packages (Titanium): kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch -...
hawk
hawk at pld-linux.org
Sat Apr 30 11:59:15 CEST 2011
Author: hawk Date: Sat Apr 30 09:59:15 2011 GMT
Module: packages Tag: Titanium
---- Log message:
- updated from http://www.grsecurity.net/~spender/grsecurity-2.2.2-2.6.38.4-201104232142.patch
not tested yet
---- Files affected:
packages/kernel-bare-vserver:
linux-2.6-grsec-vs-minimal.patch (1.1.2.8.2.16 -> 1.1.2.8.2.17)
---- Diffs:
================================================================
Index: packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch
diff -u packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.16 packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.17
--- packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch:1.1.2.8.2.16 Thu Feb 25 22:41:06 2010
+++ packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch Sat Apr 30 11:59:10 2011
@@ -1,6 +1,6 @@
-diff -urNp linux-2.6.32.9/arch/sparc/Makefile linux-2.6.32.9/arch/sparc/Makefile
---- linux-2.6.32.9/arch/sparc/Makefile 2010-02-25 20:13:59.579045959 +0100
-+++ linux-2.6.32.9/arch/sparc/Makefile 2010-02-25 20:23:36.975085587 +0100
+diff -urNp linux-2.6.38.4/arch/sparc/Makefile linux-2.6.38.4/arch/sparc/Makefile
+--- linux-2.6.38.4/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
++++ linux-2.6.38.4/arch/sparc/Makefile 2011-04-17 15:57:32.000000000 -0400
@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
# Export what is needed by arch/sparc/boot/Makefile
export VMLINUX_INIT VMLINUX_MAIN
@@ -10,397 +10,273 @@
VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
VMLINUX_MAIN += $(drivers-y) $(net-y)
-diff -urNp linux-2.6.32.9/drivers/char/keyboard.c linux-2.6.32.9/drivers/char/keyboard.c
---- linux-2.6.32.9/drivers/char/keyboard.c 2010-02-25 20:14:17.008419188 +0100
-+++ linux-2.6.32.9/drivers/char/keyboard.c 2010-02-25 20:23:36.991904837 +0100
-@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
- kbd->kbdmode == VC_MEDIUMRAW) &&
- value != KVAL(K_SAK))
- return; /* SAK is allowed even in raw mode */
+diff -urNp linux-2.6.38.4/grsecurity/Makefile linux-2.6.38.4/grsecurity/Makefile
+--- linux-2.6.38.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.38.4/grsecurity/Makefile 2011-04-17 15:57:32.000000000 -0400
+@@ -0,0 +1,11 @@
++# All code in this directory and various hooks inserted throughout the kernel
++# are copyright Brad Spengler - Open Source Security, Inc., and released
++# under the GPL v2 or higher
+
-+#if defined(CONFIG_GRKERNSEC_PROC)
-+ {
-+ void *func = fn_handler[value];
-+ if (func == fn_show_state || func == fn_show_ptregs ||
-+ func == fn_show_mem)
-+ return;
-+ }
-+#endif
++obj-y = grsec_fifo.o grsec_sock.o grsec_sysctl.o grsec_link.o
+
- fn_handler[value](vc);
- }
++obj-$(CONFIG_GRKERNSEC) += grsec_init.o
++
++ifndef CONFIG_GRKERNSEC
++obj-y += grsec_disabled.o
++endif
+diff -urNp linux-2.6.38.4/Makefile linux-2.6.38.4/Makefile
+--- linux-2.6.38.4/Makefile 2011-04-22 19:20:59.000000000 -0400
++++ linux-2.6.38.4/Makefile 2011-04-23 12:47:27.000000000 -0400
+@@ -681,7 +682,7 @@ export mod_strip_cmd
-diff -urNp linux-2.6.32.9/drivers/pci/proc.c linux-2.6.32.9/drivers/pci/proc.c
---- linux-2.6.32.9/drivers/pci/proc.c 2010-02-25 20:14:53.945498856 +0100
-+++ linux-2.6.32.9/drivers/pci/proc.c 2010-02-25 20:23:36.991904837 +0100
-@@ -480,7 +480,16 @@ static const struct file_operations proc
- static int __init pci_proc_init(void)
- {
- struct pci_dev *dev = NULL;
+
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
+
+ vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff -urNp linux-2.6.38.4/grsecurity/Kconfig linux-2.6.38.4/grsecurity/Kconfig
+--- linux-2.6.38.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.38.4/grsecurity/Kconfig 2011-04-17 15:57:32.000000000 -0400
+@@ -0,0 +1,143 @@
++#
++# grecurity configuration
++#
+
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
-+#endif
-+#else
- proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
-+#endif
- proc_create("devices", 0, proc_bus_pci_dir,
- &proc_bus_pci_dev_operations);
- proc_initialized = 1;
-diff -urNp linux-2.6.32.9/fs/namei.c linux-2.6.32.9/fs/namei.c
---- linux-2.6.32.9/fs/namei.c 2010-02-25 20:15:31.426076417 +0100
-+++ linux-2.6.32.9/fs/namei.c 2010-02-25 20:23:36.981697288 +0100
-@@ -755,6 +755,13 @@ static inline int do_follow_link(struct
- err = security_inode_follow_link(path->dentry, nd);
- if (err)
- goto loop;
++menu "Grsecurity"
+
-+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
-+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
-+ err = -EACCES;
-+ goto loop;
-+ }
++config GRKERNSEC
++ bool "Grsecurity"
++ select CRYPTO
++ select CRYPTO_SHA256
++ help
++ If you say Y here, you will be able to configure many features
++ that will enhance the security of your system. It is highly
++ recommended that you say Y here and read through the help
++ for each option so that you fully understand the features and
++ can evaluate their usefulness for your machine.
