summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2011-09-15 13:56:05 -0400
committerAnthony G. Basile <blueness@gentoo.org>2011-09-15 13:56:05 -0400
commit2d55c386371d094e542fe96e90ba4ff3c2278fe3 (patch)
treee0a306d5cd8e7bf6d266de5e48f1dd49f21b74e8
parentGrsec/PaX: grsecurity-2.2.2-2.6.32.46-201109021814 + grsecurity-2.2.2-3.0.4-2... (diff)
downloadhardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.tar.gz
hardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.tar.bz2
hardened-patchset-2d55c386371d094e542fe96e90ba4ff3c2278fe3.zip
Grsec/PaX: grsecurity-2.2.2-2.6.32.46-201109150655 + grsecurity-2.2.2-3.0.4-20110915065520110915
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch (renamed from 2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch)264
-rw-r--r--2.6.32/4423_grsec-remove-protected-paths.patch18
-rw-r--r--3.0.4/0000_README2
-rw-r--r--3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch (renamed from 3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch)757
-rw-r--r--3.0.4/4423_grsec-remove-protected-paths.patch18
6 files changed, 705 insertions, 356 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index ca3d4a1..160c256 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -11,7 +11,7 @@ Patch: 1044_linux-2.6.32.45.patch
From: http://www.kernel.org
Desc: Linux 2.6.39.45
-Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch
+Patch: 4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch
index 505eaa4..bcff015 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109021814.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.46-201109150655.patch
@@ -37671,25 +37671,25 @@ diff -urNp linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c linux-2.6.32.4
.read = vme_user_read,
diff -urNp linux-2.6.32.46/drivers/staging/vt6655/hostap.c linux-2.6.32.46/drivers/staging/vt6655/hostap.c
--- linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-02 18:13:56.000000000 -0400
++++ linux-2.6.32.46/drivers/staging/vt6655/hostap.c 2011-09-14 09:51:07.000000000 -0400
@@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic
PSDevice apdev_priv;
struct net_device *dev = pDevice->dev;
int ret;
- const struct net_device_ops apdev_netdev_ops = {
-+ static net_device_ops_no_const apdev_netdev_ops = {
++ net_device_ops_no_const apdev_netdev_ops = {
.ndo_start_xmit = pDevice->tx_80211,
};
diff -urNp linux-2.6.32.46/drivers/staging/vt6656/hostap.c linux-2.6.32.46/drivers/staging/vt6656/hostap.c
--- linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-02 18:13:35.000000000 -0400
++++ linux-2.6.32.46/drivers/staging/vt6656/hostap.c 2011-09-14 09:49:53.000000000 -0400
@@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic
PSDevice apdev_priv;
struct net_device *dev = pDevice->dev;
int ret;
- const struct net_device_ops apdev_netdev_ops = {
-+ static net_device_ops_no_const apdev_netdev_ops = {
++ net_device_ops_no_const apdev_netdev_ops = {
.ndo_start_xmit = pDevice->tx_80211,
};
@@ -47045,7 +47045,7 @@ diff -urNp linux-2.6.32.46/fs/ocfs2/super.c linux-2.6.32.46/fs/ocfs2/super.c
osb->osb_ecc_stats = *stats;
diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
--- linux-2.6.32.46/fs/open.c 2011-03-27 14:31:47.000000000 -0400
-+++ linux-2.6.32.46/fs/open.c 2011-04-17 15:56:46.000000000 -0400
++++ linux-2.6.32.46/fs/open.c 2011-09-13 16:03:56.000000000 -0400
@@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
error = locks_verify_truncate(inode, NULL, length);
if (!error)
@@ -47090,18 +47090,13 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
if (!error)
set_fs_pwd(current->fs, &file->f_path);
out_putf:
-@@ -588,7 +604,18 @@ SYSCALL_DEFINE1(chroot, const char __use
+@@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use
if (!capable(CAP_SYS_CHROOT))
goto dput_and_out;
+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
+ goto dput_and_out;
+
-+ if (gr_handle_chroot_caps(&path)) {
-+ error = -ENOMEM;
-+ goto dput_and_out;
-+ }
-+
set_fs_root(current->fs, &path);
+
+ gr_handle_chroot_chdir(&path);
@@ -47109,7 +47104,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
error = 0;
dput_and_out:
path_put(&path);
-@@ -616,12 +643,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
+@@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
err = mnt_want_write_file(file);
if (err)
goto out_putf;
@@ -47137,7 +47132,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mutex_unlock(&inode->i_mutex);
mnt_drop_write(file->f_path.mnt);
out_putf:
-@@ -645,12 +687,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
+@@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
error = mnt_want_write(path.mnt);
if (error)
goto dput_and_out;
@@ -47165,7 +47160,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mutex_unlock(&inode->i_mutex);
mnt_drop_write(path.mnt);
dput_and_out:
-@@ -664,12 +721,15 @@ SYSCALL_DEFINE2(chmod, const char __user
+@@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user
return sys_fchmodat(AT_FDCWD, filename, mode);
}
@@ -47182,7 +47177,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -700,7 +760,7 @@ SYSCALL_DEFINE3(chown, const char __user
+@@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user
error = mnt_want_write(path.mnt);
if (error)
goto out_release;
@@ -47191,7 +47186,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
-@@ -725,7 +785,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
+@@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
error = mnt_want_write(path.mnt);
if (error)
goto out_release;
@@ -47200,7 +47195,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
-@@ -744,7 +804,7 @@ SYSCALL_DEFINE3(lchown, const char __use
+@@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use
error = mnt_want_write(path.mnt);
if (error)
goto out_release;
@@ -47209,7 +47204,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mnt_drop_write(path.mnt);
out_release:
path_put(&path);
-@@ -767,7 +827,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
+@@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
goto out_fput;
dentry = file->f_path.dentry;
audit_inode(NULL, dentry);
@@ -47218,7 +47213,7 @@ diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
mnt_drop_write(file->f_path.mnt);
out_fput:
fput(file);
-@@ -1036,7 +1096,10 @@ long do_sys_open(int dfd, const char __u
+@@ -1036,7 +1091,10 @@ long do_sys_open(int dfd, const char __u
if (!IS_ERR(tmp)) {
fd = get_unused_fd_flags(flags);
if (fd >= 0) {
@@ -47520,7 +47515,7 @@ diff -urNp linux-2.6.32.46/fs/proc/array.c linux-2.6.32.46/fs/proc/array.c
+#endif
diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c
--- linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:35:30.000000000 -0400
-+++ linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:34:33.000000000 -0400
++++ linux-2.6.32.46/fs/proc/base.c 2011-09-13 14:51:06.000000000 -0400
@@ -102,6 +102,22 @@ struct pid_entry {
union proc_op op;
};
@@ -47586,7 +47581,7 @@ diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c
+ if (PAX_RAND_FLAGS(mm) &&
+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
+ mmput(mm);
-+ return res;
++ return 0;
+ }
+#endif
+
@@ -53525,8 +53520,8 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl.c linux-2.6.32.46/grsecurity/gracl.c
+
diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gracl_cap.c
--- linux-2.6.32.46/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-04-17 15:56:46.000000000 -0400
-@@ -0,0 +1,138 @@
++++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-09-14 08:53:50.000000000 -0400
+@@ -0,0 +1,101 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -53534,48 +53529,11 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gra
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
-+static const char *captab_log[] = {
-+ "CAP_CHOWN",
-+ "CAP_DAC_OVERRIDE",
-+ "CAP_DAC_READ_SEARCH",
-+ "CAP_FOWNER",
-+ "CAP_FSETID",
-+ "CAP_KILL",
-+ "CAP_SETGID",
-+ "CAP_SETUID",
-+ "CAP_SETPCAP",
-+ "CAP_LINUX_IMMUTABLE",
-+ "CAP_NET_BIND_SERVICE",
-+ "CAP_NET_BROADCAST",
-+ "CAP_NET_ADMIN",
-+ "CAP_NET_RAW",
-+ "CAP_IPC_LOCK",
-+ "CAP_IPC_OWNER",
-+ "CAP_SYS_MODULE",
-+ "CAP_SYS_RAWIO",
-+ "CAP_SYS_CHROOT",
-+ "CAP_SYS_PTRACE",
-+ "CAP_SYS_PACCT",
-+ "CAP_SYS_ADMIN",
-+ "CAP_SYS_BOOT",
-+ "CAP_SYS_NICE",
-+ "CAP_SYS_RESOURCE",
-+ "CAP_SYS_TIME",
-+ "CAP_SYS_TTY_CONFIG",
-+ "CAP_MKNOD",
-+ "CAP_LEASE",
-+ "CAP_AUDIT_WRITE",
-+ "CAP_AUDIT_CONTROL",
-+ "CAP_SETFCAP",
-+ "CAP_MAC_OVERRIDE",
-+ "CAP_MAC_ADMIN"
-+};
-+
-+EXPORT_SYMBOL(gr_is_capable);
-+EXPORT_SYMBOL(gr_is_capable_nolog);
++extern const char *captab_log[];
++extern int captab_log_entries;
+
+int
-+gr_is_capable(const int cap)
++gr_acl_is_capable(const int cap)
+{
+ struct task_struct *task = current;
+ const struct cred *cred = current_cred();
@@ -53627,13 +53585,13 @@ diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gra
+ return 1;
+ }
+
-+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
++ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
+ return 0;
+}
+
+int
-+gr_is_capable_nolog(const int cap)
++gr_acl_is_capable_nolog(const int cap)
+{
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
@@ -55126,8 +55084,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chdir.c linux-2.6.32.46/grsecurity/g
+}
diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/grsec_chroot.c
--- linux-2.6.32.46/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-07-18 17:14:10.000000000 -0400
-@@ -0,0 +1,384 @@
++++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-09-15 06:48:16.000000000 -0400
+@@ -0,0 +1,386 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -55443,33 +55401,39 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/
+ return 0;
+}
+
++extern const char *captab_log[];
++extern int captab_log_entries;
++
+int
-+gr_handle_chroot_caps(struct path *path)
++gr_chroot_is_capable(const int cap)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
-+ (init_task.fs->root.dentry != path->dentry) &&
