File: grsecurity-1.9.4-2.4.18.patch

package info (click to toggle)
kernel-patch-2.4-grsecurity 1.9.15-2
links: PTS
area: main
in suites: sarge
size: 4,372 kB
sloc: makefile: 35; sh: 4
file content (10988 lines) | stat: -rw-r--r-- 345,262 bytes
diff -Nru kernel-source-2.4.18/Documentation/Configure.help kernel-source-2.4.18.fixed/Documentation/Configure.help
--- kernel-source-2.4.18/Documentation/Configure.help	2002-02-27 11:12:19.000000000 +0100
+++ kernel-source-2.4.18.fixed/Documentation/Configure.help	2003-09-21 12:22:59.000000000 +0200
@@ -2404,6 +2404,20 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+stealth networking support
+CONFIG_IP_NF_MATCH_STEALTH
+  Enabling this option will drop all syn packets coming to unserved tcp
+  ports as well as all packets coming to unserved udp ports.  If you
+  are using your system to route any type of packets (ie. via NAT)
+  you should put this module at the end of your ruleset, since it will 
+  drop packets that aren't going to ports that are listening on your 
+  machine itself, it doesn't take into account that the packet might be 
+  destined for someone on your internal network if you're using NAT for 
+  instance.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 MAC address match support
 CONFIG_IP_NF_MATCH_MAC
   MAC matching allows you to match packets based on the source
@@ -19916,6 +19930,828 @@
 
   "Area6" will work for most boards. For ADX, select "Area5".
 
+Grsecurity
+CONFIG_GRKERNSEC
+  If you say Y here, you will be able to configure many features that
+  will enhance the security of your system.  It is highly recommended
+  that you say Y here and read through the help for each option so
+  you fully understand what it's doing and can evaluate its usefulness
+  for your machine.
+
+Additional security levels
+CONFIG_GRKERNSEC_LOW
+
+  Low additional security
+  -----------------------------------------------------------------------
+  If you choose this option, several of the grsecurity options will
+  be enabled that will give you greater protection against a number
+  of attacks, while assuring that none of your software will have any 
+  conflicts with the additional security measures.  If you run a lot of 
+  unusual software, or you are having problems with the higher security 
+  levels, you should say Y here.  With this option, the following features
+  are enabled:
+  
+  linking restrictions
+  fifo restrictions
+  secure fds
+  random pids
+  enforcing nproc on execve()
+  restricted dmesg
+  random ip ids
+  enforced chdir("/") on chroot
+  secure keymap loading
+
+  Medium additional security
+  -----------------------------------------------------------------------
+  If you say Y here, several features in addition to those included in the 
+  low additional security level will be enabled.  These features provide
+  even more security to your system, though in rare cases they may
+  be incompatible with very old or poorly written software.  If you 
+  enable this option, make sure that your auth service (identd) is 
+  running as gid 10 (usually group wheel). With this option the following 
+  features (in addition to those provided in the low additional security 
+  level) will be enabled:
+
+  random tcp source ports
+  altered ping ids
+  failed fork logging
+  time change logging
+  signal logging
+  deny mounts in chroot
+  deny double chrooting
+  deny mknod in chroot
+  /proc restrictions with special gid set to 10 (usually wheel)
+  pax's random mmap
+
+  High additional security
+  ----------------------------------------------------------------------
+  If you say Y here, many of the features of grsecurity will be enabled,
+  that will protect you against virtually all kinds of attacks against
+  your system.  The much hightened security comes at a cost of an 
+  increased chance of incompatabilities with rare software on your 
+  machine.  It is highly recommended that you view 
+  <http://grsecurity.net/features.htm> and read about each option.  Since 
+  this security level enabled PaX, you should also view 
+  <http://pageexec.virtualave.net> and read about the PaX project.  While 
+  you are there, download chpax.c and run chpax -p on binaries that cause 
+  problems with PaX.  Also remember that since the /proc restrictions are 
+  enabled, you must run your identd as group wheel (gid 10).  The 
+  grsecurity ACL system is also enabled in this level.  To learn how to 
+  correctly configure it, view the ACL documentation on 
+  <http://grsecurity.net>.  This security level enables the following 
+  features in addition to those listed in the low and medium security 
+  levels:
+
+  grsecurity ACL system
+  additional /proc restrictions
+  signal restrictions in chroot
+  chmod restrictions in chroot
+  no ptrace in chroot
+  priority restrictions in chroot
+  PaX - random mmap, noexec on all memory pages, restricted mprotect
+  fixed mmap restrictions
+  mount/unmount/remount logging
+  restricted ptrace (only root and users in group wheel (gid 10) are 
+  allowed to ptrace)
+
+Customized additional security
+CONFIG_GRKERNSEC_CUSTOM
+  If you say Y here, you will be able to configure every grsecurity 
+  option, which allows you to enable many more features that aren't 
+  covered in the basic security levels.  These additional features include 
+  TPE, socket restrictions, and the sysctl system for grsecurity.  It is 
+  advised that you read through the help for each option to determine its 
+  usefulness in your situation.
+
+OpenWall Non-executable Stack
+CONFIG_GRKERNSEC_STACK
+  If you say Y here, your system will not allow execution of
+  code on the stack, making buffer overflow exploitation more difficult.
+  The code for this protection is taken from the Openwall patch for
+  linux 2.2 by Solar Designer. You can view his projects at 
+  <http://www.openwall.com/linux>.
+  Exploits against your machine with this protection will have to dabble 
+  in more obscure methods of exploitation(bss,got,heap..)
+
+Gcc trampoline support
+CONFIG_GRKERNSEC_STACK_GCC
+  If you say Y here, the system will support trampoline code along
+  with the stack protection.  If you do not have any programs on
+  your system that require this (glibc 2.0 users must say YES to
+  this option) you may say no here.
+
+PaX protection
+CONFIG_GRKERNSEC_PAX 
+  By design the IA-32 architecture does not allow for protecting
+  memory pages against execution, i.e. if a page is readable (such
+  as the stack or heap) it is also executable.  There is a well
+  known exploit technique that makes use of this fact and a common
+  programming mistake where an attacker can introduce executable
+  code of his choice somewhere in the attacked program's memory
+  (typically the stack or the heap) and then execute it.  If the
+  attacked program was running with different (typically higher)
+  privileges than that of the attacker, then he can elevate his
+  own privilege level (e.g. get a root shell, write to files for
+  which he does not have write access to, etc).
+
+  Since the implementation is software based, it comes with a
+  performance impact, you should evaluate your system carefully
+  before deciding to use this feature on production systems.
+
+  Enabling this feature will enforce the non-executable flag on
+  memory pages thereby making it harder to execute 'foreign' code
+  in a program.  This will also break programs that rely on the
+  old behaviour and expect that dynamically allocated memory via
+  the malloc() family of functions is executable (which it is not).
+  Notable examples are the XFree86 4.x server, the java runtime
+  and wine.
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis.  chpax is available at
+  <http://pageexec.virtualave.net>
+
+Emulate trampolines
+CONFIG_GRKERNSEC_PAX_EMUTRAMP
+  There are some programs and libraries that for one reason or
+  another attempt to execute special small code snippets from
+  non-executable memory pages.  Most notable examples are the
+  signal handler return code generated by the kernel itself and
+  the GCC trampolines.
+
+  If you enabled CONFIG_GRKERNSEC_PAX then such programs will no
+  longer work under your kernel.  As a remedy you can say Y here
+  and use the 'chpax' utility to enable trampoline emulation for
+  the affected programs yet still have the protection provided by
+  CONFIG_GRKERNSEC_PAX.  Alternatively you can say N here and use
+  the 'chpax' utility to disable CONFIG_GRKERNSEC_PAX for the
+  affected files.  chpax is available at 
+  <http://pageexec.virtualave.net>
+
+  NOTE: enabling this feature *may* open up a loophole in the
+  protection provided by CONFIG_GRKERNSEC_PAX that an attacker
+  could abuse.  Therefore the best solution is to not have any
+  files on your system that would require this option.  This can
+  be achieved by not using libc5 (which relies on the kernel
+  signal handler return code) and not using or rewriting programs
+  that make use of the nested function implementation of GCC.
+  Skilled users can just fix GCC itself so that it implements
+  nested function calls in a way that does not interfere with PaX.
+
+Restrict mprotect()
+CONFIG_GRKERNSEC_PAX_MPROTECT
+  Enabling this option will prevent programs from changing the
+  executable status of memory pages that were not originally
+  created as executable.  The kernel will also prevent programs
+  from making read-only executable pages writable again.
+
+  You should say Y here to complete the protection provided by
+  the enforcement of the PAGE_EXEC flag (CONFIG_GRKERNSEC_PAX).
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis. chpax is available at
+  <http://pageexec.virtualave.net>
+
+Randomize mmap() base
+CONFIG_GRKERNSEC_PAX_RANDMMAP
+  By saying Y here the kernel will somewhat randomize the address
+  space layout of programs at each execution (the top of the stack, the
+  base address for mmap() requests that do not specify one themselves
+  and the base address of dynamic ELF executables).
+
+  As a result all dynamically loaded libraries will appear at random
+  addresses and therefore be harder to exploit by a technique where
+  an attacker attempts to execute library code for his purposes
+  (e.g. spawn a shell from an exploited program that is running at
+  an elevated privilege level).
+
+  Furthermore, if a program is relinked as a dynamic ELF file, its
+  base address layout will be randomized as well, completing the full
+  randomization of the address space.  Attacking such programs becomes
+  a guess game.
+
+  It is strongly recommended to say Y here even if CONFIG_GRKERNSEC_PAX
+  is not enabled as address space layout randomization has negligible 
+  impact on performance yet it provides a very effective protection.
+
+  NOTE: you can use the 'chpax' utility to enable/disable this
+  feature on a per file basis.  chpax is available at
+  <http://pageexec.virtualave.net>
+
+Read-only kernel memory
+CONFIG_GRKERNSEC_KMEM
+  If you say Y here, root will not be able to modify the contents of
+  kernel memory.  If module support is removed in addition to enabling 
+  this option, the ability of an attacker to insert foreign code into 
+  a running kernel is removed.
+
+Fixed mmap restrictions
+CONFIG_GRKERNSEC_MMAPFIXED
+  If you say Y here, it will be impossible for an attacker to bypass the
+  PaX buffer overflow protection by mmaping an executable memory region
+  with a specific address set.
+
+Proc Restrictions
+CONFIG_GRKERNSEC_PROC
+  If you say Y here, the permissions of the /proc filesystem
+  will be altered to enhance system security and privacy.  Depending
+  upon the options you choose, you can either restrict users to see
+  only the processes they themselves run, or choose a group that can
+  view all processes and files normally restricted to root if you choose
+  the "restrict to user only" option.  NOTE: If you're running identd as 
+  a non-root user, you will have to run it as the group you specify here.
+
+Restrict /proc to user only
+CONFIG_GRKERNSEC_PROC_USER
+  If you say Y here, non-root users will only be able to view their own 
+  processes, and restricts them from viewing network-related information,  
+  and viewing kernel symbol and module information.
+
+Restrict /proc to user and group
+CONFIG_GRKERNSEC_PROC_USERGROUP
+  If you say Y here, you will be able to select a group that will be
+  able to view all processes, network-related information, and
+  kernel and symbol information.  This option is useful if you want
+  to run identd as a non-root user.
+
+Additional proc restrictions
+CONFIG_GRKERNSEC_PROC_ADD
+  If you say Y here, additional restrictions will be placed on
+  /proc that keep normal users from viewing cpu and device information.
+
+Dmesg(8) Restriction
+CONFIG_GRKERNSEC_DMESG
+  If you say Y here, non-root users will not be able to use dmesg(8)
+  to view up to the last 4kb of messages in the kernel's log buffer.
+  If the sysctl option is enabled, a sysctl option with name "dmesg" is 
+  created.
+
+Linking restrictions
+CONFIG_GRKERNSEC_LINK
+  If you say Y here, /tmp race exploits will be prevented, since users
+  will no longer be able to follow symlinks owned by other users in 
+  world-writeable +t directories (i.e. /tmp), unless the owner of the 
+  symlink is the owner of the directory. users will also not be
+  able to hardlink to files they do not own.  If the sysctl option is
+  enabled, a sysctl option with name "linking_restrictions" is created.
+
+FIFO restrictions
+CONFIG_GRKERNSEC_FIFO
+  If you say Y here, users will not be able to write to FIFOs they don't
+  own in world-writeable +t directories (i.e. /tmp), unless the owner of
+  the FIFO is the same owner of the directory it's held in.  If the sysctl
+  option is enabled, a sysctl option with name "fifo_restrictions" is 
+  created.
+
+Secure file descriptors
+CONFIG_GRKERNSEC_FD
+  If you say Y here, binaries will be protected from data spoofing
+  attacks (eg. making a program read /etc/shadow).  The patches do this
+  by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
+  for binaries that are open.  If the sysctl option is enabled, a sysctl 
+  option with name "secure_fds" is created.
+
+Exec process limiting
+CONFIG_GRKERNSEC_EXECVE
+  If you say Y here, users with a resource limit on processes will
+  have the value checked during execve() calls.  The current system
+  only checks the system limit during fork() calls.  If the sysctl option
+  is enabled, a sysctl option with name "execve_limiting" is created.
+
+Fork-bombing protection
+CONFIG_GRKERNSEC_FORKBOMB
+  If you say Y here, you will be able to configure a group to add to users
+  on your system that you want to be unable to fork-bomb the system.
+  You will be able to specify a maximum process limit for the user and
+  set a rate limit for all forks under their uid. (Fork-bombing is a
+  tactic used by attackers that can be enacted in two ways, (1) loading
+  up thousands of processes until the system can't take any more (this
+  method can be stopped outside of the kernel with PAM, however we place
+  protection for it in the kernel to be more complete and reduce overhead),
+  and (2), by forking processes at a rapid rate, and then killing them
+  off, which cannot be protected against in the same way at tactic 1)
+  The rate limit is specified in forks allowed per second.  Set this
+  limit low enough to stop tactic 2, but high enough to allow for
+  normal operation.  The protection will kill the offending process.
+  If the sysctl option is enabled, a sysctl option with name 
+  "fork_bomb_prot" is created.
+
+Max processes for fork-bomb protection
+CONFIG_GRKERNSEC_FORKBOMB_MAX
+  Here you can configure the maximum number of processes users in the
+  fork-bomb protected group can run.  I would not recommend setting a
+  value lower than 8, since some programs like man(1) spawn up to 8
+  processes to run.  The default value should be fine for most purposes.
+  If the sysctl option is enabled, a sysctl option with name
+  "fork_bomb_max" is created.
+
+Forks allowed per second
+CONFIG_GRKERNSEC_FORKBOMB_SEC
+  Here you can specify the maximum number of forks allowed per second.
+  You don't want to set this value too low, or else you'll hinder
+  normal operation of your system.  The default value should be fine for
+  most users.  If the sysctl option is enabled, a sysctl option with name
+  "fork_bomb_sec" is created.
+
+Group for fork-bomb protection
+CONFIG_GRKERNSEC_FORKBOMB_GID
+  Here you can choose the GID to enable fork-bomb protection for.
+  Remember to add the users you want protection enabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "fork_bomb_gid" is created.
+
+Single group for auditing
+CONFIG_GRKERNSEC_AUDIT_GROUP
+  If you say Y here, the exec, chdir, (un)mount, and ipc logging features
+  will only operate on a group you specify.  This option is recommended
+  if you only want to watch certain users instead of having a large
+  amount of logs from the entire system.  If the sysctl option is enabled,
+  a sysctl option with name "audit_group" is created.
+
+GID for auditing
+CONFIG_GRKERNSEC_AUDIT_GID
+  Here you can choose the GID that will be the target of kernel auditing.
+  Remember to add the users you want to log to the GID specified here.
+  If the sysctl option is enabled, whatever you choose here won't matter. 
+  You'll have to specify the GID in your bootup script by echoing the GID 
+  to the proper /proc entry.  View the help on the sysctl option for more 
+  information.  If the sysctl option is enabled, a sysctl option with name 
+  "audit_gid" is created.
+
+Chdir logging
+CONFIG_GRKERNSEC_AUDIT_CHDIR
+  If you say Y here, all chdir() calls will be logged.  If the sysctl 
+  option is enabled, a sysctl option with name "audit_chdir" is created.
+
+(Un)Mount logging
+CONFIG_GRKERNSEC_AUDIT_MOUNT
+  If you say Y here, all mounts and unmounts will be logged.  If the 
+  sysctl option is enabled, a sysctl option with name "audit_mount" is 
+  created.
+
+IPC logging
+CONFIG_GRKERNSEC_AUDIT_IPC
+  If you say Y here, creation and removal of message queues, semaphores,
+  and shared memory will be logged.  If the sysctl option is enabled, a
+  sysctl option with name "audit_ipc" is created.
+
+Exec logging
+CONFIG_GRKERNSEC_EXECLOG
+  If you say Y here, all execve() calls will be logged (since the
+  other exec*() calls are frontends to execve(), all execution
+  will be logged).  Useful for shell-servers that like to keep track
+  of their users.  If the sysctl option is enabled, a sysctl option with
+  name "exec_logging" is created.
+  WARNING: This option when enabled will produce a LOT of logs, especially
+  on an active system.
+
+Set*id logging
+CONFIG_GRKERNSEC_SUID
+  If you say Y here, all set*id() calls will be logged.  Such information
+  could be useful when detecting a possible intrusion attempt.  This 
+  option can produce a lot of logs on an active system.  If the sysctl
+  option is enabled, a sysctl option with name "suid_logging" is created.
+
+Log set*ids to root
+CONFIG_GRKERNSEC_SUID_ROOT
+  If you say Y here, only set*id() calls where a user is changing to the
+  gid or uid of the root user will be logged.  Such information
+  could be useful when detecting a possible intrusion attempt.  This
+  option will produce less logs than logging all calls.  If the sysctl
+  option is enabled, a sysctl option with name "suid_root_logging" is
+  created.
+
+Altered default IPC permissions
+CONFIG_GRKERNSEC_IPC
+  If you say Y here, the default permissions for IPC objects will be
+  set based on the filesystem umask of the user creating the object.
+  By default linux sets the permissions to ugo+rwx, which can be
+  a security problem if the application doesn't explicitly set the
+  permissions of the IPC object.  Since this change affects programs
+  using IPC, it might break some programs that are expecting the
+  default permission behavior.  It is known to break Apache 1.3.22.
+
+Signal logging
+CONFIG_GRKERNSEC_SIGNAL
+  If you say Y here, certain important signals will be logged, such as
+  SIGSEGV, which will as a result inform you of when a error in a program
+  occurred, which in some cases could mean a possible exploit attempt.
+  If the sysctl option is enabled, a sysctl option with name 
+  "signal_logging" is created.
+
+BSD-style coredumps
+CONFIG_GRKERNSEC_COREDUMP
+  If you say Y here, linux will use a style similar to BSD for
+  coredumps, core.processname.  Not a security feature, just
+  a useful one.  If the sysctl option is enabled, a sysctl option with 
+  name "coredump" is created.
+
+Fork failure logging
+CONFIG_GRKERNSEC_FORKFAIL
+  If you say Y here, all failed fork() attempts will be logged.
+  This could suggest a fork bomb, or someone attempting to overstep
+  their process limit.  If the sysctl option is enabled, a sysctl option
+  with name "forkfail_logging" is created.
+
+Time change logging
+CONFIG_GRKERNSEC_TIME
+  If you say Y here, any changes of the system clock will be logged.
+  If the sysctl option is enabled, a sysctl option with name 
+  "timechange_logging" is created.
+
+Secure keymap loading
+CONFIG_GRKERNSEC_KBMAP
+  If you say Y here, KDSKBENT and KDSKBSENT ioctl calls being
+  called by unprivileged users will be denied. If you answer N,
+  everyone with access to the console will be able to modify keyboard 
+  bindings.  If the sysctl option is enabled, a sysctl option with name
+  "secure_kbmap" is created.
+
+Chroot jail restrictions
+CONFIG_GRKERNSEC_CHROOT
+  If you say Y here, you will be able to choose several options that will
+  make breaking out of a chrooted jail much more difficult.  If you
+  encounter no software incompatibilities with the following options, it
+  is recommended that you enable each one.
+
+Restricted signals in chroot
+CONFIG_GRKERNSEC_CHROOT_SIG
+  If you say Y here, processes inside a chroot will not be able to send
+  signals outside of the chroot.  The only signals allowed are null 
+  signals which perform no action, and the parent process sending 
+  a certain signal to its child.  If the sysctl option is enabled, a
+  sysctl option with name "chroot_restrict_sigs" is created.
+
+Deny mounts in chroot
+CONFIG_GRKERNSEC_CHROOT_MOUNT
+  If you say Y here, processes inside a chroot will not be able to
+  mount or remount filesystems.  If the sysctl option is enabled, a 
+  sysctl option with name "chroot_deny_mount" is created.
+
+Deny double-chroots
+CONFIG_GRKERNSEC_CHROOT_DOUBLE
+  If you say Y here, processes inside a chroot will not be able to chroot
+  again.  This is a widely used method of breaking out of a chroot jail
+  and should not be allowed.  If the sysctl option is enabled, a sysctl
+  option with name "chroot_deny_chroot" is created.
+
+Enforce chdir("/") on all chroots
+CONFIG_GRKERNSEC_CHROOT_CHDIR
+  If you say Y here, the current working directory of all newly-chrooted
+  applications will be set to the the root directory of the chroot.
+  The man page on chroot(2) states:
+  Note that this call does not change  the  current  working
+  directory,  so  that `.' can be outside the tree rooted at
+  `/'.  In particular, the  super-user  can  escape  from  a
+  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.  
+
+  It is recommended that you say Y here, since it's not known to break
+  any software.  If the sysctl option is enabled, a sysctl option with
+  name "chroot_enforce_chdir" is created.
+
+Deny (f)chmod +s in chroot
+CONFIG_GRKERNSEC_CHROOT_CHMOD
+  If you say Y here, processes inside a chroot will not be able to chmod
+  or fchmod files to make them have suid or sgid bits.  This protects 
+  against another published method of breaking a chroot.  If the sysctl 
+  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+  created.
+
+Deny mknod in chroot
+CONFIG_GRKERNSEC_CHROOT_MKNOD
+  If you say Y here, processes inside a chroot will not be allowed to
+  mknod.  The problem with using mknod inside a chroot is that it
+  would allow an attacker to create a device entry that is the same
+  as one on the physical root of your system, which could range from
+  anyhing from the console device to a device for your harddrive (which
+  they could then use to wipe the drive or steal data).  It is recommended
+  that you say Y here, unless you run into software incompatibilities.
+  If the sysctl option is enabled, a sysctl option with name
+  "chroot_deny_mknod" is created.
+
+Deny ptraces in chroot
+CONFIG_GRKERNSEC_CHROOT_PTRACE
+  If you say Y here, processes inside a chroot will not be able to ptrace
+  other processes.  Ptracing a process allows one to attach and alter the
+  flow of execution for the process.  It is strongly recommended that you
+  say Y here.  If the sysctl option is enabled, a sysctl option with name
+  "chroot_deny_ptrace" is created.
+
+Restrict priority changes in chroot
+CONFIG_GRKERNSEC_CHROOT_NICE
+  If you say Y here, processes inside a chroot will not be able to raise
+  the priority of processes in the chroot, or alter the priority of 
+  processes outside the chroot.  This provides more security than simply
+  removing CAP_SYS_NICE from the process' capability set.  If the
+  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+  is created.
+
+Log all execs within chroot
+CONFIG_GRKERNSEC_CHROOT_EXECLOG
+  If you say Y here, all executions inside a chroot jail will be logged 
+  to syslog.  If the sysctl option is enabled, a sysctl option with name
+  "chroot_execlog" is created.
+
+Chroot jail capability restrictions
+CONFIG_GRKERNSEC_CHROOT_CAPS
+  If you say Y here, the capabilities on all root processes within a
+  chroot jail will be lowered to stop module insertion, raw i/o,
+  system and net admin tasks, rebooting the system, modifying immutable 
+  files, and changing the system time.  This is left an option because it 
+  can break some apps.  Disable this if your chrooted apps are having
+  problems performing those kinds of tasks.  If the sysctl option is 
+  enabled, a sysctl option with name "chroot_caps" is created.
+
+Trusted path execution
+CONFIG_GRKERNSEC_TPE
+  If you say Y here, you will be able to choose a gid to add to the
+  supplementary groups of users you want to mark as "untrusted."
+  These users will not be able to execute any files that are not in
+  root-owned directories writeable only by root.  If the sysctl option
+  is enabled, a sysctl option with name "tpe" is created.
+
+Group for trusted path execution
+CONFIG_GRKERNSEC_TPE_GID
+  Here you can choose the GID to enable trusted path protection for.
+  Remember to add the users you want protection enabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "tpe_gid" is created.
+
+Partially restrict non-root users
+CONFIG_GRKERNSEC_TPE_ALL
+  If you say Y here, All non-root users other than the ones in the 
+  group specified in the main TPE option will only be allowed to
+  execute files in directories they own that are not group or
+  world-writeable, or in directories owned by root and writeable only by
+  root.  If the sysctl option is enabled, a sysctl option with name 
+  "tpe_restrict_all" is created.
+
+Trusted path execution glibc protection
+CONFIG_GRKERNSEC_TPE_GLIBC
+  If you say Y here, all non-root users executing any files while 
+  glibc specific environment variables such as LD_PRELOAD are set, 
+  will have their environment cleared of these variables, since they 
+  could be used to evade the trusted path execution protection.  It also 
+  protects against evasion through executing the dynamic linker to run a 
+  rogue binary.  It is recommended you say Y here also. If the sysctl 
+  option is enabled, a sysctl option with name "tpe_glibc" is created.
+
+Ptrace logging
+CONFIG_GRKERNSEC_AUDIT_PTRACE
+  If you say Y here, all successful ptraces will be logged.  Ptraces are 
+  special operations performed when programs like strace or gdb are run.  
+  They have also been the focus of some kernel vulnerabilities.  If the 
+  sysctl option is enabled, a sysctl option with name "audit_ptrace" is 
+  created.
+
+Restricted ptrace
+CONFIG_GRKERNSEC_PTRACE
+  If you say Y here, no one but root will be able to ptrace processes.
+  Tracing syscalls inside the kernel will also be disabled.  If the 
+  sysctl option is enabled, a sysctl option with name "restrict_ptrace" 
+  is created.
+
+Allow ptrace for group
+CONFIG_GRKERNSEC_PTRACE_GROUP
+  If you say Y here, you will be able to choose a GID of whose users
+  will be able to ptrace.  If the sysctl option is enabled, a sysctl 
+  option with name "allow_ptrace_group" is created.
+
+GID for ptrace
+CONFIG_GRKERNSEC_PTRACE_GID
+  Here you can choose the GID of whose users will be able to ptrace.
+  Remember to add the users you want ptrace enabled for to the GID
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "ptrace_gid" is created.
+
+Randomized PIDs
+CONFIG_GRKERNSEC_RANDPID
+  If you say Y here, all PIDs created on the system will be
+  pseudo-randomly generated.  This is extremely effective along
+  with the /proc restrictions to disallow an attacker from guessing
+  pids of daemons, etc.  PIDs are also used in some cases as part
+  of a naming system for temporary files, so this option would keep
+  those filenames from being predicted as well.  We also use code
+  to make sure that PID numbers aren't reused too soon.  If the sysctl
+  option is enabled, a sysctl option with name "rand_pids" is created.
+
+Limit uid/gid changes to root
+CONFIG_GRKERNSEC_TTYROOT
+  If you say Y here, you will be able choose from three option that
+  will allow you to restrict access to the root account by console
+  type.  These options should only be enabled if you are sure of what
+  you're doing.  Also note that they only apply to processes that have
+  ttys, which generally involves some kind of user-interaction.  The
+  options are basically in place to keep users on a system who have a
+  (stolen) password for root from using it unless their console
+  credentials match.
+
+Deny physical consoles (tty)
+CONFIG_GRKERNSEC_TTYROOT_PHYS
+  If you say Y here, access to root from physical consoles will be
+  denied. This is only recommended for rare cases where you will
+  never need to be physically at the machine.  If the sysctl option
+  is enabled, a sysctl option with name "deny_phys_root" is created.
+
+Deny serial consoles (ttyS)
+CONFIG_GRKERNSEC_TTYROOT_SERIAL
+  If you say Y here, access to root from serial consoles will be
+  denied. Most people can say Y here, since most don't use serial
+  devices for their console access.  If you are unsure, say N.  If
+  the sysctl option is enabled, a sysctl option with name 
+  "deny_serial_root" is created.
+
+Deny pseudo consoles (pty)
+CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+  If you say Y here, access to root from pseudo consoles will be
+  denied. Pseudo consoles include consoles from telnet, ssh, or any other
+  kind of interactive shell initiated from the network.  Pseudo consoles
+  also include any terminals you use in XFree86.  If you will only be
+  accessing the machine for root access from the physical console, you
+  can say Y here.  Only say Y here if you're sure of what you're doing.
+  If the sysctl option is enabled, a sysctl option with name 
+  "deny_pseudo_root" is created.
+
+Randomized IP IDs
+CONFIG_GRKERNSEC_RANDID
+  If you say Y here, all the id field on all outgoing packets
+  will be randomized.  This hinders os fingerprinters and
+  keeps your machine from being used as a bounce for an untraceable
+  portscan.  Ids are used for fragmented packets, fragments belonging
+  to the same packet have the same id.  By default linux only
+  increments the id value on each packet sent to an individual host.
+  We use a port of the OpenBSD random ip id code to achieve the
+  randomness, while keeping the possibility of id duplicates to
+  near none.  If the sysctl option is enabled, a sysctl option with name
+  "rand_ip_ids" is created.
+
+Randomized TCP source ports
+CONFIG_GRKERNSEC_RANDSRC
+  If you say Y here, situations where a source port is generated on the
+  fly for the TCP protocol (ie. with connect() ) will be altered so that
+  the source port is generated at random, instead of a simple incrementing
+  algorithm.  If the sysctl option is enabled, a sysctl option with name
+  "rand_tcp_src_ports" is created.
+
+Randomized RPC XIDs
+CONFIG_GRKERNSEC_RANDRPC
+  If you say Y here, the method of determining XIDs for RPC requests will
+  be randomized, instead of using linux's default behavior of simply
+  incrementing the XID.  If you want your RPC connections to be more
+  secure, say Y here.  If the sysctl option is enabled, a sysctl option 
+  with name "rand_rpc" is created.
+
+Altered Ping IDs
+CONFIG_GRKERNSEC_RANDPING
+  If you say Y here, the way Linux handles echo replies will be changed
+  so that the reply uses an ID equal to the ID of the echo request.
+  This will help in confusing OS detection.  If the sysctl option is
+  enabled, a sysctl option with name "altered_pings" is created.
+
+Randomized TTL
+CONFIG_GRKERNSEC_RANDTTL
+  If you say Y here, your TTL (time to live) for packets will be set at
+  random, with a base of the sysctl ttl default, to further confuse OS 
+  detection. If the sysctl option is enabled, a sysctl option with name 
+  "rand_ttl" is created.
+
+Socket restrictions
+CONFIG_GRKERNSEC_SOCKET
+  If you say Y here, you will be able to choose from several options.
+  If you assign a GID on your system and add it to the supplementary
+  groups of users you want to restrict socket access to, this patch
+  will perform up to three things, based on the option(s) you choose.
+
+Deny all socket access
+CONFIG_GRKERNSEC_SOCKET_ALL
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine or run server
+  applications from your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_all" is created.
+
+Group for disabled socket access
+CONFIG_GRKERNSEC_SOCKET_ALL_GID
+  Here you can choose the GID to disable socket access for. Remember to 
+  add the users you want socket access disabled for to the GID 
+  specified here.  If the sysctl option is enabled, whatever you choose
+  here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_all_gid" is created.
+
+Deny all client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to connect to other hosts from your machine, but will be
+  able to run servers.  If this option is enabled, all users in the group
+  you specify will have to use passive mode when initiating ftp transfers
+  from the shell on your machine.  If the sysctl option is enabled, a
+  sysctl option with name "socket_client" is created.
+
+Group for disabled client socket access
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID
+  Here you can choose the GID to disable client socket access for. 
+  Remember to add the users you want client socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_client_gid" is created.
+
+Deny all server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER
+  If you say Y here, you will be able to choose a GID of whose users will
+  be unable to run server applications from your machine.  If the sysctl 
+  option is enabled, a sysctl option with name "socket_server" is created.
+
+Group for disabled server socket access
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID
+  Here you can choose the GID to disable server socket access for. 
+  Remember to add the users you want server socket access disabled for to 
+  the GID specified here.  If the sysctl option is enabled, whatever you 
+  choose here won't matter. You'll have to specify the GID in your bootup 
+  script by echoing the GID to the proper /proc entry.  View the help
+  on the sysctl option for more information.  If the sysctl option is
+  enabled, a sysctl option with name "socket_server_gid" is created.
+
+Sysctl support
+CONFIG_GRKERNSEC_SYSCTL
+  If you say Y here, you will be able to change the options that
+  grsecurity runs with at bootup, without having to recompile your
+  kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
+  to enable (1) or disable (0) various features.  All the sysctl entries
+  are mutable until the "grsec_lock" entry is set to a non-zero value.
+  All features are disabled by default. Please note that this option could 
+  reduce the effectiveness of the added security of this patch if an ACL 
+  system is not put in place.  Your init scripts should be read-only, and 
+  root should not have access to adding modules or performing raw i/o 
+  operations.  All options should be set at startup, and the grsec_lock 
+  entry should be set to a non-zero value after all the options are set.  
+  *THIS IS EXTREMELY IMPORTANT*
+
+Grsecurity ACL System
+CONFIG_GRKERNSEC_ACL
+  If you say Y here, you enable the Access Control List system for 
+  grsecurity. Unlike many other popular ACL systems, it allows both 
+  process and file ACLs. To use the ACL system, you must also download the 
+  userspace code and documentation off the grsecurity website: 
+  <http://grsecurity.net>  You will then need to run gradm setup to set 
+  your password and create your config files.
+  
+Denied capability logging
+CONFIG_GRKERNSEC_ACL_CAPLOG
+  If you say Y here, logs will be produced when a root-owned process does 
+  not have a needed capability raised in his set.  This information is 
+  useful when creating ACLs for your system.
+
+Seconds in between log messages
+CONFIG_GRKERNSEC_FLOODTIME
+  This option allows you to enforce the number of seconds between
+  grsecurity log messages.  The default should be suitable for most 
+  people, however, if you choose to change it, choose a value small enough
+  to allow informative logs to be produced, but large enough to
+  prevent flooding.
+
+ACL Debugging Messages
+CONFIG_GR_DEBUG
+  This option allows the grsecurity ACL system to print debugging messages 
+  as an aid to finding problems in your ACL sets.
+
+Extra ACL Debugging Messages
+CONFIG_GR_SUPERDEBUG
+  This option allows you to enable additional debugging messages that can 
+  also help you in finding problems in your ACL sets or to gain a better 
+  understanding of the internal workings of the ACL system.
+
+Path to gradm
+CONFIG_GRADM_PATH
+  This should be set to the path of the gradm binary installed on your
+  system.  If gradm is not yet installed on your system, download
+  gradm from <http://grsecurity.net> and follow the directions in the
+  README.
+
+Maximum tries before password lockout
+CONFIG_GR_MAXTRIES
+  This option enforces the maximum number of times a user can attempt
+  to authorize themselves with the grsecurity ACL system before being
+  denied the ability to attempt authorization again for a specified time.  
+  The lower the number, the harder it will be to brute-force a password.
+
+Time to wait after max password tries, in seconds
+CONFIG_GR_TIMEOUT
+  This option specifies the time the user must wait after attempting to 
+  authorize to the ACL system with the maximum number of invalid 
+  passwords.  The higher the number, the harder it will be to brute-force 
+  a password.
+
 #
 # m68k-specific kernel options
 # Documented by Chris Lawrence <mailto:quango@themall.net> et al.
diff -Nru kernel-source-2.4.18/arch/alpha/config.in kernel-source-2.4.18.fixed/arch/alpha/config.in
--- kernel-source-2.4.18/arch/alpha/config.in	2001-11-21 00:49:31.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/alpha/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -393,3 +393,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/arm/config.in kernel-source-2.4.18.fixed/arch/arm/config.in
--- kernel-source-2.4.18/arch/arm/config.in	2001-11-09 22:58:02.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/arm/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -606,3 +606,12 @@
 dep_bool '  Kernel low-level debugging messages via footbridge serial port' CONFIG_DEBUG_DC21285_PORT $CONFIG_DEBUG_LL $CONFIG_FOOTBRIDGE
 dep_bool '  kernel low-level debugging messages via UART2' CONFIG_DEBUG_CLPS711X_UART2 $CONFIG_DEBUG_LL $CONFIG_ARCH_CLPS711X
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/cris/config.in kernel-source-2.4.18.fixed/arch/cris/config.in
--- kernel-source-2.4.18/arch/cris/config.in	2002-02-25 20:37:52.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/cris/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -254,3 +254,12 @@
   int ' Profile shift count' CONFIG_PROFILE_SHIFT 2
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/i386/config.in kernel-source-2.4.18.fixed/arch/i386/config.in
--- kernel-source-2.4.18/arch/i386/config.in	2002-02-25 20:37:52.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -425,3 +425,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/i386/kernel/entry.S kernel-source-2.4.18.fixed/arch/i386/kernel/entry.S
--- kernel-source-2.4.18/arch/i386/kernel/entry.S	2002-11-18 12:46:08.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/kernel/entry.S	2003-09-21 12:22:59.000000000 +0200
@@ -45,6 +45,7 @@
 #include <linux/linkage.h>
 #include <asm/segment.h>
 #include <asm/smp.h>
+#include <asm/page.h>
 
 EBX		= 0x00
 ECX		= 0x04
@@ -389,8 +390,52 @@
 	jmp error_code
 
 ENTRY(page_fault)
+#ifdef CONFIG_GRKERNSEC_PAX
+	ALIGN
+	pushl $ SYMBOL_NAME(pax_do_page_fault)
+	pushl %ds
+	pushl %eax
+	xorl %eax,%eax
+	pushl %ebp
+	pushl %edi
+	pushl %esi
+	pushl %edx
+	decl %eax			# eax = -1
+	pushl %ecx
+	pushl %ebx
+	cld
+	movl %es,%ecx
+	movl ORIG_EAX(%esp), %esi	# get the error code
+	movl ES(%esp), %edi		# get the function address
+	movl %eax, ORIG_EAX(%esp)
+	movl %ecx, ES(%esp)
+	movl %esp,%edx
+	pushl %esi			# push the error code
+	pushl %edx			# push the pt_regs pointer
+	movl $(__KERNEL_DS),%edx
+	movl %edx,%ds
+	movl %edx,%es
+	GET_CURRENT(%ebx)
+	call *%edi
+	addl $8,%esp
+	decl %eax
+	jnz ret_from_exception
+
+	popl %ebx
+	popl %ecx
+	popl %edx
+	popl %esi
+	popl %edi
+	popl %ebp
+	popl %eax
+	popl %ds
+	popl %es
+	addl $4,%esp
+	jmp system_call
+#else
 	pushl $ SYMBOL_NAME(do_page_fault)
 	jmp error_code
+#endif
 
 ENTRY(machine_check)
 	pushl $0
diff -Nru kernel-source-2.4.18/arch/i386/kernel/head.S kernel-source-2.4.18.fixed/arch/i386/kernel/head.S
--- kernel-source-2.4.18/arch/i386/kernel/head.S	2002-02-25 20:37:53.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/kernel/head.S	2003-09-21 12:22:59.000000000 +0200
@@ -433,7 +433,11 @@
 	.quad 0x0000000000000000	/* not used */
 	.quad 0x00cf9a000000ffff	/* 0x10 kernel 4GB code at 0x00000000 */
 	.quad 0x00cf92000000ffff	/* 0x18 kernel 4GB data at 0x00000000 */
+#ifdef CONFIG_GRKERNSEC_STACK
+        .quad 0x00cbfa000000f7ff        /* 0x23 user   3GB-8MB code at 0 */
+#else
 	.quad 0x00cffa000000ffff	/* 0x23 user   4GB code at 0x00000000 */
+#endif
 	.quad 0x00cff2000000ffff	/* 0x2b user   4GB data at 0x00000000 */
 	.quad 0x0000000000000000	/* not used */
 	.quad 0x0000000000000000	/* not used */
diff -Nru kernel-source-2.4.18/arch/i386/kernel/ptrace.c kernel-source-2.4.18.fixed/arch/i386/kernel/ptrace.c
--- kernel-source-2.4.18/arch/i386/kernel/ptrace.c	2001-11-21 19:42:41.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/kernel/ptrace.c	2003-09-21 12:22:59.000000000 +0200
@@ -21,6 +21,10 @@
 #include <asm/i387.h>
 #include <asm/debugreg.h>
 
+#if defined(CONFIG_GRKERNSEC_CHROOT_PTRACE) || defined(CONFIG_GRKERNSEC_PTRACE) \
+ || defined(CONFIG_GRKERNSEC_AUDIT_PTRACE)
+#include <linux/grsecurity.h>
+#endif
 /*
  * does not yet catch signals sent when the child dies.
  * in exit.c or in signal.c.
@@ -177,6 +181,40 @@
 	if (pid == 1)		/* you may not mess with init */
 		goto out_tsk;
 