+
- current->link_count++;
- current->total_link_count++;
- nd->depth++;
-@@ -1898,6 +1905,12 @@ do_last:
- /*
- * It already exists.
- */
++menu "Filesystem Protections"
++depends on GRKERNSEC
+
-+ if (gr_handle_fifo(path.dentry, nd.path.mnt, dir, flag, acc_mode)) {
-+ error = -EACCES;
-+ goto exit_mutex_unlock;
-+ }
++config GRKERNSEC_PROC
++ bool "Proc restrictions"
++ help
++ If you say Y here, the permissions of the /proc filesystem
++ will be altered to enhance system security and privacy. You MUST
++ choose either a user only restriction or a user and group restriction.
++ Depending upon the option you choose, you can either restrict users to
++ see only the processes they themselves run, or choose a group that can
++ view all processes and files normally restricted to root if you choose
++ the "restrict to user only" option. NOTE: If you're running identd as
++ a non-root user, you will have to run it as the group you specify here.
+
- mutex_unlock(&dir->d_inode->i_mutex);
- audit_inode(pathname, path.dentry);
-
-@@ -2009,6 +2022,13 @@ do_link:
- error = security_inode_follow_link(path.dentry, &nd);
- if (error)
- goto exit_dput;
++config GRKERNSEC_PROC_USER
++ bool "Restrict /proc to user only"
++ depends on GRKERNSEC_PROC
++ help
++ If you say Y here, non-root users will only be able to view their own
++ processes, and restricts them from viewing network-related information,
++ and viewing kernel symbol and module information.
+
-+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
-+ path.dentry, nd.path.mnt)) {
-+ error = -EACCES;
-+ goto exit_dput;
-+ }
++config GRKERNSEC_PROC_USERGROUP
++ bool "Allow special group"
++ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
++ help
++ If you say Y here, you will be able to select a group that will be
++ able to view all processes and network-related information. If you've
++ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
++ remain hidden. This option is useful if you want to run identd as
++ a non-root user.
+
- error = __do_follow_link(&path, &nd);
- if (error) {
- /* Does someone understand code flow here? Or it is only
-@@ -2654,6 +2674,14 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
- error = PTR_ERR(new_dentry);
- if (IS_ERR(new_dentry))
- goto out_unlock;
++config GRKERNSEC_PROC_GID
++ int "GID for special group"
++ depends on GRKERNSEC_PROC_USERGROUP
++ default 1001
+
-+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
-+ old_path.dentry->d_inode,
-+ old_path.dentry->d_inode->i_mode, to)) {
-+ error = -EACCES;
-+ goto out_dput;
-+ }
++config GRKERNSEC_PROC_ADD
++ bool "Additional restrictions"
++ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
++ help
++ If you say Y here, additional restrictions will be placed on
++ /proc that keep normal users from viewing device information and
++ slabinfo information that could be useful for exploits.