-+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
-+
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
-+ const struct cred *old = current_cred();
-+ struct cred *new = prepare_creds();
-+ if (new == NULL)
-+ return 1;
-+
-+ new->cap_permitted = cap_drop(old->cap_permitted,
-+ chroot_caps);
-+ new->cap_inheritable = cap_drop(old->cap_inheritable,
-+ chroot_caps);
-+ new->cap_effective = cap_drop(old->cap_effective,
-+ chroot_caps);
-+
-+ commit_creds(new);
++ if (cap_raised(chroot_caps, cap)) {
++ const struct cred *creds = current_cred();
++ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
++ }
++ return 0;
++ }
++ }
++#endif
++ return 1;
++}
+
-+ return 0;
++int
++gr_chroot_is_capable_nolog(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
++ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
++ if (cap_raised(chroot_caps, cap)) {
++ return 0;
++ }
+ }
+#endif
-+ return 0;
++ return 1;
+}
+
+int
@@ -55508,10 +55472,6 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/
+#endif
+ return 0;
+}
-+
-+#ifdef CONFIG_SECURITY
-+EXPORT_SYMBOL(gr_handle_chroot_caps);
-+#endif
diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c
--- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400
@@ -55965,8 +55925,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurit
+#endif
diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/grsec_exec.c
--- linux-2.6.32.46/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-08-11 19:57:19.000000000 -0400
-@@ -0,0 +1,132 @@
++++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-09-13 22:54:27.000000000 -0400
+@@ -0,0 +1,204 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -55978,6 +55938,7 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/gr
+#include <linux/grinternal.h>
+#include <linux/capability.h>
+#include <linux/compat.h>
++#include <linux/module.h>
+
+#include <asm/uaccess.h>
+
@@ -56099,6 +56060,77 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/gr
+ return;
+}
+#endif
++
++#ifdef CONFIG_GRKERNSEC
++extern int gr_acl_is_capable(const int cap);
++extern int gr_acl_is_capable_nolog(const int cap);
++extern int gr_chroot_is_capable(const int cap);
++extern int gr_chroot_is_capable_nolog(const int cap);
++#endif
++
++const char *captab_log[] = {
++ "CAP_CHOWN",
++ "CAP_DAC_OVERRIDE",
++ "CAP_DAC_READ_SEARCH",
++ "CAP_FOWNER",
++ "CAP_FSETID",
++ "CAP_KILL",
++ "CAP_SETGID",
++ "CAP_SETUID",
++ "CAP_SETPCAP",
++ "CAP_LINUX_IMMUTABLE",
++ "CAP_NET_BIND_SERVICE",
++ "CAP_NET_BROADCAST",
++ "CAP_NET_ADMIN",
++ "CAP_NET_RAW",
++ "CAP_IPC_LOCK",
++ "CAP_IPC_OWNER",
++ "CAP_SYS_MODULE",
++ "CAP_SYS_RAWIO",
++ "CAP_SYS_CHROOT",
++ "CAP_SYS_PTRACE",
++ "CAP_SYS_PACCT",
++ "CAP_SYS_ADMIN",
++ "CAP_SYS_BOOT",
++ "CAP_SYS_NICE",
++ "CAP_SYS_RESOURCE",
++ "CAP_SYS_TIME",
++ "CAP_SYS_TTY_CONFIG",
++ "CAP_MKNOD",
++ "CAP_LEASE",
++ "CAP_AUDIT_WRITE",
++ "CAP_AUDIT_CONTROL",
++ "CAP_SETFCAP",
++ "CAP_MAC_OVERRIDE",
++ "CAP_MAC_ADMIN"
++};
++
++int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
++
++int gr_is_capable(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
++ return 1;
++ return 0;
++#else
++ return 1;
++#endif
++}
++
++int gr_is_capable_nolog(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
++ return 1;
++ return 0;
++#else
++ return 1;
++#endif
++}
++
++EXPORT_SYMBOL(gr_is_capable);
++EXPORT_SYMBOL(gr_is_capable_nolog);
diff -urNp linux-2.6.32.46/grsecurity/grsec_fifo.c linux-2.6.32.46/grsecurity/grsec_fifo.c
--- linux-2.6.32.46/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-2.6.32.46/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
@@ -56477,8 +56509,8 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_link.c linux-2.6.32.46/grsecurity/gr
+}
diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grsec_log.c
--- linux-2.6.32.46/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-05-10 21:58:49.000000000 -0400
-@@ -0,0 +1,310 @@
++++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-09-14 23:16:01.000000000 -0400
+@@ -0,0 +1,313 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -56531,20 +56563,23 @@ diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grs
+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
++ unsigned long curr_secs = get_seconds();
+
+ if (audit == GR_DO_AUDIT)
+ goto set_fmt;
+
-+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
-+ grsec_alert_wtime = jiffies;
++ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
++ grsec_alert_wtime = curr_secs;
+ grsec_alert_fyet = 0;
-+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
-+ grsec_alert_fyet++;
-+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
-+ grsec_alert_wtime = jiffies;
-+ grsec_alert_fyet++;
-+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
-+ return FLOODING;
++ } else if (time_before(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
++ if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) {
++ grsec_alert_fyet++;
++ } else if (grsec_alert_fyet && grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
++ grsec_alert_wtime = curr_secs;
++ grsec_alert_fyet++;
++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
++ return FLOODING;
++ }
+ } else return FLOODING;
+
+set_fmt:
@@ -58051,7 +58086,7 @@ diff -urNp linux-2.6.32.46/grsecurity/grsum.c linux-2.6.32.46/grsecurity/grsum.c
+}
diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
--- linux-2.6.32.46/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/Kconfig 2011-08-17 19:04:25.000000000 -0400
++++ linux-2.6.32.46/grsecurity/Kconfig 2011-09-15 00:00:38.000000000 -0400
@@ -0,0 +1,1037 @@
+#
+# grecurity configuration
@@ -58686,7 +58721,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
+ bool "Capability restrictions"
+ depends on GRKERNSEC_CHROOT
+ help
-+ If you say Y here, the capabilities on all root processes within a
++ If you say Y here, the capabilities on all processes within a
+ chroot jail will be lowered to stop module insertion, raw i/o,
+ system and net admin tasks, rebooting the system, modifying immutable
+ files, modifying IPC owned by another, and changing the system time.
@@ -59079,7 +59114,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
+
+config GRKERNSEC_FLOODBURST
+ int "Number of messages in a burst (maximum)"
-+ default 4
++ default 6
+ help
+ This option allows you to choose the maximum number of messages allowed
+ within the flood time interval you chose in a separate option. The
@@ -59092,8 +59127,8 @@ diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
+endmenu
diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefile
--- linux-2.6.32.46/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/grsecurity/Makefile 2011-08-21 18:54:34.000000000 -0400
-@@ -0,0 +1,34 @@
++++ linux-2.6.32.46/grsecurity/Makefile 2011-09-14 23:29:39.000000000 -0400
+@@ -0,0 +1,35 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
@@ -59125,6 +59160,7 @@ diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefi
+$(obj)/grsec_hidesym.o:
+ @-chmod -f 500 /boot
+ @-chmod -f 500 /lib/modules
++ @-chmod -f 500 /lib64/modules
+ @-chmod -f 700 .
+ @echo ' grsec: protected kernel image paths'
+endif
@@ -61290,8 +61326,8 @@ diff -urNp linux-2.6.32.46/include/linux/grinternal.h linux-2.6.32.46/include/li
+#endif
diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/grmsg.h
--- linux-2.6.32.46/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/include/linux/grmsg.h 2011-08-25 17:28:11.000000000 -0400
-@@ -0,0 +1,107 @@
++++ linux-2.6.32.46/include/linux/grmsg.h 2011-09-13 15:44:53.000000000 -0400
+@@ -0,0 +1,108 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -61384,6 +61420,7 @@ diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/g
+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
+#define GR_CAP_ACL_MSG "use of %s denied for "
++#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
@@ -61401,8 +61438,8 @@ diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/g
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/linux/grsecurity.h
--- linux-2.6.32.46/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-2.6.32.46/include/linux/grsecurity.h 2011-08-11 19:58:57.000000000 -0400
-@@ -0,0 +1,217 @@
++++ linux-2.6.32.46/include/linux/grsecurity.h 2011-09-13 16:03:42.000000000 -0400
+@@ -0,0 +1,216 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -61454,7 +61491,6 @@ diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/li
+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
+int gr_handle_chroot_chroot(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+int gr_handle_chroot_caps(struct path *path);
+void gr_handle_chroot_chdir(struct path *path);
+int gr_handle_chroot_chmod(const struct dentry *dentry,
+ const struct vfsmount *mnt, const int mode);
diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4423_grsec-remove-protected-paths.patch
index da4c861..abd9b99 100644
--- a/2.6.32/4423_grsec-remove-protected-paths.patch
+++ b/2.6.32/4423_grsec-remove-protected-paths.patch
@@ -1,20 +1,18 @@
-From: Anthony G. Basile <basile@opensource.dyc.edu>
+From: Anthony G. Basile <blueness@gentoo.org>
-We don't want to allow GRSEC's Makefile to change permissions on
-paths in the filesystem.
+We don't want GRSEC's Makefile to change permissions on paths in
+the filesystem.
---- a/grsecurity/Makefile 2010-05-21 06:52:24.000000000 -0400
-+++ b/grsecurity/Makefile 2010-05-21 06:54:54.000000000 -0400
-@@ -27,8 +27,8 @@
+diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
+--- a/grsecurity/Makefile 2011-09-15 13:36:25.000000000 -0400
++++ b/grsecurity/Makefile 2011-09-15 13:44:58.000000000 -0400
+@@ -27,9 +27,4 @@
ifdef CONFIG_GRKERNSEC_HIDESYM
extra-y := grsec_hidesym.o
$(obj)/grsec_hidesym.o:
- @-chmod -f 500 /boot
- @-chmod -f 500 /lib/modules
+- @-chmod -f 500 /lib64/modules
- @-chmod -f 700 .
- @echo ' grsec: protected kernel image paths'
-+ # @-chmod -f 500 /boot
-+ # @-chmod -f 500 /lib/modules
-+ # @-chmod -f 700 .