+#ifdef CONFIG_GRKERNSEC_PTRACE
+	if(grsec_enable_ptrace && current->uid
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+	   && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid))
+	   || !grsec_enable_ptrace_group)
+#endif
+	) {
+		security_alert("denied ptrace of (%.16s:%d) by " DEFAULTSECMSG,
+				"denied ptraces", child->comm, child->pid, DEFAULTSECARGS);
+		goto out_tsk;
+	}
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+	if(grsec_enable_audit_ptrace
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+	&& grsec_enable_group && in_group_p(grsec_audit_gid)
+#endif
+	) {
+		printk(KERN_INFO "grsec: ptrace of (%.16s:%d) by " DEFAULTSECMSG "\n",
+				child->comm, child->pid, DEFAULTSECARGS);
+	}
+#endif		
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+	if(grsec_enable_chroot_ptrace && proc_is_chrooted(current) &&
+	   have_same_root(current,child)) {
+		security_alert("denied ptrace of process(%.16s:%d) within chroot jail "
+                               "(%.32s:%lu) by " DEFAULTSECMSG, 
+                               "ptrace from chroot",
+                               child->comm,child->pid,kdevname(current->fs->root->d_inode->i_dev),
+                               current->fs->root->d_inode->i_ino, 
+			       DEFAULTSECARGS);
+		goto out_tsk;
+	}
+#endif
 	if (request == PTRACE_ATTACH) {
 		ret = ptrace_attach(child);
 		goto out_tsk;
@@ -439,11 +477,23 @@
 	return ret;
 }
 
+#ifdef CONFIG_GRKERNSEC_PTRACE
+asmlinkage void syscall_trace(int unused)
+#else
 asmlinkage void syscall_trace(void)
+#endif
 {
+#ifdef CONFIG_GRKERNSEC_PTRACE
+	struct pt_regs *regs = (struct pt_regs *) &unused;
+#endif
+
 	if ((current->ptrace & (PT_PTRACED|PT_TRACESYS)) !=
 			(PT_PTRACED|PT_TRACESYS))
 		return;
+#ifdef CONFIG_GRKERNSEC_PTRACE
+	if(!user_mode(regs))
+		return;
+#endif
 	/* the 0x80 provides a way for the tracing parent to distinguish
 	   between a syscall stop and SIGTRAP delivery */
 	current->exit_code = SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD)
diff -Nru kernel-source-2.4.18/arch/i386/kernel/signal.c kernel-source-2.4.18.fixed/arch/i386/kernel/signal.c
--- kernel-source-2.4.18/arch/i386/kernel/signal.c	2002-02-25 20:37:53.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/kernel/signal.c	2003-09-21 12:22:59.000000000 +0200
@@ -7,6 +7,7 @@
  *  2000-06-20  Pentium III FXSR, SSE support by Gareth Hughes
  */
 
+#include <linux/config.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
 #include <linux/smp.h>
@@ -421,11 +422,15 @@
 	if (ka->sa.sa_flags & SA_RESTORER) {
 		err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
 	} else {
+#ifdef CONFIG_GRKERNSEC_STACK
+		err |= __put_user(MAGIC_SIGRETURN, &frame->pretcode);
+#else
 		err |= __put_user(frame->retcode, &frame->pretcode);
 		/* This is popl %eax ; movl $,%eax ; int $0x80 */
 		err |= __put_user(0xb858, (short *)(frame->retcode+0));
 		err |= __put_user(__NR_sigreturn, (int *)(frame->retcode+2));
 		err |= __put_user(0x80cd, (short *)(frame->retcode+6));
+#endif
 	}
 
 	if (err)
@@ -496,11 +501,15 @@
 	if (ka->sa.sa_flags & SA_RESTORER) {
 		err |= __put_user(ka->sa.sa_restorer, &frame->pretcode);
 	} else {
+#ifdef CONFIG_GRKERNSEC_STACK
+		err |= __put_user(MAGIC_RT_SIGRETURN, &frame->pretcode);
+#else
 		err |= __put_user(frame->retcode, &frame->pretcode);
 		/* This is movl $,%eax ; int $0x80 */
 		err |= __put_user(0xb8, (char *)(frame->retcode+0));
 		err |= __put_user(__NR_rt_sigreturn, (int *)(frame->retcode+1));
 		err |= __put_user(0x80cd, (short *)(frame->retcode+5));
+#endif
 	}
 
 	if (err)
@@ -558,6 +567,18 @@
 		}
 	}
 
+#ifdef CONFIG_GRKERNSEC_PAX
+	/* PaX: clean up as our trace attempt became obsolete */
+	if ((current->flags & PF_PAX_PAGEEXEC) && (current->ptrace & PT_PAX_TRACE)) {
+		if (!(current->ptrace & PT_PAX_OLDTF)) {
+			regs->eflags &= ~TF_MASK;
+		}
+		current->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+		current->thread.pax_faults.eip = 0;
+		current->thread.pax_faults.count = 0;
+	}
+#endif
+
 	/* Set up the stack frame */
 	if (ka->sa.sa_flags & SA_SIGINFO)
 		setup_rt_frame(sig, ka, info, oldset, regs);
diff -Nru kernel-source-2.4.18/arch/i386/kernel/traps.c kernel-source-2.4.18.fixed/arch/i386/kernel/traps.c
--- kernel-source-2.4.18/arch/i386/kernel/traps.c	2001-09-30 21:26:08.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/i386/kernel/traps.c	2003-09-21 12:22:59.000000000 +0200
@@ -49,6 +49,9 @@
 
 #include <linux/irq.h>
 #include <linux/module.h>
+#ifdef CONFIG_GRKERNSEC_STACK
+#include <linux/grsecurity.h>
+#endif
 
 asmlinkage int system_call(void);
 asmlinkage void lcall7(void);
@@ -348,14 +351,183 @@
 DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
 DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, get_cr2())
 
+#if defined(CONFIG_GRKERNSEC_STACK) && defined(CONFIG_GRKERNSEC_STACK_GCC)
+static unsigned long *get_reg(struct pt_regs *regs, unsigned char regnum)
+{
+    switch (regnum) {
+	case 0: return &regs->eax;
+	case 1: return &regs->ecx;
+	case 2: return &regs->edx;
+	case 3: return &regs->ebx;
+	case 4: return &regs->esp;
+	case 5: return &regs->ebp;
+	case 6: return &regs->esi;
+	case 7: return &regs->edi;
+    }
+    return NULL;
+}
+static unsigned long get_modrm(struct pt_regs *regs, int *err)
+{
+       unsigned char modrm, sib;
+       signed char rel8;
+       unsigned long rel32;
+       int size, regnum, scale;
+       unsigned long index, base, addr, value;
+
+       *err |= __get_user(modrm, (unsigned char *)(regs->eip + 1));
+       size = 2;
+       regnum = modrm & 7;
+       addr = *get_reg(regs, regnum);
+       if (regnum == 4 && (modrm & 0xC0) != 0xC0) {
+               *err |= __get_user(sib, (unsigned char *)(regs->eip + 2));
+               size = 3;
+               scale = sib >> 6;
+               index = *get_reg(regs, (sib >> 3) & 7);
+               base = *get_reg(regs, sib & 7);
+               addr = base + (index << scale);
+       }
+
+       switch (modrm & 0xC0) {
+       case 0x00:
+               if (regnum == 5) {
+                       *err |= __get_user(addr,
+                               (unsigned long *)(regs->eip + 2));
+                       size = 6;
+               }
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x40:
+               *err |= __get_user(rel8, (signed char *)(regs->eip + size));
+               size++;
+               addr += rel8;
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0x80:
+               *err |= __get_user(rel32, (unsigned long *)(regs->eip + size));
+               size += 4;
+               addr += rel32;
+               *err |= __get_user(value, (unsigned long *)addr);
+               break;
+
+       case 0xC0:
+       default:
+               value = addr;
+       }
+
+       if (*err) return 0;
+       regs->eip += size;
+       return value;
+}
+#endif
 asmlinkage void do_general_protection(struct pt_regs * regs, long error_code)
 {
+#ifdef CONFIG_GRKERNSEC_STACK
+    unsigned long addr;
+#ifdef CONFIG_GRKERNSEC_STACK_GCC
+    unsigned char insn;
+    int err, count;
+#endif
+#endif
 	if (regs->eflags & VM_MASK)
 		goto gp_in_vm86;
 
 	if (!(regs->xcs & 3))
 		goto gp_in_kernel;
 
+#ifdef CONFIG_GRKERNSEC_STACK
+/* Check if it was return from a signal handler */
+        if ((regs->xcs & 0xFFFF) == __USER_CS)
+        if (*(unsigned char *)regs->eip == 0xC3)
+        if (!__get_user(addr, (unsigned long *)regs->esp)) {
+                if ((addr & 0xFFFFFFFE) == MAGIC_SIGRETURN) {
+/* Call sys_sigreturn() or sys_rt_sigreturn() to restore the context */
+                        regs->esp += 8;
+                        __asm__("movl %3,%%esi\n\t"
+                                "subl %1,%%esp\n\t"
+                                "movl %2,%%ecx\n\t"
+                                "movl %%esp,%%edi\n\t"
+                                "rep; movsl\n\t"
+                                "testl $1,%4\n\t"
+                                "jnz 1f\n\t"
+                                "call sys_sigreturn\n\t"
+                                "leal %3,%%edi\n\t"
+                                "jmp 2f\n\t"
+                                "1:\n\t"
+                                "call sys_rt_sigreturn\n\t"
+                                "leal %3,%%edi\n\t"
+                                "2:\n\t"
+                                "addl %1,%%edi\n\t"
+                                "movl %%esp,%%esi\n\t"
+                                "movl %2,%%ecx\n\t"
+                                "movl (%%edi),%%edi\n\t"
+                                "rep; movsl\n\t"
+                                "movl %%esi,%%esp"
+                        :
+/* %eax is returned separately */
+                        "=a" (regs->eax)
+                        :
+                        "i" (sizeof(*regs)),
+                        "i" (sizeof(*regs) >> 2),
+                        "m" (regs),
+                        "r" (addr)
+                        :
+                        "cx", "dx", "si", "di", "cc", "memory");
+                        return;
+                }
+/*
+ *  * Check if we're returning to the stack area, which is only likely to happen
+ *   * when attempting to exploit a buffer overflow.
+ *    */
+                if ((addr & 0xFF800000) == 0xBF800000 ||
+                    (addr >= PAGE_OFFSET - _STK_LIM && addr < PAGE_OFFSET))
+                        security_alert("return onto stack by " DEFAULTSECMSG,
+                                "returns onto stack", DEFAULTSECARGS);
+        }
+ 
+#ifdef CONFIG_GRKERNSEC_STACK_GCC
+/* Check if it could have been a trampoline call */
+        if ((regs->xcs & 0xFFFF) == __USER_CS)
+        if (*(unsigned char *)regs->eip == 0xFF)
+        if (!__get_user(insn, (unsigned char *)(regs->eip + 1)))
+        if ((insn & 0x38) == 0x10 && insn != 0xD4) {    /* call mod r/m */
+/* First, emulate the call */
+                err = 0;
+                addr = get_modrm(regs, &err);
+                if (!err) {
+                        regs->esp -= 4;
+                        err = __put_user(regs->eip, (unsigned long *)regs->esp);
+                        regs->eip = addr;
+                }  
+/* Then, start emulating the trampoline itself */
+               count = 0;
+               while (!err && !__get_user(insn, (unsigned char *)regs->eip++))
+               if ((insn & 0xF8) == 0xB8) {            /* movl imm32,%reg */
+/* We only have 8 GP registers, no reason to initialize one twice */
+                        if (count++ >= 8) break;
+                        err |= __get_user(addr, (unsigned long *)regs->eip);
+                        regs->eip += 4;
+                        *get_reg(regs, insn & 7) = addr;
+                } else
+                if (insn == 0xFF) {
+                        err |= __get_user(insn, (unsigned char *)regs->eip);
+                        if ((insn & 0xF8) == 0xE0) {    /* jmp *%reg */
+                                regs->eip = *get_reg(regs, insn & 7);
+                                if (err) break; else return;
+                        }
+                        break;
+                } else
+               if (insn == 0xE9) {                     /* jmp rel32 */
+                       err |= __get_user(addr, (unsigned long *)regs->eip);
+                       if (err) break;
+                       regs->eip += 4 + addr;
+                       return;
+               } else
+                       break;
+       }                        
+#endif
+#endif
 	current->thread.error_code = error_code;
 	current->thread.trap_no = 13;
 	force_sig(SIGSEGV, current);
@@ -452,6 +624,10 @@
 	inb(0x71);		/* dummy */
 }
 
+#ifdef CONFIG_GRKERNSEC_PAX
+void pax_handle_ptes(struct task_struct *tsk);
+#endif
+
 /*
  * Our handling of the processor debug registers is non-trivial.
  * We do not clear them on entry and exit from the kernel. Therefore
@@ -482,6 +658,22 @@
 
 	__asm__ __volatile__("movl %%db6,%0" : "=r" (condition));
 
+#ifdef CONFIG_GRKERNSEC_PAX
+	/* PaX: clean up */
+	if ((tsk->flags & PF_PAX_PAGEEXEC) && (condition & DR_STEP) && (tsk->ptrace & PT_PAX_TRACE)) {
+		tsk->ptrace &= ~PT_PAX_TRACE;
+		pax_handle_ptes(tsk);
+		if (!(tsk->ptrace & PT_PAX_KEEPTF) && !(tsk->ptrace & PT_PAX_OLDTF))
+			regs->eflags &= ~TF_MASK;
+		tsk->ptrace &= ~PT_PAX_KEEPTF;
+		if (!(tsk->ptrace & PT_PAX_OLDTF)) {
+			condition &= ~DR_STEP;
+			if (!(condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)))
+				return;
+		}
+		tsk->ptrace &= ~PT_PAX_OLDTF;
+	}
+#endif
 	/* Mask out spurious debug traps due to lazy DR7 setting */
 	if (condition & (DR_TRAP0|DR_TRAP1|DR_TRAP2|DR_TRAP3)) {
 		if (!tsk->thread.debugreg[7])
diff -Nru kernel-source-2.4.18/arch/i386/mm/fault.c kernel-source-2.4.18.fixed/arch/i386/mm/fault.c
--- kernel-source-2.4.18/arch/i386/mm/fault.c	2002-02-25 20:37:53.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/mm/fault.c	2003-09-21 12:22:59.000000000 +0200
@@ -4,6 +4,7 @@
  *  Copyright (C) 1995  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/signal.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
@@ -19,6 +20,9 @@
 #include <linux/init.h>
 #include <linux/tty.h>
 #include <linux/vt_kern.h>		/* For unblank_screen() */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_RANDMMAP)
+#include <linux/unistd.h>
+#endif
 
 #include <asm/system.h>
 #include <asm/uaccess.h>
@@ -144,23 +148,31 @@
  *	bit 1 == 0 means read, 1 means write
  *	bit 2 == 0 means kernel, 1 means user-mode
  */
+#ifdef CONFIG_GRKERNSEC_PAX
+asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
+#else
 asmlinkage void do_page_fault(struct pt_regs *regs, unsigned long error_code)
+#endif
 {
 	struct task_struct *tsk;
 	struct mm_struct *mm;
 	struct vm_area_struct * vma;
+#ifndef CONFIG_GRKERNSEC_PAX
 	unsigned long address;
+#endif
 	unsigned long page;
 	unsigned long fixup;
 	int write;
 	siginfo_t info;
 
+#ifndef CONFIG_GRKERNSEC_PAX
 	/* get the address */
 	__asm__("movl %%cr2,%0":"=r" (address));
 
 	/* It's safe to allow irq's after cr2 has been saved */
 	if (regs->eflags & X86_EFLAGS_IF)
 		local_irq_enable();
+#endif
 
 	tsk = current;
 
@@ -218,21 +230,37 @@
 good_area:
 	info.si_code = SEGV_ACCERR;
 	write = 0;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	switch (error_code & 7) {
+#else
 	switch (error_code & 3) {
+#endif
 		default:	/* 3: write, present */
 #ifdef TEST_VERIFY_AREA
 			if (regs->cs == KERNEL_CS)
 				printk("WP fault at %08lx\n", regs->eip);
 #endif
 			/* fall through */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		case 7:		/* PaX: write, present, some protection violation */
+#endif
 		case 2:		/* write, not present */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		case 6:
+#endif
 			if (!(vma->vm_flags & VM_WRITE))
 				goto bad_area;
 			write++;
 			break;
 		case 1:		/* read, present */
 			goto bad_area;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		case 5:		/* PaX: read, present, protection violation */
+#endif
 		case 0:		/* read, not present */
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		case 4:
+#endif
 			if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
 				goto bad_area;
 	}
@@ -407,3 +435,441 @@
 		return;
 	}
 }
+#ifdef CONFIG_GRKERNSEC_PAX
+/* PaX: called with the page_table_lock spinlock held */
+static inline pte_t * pax_get_pte(struct mm_struct *mm, unsigned long address)
+{
+	pgd_t *pgd;
+	pmd_t *pmd;
+
+	pgd = pgd_offset(mm, address);
+	if (!pgd || !pgd_present(*pgd))
+		return 0;
+	pmd = pmd_offset(pgd, address);
+	if (!pmd || !pmd_present(*pmd))
+		return 0;
+	return pte_offset(pmd, address);
+}
+
+/*
+ * PaX: decide what to do with offenders
+ *
+ * returns 0 when access should be allowed
+ *         1 when task should be killed
+ *         2 when sigreturn trampoline was detected
+ *         3 when rt_sigreturn trampoline was detected
+ *         4 when gcc trampoline was detected
+ */
+static int pax_handle_read_fault(struct pt_regs *regs, unsigned long address)
+{
+	static unsigned char trans[8] = {6, 1, 2, 0, 13, 5, 3, 4};
+	int err;
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+	if (!(current->flags & PF_PAX_EMUTRAMP))
+		return 1;
+
+	{ /* PaX: sigreturn emulation */
+		unsigned char pop, mov;
+		unsigned short sys;
+		unsigned long nr;
+
+		err = __get_user(pop, (unsigned char *)(regs->eip));
+		err |= __get_user(mov, (unsigned char *)(regs->eip + 1));
+		err |= __get_user(nr, (unsigned long *)(regs->eip + 2));
+		err |= __get_user(sys, (unsigned short *)(regs->eip + 6));
+
+		if (!err) {
+			if (pop == 0x58 &&
+			    mov == 0xb8 &&
+			    nr == __NR_sigreturn &&
+			    sys == 0x80cd)
+			{
+				regs->esp += 4;
+				regs->eax = nr;
+				regs->eip += 8;
+				return 2;
+			}
+		}
+	}
+
+	{ /* PaX: rt_sigreturn emulation */
+		unsigned char mov;
+		unsigned short sys;
+		unsigned long nr;
+
+		err = __get_user(mov, (unsigned char *)(regs->eip));
+		err |= __get_user(nr, (unsigned long *)(regs->eip + 1));
+		err |= __get_user(sys, (unsigned short *)(regs->eip + 5));
+
+		if (!err) {
+			if (mov == 0xb8 &&
+			    nr == __NR_rt_sigreturn &&
+			    sys == 0x80cd)
+			{
+				regs->eax = nr;
+				regs->eip += 7;
+				return 3;
+			}
+		}
+	}
+
+	{ /* PaX: gcc trampoline emulation #1 */
+		unsigned char mov1, mov2;
+		unsigned short jmp;
+		unsigned long addr1, addr2, ret;
+
+		err = __get_user(mov1, (unsigned char *)(regs->eip));
+		err |= __get_user(addr1, (unsigned long *)(regs->eip + 1));
+		err |= __get_user(mov2, (unsigned char *)(regs->eip + 5));
+		err |= __get_user(addr2, (unsigned long *)(regs->eip + 6));
+		err |= __get_user(jmp, (unsigned short *)(regs->eip + 10));
+		err |= __get_user(ret, (unsigned long *)(regs->esp));
+
+		if (!err) {
+			unsigned short call;
+
+			err = __get_user(call, (unsigned short *)(ret-2));
+			if (!err) {
+				if ((mov1 & 0xF8) == 0xB8 &&
+				    (mov2 & 0xF8) == 0xB8 &&
+				    (mov1 & 0x07) != (mov2 & 0x07) &&
+				    (jmp & 0xF8FF) == 0xE0FF &&
+				    (mov2 & 0x07) == ((jmp>>8) & 0x07) &&
+				    (call & 0xF8FF) == 0xD0FF &&
+				    (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]]))
+				{
+					((unsigned long *)regs)[trans[mov1 & 0x07]] = addr1;
+					((unsigned long *)regs)[trans[mov2 & 0x07]] = addr2;
+					regs->eip = addr2;
+					return 4;
+				}
+			}
+		}
+	}
+
+	{ /* PaX: gcc trampoline emulation #2 */
+		unsigned char mov, jmp;
+		unsigned long addr1, addr2, ret;
+
+		err = __get_user(mov, (unsigned char *)(regs->eip));
+		err |= __get_user(addr1, (unsigned long *)(regs->eip + 1));
+		err |= __get_user(jmp, (unsigned char *)(regs->eip + 5));
+		err |= __get_user(addr2, (unsigned long *)(regs->eip + 6));
+		err |= __get_user(ret, (unsigned long *)(regs->esp));
+
+		if (!err) {
+			unsigned short call;
+
+			err = __get_user(call, (unsigned short *)(ret-2));
+			if (!err) {
+				if ((mov & 0xF8) == 0xB8 &&
+				    jmp == 0xE9 &&
+				    (call & 0xF8FF) == 0xD0FF &&
+				    (regs->eip == ((unsigned long*)regs)[trans[(call>>8) & 0x07]]))
+				{
+					((unsigned long *)regs)[trans[mov & 0x07]] = addr1;
+					regs->eip += addr2 + 10;
+					return 4;
+				}
+			}
+		}
+	}
+#endif
+
+	return 1; /* PaX in action */
+}
+
+static int pax_handle_opcode(struct task_struct *tsk, struct pt_regs *regs)
+{
+	unsigned long opsize = 1;
+	unsigned long opsize_override = 0;
+	unsigned long i;
+
+	if (regs->eflags & TF_MASK)
+		tsk->ptrace |= PT_PAX_OLDTF;
+	else
+		tsk->ptrace &= ~PT_PAX_OLDTF;
+	tsk->ptrace &= ~PT_PAX_KEEPTF;
+
+	for (i=0; i<15; i++) {
+		unsigned char opcode;
+		if (__get_user(opcode, (unsigned char*)(regs->eip+i)))
+			break;
+		switch (opcode) {
+		case 0x26:
+		case 0x2E:
+		case 0x36:
+		case 0x3E:
+		case 0x64:
+		case 0x65:
+		case 0x67:
+		case 0xF0:
+		case 0xF2:
+		case 0xF3:
+			break;
+
+		case 0x66:
+			opsize_override = 1;
+			break;
+
+		case 0x9C: /* PUSHF */
+			if (opsize ^ opsize_override) {
+				__put_user(regs->eflags & 0x00FCFFFFul, (unsigned long*)(regs->esp-4));
+				regs->esp -= 4;
+			} else {
+				__put_user(regs->eflags, (unsigned short*)(regs->esp-2));
+				regs->esp -= 2;
+			}
+			regs->eip += i + 1;
+			return 1;
+
+		case 0x9D: /* POPF */
+		case 0xCF: /* IRET */
+			tsk->ptrace |= PT_PAX_KEEPTF;
+			return 0;
+
+		default:
+			return 0;
+		}
+ 	}
+	return 0;
+}
+
+static inline void pax_handle_pte(struct mm_struct *mm, unsigned long address)
+{
+	pte_t *pte;
+	pte = pax_get_pte(mm, address);
+	if (pte) {
+		set_pte(pte, pte_exprotect(*pte));
+		__flush_tlb_one(address);
+	}
+}
+
+#define PAX_SPIN_COUNT 256
+
+void pax_handle_ptes(struct task_struct *tsk)
+{
+	struct mm_struct *mm;
+
+	mm = tsk->mm;
+	spin_lock(&mm->page_table_lock);
+	switch (tsk->thread.pax_faults.count) {
+	default:
+		printk(KERN_ERR "PAX: wtf: %s:%d, %ld\n", tsk->comm, tsk->pid, tsk->thread.pax_faults.count);
+		break;
+
+	case PAX_SPIN_COUNT+4:
+		pax_handle_pte(mm, tsk->thread.pax_faults.addresses[3]);
+
+	case PAX_SPIN_COUNT+3:
+		pax_handle_pte(mm, tsk->thread.pax_faults.addresses[2]);
+
+	case PAX_SPIN_COUNT+2:
+		pax_handle_pte(mm, tsk->thread.pax_faults.addresses[1]);
+
+	case PAX_SPIN_COUNT+1:
+		pax_handle_pte(mm, tsk->thread.pax_faults.addresses[0]);
+	}
+	spin_unlock(&mm->page_table_lock);
+	tsk->thread.pax_faults.eip = 0;
+	tsk->thread.pax_faults.count = 0;
+}
+
+/*
+ * PaX: handle the extra page faults or pass it down to the original handler
+ *
+ * returns 0 when nothing special was detected
+ *         1 when sigreturn trampoline (syscall) has to be emulated
+ */
+asmlinkage int pax_do_page_fault(struct pt_regs *regs, unsigned long error_code)
+{
+	struct task_struct *tsk = current;
+	struct mm_struct *mm = current->mm;
+	unsigned long address;
+	pte_t *pte;
+	unsigned char pte_mask = _PAGE_ACCESSED | _PAGE_USER;
+	int ret;
+	unsigned long i;
+
+	__asm__("movl %%cr2,%0":"=r" (address));
+
+	/* It's safe to allow irq's after cr2 has been saved */
+	if (regs->eflags & X86_EFLAGS_IF)
+		local_irq_enable();
+
+	if ((error_code & 5) != 5 || address >= TASK_SIZE || regs->xcs != __USER_CS || (VM_MASK & regs->eflags))
+		goto chain;
+
+	/* PaX: it's our fault, let's handle it if we can */
+
+	if (error_code == 7) {
+		pte_mask |= _PAGE_DIRTY;
+	/* PaX: take a look at read faults before acquiring any locks */
+	} else if (regs->eip == address) { /* read/instruction fetch attempt from a protected page in user mode */
+		ret = pax_handle_read_fault(regs, address);
+		switch (ret) {
+		case 4:
+			tsk->thread.pax_faults.eip = 0;
+			tsk->thread.pax_faults.count = 0;
+			return 0;
+
+		case 3:
+		case 2:
+			tsk->thread.pax_faults.eip = 0;
+			tsk->thread.pax_faults.count = 0;
+			return 1;
+
+		default:
+		case 1: {
+			char* buffer = (char*)__get_free_page(GFP_KERNEL);
+			char* path=NULL;
+
+			if (buffer) {
+				struct vm_area_struct* vma;
+
+				down_read(&mm->mmap_sem);
+				vma = mm->mmap;
+				while (vma) {
+					if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file) {
+						break;
+					}
+					vma = vma->vm_next;
+				}
+				if (vma)
+					path = d_path(vma->vm_file->f_dentry, vma->vm_file->f_vfsmnt, buffer, PAGE_SIZE);
+				up_read(&mm->mmap_sem);
+			}
+			printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, EIP: %08lX, ESP: %08lX\n", path, tsk->comm, tsk->pid, tsk->uid, tsk->euid, regs->eip, regs->esp);
+			if (buffer) free_page((unsigned long)buffer);
+			printk(KERN_ERR "PAX: bytes at EIP: ");
+			for (i = 0; i < 20; i++) {
+				unsigned char c;
+				if (__get_user(c, (unsigned char*)(regs->eip+i))) {
+					printk("<invalid address>.");
+					break;
+				}
+				printk("%02x ", c);
+			}
+			printk("\n");
+
+			tsk->thread.pax_faults.eip = 0;
+			tsk->thread.pax_faults.count = 0;
+			tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+			regs->eflags &= ~TF_MASK;
+			tsk->thread.cr2 = address;
+			tsk->thread.error_code = error_code;
+			tsk->thread.trap_no = 14;
+			force_sig(SIGKILL,tsk);
+			return 0;
+		}
+
+		case 0:
+		}
+	}
+
+	spin_lock(&mm->page_table_lock);
+	pte = pax_get_pte(mm, address);
+	if (!pte || !(pte_val(*pte) & _PAGE_PRESENT) || pte_exec(*pte)) {
+		spin_unlock(&mm->page_table_lock);
+		goto chain;
+	}
+
+	if ((error_code == 7) && !pte_write(*pte)) { /* write attempt to a protected page in user mode */
+		spin_unlock(&mm->page_table_lock);
+		goto chain;
+	}
+
+	/*
+	 * PaX: fill DTLB with user rights and retry
+	 */
+	if (regs->eip != tsk->thread.pax_faults.eip) { /* detect DTLB trashing */
+		tsk->thread.pax_faults.eip = regs->eip;
+		tsk->thread.pax_faults.count = 0;
+
+pax_emu:
+		__asm__ __volatile__ (
+			"orb %2,%1\n"
+			"invlpg %0\n"
+			"testb $0,%0\n"
+			"xorb %3,%1\n"
+			:
+			: "m" (*(char*)address), "m" (*(char*)pte) , "r" (pte_mask) , "i" (_PAGE_USER)
+			: "memory", "cc");
+		spin_unlock(&mm->page_table_lock);
+		return 0;
+	}
+
+	if (tsk->thread.pax_faults.count < PAX_SPIN_COUNT) {
+		++tsk->thread.pax_faults.count;
+		goto pax_emu;
+	}
+	spin_unlock(&mm->page_table_lock);
+
+	if (tsk->thread.pax_faults.count == PAX_SPIN_COUNT) {
+		if (pax_handle_opcode(tsk, regs)) {
+			tsk->thread.pax_faults.eip = 0;
+			tsk->thread.pax_faults.count = 0;
+			tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+			return 0;
+		} else {
+			++tsk->thread.pax_faults.count;
+		}
+	}
+
+	if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+3) {
+		printk(KERN_ERR "PAX: preventing DoS: %s:%d, EIP: %08lX, ESP: %08lX\n", tsk->comm, tsk->pid, regs->eip, regs->esp);
+		printk(KERN_ERR "PAX: bytes at EIP: ");
+		for (i = 0; i < 20; i++) {
+			unsigned char c;
+			if (__get_user(c, (unsigned char*)(regs->eip+i))) {
+				printk("<invalid address>.");
+				break;
+			}
+			printk("%02x ", c);
+		}
+		printk("\n");
+
+		tsk->thread.pax_faults.eip = 0;
+		tsk->thread.pax_faults.count = 0;
+		tsk->ptrace &= ~(PT_PAX_TRACE | PT_PAX_KEEPTF | PT_PAX_OLDTF);
+		regs->eflags &= ~TF_MASK;
+		tsk->thread.cr2 = address;
+		tsk->thread.error_code = error_code;
+		tsk->thread.trap_no = 14;
+		force_sig(SIGKILL,tsk);
+		return 0;
+	}
+
+	spin_lock(&mm->page_table_lock);
+	pte = pax_get_pte(mm, address);
+	if (pte) {
+		set_pte(pte, pte_mkexec(*pte));
+		__flush_tlb_one(address);
+		tsk->thread.pax_faults.addresses[tsk->thread.pax_faults.count-PAX_SPIN_COUNT-1] = address;
+		++tsk->thread.pax_faults.count;
+	}
+	spin_unlock(&mm->page_table_lock);
+	tsk->ptrace |= PT_PAX_TRACE;
+	regs->eflags |= TF_MASK;
+
+#if 0
+	if (tsk->thread.pax_faults.count > PAX_SPIN_COUNT+1+1) {
+		printk(KERN_ERR "PAX: DTLB trashing, level %ld: %s:%d,"
+				"EIP: %08lX, ESP: %08lX, cr2: %08lX\n",
+				tsk->thread.pax_faults.count - (PAX_SPIN_COUNT+1),
+				tsk->comm, tsk->pid, regs->eip, regs->esp, address);
+		printk(KERN_ERR "PAX: DTLB trashing, %08lX, %08lX, %08lX\n",
+				tsk->thread.pax_faults.addresses[0],
+				tsk->thread.pax_faults.addresses[1],
+				tsk->thread.pax_faults.addresses[2]);
+	}
+#endif
+	return 0;
+
+chain:
+	do_page_fault(regs, error_code, address);
+	return 0;
+}
+#endif
+
diff -Nru kernel-source-2.4.18/arch/i386/mm/init.c kernel-source-2.4.18.fixed/arch/i386/mm/init.c
--- kernel-source-2.4.18/arch/i386/mm/init.c	2001-12-21 18:41:53.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/i386/mm/init.c	2003-09-21 12:22:59.000000000 +0200
@@ -400,7 +400,11 @@
 	pmd = pmd_offset(pgd, vaddr);
 	pte = pte_offset(pmd, vaddr);
 	old_pte = *pte;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	*pte = mk_pte_phys(0, PAGE_READONLY_EXEC);
+#else
 	*pte = mk_pte_phys(0, PAGE_READONLY);
+#endif
 	local_flush_tlb();
 
 	boot_cpu_data.wp_works_ok = do_test_wp_bit(vaddr);
diff -Nru kernel-source-2.4.18/arch/ia64/config.in kernel-source-2.4.18.fixed/arch/ia64/config.in
--- kernel-source-2.4.18/arch/ia64/config.in	2001-11-09 23:26:17.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/ia64/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -276,3 +276,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/m68k/config.in kernel-source-2.4.18.fixed/arch/m68k/config.in
--- kernel-source-2.4.18/arch/m68k/config.in	2001-06-12 04:15:27.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/m68k/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -546,3 +546,12 @@
 #bool 'Debug kmalloc/kfree' CONFIG_DEBUG_MALLOC
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/mips/config.in kernel-source-2.4.18.fixed/arch/mips/config.in
--- kernel-source-2.4.18/arch/mips/config.in	2001-10-15 22:41:34.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/mips/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -520,3 +520,12 @@
    bool 'Run uncached' CONFIG_MIPS_UNCACHED
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/mips64/config.in kernel-source-2.4.18.fixed/arch/mips64/config.in
--- kernel-source-2.4.18/arch/mips64/config.in	2001-09-09 19:43:02.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/mips64/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -276,3 +276,12 @@
    bool 'Run uncached' CONFIG_MIPS_UNCACHED
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/parisc/config.in kernel-source-2.4.18.fixed/arch/parisc/config.in
--- kernel-source-2.4.18/arch/parisc/config.in	2001-04-18 02:19:25.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/parisc/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -208,3 +208,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/ppc/config.in kernel-source-2.4.18.fixed/arch/ppc/config.in
--- kernel-source-2.4.18/arch/ppc/config.in	2002-02-25 20:37:55.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/ppc/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -400,3 +400,12 @@
 bool 'Include kgdb kernel debugger' CONFIG_KGDB
 bool 'Include xmon kernel debugger' CONFIG_XMON
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/s390/config.in kernel-source-2.4.18.fixed/arch/s390/config.in
--- kernel-source-2.4.18/arch/s390/config.in	2002-02-25 20:37:56.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/s390/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -73,3 +73,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/s390x/config.in kernel-source-2.4.18.fixed/arch/s390x/config.in
--- kernel-source-2.4.18/arch/s390x/config.in	2002-02-25 20:37:56.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/s390x/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -77,3 +77,11 @@
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
 
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/sh/config.in kernel-source-2.4.18.fixed/arch/sh/config.in
--- kernel-source-2.4.18/arch/sh/config.in	2002-02-25 20:37:56.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/sh/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -386,3 +386,12 @@
    bool 'Early printk support' CONFIG_SH_EARLY_PRINTK
 fi
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/sparc/config.in kernel-source-2.4.18.fixed/arch/sparc/config.in
--- kernel-source-2.4.18/arch/sparc/config.in	2001-06-12 04:15:27.000000000 +0200
+++ kernel-source-2.4.18.fixed/arch/sparc/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -266,3 +266,12 @@
 
 bool 'Magic SysRq key' CONFIG_MAGIC_SYSRQ
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/arch/sparc64/config.in kernel-source-2.4.18.fixed/arch/sparc64/config.in
--- kernel-source-2.4.18/arch/sparc64/config.in	2001-12-21 18:41:53.000000000 +0100
+++ kernel-source-2.4.18.fixed/arch/sparc64/config.in	2003-09-21 12:22:59.000000000 +0200
@@ -306,3 +306,12 @@
 fi
 
 endmenu
+
+mainmenu_option next_comment
+comment 'Grsecurity'
+bool 'Grsecurity' CONFIG_GRKERNSEC
+if [ "$CONFIG_GRKERNSEC" = "y" ]; then
+    source grsecurity/Config.in
+fi
+endmenu
+
diff -Nru kernel-source-2.4.18/drivers/char/mem.c kernel-source-2.4.18.fixed/drivers/char/mem.c
--- kernel-source-2.4.18/drivers/char/mem.c	2001-12-21 18:41:54.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/char/mem.c	2003-09-21 12:22:59.000000000 +0200
@@ -25,6 +25,9 @@
 #include <asm/uaccess.h>
 #include <asm/io.h>
 #include <asm/pgalloc.h>
+#ifdef CONFIG_GRKERNSEC_KMEM
+#include <linux/grsecurity.h>
+#endif
 
 #ifdef CONFIG_I2C
 extern int i2c_init_all(void);
@@ -46,6 +49,12 @@
 			    const char * buf, size_t count, loff_t *ppos)
 {
 	ssize_t written;
+#ifdef CONFIG_GRKERNSEC_KMEM
+		security_alert("attempted write to read-only kernel memory by "
+				 DEFAULTSECMSG, "attempted kernel writes", 
+				 DEFAULTSECARGS);
+		return -EPERM;
+#endif
 
 	written = 0;
 #if defined(__sparc__) || defined(__mc68000__)
@@ -200,9 +209,21 @@
 	/*
 	 * Don't dump addresses that are not real memory to a core file.
 	 */
+#ifdef CONFIG_GRKERNSEC_PAX
+	if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC)) {
+#else 
 	if (offset >= __pa(high_memory) || (file->f_flags & O_SYNC))
+#endif
 		vma->vm_flags |= VM_IO;
 
+#ifdef CONFIG_GRKERNSEC_PAX
+		/* it turned out to be device memory (eg. video RAM), don't apply PaX */
+		if ((current->flags & PF_PAX_PAGEEXEC) &&!(vma->vm_flags & VM_EXEC)) {
+			vma->vm_flags |= VM_EXEC | VM_MAYEXEC;
+			vma->vm_page_prot = protection_map[vma->vm_flags & 0x0f];
+		}                                                                                                          
+	}
+#endif
 	if (remap_page_range(vma->vm_start, offset, vma->vm_end-vma->vm_start,
 			     vma->vm_page_prot))
 		return -EAGAIN;
@@ -291,7 +312,9 @@
 			wrote = (unsigned long) high_memory - p;
 
 		wrote = do_write_mem(file, (void*)p, p, buf, wrote, ppos);
-
+#ifdef CONFIG_GRKERNSEC_KMEM
+	if(wrote == -EPERM) return -EPERM;
+#endif
 		p += wrote;
 		buf += wrote;
 		count -= wrote;
@@ -401,8 +424,12 @@
 			count = size;
 
 		zap_page_range(mm, addr, count);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	        zeromap_page_range(addr, count, vma->vm_page_prot); 
+#else
         	zeromap_page_range(addr, count, PAGE_COPY);
 
+#endif
 		size -= count;
 		buf += count;
 		addr += count;
diff -Nru kernel-source-2.4.18/drivers/char/vt.c kernel-source-2.4.18.fixed/drivers/char/vt.c
--- kernel-source-2.4.18/drivers/char/vt.c	2001-11-16 19:08:28.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/char/vt.c	2003-09-21 12:22:59.000000000 +0200
@@ -37,6 +37,10 @@
 #include <asm/vc_ioctl.h>
 #endif /* CONFIG_FB_COMPAT_XPMAC */
 
+#ifdef CONFIG_GRKERNSEC_KBMAP
+#include <linux/grsecurity.h>
+#endif
+
 char vt_dont_switch;
 extern struct tty_driver console_driver;
 
@@ -177,7 +181,11 @@
 		    val = (i ? K_HOLE : K_NOSUCHMAP);
 		return put_user(val, &user_kbe->kb_value);
 	case KDSKBENT:
+#ifdef CONFIG_GRKERNSEC_KBMAP
+		if (!perm || (grsec_enable_kbmap && !suser()))
+#else 
 		if (!perm)
+#endif
 			return -EPERM;
 		if (!i && v == K_NOSUCHMAP) {
 			/* disallocate map */
@@ -298,7 +306,11 @@
 			return -EFAULT;
 		return ((p && *p) ? -EOVERFLOW : 0);
 	case KDSKBSENT:
+#ifdef CONFIG_GRKERNSEC_KBMAP
+		if (!perm || (grsec_enable_kbmap && !suser()))
+#else 
 		if (!perm)
+#endif
 			return -EPERM;
 
 		q = func_table[i];
diff -Nru kernel-source-2.4.18/drivers/ieee1394/video1394.c kernel-source-2.4.18.fixed/drivers/ieee1394/video1394.c
--- kernel-source-2.4.18/drivers/ieee1394/video1394.c	2002-02-25 20:37:58.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/ieee1394/video1394.c	2003-09-21 12:22:59.000000000 +0200
@@ -843,7 +843,11 @@
         pos=(unsigned long) d->buf;
         while (size > 0) {
                 page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                 if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                         return -EAGAIN;
                 start+=PAGE_SIZE;
                 pos+=PAGE_SIZE;
diff -Nru kernel-source-2.4.18/drivers/media/video/bttv-driver.c kernel-source-2.4.18.fixed/drivers/media/video/bttv-driver.c
--- kernel-source-2.4.18/drivers/media/video/bttv-driver.c	2002-02-25 20:37:58.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/media/video/bttv-driver.c	2003-09-21 12:22:59.000000000 +0200
@@ -2052,7 +2052,11 @@
         pos=(unsigned long) btv->fbuffer;
         while (size > 0) {
                 page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+                if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
                 if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
                         return -EAGAIN;
                 start+=PAGE_SIZE;
                 pos+=PAGE_SIZE;
diff -Nru kernel-source-2.4.18/drivers/media/video/cpia.c kernel-source-2.4.18.fixed/drivers/media/video/cpia.c
--- kernel-source-2.4.18/drivers/media/video/cpia.c	2001-10-25 22:53:47.000000000 +0200
+++ kernel-source-2.4.18.fixed/drivers/media/video/cpia.c	2003-09-21 12:22:59.000000000 +0200
@@ -3005,7 +3005,11 @@
 	pos = (unsigned long)(cam->frame_buf);
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up(&cam->busy_lock);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/drivers/media/video/meye.c kernel-source-2.4.18.fixed/drivers/media/video/meye.c
--- kernel-source-2.4.18/drivers/media/video/meye.c	2001-12-21 18:41:54.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/media/video/meye.c	2003-09-21 12:22:59.000000000 +0200
@@ -1263,7 +1263,11 @@
 
