SOURCES (LINUX_2_6_20): grsecurity-2.1.10-2.6.20.3.patch - merged ...

zbyniu zbyniu at pld-linux.org
Tue Apr 10 21:13:02 CEST 2007


Author: zbyniu                       Date: Tue Apr 10 19:13:02 2007 GMT
Module: SOURCES                       Tag: LINUX_2_6_20
---- Log message:
- merged changes from grsecurity-2.1.10-2.6.20.6-200704091818.patch
- cleanups

---- Files affected:
SOURCES:
   grsecurity-2.1.10-2.6.20.3.patch (1.1.2.5 -> 1.1.2.6) 

---- Diffs:

================================================================
Index: SOURCES/grsecurity-2.1.10-2.6.20.3.patch
diff -u SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.5 SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.6
--- SOURCES/grsecurity-2.1.10-2.6.20.3.patch:1.1.2.5	Mon Apr  9 22:36:11 2007
+++ SOURCES/grsecurity-2.1.10-2.6.20.3.patch	Tue Apr 10 21:12:57 2007
@@ -46,7 +46,7 @@
  
  #include <asm/uaccess.h>
  #include <asm/pgtable.h>
-@@ -283,6 +284,9 @@ do_sys_ptrace(long request, long pid, lo
+@@ -289,6 +290,9 @@ do_sys_ptrace(long request, long pid, lo
  		goto out;
  	}
  
@@ -3563,6 +3563,15 @@
  	unsigned long base = (kesp - uesp) & -THREAD_SIZE;
  	unsigned long new_kesp = kesp - base;
  	unsigned long lim_pages = (new_kesp | (THREAD_SIZE - 1)) >> PAGE_SHIFT;
+@@ -1076,7 +1095,7 @@ void __init trap_init_f00f_bug(void)
+ 	 * Update the IDT descriptor and reload the IDT so that
+ 	 * it uses the read-only mapped virtual address.
+ 	 */
+-	idt_descr.address = fix_to_virt(FIX_F00F_IDT);
++	idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
+ 	load_idt(&idt_descr);
+ }
+ #endif
 diff -urNp linux-2.6.20.3/arch/i386/kernel/tsc.c linux-2.6.20.3/arch/i386/kernel/tsc.c
 --- linux-2.6.20.3/arch/i386/kernel/tsc.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/arch/i386/kernel/tsc.c	2007-03-23 08:10:06.000000000 -0400
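Review bot: The cast added in `trap_init_f00f_bug`, together with the matching `(unsigned long)idt_descr.address` cast in the `bad_area_nosemaphore` hunk that follows, implies `idt_descr.address` is a pointer in the patched tree, but the log message only says "cleanups". Both sites appear to be built only for the F00F workaround (the `#endif` closing this hunk, the `boot_cpu_data.f00f_bug` test in the other), so a build with that option enabled is needed to confirm they compile. I would record the change in the log, e.g. `- fix idt_descr.address pointer/integer mismatch in F00F code (traps.c, fault.c)`. It is also worth checking for other integer uses of `idt_descr.address` that this diff does not show.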
@@ -5913,7 +5922,16 @@
  	/* User mode accesses just cause a SIGSEGV */
  	if (error_code & 4) {
  		/* 
-@@ -551,6 +708,22 @@ no_context:
+@@ -508,7 +666,7 @@ bad_area_nosemaphore:
+ 	if (boot_cpu_data.f00f_bug) {
+ 		unsigned long nr;
+ 		
+-		nr = (address - idt_descr.address) >> 3;
++		nr = (address - (unsigned long)idt_descr.address) >> 3;
+ 
+ 		if (nr == 6) {
+ 			do_invalid_op(regs, 0);
+@@ -551,6 +709,22 @@ no_context:
  		if (address < PAGE_SIZE)
  			printk(KERN_ALERT "BUG: unable to handle kernel NULL "
  					"pointer dereference");
@@ -5936,7 +5954,7 @@
  		else
  			printk(KERN_ALERT "BUG: unable to handle kernel paging"
  					" request");
-@@ -558,24 +731,34 @@ no_context:
+@@ -558,24 +732,34 @@ no_context:
  		printk(KERN_ALERT " printing eip:\n");
  		printk("%08lx\n", regs->eip);
  	}
@@ -5987,7 +6005,7 @@
  	tsk->thread.cr2 = address;
  	tsk->thread.trap_no = 14;
  	tsk->thread.error_code = error_code;
-@@ -652,3 +835,101 @@ void vmalloc_sync_all(void)
+@@ -653,3 +837,101 @@ void vmalloc_sync_all(void)
  	}
  }
  #endif
@@ -13429,7 +13447,7 @@
 diff -urNp linux-2.6.20.3/fs/namespace.c linux-2.6.20.3/fs/namespace.c
 --- linux-2.6.20.3/fs/namespace.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/namespace.c	2007-03-23 08:11:31.000000000 -0400
-@@ -25,6 +25,7 @@
+@@ -30,6 +30,7 @@
  #include <linux/vs_tag.h>
  #include <linux/vserver/space.h>
  #include <linux/vserver/global.h>
@@ -13437,8 +13455,8 @@
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
  #include "pnode.h"
-@@ -599,6 +600,8 @@ static int do_umount(struct vfsmount *mn
- 			DQUOT_OFF(sb);
+@@ -658,6 +659,8 @@ static int do_umount(struct vfsmount *mn
+ 			DQUOT_OFF(sb->s_dqh);
  			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
  			unlock_kernel();
 +
@@ -13446,7 +13464,7 @@
  		}
  		up_write(&sb->s_umount);
  		return retval;
-@@ -619,6 +622,9 @@ static int do_umount(struct vfsmount *mn
+@@ -678,6 +681,9 @@ static int do_umount(struct vfsmount *mn
  		security_sb_umount_busy(mnt);
  	up_write(&namespace_sem);
  	release_mounts(&umount_list);
@@ -13456,7 +13474,7 @@
  	return retval;
  }
  
-@@ -1421,6 +1427,11 @@ long do_mount(char *dev_name, char *dir_
+@@ -1504,6 +1510,11 @@ long do_mount(char *dev_name, char *dir_
  	if (retval)
  		goto dput_out;
  
@@ -13467,8 +13485,8 @@
 +
  	if (flags & MS_REMOUNT)
  		retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
- 				    data_page);
-@@ -1435,6 +1446,9 @@ long do_mount(char *dev_name, char *dir_
+ 				    data_page, tag);
+@@ -1518,6 +1529,9 @@ long do_mount(char *dev_name, char *dir_
  				      dev_name, data_page);
  dput_out:
  	path_release(&nd);
@@ -13478,7 +13496,7 @@
  	return retval;
  }
  
-@@ -1688,6 +1702,9 @@ asmlinkage long sys_pivot_root(const cha
+@@ -1772,6 +1786,9 @@ asmlinkage long sys_pivot_root(const cha
  	if (!capable(CAP_SYS_ADMIN))
  		return -EPERM;
  
@@ -13676,8 +13694,8 @@
 diff -urNp linux-2.6.20.3/fs/proc/array.c linux-2.6.20.3/fs/proc/array.c
 --- linux-2.6.20.3/fs/proc/array.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/proc/array.c	2007-03-23 08:11:31.000000000 -0400
-@@ -291,6 +291,21 @@ static inline char *task_cap(struct task
- 			    cap_t(p->cap_effective));
+@@ -304,6 +304,21 @@ static inline char *task_cap(struct task
+ 		(unsigned)vx_info_mbcap(vxi, p->cap_effective));
  }
  
 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
@@ -13773,7 +13791,7 @@
 diff -urNp linux-2.6.20.3/fs/proc/base.c linux-2.6.20.3/fs/proc/base.c
 --- linux-2.6.20.3/fs/proc/base.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/proc/base.c	2007-03-23 08:11:31.000000000 -0400
-@@ -73,6 +73,7 @@
+@@ -75,6 +75,7 @@
  #include <linux/oom.h>
  #include <linux/vs_context.h>
  #include <linux/vs_network.h>
@@ -13781,7 +13799,7 @@
  
  #include "internal.h"
  
-@@ -194,7 +195,7 @@ static int proc_root_link(struct inode *
+@@ -197,7 +198,7 @@ static int proc_root_link(struct inode *
  	(task->parent == current && \
  	(task->ptrace & PT_PTRACED) && \
  	 (task->state == TASK_STOPPED || task->state == TASK_TRACED) && \
@@ -13930,9 +13948,9 @@
  			files = get_files_struct(p);
  			if (!files)
  				goto out;
-@@ -1486,6 +1542,9 @@ static struct dentry *proc_pident_lookup
+@@ -1479,6 +1535,9 @@ static struct dentry *proc_pident_lookup
  		!memcmp(dentry->d_name.name, "ninfo", 5)))
- 		goto out_no_task;
+ 		goto out;
  
 +	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
 +		goto out;
@@ -14007,7 +14025,7 @@
  	struct task_struct *task;
  	int tgid;
  
-@@ -2100,6 +2182,18 @@ int proc_pid_readdir(struct file * filp,
+@@ -2117,6 +2199,18 @@ int proc_pid_readdir(struct file * filp,
  	     task;
  	     put_task_struct(task), task = next_tgid(tgid + 1)) {
  		tgid = task->pid;
@@ -14024,8 +14042,8 @@
 +			continue;
 +
  		filp->f_pos = tgid + TGID_OFFSET;
- 		if (proc_pid_fill_cache(filp, dirent, filldir, task, tgid) < 0) {
- 			put_task_struct(task);
+ 		if (!vx_proc_task_visible(task))
+ 			continue;
 diff -urNp linux-2.6.20.3/fs/proc/inode.c linux-2.6.20.3/fs/proc/inode.c
 --- linux-2.6.20.3/fs/proc/inode.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/proc/inode.c	2007-03-23 08:11:31.000000000 -0400
@@ -14492,15 +14510,15 @@
 diff -urNp linux-2.6.20.3/fs/utimes.c linux-2.6.20.3/fs/utimes.c
 --- linux-2.6.20.3/fs/utimes.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/fs/utimes.c	2007-03-23 08:11:31.000000000 -0400
-@@ -5,6 +5,7 @@
- #include <linux/sched.h>
+@@ -6,6 +6,7 @@
  #include <linux/utime.h>
+ #include <linux/mount.h>
  #include <linux/vs_cowbl.h>
 +#include <linux/grsecurity.h>
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
  
-@@ -61,6 +62,12 @@ asmlinkage long sys_utime(char __user * 
+@@ -63,6 +64,12 @@ asmlinkage long sys_utime(char __user * 
  		    (error = vfs_permission(&nd, MAY_WRITE)) != 0)
  			goto dput_and_out;
  	}
@@ -14513,7 +14531,7 @@
  	mutex_lock(&inode->i_mutex);
  	error = notify_change(nd.dentry, &newattrs);
  	mutex_unlock(&inode->i_mutex);
-@@ -114,6 +121,12 @@ long do_utimes(int dfd, char __user *fil
+@@ -115,6 +122,12 @@ long do_utimes(int dfd, char __user *fil
  		    (error = vfs_permission(&nd, MAY_WRITE)) != 0)
  			goto dput_and_out;
  	}
@@ -27422,7 +27440,7 @@
  #include <asm/uaccess.h>
  
  unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
-@@ -234,14 +235,25 @@ out:
+@@ -237,14 +238,25 @@ out:
       return ret;
  }
  
@@ -27448,7 +27466,7 @@
 +}
  EXPORT_SYMBOL(__capable);
  
- int capable(int cap)
+ #include <linux/vserver/base.h>
 @@ -249,3 +261,4 @@ int capable(int cap)
  	return __capable(current, cap);
  }
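Review bot: The inner header `@@ -249,3 +261,4 @@ int capable(int cap)` was left untouched although the preceding inner hunk moved from `-234,14 +235,25` to `-237,14 +238,25`, so the two hunks now overlap on both sides (237+14 runs past 249, 238+25 past 261). patch(1) will most likely still place it by searching for the context, but only at an offset, and a security patch should not depend on offset or fuzz matching to land in the right function. Renumbering it (presumably by the same three lines, if nothing else moved) or regenerating the diff against the vserver-patched tree would fix it. The mm/memory.c part has the same problem: `@@ -2460,6 +2590,49 @@ int __handle_mm_fault` now follows a hunk whose old side starts at 2464.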
@@ -28256,7 +28274,7 @@
  
  #include <asm/pgtable.h>
  #include <asm/uaccess.h>
-@@ -137,12 +138,12 @@ static int may_attach(struct task_struct
+@@ -138,12 +139,12 @@ static int may_attach(struct task_struct
  	     (current->uid != task->uid) ||
  	     (current->gid != task->egid) ||
  	     (current->gid != task->sgid) ||
@@ -28269,9 +28287,9 @@
 -	if (!dumpable && !capable(CAP_SYS_PTRACE))
 +	if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
  		return -EPERM;
- 
- 	return security_ptrace(current, task);
-@@ -477,6 +478,11 @@ asmlinkage long sys_ptrace(long request,
+ 	if (!vx_check(task->xid, VS_ADMIN_P|VS_IDENT))
+ 		return -EPERM;
+@@ -487,6 +488,11 @@ asmlinkage long sys_ptrace(long request,
  	if (ret < 0)
  		goto out_put_task_struct;
  
@@ -28363,8 +28381,8 @@
 +#include <linux/grsecurity.h>
  #include <linux/nsproxy.h>
  #include <linux/vs_context.h>
- 
-@@ -595,11 +596,11 @@ static int check_kill_permission(int sig
+ #include <linux/vs_pid.h>
+@@ -596,11 +597,11 @@ static int check_kill_permission(int sig
  		sig, info, t, vx_task_xid(t), t->pid);
  
  	error = -EPERM;
@@ -28378,7 +28396,7 @@
  		return error;
  
  	error = -ESRCH;
-@@ -611,8 +612,10 @@ static int check_kill_permission(int sig
+@@ -612,8 +613,10 @@ static int check_kill_permission(int sig
  	}
  skip:
  	error = security_task_kill(t, info, sig, 0);
@@ -28390,7 +28408,7 @@
  	return error;
  }
  
-@@ -790,7 +793,7 @@ out_set:
+@@ -791,7 +794,7 @@ out_set:
  	(((sig) < SIGRTMIN) && sigismember(&(sigptr)->signal, (sig)))
  
  
@@ -28399,7 +28417,7 @@
  specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
  {
  	int ret = 0;
-@@ -844,6 +847,10 @@ force_sig_info(int sig, struct siginfo *
+@@ -845,6 +848,10 @@ force_sig_info(int sig, struct siginfo *
  		}
  	}
  	ret = specific_send_sig_info(sig, info, t);
@@ -28421,8 +28439,8 @@
  
  #include <linux/compat.h>
  #include <linux/syscalls.h>
-@@ -579,6 +580,12 @@ static int set_one_prio(struct task_stru
- 		error = -EACCES;
+@@ -583,6 +584,12 @@ static int set_one_prio(struct task_stru
+ 			error = -EACCES;
  		goto out;
  	}
 +
@@ -28525,7 +28543,7 @@
  
  /* External variables not in a header file. */
  extern int C_A_D;
-@@ -155,7 +163,7 @@ static int proc_do_cad_pid(ctl_table *ta
+@@ -156,7 +164,7 @@ static int proc_do_cad_pid(ctl_table *ta
  
  static ctl_table root_table[];
  static struct ctl_table_header root_table_header =
@@ -28534,7 +28552,7 @@
  
  static ctl_table kern_table[];
  static ctl_table vm_table[];
-@@ -169,6 +177,7 @@ extern ctl_table pty_table[];
+@@ -170,6 +178,7 @@ extern ctl_table pty_table[];
  #ifdef CONFIG_INOTIFY_USER
  extern ctl_table inotify_table[];
  #endif
@@ -28542,7 +28560,7 @@
  
  #ifdef HAVE_ARCH_PICK_MMAP_LAYOUT
  int sysctl_legacy_va_layout;
-@@ -208,6 +217,21 @@ static void *get_ipc(ctl_table *table, i
+@@ -209,6 +218,21 @@ static void *get_ipc(ctl_table *table, i
  #define get_ipc(T,W) ((T)->data)
  #endif
  
@@ -28564,7 +28582,7 @@
  /* /proc declarations: */
  
  #ifdef CONFIG_PROC_SYSCTL
-@@ -269,7 +293,6 @@ static ctl_table root_table[] = {
+@@ -270,7 +294,6 @@ static ctl_table root_table[] = {
  		.mode		= 0555,
  		.child		= dev_table,
  	},
@@ -28572,7 +28590,7 @@
  	{ .ctl_name = 0 }
  };
  
-@@ -781,6 +804,23 @@ static ctl_table kern_table[] = {
+@@ -791,6 +814,23 @@ static ctl_table kern_table[] = {
  	},
  #endif
  
@@ -28596,7 +28614,7 @@
  	{ .ctl_name = 0 }
  };
  
-@@ -1295,6 +1335,10 @@ static int test_perm(int mode, int op)
+@@ -1305,6 +1345,10 @@ static int test_perm(int mode, int op)
  static inline int ctl_perm(ctl_table *table, int op)
  {
  	int error;
@@ -28607,7 +28625,7 @@
  	error = security_sysctl(table, op);
  	if (error)
  		return error;
-@@ -1334,6 +1378,10 @@ repeat:
+@@ -1344,6 +1388,10 @@ repeat:
  				table = table->child;
  				goto repeat;
  			}
@@ -28996,7 +29014,7 @@
  unlock:
  	pte_unmap_unlock(page_table, ptl);
  	if (dirty_page) {
-@@ -2438,6 +2562,12 @@ static inline int handle_pte_fault(struc
+@@ -2464,6 +2588,12 @@ static inline int handle_pte_fault(struc
  			flush_tlb_page(vma, address);
  	}
  unlock:
@@ -29007,8 +29025,8 @@
 +#endif
 +
  	pte_unmap_unlock(pte, ptl);
- 	return VM_FAULT_MINOR;
- }
+ 	ret = VM_FAULT_MINOR;
+ out:
 @@ -2460,6 +2590,49 @@ int __handle_mm_fault(struct mm_struct *
  	if (unlikely(is_vm_hugetlb_page(vma)))
  		return hugetlb_fault(mm, vma, address, write_access);
@@ -29529,11 +29547,11 @@
  			vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
 @@ -1143,6 +1262,7 @@ munmap_back:
  out:	
- 	mm->total_vm += len >> PAGE_SHIFT;
+ 	vx_vmpages_add(mm, len >> PAGE_SHIFT);
  	vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
 +	track_exec_limit(mm, addr, addr + len, vm_flags);
  	if (vm_flags & VM_LOCKED) {
- 		mm->locked_vm += len >> PAGE_SHIFT;
+ 		vx_vmlocked_add(mm, len >> PAGE_SHIFT);
  		make_pages_present(addr, addr + len);
 @@ -1197,6 +1317,10 @@ arch_get_unmapped_area(struct file *filp
  	if (len > TASK_SIZE)
@@ -29873,8 +29891,8 @@
 +		gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
  		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
  			return -EAGAIN;
- 	}
-@@ -1918,12 +2120,12 @@ unsigned long do_brk(unsigned long addr,
+ 		if (!vx_vmlocked_avail(mm, len >> PAGE_SHIFT))
+@@ -1920,12 +2122,12 @@ unsigned long do_brk(unsigned long addr,
  	/*
  	 * Clear old maps.  this also does some error checking for us
  	 */
@@ -29889,7 +29907,7 @@
  	}
  
  	/* Check against address space limits *after* clearing old maps... */
-@@ -1955,6 +2157,13 @@ unsigned long do_brk(unsigned long addr,
+@@ -1958,6 +2160,13 @@ unsigned long do_brk(unsigned long addr,
  	vma->vm_end = addr + len;
  	vma->vm_pgoff = pgoff;
  	vma->vm_flags = flags;
@@ -29903,15 +29921,15 @@
  	vma->vm_page_prot = protection_map[flags &
  				(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
  	vma_link(mm, vma, prev, rb_link, rb_parent);
-@@ -1964,6 +2173,7 @@ out:
- 		mm->locked_vm += len >> PAGE_SHIFT;
+@@ -1967,6 +2176,7 @@ out:
+ 		vx_vmlocked_add(mm, len >> PAGE_SHIFT);
  		make_pages_present(addr, addr + len);
  	}
 +	track_exec_limit(mm, addr, addr + len, flags);
  	return addr;
  }
  
-@@ -2096,7 +2306,7 @@ int may_expand_vm(struct mm_struct *mm, 
+@@ -2105,7 +2315,7 @@ int may_expand_vm(struct mm_struct *mm, 
  	unsigned long lim;
  
  	lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
@@ -29919,7 +29937,7 @@
 +	gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
  	if (cur + npages > lim)
  		return 0;
- 	return 1;
+ 	if (!vx_vmpages_avail(mm, npages))
 diff -urNp linux-2.6.20.3/mm/mprotect.c linux-2.6.20.3/mm/mprotect.c
 --- linux-2.6.20.3/mm/mprotect.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/mm/mprotect.c	2007-03-23 08:27:30.000000000 -0400
@@ -30744,7 +30762,7 @@
 diff -urNp linux-2.6.20.3/net/ipv4/netfilter/Kconfig linux-2.6.20.3/net/ipv4/netfilter/Kconfig
 --- linux-2.6.20.3/net/ipv4/netfilter/Kconfig	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/net/ipv4/netfilter/Kconfig	2007-03-23 08:11:31.000000000 -0400
-@@ -312,6 +312,21 @@ config IP_NF_MATCH_ADDRTYPE
+@@ -330,6 +330,21 @@ config IP_NF_MATCH_ADDRTYPE
  	  If you want to compile it as a module, say M here and read
  	  <file:Documentation/modules.txt>.  If unsure, say `N'.
  
@@ -30766,22 +30784,17 @@
  # `filter', generic and specific targets
  config IP_NF_FILTER
  	tristate "Packet filtering"
-@@ -682,4 +697,3 @@ config IP_NF_ARP_MANGLE
- 	  hardware and network addresses.
- 
- endmenu
--
 diff -urNp linux-2.6.20.3/net/ipv4/netfilter/Makefile linux-2.6.20.3/net/ipv4/netfilter/Makefile
 --- linux-2.6.20.3/net/ipv4/netfilter/Makefile	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/net/ipv4/netfilter/Makefile	2007-03-23 08:11:31.000000000 -0400
-@@ -91,6 +91,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
- obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
+@@ -104,6 +104,7 @@ obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn
  obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
+ obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
  obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 +obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
  
- # targets
- obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
+ obj-$(CONFIG_IP_NF_MATCH_LAYER7) += ipt_layer7.o
+ 
 diff -urNp linux-2.6.20.3/net/ipv4/tcp_ipv4.c linux-2.6.20.3/net/ipv4/tcp_ipv4.c
 --- linux-2.6.20.3/net/ipv4/tcp_ipv4.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/net/ipv4/tcp_ipv4.c	2007-03-23 08:11:31.000000000 -0400
@@ -31004,9 +31017,9 @@
  
  #include <asm/uaccess.h>
  #include <asm/unistd.h>
-@@ -93,6 +94,21 @@
- #include <net/sock.h>
- #include <linux/netfilter.h>
+@@ -95,6 +96,21 @@
+ #include <linux/vs_base.h>
+ #include <linux/vs_socket.h>
  
 +extern void gr_attach_curr_ip(const struct sock *sk);
 +extern int gr_handle_sock_all(const int family, const int type,
@@ -31026,7 +31039,7 @@
  static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
  static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
  			 unsigned long nr_segs, loff_t pos);
-@@ -295,7 +311,7 @@ static int sockfs_get_sb(struct file_sys
+@@ -297,7 +313,7 @@ static int sockfs_get_sb(struct file_sys
  			     mnt);
  }
  
@@ -31341,7 +31354,7 @@
  
  static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
  {
-@@ -138,8 +139,11 @@ static void dummy_bprm_apply_creds (stru
+@@ -139,8 +140,11 @@ static void dummy_bprm_apply_creds (stru
  		}
  	}
  
@@ -31790,7 +31803,7 @@
 +
  config KEYS
  	bool "Enable access key retention support"
- 	help
+ 	depends on !VSERVER_SECURITY
 diff -urNp linux-2.6.20.3/sound/core/oss/pcm_oss.c linux-2.6.20.3/sound/core/oss/pcm_oss.c
 --- linux-2.6.20.3/sound/core/oss/pcm_oss.c	2007-03-13 14:27:08.000000000 -0400
 +++ linux-2.6.20.3/sound/core/oss/pcm_oss.c	2007-03-23 08:10:06.000000000 -0400
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/grsecurity-2.1.10-2.6.20.3.patch?r1=1.1.2.5&r2=1.1.2.6&f=u