-+ # @echo ' grsec: protected kernel image paths'
endif
diff --git a/3.0.4/0000_README b/3.0.4/0000_README
index af75e4e..2fff4cc 100644
--- a/3.0.4/0000_README
+++ b/3.0.4/0000_README
@@ -3,7 +3,7 @@ README
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.2.2-3.0.4-201109011725.patch
+Patch: 4420_grsecurity-2.2.2-3.0.4-201109150655.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch
index 1e39265..97156c7 100644
--- a/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109011725.patch
+++ b/3.0.4/4420_grsecurity-2.2.2-3.0.4-201109150655.patch
@@ -3055,7 +3055,7 @@ diff -urNp linux-3.0.4/arch/sparc/include/asm/elf_32.h linux-3.0.4/arch/sparc/in
instruction set this cpu supports. This can NOT be done in userspace
on Sparc. */
diff -urNp linux-3.0.4/arch/sparc/include/asm/elf_64.h linux-3.0.4/arch/sparc/include/asm/elf_64.h
---- linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/arch/sparc/include/asm/elf_64.h 2011-08-23 21:47:55.000000000 -0400
@@ -180,6 +180,13 @@ typedef struct {
#define ELF_ET_DYN_BASE 0x0000010000000000UL
@@ -3794,7 +3794,7 @@ diff -urNp linux-3.0.4/arch/sparc/kernel/traps_64.c linux-3.0.4/arch/sparc/kerne
}
EXPORT_SYMBOL(die_if_kernel);
diff -urNp linux-3.0.4/arch/sparc/kernel/unaligned_64.c linux-3.0.4/arch/sparc/kernel/unaligned_64.c
---- linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/arch/sparc/kernel/unaligned_64.c 2011-08-23 21:48:14.000000000 -0400
@@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs
static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
@@ -4065,7 +4065,7 @@ diff -urNp linux-3.0.4/arch/sparc/lib/ksyms.c linux-3.0.4/arch/sparc/lib/ksyms.c
/* Atomic bit operations. */
diff -urNp linux-3.0.4/arch/sparc/lib/Makefile linux-3.0.4/arch/sparc/lib/Makefile
---- linux-3.0.4/arch/sparc/lib/Makefile 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/arch/sparc/lib/Makefile 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/arch/sparc/lib/Makefile 2011-08-23 21:47:55.000000000 -0400
@@ -2,7 +2,7 @@
#
@@ -10706,7 +10706,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/common.c linux-3.0.4/arch/x86/kernel/
if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
diff -urNp linux-3.0.4/arch/x86/kernel/cpu/intel.c linux-3.0.4/arch/x86/kernel/cpu/intel.c
---- linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/arch/x86/kernel/cpu/intel.c 2011-08-29 23:30:14.000000000 -0400
@@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug
* Update the IDT descriptor and reload the IDT so that
@@ -10850,7 +10850,7 @@ diff -urNp linux-3.0.4/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.0.4/arch/
return 0;
}
diff -urNp linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c
---- linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/arch/x86/kernel/cpu/mtrr/main.c 2011-08-29 23:26:21.000000000 -0400
@@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
u64 size_or_mask, size_and_mask;
@@ -20538,7 +20538,7 @@ diff -urNp linux-3.0.4/arch/x86/net/bpf_jit_comp.c linux-3.0.4/arch/x86/net/bpf_
sizeof(struct work_struct)));
if (!image)
diff -urNp linux-3.0.4/arch/x86/oprofile/backtrace.c linux-3.0.4/arch/x86/oprofile/backtrace.c
---- linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/arch/x86/oprofile/backtrace.c 2011-08-23 21:47:55.000000000 -0400
@@ -148,7 +148,7 @@ x86_backtrace(struct pt_regs * const reg
{
@@ -21313,7 +21313,7 @@ diff -urNp linux-3.0.4/arch/x86/vdso/vma.c linux-3.0.4/arch/x86/vdso/vma.c
-}
-__setup("vdso=", vdso_setup);
diff -urNp linux-3.0.4/arch/x86/xen/enlighten.c linux-3.0.4/arch/x86/xen/enlighten.c
---- linux-3.0.4/arch/x86/xen/enlighten.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/arch/x86/xen/enlighten.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/arch/x86/xen/enlighten.c 2011-08-29 23:26:21.000000000 -0400
@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -21388,7 +21388,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/enlighten.c linux-3.0.4/arch/x86/xen/enlight
#ifdef CONFIG_ACPI_NUMA
diff -urNp linux-3.0.4/arch/x86/xen/mmu.c linux-3.0.4/arch/x86/xen/mmu.c
---- linux-3.0.4/arch/x86/xen/mmu.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/arch/x86/xen/mmu.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/arch/x86/xen/mmu.c 2011-08-29 23:26:21.000000000 -0400
@@ -1683,6 +1683,8 @@ pgd_t * __init xen_setup_kernel_pagetabl
convert_pfn_mfn(init_level4_pgt);
@@ -21427,7 +21427,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/mmu.c linux-3.0.4/arch/x86/xen/mmu.c
.alloc_pud = xen_alloc_pmd_init,
.release_pud = xen_release_pmd_init,
diff -urNp linux-3.0.4/arch/x86/xen/smp.c linux-3.0.4/arch/x86/xen/smp.c
---- linux-3.0.4/arch/x86/xen/smp.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/arch/x86/xen/smp.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/arch/x86/xen/smp.c 2011-08-29 23:26:21.000000000 -0400
@@ -193,11 +193,6 @@ static void __init xen_smp_prepare_boot_
{
@@ -21519,7 +21519,7 @@ diff -urNp linux-3.0.4/arch/x86/xen/xen-head.S linux-3.0.4/arch/x86/xen/xen-head
mov %rsi,xen_start_info
mov $init_thread_union+THREAD_SIZE,%rsp
diff -urNp linux-3.0.4/arch/x86/xen/xen-ops.h linux-3.0.4/arch/x86/xen/xen-ops.h
---- linux-3.0.4/arch/x86/xen/xen-ops.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/arch/x86/xen/xen-ops.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/arch/x86/xen/xen-ops.h 2011-08-23 21:47:55.000000000 -0400
@@ -10,8 +10,6 @@
extern const char xen_hypervisor_callback[];
@@ -23175,7 +23175,7 @@ diff -urNp linux-3.0.4/drivers/block/cciss.c linux-3.0.4/drivers/block/cciss.c
}
diff -urNp linux-3.0.4/drivers/block/cciss.h linux-3.0.4/drivers/block/cciss.h
---- linux-3.0.4/drivers/block/cciss.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/block/cciss.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/block/cciss.h 2011-08-23 21:47:55.000000000 -0400
@@ -100,7 +100,7 @@ struct ctlr_info
/* information about each logical volume */
@@ -23880,7 +23880,7 @@ diff -urNp linux-3.0.4/drivers/char/nvram.c linux-3.0.4/drivers/char/nvram.c
*ppos = i;
diff -urNp linux-3.0.4/drivers/char/random.c linux-3.0.4/drivers/char/random.c
---- linux-3.0.4/drivers/char/random.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/char/random.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/char/random.c 2011-08-23 21:48:14.000000000 -0400
@@ -261,8 +261,13 @@
/*
@@ -24172,7 +24172,7 @@ diff -urNp linux-3.0.4/drivers/firewire/core-card.c linux-3.0.4/drivers/firewire
card->driver->update_phy_reg(card, 4,
PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
diff -urNp linux-3.0.4/drivers/firewire/core-cdev.c linux-3.0.4/drivers/firewire/core-cdev.c
---- linux-3.0.4/drivers/firewire/core-cdev.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/firewire/core-cdev.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/firewire/core-cdev.c 2011-08-23 21:47:55.000000000 -0400
@@ -1313,8 +1313,7 @@ static int init_iso_resource(struct clie
int ret;
@@ -24515,7 +24515,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.4/drivers/g
if (IS_GEN6(dev)) {
seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c
---- linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:47:55.000000000 -0400
@@ -1169,7 +1169,7 @@ static bool i915_switcheroo_can_switch(s
bool can_switch;
@@ -24578,7 +24578,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.0.4/dr
/* The actual obj->write_domain will be updated with
* pending_write_domain after we emit the accumulated flush for all
diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c
---- linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c 2011-08-23 21:47:55.000000000 -0400
@@ -473,7 +473,7 @@ static irqreturn_t ivybridge_irq_handler
u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
@@ -24626,7 +24626,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/i915/i915_irq.c linux-3.0.4/drivers/gpu/d
INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
INIT_WORK(&dev_priv->error_work, i915_error_work_func);
diff -urNp linux-3.0.4/drivers/gpu/drm/i915/intel_display.c linux-3.0.4/drivers/gpu/drm/i915/intel_display.c
---- linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/i915/intel_display.c 2011-08-23 21:47:55.000000000 -0400
@@ -1961,7 +1961,7 @@ intel_pipe_set_base(struct drm_crtc *crt
@@ -24974,7 +24974,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.0.4/driv
return false;
diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c
---- linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c 2011-08-23 21:47:55.000000000 -0400
@@ -678,7 +678,7 @@ static bool radeon_switcheroo_can_switch
bool can_switch;
@@ -24986,7 +24986,7 @@ diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.4/driver
return can_switch;
}
diff -urNp linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c
---- linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/gpu/drm/radeon/radeon_display.c 2011-08-23 21:48:14.000000000 -0400
@@ -946,6 +946,8 @@ void radeon_compute_pll_legacy(struct ra
uint32_t post_div;
@@ -26766,7 +26766,7 @@ diff -urNp linux-3.0.4/drivers/lguest/x86/switcher_32.S linux-3.0.4/drivers/lgue
// Every interrupt can come to us here
// But we must truly tell each apart.
diff -urNp linux-3.0.4/drivers/md/dm.c linux-3.0.4/drivers/md/dm.c
---- linux-3.0.4/drivers/md/dm.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/md/dm.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/md/dm.c 2011-08-23 21:47:55.000000000 -0400
@@ -164,9 +164,9 @@ struct mapped_device {
/*
@@ -28836,7 +28836,7 @@ diff -urNp linux-3.0.4/drivers/net/mlx4/main.c linux-3.0.4/drivers/net/mlx4/main
if (err) {
if (err == -EACCES)
diff -urNp linux-3.0.4/drivers/net/niu.c linux-3.0.4/drivers/net/niu.c
---- linux-3.0.4/drivers/net/niu.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/net/niu.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/net/niu.c 2011-08-23 21:48:14.000000000 -0400
@@ -9056,6 +9056,8 @@ static void __devinit niu_try_msix(struc
int i, num_irqs, err;
@@ -29494,7 +29494,7 @@ diff -urNp linux-3.0.4/drivers/net/ppp_generic.c linux-3.0.4/drivers/net/ppp_gen
err = 0;
break;
diff -urNp linux-3.0.4/drivers/net/r8169.c linux-3.0.4/drivers/net/r8169.c
---- linux-3.0.4/drivers/net/r8169.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/net/r8169.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/net/r8169.c 2011-08-23 21:47:55.000000000 -0400
@@ -645,12 +645,12 @@ struct rtl8169_private {
struct mdio_ops {
@@ -29838,7 +29838,7 @@ diff -urNp linux-3.0.4/drivers/net/wimax/i2400m/usb-fw.c linux-3.0.4/drivers/net
i2400m, ack, ack_size);
BUG_ON(_ack == i2400m->bm_ack_buf);
diff -urNp linux-3.0.4/drivers/net/wireless/airo.c linux-3.0.4/drivers/net/wireless/airo.c
---- linux-3.0.4/drivers/net/wireless/airo.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/net/wireless/airo.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/net/wireless/airo.c 2011-08-23 21:48:14.000000000 -0400
@@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
BSSListElement * loop_net;
@@ -30063,7 +30063,7 @@ diff -urNp linux-3.0.4/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.0.
"Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue));
diff -urNp linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h
---- linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/net/wireless/ath/ath9k/hw.h 2011-08-23 21:47:55.000000000 -0400
@@ -585,7 +585,7 @@ struct ath_hw_private_ops {
@@ -31061,7 +31061,7 @@ diff -urNp linux-3.0.4/drivers/scsi/hpsa.c linux-3.0.4/drivers/scsi/hpsa.c
}
diff -urNp linux-3.0.4/drivers/scsi/hpsa.h linux-3.0.4/drivers/scsi/hpsa.h
---- linux-3.0.4/drivers/scsi/hpsa.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/scsi/hpsa.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/scsi/hpsa.h 2011-08-23 21:47:55.000000000 -0400
@@ -73,7 +73,7 @@ struct ctlr_info {
unsigned int msix_vector;
@@ -31438,7 +31438,7 @@ diff -urNp linux-3.0.4/drivers/scsi/osd/osd_initiator.c linux-3.0.4/drivers/scsi
if (!or)
return -ENOMEM;
diff -urNp linux-3.0.4/drivers/scsi/pmcraid.c linux-3.0.4/drivers/scsi/pmcraid.c
---- linux-3.0.4/drivers/scsi/pmcraid.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/scsi/pmcraid.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/scsi/pmcraid.c 2011-08-23 21:47:56.000000000 -0400
@@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
res->scsi_dev = scsi_dev;
@@ -31640,7 +31640,7 @@ diff -urNp linux-3.0.4/drivers/scsi/scsi_debug.c linux-3.0.4/drivers/scsi/scsi_d
return errsts;
memset(arr, 0, sizeof(arr));
diff -urNp linux-3.0.4/drivers/scsi/scsi_lib.c linux-3.0.4/drivers/scsi/scsi_lib.c
---- linux-3.0.4/drivers/scsi/scsi_lib.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/scsi/scsi_lib.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/scsi/scsi_lib.c 2011-08-23 21:47:56.000000000 -0400
@@ -1412,7 +1412,7 @@ static void scsi_kill_request(struct req
shost = sdev->host;
@@ -31832,7 +31832,7 @@ diff -urNp linux-3.0.4/drivers/spi/spi.c linux-3.0.4/drivers/spi/spi.c
static u8 *buf;
diff -urNp linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c
---- linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-08-23 21:48:14.000000000 -0400
@@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[
(((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
@@ -31963,7 +31963,7 @@ diff -urNp linux-3.0.4/drivers/staging/et131x/et131x_adapter.h linux-3.0.4/drive
u32 noxmtbuf; /* # Tx packets discarded */
diff -urNp linux-3.0.4/drivers/staging/hv/channel.c linux-3.0.4/drivers/staging/hv/channel.c
---- linux-3.0.4/drivers/staging/hv/channel.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/staging/hv/channel.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/staging/hv/channel.c 2011-08-23 21:47:56.000000000 -0400
@@ -433,8 +433,8 @@ int vmbus_establish_gpadl(struct vmbus_c
int ret = 0;
@@ -32017,7 +32017,7 @@ diff -urNp linux-3.0.4/drivers/staging/hv/hyperv_vmbus.h linux-3.0.4/drivers/sta
/*
* Represents channel interrupts. Each bit position represents a
diff -urNp linux-3.0.4/drivers/staging/hv/rndis_filter.c linux-3.0.4/drivers/staging/hv/rndis_filter.c
---- linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/staging/hv/rndis_filter.c 2011-08-23 21:47:56.000000000 -0400
@@ -43,7 +43,7 @@ struct rndis_device {
@@ -32251,7 +32251,7 @@ diff -urNp linux-3.0.4/drivers/staging/usbip/vhci.h linux-3.0.4/drivers/staging/
/*
* NOTE:
diff -urNp linux-3.0.4/drivers/staging/usbip/vhci_hcd.c linux-3.0.4/drivers/staging/usbip/vhci_hcd.c
---- linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/staging/usbip/vhci_hcd.c 2011-08-23 21:47:56.000000000 -0400
@@ -511,7 +511,7 @@ static void vhci_tx_urb(struct urb *urb)
return;
@@ -32828,7 +32828,7 @@ diff -urNp linux-3.0.4/drivers/tty/ipwireless/tty.c linux-3.0.4/drivers/tty/ipwi
ipwireless_disassociate_network_ttys(network,
ttyj->channel_idx);
diff -urNp linux-3.0.4/drivers/tty/n_gsm.c linux-3.0.4/drivers/tty/n_gsm.c
---- linux-3.0.4/drivers/tty/n_gsm.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/drivers/tty/n_gsm.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/drivers/tty/n_gsm.c 2011-08-23 21:47:56.000000000 -0400
@@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
return NULL;
@@ -36623,7 +36623,7 @@ diff -urNp linux-3.0.4/fs/attr.c linux-3.0.4/fs/attr.c
goto out_sig;
if (offset > inode->i_sb->s_maxbytes)
diff -urNp linux-3.0.4/fs/befs/linuxvfs.c linux-3.0.4/fs/befs/linuxvfs.c
---- linux-3.0.4/fs/befs/linuxvfs.c 2011-08-29 23:26:13.000000000 -0400
+--- linux-3.0.4/fs/befs/linuxvfs.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/fs/befs/linuxvfs.c 2011-08-29 23:26:27.000000000 -0400
@@ -503,7 +503,7 @@ static void befs_put_link(struct dentry
{
@@ -37856,7 +37856,7 @@ diff -urNp linux-3.0.4/fs/cifs/cifs_debug.c linux-3.0.4/fs/cifs/cifs_debug.c
}
}
diff -urNp linux-3.0.4/fs/cifs/cifsfs.c linux-3.0.4/fs/cifs/cifsfs.c
---- linux-3.0.4/fs/cifs/cifsfs.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/fs/cifs/cifsfs.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/cifs/cifsfs.c 2011-08-25 17:18:05.000000000 -0400
@@ -994,7 +994,7 @@ cifs_init_request_bufs(void)
cifs_req_cachep = kmem_cache_create("cifs_request",
@@ -38223,7 +38223,7 @@ diff -urNp linux-3.0.4/fs/dcache.c linux-3.0.4/fs/dcache.c
dcache_init();
inode_init();
diff -urNp linux-3.0.4/fs/ecryptfs/inode.c linux-3.0.4/fs/ecryptfs/inode.c
---- linux-3.0.4/fs/ecryptfs/inode.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/fs/ecryptfs/inode.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/ecryptfs/inode.c 2011-08-23 21:47:56.000000000 -0400
@@ -704,7 +704,7 @@ static int ecryptfs_readlink_lower(struc
old_fs = get_fs();
@@ -38945,7 +38945,7 @@ diff -urNp linux-3.0.4/fs/ext4/balloc.c linux-3.0.4/fs/ext4/balloc.c
if (free_blocks >= (nblocks + dirty_blocks))
return 1;
diff -urNp linux-3.0.4/fs/ext4/ext4.h linux-3.0.4/fs/ext4/ext4.h
---- linux-3.0.4/fs/ext4/ext4.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/fs/ext4/ext4.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/ext4/ext4.h 2011-08-23 21:47:56.000000000 -0400
@@ -1177,19 +1177,19 @@ struct ext4_sb_info {
unsigned long s_mb_last_start;
@@ -38978,7 +38978,7 @@ diff -urNp linux-3.0.4/fs/ext4/ext4.h linux-3.0.4/fs/ext4/ext4.h
/* locality groups */
diff -urNp linux-3.0.4/fs/ext4/mballoc.c linux-3.0.4/fs/ext4/mballoc.c
---- linux-3.0.4/fs/ext4/mballoc.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/fs/ext4/mballoc.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/ext4/mballoc.c 2011-08-23 21:48:14.000000000 -0400
@@ -1793,7 +1793,7 @@ void ext4_mb_simple_scan_group(struct ex
BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
@@ -40686,7 +40686,7 @@ diff -urNp linux-3.0.4/fs/fuse/cuse.c linux-3.0.4/fs/fuse/cuse.c
cuse_class = class_create(THIS_MODULE, "cuse");
if (IS_ERR(cuse_class))
diff -urNp linux-3.0.4/fs/fuse/dev.c linux-3.0.4/fs/fuse/dev.c
---- linux-3.0.4/fs/fuse/dev.c 2011-08-29 23:26:14.000000000 -0400
+--- linux-3.0.4/fs/fuse/dev.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/fs/fuse/dev.c 2011-08-29 23:26:27.000000000 -0400
@@ -1238,7 +1238,7 @@ static ssize_t fuse_dev_splice_read(stru
ret = 0;
@@ -41664,7 +41664,7 @@ diff -urNp linux-3.0.4/fs/nfs/inode.c linux-3.0.4/fs/nfs/inode.c
void nfs_fattr_init(struct nfs_fattr *fattr)
diff -urNp linux-3.0.4/fs/nfsd/nfs4state.c linux-3.0.4/fs/nfsd/nfs4state.c
---- linux-3.0.4/fs/nfsd/nfs4state.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/fs/nfsd/nfs4state.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/fs/nfsd/nfs4state.c 2011-08-23 21:48:14.000000000 -0400
@@ -3794,6 +3794,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
unsigned int strhashval;
@@ -41927,7 +41927,7 @@ diff -urNp linux-3.0.4/fs/ocfs2/symlink.c linux-3.0.4/fs/ocfs2/symlink.c
}
diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
--- linux-3.0.4/fs/open.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/fs/open.c 2011-08-23 21:48:14.000000000 -0400
++++ linux-3.0.4/fs/open.c 2011-09-14 09:16:46.000000000 -0400
@@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
error = locks_verify_truncate(inode, NULL, length);
if (!error)
@@ -41972,18 +41972,13 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
if (!error)
set_fs_pwd(current->fs, &file->f_path);
out_putf:
-@@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
+@@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use
if (error)
goto dput_and_out;
+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
+ goto dput_and_out;
+
-+ if (gr_handle_chroot_caps(&path)) {
-+ error = -ENOMEM;
-+ goto dput_and_out;
-+ }
-+
set_fs_root(current->fs, &path);
+
+ gr_handle_chroot_chdir(&path);
@@ -41991,7 +41986,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
error = 0;
dput_and_out:
path_put(&path);
-@@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
+@@ -466,12 +488,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
err = mnt_want_write_file(file);
if (err)
goto out_putf;
@@ -42017,7 +42012,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
err = notify_change(dentry, &newattrs);
-@@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
+@@ -499,12 +534,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
error = mnt_want_write(path.mnt);
if (error)
goto dput_and_out;
@@ -42043,7 +42038,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
error = notify_change(path.dentry, &newattrs);
-@@ -528,6 +581,9 @@ static int chown_common(struct path *pat
+@@ -528,6 +576,9 @@ static int chown_common(struct path *pat
int error;
struct iattr newattrs;
@@ -42053,7 +42048,7 @@ diff -urNp linux-3.0.4/fs/open.c linux-3.0.4/fs/open.c
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
newattrs.ia_valid |= ATTR_UID;
-@@ -998,7 +1054,10 @@ long do_sys_open(int dfd, const char __u
+@@ -998,7 +1049,10 @@ long do_sys_open(int dfd, const char __u
if (!IS_ERR(tmp)) {
fd = get_unused_fd_flags(flags);
if (fd >= 0) {
@@ -42338,8 +42333,8 @@ diff -urNp linux-3.0.4/fs/proc/array.c linux-3.0.4/fs/proc/array.c
+}
+#endif
diff -urNp linux-3.0.4/fs/proc/base.c linux-3.0.4/fs/proc/base.c
---- linux-3.0.4/fs/proc/base.c 2011-08-23 21:44:40.000000000 -0400
-+++ linux-3.0.4/fs/proc/base.c 2011-08-23 21:48:14.000000000 -0400
+--- linux-3.0.4/fs/proc/base.c 2011-09-02 18:11:21.000000000 -0400
++++ linux-3.0.4/fs/proc/base.c 2011-09-13 14:50:28.000000000 -0400
@@ -107,6 +107,22 @@ struct pid_entry {
union proc_op op;
};
@@ -42405,7 +42400,7 @@ diff -urNp linux-3.0.4/fs/proc/base.c linux-3.0.4/fs/proc/base.c
+ if (PAX_RAND_FLAGS(mm) &&
+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
+ mmput(mm);
-+ return res;
++ return 0;
+ }
+#endif
+
@@ -48198,8 +48193,8 @@ diff -urNp linux-3.0.4/grsecurity/gracl.c linux-3.0.4/grsecurity/gracl.c
+
diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c
--- linux-3.0.4/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/gracl_cap.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,139 @@
++++ linux-3.0.4/grsecurity/gracl_cap.c 2011-09-14 09:21:24.000000000 -0400
+@@ -0,0 +1,101 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -48207,49 +48202,11 @@ diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+
-+static const char *captab_log[] = {
-+ "CAP_CHOWN",
-+ "CAP_DAC_OVERRIDE",
-+ "CAP_DAC_READ_SEARCH",
-+ "CAP_FOWNER",
-+ "CAP_FSETID",
-+ "CAP_KILL",
-+ "CAP_SETGID",
-+ "CAP_SETUID",
-+ "CAP_SETPCAP",
-+ "CAP_LINUX_IMMUTABLE",
-+ "CAP_NET_BIND_SERVICE",
-+ "CAP_NET_BROADCAST",
-+ "CAP_NET_ADMIN",
-+ "CAP_NET_RAW",
-+ "CAP_IPC_LOCK",
-+ "CAP_IPC_OWNER",
-+ "CAP_SYS_MODULE",
-+ "CAP_SYS_RAWIO",
-+ "CAP_SYS_CHROOT",
-+ "CAP_SYS_PTRACE",
-+ "CAP_SYS_PACCT",
-+ "CAP_SYS_ADMIN",
-+ "CAP_SYS_BOOT",
-+ "CAP_SYS_NICE",
-+ "CAP_SYS_RESOURCE",
-+ "CAP_SYS_TIME",
-+ "CAP_SYS_TTY_CONFIG",
-+ "CAP_MKNOD",
-+ "CAP_LEASE",
-+ "CAP_AUDIT_WRITE",
-+ "CAP_AUDIT_CONTROL",
-+ "CAP_SETFCAP",
-+ "CAP_MAC_OVERRIDE",
-+ "CAP_MAC_ADMIN",
-+ "CAP_SYSLOG"
-+};
-+
-+EXPORT_SYMBOL(gr_is_capable);
-+EXPORT_SYMBOL(gr_is_capable_nolog);
++extern const char *captab_log[];
++extern int captab_log_entries;
+
+int
-+gr_is_capable(const int cap)
++gr_acl_is_capable(const int cap)
+{
+ struct task_struct *task = current;
+ const struct cred *cred = current_cred();
@@ -48301,13 +48258,13 @@ diff -urNp linux-3.0.4/grsecurity/gracl_cap.c linux-3.0.4/grsecurity/gracl_cap.c
+ return 1;
+ }
+
-+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
++ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
+ return 0;
+}
+
+int
-+gr_is_capable_nolog(const int cap)
++gr_acl_is_capable_nolog(const int cap)
+{
+ struct acl_subject_label *curracl;
+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
@@ -49814,8 +49771,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chdir.c linux-3.0.4/grsecurity/grsec_chd
+}
diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_chroot.c
--- linux-3.0.4/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_chroot.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,349 @@