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up(&meye.lock);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/drivers/media/video/planb.c kernel-source-2.4.18.fixed/drivers/media/video/planb.c
--- kernel-source-2.4.18/drivers/media/video/planb.c	2002-02-25 20:37:58.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/media/video/planb.c	2003-09-21 12:22:59.000000000 +0200
@@ -2008,7 +2008,11 @@
 	}
 	for (i = 0; i < pb->rawbuf_size; i++) {
 		if (remap_page_range(start, virt_to_phys((void *)pb->rawbuf[i]),
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+						PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
 						PAGE_SIZE, PAGE_SHARED))
+#endif
 			return -EAGAIN;
 		start += PAGE_SIZE;
 		if (size <= PAGE_SIZE)
diff -Nru kernel-source-2.4.18/drivers/media/video/zr36067.c kernel-source-2.4.18.fixed/drivers/media/video/zr36067.c
--- kernel-source-2.4.18/drivers/media/video/zr36067.c	2002-02-25 20:37:58.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/media/video/zr36067.c	2003-09-21 12:22:59.000000000 +0200
@@ -4322,7 +4322,11 @@
 				    frag_tab[2 * j];
 				page = virt_to_phys(bus_to_virt(pos));	/* should just be pos on i386 */
 				if (remap_page_range
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+				    (start, page, todo, PAGE_SHARED_EXEC)) {
+#else
 				    (start, page, todo, PAGE_SHARED)) {
+#endif
 					printk(KERN_ERR
 					       "%s: zoran_mmap(V4L): remap_page_range failed\n",
 					       zr->name);
@@ -4363,7 +4367,11 @@
 			       ("V4L remap page range %d 0x%lx %ld to 0x%lx\n",
 				i, page, todo, start));
 			if (remap_page_range
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+			    (start, page, todo, PAGE_SHARED_EXEC)) {
+#else
 			    (start, page, todo, PAGE_SHARED)) {
+#endif
 				printk(KERN_ERR
 				       "%s: zoran_mmap(V4L): remap_page_range failed\n",
 				       zr->name);
diff -Nru kernel-source-2.4.18/drivers/media/video/zr36120.c kernel-source-2.4.18.fixed/drivers/media/video/zr36120.c
--- kernel-source-2.4.18/drivers/media/video/zr36120.c	2002-02-25 20:37:58.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/media/video/zr36120.c	2003-09-21 12:22:59.000000000 +0200
@@ -1484,7 +1484,11 @@
 	pos = (unsigned long)ztv->fbuffer;
 	while (size>0) {
 		unsigned long page = virt_to_phys((void*)pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
 			return -EAGAIN;
 		start += PAGE_SIZE;
 		pos += PAGE_SIZE;
diff -Nru kernel-source-2.4.18/drivers/pci/proc.c kernel-source-2.4.18.fixed/drivers/pci/proc.c
--- kernel-source-2.4.18/drivers/pci/proc.c	2001-11-17 03:38:39.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/pci/proc.c	2003-09-21 12:22:59.000000000 +0200
@@ -6,6 +6,7 @@
  *	Copyright (c) 1997--1999 Martin Mares <mj@ucw.cz>
  */
 
+#include <linux/config.h>
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/pci.h>
@@ -562,7 +563,15 @@
 		pci_for_each_dev(dev) {
 			pci_proc_attach_device(dev);
 		}
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+		entry = create_proc_entry("pci", S_IRUSR, NULL);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+		entry = create_proc_entry("pci", S_IRUSR | S_IRGRP, NULL);
+#endif
+#else
 		entry = create_proc_entry("pci", 0, NULL);
+#endif
 		if (entry)
 			entry->proc_fops = &proc_pci_operations;
 	}
diff -Nru kernel-source-2.4.18/drivers/usb/ov511.c kernel-source-2.4.18.fixed/drivers/usb/ov511.c
--- kernel-source-2.4.18/drivers/usb/ov511.c	2002-02-27 11:12:22.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/usb/ov511.c	2003-09-21 12:22:59.000000000 +0200
@@ -5578,7 +5578,11 @@
 	pos = (unsigned long)ov511->fbuf;
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up(&ov511->lock);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/drivers/usb/pwc-if.c kernel-source-2.4.18.fixed/drivers/usb/pwc-if.c
--- kernel-source-2.4.18/drivers/usb/pwc-if.c	2002-02-25 20:38:07.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/usb/pwc-if.c	2003-09-21 12:22:59.000000000 +0200
@@ -1593,7 +1593,11 @@
 	pos = (unsigned long)pdev->image_data;
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
 			return -EAGAIN;
 
 		start += PAGE_SIZE;
diff -Nru kernel-source-2.4.18/drivers/usb/se401.c kernel-source-2.4.18.fixed/drivers/usb/se401.c
--- kernel-source-2.4.18/drivers/usb/se401.c	2001-09-14 23:27:10.000000000 +0200
+++ kernel-source-2.4.18.fixed/drivers/usb/se401.c	2003-09-21 12:22:59.000000000 +0200
@@ -1374,7 +1374,11 @@
 	pos = (unsigned long)se401->fbuf;
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up(&se401->lock);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/drivers/usb/stv680.c kernel-source-2.4.18.fixed/drivers/usb/stv680.c
--- kernel-source-2.4.18/drivers/usb/stv680.c	2002-02-25 20:38:07.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/usb/stv680.c	2003-09-21 12:22:59.000000000 +0200
@@ -1450,7 +1450,11 @@
 	pos = (unsigned long) stv680->fbuf;
 	while (size > 0) {
 		page = kvirt_to_pa (pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range (start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range (start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up (&stv680->lock);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/drivers/usb/usbvideo.c kernel-source-2.4.18.fixed/drivers/usb/usbvideo.c
--- kernel-source-2.4.18/drivers/usb/usbvideo.c	2001-10-11 08:42:46.000000000 +0200
+++ kernel-source-2.4.18.fixed/drivers/usb/usbvideo.c	2003-09-21 12:22:59.000000000 +0200
@@ -1199,7 +1199,11 @@
 	pos = (unsigned long) uvd->fbuf;
 	while (size > 0) {
 		page = usbvideo_kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC))
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED))
+#endif
 			return -EAGAIN;
 
 		start += PAGE_SIZE;
diff -Nru kernel-source-2.4.18/drivers/usb/vicam.c kernel-source-2.4.18.fixed/drivers/usb/vicam.c
--- kernel-source-2.4.18/drivers/usb/vicam.c	2002-02-25 20:38:07.000000000 +0100
+++ kernel-source-2.4.18.fixed/drivers/usb/vicam.c	2003-09-21 12:22:59.000000000 +0200
@@ -691,7 +691,11 @@
 	pos = (unsigned long)vicam->fbuf;
 	while (size > 0) {
 		page = kvirt_to_pa(pos);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED_EXEC)) {
+#else
 		if (remap_page_range(start, page, PAGE_SIZE, PAGE_SHARED)) {
+#endif
 			up(&vicam->sem);
 			return -EAGAIN;
 		}
diff -Nru kernel-source-2.4.18/fs/binfmt_aout.c kernel-source-2.4.18.fixed/fs/binfmt_aout.c
--- kernel-source-2.4.18/fs/binfmt_aout.c	2001-11-03 02:39:20.000000000 +0100
+++ kernel-source-2.4.18.fixed/fs/binfmt_aout.c	2003-09-21 12:22:59.000000000 +0200
@@ -5,6 +5,7 @@
  */
 
 #include <linux/module.h>
+#include <linux/config.h>
 
 #include <linux/sched.h>
 #include <linux/kernel.h>
@@ -307,6 +308,25 @@
 	current->mm->mmap = NULL;
 	compute_creds(bprm);
  	current->flags &= ~PF_FORKNOEXEC;
+#ifdef CONFIG_GRKERNSEC_STACK
+       if (N_FLAGS(ex) & F_STACKEXEC) current->flags |= PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+      if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC))
+              current->flags |= PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+      if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
+              current->flags |= PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+      if (!(N_FLAGS(ex) & F_PAX_MPROTECT))        
+              current->flags |= PF_PAX_MPROTECT;
+#endif
+
 #ifdef __sparc__
 	if (N_MAGIC(ex) == NMAGIC) {
 		loff_t pos = fd_offset;
@@ -393,7 +413,11 @@
 
 		down_write(&current->mm->mmap_sem);
  		error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+				PROT_READ | PROT_WRITE,
+#else
 				PROT_READ | PROT_WRITE | PROT_EXEC,
+#endif
 				MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
 				fd_offset + ex.a_text);
 		up_write(&current->mm->mmap_sem);
diff -Nru kernel-source-2.4.18/fs/binfmt_elf.c kernel-source-2.4.18.fixed/fs/binfmt_elf.c
--- kernel-source-2.4.18/fs/binfmt_elf.c	2003-08-10 01:05:15.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/binfmt_elf.c	2003-09-21 12:22:59.000000000 +0200
@@ -11,6 +11,7 @@
 
 #include <linux/module.h>
 
+#include <linux/config.h>
 #include <linux/fs.h>
 #include <linux/stat.h>
 #include <linux/sched.h>
@@ -33,6 +34,9 @@
 #include <linux/smp_lock.h>
 #include <linux/compiler.h>
 #include <linux/highmem.h>
+#if defined(CONFIG_GRKERNSEC_PAX_RANDMMAP) || defined(CONFIG_GRKERNSEC_PAX)
+#include <linux/random.h>
+#endif
 
 #include <asm/uaccess.h>
 #include <asm/param.h>
@@ -73,7 +77,10 @@
 #define ELF_PAGEOFFSET(_v) ((_v) & (ELF_MIN_ALIGN-1))
 #define ELF_PAGEALIGN(_v) (((_v) + ELF_MIN_ALIGN - 1) & ~(ELF_MIN_ALIGN - 1))
 
-static struct linux_binfmt elf_format = {
+#ifndef CONFIG_GRKERNSEC_STACK
+static
+#endif
+struct linux_binfmt elf_format = {
 	NULL, THIS_MODULE, load_elf_binary, load_elf_library, elf_core_dump, ELF_EXEC_PAGESIZE
 };
 
@@ -154,6 +161,11 @@
 		u_platform = u_platform - ((current->pid % 64) << 7);
 #endif	
 
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+	if (current->flags & PF_PAX_RANDMMAP)
+		u_platform -= (current->mm->delta_stack & ~PAGE_MASK);
+#endif
+
 	/*
 	 * Force 16 byte _final_ alignment here for generality.
 	 */
@@ -616,7 +628,49 @@
 	current->mm->end_data = 0;
 	current->mm->end_code = 0;
 	current->mm->mmap = NULL;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	current->mm->delta_mmap = 0;
+	current->mm->delta_exec = 0;
+	current->mm->delta_stack = 0;
+#endif
 	current->flags &= ~PF_FORKNOEXEC;
+
+#ifdef CONFIG_GRKERNSEC_STACK
+       if (elf_ex.e_flags & EF_STACKEXEC)
+	current->flags |= PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+	if (!(elf_ex.e_flags & EF_PAX_PAGEEXEC))
+		current->flags |= PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+	if (elf_ex.e_flags & EF_PAX_EMUTRAMP)
+		current->flags |= PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+	if (!(elf_ex.e_flags & EF_PAX_MPROTECT))
+		current->flags |= PF_PAX_MPROTECT;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+	if (!(elf_ex.e_flags & EF_PAX_RANDMMAP)) {
+		unsigned short delta;
+		current->flags |= PF_PAX_RANDMMAP;
+
+		get_random_bytes(&delta, sizeof(delta));
+		current->mm->delta_mmap = (unsigned long)delta << PAGE_SHIFT;
+
+		get_random_bytes(&delta, sizeof(delta));
+		current->mm->delta_exec = (unsigned long)delta << PAGE_SHIFT;
+
+		get_random_bytes(&delta, sizeof(delta));
+		current->mm->delta_stack = (unsigned long)delta << 4;
+	}
+#endif
+
 	elf_entry = (unsigned long) elf_ex.e_entry;
 
 	/* Do this so that we can load the interpreter, if need be.  We will
@@ -667,6 +721,13 @@
 			   base, as well as whatever program they might try to exec.  This
 		           is because the brk will follow the loader, and is not movable.  */
 			load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+			/* PaX: randomize base address at the default exe base if requested */
+			if (current->flags | PF_PAX_RANDMMAP) {
+				load_bias = ELF_PAGESTART(0x08048000 - vaddr + current->mm->delta_exec);
+			}
+#endif
+
 		}
 
 		error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt, elf_prot, elf_flags);
diff -Nru kernel-source-2.4.18/fs/exec.c kernel-source-2.4.18.fixed/fs/exec.c
--- kernel-source-2.4.18/fs/exec.c	2003-08-10 01:05:15.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/exec.c	2003-09-21 12:22:59.000000000 +0200
@@ -48,6 +48,20 @@
 
 int core_uses_pid;
 
+#if defined(CONFIG_GRKERNSEC_FD) || defined(CONFIG_GRKERNSEC_EXECVE) ||\
+    defined(CONFIG_GRKERNSEC_COREDUMP)||defined(CONFIG_GRKERNSEC_TPE) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_EXECLOG) || \
+    defined(CONFIG_GRKERNSEC_EXECLOG) ||\
+    defined(CONFIG_GRKERNSEC_PTRACE) || defined(CONFIG_GRKERNSEC_ACL) ||\
+    defined(CONFIG_GRKERNSEC_AUDIT_PTRACE)
+#include <linux/grsecurity.h>
+#endif
+
+#ifdef CONFIG_GRKERNSEC_FD
+#include <linux/major.h>
+extern struct file_operations def_chr_fops;
+#endif
+
 static struct linux_binfmt *formats;
 static rwlock_t binfmt_lock = RW_LOCK_UNLOCKED;
 
@@ -278,7 +292,12 @@
 	lru_cache_add(page);
 	flush_dcache_page(page);
 	flush_page_to_ram(page);
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page,
+		(tsk->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC))));
+#else
 	set_pte(pte, pte_mkdirty(pte_mkwrite(mk_pte(page, PAGE_COPY))));
+#endif
 	tsk->mm->rss++;
 	spin_unlock(&tsk->mm->page_table_lock);
 
@@ -299,6 +318,12 @@
 
 	stack_base = STACK_TOP - MAX_ARG_PAGES*PAGE_SIZE;
 
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+	if (current->flags & PF_PAX_RANDMMAP)
+		stack_base = PAGE_MASK & (stack_base - current->mm->delta_stack);
+
+#endif
+ 
 	bprm->p += stack_base;
 	if (bprm->loader)
 		bprm->loader += stack_base;
@@ -312,9 +337,15 @@
 	{
 		mpnt->vm_mm = current->mm;
 		mpnt->vm_start = PAGE_MASK & (unsigned long) bprm->p;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+		mpnt->vm_end = stack_base + MAX_ARG_PAGES*PAGE_SIZE;
+		mpnt->vm_page_prot = (current->flags & PF_PAX_PAGEEXEC)?PAGE_COPY_NOEXEC:PAGE_COPY_EXEC;
+		mpnt->vm_flags = (current->flags & PF_PAX_PAGEEXEC)?VM_STACK_FLAGS:(VM_STACK_FLAGS|VM_EXEC|VM_MAYEXEC);
+#else
 		mpnt->vm_end = STACK_TOP;
 		mpnt->vm_page_prot = PAGE_COPY;
 		mpnt->vm_flags = VM_STACK_FLAGS;
+#endif
 		mpnt->vm_ops = NULL;
 		mpnt->vm_pgoff = 0;
 		mpnt->vm_file = NULL;
@@ -473,6 +504,67 @@
 	if (atomic_dec_and_test(&oldsig->count))
 		kmem_cache_free(sigact_cachep, oldsig);
 }
+#ifdef CONFIG_GRKERNSEC_FD
+static inline int tweak_fd_open_null(struct linux_binprm *bprm)
+{
+	struct inode *i;
+	struct dentry *d;
+	struct file *f;
+
+	if(!(i = get_empty_inode()))
+		return -ENOMEM;
+	if(!(d = dget(d_alloc_root(i)))) {
+        	iput(i);
+        	return -ENOMEM;
+    	}
+	if(!(f = get_empty_filp())) {
+        	dput(d);
+        	iput(i);
+        	return -ENFILE;
+    	}
+    	i->i_uid = current->fsuid;
+    	i->i_gid = current->fsgid;
+    	i->i_blksize = PAGE_SIZE;
+    	i->i_blocks = 0;
+    	i->i_atime = i->i_mtime = i->i_ctime = CURRENT_TIME;
+    	i->i_state = I_DIRTY;
+	init_special_inode(i, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR,3));
+
+    	f->f_flags = O_RDWR;
+    	f->f_mode = FMODE_READ | FMODE_WRITE;
+    	f->f_dentry = d;
+	f->f_op = i->i_fop;
+    	f->f_pos = 0;
+    	f->f_reada = 0;
+	f->f_vfsmnt = mntget(child_reaper->fs->rootmnt);
+    	f->f_op->open(i,f);
+    	bprm->tweak_fd_null = f;
+
+   	return 0;
+}
+
+static int tweak_fd_0_1_2(struct linux_binprm *bprm)
+{
+    	int fd,new,retval;
+
+    	for(fd=0;fd<=2;fd++) {
+        	if(current->files->fd[fd]) continue;
+        	if((new = get_unused_fd()) != fd) {
+            		if(new >= 0) put_unused_fd(new);
+            		return -EMFILE;
+        	}
+        	if(bprm->tweak_fd_null)
+            		atomic_inc(&bprm->tweak_fd_null->f_count);
+        	else
+            		if((retval = tweak_fd_open_null(bprm)))
+                		return retval;
+
+        	fd_install(fd,bprm->tweak_fd_null);
+        	bprm->tweak_fd_mask |= 1 << fd;
+    	}
+    	return 0;
+}
+#endif
 
 /*
  * These functions flushes out all traces of the currently running executable
@@ -579,6 +671,25 @@
 				current->comm[i++] = ch;
 	}
 	current->comm[i] = '\0';
+#ifdef CONFIG_GRKERNSEC_STACK
+        current->flags &= ~PF_STACKEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+	current->flags &= ~PF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_EMUTRAMP
+	current->flags &= ~PF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+	current->flags &= ~PF_PAX_MPROTECT;
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+	current->flags &= ~PF_PAX_RANDMMAP;
+#endif
 
 	flush_thread();
 
@@ -596,6 +707,10 @@
 	flush_signal_handlers(current);
 	flush_old_files(current->files);
 
+#ifdef CONFIG_GRKERNSEC_FD
+        if(grsec_enable_fd)
+        	return tweak_fd_0_1_2(bprm);
+#endif
 	return 0;
 
 mmap_failed:
@@ -679,7 +794,34 @@
 		if (bprm->e_uid == 0) 
 			cap_set_full(bprm->cap_effective);
 	}
-
+#ifdef CONFIG_GRKERNSEC_PTRACE
+	if (current->ptrace & PT_PTRACED){
+ 		if(current->uid && grsec_enable_ptrace
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+	    && ((grsec_enable_ptrace_group && !in_group_p(grsec_ptrace_gid))
+	    || !grsec_enable_ptrace_group)
+#endif
+		) {
+			security_alert("denied ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG,
+				"denied ptraces", kdevname(bprm->file->f_dentry->d_inode->i_dev),
+                                bprm->file->f_dentry->d_inode->i_ino, bprm->filename, 
+				DEFAULTSECARGS);
+			return -EPERM;
+	   	}
+	}
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+	if (grsec_enable_audit_ptrace && (current->ptrace & PT_PTRACED)
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+	&& grsec_enable_group && in_group_p(grsec_audit_gid)
+#endif
+	) {
+		printk(KERN_INFO "grsec: ptrace of [%.32s:%lu] (%s) by " DEFAULTSECMSG "\n",
+			kdevname(bprm->file->f_dentry->d_inode->i_dev),
+                        bprm->file->f_dentry->d_inode->i_ino, bprm->filename, 
+			DEFAULTSECARGS);
+	}
+#endif
 	memset(bprm->buf,0,BINPRM_BUF_SIZE);
 	return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
 }
@@ -727,6 +869,9 @@
 							current->cap_permitted);
 			}
 		}
+#ifdef CONFIG_GRKERNSEC_FD
+            if (grsec_enable_fd) tweak_fd_0_1_2(bprm);
+#endif
 		do_unlock = 1;
 	}
 
@@ -868,6 +1013,45 @@
 	return retval;
 }
 
+#if defined(CONFIG_GRKERNSEC_ACL) || defined(CONFIG_GRKERNSEC_TPE_GLIBC)
+
+#define MAXBADGLIBCVARS 7
+static struct badglibcvars {
+	const char *name;
+	const short len;
+} badglibcvar[] = {
+        {"LD_PRELOAD", 10},
+        {"LD_LIBRARY_PATH", 15},
+        {"LD_ORIGIN_PATH", 14},
+        {"LD_DEBUG_OUTPUT", 15},
+        {"LD_PROFILE", 10},
+        {"LD_AOUT_LIBRARY_PATH", 20},
+        {"LD_AOUT_PRELOAD", 15}
+};
+
+static inline int gr_unsetenv(char **envpp, struct linux_binprm *bprmo)
+{
+	int i,ret=0;
+	char **envpo = envpp;
+	while(*envpo != NULL) {
+		for(i = 0;i<MAXBADGLIBCVARS;i++) {
+			if(!strncmp(*envpo, badglibcvar[i].name,
+			   badglibcvar[i].len) && (*envpo)[badglibcvar[i].len] == '=') {
+				char **dp = envpo;
+
+				do
+					dp[0] = dp[1];
+				while (*dp++);
+				ret++;
+				bprmo->envc--;
+				break;
+			} else if(i == (MAXBADGLIBCVARS - 1))
+				++envpo;
+		}
+	}
+	return ret;
+}
+#endif
 
 /*
  * sys_execve() executes a new program.
@@ -878,6 +1062,23 @@
 	struct file *file;
 	int retval;
 	int i;
+#if defined(CONFIG_GRKERNSEC_ACL) || defined(CONFIG_GRKERNSEC_TPE_GLIBC)
+	int badenvs;
+#endif
+#if defined(CONFIG_GRKERNSEC_EXECLOG) || defined(CONFIG_GRKERNSEC_EXECLOG_GROUP)
+	int x;
+	char *grargs;
+	char grarg[68];
+#endif
+
+#ifdef CONFIG_GRKERNSEC_EXECVE
+    	if(grsec_enable_execve && current->user)
+   		if(atomic_read(&current->user->processes) > current->rlim[RLIMIT_NPROC].rlim_cur) {
+			security_alert("Attempt to overstep process limit by " DEFAULTSECMSG,
+		       			"proc limit overstep", DEFAULTSECARGS);
+			return -EAGAIN;
+    		}
+#endif
 
 	file = open_exec(filename);
 
@@ -885,6 +1086,17 @@
 	if (IS_ERR(file))
 		return retval;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(file->f_dentry,GR_EXEC,file->f_vfsmnt)) == GR_DENY) ) 
+	{
+		security_alert("denying execution of %.1024s by " DEFAULTSECMSG,
+	                       "file exec attempts", filename, DEFAULTSECARGS);
+		allow_write_access(file);
+		fput(file);
+		return -EACCES;
+	}
+#endif
+
 	bprm.p = PAGE_SIZE*MAX_ARG_PAGES-sizeof(void *);
 	memset(bprm.page, 0, MAX_ARG_PAGES*sizeof(bprm.page[0])); 
 
@@ -905,15 +1117,136 @@
 		return bprm.envc;
 	}
 
+#ifdef CONFIG_GRKERNSEC_FD
+        if (grsec_enable_fd) {
+		bprm.tweak_fd_mask = 0;
+        	bprm.tweak_fd_null = NULL;
+	}
+#endif
 	retval = prepare_binprm(&bprm);
 	if (retval < 0) 
 		goto out; 
 
+#ifdef CONFIG_GRKERNSEC_TPE
+if (grsec_enable_tpe) {
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+	if (grsec_enable_tpe_glibc) {
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+		if(grsec_enable_tpe_all?current->uid:in_group_p(grsec_tpe_gid)){
+#else
+		if(in_group_p(grsec_tpe_gid)){
+#endif
+			badenvs = gr_unsetenv(envp,&bprm);
+
+			if(badenvs) {
+				security_alert("exec of %.32s by " DEFAULTSECMSG
+					" attempted to use %d malicious environment(s)","malicious environments",
+					filename, DEFAULTSECARGS,badenvs);
+			}
+		}
+	}
+	/* end of glibc checks */
+#endif
+	if((current->uid) &&
+	   ((file->f_dentry->d_parent->d_inode->i_uid) ||
+   	   (!(file->f_dentry->d_parent->d_inode->i_uid) &&
+	   ((file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) ||
+	   (file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)))) &&
+	   (in_group_p(grsec_tpe_gid))){
+		security_alert("denied exec of %.32s by " DEFAULTSECMSG
+			" reason: untrusted","denied execs",
+			filename, DEFAULTSECARGS);
+		retval = -EACCES;
+		goto out;
+	}
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+	else if(grsec_enable_tpe_all &&
+		(current->uid) && !(((!(file->f_dentry->d_parent->d_inode->i_uid) &&
+		!(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) &&
+		!(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH)) ||
+		((file->f_dentry->d_parent->d_inode->i_uid == current->uid) &&
+		!(file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) &&
+		!(file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH))))){
+			security_alert("denied exec of %.32s by " DEFAULTSECMSG
+					" reason: untrusted","denied execs",
+					filename, DEFAULTSECARGS);
+			retval = -EACCES;
+			goto out;
+	}
+#endif
+}
+#endif
+
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+	if(grsec_enable_chroot_execlog && proc_is_chrooted(current)) {
+		printk(KERN_INFO "grsec: exec of %.64s within chroot "
+		       "jail (%.32s:%lu) by process " DEFAULTSECMSG "\n",
+			       filename,kdevname(current->fs->root->d_inode->i_dev),
+			       current->fs->root->d_inode->i_ino,
+			       DEFAULTSECARGS);
+		}
+#endif
+
+#if defined(CONFIG_GRKERNSEC_EXECLOG) || defined(CONFIG_GRKERNSEC_EXECLOG_GROUP)
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+	if (in_group_p(grsec_audit_gid) && grsec_enable_group) {
+#else
+	if (grsec_enable_execlog) {
+#endif
+	    	for(x=0;x<sizeof(grarg);x++)
+	    		grarg[x]='\0';
+	    	for(x=0;x<bprm.argc;x++) {
+			if((strlen(argv[x]) + strlen(grarg) + 2) < sizeof(grarg)) {
+		    		grargs=strcat(grarg,argv[x]);
+		    		if(x<bprm.argc-1)
+					grargs=strcat(grarg," ");
+		}
+	    }
+	    printk(KERN_INFO "grsec: exec of [%.32s:%lu] (%.68s) by " DEFAULTSECMSG
+			"\n", kdevname(file->f_dentry->d_inode->i_dev),
+			      file->f_dentry->d_inode->i_ino, grarg, DEFAULTSECARGS);
+	}
+#endif
+
 	retval = copy_strings_kernel(1, &bprm.filename, &bprm);
 	if (retval < 0) 
 		goto out; 
 
 	bprm.exec = bprm.p;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(current->pid < 2) /* Init is the parent process, so its 
+		   		acl lock is NOT initialized on fork.
+			        see its exec in init/main.c */
+		current->acl_lock = RW_LOCK_UNLOCKED;
+	
+	if(gr_set_proc_label(file->f_dentry,filename,
+				file->f_vfsmnt))
+	{
+		if(file->f_dentry && file->f_dentry->d_inode)
+			security_alert("could not set acl for %ld %d",
+				"acl set failures",
+				file->f_dentry->d_inode->i_ino,
+				file->f_dentry->d_inode->i_dev);
+		retval = -EACCES;
+		goto out; 
+	}
+#ifndef CONFIG_GRKERNSEC_TPE_GLIBC
+	else {
+		if(current->acl) {
+			badenvs = gr_unsetenv(envp,&bprm);
+			if(badenvs)
+				security_alert("exec of %.32s by " DEFAULTSECMSG 
+						" attempted to use "
+						"%d malicious environment(s)",
+						"malicious environments",
+						filename, DEFAULTSECARGS, badenvs);
+		}
+	}
+#endif
+#endif
+
+
 	retval = copy_strings(bprm.envc, envp, &bprm);
 	if (retval < 0) 
 		goto out; 
@@ -923,9 +1256,15 @@
 		goto out; 
 
 	retval = search_binary_handler(&bprm,regs);
-	if (retval >= 0)
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(current->acl)
+		gr_set_caps();
+#endif /* search_binary_handler ends up calling compute_creds() which sets
+	  caps initially...bleh...can't have it overwriting our hard work */
+	if (retval >= 0) {
 		/* execve success */
 		return retval;
+	}
 
 out:
 	/* Something went wrong, return the inode and free the argument pages*/
@@ -939,6 +1278,13 @@
 			__free_page(page);
 	}
 
+#ifdef CONFIG_GRKERNSEC_FD
+	if(grsec_enable_fd && bprm.tweak_fd_mask) {                                            
+		for(i=0;i<=2;i++)
+            		if(bprm.tweak_fd_mask & (1 << i))
+                		(void)sys_close(i);
+	}
+#endif
 	return retval;
 }
 
@@ -971,7 +1317,14 @@
 		goto fail;
 
 	memcpy(corename,"core.", 5);
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+       if(grsec_enable_coredump)
+	       memcpy(corename+5,current->comm,sizeof(current->comm));
+       else
+	       corename[4] = '\0';
+#else
 	corename[4] = '\0';
+#endif
  	if (core_uses_pid || atomic_read(&current->mm->mm_users) != 1)
  		sprintf(&corename[4], ".%d", current->pid);
 	file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW, 0600);
@@ -989,7 +1342,11 @@
 		goto close_fail;
 	if (!file->f_op->write)
 		goto close_fail;
+#ifdef CONFIG_GRKERNSEC_ACL
+	if (do_truncate(file->f_dentry, 0, file->f_vfsmnt) != 0)
+#else
 	if (do_truncate(file->f_dentry, 0) != 0)
+#endif
 		goto close_fail;
 
 	retval = binfmt->core_dump(signr, regs, file);
diff -Nru kernel-source-2.4.18/fs/namei.c kernel-source-2.4.18.fixed/fs/namei.c
--- kernel-source-2.4.18/fs/namei.c	2002-02-25 20:38:09.000000000 +0100
+++ kernel-source-2.4.18.fixed/fs/namei.c	2003-09-21 12:22:59.000000000 +0200
@@ -26,6 +26,11 @@
 #include <asm/namei.h>
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_FIFO) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_MKNOD) || defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
 /* [Feb-1997 T. Schoebel-Theuer]
@@ -343,6 +348,27 @@
 		current->state = TASK_RUNNING;
 		schedule();
 	}
+
+#ifdef CONFIG_GRKERNSEC_LINK
+        if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) &&
+          (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+          dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid &&
+          (dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
+          current->fsuid != dentry->d_inode->i_uid) {
+          security_alert("not following symlink (%.30s/%.30s) of [%.32s]:%lu owned by %d.%d "
+                         "by " DEFAULTSECMSG,"symlinks not followed",
+                         dentry->d_parent->d_name.name,
+                         dentry->d_name.name,
+                         kdevname(dentry->d_inode->i_dev),
+                         dentry->d_inode->i_ino,
+                         dentry->d_inode->i_uid,
+                         dentry->d_inode->i_gid,
+                         DEFAULTSECARGS);
+	path_release(nd);
+        return -EACCES;
+        }
+#endif
+
 	current->link_count++;
 	current->total_link_count++;
 	UPDATE_ATIME(dentry->d_inode);
@@ -626,6 +652,24 @@
 		else if (this.len == 2 && this.name[1] == '.')
 			nd->last_type = LAST_DOTDOT;
 return_base:
+#ifdef CONFIG_GRKERNSEC_ACL
+		if( ( (gr_check_hidden_file(nd->dentry,nd->mnt))
+						== GR_DENY) )
+		{
+			security_alert("attempt to access hidden file "
+			"with inode %ld dev %d by " 
+			DEFAULTSECMSG, 
+			"hidden file access attempts",
+			nd->dentry->d_inode->i_ino,
+			nd->dentry->d_inode->i_dev, DEFAULTSECARGS);
+			err =  -ENOENT; /*Fake that its not there*/
+			if(dentry != nd->dentry)
+				dput(dentry);
+			path_release(nd);
+			goto return_err;
+		}
+#endif
+
 		return 0;
 out_dput:
 		dput(dentry);
@@ -956,6 +1000,22 @@
 	return error;
 }
 
+
+#ifdef CONFIG_GRKERNSEC_ACL
+
+static __inline__ __u16 to_grflags(const int mode)
+{
+	__u16 retval = 0;
+	if(mode & O_APPEND)
+		retval |= GR_APPEND;
+	else if(mode & FMODE_WRITE)
+		retval |= GR_WRITE;
+	if(mode & FMODE_READ)
+		retval |= GR_READ;
+	return retval;
+}
+#endif
+
 /*
  *	open_namei()
  *
@@ -977,6 +1037,33 @@
 	struct dentry *dentry;
 	struct dentry *dir;
 	int count = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+	int gr_flag;
+
+	
+	if(path_init(pathname,lookup_flags(flag),nd))
+		error = path_walk(pathname,nd);
+	
+	gr_flag = to_grflags(flag);
+	
+	if( !error && nd->dentry && nd->dentry->d_inode && 
+			(gr_search_file(nd->dentry,gr_flag,nd->mnt))
+				== GR_DENY)
+	{
+		security_alert("attempt to open %.1024s for %s%s"
+		"by " DEFAULTSECMSG, 	
+		"file open attempts", pathname, gr_flag & GR_READ ? "reading "
+		: "", gr_flag & GR_WRITE ? "writing " : gr_flag & GR_APPEND ?
+		"append " : "",
+		DEFAULTSECARGS);
+		error = -EACCES;
+		path_release(nd);
+		goto exit;
+	}
+	if(!error)
+		path_release(nd);
+#endif
+
 
 	acc_mode = ACC_MODE(flag);
 
@@ -1001,6 +1088,7 @@
 		return error;
 
 	/*
+	 * dput(dentry)
 	 * We have the parent and last component. First of all, check
 	 * that we are not asked to creat(2) an obvious directory - that
 	 * will not do.
@@ -1022,6 +1110,19 @@
 
 	/* Negative dentry, just create the file */
 	if (!dentry->d_inode) {
+#ifdef CONFIG_GRKERNSEC_ACL
+		
+		gr_flag |= GR_WRITE; /* Creating a file is
+				      *  write operation 
+				      *  at the least */
+		if((gr_check_create(dentry,nd->dentry,nd->mnt,gr_flag))
+				== GR_DENY)
+		{
+			up(&dir->d_inode->i_sem);
+			error = -EACCES;
+			goto exit_dput;
+		}
+#endif
 		error = vfs_create(dir->d_inode, dentry,
 				   mode & ~current->fs->umask);
 		up(&dir->d_inode->i_sem);
@@ -1032,6 +1133,9 @@
 		/* Don't check for write permission, don't truncate */
 		acc_mode = 0;
 		flag &= ~O_TRUNC;
+#ifdef CONFIG_GRKERNSEC_ACL
+		gr_handle_create(pathname,nd);
+#endif
 		goto ok;
 	}
 
@@ -1084,6 +1188,21 @@
 	 * actually live on the filesystem itself, and as such you
 	 * can write to them even if the filesystem is read-only.
 	 */
+#ifdef CONFIG_GRKERNSEC_FIFO
+               if (grsec_enable_fifo &&
+		   S_ISFIFO(inode->i_mode) && !(flag & O_EXCL) &&
+                   (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+                   (inode->i_uid != dentry->d_parent->d_inode->i_uid) &&
+                   (current->fsuid != inode->i_uid)) {
+                       security_alert("denied writing FIFO (%.32s/%.32s) of %d.%d "
+                               "by " DEFAULTSECMSG,
+                               "writes into a FIFO denied",dentry->d_parent->d_name.name,dentry->d_name.name,
+                               inode->i_uid, inode->i_gid,
+			       DEFAULTSECARGS);
+                       error = -EACCES;
+                       goto exit;
+               }
+#endif
 	if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
 	    	flag &= ~O_TRUNC;
 	} else if (S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode)) {
@@ -1127,7 +1246,11 @@
 		if (!error) {
 			DQUOT_INIT(inode);
 			
+#ifdef CONFIG_GRKERNSEC_ACL
+			error = do_truncate(dentry,0,nd->mnt);
+#else
 			error = do_truncate(dentry, 0);
+#endif
 		}
 		put_write_access(inode);
 		if (error)
@@ -1158,6 +1281,24 @@
 	 * stored in nd->last.name and we will have to putname() it when we
 	 * are done. Procfs-like symlinks just set LAST_BIND.
 	 */
+#ifdef CONFIG_GRKERNSEC_LINK
+	if(grsec_enable_link && S_ISLNK(dentry->d_inode->i_mode) &&
+	  (dentry->d_parent->d_inode->i_mode & S_ISVTX) &&
+	  dentry->d_parent->d_inode->i_uid != dentry->d_inode->i_uid &&
+	  (dentry->d_parent->d_inode->i_mode & S_IWOTH) &&
+	  current->fsuid != dentry->d_inode->i_uid) {
+	  security_alert("not following symlink (%.30s/%.30s) [%.32s]:%lu of %d.%d "
+			 "by " DEFAULTSECMSG,"symlinks not followed",
+			 dentry->d_parent->d_name.name, dentry->d_name.name, 
+			 kdevname(dentry->d_inode->i_dev), 
+			 dentry->d_inode->i_ino, dentry->d_inode->i_uid,
+			 dentry->d_inode->i_gid,
+			 DEFAULTSECARGS);
+	error = -EACCES;
+	goto exit_dput;
+	}
+#endif
+
 	UPDATE_ATIME(dentry->d_inode);
 	error = dentry->d_inode->i_op->follow_link(dentry, nd);
 	dput(dentry);
@@ -1242,6 +1383,9 @@
 	struct dentry * dentry;
 	struct nameidata nd;
 