+
- error = mnt_want_write(nd.path.mnt);
- if (error)
- goto out_dput;
-diff -urNp linux-2.6.32.9/fs/proc/array.c linux-2.6.32.9/fs/proc/array.c
---- linux-2.6.32.9/fs/proc/array.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/array.c 2010-02-25 20:23:36.991904837 +0100
-@@ -679,3 +679,10 @@ int proc_pid_statm(struct seq_file *m, s
++config GRKERNSEC_LINK
++ bool "Linking restrictions"
++ help
++ If you say Y here, /tmp race exploits will be prevented, since users
++ will no longer be able to follow symlinks owned by other users in
++ world-writable +t directories (e.g. /tmp), unless the owner of the
++ symlink is the owner of the directory. users will also not be
++ able to hardlink to files they do not own. If the sysctl option is
++ enabled, a sysctl option with name "linking_restrictions" is created.
++
++config GRKERNSEC_FIFO
++ bool "FIFO restrictions"
++ help
++ If you say Y here, users will not be able to write to FIFOs they don't
++ own in world-writable +t directories (e.g. /tmp), unless the owner of
++ the FIFO is the same owner of the directory it's held in. If the sysctl
++ option is enabled, a sysctl option with name "fifo_restrictions" is
++ created.
++
++endmenu
++
++menu "Other Protections"
++depends on GRKERNSEC
++
++config GRKERNSEC_PROC_IPADDR
++ bool "/proc/<pid>/ipaddr support"
++ help
++ If you say Y here, a new entry will be added to each /proc/<pid>
++ directory that contains the IP address of the person using the task.
++ The IP is carried across local TCP and AF_UNIX stream sockets.
++ This information can be useful for IDS/IPSes to perform remote response
++ to a local attack. The entry is readable by only the owner of the
++ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
++ the RBAC system), and thus does not create privacy concerns.
++
++config GRKERNSEC_DMESG
++ bool "Dmesg(8) restriction"
++ help
++ If you say Y here, non-root users will not be able to use dmesg(8)
++ to view up to the last 4kb of messages in the kernel's log buffer.
++ The kernel's log buffer often contains kernel addresses and other
++ identifying information useful to an attacker in fingerprinting a
++ system for a targeted exploit.
++ If the sysctl option is enabled, a sysctl option with name "dmesg" is
++ created.
++
++endmenu
++
++menu "Sysctl support"
++depends on GRKERNSEC && SYSCTL
++
++config GRKERNSEC_SYSCTL
++ bool "Sysctl support"
++ help
++ If you say Y here, you will be able to change the options that
++ grsecurity runs with at bootup, without having to recompile your
++ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
++ to enable (1) or disable (0) various features. All the sysctl entries
++ are mutable until the "grsec_lock" entry is set to a non-zero value.
++ All features enabled in the kernel configuration are disabled at boot
++ if you do not say Y to the "Turn on features by default" option.
++ All options should be set at startup, and the grsec_lock entry should
++ be set to a non-zero value after all the options are set.
++ *THIS IS EXTREMELY IMPORTANT*
++
++config GRKERNSEC_SYSCTL_ON
++ bool "Turn on features by default"
++ depends on GRKERNSEC_SYSCTL
++ help
++ If you say Y here, instead of having all features enabled in the
++ kernel configuration disabled at boot time, the features will be
++ enabled at boot time. It is recommended you say Y here unless
++ there is some reason you would want all sysctl-tunable features to
++ be disabled by default. As mentioned elsewhere, it is important
++ to enable the grsec_lock entry once you have finished modifying
++ the sysctl entries.
++
++endmenu
++
++endmenu
+diff -urNp linux-2.6.38.4/security/Kconfig linux-2.6.38.4/security/Kconfig
+--- linux-2.6.38.4/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
++++ linux-2.6.38.4/security/Kconfig 2011-04-17 15:57:33.000000000 -0400
+@@ -4,6 +4,8 @@
- return 0;
- }
+ menu "Security options"
+
++source grsecurity/Kconfig
+
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
-+{
-+ return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
-+}
-+#endif
-diff -urNp linux-2.6.32.9/fs/proc/base.c linux-2.6.32.9/fs/proc/base.c
---- linux-2.6.32.9/fs/proc/base.c 2010-02-25 20:15:33.908620148 +0100
-+++ linux-2.6.32.9/fs/proc/base.c 2010-02-25 22:19:25.208430293 +0100
-@@ -104,6 +104,22 @@ struct pid_entry {
- union proc_op op;
- };
+ config KEYS
+ bool "Enable access key retention support"