++++ linux-3.0.4/grsecurity/grsec_chroot.c 2011-09-15 06:47:48.000000000 -0400
+@@ -0,0 +1,351 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -50096,33 +50053,39 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch
+ return 0;
+}
+
++extern const char *captab_log[];
++extern int captab_log_entries;
++
+int
-+gr_handle_chroot_caps(struct path *path)
++gr_chroot_is_capable(const int cap)
+{
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
-+ if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
-+ (init_task.fs->root.dentry != path->dentry) &&
-+ (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
-+
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
-+ const struct cred *old = current_cred();
-+ struct cred *new = prepare_creds();
-+ if (new == NULL)
-+ return 1;
-+
-+ new->cap_permitted = cap_drop(old->cap_permitted,
-+ chroot_caps);
-+ new->cap_inheritable = cap_drop(old->cap_inheritable,
-+ chroot_caps);
-+ new->cap_effective = cap_drop(old->cap_effective,
-+ chroot_caps);
-+
-+ commit_creds(new);
++ if (cap_raised(chroot_caps, cap)) {
++ const struct cred *creds = current_cred();
++ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
++ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
++ }
++ return 0;
++ }
++ }
++#endif
++ return 1;
++}
+
-+ return 0;
++int
++gr_chroot_is_capable_nolog(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
++ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
++ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
++ if (cap_raised(chroot_caps, cap)) {
++ return 0;
++ }
+ }
+#endif
-+ return 0;
++ return 1;
+}
+
+int
@@ -50161,10 +50124,6 @@ diff -urNp linux-3.0.4/grsecurity/grsec_chroot.c linux-3.0.4/grsecurity/grsec_ch
+#endif
+ return 0;
+}
-+
-+#ifdef CONFIG_SECURITY
-+EXPORT_SYMBOL(gr_handle_chroot_caps);
-+#endif
diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_disabled.c
--- linux-3.0.4/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.0.4/grsecurity/grsec_disabled.c 2011-08-23 21:48:14.000000000 -0400
@@ -50618,8 +50577,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_disabled.c linux-3.0.4/grsecurity/grsec_
+#endif
diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec.c
--- linux-3.0.4/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_exec.c 2011-08-25 17:25:59.000000000 -0400
-@@ -0,0 +1,72 @@
++++ linux-3.0.4/grsecurity/grsec_exec.c 2011-09-14 09:20:28.000000000 -0400
+@@ -0,0 +1,145 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -50630,6 +50589,7 @@ diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec
+#include <linux/grsecurity.h>
+#include <linux/grinternal.h>
+#include <linux/capability.h>
++#include <linux/module.h>
+
+#include <asm/uaccess.h>
+
@@ -50692,6 +50652,78 @@ diff -urNp linux-3.0.4/grsecurity/grsec_exec.c linux-3.0.4/grsecurity/grsec_exec
+#endif
+ return;
+}
++
++#ifdef CONFIG_GRKERNSEC
++extern int gr_acl_is_capable(const int cap);
++extern int gr_acl_is_capable_nolog(const int cap);
++extern int gr_chroot_is_capable(const int cap);
++extern int gr_chroot_is_capable_nolog(const int cap);
++#endif
++
++const char *captab_log[] = {
++ "CAP_CHOWN",
++ "CAP_DAC_OVERRIDE",
++ "CAP_DAC_READ_SEARCH",
++ "CAP_FOWNER",
++ "CAP_FSETID",
++ "CAP_KILL",
++ "CAP_SETGID",
++ "CAP_SETUID",
++ "CAP_SETPCAP",
++ "CAP_LINUX_IMMUTABLE",
++ "CAP_NET_BIND_SERVICE",
++ "CAP_NET_BROADCAST",
++ "CAP_NET_ADMIN",
++ "CAP_NET_RAW",
++ "CAP_IPC_LOCK",
++ "CAP_IPC_OWNER",
++ "CAP_SYS_MODULE",
++ "CAP_SYS_RAWIO",
++ "CAP_SYS_CHROOT",
++ "CAP_SYS_PTRACE",
++ "CAP_SYS_PACCT",
++ "CAP_SYS_ADMIN",
++ "CAP_SYS_BOOT",
++ "CAP_SYS_NICE",
++ "CAP_SYS_RESOURCE",
++ "CAP_SYS_TIME",
++ "CAP_SYS_TTY_CONFIG",
++ "CAP_MKNOD",
++ "CAP_LEASE",
++ "CAP_AUDIT_WRITE",
++ "CAP_AUDIT_CONTROL",
++ "CAP_SETFCAP",
++ "CAP_MAC_OVERRIDE",
++ "CAP_MAC_ADMIN",
++ "CAP_SYSLOG"
++};
++
++int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
++
++int gr_is_capable(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
++ return 1;
++ return 0;
++#else
++ return 1;
++#endif
++}
++
++int gr_is_capable_nolog(const int cap)
++{
++#ifdef CONFIG_GRKERNSEC
++ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
++ return 1;
++ return 0;
++#else
++ return 1;
++#endif
++}
++
++EXPORT_SYMBOL(gr_is_capable);
++EXPORT_SYMBOL(gr_is_capable_nolog);
diff -urNp linux-3.0.4/grsecurity/grsec_fifo.c linux-3.0.4/grsecurity/grsec_fifo.c
--- linux-3.0.4/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
+++ linux-3.0.4/grsecurity/grsec_fifo.c 2011-08-23 21:48:14.000000000 -0400
@@ -51069,8 +51101,8 @@ diff -urNp linux-3.0.4/grsecurity/grsec_link.c linux-3.0.4/grsecurity/grsec_link
+}
diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c
--- linux-3.0.4/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/grsec_log.c 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,310 @@
++++ linux-3.0.4/grsecurity/grsec_log.c 2011-09-14 23:17:55.000000000 -0400
+@@ -0,0 +1,313 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/file.h>
@@ -51123,20 +51155,23 @@ diff -urNp linux-3.0.4/grsecurity/grsec_log.c linux-3.0.4/grsecurity/grsec_log.c
+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
++ unsigned long curr_secs = get_seconds();
+
+ if (audit == GR_DO_AUDIT)
+ goto set_fmt;
+
-+ if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
-+ grsec_alert_wtime = jiffies;
++ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
++ grsec_alert_wtime = curr_secs;
+ grsec_alert_fyet = 0;
-+ } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
-+ grsec_alert_fyet++;
-+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
-+ grsec_alert_wtime = jiffies;
-+ grsec_alert_fyet++;
-+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
-+ return FLOODING;
++ } else if (time_before(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
++ if (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST) {
++ grsec_alert_fyet++;
++ } else if (grsec_alert_fyet && grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
++ grsec_alert_wtime = curr_secs;
++ grsec_alert_fyet++;
++ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
++ return FLOODING;
++ }
+ } else return FLOODING;
+
+set_fmt:
@@ -52567,7 +52602,7 @@ diff -urNp linux-3.0.4/grsecurity/grsum.c linux-3.0.4/grsecurity/grsum.c
+}
diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig
--- linux-3.0.4/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/Kconfig 2011-08-25 17:25:34.000000000 -0400
++++ linux-3.0.4/grsecurity/Kconfig 2011-09-15 00:00:57.000000000 -0400
@@ -0,0 +1,1038 @@
+#
+# grecurity configuration
@@ -53203,7 +53238,7 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig
+ bool "Capability restrictions"
+ depends on GRKERNSEC_CHROOT
+ help
-+ If you say Y here, the capabilities on all root processes within a
++ If you say Y here, the capabilities on all processes within a
+ chroot jail will be lowered to stop module insertion, raw i/o,
+ system and net admin tasks, rebooting the system, modifying immutable
+ files, modifying IPC owned by another, and changing the system time.
@@ -53596,7 +53631,7 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig
+
+config GRKERNSEC_FLOODBURST
+ int "Number of messages in a burst (maximum)"
-+ default 4
++ default 6
+ help
+ This option allows you to choose the maximum number of messages allowed
+ within the flood time interval you chose in a separate option. The
@@ -53609,8 +53644,8 @@ diff -urNp linux-3.0.4/grsecurity/Kconfig linux-3.0.4/grsecurity/Kconfig
+endmenu
diff -urNp linux-3.0.4/grsecurity/Makefile linux-3.0.4/grsecurity/Makefile
--- linux-3.0.4/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/grsecurity/Makefile 2011-08-23 21:48:14.000000000 -0400
-@@ -0,0 +1,34 @@
++++ linux-3.0.4/grsecurity/Makefile 2011-09-14 23:29:56.000000000 -0400
+@@ -0,0 +1,35 @@
+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
+# during 2001-2009 it has been completely redesigned by Brad Spengler
+# into an RBAC system
@@ -53642,6 +53677,7 @@ diff -urNp linux-3.0.4/grsecurity/Makefile linux-3.0.4/grsecurity/Makefile
+$(obj)/grsec_hidesym.o:
+ @-chmod -f 500 /boot
+ @-chmod -f 500 /lib/modules
++ @-chmod -f 500 /lib64/modules
+ @-chmod -f 700 .
+ @echo ' grsec: protected kernel image paths'
+endif
@@ -55417,8 +55453,8 @@ diff -urNp linux-3.0.4/include/linux/grinternal.h linux-3.0.4/include/linux/grin
+#endif
diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h
--- linux-3.0.4/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/include/linux/grmsg.h 2011-08-25 17:27:26.000000000 -0400
-@@ -0,0 +1,107 @@
++++ linux-3.0.4/include/linux/grmsg.h 2011-09-14 09:16:54.000000000 -0400
+@@ -0,0 +1,108 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -55511,6 +55547,7 @@ diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h
+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
+#define GR_CAP_ACL_MSG "use of %s denied for "
++#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
@@ -55528,8 +55565,8 @@ diff -urNp linux-3.0.4/include/linux/grmsg.h linux-3.0.4/include/linux/grmsg.h
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
diff -urNp linux-3.0.4/include/linux/grsecurity.h linux-3.0.4/include/linux/grsecurity.h
--- linux-3.0.4/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/include/linux/grsecurity.h 2011-08-25 17:27:36.000000000 -0400
-@@ -0,0 +1,227 @@
++++ linux-3.0.4/include/linux/grsecurity.h 2011-09-14 09:16:54.000000000 -0400
+@@ -0,0 +1,226 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -55594,7 +55631,6 @@ diff -urNp linux-3.0.4/include/linux/grsecurity.h linux-3.0.4/include/linux/grse
+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
+int gr_handle_chroot_chroot(const struct dentry *dentry,
+ const struct vfsmount *mnt);
-+int gr_handle_chroot_caps(struct path *path);
+void gr_handle_chroot_chdir(struct path *path);
+int gr_handle_chroot_chmod(const struct dentry *dentry,
+ const struct vfsmount *mnt, const int mode);
@@ -56060,7 +56096,7 @@ diff -urNp linux-3.0.4/include/linux/mfd/abx500.h linux-3.0.4/include/linux/mfd/
int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
void abx500_remove_ops(struct device *dev);
diff -urNp linux-3.0.4/include/linux/mm.h linux-3.0.4/include/linux/mm.h
---- linux-3.0.4/include/linux/mm.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/include/linux/mm.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/include/linux/mm.h 2011-08-23 21:47:56.000000000 -0400
@@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
@@ -56444,7 +56480,7 @@ diff -urNp linux-3.0.4/include/linux/namei.h linux-3.0.4/include/linux/namei.h
return nd->saved_names[nd->depth];
}
diff -urNp linux-3.0.4/include/linux/netdevice.h linux-3.0.4/include/linux/netdevice.h
---- linux-3.0.4/include/linux/netdevice.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/include/linux/netdevice.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/include/linux/netdevice.h 2011-08-23 21:47:56.000000000 -0400
@@ -979,6 +979,7 @@ struct net_device_ops {
int (*ndo_set_features)(struct net_device *dev,
@@ -56634,7 +56670,7 @@ diff -urNp linux-3.0.4/include/linux/ptrace.h linux-3.0.4/include/linux/ptrace.h
static inline int ptrace_reparented(struct task_struct *child)
{
diff -urNp linux-3.0.4/include/linux/random.h linux-3.0.4/include/linux/random.h
---- linux-3.0.4/include/linux/random.h 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/include/linux/random.h 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/include/linux/random.h 2011-08-23 21:47:56.000000000 -0400
@@ -69,12 +69,17 @@ void srandom32(u32 seed);
@@ -58580,7 +58616,7 @@ diff -urNp linux-3.0.4/ipc/msg.c linux-3.0.4/ipc/msg.c
msg_params.flg = msgflg;
diff -urNp linux-3.0.4/ipc/sem.c linux-3.0.4/ipc/sem.c
---- linux-3.0.4/ipc/sem.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/ipc/sem.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/ipc/sem.c 2011-08-23 21:48:14.000000000 -0400
@@ -318,10 +318,15 @@ static inline int sem_more_checks(struct
return 0;
@@ -59134,8 +59170,8 @@ diff -urNp linux-3.0.4/kernel/debug/kdb/kdb_main.c linux-3.0.4/kernel/debug/kdb/
#ifdef CONFIG_MODULE_UNLOAD
{
diff -urNp linux-3.0.4/kernel/events/core.c linux-3.0.4/kernel/events/core.c
---- linux-3.0.4/kernel/events/core.c 2011-08-23 21:44:40.000000000 -0400
-+++ linux-3.0.4/kernel/events/core.c 2011-08-23 21:47:56.000000000 -0400
+--- linux-3.0.4/kernel/events/core.c 2011-09-02 18:11:21.000000000 -0400
++++ linux-3.0.4/kernel/events/core.c 2011-09-14 09:08:05.000000000 -0400
@@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
return 0;
}
@@ -59193,6 +59229,21 @@ diff -urNp linux-3.0.4/kernel/events/core.c linux-3.0.4/kernel/events/core.c
}
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(event);
+@@ -4833,12 +4833,12 @@ static void perf_event_mmap_event(struct
+ * need to add enough zero bytes after the string to handle
+ * the 64bit alignment we do later.