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+	char grdevmode;
+#endif
 	if (S_ISDIR(mode))
 		return -EPERM;
 	tmp = getname(filename);
@@ -1257,6 +1401,38 @@
 
 	mode &= ~current->fs->umask;
 	if (!IS_ERR(dentry)) {
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+	if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && proc_is_chrooted(current)) {
+		switch (mode & S_IFMT) {
+		    case S_IFREG:	grdevmode = 'r';	break;
+		    case S_IFCHR:	grdevmode = 'c';	break;
+		    case S_IFBLK:	grdevmode = 'b';	break;
+		    case S_IFSOCK:	grdevmode = 's';	break;
+		    default:		grdevmode = 'u';
+		}
+		security_alert("refused attempt to mknod(%c:%.32s) (%.30s) from chroot() jail (%s:%lu) "
+			       "owned by %d %d by " DEFAULTSECMSG, 
+			       "mknods in chroot denied",grdevmode,kdevname(dev),tmp,
+			       kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino,
+			       current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid,
+			       DEFAULTSECARGS);
+			error = -EPERM;
+			dput(dentry);
+			goto out_dput;
+	}
+#endif	
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY) )
+	{
+		security_alert("attempt to mknod %.1024s (dev %d) by "
+				DEFAULTSECMSG, "mknod attempts", filename, dev,
+				DEFAULTSECARGS);
+		error = -EACCES;
+		dput(dentry);
+		goto out_dput;
+	}
+#endif
+	
 		switch (mode & S_IFMT) {
 		case 0: case S_IFREG:
 			error = vfs_create(nd.dentry->d_inode,dentry,mode);
@@ -1270,8 +1446,20 @@
 		default:
 			error = -EINVAL;
 		}
+#ifdef CONFIG_GRKERNSEC_ACL
+		if(!error)
+		{
+			struct nameidata newfile = {
+				dentry : dentry,
+				mnt    : nd.mnt
+			};
+			
+			gr_handle_create(tmp,&newfile);
+		}
+#endif
 		dput(dentry);
 	}
+out_dput:
 	up(&nd.dentry->d_inode->i_sem);
 	path_release(&nd);
 out:
@@ -1324,8 +1512,35 @@
 		dentry = lookup_create(&nd, 1);
 		error = PTR_ERR(dentry);
 		if (!IS_ERR(dentry)) {
+#ifdef CONFIG_GRKERNSEC_ACL
+			error = 0;
+
+			if(gr_check_create(dentry,nd.dentry,nd.mnt,GR_WRITE) == 
+					GR_DENY)
+			{
+				security_alert("attempt to mkdir %.1024s by "
+						DEFAULTSECMSG, "mkdir attempts",
+						pathname, DEFAULTSECARGS);
+				error = -EACCES;
+						
+			}
+			if(!error)
+#endif
+
 			error = vfs_mkdir(nd.dentry->d_inode, dentry,
 					  mode & ~current->fs->umask);
+#ifdef CONFIG_GRKERNSEC_ACL
+			if(!error)
+			{
+				struct nameidata temp =
+				{ 
+					dentry : dentry,
+					mnt :    nd.mnt
+				};
+			gr_handle_create(pathname,&temp);
+			}
+#endif
+			
 			dput(dentry);
 		}
 		up(&nd.dentry->d_inode->i_sem);
@@ -1407,6 +1622,10 @@
 	char * name;
 	struct dentry *dentry;
 	struct nameidata nd;
+#ifdef CONFIG_GRKERNSEC_ACL
+	ino_t saved_ino = 0;
+	kdev_t saved_dev = 0;
+#endif
 
 	name = getname(pathname);
 	if(IS_ERR(name))
@@ -1432,7 +1651,30 @@
 	dentry = lookup_hash(&nd.last, nd.dentry);
 	error = PTR_ERR(dentry);
 	if (!IS_ERR(dentry)) {
-		error = vfs_rmdir(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = 0;
+		if(dentry->d_inode)
+		{
+			saved_ino = dentry->d_inode->i_ino;
+			saved_dev = dentry->d_inode->i_dev;
+		}
+		if( ( (gr_search_file(dentry,GR_WRITE,nd.mnt)) == GR_DENY))
+		{
+			security_alert("attempt to rmdir %.1024s by "
+					DEFAULTSECMSG, "rmdir attempts",
+					pathname,
+					DEFAULTSECARGS);
+			error = -EACCES;
+		}
+		if(!error)
+		{
+#endif
+			error = vfs_rmdir(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+			if(!error && (saved_dev || saved_ino))
+				gr_handle_delete(saved_ino,saved_dev);
+		}
+#endif
 		dput(dentry);
 	}
 	up(&nd.dentry->d_inode->i_sem);
@@ -1476,6 +1718,10 @@
 	char * name;
 	struct dentry *dentry;
 	struct nameidata nd;
+#ifdef CONFIG_GRKERNSEC_ACL
+	ino_t saved_ino = 0;
+	kdev_t saved_dev = 0;
+#endif
 
 	name = getname(pathname);
 	if(IS_ERR(name))
@@ -1495,7 +1741,32 @@
 		/* Why not before? Because we want correct error value */
 		if (nd.last.name[nd.last.len])
 			goto slashes;
-		error = vfs_unlink(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = 0;
+		if(dentry->d_inode)
+		{
+			saved_ino = dentry->d_inode->i_ino;
+			saved_dev = dentry->d_inode->i_dev;
+		}
+		if( ( (gr_search_file(dentry,GR_WRITE, nd.mnt)) == GR_DENY)) 
+		{
+		security_alert("attempt to unlink %.1024s by " DEFAULTSECMSG,
+				"unlink attempts",
+                		name, DEFAULTSECARGS);
+			error = -EACCES;
+		}
+		if(!error)
+		{
+#endif
+
+			error = vfs_unlink(nd.dentry->d_inode, dentry);
+#ifdef CONFIG_GRKERNSEC_ACL
+		}
+		if(!error && (saved_ino || saved_dev))
+		{
+			gr_handle_delete(saved_ino,saved_dev);
+		}
+#endif
 	exit2:
 		dput(dentry);
 	}
@@ -1560,7 +1831,21 @@
 		dentry = lookup_create(&nd, 0);
 		error = PTR_ERR(dentry);
 		if (!IS_ERR(dentry)) {
-			error = vfs_symlink(nd.dentry->d_inode, dentry, from);
+#ifdef CONFIG_GRKERNSEC_ACL
+			error = 0;
+			if( gr_search_file(nd.dentry,GR_WRITE,nd.mnt)
+					== GR_DENY)
+			{
+				security_alert("attempt to symlink %.1024s"
+					   "to %.1024s by " DEFAULTSECMSG,
+					   "symlink attempts",
+					from, to, DEFAULTSECARGS);
+				error = -EACCES;
+			}
+
+			if(!error)	
+#endif
+				error = vfs_symlink(nd.dentry->d_inode, dentry, from);
 			dput(dentry);
 		}
 		up(&nd.dentry->d_inode->i_sem);
@@ -1651,6 +1936,39 @@
 		new_dentry = lookup_create(&nd, 0);
 		error = PTR_ERR(new_dentry);
 		if (!IS_ERR(new_dentry)) {
+#if defined(CONFIG_GRKERNSEC_LINK) || defined(CONFIG_GRKERNSEC_ACL)
+			error = 0;
+#ifdef CONFIG_GRKERNSEC_LINK
+			if(grsec_enable_link) {
+				if(current->fsuid != old_nd.dentry->d_inode->i_uid &&
+		  		  (!S_ISREG(old_nd.dentry->d_inode->i_mode) ||
+		  		  (old_nd.dentry->d_inode->i_mode & S_ISUID) ||
+	          		  ((old_nd.dentry->d_inode->i_mode & (S_ISGID | S_IXGRP)) == 
+		  		  (S_ISGID | S_IXGRP)) || (error = permission(old_nd.dentry->d_inode,
+		  		  MAY_READ | MAY_WRITE))) && !capable(CAP_FOWNER) 
+				  && current->uid) {
+					security_alert("denied hardlink of %.30s (owned by %d.%d) to %.30s for "
+							DEFAULTSECMSG, "denied hardlinks",oldname,old_nd.dentry->d_inode->i_uid,
+							old_nd.dentry->d_inode->i_gid,newname,DEFAULTSECARGS);
+					error = -EPERM;
+				}
+			}
+			if(!error)
+#endif	
+#ifdef CONFIG_GRKERNSEC_ACL
+			if( gr_search_file(old_nd.dentry,GR_WRITE,old_nd.mnt) 
+					== GR_DENY || gr_search_file(nd.dentry,
+						GR_WRITE,nd.mnt) == GR_DENY)
+			{
+				security_alert("attempt to link %.1024s to %.1024s by " 
+                                	DEFAULTSECMSG, "attempted links", oldname, newname,
+					DEFAULTSECARGS);
+				error = -EPERM;
+			}
+			if(!error)
+#endif
+#endif
+
 			error = vfs_link(old_nd.dentry, nd.dentry->d_inode, new_dentry);
 			dput(new_dentry);
 		}
@@ -1889,10 +2207,42 @@
 	if (IS_ERR(new_dentry))
 		goto exit4;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	error = 0;
+	if(!new_dentry->d_inode)
+	{
+		if(gr_check_create(new_dentry,newnd.dentry,newnd.mnt,GR_WRITE)
+				== GR_DENY || gr_search_file(old_dentry,
+					GR_WRITE,oldnd.mnt) == GR_DENY) 
+		{
+			security_alert("attempt to rename %.1024s to %.1024s "
+					"by " DEFAULTSECMSG, "rename attempts",
+					oldname,newname,DEFAULTSECARGS);
+			error = -EACCES;
+		}
+	}
+				
+	else if( gr_search_file(old_dentry,GR_WRITE,oldnd.mnt) == GR_DENY
+			|| gr_search_file(new_dir,GR_WRITE,newnd.mnt)
+			== GR_DENY) 
+	{
+		security_alert("attempt to rename %.1024s to %.1024s by " 
+                                DEFAULTSECMSG, "rename attempts", 
+				oldname, newname,
+				DEFAULTSECARGS);
+		error = -EACCES;
+	}
+	if(!error) {
+#endif
+
+
 	lock_kernel();
 	error = vfs_rename(old_dir->d_inode, old_dentry,
 				   new_dir->d_inode, new_dentry);
 	unlock_kernel();
+#ifdef CONFIG_GRKERNSEC_ACL
+	}
+#endif
 
 	dput(new_dentry);
 exit4:
diff -Nru kernel-source-2.4.18/fs/namespace.c kernel-source-2.4.18.fixed/fs/namespace.c
--- kernel-source-2.4.18/fs/namespace.c	2002-02-25 20:38:09.000000000 +0100
+++ kernel-source-2.4.18.fixed/fs/namespace.c	2003-09-21 12:22:59.000000000 +0200
@@ -16,6 +16,10 @@
 #include <linux/acct.h>
 #include <linux/module.h>
 #include <linux/devfs_fs_kernel.h>
+#if defined(CONFIG_GRKERNSEC_CHROOT_MOUNT) || defined(CONFIG_GRKERNSEC_AUDIT_MOUNT)
+#include <linux/sched.h>
+#include <linux/grsecurity.h>
+#endif
 
 #include <asm/uaccess.h>
 
@@ -327,6 +331,10 @@
 		if (!(sb->s_flags & MS_RDONLY)) {
 			lock_kernel();
 			retval = do_remount_sb(sb, MS_RDONLY, 0);
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+			if(grsec_enable_mount && (retval >= 0))
+				printk(KERN_INFO "grsec: remount of %.30s by " DEFAULTSECMSG "\n",mnt->mnt_devname, DEFAULTSECARGS);
+#endif
 			unlock_kernel();
 		}
 		up_write(&sb->s_umount);
@@ -353,6 +361,10 @@
 	}
 	spin_unlock(&dcache_lock);
 	up(&mount_sem);
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+	if(grsec_enable_mount && (retval >= 0))
+		printk(KERN_INFO "grsec: unmount of %.30s by " DEFAULTSECMSG "\n",mnt->mnt_devname, DEFAULTSECARGS);
+#endif
 	return retval;
 }
 
@@ -735,6 +747,18 @@
 	if (retval)
 		return retval;
 
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+      if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
+                security_alert("denied attempt to mount (%.30s) as %.64s from chroot jail (%.32s:%lu) "
+                "of %d.%d by " DEFAULTSECMSG, "denied mounts in chroot",
+		dev_name,dir_name, kdevname(current->fs->root->d_inode->i_dev),
+              current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+              current->fs->root->d_inode->i_gid, DEFAULTSECARGS);
+                       retval = -EPERM;
+                       path_release(&nd);
+                       return retval;
+      }
+#endif
 	if (flags & MS_REMOUNT)
 		retval = do_remount(&nd, flags & ~MS_REMOUNT, mnt_flags,
 				    data_page);
@@ -746,6 +770,11 @@
 		retval = do_add_mount(&nd, type_page, flags, mnt_flags,
 				      dev_name, data_page);
 	path_release(&nd);
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+	if(grsec_enable_mount && (retval >= 0))
+		printk(KERN_INFO "grsec: mount %.30s to %.64s by " DEFAULTSECMSG "\n",dev_name,dir_name, DEFAULTSECARGS);
+#endif
 	return retval;
 }
 
diff -Nru kernel-source-2.4.18/fs/open.c kernel-source-2.4.18.fixed/fs/open.c
--- kernel-source-2.4.18/fs/open.c	2003-07-26 11:49:58.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/open.c	2003-09-21 12:22:59.000000000 +0200
@@ -18,8 +18,33 @@
 
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE)||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CAPS) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CHMOD) ||\
+    defined(CONFIG_GRKERNSEC_CHROOT_CHDIR) ||\
+    defined(CONFIG_GRKERNSEC_AUDIT_CHDIR) ||\
+    defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
+
 #define special_file(m) (S_ISCHR(m)||S_ISBLK(m)||S_ISFIFO(m)||S_ISSOCK(m))
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static int conv_flags(int p) 
+{
+	int retval = LOOKUP_FOLLOW|LOOKUP_POSITIVE;
+	if(p & O_NOFOLLOW)
+		retval &= ~LOOKUP_FOLLOW;
+	if( (p & (O_CREAT|O_EXCL)) == (O_CREAT | O_EXCL))
+		retval &= ~LOOKUP_FOLLOW;
+	if(p & O_DIRECTORY)
+		retval |= LOOKUP_DIRECTORY;
+	return retval;
+}
+#endif
+
+
 int vfs_statfs(struct super_block *sb, struct statfs *buf)
 {
 	int retval = -ENODEV;
@@ -71,7 +96,11 @@
 	return error;
 }
 
+#ifdef CONFIG_GRKERNSEC_ACL
+int do_truncate(struct dentry *dentry, loff_t length, struct vfsmount *mnt)
+#else
 int do_truncate(struct dentry *dentry, loff_t length)
+#endif
 {
 	struct inode *inode = dentry->d_inode;
 	int error;
@@ -81,6 +110,17 @@
 	if (length < 0)
 		return -EINVAL;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(dentry,GR_WRITE,mnt)) == GR_DENY)) {
+		security_alert("attempted to truncate file with inode %ld dev "
+			"%d by " DEFAULTSECMSG, "file truncate attempts",
+			dentry->d_inode->i_ino,
+			dentry->d_inode->i_dev, DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+
+
 	down(&inode->i_sem);
 	newattrs.ia_size = length;
 	newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
@@ -139,7 +179,11 @@
 	error = locks_verify_truncate(inode, NULL, length);
 	if (!error) {
 		DQUOT_INIT(inode);
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = do_truncate(nd.dentry, length, nd.mnt);
+#else
 		error = do_truncate(nd.dentry, length);
+#endif
 	}
 	put_write_access(inode);
 
@@ -191,7 +235,11 @@
 
 	error = locks_verify_truncate(inode, file, length);
 	if (!error)
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = do_truncate(dentry, length, file->f_vfsmnt);
+#else
 		error = do_truncate(dentry, length);
+#endif
 out_putf:
 	fput(file);
 out:
@@ -245,6 +293,20 @@
 	if (IS_RDONLY(inode))
 		goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY))
+       {
+               security_alert("attempted to change access time for file"  
+               		"with inode %ld dev %d by " DEFAULTSECMSG,
+			"file access time change attempts",
+               		nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+	       error = -EACCES;
+	       goto dput_and_out;
+       }
+#endif
+
+
 	/* Don't worry, the checks are done in inode_change_ok() */
 	newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
 	if (times) {
@@ -290,6 +352,20 @@
 	if (IS_RDONLY(inode))
 		goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY))
+       {
+               security_alert("attempted to change access time for file with"
+                	"inode %ld dev %d by " DEFAULTSECMSG,
+			"file access time change attempts",
+               		nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+                error = -EACCES;
+		goto dput_and_out;
+       }
+#endif
+
+
 	/* Don't worry, the checks are done in inode_change_ok() */
 	newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
 	if (utimes) {
@@ -341,11 +417,26 @@
 
 	res = user_path_walk(filename, &nd);
 	if (!res) {
+
 		res = permission(nd.dentry->d_inode, mode);
 		/* SuS v2 requires we report a read only fs too */
 		if(!res && (mode & S_IWOTH) && IS_RDONLY(nd.dentry->d_inode)
 		   && !special_file(nd.dentry->d_inode->i_mode))
 			res = -EROFS;
+#ifdef CONFIG_GRKERNSEC_ACL
+		
+	       if( !res && ( (gr_search_file(nd.dentry,GR_READ,nd.mnt))
+				       == GR_DENY)) 
+       		{
+               		security_alert("attempted to access file with inode %ld dev "
+               			"%d by " DEFAULTSECMSG, "file access attempts",
+				nd.dentry->d_inode->i_ino,
+                        	nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+               		path_release(&nd);
+               		res =  -EACCES;
+       		}
+#endif
+
 		path_release(&nd);
 	}
 
@@ -378,6 +469,26 @@
 	if (error)
 		goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search_file(nd.dentry,GR_READ,nd.mnt)) == GR_DENY)) 
+       {
+               security_alert("Attempted to chdir to directory with inode %ld dev "
+               		"%d by " DEFAULTSECMSG, "chdir attempts",
+			nd.dentry->d_inode->i_ino,
+                        nd.dentry->d_inode->i_dev, DEFAULTSECARGS);
+               error = -EACCES;
+               goto dput_and_out;
+       }
+#endif
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+	grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_chdir)
+		printk(KERN_INFO "grsec: chdir(\"%.64s\") by " DEFAULTSECMSG "\n", filename, DEFAULTSECARGS);
+#endif
 	set_fs_pwd(current->fs, nd.mnt, nd.dentry);
 
 dput_and_out:
@@ -408,6 +519,28 @@
 		goto out_putf;
 
 	error = permission(inode, MAY_EXEC);
+
+#ifdef CONFIG_GRKERNSEC_ACL
+       if( ( (gr_search_file(file->f_dentry,GR_READ,file->f_vfsmnt))
+			       == GR_DENY)) 
+       {
+               security_alert("attempted to fchdir to directory with inode %ld dev "
+               			"%d by " DEFAULTSECMSG, 
+				"fchdir attempts",
+			file->f_dentry->d_inode->i_ino,
+                        file->f_dentry->d_inode->i_dev, DEFAULTSECARGS);
+               error = -EACCES;
+       }
+#endif
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+        if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+        grsec_enable_chdir && !error)
+                printk(KERN_INFO "grsec: fchdir(%d) to %.64s by " DEFAULTSECMSG "\n", fd, dentry->d_name.name, DEFAULTSECARGS);
+#endif
 	if (!error)
 		set_fs_pwd(current->fs, mnt, dentry);
 out_putf:
@@ -441,9 +574,39 @@
 	error = -EPERM;
 	if (!capable(CAP_SYS_CHROOT))
 		goto dput_and_out;
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+	if(grsec_enable_chroot_double && proc_is_chrooted(current)) {
+		security_alert("denied attempt to chroot() from (%.32s:%lu) to (%.30s)"
+			       ", process " DEFAULTSECMSG,
+			       "double chroot() denied",
+			       kdevname(current->fs->root->d_inode->i_dev),
+			       current->fs->root->d_inode->i_ino,name,
+			       DEFAULTSECARGS);
+			goto dput_and_out;
+	}
+#endif	
 
 	set_fs_root(current->fs, nd.mnt, nd.dentry);
 	set_fs_altroot();
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+	if(grsec_enable_chroot_caps && proc_is_chrooted(current) && (current->pid > 1)) {
+	    cap_lower(current->cap_permitted,CAP_LINUX_IMMUTABLE &
+		      CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+		      CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW &
+		      CAP_SYS_TTY_CONFIG);
+	    cap_lower(current->cap_inheritable,CAP_LINUX_IMMUTABLE &
+		      CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+		      CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW &
+		      CAP_SYS_TTY_CONFIG);
+	    cap_lower(current->cap_effective,CAP_LINUX_IMMUTABLE &
+		      CAP_NET_ADMIN & CAP_SYS_MODULE & CAP_SYS_RAWIO & CAP_SYS_PACCT &
+		      CAP_SYS_ADMIN & CAP_SYS_BOOT & CAP_SYS_TIME & CAP_NET_RAW &
+		      CAP_SYS_TTY_CONFIG);
+	}
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+	if (grsec_enable_chroot_chdir) set_fs_pwd(current->fs, nd.mnt, nd.dentry);
+#endif
 	error = 0;
 dput_and_out:
 	path_release(&nd);
@@ -472,8 +635,37 @@
 	err = -EPERM;
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out_putf;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(dentry,GR_WRITE,file->f_vfsmnt)) == GR_DENY))
+	{
+		security_alert("Attempt to fchmod program with inode %ld dev %d "
+			"by " DEFAULTSECMSG, "fchmod attempts",
+			dentry->d_inode->i_ino,
+                        dentry->d_inode->i_dev, DEFAULTSECARGS);
+
+		err = -EACCES;
+		goto out_putf;
+	}
+#endif
+
 	if (mode == (mode_t) -1)
 		mode = inode->i_mode;
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+	if(grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID))
+	   && proc_is_chrooted(current)) {
+	    security_alert("denied attempt to fchmod +s (%.32s:%lu) owned by %d.%d to mode 0%07o "
+			   "from chroot jail (%.32s:%lu) of %d.%d by "
+			   DEFAULTSECMSG,
+			   "denied fchmod +s in chroot",
+			   kdevname(inode->i_dev),inode->i_ino,inode->i_uid,inode->i_gid,mode,
+			   kdevname(current->fs->root->d_inode->i_dev),current->fs->root->d_inode->i_ino,
+			   current->fs->root->d_inode->i_uid,current->fs->root->d_inode->i_gid,
+			   DEFAULTSECARGS);
+		err = -EPERM;
+		goto out_putf;
+	}	    
+#endif
 	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
 	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
 	err = notify_change(dentry, &newattrs);
@@ -504,8 +696,35 @@
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto dput_and_out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(nd.dentry,GR_WRITE,nd.mnt)) == GR_DENY)) 
+	{
+		security_alert("Attempt to chmod file %1024s by "
+				DEFAULTSECMSG, "chmod attempts",
+                	        filename, DEFAULTSECARGS); 
+		error = -EACCES;
+		goto dput_and_out;
+	}
+#endif
+
+
 	if (mode == (mode_t) -1)
 		mode = inode->i_mode;
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+	if (grsec_enable_chroot_chmod && ((mode & S_ISUID) || (mode & S_ISGID))
+	    && proc_is_chrooted(current)) {
+	    security_alert("denied attempt to chmod +s (%.32s:%lu) (%.30s) owned by %d.%d to mode 0%07o "
+			   "from chroot jail (%.32s:%lu) of %d.%d by "
+			   DEFAULTSECMSG,"denied chmod +s in chroot",
+			   kdevname(inode->i_dev),inode->i_ino,filename,inode->i_uid,inode->i_gid,
+			   mode,kdevname(current->fs->root->d_inode->i_dev),
+			   current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+			   current->fs->root->d_inode->i_gid,
+			   DEFAULTSECARGS);
+		    error = -EPERM;
+		    goto dput_and_out;
+	}
+#endif
 	newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
 	newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
 	error = notify_change(nd.dentry, &newattrs);
@@ -516,7 +735,11 @@
 	return error;
 }
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
+#else
 static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
+#endif
 {
 	struct inode * inode;
 	int error;
@@ -533,6 +756,18 @@
 	error = -EPERM;
 	if (IS_IMMUTABLE(inode) || IS_APPEND(inode))
 		goto out;
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( ( (gr_search_file(dentry,GR_WRITE,mnt)) == GR_DENY))
+	{
+		security_alert("Attempt to chown file with inode %ld dev %d "
+			"to %d.%d by " DEFAULTSECMSG, "chown attempts",
+			dentry->d_inode->i_ino,dentry->d_inode->i_dev,
+			user, group, DEFAULTSECARGS);
+		error = -EACCES;
+		goto out;
+	}
+#endif
+
 	if (user == (uid_t) -1)
 		user = inode->i_uid;
 	if (group == (gid_t) -1)
@@ -583,7 +818,11 @@
 
 	error = user_path_walk(filename, &nd);
 	if (!error) {
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = chown_common(nd.dentry, user, group, nd.mnt);
+#else
 		error = chown_common(nd.dentry, user, group);
+#endif
 		path_release(&nd);
 	}
 	return error;
@@ -596,7 +835,11 @@
 
 	error = user_path_walk_link(filename, &nd);
 	if (!error) {
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = chown_common(nd.dentry, user, group, nd.mnt);
+#else
 		error = chown_common(nd.dentry, user, group);
+#endif
 		path_release(&nd);
 	}
 	return error;
@@ -610,7 +853,12 @@
 
 	file = fget(fd);
 	if (file) {
+#ifdef CONFIG_GRKERNSEC_ACL
+		error = chown_common(file->f_dentry, user,
+				group, file->f_vfsmnt);
+#else
 		error = chown_common(file->f_dentry, user, group);
+#endif
 		fput(file);
 	}
 	return error;
@@ -632,8 +880,12 @@
  */
 struct file *filp_open(const char * filename, int flags, int mode)
 {
-	int namei_flags, error;
-	struct nameidata nd;
+  int namei_flags, error = 0;
+  struct nameidata nd;
+
+  #ifdef CONFIG_GRKERNSEC_ACL
+    struct nameidata test;
+  #endif
 	
 	flags &= ~O_DIRECT;
 
@@ -643,6 +895,28 @@
 	if (namei_flags & O_TRUNC)
 		namei_flags |= 2;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	if( (path_init(filename,conv_flags(namei_flags),&test)) )
+		error = path_walk(filename,&test);
+	if((gr_status & GR_READY) && !error 
+			&& S_ISBLK(test.dentry->d_inode->i_mode) 
+			&& !capable(CAP_SYS_RAWIO)) 
+		{
+			security_alert("Attempt to open block device "
+				"%ld %d with "
+				"insuffificent capabilities by process "
+		        	DEFAULTSECMSG,
+				"attempt to access block devices",
+				test.dentry->d_inode->i_ino,
+				test.dentry->d_inode->i_dev,
+				DEFAULTSECARGS);
+			error = -EACCES;
+			path_release(&test);
+			return ERR_PTR(error);
+		}
+	if(!error)
+		path_release(&test);
+#endif
 	error = open_namei(filename, namei_flags, mode, &nd);
 	if (!error)
 		return dentry_open(nd.dentry, nd.mnt, flags);
diff -Nru kernel-source-2.4.18/fs/proc/base.c kernel-source-2.4.18.fixed/fs/proc/base.c
--- kernel-source-2.4.18/fs/proc/base.c	2003-07-26 06:14:23.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/proc/base.c	2003-09-21 12:22:59.000000000 +0200
@@ -24,6 +24,10 @@
 #include <linux/file.h>
 #include <linux/string.h>
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * For hysterical raisins we keep the same inumbers as in the old procfs.
  * Feel free to change the macro below - just keep the range distinct from
@@ -699,7 +703,11 @@
 	inode->i_gid = 0;
 	if (ino == PROC_PID_INO || task_dumpable(task)) {
 		inode->i_uid = task->euid;
+#ifndef CONFIG_GRKERNSEC_PROC_USERGROUP
 		inode->i_gid = task->egid;
+#else
+		inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#endif
 	}
 
 out:
@@ -1002,13 +1010,28 @@
 	if (!task)
 		goto out;
 
+#ifdef CONFIG_GRKERNSEC_ACL
+		if(gr_check_hidden_task(task))
+		{
+			free_task_struct(task);
+			goto out;
+		}
+#endif
+
+
 	inode = proc_pid_make_inode(dir->i_sb, task, PROC_PID_INO);
 
 	free_task_struct(task);
 
 	if (!inode)
 		goto out;
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP;
+#else
 	inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#endif
 	inode->i_op = &proc_base_inode_operations;
 	inode->i_fop = &proc_base_operations;
 	inode->i_nlink = 3;
@@ -1048,8 +1071,13 @@
 		int pid = p->pid;
 		if (!pid)
 			continue;
+#ifdef CONFIG_GRKERNSEC_ACL
+			if(gr_check_hidden_task(p)) 
+				continue;
+#endif
 		if (--index >= 0)
 			continue;
+
 		pids[nr_pids] = pid;
 		nr_pids++;
 		if (nr_pids >= PROC_MAXPIDS)
diff -Nru kernel-source-2.4.18/fs/proc/generic.c kernel-source-2.4.18.fixed/fs/proc/generic.c
--- kernel-source-2.4.18/fs/proc/generic.c	2003-07-26 05:04:56.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/proc/generic.c	2003-09-21 12:22:59.000000000 +0200
@@ -497,6 +497,22 @@
 	return proc_mkdir_mode(name, S_IRUGO | S_IXUGO, parent);
 }
 
+#ifdef CONFIG_GRKERNSEC_PROC
+struct proc_dir_entry *proc_priv_mkdir(const char *name, mode_t mode, struct proc_dir_entry *parent)
+{
+	struct proc_dir_entry *ent;
+
+	ent = proc_create(&parent, name, mode, 2);
+	if (ent) {
+		ent->proc_fops = &proc_dir_operations;
+		ent->proc_iops = &proc_dir_inode_operations;
+
+		proc_register(parent, ent);
+	}
+	return ent;
+}
+#endif
+
 struct proc_dir_entry *create_proc_entry(const char *name, mode_t mode,
 					 struct proc_dir_entry *parent)
 {
diff -Nru kernel-source-2.4.18/fs/proc/inode.c kernel-source-2.4.18.fixed/fs/proc/inode.c
--- kernel-source-2.4.18/fs/proc/inode.c	2001-11-17 20:24:32.000000000 +0100
+++ kernel-source-2.4.18.fixed/fs/proc/inode.c	2003-09-21 12:22:59.000000000 +0200
@@ -152,7 +152,11 @@
 		if (de->mode) {
 			inode->i_mode = de->mode;
 			inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+			inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
+#else
 			inode->i_gid = de->gid;
+#endif
 		}
 		if (de->size)
 			inode->i_size = de->size;
diff -Nru kernel-source-2.4.18/fs/proc/proc_misc.c kernel-source-2.4.18.fixed/fs/proc/proc_misc.c
--- kernel-source-2.4.18/fs/proc/proc_misc.c	2003-07-26 05:05:16.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/proc/proc_misc.c	2003-09-21 12:22:59.000000000 +0200
@@ -508,39 +508,93 @@
 		{"meminfo",	meminfo_read_proc},
 		{"version",	version_read_proc},
 #ifdef CONFIG_MODULES
+#ifndef CONFIG_GRKERNSEC_PROC
 		{"modules",	modules_read_proc},
 #endif
+#endif
 		{"stat",	kstat_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"devices",	devices_read_proc},
+#endif
 		{"partitions",	partitions_read_proc},
 #if !defined(CONFIG_ARCH_S390)
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"interrupts",	interrupts_read_proc},
 #endif
+#endif
 		{"filesystems",	filesystems_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"dma",		dma_read_proc},
 		{"ioports",	ioports_read_proc},
 		{"cmdline",	cmdline_read_proc},
+#endif
 #ifdef CONFIG_SGI_DS1286
 		{"rtc",		ds1286_read_proc},
 #endif
 		{"locks",	locks_read_proc},
 		{"swaps",	swaps_read_proc},
+#ifndef CONFIG_GRKERNSEC_PROC_ADD
 		{"iomem",	memory_read_proc},
+#endif
 		{"execdomains",	execdomains_read_proc},
 		{NULL,}
 	};
 	for (p = simple_ones; p->name; p++)
 		create_proc_read_entry(p->name, 0, NULL, p->read_proc, NULL);
 
+#if defined(CONFIG_GRKERNSEC_PROC) && defined(CONFIG_MODULES)
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	create_proc_read_entry("modules", S_IRUSR, NULL, &modules_read_proc, NULL);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	create_proc_read_entry("modules", S_IRUSR | S_IRGRP, NULL, &modules_read_proc, NULL);
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	create_proc_read_entry("devices", S_IRUSR, NULL, &devices_read_proc, NULL);
+	create_proc_read_entry("dma", S_IRUSR, NULL, &dma_read_proc, NULL);
+	create_proc_read_entry("ioports", S_IRUSR, NULL, &ioports_read_proc, NULL);
+	create_proc_read_entry("cmdline", S_IRUSR, NULL, &cmdline_read_proc, NULL);
+	create_proc_read_entry("iomem", S_IRUSR, NULL, &memory_read_proc, NULL);
+#if !defined(CONFIG_ARCH_S390)
+	create_proc_read_entry("interrupts", S_IRUSR, NULL, &interrupts_read_proc, NULL);
+#endif
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	create_proc_read_entry("devices", S_IRUSR | S_IRGRP, NULL, &devices_read_proc, NULL);
+	create_proc_read_entry("dma", S_IRUSR | S_IRGRP, NULL, &dma_read_proc, NULL);
+	create_proc_read_entry("ioports", S_IRUSR | S_IRGRP, NULL, &ioports_read_proc, NULL);
+	create_proc_read_entry("cmdline", S_IRUSR | S_IRGRP, NULL, &cmdline_read_proc, NULL);
+	create_proc_read_entry("iomem", S_IRUSR | S_IRGRP, NULL, &memory_read_proc, NULL);
+#if !defined(CONFIG_ARCH_S390)
+	create_proc_read_entry("interrupts", S_IRUSR | S_IRGRP, NULL, &interrupts_read_proc, NULL);
+#endif
+#endif
+#endif
 	/* And now for trickier ones */
 	entry = create_proc_entry("kmsg", S_IRUSR, &proc_root);
 	if (entry)
 		entry->proc_fops = &proc_kmsg_operations;
 	create_seq_entry("mounts", 0, &proc_mounts_operations);
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	create_seq_entry("cpuinfo", S_IRUSR, &proc_cpuinfo_operations);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	create_seq_entry("cpuinfo", S_IRUSR | S_IRGRP, &proc_cpuinfo_operations);
+#endif
+#else
 	create_seq_entry("cpuinfo", 0, &proc_cpuinfo_operations);
+#endif
+
 #ifdef CONFIG_MODULES
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	create_seq_entry("ksyms", S_IRUSR, &proc_ksyms_operations);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	create_seq_entry("ksyms", S_IRUSR | S_IRGRP, &proc_ksyms_operations);
+#else
 	create_seq_entry("ksyms", 0, &proc_ksyms_operations);
 #endif
+#endif
 	proc_root_kcore = create_proc_entry("kcore", S_IRUSR, NULL);
 	if (proc_root_kcore) {
 		proc_root_kcore->proc_fops = &proc_kcore_operations;
@@ -562,7 +616,15 @@
 			entry->proc_fops = &ppc_htab_operations;
 	}
 #endif
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUSR, NULL,
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUSR | S_IRGRP, NULL,
+#endif
+#else
 	entry = create_proc_read_entry("slabinfo", S_IWUSR | S_IRUGO, NULL,
+#endif
 				       slabinfo_read_proc, NULL);
 	if (entry)
 		entry->write_proc = slabinfo_write_proc;
diff -Nru kernel-source-2.4.18/fs/proc/proc_tty.c kernel-source-2.4.18.fixed/fs/proc/proc_tty.c
--- kernel-source-2.4.18/fs/proc/proc_tty.c	2003-07-26 05:04:56.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/proc/proc_tty.c	2003-09-21 12:22:59.000000000 +0200
@@ -180,7 +180,13 @@
 	 * password lengths and inter-keystroke timings during password
 	 * entry.
 	 */
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+  proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+  proc_tty_driver = proc_priv_mkdir("tty/driver", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
 	proc_tty_driver = proc_mkdir_mode("tty/driver", S_IRUSR | S_IXUSR, 0);
+#endif
 
 	create_proc_read_entry("tty/ldiscs", 0, 0, tty_ldiscs_read_proc,NULL);
 	create_proc_read_entry("tty/drivers", 0, 0, tty_drivers_read_proc,NULL);
diff -Nru kernel-source-2.4.18/fs/proc/root.c kernel-source-2.4.18.fixed/fs/proc/root.c
--- kernel-source-2.4.18/fs/proc/root.c	2001-10-26 13:10:46.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/proc/root.c	2003-09-21 12:22:59.000000000 +0200
@@ -37,13 +37,25 @@
 		return;
 	}
 	proc_misc_init();
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	proc_net = proc_priv_mkdir("net", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
 	proc_net = proc_mkdir("net", 0);
+#endif
 #ifdef CONFIG_SYSVIPC
 	proc_mkdir("sysvipc", 0);
 #endif
 #ifdef CONFIG_SYSCTL
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	proc_sys_root = proc_priv_mkdir("sys", S_IFDIR|S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP, 0);
+#else
 	proc_sys_root = proc_mkdir("sys", 0);
 #endif
+#endif
 #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
 	proc_mkdir("sys/fs", 0);
 	proc_mkdir("sys/fs/binfmt_misc", 0);
@@ -61,7 +73,16 @@
 #ifdef CONFIG_PPC_RTAS
 	proc_rtas_init();
 #endif
+
+#ifdef CONFIG_GRKERNSEC_PROC_ADD
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+	proc_bus = proc_priv_mkdir("bus", S_IFDIR|S_IRUSR|S_IXUSR, 0);
+#elif CONFIG_GRKERNSEC_PROC_USERGROUP
+	proc_bus = proc_priv_mkdir("bus", S_IFDIR|S_IRUSR|S_IXUSR|S_IXGRP|S_IRGRP, 0);
+#endif
+#else
 	proc_bus = proc_mkdir("bus", 0);
+#endif
 }
 
 static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry)
@@ -132,6 +153,9 @@
 EXPORT_SYMBOL(proc_symlink);
 EXPORT_SYMBOL(proc_mknod);
 EXPORT_SYMBOL(proc_mkdir);
+#ifdef CONFIG_GRKERNSEC_PROC
+EXPORT_SYMBOL(proc_priv_mkdir);
+#endif
 EXPORT_SYMBOL(create_proc_entry);
 EXPORT_SYMBOL(remove_proc_entry);
 EXPORT_SYMBOL(proc_root);
diff -Nru kernel-source-2.4.18/fs/readdir.c kernel-source-2.4.18.fixed/fs/readdir.c
--- kernel-source-2.4.18/fs/readdir.c	2001-08-17 13:07:00.000000000 +0200
+++ kernel-source-2.4.18.fixed/fs/readdir.c	2003-09-21 12:22:59.000000000 +0200
@@ -13,6 +13,10 @@
 
 #include <asm/uaccess.h>
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
 int vfs_readdir(struct file *file, filldir_t filler, void *buf)
 {
 	struct inode *inode = file->f_dentry->d_inode;
@@ -120,6 +124,10 @@
 struct readdir_callback {
 	struct old_linux_dirent * dirent;
 	int count;
+#ifdef CONFIG_GRKERNSEC_ACL
+	struct dentry *dentry;
+	struct vfsmount *mnt;
+#endif
 };
 
 static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -127,9 +135,26 @@
 {
 	struct readdir_callback * buf = (struct readdir_callback *) __buf;
 	struct old_linux_dirent * dirent;
+#ifdef CONFIG_GRKERNSEC_ACL
+	ino_t old_ino;
+#endif
 
 	if (buf->count)
 		return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(buf->dentry && buf->dentry->d_inode)
+	{
+		old_ino = buf->dentry->d_inode->i_ino;
+		buf->dentry->d_inode->i_ino = ino;
+	if( gr_check_hidden_file(buf->dentry,buf->mnt) == GR_DENY)
+	{
+		buf->dentry->d_inode->i_ino = old_ino;
+		return 0;
+	}
+	buf->dentry->d_inode->i_ino = ino;
+	}
+#endif
+	    
 	buf->count++;
 	dirent = buf->dirent;
 	put_user(ino, &dirent->d_ino);
@@ -153,6 +178,10 @@
 
 	buf.count = 0;
 	buf.dirent = dirent;
+#ifdef CONFIG_GRKERNSEC_ACL
+	buf.dentry = file->f_dentry;
+	buf.mnt = file->f_vfsmnt;
+#endif
 
 	error = vfs_readdir(file, fillonedir, &buf);
 	if (error >= 0)
@@ -181,6 +210,10 @@
 	struct linux_dirent * previous;
 	int count;
 	int error;
+#ifdef CONFIG_GRKERNSEC_ACL
+	struct dentry *dentry;
+	struct vfsmount *mnt;
+#endif
 };
 
 static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
@@ -189,10 +222,26 @@
 	struct linux_dirent * dirent;
 	struct getdents_callback * buf = (struct getdents_callback *) __buf;
 	int reclen = ROUND_UP(NAME_OFFSET(dirent) + namlen + 1);
+#ifdef CONFIG_GRKERNSEC_ACL
+	ino_t old_ino;
+#endif
 
 	buf->error = -EINVAL;	/* only used if we fail.. */
 	if (reclen > buf->count)
 		return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(buf->dentry && buf->dentry->d_inode)
+	{
+		old_ino = buf->dentry->d_inode->i_ino;
+		buf->dentry->d_inode->i_ino = ino;
+	if( gr_check_hidden_file(buf->dentry,buf->mnt) == GR_DENY) 
+	{
+		buf->dentry->d_inode->i_ino = old_ino;
+		return 0;
+	}
+	buf->dentry->d_inode->i_ino = old_ino;
+	}
+#endif
 	dirent = buf->previous;
 	if (dirent)
 		put_user(offset, &dirent->d_off);
@@ -224,6 +273,10 @@
 	buf.previous = NULL;
 	buf.count = count;
 	buf.error = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+	buf.dentry = file->f_dentry;
+	buf.mnt = file->f_vfsmnt;
+#endif
 
 	error = vfs_readdir(file, filldir, &buf);
 	if (error < 0)
@@ -259,6 +312,10 @@
 	struct linux_dirent64 * previous;
 	int count;
 	int error;
+#ifdef CONFIG_GRKERNSEC_ACL
+	struct dentry *dentry;
+	struct vfsmount *mnt;
+#endif
 };
 
 static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
@@ -268,9 +325,27 @@
 	struct getdents_callback64 * buf = (struct getdents_callback64 *) __buf;
 	int reclen = ROUND_UP64(NAME_OFFSET(dirent) + namlen + 1);
 