+ help
+diff -urNp linux-2.6.38.4/include/linux/security.h linux-2.6.38.4/include/linux/security.h
+--- linux-2.6.38.4/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
++++ linux-2.6.38.4/include/linux/security.h 2011-04-17 15:57:32.000000000 -0400
+@@ -35,6 +35,7 @@
+ #include <linux/key.h>
+ #include <linux/xfrm.h>
+ #include <linux/slab.h>
++#include <linux/grsecurity.h>
+ #include <net/flow.h>
-+struct getdents_callback {
-+ struct linux_dirent __user * current_dir;
-+ struct linux_dirent __user * previous;
-+ struct file * file;
-+ int count;
-+ int error;
-+};
+ /* Maximum number of letters for an LSM name string */
+diff -urNp linux-2.6.38.4/include/linux/grinternal.h linux-2.6.38.4/include/linux/grinternal.h
+--- linux-2.6.38.4/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.38.4/include/linux/grinternal.h 2011-04-17 15:57:32.000000000 -0400
+@@ -0,0 +1,14 @@
++#ifndef __GRINTERNAL_H
++#define __GRINTERNAL_H
+
-+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
-+ loff_t offset, u64 ino, unsigned int d_type)
-+{
-+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
-+ buf->error = -EINVAL;
-+ return 0;
-+}
++#ifdef CONFIG_GRKERNSEC
++
++#include <linux/fs.h>
++
++extern int grsec_enable_link;
++extern int grsec_enable_fifo;
++extern int grsec_lock;
+
- #define NOD(NAME, MODE, IOP, FOP, OP) { \
- .name = (NAME), \
- .len = sizeof(NAME) - 1, \
-@@ -1462,7 +1478,11 @@ static struct inode *proc_pid_make_inode
- rcu_read_lock();
- cred = __task_cred(task);
- inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = cred->egid;
+#endif
- rcu_read_unlock();
- }
- /* procfs is xid tagged */
-@@ -1482,6 +1502,9 @@ static int pid_getattr(struct vfsmount *
- struct inode *inode = dentry->d_inode;
- struct task_struct *task;
- const struct cred *cred;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmpcred = current_cred();
-+#endif
-
- generic_fillattr(inode, stat);
-
-@@ -1490,11 +1513,27 @@ static int pid_getattr(struct vfsmount *
- stat->gid = 0;
- task = pid_task(proc_pid(inode), PIDTYPE_PID);
- if (task) {
-+ cred = __task_cred(task);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+#endif
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
-- cred = __task_cred(task);
- stat->uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- stat->gid = cred->egid;
-+#endif
- }
- }
- rcu_read_unlock();
-@@ -1526,11 +1565,20 @@ static int pid_revalidate(struct dentry
-
- if (task) {
- if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
-+#endif
- task_dumpable(task)) {
- rcu_read_lock();
- cred = __task_cred(task);
- inode->i_uid = cred->euid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = cred->egid;
-+#endif
- rcu_read_unlock();
- } else {
- inode->i_uid = 0;
-@@ -2708,7 +2756,14 @@ static struct dentry *proc_pid_instantia
- if (!inode)
- goto out;
-
-+#ifdef CONFIG_GRKERNSEC_PROC_USER
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
-+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
-+#else
- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
-+#endif
- inode->i_op = &proc_tgid_base_inode_operations;
- inode->i_fop = &proc_tgid_base_operations;
- inode->i_flags|=S_IMMUTABLE;
-@@ -2815,6 +2870,11 @@ int proc_pid_readdir(struct file * filp,
- {
- unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
- struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *tmpcred = current_cred();
-+ const struct cred *itercred;
-+#endif
-+ filldir_t __filldir = filldir;
- struct tgid_iter iter;
- struct pid_namespace *ns;
-
-@@ -2833,10 +2893,27 @@ int proc_pid_readdir(struct file * filp,
- for (iter = next_tgid(ns, iter);
- iter.task;
- iter.tgid += 1, iter = next_tgid(ns, iter)) {
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ rcu_read_lock();
-+ itercred = __task_cred(iter.task);
-+ if (
-+ (tmpcred->uid && (itercred->uid != tmpcred->uid)
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
-+#endif
-+ )
-+#endif
-+ )
-+ __filldir = &gr_fake_filldir;
-+ else
-+ __filldir = filldir;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ rcu_read_unlock();
-+#endif
- filp->f_pos = iter.tgid + TGID_OFFSET;
- if (!vx_proc_task_visible(iter.task))
- continue;
-- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
-+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
- put_task_struct(iter.task);
- goto out;
- }
-@@ -2916,6 +2993,9 @@ static const struct pid_entry tid_base_s