+ */
+- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
++ buf = kzalloc(PATH_MAX, GFP_KERNEL);
+ if (!buf) {
+ name = strncpy(tmp, "//enomem", sizeof(tmp));
+ goto got_name;
+ }
+- name = d_path(&file->f_path, buf, PATH_MAX);
++ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
+ if (IS_ERR(name)) {
+ name = strncpy(tmp, "//toolong", sizeof(tmp));
+ goto got_name;
@@ -6190,7 +6190,7 @@ perf_event_alloc(struct perf_event_attr
event->parent = parent_event;
@@ -59633,7 +59684,7 @@ diff -urNp linux-3.0.4/kernel/fork.c linux-3.0.4/kernel/fork.c
else
new_fs = fs;
diff -urNp linux-3.0.4/kernel/futex.c linux-3.0.4/kernel/futex.c
---- linux-3.0.4/kernel/futex.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/kernel/futex.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/kernel/futex.c 2011-08-23 21:48:14.000000000 -0400
@@ -54,6 +54,7 @@
#include <linux/mount.h>
@@ -61630,7 +61681,80 @@ diff -urNp linux-3.0.4/kernel/rcutorture.c linux-3.0.4/kernel/rcutorture.c
per_cpu(rcu_torture_count, cpu)[i] = 0;
diff -urNp linux-3.0.4/kernel/rcutree.c linux-3.0.4/kernel/rcutree.c
--- linux-3.0.4/kernel/rcutree.c 2011-07-21 22:17:23.000000000 -0400
-+++ linux-3.0.4/kernel/rcutree.c 2011-08-23 21:47:56.000000000 -0400
++++ linux-3.0.4/kernel/rcutree.c 2011-09-14 09:08:05.000000000 -0400
+@@ -356,9 +356,9 @@ void rcu_enter_nohz(void)
+ }
+ /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
+ smp_mb__before_atomic_inc(); /* See above. */
+- atomic_inc(&rdtp->dynticks);
++ atomic_inc_unchecked(&rdtp->dynticks);
+ smp_mb__after_atomic_inc(); /* Force ordering with next sojourn. */
+- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
++ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
+ local_irq_restore(flags);
+
+ /* If the interrupt queued a callback, get out of dyntick mode. */
+@@ -387,10 +387,10 @@ void rcu_exit_nohz(void)
+ return;
+ }
+ smp_mb__before_atomic_inc(); /* Force ordering w/previous sojourn. */
+- atomic_inc(&rdtp->dynticks);
++ atomic_inc_unchecked(&rdtp->dynticks);
+ /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
+ smp_mb__after_atomic_inc(); /* See above. */
+- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
++ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
+ local_irq_restore(flags);
+ }
+
+@@ -406,14 +406,14 @@ void rcu_nmi_enter(void)
+ struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
+
+ if (rdtp->dynticks_nmi_nesting == 0 &&
+- (atomic_read(&rdtp->dynticks) & 0x1))
++ (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
+ return;
+ rdtp->dynticks_nmi_nesting++;
+ smp_mb__before_atomic_inc(); /* Force delay from prior write. */
+- atomic_inc(&rdtp->dynticks);
++ atomic_inc_unchecked(&rdtp->dynticks);
+ /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
+ smp_mb__after_atomic_inc(); /* See above. */
+- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
++ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
+ }
+
+ /**
+@@ -432,9 +432,9 @@ void rcu_nmi_exit(void)
+ return;
+ /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
+ smp_mb__before_atomic_inc(); /* See above. */
+- atomic_inc(&rdtp->dynticks);
++ atomic_inc_unchecked(&rdtp->dynticks);
+ smp_mb__after_atomic_inc(); /* Force delay to next write. */
+- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
++ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
+ }
+
+ /**
+@@ -469,7 +469,7 @@ void rcu_irq_exit(void)
+ */
+ static int dyntick_save_progress_counter(struct rcu_data *rdp)
+ {
+- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
++ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
+ return 0;
+ }
+
+@@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru
+ unsigned long curr;
+ unsigned long snap;
+
+- curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks);
++ curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
+ snap = (unsigned long)rdp->dynticks_snap;
+
+ /*
@@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state
/*
* Do softirq processing for the current CPU.
@@ -61640,6 +61764,18 @@ diff -urNp linux-3.0.4/kernel/rcutree.c linux-3.0.4/kernel/rcutree.c
{
__rcu_process_callbacks(&rcu_sched_state,
&__get_cpu_var(rcu_sched_data));
+diff -urNp linux-3.0.4/kernel/rcutree.h linux-3.0.4/kernel/rcutree.h
+--- linux-3.0.4/kernel/rcutree.h 2011-07-21 22:17:23.000000000 -0400
++++ linux-3.0.4/kernel/rcutree.h 2011-09-14 09:08:05.000000000 -0400
+@@ -86,7 +86,7 @@
+ struct rcu_dynticks {
+ int dynticks_nesting; /* Track irq/process nesting level. */
+ int dynticks_nmi_nesting; /* Track NMI nesting level. */
+- atomic_t dynticks; /* Even value for dynticks-idle, else odd. */
++ atomic_unchecked_t dynticks; /* Even value for dynticks-idle, else odd. */
+ };
+
+ /* RCU's kthread states for tracing. */
diff -urNp linux-3.0.4/kernel/rcutree_plugin.h linux-3.0.4/kernel/rcutree_plugin.h
--- linux-3.0.4/kernel/rcutree_plugin.h 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/kernel/rcutree_plugin.h 2011-08-23 21:47:56.000000000 -0400
@@ -62123,7 +62259,7 @@ diff -urNp linux-3.0.4/kernel/softirq.c linux-3.0.4/kernel/softirq.c
struct tasklet_struct *list;
diff -urNp linux-3.0.4/kernel/sys.c linux-3.0.4/kernel/sys.c
---- linux-3.0.4/kernel/sys.c 2011-08-29 23:26:14.000000000 -0400
+--- linux-3.0.4/kernel/sys.c 2011-09-02 18:11:26.000000000 -0400
+++ linux-3.0.4/kernel/sys.c 2011-08-29 23:26:27.000000000 -0400
@@ -158,6 +158,12 @@ static int set_one_prio(struct task_stru
error = -EACCES;
@@ -62792,7 +62928,7 @@ diff -urNp linux-3.0.4/kernel/trace/trace.c linux-3.0.4/kernel/trace/trace.c
struct dentry *d_tracer;
diff -urNp linux-3.0.4/kernel/trace/trace_events.c linux-3.0.4/kernel/trace/trace_events.c
---- linux-3.0.4/kernel/trace/trace_events.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/kernel/trace/trace_events.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/kernel/trace/trace_events.c 2011-08-23 21:47:56.000000000 -0400
@@ -1318,10 +1318,6 @@ static LIST_HEAD(ftrace_module_file_list
struct ftrace_module_file_ops {
@@ -63140,8 +63276,8 @@ diff -urNp linux-3.0.4/localversion-grsec linux-3.0.4/localversion-grsec
@@ -0,0 +1 @@
+-grsec
diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
---- linux-3.0.4/Makefile 2011-08-29 23:26:13.000000000 -0400
-+++ linux-3.0.4/Makefile 2011-09-01 17:26:49.000000000 -0400
+--- linux-3.0.4/Makefile 2011-09-02 18:11:26.000000000 -0400
++++ linux-3.0.4/Makefile 2011-09-14 11:16:43.000000000 -0400
@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
HOSTCC = gcc
@@ -63167,23 +63303,30 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
KBUILD_AFLAGS_KERNEL :=
KBUILD_CFLAGS_KERNEL :=
KBUILD_AFLAGS := -D__ASSEMBLY__
-@@ -408,6 +411,7 @@ export RCS_TAR_IGNORE := --exclude SCCS
+@@ -407,8 +410,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
+ # Rules shared between *config targets and build targets
# Basic helpers built in scripts/
- PHONY += scripts_basic
-+scripts_basic: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS))
- scripts_basic:
+-PHONY += scripts_basic
+-scripts_basic:
++PHONY += scripts_basic gcc-plugins
++scripts_basic: gcc-plugins
$(Q)$(MAKE) $(build)=scripts/basic
$(Q)rm -f .tmp_quiet_recordmcount
-@@ -564,6 +568,24 @@ else
+
+@@ -564,6 +567,28 @@ else
KBUILD_CFLAGS += -O2
endif
-+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC)), y)
++ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC) $(CC)), y)
+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
++ifdef CONFIG_KALLOCSTAT_PLUGIN
++KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
++endif
+ifdef CONFIG_PAX_MEMORY_STACKLEAK
+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
+endif
++GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN)
+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN
+gcc-plugins:
+ $(Q)$(MAKE) $(build)=tools/gcc
@@ -63200,7 +63343,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
include $(srctree)/arch/$(SRCARCH)/Makefile
ifneq ($(CONFIG_FRAME_WARN),0)
-@@ -708,7 +730,7 @@ export mod_strip_cmd
+@@ -708,7 +733,7 @@ export mod_strip_cmd
ifeq ($(KBUILD_EXTMOD),)
@@ -63209,34 +63352,34 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
$(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-@@ -907,6 +929,8 @@ define rule_vmlinux-modpost
+@@ -907,6 +932,8 @@ define rule_vmlinux-modpost
endef
# vmlinux image - including updated kernel symbols
-+$(vmlinux-all): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++$(vmlinux-all): KBUILD_CFLAGS += $(GCC_PLUGINS)
+$(vmlinux-all): gcc-plugins
vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE
ifdef CONFIG_HEADERS_CHECK
$(Q)$(MAKE) -f $(srctree)/Makefile headers_check
-@@ -941,7 +965,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
+@@ -941,7 +968,8 @@ $(sort $(vmlinux-init) $(vmlinux-main))
# Error messages still appears in the original language
PHONY += $(vmlinux-dirs)
-$(vmlinux-dirs): prepare scripts
-+$(vmlinux-dirs): KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++$(vmlinux-dirs): KBUILD_CFLAGS += $(GCC_PLUGINS)