+#ifdef CONFIG_GRKERNSEC_ACL
+	ino_t old_ino;
+#endif
 	buf->error = -EINVAL;	/* only used if we fail.. */
 	if (reclen > buf->count)
 		return -EINVAL;
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(buf->dentry && buf->dentry->d_inode)
+	{
+		old_ino = buf->dentry->d_inode->i_ino;
+		buf->dentry->d_inode->i_ino = ino;
+		if((gr_check_hidden_file(buf->dentry,buf->mnt)) == GR_DENY) {
+			buf->dentry->d_inode->i_ino = old_ino;
+			return 0;
+		}
+		buf->dentry->d_inode->i_ino = old_ino;
+	}
+#endif
+
+
+	
 	dirent = buf->previous;
 	if (dirent) {
 		d.d_off = offset;
@@ -307,6 +382,11 @@
 	buf.previous = NULL;
 	buf.count = count;
 	buf.error = 0;
+#ifdef CONFIG_GRKERNSEC_ACL
+	buf.mnt = file->f_vfsmnt;
+	buf.dentry = file->f_dentry;
+#endif
+
 
 	error = vfs_readdir(file, filldir64, &buf);
 	if (error < 0)
diff -Nru kernel-source-2.4.18/grsecurity/Config.in kernel-source-2.4.18.fixed/grsecurity/Config.in
--- kernel-source-2.4.18/grsecurity/Config.in	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/grsecurity/Config.in	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,306 @@
+choice 'Security level' \
+        "Low		CONFIG_GRKERNSEC_LOW \
+         Medium		CONFIG_GRKERNSEC_MID \
+         High		CONFIG_GRKERNSEC_HI \
+	  Customized	CONFIG_GRKERNSEC_CUSTOM" Customized
+if [ "$CONFIG_GRKERNSEC_LOW" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_RANDSRC n
+define_bool CONFIG_GRKERNSEC_RANDRPC n
+define_bool CONFIG_GRKERNSEC_RANDPING n
+define_bool CONFIG_GRKERNSEC_FORKFAIL n
+define_bool CONFIG_GRKERNSEC_TIME n
+define_bool CONFIG_GRKERNSEC_SIGNAL n
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT n
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE n
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD n
+define_bool CONFIG_GRKERNSEC_PROC n
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP n
+fi
+define_bool CONFIG_GRKERNSEC_KMEM n
+define_bool CONFIG_GRKERNSEC_ACL n
+define_bool CONFIG_GRKERNSEC_PROC_ADD n
+define_bool CONFIG_GRKERNSEC_CHROOT_SIG n
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE n
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP n
+define_bool CONFIG_GRKERNSEC_PAX n
+define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n
+define_bool CONFIG_GRKERNSEC_MMAPFIXED n
+define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE n
+define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE n
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_PTRACE n
+define_bool CONFIG_GRKERNSEC_PTRACE_GROUP n
+
+define_int  CONFIG_GRKERNSEC_FLOODTIME 30
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_FD y
+define_bool CONFIG_GRKERNSEC_KBMAP y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+fi
+if [ "$CONFIG_GRKERNSEC_MID" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_KMEM n
+define_bool CONFIG_GRKERNSEC_ACL n
+define_bool CONFIG_GRKERNSEC_PROC_ADD n
+define_bool CONFIG_GRKERNSEC_CHROOT_SIG n
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE n
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_PAX n
+define_bool CONFIG_GRKERNSEC_PAX_MPROTECT n
+define_bool CONFIG_GRKERNSEC_MMAPFIXED n
+define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE n
+define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE n
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT n
+define_bool CONFIG_GRKERNSEC_PTRACE n
+define_bool CONFIG_GRKERNSEC_PTRACE_GROUP n
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS n
+
+define_int  CONFIG_GRKERNSEC_FLOODTIME 30
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_FD y
+define_bool CONFIG_GRKERNSEC_KBMAP y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_RANDSRC y
+define_bool CONFIG_GRKERNSEC_RANDRPC y
+define_bool CONFIG_GRKERNSEC_RANDPING y
+define_bool CONFIG_GRKERNSEC_FORKFAIL y
+define_bool CONFIG_GRKERNSEC_TIME y
+define_bool CONFIG_GRKERNSEC_SIGNAL y
+define_bool CONFIG_GRKERNSEC_CHROOT y
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y
+define_bool CONFIG_GRKERNSEC_PROC y
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y
+define_int  CONFIG_GRKERNSEC_PROC_GID 10
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y
+fi
+fi
+if [ "$CONFIG_GRKERNSEC_HI" = "y" ]; then
+define_int CONFIG_GRKERNSEC_FLOODTIME 30
+define_bool CONFIG_GRKERNSEC_LINK y
+define_bool CONFIG_GRKERNSEC_FIFO y
+define_bool CONFIG_GRKERNSEC_FD y
+define_bool CONFIG_GRKERNSEC_KBMAP y
+define_bool CONFIG_GRKERNSEC_RANDPID y
+define_bool CONFIG_GRKERNSEC_EXECVE y
+define_bool CONFIG_GRKERNSEC_DMESG y
+define_bool CONFIG_GRKERNSEC_RANDID y
+define_bool CONFIG_GRKERNSEC_RANDSRC y
+define_bool CONFIG_GRKERNSEC_RANDRPC y
+define_bool CONFIG_GRKERNSEC_RANDPING y
+define_bool CONFIG_GRKERNSEC_FORKFAIL y
+define_bool CONFIG_GRKERNSEC_TIME y
+define_bool CONFIG_GRKERNSEC_SIGNAL y
+define_bool CONFIG_GRKERNSEC_CHROOT_MOUNT y
+define_bool CONFIG_GRKERNSEC_CHROOT_DOUBLE y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHDIR y
+define_bool CONFIG_GRKERNSEC_CHROOT_MKNOD y
+define_bool CONFIG_GRKERNSEC_CHROOT_CAPS y
+define_bool CONFIG_GRKERNSEC_PROC y
+define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y
+define_int  CONFIG_GRKERNSEC_PROC_GID 10
+define_bool CONFIG_GRKERNSEC_KMEM y
+define_bool CONFIG_GRKERNSEC_ACL y
+define_string CONFIG_GRADM_PATH "/sbin/gradm"
+define_int CONFIG_GR_MAXTRIES 3
+define_int CONFIG_GR_TIMEOUT 30
+define_bool CONFIG_GRKERNSEC_PROC_ADD y
+define_bool CONFIG_GRKERNSEC_CHROOT_SIG y
+define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD y
+define_bool CONFIG_GRKERNSEC_CHROOT_NICE y
+if [ "$CONFIG_X86" = "y" ]; then
+define_bool CONFIG_GRKERNSEC_PAX_RANDMMAP y
+define_bool CONFIG_GRKERNSEC_PAX y
+define_bool CONFIG_GRKERNSEC_PAX_MPROTECT y
+define_bool CONFIG_GRKERNSEC_MMAPFIXED y
+define_bool CONFIG_GRKERNSEC_CHROOT_PTRACE y
+define_bool CONFIG_GRKERNSEC_AUDIT_PTRACE y
+fi
+define_bool CONFIG_GRKERNSEC_AUDIT_MOUNT y
+define_bool CONFIG_GRKERNSEC_PTRACE y
+define_bool CONFIG_GRKERNSEC_PTRACE_GROUP y
+define_int CONFIG_GRKERNSEC_PTRACE_GID 10
+fi
+if [ "$CONFIG_GRKERNSEC_CUSTOM" = "y" ]; then
+mainmenu_option next_comment
+comment 'Buffer Overflow Protection'
+if [ "$CONFIG_X86" = "y" ]; then
+if [ "$CONFIG_GRKERNSEC_PAX" != "y" ]; then
+bool 'Openwall non-executable stack' CONFIG_GRKERNSEC_STACK
+if [ "$CONFIG_GRKERNSEC_STACK" != "n" ]; then
+bool '   Gcc trampoline support' CONFIG_GRKERNSEC_STACK_GCC
+fi
+fi
+if [ "$CONFIG_GRKERNSEC_STACK" != "y" ]; then
+bool 'PaX protection' CONFIG_GRKERNSEC_PAX
+if [ "$CONFIG_GRKERNSEC_PAX" = "y" ]; then
+  bool '   Emulate trampolines' CONFIG_GRKERNSEC_PAX_EMUTRAMP
+  bool '   Restrict mprotect()' CONFIG_GRKERNSEC_PAX_MPROTECT
+  bool 'Fixed mmap restrictions' CONFIG_GRKERNSEC_MMAPFIXED
+fi
+  bool 'Randomize mmap() base' CONFIG_GRKERNSEC_PAX_RANDMMAP
+fi
+fi
+bool 'Read-only kernel memory' CONFIG_GRKERNSEC_KMEM
+endmenu
+mainmenu_option next_comment
+comment 'Access Control Lists'
+   bool 'Grsecurity ACL system' CONFIG_GRKERNSEC_ACL
+if [ "$CONFIG_GRKERNSEC_ACL" = "y" ]; then
+   bool 'ACL Debugging Messages' CONFIG_GR_DEBUG
+   if [ "$CONFIG_GR_DEBUG" = "y" ]; then
+   	bool 'Extra ACL Debugging Messages' CONFIG_GR_SUPERDEBUG
+   fi	
+   bool 'Denied capability logging' CONFIG_GRKERNSEC_ACL_CAPLOG
+   string 'Path to gradm' CONFIG_GRADM_PATH "/sbin/gradm"
+   int 'Maximum tries before password lockout' CONFIG_GR_MAXTRIES 3
+   int 'Time to wait after max password tries, in seconds' CONFIG_GR_TIMEOUT 30
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Filesystem Protections'
+bool 'Proc restrictions' CONFIG_GRKERNSEC_PROC
+if [ "$CONFIG_GRKERNSEC_PROC" != "n" ]; then
+bool '   Restrict to user only' CONFIG_GRKERNSEC_PROC_USER
+if [ "$CONFIG_GRKERNSEC_PROC_USER" = "y" ]; then
+bool '      Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD
+fi
+if [ "$CONFIG_GRKERNSEC_PROC_USER" != "y" ]; then
+bool '   Allow special group' CONFIG_GRKERNSEC_PROC_USERGROUP
+if [ "$CONFIG_GRKERNSEC_PROC_USERGROUP" != "n" ]; then
+int  '   GID for special group' CONFIG_GRKERNSEC_PROC_GID 1001
+bool '      Additional restrictions' CONFIG_GRKERNSEC_PROC_ADD
+fi
+fi
+fi
+bool 'Linking restrictions' CONFIG_GRKERNSEC_LINK
+bool 'FIFO restrictions' CONFIG_GRKERNSEC_FIFO
+bool 'Secure file descriptors' CONFIG_GRKERNSEC_FD
+bool 'Chroot jail restrictions' CONFIG_GRKERNSEC_CHROOT
+if [ "$CONFIG_GRKERNSEC_CHROOT" != "n" ]; then
+bool '   Restricted signals' CONFIG_GRKERNSEC_CHROOT_SIG
+bool '   Deny mounts' CONFIG_GRKERNSEC_CHROOT_MOUNT
+bool '   Deny double-chroots' CONFIG_GRKERNSEC_CHROOT_DOUBLE
+bool '   Enforce chdir("/") on all chroots' CONFIG_GRKERNSEC_CHROOT_CHDIR
+bool '   Deny (f)chmod +s' CONFIG_GRKERNSEC_CHROOT_CHMOD
+bool '   Deny mknod' CONFIG_GRKERNSEC_CHROOT_MKNOD
+if [ "$CONFIG_X86" != "n" ]; then
+bool '   Deny ptraces' CONFIG_GRKERNSEC_CHROOT_PTRACE
+fi
+bool '   Restrict priority changes' CONFIG_GRKERNSEC_CHROOT_NICE
+fi
+bool 'Capability restrictions within chroot' CONFIG_GRKERNSEC_CHROOT_CAPS
+bool 'Secure keymap loading' CONFIG_GRKERNSEC_KBMAP
+endmenu
+mainmenu_option next_comment
+comment 'Kernel Auditing'
+bool 'Single group for auditing' CONFIG_GRKERNSEC_AUDIT_GROUP
+if [ "$CONFIG_GRKERNSEC_AUDIT_GROUP" != "n" ]; then
+int  '   GID for auditing' CONFIG_GRKERNSEC_AUDIT_GID 1007
+fi
+bool 'Exec logging' CONFIG_GRKERNSEC_EXECLOG
+bool 'Log execs within chroot' CONFIG_GRKERNSEC_CHROOT_EXECLOG
+bool 'Chdir logging' CONFIG_GRKERNSEC_AUDIT_CHDIR
+bool '(Un)Mount logging' CONFIG_GRKERNSEC_AUDIT_MOUNT
+bool 'IPC logging' CONFIG_GRKERNSEC_AUDIT_IPC
+if [ "$CONFIG_X86" != "n" ]; then
+bool 'Ptrace logging' CONFIG_GRKERNSEC_AUDIT_PTRACE
+fi
+bool 'Signal logging' CONFIG_GRKERNSEC_SIGNAL
+bool 'Fork failure logging' CONFIG_GRKERNSEC_FORKFAIL
+if [ "$CONFIG_GRKERNSEC_SUID_ROOT" != "y" ]; then
+bool 'Set*id logging' CONFIG_GRKERNSEC_SUID
+fi
+if [ "$CONFIG_GRKERNSEC_SUID" != "y" ]; then
+bool 'Log set*ids to root' CONFIG_GRKERNSEC_SUID_ROOT
+fi
+bool 'Time change logging' CONFIG_GRKERNSEC_TIME
+endmenu
+mainmenu_option next_comment
+comment 'Executable Protections'
+bool 'Exec process limiting' CONFIG_GRKERNSEC_EXECVE
+bool 'Dmesg(8) restriction' CONFIG_GRKERNSEC_DMESG
+bool 'Randomized PIDs' CONFIG_GRKERNSEC_RANDPID
+bool 'Altered default IPC permissions' CONFIG_GRKERNSEC_IPC
+bool 'Limit uid/gid changes to root' CONFIG_GRKERNSEC_TTYROOT
+if [ "$CONFIG_GRKERNSEC_TTYROOT" != "n" ]; then
+bool '  Deny physical consoles (tty)' CONFIG_GRKERNSEC_TTYROOT_PHYS
+bool '  Deny serial consoles (ttyS)' CONFIG_GRKERNSEC_TTYROOT_SERIAL
+bool '  Deny pseudo consoles (pty)' CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+fi
+bool 'Fork-bomb protection' CONFIG_GRKERNSEC_FORKBOMB
+if [ "$CONFIG_GRKERNSEC_FORKBOMB" != "n" ]; then
+int '   GID for restricted users' CONFIG_GRKERNSEC_FORKBOMB_GID 1006
+int '   Forks allowed per second' CONFIG_GRKERNSEC_FORKBOMB_SEC 40
+int '   Maximum processes allowed' CONFIG_GRKERNSEC_FORKBOMB_MAX 20
+fi
+bool 'Trusted path execution' CONFIG_GRKERNSEC_TPE
+if [ "$CONFIG_GRKERNSEC_TPE" != "n" ]; then
+bool '   Glibc protection' CONFIG_GRKERNSEC_TPE_GLIBC
+bool '   Partially restrict non-root users' CONFIG_GRKERNSEC_TPE_ALL
+int  '   GID for untrusted users:' CONFIG_GRKERNSEC_TPE_GID 1005
+fi
+if [ "$CONFIG_X86" != "n" ]; then
+bool 'Restricted ptrace' CONFIG_GRKERNSEC_PTRACE
+if [ "$CONFIG_GRKERNSEC_PTRACE" != "n" ]; then
+bool '   Allow ptrace for group' CONFIG_GRKERNSEC_PTRACE_GROUP
+if [ "$CONFIG_GRKERNSEC_PTRACE_GROUP" != "n" ]; then
+int  '   GID for ptrace' CONFIG_GRKERNSEC_PTRACE_GID 1008
+fi
+fi
+fi
+endmenu
+mainmenu_option next_comment
+comment 'Network Protections'
+bool 'Randomized IP IDs' CONFIG_GRKERNSEC_RANDID
+bool 'Randomized TCP source ports' CONFIG_GRKERNSEC_RANDSRC
+bool 'Randomized RPC XIDs' CONFIG_GRKERNSEC_RANDRPC
+bool 'Altered Ping IDs' CONFIG_GRKERNSEC_RANDPING
+bool 'Randomized TTL' CONFIG_GRKERNSEC_RANDTTL
+bool 'Socket restrictions' CONFIG_GRKERNSEC_SOCKET
+if [ "$CONFIG_GRKERNSEC_SOCKET" != "n" ]; then
+bool '  Deny any sockets to group' CONFIG_GRKERNSEC_SOCKET_ALL
+if [ "$CONFIG_GRKERNSEC_SOCKET_ALL" != "n" ]; then
+int  '   GID to deny all sockets for:' CONFIG_GRKERNSEC_SOCKET_ALL_GID 1004
+fi
+bool '  Deny client sockets to group' CONFIG_GRKERNSEC_SOCKET_CLIENT
+if [ "$CONFIG_GRKERNSEC_SOCKET_CLIENT" != "n" ]; then
+int  '   GID to deny client sockets for:' CONFIG_GRKERNSEC_SOCKET_CLIENT_GID 1003
+fi
+bool '  Deny server sockets to group' CONFIG_GRKERNSEC_SOCKET_SERVER
+if [ "$CONFIG_GRKERNSEC_SOCKET_SERVER" != "n" ]; then
+int  '   GID to deny server sockets for:' CONFIG_GRKERNSEC_SOCKET_SERVER_GID 1002
+fi
+fi
+endmenu
+if [ "$CONFIG_SYSCTL" != "n" ]; then
+mainmenu_option next_comment
+comment 'Sysctl support'
+bool 'Sysctl support' CONFIG_GRKERNSEC_SYSCTL
+endmenu
+fi
+mainmenu_option next_comment
+comment 'Miscellaneous Features'
+int 'Seconds in between log messages(minimum)' CONFIG_GRKERNSEC_FLOODTIME 30
+bool 'BSD-style coredumps' CONFIG_GRKERNSEC_COREDUMP
+endmenu
+fi
diff -Nru kernel-source-2.4.18/include/asm-i386/a.out.h kernel-source-2.4.18.fixed/include/asm-i386/a.out.h
--- kernel-source-2.4.18/include/asm-i386/a.out.h	1995-06-16 20:33:06.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/asm-i386/a.out.h	2003-09-21 12:22:59.000000000 +0200
@@ -19,8 +19,12 @@
 
 #ifdef __KERNEL__
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define STACK_TOP 	((current->flags & PF_STACKEXEC) ? TASK_SIZE - _STK_LIM : TASK_SIZE)
+#else
 #define STACK_TOP	TASK_SIZE
 
 #endif
+#endif
 
 #endif /* __A_OUT_GNU_H__ */
diff -Nru kernel-source-2.4.18/include/asm-i386/pgtable.h kernel-source-2.4.18.fixed/include/asm-i386/pgtable.h
--- kernel-source-2.4.18/include/asm-i386/pgtable.h	2001-11-22 20:46:19.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/asm-i386/pgtable.h	2003-09-21 12:22:59.000000000 +0200
@@ -192,9 +192,26 @@
 #define _PAGE_CHG_MASK	(PTE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY)
 
 #define PAGE_NONE	__pgprot(_PAGE_PROTNONE | _PAGE_ACCESSED)
+
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define PAGE_SHARED_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_RW |_PAGE_USER |_PAGE_ACCESSED)
+#define PAGE_COPY_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#define PAGE_READONLY_EXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#else
 #define PAGE_SHARED	__pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_USER | _PAGE_ACCESSED)
 #define PAGE_COPY	__pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
 #define PAGE_READONLY	__pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_ACCESSED)
+#endif
+
+#ifdef CONFIG_GRKERNSEC_PAX
+#define PAGE_SHARED_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED)
+#define PAGE_COPY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED)
+#define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_ACCESSED) 
+#else
+#define PAGE_SHARED_NOEXEC    PAGE_SHARED_EXEC
+#define PAGE_COPY_NOEXEC      PAGE_COPY_EXEC
+#define PAGE_READONLY_NOEXEC  PAGE_READONLY_EXEC
+#endif
 
 #define __PAGE_KERNEL \
 	(_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED)
@@ -228,6 +245,15 @@
  * This is the closest we can get..
  */
 #define __P000	PAGE_NONE
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define __P001  PAGE_READONLY_NOEXEC
+#define __P010  PAGE_COPY_NOEXEC
+#define __P011  PAGE_COPY_NOEXEC
+#define __P100  PAGE_READONLY_EXEC
+#define __P101  PAGE_READONLY_EXEC
+#define __P110  PAGE_COPY_EXEC
+#define __P111  PAGE_COPY_EXEC
+#else
 #define __P001	PAGE_READONLY
 #define __P010	PAGE_COPY
 #define __P011	PAGE_COPY
@@ -235,8 +261,18 @@
 #define __P101	PAGE_READONLY
 #define __P110	PAGE_COPY
 #define __P111	PAGE_COPY
+#endif
 
 #define __S000	PAGE_NONE
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define __S001  PAGE_READONLY_NOEXEC
+#define __S010  PAGE_SHARED_NOEXEC
+#define __S011  PAGE_SHARED_NOEXEC
+#define __S100  PAGE_READONLY_EXEC
+#define __S101  PAGE_READONLY_EXEC
+#define __S110  PAGE_SHARED_EXEC
+#define __S111  PAGE_SHARED_EXEC
+#else
 #define __S001	PAGE_READONLY
 #define __S010	PAGE_SHARED
 #define __S011	PAGE_SHARED
@@ -244,6 +280,7 @@
 #define __S101	PAGE_READONLY
 #define __S110	PAGE_SHARED
 #define __S111	PAGE_SHARED
+#endif
 
 /*
  * Define this if things work differently on an i386 and an i486:
diff -Nru kernel-source-2.4.18/include/asm-i386/processor.h kernel-source-2.4.18.fixed/include/asm-i386/processor.h
--- kernel-source-2.4.18/include/asm-i386/processor.h	2003-04-04 12:45:12.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/asm-i386/processor.h	2003-09-21 12:22:59.000000000 +0200
@@ -267,11 +267,25 @@
  */
 #define TASK_SIZE	(PAGE_OFFSET)
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define MAGIC_SIGRETURN		(PAGE_OFFSET + 0xDE0000)
+#define MAGIC_RT_SIGRETURN	(PAGE_OFFSET + 0xDE0001)
+#endif
 /* This decides where the kernel will search for a free chunk of vm
  * space during mmap's.
  */
+#ifdef CONFIG_GRKERNSEC_STACK
+extern struct linux_binfmt elf_format;
+#define TASK_UNMAPPED_BASE(size) ( \
+       current->binfmt == &elf_format && \
+       !(current->flags & PF_STACKEXEC) && \
+       (size) < 0x00ef0000UL \
+       ? 0x00110000UL \
+       : TASK_SIZE / 3 )     
+#else
 #define TASK_UNMAPPED_BASE	(TASK_SIZE / 3)
 
+#endif
 /*
  * Size of io_bitmap in longwords: 32 is ports 0-0x3ff.
  */
@@ -362,6 +376,14 @@
 	unsigned long __cacheline_filler[5];
 };
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+struct pax_fault_info {
+	unsigned long eip;
+	unsigned long addresses[4];
+	unsigned long count;
+};
+#endif
+
 struct thread_struct {
 	unsigned long	esp0;
 	unsigned long	eip;
@@ -372,6 +394,11 @@
 	unsigned long	debugreg[8];  /* %%db0-7 debug registers */
 /* fault info */
 	unsigned long	cr2, trap_no, error_code;
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* PaX fault info */
+	struct pax_fault_info pax_faults;
+#endif
+
 /* floating point info */
 	union i387_union	i387;
 /* virtual 86 mode info */
@@ -383,15 +410,28 @@
 	unsigned long	io_bitmap[IO_BITMAP_SIZE+1];
 };
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
 #define INIT_THREAD  {						\
 	0,							\
 	0, 0, 0, 0, 						\
 	{ [0 ... 7] = 0 },	/* debugging registers */	\
 	0, 0, 0,						\
+	{0, {0}, 0},		/* PaX fault info */		\
 	{ { 0, }, },		/* 387 state */			\
 	0,0,0,0,0,0,						\
 	0,{~0,}			/* io permissions */		\
 }
+#else
+#define INIT_THREAD  {						\
+	0,							\
+	0, 0, 0, 0, 						\
+	{ [0 ... 7] = 0 },	/* debugging registers */	\
+	0, 0, 0,						\
+	{ { 0, }, },		/* 387 state */			\
+	0,0,0,0,0,0,						\
+	0,{~0,}			/* io permissions */		\
+}
+#endif
 
 #define INIT_TSS  {						\
 	0,0, /* back_link, __blh */				\
diff -Nru kernel-source-2.4.18/include/linux/a.out.h kernel-source-2.4.18.fixed/include/linux/a.out.h
--- kernel-source-2.4.18/include/linux/a.out.h	2000-06-24 06:30:20.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/a.out.h	2003-09-21 12:22:59.000000000 +0200
@@ -37,6 +37,14 @@
   M_MIPS2 = 152		/* MIPS R6000/R4000 binary */
 };
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* Constants for the N_FLAGS field */
+#define F_PAX_PAGEEXEC        1       /* Enforce PAGE_EXEC */
+#define F_PAX_EMUTRAMP        2       /* Emulate trampolines */
+#define F_PAX_MPROTECT        4       /* Restrict mprotect() */
+#define F_PAX_RANDMMAP        8       /* Randomize mmap() base */   
+#endif
+
 #if !defined (N_MAGIC)
 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
 #endif
@@ -57,6 +65,9 @@
 	((exec).a_info = \
 	 ((exec).a_info&0x00ffffff) | (((flags) & 0xff) << 24))
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define F_STACKEXEC	1
+#endif
 /* Code indicating object file or impure executable.  */
 #define OMAGIC 0407
 /* Code indicating pure executable.  */
diff -Nru kernel-source-2.4.18/include/linux/binfmts.h kernel-source-2.4.18.fixed/include/linux/binfmts.h
--- kernel-source-2.4.18/include/linux/binfmts.h	2000-11-19 05:56:59.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/binfmts.h	2003-09-21 12:22:59.000000000 +0200
@@ -1,6 +1,7 @@
 #ifndef _LINUX_BINFMTS_H
 #define _LINUX_BINFMTS_H
 
+#include <linux/config.h>
 #include <linux/ptrace.h>
 #include <linux/capability.h>
 
@@ -30,6 +31,10 @@
 	int argc, envc;
 	char * filename;	/* Name of binary */
 	unsigned long loader, exec;
+#ifdef CONFIG_GRKERNSEC_FD
+        int tweak_fd_mask;
+        struct file *tweak_fd_null;
+#endif
 };
 
 /*
diff -Nru kernel-source-2.4.18/include/linux/dcache.h kernel-source-2.4.18.fixed/include/linux/dcache.h
--- kernel-source-2.4.18/include/linux/dcache.h	2001-10-11 08:44:33.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/dcache.h	2003-09-21 12:22:59.000000000 +0200
@@ -124,6 +124,10 @@
 					 */
 #define DCACHE_REFERENCED	0x0008  /* Recently used, don't discard. */
 
+#define OBJECT_LEVEL_1	0x00010000
+#define OBJECT_LEVEL_2	0x00020000
+#define OBJECT_LEVEL_BITS (OBJECT_LEVEL_1 | OBJECT_LEVEL_2)
+
 extern spinlock_t dcache_lock;
 
 /**
diff -Nru kernel-source-2.4.18/include/linux/elf.h kernel-source-2.4.18.fixed/include/linux/elf.h
--- kernel-source-2.4.18/include/linux/elf.h	2001-09-23 19:33:41.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/elf.h	2003-09-21 12:22:59.000000000 +0200
@@ -87,6 +87,9 @@
  */
 #define EM_ALPHA	0x9026
 
+#ifdef CONFIG_GRKERNSEC_STACK
+#define EF_STACKEXEC	1
+#endif
 /*
  * This is the old interim value for S/390 architecture
  */
@@ -255,6 +258,13 @@
 #define R_MIPS_LOVENDOR		100
 #define R_MIPS_HIVENDOR		127
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* Constants for the e_flags field */
+#define EF_PAX_PAGEEXEC               1       /* 0: Enforce PAGE_EXEC */
+#define EF_PAX_EMUTRAMP               2       /* 0: Emulate trampolines */
+#define EF_PAX_MPROTECT               4       /* 0: Restrict mprotect() */
+#define EF_PAX_RANDMMAP               8       /* 0: Randomize mmap() base */ 
+#endif
 
 /*
  * Sparc ELF relocation types
diff -Nru kernel-source-2.4.18/include/linux/fs.h kernel-source-2.4.18.fixed/include/linux/fs.h
--- kernel-source-2.4.18/include/linux/fs.h	2003-07-26 05:05:07.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/fs.h	2003-09-21 12:22:59.000000000 +0200
@@ -1049,7 +1049,11 @@
 
 asmlinkage long sys_open(const char *, int, int);
 asmlinkage long sys_close(unsigned int);	/* yes, it's really unsigned */
+#ifdef CONFIG_GRKERNSEC_ACL
+extern int do_truncate(struct dentry *, loff_t start, struct vfsmount *);
+#else
 extern int do_truncate(struct dentry *, loff_t start);
+#endif
 
 extern struct file *filp_open(const char *, int, int);
 extern struct file * dentry_open(struct dentry *, struct vfsmount *, int);
diff -Nru kernel-source-2.4.18/include/linux/gracl.h kernel-source-2.4.18.fixed/include/linux/gracl.h
--- kernel-source-2.4.18/include/linux/gracl.h	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/gracl.h	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,265 @@
+#ifndef GR_ACL_H
+#define GR_ACL_H
+#endif
+#include <linux/grsecurity.h>
+#include <linux/grdefs.h>
+
+/* * * * * * * * * * * * * * * * * * * * *
+ * GrSecurity ACL System
+ * Main header file
+ * Purpose: define most gracl data structures 
+ * * * * * * * * * * * * * * * * * * * * */
+
+/* Major status information */
+
+#define GR_VERSION  "grsecurity 2.0"
+
+enum
+{
+
+	SHUTDOWN   = 0,
+	ENABLE     = 1,
+	CHCAPS     = 2,
+	AUTH       = 3,
+	GOD        = 4,
+	RELOAD     = 5,
+	
+	/* Number of capabilities 
+	 * see include/linux/capability.h */
+	CAP_COUNT = 30
+};
+
+/* Internal status definitions
+ * gr_set_proc_label() in kernel/gracl.c
+ * */
+enum
+{
+	GR_SET_INHERIT,
+	GR_SET_AUTH,   
+	GR_SET_PROC
+};
+
+/* Password setup definitions
+ * kernel/grhash.c */
+enum
+{
+	GR_PW_LEN    = 129,
+	GR_SHA_SIZE  = 20,
+	GR_EXTRA_LEN = 1025
+};
+
+/* Begin Data Structures */
+
+
+
+struct admin_pw
+{
+	char 				pw[GR_PW_LEN];
+	char 				extra[GR_EXTRA_LEN];
+	__u8 				sum[GR_SHA_SIZE];  /* 160-bit SHA hash of the password*/
+	__u8 				mode; /* On/Off/Restart*/
+};
+
+struct file_label
+{
+	ino_t 				inode;
+	kdev_t 				device;
+	__u32 				mode;
+};
+
+/* Begin TBD */
+#if 0
+struct socket_label 
+{
+	unsigned int 			port;
+	__u8 				mode:1; /* Connect or Bind */
+};
+
+struct id_label 
+{
+	__u32 				id;
+	__u8 				id_type:1; /* UID or GID */
+	__u8 				mode; /* execlog/ptrace/etc.*/
+						      
+	struct mac_socket *		sockets;
+};
+#endif
+/* end TBD */
+
+struct file_db 
+{
+	struct file_label *         	file_hash;
+	unsigned long             	file_size;
+	unsigned long			file_used;
+};
+
+
+struct proc_subject_label
+{
+	ino_t                     	inode;
+	kdev_t                    	device;
+	__u16                      	mode; 
+	kernel_cap_t              	cap_raise; 
+	kernel_cap_t			cap_lower;
+	kernel_cap_t			cap_raise_inherit;
+	kernel_cap_t			cap_lower_inherit;
+	/* Keeps track of the capabilities to raise and lower. 
+	 * Have to store it this way because users my change the default
+	 * capabilities, and we want to change with them(but still
+	 * keep our custom raised/lowered caps) */
+	unsigned long 			pos; 
+	/* .. used for process object
+	hashing. Position (i.e.
+	subject acl number 1..n) */
+};
+
+
+struct proc_object_label
+{
+	ino_t                     	inode;
+	kdev_t                    	device; 
+	__u16                     	mode; 
+	unsigned long			parent_pos;
+};
+
+struct name_entry
+{
+	ino_t inode;
+	kdev_t device;
+	__u8 mode;
+	char * name;
+};
+	
+struct proc_subject_db
+{
+	struct proc_subject_label  *	proc_hash;
+	unsigned long            	proc_size;
+	unsigned long			proc_used;
+};
+
+struct proc_object_db
+{
+	struct proc_object_label  * 	proc_hash;
+	unsigned long            	proc_size;
+	unsigned long			proc_used;
+};
+
+struct name_db
+{
+	struct name_entry *		 name_hash;
+	unsigned long			 name_size;
+	unsigned long			 name_used;
+};
+
+struct temp_file_label
+{
+	ino_t 				inode;
+	kdev_t 				device;
+	__u32 				mode;
+};
+
+struct proc_info
+{
+	ino_t				inode;
+	kdev_t				device;
+	unsigned long			pos;
+};
+
+struct temp_socket_label
+{
+	unsigned int 			port;
+	__u8 				mode;
+};
+
+struct label_info 
+{
+	ino_t inode;
+	kdev_t device;
+};
+
+
+
+
+struct cap_entry 
+{
+	char * 				capname;
+	kernel_cap_t 			capval;
+};
+
+struct capset
+{
+	struct cap_entry 		table[CAP_COUNT];
+};
+
+/* End Data Structures Section */
+
+static __inline__ unsigned long  fhash(const ino_t ino,const kdev_t dev,
+		const unsigned long sz)
+{
+return  (ino ^ (dev * 797) )  % sz;
+}
+
+static __inline__ unsigned long phash(const ino_t ino, const kdev_t dev, 
+		const unsigned long parent_pos, const unsigned long sz)
+{
+	/* Okay...parent_pos is the subject acl # (0..n-1 for n subject acls)
+	 * We reuse fhash here for the parent_pos portion of phash() for
+	 * simplicity's sake */
+	return ( fhash(ino,dev,~0UL) ^ fhash((ino_t)(parent_pos),0,~0UL) ) 
+		% sz;
+}
+
+static __inline__ unsigned long nhash(const char * name, const unsigned long sz)
+{
+	return full_name_hash(name,strlen(name)) % sz;
+}
+			
+			
+
+
+
+
+/* * * * * * * * * * * * * * * * * * * *
+ * From this point on, the header
+ * file for the SHA-1 algorithm
+ * is defined. This is slightly
+ * adapted from gnupg. All errors
+ * are mine, all features are theirs:).
+ * That is why there is a style
+ * difference. See kernel/grhash.c 
+ * * * * * * * * * * * * * * * * * * * */
+
+
+
+
+
+
+/* Begin SHA hash section */
+#define GR_SHA1HANDSOFF /* Copies data before messing with it. */
+
+struct gr_SHA1_CTX {
+	unsigned long 			state[5];
+	unsigned long 			count[2];
+	unsigned char 			buffer[64];
+};
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/* blk0() and blk() perform the initial expand. */
+/* I got the idea of expanding during the round function from SSLeay */
+#ifdef __LITTLE_ENDIAN
+#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+		|(rol(block->l[i],8)&0x00FF00FF))
+#else
+#define blk0(i) block->l[i]
+#endif /* __LITTLE_ENDIAN */
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+			^block->l[(i+2)&15]^block->l[i&15],1))
+
+	/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+/* End SHA hash section */		       
diff -Nru kernel-source-2.4.18/include/linux/grdefs.h kernel-source-2.4.18.fixed/include/linux/grdefs.h
--- kernel-source-2.4.18/include/linux/grdefs.h	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/grdefs.h	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,162 @@
+
+/* Begin Status/Return value declarations */
+
+enum
+{
+	GR_ALLOW    =  1,
+	GR_NOTFOUND = -1,
+	GR_DENY     =  0
+};
+
+/* Begin GrSecurity status declarations */
+
+enum
+{
+	GR_READY    = 0x01,
+	GR_1ST      = 0x02,
+	GR_LOADING  = 0x04,
+	GR_PROCFULL = 0x08,
+	/* Out of memory: Process label tables can no
+	  longer have entries added*/
+	GR_NAMEFULL = 0x10,
+	GR_FILEFULL = 0x20,
+	GR_STATUS_INIT = GR_1ST
+};
+
+/* Table Size Defaults (in the form of 2^GR_TABLE_SIZE). Since
+ * our tables are dynamic, this is just the starting point, set to
+ * a reasonable value for the predicted number of MAC labels */
+enum 
+{
+	GR_TABLE_SIZE = 8 /* 256 entries by default */
+};
+
+
+/* Begin  ACL declarations */
+enum 
+{
+	GR_READ        = 0x01,
+	GR_APPEND      = 0x02,
+	GR_WRITE       = 0x04,
+	GR_EXEC        = 0x08,
+	GR_HIDDEN      = 0x10,
+	GR_OVERRIDE    = 0x20, /* Override File ACL, useful for proc only*/
+	GR_PROTECTED   = 0x40,
+	GR_EXISTS      = 0x80, /* ACL exists....since our hash table 
+			  will have blank entries */
+	GR_DELETED     = 0x100,
+	GR_NONEXISTANT = 0x40000000    /*  fs/namei.c
+				   	*  Used to indicate that the file
+				   	*  we are opening is nonexistant so we 
+			 	   	*  should examine its parent 
+					*  for acl rules */
+};
+
+/* File Label declarations (right now used in case we need to combine
+ * any of preceding flags....like we do for GR_PROC_WRITE below) */
+enum
+{
+	GR_FILE_READ   = GR_READ,
+	GR_FILE_APPEND = GR_APPEND,
+	GR_FILE_WRITE  = (GR_WRITE | GR_APPEND),
+	GR_FILE_EXEC   = GR_EXEC,
+	GR_FILE_HIDDEN = GR_HIDDEN
+};
+
+/* Process label declarations */
+
+enum
+{
+	GR_PROC_READ         = GR_READ,
+	GR_PROC_APPEND       = GR_APPEND,
+	GR_PROC_WRITE        = (GR_WRITE|GR_APPEND),
+	/* write access implies append access*/
+	GR_PROC_EXEC         = GR_EXEC,
+	GR_PROC_ACCESS       = GR_HIDDEN,
+	GR_PROC_OVERRIDE     = GR_OVERRIDE,
+	GR_PROC_HIDDEN       = GR_HIDDEN,
+		/* Hidden, unkillable(except by init) process.
+		 * Good for hiding your IDSes / logging daemons:)*/
+	GR_PROC_PROTECTED    = GR_PROTECTED,
+	GR_INHERIT           = 0x400, 
+	/* Children inherit parent's process acls*/
+	GR_AUTH              = 0x100,  
+	/* Require secondary authentication before execution*/
+	GR_AUTH_IF_ROOT      = 0x800,
+	/* Require secondary authentication IF the user has root privileges */
+	GR_PROC_INHERIT      = GR_INHERIT,
+	GR_PROC_AUTH         = GR_AUTH,
+	GR_PROC_AUTH_IF_ROOT = GR_AUTH_IF_ROOT,
+	GR_PROC_KILL 	     = 0x1000,
+	GR_PROC_VIEW         = 0x2000,
+	GR_PROC_EXTRA        = (GR_PROC_OVERRIDE|GR_PROC_INHERIT|GR_PROC_AUTH)
+	/* Extra things that must be checked after a search*/
+};
+
+/* To be implemented : ID based rulesets */
+
+enum
+{
+	GR_UID            = 0x01,
+	GR_GID            = 0x02,
+	/* for ID acls(to distinguish between UID and GID) */
+	GR_ALL            = 0x04, 
+	/* for the 1 UID or GID * ACL the user is allowed to set */
+	GR_ID_TPE         = 0x01,
+	GR_ID_FORKBOMB    = 0x02,
+	GR_ID_PTRACE      = 0x04,
+	GR_ID_EXECLOG     = 0x08
+};
+
+
+enum
+{
+	/* For ID acls using ports. Specifies whether a port 
+	 * is for binding or connecting */
+	GR_SOCKET_BIND    = 0x01,
+	GR_SOCKET_CONNECT = 0x02
+};
+
+/* Name hash table declarations. Used when mapping filename->inode/dev
+ * and to tell whether a particular inode/dev/filename triplet has 
+ * a process subject, process label, and/or file label assigned to it */
+enum
+{
+	GR_NAME_PROC_SUBJECT = 0x01,
+	GR_NAME_PROC_OBJECT  = 0x02,
+	GR_NAME_FILE         = 0x04
+};
+
+
+/* If we have an acl for a file that did not exist at initialization,
+ * set the inode/dev pair to something that will not conflict with
+ * anything else (since device 0 is the NULL device we're fine :) */
+enum
+{
+	GR_NOFILE_INODE = 42,
+	GR_NOFILE_DEVICE = 0
+};
+
+#define PROC_CONF	"/etc/grsec/proc.acl"
+#define FILE_CONF	"/etc/grsec/file.acl"
+#define PW_CONF		"/etc/grsec/pw"
+#define ID_CONF		"/etc/grsec/id.acl"
+
+
+#define GRADM_ACL           CONFIG_GRADM_PATH " fxi"
+#define GODMODE_ACL         "/ frwxoi"
+
+enum 
+{
+	SET_AUTH     =        1,
+	SET_INHERIT  =        2,
+	SET_PROC     =        3	
+};
+
+enum
+{
+	PROC_SUBJ_LABEL_OFFSET = 2
+/* The first two labels, position 0 and 1, are authentication and god modes
+ * respectively, therefore all added process subject labels must begin
+ * at offset 2 */
+};
diff -Nru kernel-source-2.4.18/include/linux/grhash.h kernel-source-2.4.18.fixed/include/linux/grhash.h
--- kernel-source-2.4.18/include/linux/grhash.h	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/grhash.h	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,4 @@
+extern void gr_SHA1Init(struct gr_SHA1_CTX *context);
+extern void gr_SHA1Update(struct gr_SHA1_CTX *context, unsigned char *data,unsigned  int len);
+extern void gr_SHA1Final(unsigned char digest[20],struct gr_SHA1_CTX *context);
+extern int chkpw(struct admin_pw *entry);
diff -Nru kernel-source-2.4.18/include/linux/grsecurity.h kernel-source-2.4.18.fixed/include/linux/grsecurity.h
--- kernel-source-2.4.18/include/linux/grsecurity.h	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/grsecurity.h	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,142 @@
+/* * * * * * * * * * * * * * * * * * * *
+ * Main GrSecurity header file
+ * * * * * * * * * * * * * * * * * * * */
+
+/* Because this header file is used by the other sections of the kernel
+ * it defines external functions. The actual code in kernel/gracl.c
+ * uses include/linux/gracl.h. We make sure that that code ignores our
+ * extern declarations to avoid conflicts */
+
+#ifndef GR_ACL_H
+
+#include <linux/dcache.h>
+#include <linux/sysctl.h>
+#include <linux/grdefs.h>
+
+extern int gr_disable;
+extern unsigned long gr_status;
+extern int gr_check_hidden_file(struct dentry *dentry, struct vfsmount *mnt);
+extern int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt);
+extern int gr_search_id(uid_t uid, gid_t gid, __u8 mode);
+extern int gr_search_socket(uid_t uid, gid_t gid, __u8 mode, unsigned int port);
+extern int gr_set_proc_label(struct dentry *dentry,char *filename, struct vfsmount *mnt);
+extern int gr_check_hidden_task(struct task_struct *tsk);
+extern int gr_check_protected_task(struct task_struct *tsk);
+extern int gr_copy_label(struct task_struct *tsk);
+extern int gr_in_auth_mode(void *acl);
+extern int gr_proc_handler(ctl_table *table,int write, struct file *filp, void *buffer, size_t *lenp);
+extern void gr_handle_delete(const ino_t ino, const kdev_t dev);
+extern void gr_handle_create(const char * filename, const struct nameidata *nd);
+extern void gr_set_caps(void);
+extern int gr_check_create(struct dentry * new_dentry, struct dentry * parent,
+		struct vfsmount *mnt, __u16 mode);
+#endif
+
+extern spinlock_t task_capability_lock;
+
+extern __u16 ip_randomid(void);
+
+extern int grsec_enable_link;
+extern int grsec_enable_fifo;    
+extern int grsec_enable_fd;
+extern int grsec_enable_execve;
+extern int grsec_enable_forkbomb;
+extern int grsec_forkbomb_gid;
+extern int grsec_forkbomb_sec;
+extern int grsec_forkbomb_max;
+extern int grsec_enable_execlog;
+extern int grsec_enable_suid;
+extern int grsec_enable_suid_root;
+extern int grsec_enable_signal;
+extern int grsec_enable_coredump;
+extern int grsec_enable_forkfail;
+extern int grsec_enable_time;
+extern int grsec_enable_kbmap;
+extern int grsec_enable_dmesg;
+extern int grsec_enable_chroot_sig;
+extern int grsec_enable_chroot_mount;
+extern int grsec_enable_chroot_double;
+extern int grsec_enable_chroot_chdir;
+extern int grsec_enable_chroot_chmod;
+extern int grsec_enable_chroot_mknod;
+extern int grsec_enable_chroot_ptrace;
+extern int grsec_enable_chroot_nice;
+extern int grsec_enable_chroot_execlog;
+extern int grsec_enable_chroot_caps;
+extern int grsec_enable_tpe;
+extern int grsec_tpe_gid;
+extern int grsec_enable_tpe_glibc;
+extern int grsec_enable_tpe_all; 
+extern int grsec_enable_ptrace; 
+extern int grsec_enable_ptrace_group; 
+extern int grsec_ptrace_gid; 
+extern int grsec_enable_sidcaps;
+extern int grsec_enable_randpid;
+extern int grsec_enable_randid; 
+extern int grsec_enable_randsrc;
+extern int grsec_enable_randrpc;
+extern int grsec_enable_randping;
+extern int grsec_enable_randttl; 
+extern int grsec_enable_socket_all;
+extern int grsec_socket_all_gid;
+extern int grsec_enable_socket_client;
+extern int grsec_socket_client_gid;
+extern int grsec_enable_socket_server; 
+extern int grsec_socket_server_gid; 
+extern int grsec_enable_serial_deny;
+extern int grsec_enable_phys_deny;
+extern int grsec_enable_pseudo_deny;
+extern int grsec_enable_ipc;
+extern int grsec_audit_gid;
+extern int grsec_enable_group;
+extern int grsec_enable_audit_ipc;
+extern int grsec_enable_audit_ptrace;
+extern int grsec_enable_mount;
+extern int grsec_enable_chdir;
+extern int grsec_lock;
+
+extern const char *captab_log[30];
+extern struct task_struct *child_reaper;
+
+#define proc_is_chrooted(tsk_a)  ((tsk_a->fs->root->d_inode->i_dev != \
+			  child_reaper->fs->root->d_inode->i_dev) || \
+			  (tsk_a->fs->root->d_inode->i_ino != \
+			  child_reaper->fs->root->d_inode->i_ino)) 
+
+#define have_same_root(tsk_a,tsk_b) ((tsk_a->fs->root->d_inode->i_dev == \
+			  tsk_b->fs->root->d_inode->i_dev) && \
+			  (tsk_a->fs->root->d_inode->i_ino == \
+			  tsk_b->fs->root->d_inode->i_ino)) 
+
+#define DEFAULTSECMSG "(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) " \
+		      "UID(%d) EUID(%d)"
+
+#define DEFAULTSECARGS current->comm, current->pid, current->uid, \
+		       current->euid, current->p_pptr->comm, \
+		       current->p_pptr->pid, current->p_pptr->uid, \
+		       current->p_pptr->euid
+
+#define CHROOTLONGCHECK t->pid && t->fs && t->fs->root && \
+			t->fs->root->d_inode && t->p_pptr && \
+              		current->pid && current->fs && current->fs->root && \
+			current->fs->root->d_inode && \
+              		current->p_pptr && child_reaper && child_reaper->pid && \
+			child_reaper->fs && child_reaper->fs->root && \
+			child_reaper->fs->root->d_inode && \
+			grsec_enable_chroot_sig
+
+#define is_tty_allowed_for_setid(t_uid,t_uid2,t_uid3,f_name) 		\
+        if(current->tty && (!t_uid || !t_uid2 || !t_uid3) && 		\
+	((grsec_enable_serial_deny && 	 				\
+        (current->tty->driver.type == TTY_DRIVER_TYPE_SERIAL)) || 	\
+	(grsec_enable_pseudo_deny && 					\
+        (current->tty->driver.type == TTY_DRIVER_TYPE_PTY)) || 		\
+	(grsec_enable_phys_deny && 					\
+        (current->tty->driver.type == TTY_DRIVER_TYPE_CONSOLE))) 	\
+        ) { 								\
+                security_alert("attempted " f_name " root on "		\
+				"illegal console by " DEFAULTSECMSG, 	\
+                                "attempted " f_name " roots", 		\
+                                DEFAULTSECARGS); 			\
+                return -EPERM; 						\
+        }
diff -Nru kernel-source-2.4.18/include/linux/kernel.h kernel-source-2.4.18.fixed/include/linux/kernel.h
--- kernel-source-2.4.18/include/linux/kernel.h	2003-05-08 11:24:15.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/kernel.h	2003-09-21 12:22:59.000000000 +0200
@@ -128,6 +128,29 @@
 	((unsigned char *)&addr)[2], \
 	((unsigned char *)&addr)[3]
 
