_acl_handle_mmap(file, prot))
68735 -+ return -EACCES;
68736 -+
68737 - return mmap_region(file, addr, len, flags, vm_flags, pgoff,
68738 - accountable);
68739 - }
68740 -@@ -1037,10 +1141,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
68741 - */
68742 - int vma_wants_writenotify(struct vm_area_struct *vma)
68743 - {
68744 -- unsigned int vm_flags = vma->vm_flags;
68745 -+ unsigned long vm_flags = vma->vm_flags;
68746 -
68747 - /* If it was private or non-writable, the write bit is already clear */
68748 -- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68749 -+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68750 - return 0;
68751 -
68752 - /* The backer wishes to know when pages are first written to? */
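Review bot: changing `vm_flags` from unsigned int to unsigned long in vma_wants_writenotify is a real correctness fix (vma->vm_flags is unsigned long, so high bits were truncated) and the parenthesis cleanup is fine, but neither is grsecurity-specific; they would be easier to track and upstream as a separate patch.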
68753 -@@ -1049,8 +1153,7 @@ int vma_wants_writenotify(struct vm_area
68754 -
68755 - /* The open routine did something to the protections already? */
68756 - if (pgprot_val(vma->vm_page_prot) !=
68757 -- pgprot_val(protection_map[vm_flags &
68758 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]))
68759 -+ pgprot_val(vm_get_page_prot(vm_flags)))
68760 - return 0;
68761 -
68762 - /* Specialty mapping? */
68763 -@@ -1076,14 +1179,24 @@ unsigned long mmap_region(struct file *f
68764 - unsigned long charged = 0;
68765 - struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
68766 -
68767 -+#ifdef CONFIG_PAX_SEGMEXEC
68768 -+ struct vm_area_struct *vma_m = NULL;
68769 -+#endif
68770 -+
68771 -+ /*
68772 -+ * mm->mmap_sem is required to protect against another thread
68773 -+ * changing the mappings in case we sleep.
68774 -+ */
68775 -+ verify_mm_writelocked(mm);
68776 -+
68777 - /* Clear old maps */
68778 - error = -ENOMEM;
68779 --munmap_back:
68780 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68781 - if (vma && vma->vm_start < addr + len) {
68782 - if (do_munmap(mm, addr, len))
68783 - return -ENOMEM;
68784 -- goto munmap_back;
68785 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68786 -+ BUG_ON(vma && vma->vm_start < addr + len);
68787 - }
68788 -
68789 - /* Check against address space limit. */
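Review bot: replacing the `munmap_back` retry loop with a second find_vma_prepare and `BUG_ON(vma && vma->vm_start < addr + len)` turns a condition the old code tolerated into a kernel crash. The assumption that one do_munmap clears the whole range holds only because mmap_sem is held for write (which the added verify_mm_writelocked documents); if a crash is not acceptable on a violated assumption, prefer WARN_ON_ONCE plus `return -ENOMEM` so the mmap fails instead of the machine.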
68790 -@@ -1127,12 +1240,22 @@ munmap_back:
68791 - goto unacct_error;
68792 - }
68793 -
68794 -+#ifdef CONFIG_PAX_SEGMEXEC
68795 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68796 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68797 -+ if (!vma_m) {
68798 -+ kmem_cache_free(vm_area_cachep, vma);
68799 -+ error = -ENOMEM;
68800 -+ goto unacct_error;
68801 -+ }
68802 -+ }
68803 -+#endif
68804 -+
68805 - vma->vm_mm = mm;
68806 - vma->vm_start = addr;
68807 - vma->vm_end = addr + len;
68808 - vma->vm_flags = vm_flags;
68809 -- vma->vm_page_prot = protection_map[vm_flags &
68810 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
68811 -+ vma->vm_page_prot = vm_get_page_prot(vm_flags);
68812 - vma->vm_pgoff = pgoff;
68813 -
68814 - if (file) {
68815 -@@ -1150,6 +1273,14 @@ munmap_back:
68816 - error = file->f_op->mmap(file, vma);
68817 - if (error)
68818 - goto unmap_and_free_vma;
68819 -+
68820 -+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68821 -+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68822 -+ vma->vm_flags |= VM_PAGEEXEC;
68823 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68824 -+ }
68825 -+#endif
68826 -+
68827 - } else if (vm_flags & VM_SHARED) {
68828 - error = shmem_zero_setup(vma);
68829 - if (error)
68830 -@@ -1174,13 +1305,18 @@ munmap_back:
68831 - vm_flags = vma->vm_flags;
68832 -
68833 - if (vma_wants_writenotify(vma))
68834 -- vma->vm_page_prot =
68835 -- protection_map[vm_flags & (VM_READ|VM_WRITE|VM_EXEC)];
68836 -+ vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
68837 -
68838 - if (!file || !vma_merge(mm, prev, addr, vma->vm_end,
68839 - vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
68840 - file = vma->vm_file;
68841 - vma_link(mm, vma, prev, rb_link, rb_parent);
68842 -+
68843 -+#ifdef CONFIG_PAX_SEGMEXEC
68844 -+ if (vma_m)
68845 -+ pax_mirror_vma(vma_m, vma);
68846 -+#endif
68847 -+
68848 - if (correct_wcount)
68849 - atomic_inc(&inode->i_writecount);
68850 - } else {
68851 -@@ -1191,10 +1327,12 @@ munmap_back:
68852 - }
68853 - mpol_free(vma_policy(vma));
68854 - kmem_cache_free(vm_area_cachep, vma);
68855 -+ vma = NULL;
68856 - }
68857 - out:
68858 - mm->total_vm += len >> PAGE_SHIFT;
68859 - vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68860 -+ track_exec_limit(mm, addr, addr + len, vm_flags);
68861 - if (vm_flags & VM_LOCKED) {
68862 - mm->locked_vm += len >> PAGE_SHIFT;
68863 - make_pages_present(addr, addr + len);
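Review bot: in the else branch (vma_merge succeeded) the visible lines free vma and set it to NULL, but nothing releases the vma_m that mmap_region allocated earlier under CONFIG_PAX_SEGMEXEC when VM_EXEC is set; unless it is freed in lines outside this hunk, that leaks one vm_area_struct per merged executable mapping. Add `if (vma_m) kmem_cache_free(vm_area_cachep, vma_m);` next to the kmem_cache_free of vma.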
68864 -@@ -1213,6 +1351,12 @@ unmap_and_free_vma:
68865 - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68866 - charged = 0;
68867 - free_vma:
68868 -+
68869 -+#ifdef CONFIG_PAX_SEGMEXEC
68870 -+ if (vma_m)
68871 -+ kmem_cache_free(vm_area_cachep, vma_m);
68872 -+#endif
68873 -+
68874 - kmem_cache_free(vm_area_cachep, vma);
68875 - unacct_error:
68876 - if (charged)
68877 -@@ -1246,6 +1390,10 @@ arch_get_unmapped_area(struct file *filp
68878 - if (flags & MAP_FIXED)
68879 - return addr;
68880 -
68881 -+#ifdef CONFIG_PAX_RANDMMAP
68882 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68883 -+#endif
68884 -+
68885 - if (addr) {
68886 - addr = PAGE_ALIGN(addr);
68887 - vma = find_vma(mm, addr);
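Review bot: the `#ifdef CONFIG_PAX_RANDMMAP` block leaves a bare `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) {` statement after the blank line; this compiles but is fragile, since any statement inserted between them silently becomes the conditional body. Brace the whole `if (addr)` block under the RANDMMAP test, or fold the test into the condition with the ifdef around only the second operand.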
68888 -@@ -1254,10 +1402,10 @@ arch_get_unmapped_area(struct file *filp
68889 - return addr;
68890 - }
68891 - if (len > mm->cached_hole_size) {
68892 -- start_addr = addr = mm->free_area_cache;
68893 -+ start_addr = addr = mm->free_area_cache;
68894 - } else {
68895 -- start_addr = addr = TASK_UNMAPPED_BASE;
68896 -- mm->cached_hole_size = 0;
68897 -+ start_addr = addr = mm->mmap_base;
68898 -+ mm->cached_hole_size = 0;
68899 - }
68900 -
68901 - full_search:
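Review bot: the `start_addr = addr = mm->free_area_cache;` line is removed and re-added with identical content, so this is whitespace-only churn; drop it from the hunk so the real change (TASK_UNMAPPED_BASE replaced by mm->mmap_base) stands out.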
68902 -@@ -1268,9 +1416,8 @@ full_search:
68903 - * Start a new search - just in case we missed
68904 - * some holes.
68905 - */
68906 -- if (start_addr != TASK_UNMAPPED_BASE) {
68907 -- addr = TASK_UNMAPPED_BASE;
68908 -- start_addr = addr;
68909 -+ if (start_addr != mm->mmap_base) {
68910 -+ start_addr = addr = mm->mmap_base;
68911 - mm->cached_hole_size = 0;
68912 - goto full_search;
68913 - }
68914 -@@ -1292,10 +1439,16 @@ full_search:
68915 -
68916 - void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68917 - {
68918 -+
68919 -+#ifdef CONFIG_PAX_SEGMEXEC
68920 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68921 -+ return;
68922 -+#endif
68923 -+
68924 - /*
68925 - * Is this a new hole at the lowest possible address?
68926 - */
68927 -- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68928 -+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68929 - mm->free_area_cache = addr;
68930 - mm->cached_hole_size = ~0UL;
68931 - }
68932 -@@ -1313,7 +1466,7 @@ arch_get_unmapped_area_topdown(struct fi
68933 - {
68934 - struct vm_area_struct *vma;
68935 - struct mm_struct *mm = current->mm;
68936 -- unsigned long addr = addr0;
68937 -+ unsigned long base = mm->mmap_base, addr = addr0;
68938 -
68939 - /* requested length too big for entire address space */
68940 - if (len > TASK_SIZE)
68941 -@@ -1322,6 +1475,10 @@ arch_get_unmapped_area_topdown(struct fi
68942 - if (flags & MAP_FIXED)
68943 - return addr;
68944 -
68945 -+#ifdef CONFIG_PAX_RANDMMAP
68946 -+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68947 -+#endif
68948 -+
68949 - /* requesting a specific address */
68950 - if (addr) {
68951 - addr = PAGE_ALIGN(addr);
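Review bot: same dangling-`if` construction as in arch_get_unmapped_area: the RANDMMAP test governs the following `if (addr)` statement across a blank line and a comment; brace it or fold it into the condition for the same reason.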
68952 -@@ -1379,13 +1536,21 @@ bottomup:
68953 - * can happen with large stack limits and large mmap()
68954 - * allocations.
68955 - */
68956 -+ mm->mmap_base = TASK_UNMAPPED_BASE;
68957 -+
68958 -+#ifdef CONFIG_PAX_RANDMMAP
68959 -+ if (mm->pax_flags & MF_PAX_RANDMMAP)
68960 -+ mm->mmap_base += mm->delta_mmap;
68961 -+#endif
68962 -+
68963 -+ mm->free_area_cache = mm->mmap_base;
68964 - mm->cached_hole_size = ~0UL;
68965 -- mm->free_area_cache = TASK_UNMAPPED_BASE;
68966 - addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68967 - /*
68968 - * Restore the topdown base:
68969 - */
68970 -- mm->free_area_cache = mm->mmap_base;
68971 -+ mm->mmap_base = base;
68972 -+ mm->free_area_cache = base;
68973 - mm->cached_hole_size = ~0UL;
68974 -
68975 - return addr;
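Review bot: the bottom-up fallback temporarily rewrites mm->mmap_base (optionally plus mm->delta_mmap) before calling arch_get_unmapped_area and restores `base` afterwards; arch_unmap_area and arch_unmap_area_topdown compare against mm->mmap_base, so this is only safe because mmap_sem is held for write for the whole window. A comment at `mm->mmap_base = TASK_UNMAPPED_BASE;` stating that requirement would stop a future caller from reaching this path with only the read lock.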
68976 -@@ -1394,6 +1559,12 @@ bottomup:
68977 -
68978 - void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68979 - {
68980 -+
68981 -+#ifdef CONFIG_PAX_SEGMEXEC
68982 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68983 -+ return;
68984 -+#endif
68985 -+
68986 - /*
68987 - * Is this a new hole at the highest possible address?
68988 - */
68989 -@@ -1401,8 +1572,10 @@ void arch_unmap_area_topdown(struct mm_s
68990 - mm->free_area_cache = addr;
68991 -
68992 - /* dont allow allocations above current base */
68993 -- if (mm->free_area_cache > mm->mmap_base)
68994 -+ if (mm->free_area_cache > mm->mmap_base) {
68995 - mm->free_area_cache = mm->mmap_base;
68996 -+ mm->cached_hole_size = ~0UL;
68997 -+ }
68998 - }
68999 -
69000 - unsigned long
69001 -@@ -1502,6 +1675,32 @@ out:
69002 - return prev ? prev->vm_next : vma;
69003 - }
69004 -
69005 -+#ifdef CONFIG_PAX_SEGMEXEC
69006 -+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
69007 -+{
69008 -+ struct vm_area_struct *vma_m;
69009 -+
69010 -+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
69011 -+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
69012 -+ BUG_ON(vma->vm_mirror);
69013 -+ return NULL;
69014 -+ }
69015 -+ BUG_ON(vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1);
69016 -+ vma_m = vma->vm_mirror;
69017 -+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
69018 -+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
69019 -+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
69020 -+
69021 -+#ifdef CONFIG_PAX_MPROTECT
69022 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_MAYNOTWRITE));
69023 -+#else
69024 -+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
69025 -+#endif
69026 -+
69027 -+ return vma_m;
69028 -+}
69029 -+#endif
69030 -+
69031 - /*
69032 - * Verify that the stack growth is acceptable and
69033 - * update accounting. This is shared with both the
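Review bot: pax_find_mirror_vma enforces every mirror invariant with BUG_ON and is called from expand_downwards and split_vma, so one inconsistent mirror takes the whole machine down instead of failing the operation; consider WARN_ON plus returning NULL for the checks callers can tolerate. The test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < vma->vm_start - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around and is hard to read; a comment saying which address range it rejects would help.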
69034 -@@ -1518,6 +1717,7 @@ static int acct_stack_growth(struct vm_a
69035 - return -ENOMEM;
69036 -
69037 - /* Stack limit test */
69038 -+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
69039 - if (size > rlim[RLIMIT_STACK].rlim_cur)
69040 - return -ENOMEM;
69041 -
69042 -@@ -1527,6 +1727,7 @@ static int acct_stack_growth(struct vm_a
69043 - unsigned long limit;
69044 - locked = mm->locked_vm + grow;
69045 - limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
69046 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69047 - if (locked > limit && !capable(CAP_IPC_LOCK))
69048 - return -ENOMEM;
69049 - }
69050 -@@ -1562,35 +1763,40 @@ static inline
69051 - #endif
69052 - int expand_upwards(struct vm_area_struct *vma, unsigned long address)
69053 - {
69054 -- int error;
69055 -+ int error, locknext;
69056 -
69057 - if (!(vma->vm_flags & VM_GROWSUP))
69058 - return -EFAULT;
69059 -
69060 -+ /* Also guard against wrapping around to address 0. */
69061 -+ if (address < PAGE_ALIGN(address+1))
69062 -+ address = PAGE_ALIGN(address+1);
69063 -+ else
69064 -+ return -ENOMEM;
69065 -+
69066 - /*
69067 - * We must make sure the anon_vma is allocated
69068 - * so that the anon_vma locking is not a noop.
69069 - */
69070 - if (unlikely(anon_vma_prepare(vma)))
69071 - return -ENOMEM;
69072 -+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
69073 -+ if (locknext && unlikely(anon_vma_prepare(vma->vm_next)))
69074 -+ return -ENOMEM;
69075 - anon_vma_lock(vma);
69076 -+ if (locknext)
69077 -+ anon_vma_lock(vma->vm_next);
69078 -
69079 - /*
69080 - * vma->vm_start/vm_end cannot change under us because the caller
69081 - * is required to hold the mmap_sem in read mode. We need the
69082 -- * anon_vma lock to serialize against concurrent expand_stacks.
69083 -- * Also guard against wrapping around to address 0.
69084 -+ * anon_vma locks to serialize against concurrent expand_stacks
69085 -+ * and expand_upwards.
69086 - */
69087 -- if (address < PAGE_ALIGN(address+4))
69088 -- address = PAGE_ALIGN(address+4);
69089 -- else {
69090 -- anon_vma_unlock(vma);
69091 -- return -ENOMEM;
69092 -- }
69093 - error = 0;
69094 -
69095 - /* Somebody else might have raced and expanded it already */
69096 -- if (address > vma->vm_end) {
69097 -+ if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
69098 - unsigned long size, grow;
69099 -
69100 - size = address - vma->vm_start;
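Review bot: the wrap-around guard, now placed before anon_vma_prepare, uses `PAGE_ALIGN(address+1)` where the removed code used `PAGE_ALIGN(address+4)`, which changes which fault addresses near a page boundary are accepted; if the +4 was deliberate, the changelog should say why it is safe to drop. Lock ordering is consistent with expand_downwards (both take the lower-address vma's anon_vma first: vma then vm_next here, prev then vma there), and the added `vma->vm_next->vm_start >= address` test correctly stops the stack from growing into its neighbour.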
69101 -@@ -1600,6 +1806,8 @@ int expand_upwards(struct vm_area_struct
69102 - if (!error)
69103 - vma->vm_end = address;
69104 - }
69105 -+ if (locknext)
69106 -+ anon_vma_unlock(vma->vm_next);
69107 - anon_vma_unlock(vma);
69108 - return error;
69109 - }
69110 -@@ -1611,7 +1819,8 @@ int expand_upwards(struct vm_area_struct
69111 - static inline int expand_downwards(struct vm_area_struct *vma,
69112 - unsigned long address)
69113 - {
69114 -- int error;
69115 -+ int error, lockprev = 0;
69116 -+ struct vm_area_struct *prev = NULL;
69117 -
69118 - /*
69119 - * We must make sure the anon_vma is allocated
69120 -@@ -1625,6 +1834,15 @@ static inline int expand_downwards(struc
69121 - if (error)
69122 - return error;
69123 -
69124 -+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
69125 -+ find_vma_prev(address, &prev);
69126 -+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
69127 -+#endif
69128 -+ if (lockprev && unlikely(anon_vma_prepare(prev)))
69129 -+ return -ENOMEM;
69130 -+ if (lockprev)
69131 -+ anon_vma_lock(prev);
69132 -+
69133 - anon_vma_lock(vma);
69134 -
69135 - /*
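Review bot: `find_vma_prev(address, &prev);` in the CONFIG_STACK_GROWSUP/CONFIG_IA64 block is missing the mm argument; as declared in linux/mm.h the function is find_vma_prev(struct mm_struct *mm, unsigned long addr, struct vm_area_struct **pprev), so this will not compile on those configurations. It should read `find_vma_prev(vma->vm_mm, address, &prev);` (the return value can be ignored).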
69136 -@@ -1634,9 +1852,15 @@ static inline int expand_downwards(struc
69137 - */
69138 -
69139 - /* Somebody else might have raced and expanded it already */
69140 -- if (address < vma->vm_start) {
69141 -+ if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
69142 - unsigned long size, grow;
69143 -
69144 -+#ifdef CONFIG_PAX_SEGMEXEC
69145 -+ struct vm_area_struct *vma_m;
69146 -+
69147 -+ vma_m = pax_find_mirror_vma(vma);
69148 -+#endif
69149 -+
69150 - size = vma->vm_end - address;
69151 - grow = (vma->vm_start - address) >> PAGE_SHIFT;
69152 -
69153 -@@ -1644,9 +1868,20 @@ static inline int expand_downwards(struc
69154 - if (!error) {
69155 - vma->vm_start = address;
69156 - vma->vm_pgoff -= grow;
69157 -+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
69158 -+
69159 -+#ifdef CONFIG_PAX_SEGMEXEC
69160 -+ if (vma_m) {
69161 -+ vma_m->vm_start -= grow << PAGE_SHIFT;
69162 -+ vma_m->vm_pgoff -= grow;
69163 -+ }
69164 -+#endif
69165 -+
69166 - }
69167 - }
69168 - anon_vma_unlock(vma);
69169 -+ if (lockprev)
69170 -+ anon_vma_unlock(prev);
69171 - return error;
69172 - }
69173 -
69174 -@@ -1718,6 +1953,13 @@ static void remove_vma_list(struct mm_st
69175 - do {
69176 - long nrpages = vma_pages(vma);
69177 -
69178 -+#ifdef CONFIG_PAX_SEGMEXEC
69179 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
69180 -+ vma = remove_vma(vma);
69181 -+ continue;
69182 -+ }
69183 -+#endif
69184 -+
69185 - mm->total_vm -= nrpages;
69186 - if (vma->vm_flags & VM_LOCKED)
69187 - mm->locked_vm -= nrpages;
69188 -@@ -1764,6 +2006,16 @@ detach_vmas_to_be_unmapped(struct mm_str
69189 -
69190 - insertion_point = (prev ? &prev->vm_next : &mm->mmap);
69191 - do {
69192 -+
69193 -+#ifdef CONFIG_PAX_SEGMEXEC
69194 -+ if (vma->vm_mirror) {
69195 -+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
69196 -+ vma->vm_mirror->vm_mirror = NULL;
69197 -+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
69198 -+ vma->vm_mirror = NULL;
69199 -+ }
69200 -+#endif
69201 -+
69202 - rb_erase(&vma->vm_rb, &mm->mm_rb);
69203 - mm->map_count--;
69204 - tail_vma = vma;
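Review bot: when a vma with a mirror is detached, the surviving partner gets `vm_flags &= ~VM_EXEC` but its vm_page_prot is left untouched, so it briefly exists with inconsistent flags; this is presumably fine because do_munmap issues a second __do_munmap for the mirror half right afterwards, but a comment at that line stating the intent (so pax_find_mirror_vma returns NULL for the partner) would make it clear.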
69205 -@@ -1783,6 +2035,112 @@ detach_vmas_to_be_unmapped(struct mm_str
69206 - * Split a vma into two pieces at address 'addr', a new vma is allocated
69207 - * either for the first part or the tail.
69208 - */
69209 -+
69210 -+#ifdef CONFIG_PAX_SEGMEXEC
69211 -+int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
69212 -+ unsigned long addr, int new_below)
69213 -+{
69214 -+ struct mempolicy *pol, *pol_m;
69215 -+ struct vm_area_struct *new, *vma_m, *new_m = NULL;
69216 -+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
69217 -+
69218 -+ if (is_vm_hugetlb_page(vma) && (addr & ~HPAGE_MASK))
69219 -+ return -EINVAL;
69220 -+
69221 -+ vma_m = pax_find_mirror_vma(vma);
69222 -+ if (vma_m) {
69223 -+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
69224 -+ if (mm->map_count >= sysctl_max_map_count-1)
69225 -+ return -ENOMEM;
69226 -+ } else if (mm->map_count >= sysctl_max_map_count)
69227 -+ return -ENOMEM;
69228 -+
69229 -+ new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69230 -+ if (!new)
69231 -+ return -ENOMEM;
69232 -+
69233 -+ if (vma_m) {
69234 -+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69235 -+ if (!new_m) {
69236 -+ kmem_cache_free(vm_area_cachep, new);
69237 -+ return -ENOMEM;
69238 -+ }
69239 -+ }
69240 -+
69241 -+ /* most fields are the same, copy all, and then fixup */
69242 -+ *new = *vma;
69243 -+
69244 -+ if (new_below)
69245 -+ new->vm_end = addr;
69246 -+ else {
69247 -+ new->vm_start = addr;
69248 -+ new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
69249 -+ }
69250 -+
69251 -+ if (vma_m) {
69252 -+ *new_m = *vma_m;
69253 -+ new_m->vm_mirror = new;
69254 -+ new->vm_mirror = new_m;
69255 -+
69256 -+ if (new_below)
69257 -+ new_m->vm_end = addr_m;
69258 -+ else {
69259 -+ new_m->vm_start = addr_m;
69260 -+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
69261 -+ }
69262 -+ }
69263 -+
69264 -+ pol = mpol_copy(vma_policy(vma));
69265 -+ if (IS_ERR(pol)) {
69266 -+ if (new_m)
69267 -+ kmem_cache_free(vm_area_cachep, new_m);
69268 -+ kmem_cache_free(vm_area_cachep, new);
69269 -+ return PTR_ERR(pol);
69270 -+ }
69271 -+
69272 -+ if (vma_m) {
69273 -+ pol_m = mpol_copy(vma_policy(vma_m));
69274 -+ if (IS_ERR(pol_m)) {
69275 -+ mpol_free(pol);
69276 -+ kmem_cache_free(vm_area_cachep, new_m);
69277 -+ kmem_cache_free(vm_area_cachep, new);
69278 -+ return PTR_ERR(pol);
69279 -+ }
69280 -+ }
69281 -+
69282 -+ vma_set_policy(new, pol);
69283 -+
69284 -+ if (new->vm_file)
69285 -+ get_file(new->vm_file);
69286 -+
69287 -+ if (new->vm_ops && new->vm_ops->open)
69288 -+ new->vm_ops->open(new);
69289 -+
69290 -+ if (new_below)
69291 -+ vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
69292 -+ ((addr - new->vm_start) >> PAGE_SHIFT), new);
69293 -+ else
69294 -+ vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
69295 -+
69296 -+ if (vma_m) {
69297 -+ vma_set_policy(new_m, pol_m);
69298 -+
69299 -+ if (new_m->vm_file)
69300 -+ get_file(new_m->vm_file);
69301 -+
69302 -+ if (new_m->vm_ops && new_m->vm_ops->open)
69303 -+ new_m->vm_ops->open(new_m);
69304 -+
69305 -+ if (new_below)
69306 -+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
69307 -+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
69308 -+ else
69309 -+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
69310 -+ }
69311 -+
69312 -+ return 0;
69313 -+}
69314 -+#else
69315 - int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
69316 - unsigned long addr, int new_below)
69317 - {
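Review bot: in the SEGMEXEC split_vma, the `if (IS_ERR(pol_m))` error path returns `PTR_ERR(pol)`, but pol is a valid pointer at that point (it already passed its own IS_ERR check), so the caller receives a bogus non-error value after the new vmas were freed; this must be `return PTR_ERR(pol_m);`. Separately, the function duplicates the non-SEGMEXEC split_vma with mirror steps interleaved; folding the mirror handling into the single function under `#ifdef` blocks, as mmap_region does, would keep the two from drifting apart.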
69318 -@@ -1830,17 +2188,37 @@ int split_vma(struct mm_struct * mm, str
69319 -
69320 - return 0;
69321 - }
69322 -+#endif
69323 -
69324 - /* Munmap is split into 2 main parts -- this part which finds
69325 - * what needs doing, and the areas themselves, which do the
69326 - * work. This now handles partial unmappings.
69327 - * Jeremy Fitzhardinge <jeremy@××××.org>
69328 - */
69329 -+#ifdef CONFIG_PAX_SEGMEXEC
69330 - int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69331 - {
69332 -+ int ret = __do_munmap(mm, start, len);
69333 -+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
69334 -+ return ret;
69335 -+
69336 -+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
69337 -+}
69338 -+
69339 -+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69340 -+#else
69341 -+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69342 -+#endif
69343 -+{
69344 - unsigned long end;
69345 - struct vm_area_struct *vma, *prev, *last;
69346 -
69347 -+ /*
69348 -+ * mm->mmap_sem is required to protect against another thread
69349 -+ * changing the mappings in case we sleep.
69350 -+ */
69351 -+ verify_mm_writelocked(mm);
69352 -+
69353 - if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
69354 - return -EINVAL;
69355 -
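Review bot: do_munmap now calls __do_munmap a second time for the mirror range, so if the second call fails the lower half is already gone and the caller sees an error for a half-completed unmap; the sys_munmap hunk below rejects ranges crossing SEGMEXEC_TASK_SIZE, but the other do_munmap callers in this file (mmap_region, do_brk) get no such check. Also, __do_munmap is used in do_munmap before its definition, so confirm a prototype exists in a header or add one above do_munmap.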
69356 -@@ -1890,6 +2268,8 @@ int do_munmap(struct mm_struct *mm, unsi
69357 - /* Fix up all other VM information */
69358 - remove_vma_list(mm, vma);
69359 -
69360 -+ track_exec_limit(mm, start, end, 0UL);
69361 -+
69362 - return 0;
69363 - }
69364 -
69365 -@@ -1902,22 +2282,18 @@ asmlinkage long sys_munmap(unsigned long
69366 -
69367 - profile_munmap(addr);
69368 -
69369 -+#ifdef CONFIG_PAX_SEGMEXEC
69370 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69371 -+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69372 -+ return -EINVAL;
69373 -+#endif
69374 -+
69375 - down_write(&mm->mmap_sem);
69376 - ret = do_munmap(mm, addr, len);
69377 - up_write(&mm->mmap_sem);
69378 - return ret;
69379 - }
69380 -
69381 --static inline void verify_mm_writelocked(struct mm_struct *mm)
69382 --{
69383 --#ifdef CONFIG_DEBUG_VM
69384 -- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69385 -- WARN_ON(1);
69386 -- up_read(&mm->mmap_sem);
69387 -- }
69388 --#endif
69389 --}
69390 --
69391 - /*
69392 - * this is really a simplified "do_mmap". it only handles
69393 - * anonymous maps. eventually we may be able to do some
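Review bot: the SEGMEXEC range check reads mm->pax_flags before taking mmap_sem, which is fine only if pax_flags is fixed after exec; a comment would make that explicit. Removing the static verify_mm_writelocked here is consistent with the earlier hunks that call it from mmap_region and __do_munmap, but that means its definition must now appear above those callers; confirm the moved definition in the part of the patch not shown here.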
69394 -@@ -1931,6 +2307,11 @@ unsigned long do_brk(unsigned long addr,
69395 - struct rb_node ** rb_link, * rb_parent;
69396 - pgoff_t pgoff = addr >> PAGE_SHIFT;
69397 - int error;
69398 -+ unsigned long charged;
69399 -+
69400 -+#ifdef CONFIG_PAX_SEGMEXEC
69401 -+ struct vm_area_struct *vma_m = NULL;
69402 -+#endif
69403 -
69404 - len = PAGE_ALIGN(len);
69405 - if (!len)
69406 -@@ -1948,19 +2329,34 @@ unsigned long do_brk(unsigned long addr,
69407 -
69408 - flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69409 -
69410 -+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69411 -+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69412 -+ flags &= ~VM_EXEC;
69413 -+
69414 -+#ifdef CONFIG_PAX_MPROTECT
69415 -+ if (mm->pax_flags & MF_PAX_MPROTECT)
69416 -+ flags &= ~VM_MAYEXEC;
69417 -+#endif
69418 -+
69419 -+ }
69420 -+#endif
69421 -+
69422 - error = arch_mmap_check(addr, len, flags);
69423 - if (error)
69424 - return error;
69425 -
69426 -+ charged = len >> PAGE_SHIFT;
69427 -+
69428 - /*
69429 - * mlock MCL_FUTURE?
69430 - */
69431 - if (mm->def_flags & VM_LOCKED) {
69432 - unsigned long locked, lock_limit;
69433 -- locked = len >> PAGE_SHIFT;
69434 -+ locked = charged;
69435 - locked += mm->locked_vm;
69436 - lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
69437 - lock_limit >>= PAGE_SHIFT;
69438 -+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69439 - if (locked > lock_limit && !capable(CAP_IPC_LOCK))
69440 - return -EAGAIN;
69441 - }
69442 -@@ -1974,22 +2370,22 @@ unsigned long do_brk(unsigned long addr,
69443 - /*
69444 - * Clear old maps. this also does some error checking for us
69445 - */
69446 -- munmap_back:
69447 - vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69448 - if (vma && vma->vm_start < addr + len) {
69449 - if (do_munmap(mm, addr, len))
69450 - return -ENOMEM;
69451 -- goto munmap_back;
69452 -+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69453 -+ BUG_ON(vma && vma->vm_start < addr + len);
69454 - }
69455 -
69456 - /* Check against address space limits *after* clearing old maps... */
69457 -- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69458 -+ if (!may_expand_vm(mm, charged))
69459 - return -ENOMEM;
69460 -
69461 - if (mm->map_count > sysctl_max_map_count)
69462 - return -ENOMEM;
69463 -
69464 -- if (security_vm_enough_memory(len >> PAGE_SHIFT))
69465 -+ if (security_vm_enough_memory(charged))
69466 - return -ENOMEM;
69467 -
69468 - /* Can we just expand an old private anonymous mapping? */
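Review bot: same `munmap_back` to `BUG_ON(vma && vma->vm_start < addr + len)` change as in mmap_region, and the same remark applies: a failed brk is preferable to a crash, so prefer WARN_ON_ONCE and `return -ENOMEM` unless the invariant is guaranteed. The `charged` refactor itself is fine and removes repeated `len >> PAGE_SHIFT` arithmetic.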
69469 -@@ -2002,24 +2398,41 @@ unsigned long do_brk(unsigned long addr,
69470 - */
69471 - vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69472 - if (!vma) {
69473 -- vm_unacct_memory(len >> PAGE_SHIFT);
69474 -+ vm_unacct_memory(charged);
69475 - return -ENOMEM;
69476 - }
69477 -
69478 -+#ifdef CONFIG_PAX_SEGMEXEC
69479 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (flags & VM_EXEC)) {
69480 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69481 -+ if (!vma_m) {
69482 -+ kmem_cache_free(vm_area_cachep, vma);
69483 -+ vm_unacct_memory(charged);
69484 -+ return -ENOMEM;
69485 -+ }
69486 -+ }
69487 -+#endif
69488 -+
69489 - vma->vm_mm = mm;
69490 - vma->vm_start = addr;
69491 - vma->vm_end = addr + len;
69492 - vma->vm_pgoff = pgoff;
69493 - vma->vm_flags = flags;
69494 -- vma->vm_page_prot = protection_map[flags &
69495 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
69496 -+ vma->vm_page_prot = vm_get_page_prot(flags);
69497 - vma_link(mm, vma, prev, rb_link, rb_parent);
69498 -+
69499 -+#ifdef CONFIG_PAX_SEGMEXEC
69500 -+ if (vma_m)
69501 -+ pax_mirror_vma(vma_m, vma);
69502 -+#endif
69503 -+
69504 - out:
69505 -- mm->total_vm += len >> PAGE_SHIFT;
69506 -+ mm->total_vm += charged;
69507 - if (flags & VM_LOCKED) {
69508 -- mm->locked_vm += len >> PAGE_SHIFT;
69509 -+ mm->locked_vm += charged;
69510 - make_pages_present(addr, addr + len);
69511 - }
69512 -+ track_exec_limit(mm, addr, addr + len, flags);
69513 - return addr;
69514 - }
69515 -
69516 -@@ -2050,8 +2463,10 @@ void exit_mmap(struct mm_struct *mm)
69517 - * Walk the list again, actually closing and freeing it,
69518 - * with preemption enabled, without holding any MM locks.
69519 - */
69520 -- while (vma)
69521 -+ while (vma) {
69522 -+ vma->vm_mirror = NULL;
69523 - vma = remove_vma(vma);
69524 -+ }
69525 -
69526 - BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69527 - }
69528 -@@ -2065,6 +2480,10 @@ int insert_vm_struct(struct mm_struct *
69529 - struct vm_area_struct * __vma, * prev;
69530 - struct rb_node ** rb_link, * rb_parent;
69531 -
69532 -+#ifdef CONFIG_PAX_SEGMEXEC
69533 -+ struct vm_area_struct *vma_m = NULL;
69534 -+#endif
69535 -+
69536 - /*
69537 - * The vm_pgoff of a purely anonymous vma should be irrelevant
69538 - * until its first write fault, when page's anon_vma and index
69539 -@@ -2087,7 +2506,22 @@ int insert_vm_struct(struct mm_struct *
69540 - if ((vma->vm_flags & VM_ACCOUNT) &&
69541 - security_vm_enough_memory_mm(mm, vma_pages(vma)))
69542 - return -ENOMEM;
69543 -+
69544 -+#ifdef CONFIG_PAX_SEGMEXEC
69545 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69546 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69547 -+ if (!vma_m)
69548 -+ return -ENOMEM;
69549 -+ }
69550 -+#endif
69551 -+
69552 - vma_link(mm, vma, prev, rb_link, rb_parent);
69553 -+
69554 -+#ifdef CONFIG_PAX_SEGMEXEC
69555 -+ if (vma_m)
69556 -+ pax_mirror_vma(vma_m, vma);
69557 -+#endif
69558 -+
69559 - return 0;
69560 - }
69561 -
69562 -@@ -2145,6 +2579,30 @@ struct vm_area_struct *copy_vma(struct v
69563 - return new_vma;
69564 - }
69565 -
69566 -+#ifdef CONFIG_PAX_SEGMEXEC
69567 -+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69568 -+{
69569 -+ struct vm_area_struct *prev_m;
69570 -+ struct rb_node **rb_link_m, *rb_parent_m;
69571 -+
69572 -+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69573 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
69574 -+ *vma_m = *vma;
69575 -+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69576 -+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69577 -+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69578 -+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69579 -+ if (vma_m->vm_file)
69580 -+ get_file(vma_m->vm_file);
69581 -+ if (vma_m->vm_ops && vma_m->vm_ops->open)
69582 -+ vma_m->vm_ops->open(vma_m);
69583 -+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69584 -+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69585 -+ vma_m->vm_mirror = vma;
69586 -+ vma->vm_mirror = vma_m;
69587 -+}
69588 -+#endif
69589 -+
69590 - /*
69591 - * Return true if the calling process may expand its vm space by the passed
69592 - * number of pages
69593 -@@ -2155,7 +2613,7 @@ int may_expand_vm(struct mm_struct *mm,
69594 - unsigned long lim;
69595 -
69596 - lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
69597 --
69598 -+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69599 - if (cur + npages > lim)
69600 - return 0;
69601 - return 1;
69602 -@@ -2167,7 +2625,7 @@ static struct page *special_mapping_nopa
69603 - {
69604 - struct page **pages;
69605 -
69606 -- BUG_ON(address < vma->vm_start || address >= vma->vm_end);
69607 -+ BUG_ON(address < vma->vm_start || address >= vma->vm_end || (address & ~PAGE_MASK));
69608 -
69609 - address -= vma->vm_start;
69610 - for (pages = vma->vm_private_data; address > 0 && *pages; ++pages)
69611 -@@ -2217,8 +2675,17 @@ int install_special_mapping(struct mm_st
69612 - vma->vm_start = addr;
69613 - vma->vm_end = addr + len;
69614 -
69615 -+#ifdef CONFIG_PAX_MPROTECT
69616 -+ if (mm->pax_flags & MF_PAX_MPROTECT) {
69617 -+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69618 -+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69619 -+ else
69620 -+ vm_flags &= ~(VM_WRITE | VM_MAYWRITE);
69621 -+ }
69622 -+#endif
69623 -+
69624 - vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69625 -- vma->vm_page_prot = protection_map[vma->vm_flags & 7];
69626 -+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69627 -
69628 - vma->vm_ops = &special_mapping_vmops;
69629 - vma->vm_private_data = pages;
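Review bot: the CONFIG_PAX_MPROTECT block in install_special_mapping() needs a comment. A caller asking for VM_WRITE | VM_EXEC silently gets a non-executable mapping (`vm_flags &= ~(VM_EXEC | VM_MAYEXEC);`) instead of an error, and the same branch also strips VM_MAYEXEC from a mapping that requested neither write nor exec, so it can never later be made executable. Stating that this is the intended W^X policy keeps a reader from taking the `!= VM_EXEC` test for an off-by-one in the mask.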
69630 -diff -Nurp linux-2.6.23.15/mm/mprotect.c linux-2.6.23.15-grsec/mm/mprotect.c
69631 ---- linux-2.6.23.15/mm/mprotect.c 2007-10-09 21:31:38.000000000 +0100
69632 -+++ linux-2.6.23.15-grsec/mm/mprotect.c 2008-02-11 10:37:45.000000000 +0000
69633 -@@ -21,10 +21,17 @@
69634 - #include <linux/syscalls.h>
69635 - #include <linux/swap.h>
69636 - #include <linux/swapops.h>
69637 -+#include <linux/grsecurity.h>
69638 -+
69639 -+#ifdef CONFIG_PAX_MPROTECT
69640 -+#include <linux/elf.h>
69641 -+#endif
69642 -+
69643 - #include <asm/uaccess.h>
69644 - #include <asm/pgtable.h>
69645 - #include <asm/cacheflush.h>
69646 - #include <asm/tlbflush.h>
69647 -+#include <asm/mmu_context.h>
69648 -
69649 - static void change_pte_range(struct mm_struct *mm, pmd_t *pmd,
69650 - unsigned long addr, unsigned long end, pgprot_t newprot,
69651 -@@ -128,6 +135,48 @@ static void change_protection(struct vm_
69652 - flush_tlb_range(vma, start, end);
69653 - }
69654 -
69655 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69656 -+/* called while holding the mmap semaphor for writing except stack expansion */
69657 -+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69658 -+{
69659 -+ unsigned long oldlimit, newlimit = 0UL;
69660 -+
69661 -+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
69662 -+ return;
69663 -+
69664 -+ spin_lock(&mm->page_table_lock);
69665 -+ oldlimit = mm->context.user_cs_limit;
69666 -+ if ((prot & VM_EXEC) && oldlimit < end)
69667 -+ /* USER_CS limit moved up */
69668 -+ newlimit = end;
69669 -+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69670 -+ /* USER_CS limit moved down */
69671 -+ newlimit = start;
69672 -+
69673 -+ if (newlimit) {
69674 -+ mm->context.user_cs_limit = newlimit;
69675 -+
69676 -+#ifdef CONFIG_SMP
69677 -+ wmb();
69678 -+ cpus_clear(mm->context.cpu_user_cs_mask);
69679 -+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69680 -+#endif
69681 -+
69682 -+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69683 -+ }
69684 -+ spin_unlock(&mm->page_table_lock);
69685 -+ if (newlimit == end) {
69686 -+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
69687 -+
69688 -+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
69689 -+ if (is_vm_hugetlb_page(vma))
69690 -+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69691 -+ else
69692 -+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69693 -+ }
69694 -+}
69695 -+#endif
69696 -+
69697 - int
69698 - mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69699 - unsigned long start, unsigned long end, unsigned long newflags)
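Review bot: the loop that runs after spin_unlock() in track_exec_limit() is unexplained. Add a comment that when the limit moves up to `end`, every VMA between the old limit and `end` is re-walked with change_protection() (or hugetlb_change_protection()) so its page protections are re-applied now that those pages fall below the segment limit. Also, "semaphor" in the header comment should read "semaphore".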
69700 -@@ -140,11 +189,39 @@ mprotect_fixup(struct vm_area_struct *vm
69701 - int error;
69702 - int dirty_accountable = 0;
69703 -
69704 -+#ifdef CONFIG_PAX_SEGMEXEC
69705 -+ struct vm_area_struct *vma_m = NULL;
69706 -+ unsigned long start_m, end_m;
69707 -+
69708 -+ start_m = start + SEGMEXEC_TASK_SIZE;
69709 -+ end_m = end + SEGMEXEC_TASK_SIZE;
69710 -+#endif
69711 -+
69712 - if (newflags == oldflags) {
69713 - *pprev = vma;
69714 - return 0;
69715 - }
69716 -
69717 -+#ifdef CONFIG_PAX_SEGMEXEC
69718 -+ if (pax_find_mirror_vma(vma) && !(newflags & VM_EXEC)) {
69719 -+ if (start != vma->vm_start) {
69720 -+ error = split_vma(mm, vma, start, 1);
69721 -+ if (error)
69722 -+ return -ENOMEM;
69723 -+ }
69724 -+
69725 -+ if (end != vma->vm_end) {
69726 -+ error = split_vma(mm, vma, end, 0);
69727 -+ if (error)
69728 -+ return -ENOMEM;
69729 -+ }
69730 -+
69731 -+ error = __do_munmap(mm, start_m, end_m - start_m);
69732 -+ if (error)
69733 -+ return -ENOMEM;
69734 -+ }
69735 -+#endif
69736 -+
69737 - /*
69738 - * If we make a private mapping writable we increase our commit;
69739 - * but (without finer accounting) cannot reduce our commit if we
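Review bot: error codes are collapsed in the SEGMEXEC block of mprotect_fixup(): both split_vma() failures and the __do_munmap() failure return a hard-coded -ENOMEM even though `error` already holds the real value, and __do_munmap() can also return -EINVAL. Suggest `return error;` in all three places.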
69740 -@@ -187,17 +264,25 @@ mprotect_fixup(struct vm_area_struct *vm
69741 - goto fail;
69742 - }
69743 -
69744 -+#ifdef CONFIG_PAX_SEGMEXEC
69745 -+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
69746 -+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69747 -+ if (!vma_m) {
69748 -+ error = -ENOMEM;
69749 -+ goto fail;
69750 -+ }
69751 -+ }
69752 -+#endif
69753 -+
69754 - success:
69755 - /*
69756 - * vm_flags and vm_page_prot are protected by the mmap_sem
69757 - * held in write mode.
69758 - */
69759 - vma->vm_flags = newflags;
69760 -- vma->vm_page_prot = protection_map[newflags &
69761 -- (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
69762 -+ vma->vm_page_prot = vm_get_page_prot(newflags);
69763 - if (vma_wants_writenotify(vma)) {
69764 -- vma->vm_page_prot = protection_map[newflags &
69765 -- (VM_READ|VM_WRITE|VM_EXEC)];
69766 -+ vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
69767 - dirty_accountable = 1;
69768 - }
69769 -
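Review bot: the vma_m allocation sits only on the fall-through path into `success:`; the label exists because an earlier part of mprotect_fixup() jumps to it directly, and such a jump would reach the later pax_mirror_vma() call with vma_m == NULL, leaving a VMA that just gained VM_EXEC without a mirror. Please confirm that path cannot apply to a SEGMEXEC mm, or move the allocation above it. The protection_map[] to vm_get_page_prot() conversion in the same hunk is an unrelated cleanup and would be easier to review as its own patch.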
69770 -@@ -205,6 +290,12 @@ success:
69771 - hugetlb_change_protection(vma, start, end, vma->vm_page_prot);
69772 - else
69773 - change_protection(vma, start, end, vma->vm_page_prot, dirty_accountable);
69774 -+
69775 -+#ifdef CONFIG_PAX_SEGMEXEC
69776 -+ if (vma_m)
69777 -+ pax_mirror_vma(vma_m, vma);
69778 -+#endif
69779 -+
69780 - vm_stat_account(mm, oldflags, vma->vm_file, -nrpages);
69781 - vm_stat_account(mm, newflags, vma->vm_file, nrpages);
69782 - return 0;
69783 -@@ -214,6 +305,70 @@ fail:
69784 - return error;
69785 - }
69786 -
69787 -+#ifdef CONFIG_PAX_MPROTECT
69788 -+/* PaX: non-PIC ELF libraries need relocations on their executable segments
69789 -+ * therefore we'll grant them VM_MAYWRITE once during their life.
69790 -+ *
69791 -+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
69792 -+ * basis because we want to allow the common case and not the special ones.
69793 -+ */
69794 -+static inline void pax_handle_maywrite(struct vm_area_struct *vma, unsigned long start)
69795 -+{
69796 -+ struct elfhdr elf_h;
69797 -+ struct elf_phdr elf_p;
69798 -+ elf_addr_t dyn_offset = 0UL;
69799 -+ elf_dyn dyn;
69800 -+ unsigned long i, j = 65536UL / sizeof(struct elf_phdr);
69801 -+
69802 -+#ifndef CONFIG_PAX_NOELFRELOCS
69803 -+ if ((vma->vm_start != start) ||
69804 -+ !vma->vm_file ||
69805 -+ !(vma->vm_flags & VM_MAYEXEC) ||
69806 -+ (vma->vm_flags & VM_MAYNOTWRITE))
69807 -+#endif
69808 -+
69809 -+ return;
69810 -+
69811 -+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
69812 -+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
69813 -+
69814 -+#ifdef CONFIG_PAX_ETEXECRELOCS
69815 -+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) ||
69816 -+#else
69817 -+ elf_h.e_type != ET_DYN ||
69818 -+#endif
69819 -+
69820 -+ !elf_check_arch(&elf_h) ||
69821 -+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
69822 -+ elf_h.e_phnum > j)
69823 -+ return;
69824 -+
69825 -+ for (i = 0UL; i < elf_h.e_phnum; i++) {
69826 -+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
69827 -+ return;
69828 -+ if (elf_p.p_type == PT_DYNAMIC) {
69829 -+ dyn_offset = elf_p.p_offset;
69830 -+ j = i;
69831 -+ }
69832 -+ }
69833 -+ if (elf_h.e_phnum <= j)
69834 -+ return;
69835 -+
69836 -+ i = 0UL;
69837 -+ do {
69838 -+ if (sizeof(dyn) != kernel_read(vma->vm_file, dyn_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
69839 -+ return;
69840 -+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
69841 -+ vma->vm_flags |= VM_MAYWRITE | VM_MAYNOTWRITE;
69842 -+ gr_log_textrel(vma);
69843 -+ return;
69844 -+ }
69845 -+ i++;
69846 -+ } while (dyn.d_tag != DT_NULL);
69847 -+ return;
69848 -+}
69849 -+#endif
69850 -+
69851 - asmlinkage long
69852 - sys_mprotect(unsigned long start, size_t len, unsigned long prot)
69853 - {
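Review bot: the `#ifndef CONFIG_PAX_NOELFRELOCS` in pax_handle_maywrite() brackets only the `if` condition, so when the option is set the bare `return;` becomes unconditional. That is the intended "never grant text relocations" behaviour, but it reads like a stray statement; either put the whole body under the #ifdef or add a comment. The variable `j` also does double duty: first as the 65536 / sizeof(struct elf_phdr) bound on e_phnum, then as the index of the PT_DYNAMIC header, with `elf_h.e_phnum <= j` meaning "no PT_DYNAMIC found". A separate `dyn_idx` with a comment would make the control flow obvious.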
69854 -@@ -233,6 +388,17 @@ sys_mprotect(unsigned long start, size_t
69855 - end = start + len;
69856 - if (end <= start)
69857 - return -ENOMEM;
69858 -+
69859 -+#ifdef CONFIG_PAX_SEGMEXEC
69860 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69861 -+ if (end > SEGMEXEC_TASK_SIZE)
69862 -+ return -EINVAL;
69863 -+ } else
69864 -+#endif
69865 -+
69866 -+ if (end > TASK_SIZE)
69867 -+ return -EINVAL;
69868 -+
69869 - if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM))
69870 - return -EINVAL;
69871 -
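Review bot: the SEGMEXEC block in sys_mprotect() ends with a dangling `} else` whose body is the `if (end > TASK_SIZE)` that follows the `#endif`. It is correct today, but any statement inserted between them silently changes the meaning. Suggest computing a `task_size` local as do_mremap() does elsewhere in this patch and keeping a single `if (end > task_size)`.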
69872 -@@ -240,7 +406,7 @@ sys_mprotect(unsigned long start, size_t
69873 - /*
69874 - * Does the application expect PROT_READ to imply PROT_EXEC:
69875 - */
69876 -- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69877 -+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69878 - prot |= PROT_EXEC;
69879 -
69880 - vm_flags = calc_vm_prot_bits(prot);
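Review bot: widening READ_IMPLIES_EXEC from PROT_READ to PROT_READ | PROT_WRITE changes sys_mprotect() semantics for write-only requests under that personality, and nothing in the patch explains why. Add a comment with the rationale so the change is not mistaken for a typo.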
69881 -@@ -272,6 +438,16 @@ sys_mprotect(unsigned long start, size_t
69882 - if (start > vma->vm_start)
69883 - prev = vma;
69884 -
69885 -+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69886 -+ error = -EACCES;
69887 -+ goto out;
69888 -+ }
69889 -+
69890 -+#ifdef CONFIG_PAX_MPROTECT
69891 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && (prot & PROT_WRITE))
69892 -+ pax_handle_maywrite(vma, start);
69893 -+#endif
69894 -+
69895 - for (nstart = start ; ; ) {
69896 - unsigned long newflags;
69897 -
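Review bot: gr_acl_handle_mprotect(vma->vm_file, prot) is evaluated once on the first VMA, before the `for (nstart = start ; ; )` loop, so an mprotect() range spanning several VMAs is ACL-checked only against the first one's file; later VMAs in the loop, which may be backed by different files, get no check. The call belongs inside the loop next to security_file_mprotect(). The pax_handle_maywrite() call is fine where it is, since that function requires vma->vm_start == start.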
69898 -@@ -285,6 +461,12 @@ sys_mprotect(unsigned long start, size_t
69899 - goto out;
69900 - }
69901 -
69902 -+#ifdef CONFIG_PAX_MPROTECT
69903 -+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
69904 -+ if ((vma->vm_mm->pax_flags & MF_PAX_MPROTECT) && !(prot & PROT_WRITE) && (vma->vm_flags & VM_MAYNOTWRITE))
69905 -+ newflags &= ~VM_MAYWRITE;
69906 -+#endif
69907 -+
69908 - error = security_file_mprotect(vma, reqprot, prot);
69909 - if (error)
69910 - goto out;
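Review bot: "noone" in the PaX comment should be "no one"; otherwise the per-VMA VM_MAYWRITE revocation reads correctly.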
69911 -@@ -295,6 +477,9 @@ sys_mprotect(unsigned long start, size_t
69912 - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69913 - if (error)
69914 - goto out;
69915 -+
69916 -+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
69917 -+
69918 - nstart = tmp;
69919 -
69920 - if (nstart < prev->vm_end)
69921 -diff -Nurp linux-2.6.23.15/mm/mremap.c linux-2.6.23.15-grsec/mm/mremap.c
69922 ---- linux-2.6.23.15/mm/mremap.c 2007-10-09 21:31:38.000000000 +0100
69923 -+++ linux-2.6.23.15-grsec/mm/mremap.c 2008-02-11 10:37:45.000000000 +0000
69924 -@@ -106,6 +106,12 @@ static void move_ptes(struct vm_area_str
69925 - continue;
69926 - pte = ptep_clear_flush(vma, old_addr, old_pte);
69927 - pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69928 -+
69929 -+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69930 -+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69931 -+ pte = pte_exprotect(pte);
69932 -+#endif
69933 -+
69934 - set_pte_at(mm, new_addr, new_pte, pte);
69935 - }
69936 -
69937 -@@ -254,6 +260,7 @@ unsigned long do_mremap(unsigned long ad
69938 - struct vm_area_struct *vma;
69939 - unsigned long ret = -EINVAL;
69940 - unsigned long charged = 0;
69941 -+ unsigned long task_size = TASK_SIZE;
69942 -
69943 - if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69944 - goto out;
69945 -@@ -272,6 +279,15 @@ unsigned long do_mremap(unsigned long ad
69946 - if (!new_len)
69947 - goto out;
69948 -
69949 -+#ifdef CONFIG_PAX_SEGMEXEC
69950 -+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
69951 -+ task_size = SEGMEXEC_TASK_SIZE;
69952 -+#endif
69953 -+
69954 -+ if (new_len > task_size || addr > task_size-new_len ||
69955 -+ old_len > task_size || addr > task_size-old_len)
69956 -+ goto out;
69957 -+
69958 - /* new_addr is only valid if MREMAP_FIXED is specified */
69959 - if (flags & MREMAP_FIXED) {
69960 - if (new_addr & ~PAGE_MASK)
69961 -@@ -279,16 +295,13 @@ unsigned long do_mremap(unsigned long ad
69962 - if (!(flags & MREMAP_MAYMOVE))
69963 - goto out;
69964 -
69965 -- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69966 -+ if (new_addr > task_size - new_len)
69967 - goto out;
69968 -
69969 - /* Check if the location we're moving into overlaps the
69970 - * old location at all, and fail if it does.
69971 - */
69972 -- if ((new_addr <= addr) && (new_addr+new_len) > addr)
69973 -- goto out;
69974 --
69975 -- if ((addr <= new_addr) && (addr+old_len) > new_addr)
69976 -+ if (addr + old_len > new_addr && new_addr + new_len > addr)
69977 - goto out;
69978 -
69979 - ret = security_file_mmap(0, 0, 0, 0, new_addr, 1);
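Review bot: the one-line overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is equivalent to the two tests it replaces only because the range checks added earlier in this function bound both `addr + old_len` and `new_addr + new_len` by task_size, ruling out wraparound. Worth a comment, since on its own the new form looks weaker than the old pair.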
69980 -@@ -326,6 +339,14 @@ unsigned long do_mremap(unsigned long ad
69981 - ret = -EINVAL;
69982 - goto out;
69983 - }
69984 -+
69985 -+#ifdef CONFIG_PAX_SEGMEXEC
69986 -+ if (pax_find_mirror_vma(vma)) {
69987 -+ ret = -EINVAL;
69988 -+ goto out;
69989 -+ }
69990 -+#endif
69991 -+
69992 - /* We can't remap across vm area boundaries */
69993 - if (old_len > vma->vm_end - addr)
69994 - goto out;
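Review bot: the pax_find_mirror_vma() rejection returns -EINVAL with no comment; state why mremap() of an executable SEGMEXEC mapping is refused so a reader does not conclude the mirror case was simply left unimplemented.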
69995 -@@ -359,7 +380,7 @@ unsigned long do_mremap(unsigned long ad
69996 - if (old_len == vma->vm_end - addr &&
69997 - !((flags & MREMAP_FIXED) && (addr != new_addr)) &&
69998 - (old_len != new_len || !(flags & MREMAP_MAYMOVE))) {
69999 -- unsigned long max_addr = TASK_SIZE;
70000 -+ unsigned long max_addr = task_size;
70001 - if (vma->vm_next)
70002 - max_addr = vma->vm_next->vm_start;
70003 - /* can we just expand the current mapping? */
70004 -@@ -377,6 +398,7 @@ unsigned long do_mremap(unsigned long ad
70005 - addr + new_len);
70006 - }
70007 - ret = addr;
70008 -+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
70009 - goto out;
70010 - }
70011 - }
70012 -@@ -387,8 +409,8 @@ unsigned long do_mremap(unsigned long ad
70013 - */
70014 - ret = -ENOMEM;
70015 - if (flags & MREMAP_MAYMOVE) {
70016 -+ unsigned long map_flags = 0;
70017 - if (!(flags & MREMAP_FIXED)) {
70018 -- unsigned long map_flags = 0;
70019 - if (vma->vm_flags & VM_MAYSHARE)
70020 - map_flags |= MAP_SHARED;
70021 -
70022 -@@ -403,7 +425,12 @@ unsigned long do_mremap(unsigned long ad
70023 - if (ret)
70024 - goto out;
70025 - }
70026 -+ map_flags = vma->vm_flags;
70027 - ret = move_vma(vma, addr, old_len, new_len, new_addr);
70028 -+ if (!(ret & ~PAGE_MASK)) {
70029 -+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
70030 -+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
70031 -+ }
70032 - }
70033 - out:
70034 - if (ret & ~PAGE_MASK)
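Review bot: hoisting `map_flags` out of the `!(flags & MREMAP_FIXED)` block and then assigning `map_flags = vma->vm_flags;` before move_vma() reuses a MAP_*-flags variable to carry VM_* flags for track_exec_limit(). Snapshotting before move_vma() is the right idea, since the VMA may not survive it, but use a separately named local, e.g. `unsigned long vm_flags = vma->vm_flags;`, and leave map_flags scoped where it was.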
70035 -diff -Nurp linux-2.6.23.15/mm/nommu.c linux-2.6.23.15-grsec/mm/nommu.c
70036 ---- linux-2.6.23.15/mm/nommu.c 2007-10-09 21:31:38.000000000 +0100
70037 -+++ linux-2.6.23.15-grsec/mm/nommu.c 2008-02-11 10:37:45.000000000 +0000
70038 -@@ -376,15 +376,6 @@ struct vm_area_struct *find_vma(struct m
70039 - }
70040 - EXPORT_SYMBOL(find_vma);
70041 -
70042 --/*
70043 -- * find a VMA
70044 -- * - we don't extend stack VMAs under NOMMU conditions
70045 -- */
70046 --struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
70047 --{
70048 -- return find_vma(mm, addr);
70049 --}
70050 --
70051 - int expand_stack(struct vm_area_struct *vma, unsigned long address)
70052 - {
70053 - return -ENOMEM;
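Review bot: this hunk deletes the NOMMU find_extend_vma() without adding a replacement in this file, and the changelog does not say where the definition now lives; note the new location so the removal can be verified against the remaining callers.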
70054 -diff -Nurp linux-2.6.23.15/mm/page_alloc.c linux-2.6.23.15-grsec/mm/page_alloc.c
70055 ---- linux-2.6.23.15/mm/page_alloc.c 2007-10-09 21:31:38.000000000 +0100
70056 -+++ linux-2.6.23.15-grsec/mm/page_alloc.c 2008-02-11 10:37:45.000000000 +0000
70057 -@@ -402,7 +402,7 @@ static inline int page_is_buddy(struct p
70058 - static inline void __free_one_page(struct page *page,
70059 - struct zone *zone, unsigned int order)
70060 - {
70061 -- unsigned long page_idx;
70062 -+ unsigned long page_idx, index;
70063 - int order_size = 1 << order;
70064 -
70065 - if (unlikely(PageCompound(page)))
70066 -@@ -413,6 +413,11 @@ static inline void __free_one_page(struc
70067 - VM_BUG_ON(page_idx & (order_size - 1));
70068 - VM_BUG_ON(bad_range(zone, page));
70069 -
70070 -+#ifdef CONFIG_PAX_MEMORY_SANITIZE
70071 -+ for (index = order_size; index; --index)
70072 -+ sanitize_highpage(page + index - 1);
70073 -+#endif
70074 -+
70075 - __mod_zone_page_state(zone, NR_FREE_PAGES, order_size);
70076 - while (order < MAX_ORDER-1) {
70077 - unsigned long combined_idx;
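Review bot: `index` is declared unconditionally in __free_one_page() but used only inside `#ifdef CONFIG_PAX_MEMORY_SANITIZE`, which yields an unused-variable warning on non-sanitizing builds; declare it inside the #ifdef block. A one-line comment that the scrub runs over all `order_size` pages before the buddy merge would also help.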
70078 -diff -Nurp linux-2.6.23.15/mm/rmap.c linux-2.6.23.15-grsec/mm/rmap.c
70079 ---- linux-2.6.23.15/mm/rmap.c 2007-10-09 21:31:38.000000000 +0100
70080 -+++ linux-2.6.23.15-grsec/mm/rmap.c 2008-02-11 10:37:45.000000000 +0000
70081 -@@ -63,6 +63,10 @@ int anon_vma_prepare(struct vm_area_stru
70082 - struct mm_struct *mm = vma->vm_mm;
70083 - struct anon_vma *allocated, *locked;
70084 -
70085 -+#ifdef CONFIG_PAX_SEGMEXEC
70086 -+ struct vm_area_struct *vma_m;
70087 -+#endif
70088 -+
70089 - anon_vma = find_mergeable_anon_vma(vma);
70090 - if (anon_vma) {
70091 - allocated = NULL;
70092 -@@ -79,6 +83,15 @@ int anon_vma_prepare(struct vm_area_stru
70093 - /* page_table_lock to protect against threads */
70094 - spin_lock(&mm->page_table_lock);
70095 - if (likely(!vma->anon_vma)) {
70096 -+
70097 -+#ifdef CONFIG_PAX_SEGMEXEC
70098 -+ vma_m = pax_find_mirror_vma(vma);
70099 -+ if (vma_m) {
70100 -+ vma_m->anon_vma = anon_vma;
70101 -+ __anon_vma_link(vma_m);
70102 -+ }
70103 -+#endif
70104 -+
70105 - vma->anon_vma = anon_vma;
70106 - list_add_tail(&vma->anon_vma_node, &anon_vma->head);
70107 - allocated = NULL;
70108 -diff -Nurp linux-2.6.23.15/mm/shmem.c linux-2.6.23.15-grsec/mm/shmem.c
70109 ---- linux-2.6.23.15/mm/shmem.c 2008-02-11 10:36:03.000000000 +0000
70110 -+++ linux-2.6.23.15-grsec/mm/shmem.c 2008-02-11 10:37:45.000000000 +0000
70111 -@@ -2452,7 +2452,7 @@ static struct file_system_type tmpfs_fs_
70112 - .get_sb = shmem_get_sb,
70113 - .kill_sb = kill_litter_super,
70114 - };
70115 --static struct vfsmount *shm_mnt;
70116 -+struct vfsmount *shm_mnt;
70117 -
70118 - static int __init init_tmpfs(void)
70119 - {
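Review bot: dropping `static` from shm_mnt to reach it from grsecurity code should come with an extern declaration in a shared header (the tiny-shmem.c hunk makes the same change), otherwise each user ends up with a hand-written prototype in a .c file, as inet_hashtables.c does below for gr_update_task_in_ip_table().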
70120 -diff -Nurp linux-2.6.23.15/mm/slab.c linux-2.6.23.15-grsec/mm/slab.c
70121 ---- linux-2.6.23.15/mm/slab.c 2007-10-09 21:31:38.000000000 +0100
70122 -+++ linux-2.6.23.15-grsec/mm/slab.c 2008-02-11 10:37:45.000000000 +0000
70123 -@@ -306,7 +306,7 @@ struct kmem_list3 {
70124 - * Need this for bootstrapping a per node allocator.
70125 - */
70126 - #define NUM_INIT_LISTS (2 * MAX_NUMNODES + 1)
70127 --struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
70128 -+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
70129 - #define CACHE_CACHE 0
70130 - #define SIZE_AC 1
70131 - #define SIZE_L3 (1 + MAX_NUMNODES)
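Review bot: removing __initdata from initkmem_list3[] keeps the array resident after boot without a stated reason; the commit should say what references it post-init under grsecurity, or that this works around a section warning, so the memory cost is understood.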
70132 -@@ -655,14 +655,14 @@ struct cache_names {
70133 - static struct cache_names __initdata cache_names[] = {
70134 - #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
70135 - #include <linux/kmalloc_sizes.h>
70136 -- {NULL,}
70137 -+ {NULL, NULL}
70138 - #undef CACHE
70139 - };
70140 -
70141 - static struct arraycache_init initarray_cache __initdata =
70142 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
70143 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
70144 - static struct arraycache_init initarray_generic =
70145 -- { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
70146 -+ { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
70147 -
70148 - /* internal cache of cache description objs */
70149 - static struct kmem_cache cache_cache = {
70150 -@@ -2980,7 +2980,7 @@ retry:
70151 - * there must be at least one object available for
70152 - * allocation.
70153 - */
70154 -- BUG_ON(slabp->inuse < 0 || slabp->inuse >= cachep->num);
70155 -+ BUG_ON(slabp->inuse >= cachep->num);
70156 -
70157 - while (slabp->inuse < cachep->num && batchcount--) {
70158 - STATS_INC_ALLOCED(cachep);
70159 -diff -Nurp linux-2.6.23.15/mm/slub.c linux-2.6.23.15-grsec/mm/slub.c
70160 ---- linux-2.6.23.15/mm/slub.c 2008-02-11 10:36:03.000000000 +0000
70161 -+++ linux-2.6.23.15-grsec/mm/slub.c 2008-02-11 10:37:45.000000000 +0000
70162 -@@ -1530,7 +1530,7 @@ debug:
70163 - *
70164 - * Otherwise we can simply pick the next object from the lockless free list.
70165 - */
70166 --static void __always_inline *slab_alloc(struct kmem_cache *s,
70167 -+static __always_inline void *slab_alloc(struct kmem_cache *s,
70168 - gfp_t gfpflags, int node, void *addr)
70169 - {
70170 - struct page *page;
70171 -@@ -1639,7 +1639,7 @@ debug:
70172 - * If fastpath is not possible then fall back to __slab_free where we deal
70173 - * with all sorts of special processing.
70174 - */
70175 --static void __always_inline slab_free(struct kmem_cache *s,
70176 -+static __always_inline void slab_free(struct kmem_cache *s,
70177 - struct page *page, void *x, void *addr)
70178 - {
70179 - void **object = (void *)x;
70180 -diff -Nurp linux-2.6.23.15/mm/swap.c linux-2.6.23.15-grsec/mm/swap.c
70181 ---- linux-2.6.23.15/mm/swap.c 2007-10-09 21:31:38.000000000 +0100
70182 -+++ linux-2.6.23.15-grsec/mm/swap.c 2008-02-11 10:37:45.000000000 +0000
70183 -@@ -174,8 +174,8 @@ EXPORT_SYMBOL(mark_page_accessed);
70184 - * lru_cache_add: add a page to the page lists
70185 - * @page: the page to add
70186 - */
70187 --static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, };
70188 --static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, };
70189 -+static DEFINE_PER_CPU(struct pagevec, lru_add_pvecs) = { 0, 0, {NULL} };
70190 -+static DEFINE_PER_CPU(struct pagevec, lru_add_active_pvecs) = { 0, 0, {NULL} };
70191 -
70192 - void fastcall lru_cache_add(struct page *page)
70193 - {
70194 -diff -Nurp linux-2.6.23.15/mm/tiny-shmem.c linux-2.6.23.15-grsec/mm/tiny-shmem.c
70195 ---- linux-2.6.23.15/mm/tiny-shmem.c 2007-10-09 21:31:38.000000000 +0100
70196 -+++ linux-2.6.23.15-grsec/mm/tiny-shmem.c 2008-02-11 10:37:45.000000000 +0000
70197 -@@ -26,7 +26,7 @@ static struct file_system_type tmpfs_fs_
70198 - .kill_sb = kill_litter_super,
70199 - };
70200 -
70201 --static struct vfsmount *shm_mnt;
70202 -+struct vfsmount *shm_mnt;
70203 -
70204 - static int __init init_tmpfs(void)
70205 - {
70206 -diff -Nurp linux-2.6.23.15/mm/vmalloc.c linux-2.6.23.15-grsec/mm/vmalloc.c
70207 ---- linux-2.6.23.15/mm/vmalloc.c 2007-10-09 21:31:38.000000000 +0100
70208 -+++ linux-2.6.23.15-grsec/mm/vmalloc.c 2008-02-11 10:37:45.000000000 +0000
70209 -@@ -201,6 +201,8 @@ static struct vm_struct *__get_vm_area_n
70210 -
70211 - write_lock(&vmlist_lock);
70212 - for (p = &vmlist; (tmp = *p) != NULL ;p = &tmp->next) {
70213 -+ if (addr > end - size)
70214 -+ goto out;
70215 - if ((unsigned long)tmp->addr < addr) {
70216 - if((unsigned long)tmp->addr + tmp->size >= addr)
70217 - addr = ALIGN(tmp->size +
70218 -@@ -212,8 +214,6 @@ static struct vm_struct *__get_vm_area_n
70219 - if (size + addr <= (unsigned long)tmp->addr)
70220 - goto found;
70221 - addr = ALIGN(tmp->size + (unsigned long)tmp->addr, align);
70222 -- if (addr > end - size)
70223 -- goto out;
70224 - }
70225 -
70226 - found:
70227 -diff -Nurp linux-2.6.23.15/net/core/flow.c linux-2.6.23.15-grsec/net/core/flow.c
70228 ---- linux-2.6.23.15/net/core/flow.c 2007-10-09 21:31:38.000000000 +0100
70229 -+++ linux-2.6.23.15-grsec/net/core/flow.c 2008-02-11 10:37:45.000000000 +0000
70230 -@@ -40,7 +40,7 @@ atomic_t flow_cache_genid = ATOMIC_INIT(
70231 -
70232 - static u32 flow_hash_shift;
70233 - #define flow_hash_size (1 << flow_hash_shift)
70234 --static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
70235 -+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
70236 -
70237 - #define flow_table(cpu) (per_cpu(flow_tables, cpu))
70238 -
70239 -@@ -53,7 +53,7 @@ struct flow_percpu_info {
70240 - u32 hash_rnd;
70241 - int count;
70242 - } ____cacheline_aligned;
70243 --static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
70244 -+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
70245 -
70246 - #define flow_hash_rnd_recalc(cpu) \
70247 - (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
70248 -@@ -70,7 +70,7 @@ struct flow_flush_info {
70249 - atomic_t cpuleft;
70250 - struct completion completion;
70251 - };
70252 --static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
70253 -+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
70254 -
70255 - #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
70256 -
70257 -diff -Nurp linux-2.6.23.15/net/dccp/ccids/ccid3.c linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c
70258 ---- linux-2.6.23.15/net/dccp/ccids/ccid3.c 2007-10-09 21:31:38.000000000 +0100
70259 -+++ linux-2.6.23.15-grsec/net/dccp/ccids/ccid3.c 2008-02-11 10:37:45.000000000 +0000
70260 -@@ -44,7 +44,7 @@
70261 - static int ccid3_debug;
70262 - #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
70263 - #else
70264 --#define ccid3_pr_debug(format, a...)
70265 -+#define ccid3_pr_debug(format, a...) do {} while (0)
70266 - #endif
70267 -
70268 - static struct dccp_tx_hist *ccid3_tx_hist;
70269 -diff -Nurp linux-2.6.23.15/net/dccp/dccp.h linux-2.6.23.15-grsec/net/dccp/dccp.h
70270 ---- linux-2.6.23.15/net/dccp/dccp.h 2007-10-09 21:31:38.000000000 +0100
70271 -+++ linux-2.6.23.15-grsec/net/dccp/dccp.h 2008-02-11 10:37:45.000000000 +0000
70272 -@@ -42,8 +42,8 @@ extern int dccp_debug;
70273 - #define dccp_pr_debug(format, a...) DCCP_PR_DEBUG(dccp_debug, format, ##a)
70274 - #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
70275 - #else
70276 --#define dccp_pr_debug(format, a...)
70277 --#define dccp_pr_debug_cat(format, a...)
70278 -+#define dccp_pr_debug(format, a...) do {} while (0)
70279 -+#define dccp_pr_debug_cat(format, a...) do {} while (0)
70280 - #endif
70281 -
70282 - extern struct inet_hashinfo dccp_hashinfo;
70283 -diff -Nurp linux-2.6.23.15/net/ipv4/inet_connection_sock.c linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c
70284 ---- linux-2.6.23.15/net/ipv4/inet_connection_sock.c 2007-10-09 21:31:38.000000000 +0100
70285 -+++ linux-2.6.23.15-grsec/net/ipv4/inet_connection_sock.c 2008-02-11 10:37:45.000000000 +0000
70286 -@@ -15,6 +15,7 @@
70287 -
70288 - #include <linux/module.h>
70289 - #include <linux/jhash.h>
70290 -+#include <linux/grsecurity.h>
70291 -
70292 - #include <net/inet_connection_sock.h>
70293 - #include <net/inet_hashtables.h>
70294 -diff -Nurp linux-2.6.23.15/net/ipv4/inet_hashtables.c linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c
70295 ---- linux-2.6.23.15/net/ipv4/inet_hashtables.c 2007-10-09 21:31:38.000000000 +0100
70296 -+++ linux-2.6.23.15-grsec/net/ipv4/inet_hashtables.c 2008-02-11 10:37:45.000000000 +0000
70297 -@@ -18,11 +18,14 @@
70298 - #include <linux/sched.h>
70299 - #include <linux/slab.h>
70300 - #include <linux/wait.h>
70301 -+#include <linux/grsecurity.h>
70302 -
70303 - #include <net/inet_connection_sock.h>
70304 - #include <net/inet_hashtables.h>
70305 - #include <net/ip.h>
70306 -
70307 -+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
70308 -+
70309 - /*
70310 - * Allocate and initialize a new local port bind bucket.
70311 - * The bindhash mutex for snum's hash chain must be held here.
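Review bot: the extern prototype for gr_update_task_in_ip_table() is declared in the .c file immediately after `#include <linux/grsecurity.h>`; put it in that header so the prototype and the call site cannot drift apart.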
70312 -@@ -338,6 +341,8 @@ ok:
70313 - }
70314 - spin_unlock(&head->lock);
70315 -
70316 -+ gr_update_task_in_ip_table(current, inet_sk(sk));
70317 -+
70318 - if (tw) {
70319 - inet_twsk_deschedule(tw, death_row);
70320 - inet_twsk_put(tw);
70321 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Kconfig linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig
70322 ---- linux-2.6.23.15/net/ipv4/netfilter/Kconfig 2007-10-09 21:31:38.000000000 +0100
70323 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Kconfig 2008-02-11 10:37:45.000000000 +0000
70324 -@@ -130,6 +130,21 @@ config IP_NF_MATCH_ADDRTYPE
70325 - If you want to compile it as a module, say M here and read
70326 - <file:Documentation/modules.txt>. If unsure, say `N'.
70327 -
70328 -+config IP_NF_MATCH_STEALTH
70329 -+ tristate "stealth match support"
70330 -+ depends on IP_NF_IPTABLES
70331 -+ help
70332 -+ Enabling this option will drop all syn packets coming to unserved tcp
70333 -+ ports as well as all packets coming to unserved udp ports. If you
70334 -+ are using your system to route any type of packets (ie. via NAT)
70335 -+ you should put this module at the end of your ruleset, since it will
70336 -+ drop packets that aren't going to ports that are listening on your
70337 -+ machine itself, it doesn't take into account that the packet might be
70338 -+ destined for someone on your internal network if you're using NAT for
70339 -+ instance.
70340 -+
70341 -+ To compile it as a module, choose M here. If unsure, say N.
70342 -+
70343 - # `filter', generic and specific targets
70344 - config IP_NF_FILTER
70345 - tristate "Packet filtering"
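Review bot: the help text is inaccurate: a netfilter match does not drop anything, it only selects packets, and whether they are dropped depends on the rule's target. Reword along the lines of "matches SYN packets to TCP ports with no listener and all packets to UDP ports with no listener", capitalise SYN, and keep the NAT caveat, which is the useful part.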
70346 -@@ -403,4 +418,3 @@ config IP_NF_ARP_MANGLE
70347 - hardware and network addresses.
70348 -
70349 - endmenu
70350 --
70351 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/Makefile linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile
70352 ---- linux-2.6.23.15/net/ipv4/netfilter/Makefile 2007-10-09 21:31:38.000000000 +0100
70353 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/Makefile 2008-02-11 10:37:45.000000000 +0000
70354 -@@ -49,6 +49,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
70355 - obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
70356 - obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
70357 - obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
70358 -+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
70359 -
70360 - # targets
70361 - obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
70362 -diff -Nurp linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c
70363 ---- linux-2.6.23.15/net/ipv4/netfilter/ipt_stealth.c 1970-01-01 01:00:00.000000000 +0100
70364 -+++ linux-2.6.23.15-grsec/net/ipv4/netfilter/ipt_stealth.c 2008-02-11 10:37:45.000000000 +0000
70365 -@@ -0,0 +1,114 @@
70366 -+/* Kernel module to add stealth support.
70367 -+ *
70368 -+ * Copyright (C) 2002-2006 Brad Spengler <spender@××××××××××.net>
70369 -+ *
70370 -+ */
70371 -+
70372 -+#include <linux/kernel.h>
70373 -+#include <linux/module.h>
70374 -+#include <linux/skbuff.h>
70375 -+#include <linux/net.h>
70376 -+#include <linux/sched.h>
70377 -+#include <linux/inet.h>
70378 -+#include <linux/stddef.h>
70379 -+
70380 -+#include <net/ip.h>
70381 -+#include <net/sock.h>
70382 -+#include <net/tcp.h>
70383 -+#include <net/udp.h>
70384 -+#include <net/route.h>
70385 -+#include <net/inet_common.h>
70386 -+
70387 -+#include <linux/netfilter_ipv4/ip_tables.h>
70388 -+
70389 -+MODULE_LICENSE("GPL");
70390 -+
70391 -+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
70392 -+
70393 -+static int
70394 -+match(const struct sk_buff *skb,
70395 -+ const struct net_device *in,
70396 -+ const struct net_device *out,
70397 -+ const struct xt_match *match,
70398 -+ const void *matchinfo,
70399 -+ int offset,
70400 -+ unsigned int protoff,
70401 -+ int *hotdrop)
70402 -+{
70403 -+ struct iphdr *ip = ip_hdr(skb);
70404 -+ struct tcphdr th;
70405 -+ struct udphdr uh;
70406 -+ struct sock *sk = NULL;
70407 -+
70408 -+ if (!ip || offset) return 0;
70409 -+
70410 -+ switch(ip->protocol) {
70411 -+ case IPPROTO_TCP:
70412 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &th, sizeof(th)) < 0) {
70413 -+ *hotdrop = 1;
70414 -+ return 0;
70415 -+ }
70416 -+ if (!(th.syn && !th.ack)) return 0;
70417 -+ sk = inet_lookup_listener(&tcp_hashinfo, ip->daddr, th.dest, inet_iif(skb));
70418 -+ break;
70419 -+ case IPPROTO_UDP:
70420 -+ if (skb_copy_bits(skb, (ip_hdr(skb))->ihl*4, &uh, sizeof(uh)) < 0) {
70421 -+ *hotdrop = 1;
70422 -+ return 0;
70423 -+ }
70424 -+ sk = udp_v4_lookup(ip->saddr, uh.source, ip->daddr, uh.dest, skb->dev->ifindex);
70425 -+ break;
70426 -+ default:
70427 -+ return 0;
70428 -+ }
70429 -+
70430 -+ if(!sk) // port is being listened on, match this
70431 -+ return 1;
70432 -+ else {
70433 -+ sock_put(sk);
70434 -+ return 0;
70435 -+ }
70436 -+}
70437 -+
70438 -+/* Called when user tries to insert an entry of this type. */
70439 -+static int
70440 -+checkentry(const char *tablename,
70441 -+ const void *nip,
70442 -+ const struct xt_match *match,
70443 -+ void *matchinfo,
70444 -+ unsigned int hook_mask)
70445 -+{
70446 -+ const struct ipt_ip *ip = (const struct ipt_ip *)nip;
70447 -+
70448 -+ if(((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
70449 -+ ((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
70450 -+ && (hook_mask & (1 << NF_IP_LOCAL_IN)))
70451 -+ return 1;
70452 -+
70453 -+ printk("stealth: Only works on TCP and UDP for the INPUT chain.\n");
70454 -+
70455 -+ return 0;
70456 -+}
70457 -+
70458 -+
70459 -+static struct xt_match stealth_match = {
70460 -+ .name = "stealth",
70461 -+ .family = AF_INET,
70462 -+ .match = match,
70463 -+ .checkentry = checkentry,
70464 -+ .destroy = NULL,
70465 -+ .me = THIS_MODULE
70466 -+};
70467 -+
70468 -+static int __init init(void)
70469 -+{
70470 -+ return xt_register_match(&stealth_match);
70471 -+}
70472 -+
70473 -+static void __exit fini(void)
70474 -+{
70475 -+ xt_unregister_match(&stealth_match);
70476 -+}
70477 -+
70478 -+module_init(init);
70479 -+module_exit(fini);
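Review bot: the comment on the `if(!sk) // port is being listened on, match this` line states the opposite of what the code does: `sk` is NULL when `inet_lookup_listener()` or `udp_v4_lookup()` found no socket, so the `stealth` match fires for SYNs and UDP datagrams aimed at ports with no listener and returns 0 (after `sock_put`) when a listener exists. Fix the comment so the rule's semantics are not misread by the next person. Two smaller points in the same hunk: the file-local `extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);` disagrees with the `__be32`/`__be16` definition added in net/ipv4/udp.c, which sparse will flag, so the prototype belongs in a shared header; and `match()` receives `protoff` but recomputes the transport offset as `(ip_hdr(skb))->ihl*4`, so pass `protoff` to both `skb_copy_bits()` calls. The `printk()` in `checkentry()` also lacks a `KERN_` level.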
70480 -diff -Nurp linux-2.6.23.15/net/ipv4/tcp.c linux-2.6.23.15-grsec/net/ipv4/tcp.c
70481 ---- linux-2.6.23.15/net/ipv4/tcp.c 2007-10-09 21:31:38.000000000 +0100
70482 -+++ linux-2.6.23.15-grsec/net/ipv4/tcp.c 2008-02-11 10:37:45.000000000 +0000
70483 -@@ -1053,7 +1053,8 @@ int tcp_read_sock(struct sock *sk, read_
70484 - return -ENOTCONN;
70485 - while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
70486 - if (offset < skb->len) {
70487 -- size_t used, len;
70488 -+ int used;
70489 -+ size_t len;
70490 -
70491 - len = skb->len - offset;
70492 - /* Stop reading if we hit a patch of urgent data */
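Review bot: splitting `size_t used, len;` into `int used;` and `size_t len;` changes the sign of `used`, and that is only meaningful if a later comparison (outside this hunk) treats a negative return from the read actor as an error; add a one-line comment at the declaration saying why `used` must be signed, otherwise the next warning sweep will fold it back into `size_t`.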
70493 -diff -Nurp linux-2.6.23.15/net/ipv4/tcp_ipv4.c linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c
70494 ---- linux-2.6.23.15/net/ipv4/tcp_ipv4.c 2007-10-09 21:31:38.000000000 +0100
70495 -+++ linux-2.6.23.15-grsec/net/ipv4/tcp_ipv4.c 2008-02-11 10:37:45.000000000 +0000
70496 -@@ -61,6 +61,7 @@
70497 - #include <linux/jhash.h>
70498 - #include <linux/init.h>
70499 - #include <linux/times.h>
70500 -+#include <linux/grsecurity.h>
70501 -
70502 - #include <net/icmp.h>
70503 - #include <net/inet_hashtables.h>
70504 -diff -Nurp linux-2.6.23.15/net/ipv4/udp.c linux-2.6.23.15-grsec/net/ipv4/udp.c
70505 ---- linux-2.6.23.15/net/ipv4/udp.c 2007-10-09 21:31:38.000000000 +0100
70506 -+++ linux-2.6.23.15-grsec/net/ipv4/udp.c 2008-02-11 10:37:45.000000000 +0000
70507 -@@ -98,12 +98,19 @@
70508 - #include <linux/skbuff.h>
70509 - #include <linux/proc_fs.h>
70510 - #include <linux/seq_file.h>
70511 -+#include <linux/grsecurity.h>
70512 - #include <net/icmp.h>
70513 - #include <net/route.h>
70514 - #include <net/checksum.h>
70515 - #include <net/xfrm.h>
70516 - #include "udp_impl.h"
70517 -
70518 -+extern int gr_search_udp_recvmsg(const struct sock *sk,
70519 -+ const struct sk_buff *skb);
70520 -+extern int gr_search_udp_sendmsg(const struct sock *sk,
70521 -+ const struct sockaddr_in *addr);
70522 -+
70523 -+
70524 - /*
70525 - * Snmp MIB for the UDP layer
70526 - */
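Review bot: the `extern int gr_search_udp_recvmsg(...)` and `gr_search_udp_sendmsg(...)` prototypes are added as file-local externs in net/ipv4/udp.c even though the same hunk adds `#include <linux/grsecurity.h>`; declare them in that header instead so every call site is checked against one definition. The two trailing blank lines after the externs can also go.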
70527 -@@ -287,6 +294,13 @@ static struct sock *__udp4_lib_lookup(__
70528 - return result;
70529 - }
70530 -
70531 -+struct sock *udp_v4_lookup(__be32 saddr, __be16 sport,
70532 -+ __be32 daddr, __be16 dport, int dif)
70533 -+{
70534 -+ return __udp4_lib_lookup(saddr, sport, daddr, dport, dif, udp_hash);
70535 -+}
70536 -+
70537 -+
70538 - static inline struct sock *udp_v4_mcast_next(struct sock *sk,
70539 - __be16 loc_port, __be32 loc_addr,
70540 - __be16 rmt_port, __be32 rmt_addr,
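Review bot: `udp_v4_lookup()` is added as a plain global with no `EXPORT_SYMBOL()`, while its only caller in this patch is net/ipv4/netfilter/ipt_stealth.c, which the Makefile change builds as `obj-$(CONFIG_IP_NF_MATCH_STEALTH)`; with that option set to `m` the module will fail to load with an unresolved symbol. Add `EXPORT_SYMBOL(udp_v4_lookup);` (or restrict the Kconfig entry to built-in) and drop one of the two blank lines after the function.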
70541 -@@ -572,9 +586,16 @@ int udp_sendmsg(struct kiocb *iocb, stru
70542 - dport = usin->sin_port;
70543 - if (dport == 0)
70544 - return -EINVAL;
70545 -+
70546 -+ if (!gr_search_udp_sendmsg(sk, usin))
70547 -+ return -EPERM;
70548 - } else {
70549 - if (sk->sk_state != TCP_ESTABLISHED)
70550 - return -EDESTADDRREQ;
70551 -+
70552 -+ if (!gr_search_udp_sendmsg(sk, NULL))
70553 -+ return -EPERM;
70554 -+
70555 - daddr = inet->daddr;
70556 - dport = inet->dport;
70557 - /* Open fast path for connected socket.
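Review bot: the two `gr_search_udp_sendmsg()` checks in `udp_sendmsg()` return `-EPERM`, whereas the equivalent hooks added to net/socket.c (`sys_socket`, `sys_bind`, `sys_connect`) return `-EACCES`; pick one errno for policy denials so userspace and audit tooling see a consistent signal. Consider also folding the two calls into one placed after the `if/else` that resolves the destination, passing `usin` or NULL, so the hook lives in one place.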
70558 -@@ -834,6 +855,11 @@ try_again:
70559 - if (!skb)
70560 - goto out;
70561 -
70562 -+ if (!gr_search_udp_recvmsg(sk, skb)) {
70563 -+ err = -EPERM;
70564 -+ goto out_free;
70565 -+ }
70566 -+
70567 - ulen = skb->len - sizeof(struct udphdr);
70568 - copied = len;
70569 - if (copied > ulen)
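Review bot: the `gr_search_udp_recvmsg()` check runs after the datagram has already been dequeued (the `if (!skb) goto out;` just above), so a denied datagram is freed through `out_free` rather than left on the queue; that is the right behaviour for a policy drop, since a retry would otherwise spin on the same datagram, but it deserves a comment, and if `gr_search_udp_recvmsg()` does not log the denial itself, consider doing so here so an operator can tell a policy drop from a receive error.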
70570 -diff -Nurp linux-2.6.23.15/net/ipv6/exthdrs.c linux-2.6.23.15-grsec/net/ipv6/exthdrs.c
70571 ---- linux-2.6.23.15/net/ipv6/exthdrs.c 2007-10-09 21:31:38.000000000 +0100
70572 -+++ linux-2.6.23.15-grsec/net/ipv6/exthdrs.c 2008-02-11 10:37:45.000000000 +0000
70573 -@@ -645,7 +645,7 @@ static struct tlvtype_proc tlvprochopopt
70574 - .type = IPV6_TLV_JUMBO,
70575 - .func = ipv6_hop_jumbo,
70576 - },
70577 -- { -1, }
70578 -+ { -1, NULL }
70579 - };
70580 -
70581 - int ipv6_parse_hopopts(struct sk_buff **skbp)
70582 -diff -Nurp linux-2.6.23.15/net/ipv6/raw.c linux-2.6.23.15-grsec/net/ipv6/raw.c
70583 ---- linux-2.6.23.15/net/ipv6/raw.c 2007-10-09 21:31:38.000000000 +0100
70584 -+++ linux-2.6.23.15-grsec/net/ipv6/raw.c 2008-02-11 10:37:45.000000000 +0000
70585 -@@ -577,7 +577,7 @@ out:
70586 - return err;
70587 - }
70588 -
70589 --static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
70590 -+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
70591 - struct flowi *fl, struct rt6_info *rt,
70592 - unsigned int flags)
70593 - {
70594 -diff -Nurp linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c
70595 ---- linux-2.6.23.15/net/irda/ircomm/ircomm_tty.c 2007-10-09 21:31:38.000000000 +0100
70596 -+++ linux-2.6.23.15-grsec/net/irda/ircomm/ircomm_tty.c 2008-02-11 10:37:45.000000000 +0000
70597 -@@ -371,7 +371,7 @@ static int ircomm_tty_open(struct tty_st
70598 - IRDA_DEBUG(2, "%s()\n", __FUNCTION__ );
70599 -
70600 - line = tty->index;
70601 -- if ((line < 0) || (line >= IRCOMM_TTY_PORTS)) {
70602 -+ if (line >= IRCOMM_TTY_PORTS) {
70603 - return -ENODEV;
70604 - }
70605 -
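Review bot: dropping `(line < 0)` from the bounds check in `ircomm_tty_open()` is only correct if `line` is unsigned, and the declaration is outside this hunk; since `tty->index` is an `int`, confirm the local's type (or change it to `unsigned int` in the same hunk), otherwise a negative index now passes the check and indexes the port table out of bounds.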
70606 -diff -Nurp linux-2.6.23.15/net/mac80211/ieee80211.c linux-2.6.23.15-grsec/net/mac80211/ieee80211.c
70607 ---- linux-2.6.23.15/net/mac80211/ieee80211.c 2008-02-11 10:36:03.000000000 +0000
70608 -+++ linux-2.6.23.15-grsec/net/mac80211/ieee80211.c 2008-02-11 10:37:45.000000000 +0000
70609 -@@ -1260,7 +1260,7 @@ __ieee80211_parse_tx_radiotap(
70610 - }
70611 -
70612 -
70613 --static ieee80211_txrx_result inline
70614 -+static inline ieee80211_txrx_result
70615 - __ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70616 - struct sk_buff *skb,
70617 - struct net_device *dev,
70618 -@@ -1332,7 +1332,7 @@ __ieee80211_tx_prepare(struct ieee80211_
70619 - return res;
70620 - }
70621 -
70622 --static int inline is_ieee80211_device(struct net_device *dev,
70623 -+static inline int is_ieee80211_device(struct net_device *dev,
70624 - struct net_device *master)
70625 - {
70626 - return (wdev_priv(dev->ieee80211_ptr) ==
70627 -@@ -1341,7 +1341,7 @@ static int inline is_ieee80211_device(st
70628 -
70629 - /* Device in tx->dev has a reference added; use dev_put(tx->dev) when
70630 - * finished with it. */
70631 --static int inline ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70632 -+static inline int ieee80211_tx_prepare(struct ieee80211_txrx_data *tx,
70633 - struct sk_buff *skb,
70634 - struct net_device *mdev,
70635 - struct ieee80211_tx_control *control)
70636 -diff -Nurp linux-2.6.23.15/net/mac80211/regdomain.c linux-2.6.23.15-grsec/net/mac80211/regdomain.c
70637 ---- linux-2.6.23.15/net/mac80211/regdomain.c 2007-10-09 21:31:38.000000000 +0100
70638 -+++ linux-2.6.23.15-grsec/net/mac80211/regdomain.c 2008-02-11 10:37:45.000000000 +0000
70639 -@@ -61,14 +61,14 @@ static const struct ieee80211_channel_ra
70640 - { 5180, 5240, 17, 6 } /* IEEE 802.11a, channels 36..48 */,
70641 - { 5260, 5320, 23, 6 } /* IEEE 802.11a, channels 52..64 */,
70642 - { 5745, 5825, 30, 6 } /* IEEE 802.11a, channels 149..165, outdoor */,
70643 -- { 0 }
70644 -+ { 0, 0, 0, 0 }
70645 - };
70646 -
70647 - static const struct ieee80211_channel_range ieee80211_mkk_channels[] = {
70648 - { 2412, 2472, 20, 6 } /* IEEE 802.11b/g, channels 1..13 */,
70649 - { 5170, 5240, 20, 6 } /* IEEE 802.11a, channels 34..48 */,
70650 - { 5260, 5320, 20, 6 } /* IEEE 802.11a, channels 52..64 */,
70651 -- { 0 }
70652 -+ { 0, 0, 0, 0 }
70653 - };
70654 -
70655 -
70656 -diff -Nurp linux-2.6.23.15/net/sctp/socket.c linux-2.6.23.15-grsec/net/sctp/socket.c
70657 ---- linux-2.6.23.15/net/sctp/socket.c 2007-10-09 21:31:38.000000000 +0100
70658 -+++ linux-2.6.23.15-grsec/net/sctp/socket.c 2008-02-11 10:37:45.000000000 +0000
70659 -@@ -1370,7 +1370,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
70660 - struct sctp_sndrcvinfo *sinfo;
70661 - struct sctp_initmsg *sinit;
70662 - sctp_assoc_t associd = 0;
70663 -- sctp_cmsgs_t cmsgs = { NULL };
70664 -+ sctp_cmsgs_t cmsgs = { NULL, NULL };
70665 - int err;
70666 - sctp_scope_t scope;
70667 - long timeo;
70668 -diff -Nurp linux-2.6.23.15/net/socket.c linux-2.6.23.15-grsec/net/socket.c
70669 ---- linux-2.6.23.15/net/socket.c 2008-02-11 10:36:03.000000000 +0000
70670 -+++ linux-2.6.23.15-grsec/net/socket.c 2008-02-11 10:37:45.000000000 +0000
70671 -@@ -84,6 +84,7 @@
70672 - #include <linux/kmod.h>
70673 - #include <linux/audit.h>
70674 - #include <linux/wireless.h>
70675 -+#include <linux/in.h>
70676 -
70677 - #include <asm/uaccess.h>
70678 - #include <asm/unistd.h>
70679 -@@ -93,6 +94,21 @@
70680 - #include <net/sock.h>
70681 - #include <linux/netfilter.h>
70682 -
70683 -+extern void gr_attach_curr_ip(const struct sock *sk);
70684 -+extern int gr_handle_sock_all(const int family, const int type,
70685 -+ const int protocol);
70686 -+extern int gr_handle_sock_server(const struct sockaddr *sck);
70687 -+extern int gr_handle_sock_server_other(const struct socket *sck);
70688 -+extern int gr_handle_sock_client(const struct sockaddr *sck);
70689 -+extern int gr_search_connect(const struct socket * sock,
70690 -+ const struct sockaddr_in * addr);
70691 -+extern int gr_search_bind(const struct socket * sock,
70692 -+ const struct sockaddr_in * addr);
70693 -+extern int gr_search_listen(const struct socket * sock);
70694 -+extern int gr_search_accept(const struct socket * sock);
70695 -+extern int gr_search_socket(const int domain, const int type,
70696 -+ const int protocol);
70697 -+
70698 - static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
70699 - static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
70700 - unsigned long nr_segs, loff_t pos);
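Review bot: the block of `extern int gr_handle_sock_*()` and `gr_search_*()` prototypes added to net/socket.c duplicates declarations that belong in `<linux/grsecurity.h>` (which this patch adds to other files); include the header and delete the local externs so every call site is checked against one signature. The `const struct socket * sock` pointer spacing also does not match the surrounding code.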
70701 -@@ -292,7 +308,7 @@ static int sockfs_get_sb(struct file_sys
70702 - mnt);
70703 - }
70704 -
70705 --static struct vfsmount *sock_mnt __read_mostly;
70706 -+struct vfsmount *sock_mnt __read_mostly;
70707 -
70708 - static struct file_system_type sock_fs_type = {
70709 - .name = "sockfs",
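Review bot: making `sock_mnt` non-static publishes a previously private global, and the hunk shows no consumer; add the matching `extern struct vfsmount *sock_mnt;` to a header and state in the patch description which grsecurity code needs it, or the change will be reverted as dead in the next cleanup.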
70710 -@@ -1199,6 +1215,16 @@ asmlinkage long sys_socket(int family, i
70711 - int retval;
70712 - struct socket *sock;
70713 -
70714 -+ if(!gr_search_socket(family, type, protocol)) {
70715 -+ retval = -EACCES;
70716 -+ goto out;
70717 -+ }
70718 -+
70719 -+ if (gr_handle_sock_all(family, type, protocol)) {
70720 -+ retval = -EACCES;
70721 -+ goto out;
70722 -+ }
70723 -+
70724 - retval = sock_create(family, type, protocol, &sock);
70725 - if (retval < 0)
70726 - goto out;
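Review bot: the two checks in `sys_socket()` use opposite conventions, `if(!gr_search_socket(...))` denies on zero while `if (gr_handle_sock_all(...))` denies on non-zero; that inversion repeats in every hook in this file and is an easy place to get the sense wrong. Consider one convention, or wrap both in a single helper that returns an errno, and fix the `if(` spacing to match kernel style.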
70727 -@@ -1329,6 +1355,12 @@ asmlinkage long sys_bind(int fd, struct
70728 - if (sock) {
70729 - err = move_addr_to_kernel(umyaddr, addrlen, address);
70730 - if (err >= 0) {
70731 -+ if (!gr_search_bind(sock, (struct sockaddr_in *)address) ||
70732 -+ gr_handle_sock_server((struct sockaddr *)address)) {
70733 -+ err = -EACCES;
70734 -+ goto error;
70735 -+ }
70736 -+
70737 - err = security_socket_bind(sock,
70738 - (struct sockaddr *)address,
70739 - addrlen);
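Review bot: `gr_search_bind(sock, (struct sockaddr_in *)address)` casts the user address to `struct sockaddr_in` unconditionally, before anything has checked `sa_family`; for AF_UNIX, AF_INET6 or AF_PACKET sockets the callee will read IPv4 fields from unrelated bytes unless it checks the family first. The same cast appears in the `sys_connect()` hunk. Either check `sock->sk->sk_family == AF_INET` here or pass the `struct sockaddr *` and let the callee dispatch. Returning `-EACCES` before `security_socket_bind()` also means the LSM hook never sees denied binds, which is worth a sentence in the description.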
70740 -@@ -1337,6 +1369,7 @@ asmlinkage long sys_bind(int fd, struct
70741 - (struct sockaddr *)
70742 - address, addrlen);
70743 - }
70744 -+error:
70745 - fput_light(sock->file, fput_needed);
70746 - }
70747 - return err;
70748 -@@ -1360,10 +1393,17 @@ asmlinkage long sys_listen(int fd, int b
70749 - if ((unsigned)backlog > sysctl_somaxconn)
70750 - backlog = sysctl_somaxconn;
70751 -
70752 -+ if (gr_handle_sock_server_other(sock) ||
70753 -+ !gr_search_listen(sock)) {
70754 -+ err = -EPERM;
70755 -+ goto error;
70756 -+ }
70757 -+
70758 - err = security_socket_listen(sock, backlog);
70759 - if (!err)
70760 - err = sock->ops->listen(sock, backlog);
70761 -
70762 -+error:
70763 - fput_light(sock->file, fput_needed);
70764 - }
70765 - return err;
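Review bot: `sys_listen()` denies with `-EPERM` while `sys_socket()` and `sys_bind()` in the same patch deny with `-EACCES`; use one errno for grsecurity policy denials so callers and audit rules can match on it.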
70766 -@@ -1400,6 +1440,13 @@ asmlinkage long sys_accept(int fd, struc
70767 - newsock->type = sock->type;
70768 - newsock->ops = sock->ops;
70769 -
70770 -+ if (gr_handle_sock_server_other(sock) ||
70771 -+ !gr_search_accept(sock)) {
70772 -+ err = -EPERM;
70773 -+ sock_release(newsock);
70774 -+ goto out_put;
70775 -+ }
70776 -+
70777 - /*
70778 - * We don't need try_module_get here, as the listening socket (sock)
70779 - * has the protocol module (sock->ops->owner) held.
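Review bot: the `gr_handle_sock_server_other()`/`gr_search_accept()` check in `sys_accept()` runs after `newsock` has been allocated and then has to `sock_release(newsock)` on denial; both checks only look at the listening `sock`, so moving them above the allocation avoids the allocate/free round trip and the extra error path.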
70780 -@@ -1443,6 +1490,7 @@ asmlinkage long sys_accept(int fd, struc
70781 - err = newfd;
70782 -
70783 - security_socket_post_accept(sock, newsock);
70784 -+ gr_attach_curr_ip(newsock->sk);
70785 -
70786 - out_put:
70787 - fput_light(sock->file, fput_needed);
70788 -@@ -1476,6 +1524,7 @@ asmlinkage long sys_connect(int fd, stru
70789 - {
70790 - struct socket *sock;
70791 - char address[MAX_SOCK_ADDR];
70792 -+ struct sockaddr *sck;
70793 - int err, fput_needed;
70794 -
70795 - sock = sockfd_lookup_light(fd, &err, &fput_needed);
70796 -@@ -1485,6 +1534,13 @@ asmlinkage long sys_connect(int fd, stru
70797 - if (err < 0)
70798 - goto out_put;
70799 -
70800 -+ sck = (struct sockaddr *)address;
70801 -+ if (!gr_search_connect(sock, (struct sockaddr_in *)sck) ||
70802 -+ gr_handle_sock_client(sck)) {
70803 -+ err = -EACCES;
70804 -+ goto out_put;
70805 -+ }
70806 -+
70807 - err =
70808 - security_socket_connect(sock, (struct sockaddr *)address, addrlen);
70809 - if (err)
70810 -@@ -1762,6 +1818,7 @@ asmlinkage long sys_shutdown(int fd, int
70811 - err = sock->ops->shutdown(sock, how);
70812 - fput_light(sock->file, fput_needed);
70813 - }
70814 -+
70815 - return err;
70816 - }
70817 -
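Review bot: the `sys_shutdown()` hunk adds only a blank line; whitespace-only hunks add noise to every future rebase of this patch and should be dropped.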
70818 -diff -Nurp linux-2.6.23.15/net/unix/af_unix.c linux-2.6.23.15-grsec/net/unix/af_unix.c
70819 ---- linux-2.6.23.15/net/unix/af_unix.c 2008-02-11 10:36:03.000000000 +0000
70820 -+++ linux-2.6.23.15-grsec/net/unix/af_unix.c 2008-02-11 10:37:45.000000000 +0000
70821 -@@ -115,6 +115,7 @@
70822 - #include <linux/mount.h>
70823 - #include <net/checksum.h>
70824 - #include <linux/security.h>
70825 -+#include <linux/grsecurity.h>
70826 -
70827 - int sysctl_unix_max_dgram_qlen __read_mostly = 10;
70828 -
70829 -@@ -733,6 +734,11 @@ static struct sock *unix_find_other(stru
70830 - if (err)
70831 - goto put_fail;
70832 -
70833 -+ if (!gr_acl_handle_unix(nd.dentry, nd.mnt)) {
70834 -+ err = -EACCES;
70835 -+ goto put_fail;
70836 -+ }
70837 -+
70838 - err = -ECONNREFUSED;
70839 - if (!S_ISSOCK(nd.dentry->d_inode->i_mode))
70840 - goto put_fail;
70841 -@@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
70842 - if (u) {
70843 - struct dentry *dentry;
70844 - dentry = unix_sk(u)->dentry;
70845 -+
70846 -+ if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
70847 -+ err = -EPERM;
70848 -+ sock_put(u);
70849 -+ goto fail;
70850 -+ }
70851 -+
70852 - if (dentry)
70853 - touch_atime(unix_sk(u)->mnt, dentry);
70854 - } else
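Review bot: `gr_handle_chroot_unix(u->sk_peercred.pid)` keys the chroot check on a raw pid recorded at bind time; once the binding process exits and the pid is recycled, the check compares against whatever process now holds that number, so the decision can be wrong in both directions. Prefer a reference to the task or its chroot identity captured at bind, or re-validate that the pid still belongs to the binder, and document that this path only covers abstract-namespace sockets (the filesystem path goes through `gr_acl_handle_unix()` in the hunk above).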
70855 -@@ -834,9 +847,18 @@ static int unix_bind(struct socket *sock
70856 - */
70857 - mode = S_IFSOCK |
70858 - (SOCK_INODE(sock)->i_mode & ~current->fs->umask);
70859 -+
70860 -+ if (!gr_acl_handle_mknod(dentry, nd.dentry, nd.mnt, mode)) {
70861 -+ err = -EACCES;
70862 -+ goto out_mknod_dput;
70863 -+ }
70864 -+
70865 - err = vfs_mknod(nd.dentry->d_inode, dentry, mode, 0);
70866 - if (err)
70867 - goto out_mknod_dput;
70868 -+
70869 -+ gr_handle_create(dentry, nd.mnt);
70870 -+
70871 - mutex_unlock(&nd.dentry->d_inode->i_mutex);
70872 - dput(nd.dentry);
70873 - nd.dentry = dentry;
70874 -@@ -854,6 +876,10 @@ static int unix_bind(struct socket *sock
70875 - goto out_unlock;
70876 - }
70877 -
70878 -+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
70879 -+ sk->sk_peercred.pid = current->pid;
70880 -+#endif
70881 -+
70882 - list = &unix_socket_table[addr->hash];
70883 - } else {
70884 - list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
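Review bot: `sk->sk_peercred.pid = current->pid;` records a thread id, not a thread-group id; a `bind()` issued from a non-leader thread stores a value that vanishes when that thread exits while the process lives on, and `sk_peercred` is also the structure userspace reads through SO_PEERCRED. Use `current->tgid` (or a dedicated field under `CONFIG_GRKERNSEC_CHROOT_UNIX`), and note that the matching reader in `unix_find_other()` is compiled unconditionally while this writer sits under `#ifdef`, so the stub must tolerate a zero pid.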
70885 -diff -Nurp linux-2.6.23.15/scripts/pnmtologo.c linux-2.6.23.15-grsec/scripts/pnmtologo.c
70886 ---- linux-2.6.23.15/scripts/pnmtologo.c 2007-10-09 21:31:38.000000000 +0100
70887 -+++ linux-2.6.23.15-grsec/scripts/pnmtologo.c 2008-02-11 10:37:45.000000000 +0000
70888 -@@ -237,14 +237,14 @@ static void write_header(void)
70889 - fprintf(out, " * Linux logo %s\n", logoname);
70890 - fputs(" */\n\n", out);
70891 - fputs("#include <linux/linux_logo.h>\n\n", out);
70892 -- fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
70893 -+ fprintf(out, "static unsigned char %s_data[] = {\n",
70894 - logoname);
70895 - }
70896 -
70897 - static void write_footer(void)
70898 - {
70899 - fputs("\n};\n\n", out);
70900 -- fprintf(out, "struct linux_logo %s __initdata = {\n", logoname);
70901 -+ fprintf(out, "struct linux_logo %s = {\n", logoname);
70902 - fprintf(out, " .type\t= %s,\n", logo_types[logo_type]);
70903 - fprintf(out, " .width\t= %d,\n", logo_width);
70904 - fprintf(out, " .height\t= %d,\n", logo_height);
70905 -@@ -374,7 +374,7 @@ static void write_logo_clut224(void)
70906 - fputs("\n};\n\n", out);
70907 -
70908 - /* write logo clut */
70909 -- fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
70910 -+ fprintf(out, "static unsigned char %s_clut[] = {\n",
70911 - logoname);
70912 - write_hex_cnt = 0;
70913 - for (i = 0; i < logo_clutsize; i++) {
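Review bot: removing `__initdata` from the generated logo arrays and the `struct linux_logo` keeps the boot logo resident for the life of the kernel instead of freeing it with the init section; the hunk gives no reason, so state in the patch description why the data must outlive init, or keep the annotation.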
70914 -diff -Nurp linux-2.6.23.15/security/Kconfig linux-2.6.23.15-grsec/security/Kconfig
70915 ---- linux-2.6.23.15/security/Kconfig 2007-10-09 21:31:38.000000000 +0100
70916 -+++ linux-2.6.23.15-grsec/security/Kconfig 2008-02-11 10:37:45.000000000 +0000
70917 -@@ -4,6 +4,429 @@
70918 -
70919 - menu "Security options"
70920 -
70921 -+source grsecurity/Kconfig
70922 -+
70923 -+menu "PaX"
70924 -+
70925 -+config PAX
70926 -+ bool "Enable various PaX features"
70927 -+ depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
70928 -+ help
70929 -+ This allows you to enable various PaX features. PaX adds
70930 -+ intrusion prevention mechanisms to the kernel that reduce
70931 -+ the risks posed by exploitable memory corruption bugs.
70932 -+
70933 -+menu "PaX Control"
70934 -+ depends on PAX
70935 -+
70936 -+config PAX_SOFTMODE
70937 -+ bool 'Support soft mode'
70938 -+ help
70939 -+ Enabling this option will allow you to run PaX in soft mode, that
70940 -+ is, PaX features will not be enforced by default, only on executables
70941 -+ marked explicitly. You must also enable PT_PAX_FLAGS support as it
70942 -+ is the only way to mark executables for soft mode use.
70943 -+
70944 -+ Soft mode can be activated by using the "pax_softmode=1" kernel command
70945 -+ line option on boot. Furthermore you can control various PaX features
70946 -+ at runtime via the entries in /proc/sys/kernel/pax.
70947 -+
70948 -+config PAX_EI_PAX
70949 -+ bool 'Use legacy ELF header marking'
70950 -+ help
70951 -+ Enabling this option will allow you to control PaX features on
70952 -+ a per executable basis via the 'chpax' utility available at
70953 -+ http://pax.grsecurity.net/. The control flags will be read from
70954 -+ an otherwise reserved part of the ELF header. This marking has
70955 -+ numerous drawbacks (no support for soft-mode, toolchain does not
70956 -+ know about the non-standard use of the ELF header) therefore it
70957 -+ has been deprecated in favour of PT_PAX_FLAGS support.
70958 -+
70959 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
70960 -+ program header then you MUST enable this option otherwise they
70961 -+ will not get any protection.
70962 -+
70963 -+ Note that if you enable PT_PAX_FLAGS marking support as well,
70964 -+ the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
70965 -+
70966 -+config PAX_PT_PAX_FLAGS
70967 -+ bool 'Use ELF program header marking'
70968 -+ help
70969 -+ Enabling this option will allow you to control PaX features on
70970 -+ a per executable basis via the 'paxctl' utility available at
70971 -+ http://pax.grsecurity.net/. The control flags will be read from
70972 -+ a PaX specific ELF program header (PT_PAX_FLAGS). This marking
70973 -+ has the benefits of supporting both soft mode and being fully
70974 -+ integrated into the toolchain (the binutils patch is available
70975 -+ from http://pax.grsecurity.net).
70976 -+
70977 -+ If you have applications not marked by the PT_PAX_FLAGS ELF
70978 -+ program header then you MUST enable the EI_PAX marking support
70979 -+ otherwise they will not get any protection.
70980 -+
70981 -+ Note that if you enable the legacy EI_PAX marking support as well,
70982 -+ the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
70983 -+
70984 -+choice
70985 -+ prompt 'MAC system integration'
70986 -+ default PAX_HAVE_ACL_FLAGS
70987 -+ help
70988 -+ Mandatory Access Control systems have the option of controlling
70989 -+ PaX flags on a per executable basis, choose the method supported
70990 -+ by your particular system.
70991 -+
70992 -+ - "none": if your MAC system does not interact with PaX,
70993 -+ - "direct": if your MAC system defines pax_set_initial_flags() itself,
70994 -+ - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
70995 -+
70996 -+ NOTE: this option is for developers/integrators only.
70997 -+
70998 -+ config PAX_NO_ACL_FLAGS
70999 -+ bool 'none'
71000 -+
71001 -+ config PAX_HAVE_ACL_FLAGS
71002 -+ bool 'direct'
71003 -+
71004 -+ config PAX_HOOK_ACL_FLAGS
71005 -+ bool 'hook'
71006 -+endchoice
71007 -+
71008 -+endmenu
71009 -+
71010 -+menu "Non-executable pages"
71011 -+ depends on PAX
71012 -+
71013 -+config PAX_NOEXEC
71014 -+ bool "Enforce non-executable pages"
71015 -+ depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
71016 -+ help
71017 -+ By design some architectures do not allow for protecting memory
71018 -+ pages against execution or even if they do, Linux does not make
71019 -+ use of this feature. In practice this means that if a page is
71020 -+ readable (such as the stack or heap) it is also executable.
71021 -+
71022 -+ There is a well known exploit technique that makes use of this
71023 -+ fact and a common programming mistake where an attacker can
71024 -+ introduce code of his choice somewhere in the attacked program's
71025 -+ memory (typically the stack or the heap) and then execute it.
71026 -+
71027 -+ If the attacked program was running with different (typically
71028 -+ higher) privileges than that of the attacker, then he can elevate
71029 -+ his own privilege level (e.g. get a root shell, write to files for
71030 -+ which he does not have write access to, etc).
71031 -+
71032 -+ Enabling this option will let you choose from various features
71033 -+ that prevent the injection and execution of 'foreign' code in
71034 -+ a program.
71035 -+
71036 -+ This will also break programs that rely on the old behaviour and
71037 -+ expect that dynamically allocated memory via the malloc() family
71038 -+ of functions is executable (which it is not). Notable examples
71039 -+ are the XFree86 4.x server, the java runtime and wine.
71040 -+
71041 -+config PAX_PAGEEXEC
71042 -+ bool "Paging based non-executable pages"
71043 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MPENTIUM4 || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2)
71044 -+ help
71045 -+ This implementation is based on the paging feature of the CPU.
71046 -+ On i386 without hardware non-executable bit support there is a
71047 -+ variable but usually low performance impact, however on Intel's
71048 -+ P4 core based CPUs it is very high so you should not enable this
71049 -+ for kernels meant to be used on such CPUs.
71050 -+
71051 -+ On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
71052 -+ with hardware non-executable bit support there is no performance
71053 -+ impact, on ppc the impact is negligible.
71054 -+
71055 -+ Note that several architectures require various emulations due to
71056 -+ badly designed userland ABIs, this will cause a performance impact
71057 -+ but will disappear as soon as userland is fixed (e.g., ppc users
71058 -+ can make use of the secure-plt feature found in binutils).
71059 -+
71060 -+config PAX_SEGMEXEC
71061 -+ bool "Segmentation based non-executable pages"
71062 -+ depends on !COMPAT_VDSO && PAX_NOEXEC && X86_32
71063 -+ help
71064 -+ This implementation is based on the segmentation feature of the
71065 -+ CPU and has a very small performance impact, however applications
71066 -+ will be limited to a 1.5 GB address space instead of the normal
71067 -+ 3 GB.
71068 -+
71069 -+config PAX_EMUTRAMP
71070 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
71071 -+ default y if PARISC || PPC32
71072 -+ help
71073 -+ There are some programs and libraries that for one reason or
71074 -+ another attempt to execute special small code snippets from
71075 -+ non-executable memory pages. Most notable examples are the
71076 -+ signal handler return code generated by the kernel itself and
71077 -+ the GCC trampolines.
71078 -+
71079 -+ If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
71080 -+ such programs will no longer work under your kernel.
71081 -+
71082 -+ As a remedy you can say Y here and use the 'chpax' or 'paxctl'
71083 -+ utilities to enable trampoline emulation for the affected programs
71084 -+ yet still have the protection provided by the non-executable pages.
71085 -+
71086 -+ On parisc and ppc you MUST enable this option and EMUSIGRT as
71087 -+ well, otherwise your system will not even boot.
71088 -+
71089 -+ Alternatively you can say N here and use the 'chpax' or 'paxctl'
71090 -+ utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
71091 -+ for the affected files.
71092 -+
71093 -+ NOTE: enabling this feature *may* open up a loophole in the
71094 -+ protection provided by non-executable pages that an attacker
71095 -+ could abuse. Therefore the best solution is to not have any
71096 -+ files on your system that would require this option. This can
71097 -+ be achieved by not using libc5 (which relies on the kernel
71098 -+ signal handler return code) and not using or rewriting programs
71099 -+ that make use of the nested function implementation of GCC.
71100 -+ Skilled users can just fix GCC itself so that it implements
71101 -+ nested function calls in a way that does not interfere with PaX.
71102 -+
71103 -+config PAX_EMUSIGRT
71104 -+ bool "Automatically emulate sigreturn trampolines"
71105 -+ depends on PAX_EMUTRAMP && (PARISC || PPC32)
71106 -+ default y
71107 -+ help
71108 -+ Enabling this option will have the kernel automatically detect
71109 -+ and emulate signal return trampolines executing on the stack
71110 -+ that would otherwise lead to task termination.
71111 -+
71112 -+ This solution is intended as a temporary one for users with
71113 -+ legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
71114 -+ Modula-3 runtime, etc) or executables linked to such, basically
71115 -+ everything that does not specify its own SA_RESTORER function in
71116 -+ normal executable memory like glibc 2.1+ does.
71117 -+
71118 -+ On parisc and ppc you MUST enable this option, otherwise your
71119 -+ system will not even boot.
71120 -+
71121 -+ NOTE: this feature cannot be disabled on a per executable basis
71122 -+ and since it *does* open up a loophole in the protection provided
71123 -+ by non-executable pages, the best solution is to not have any
71124 -+ files on your system that would require this option.
71125 -+
71126 -+config PAX_MPROTECT
71127 -+ bool "Restrict mprotect()"
71128 -+ depends on (PAX_PAGEEXEC || PAX_SEGMEXEC) && !PPC64
71129 -+ help
71130 -+ Enabling this option will prevent programs from
71131 -+ - changing the executable status of memory pages that were
71132 -+ not originally created as executable,
71133 -+ - making read-only executable pages writable again,
71134 -+ - creating executable pages from anonymous memory.
71135 -+
71136 -+ You should say Y here to complete the protection provided by
71137 -+ the enforcement of non-executable pages.
71138 -+
71139 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
71140 -+ this feature on a per file basis.
71141 -+
71142 -+config PAX_NOELFRELOCS
71143 -+ bool "Disallow ELF text relocations"
71144 -+ depends on PAX_MPROTECT && !PAX_ETEXECRELOCS && (IA64 || X86 || X86_64)
71145 -+ help
71146 -+ Non-executable pages and mprotect() restrictions are effective
71147 -+ in preventing the introduction of new executable code into an
71148 -+ attacked task's address space. There remain only two venues
71149 -+ for this kind of attack: if the attacker can execute already
71150 -+ existing code in the attacked task then he can either have it
71151 -+ create and mmap() a file containing his code or have it mmap()
71152 -+ an already existing ELF library that does not have position
71153 -+ independent code in it and use mprotect() on it to make it
71154 -+ writable and copy his code there. While protecting against
71155 -+ the former approach is beyond PaX, the latter can be prevented
71156 -+ by having only PIC ELF libraries on one's system (which do not
71157 -+ need to relocate their code). If you are sure this is your case,
71158 -+ then enable this option otherwise be careful as you may not even
71159 -+ be able to boot or log on your system (for example, some PAM
71160 -+ modules are erroneously compiled as non-PIC by default).
71161 -+
71162 -+ NOTE: if you are using dynamic ELF executables (as suggested
71163 -+ when using ASLR) then you must have made sure that you linked
71164 -+ your files using the PIC version of crt1 (the et_dyn.tar.gz package
71165 -+ referenced there has already been updated to support this).
71166 -+
71167 -+config PAX_ETEXECRELOCS
71168 -+ bool "Allow ELF ET_EXEC text relocations"
71169 -+ depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
71170 -+ default y
71171 -+ help
71172 -+ On some architectures there are incorrectly created applications
71173 -+ that require text relocations and would not work without enabling
71174 -+ this option. If you are an alpha, ia64 or parisc user, you should
71175 -+ enable this option and disable it once you have made sure that
71176 -+ none of your applications need it.
71177 -+
71178 -+config PAX_EMUPLT
71179 -+ bool "Automatically emulate ELF PLT"
71180 -+ depends on PAX_MPROTECT && (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
71181 -+ default y
71182 -+ help
71183 -+ Enabling this option will have the kernel automatically detect
71184 -+ and emulate the Procedure Linkage Table entries in ELF files.
71185 -+ On some architectures such entries are in writable memory, and
71186 -+ become non-executable leading to task termination. Therefore
71187 -+ it is mandatory that you enable this option on alpha, parisc,
71188 -+ ppc (if secure-plt is not used throughout in userland), sparc
71189 -+ and sparc64, otherwise your system would not even boot.
71190 -+
71191 -+ NOTE: this feature *does* open up a loophole in the protection
71192 -+ provided by the non-executable pages, therefore the proper
71193 -+ solution is to modify the toolchain to produce a PLT that does
71194 -+ not need to be writable.
71195 -+
71196 -+config PAX_DLRESOLVE
71197 -+ bool
71198 -+ depends on PAX_EMUPLT && (SPARC32 || SPARC64)
71199 -+ default y
71200 -+
71201 -+config PAX_SYSCALL
71202 -+ bool
71203 -+ depends on PAX_PAGEEXEC && PPC32
71204 -+ default y
71205 -+
71206 -+config PAX_KERNEXEC
71207 -+ bool "Enforce non-executable kernel pages"
71208 -+ depends on PAX_NOEXEC && X86_32 && !EFI && !COMPAT_VDSO && X86_WP_WORKS_OK && !PARAVIRT
71209 -+ help
71210 -+ This is the kernel land equivalent of PAGEEXEC and MPROTECT,
71211 -+ that is, enabling this option will make it harder to inject
71212 -+ and execute 'foreign' code in kernel memory itself.
71213 -+
71214 -+endmenu
71215 -+
71216 -+menu "Address Space Layout Randomization"
71217 -+ depends on PAX
71218 -+
71219 -+config PAX_ASLR
71220 -+ bool "Address Space Layout Randomization"
71221 -+ depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
71222 -+ help
71223 -+ Many if not most exploit techniques rely on the knowledge of
71224 -+ certain addresses in the attacked program. The following options
71225 -+ will allow the kernel to apply a certain amount of randomization
71226 -+ to specific parts of the program thereby forcing an attacker to
71227 -+ guess them in most cases. Any failed guess will most likely crash
71228 -+ the attacked program which allows the kernel to detect such attempts
71229 -+ and react on them. PaX itself provides no reaction mechanisms,
71230 -+ instead it is strongly encouraged that you make use of Nergal's
71231 -+ segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
71232 -+ (http://www.grsecurity.net/) built-in crash detection features or
71233 -+ develop one yourself.
71234 -+
71235 -+ By saying Y here you can choose to randomize the following areas:
71236 -+ - top of the task's kernel stack
71237 -+ - top of the task's userland stack
71238 -+ - base address for mmap() requests that do not specify one
71239 -+ (this includes all libraries)
71240 -+ - base address of the main executable
71241 -+
71242 -+ It is strongly recommended to say Y here as address space layout
71243 -+ randomization has negligible impact on performance yet it provides
71244 -+ a very effective protection.
71245 -+
71246 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control
71247 -+ this feature on a per file basis.
71248 -+
71249 -+config PAX_RANDKSTACK
71250 -+ bool "Randomize kernel stack base"
71251 -+ depends on PAX_ASLR && X86_TSC && X86_32
71252 -+ help
71253 -+ By saying Y here the kernel will randomize every task's kernel
71254 -+ stack on every system call. This will not only force an attacker
71255 -+ to guess it but also prevent him from making use of possible
71256 -+ leaked information about it.
71257 -+
71258 -+ Since the kernel stack is a rather scarce resource, randomization
71259 -+ may cause unexpected stack overflows, therefore you should very
71260 -+ carefully test your system. Note that once enabled in the kernel
71261 -+ configuration, this feature cannot be disabled on a per file basis.
71262 -+
71263 -+config PAX_RANDUSTACK
71264 -+ bool "Randomize user stack base"
71265 -+ depends on PAX_ASLR
71266 -+ help
71267 -+ By saying Y here the kernel will randomize every task's userland
71268 -+ stack. The randomization is done in two steps where the second
71269 -+ one may apply a big amount of shift to the top of the stack and
71270 -+ cause problems for programs that want to use lots of memory (more
71271 -+ than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
71272 -+ For this reason the second step can be controlled by 'chpax' or
71273 -+ 'paxctl' on a per file basis.
71274 -+
71275 -+config PAX_RANDMMAP
71276 -+ bool "Randomize mmap() base"
71277 -+ depends on PAX_ASLR
71278 -+ help
71279 -+ By saying Y here the kernel will use a randomized base address for
71280 -+ mmap() requests that do not specify one themselves. As a result
71281 -+ all dynamically loaded libraries will appear at random addresses
71282 -+ and therefore be harder to exploit by a technique where an attacker
71283 -+ attempts to execute library code for his purposes (e.g. spawn a
71284 -+ shell from an exploited program that is running at an elevated
71285 -+ privilege level).
71286 -+
71287 -+ Furthermore, if a program is relinked as a dynamic ELF file, its
71288 -+ base address will be randomized as well, completing the full
71289 -+ randomization of the address space layout. Attacking such programs
71290 -+ becomes a guess game. You can find an example of doing this at
71291 -+ http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
71292 -+ http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
71293 -+
71294 -+ NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
71295 -+ feature on a per file basis.
71296 -+
71297 -+endmenu
71298 -+
71299 -+menu "Miscellaneous hardening features"
71300 -+
71301 -+config PAX_MEMORY_SANITIZE
71302 -+ bool "Sanitize all freed memory"
71303 -+ help
71304 -+ By saying Y here the kernel will erase memory pages as soon as they
71305 -+ are freed. This in turn reduces the lifetime of data stored in the
71306 -+ pages, making it less likely that sensitive information such as
71307 -+ passwords, cryptographic secrets, etc stay in memory for too long.
71308 -+
71309 -+ This is especially useful for programs whose runtime is short, long
71310 -+ lived processes and the kernel itself benefit from this as long as
71311 -+ they operate on whole memory pages and ensure timely freeing of pages
71312 -+ that may hold sensitive information.
71313 -+
71314 -+ The tradeoff is performance impact, on a single CPU system kernel
71315 -+ compilation sees a 3% slowdown, other systems and workloads may vary
71316 -+ and you are advised to test this feature on your expected workload
71317 -+ before deploying it.
71318 -+
71319 -+ Note that this feature does not protect data stored in live pages,
71320 -+ e.g., process memory swapped to disk may stay there for a long time.
71321 -+
71322 -+config PAX_MEMORY_UDEREF
71323 -+ bool "Prevent invalid userland pointer dereference"
71324 -+ depends on X86_32 && !COMPAT_VDSO
71325 -+ help
71326 -+ By saying Y here the kernel will be prevented from dereferencing
71327 -+ userland pointers in contexts where the kernel expects only kernel
71328 -+ pointers. This is both a useful runtime debugging feature and a
71329 -+ security measure that prevents exploiting a class of kernel bugs.
71330 -+
71331 -+ The tradeoff is that some virtualization solutions may experience
71332 -+ a huge slowdown and therefore you should not enable this feature
71333 -+ for kernels meant to run in such environments. Whether a given VM
71334 -+ solution is affected or not is best determined by simply trying it
71335 -+ out, the performance impact will be obvious right on boot as this
71336 -+ mechanism engages from very early on. A good rule of thumb is that
71337 -+ VMs running on CPUs without hardware virtualization support (i.e.,
71338 -+ the majority of IA-32 CPUs) will likely experience the slowdown.
71339 -+
71340 -+endmenu
71341 -+
71342 -+endmenu
71343 -+
71344 - config KEYS
71345 - bool "Enable access key retention support"
71346 - help
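Review bot: The PAX_ASLR help text lists "top of the task's kernel stack" as one of the areas that saying Y randomizes, but PAX_RANDKSTACK a few entries below carries `depends on PAX_ASLR && X86_TSC && X86_32`, so that item only exists on 32-bit x86 with a usable TSC; the list should say so instead of promising it unconditionally. The same applies to the PAX_MEMORY_UDEREF entry: its help explains the VM slowdown well, but nothing in PAX_KERNEXEC's text mentions that it shares the `!COMPAT_VDSO` and `!PARAVIRT` constraints (`depends on PAX_NOEXEC && X86_32 && !EFI && !COMPAT_VDSO && X86_WP_WORKS_OK && !PARAVIRT`), which is exactly the expression any Kconfig `select` of these symbols has to repeat by hand. Whichever copy of this patch survives the renumbering visible further down should carry those two clarifications.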
71347 -diff -Nurp linux-2.6.23.15/security/commoncap.c linux-2.6.23.15-grsec/security/commoncap.c
71348 ---- linux-2.6.23.15/security/commoncap.c 2007-10-09 21:31:38.000000000 +0100
71349 -+++ linux-2.6.23.15-grsec/security/commoncap.c 2008-02-11 10:37:45.000000000 +0000
71350 -@@ -22,10 +22,11 @@
71351 - #include <linux/ptrace.h>
71352 - #include <linux/xattr.h>
71353 - #include <linux/hugetlb.h>
71354 -+#include <linux/grsecurity.h>
71355 -
71356 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
71357 - {
71358 -- NETLINK_CB(skb).eff_cap = current->cap_effective;
71359 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
71360 - return 0;
71361 - }
71362 -
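Review bot: `cap_netlink_send` is the LSM `netlink_send` hook for every netlink socket, not only rtnetlink, yet the replacement `NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();` receives neither `sk` nor `skb`, so it cannot tell which protocol family the message belongs to. Either pass `sk` and have the helper return `current->cap_effective` unchanged for non-rtnetlink families, or add a comment here stating that it already does so internally; as written, a capability mask meant for rtnetlink is stamped onto audit, uevent and every other netlink message sent through this path.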
71363 -@@ -43,7 +44,15 @@ EXPORT_SYMBOL(cap_netlink_recv);
71364 - int cap_capable (struct task_struct *tsk, int cap)
71365 - {
71366 - /* Derived from include/linux/sched.h:capable. */
71367 -- if (cap_raised(tsk->cap_effective, cap))
71368 -+ if (cap_raised (tsk->cap_effective, cap))
71369 -+ return 0;
71370 -+ return -EPERM;
71371 -+}
71372 -+
71373 -+int cap_capable_nolog (struct task_struct *tsk, int cap)
71374 -+{
71375 -+ /* tsk = current for all callers */
71376 -+ if (cap_raised(tsk->cap_effective, cap) && gr_is_capable_nolog(cap))
71377 - return 0;
71378 - return -EPERM;
71379 - }
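Review bot: The only change to `cap_capable` itself is whitespace, `cap_raised(tsk->cap_effective, cap)` becoming `cap_raised (tsk->cap_effective, cap)`, which adds a -/+ pair to the diff for no functional reason and should be dropped. In the new `cap_capable_nolog`, the comment `/* tsk = current for all callers */` covers for the fact that `gr_is_capable_nolog(cap)` takes no task while the function still accepts one: a future caller passing a different task would have the capability bit tested on `tsk` and the grsecurity decision made for `current`. Either remove the `tsk` parameter or pass it through to the grsecurity helper; then the comment is no longer needed.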
71380 -@@ -162,8 +171,11 @@ void cap_bprm_apply_creds (struct linux_
71381 - }
71382 - }
71383 -
71384 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
71385 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
71386 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
71387 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
71388 -+
71389 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
71390 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
71391 -
71392 - /* For init, we want to retain the capabilities set
71393 - * in the init_task struct. Thus we skip the usual
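Review bot: When `gr_check_user_change(-1, bprm->e_uid, bprm->e_uid)` or its group counterpart returns non-zero, the set-id transition is silently skipped and the exec continues with the caller's old credentials, which is neither what the binary's set-id bit asked for nor a visible denial. `cap_bprm_apply_creds` is `void`, so there is no way to fail the exec at this point; the decision belongs in an earlier hook that can return an error (`bprm_set_security` or `bprm_check_security`), or at minimum the refusal should be logged and the task terminated rather than run with surprising credentials. The literal `-1` passed as an unsigned `uid_t`/`gid_t` sentinel also deserves a named constant or the explicit `(uid_t) -1` form so readers recognise the "no change" convention.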
71394 -@@ -174,6 +186,8 @@ void cap_bprm_apply_creds (struct linux_
71395 - cap_intersect (new_permitted, bprm->cap_effective);
71396 - }
71397 -
71398 -+ gr_handle_chroot_caps(current);
71399 -+
71400 - /* AUD: Audit candidate if current->cap_effective is set */
71401 -
71402 - current->keep_capabilities = 0;
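Review bot: `gr_handle_chroot_caps(current);` is inserted after the closing brace of the block that assigns the final `cap_effective = cap_intersect (new_permitted, bprm->cap_effective)`, which is the only position that works (any earlier and the assignment would overwrite whatever the chroot handler drops), but nothing says so. A one-line comment stating that it must run after the capability sets are committed would keep the call from being moved on the next rebase, and the patch description should mention that capability dropping for chrooted tasks now happens on every exec.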
71403 -@@ -319,12 +333,13 @@ int cap_vm_enough_memory(struct mm_struc
71404 - {
71405 - int cap_sys_admin = 0;
71406 -
71407 -- if (cap_capable(current, CAP_SYS_ADMIN) == 0)
71408 -+ if (cap_capable_nolog(current, CAP_SYS_ADMIN) == 0)
71409 - cap_sys_admin = 1;
71410 - return __vm_enough_memory(mm, pages, cap_sys_admin);
71411 - }
71412 -
71413 - EXPORT_SYMBOL(cap_capable);
71414 -+EXPORT_SYMBOL(cap_capable_nolog);
71415 - EXPORT_SYMBOL(cap_settime);
71416 - EXPORT_SYMBOL(cap_ptrace);
71417 - EXPORT_SYMBOL(cap_capget);
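Review bot: Switching the overcommit check to `cap_capable_nolog(current, CAP_SYS_ADMIN)` is the right call, since `__vm_enough_memory` runs on every mapping request and would otherwise flood the capability audit log, but no prototype for `cap_capable_nolog` appears anywhere in the visible part of this patch while `EXPORT_SYMBOL(cap_capable_nolog);` makes it available to modules. Make sure the header that declares `cap_capable` gains a matching declaration, or any out-of-tree module using the export fails under the `-Werror-implicit-function-declaration` flag the kernel Makefile sets.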
71418 -diff -Nurp linux-2.6.23.15/security/dummy.c linux-2.6.23.15-grsec/security/dummy.c
71419 ---- linux-2.6.23.15/security/dummy.c 2007-10-09 21:31:38.000000000 +0100
71420 -+++ linux-2.6.23.15-grsec/security/dummy.c 2008-02-11 10:37:45.000000000 +0000
71421 -@@ -28,6 +28,7 @@
71422 - #include <linux/hugetlb.h>
71423 - #include <linux/ptrace.h>
71424 - #include <linux/file.h>
71425 -+#include <linux/grsecurity.h>
71426 -
71427 - static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
71428 - {
71429 -@@ -138,8 +139,11 @@ static void dummy_bprm_apply_creds (stru
71430 - }
71431 - }
71432 -
71433 -- current->suid = current->euid = current->fsuid = bprm->e_uid;
71434 -- current->sgid = current->egid = current->fsgid = bprm->e_gid;
71435 -+ if (!gr_check_user_change(-1, bprm->e_uid, bprm->e_uid))
71436 -+ current->suid = current->euid = current->fsuid = bprm->e_uid;
71437 -+
71438 -+ if (!gr_check_group_change(-1, bprm->e_gid, bprm->e_gid))
71439 -+ current->sgid = current->egid = current->fsgid = bprm->e_gid;
71440 -
71441 - dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
71442 - }
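Review bot: This repeats the uid/gid gating from `commoncap.c` verbatim in `dummy_bprm_apply_creds`, including the same silent-skip behaviour when `gr_check_user_change` or `gr_check_group_change` refuses the transition; two copies will drift, so factor the pair of checks into one inline helper in `linux/grsecurity.h` that both files call. Note also that `dummy.c` is the fallback used when no security module is active, so after this hunk grsecurity's credential checks apply even with LSM disabled; that is presumably intended but should be stated in the patch description.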
71443 -diff -Nurp linux-2.6.23.15/sound/core/oss/pcm_oss.c linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c
71444 ---- linux-2.6.23.15/sound/core/oss/pcm_oss.c 2007-10-09 21:31:38.000000000 +0100
71445 -+++ linux-2.6.23.15-grsec/sound/core/oss/pcm_oss.c 2008-02-11 10:37:45.000000000 +0000
71446 -@@ -2880,8 +2880,8 @@ static void snd_pcm_oss_proc_done(struct
71447 - }
71448 - }
71449 - #else /* !CONFIG_SND_VERBOSE_PROCFS */
71450 --#define snd_pcm_oss_proc_init(pcm)
71451 --#define snd_pcm_oss_proc_done(pcm)
71452 -+#define snd_pcm_oss_proc_init(pcm) do {} while (0)
71453 -+#define snd_pcm_oss_proc_done(pcm) do {} while (0)
71454 - #endif /* CONFIG_SND_VERBOSE_PROCFS */
71455 -
71456 - /*
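Review bot: `#define snd_pcm_oss_proc_init(pcm) do {} while (0)` and its sibling are warning-silencing edits (an empty macro in statement position trips the extra warnings that `-W` enables), as are the `/**/` to `do {} while (0)` rewrites in `seq_lock.h` that follow. They are harmless, but they have nothing to do with hardening and belong in the separate warnings patch or upstream, not in the grsecurity patch where each hunk should be reviewable as a security change.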
71457 -diff -Nurp linux-2.6.23.15/sound/core/seq/seq_lock.h linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h
71458 ---- linux-2.6.23.15/sound/core/seq/seq_lock.h 2007-10-09 21:31:38.000000000 +0100
71459 -+++ linux-2.6.23.15-grsec/sound/core/seq/seq_lock.h 2008-02-11 10:37:45.000000000 +0000
71460 -@@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
71461 - #else /* SMP || CONFIG_SND_DEBUG */
71462 -
71463 - typedef spinlock_t snd_use_lock_t; /* dummy */
71464 --#define snd_use_lock_init(lockp) /**/
71465 --#define snd_use_lock_use(lockp) /**/
71466 --#define snd_use_lock_free(lockp) /**/
71467 --#define snd_use_lock_sync(lockp) /**/
71468 -+#define snd_use_lock_init(lockp) do {} while (0)
71469 -+#define snd_use_lock_use(lockp) do {} while (0)
71470 -+#define snd_use_lock_free(lockp) do {} while (0)
71471 -+#define snd_use_lock_sync(lockp) do {} while (0)
71472 -
71473 - #endif /* SMP || CONFIG_SND_DEBUG */
71474 -
71475 -diff -Nurp linux-2.6.23.15/sound/pci/ac97/ac97_patch.c linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c
71476 ---- linux-2.6.23.15/sound/pci/ac97/ac97_patch.c 2007-10-09 21:31:38.000000000 +0100
71477 -+++ linux-2.6.23.15-grsec/sound/pci/ac97/ac97_patch.c 2008-02-11 10:37:45.000000000 +0000
71478 -@@ -1415,7 +1415,7 @@ static const struct snd_ac97_res_table a
71479 - { AC97_VIDEO, 0x9f1f },
71480 - { AC97_AUX, 0x9f1f },
71481 - { AC97_PCM, 0x9f1f },
71482 -- { } /* terminator */
71483 -+ { 0, 0 } /* terminator */
71484 - };
71485 -
71486 - static int patch_ad1819(struct snd_ac97 * ac97)
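Review bot: Replacing the standard `{ } /* terminator */` with `{ 0, 0 }` trades a form the C standard guarantees (a brace initializer zero-fills the members it does not name) for a positional list that has to match the struct's member count by hand; the same pattern recurs in the hunks that follow, up to `{ 0, 0, 0, 0, 0, 0, 0 }` for `pci_device_id` and `{ 0, 0, 0, 0, NULL, 0 }` for `ac97_quirk`, each of which quietly goes stale if a member is added. If the goal is only to silence the missing-field-initializer warnings that the added `-W` flag produces, dropping that flag (as the mute-warnings patch further down on this page does) is cheaper and safer than rewriting terminators across the sound tree.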
71487 -@@ -3489,7 +3489,7 @@ static struct snd_ac97_res_table lm4550_
71488 - { AC97_AUX, 0x1f1f },
71489 - { AC97_PCM, 0x1f1f },
71490 - { AC97_REC_GAIN, 0x0f0f },
71491 -- { } /* terminator */
71492 -+ { 0, 0 } /* terminator */
71493 - };
71494 -
71495 - static int patch_lm4550(struct snd_ac97 *ac97)
71496 -diff -Nurp linux-2.6.23.15/sound/pci/ens1370.c linux-2.6.23.15-grsec/sound/pci/ens1370.c
71497 ---- linux-2.6.23.15/sound/pci/ens1370.c 2007-10-09 21:31:38.000000000 +0100
71498 -+++ linux-2.6.23.15-grsec/sound/pci/ens1370.c 2008-02-11 10:37:45.000000000 +0000
71499 -@@ -453,7 +453,7 @@ static struct pci_device_id snd_audiopci
71500 - { 0x1274, 0x5880, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* ES1373 - CT5880 */
71501 - { 0x1102, 0x8938, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0, }, /* Ectiva EV1938 */
71502 - #endif
71503 -- { 0, }
71504 -+ { 0, 0, 0, 0, 0, 0, 0 }
71505 - };
71506 -
71507 - MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
71508 -diff -Nurp linux-2.6.23.15/sound/pci/intel8x0.c linux-2.6.23.15-grsec/sound/pci/intel8x0.c
71509 ---- linux-2.6.23.15/sound/pci/intel8x0.c 2007-10-09 21:31:38.000000000 +0100
71510 -+++ linux-2.6.23.15-grsec/sound/pci/intel8x0.c 2008-02-11 10:37:45.000000000 +0000
71511 -@@ -436,7 +436,7 @@ static struct pci_device_id snd_intel8x0
71512 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
71513 - { 0x1022, 0x7445, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD768 */
71514 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
71515 -- { 0, }
71516 -+ { 0, 0, 0, 0, 0, 0, 0 }
71517 - };
71518 -
71519 - MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
71520 -@@ -2044,7 +2044,7 @@ static struct ac97_quirk ac97_quirks[] _
71521 - .type = AC97_TUNE_HP_ONLY
71522 - },
71523 - #endif
71524 -- { } /* terminator */
71525 -+ { 0, 0, 0, 0, NULL, 0 } /* terminator */
71526 - };
71527 -
71528 - static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
71529 -diff -Nurp linux-2.6.23.15/sound/pci/intel8x0m.c linux-2.6.23.15-grsec/sound/pci/intel8x0m.c
71530 ---- linux-2.6.23.15/sound/pci/intel8x0m.c 2007-10-09 21:31:38.000000000 +0100
71531 -+++ linux-2.6.23.15-grsec/sound/pci/intel8x0m.c 2008-02-11 10:37:45.000000000 +0000
71532 -@@ -240,7 +240,7 @@ static struct pci_device_id snd_intel8x0
71533 - { 0x1022, 0x746d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_INTEL }, /* AMD8111 */
71534 - { 0x10b9, 0x5455, PCI_ANY_ID, PCI_ANY_ID, 0, 0, DEVICE_ALI }, /* Ali5455 */
71535 - #endif
71536 -- { 0, }
71537 -+ { 0, 0, 0, 0, 0, 0, 0 }
71538 - };
71539 -
71540 - MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
71541 -@@ -1261,7 +1261,7 @@ static struct shortname_table {
71542 - { 0x5455, "ALi M5455" },
71543 - { 0x746d, "AMD AMD8111" },
71544 - #endif
71545 -- { 0 },
71546 -+ { 0, NULL },
71547 - };
71548 -
71549 - static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
71550
71551 Deleted: hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch
71552 ===================================================================
71553 --- hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch 2008-04-07 12:57:31 UTC (rev 89)
71554 +++ hardened-sources/2.6/trunk/2.6.23/4435_grsec-2.1.10-mute-warnings.patch 2008-04-30 11:22:14 UTC (rev 90)
71555 @@ -1,23 +0,0 @@
71556 -From: Alexander Gabert <gaberta@××××××××.de>
71557 -
71558 -This patch removes the warnings introduced by grsec patch 2.1.9 and later.
71559 -It removes the -W options added by the patch and restores the original
71560 -warning flags of vanilla kernel versions.
71561 -
71562 -Acked-by: Christian Heim <phreak@g.o>
71563 -
71564 ----
71565 - Makefile | 5 +++--
71566 - 1 file changed, 3 insertions(+), 2 deletions(-)
71567 -
71568 ---- a/Makefile
71569 -+++ b/Makefile
71570 -@@ -312,7 +312,7 @@ LINUXINCLUDE := -Iinclude \
71571 -
71572 - CPPFLAGS := -D__KERNEL__ $(LINUXINCLUDE)
71573 -
71574 --CFLAGS := -Wall -W -Wno-unused -Wno-sign-compare -Wundef -Wstrict-prototypes -Wno-trigraphs \
71575 -+CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
71576 - -fno-strict-aliasing -fno-common \
71577 - -Werror-implicit-function-declaration
71578 - AFLAGS := -D__ASSEMBLY__
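Review bot: The diffstat embedded in this file, `Makefile | 5 +++--` with `3 insertions(+), 2 deletions(-)`, never matched its single hunk (`@@ -312,7 +312,7 @@`, one line replaced); if the file is being renumbered rather than dropped, as the other Deleted/Added pairs on this page suggest, correct the stat in the surviving copy. Also worth recording in that copy: the removed `-W -Wno-unused -Wno-sign-compare` triple is what the `{ 0, 0 }`-style terminator rewrites in the grsecurity patch exist to appease, so with this patch applied those rewrites are no longer needed.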
71579
71580 Added: hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch
71581 ===================================================================
71582 --- hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch (rev 0)
71583 +++ hardened-sources/2.6/trunk/2.6.23/4435_grsec-kconfig-gentoo.patch 2008-04-30 11:22:14 UTC (rev 90)
71584 @@ -0,0 +1,117 @@
71585 +From: Kerin Millar <kerframil@×××××.com>
71586 +
71587 +Add a Hardened Gentoo target to the list of security levels. It's
71588 +designed to provide a comparitively high level of security and to be
71589 +generally suitable for as great a majority of the userbase as possible
71590 +(particularly new users). The patch was originally contributed by Ned
71591 +Ludd <solar@g.o>. This instance was revised by the author with
71592 +contributions from Gordon Malm <bugs-gentoo-org-02@××××××.org> for the
71593 +hardened-sources-2.6.23-r9 release where it is now a default.
71594 +
71595 +--- a/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
71596 ++++ b/grsecurity/Kconfig 2008-03-22 17:54:44.000000000 +0000
71597 +@@ -18,7 +18,7 @@
71598 + choice
71599 + prompt "Security Level"
71600 + depends GRKERNSEC
71601 +- default GRKERNSEC_CUSTOM
71602 ++ default GRKERNSEC_HARDENED
71603 +
71604 + config GRKERNSEC_LOW
71605 + bool "Low"
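Review bot: Changing the `choice` default from `GRKERNSEC_CUSTOM` to `GRKERNSEC_HARDENED` means every fresh `oldconfig` or `menuconfig` run on this tree now lands on the large `select` list in the next hunk, `PAX_MEMORY_UDEREF` included, which the new level's own help text says must be turned off for virtual machines; the patch description should say plainly that users who relied on the old default will see their security level change. Minor: "comparitively" in the description should read "comparatively".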
71606 +@@ -182,6 +182,95 @@
71607 + - Kernel symbol hiding
71608 + - Destroy unused shared memory
71609 + - Prevention of memory exhaustion-based exploits
71610 ++
71611 ++config GRKERNSEC_HARDENED
71612 ++ bool "Hardened [Gentoo]"
71613 ++ select GRKERNSEC_KMEM
71614 ++ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
71615 ++ select GRKERNSEC_BRUTE
71616 ++ select GRKERNSEC_MODSTOP if (MODULES)
71617 ++ select GRKERNSEC_HIDESYM
71618 ++ select GRKERNSEC_PROC
71619 ++ select GRKERNSEC_PROC_USER
71620 ++ select GRKERNSEC_PROC_ADD
71621 ++ select GRKERNSEC_LINK
71622 ++ select GRKERNSEC_FIFO
71623 ++ select GRKERNSEC_CHROOT
71624 ++ select GRKERNSEC_CHROOT_MOUNT
71625 ++ select GRKERNSEC_CHROOT_DOUBLE
71626 ++ select GRKERNSEC_CHROOT_PIVOT
71627 ++ select GRKERNSEC_CHROOT_CHDIR
71628 ++ select GRKERNSEC_CHROOT_CHMOD
71629 ++ select GRKERNSEC_CHROOT_FCHDIR
71630 ++ select GRKERNSEC_CHROOT_MKNOD
71631 ++ select GRKERNSEC_CHROOT_SHMAT
71632 ++ select GRKERNSEC_CHROOT_UNIX
71633 ++ select GRKERNSEC_CHROOT_FINDTASK
71634 ++ select GRKERNSEC_CHROOT_NICE
71635 ++ select GRKERNSEC_CHROOT_SYSCTL
71636 ++ select GRKERNSEC_CHROOT_CAPS
71637 ++ select GRKERNSEC_RESLOG
71638 ++ select GRKERNSEC_SIGNAL
71639 ++ select GRKERNSEC_FORKFAIL
71640 ++ select GRKERNSEC_TIME
71641 ++ select GRKERNSEC_PROC_IPADDR
71642 ++ select GRKERNSEC_EXECVE
71643 ++ select GRKERNSEC_DMESG
71644 ++ select GRKERNSEC_RANDNET
71645 ++ select GRKERNSEC_SYSCTL
71646 ++ select GRKERNSEC_SYSCTL_ON
71647 ++ select PAX
71648 ++ select PAX_EI_PAX
71649 ++ select PAX_PT_PAX_FLAGS
71650 ++ select PAX_HAVE_ACL_FLAGS
71651 ++ select PAX_NOEXEC
71652 ++ select PAX_PAGEEXEC
71653 ++ select PAX_SEGMEXEC if (X86 && !X86_64)
71654 ++ select PAX_EMUTRAMP if (PARISC)
71655 ++ select PAX_EMUSIGRT if (PARISC)
71656 ++ select PAX_MPROTECT
71657 ++ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
71658 ++ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
71659 ++ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
71660 ++ select PAX_SYSCALL if (PPC32)
71661 ++ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
71662 ++ select PAX_ASLR
71663 ++ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
71664 ++ select PAX_RANDUSTACK
71665 ++ select PAX_RANDMMAP
71666 ++ select PAX_MEMORY_SANITIZE
71667 ++ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
71668 ++ help
71669 ++ If you say Y here, a configuration will be used that is endorsed by the
71670 ++ Hardened Gentoo project. It is designed to provide a high level of
71671 ++ security whilst minimizing the chance of incompatibilities with rare
71672 ++ software on your machine. As such, many of the features of grsecurity
71673 ++ and PaX will be enabled. For further information, you should view
71674 ++ <http://grsecurity.net> and <http://pax.grsecurity.net> as well as the
71675 ++ Hardened Gentoo Primer at
71676 ++ <http://gentoo.org/proj/en/hardened/primer.xml>.
71677 ++
71678 ++ You may wish to emerge paxctl which will allow you to toggle specific
71679 ++ PaX features on problematic binaries. Note that this only works for ELF
71680 ++ binaries that contain a PT_PAX_FLAGS header. In layman's terms this
71681 ++ means that, if you need to toggle PaX features on binaries provided by
71682 ++ applications that are distributed only in binary format (rather than
71683 ++ being built locally from sources), you may need to run paxctl -C on the
71684 ++ binaries beforehand so as to add the missing headers.
71685 ++
71686 ++ When this level is selected, some options cannot be changed. However,
71687 ++ you may opt to fully customize the options that are selected by choosing
71688 ++ "Custom" in the Security Level menu. You may find it helpful to inherit
71689 ++ the options selected by the "Hardened [Gentoo]" level as a starting
71690 ++ point for further configuration. To accomplish this, select this level
71691 ++ then exit the menuconfig interface, saving changes when prompted. Next,
71692 ++ run make menuconfig again and select the "Custom" level.
71693 ++
71694 ++ Please note that this security level is not designed to be used in
71695 ++ virtualized environments. If you intend to run the kernel in a virtual
71696 ++ machine then you will probably need to disable the PAX_MEMORY_UDEREF
71697 ++ option in order to avoid an unacceptable impact upon performance.
71698 ++
71699 + config GRKERNSEC_CUSTOM
71700 + bool "Custom"
71701 + help
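Review bot: Kconfig `select` forces a symbol on without evaluating that symbol's own `depends on`, so every conditional in this block has to mirror the target's dependency line by hand. `select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)` does match the `PAX_KERNEXEC` definition shown earlier on this page, and `select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)` matches too, but `select PAX_RANDKSTACK if (X86_TSC && !X86_64)` and `select PAX_SEGMEXEC if (X86 && !X86_64)` spell the same architecture test differently from the `X86_32` the definitions use; pick one form so a later dependency change is caught by a plain grep. The unconditional `select PAX_ASLR` is only valid because `PAX_EI_PAX` and `PAX_PT_PAX_FLAGS` are selected just above it (PAX_ASLR depends on one of the flag-marking options); that ordering dependency deserves a comment.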
71702
71703 Deleted: hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch
71704 ===================================================================
71705 --- hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-04-07 12:57:31 UTC (rev 89)
71706 +++ hardened-sources/2.6/trunk/2.6.23/4440_grsec-2.1.10-pax_curr_ip-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
71707 @@ -1,46 +0,0 @@
71708 ----
71709 - arch/i386/mm/fault.c | 2 ++
71710 - fs/exec.c | 2 ++
71711 - security/Kconfig | 2 +-
71712 - 3 files changed, 5 insertions(+), 1 deletion(-)
71713 -
71714 ---- a/arch/i386/mm/fault.c
71715 -+++ b/arch/i386/mm/fault.c
71716 -@@ -722,10 +722,12 @@ no_context:
71717 - #else
71718 - else if (init_mm.start_code <= address && address < init_mm.end_code)
71719 - #endif
71720 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
71721 - if (tsk->signal->curr_ip)
71722 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
71723 - NIPQUAD(tsk->signal->curr_ip), tsk->comm, tsk->pid, tsk->uid, tsk->euid);
71724 - else
71725 -+#endif
71726 - printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code",
71727 - tsk->comm, tsk->pid, tsk->uid, tsk->euid);
71728 - #endif
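Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` guard opens before `if (tsk->signal->curr_ip)` and closes between the `else` and the unconditional `printk`, so that with the option off only the plain message is compiled; it works, but an `if`/`else` split across an `#endif` is easy to break on the next rebase, and the identical construct appears again in the `fs/exec.c` hunk. If this file is being renumbered rather than dropped, the surviving copy would be safer with a small helper that logs the address when the option is on and expands to nothing otherwise, leaving a single `printk` in each caller.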
71729 ---- a/fs/exec.c
71730 -+++ b/fs/exec.c
71731 -@@ -1733,9 +1733,11 @@ void pax_report_fault(struct pt_regs *re
71732 - }
71733 - up_read(&mm->mmap_sem);
71734 - }
71735 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
71736 - if (tsk->signal->curr_ip)
71737 - printk(KERN_ERR "PAX: From %u.%u.%u.%u: execution attempt in: %s, %08lx-%08lx %08lx\n", NIPQUAD(tsk->signal->curr_ip), path_fault, start, end, offset);
71738 - else
71739 -+#endif
71740 - printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
71741 - printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
71742 - "PC: %p, SP: %p\n", path_exec, tsk->comm, tsk->pid,
71743 ---- a/security/Kconfig
71744 -+++ b/security/Kconfig
71745 -@@ -10,7 +10,7 @@ menu "PaX"
71746 -
71747 - config PAX
71748 - bool "Enable various PaX features"
71749 -- depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
71750 -+ depends on (ALPHA || ARM || AVR32 || IA64 || MIPS32 || MIPS64 || PARISC || PPC32 || PPC64 || SPARC32 || SPARC64 || X86 || X86_64)
71751 - help
71752 - This allows you to enable various PaX features. PaX adds
71753 - intrusion prevention mechanisms to the kernel that reduce
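Review bot: Dropping `GRKERNSEC &&` from `config PAX`'s dependency is the substantive part of this patch, since it is what lets PaX be enabled without the rest of grsecurity; it is not mentioned in the file's diffstat comment and must not be lost when the file is renumbered. Confirm the replacement copy still carries this hunk.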
71754
71755 Added: hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch
71756 ===================================================================
71757 --- hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch (rev 0)
71758 +++ hardened-sources/2.6/trunk/2.6.23/4440_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:22:14 UTC (rev 90)
71759 @@ -0,0 +1,26 @@
71760 +
71761 +Provides support for a new field ipaddr within the SELinux
71762 +AVC audit log, relying in task_struct->curr_ip (ipv4 only)
71763 +provided by grSecurity patch to be applied before.
71764 +
71765 +Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
71766 +---
71767 +
71768 + security/selinux/avc.c | 6 ++++++
71769 + 1 file changed, 6 insertions(+)
71770 +
71771 +--- a/security/selinux/avc.c
71772 ++++ b/security/selinux/avc.c
71773 +@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
71774 + char *scontext;
71775 + u32 scontext_len;
71776 +
71777 ++/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
71778 ++#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
71779 ++ if (current->signal->curr_ip)
71780 ++ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
71781 ++#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
71782 ++
71783 + rc = security_sid_to_context(ssid, &scontext, &scontext_len);
71784 + if (rc)
71785 + audit_log_format(ab, "ssid=%d", ssid);
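Review bot: The comment `/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch ... */` names a different symbol from the `#ifdef CONFIG_GRKERNSEC_PROC_IPADDR` it annotates; make them agree. More importantly, `avc_dump_query` is reached from AVC checks performed in softirq context (the socket receive path), where `current` is whatever task happened to be interrupted, so `current->signal->curr_ip` would be logged against an unrelated process; guard the new `audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", ...)` with an `in_interrupt()` check so the field is emitted only when the task context is meaningful. Also "relying in" in the description should be "relying on", and the IPv4-only limitation that `NIPQUAD` imposes belongs in the field's documentation, not just in the description.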
71786
71787 Added: hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch
71788 ===================================================================
71789 --- hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch (rev 0)
71790 +++ hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-default-gids.patch 2008-04-30 11:22:14 UTC (rev 90)
71791 @@ -0,0 +1,76 @@
71792 +From: Kerin Millar <kerframil@×××××.com>
71793 +
71794 +grsecurity contains a number of options which allow certain protections
71795 +to be applied to or exempted from members of a given group. However, the
71796 +default GIDs specified in the upstream patch are entirely arbitrary and
71797 +there is no telling which (if any) groups the GIDs will correlate with
71798 +on an end-user's system. Because some users don't pay a great deal of
71799 +attention to the finer points of kernel configuration, it is probably
71800 +wise to specify some reasonable defaults so as to stop careless users
71801 +from shooting themselves in the foot.
71802 +
71803 +--- a/grsecurity/Kconfig 2008-03-22 17:26:35.000000000 +0000
71804 ++++ b/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
71805 +@@ -355,7 +355,7 @@
71806 + config GRKERNSEC_PROC_GID
71807 + int "GID for special group"
71808 + depends on GRKERNSEC_PROC_USERGROUP
71809 +- default 1001
71810 ++ default 10
71811 +
71812 + config GRKERNSEC_PROC_ADD
71813 + bool "Additional restrictions"
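Review bot: The new defaults (10 here, 100 and 65534 in the hunks that follow) are only "reasonable" to a reader who already knows which groups they are meant to be; the description says no more than "some reasonable defaults", so add a line mapping each number to the intended group name (10 and 100 read as wheel and users under Gentoo's baselayout conventions, 65534 as the gid commonly used for nobody). Without that, a user on a distribution with a different layout gets the old arbitrary-GID problem in a new guise, and the `int` prompts' help text cannot warn them.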
71814 +@@ -550,7 +550,7 @@
71815 + config GRKERNSEC_AUDIT_GID
71816 + int "GID for auditing"
71817 + depends on GRKERNSEC_AUDIT_GROUP
71818 +- default 1007
71819 ++ default 100
71820 +
71821 + config GRKERNSEC_EXECLOG
71822 + bool "Exec logging"
71823 +@@ -714,7 +714,7 @@
71824 + config GRKERNSEC_TPE_GID
71825 + int "GID for untrusted users"
71826 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
71827 +- default 1005
71828 ++ default 100
71829 + help
71830 + If you have selected the "Invert GID option" above, setting this
71831 + GID determines what group TPE restrictions will be *disabled* for.
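Review bot: The context lines of this hunk show the help for the non-inverted `GRKERNSEC_TPE_GID` (`depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT`) beginning "If you have selected the "Invert GID option" above, setting this GID determines what group TPE restrictions will be *disabled* for.", which describes the inverted case and appears to be copied from the block in the next hunk. While changing this default to 100, which makes every member of that group untrusted as soon as TPE is enabled, fix the help so an administrator can tell which way the GID cuts.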
71832 +@@ -726,7 +726,7 @@
71833 + config GRKERNSEC_TPE_GID
71834 + int "GID for trusted users"
71835 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
71836 +- default 1005
71837 ++ default 10
71838 + help
71839 + If you have selected the "Invert GID option" above, setting this
71840 + GID determines what group TPE restrictions will be *disabled* for.
71841 +@@ -768,7 +768,7 @@
71842 + config GRKERNSEC_SOCKET_ALL_GID
71843 + int "GID to deny all sockets for"
71844 + depends on GRKERNSEC_SOCKET_ALL
71845 +- default 1004
71846 ++ default 65534
71847 + help
71848 + Here you can choose the GID to disable socket access for. Remember to
71849 + add the users you want socket access disabled for to the GID
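Review bot: Defaulting `GRKERNSEC_SOCKET_ALL_GID` (and the CLIENT and SERVER variants in the next two hunks) to 65534 means the group that many daemons drop privileges into when they switch to nobody is the one that loses socket access the moment someone enables `GRKERNSEC_SOCKET_ALL`. That may be the intent, an "unprivileged means no network" policy, but the help text "Remember to add the users you want socket access disabled for to the GID" does not mention it, and it will surprise anyone running a nobody-owned network service. Spell the consequence out in the description or choose a dedicated group for these three options.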
71850 +@@ -789,7 +789,7 @@
71851 + config GRKERNSEC_SOCKET_CLIENT_GID
71852 + int "GID to deny client sockets for"
71853 + depends on GRKERNSEC_SOCKET_CLIENT
71854 +- default 1003
71855 ++ default 65534
71856 + help
71857 + Here you can choose the GID to disable client socket access for.
71858 + Remember to add the users you want client socket access disabled for to
71859 +@@ -807,7 +807,7 @@
71860 + config GRKERNSEC_SOCKET_SERVER_GID
71861 + int "GID to deny server sockets for"
71862 + depends on GRKERNSEC_SOCKET_SERVER
71863 +- default 1002
71864 ++ default 65534
71865 + help
71866 + Here you can choose the GID to disable server socket access for.
71867 + Remember to add the users you want server socket access disabled for to
71868
71869 Deleted: hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch
71870 ===================================================================
71871 --- hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch 2008-04-07 12:57:31 UTC (rev 89)
71872 +++ hardened-sources/2.6/trunk/2.6.23/4445_grsec-kconfig-gentoo.patch 2008-04-30 11:22:14 UTC (rev 90)
71873 @@ -1,118 +0,0 @@
71874 -From: Kerin Millar <kerframil@×××××.com>
71875 -
71876 -Add a Hardened Gentoo target to the list of security levels. It's
71877 -designed to provide a comparitively high level of security and to be
71878 -generally suitable for as great a majority of the userbase as possible
71879 -(particularly new users). The patch was originally contributed by Ned
71880 -Ludd <solar@g.o>. This instance was revised by the author with
71881 -contributions from Gordon Malm <bugs-gentoo-org-02@××××××.org> for the
71882 -hardened-sources-2.6.23-r9 release where it is now a default.
71883 -
71884 ---- a/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
71885 -+++ b/grsecurity/Kconfig 2008-03-22 17:54:44.000000000 +0000
71886 -@@ -18,7 +18,7 @@
71887 - choice
71888 - prompt "Security Level"
71889 - depends GRKERNSEC
71890 -- default GRKERNSEC_CUSTOM
71891 -+ default GRKERNSEC_HARDENED
71892 -
71893 - config GRKERNSEC_LOW
71894 - bool "Low"
71895 -@@ -182,6 +182,96 @@
71896 - - Kernel symbol hiding
71897 - - Destroy unused shared memory
71898 - - Prevention of memory exhaustion-based exploits
71899 -+
71900 -+config GRKERNSEC_HARDENED
71901 -+ bool "Hardened [Gentoo]"
71902 -+ select GRKERNSEC_KMEM
71903 -+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
71904 -+ select GRKERNSEC_BRUTE
71905 -+ select GRKERNSEC_MODSTOP if (MODULES)
71906 -+ select GRKERNSEC_HIDESYM
71907 -+ select GRKERNSEC_PROC
71908 -+ select GRKERNSEC_PROC_USER
71909 -+ select GRKERNSEC_PROC_ADD
71910 -+ select GRKERNSEC_LINK
71911 -+ select GRKERNSEC_FIFO
71912 -+ select GRKERNSEC_CHROOT
71913 -+ select GRKERNSEC_CHROOT_MOUNT
71914 -+ select GRKERNSEC_CHROOT_DOUBLE
71915 -+ select GRKERNSEC_CHROOT_PIVOT
71916 -+ select GRKERNSEC_CHROOT_CHDIR
71917 -+ select GRKERNSEC_CHROOT_CHMOD
71918 -+ select GRKERNSEC_CHROOT_FCHDIR
71919 -+ select GRKERNSEC_CHROOT_MKNOD
71920 -+ select GRKERNSEC_CHROOT_SHMAT
71921 -+ select GRKERNSEC_CHROOT_UNIX
71922 -+ select GRKERNSEC_CHROOT_FINDTASK
71923 -+ select GRKERNSEC_CHROOT_NICE
71924 -+ select GRKERNSEC_CHROOT_SYSCTL
71925 -+ select GRKERNSEC_CHROOT_CAPS
71926 -+ select GRKERNSEC_RESLOG
71927 -+ select GRKERNSEC_SIGNAL
71928 -+ select GRKERNSEC_FORKFAIL
71929 -+ select GRKERNSEC_TIME
71930 -+ select GRKERNSEC_PROC_IPADDR
71931 -+ select GRKERNSEC_EXECVE
71932 -+ select GRKERNSEC_SHM if (SYSVIPC)
71933 -+ select GRKERNSEC_DMESG
71934 -+ select GRKERNSEC_RANDNET
71935 -+ select GRKERNSEC_SYSCTL
71936 -+ select GRKERNSEC_SYSCTL_ON
71937 -+ select PAX
71938 -+ select PAX_EI_PAX
71939 -+ select PAX_PT_PAX_FLAGS
71940 -+ select PAX_HAVE_ACL_FLAGS
71941 -+ select PAX_NOEXEC
71942 -+ select PAX_PAGEEXEC
71943 -+ select PAX_SEGMEXEC if (X86 && !X86_64)
71944 -+ select PAX_EMUTRAMP if (PARISC)
71945 -+ select PAX_EMUSIGRT if (PARISC)
71946 -+ select PAX_MPROTECT
71947 -+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
71948 -+ select PAX_EMUPLT if (ALPHA || PARISC || PPC32 || SPARC32 || SPARC64)
71949 -+ select PAX_DLRESOLVE if (SPARC32 || SPARC64)
71950 -+ select PAX_SYSCALL if (PPC32)
71951 -+ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
71952 -+ select PAX_ASLR
71953 -+ select PAX_RANDKSTACK if (X86_TSC && !X86_64)
71954 -+ select PAX_RANDUSTACK
71955 -+ select PAX_RANDMMAP
71956 -+ select PAX_MEMORY_SANITIZE
71957 -+ select PAX_MEMORY_UDEREF if (X86_32 && !COMPAT_VDSO)
71958 -+ help
71959 -+ If you say Y here, a configuration will be used that is endorsed by the
71960 -+ Hardened Gentoo project. It is designed to provide a high level of
71961 -+ security whilst minimizing the chance of incompatibilities with rare
71962 -+ software on your machine. As such, many of the features of grsecurity
71963 -+ and PaX will be enabled. For further information, you should view
71964 -+ <http://grsecurity.net> and <http://pax.grsecurity.net> as well as the
71965 -+ Hardened Gentoo Primer at
71966 -+ <http://gentoo.org/proj/en/hardened/primer.xml>.
71967 -+
71968 -+ You may wish to emerge paxctl which will allow you to toggle specific
71969 -+ PaX features on problematic binaries. Note that this only works for ELF
71970 -+ binaries that contain a PT_PAX_FLAGS header. In layman's terms this
71971 -+ means that, if you need to toggle PaX features on binaries provided by
71972 -+ applications that are distributed only in binary format (rather than
71973 -+ being built locally from sources), you may need to run paxctl -C on the
71974 -+ binaries beforehand so as to add the missing headers.
71975 -+
71976 -+ When this level is selected, some options cannot be changed. However,
71977 -+ you may opt to fully customize the options that are selected by choosing
71978 -+ "Custom" in the Security Level menu. You may find it helpful to inherit
71979 -+ the options selected by the "Hardened [Gentoo]" level as a starting
71980 -+ point for further configuration. To accomplish this, select this level
71981 -+ then exit the menuconfig interface, saving changes when prompted. Next,
71982 -+ run make menuconfig again and select the "Custom" level.
71983 -+
71984 -+ Please note that this security level is not designed to be used in
71985 -+ virtualized environments. If you intend to run the kernel in a virtual
71986 -+ machine then you will probably need to disable the PAX_MEMORY_UDEREF
71987 -+ option in order to avoid an unacceptable impact upon performance.
71988 -+
71989 - config GRKERNSEC_CUSTOM
71990 - bool "Custom"
71991 - help
71992
71993 Added: hardened-sources/2.6/trunk/2.6.23/4450_disable-compat_vdso.patch
71994 ===================================================================
71995 --- hardened-sources/2.6/trunk/2.6.23/4450_disable-compat_vdso.patch (rev 0)
71996 +++ hardened-sources/2.6/trunk/2.6.23/4450_disable-compat_vdso.patch 2008-04-30 11:22:14 UTC (rev 90)
71997 @@ -0,0 +1,65 @@
71998 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
71999 +From: Kerin Millar <kerframil@×××××.com>
72000 +
72001 +COMPAT_VDSO is inappropriate for any modern Hardened Gentoo system. It
72002 +conflicts with various parts of PaX, crashing the system if enabled
72003 +while PaX's NOEXEC or UDEREF features are active. Moreover, it prevents
72004 +a number of important PaX options from appearing in the configuration
72005 +menu, including all PaX NOEXEC implementations. Unfortunately, the
72006 +reason for the disappearance of these PaX configuration options is
72007 +often far from obvious to inexperienced users.
72008 +
72009 +Therefore, we disable the COMPAT_VDSO menu entry entirely. However,
72010 +COMPAT_VDSO operation can still be enabled via bootparam and sysctl
72011 +interfaces. Consequently, we must also disable the ability to select
72012 +COMPAT_VDSO operation at boot or runtime. Here we patch the kernel so
72013 +that selecting COMPAT_VDSO operation at boot/runtime has no effect if
72014 +conflicting PaX options are enabled, leaving VDSO_ENABLED operation
72015 +intact.
72016 +
72017 +Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138
72018 +
72019 +--- a/arch/i386/Kconfig 2008-02-14 17:46:47.000000000 +0000
72020 ++++ b/arch/i386/Kconfig 2008-02-14 17:57:03.000000000 +0000
72021 +@@ -915,16 +915,8 @@
72022 + /sys/devices/system/cpu.
72023 +
72024 + config COMPAT_VDSO
72025 +- bool "Compat VDSO support"
72026 ++ bool
72027 + default n
72028 +- help
72029 +- Map the VDSO to the predictable old-style address too.
72030 +- ---help---
72031 +- Say N here if you are running a sufficiently recent glibc
72032 +- version (2.3.3 or later), to remove the high-mapped
72033 +- VDSO mapping and to exclusively use the randomized VDSO.
72034 +-
72035 +- If unsure, say Y.
72036 +
72037 + endmenu
72038 +
72039 +--- a/arch/i386/kernel/sysenter.c
72040 ++++ b/arch/i386/kernel/sysenter.c
72041 +@@ -278,9 +278,11 @@ int arch_setup_additional_pages(struct l
72042 +
72043 + map_compat_vdso(compat);
72044 +
72045 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
72046 + if (compat)
72047 + addr = VDSO_HIGH_BASE;
72048 + else {
72049 ++#endif
72050 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
72051 + if (IS_ERR_VALUE(addr)) {
72052 + ret = addr;
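Review bot: the call "map_compat_vdso(compat);" on the first context line of this hunk is left unconditional, so when CONFIG_PAX_NOEXEC or CONFIG_PAX_MEMORY_UDEREF is set the new #if only stops addr from being set to VDSO_HIGH_BASE; whatever map_compat_vdso() sets up for a non-zero compat value (the old fixed-address mapping the description wants to get rid of) is still done when vdso=2 is passed on the command line or via sysctl. The description's goal, "selecting COMPAT_VDSO operation at boot/runtime has no effect if conflicting PaX options are enabled", is more completely met by forcing compat to 0 under the same condition before that call, which then also selects the randomized branch below without any further preprocessor guards.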
72053 +@@ -304,7 +306,9 @@ int arch_setup_additional_pages(struct l
72054 +
72055 + if (ret)
72056 + goto up_fail;
72057 ++#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)
72058 + }
72059 ++#endif
72060 +
72061 + current->mm->context.vdso = addr;
72062 + current_thread_info()->sysenter_return =
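Review bot: the "else {" opened inside the #if block of the -278 hunk is closed by a "}" inside a second #if block in this hunk, and the guard "#if !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_MEMORY_UDEREF)" is spelled out twice; a brace pair split across two preprocessor regions is easy to break on the next rebase and hard to read. Clearing compat under a single copy of that condition ahead of the first hunk would let both #if/#endif pairs go away and keep the C block structure intact in every configuration.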
72063
72064 Deleted: hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch
72065 ===================================================================
72066 --- hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch 2008-04-07 12:57:31 UTC (rev 89)
72067 +++ hardened-sources/2.6/trunk/2.6.23/4450_selinux-avc_audit-log-curr_ip.patch 2008-04-30 11:22:14 UTC (rev 90)
72068 @@ -1,26 +0,0 @@
72069 -
72070 -Provides support for a new field ipaddr within the SELinux
72071 -AVC audit log, relying in task_struct->curr_ip (ipv4 only)
72072 -provided by grSecurity patch to be applied before.
72073 -
72074 -Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@×××.org>
72075 ----
72076 -
72077 - security/selinux/avc.c | 6 ++++++
72078 - 1 file changed, 6 insertions(+)
72079 -
72080 ---- a/security/selinux/avc.c
72081 -+++ b/security/selinux/avc.c
72082 -@@ -202,6 +202,12 @@ static void avc_dump_query(struct audit_
72083 - char *scontext;
72084 - u32 scontext_len;
72085 -
72086 -+/* CONFIG_PROC_IPADDR if task-signal-curr_ip patch from lorenzo@×××.org is present */
72087 -+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
72088 -+ if (current->signal->curr_ip)
72089 -+ audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip));
72090 -+#endif /* CONFIG_GRKERNSEC_PROC_IPADDR */
72091 -+
72092 - rc = security_sid_to_context(ssid, &scontext, &scontext_len);
72093 - if (rc)
72094 - audit_log_format(ab, "ssid=%d", ssid);
72095
72096 Deleted: hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch
72097 ===================================================================
72098 --- hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch 2008-04-07 12:57:31 UTC (rev 89)
72099 +++ hardened-sources/2.6/trunk/2.6.23/4455_grsec-kconfig-default-gids.patch 2008-04-30 11:22:14 UTC (rev 90)
72100 @@ -1,76 +0,0 @@
72101 -From: Kerin Millar <kerframil@×××××.com>
72102 -
72103 -grsecurity contains a number of options which allow certain protections
72104 -to be applied to or exempted from members of a given group. However, the
72105 -default GIDs specified in the upstream patch are entirely arbitrary and
72106 -there is no telling which (if any) groups the GIDs will correlate with
72107 -on an end-user's system. Because some users don't pay a great deal of
72108 -attention to the finer points of kernel configuration, it is probably
72109 -wise to specify some reasonable defaults so as to stop careless users
72110 -from shooting themselves in the foot.
72111 -
72112 ---- a/grsecurity/Kconfig 2008-03-22 17:26:35.000000000 +0000
72113 -+++ b/grsecurity/Kconfig 2008-03-22 17:27:48.000000000 +0000
72114 -@@ -355,7 +355,7 @@
72115 - config GRKERNSEC_PROC_GID
72116 - int "GID for special group"
72117 - depends on GRKERNSEC_PROC_USERGROUP
72118 -- default 1001
72119 -+ default 10
72120 -
72121 - config GRKERNSEC_PROC_ADD
72122 - bool "Additional restrictions"
72123 -@@ -550,7 +550,7 @@
72124 - config GRKERNSEC_AUDIT_GID
72125 - int "GID for auditing"
72126 - depends on GRKERNSEC_AUDIT_GROUP
72127 -- default 1007
72128 -+ default 100
72129 -
72130 - config GRKERNSEC_EXECLOG
72131 - bool "Exec logging"
72132 -@@ -714,7 +714,7 @@
72133 - config GRKERNSEC_TPE_GID
72134 - int "GID for untrusted users"
72135 - depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
72136 -- default 1005
72137 -+ default 100
72138 - help
72139 - If you have selected the "Invert GID option" above, setting this
72140 - GID determines what group TPE restrictions will be *disabled* for.
72141 -@@ -726,7 +726,7 @@
72142 - config GRKERNSEC_TPE_GID
72143 - int "GID for trusted users"
72144 - depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
72145 -- default 1005
72146 -+ default 10
72147 - help
72148 - If you have selected the "Invert GID option" above, setting this
72149 - GID determines what group TPE restrictions will be *disabled* for.
72150 -@@ -768,7 +768,7 @@
72151 - config GRKERNSEC_SOCKET_ALL_GID
72152 - int "GID to deny all sockets for"
72153 - depends on GRKERNSEC_SOCKET_ALL
72154 -- default 1004
72155 -+ default 65534
72156 - help
72157 - Here you can choose the GID to disable socket access for. Remember to
72158 - add the users you want socket access disabled for to the GID
72159 -@@ -789,7 +789,7 @@
72160 - config GRKERNSEC_SOCKET_CLIENT_GID
72161 - int "GID to deny client sockets for"
72162 - depends on GRKERNSEC_SOCKET_CLIENT
72163 -- default 1003
72164 -+ default 65534
72165 - help
72166 - Here you can choose the GID to disable client socket access for.
72167 - Remember to add the users you want client socket access disabled for to
72168 -@@ -807,7 +807,7 @@
72169 - config GRKERNSEC_SOCKET_SERVER_GID
72170 - int "GID to deny server sockets for"
72171 - depends on GRKERNSEC_SOCKET_SERVER
72172 -- default 1002
72173 -+ default 65534
72174 - help
72175 - Here you can choose the GID to disable server socket access for.
72176 - Remember to add the users you want server socket access disabled for to
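Review bot: this deletion and the addition of 4445_grsec-kconfig-default-gids.patch (whose -714 to -807 hunks open this message and match these lines one for one) are a renumbering with no content change, as are 4465 to 4455_pax-hook-build-error.patch and 4470 to 4460_acct_stack_growth-null-deref.patch further down. Doing renumberings with svn mv, or at least stating in the log message which entries are pure renames, keeps the per-file history and leaves the substantive changes in this revision (the rewritten disable-compat_vdso patch with its new sysenter.c hunks, and the new vma-mirroring patch) visible at a glance instead of buried among hundreds of identical removed and re-added lines.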
72177
72178 Added: hardened-sources/2.6/trunk/2.6.23/4455_pax-hook-build-error.patch
72179 ===================================================================
72180 --- hardened-sources/2.6/trunk/2.6.23/4455_pax-hook-build-error.patch (rev 0)
72181 +++ hardened-sources/2.6/trunk/2.6.23/4455_pax-hook-build-error.patch 2008-04-30 11:22:14 UTC (rev 90)
72182 @@ -0,0 +1,33 @@
72183 +From: Kerin Millar <kerframil@×××××.com>
72184 +
72185 +Fix build error where PAX_HOOK_ACL_FLAGS is enabled along with 32-bit
72186 +ELF support on x86_64/ia64 platforms. Closes gentoo bug 208331.
72187 +
72188 +--- a/fs/binfmt_elf.c 2008-02-09 00:01:18.000000000 +0100
72189 ++++ b/fs/binfmt_elf.c 2008-03-08 01:49:25.000000000 +0100
72190 +@@ -47,11 +47,6 @@
72191 + #include <asm/desc.h>
72192 + #endif
72193 +
72194 +-#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
72195 +-void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
72196 +-EXPORT_SYMBOL(pax_set_initial_flags_func);
72197 +-#endif
72198 +-
72199 + static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
72200 + static int load_elf_library(struct file *);
72201 + static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
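Review bot: the description only says "Fix build error" without naming it; removing the definition of pax_set_initial_flags_func and its EXPORT_SYMBOL from binfmt_elf.c, as this hunk does, is the right fix because fs/binfmt_elf.c is compiled a second time for the 32-bit compat ELF loader on x86_64 and ia64, which yields a duplicate definition of the symbol when PAX_HOOK_ACL_FLAGS is on, while fs/exec.c (the new home in the next hunk) is compiled exactly once. Spelling that out in the header comment would save the next person from re-deriving why the variable moved files rather than simply being guarded.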
72202 +--- a/fs/exec.c 2008-02-09 00:01:18.000000000 +0100
72203 ++++ b/fs/exec.c 2008-03-08 01:49:02.000000000 +0100
72204 +@@ -61,6 +61,11 @@
72205 + #include <linux/kmod.h>
72206 + #endif
72207 +
72208 ++#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
72209 ++void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
72210 ++EXPORT_SYMBOL(pax_set_initial_flags_func);
72211 ++#endif
72212 ++
72213 + int core_uses_pid;
72214 + char core_pattern[CORENAME_MAX_SIZE] = "core";
72215 + int suid_dumpable = 0;
72216 \ No newline at end of file
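Review bot: the "\ No newline at end of file" marker shows the patch file ends without a trailing newline after its last context line " int suid_dumpable = 0;". patch(1) tolerates this for a trailing context line, but some tooling warns or mis-handles a final line with no newline; add the newline when the file is next touched so the patch applies cleanly everywhere without a diagnostic.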
72217
72218 Added: hardened-sources/2.6/trunk/2.6.23/4460_acct_stack_growth-null-deref.patch
72219 ===================================================================
72220 --- hardened-sources/2.6/trunk/2.6.23/4460_acct_stack_growth-null-deref.patch (rev 0)
72221 +++ hardened-sources/2.6/trunk/2.6.23/4460_acct_stack_growth-null-deref.patch 2008-04-30 11:22:14 UTC (rev 90)
72222 @@ -0,0 +1,42 @@
72223 +At some point the execve() code was changed in terms of how it sets up
72224 +the new task's address space, in particular, how the initial stack was
72225 +initialized, allowing "unlimited" number of args/env/etc. This was done
72226 +by making use of the already present and established mm struct of the
72227 +new task and the normal VM logic that deals with automatic userland
72228 +stack expansion.
72229 +
72230 +However, this broke assumptions elsewhere in the kernel where
72231 +current->mm was used in accounting code and which happened to be NULL
72232 +for kernel threads. In this case, acct_stack_growth() wasn't making use
72233 +of the new security_vm_enough_memory_mm() function as needed. This is
72234 +pertinent to PaX users because only PaX performs "sub-page" stack
72235 +randomization, so it can cause the one page of the initial stack to run
72236 +out and trigger a stack expansion. Unfortunately, it may be a kernel
72237 +thread that does this.
72238 +
72239 +This patch closes bug 210022. For further information:
72240 +
72241 + http://bugs.gentoo.org/show_bug.cgi?id=210022 and
72242 + http://forums.grsecurity.net/viewtopic.php?f=3&t=1873
72243 +
72244 +Thanks to cilly <cilly@××××××××××.nu> for raising the matter and tracking down
72245 +the appropriate patch.
72246 +
72247 +This patch is present in upstream grsecurity patches as of
72248 +pax-linux-2.6.24-test9.patch. This patch can be dropped for any
72249 +hardened-sources-2.6.24 based upon pax-linux-2.6.24-test9.patch or
72250 +later.
72251 +
72252 +Acked-by: Kerin Millar <kerframil@×××××.com>
72253 +
72254 +--- a/mm/mmap.c 2008-02-14 20:14:52.000000000 +0000
72255 ++++ b/mm/mmap.c 2008-02-14 20:40:19.000000000 +0000
72256 +@@ -1742,7 +1742,7 @@ static int acct_stack_growth(struct vm_a
72257 + * Overcommit.. This must be the final test, as it will
72258 + * update security statistics.
72259 + */
72260 +- if (security_vm_enough_memory(grow))
72261 ++ if (security_vm_enough_memory_mm(mm, grow))
72262 + return -ENOMEM;
72263 +
72264 + /* Ok, everything looks good - let it rip */
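Review bot: the replacement line "if (security_vm_enough_memory_mm(mm, grow))" relies on a local named mm that is not in the visible context of this hunk; the whole point of the change (per the description, current->mm is NULL for a kernel thread expanding the new task's initial stack during execve) is lost if that mm is derived from current rather than from the vma. Please confirm that acct_stack_growth() in this tree takes mm from vma->vm_mm, and consider widening the hunk context by a few lines so that the origin of mm is visible in the patch itself.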
72265
72266 Deleted: hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch
72267 ===================================================================
72268 --- hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch 2008-04-07 12:57:31 UTC (rev 89)
72269 +++ hardened-sources/2.6/trunk/2.6.23/4460_disable-compat_vdso.patch 2008-04-30 11:22:14 UTC (rev 90)
72270 @@ -1,29 +0,0 @@
72271 -From: Kerin Millar <kerframil@×××××.com>
72272 -
72273 -Disable CONFIG_COMPAT_VDSO entirely. It is inappropriate for any Gentoo
72274 -user to activate this option. Moreover, it prevents users from selecting
72275 -a number of important PaX options - notably PAX_PAGEEXEC and
72276 -PAX_SEGMEXEC. Under these circumstances, it is impossible for the user
72277 -to enforce non-executable pages. Unfortunately, this is far from obvious
72278 -to first-time users. Closes bug 210138.
72279 -
72280 ---- a/arch/i386/Kconfig 2008-02-14 17:46:47.000000000 +0000
72281 -+++ b/arch/i386/Kconfig 2008-02-14 17:57:03.000000000 +0000
72282 -@@ -915,16 +915,8 @@
72283 - /sys/devices/system/cpu.
72284 -
72285 - config COMPAT_VDSO
72286 -- bool "Compat VDSO support"
72287 -+ bool
72288 - default n
72289 -- help
72290 -- Map the VDSO to the predictable old-style address too.
72291 -- ---help---
72292 -- Say N here if you are running a sufficiently recent glibc
72293 -- version (2.3.3 or later), to remove the high-mapped
72294 -- VDSO mapping and to exclusively use the randomized VDSO.
72295 --
72296 -- If unsure, say Y.
72297 -
72298 - endmenu
72299 -
72300
72301 Deleted: hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch
72302 ===================================================================
72303 --- hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch 2008-04-07 12:57:31 UTC (rev 89)
72304 +++ hardened-sources/2.6/trunk/2.6.23/4465_pax-hook-build-error.patch 2008-04-30 11:22:14 UTC (rev 90)
72305 @@ -1,33 +0,0 @@
72306 -From: Kerin Millar <kerframil@×××××.com>
72307 -
72308 -Fix build error where PAX_HOOK_ACL_FLAGS is enabled along with 32-bit
72309 -ELF support on x86_64/ia64 platforms. Closes gentoo bug 208331.
72310 -
72311 ---- a/fs/binfmt_elf.c 2008-02-09 00:01:18.000000000 +0100
72312 -+++ b/fs/binfmt_elf.c 2008-03-08 01:49:25.000000000 +0100
72313 -@@ -47,11 +47,6 @@
72314 - #include <asm/desc.h>
72315 - #endif
72316 -
72317 --#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
72318 --void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
72319 --EXPORT_SYMBOL(pax_set_initial_flags_func);
72320 --#endif
72321 --
72322 - static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs);
72323 - static int load_elf_library(struct file *);
72324 - static unsigned long elf_map (struct file *, unsigned long, struct elf_phdr *, int, int);
72325 ---- a/fs/exec.c 2008-02-09 00:01:18.000000000 +0100
72326 -+++ b/fs/exec.c 2008-03-08 01:49:02.000000000 +0100
72327 -@@ -61,6 +61,11 @@
72328 - #include <linux/kmod.h>
72329 - #endif
72330 -
72331 -+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
72332 -+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
72333 -+EXPORT_SYMBOL(pax_set_initial_flags_func);
72334 -+#endif
72335 -+
72336 - int core_uses_pid;
72337 - char core_pattern[CORENAME_MAX_SIZE] = "core";
72338 - int suid_dumpable = 0;
72339 \ No newline at end of file
72340
72341 Added: hardened-sources/2.6/trunk/2.6.23/4465_pax-vma-mirroring-fixes.patch
72342 ===================================================================
72343 --- hardened-sources/2.6/trunk/2.6.23/4465_pax-vma-mirroring-fixes.patch (rev 0)
72344 +++ hardened-sources/2.6/trunk/2.6.23/4465_pax-vma-mirroring-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
72345 @@ -0,0 +1,190 @@
72346 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72347 +
72348 +Backport of various fixes for vma mirroring bugs in SEGMEXEC from 2.6.24
72349 +branch. Closes gentoo bug 198051.
72350 +
72351 +These patches are present in upstream grsecurity patches as of
72352 +pax-linux-2.6.24.2-test29.patch. This patch can be dropped for any
72353 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test29.patch or
72354 +later.
72355 +
72356 +Acked-by: Kerin Millar <kerframil@×××××.com>
72357 +
72358 +diff -urP linux-2.6.23-hardened-r7-orig/mm/memory.c linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72359 +--- linux-2.6.23-hardened-r7-orig/mm/memory.c
72360 ++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72361 +@@ -1777,13 +1777,13 @@
72362 + pte_unmap_nested(pte_m);
72363 + }
72364 +
72365 +-static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
72366 ++static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72367 + {
72368 + struct page *page_m;
72369 + pte_t entry;
72370 +
72371 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72372 +- return;
72373 ++ goto out;
72374 +
72375 + entry = *pte;
72376 + page_m = vm_normal_page(vma, address, entry);
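Review bot: with the "return;" turned into "goto out;" (and the out: label added in the -1801 hunk calling pte_unmap_unlock(pte, ptl)), pax_mirror_pte() now owns the pte unmap and unlock on every path, which is a change of locking contract: any caller that still falls through to its own unlock after calling this function will unmap and unlock twice. The new pmd parameter exists only to support that. A one-line comment above the function stating "unmaps and unlocks pte on return" would make the contract explicit, since nothing in the signature conveys it.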
72377 +@@ -1791,9 +1791,9 @@
72378 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72379 + else if (PageAnon(page_m)) {
72380 + if (pax_find_mirror_vma(vma)) {
72381 +- spin_unlock(ptl);
72382 ++ pte_unmap_unlock(pte, ptl);
72383 + lock_page(page_m);
72384 +- spin_lock(ptl);
72385 ++ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72386 + if (pte_same(entry, *pte))
72387 + pax_mirror_anon_pte(vma, address, page_m, ptl);
72388 + else
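Review bot: between "pte_unmap_unlock(pte, ptl);" and "lock_page(page_m);" the pte lock is dropped while no reference on page_m is visibly held; if the page can be unmapped and freed in that window by another thread of the same mm, lock_page() operates on a page that may already have been reused. The pte_same() re-check after re-acquiring the lock via pte_offset_map_lock() protects the pte, not the page. Either a get_page()/put_page() pair around the window or a note explaining why the page is pinned (for example by the caller's reference) is needed here.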
72389 +@@ -1801,6 +1801,9 @@
72390 + }
72391 + } else
72392 + pax_mirror_file_pte(vma, address, page_m, ptl);
72393 ++
72394 ++out:
72395 ++ pte_unmap_unlock(pte, ptl);
72396 + }
72397 + #endif
72398 +
72399 +@@ -2871,7 +2874,8 @@
72400 + }
72401 +
72402 + #ifdef CONFIG_PAX_SEGMEXEC
72403 +- pax_mirror_pte(vma, address, pte, ptl);
72404 ++ pax_mirror_pte(vma, address, pte, pmd, ptl);
72405 ++ return 0;
72406 + #endif
72407 +
72408 + unlock:
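Review bot: the added "return 0;" after the pax_mirror_pte() call skips everything that follows the "unlock:" label, which is now correct only because pax_mirror_pte() unmaps and unlocks the pte itself (the -1777 and -1801 hunks); anything else that is done under unlock: in this function is bypassed on the SEGMEXEC path. A comment on the return line stating that the lock has already been dropped by the callee would tie the two hunks together for a reader who sees only this one.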
72409 +diff -urP linux-2.6.23-hardened-r7-orig/mm/mmap.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72410 +--- linux-2.6.23-hardened-r7-orig/mm/mmap.c
72411 ++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72412 +@@ -877,6 +877,19 @@
72413 + if (area_m)
72414 + vma_adjust(area_m, addr_m, next_m->vm_end,
72415 + next_m->vm_pgoff - pglen, NULL);
72416 ++ else if (next_m) {
72417 ++ vma_adjust(next_m, addr_m, next_m->vm_end,
72418 ++ next_m->vm_pgoff - pglen, NULL);
72419 ++ BUG_ON(area == next);
72420 ++ BUG_ON(area->vm_mirror);
72421 ++ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
72422 ++ area->vm_mirror = next_m;
72423 ++ next_m->vm_mirror = area;
72424 ++ if (area->anon_vma && !next_m->anon_vma) {
72425 ++ next_m->anon_vma = area->anon_vma;
72426 ++ anon_vma_link(next_m);
72427 ++ }
72428 ++ }
72429 + #endif
72430 +
72431 + }
72432 +@@ -1244,9 +1257,8 @@
72433 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72434 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72435 + if (!vma_m) {
72436 +- kmem_cache_free(vm_area_cachep, vma);
72437 + error = -ENOMEM;
72438 +- goto unacct_error;
72439 ++ goto free_vma;
72440 + }
72441 + }
72442 + #endif
72443 +@@ -1274,6 +1286,19 @@
72444 + if (error)
72445 + goto unmap_and_free_vma;
72446 +
72447 ++#ifdef CONFIG_PAX_SEGMEXEC
72448 ++ if (vma_m) {
72449 ++ struct mempolicy *pol;
72450 ++
72451 ++ pol = mpol_copy(vma_policy(vma));
72452 ++ if (IS_ERR(pol)) {
72453 ++ mpol_free(vma_policy(vma));
72454 ++ goto unmap_and_free_vma;
72455 ++ }
72456 ++ vma_set_policy(vma_m, pol);
72457 ++ }
72458 ++#endif
72459 ++
72460 + #if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72461 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72462 + vma->vm_flags |= VM_PAGEEXEC;
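Review bot: on the "if (IS_ERR(pol))" path this hunk does "goto unmap_and_free_vma;" without assigning error first, and the preceding context lines " if (error)" / " goto unmap_and_free_vma;" show that error is 0 at this point, so the function tears down the mapping and then returns 0 to its caller as though the mmap succeeded. Set error = PTR_ERR(pol) (or -ENOMEM, as the mprotect.c hunk in this same patch does) before the goto. Separately, vma_m has already been allocated when this path is taken and nothing visible releases it on the unmap_and_free_vma label; please confirm that label frees vma_m in this tree, otherwise it leaks on every failed policy copy.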
72463 +@@ -1328,6 +1353,14 @@
72464 + mpol_free(vma_policy(vma));
72465 + kmem_cache_free(vm_area_cachep, vma);
72466 + vma = NULL;
72467 ++
72468 ++#ifdef CONFIG_PAX_SEGMEXEC
72469 ++ if (vma_m) {
72470 ++ mpol_free(vma_policy(vma_m));
72471 ++ kmem_cache_free(vm_area_cachep, vma_m);
72472 ++ }
72473 ++#endif
72474 ++
72475 + }
72476 + out:
72477 + mm->total_vm += len >> PAGE_SHIFT;
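Review bot: the context line above the new block sets "vma = NULL;" after freeing vma, but the added block frees vma_m and leaves the pointer dangling; if anything after out: (or any later hunk in this function) tests or uses vma_m, it now dereferences freed memory. Add "vma_m = NULL;" inside the new #ifdef block for symmetry with vma, and to make the later "if (vma_m)" checks in this function safe.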
72478 +@@ -2539,6 +2572,8 @@
72479 + struct rb_node **rb_link, *rb_parent;
72480 + struct mempolicy *pol;
72481 +
72482 ++ BUG_ON(vma->vm_mirror);
72483 ++
72484 + /*
72485 + * If anonymous vma has not yet been faulted, update new pgoff
72486 + * to match new location, to increase its chance of merging.
72487 +@@ -2584,10 +2619,14 @@
72488 + {
72489 + struct vm_area_struct *prev_m;
72490 + struct rb_node **rb_link_m, *rb_parent_m;
72491 ++ struct mempolicy *pol_m;
72492 +
72493 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
72494 +- BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
72495 ++ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
72496 ++ BUG_ON(!vma_mpol_equal(vma, vma_m));
72497 ++ pol_m = vma_policy(vma_m);
72498 + *vma_m = *vma;
72499 ++ vma_set_policy(vma_m, pol_m);
72500 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
72501 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
72502 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
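Review bot: replacing "BUG_ON(... || vma_policy(vma))" with "BUG_ON(!vma_mpol_equal(vma, vma_m))" and then saving and restoring pol_m across the struct copy "*vma_m = *vma;" changes what pax_mirror_vma() expects of its callers: vma_m must already carry a policy equal to vma's before the call, which is exactly what the new mpol_copy()/vma_set_policy() blocks in mmap.c (-1274) and mprotect.c (-266) arrange. That precondition should be stated in a comment above the function; a future caller that allocates vma_m with kmem_cache_zalloc() and calls in directly, as the old code allowed, now hits a BUG_ON rather than a clear error.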
72503 +diff -urP linux-2.6.23-hardened-r7-orig/mm/mprotect.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72504 +--- linux-2.6.23-hardened-r7-orig/mm/mprotect.c
72505 ++++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72506 +@@ -208,6 +208,8 @@
72507 + error = split_vma(mm, vma, start, 1);
72508 + if (error)
72509 + return -ENOMEM;
72510 ++ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
72511 ++ *pprev = (*pprev)->vm_next;
72512 + }
72513 +
72514 + if (end != vma->vm_end) {
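Review bot: the correctness of "BUG_ON(!*pprev || (*pprev)->vm_next == vma);" followed by "*pprev = (*pprev)->vm_next;" depends entirely on what *pprev is assumed to point to before the split (the vma immediately preceding vma in the list, so that the lower piece inserted by split_vma(..., 1) becomes (*pprev)->vm_next), and that convention is not visible in this hunk nor enforced by the callee. A one-line comment stating the invariant would help, and it is worth double-checking the caller's convention in this tree, because with the mainline ordering where mprotect_fixup() sets *pprev to vma itself before splitting, this advance would step past vma instead of onto the new lower piece.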
72515 +@@ -266,11 +268,20 @@
72516 +
72517 + #ifdef CONFIG_PAX_SEGMEXEC
72518 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
72519 ++ struct mempolicy *pol;
72520 ++
72521 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72522 + if (!vma_m) {
72523 + error = -ENOMEM;
72524 + goto fail;
72525 + }
72526 ++ pol = mpol_copy(vma_policy(vma));
72527 ++ if (IS_ERR(pol)) {
72528 ++ kmem_cache_free(vm_area_cachep, vma_m);
72529 ++ error = -ENOMEM;
72530 ++ goto fail;
72531 ++ }
72532 ++ vma_set_policy(vma_m, pol);
72533 + }
72534 + #endif
72535 +
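Review bot: in the new "if (IS_ERR(pol))" branch the error code from mpol_copy() is discarded in favour of a hard-coded "error = -ENOMEM;"; error = PTR_ERR(pol) preserves the real cause and is the usual idiom. The cleanup itself is right (vma_m is freed before "goto fail"), and note that this is the correct pattern that the corresponding mmap.c hunk at -1274 in this same patch is missing, since that one neither sets error nor visibly frees vma_m.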
72536
72537 Deleted: hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch
72538 ===================================================================
72539 --- hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch 2008-04-07 12:57:31 UTC (rev 89)
72540 +++ hardened-sources/2.6/trunk/2.6.23/4470_acct_stack_growth-null-deref.patch 2008-04-30 11:22:14 UTC (rev 90)
72541 @@ -1,42 +0,0 @@
72542 -At some point the execve() code was changed in terms of how it sets up
72543 -the new task's address space, in particular, how the initial stack was
72544 -initialized, allowing "unlimited" number of args/env/etc. This was done
72545 -by making use of the already present and established mm struct of the
72546 -new task and the normal VM logic that deals with automatic userland
72547 -stack expansion.
72548 -
72549 -However, this broke assumptions elsewhere in the kernel where
72550 -current->mm was used in accounting code and which happened to be NULL
72551 -for kernel threads. In this case, acct_stack_growth() wasn't making use
72552 -of the new security_vm_enough_memory_mm() function as needed. This is
72553 -pertinent to PaX users because only PaX performs "sub-page" stack
72554 -randomization, so it can cause the one page of the initial stack to run
72555 -out and trigger a stack expansion. Unfortunately, it may be a kernel
72556 -thread that does this.
72557 -
72558 -This patch closes bug 210022. For further information:
72559 -
72560 - http://bugs.gentoo.org/show_bug.cgi?id=210022 and
72561 - http://forums.grsecurity.net/viewtopic.php?f=3&t=1873
72562 -
72563 -Thanks to cilly <cilly@××××××××××.nu> for raising the matter and tracking down
72564 -the appropriate patch.
72565 -
72566 -This patch is present in upstream grsecurity patches as of
72567 -pax-linux-2.6.24-test9.patch. This patch can be dropped for any
72568 -hardened-sources-2.6.24 based upon pax-linux-2.6.24-test9.patch or
72569 -later.
72570 -
72571 -Acked-by: Kerin Millar <kerframil@×××××.com>
72572 -
72573 ---- a/mm/mmap.c 2008-02-14 20:14:52.000000000 +0000
72574 -+++ b/mm/mmap.c 2008-02-14 20:40:19.000000000 +0000
72575 -@@ -1742,7 +1742,7 @@ static int acct_stack_growth(struct vm_a
72576 - * Overcommit.. This must be the final test, as it will
72577 - * update security statistics.
72578 - */
72579 -- if (security_vm_enough_memory(grow))
72580 -+ if (security_vm_enough_memory_mm(mm, grow))
72581 - return -ENOMEM;
72582 -
72583 - /* Ok, everything looks good - let it rip */
72584
72585 Added: hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch
72586 ===================================================================
72587 --- hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch (rev 0)
72588 +++ hardened-sources/2.6/trunk/2.6.23/4470_vesafb-pmi-kernexec-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
72589 @@ -0,0 +1,60 @@
72590 +From: Kerin Millar <kerframil@×××××.com>
72591 +
72592 +Disable the use of pmi in the vesafb framebuffer driver where the kernel
72593 +is non-modular and PAX_KERNEXEC is enabled, thus resolving a compile
72594 +error. Closes bug 197626.
72595 +
72596 +This patch is present in upstream grsecurity patches as of
72597 +pax-linux-2.6.24.2-test24.patch. This patch can be dropped for any
72598 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test24.patch or
72599 +later.
72600 +
72601 +--- a/drivers/video/vesafb.c 2008-02-14 20:14:52.000000000 +0000
72602 ++++ b/drivers/video/vesafb.c 2008-02-17 21:37:44.000000000 +0000
72603 +@@ -302,10 +302,10 @@ static int __init vesafb_probe(struct pl
72604 +
72605 + #ifdef __i386__
72606 +
72607 +-#ifdef CONFIG_PAX_KERNEXEC
72608 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72609 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
72610 + if (!pmi_code)
72611 +-#else
72612 ++#elif !defined(CONFIG_PAX_KERNEXEC)
72613 + if (0)
72614 + #endif
72615 +
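Review bot: the three-way construct "#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)" / "#elif !defined(CONFIG_PAX_KERNEXEC)" / "#endif" intentionally emits no "if" at all when PAX_KERNEXEC is set on a non-modular kernel, so the block that follows (the PMI-disabled fallback) runs unconditionally in that configuration; that is what the description asks for, but a reader of the code alone sees a dangling statement with no condition. Put a short comment on the #elif line saying "KERNEXEC without MODULES: no executable allocation available, always disable PMI". The same compound condition is then repeated in the -323, -340 and -487 hunks; a single "#define VESAFB_PMI_KERNEXEC" style helper near the top of the file would keep the five sites in sync.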
72616 +@@ -323,13 +323,13 @@ static int __init vesafb_probe(struct pl
72617 + if (ypan || pmi_setpal) {
72618 + unsigned short *pmi_base;
72619 +
72620 +-#ifdef CONFIG_PAX_KERNEXEC
72621 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72622 + unsigned long cr0;
72623 + #endif
72624 +
72625 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
72626 +
72627 +-#ifdef CONFIG_PAX_KERNEXEC
72628 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72629 + pax_open_kernel(cr0);
72630 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
72631 + pax_close_kernel(cr0);
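Review bot: in the copy hunk the non-modular KERNEXEC build now skips pax_open_kernel()/memcpy()/pax_close_kernel(), so whatever the `#else` branch (not shown in the context) assigns to pmi_code is what a later ypan/pmi_setpal call would jump into, and under KERNEXEC that is not an executable mapping. This is only safe if the block the first hunk falls through to clears ypan and pmi_setpal before this `if (ypan || pmi_setpal)` is reached; please confirm that and state the dependency in the patch description or a comment next to the guard. The `unsigned long cr0` declaration guard is kept in step with its single use, which is right.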
72632 +@@ -340,7 +340,7 @@ static int __init vesafb_probe(struct pl
72633 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
72634 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
72635 +
72636 +-#ifdef CONFIG_PAX_KERNEXEC
72637 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72638 + pmi_start -= __KERNEL_TEXT_OFFSET;
72639 + pmi_pal -= __KERNEL_TEXT_OFFSET;
72640 + #endif
72641 +@@ -487,7 +487,7 @@ static int __init vesafb_probe(struct pl
72642 + return 0;
72643 + err:
72644 +
72645 +-#ifdef CONFIG_PAX_KERNEXEC
72646 ++#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72647 + module_free_exec(NULL, pmi_code);
72648 + #endif
72649 +
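Review bot: the err: hunk keeps module_free_exec(NULL, pmi_code) behind the same MODULES && KERNEXEC guard, which is consistent, but note that pmi_code is NULL on this path whenever module_alloc_exec() failed in the first hunk (that failure is handled by disabling pmi, not by jumping to err), so module_free_exec() has to tolerate a NULL pointer. That is pre-existing behaviour rather than something this patch introduces; an explicit `if (pmi_code)` around the free would make it obvious.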
72650
72651 Added: hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch
72652 ===================================================================
72653 --- hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch (rev 0)
72654 +++ hardened-sources/2.6/trunk/2.6.23/4475_deselect-kernexec-on-unsupported-arches.patch 2008-04-30 11:22:14 UTC (rev 90)
72655 @@ -0,0 +1,28 @@
72656 +From: nixnut <nixnut@g.o>
72657 +
72658 +KERNEXEC should probably only be enabled on x86 because otherwise
72659 +module.c will look for a header file that doesn't exist on most arches:
72660 +
72661 +#ifdef CONFIG_PAX_KERNEXEC
72662 +#include <asm/desc.h>
72663 +#endif
72664 +
72665 +KERNEXEC is supported on amd64/x86-64 in grsecurity upstream for
72666 +kernel 2.6.24.2 and the KERNEXEC feature selection logic has been
72667 +fixed. This patch should therefore probably be dropped for any
72668 +hardened-sources-2.6.24 based upon grsecurity for linux 2.6.24.2
72669 +or later.
72670 +
72671 +Acked-by: Kerin Millar <kerframil@×××××.com>
72672 +
72673 +--- a/grsecurity/Kconfig 2008-02-14 22:07:34.000000000 +0100
72674 ++++ b/grsecurity/Kconfig 2008-02-15 17:34:37.000000000 +0100
72675 +@@ -143,7 +143,7 @@
72676 + select PAX_EI_PAX
72677 + select PAX_PT_PAX_FLAGS
72678 + select PAX_HAVE_ACL_FLAGS
72679 +- select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
72680 ++ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
72681 + select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
72682 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
72683 + select PAX_SEGMEXEC if (X86 && !X86_64)
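Review bot: the Kconfig change only narrows this one `select PAX_KERNEXEC if (...)` line, i.e. the automatic selection done by the option this block belongs to; it does nothing to stop PAX_KERNEXEC being enabled by hand on a non-x86 arch, where module.c would still hit the missing <asm/desc.h> the description mentions. If the symbol's own definition lacks an arch restriction, adding `depends on X86` there is the complete fix and this line becomes redundant. The `X86 && !X86_64` spelling matches the PAX_SEGMEXEC line two below, so the style is consistent.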
72684
72685 Deleted: hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch
72686 ===================================================================
72687 --- hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch 2008-04-07 12:57:31 UTC (rev 89)
72688 +++ hardened-sources/2.6/trunk/2.6.23/4475_pax-vma-mirroring-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
72689 @@ -1,190 +0,0 @@
72690 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72691 -
72692 -Backport of various fixes for vma mirroring bugs in SEGMEXEC from 2.6.24
72693 -branch. Closes gentoo bug 198051.
72694 -
72695 -These patches are present in upstream grsecurity patches as of
72696 -pax-linux-2.6.24.2-test29.patch. This patch can be dropped for any
72697 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test29.patch or
72698 -later.
72699 -
72700 -Acked-by: Kerin Millar <kerframil@×××××.com>
72701 -
72702 -diff -urP linux-2.6.23-hardened-r7-orig/mm/memory.c linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72703 ---- linux-2.6.23-hardened-r7-orig/mm/memory.c
72704 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/memory.c
72705 -@@ -1777,13 +1777,13 @@
72706 - pte_unmap_nested(pte_m);
72707 - }
72708 -
72709 --static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, spinlock_t *ptl)
72710 -+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
72711 - {
72712 - struct page *page_m;
72713 - pte_t entry;
72714 -
72715 - if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
72716 -- return;
72717 -+ goto out;
72718 -
72719 - entry = *pte;
72720 - page_m = vm_normal_page(vma, address, entry);
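Review bot: turning the early `return` into `goto out` changes pax_mirror_pte's locking contract: the function now always drops the pte lock itself (pte_unmap_unlock at the new out: label), including on the !MF_PAX_SEGMEXEC path, and takes the pmd so it can re-map the pte after sleeping. Every caller must therefore stop unlocking after the call; the one in mm/memory.c is updated further down, but the hunk headers carry no function names (the diff was made without -p), so it is hard to tell from the diff whether any other caller exists. Please regenerate with `diff -up` and document the "consumes the pte lock" contract in a comment above the function.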
72721 -@@ -1791,9 +1791,9 @@
72722 - pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
72723 - else if (PageAnon(page_m)) {
72724 - if (pax_find_mirror_vma(vma)) {
72725 -- spin_unlock(ptl);
72726 -+ pte_unmap_unlock(pte, ptl);
72727 - lock_page(page_m);
72728 -- spin_lock(ptl);
72729 -+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
72730 - if (pte_same(entry, *pte))
72731 - pax_mirror_anon_pte(vma, address, page_m, ptl);
72732 - else
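Review bot: in the anonymous page branch the pte lock is dropped with pte_unmap_unlock(), the page is locked, and the pte is re-mapped with pte_offset_map_lock() before the pte_same() check, which is the right pattern for sleeping under a pte lock. What the hunk does not show is a reference on page_m across the unlocked window: once the pte lock is gone the pte can be zapped and page_m freed before lock_page(page_m) runs, unless the caller already holds a reference. Please confirm that a reference is held (or add get_page()/put_page() around the window) and say so in a comment.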
72733 -@@ -1801,6 +1801,9 @@
72734 - }
72735 - } else
72736 - pax_mirror_file_pte(vma, address, page_m, ptl);
72737 -+
72738 -+out:
72739 -+ pte_unmap_unlock(pte, ptl);
72740 - }
72741 - #endif
72742 -
72743 -@@ -2871,7 +2874,8 @@
72744 - }
72745 -
72746 - #ifdef CONFIG_PAX_SEGMEXEC
72747 -- pax_mirror_pte(vma, address, pte, ptl);
72748 -+ pax_mirror_pte(vma, address, pte, pmd, ptl);
72749 -+ return 0;
72750 - #endif
72751 -
72752 - unlock:
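Review bot: the caller hunk adds `return 0;` after pax_mirror_pte() because the callee now releases the pte lock itself, so falling through to unlock: would unlock twice. That leaves the code after the `#endif` reachable only on non-SEGMEXEC builds and via the direct `goto unlock` paths, which is intended but easy to misread; a comment such as `/* pax_mirror_pte() dropped the pte lock for us */` next to the return would help the next reader.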
72753 -diff -urP linux-2.6.23-hardened-r7-orig/mm/mmap.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72754 ---- linux-2.6.23-hardened-r7-orig/mm/mmap.c
72755 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mmap.c
72756 -@@ -877,6 +877,19 @@
72757 - if (area_m)
72758 - vma_adjust(area_m, addr_m, next_m->vm_end,
72759 - next_m->vm_pgoff - pglen, NULL);
72760 -+ else if (next_m) {
72761 -+ vma_adjust(next_m, addr_m, next_m->vm_end,
72762 -+ next_m->vm_pgoff - pglen, NULL);
72763 -+ BUG_ON(area == next);
72764 -+ BUG_ON(area->vm_mirror);
72765 -+ BUG_ON(next_m->anon_vma && next_m->anon_vma != area->anon_vma);
72766 -+ area->vm_mirror = next_m;
72767 -+ next_m->vm_mirror = area;
72768 -+ if (area->anon_vma && !next_m->anon_vma) {
72769 -+ next_m->anon_vma = area->anon_vma;
72770 -+ anon_vma_link(next_m);
72771 -+ }
72772 -+ }
72773 - #endif
72774 -
72775 - }
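Review bot: the new `else if (next_m)` branch in the merge path links `area` to an existing mirror that has no partner yet and guards its assumptions with three BUG_ON()s. Those are reachable from userland mmap()/mprotect() sequences if any assumption is ever wrong, so a bookkeeping slip becomes a kernel panic (a local DoS) rather than a refused merge; consider WARN_ON_ONCE() and skipping the link, or at least document why area->vm_mirror must be NULL and why next_m->anon_vma, when set, must equal area->anon_vma here. The anon_vma propagation only handles area-has-one/next_m-has-none; the reverse case is excluded by the third BUG_ON, so coverage is complete.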
72776 -@@ -1244,9 +1257,8 @@
72777 - if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
72778 - vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72779 - if (!vma_m) {
72780 -- kmem_cache_free(vm_area_cachep, vma);
72781 - error = -ENOMEM;
72782 -- goto unacct_error;
72783 -+ goto free_vma;
72784 - }
72785 - }
72786 - #endif
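Review bot: replacing the explicit kmem_cache_free(vm_area_cachep, vma) plus `goto unacct_error` with `goto free_vma` relies on the free_vma: label (outside this hunk) releasing vma's policy and the vma and then falling into unacct_error. That is fine only because vma's policy is still NULL at this point (vma comes from kmem_cache_zalloc and nothing has attached a policy yet); worth a comment, since the same label is also reached later after policies have been set.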
72787 -@@ -1274,6 +1286,19 @@
72788 - if (error)
72789 - goto unmap_and_free_vma;
72790 -
72791 -+#ifdef CONFIG_PAX_SEGMEXEC
72792 -+ if (vma_m) {
72793 -+ struct mempolicy *pol;
72794 -+
72795 -+ pol = mpol_copy(vma_policy(vma));
72796 -+ if (IS_ERR(pol)) {
72797 -+ mpol_free(vma_policy(vma));
72798 -+ goto unmap_and_free_vma;
72799 -+ }
72800 -+ vma_set_policy(vma_m, pol);
72801 -+ }
72802 -+#endif
72803 -+
72804 - #if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
72805 - if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
72806 - vma->vm_flags |= VM_PAGEEXEC;
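Review bot: the new mpol_copy() failure path jumps to unmap_and_free_vma without setting `error`; on entry to this block `error` is known to be 0 (the `if (error) goto unmap_and_free_vma;` just above), so mmap_region would tear the mapping down and then return 0 to its caller as if the mmap had succeeded. Set `error = PTR_ERR(pol);` (or -ENOMEM) before the goto, as the equivalent mm/mprotect.c hunk in this same patch does. In practice vma carries no policy yet at this point, so mpol_copy() returns NULL and never fails, but the path should still be correct. Separately, the mpol_free(vma_policy(vma)) here looks out of place: if unmap_and_free_vma/free_vma also frees the policy this is a double free, and if they do not, every other error path that jumps there leaks it; either way it differs from the mprotect counterpart, which frees only vma_m.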
72807 -@@ -1328,6 +1353,14 @@
72808 - mpol_free(vma_policy(vma));
72809 - kmem_cache_free(vm_area_cachep, vma);
72810 - vma = NULL;
72811 -+
72812 -+#ifdef CONFIG_PAX_SEGMEXEC
72813 -+ if (vma_m) {
72814 -+ mpol_free(vma_policy(vma_m));
72815 -+ kmem_cache_free(vm_area_cachep, vma_m);
72816 -+ }
72817 -+#endif
72818 -+
72819 - }
72820 - out:
72821 - mm->total_vm += len >> PAGE_SHIFT;
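Review bot: freeing vma_m together with vma when vma_merge() absorbed the new mapping closes a leak of the mirror vma, but vma_m is left dangling after kmem_cache_free(); mirror the `vma = NULL;` two lines above with `vma_m = NULL;` inside the new block so that nothing past out: can touch the freed mirror.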
72822 -@@ -2539,6 +2572,8 @@
72823 - struct rb_node **rb_link, *rb_parent;
72824 - struct mempolicy *pol;
72825 -
72826 -+ BUG_ON(vma->vm_mirror);
72827 -+
72828 - /*
72829 - * If anonymous vma has not yet been faulted, update new pgoff
72830 - * to match new location, to increase its chance of merging.
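Review bot: the new BUG_ON(vma->vm_mirror) at the top of copy_vma turns a mirrored (SEGMEXEC, executable) vma reaching mremap()'s move path into a kernel panic. If the mremap entry point does not already refuse such vmas, this is a user-triggerable oops; please point at where that refusal lives in the description, or make this a WARN_ON_ONCE() followed by `return NULL;` (which move_vma reports as -ENOMEM) rather than a BUG_ON.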
72831 -@@ -2584,10 +2619,14 @@
72832 - {
72833 - struct vm_area_struct *prev_m;
72834 - struct rb_node **rb_link_m, *rb_parent_m;
72835 -+ struct mempolicy *pol_m;
72836 -
72837 - BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
72838 -- BUG_ON(vma->vm_mirror || vma_m->vm_mirror || vma_policy(vma));
72839 -+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
72840 -+ BUG_ON(!vma_mpol_equal(vma, vma_m));
72841 -+ pol_m = vma_policy(vma_m);
72842 - *vma_m = *vma;
72843 -+ vma_set_policy(vma_m, pol_m);
72844 - vma_m->vm_start += SEGMEXEC_TASK_SIZE;
72845 - vma_m->vm_end += SEGMEXEC_TASK_SIZE;
72846 - vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
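Review bot: in pax_mirror_vma the order `pol_m = vma_policy(vma_m); *vma_m = *vma; vma_set_policy(vma_m, pol_m);` is load-bearing: the struct copy would otherwise leave both vmas pointing at the same mempolicy and a later mpol_free on either would free it for both. A one-line comment would keep someone from "simplifying" it away. The new BUG_ON(!vma_mpol_equal(vma, vma_m)) also makes it a precondition that every caller has already copied the policy onto vma_m (the mmap.c and mprotect.c hunks do); that precondition belongs in the comment above the function.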
72847 -diff -urP linux-2.6.23-hardened-r7-orig/mm/mprotect.c linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72848 ---- linux-2.6.23-hardened-r7-orig/mm/mprotect.c
72849 -+++ linux-2.6.23-hardened-r7-allfixes-r2/mm/mprotect.c
72850 -@@ -208,6 +208,8 @@
72851 - error = split_vma(mm, vma, start, 1);
72852 - if (error)
72853 - return -ENOMEM;
72854 -+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
72855 -+ *pprev = (*pprev)->vm_next;
72856 - }
72857 -
72858 - if (end != vma->vm_end) {
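Review bot: `*pprev = (*pprev)->vm_next;` after split_vma(mm, vma, start, 1) assumes *pprev still points at the vma preceding `vma` at the moment of the split, so that advancing one step lands on the freshly inserted lower half. The hunk does not show how *pprev was initialised; in the stock mprotect_fixup the assignment `*pprev = vma;` precedes the split, which would make this step walk past vma, so this tree must have moved that assignment. Please add a comment saying so, since the BUG_ON only fires if the assumption is wrong in the other direction, and note that it is reached only on the success path because the failure path returns -ENOMEM directly.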
72859 -@@ -266,11 +268,20 @@
72860 -
72861 - #ifdef CONFIG_PAX_SEGMEXEC
72862 - if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(oldflags & VM_EXEC) && (newflags & VM_EXEC)) {
72863 -+ struct mempolicy *pol;
72864 -+
72865 - vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72866 - if (!vma_m) {
72867 - error = -ENOMEM;
72868 - goto fail;
72869 - }
72870 -+ pol = mpol_copy(vma_policy(vma));
72871 -+ if (IS_ERR(pol)) {
72872 -+ kmem_cache_free(vm_area_cachep, vma_m);
72873 -+ error = -ENOMEM;
72874 -+ goto fail;
72875 -+ }
72876 -+ vma_set_policy(vma_m, pol);
72877 - }
72878 - #endif
72879 -
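Review bot: the mprotect side copies the mempolicy onto the new mirror and, on failure, frees only vma_m before `goto fail` with error = -ENOMEM, which is the right shape (vma itself stays live and keeps its policy). Folding the mpol_copy() error into -ENOMEM is acceptable since that is the only error it returns, but PTR_ERR(pol) is more robust. The matching mm/mmap.c hunk in this patch handles the same failure differently (it also frees vma's own policy and never sets `error`); the two paths should agree, and this one is the model.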
72880
72881 Added: hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch
72882 ===================================================================
72883 --- hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch (rev 0)
72884 +++ hardened-sources/2.6/trunk/2.6.23/4480_ia64-modular-kernel-compile-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
72885 @@ -0,0 +1,22 @@
72886 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
72887 +
72888 +ia64: Fix kernel compile failure with loadable module support enabled.
72889 +
72890 +This patch is present in upstream grsecurity patches as of
72891 +pax-linux-2.6.24.1-test12.patch. This patch can be dropped for any
72892 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.1-test12.patch or
72893 +later.
72894 +
72895 +Acked-by: Kerin Millar <kerframil@×××××.com>
72896 +
72897 +--- a/arch/ia64/kernel/module.c
72898 ++++ b/arch/ia64/kernel/module.c
72899 +@@ -531,7 +531,7 @@ in_core_rw (const struct module *mod, ui
72900 + static inline int
72901 + in_core (const struct module *mod, uint64_t addr)
72902 + {
72903 +- return in_core_rx(mod, value) || in_core_rw(mod, value);
72904 ++ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
72905 + }
72906 +
72907 + static inline int
72908
72909 Deleted: hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch
72910 ===================================================================
72911 --- hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch 2008-04-07 12:57:31 UTC (rev 89)
72912 +++ hardened-sources/2.6/trunk/2.6.23/4480_vesafb-pmi-kernexec-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
72913 @@ -1,60 +0,0 @@
72914 -From: Kerin Millar <kerframil@×××××.com>
72915 -
72916 -Disable the use of pmi in the vesafb framebuffer driver where the kernel
72917 -is non-modular and PAX_KERNEXEC is enabled, thus resolving a compile
72918 -error. Closes bug 197626.
72919 -
72920 -This patch is present in upstream grsecurity patches as of
72921 -pax-linux-2.6.24.2-test24.patch. This patch can be dropped for any
72922 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.2-test24.patch or
72923 -later.
72924 -
72925 ---- a/drivers/video/vesafb.c 2008-02-14 20:14:52.000000000 +0000
72926 -+++ b/drivers/video/vesafb.c 2008-02-17 21:37:44.000000000 +0000
72927 -@@ -302,10 +302,10 @@ static int __init vesafb_probe(struct pl
72928 -
72929 - #ifdef __i386__
72930 -
72931 --#ifdef CONFIG_PAX_KERNEXEC
72932 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72933 - pmi_code = module_alloc_exec(screen_info.vesapm_size);
72934 - if (!pmi_code)
72935 --#else
72936 -+#elif !defined(CONFIG_PAX_KERNEXEC)
72937 - if (0)
72938 - #endif
72939 -
72940 -@@ -323,13 +323,13 @@ static int __init vesafb_probe(struct pl
72941 - if (ypan || pmi_setpal) {
72942 - unsigned short *pmi_base;
72943 -
72944 --#ifdef CONFIG_PAX_KERNEXEC
72945 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72946 - unsigned long cr0;
72947 - #endif
72948 -
72949 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
72950 -
72951 --#ifdef CONFIG_PAX_KERNEXEC
72952 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72953 - pax_open_kernel(cr0);
72954 - memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
72955 - pax_close_kernel(cr0);
72956 -@@ -340,7 +340,7 @@ static int __init vesafb_probe(struct pl
72957 - pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
72958 - pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
72959 -
72960 --#ifdef CONFIG_PAX_KERNEXEC
72961 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72962 - pmi_start -= __KERNEL_TEXT_OFFSET;
72963 - pmi_pal -= __KERNEL_TEXT_OFFSET;
72964 - #endif
72965 -@@ -487,7 +487,7 @@ static int __init vesafb_probe(struct pl
72966 - return 0;
72967 - err:
72968 -
72969 --#ifdef CONFIG_PAX_KERNEXEC
72970 -+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
72971 - module_free_exec(NULL, pmi_code);
72972 - #endif
72973 -
72974
72975 Deleted: hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch
72976 ===================================================================
72977 --- hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch 2008-04-07 12:57:31 UTC (rev 89)
72978 +++ hardened-sources/2.6/trunk/2.6.23/4485_deselect-kernexec-on-unsupported-arches.patch 2008-04-30 11:22:14 UTC (rev 90)
72979 @@ -1,30 +0,0 @@
72980 -From: nixnut <nixnut@g.o>
72981 -
72982 -KERNEXEC should probably only be enabled on x86 because otherwise
72983 -module.c will look for a header file that doesn't exist on most arches:
72984 -
72985 -#ifdef CONFIG_PAX_KERNEXEC
72986 -#include <asm/desc.h>
72987 -#endif
72988 -
72989 -Currently it is also enabled on ppc if the security level is set to
72990 -'high' (GRKERNSEC_HIGH).
72991 -
72992 -KERNEXEC is supported on amd64/x86-64 in grsecurity upstream for
72993 -linux kernel 2.6.24.2. This patch should therefore probably be
72994 -dropped for any hardened-sources-2.6.24 based upon grsecurity
72995 -patches for linux kernel 2.6.24.2.
72996 -
72997 -Acked-by: Kerin Millar <kerframil@×××××.com>
72998 -
72999 ---- a/grsecurity/Kconfig 2008-02-14 22:07:34.000000000 +0100
73000 -+++ b/grsecurity/Kconfig 2008-02-15 17:34:37.000000000 +0100
73001 -@@ -143,7 +143,7 @@
73002 - select PAX_EI_PAX
73003 - select PAX_PT_PAX_FLAGS
73004 - select PAX_HAVE_ACL_FLAGS
73005 -- select PAX_KERNEXEC if (!X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
73006 -+ select PAX_KERNEXEC if (X86 && !X86_64 && !EFI && !COMPAT_VDSO && !PARAVIRT && X86_WP_WORKS_OK)
73007 - select PAX_MEMORY_UDEREF if (!X86_64 && !COMPAT_VDSO)
73008 - select PAX_RANDKSTACK if (X86_TSC && !X86_64)
73009 - select PAX_SEGMEXEC if (X86 && !X86_64)
73010
73011 Added: hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch
73012 ===================================================================
73013 --- hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch (rev 0)
73014 +++ hardened-sources/2.6/trunk/2.6.23/4485_grsec-ptrace-recursive-lock-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
73015 @@ -0,0 +1,22 @@
73016 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73017 +
73018 +Fix a recursive lock -- call to capable() within ptrace_attach().
73019 +
73020 +This patch is present in upstream grsecurity patches as of
73021 +grsecurity-2.1.11-2.6.24.3-200803131725.patch. This patch can
73022 +be dropped for any hardened-sources-2.6.24 based on
73023 +grsecurity-2.1.11-2.6.24.3-200803131725.patch or later.
73024 +
73025 +Acked-by: Kerin Millar <kerframil@×××××.com>
73026 +
73027 +--- a/kernel/ptrace.c
73028 ++++ b/kernel/ptrace.c
73029 +@@ -203,7 +203,7 @@ repeat:
73030 + /* Go */
73031 + task->ptrace |= PT_PTRACED | ((task->real_parent != current)
73032 + ? PT_ATTACHED : 0);
73033 +- if (capable(CAP_SYS_PTRACE))
73034 ++ if (capable_nolog(CAP_SYS_PTRACE))
73035 + task->ptrace |= PT_PTRACE_CAP;
73036 +
73037 + __ptrace_link(task, current);
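Review bot: swapping capable() for capable_nolog() in ptrace_attach changes only a side effect: the grsec capable() wrapper logs the capability use, and per the description that logging path recurses on a lock already held here. The permission result is unchanged, but it does mean a CAP_SYS_PTRACE grant of PT_PTRACE_CAP no longer shows up in grsec's capability audit trail; say so in the description, and add a comment at the call site explaining why the _nolog variant is required so a future cleanup does not revert it.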
73038
73039 Added: hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch
73040 ===================================================================
73041 --- hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch (rev 0)
73042 +++ hardened-sources/2.6/trunk/2.6.23/4490_grsec-netlink-security-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
73043 @@ -0,0 +1,162 @@
73044 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73045 +
73046 +Fix bug that allows audit and iscsi operations to be controlled
73047 +via netlink; it should be disallowed by grsec.
73048 +
73049 +More info @ https://bugs.gentoo.org/show_bug.cgi?id=213254
73050 +
73051 +This is grsecurity upstreams' version of the patch submitted
73052 +in the aforementioned bug.
73053 +
73054 +Thanks to cilly <cilly@××××××××××.nu> for bringing the patch to
73055 +our attention. Thanks to Kerin Millar <kerframil@×××××.com> for
73056 +following up with the author of the original patch and reporting
73057 +the matter upstream.
73058 +
73059 +This patch is present in upstream grsecurity patches as of
73060 +grsecurity-2.1.11-2.6.24.3-200803172136.patch. This patch can
73061 +be dropped for any hardened-sources-2.6.24 based on
73062 +grsecurity-2.1.11-2.6.24.3-200803172136.patch or later.
73063 +
73064 +Acked-by: Kerin Millar <kerframil@×××××.com>
73065 +
73066 +--- a/drivers/pci/proc.c
73067 ++++ b/drivers/pci/proc.c
73068 +@@ -469,7 +469,7 @@ static int __init pci_proc_init(void)
73069 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73070 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73071 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
73072 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73073 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73074 + proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
73075 + #endif
73076 + #else
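Review bot: the `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` to `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` change here, and the identical ones in fs/proc/base.c, kernel/configs.c, kernel/kallsyms.c and kernel/resource.c, are preprocessor hygiene (an undefined macro in `#elif` silently evaluates as 0, so the old form only worked by accident and trips -Wundef) and have nothing to do with the netlink capability fix this patch is named for. They belong in their own patch so the security-relevant hunks in grsecurity/grsec_sock.c and security/commoncap.c can be reviewed and backported on their own.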
73077 +--- a/fs/proc/base.c
73078 ++++ b/fs/proc/base.c
73079 +@@ -1102,7 +1102,7 @@ static int pid_getattr(struct vfsmount *
73080 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73081 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73082 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73083 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73084 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73085 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73086 + #endif
73087 + task_dumpable(task)) {
73088 +@@ -1144,7 +1144,7 @@ static int pid_revalidate(struct dentry
73089 + if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73090 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73091 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73092 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73093 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73094 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73095 + #endif
73096 + task_dumpable(task)) {
73097 +@@ -2265,7 +2265,7 @@ static struct dentry *proc_pid_instantia
73098 +
73099 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73100 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
73101 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73102 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73103 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
73104 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
73105 + #else
73106 +--- a/grsecurity/grsec_sock.c
73107 ++++ b/grsecurity/grsec_sock.c
73108 +@@ -16,6 +16,7 @@ extern struct sock *udp_v4_lookup(u32 sa
73109 + EXPORT_SYMBOL(udp_v4_lookup);
73110 + #endif
73111 +
73112 ++__u32 gr_cap_rtnetlink(struct sock *sock);
73113 + EXPORT_SYMBOL(gr_cap_rtnetlink);
73114 +
73115 + extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
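Review bot: the prototype for the new gr_cap_rtnetlink(struct sock *) signature is declared ad hoc twice, here above the EXPORT_SYMBOL and again as an `extern` in security/commoncap.c, while the old one is removed from include/linux/grsecurity.h. Keep a single declaration in the header (with a `struct sock;` forward declaration) so every caller is checked against the same signature; the local declaration here exists only because EXPORT_SYMBOL needs a visible prototype, which the header would provide.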
73116 +@@ -247,11 +248,21 @@ gr_handle_sock_client(const struct socka
73117 + }
73118 +
73119 + __u32
73120 +-gr_cap_rtnetlink(void)
73121 ++gr_cap_rtnetlink(struct sock *sock)
73122 + {
73123 + #ifdef CONFIG_GRKERNSEC
73124 + if (!gr_acl_is_enabled())
73125 + return current->cap_effective;
73126 ++ else if (sock->sk_protocol == NETLINK_ISCSI &&
73127 ++ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
73128 ++ gr_task_is_capable(current, CAP_SYS_ADMIN))
73129 ++ return current->cap_effective;
73130 ++ else if (sock->sk_protocol == NETLINK_AUDIT &&
73131 ++ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
73132 ++ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
73133 ++ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
73134 ++ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
73135 ++ return current->cap_effective;
73136 + else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
73137 + gr_task_is_capable(current, CAP_NET_ADMIN))
73138 + return current->cap_effective;
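Review bot: the new NETLINK_ISCSI and NETLINK_AUDIT branches in gr_cap_rtnetlink only ever add grants; they restrict nothing, because the unchanged `else if` below them still returns the task's full cap_effective for any netlink protocol whenever RBAC allows CAP_NET_ADMIN. A NETLINK_AUDIT sender that holds CAP_NET_ADMIN under the policy but not CAP_AUDIT_CONTROL therefore still passes its whole cap_effective mask (CAP_AUDIT_CONTROL included if the task has it) into NETLINK_CB(skb).eff_cap, which is what the audit subsystem checks. If the intent is that audit and iscsi control require their own capabilities under RBAC, the CAP_NET_ADMIN fallback must exclude those two protocols, or better, the function should return cap_effective masked down to the capabilities gr_task_is_capable() actually permits instead of all or nothing. The description also reads as if these operations were wrongly allowed, whereas the code change allows them for more callers; the two should be reconciled before this goes in.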
73139 +--- a/include/linux/grsecurity.h
73140 ++++ b/include/linux/grsecurity.h
73141 +@@ -167,7 +167,6 @@ __u32 gr_acl_handle_unix(const struct de
73142 + void gr_acl_handle_exit(void);
73143 + void gr_acl_handle_psacct(struct task_struct *task, const long code);
73144 + int gr_acl_handle_procpidmem(const struct task_struct *task);
73145 +-__u32 gr_cap_rtnetlink(void);
73146 +
73147 + #ifdef CONFIG_SYSVIPC
73148 + void gr_shm_exit(struct task_struct *task);
73149 +--- a/kernel/configs.c
73150 ++++ b/kernel/configs.c
73151 +@@ -82,7 +82,7 @@ static int __init ikconfig_init(void)
73152 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73153 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73154 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
73155 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73156 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73157 + entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
73158 + #endif
73159 + #else
73160 +--- a/kernel/kallsyms.c
73161 ++++ b/kernel/kallsyms.c
73162 +@@ -496,7 +496,7 @@ static int __init kallsyms_init(void)
73163 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73164 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73165 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
73166 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73167 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73168 + entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
73169 + #endif
73170 + #else
73171 +--- a/kernel/resource.c
73172 ++++ b/kernel/resource.c
73173 +@@ -136,7 +136,7 @@ static int __init ioresources_init(void)
73174 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73175 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73176 + entry = create_proc_entry("ioports", S_IRUSR, NULL);
73177 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73178 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73179 + entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
73180 + #endif
73181 + #else
73182 +@@ -148,7 +148,7 @@ static int __init ioresources_init(void)
73183 + #ifdef CONFIG_GRKERNSEC_PROC_ADD
73184 + #ifdef CONFIG_GRKERNSEC_PROC_USER
73185 + entry = create_proc_entry("iomem", S_IRUSR, NULL);
73186 +-#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73187 ++#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73188 + entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
73189 + #endif
73190 + #else
73191 +--- a/security/commoncap.c
73192 ++++ b/security/commoncap.c
73193 +@@ -24,9 +24,11 @@
73194 + #include <linux/hugetlb.h>
73195 + #include <linux/grsecurity.h>
73196 +
73197 ++extern __u32 gr_cap_rtnetlink(struct sock *sk);
73198 ++
73199 + int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
73200 + {
73201 +- NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
73202 ++ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
73203 + return 0;
73204 + }
73205 +
73206
73207 Deleted: hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch
73208 ===================================================================
73209 --- hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch 2008-04-07 12:57:31 UTC (rev 89)
73210 +++ hardened-sources/2.6/trunk/2.6.23/4490_ia64-modular-kernel-compile-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
73211 @@ -1,22 +0,0 @@
73212 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73213 -
73214 -ia64: Fix kernel compile failure with loadable module support enabled.
73215 -
73216 -This patch is present in upstream grsecurity patches as of
73217 -pax-linux-2.6.24.1-test12.patch. This patch can be dropped for any
73218 -hardened-sources-2.6.24 based upon pax-linux-2.6.24.1-test12.patch or
73219 -later.
73220 -
73221 -Acked-by: Kerin Millar <kerframil@×××××.com>
73222 -
73223 ---- a/arch/ia64/kernel/module.c
73224 -+++ b/arch/ia64/kernel/module.c
73225 -@@ -531,7 +531,7 @@ in_core_rw (const struct module *mod, ui
73226 - static inline int
73227 - in_core (const struct module *mod, uint64_t addr)
73228 - {
73229 -- return in_core_rx(mod, value) || in_core_rw(mod, value);
73230 -+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
73231 - }
73232 -
73233 - static inline int
73234
73235 Deleted: hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch
73236 ===================================================================
73237 --- hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch 2008-04-07 12:57:31 UTC (rev 89)
73238 +++ hardened-sources/2.6/trunk/2.6.23/4495_grsec-ptrace-recursive-lock-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
73239 @@ -1,22 +0,0 @@
73240 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73241 -
73242 -Fix a recursive lock -- call to capable() within ptrace_attach().
73243 -
73244 -This patch is present in upstream grsecurity patches as of
73245 -grsecurity-2.1.11-2.6.24.3-200803131725.patch. This patch can
73246 -be dropped for any hardened-sources-2.6.24 based on
73247 -grsecurity-2.1.11-2.6.24.3-200803131725.patch or later.
73248 -
73249 -Acked-by: Kerin Millar <kerframil@×××××.com>
73250 -
73251 ---- a/kernel/ptrace.c
73252 -+++ b/kernel/ptrace.c
73253 -@@ -203,7 +203,7 @@ repeat:
73254 - /* Go */
73255 - task->ptrace |= PT_PTRACED | ((task->real_parent != current)
73256 - ? PT_ATTACHED : 0);
73257 -- if (capable(CAP_SYS_PTRACE))
73258 -+ if (capable_nolog(CAP_SYS_PTRACE))
73259 - task->ptrace |= PT_PTRACE_CAP;
73260 -
73261 - __ptrace_link(task, current);
73262
73263 Added: hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch
73264 ===================================================================
73265 --- hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch (rev 0)
73266 +++ hardened-sources/2.6/trunk/2.6.23/4495_pax-hang-when-coredump-disabled-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
73267 @@ -0,0 +1,167 @@
73268 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73269 +
73270 +Fix bug where processes that have triggered a kill by PaX hang
73271 +instead when ELF_CORE is disabled.
73272 +
73273 +More info @ http://forums.grsecurity.net/viewtopic.php?f=3&t=1934
73274 +
73275 +This patch is present in upstream grsecurity patches as of
73276 +pax-linux-2.6.24.4-test37.patch. This patch can be dropped for any
73277 +hardened-sources-2.6.24 based upon pax-linux-2.6.24.4-test37.patch
73278 +or later.
73279 +
73280 +--- a/arch/alpha/mm/fault.c
73281 ++++ b/arch/alpha/mm/fault.c
73282 +@@ -267,7 +267,7 @@ do_page_fault(unsigned long address, uns
73283 +
73284 + }
73285 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
73286 +- do_exit(SIGKILL);
73287 ++ do_group_exit(SIGKILL);
73288 + #else
73289 + goto bad_area;
73290 + #endif
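Review bot: the substantive change in every pax_report_fault hunk of this patch is do_exit(SIGKILL) to do_group_exit(SIGKILL), and the description should spell out why: do_exit() terminates only the faulting thread, so in a multithreaded process the remaining threads keep running after a PaX violation and the process never goes away, which matches the hang being reported, whereas do_group_exit() takes the whole thread group down. The kill-on-violation guarantee is the security property at stake; with do_exit() alone an attacker who provokes a PaX fault in one thread leaves the rest of the process alive to carry on.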
73291 +--- a/arch/avr32/mm/fault.c
73292 ++++ b/arch/avr32/mm/fault.c
73293 +@@ -179,7 +179,7 @@ bad_area:
73294 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
73295 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
73296 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
73297 +- do_exit(SIGKILL);
73298 ++ do_group_exit(SIGKILL);
73299 + }
73300 + }
73301 + #endif
73302 +--- a/arch/i386/mm/fault.c
73303 ++++ b/arch/i386/mm/fault.c
73304 +@@ -436,7 +436,7 @@ fastcall void __kprobes do_page_fault(st
73305 + #endif
73306 +
73307 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73308 +- do_exit(SIGKILL);
73309 ++ do_group_exit(SIGKILL);
73310 + }
73311 +
73312 + pmd = pax_get_pmd(mm, address);
73313 +@@ -609,7 +609,7 @@ bad_area_nosemaphore:
73314 + if ((nx_enabled && (error_code & 16)) ||
73315 + ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(error_code & 3) && (regs->eip == address))) {
73316 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73317 +- do_exit(SIGKILL);
73318 ++ do_group_exit(SIGKILL);
73319 + }
73320 + #endif
73321 +
73322 +@@ -624,7 +624,7 @@ bad_area_nosemaphore:
73323 + #endif
73324 +
73325 + pax_report_fault(regs, (void *)regs->eip, (void *)regs->esp);
73326 +- do_exit(SIGKILL);
73327 ++ do_group_exit(SIGKILL);
73328 + }
73329 + #endif
73330 +
73331 +@@ -775,7 +775,7 @@ no_context:
73332 + tsk->thread.error_code = error_code;
73333 + die("Oops", regs, error_code);
73334 + bust_spinlocks(0);
73335 +- do_exit(SIGKILL);
73336 ++ do_group_exit(SIGKILL);
73337 +
73338 + /*
73339 + * We ran out of memory, or some other thing happened to us that made
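Review bot: the i386 no_context hunk (after die("Oops", ...)) and the x86_64 no_context hunk at the end of the patch change the kernel-mode fault path, and the out_of_memory hunk right below changes the OOM kill of a faulting user task; none of these is a "process killed by PaX" as the description puts it. Killing the whole thread group after an oops taken on its behalf is arguably better than leaving sibling threads running in a possibly corrupted address space, but it is a separate behavioural change and should be called out in the description, or split into its own patch.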
73340 +@@ -790,7 +790,7 @@ out_of_memory:
73341 + }
73342 + printk("VM: killing process %s\n", tsk->comm);
73343 + if (error_code & 4)
73344 +- do_exit(SIGKILL);
73345 ++ do_group_exit(SIGKILL);
73346 + goto no_context;
73347 +
73348 + do_sigbus:
73349 +--- a/arch/ia64/mm/fault.c
73350 ++++ b/arch/ia64/mm/fault.c
73351 +@@ -172,7 +172,7 @@ ia64_do_page_fault (unsigned long addres
73352 +
73353 + up_read(&mm->mmap_sem);
73354 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
73355 +- do_exit(SIGKILL);
73356 ++ do_group_exit(SIGKILL);
73357 + }
73358 + #endif
73359 +
73360 +--- a/arch/parisc/mm/fault.c
73361 ++++ b/arch/parisc/mm/fault.c
73362 +@@ -298,7 +298,7 @@ good_area:
73363 +
73364 + }
73365 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
73366 +- do_exit(SIGKILL);
73367 ++ do_group_exit(SIGKILL);
73368 + }
73369 + #endif
73370 +
73371 +--- a/arch/powerpc/mm/fault.c
73372 ++++ b/arch/powerpc/mm/fault.c
73373 +@@ -747,7 +747,7 @@ bad_area_nosemaphore:
73374 + }
73375 +
73376 + pax_report_fault(regs, (void*)regs->nip, (void*)regs->gpr[PT_R1]);
73377 +- do_exit(SIGKILL);
73378 ++ do_group_exit(SIGKILL);
73379 + }
73380 + }
73381 + #endif
73382 +--- a/arch/ppc/mm/fault.c
73383 ++++ b/arch/ppc/mm/fault.c
73384 +@@ -663,7 +663,7 @@ bad_area:
73385 + }
73386 +
73387 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[1]);
73388 +- do_exit(SIGKILL);
73389 ++ do_group_exit(SIGKILL);
73390 + }
73391 + }
73392 + #endif
73393 +--- a/arch/sparc/mm/fault.c
73394 ++++ b/arch/sparc/mm/fault.c
73395 +@@ -544,7 +544,7 @@ good_area:
73396 +
73397 + }
73398 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
73399 +- do_exit(SIGKILL);
73400 ++ do_group_exit(SIGKILL);
73401 + }
73402 + #endif
73403 +
73404 +--- a/arch/sparc64/mm/fault.c
73405 ++++ b/arch/sparc64/mm/fault.c
73406 +@@ -717,7 +717,7 @@ asmlinkage void __kprobes do_sparc64_fau
73407 +
73408 + }
73409 + pax_report_fault(regs, (void*)regs->tpc, (void*)(regs->u_regs[UREG_FP] + STACK_BIAS));
73410 +- do_exit(SIGKILL);
73411 ++ do_group_exit(SIGKILL);
73412 + }
73413 + #endif
73414 +
73415 +--- a/arch/x86_64/mm/fault.c
73416 ++++ b/arch/x86_64/mm/fault.c
73417 +@@ -649,7 +649,7 @@ bad_area_nosemaphore:
73418 + #endif
73419 +
73420 + pax_report_fault(regs, (void*)regs->rip, (void*)regs->rsp);
73421 +- do_exit(SIGKILL);
73422 ++ do_group_exit(SIGKILL);
73423 + }
73424 + #endif
73425 +
73426 +@@ -727,7 +727,7 @@ no_context:
73427 + /* Executive summary in case the body of the oops scrolled away */
73428 + printk(KERN_EMERG "CR2: %016lx\n", address);
73429 + oops_end(flags);
73430 +- do_exit(SIGKILL);
73431 ++ do_group_exit(SIGKILL);
73432 +
73433 + /*
73434 + * We ran out of memory, or some other thing happened to us that made
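Review bot: this no_context hunk is the only one in the patch that touches a kernel-mode fault path rather than a pax_report_fault() user-fault path: after `oops_end(flags);` the task that happened to be executing when the kernel faulted is now torn down with do_group_exit(SIGKILL), taking its sibling threads with it. That is consistent with the user-fault hunks, but since the other seven hunks are all PaX report sites, the patch description should state that the x86_64 oops path is deliberately included.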
73435
73436 Deleted: hardened-sources/2.6/trunk/2.6.23/4500_grsec-netlink-security-fixes.patch
73437 ===================================================================
73438 --- hardened-sources/2.6/trunk/2.6.23/4500_grsec-netlink-security-fixes.patch 2008-04-07 12:57:31 UTC (rev 89)
73439 +++ hardened-sources/2.6/trunk/2.6.23/4500_grsec-netlink-security-fixes.patch 2008-04-30 11:22:14 UTC (rev 90)
73440 @@ -1,162 +0,0 @@
73441 -From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73442 -
73443 -Fix bug that allows audit and iscsi operations to be controlled
73444 -via netlink; it should be disallowed by grsec.
73445 -
73446 -More info @ https://bugs.gentoo.org/show_bug.cgi?id=213254
73447 -
73448 -This is grsecurity upstream's version of the patch submitted
73449 -in the aforementioned bug.
73450 -
73451 -Thanks to cilly <cilly@××××××××××.nu> for bringing the patch to
73452 -our attention. Thanks to Kerin Millar <kerframil@×××××.com> for
73453 -following up with the author of the original patch and reporting
73454 -the matter upstream.
73455 -
73456 -This patch is present in upstream grsecurity patches as of
73457 -grsecurity-2.1.11-2.6.24.3-200803172136.patch. This patch can
73458 -be dropped for any hardened-sources-2.6.24 based on
73459 -grsecurity-2.1.11-2.6.24.3-200803172136.patch or later.
73460 -
73461 -Acked-by: Kerin Millar <kerframil@×××××.com>
73462 -
73463 ---- a/drivers/pci/proc.c
73464 -+++ b/drivers/pci/proc.c
73465 -@@ -469,7 +469,7 @@ static int __init pci_proc_init(void)
73466 - #ifdef CONFIG_GRKERNSEC_PROC_ADD
73467 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73468 - proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR, proc_bus);
73469 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73470 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73471 - proc_bus_pci_dir = proc_mkdir_mode("pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, proc_bus);
73472 - #endif
73473 - #else
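Review bot: `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` is the right spelling (a bare `#elif CONFIG_GRKERNSEC_PROC_USERGROUP` on an undefined symbol silently evaluates to 0 and only shows up under -Wundef), but the chain still has no branch for CONFIG_GRKERNSEC_PROC_ADD being set with neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP: inside the `#ifdef CONFIG_GRKERNSEC_PROC_ADD` block proc_bus_pci_dir is then never assigned. If Kconfig guarantees one of the two is selected, an `#else` with `#error` (or a comment) would document that; the same chain shape recurs in the kernel/configs.c, kernel/kallsyms.c and kernel/resource.c hunks below.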
73474 ---- a/fs/proc/base.c
73475 -+++ b/fs/proc/base.c
73476 -@@ -1102,7 +1102,7 @@ static int pid_getattr(struct vfsmount *
73477 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73478 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73479 - (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73480 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73481 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73482 - (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73483 - #endif
73484 - task_dumpable(task)) {
73485 -@@ -1144,7 +1144,7 @@ static int pid_revalidate(struct dentry
73486 - if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
73487 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73488 - (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
73489 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73490 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73491 - (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
73492 - #endif
73493 - task_dumpable(task)) {
73494 -@@ -2265,7 +2265,7 @@ static struct dentry *proc_pid_instantia
73495 -
73496 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73497 - inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
73498 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73499 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73500 - inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
73501 - inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
73502 - #else
73503 ---- a/grsecurity/grsec_sock.c
73504 -+++ b/grsecurity/grsec_sock.c
73505 -@@ -16,6 +16,7 @@ extern struct sock *udp_v4_lookup(u32 sa
73506 - EXPORT_SYMBOL(udp_v4_lookup);
73507 - #endif
73508 -
73509 -+__u32 gr_cap_rtnetlink(struct sock *sock);
73510 - EXPORT_SYMBOL(gr_cap_rtnetlink);
73511 -
73512 - extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
73513 -@@ -247,11 +248,21 @@ gr_handle_sock_client(const struct socka
73514 - }
73515 -
73516 - __u32
73517 --gr_cap_rtnetlink(void)
73518 -+gr_cap_rtnetlink(struct sock *sock)
73519 - {
73520 - #ifdef CONFIG_GRKERNSEC
73521 - if (!gr_acl_is_enabled())
73522 - return current->cap_effective;
73523 -+ else if (sock->sk_protocol == NETLINK_ISCSI &&
73524 -+ cap_raised(current->cap_effective, CAP_SYS_ADMIN) &&
73525 -+ gr_task_is_capable(current, CAP_SYS_ADMIN))
73526 -+ return current->cap_effective;
73527 -+ else if (sock->sk_protocol == NETLINK_AUDIT &&
73528 -+ cap_raised(current->cap_effective, CAP_AUDIT_WRITE) &&
73529 -+ gr_task_is_capable(current, CAP_AUDIT_WRITE) &&
73530 -+ cap_raised(current->cap_effective, CAP_AUDIT_CONTROL) &&
73531 -+ gr_task_is_capable(current, CAP_AUDIT_CONTROL))
73532 -+ return current->cap_effective;
73533 - else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) &&
73534 - gr_task_is_capable(current, CAP_NET_ADMIN))
73535 - return current->cap_effective;
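Review bot: the NETLINK_ISCSI and NETLINK_AUDIT branches fall through when their capability test fails, so the generic `else if (cap_raised(current->cap_effective, CAP_NET_ADMIN) && gr_task_is_capable(current, CAP_NET_ADMIN)) return current->cap_effective;` still applies to those sockets: a task whose role grants CAP_NET_ADMIN but not CAP_AUDIT_CONTROL hands the audit subsystem its unmasked raw cap_effective, which may well contain CAP_AUDIT_CONTROL. If RBAC is meant to gate audit and iSCSI control independently of CAP_NET_ADMIN, each protocol branch should return 0 when its own test fails instead of continuing down the chain, or the returned value should be masked to the capabilities gr_task_is_capable() actually confirmed. Separately, the audit branch demands CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL together, so a role permitted only to write audit records is refused unless it also holds CAP_NET_ADMIN; a comment saying whether that is deliberate would help.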
73536 ---- a/include/linux/grsecurity.h
73537 -+++ b/include/linux/grsecurity.h
73538 -@@ -167,7 +167,6 @@ __u32 gr_acl_handle_unix(const struct de
73539 - void gr_acl_handle_exit(void);
73540 - void gr_acl_handle_psacct(struct task_struct *task, const long code);
73541 - int gr_acl_handle_procpidmem(const struct task_struct *task);
73542 --__u32 gr_cap_rtnetlink(void);
73543 -
73544 - #ifdef CONFIG_SYSVIPC
73545 - void gr_shm_exit(struct task_struct *task);
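Review bot: dropping the prototype from include/linux/grsecurity.h and re-declaring gr_cap_rtnetlink() ad hoc in grsecurity/grsec_sock.c and again as `extern __u32 gr_cap_rtnetlink(struct sock *sk);` in security/commoncap.c means the compiler no longer checks the declarations against each other or against the definition. A forward `struct sock;` plus the new `__u32 gr_cap_rtnetlink(struct sock *sock);` in the header keeps one authoritative signature and lets both call sites drop their local externs.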
73546 ---- a/kernel/configs.c
73547 -+++ b/kernel/configs.c
73548 -@@ -82,7 +82,7 @@ static int __init ikconfig_init(void)
73549 - #ifdef CONFIG_GRKERNSEC_PROC_ADD
73550 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73551 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR, &proc_root);
73552 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73553 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73554 - entry = create_proc_entry("config.gz", S_IFREG | S_IRUSR | S_IRGRP, &proc_root);
73555 - #endif
73556 - #else
73557 ---- a/kernel/kallsyms.c
73558 -+++ b/kernel/kallsyms.c
73559 -@@ -496,7 +496,7 @@ static int __init kallsyms_init(void)
73560 - #ifdef CONFIG_GRKERNSEC_PROC_ADD
73561 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73562 - entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR, NULL);
73563 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73564 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73565 - entry = create_proc_entry("kallsyms", S_IFREG | S_IRUSR | S_IRGRP, NULL);
73566 - #endif
73567 - #else
73568 ---- a/kernel/resource.c
73569 -+++ b/kernel/resource.c
73570 -@@ -136,7 +136,7 @@ static int __init ioresources_init(void)
73571 - #ifdef CONFIG_GRKERNSEC_PROC_ADD
73572 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73573 - entry = create_proc_entry("ioports", S_IRUSR, NULL);
73574 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73575 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73576 - entry = create_proc_entry("ioports", S_IRUSR | S_IRGRP, NULL);
73577 - #endif
73578 - #else
73579 -@@ -148,7 +148,7 @@ static int __init ioresources_init(void)
73580 - #ifdef CONFIG_GRKERNSEC_PROC_ADD
73581 - #ifdef CONFIG_GRKERNSEC_PROC_USER
73582 - entry = create_proc_entry("iomem", S_IRUSR, NULL);
73583 --#elif CONFIG_GRKERNSEC_PROC_USERGROUP
73584 -+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
73585 - entry = create_proc_entry("iomem", S_IRUSR | S_IRGRP, NULL);
73586 - #endif
73587 - #else
73588 ---- a/security/commoncap.c
73589 -+++ b/security/commoncap.c
73590 -@@ -24,9 +24,11 @@
73591 - #include <linux/hugetlb.h>
73592 - #include <linux/grsecurity.h>
73593 -
73594 -+extern __u32 gr_cap_rtnetlink(struct sock *sk);
73595 -+
73596 - int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
73597 - {
73598 -- NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink();
73599 -+ NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
73600 - return 0;
73601 - }
73602 -
73603
73604 Added: hardened-sources/2.6/trunk/2.6.23/4500_grsec-user_transition-bypass-fix.patch
73605 ===================================================================
73606 --- hardened-sources/2.6/trunk/2.6.23/4500_grsec-user_transition-bypass-fix.patch (rev 0)
73607 +++ hardened-sources/2.6/trunk/2.6.23/4500_grsec-user_transition-bypass-fix.patch 2008-04-30 11:22:14 UTC (rev 90)
73608 @@ -0,0 +1,121 @@
73609 +From: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73610 +
73611 +Permission checks for user_transition_{allow,deny} rules in grsecurity's
73612 +RBAC system went missing from kernel/sys.c sometime previous to kernel
73613 +2.6.23. Further, the functions sys_setfsgid() & sys_setfsuid() should
73614 +return old_{fsgid,fsuid} on error.
73615 +
73616 +Local users could possibly use the missing checks to bypass RBAC's
73617 +security restrictions and gain elevated privileges.
73618 +
73619 +This patch is a backport of the bits relevant to fixing this issue,
73620 +sourced from: grsecurity-2.1.11-2.6.24.5-200804211829.patch
73621 +
73622 +This has been fixed as of grsecurity-2.1.11-2.6.24.5-200804211829.patch.
73623 +This patch can be dropped for any hardened-sources release based on
73624 +grsecurity-2.1.11-2.6.24.5-200804211829.patch or later.
73625 +
73626 +Reported by: Robert Buchholz <rbu at gentoo.org>
73627 +
73628 +For more information, reference:
73629 +https://bugs.gentoo.org/show_bug.cgi?id=219089
73630 +http://secunia.com/advisories/29899/
73631 +
73632 +--- a/kernel/sys.c
73633 ++++ b/kernel/sys.c
73634 +@@ -1047,6 +1047,10 @@ asmlinkage long sys_setregid(gid_t rgid,
73635 + else
73636 + return -EPERM;
73637 + }
73638 ++
73639 ++ if (gr_check_group_change(new_rgid, new_egid, -1))
73640 ++ return -EPERM;
73641 ++
73642 + if (new_egid != old_egid) {
73643 + set_dumpable(current->mm, suid_dumpable);
73644 + smp_wmb();
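Review bot: gr_check_group_change(new_rgid, new_egid, -1) sits after the -EPERM checks and before set_dumpable(), so a denied transition leaves no partially applied state, which is the right place for it. The third argument is -1 here while the sys_setgid hunk below passes gid for all three; if the transition rules distinguish the fsgid, the value setregid will adopt for it should be passed as well, otherwise a short comment on why -1 is sufficient would help.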
73645 +@@ -1079,6 +1083,9 @@ asmlinkage long sys_setgid(gid_t gid)
73646 + if (retval)
73647 + return retval;
73648 +
73649 ++ if (gr_check_group_change(gid, gid, gid))
73650 ++ return -EPERM;
73651 ++
73652 + if (capable(CAP_SETGID)) {
73653 + if (old_egid != gid) {
73654 + set_dumpable(current->mm, suid_dumpable);
73655 +@@ -1176,6 +1183,9 @@ asmlinkage long sys_setreuid(uid_t ruid,
73656 + return -EPERM;
73657 + }
73658 +
73659 ++ if (gr_check_user_change(new_ruid, new_euid, -1))
73660 ++ return -EPERM;
73661 ++
73662 + if (new_ruid != old_ruid && set_user(new_ruid, new_euid != old_euid) < 0)
73663 + return -EAGAIN;
73664 +
73665 +@@ -1222,6 +1232,12 @@ asmlinkage long sys_setuid(uid_t uid)
73666 + old_suid = current->suid;
73667 + new_suid = old_suid;
73668 +
73669 ++ if (gr_check_crash_uid(uid))
73670 ++ return -EPERM;
73671 ++
73672 ++ if (gr_check_user_change(uid, uid, uid))
73673 ++ return -EPERM;
73674 ++
73675 + if (capable(CAP_SETUID)) {
73676 + if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
73677 + return -EAGAIN;
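Review bot: moving gr_check_crash_uid(uid) ahead of the capable(CAP_SETUID) block is the important part of this hunk: in its old position (removed in the next hunk) it ran after `set_user(uid, old_euid != uid)` had already switched the real uid, so a denied crash-uid transition returned -EPERM with current->uid already changed. With the new order both gr_check_crash_uid() and gr_check_user_change(uid, uid, uid) run before any state is touched; a brief note in the patch description that this also fixes a half-applied transition would be worth adding.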
73678 +@@ -1229,9 +1245,6 @@ asmlinkage long sys_setuid(uid_t uid)
73679 + } else if ((uid != current->uid) && (uid != new_suid))
73680 + return -EPERM;
73681 +
73682 +- if (gr_check_crash_uid(uid))
73683 +- return -EPERM;
73684 +-
73685 + if (old_euid != uid) {
73686 + set_dumpable(current->mm, suid_dumpable);
73687 + smp_wmb();
73688 +@@ -1272,6 +1285,10 @@ asmlinkage long sys_setresuid(uid_t ruid
73689 + (suid != current->euid) && (suid != current->suid))
73690 + return -EPERM;
73691 + }
73692 ++
73693 ++ if (gr_check_user_change(ruid, euid, -1))
73694 ++ return -EPERM;
73695 ++
73696 + if (ruid != (uid_t) -1) {
73697 + if (ruid != current->uid && set_user(ruid, euid != current->euid) < 0)
73698 + return -EAGAIN;
73699 +@@ -1326,6 +1343,10 @@ asmlinkage long sys_setresgid(gid_t rgid
73700 + (sgid != current->egid) && (sgid != current->sgid))
73701 + return -EPERM;
73702 + }
73703 ++
73704 ++ if (gr_check_group_change(rgid, egid, -1))
73705 ++ return -EPERM;
73706 ++
73707 + if (egid != (gid_t) -1) {
73708 + if (egid != current->egid) {
73709 + set_dumpable(current->mm, suid_dumpable);
73710 +@@ -1372,6 +1393,9 @@ asmlinkage long sys_setfsuid(uid_t uid)
73711 + if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS))
73712 + return old_fsuid;
73713 +
73714 ++ if (gr_check_user_change(-1, -1, uid))
73715 ++ return old_fsuid;
73716 ++
73717 + if (uid == current->uid || uid == current->euid ||
73718 + uid == current->suid || uid == current->fsuid ||
73719 + capable(CAP_SETUID)) {
73720 +@@ -1404,6 +1428,9 @@ asmlinkage long sys_setfsgid(gid_t gid)
73721 + if (gid == current->gid || gid == current->egid ||
73722 + gid == current->sgid || gid == current->fsgid ||
73723 + capable(CAP_SETGID)) {
73724 ++ if (gr_check_group_change(-1, -1, gid))
73725 ++ return old_fsgid;
73726 ++
73727 + if (gid != old_fsgid) {
73728 + set_dumpable(current->mm, suid_dumpable);
73729 + smp_wmb();
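Review bot: here gr_check_group_change(-1, -1, gid) is nested inside the `if (gid == current->gid || gid == current->egid || ... capable(CAP_SETGID))` block, whereas the sys_setfsuid hunk runs gr_check_user_change(-1, -1, uid) before the equivalent DAC test. Both paths return the old id on denial either way, but with this placement the RBAC check on the fsgid path is only evaluated when DAC already permits the change, while on the fsuid path it is evaluated for every request; pick one placement for both so the two calls behave and report alike.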
73730
73731 Deleted: hardened-sources/2.6/trunk/2.6.23/4505_grsec-pax_emutramp.patch
73732 ===================================================================
73733 --- hardened-sources/2.6/trunk/2.6.23/4505_grsec-pax_emutramp.patch 2008-04-07 12:57:31 UTC (rev 89)
73734 +++ hardened-sources/2.6/trunk/2.6.23/4505_grsec-pax_emutramp.patch 2008-04-30 11:22:14 UTC (rev 90)
73735 @@ -1,21 +0,0 @@
73736 -From: Christian Heim <phreak@g.o>
73737 -
73738 -CONFIG_PAX_EMUTRAMP is somehow breaking sandbox on AMD64 (only multilib ?). Thus
73739 -we only allow it for the 32bit variants of the X86 architecture.
73740 -
73741 -For a full history of the bug see #206678 (https://bugs.gentoo.org/206678).
73742 -
73743 -Acked-by: Kerin Millar <kerframil@×××××.com>
73744 -Acked-by: Gordon Malm <bugs-gentoo-org-02@××××××.org>
73745 -
73746 ---- a/security/Kconfig
73747 -+++ b/security/Kconfig
73748 -@@ -153,7 +153,7 @@ config PAX_SEGMEXEC
73749 - 3 GB.
73750 -
73751 - config PAX_EMUTRAMP
73752 -- bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86)
73753 -+ bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || PPC32 || X86_32)
73754 - default y if PARISC || PPC32
73755 - help
73756 - There are some programs and libraries that for one reason or
73757
73758 --
73759 gentoo-commits@l.g.o mailing list