+$(vmlinux-dirs): gcc-plugins prepare scripts
$(Q)$(MAKE) $(build)=$@
# Store (new) KERNELRELASE string in include/config/kernel.release
-@@ -986,6 +1011,7 @@ prepare0: archprepare FORCE
+@@ -986,6 +1014,7 @@ prepare0: archprepare FORCE
$(Q)$(MAKE) $(build)=. missing-syscalls
# All the preparing..
-+prepare: KBUILD_CFLAGS := $(filter-out $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN),$(KBUILD_CFLAGS))
++prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
prepare: prepare0
# Generate some files
-@@ -1102,7 +1128,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
+@@ -1102,7 +1131,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
# Target to prepare building external modules
PHONY += modules_prepare
@@ -63245,7 +63388,7 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
# Target to install modules
PHONY += modules_install
-@@ -1198,7 +1224,7 @@ distclean: mrproper
+@@ -1198,7 +1227,7 @@ distclean: mrproper
@find $(srctree) $(RCS_FIND_IGNORE) \
\( -name '*.orig' -o -name '*.rej' -o -name '*~' \
-o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
@@ -63254,26 +63397,26 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
-o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
-type f -print | xargs rm -f
-@@ -1359,6 +1385,7 @@ PHONY += $(module-dirs) modules
+@@ -1359,6 +1388,7 @@ PHONY += $(module-dirs) modules
$(module-dirs): crmodverdir $(objtree)/Module.symvers
$(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
-+modules: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
modules: $(module-dirs)
@$(kecho) ' Building modules, stage 2.';
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-@@ -1485,17 +1512,19 @@ else
+@@ -1485,17 +1515,19 @@ else
target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
endif
-%.s: %.c prepare scripts FORCE
-+%.s: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.s: %.c gcc-plugins prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.i: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-%.o: %.c prepare scripts FORCE
-+%.o: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.o: %.c gcc-plugins prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.lst: %.c prepare scripts FORCE
@@ -63286,18 +63429,18 @@ diff -urNp linux-3.0.4/Makefile linux-3.0.4/Makefile
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
%.symtypes: %.c prepare scripts FORCE
$(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
-@@ -1505,11 +1534,13 @@ endif
+@@ -1505,11 +1537,13 @@ endif
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
-%/: prepare scripts FORCE
-+%/: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%/: gcc-plugins prepare scripts FORCE
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
$(build)=$(build-dir)
-%.ko: prepare scripts FORCE
-+%.ko: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
++%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
+%.ko: gcc-plugins prepare scripts FORCE
$(cmd_crmodverdir)
$(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
@@ -63584,7 +63727,7 @@ diff -urNp linux-3.0.4/mm/madvise.c linux-3.0.4/mm/madvise.c
if (end == start)
goto out;
diff -urNp linux-3.0.4/mm/memory.c linux-3.0.4/mm/memory.c
---- linux-3.0.4/mm/memory.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/mm/memory.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/mm/memory.c 2011-08-23 21:47:56.000000000 -0400
@@ -457,8 +457,12 @@ static inline void free_pmd_range(struct
return;
@@ -67084,7 +67227,7 @@ diff -urNp linux-3.0.4/mm/util.c linux-3.0.4/mm/util.c
mm->unmap_area = arch_unmap_area;
}
diff -urNp linux-3.0.4/mm/vmalloc.c linux-3.0.4/mm/vmalloc.c
---- linux-3.0.4/mm/vmalloc.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/mm/vmalloc.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/mm/vmalloc.c 2011-08-23 21:47:56.000000000 -0400
@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
@@ -68157,7 +68300,7 @@ diff -urNp linux-3.0.4/net/ipv4/inet_diag.c linux-3.0.4/net/ipv4/inet_diag.c
tmo = req->expires - jiffies;
if (tmo < 0)
diff -urNp linux-3.0.4/net/ipv4/inet_hashtables.c linux-3.0.4/net/ipv4/inet_hashtables.c
---- linux-3.0.4/net/ipv4/inet_hashtables.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv4/inet_hashtables.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv4/inet_hashtables.c 2011-08-23 21:55:24.000000000 -0400
@@ -18,12 +18,15 @@
#include <linux/sched.h>
@@ -68185,7 +68328,7 @@ diff -urNp linux-3.0.4/net/ipv4/inet_hashtables.c linux-3.0.4/net/ipv4/inet_hash
inet_twsk_deschedule(tw, death_row);
while (twrefcnt) {
diff -urNp linux-3.0.4/net/ipv4/inetpeer.c linux-3.0.4/net/ipv4/inetpeer.c
---- linux-3.0.4/net/ipv4/inetpeer.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv4/inetpeer.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv4/inetpeer.c 2011-08-23 21:48:14.000000000 -0400
@@ -481,6 +481,8 @@ struct inet_peer *inet_getpeer(struct in
unsigned int sequence;
@@ -68327,7 +68470,7 @@ diff -urNp linux-3.0.4/net/ipv4/raw.c linux-3.0.4/net/ipv4/raw.c
static int raw_seq_show(struct seq_file *seq, void *v)
diff -urNp linux-3.0.4/net/ipv4/route.c linux-3.0.4/net/ipv4/route.c
---- linux-3.0.4/net/ipv4/route.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv4/route.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv4/route.c 2011-08-23 21:47:56.000000000 -0400
@@ -304,7 +304,7 @@ static inline unsigned int rt_hash(__be3
@@ -68378,7 +68521,7 @@ diff -urNp linux-3.0.4/net/ipv4/tcp.c linux-3.0.4/net/ipv4/tcp.c
return -EFAULT;
diff -urNp linux-3.0.4/net/ipv4/tcp_ipv4.c linux-3.0.4/net/ipv4/tcp_ipv4.c
---- linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv4/tcp_ipv4.c 2011-08-23 21:48:14.000000000 -0400
@@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
int sysctl_tcp_low_latency __read_mostly;
@@ -68808,7 +68951,7 @@ diff -urNp linux-3.0.4/net/ipv6/raw.c linux-3.0.4/net/ipv6/raw.c
static int raw6_seq_show(struct seq_file *seq, void *v)
diff -urNp linux-3.0.4/net/ipv6/tcp_ipv6.c linux-3.0.4/net/ipv6/tcp_ipv6.c
---- linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv6/tcp_ipv6.c 2011-08-23 21:48:14.000000000 -0400
@@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
}
@@ -68910,7 +69053,7 @@ diff -urNp linux-3.0.4/net/ipv6/tcp_ipv6.c linux-3.0.4/net/ipv6/tcp_ipv6.c
static int tcp6_seq_show(struct seq_file *seq, void *v)
diff -urNp linux-3.0.4/net/ipv6/udp.c linux-3.0.4/net/ipv6/udp.c
---- linux-3.0.4/net/ipv6/udp.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/ipv6/udp.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/ipv6/udp.c 2011-08-23 21:48:14.000000000 -0400
@@ -50,6 +50,10 @@
#include <linux/seq_file.h>
@@ -69250,7 +69393,7 @@ diff -urNp linux-3.0.4/net/mac80211/ieee80211_i.h linux-3.0.4/net/mac80211/ieee8
/* number of interfaces with corresponding FIF_ flags */
int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
diff -urNp linux-3.0.4/net/mac80211/iface.c linux-3.0.4/net/mac80211/iface.c
---- linux-3.0.4/net/mac80211/iface.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/mac80211/iface.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/mac80211/iface.c 2011-08-23 21:47:56.000000000 -0400
@@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
break;
@@ -69319,7 +69462,7 @@ diff -urNp linux-3.0.4/net/mac80211/main.c linux-3.0.4/net/mac80211/main.c
/*
* Goal:
diff -urNp linux-3.0.4/net/mac80211/mlme.c linux-3.0.4/net/mac80211/mlme.c
---- linux-3.0.4/net/mac80211/mlme.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/mac80211/mlme.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/mac80211/mlme.c 2011-08-23 21:48:14.000000000 -0400
@@ -1444,6 +1444,8 @@ static bool ieee80211_assoc_success(stru
bool have_higher_than_11mbit = false;
@@ -69439,7 +69582,7 @@ diff -urNp linux-3.0.4/net/netfilter/ipvs/ip_vs_core.c linux-3.0.4/net/netfilter
if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
cp->protocol == IPPROTO_SCTP) {
diff -urNp linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c
---- linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/netfilter/ipvs/ip_vs_ctl.c 2011-08-23 21:48:14.000000000 -0400
@@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
ip_vs_rs_hash(ipvs, dest);
@@ -70287,7 +70430,7 @@ diff -urNp linux-3.0.4/net/sctp/socket.c linux-3.0.4/net/sctp/socket.c
to += addrlen;
cnt++;
diff -urNp linux-3.0.4/net/socket.c linux-3.0.4/net/socket.c
---- linux-3.0.4/net/socket.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/net/socket.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/net/socket.c 2011-08-23 21:48:14.000000000 -0400
@@ -88,6 +88,7 @@
#include <linux/nsproxy.h>
@@ -70894,10 +71037,10 @@ diff -urNp linux-3.0.4/scripts/basic/fixdep.c linux-3.0.4/scripts/basic/fixdep.c
fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
diff -urNp linux-3.0.4/scripts/gcc-plugin.sh linux-3.0.4/scripts/gcc-plugin.sh
--- linux-3.0.4/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/scripts/gcc-plugin.sh 2011-08-31 18:39:25.000000000 -0400
++++ linux-3.0.4/scripts/gcc-plugin.sh 2011-09-14 09:08:05.000000000 -0400
@@ -0,0 +1,2 @@
+#!/bin/sh
-+echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $* -x c -shared - -o /dev/null -I`$* -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
++echo "#include \"gcc-plugin.h\"\n#include \"rtl.h\"" | $1 -x c -shared - -o /dev/null -I`$2 -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
diff -urNp linux-3.0.4/scripts/Makefile.build linux-3.0.4/scripts/Makefile.build
--- linux-3.0.4/scripts/Makefile.build 2011-07-21 22:17:23.000000000 -0400
+++ linux-3.0.4/scripts/Makefile.build 2011-08-23 21:47:56.000000000 -0400
@@ -71142,7 +71285,7 @@ diff -urNp linux-3.0.4/scripts/pnmtologo.c linux-3.0.4/scripts/pnmtologo.c
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff -urNp linux-3.0.4/security/apparmor/lsm.c linux-3.0.4/security/apparmor/lsm.c
---- linux-3.0.4/security/apparmor/lsm.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/security/apparmor/lsm.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/security/apparmor/lsm.c 2011-08-23 21:48:14.000000000 -0400
@@ -621,7 +621,7 @@ static int apparmor_task_setrlimit(struc
return error;
@@ -72351,7 +72494,7 @@ diff -urNp linux-3.0.4/sound/pci/ymfpci/ymfpci_main.c linux-3.0.4/sound/pci/ymfp
chip->pci = pci;
chip->irq = -1;
diff -urNp linux-3.0.4/sound/soc/soc-core.c linux-3.0.4/sound/soc/soc-core.c
---- linux-3.0.4/sound/soc/soc-core.c 2011-08-23 21:44:40.000000000 -0400
+--- linux-3.0.4/sound/soc/soc-core.c 2011-09-02 18:11:21.000000000 -0400
+++ linux-3.0.4/sound/soc/soc-core.c 2011-08-23 21:47:56.000000000 -0400
@@ -1021,7 +1021,7 @@ static snd_pcm_uframes_t soc_pcm_pointer
}
@@ -72687,10 +72830,177 @@ diff -urNp linux-3.0.4/tools/gcc/constify_plugin.c linux-3.0.4/tools/gcc/constif
+
+ return 0;
+}
+diff -urNp linux-3.0.4/tools/gcc/kallocstat_plugin.c linux-3.0.4/tools/gcc/kallocstat_plugin.c
+--- linux-3.0.4/tools/gcc/kallocstat_plugin.c 1969-12-31 19:00:00.000000000 -0500
++++ linux-3.0.4/tools/gcc/kallocstat_plugin.c 2011-09-14 09:08:05.000000000 -0400
+@@ -0,0 +1,163 @@
++/*
++ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
++ * Licensed under the GPL v2
++ *
++ * Note: the choice of the license means that the compilation process is
++ * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
++ * but for the kernel it doesn't matter since it doesn't link against
++ * any of the gcc libraries
++ *
++ * gcc plugin to find the distribution of k*alloc sizes
++ *
++ * TODO:
++ *
++ * BUGS:
++ * - none known
++ */
++#include "gcc-plugin.h"
++#include "config.h"
++#include "system.h"
++#include "coretypes.h"
++#include "tree.h"
++#include "tree-pass.h"
++#include "intl.h"
++#include "plugin-version.h"
++#include "tm.h"
++#include "toplev.h"
++#include "basic-block.h"
++#include "gimple.h"
++//#include "expr.h" where are you...