+#if !defined(CONFIG_GR_DEBUG) && defined(CONFIG_GRKERNSEC)
+#define security_alert(normal_msg,flood_msg,args...) \
+({ \
+	static unsigned long warning_time = 0, no_flood_yet = 0; \
+	static spinlock_t security_alert_lock = SPIN_LOCK_UNLOCKED; \
+	\
+	spin_lock(&security_alert_lock); \
+	if(!warning_time || jiffies - warning_time > CONFIG_GRKERNSEC_FLOODTIME * HZ) { \
+	    warning_time = jiffies; no_flood_yet = 1; \
+	    printk(KERN_ALERT "grsec: " normal_msg "\n", ## args); \
+	} else if (no_flood_yet) { \
+	    warning_time = jiffies; no_flood_yet = 0; \
+	    printk(KERN_ALERT "grsec: more " flood_msg \
+		    ", logging disabled for %d seconds\n",CONFIG_GRKERNSEC_FLOODTIME); \
+	} \
+	\
+	spin_unlock(&security_alert_lock); \
+})
+#else
+#define security_alert(normal_msg, flood_msg, args...) \
+printk(KERN_INFO normal_msg "\n", ## args)
+#endif
+
 #define HIPQUAD(addr) \
 	((unsigned char *)&addr)[3], \
 	((unsigned char *)&addr)[2], \
diff -Nru kernel-source-2.4.18/include/linux/mm.h kernel-source-2.4.18.fixed/include/linux/mm.h
--- kernel-source-2.4.18/include/linux/mm.h	2001-12-21 18:42:03.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/linux/mm.h	2003-09-21 12:22:59.000000000 +0200
@@ -103,7 +103,11 @@
 #define VM_DONTEXPAND	0x00040000	/* Cannot expand with mremap() */
 #define VM_RESERVED	0x00080000	/* Don't unmap it from swap_out */
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define VM_STACK_FLAGS  0x00000133 
+#else
 #define VM_STACK_FLAGS	0x00000177
+#endif
 
 #define VM_READHINTMASK			(VM_SEQ_READ | VM_RAND_READ)
 #define VM_ClearReadHint(v)		(v)->vm_flags &= ~VM_READHINTMASK
diff -Nru kernel-source-2.4.18/include/linux/proc_fs.h kernel-source-2.4.18.fixed/include/linux/proc_fs.h
--- kernel-source-2.4.18/include/linux/proc_fs.h	2003-07-26 05:04:56.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/proc_fs.h	2003-09-21 12:22:59.000000000 +0200
@@ -138,6 +138,9 @@
 		struct proc_dir_entry *,kdev_t);
 extern struct proc_dir_entry *proc_mkdir_mode(const char *,mode_t,struct proc_dir_entry *);
 extern struct proc_dir_entry *proc_mkdir(const char *,struct proc_dir_entry *);
+#ifdef CONFIG_GRKERNSEC_PROC
+extern struct proc_dir_entry *proc_priv_mkdir(const char *, mode_t mode, struct proc_dir_entry *);
+#endif
 
 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
 	mode_t mode, struct proc_dir_entry *base, 
diff -Nru kernel-source-2.4.18/include/linux/sched.h kernel-source-2.4.18.fixed/include/linux/sched.h
--- kernel-source-2.4.18/include/linux/sched.h	2003-08-02 01:15:35.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/sched.h	2003-09-21 12:22:59.000000000 +0200
@@ -29,6 +29,7 @@
 
 struct exec_domain;
 
+
 /*
  * cloning flags:
  */
@@ -225,6 +226,12 @@
 	unsigned long cpu_vm_mask;
 	unsigned long swap_address;
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+	unsigned long delta_mmap;		/* PaX: randomized offset */
+	unsigned long delta_exec;		/* PaX: randomized offset */
+	unsigned long delta_stack;		/* PaX: randomized offset */
+#endif
+ 
 	unsigned dumpable:1;
 
 	/* Architecture-specific MM context */
@@ -278,6 +285,14 @@
 extern struct user_struct root_user;
 #define INIT_USER (&root_user)
 
+#ifdef CONFIG_GRKERNSEC_ACL
+struct proc_label_info
+{
+	ino_t inode;
+	kdev_t device;
+};
+#endif
+
 struct task_struct {
 	/*
 	 * offsets of these are hardcoded elsewhere - touch with care
@@ -402,6 +417,12 @@
 	int (*notifier)(void *priv);
 	void *notifier_data;
 	sigset_t *notifier_mask;
+
+#ifdef CONFIG_GRKERNSEC_ACL
+	volatile void * acl;
+	struct proc_label_info proc_info;
+	rwlock_t acl_lock;
+#endif
 	
 /* Thread group tracking */
    	u32 parent_exec_id;
@@ -431,6 +452,13 @@
 
 #define PF_USEDFPU	0x00100000	/* task used FPU this quantum (SMP) */
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+#define PF_PAX_PAGEEXEC       0x01000000      /* PaX: Enforce PAGE_EXEC */
+#define PF_PAX_EMUTRAMP       0x02000000      /* PaX: Emulate trampolines */
+#define PF_PAX_MPROTECT       0x04000000      /* PaX: Restrict mprotect() */
+#define PF_PAX_RANDMMAP       0x08000000      /* PaX: Randomize mmap() base */
+#endif
+
 /*
  * Ptrace flags
  */
@@ -438,9 +466,19 @@
 #define PT_PTRACED	0x00000001
 #define PT_TRACESYS	0x00000002
 #define PT_DTRACE	0x00000004	/* delayed trace (used on m68k, i386) */
+#ifdef CONFIG_GRKERNSEC_STACK
+#define PF_STACKEXEC    0x01000000
+#endif
 #define PT_TRACESYSGOOD	0x00000008
 #define PT_PTRACE_CAP	0x00000010	/* ptracer can follow suid-exec */
 
+#if defined(CONFIG_GRKERNSEC_PAX) || defined(CONFIG_GRKERNSEC_PAX_RANDMMAP)
+/* PaX: for handling DTLB trashing */
+#define PT_PAX_TRACE    0x00000020
+#define PT_PAX_KEEPTF   0x00000040
+#define PT_PAX_OLDTF    0x00000080
+#endif
+
 #define is_dumpable(tsk)	((tsk)->task_dumpable && (tsk)->mm && (tsk)->mm->dumpable)
 
 /*
@@ -463,6 +501,52 @@
  *  INIT_TASK is used to set up the first task table, touch at
  * your own risk!. Base=0, limit=0x1fffff (=2MB)
  */
+#ifdef CONFIG_GRKERNSEC_ACL
+#define INIT_TASK(tsk)	\
+{									\
+    state:		0,						\
+    flags:		0,						\
+    sigpending:		0,						\
+    addr_limit:		KERNEL_DS,					\
+    exec_domain:	&default_exec_domain,				\
+    lock_depth:		-1,						\
+    counter:		DEF_COUNTER,					\
+    nice:		DEF_NICE,					\
+    policy:		SCHED_OTHER,					\
+    mm:			NULL,						\
+    active_mm:		&init_mm,					\
+    cpus_runnable:	-1,						\
+    cpus_allowed:	-1,						\
+    run_list:		LIST_HEAD_INIT(tsk.run_list),			\
+    next_task:		&tsk,						\
+    prev_task:		&tsk,						\
+    p_opptr:		&tsk,						\
+    p_pptr:		&tsk,						\
+    thread_group:	LIST_HEAD_INIT(tsk.thread_group),		\
+    wait_chldexit:	__WAIT_QUEUE_HEAD_INITIALIZER(tsk.wait_chldexit),\
+    real_timer:		{						\
+	function:		it_real_fn				\
+    },									\
+    cap_effective:	CAP_INIT_EFF_SET,				\
+    cap_inheritable:	CAP_INIT_INH_SET,				\
+    cap_permitted:	CAP_FULL_SET,					\
+    keep_capabilities:	0,						\
+    rlim:		INIT_RLIMITS,					\
+    user:		INIT_USER,					\
+    comm:		"swapper",					\
+    thread:		INIT_THREAD,					\
+    fs:			&init_fs,					\
+    files:		&init_files,					\
+    sigmask_lock:	SPIN_LOCK_UNLOCKED,				\
+    sig:		&init_signals,					\
+    pending:		{ NULL, &tsk.pending.head, {{0}}},		\
+    blocked:		{{0}},						\
+    alloc_lock:		SPIN_LOCK_UNLOCKED,				\
+    journal_info:	NULL,                                           \
+    acl:               NULL,                                            \
+    acl_lock:          RW_LOCK_UNLOCKED,                                \
+}
+#else
 #define INIT_TASK(tsk)	\
 {									\
     state:		0,						\
@@ -503,8 +587,12 @@
     pending:		{ NULL, &tsk.pending.head, {{0}}},		\
     blocked:		{{0}},						\
     alloc_lock:		SPIN_LOCK_UNLOCKED,				\
-    journal_info:	NULL,						\
+    journal_info:	NULL,                                           \
 }
+#endif
+
+
+
 
 
 #ifndef INIT_TASK_SIZE
@@ -726,6 +814,10 @@
 	return 0;
 }
 
+#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG
+extern const char *captab_log[30];
+#endif
+
 /*
  * capable() checks for a particular capability.  
  * New privilege checks should use this interface, rather than suser() or
@@ -743,6 +835,16 @@
 		current->flags |= PF_SUPERPRIV;
 		return 1;
 	}
+#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG
+	if(!current->euid)
+		printk(KERN_INFO "grsec: %s not raised for "
+			"(%.16s:%d) UID(%d) EUID(%d), parent (%.16s:%d) "
+                        "UID(%d) EUID(%d)\n", captab_log[cap],
+			current->comm, current->pid, current->uid,
+			current->euid, current->p_pptr->comm,
+			current->p_pptr->pid, current->p_pptr->uid,
+			current->p_pptr->euid);
+#endif
 	return 0;
 }
 
@@ -924,9 +1026,9 @@
 	rootmnt = mntget(current->fs->rootmnt);
 	root = dget(current->fs->root);
 	read_unlock(&current->fs->lock);
-	spin_lock(&dcache_lock);
+//	spin_lock(&dcache_lock);
 	res = __d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
-	spin_unlock(&dcache_lock);
+//	spin_unlock(&dcache_lock);
 	dput(root);
 	mntput(rootmnt);
 	return res;
diff -Nru kernel-source-2.4.18/include/linux/spinlock.h kernel-source-2.4.18.fixed/include/linux/spinlock.h
--- kernel-source-2.4.18/include/linux/spinlock.h	2001-10-24 06:59:06.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/spinlock.h	2003-09-21 12:22:59.000000000 +0200
@@ -41,7 +41,7 @@
 #elif !defined(spin_lock_init) /* !SMP and spin_lock_init not previously
                                   defined (e.g. by including asm/spinlock.h */
 
-#define DEBUG_SPINLOCKS	0	/* 0 == no debugging, 1 == maintain lock state, 2 == full debug */
+#define DEBUG_SPINLOCKS	0     /* 0 == no debugging, 1 == maintain lock state, 2 == full debug */
 
 #if (DEBUG_SPINLOCKS < 1)
 
diff -Nru kernel-source-2.4.18/include/linux/sysctl.h kernel-source-2.4.18.fixed/include/linux/sysctl.h
--- kernel-source-2.4.18/include/linux/sysctl.h	2003-05-17 06:11:52.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/linux/sysctl.h	2003-09-21 12:22:59.000000000 +0200
@@ -124,6 +124,7 @@
 	KERN_CORE_USES_PID=52,		/* int: use core or core.%pid */
 	KERN_TAINTED=53,	/* int: various kernel tainted flags */
 	KERN_CADPID=54,		/* int: PID of the process to notify on CAD */
+        KERN_GRSECURITY=68,              /* grsecurity */
 };
 
 
diff -Nru kernel-source-2.4.18/include/net/inetpeer.h kernel-source-2.4.18.fixed/include/net/inetpeer.h
--- kernel-source-2.4.18/include/net/inetpeer.h	2002-02-25 20:38:13.000000000 +0100
+++ kernel-source-2.4.18.fixed/include/net/inetpeer.h	2003-09-21 12:22:59.000000000 +0200
@@ -14,6 +14,11 @@
 #include <linux/sched.h>
 #include <linux/spinlock.h>
 #include <asm/atomic.h>
+#include <linux/config.h>
+#ifdef CONFIG_GRKERNSEC_RANDID
+extern int grsec_enable_randid;
+extern __u16 ip_randomid(void);
+#endif
 
 struct inet_peer
 {
@@ -58,6 +63,11 @@
 	__u16 id;
 
 	spin_lock_bh(&inet_peer_idlock);
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		id = htons(ip_randomid());
+	else
+#endif
 	id = p->ip_id_count++;
 	spin_unlock_bh(&inet_peer_idlock);
 	return id;
diff -Nru kernel-source-2.4.18/include/net/ip.h kernel-source-2.4.18.fixed/include/net/ip.h
--- kernel-source-2.4.18/include/net/ip.h	2001-04-28 00:49:41.000000000 +0200
+++ kernel-source-2.4.18.fixed/include/net/ip.h	2003-09-21 12:22:59.000000000 +0200
@@ -196,6 +196,11 @@
 		 * does not change, they drop every other packet in
 		 * a TCP stream using header compression.
 		 */
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		iph->id = htons(ip_randomid());
+	else
+#endif
 		iph->id = ((sk && sk->daddr) ? htons(sk->protinfo.af_inet.id++) : 0);
 	} else
 		__ip_select_ident(iph, dst);
diff -Nru kernel-source-2.4.18/init/main.c kernel-source-2.4.18.fixed/init/main.c
--- kernel-source-2.4.18/init/main.c	2002-04-13 10:07:27.000000000 +0200
+++ kernel-source-2.4.18.fixed/init/main.c	2003-09-21 12:22:59.000000000 +0200
@@ -69,6 +69,11 @@
 #include <asm/smp.h>
 #endif
 
+#ifdef CONFIG_GRKERNSEC_ACL
+#include <linux/grsecurity.h>
+#endif
+
+
 /*
  * Versions of gcc older than that listed below may actually compile
  * and link okay, but the end product can have subtle run time bugs.
@@ -110,6 +115,12 @@
 extern void perfmon_init(void);
 #endif
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static __init int gr_setup(char *line);
+#endif
+
+
+
 /*
  * Boot command-line arguments
  */
@@ -316,6 +327,20 @@
 
 __setup("root=", root_dev_setup);
 
+#ifdef CONFIG_GRKERNSEC_ACL
+static int __init gr_setup(char *str) 
+{
+#ifdef CONFIG_GR_DEBUG
+	security_alert("gracl: got %.3s at startup","",str);
+#endif
+	if(  *str == '0' || ( !(strcmp(str,"off")) )  ) 
+		gr_disable = 1;
+	return 1;
+}
+__setup("gracl",gr_setup);
+#endif
+
+
 static int __init checksetup(char *line)
 {
 	struct kernel_param *p;
diff -Nru kernel-source-2.4.18/ipc/msg.c kernel-source-2.4.18.fixed/ipc/msg.c
--- kernel-source-2.4.18/ipc/msg.c	2001-09-14 23:17:00.000000000 +0200
+++ kernel-source-2.4.18.fixed/ipc/msg.c	2003-09-21 12:22:59.000000000 +0200
@@ -23,6 +23,9 @@
 #include <linux/proc_fs.h>
 #include <linux/list.h>
 #include <asm/uaccess.h>
+#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC)
+#include <linux/grsecurity.h>
+#endif
 #include "util.h"
 
 /* sysctl: */
@@ -127,7 +130,14 @@
 		kfree(msq);
 		return -ENOSPC;
 	}
+#ifdef CONFIG_GRKERNSEC_IPC
+	if(grsec_enable_ipc)
+		msq->q_perm.mode = (msgflg & ~current->fs->umask);
+	else
+		msq->q_perm.mode = (msgflg & S_IRWXUGO);
+#else
 	msq->q_perm.mode = (msgflg & S_IRWXUGO);
+#endif
 	msq->q_perm.key = key;
 
 	msq->q_stime = msq->q_rtime = 0;
@@ -326,6 +336,16 @@
 		msg_unlock(id);
 	}
 	up(&msg_ids.sem);
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc && (ret >= 0) && (msgflg & IPC_CREAT))
+		printk(KERN_INFO "grsec: message queue created by " DEFAULTSECMSG "\n", DEFAULTSECARGS);
+#endif
+
 	return ret;
 }
 
@@ -545,8 +565,17 @@
 
 		ipcp->uid = setbuf.uid;
 		ipcp->gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+		if(grsec_enable_ipc)
+			ipcp->mode = (ipcp->mode & ~current->fs->umask) | 
+				(~current->fs->umask & setbuf.mode);
+		else
+			ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | 
+				(S_IRWXUGO & setbuf.mode);
+#else
 		ipcp->mode = (ipcp->mode & ~S_IRWXUGO) | 
 			(S_IRWXUGO & setbuf.mode);
+#endif
 		msq->q_ctime = CURRENT_TIME;
 		/* sleeping receivers might be excluded by
 		 * stricter permissions.
@@ -560,6 +589,14 @@
 		break;
 	}
 	case IPC_RMID:
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc)
+		printk(KERN_INFO "grsec: message queue of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", ipcp->uid,ipcp->cuid, DEFAULTSECARGS);
+#endif
 		freeque (msqid); 
 		break;
 	}
diff -Nru kernel-source-2.4.18/ipc/sem.c kernel-source-2.4.18.fixed/ipc/sem.c
--- kernel-source-2.4.18/ipc/sem.c	2001-09-30 21:26:42.000000000 +0200
+++ kernel-source-2.4.18.fixed/ipc/sem.c	2003-09-21 12:22:59.000000000 +0200
@@ -63,6 +63,9 @@
 #include <linux/init.h>
 #include <linux/proc_fs.h>
 #include <asm/uaccess.h>
+#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC)
+#include <linux/grsecurity.h>
+#endif
 #include "util.h"
 
 
@@ -135,7 +138,14 @@
 	}
 	used_sems += nsems;
 
+#ifdef CONFIG_GRKERNSEC_IPC
+	if(grsec_enable_ipc)
+		sma->sem_perm.mode = (semflg & ~current->fs->umask);
+	else
+		sma->sem_perm.mode = (semflg & S_IRWXUGO);
+#else
 	sma->sem_perm.mode = (semflg & S_IRWXUGO);
+#endif
 	sma->sem_perm.key = key;
 
 	sma->sem_base = (struct sem *) &sma[1];
@@ -181,6 +191,15 @@
 	}
 
 	up(&sem_ids.sem);
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc && (err >= 0) && (semflg & IPC_CREAT))
+		printk(KERN_INFO "grsec: semaphore created by " DEFAULTSECMSG "\n", DEFAULTSECARGS);
+#endif
 	return err;
 }
 
@@ -727,14 +746,31 @@
 
 	switch(cmd){
 	case IPC_RMID:
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc)
+		printk(KERN_INFO "grsec: semaphore of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", ipcp->uid, ipcp->cuid, DEFAULTSECARGS);
+#endif
 		freeary(semid);
 		err = 0;
 		break;
 	case IPC_SET:
 		ipcp->uid = setbuf.uid;
 		ipcp->gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+		if(grsec_enable_ipc)
+			ipcp->mode = (ipcp->mode & ~current->fs->umask)
+					| (setbuf.mode & ~current->fs->umask);
+		else
+			ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
+					| (setbuf.mode & S_IRWXUGO);
+#else
 		ipcp->mode = (ipcp->mode & ~S_IRWXUGO)
 				| (setbuf.mode & S_IRWXUGO);
+#endif
 		sma->sem_ctime = CURRENT_TIME;
 		sem_unlock(semid);
 		err = 0;
diff -Nru kernel-source-2.4.18/ipc/shm.c kernel-source-2.4.18.fixed/ipc/shm.c
--- kernel-source-2.4.18/ipc/shm.c	2001-12-21 18:42:04.000000000 +0100
+++ kernel-source-2.4.18.fixed/ipc/shm.c	2003-09-21 12:22:59.000000000 +0200
@@ -23,6 +23,9 @@
 #include <linux/mman.h>
 #include <linux/proc_fs.h>
 #include <asm/uaccess.h>
+#if defined(CONFIG_GRKERNSEC_IPC) || defined(CONFIG_GRKERNSEC_AUDIT_IPC)
+#include <linux/grsecurity.h>
+#endif
 
 #include "util.h"
 
@@ -202,7 +205,14 @@
 	if(id == -1) 
 		goto no_id;
 	shp->shm_perm.key = key;
+#ifdef CONFIG_GRKERNSEC_IPC
+	if(grsec_enable_ipc)
+		shp->shm_flags = (shmflg & ~current->fs->umask);
+	else
+		shp->shm_flags = (shmflg & S_IRWXUGO);
+#else
 	shp->shm_flags = (shmflg & S_IRWXUGO);
+#endif	
 	shp->shm_cprid = current->pid;
 	shp->shm_lprid = 0;
 	shp->shm_atim = shp->shm_dtim = 0;
@@ -252,6 +262,15 @@
 		shm_unlock(id);
 	}
 	up(&shm_ids.sem);
+
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc && (err >= 0) && (shmflg & IPC_CREAT))
+		printk(KERN_INFO "grsec: shared memory of size %d created by " DEFAULTSECMSG "\n", size, DEFAULTSECARGS);
+#endif
 	return err;
 }
 
@@ -507,6 +526,16 @@
 			err=-EPERM;
 			goto out_unlock_up;
 		}
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+        if(
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+        grsec_enable_group && in_group_p(grsec_audit_gid) &&
+#endif
+	grsec_enable_audit_ipc && !err)
+                printk(KERN_INFO "grsec: shared memory of uid:%d euid:%d removed by " DEFAULTSECMSG "\n", shp->shm_perm.uid, shp->shm_perm.cuid, DEFAULTSECARGS);
+#endif
+
+
 		if (shp->shm_nattch){
 			shp->shm_flags |= SHM_DEST;
 			/* Do not find it any more */
@@ -541,8 +570,17 @@
 
 		shp->shm_perm.uid = setbuf.uid;
 		shp->shm_perm.gid = setbuf.gid;
+#ifdef CONFIG_GRKERNSEC_IPC
+		if(grsec_enable_ipc)
+			shp->shm_flags = (shp->shm_flags & ~current->fs->umask)
+				| (setbuf.mode & ~current->fs->umask);
+		else
+			shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO)
+				| (setbuf.mode & S_IRWXUGO);
+#else
 		shp->shm_flags = (shp->shm_flags & ~S_IRWXUGO)
 			| (setbuf.mode & S_IRWXUGO);
+#endif
 		shp->shm_ctim = CURRENT_TIME;
 		break;
 	}
diff -Nru kernel-source-2.4.18/kernel/Makefile kernel-source-2.4.18.fixed/kernel/Makefile
--- kernel-source-2.4.18/kernel/Makefile	2001-09-17 06:22:40.000000000 +0200
+++ kernel-source-2.4.18.fixed/kernel/Makefile	2003-09-21 12:22:59.000000000 +0200
@@ -14,11 +14,12 @@
 obj-y     = sched.o dma.o fork.o exec_domain.o panic.o printk.o \
 	    module.o exit.o itimer.o info.o time.o softirq.o resource.o \
 	    sysctl.o acct.o capability.o ptrace.o timer.o user.o \
-	    signal.o sys.o kmod.o context.o
+	    signal.o sys.o grsecurity.o kmod.o context.o
 
 obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += ksyms.o
 obj-$(CONFIG_PM) += pm.o
+obj-$(CONFIG_GRKERNSEC_ACL) += gracl.o grhash.o
 
 ifneq ($(CONFIG_IA64),y)
 # According to Alan Modra <alan@linuxcare.com.au>, the -fno-omit-frame-pointer is
diff -Nru kernel-source-2.4.18/kernel/fork.c kernel-source-2.4.18.fixed/kernel/fork.c
--- kernel-source-2.4.18/kernel/fork.c	2003-07-26 05:05:07.000000000 +0200
+++ kernel-source-2.4.18.fixed/kernel/fork.c	2003-09-21 12:22:59.000000000 +0200
@@ -22,6 +22,11 @@
 #include <linux/personality.h>
 #include <linux/mman.h>
 
+#if defined(CONFIG_GRKERNSEC_FORKFAIL)||defined(CONFIG_GRKERNSEC_RANDPID) \
+ || defined(CONFIG_GRKERNSEC_FORKBOMB) || defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
+
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
 #include <asm/uaccess.h>
@@ -94,32 +99,62 @@
 
 	spin_lock(&lastpid_lock);
 	if((++last_pid) & 0xffff8000) {
+#ifdef CONFIG_GRKERNSEC_RANDPID
+	if(!grsec_enable_randpid || (current->p_pptr->pid < 1))
+#endif
 		last_pid = 300;		/* Skip daemons etc. */
 		goto inside;
 	}
-	if(last_pid >= next_safe) {
+	if(last_pid >= 
+#ifdef CONFIG_GRKERNSEC_RANDPID
+	(grsec_enable_randpid && (current->p_pptr->pid >= 1))?2:
+#endif
+	next_safe) {
 inside:
+#ifdef CONFIG_GRKERNSEC_RANDPID
+	if(!grsec_enable_randpid || (current->p_pptr->pid < 1))
+#endif
 		next_safe = PID_MAX;
 		read_lock(&tasklist_lock);
 	repeat:
+#ifdef CONFIG_GRKERNSEC_RANDPID
+	if (grsec_enable_randpid && (current->p_pptr->pid >= 1)) {
+		do {
+			last_pid = ip_randomid() % PID_MAX;
+		} while (last_pid <= 1);
+	}
+#endif
+
 		for_each_task(p) {
 			if(p->pid == last_pid	||
 			   p->pgrp == last_pid	||
 			   p->tgid == last_pid	||
 			   p->session == last_pid) {
-				if(++last_pid >= next_safe) {
+				if(
+#ifdef CONFIG_GRKERNSEC_RANDPID
+				(!grsec_enable_randpid || 
+				(current->p_pptr->pid < 1)) &&
+#endif
+				++last_pid >= next_safe) {
 					if(last_pid & 0xffff8000)
 						last_pid = 300;
 					next_safe = PID_MAX;
 				}
 				goto repeat;
 			}
+#ifdef CONFIG_GRKERNSEC_RANDPID
+                       if(!grsec_enable_randpid || 
+			(current->p_pptr->pid < 1)){
+#endif
 			if(p->pid > last_pid && next_safe > p->pid)
 				next_safe = p->pid;
 			if(p->pgrp > last_pid && next_safe > p->pgrp)
 				next_safe = p->pgrp;
 			if(p->session > last_pid && next_safe > p->session)
 				next_safe = p->session;
+#ifdef CONFIG_GRKERNSEC_RANDPID
+			}
+#endif
 		}
 		read_unlock(&tasklist_lock);
 	}
@@ -622,6 +657,39 @@
 	int retval;
 	struct task_struct *p;
 	struct completion vfork;
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+	int fork_user;
+	int sec_forks = 0;
+	int user_tasks = 0;
+	unsigned long curr_time = jiffies;
+
+fork_user = current->uid;
+if(grsec_enable_forkbomb) {
+if(in_group_p(grsec_forkbomb_gid) && fork_user){
+        read_lock(&tasklist_lock);
+        for_each_task(p)
+        {
+                if ((p->uid) == fork_user)
+                {
+                user_tasks++;
+                if ( (curr_time - (p->start_time)) <= 100)
+                        sec_forks++;
+                }
+        }
+        read_unlock(&tasklist_lock);
+
+       if (user_tasks >= grsec_forkbomb_max){
+	security_alert("max process limit reached with "
+		DEFAULTSECMSG,"max proc limits reached",DEFAULTSECARGS);
+	return(kill_pg(current->pgrp,SIGKILL,0));
+       } else if (sec_forks >= grsec_forkbomb_sec){
+	security_alert("fork rate-limit reached with "
+		DEFAULTSECMSG,"fork rate-limits reached", DEFAULTSECARGS);
+	return(kill_pg(current->pgrp,SIGKILL,0));
+       }
+}
+}
+#endif
 
 	retval = -EPERM;
 
@@ -725,6 +793,11 @@
 		goto bad_fork_cleanup_fs;
 	if (copy_mm(clone_flags, p))
 		goto bad_fork_cleanup_sighand;
+#if CONFIG_GRKERNSEC_ACL
+	if (gr_copy_label(p))
+	    goto bad_fork_cleanup_sighand;
+#endif
+
 	retval = copy_thread(0, clone_flags, stack_start, stack_size, p, regs);
 	if (retval)
 		goto bad_fork_cleanup_mm;
@@ -811,6 +884,11 @@
 	free_uid(p->user);
 bad_fork_free:
 	free_task_struct(p);
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+	if(grsec_enable_forkfail)
+    		security_alert("failed fork with errno %d by " DEFAULTSECMSG,
+                  	       "failed forks",retval, DEFAULTSECARGS);
+#endif
 	goto fork_out;
 }
 