- #ifdef CONFIG_TASK_IO_ACCOUNTING
- INF("io", S_IRUGO, proc_tid_io_accounting),
- #endif
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
-+#endif
- };
-
- static int proc_tid_base_readdir(struct file * filp,
-diff -urNp linux-2.6.32.9/fs/proc/cmdline.c linux-2.6.32.9/fs/proc/cmdline.c
---- linux-2.6.32.9/fs/proc/cmdline.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/cmdline.c 2010-02-25 20:23:36.991904837 +0100
-@@ -23,7 +23,11 @@ static const struct file_operations cmdl
-
- static int __init proc_cmdline_init(void)
- {
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
-+#else
- proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
-+#endif
- return 0;
- }
- module_init(proc_cmdline_init);
-diff -urNp linux-2.6.32.9/fs/proc/devices.c linux-2.6.32.9/fs/proc/devices.c
---- linux-2.6.32.9/fs/proc/devices.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/devices.c 2010-02-25 20:23:36.991904837 +0100
-@@ -64,7 +64,11 @@ static const struct file_operations proc
-
- static int __init proc_devices_init(void)
- {
-+#ifdef CONFIG_GRKERNSEC_PROC_ADD
-+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
-+#else
- proc_create("devices", 0, NULL, &proc_devinfo_operations);
-+#endif
- return 0;
- }
- module_init(proc_devices_init);
-diff -urNp linux-2.6.32.9/fs/proc/inode.c linux-2.6.32.9/fs/proc/inode.c
---- linux-2.6.32.9/fs/proc/inode.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/inode.c 2010-02-25 20:23:36.991904837 +0100
-@@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
- if (de->mode) {
- inode->i_mode = de->mode;
- inode->i_uid = de->uid;
-+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
-+#else
- inode->i_gid = de->gid;
-+#endif
- }
- if (de->vx_flags)
- PROC_I(inode)->vx_flags = de->vx_flags;
-diff -urNp linux-2.6.32.9/fs/proc/internal.h linux-2.6.32.9/fs/proc/internal.h
---- linux-2.6.32.9/fs/proc/internal.h 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/internal.h 2010-02-25 20:23:36.995238172 +0100
-@@ -55,6 +55,9 @@ extern int proc_pid_statm(struct seq_fil
- extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
- struct pid *pid, struct task_struct *task);
-
-+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
-+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
-+#endif
- extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
-
- extern const struct file_operations proc_maps_operations;
-diff -urNp linux-2.6.32.9/fs/proc/kcore.c linux-2.6.32.9/fs/proc/kcore.c
---- linux-2.6.32.9/fs/proc/kcore.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/kcore.c 2010-02-25 20:23:36.995238172 +0100
-@@ -541,6 +541,9 @@ read_kcore(struct file *file, char __use
-
- static int open_kcore(struct inode *inode, struct file *filp)
- {
-+#if defined(CONFIG_GRKERNSEC_PROC_ADD)
-+ return -EPERM;
-+#endif
- if (!capable(CAP_SYS_RAWIO))
- return -EPERM;
- if (kcore_need_update)
-diff -urNp linux-2.6.32.9/fs/proc/proc_net.c linux-2.6.32.9/fs/proc/proc_net.c
---- linux-2.6.32.9/fs/proc/proc_net.c 2010-02-25 20:15:33.905286575 +0100
-+++ linux-2.6.32.9/fs/proc/proc_net.c 2010-02-25 20:23:36.995238172 +0100
-@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
- struct task_struct *task;
- struct nsproxy *ns;
- struct net *net = NULL;
-+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ const struct cred *cred = current_cred();
++
+#endif
+diff -urNp linux-2.6.38.4/include/linux/grsecurity.h linux-2.6.38.4/include/linux/grsecurity.h
+--- linux-2.6.38.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
++++ linux-2.6.38.4/include/linux/grsecurity.h 2011-04-17 15:57:32.000000000 -0400
+@@ -0,0 +1,24 @@
++#ifndef GR_SECURITY_H
++#define GR_SECURITY_H
++#include <linux/fs.h>
++#include <linux/fs_struct.h>
++#include <linux/binfmts.h>
++
++void gr_del_task_from_ip_table(struct task_struct *p);
++
++int gr_handle_follow_link(const struct inode *parent,
++ const struct inode *inode,
++ const struct dentry *dentry,
++ const struct vfsmount *mnt);
++int gr_handle_fifo(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ const struct dentry *dir, const int flag,
++ const int acc_mode);
++int gr_handle_hardlink(const struct dentry *dentry,
++ const struct vfsmount *mnt,
++ struct inode *inode,
++ const int mode, const char *to);
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/kernel-bare-vserver/linux-2.6-grsec-vs-minimal.patch?r1=1.1.2.8.2.16&r2=1.1.2.8.2.17&f=u