++#include "diagnostic.h"
++#include "rtl.h"
++#include "emit-rtl.h"
++#include "function.h"
++
++int plugin_is_GPL_compatible;
++
++static const char * const kalloc_functions[] = {
++ "__kmalloc",
++ "kmalloc",
++ "kmalloc_large",
++ "kmalloc_node",
++ "kmalloc_order",
++ "kmalloc_order_trace",
++ "kmalloc_slab",
++ "kzalloc",
++ "kzalloc_node",
++};
++
++static struct plugin_info kallocstat_plugin_info = {
++ .version = "201109121100",
++};
++
++static unsigned int execute_kallocstat(void);
++
++static struct gimple_opt_pass kallocstat_pass = {
++ .pass = {
++ .type = GIMPLE_PASS,
++ .name = "kallocstat",
++ .gate = NULL,
++ .execute = execute_kallocstat,
++ .sub = NULL,
++ .next = NULL,
++ .static_pass_number = 0,
++ .tv_id = TV_NONE,
++ .properties_required = 0,
++ .properties_provided = 0,
++ .properties_destroyed = 0,
++ .todo_flags_start = 0,
++ .todo_flags_finish = 0
++ }
++};
++
++static bool is_kalloc(const char *fnname)
++{
++ size_t i;
++
++ for (i = 0; i < ARRAY_SIZE(kalloc_functions); i++)
++ if (!strcmp(fnname, kalloc_functions[i]))
++ return true;
++ return false;
++}
++
++static unsigned int execute_kallocstat(void)
++{
++ basic_block bb;
++ gimple_stmt_iterator gsi;
++
++ // 1. loop through BBs and GIMPLE statements
++ FOR_EACH_BB(bb) {
++ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
++ // gimple match:
++ tree fndecl, size;
++ gimple call_stmt;
++ const char *fnname;
++
++ // is it a call
++ call_stmt = gsi_stmt(gsi);
++ if (!is_gimple_call(call_stmt))
++ continue;
++ fndecl = gimple_call_fndecl(call_stmt);
++ if (fndecl == NULL_TREE)
++ continue;
++ if (TREE_CODE(fndecl) != FUNCTION_DECL)
++ continue;
++
++ // is it a call to k*alloc
++ fnname = IDENTIFIER_POINTER(DECL_NAME(fndecl));
++ if (!is_kalloc(fnname))
++ continue;
++
++ // is the size arg the result of a simple const assignment
++ size = gimple_call_arg(call_stmt, 0);
++ while (true) {
++ gimple def_stmt;
++ expanded_location xloc;
++ size_t size_val;
++
++ if (TREE_CODE(size) != SSA_NAME)
++ break;
++ def_stmt = SSA_NAME_DEF_STMT(size);
++ if (!def_stmt || !is_gimple_assign(def_stmt))
++ break;
++ if (gimple_num_ops(def_stmt) != 2)
++ break;
++ size = gimple_assign_rhs1(def_stmt);
++ if (!TREE_CONSTANT(size))
++ continue;
++ xloc = expand_location(gimple_location(def_stmt));
++ if (!xloc.file)
++ xloc = expand_location(DECL_SOURCE_LOCATION(current_function_decl));
++ size_val = TREE_INT_CST_LOW(size);
++ fprintf(stderr, "kallocsize: %8zu %8zx %s %s:%u\n", size_val, size_val, fnname, xloc.file, xloc.line);
++ break;
++ }
++//print_gimple_stmt(stderr, call_stmt, 0, TDF_LINENO);
++//debug_tree(gimple_call_fn(call_stmt));
++//print_node(stderr, "pax", fndecl, 4);
++ }
++ }
++
++ return 0;
++}
++
++int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
++{
++ const char * const plugin_name = plugin_info->base_name;
++ struct register_pass_info kallocstat_pass_info = {
++ .pass = &kallocstat_pass.pass,
++ .reference_pass_name = "ssa",
++ .ref_pass_instance_number = 0,
++ .pos_op = PASS_POS_INSERT_AFTER
++ };
++
++ if (!plugin_default_version_check(version, &gcc_version)) {
++ error(G_("incompatible gcc/plugin versions"));
++ return 1;
++ }
++
++ register_callback(plugin_name, PLUGIN_INFO, NULL, &kallocstat_plugin_info);
++ register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &kallocstat_pass_info);
++
++ return 0;
++}
diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile
--- linux-3.0.4/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/tools/gcc/Makefile 2011-08-23 21:47:56.000000000 -0400
-@@ -0,0 +1,12 @@
++++ linux-3.0.4/tools/gcc/Makefile 2011-09-14 09:08:05.000000000 -0400
+@@ -0,0 +1,13 @@
+#CC := gcc
+#PLUGIN_SOURCE_FILES := pax_plugin.c
+#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
@@ -72699,14 +73009,15 @@ diff -urNp linux-3.0.4/tools/gcc/Makefile linux-3.0.4/tools/gcc/Makefile
+
+HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
+
-+hostlibs-y := stackleak_plugin.so constify_plugin.so
++hostlibs-y := stackleak_plugin.so constify_plugin.so kallocstat_plugin.so
+always := $(hostlibs-y)
+stackleak_plugin-objs := stackleak_plugin.o
+constify_plugin-objs := constify_plugin.o
++kallocstat_plugin-objs := kallocstat_plugin.o
diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackleak_plugin.c
--- linux-3.0.4/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
-+++ linux-3.0.4/tools/gcc/stackleak_plugin.c 2011-08-23 21:47:56.000000000 -0400
-@@ -0,0 +1,243 @@
++++ linux-3.0.4/tools/gcc/stackleak_plugin.c 2011-09-14 09:08:05.000000000 -0400
+@@ -0,0 +1,249 @@
+/*
+ * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
+ * Licensed under the GPL v2
@@ -72724,7 +73035,7 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl
+ * - initialize all local variables
+ *
+ * BUGS:
-+ * - cloned functions are instrumented twice
++ * - none known
+ */
+#include "gcc-plugin.h"
+#include "config.h"
@@ -72751,7 +73062,7 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl
+static bool init_locals;
+
+static struct plugin_info stackleak_plugin_info = {
-+ .version = "201106030000",
++ .version = "201109112100",
+ .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
+// "initialize-locals\t\tforcibly initialize all stack frames\n"
+};
@@ -72804,13 +73115,13 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl
+static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
+{
+ gimple call;
-+ tree decl, type;
++ tree fndecl, type;
+
+ // insert call to void pax_track_stack(void)
+ type = build_function_type_list(void_type_node, NULL_TREE);
-+ decl = build_fn_decl(track_function, type);
-+ DECL_ASSEMBLER_NAME(decl); // for LTO
-+ call = gimple_build_call(decl, 0);
++ fndecl = build_fn_decl(track_function, type);
++ DECL_ASSEMBLER_NAME(fndecl); // for LTO
++ call = gimple_build_call(fndecl, 0);
+ if (before)
+ gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
+ else
@@ -72819,40 +73130,46 @@ diff -urNp linux-3.0.4/tools/gcc/stackleak_plugin.c linux-3.0.4/tools/gcc/stackl
+
+static unsigned int execute_stackleak_tree_instrument(void)
+{
-+ basic_block bb;
++ basic_block bb, entry_bb;
+ gimple_stmt_iterator gsi;
++ bool prologue_instrumented = false;
++
++ entry_bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
+
+ // 1. loop through BBs and GIMPLE statements
+ FOR_EACH_BB(bb) {
+ for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
+ // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
-+ tree decl;
++ tree fndecl;
+ gimple stmt = gsi_stmt(gsi);
+
+ if (!is_gimple_call(stmt))
+ continue;
-+ decl = gimple_call_fndecl(stmt);
-+ if (!decl)
++ fndecl = gimple_call_fndecl(stmt);
++ if (!fndecl)
+ continue;
-+ if (TREE_CODE(decl) != FUNCTION_DECL)
++ if (TREE_CODE(fndecl) != FUNCTION_DECL)
+ continue;
-+ if (!DECL_BUILT_IN(decl))
++ if (!DECL_BUILT_IN(fndecl))
+ continue;
-+ if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
++ if (DECL_BUILT_IN_CLASS(fndecl) != BUILT_IN_NORMAL)
+ continue;
-+ if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
++ if (DECL_FUNCTION_CODE(fndecl) != BUILT_IN_ALLOCA)
+ continue;
+
+ // 2. insert track call after each __builtin_alloca call
+ stackleak_add_instrumentation(&gsi, false);
-+// print_node(stderr, "pax", decl, 4);
++ if (bb == entry_bb)
++ prologue_instrumented = true;
++// print_node(stderr, "pax", fndecl, 4);
+ }
+ }
+
+ // 3. insert track call at the beginning
-+ bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
-+ gsi = gsi_start_bb(bb);
-+ stackleak_add_instrumentation(&gsi, true);
++ if (!prologue_instrumented) {
++ gsi = gsi_start_bb(entry_bb);
++ stackleak_add_instrumentation(&gsi, true);
++ }
+
+ return 0;
+}
diff --git a/3.0.4/4423_grsec-remove-protected-paths.patch b/3.0.4/4423_grsec-remove-protected-paths.patch
index da4c861..abd9b99 100644
--- a/3.0.4/4423_grsec-remove-protected-paths.patch
+++ b/3.0.4/4423_grsec-remove-protected-paths.patch
@@ -1,20 +1,18 @@
-From: Anthony G. Basile <basile@opensource.dyc.edu>
+From: Anthony G. Basile <blueness@gentoo.org>
-We don't want to allow GRSEC's Makefile to change permissions on
-paths in the filesystem.
+We don't want GRSEC's Makefile to change permissions on paths in
+the filesystem.
---- a/grsecurity/Makefile 2010-05-21 06:52:24.000000000 -0400
-+++ b/grsecurity/Makefile 2010-05-21 06:54:54.000000000 -0400
-@@ -27,8 +27,8 @@
+diff -Naur a/grsecurity/Makefile b/grsecurity/Makefile
+--- a/grsecurity/Makefile 2011-09-15 13:36:25.000000000 -0400
++++ b/grsecurity/Makefile 2011-09-15 13:44:58.000000000 -0400
+@@ -27,9 +27,4 @@
ifdef CONFIG_GRKERNSEC_HIDESYM
extra-y := grsec_hidesym.o
$(obj)/grsec_hidesym.o:
- @-chmod -f 500 /boot
- @-chmod -f 500 /lib/modules
+- @-chmod -f 500 /lib64/modules
- @-chmod -f 700 .
- @echo ' grsec: protected kernel image paths'
-+ # @-chmod -f 500 /boot
-+ # @-chmod -f 500 /lib/modules
-+ # @-chmod -f 700 .
-+ # @echo ' grsec: protected kernel image paths'
endif