diff -Nru kernel-source-2.4.18/kernel/gracl.c kernel-source-2.4.18.fixed/kernel/gracl.c
--- kernel-source-2.4.18/kernel/gracl.c	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/gracl.c	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,2415 @@
+/* 
+ * linux/kernel/gracl.c
+ * Copyright Michael Dalton, 2000, 2001, 2002
+ *
+ */
+
+/*
+ * Reimplemented pretty much everything. dynamic hash tables rock.
+ * 2/23/2001 - <michael@grsecurity.net>
+ */
+
+/* The ACLs here can be thought of as a lattice of 
+ * type, program, and UID/GID. When attempting to access
+ * X, we check X's restrction(file restrictions for file labels, 
+ * in later versions, socket/port restrictions for their respective type),
+ * as well as the program accessing X's restrctions, and the user running
+ * that program's restrction.
+ * So for X, P(X), and U(X) where P(X) is the process running X and
+ * U(X) is the User running P(X), 
+ * Permission Check(X) && Permission Check(P(X)) && Permission Check(U(X))
+ * must all succeed for the action to be allowed. See documentation
+ * for more information:). */
+
+
+#include <linux/kernel.h>
+#include <linux/mm.h>
+#include <linux/ctype.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grhash.h>
+#include <linux/sysctl.h>
+
+static struct proc_subject_db		proc_subj_set;
+static struct proc_object_db     	proc_obj_set;      
+static struct file_db 	   		file_set;
+static struct name_db			name_set;
+
+
+static rwlock_t 			gr_list_lock = RW_LOCK_UNLOCKED;
+
+unsigned long gr_status = 		GR_STATUS_INIT;
+
+int gr_disable =			0;
+
+struct admin_pw 			pwent;
+static struct capset 			caplist =
+{
+	{
+		{ "CAP_CHOWN", CAP_CHOWN},
+                { "CAP_DAC_OVERRIDE",CAP_DAC_OVERRIDE},
+                { "CAP_DAC_READ_SEARCH",CAP_DAC_READ_SEARCH},
+                { "CAP_FOWNER", CAP_FOWNER},
+                { "CAP_FSETID", CAP_FSETID},
+                { "CAP_FS_MASK",CAP_FS_MASK},
+                { "CAP_KILL", CAP_KILL},
+                { "CAP_SETGID", CAP_SETGID},
+                { "CAP_SETUID", CAP_SETUID},
+                { "CAP_SETPCAP", CAP_SETPCAP},
+                { "CAP_LINUX_IMMUTABLE", CAP_LINUX_IMMUTABLE},
+                { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE},
+                { "CAP_NET_BROADCAST", CAP_NET_BROADCAST},
+                { "CAP_NET_ADMIN", CAP_NET_ADMIN},
+                { "CAP_NET_RAW", CAP_NET_RAW},
+                { "CAP_IPC_LOCK", CAP_IPC_LOCK},
+                { "CAP_IPC_OWNER", CAP_IPC_OWNER},
+                { "CAP_SYS_MODULE", CAP_SYS_MODULE},
+                { "CAP_SYS_RAWIO", CAP_SYS_RAWIO},
+                { "CAP_SYS_CHROOT", CAP_SYS_CHROOT},
+                { "CAP_SYS_PTRACE", CAP_SYS_PTRACE},
+                { "CAP_SYS_PACCT", CAP_SYS_PACCT},
+                { "CAP_SYS_ADMIN", CAP_SYS_ADMIN},
+		{ "CAP_SYS_BOOT", CAP_SYS_BOOT},
+                { "CAP_SYS_NICE", CAP_SYS_NICE},
+                { "CAP_SYS_RESOURCE", CAP_SYS_RESOURCE},
+                { "CAP_SYS_TIME", CAP_SYS_TIME},
+                { "CAP_SYS_TTY_CONFIG", CAP_SYS_TTY_CONFIG},
+                { "CAP_MKNOD", CAP_MKNOD},
+                { "CAP_LEASE", CAP_LEASE}
+	}
+};
+
+
+
+static struct proc_subject_label 		god = 
+					{ 
+						inode : 1,
+						mode: GR_PROC_KILL
+							      |GR_PROC_VIEW,
+						cap_raise:	CAP_FULL_SET,
+							
+					};
+static struct proc_subject_label 		auth =
+					{ 
+						inode:  2,
+						pos:    1
+					};
+
+extern kdev_t 				ROOT_DEV;
+
+static unsigned long table_sizes [] = 
+{
+	1,2,3,7,13,31,61,127,
+	251,509,1021,2039,4093,8191,16381,32749,
+	65521,131071,262139,524287,1048573,2097143,
+	4194301,8388593,16777213,33554393,67108859,
+	134217689,268435399,536870909,1073741789,
+	2147483647
+
+};
+
+/* The table_sizes array maps requests for tables of size 2^0 through 2^31
+ * Starting at 2^2 all requests are met with prime numbers. We stop at 2^31
+ * for sanity's sake, and since most machines use 32-bit words. Extending
+ * this to 64-bit words would be trivial. After a request for tables of
+ * 2^31 in size, we simply return the previous table size * 2. For
+ * empirical information on this, see Algorithms in C, Vol. 3
+ * (Sedgewick, 606) which details a setup with dynamic hash tables and
+ * linear probing, much like our setup. Notice that our prime number
+ * sizes are table_sizes[n] is the prime number closest to but < 2^n 
+ * For example table_sizes[7] = 127 and 2^7 = 128 */
+
+
+static void realloc_proc_object_table(unsigned long pwr);
+static void realloc_proc_subject_table(unsigned long pwr);
+static void realloc_file_table(unsigned long pwr);
+static void realloc_name_table(unsigned long pwr);
+#ifdef CONFIG_GR_SUPERDEBUG
+static void list_procs(void);
+static void list_files(void);
+static void list_names(void);
+#endif
+
+static __inline__ struct proc_subject_label * lookup_proc_subj_label(const 
+		ino_t ino, const kdev_t dev)
+{
+	struct proc_subject_label * match = 
+		&proc_subj_set.proc_hash[fhash(ino,dev,proc_subj_set.proc_size)];
+	while(match->inode != ino || match->device !=dev)
+	{
+		match += 1 % proc_subj_set.proc_size;
+		if(!(match->mode & GR_EXISTS)) break;
+	}
+	return ( (match->inode == ino) && (match->device == dev) ) 
+		? match : NULL;
+}
+
+
+static __inline__ struct proc_object_label * lookup_proc_obj_label(const 
+		ino_t ino, const kdev_t dev, const unsigned long parent_pos)
+{
+	struct proc_object_label * match = 
+		&proc_obj_set.proc_hash[phash(ino,dev,parent_pos,
+				proc_obj_set.proc_size)];
+	while(match->inode != ino || match->device != dev 
+			|| match->parent_pos != parent_pos)
+	{
+		match += 1 % proc_obj_set.proc_size;
+		if(!(match->mode & GR_EXISTS)) break;
+	}
+	return ( (match->inode == ino) && (match->device == dev)
+		&& (match->parent_pos == parent_pos) )? match : NULL;
+}
+
+
+static __inline__ struct file_label * lookup_file_label(const ino_t ino,
+		const kdev_t dev)
+{
+	struct file_label * match = 
+		&file_set.file_hash[fhash(ino,dev,file_set.file_size)];
+	while(match->inode != ino || match->device !=dev)
+	{
+		match += 1 % file_set.file_size;
+		if(!(match->mode & GR_EXISTS)) break;
+	}
+	return ( (match->inode == ino) && (match->device == dev) ) 
+		? match : NULL;
+}
+
+static __inline__ struct name_entry * lookup_name_entry(const char * name)
+{
+	struct name_entry * match =
+		&name_set.name_hash[nhash(name,name_set.name_size)];
+	while( (match->mode & GR_EXISTS) && (strcmp(match->name,name)) != 0) 
+	{
+		match += 1 % name_set.name_size;
+	}
+	if(!match->name) return NULL;
+	return ( (strcmp(name,match->name)) == 0 ) ? match : NULL;
+}
+
+static int insert_proc_obj_label(struct proc_object_label *obj, 
+		const char * conffile, unsigned int linenum)
+{
+        static int reallocs; /* the bss is set to 0 on boot..no need to do = 0 */
+	struct proc_object_label * curr  =
+		&proc_obj_set.proc_hash[phash(obj->inode,obj->device,
+		obj->parent_pos,proc_obj_set.proc_size)];
+	unsigned long old_size = proc_obj_set.proc_size;
+       while(curr->mode & GR_EXISTS)
+       {
+#ifdef CONFIG_GR_DEBUG
+	       static int once = 0;
+	       if(!once)
+	       {
+		security_alert("Hey, I had a process object label collision(I am %ld "
+			"%d)","",obj->inode,obj->device);
+			once = 1;
+	       }
+#endif
+	       if(curr->inode == obj->inode && curr->device == obj->device
+			       && curr->parent_pos == obj->parent_pos)
+	       {
+		       security_alert("Duplicate entries in config file %s"
+				       " at line %d","duplicate entries",
+				       conffile,linenum);
+			       return 1;
+	       }
+		curr = ++curr > &proc_obj_set.proc_hash[proc_obj_set.proc_size-1]
+			? proc_obj_set.proc_hash : curr;
+	}
+        curr->inode = obj->inode;
+	curr->device = obj->device;
+	curr->mode = obj->mode;
+	curr->parent_pos = obj->parent_pos;
+	if(++proc_obj_set.proc_used >= (proc_obj_set.proc_size / 2))
+	{
+		realloc_proc_object_table(GR_TABLE_SIZE + ++reallocs);
+		if(proc_obj_set.proc_size == old_size)
+		{
+			/* Hey..the reallocation failed..we're out of memory
+			 * so we are unable to add any more process MAC labels*/
+			gr_status |= GR_PROCFULL;
+		}
+	}
+			
+	return 0;
+
+}
+	
+
+static int insert_proc_subj_label(struct proc_subject_label *obj,
+		const char * conffile, unsigned int linenum)
+{
+	static int reallocs;
+	struct proc_subject_label * curr  =
+		&proc_subj_set.proc_hash[fhash(obj->inode,obj->device,
+		proc_subj_set.proc_size)];
+	unsigned long old_size = proc_subj_set.proc_size;
+       while(curr->mode & GR_EXISTS) 
+       {
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Hey, I had a process subject label collision(I am %ld "
+			"%d )","",curr->inode,curr->device);
+#endif
+		if(curr->inode == obj->inode && curr->device == obj->device)
+		{
+			security_alert("Duplicate entries in config file %s "
+					"at line %d","duplicate entries",
+					conffile,linenum);
+			return 1;
+		}
+
+		curr = ++curr > &proc_subj_set.proc_hash
+		[proc_subj_set.proc_size-1] ? proc_subj_set.proc_hash : curr;
+	}
+        curr->inode = obj->inode;
+	curr->device = obj->device;
+	curr->cap_raise = obj->cap_raise;
+	curr->cap_lower = obj->cap_lower;
+	curr->cap_raise_inherit = obj->cap_raise_inherit;
+	curr->cap_lower_inherit = obj->cap_lower_inherit;
+	curr->mode = obj->mode;
+	curr->pos = obj->pos;
+	if(++proc_subj_set.proc_used >= (proc_subj_set.proc_size / 2))
+	{
+		realloc_proc_subject_table(GR_TABLE_SIZE + ++reallocs);
+		if(proc_subj_set.proc_size == old_size)
+			gr_status |= GR_PROCFULL;
+	}
+
+	return 0;
+
+}
+
+static int insert_file_label(struct file_label *obj, const char * conffile, 
+		unsigned int linenum)
+{
+	static int reallocs;
+	struct file_label * curr  =
+		&file_set.file_hash[fhash(obj->inode,obj->device,
+		file_set.file_size)];
+	unsigned long old_size = file_set.file_size;
+       while(curr->mode & GR_EXISTS)
+       {
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Hey, I had a file label collision(I am %ld %d )","",
+				curr->inode,curr->device);
+#endif
+		if(curr->inode == obj->inode && curr->device == obj->device)
+		{
+			security_alert("Duplicate entries in config file %s"
+					" at line %d","duplicate entries",
+					conffile,linenum);
+			return 1;
+		}
+		curr = ++curr > &file_set.file_hash[file_set.file_size - 1] ?
+			file_set.file_hash : curr;
+	}  
+	curr->inode = obj->inode;
+	curr->device = obj->device;
+	curr->mode = obj->mode;
+
+	if(++file_set.file_used >= (file_set.file_size / 2))
+	{
+		realloc_file_table(GR_TABLE_SIZE + ++reallocs);
+		if(file_set.file_size == old_size)
+			gr_status |= GR_FILEFULL;
+	}
+	return 0;
+}
+
+
+static int insert_name_entry(char *name, ino_t ino,kdev_t dev, __u8 mode)
+		
+{
+	static int reallocs;
+	struct name_entry * curr  =
+		&name_set.name_hash[nhash(name,name_set.name_size)];
+	unsigned long old_size = name_set.name_size;
+       while(curr->mode & GR_EXISTS)
+       {
+		if(!(strcmp(name,curr->name))) break;
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Hey, I had a name entry collision(I am %s and "
+			"I collided with %s)","",
+				name,curr->name);
+#endif
+		curr = ++curr > &name_set.name_hash[name_set.name_size - 1] ?
+			name_set.name_hash : curr;
+	}  
+       
+       /* Duplicate entries are actually expected here..the same filename
+	* might be associated with a process subject acl and a file acl
+	* for instance */
+
+	curr->inode = ino;
+	curr->device = dev;
+	curr->mode |= mode;
+	if(!curr->name)
+	{
+		curr->name = kmalloc(strlen(name) + 1,GFP_KERNEL);
+		if(!curr->name) return 1;
+		strncpy(curr->name,name,strlen(name)+1);
+		curr->name[strlen(name)] = '\0';
+	}
+
+	if((++name_set.name_used >= name_set.name_size / 2))
+	{
+		realloc_name_table(GR_TABLE_SIZE + ++reallocs);
+		if(name_set.name_size == old_size)
+			gr_status |= GR_NAMEFULL;
+	}
+	return 0;
+}
+
+
+
+/* Create a table(requesting size close to 2^pwr entrie of member size)
+ * and replace the current table size with the new one.
+ * We use prime table sizes until we reach the bounds of 32-bit word machines 
+ * Once we reach there we simply double the table size */
+
+
+static void * create_table(unsigned long pwr, unsigned long * len, unsigned long member)
+{
+	void * newtable;
+	if(pwr > (sizeof(table_sizes)/sizeof(table_sizes[0]) - 1))
+	{
+		newtable = kmalloc((*len) * 2 * member,GFP_KERNEL);
+		*len = (*len) * 2;
+	}
+	else
+	{
+		newtable = kmalloc(table_sizes[pwr] * member,GFP_KERNEL);
+		*len = table_sizes[pwr];
+	}
+	return newtable;
+}
+
+
+static void realloc_proc_object_table(unsigned long pwr)
+{
+	struct proc_object_label * oldtable = proc_obj_set.proc_hash;
+	unsigned long oldlen = proc_obj_set.proc_size;
+	int i;
+
+	proc_obj_set.proc_hash = (struct proc_object_label *) create_table(pwr,
+			&proc_obj_set.proc_size,
+			sizeof(struct proc_object_label));
+	if(!proc_obj_set.proc_hash) 
+	{
+		proc_obj_set.proc_hash = oldtable;
+		proc_obj_set.proc_size = oldlen;
+		return;
+	}
+	memset(proc_obj_set.proc_hash,0,
+		(sizeof(struct proc_object_label) * (proc_obj_set.proc_size)));
+	for(i = 0; i < oldlen; i++)
+	{
+		if(oldtable[i].mode & GR_EXISTS) 
+		{
+			insert_proc_obj_label(&oldtable[i],"error",0);
+		}
+	}
+	
+	kfree(oldtable);
+	return;
+}
+
+
+static void realloc_proc_subject_table(unsigned long pwr)
+{
+	struct proc_subject_label * oldtable = proc_subj_set.proc_hash;
+	unsigned long oldlen = proc_subj_set.proc_size;
+	int i;
+
+
+	proc_subj_set.proc_hash = (struct proc_subject_label *) create_table(pwr,&proc_subj_set.proc_size,sizeof(struct proc_subject_label));
+	if(!proc_subj_set.proc_hash)
+	{
+		proc_subj_set.proc_hash = oldtable;
+		proc_subj_set.proc_size = oldlen;
+		return;
+	}
+	
+	memset(proc_subj_set.proc_hash,0,
+		(sizeof(struct proc_subject_label) * (proc_subj_set.proc_size)));
+	for(i = 0; i < oldlen; i++)
+		if(oldtable[i].mode & GR_EXISTS)
+		{
+		insert_proc_subj_label(&oldtable[i],"error",0);
+		}
+	kfree(oldtable);
+	return;
+}
+
+static void realloc_file_table(unsigned long pwr)
+{
+	struct file_label * oldtable = file_set.file_hash;
+	unsigned long oldlen = file_set.file_size;
+	int i;
+
+
+	file_set.file_hash = (struct file_label *) create_table(pwr,
+			&file_set.file_size,sizeof(struct file_label));
+	if(!file_set.file_hash)
+	{
+		file_set.file_hash = oldtable;
+		file_set.file_size = oldlen;
+		return;
+	}
+	
+	memset(file_set.file_hash,0,
+			(sizeof(struct file_label) * (file_set.file_size)));
+	for(i = 0; i < oldlen; i++)
+		if(oldtable[i].mode & GR_EXISTS)
+		{
+		insert_file_label(&oldtable[i],"error",0);
+		}
+	kfree(oldtable);
+	return;
+}
+
+
+static void realloc_name_table(unsigned long pwr)
+{
+	struct name_entry * oldtable = name_set.name_hash;
+	unsigned long oldlen = name_set.name_size;
+	int i;
+
+
+	name_set.name_hash = (struct name_entry *) create_table(pwr,
+			&name_set.name_size,sizeof(struct name_entry));
+	if(!name_set.name_hash)
+	{
+		name_set.name_hash = oldtable;
+		name_set.name_size = oldlen;
+		return;
+	}
+	
+	memset(name_set.name_hash,0,
+			(sizeof(struct name_entry) * (name_set.name_size)));
+	for(i = 0; i < oldlen; i++)
+		if(oldtable[i].mode & GR_EXISTS)
+		{
+		insert_name_entry(oldtable[i].name,oldtable[i].inode,
+				oldtable[i].device,oldtable[i].mode);
+		kfree(oldtable[i].name);
+		}
+	kfree(oldtable);
+	return;
+}
+
+
+#ifdef CONFIG_GR_SUPERDEBUG
+
+static void list_names(void)
+{
+	int i;
+	struct name_entry * curr;
+
+	for(i = 0; i < name_set.name_size;i++)
+	{
+		curr = &name_set.name_hash[i];
+		if( curr->mode & GR_EXISTS)
+			security_alert("Name Entry pos %d has inode %ld dev %d "
+					"mode %x name %s","",i,curr->inode,
+					curr->device,curr->mode,curr->name);
+	}
+}
+		
+static void list_files(void)
+{
+	int i; 
+	struct file_label *curr;
+	for(i=0;i<file_set.file_size;i++) 
+	{
+		curr = &file_set.file_hash[i];
+		if( curr->mode & GR_EXISTS) 
+			security_alert("File ACL pos %d has inode %ld dev %d mode %x","",
+					i,curr->inode,curr->device,
+					curr->mode);
+	}
+}
+
+static void list_procs(void) 
+{
+	int i;
+	struct proc_subject_label * curr;
+	struct proc_object_label *curr2;
+	for(i = 0; i < proc_subj_set.proc_size; i++)
+	{
+		curr = &proc_subj_set.proc_hash[i];
+		if(curr->mode & GR_EXISTS)
+			security_alert("MAC Subject pos %d has inode %ld dev %d "
+					"mode %x pos %ld","",i,curr->inode,
+					curr->device,
+					curr->mode,curr->pos);
+	}
+	for(i = 0; i < proc_obj_set.proc_size;i++) 
+	{
+		curr2 = &proc_obj_set.proc_hash[i];
+		if(curr2->mode & GR_EXISTS)
+			security_alert("MAC Object pos %d has inode %ld dev %d mode %x"
+					" parent %ld","",i,curr2->inode,curr2->device,curr2->mode,
+					curr2->parent_pos);
+	}
+
+
+}
+
+
+#else
+#define list_procs() do {} while(0);
+#define list_files() do{} while(0);
+#endif
+
+/* * * * * * * * * * * * * * * * * * * * * * * * * * *
+ * Config file management
+ * Yikes! If anyone has cleanup ideas I'd love to hear em
+ * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+
+static kernel_cap_t cap_conv(char *p)
+{
+	kernel_cap_t cap;
+	int i;
+	char tmp;
+	char *q;
+	cap_t(cap) = 0;
+	if(!p) return cap;
+	if( (q = memscan(p,'\n',strlen(p))) != p + strlen(p))
+		*q = '\0';
+
+	while(isspace(*p)) p++;
+	if( (strncmp(p,"CAP",3)) != 0) 
+		goto out;
+
+	q = p;
+	while(!isspace(*q) && (*q != '\0')) q++;
+	tmp = *q;
+	*q = '\0';
+
+	for(i=0;i<CAP_COUNT;i++)
+	{
+		if(!(strcmp(p,caplist.table[i].capname))) 
+		{
+			cap_t(cap) = CAP_TO_MASK(caplist.table[i].capval);
+			*q = tmp;
+			return cap;
+		}
+	}
+	*q = tmp;
+out:
+	return cap;
+}
+
+
+static __inline__ int is_blank(char * line)
+{
+	/* We don't want to give config parse errors on blank lines */
+	int i;
+	int retval = 0;
+
+	for(i = 0; i < strlen(line); i++)
+		if(isalpha(line[i]) || line[i] == '/')
+			retval = 1;
+	if(!(strlen(line)))
+		retval = 1;
+	return retval;
+}
+
+static __inline__ int is_valid_line(char *line)
+{
+	int i;
+	int retval = 1;
+	for(i=0;i<strlen(line);i++)
+		if(!(isprint(line[i]) || isspace(line[i]) || (line[i] == '/')
+			|| (line[i] == '{') || (line[i] == '}') 
+			|| (line[i] == '#') || (line[i] == '+')
+			|| (line[i] == '+') || (line[i] == '-')))
+			retval = 0;
+	return retval;
+}
+
+static int add_pw_conf(void)
+{
+	struct file *filp;
+	int retval;
+	mm_segment_t old_fs = get_fs();
+	filp = filp_open(PW_CONF, O_RDONLY, O_RDONLY);
+	if( ( IS_ERR(filp) ) || (filp == NULL) || (!(filp->f_op->read)) )
+	{
+		security_alert("Could not open config file %.1024s", 
+				"config file open errors",
+				PW_CONF);
+		return 1;
+	}
+	filp->f_pos = 0;
+	set_fs(KERNEL_DS);
+	retval = filp->f_op->read(filp,pwent.sum,sizeof(pwent.sum)/sizeof(pwent.sum[0]),
+			&filp->f_pos);
+	set_fs(old_fs);
+	if(retval != sizeof(pwent.sum)/sizeof(pwent.sum[0])) 
+	{
+		security_alert("Invalid pw entry detected, got %d wanted %d",
+				"password file errors",
+				retval,sizeof(pwent.sum));
+		retval = 1;
+	} else retval = 0;
+	filp_close(filp,NULL);
+	return retval;
+}
+
+static int add_file_label(char *line, const char *conffile, unsigned int linenum) 
+{
+	char *p, *q;
+	struct nameidata filedata;
+	int working = 1;
+	int null_perms = 0;
+	struct file_label curr;
+
+	if( (p = memscan(line,'/',strlen(line))) == line + strlen(line) ) 
+	{
+		if(is_blank(line))
+			return 0;
+		else {
+			security_alert("Could not find a '/' in \"%.1024s\" of" 
+					" line %d in config %.128s","",line,
+					linenum,conffile);
+			return 0;
+		}
+
+	}
+
+	q = p;
+	while(!isspace(*q))
+	{
+		if(*q == '\0') {
+			null_perms = 1;
+			break;
+		}
+		q++;
+	}
+	
+	*q++ = '\0';
+
+	if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filedata)) 
+		if(path_walk(p,&filedata)) 
+		{
+			security_alert("Unable to locate file %.1024s on line %d of %s","",p,linenum, conffile);
+			return 0;
+		}
+	curr.inode = filedata.dentry->d_inode->i_ino;
+	curr.device = filedata.dentry->d_inode->i_dev;
+	curr.mode = GR_EXISTS;
+
+	if(null_perms) goto create;
+
+	while(isspace(*q)) q++;
+
+	while(working) {	
+		switch(*q) {
+			case 'r' :
+				curr.mode |= GR_FILE_READ;
+				q++;
+				break;
+			case 'h' :
+				curr.mode |= GR_FILE_HIDDEN;
+				q++;
+				break;
+			case 'a' :
+				curr.mode |= GR_FILE_APPEND;
+				q++;
+				break;
+			case 'w' :
+				curr.mode |= GR_FILE_WRITE;
+				q++;
+				break;
+			case 'x':
+				curr.mode |= GR_FILE_EXEC;
+				q++;
+				break;
+			default:  /* if anything else, the '\0' at the end of the line will hit here and cause us to terminate, so it won't go on indefinately and start accessing memory it shouldn't*/
+				working = 0;
+				break;
+		}		
+	}
+#ifdef CONFIG_GR_DEBUG
+//	security_alert("Adding File ACL %ld %d mode %x","",
+//			curr.inode,curr.device,curr.mode);
+#endif
+create:
+	if(!(gr_status & GR_NAMEFULL))
+		insert_name_entry(p,curr.inode,curr.device, GR_EXISTS|GR_NAME_FILE);
+	insert_file_label(&curr,conffile,linenum);
+	path_release(&filedata); 
+	return 0;
+}
+
+
+
+
+static int add_proc_obj_label(char *line, struct proc_info *parent, const char *conffile, unsigned int linenum) 
+{
+	char *p, *q, *tmp;
+	struct nameidata nd;
+	int working = 1;
+	int null_perms = 0;
+	struct proc_object_label curr;
+
+	if ((p = memscan (line,'/',strlen(line))) == (line+strlen(line))) {
+		if( (p = memscan(line,'+',strlen(line)) ) != line + strlen(line) ) {
+			struct proc_subject_label *match = 
+				lookup_proc_subj_label(parent->inode, parent->device);
+			if(match)
+			{
+				q = p;
+				p++;
+				while(*q != 'i' && *q != '\0') 
+					q++;
+				if(*q == 'i')
+					match->cap_raise_inherit |=
+						cap_conv(p);
+				
+				match->cap_raise |= cap_conv(p);
+			}
+			return 0;
+		} else if ( (p = memscan(line,'-',strlen(line)) ) != 
+				line + strlen(line) ) {
+			struct proc_subject_label *match = 
+				lookup_proc_subj_label(parent->inode,
+						parent->device);
+			if(match)
+			{
+				q = p;
+				p++;
+				while(*q != 'i' && *q != '\0')
+					q++;
+				if(*q == 'i')
+					match->cap_lower_inherit |=
+						cap_conv(p);
+				
+				match->cap_lower |= cap_conv(p);
+			}
+			return 0;
+		} else if(is_blank(line))
+			return 0;
+		else {
+			security_alert("Could not find a '/' in \"%.1024s\" of" 
+					" line %d in config %.128s","",line,
+					linenum,conffile);
+			return 0;
+		}
+	}
+
+
+	q = p;
+	while(!(isspace(*q)) )
+	{
+		if(*q == '\0') {
+			null_perms = 1;
+			break;
+		}
+		q++;
+	}
+	*q = '\0';
+	tmp = q;
+	q++;
+
+	if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&nd))
+		if(path_walk(p,&nd)) 
+		{
+			security_alert("Unable to locate file %.1024s on line %d of %s","",p,linenum, conffile);
+			return 0;
+		}
+	
+	curr.inode = nd.dentry->d_inode->i_ino;
+	curr.device = nd.dentry->d_inode->i_dev;
+	curr.parent_pos = parent->pos;
+	curr.mode = GR_EXISTS;
+
+	if(null_perms) goto create;
+
+	while(isspace(*q)) q++;
+
+	while(working) {
+		switch(*q) {
+			case 'r' :
+				curr.mode |= GR_PROC_READ;
+				q++;
+				break;
+			case 'w' :
+				curr.mode |= GR_PROC_WRITE;
+				q++;
+				break;
+			case 'x' :
+				curr.mode |= GR_PROC_EXEC;
+				q++;
+				break;
+			case 'a' :
+				curr.mode |= GR_PROC_APPEND;
+				q++;
+				break;
+			case 'f':
+				curr.mode |= GR_PROC_ACCESS;
+				q++;
+				break;
+			case 'o':
+				curr.mode |= GR_PROC_OVERRIDE;
+				q++;
+				break;
+			case 'u' :
+				curr.mode |= GR_PROC_AUTH;
+				q++;
+				break;
+			case 'R' :
+				curr.mode |= GR_PROC_AUTH_IF_ROOT;
+				q++;
+				break;
+			case 'i' :
+				curr.mode |= GR_PROC_INHERIT;
+				q++;
+				break;
+			default: 
+				working = 0;
+				break;
+		}
+	}
+#ifdef CONFIG_GR_DEBUG
+	security_alert("About to insert Object %ld %d %.1024s mode %x parent %ld", "",
+			curr.inode,curr.device,line,curr.mode,curr.parent_pos);
+#endif
+create:
+	if(!(gr_status & GR_NAMEFULL))
+		insert_name_entry(p,curr.inode,curr.device,
+			GR_EXISTS|GR_NAME_PROC_OBJECT);
+	insert_proc_obj_label(&curr,conffile,linenum);
+	path_release(&nd);
+	if(!null_perms)
+		*tmp = ' ';
+	return 0;
+}
+
+static int add_proc_subj_label(char * line, struct proc_info * currinfo, const char *conffile, unsigned int linenum) 
+{
+	char *p, *q;
+	struct nameidata filed;
+	struct dentry * file;
+	int working;
+	struct proc_subject_label curr;
+	
+	if ((p = memscan (line,'/',strlen(line))) == (line+strlen(line))) 
+	{
+		if(is_blank(line))
+			return 1;
+		else
+		{
+			security_alert("Could not find a '/' in \"%.1024s\"" 
+					" of line %d in config %.128s","",
+					line,linenum,conffile);
+			return 1;
+		}
+	}
+
+	q = p;
+	
+	while(!isspace(*q))
+	{
+		if(*q == '\0') return 1;
+		q++;
+	}
+
+	*q++ = '\0';
+
+	if(path_init(p,LOOKUP_FOLLOW|LOOKUP_POSITIVE,&filed) ) 
+		if(path_walk(p,&filed)) 
+		{
+			security_alert("Add file error for file %.1024s","",p);
+				return 1;
+		}
+	file = filed.dentry;
+	curr.mode = GR_EXISTS;
+	currinfo->inode = curr.inode = file->d_inode->i_ino;
+	currinfo->device = curr.device = file->d_inode->i_dev;
+	curr.pos = currinfo->pos;
+		
+	while(isspace(*q)) q++;
+	working = 1;
+	while(working)
+	{	
+		switch(*q) 
+		{
+			case 'p':
+				curr.mode |= GR_PROC_PROTECTED;
+				q++;
+				break;
+			case 'h':
+				curr.mode |= GR_PROC_HIDDEN;
+				q++;
+				break;
+			case 'k':
+				curr.mode |= GR_PROC_KILL;
+				q++;
+				break;
+			case 'v' :
+				curr.mode |= GR_PROC_VIEW;
+				q++;
+				break;
+			default:
+				working = 0;
+		}
+	}
+	curr.cap_raise = CAP_EMPTY_SET;
+	curr.cap_lower = CAP_EMPTY_SET;
+	curr.cap_raise_inherit = CAP_EMPTY_SET;
+	curr.cap_lower_inherit = CAP_EMPTY_SET;
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Added program (full entry) with inode %ld dev %d "
+				"mode %x line %.1024s", "",
+				curr.inode,curr.device,curr.mode,line); 
+#endif
+	if(!(gr_status & GR_NAMEFULL))
+		insert_name_entry(p,curr.inode,curr.device,
+			GR_EXISTS|GR_NAME_PROC_SUBJECT);
+	insert_proc_subj_label(&curr,conffile,linenum);
+	path_release(&filed);
+	return 0;
+}
+
+	
+
+static int add_line(char *line, int type, const char *conffile, unsigned int linenum) 
+{
+	static int mode;
+	char *p;
+
+	static struct proc_info currinfo =
+	{
+		pos:		PROC_SUBJ_LABEL_OFFSET
+	};
+	
+	/* mode = 0 : we are ready for a new program acl
+	 * mode = 1 : we are in the middle of reading a program acl*/
+	switch(type)
+	{
+		case 1 : if(gr_status & GR_FILEFULL)
+			 	return 0;
+			 else
+				 return add_file_label(line,conffile,linenum);
+			 break;
+		case 0 : break; /* handled below*/
+		default: security_alert("Unknown type %d passed","",type);
+			 return 1;
+			 break;
+	}
+
+	if(gr_status & GR_PROCFULL)
+		return 0;
+	if(!mode)
+	{
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Adding process subject label %s","",line);
+#endif
+		if( !(add_proc_subj_label(line,&currinfo,conffile,linenum)) )
+			mode = 1;
+		return 0;
+	}
+	
+	else if( (p=memscan(line,'}',strlen(line))) != (line + strlen(line)) )
+	{
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Finishing process subject label (%s)","",line);
+#endif
+		currinfo.pos++;
+		mode = 0;
+		return 0;
+	} else
+	{
+		if( (p = memscan(line,'{',strlen(line))) != 
+				(line + strlen(line)))
+			*p = ' ';
+		/* Replace the { with a ' ' so that it will be ignored by
+		 * add_proc_obj_label. Reason is for lines like
+		 * { <acl here> where an acl and a { are on the same line */
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Adding process object label %s","",line);
+#endif
+		return add_proc_obj_label(line,&currinfo,conffile,linenum);
+	}
+}
+
+static int init_variables(void) 
+{
+	struct proc_info authinfo = 
+	{
+		inode : 	auth.inode,
+		device:  	auth.device,
+		pos:	 	auth.pos
+	};
+
+	struct proc_info godinfo =
+	{
+		inode:  	god.inode,
+		device:  	god.device,
+		pos:		god.pos
+	};
+
+
+	file_set.file_hash = create_table(GR_TABLE_SIZE,
+					&file_set.file_size,
+					sizeof(struct file_label));
+	proc_subj_set.proc_hash = create_table(GR_TABLE_SIZE,
+					&proc_subj_set.proc_size,
+					sizeof(struct proc_subject_label));
+	proc_obj_set.proc_hash = create_table(GR_TABLE_SIZE,
+					&proc_obj_set.proc_size,
+					sizeof(struct proc_object_label));
+	name_set.name_hash = create_table(GR_TABLE_SIZE,
+					&name_set.name_size,
+					sizeof(struct name_entry));
+	memset(file_set.file_hash,0,sizeof(struct file_label) *
+					file_set.file_size);
+	memset(proc_subj_set.proc_hash,0,sizeof(struct proc_subject_label) * 
+					proc_subj_set.proc_size);
+	memset(proc_obj_set.proc_hash,0,sizeof(struct proc_object_label) *
+					proc_obj_set.proc_size);
+	memset(name_set.name_hash,0,sizeof(struct name_entry) * 
+					name_set.name_size);
+	
+	proc_subj_set.proc_used = proc_obj_set.proc_used = 
+		file_set.file_used = name_set.name_used = 0;
+
+	if(!proc_subj_set.proc_hash || !proc_obj_set.proc_hash 
+			|| !file_set.file_hash || !name_set.name_hash)  
+		return 1;
+
+	if(insert_proc_subj_label(&god,"boot_conf",1))
+		return 1;
+	else if(insert_proc_subj_label(&auth,"boot_conf",2))
+		return 1;
+	else if( (add_proc_obj_label(GRADM_ACL,&authinfo,"boot_conf",1)) )
+		return 1;
+	else if( (add_proc_obj_label(GODMODE_ACL,&godinfo,"boot_conf", 2)) )
+		return 1;
+	else if( (add_proc_obj_label("/etc/ld.so.preload r",&authinfo, "boot_conf", 3)) )
+		return 1;
+	else if( (add_proc_obj_label("/etc/ld.so.conf r",&authinfo, "boot_conf", 4)) )
+		return 1;
+	else if( (add_proc_obj_label("/lib rxi",&authinfo, "boot_conf", 5)) )
+		return 1;
+	else if( (add_proc_obj_label("/usr/lib rxi",&authinfo, "boot_conf",6)) )
+		return 1;
+	else if( (add_proc_obj_label("/usr/local/lib rxi",&authinfo, "boot_conf", 7)))
+		return 1;
+	else if( (add_proc_obj_label("/dev/tty rw",&authinfo,"boot_conf",8)))
+		return 1;
+	else if( (add_proc_obj_label("/proc/sys/kernel/grsecurity w",&authinfo,"boot_conf",9)))
+		return 1;
+
+	/* The Authentication mode will take over before execve() completes.
+	* There it must allow programs access to their libraries. The
+	* programs will need to perform terminal i/o at least to inform
+	* the user that they are in authentication mode, although
+	* the user can do nothing but exec gradm. If there is some
+	* executable in any of the lib directories and the attacker
+	* manages to execute them, it matters not because this restrictive
+	* authentication acl is inherited. */
+	return  0;
+}
+
+static void free_variables(void)
+{
+	kfree(proc_subj_set.proc_hash);
+	kfree(proc_obj_set.proc_hash);
+	kfree(file_set.file_hash);
+	kfree(name_set.name_hash);
+}
+
+
+static int conf_parse(const char *conffile,const int type)
+{
+	/* Purpose: open and read from gracl config file */
+	struct file *filp;
+	int bytes_read = 0, end = 0, obv_fatal = 0;
+	unsigned int linenum = 0;
+	char buffer[1024];
+	char *filepos = NULL,*memscanp = NULL;
+	mm_segment_t old_fs = get_fs();
+	filepos = buffer;
+	filp = filp_open(conffile, O_RDONLY, O_RDONLY);
+	if( (filp == NULL) || !filp->f_op->read || IS_ERR(filp) ) 
+	{
+		security_alert("Could not open config file %.1024s","",conffile);
+
+		obv_fatal = 1;
+		return obv_fatal;
+	} else if ( filp->f_op->read == NULL ) 
+	{
+		fput(filp);
+		obv_fatal = 2;
+		return obv_fatal;
+	}
+	filp->f_pos = 0;
+	/* end error checking, now for the real work */
+	while ( ! end ) 
+	{
+		filepos = buffer;
+		/* if current task isn't from the kernel, we'll
+		   have a current->addr_limit.seg that isn't 0xFFFFFFFF
+
+		   and we can't have that */
+		set_fs(KERNEL_DS);
+		bytes_read = filp->f_op->read (filp,buffer,
+				(sizeof(buffer)/sizeof(buffer[0])),
+				&filp->f_pos);
+		filp->f_pos -= bytes_read;
+		set_fs(old_fs);
+		if(bytes_read < (sizeof(buffer)/sizeof(buffer[0]))  ) {
+			end = 1;
+			filepos[bytes_read++] = '\n'; /* make sure it ends on a '\n' */
+		}  
+
+		while ( bytes_read > 0 && ( memscanp = 
+					memscan(filepos,'\n',bytes_read) )   != 
+				        filepos + bytes_read ) 
+		{
+			linenum++;
+			*memscanp++ = '\0' ;
+			filp->f_pos += (int) (memscanp - filepos);
+			bytes_read -= (int) (memscanp - filepos);
+			/* necessary for later strlen()'s...*/
+			if(!is_valid_line(filepos)) {
+				security_alert("Invalid line in %s line %d", "", conffile, linenum);
+				return 1;
+			} else {	
+				if( (*filepos != '#')) 
+					if(add_line(filepos,type,conffile,linenum))
+						return 1;
+			}
+			filepos = memscanp; /* next area to search .. */
+		}
+	}
+	filp_close(filp,NULL);
+	return obv_fatal;
+}
+
+static int grsecurity_init(void) 
+{
+	int error = 0;
+
+	gr_status &= ~(GR_PROCFULL|GR_FILEFULL|GR_NAMEFULL);
+
+	if(init_variables() ) 
+	{
+		security_alert("init_variables() failed for %s","",GR_VERSION);
+		error = -1;
+	}
+	else if(add_pw_conf())
+	{
+		security_alert("add_pw_conf() failed for %s","",GR_VERSION);
+		error = -2;
+	}
+	else if (conf_parse(PROC_CONF,0))
+	{
+		security_alert("conf_parse(%s) failed for %s","",PROC_CONF,
+				GR_VERSION);
+		error = -3;
+	}
+	else if(conf_parse(FILE_CONF,1))
+	{
+		security_alert("conf_parse(%s) failed for %s","",FILE_CONF,
+				GR_VERSION);
+		error = -4;
+	}
+	//else if(conf_parse(ID_CONF,2))
+	//	error = -5;
+	
+	if(!error)
+	{
+		struct task_struct * task;
+		
+#ifdef CONFIG_GR_SUPERDEBUG
+		list_procs();
+		list_files();
+		list_names();
+#endif
+		
+		spin_lock(&task_capability_lock);
+		read_lock(&tasklist_lock);
+		for_each_task(task)
+		{
+			struct proc_subject_label * curr = NULL;  
+
+			if(task->acl != &god 
+					&& task->acl != &auth)
+			{			
+				write_lock(&task->acl_lock);
+				if(task->proc_info.inode >= PROC_SUBJ_LABEL_OFFSET 
+						|| task->proc_info.device >= 
+						PROC_SUBJ_LABEL_OFFSET)
+				curr =  lookup_proc_subj_label(
+						task->proc_info.inode,
+						task->proc_info.device);
+				if(curr)
+				{
+
+					task->acl = curr;
+					task->cap_permitted = 
+						cap_intersect(task->cap_permitted,
+								cap_bset);
+					task->cap_permitted =
+						cap_combine(task->cap_permitted,
+								curr->cap_raise);
+					task->cap_permitted = 
+						cap_drop(task->cap_permitted,
+								curr->cap_lower) ;
+					task->cap_effective = 
+						task->cap_permitted;
+					task->cap_inheritable = 
+						cap_combine(task->cap_inheritable, curr->cap_raise_inherit);
+
+					task->cap_inheritable = 
+						cap_drop(task->cap_inheritable, curr->cap_lower_inherit);
+				
+#ifdef CONFIG_GR_DEBUG
+					security_alert("Applied ACL to already "
+							"running process %s(%d):%ld %d"
+							,"",task->comm,task->pid,
+							curr->inode,
+							curr->device);
+						
+#endif
+				} else {
+					task->acl = NULL;
+					task->cap_permitted = 
+						cap_intersect(cap_bset,
+						task->cap_permitted);
+					task->cap_effective = 
+						cap_intersect(cap_bset, 
+						task->cap_effective);
+					task->cap_inheritable = 
+						cap_intersect(cap_bset,
+						task->cap_inheritable);
+				}
+				write_unlock(&task->acl_lock);
+			}
+		}
+		read_unlock(&tasklist_lock);
+		spin_unlock(&task_capability_lock);
+		gr_status |= GR_READY;
+	}else {
+		security_alert("Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader","error loading acls",GR_VERSION);
+	}
+	return error;
+}
+
+/* * * * * * * * * * * * * * * * * * * * * * *
+ * Begin Misc Section 
+ * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Searching stuff, program exit cleanup, and sysctl parsing */
+
+
+static __inline__ int do_file_label_search(struct temp_file_label *curr) 
+{
+	struct file_label * match = lookup_file_label(curr->inode,curr->device);
+	if(!match || (match->mode & GR_DELETED)) return GR_NOTFOUND; 
+	if((match->mode & curr->mode) == curr->mode)
+	{
+#ifdef CONFIG_GR_DEBUG
+	//	security_alert("Program %s allowed for file with inode %ld %d"
+	//			" by file label",
+	//			 "",current->comm,curr->inode,curr->device);
+#endif
+		return GR_ALLOW;
+	}
+	else
+	{
+#ifdef CONFIG_GR_DEBUG
+		if(!(curr->mode & GR_HIDDEN))
+		{
+			security_alert("Program %s denied for file with inode "
+					"%ld %d by file label(requested %x,"
+				         "allowed %x)","", current->comm,
+					 curr->inode,curr->device,curr->mode,
+					 match->mode);
+		}
+#endif
+		return GR_DENY;
+	}
+}
+
+static __inline__ int do_proc_acl_search(struct proc_subject_label *proc,struct temp_file_label *curr) 
+{
+
+	struct proc_object_label * match = 
+		lookup_proc_obj_label(curr->inode,curr->device,proc->pos);
+			
+	if(!match || (match->mode & GR_DELETED)) return GR_NOTFOUND;
+	if( (match->mode & curr->mode) == curr->mode)
+	{
+#ifdef CONFIG_GR_DEBUG
+	//	security_alert("Program %s allowed for file with inode %ld %d"
+	//			" by program label",
+	//			"",current->comm,curr->inode,curr->device);
+#endif
+	        curr->mode |= (match->mode & GR_PROC_EXTRA);
+		return GR_ALLOW;
+	}
+	else
+	{
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Program %s denied for file with inode %ld %d"
+				" by program label(wanted %x got %x)",
+				"",current->comm,match->inode,match->device,
+				curr->mode,match->mode);
+#endif
+		return GR_DENY;
+	}
+}
+
+static __inline__ struct proc_subject_label * do_find_proc(struct proc_subject_label *curr)  
+{
+
+	struct proc_subject_label * retval =
+		lookup_proc_subj_label(curr->inode,curr->device);
+	if(retval && !(retval->mode & GR_DELETED) )
+		return retval;
+	return NULL;
+}
+
+
+
+	
+
+static __inline__ int chk_proc_obj_labels(struct dentry * dentry, struct temp_file_label *searchval, struct vfsmount *mnt)
+{
+	struct dentry *curr = dentry;
+	int retval = GR_NOTFOUND;
+	struct nameidata tmp = {NULL, NULL};
+	struct vfsmount *parent;
+	struct proc_subject_label *curracl = (struct proc_subject_label *) current->acl;
+
+loop :         
+	spin_lock(&dcache_lock);
+	do 
+	{
+		if(!curr || !curr->d_inode) break;
+		searchval->inode = curr->d_inode->i_ino;
+		searchval->device = curr->d_inode->i_dev;
+		read_lock(&gr_list_lock);
+		retval = do_proc_acl_search(curracl,searchval); 
+		read_unlock(&gr_list_lock);
+		if(curr->d_inode == curr->d_parent->d_inode) break;
+		curr = curr->d_parent;
+	} while( (curr) && (retval == GR_NOTFOUND) );
+
+	spin_unlock(&dcache_lock);
+	
+	if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev != 
+			ROOT_DEV )
+	{
+		if(tmp.mnt)
+		{
+			if(tmp.mnt == tmp.mnt->mnt_parent) goto exit;
+		}
+		else if(mnt == mnt->mnt_parent) goto exit;
+
+
+		if(!tmp.mnt) 
+		{
+			tmp.mnt = mnt->mnt_parent;
+			tmp.dentry = dget(mnt->mnt_mountpoint);
+
+		}
+
+		else
+		{
+			parent = tmp.mnt->mnt_parent;
+			dput(tmp.dentry);
+			tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+			mntput(tmp.mnt);
+			tmp.mnt = parent;
+		}
+		mntget(tmp.mnt);
+		curr = tmp.dentry;
+		goto loop;
+	}
+exit:		
+	if(tmp.mnt) mntput(tmp.mnt);
+	if(tmp.dentry) dput(tmp.dentry);
+
+	return retval == GR_NOTFOUND ? GR_DENY : retval;
+	/* if its not in a program's ACL list it should be denied */
+
+}
+
+static __inline__ int chk_file_labels(struct dentry * dentry, struct temp_file_label *searchval, struct vfsmount *mnt) 
+{
+	struct dentry *curr = dentry;
+	int retval = GR_NOTFOUND;
+	struct vfsmount *parent;
+	struct nameidata tmp = {NULL,NULL};
+
+	
+loop:	
+	spin_lock(&dcache_lock);
+	do 
+	{
+		if(!curr || !curr->d_inode) break;
+		searchval->inode = curr->d_inode->i_ino;
+		searchval->device = curr->d_inode->i_dev;
+		read_lock(&gr_list_lock);
+		retval = do_file_label_search(searchval); 
+		read_unlock(&gr_list_lock);
+		if(curr->d_inode == curr->d_parent->d_inode) break;
+		curr = curr->d_parent;
+	} while( (curr) && (retval == GR_NOTFOUND) );
+
+	spin_unlock(&dcache_lock);
+
+	if(retval == GR_NOTFOUND && curr->d_inode && curr->d_inode->i_dev
+			!= ROOT_DEV )
+	{
+		if(tmp.mnt) 
+		{
+			if(tmp.mnt == tmp.mnt->mnt_parent) goto exit;
+		}
+		else if(mnt == mnt->mnt_parent) goto exit;
+		if(!tmp.mnt)
+		{
+			tmp.mnt = mnt->mnt_parent;
+			tmp.dentry = dget(mnt->mnt_mountpoint);
+
+		}
+
+		else
+		{
+			parent = tmp.mnt->mnt_parent;
+			dput(tmp.dentry);
+			tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+			mntput(tmp.mnt);
+			tmp.mnt = parent;
+		}
+		mntget(tmp.mnt);
+		curr = tmp.dentry;
+		goto loop;
+	}
+exit:		
+	if(tmp.mnt) mntput(tmp.mnt);
+	if(tmp.dentry) dput(tmp.dentry);
+
+	return retval;
+}
+
+static struct proc_subject_label * chk_proc_subj_labels(struct dentry *dentry, 
+		struct vfsmount *mnt) 
+{
+	struct vfsmount *parent;
+	struct nameidata tmp = {NULL, NULL};
+	struct proc_subject_label curracl, *retval = NULL;
+	struct dentry *curr = dentry;
+
+loop:	
+	spin_lock(&dcache_lock);
+	do 
+	{
+
+		if(!curr->d_inode) break;
+		curracl.inode = curr->d_inode->i_ino;
+		curracl.device = curr->d_inode->i_dev;
+		read_lock(&gr_list_lock);
+		retval = do_find_proc(&curracl); 
+		read_unlock(&gr_list_lock);
+		if(curr->d_inode == curr->d_parent->d_inode) break;
+		curr = curr->d_parent;
+	} while( (curr) && (!retval) );
+
+	spin_unlock(&dcache_lock);
+	
+	if(!retval && curr->d_inode && curr->d_inode->i_dev != ROOT_DEV) 
+	{
+		if(tmp.mnt)
+		{
+			if(tmp.mnt == tmp.mnt->mnt_parent) 
+				goto exit;
+		}
+		else if(mnt == mnt->mnt_parent) 
+			goto exit;
+
+		if(!tmp.mnt) 
+		{
+			tmp.mnt = mnt->mnt_parent;
+			tmp.dentry = dget(mnt->mnt_mountpoint);
+
+		}
+
+		else 
+		{
+			parent = tmp.mnt->mnt_parent;
+			dput(tmp.dentry);
+			tmp.dentry = dget(tmp.mnt->mnt_mountpoint);
+			mntput(tmp.mnt);
+			tmp.mnt = parent;
+		}
+		mntget(tmp.mnt);
+		curr = tmp.dentry;
+		goto loop;
+	}
+exit:
+	if(tmp.mnt) mntput(tmp.mnt);
+	if(tmp.dentry) dput(tmp.dentry);
+
+	return retval;
+
+}
+
+
+static int __inline__ chk_inherit(struct dentry *dentry, struct vfsmount *mnt)
+{
+	struct temp_file_label temp;
+	temp.mode = GR_PROC_INHERIT;
+	if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW) 
+		return 1;
+	return 0;
+}
+
+static int __inline__ chk_auth(struct dentry *dentry, struct vfsmount *mnt)
+{
+	struct temp_file_label temp;
+	temp.mode = GR_PROC_AUTH;
+	if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW)
+		return 1;
+	else if(!current->uid || !current->gid || !current->euid 
+			|| !current->egid || !current->suid || !current->sgid
+			|| !current->fsuid || !current->fsgid) 
+	{
+		temp.mode = GR_PROC_AUTH_IF_ROOT;
+		if( (chk_proc_obj_labels(dentry,&temp,mnt)) == GR_ALLOW)
+			return 1;
+	}
+	return 0;   
+}
+
+
+
+
+
+int gr_check_hidden_file(struct dentry *dentry, struct vfsmount *mnt) 
+{
+	/* This has to be done a little differently than a normal search.
+	 * If a file "allows" hidden access it is hidden, and thus requires 
+	 * a process that has hidden file access capabilities to access it.
+	 * If the file acl denies hidden access/has no acl then no proc acl 
+	 * check is needed*/
+	struct temp_file_label searchval;
+	int retval = GR_ALLOW;
+	if((gr_status & GR_READY) && dentry && mnt)
+	{
+		searchval.mode = GR_HIDDEN;
+	
+		if( (chk_file_labels(dentry,&searchval,mnt)) == GR_ALLOW)
+		{
+			if(current->acl)
+			{
+				read_lock(&current->acl_lock);
+				retval =  chk_proc_obj_labels(dentry,&searchval
+						,mnt);
+				read_unlock(&current->acl_lock);
+			}
+			else retval =  GR_DENY;
+		}
+	}
+	return retval;
+}
+
+int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt);
+/* I will fix this later brad, bah, I'm tired :D */
+
+int gr_check_create(struct dentry * new_dentry, struct dentry * parent, 
+		struct vfsmount * mnt, __u16 mode)
+{
+	struct name_entry        * match;
+	struct proc_object_label * matchpo;
+	struct file_label        * matchf;
+	int                        retval = GR_NOTFOUND;
+	char                     * buffer;
+	char                     * pathname;
+	
+	if(!(gr_status & GR_READY)) return GR_ALLOW;
+
+	buffer = (char *) get_free_page(GFP_KERNEL);
+	if(!buffer) return GR_DENY; /* OOM : can't let anything get through */
+	
+	pathname = d_path(new_dentry,mnt,buffer,PAGE_SIZE);
+
+	read_lock(&gr_list_lock);
+
+	match = lookup_name_entry(pathname);
+
+	if(!match || !(match->mode & GR_EXISTS))
+	{
+		free_page((unsigned long)buffer);
+		goto check_parent;
+	}
+
+	if(current->acl && (match->mode & GR_NAME_PROC_OBJECT))
+	{
+		struct proc_subject_label * curracl;
+		read_lock(&current->acl_lock);
+		curracl = (struct proc_subject_label *) current->acl;
+		if(curracl && (  (matchpo = 
+			lookup_proc_obj_label(match->inode,match->device,
+			curracl->pos) ) != NULL) )
+		{
+			if((matchpo->mode & mode) != mode)
+			{
+				read_unlock(&current->acl_lock);
+				read_unlock(&gr_list_lock);
+				retval = GR_DENY;
+				goto exit;
+			} else retval = GR_ALLOW;
+		}
+		read_unlock(&current->acl_lock);
+	}
+
+	if( (match->mode & GR_NAME_FILE) && (
+			(matchf = lookup_file_label(match->inode,match->device))
+			!= NULL) )
+	{
+		if((matchf->mode & mode) != mode)
+		{
+			read_unlock(&gr_list_lock);
+			retval = GR_DENY;
+			goto exit;
+		} else retval = GR_ALLOW;
+	}
+check_parent:
+	read_unlock(&gr_list_lock);
+	if(retval != GR_NOTFOUND) goto exit;
+
+	retval = gr_search_file(parent,mode,mnt);
+
+exit:
+	free_page((unsigned long)buffer);
+	return retval;
+}
+				
+				
+int gr_check_hidden_task(struct task_struct * task) 
+{
+	struct proc_subject_label * acl; 
+	int retval = 0;
+	if( (gr_status & GR_READY) && task->acl) 
+	{
+		read_lock(&task->acl_lock);
+		acl = (struct proc_subject_label *) task->acl;
+		if(acl && (acl->mode & GR_PROC_HIDDEN)) 
+		{
+			struct proc_subject_label * curracl;
+			if(current->acl)
+			{
+				read_lock(&current->acl_lock);
+				curracl = (struct proc_subject_label *)
+					current->acl;
+				if(!curracl || !(curracl->mode & GR_PROC_VIEW))
+				{
+					retval = 1;
+				}
+				read_unlock(&current->acl_lock);
+			} else retval = 1;
+		} 
+		read_unlock(&task->acl_lock);
+	}
+	return retval;
+}
+
+int gr_check_protected_task(struct task_struct *tsk)
+{
+	int retval = 0;
+	
+	if( (gr_status & GR_READY) && tsk) 
+	{
+		struct proc_subject_label *acl;
+		if(tsk->acl)
+		{
+			read_lock(&tsk->acl_lock);
+			acl =  (struct proc_subject_label *) tsk->acl;
+			if(acl && (acl->mode & GR_PROC_PROTECTED))
+			{
+				if(current->acl)
+				{
+					struct proc_subject_label * curracl;
+					read_lock(&current->acl_lock);
+					curracl = (struct proc_subject_label *)
+						current->acl;
+					if(!curracl || !(curracl->mode &
+						GR_PROC_KILL))
+						retval = 1;
+					read_unlock(&current->acl_lock);
+				} else retval = 1; 
+					
+			}
+			read_unlock(&tsk->acl_lock);
+		} 
+
+	}
+	return retval;
+}
+
+
+int gr_search_file(struct dentry *dentry, __u16 mode, struct vfsmount *mnt) 
+{
+	int proc_retval = GR_NOTFOUND, file_retval = GR_NOTFOUND;
+	int retval = GR_ALLOW;
+	if(gr_status & GR_READY)
+	{
+		if(dentry && dentry->d_inode && mnt) 
+		{
+			struct temp_file_label searchval;
+
+			searchval.mode = mode;
+			if(current->acl) 
+			{
+				read_lock(&current->acl_lock);
+				if(!current->acl)
+				{
+					read_unlock(&current->acl_lock);
+					goto file_checks;
+				}
+				/* Okay..slight race condition but
+				 * nothing truly significant. current->acl
+				 * could change in between check and read_lock,
+				 * but its change would only reflect the
+				 * current status of the process AND
+				 * we read lock before we do any work,
+				 * so its rather insignificant */
+				
+				if( ( proc_retval = 
+						chk_proc_obj_labels(dentry,
+							&searchval, mnt) ) 
+						        == GR_DENY)
+				{
+					retval = GR_DENY;
+					goto out_unlock;
+				}
+			}
+
+			if( (proc_retval == GR_ALLOW) &&
+					(searchval.mode & GR_PROC_OVERRIDE))
+			{
+				retval = GR_ALLOW;
+				goto out_unlock;
+			}
+			searchval.mode &= ~GR_PROC_EXTRA;
+file_checks:
+
+			if( (file_retval = chk_file_labels(dentry,&searchval,
+							mnt)) == GR_DENY)
+			{
+				retval = GR_DENY;
+				goto out_unlock;
+			}
+
+			if( (proc_retval != file_retval)
+					|| (proc_retval == GR_NOTFOUND))
+			{
+				retval = GR_ALLOW;
+				goto out_unlock;
+			}
+		} else 
+			goto out;
+		 	/* hmm we got passed something funky..
+		    better safe than sorry */
+	} else
+		goto out;
+out_unlock:
+	if(current->acl)
+		read_unlock(&current->acl_lock);
+
+out:	return retval; /* Else both returned GR_NOTFOUND..must be the default*/
+}
+
+__inline__ int gr_copy_label(struct task_struct *tsk)
+{
+	/* We don't need to lock task...because task is being created
+	 * in do_fork() so it can't be modified anywhere else as it has
+	 * yet to be a true process. see kernel/fork.c
+	 * Also pointer assignmetn is atomic, either current->acl will
+	 * be there or be NULL, there is no reason to lock*/
+	tsk->acl = current->acl;
+	tsk->acl_lock = RW_LOCK_UNLOCKED;
+	read_lock(&tasklist_lock);
+	if(current->p_pptr->acl)
+	{
+		struct proc_subject_label * acl;
+		read_lock(&current->p_pptr->acl_lock);
+		acl = (struct proc_subject_label *) current->acl;
+		if(acl && (acl->cap_raise_inherit || acl->cap_lower_inherit))
+		{
+			tsk->cap_effective |= acl->cap_raise_inherit;
+			tsk->cap_permitted |= acl->cap_raise_inherit;
+			tsk->cap_inheritable |= acl->cap_raise_inherit;
+			tsk->cap_effective &= ~acl->cap_lower_inherit;
+			tsk->cap_permitted &= ~acl->cap_lower_inherit;
+			tsk->cap_inheritable &= ~acl->cap_lower_inherit;
+		}
+		read_unlock(&current->p_pptr->acl_lock);
+	}
+	read_unlock(&tasklist_lock);
+	return 0;
+}
+
+
+
+static int do_auth(struct task_struct *tsk)
+{
+#define GR_AUTH_MSG "Authorize yourself to GrSecurity please\n"
+
+	char *p = GR_AUTH_MSG;
+	int ret = 0;
+	if(!(tsk->tty) || (!tsk->tty->driver.write)) 
+	{
+		ret = 1;
+		goto out;
+	}
+	tsk->tty->driver.write(tsk->tty,0,p,strlen(p));
+	tsk->acl = (void *)&auth;
+	
+	
+out:
+	return ret;
+}
+
+
+static unsigned long do_set_proc_label(struct dentry * dentry, struct vfsmount * mnt, int mode)
+{
+	switch(mode)
+	{
+		case GR_SET_AUTH: 
+			return chk_auth(dentry,mnt);
+			break;
+		case GR_SET_INHERIT:
+			return chk_inherit(dentry,mnt);
+			break;
+		case GR_SET_PROC:
+			return (unsigned long) chk_proc_subj_labels(dentry,mnt);
+			break;
+	}
+	return 0;
+}
+
+
+static int do_inherit(struct task_struct *tsk) 
+{
+	return 0; 
+	/* Note: for copying due to fork() we use the code the gracl code in
+	 * kernel/fork.c. If we're inheriting then our current ACL
+	 * (that of the program calling execve) is the ACL we inherit, 
+	 * so no work needs to be done. Just return success 
+	 */
+}
+
+
+int gr_set_proc_label(struct dentry *dentry,char *filename, struct vfsmount *mnt) 
+{
+	struct task_struct *tsk = current;
+	int retval = 0;
+
+	if(dentry && dentry->d_inode)
+	{
+		tsk->proc_info.inode = dentry->d_inode->i_ino;
+		tsk->proc_info.device = dentry->d_inode->i_dev;
+	}
+	
+	else 
+	{
+		tsk->proc_info.inode = GR_NOFILE_INODE; 
+		tsk->proc_info.device  = GR_NOFILE_DEVICE;
+	}
+
+	read_lock(&gr_list_lock);
+	
+	if( (gr_status & GR_READY) && dentry && mnt)
+	{
+		struct proc_subject_label *curracl;
+
+		
+		curracl = (struct proc_subject_label *) tsk->acl;
+		if(curracl)
+		{
+			
+			if(do_set_proc_label(dentry,mnt,GR_SET_INHERIT))
+			{
+				read_unlock(&gr_list_lock);
+				 return do_inherit(tsk);
+			}
+
+			else if(do_set_proc_label(dentry,mnt,GR_SET_AUTH))
+			{
+				read_unlock(&gr_list_lock);
+				return do_auth(tsk);
+			}
+		}
+		tsk->acl = (struct proc_subject_label *)
+				do_set_proc_label(dentry,
+						mnt,GR_SET_PROC);
+		
+	} else tsk->acl = NULL;
+
+	read_unlock(&gr_list_lock);
+
+	return retval;
+}
+
+void gr_set_caps(void)
+{
+	if(gr_status & GR_READY)
+	{
+		read_lock(&gr_list_lock);
+		
+		if(current->acl)
+		{
+			struct proc_subject_label * curracl =
+				(struct proc_subject_label *) current->acl;
+			current->cap_permitted = cap_combine(
+					current->cap_permitted,
+					curracl->cap_raise);
+			current->cap_permitted = cap_drop(
+						current->cap_permitted, 
+						curracl->cap_lower);
+			current->cap_effective = 
+						current->cap_permitted;
+			current->cap_inheritable = cap_combine(
+					current->cap_inheritable, curracl->cap_raise_inherit);
+			current->cap_inheritable = cap_drop(
+					current->cap_inheritable, curracl->cap_lower_inherit);
+
+		}
+
+		read_unlock(&gr_list_lock);
+	}
+}
+
+int gr_in_auth_mode(void * acl)
+{
+	return (acl == &auth);
+}
+
+void gr_handle_delete(const ino_t ino, const kdev_t dev)
+{
+	struct file_label *matchf;
+	struct proc_object_label *matchpo;
+	struct proc_subject_label *matchps;
+	unsigned long i;
+
+	if(! (gr_status & GR_READY) ) return;
+
+
+	read_lock(&gr_list_lock);
+	
+	if( (matchf = lookup_file_label(ino,dev) ) != NULL )
+	{
+#ifdef CONFIG_GR_DEBUG
+		security_alert("File acl %ld %d deleted","",ino,dev);
+#endif
+		matchf->mode |= GR_DELETED;
+	}
+
+	for(i = 0; i < proc_subj_set.proc_used; i++)
+	{
+		if( (matchpo = lookup_proc_obj_label(ino,dev,
+						(unsigned long)i) ) != NULL)
+		{
+#ifdef CONFIG_GR_DEBUG
+			security_alert("Proc Obj acl %ld %d pos %ld deleted","",ino,dev,i);
+#endif
+			matchpo->mode |= GR_DELETED;
+		}
+	}
+
+	if( (matchps = lookup_proc_subj_label(ino,dev) ) != NULL)
+	{
+#ifdef CONFIG_GR_DEBUG
+		security_alert("Proc subj acl %ld %d deleted","",ino,dev);
+#endif
+		matchps->mode |= GR_DELETED;
+	}
+
+	read_unlock(&gr_list_lock);
+}
+
+static __inline__ void move_proc_obj_label(struct proc_object_label *po, 
+		const ino_t newino, const kdev_t newdev)
+{
+	struct proc_object_label insert = 
+	{
+                inode:      newino,
+                device:     newdev,
+		mode:       po->mode & ~GR_DELETED,
+                parent_pos: po->parent_pos
+	};
+
+	po->mode &= ~GR_EXISTS; 
+	proc_obj_set.proc_used--;
+	insert_proc_obj_label(&insert,"error",0);
+	
+}
+		       
+			       
+static __inline__ void move_proc_subj_label(struct proc_subject_label *ps, 
+		const ino_t newino, const kdev_t newdev)
+{
+	struct task_struct *p;
+	struct proc_subject_label insert = 
+	{
+                inode:   		newino,
+                device:  		newdev,
+		mode:    		ps->mode & ~GR_DELETED,
+		cap_raise:      	ps->cap_raise,
+		cap_lower:		ps->cap_lower,	
+		cap_raise_inherit:	ps->cap_raise_inherit,
+		cap_lower_inherit:	ps->cap_lower_inherit,		
+                pos:   	 		ps->pos
+	};
+
+	ps->mode &= ~GR_EXISTS; 
+	proc_subj_set.proc_used--;
+	insert_proc_subj_label(&insert,"error",0);
+	read_lock(&tasklist_lock);
+	for_each_task(p)
+	{
+		if(p->acl == ps)
+		{
+			write_lock(&p->acl_lock);
+			if(p->acl == ps)
+				p->acl = lookup_proc_subj_label(newino,newdev);
+			write_unlock(&p->acl_lock);
+		}
+	}
+	read_unlock(&tasklist_lock);
+}
+	
+
+static __inline__ void move_file_label(struct file_label *f, 
+		const ino_t newino, const kdev_t newdev)
+{
+	struct file_label insert = 
+	{
+                inode:   newino,
+                device:  newdev,
+		mode:    f->mode & ~GR_DELETED,
+	};
+
+	f->mode &= ~GR_EXISTS;
+	file_set.file_used--;
+	insert_file_label(&insert,"error",0);
+}
+
+
+void gr_handle_create(const char * filename, const struct nameidata *nd)
+{
+	struct name_entry *          matchn; 
+	struct proc_subject_label *  matchps;
+	struct proc_object_label  *  matchpo;
+	struct file_label *          matchf;
+	unsigned long i;
+	char * pathbuf;
+	char * pathname;
+
+
+	if(!(gr_status & GR_READY)) return;
+
+	if ( (pathbuf = (char * ) __get_free_page(GFP_KERNEL)) == NULL)
+		return;
+
+	pathname = d_path(nd->dentry,nd->mnt,pathbuf,PAGE_SIZE);
+
+	matchn = lookup_name_entry(pathname);
+
+	if(matchn)
+	{
+		write_lock(&gr_list_lock);
+		if(matchn->mode & GR_NAME_PROC_SUBJECT)
+		{
+			if( (matchps = lookup_proc_subj_label(matchn->inode,
+						matchn->device) ) != NULL)
+			{
+#ifdef CONFIG_GR_DEBUG
+				security_alert("Process Subj ACL %.1024s "
+						"recreated","",filename);
+#endif
+				move_proc_subj_label(matchps,
+						nd->dentry->d_inode->i_ino,
+						nd->dentry->d_inode->i_dev);
+			}
+		}
+
+		if(matchn->mode & GR_NAME_FILE)
+		{
+			if( (matchf = lookup_file_label(matchn->inode,
+						matchn->device) ) != NULL)
+			{ 
+#ifdef CONFIG_GR_DEBUG
+				security_alert("File ACL %.1024s recreated",
+						"",filename);
+#endif
+				move_file_label(matchf,
+						nd->dentry->d_inode->i_ino,
+						nd->dentry->d_inode->i_dev);
+			}
+		}
+
+		for(i = 0; i < proc_subj_set.proc_used; i++)
+		{
+			if( (matchpo = lookup_proc_obj_label(matchn->inode,
+						matchn->device,i) ) != NULL)
+			{
+#ifdef CONFIG_GR_DEBUG
+				security_alert("Process Obj ACL %.1024s pos %ld "
+						"recreated","",filename,i);
+#endif
+				move_proc_obj_label(matchpo,
+						nd->dentry->d_inode->i_ino,
+						nd->dentry->d_inode->i_dev);
+			}
+		}
+		matchn->inode = nd->dentry->d_inode->i_ino;
+		matchn->device = nd->dentry->d_inode->i_dev;
+		write_unlock(&gr_list_lock);
+	}
+	free_page((unsigned long)pathbuf);
+}
+		
+			
+				
+			
+
+
+static int chcaps(struct admin_pw *entry)
+{
+	char *p = entry->extra;
+	char *q;
+	char *mode;
+	
+	p[GR_EXTRA_LEN-1] = '\0'; /* take no chances*/
+	while( (q = memscan(p,'\n',strlen(p))) != p + strlen(p))
+	{
+		mode = p++;
+		*q++ = '\0';
+		switch(*mode) {
+			case '+' :
+				cap_bset |= cap_t(cap_conv(p));
+				break;
+			case '-' :
+				cap_bset &= ~cap_t(cap_conv(p));
+				break;
+			default:
+				break;
+		}
+		p = q;
+	}
+#ifdef CONFIG_GR_DEBUG
+	security_alert("cap bset is now %x","",cap_bset);
+#endif
+			
+	return 0;
+}
+
+static int grsecurity_reload(void)
+{
+	proc_subj_set.proc_size = proc_obj_set.proc_size =
+		file_set.file_size = name_set.name_size = 0;
+	free_variables();
+	return  grsecurity_init();
+}
+
+/* The following variables are needed for timer manipulation */
+static struct timer_list gr_badpw;
+static int failures = 0;
+static int during_wait = 0;
+
+static void gr_timer(unsigned long ignored)
+{
+	failures = 0;
+	during_wait = 0;
+	del_timer(&gr_badpw);          
+}
+
+int gr_proc_handler(ctl_table *table, int write, struct file *filp, void *buffer, size_t *lenp) 
+{
+	/* This is the main todo. simply I allow disabling gracl only
+	 * at bootup(after its turned on). I don't have time today to 
+	 * impelement a good pw scheme. The first thing I do when I get back is to do that.
+	 */
+	struct admin_pw *usermode = (struct admin_pw *) buffer;
+	int error = sizeof(struct admin_pw);
+	
+	if(*lenp != sizeof(struct admin_pw))
+	{
+		security_alert("Proc handler: being fed garbage %d byte send %d required","more garbage",*lenp,sizeof(struct admin_pw)); 
+		return -EINVAL;
+	}
+	if(during_wait) return -EPERM;
+	switch (usermode->mode)
+	{
+		case SHUTDOWN:
+			if(gr_status & GR_READY) 
+			{
+				if(!(chkpw(usermode)))
+				{
+					security_alert("shutdown auth success for "
+							DEFAULTSECMSG,"shutdown successes",DEFAULTSECARGS);
+					gr_status &= ~GR_READY;
+					break;
+				} else 
+					error = -EPERM;
+			}
+			break;
+		case ENABLE:
+			if(gr_disable)
+			{
+				security_alert("%s at boot time, ignoring load request","attempts to load gracl when disabled on boot time",GR_VERSION);
+				break;
+			}
+			else if(gr_status & GR_1ST)
+			{
+				if(grsecurity_init())
+					error = -EINVAL;
+				security_alert("Loaded %s","loaded "
+						"grsecurity",GR_VERSION);
+				gr_status &= ~GR_1ST;
+					break;
+			} 
+			else
+			{
+				security_alert("%.32s already loaded, re-enabling","",GR_VERSION);
+				gr_status |= GR_READY;
+				break;
+			}
+
+		case CHCAPS : 
+			if(gr_status & GR_1ST)
+			{
+				if(grsecurity_init())
+					error = -EINVAL;
+				if(!error)
+				security_alert("Loaded %s","loaded "
+						"grsecurity",GR_VERSION);
+			} 
+			
+			if( ( (gr_status & GR_READY) && !(chkpw(usermode)) ) 
+					|| (gr_status & GR_1ST))
+			{
+				if(gr_status & GR_1ST)
+					gr_status &= ~GR_1ST;
+
+				if(!(chcaps(usermode))) 
+				{
+					security_alert("successful capability change by "
+							DEFAULTSECMSG, "cap changes",
+							DEFAULTSECARGS);
+				} else 
+					error = -EPERM;
+			}
+
+			break;
+			
+		case GOD:
+			if(gr_status & GR_READY)
+			{
+				if(!(chkpw(usermode)))
+				{
+					security_alert("successful change to admin mode by "
+							DEFAULTSECMSG,"",
+							DEFAULTSECARGS);
+					spin_lock(&task_capability_lock);
+					read_lock(&tasklist_lock);
+					if(current->p_pptr)
+					{
+						current->p_pptr->acl = (void *)
+							&god;
+						current->p_pptr->cap_effective =
+							current->p_pptr->
+							cap_permitted =
+							CAP_FULL_SET;
+					}
+					read_unlock(&tasklist_lock);
+					spin_unlock(&task_capability_lock);
+				}
+				else
+					error = -EPERM;
+			}
+			break;
+
+		case RELOAD:
+			if(gr_status & GR_READY)
+			{
+				if(!(chkpw(usermode)))
+				{
+					security_alert("reload of gracl performed by" 
+							DEFAULTSECMSG,"",
+							DEFAULTSECARGS);
+					if(grsecurity_reload())
+						gr_status &= ~GR_READY;
+				}
+				else
+					error = -EPERM;
+			}
+			break;
+						
+		case AUTH:
+			if(gr_status & GR_READY)
+			{
+				if(!(chkpw(usermode)) )
+				{
+					security_alert("successful authentication by "
+							DEFAULTSECMSG, "",
+							DEFAULTSECARGS);
+					read_lock(&tasklist_lock);
+					if(current->p_pptr)
+					{
+						current->p_pptr->acl = NULL;
+					}
+					read_unlock(&tasklist_lock);
+					/* The parent invoked gradm, it is the
+					 * task that we must deal with */
+				}
+				else
+					error = -EPERM;
+			}
+			break;
+
+		default:
+			security_alert("Invalid value %d by " DEFAULTSECMSG, "",
+					usermode->mode, DEFAULTSECARGS);
+			break;
+	}
+
+	if(error < 0) 
+	{
+		failures++;
+		if(failures > CONFIG_GR_MAXTRIES) 
+		{
+			security_alert("Maximum pw attempts reached (%d), locking "
+					"password authentication","password attempt failed",CONFIG_GR_MAXTRIES);
+			init_timer(&gr_badpw);
+			gr_badpw.data = 0;
+			gr_badpw.function = gr_timer;
+			gr_badpw.expires = jiffies + CONFIG_GR_TIMEOUT*HZ;
+			add_timer(&gr_badpw);
+			during_wait = 1;
+		}
+	}
+
+	return error;
+}
diff -Nru kernel-source-2.4.18/kernel/grhash.c kernel-source-2.4.18.fixed/kernel/grhash.c
--- kernel-source-2.4.18/kernel/grhash.c	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/grhash.c	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,160 @@
+#include <linux/kernel.h>
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/capability.h>
+#include <linux/gracl.h>
+
+/*
+Modified for use in OPM by Michael Dalton <michael@linux.com> 
+Modified for kerneli by Andrew McDonald <andrew@mcdonald.org.uk>
+from:
+
+SHA-1 in C
+By Steve Reid <steve@edmweb.com>
+100% Public Domain
+Available from:
+ftp://ftp.zedz.net/pub/crypto/crypto/HASH/sha/sha1.c
+
+Test Vectors (from FIPS PUB 180-1)
+"abc"
+  A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+  84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+A million repetitions of "a"
+  34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+*/
+
+
+extern struct admin_pw pwent;
+
+void gr_SHA1Transform(unsigned long state[5], unsigned char buffer[64])
+{
+	unsigned long a, b, c, d, e;
+	typedef union {
+		unsigned char c[64];
+		unsigned long l[16];
+	} CHAR64LONG16;
+	CHAR64LONG16* block;
+#ifdef SHA1HANDSOFF
+	static unsigned char workspace[64];
+	block = (CHAR64LONG16*)workspace;
+	memcpy(block, buffer, 64);
+#else
+	block = (CHAR64LONG16*)buffer;
+#endif
+	/* Copy context->state[] to working vars */
+	a = state[0];
+	b = state[1];
+	c = state[2];
+	d = state[3];
+	e = state[4];
+	/* 4 rounds of 20 operations each. Loop unrolled. */
+	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+	/* Add the working vars back into context.state[] */
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+	/* Wipe variables */
+	a = b = c = d = e = 0;
+}
+
+
+/* SHA1Init - Initialize new context */
+
+void gr_SHA1Init(struct gr_SHA1_CTX* context)
+{
+	/* SHA1 initialization constants */
+	context->state[0] = 0x67452301;
+	context->state[1] = 0xEFCDAB89;
+	context->state[2] = 0x98BADCFE;
+	context->state[3] = 0x10325476;
+	context->state[4] = 0xC3D2E1F0;
+	context->count[0] = context->count[1] = 0;
+}
+
+
+/* Run your data through this. */
+
+void gr_SHA1Update(struct gr_SHA1_CTX* context, unsigned char* data, unsigned int len)
+{
+	unsigned int i, j;
+
+	j = (context->count[0] >> 3) & 63;
+	if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
+	context->count[1] += (len >> 29);
+	if ((j + len) > 63) {
+		memcpy(&context->buffer[j], data, (i = 64-j));
+		gr_SHA1Transform(context->state, context->buffer);
+		for ( ; i + 63 < len; i += 64) {
+			gr_SHA1Transform(context->state, &data[i]);
+		}
+		j = 0;
+	}
+	else i = 0;
+	memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/* Add padding and return the message digest. */
+
+void gr_SHA1Final(unsigned char digest[20], struct gr_SHA1_CTX* context)
+{
+	unsigned long i, j;
+	unsigned char finalcount[8];
+
+	for (i = 0; i < 8; i++) {
+		finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+				 >> ((3-(i & 3)) * 8) ) & 255); 
+                                 /* Endian independent */
+	}
+	gr_SHA1Update(context, (unsigned char *)"\200", 1);
+	while ((context->count[0] & 504) != 448) {
+		gr_SHA1Update(context, (unsigned char *)"\0", 1);
+	}
+	gr_SHA1Update(context, finalcount, 8);  /* Should cause a SHA1Transform() */
+	for (i = 0; i < 20; i++) {
+		digest[i] = (unsigned char)
+			((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+	}
+	/* Wipe variables */
+	i = j = 0;
+	memset(context->buffer, 0, 64);
+	memset(context->state, 0, 20);
+	memset(context->count, 0, 8);
+	memset(&finalcount, 0, 8);
+#ifdef GR_SHA1HANDSOFF  /* make SHA1Transform overwrite it's own static vars */
+	gr_SHA1Transform(context->state, context->buffer);
+#endif
+}
+
+int chkpw(struct admin_pw *entry) 
+{
+	struct gr_SHA1_CTX context;
+	char *pos = memscan(entry->pw,'\n',strlen(entry->pw));
+	if(pos != entry->pw + strlen(entry->pw)) *pos = '\0';
+	gr_SHA1Init(&context);
+	gr_SHA1Update(&context,entry->pw,strlen(entry->pw));
+	gr_SHA1Final(entry->sum,&context);
+	return memcmp(pwent.sum,entry->sum,GR_SHA_SIZE);
+}
diff -Nru kernel-source-2.4.18/kernel/grsecurity.c kernel-source-2.4.18.fixed/kernel/grsecurity.c
--- kernel-source-2.4.18/kernel/grsecurity.c	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/grsecurity.c	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,346 @@
+#include <linux/config.h>
+#include <linux/capability.h>
+
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+#ifdef CONFIG_GRKERNSEC_LINK
+int grsec_enable_link = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+int grsec_enable_dmesg = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+int grsec_enable_fifo = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+int grsec_enable_fd = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+int grsec_enable_execve = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+int grsec_enable_forkbomb = 0;
+int grsec_forkbomb_gid = 0;
+int grsec_forkbomb_sec = 0;
+int grsec_forkbomb_max = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+int grsec_enable_execlog = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+int grsec_enable_ipc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+int grsec_enable_suid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+int grsec_enable_suid_root = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+int grsec_enable_signal = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+int grsec_enable_coredump = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+int grsec_enable_forkfail = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+int grsec_enable_time = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+int grsec_enable_group = 0;
+int grsec_audit_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+int grsec_enable_chdir = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+int grsec_enable_audit_ptrace = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+int grsec_enable_audit_ipc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+int grsec_enable_mount = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+int grsec_enable_kbmap = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+int grsec_enable_chroot_sig = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+int grsec_enable_chroot_mount = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+int grsec_enable_chroot_double = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+int grsec_enable_chroot_chdir = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+int grsec_enable_chroot_chmod = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+int grsec_enable_chroot_mknod = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+int grsec_enable_chroot_ptrace = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+int grsec_enable_chroot_nice = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+int grsec_enable_chroot_execlog = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+int grsec_enable_chroot_caps = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+int grsec_enable_tpe = 0;
+int grsec_tpe_gid = 0;
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+int grsec_enable_tpe_glibc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+int grsec_enable_tpe_all = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+int grsec_enable_ptrace = 0;
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+int grsec_enable_ptrace_group = 0;
+int grsec_ptrace_gid = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+int grsec_enable_randpid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+int grsec_enable_phys_deny = 0;
+int grsec_enable_pseudo_deny = 0;
+int grsec_enable_serial_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+int grsec_enable_randid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+int grsec_enable_randsrc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+int grsec_enable_randrpc = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+int grsec_enable_randping = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+int grsec_enable_randttl = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+int grsec_enable_socket_all = 0;
+int grsec_socket_all_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+int grsec_enable_socket_client = 0;
+int grsec_socket_client_gid = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+int grsec_enable_socket_server = 0;
+int grsec_socket_server_gid = 0;
+#endif
+int grsec_lock = 0;
+#else
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+int grsec_enable_group = 1;
+int grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+int grsec_enable_chdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+int grsec_enable_audit_ptrace = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+int grsec_enable_audit_ipc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+int grsec_enable_mount = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_LINK
+int grsec_enable_link = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+int grsec_enable_dmesg = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+int grsec_enable_fifo = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+int grsec_enable_fd = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+int grsec_enable_execve = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+int grsec_enable_forkbomb = 1;
+int grsec_forkbomb_gid = CONFIG_GRKERNSEC_FORKBOMB_GID;
+int grsec_forkbomb_sec = CONFIG_GRKERNSEC_FORKBOMB_SEC;
+int grsec_forkbomb_max = CONFIG_GRKERNSEC_FORKBOMB_MAX;
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+int grsec_enable_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+int grsec_enable_ipc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+int grsec_enable_suid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+int grsec_enable_suid_root = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+int grsec_enable_signal = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+int grsec_enable_coredump = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+int grsec_enable_forkfail = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+int grsec_enable_time = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+int grsec_enable_kbmap = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+int grsec_enable_chroot_sig = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+int grsec_enable_chroot_mount = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+int grsec_enable_chroot_double = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+int grsec_enable_chroot_chdir = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+int grsec_enable_chroot_chmod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+int grsec_enable_chroot_mknod = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+int grsec_enable_chroot_ptrace = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+int grsec_enable_chroot_nice = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+int grsec_enable_chroot_execlog = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+int grsec_enable_chroot_caps = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+int grsec_enable_tpe = 1;
+int grsec_tpe_gid= CONFIG_GRKERNSEC_TPE_GID;
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+int grsec_enable_tpe_glibc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+int grsec_enable_tpe_all = 1;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+int grsec_enable_ptrace = 1;
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+int grsec_enable_ptrace_group = 1;
+int grsec_ptrace_gid = CONFIG_GRKERNSEC_PTRACE_GID;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+int grsec_enable_randpid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+#ifdef CONFIG_GRKERNSEC_TTYROOT_SERIAL
+int grsec_enable_serial_deny = 1;
+#else
+int grsec_enable_serial_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT_PHYS
+int grsec_enable_phys_deny = 1;
+#else
+int grsec_enable_phys_deny = 0;
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT_PSEUDO
+int grsec_enable_pseudo_deny = 1;
+#else
+int grsec_enable_pseudo_deny = 0;
+#endif
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+int grsec_enable_randid = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+int grsec_enable_randsrc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+int grsec_enable_randrpc = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+int grsec_enable_randping = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+int grsec_enable_randttl = 1;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+int grsec_enable_socket_all = 1;
+int grsec_socket_all_gid= CONFIG_GRKERNSEC_SOCKET_ALL_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+int grsec_enable_socket_client = 1;
+int grsec_socket_client_gid= CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+int grsec_enable_socket_server = 1;
+int grsec_socket_server_gid= CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
+#endif
+#endif
+
+const char *captab_log[30] = {
+	"CAP_CHOWN",
+	"CAP_DAC_OVERRIDE",
+	"CAP_DAC_READ_SEARCH",
+	"CAP_FOWNER",
+	"CAP_FSETID",
+	"CAP_FS_MASK",
+	"CAP_KILL",
+	"CAP_SETGID",
+	"CAP_SETUID",
+	"CAP_SETPCAP",
+	"CAP_LINUX_IMMUTABLE",
+	"CAP_NET_BIND_SERVICE",
+	"CAP_NET_BROADCAST",
+	"CAP_NET_ADMIN",
+	"CAP_NET_RAW",
+	"CAP_IPC_LOCK",
+	"CAP_IPC_OWNER",
+	"CAP_SYS_MODULE",
+	"CAP_SYS_RAWIO",
+	"CAP_SYS_CHROOT",
+	"CAP_SYS_PTRACE",
+	"CAP_SYS_PACCT",
+	"CAP_SYS_ADMIN",
+	"CAP_SYS_BOOT",
+	"CAP_SYS_NICE",
+	"CAP_SYS_RESOURCE",
+	"CAP_SYS_TIME",
+	"CAP_SYS_TTY_CONFIG",
+	"CAP_MKNOD",  
+	"CAP_LEASE"
+};   
+
+
diff -Nru kernel-source-2.4.18/kernel/ksyms.c kernel-source-2.4.18.fixed/kernel/ksyms.c
--- kernel-source-2.4.18/kernel/ksyms.c	2002-02-27 11:12:21.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/ksyms.c	2003-09-21 12:22:59.000000000 +0200
@@ -559,3 +559,8 @@
 
 EXPORT_SYMBOL(tasklist_lock);
 EXPORT_SYMBOL(pidhash);
+
+#ifdef CONFIG_GRKERNSEC_ACL_CAPLOG
+#include <linux/grsecurity.h>
+EXPORT_SYMBOL(captab_log);
+#endif
diff -Nru kernel-source-2.4.18/kernel/printk.c kernel-source-2.4.18.fixed/kernel/printk.c
--- kernel-source-2.4.18/kernel/printk.c	2002-02-25 20:38:13.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/printk.c	2003-09-21 12:22:59.000000000 +0200
@@ -26,6 +26,9 @@
 #include <linux/module.h>
 #include <linux/interrupt.h>			/* For in_interrupt() */
 #include <linux/config.h>
+#ifdef CONFIG_GRKERNSEC_DMESG
+#include <linux/grsecurity.h>
+#endif
 
 #include <asm/uaccess.h>
 
@@ -294,6 +297,11 @@
 
 asmlinkage long sys_syslog(int type, char * buf, int len)
 {
+#ifdef CONFIG_GRKERNSEC_DMESG
+	if (!capable(CAP_SYS_ADMIN) && grsec_enable_dmesg)
+		return -EPERM;
+	else
+#endif
 	if ((type != 3) && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 	return do_syslog(type, buf, len);
diff -Nru kernel-source-2.4.18/kernel/sched.c kernel-source-2.4.18.fixed/kernel/sched.c
--- kernel-source-2.4.18/kernel/sched.c	2001-12-21 18:42:04.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/sched.c	2003-09-21 12:22:59.000000000 +0200
@@ -32,6 +32,9 @@
 
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+#include <linux/grsecurity.h>
+#endif
 
 extern void timer_bh(void);
 extern void tqueue_bh(void);
@@ -874,6 +877,14 @@
 			return -EPERM;
 		if (increment < -40)
 			increment = -40;
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+		if(grsec_enable_chroot_nice && proc_is_chrooted(current)){
+			security_alert("attempted priority change by "
+				DEFAULTSECMSG, "attempted priority changes",
+				DEFAULTSECARGS);
+			return -EPERM;
+		}
+#endif
 	}
 	if (increment > 40)
 		increment = 40;
diff -Nru kernel-source-2.4.18/kernel/signal.c kernel-source-2.4.18.fixed/kernel/signal.c
--- kernel-source-2.4.18/kernel/signal.c	2001-11-22 01:26:27.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/signal.c	2003-09-21 12:22:59.000000000 +0200
@@ -16,6 +16,12 @@
 
 #include <asm/uaccess.h>
 
+#if defined(CONFIG_GRKERNSEC_SIGNAL) || defined(CONFIG_GRKERNSEC_CHROOT_SIG) \
+|| defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/fs.h>
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * SLAB caches for signal bits.
  */
@@ -526,8 +532,37 @@
 		goto out_nolock;
 
 	spin_lock_irqsave(&t->sigmask_lock, flags);
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+	if(CHROOTLONGCHECK &&
+	      !( sig == SIGALRM || sig == SIGIO || !proc_is_chrooted(current) ||
+	      have_same_root(current,t) ||
+	      (t->pid == current->p_pptr->pid && sig == SIGCHLD) ) ) {
+	      security_alert("denied signal %d out of chroot jail (%.32s:%lu) of %d.%d "
+			     "by " DEFAULTSECMSG " to " DEFAULTSECMSG,
+			     "denied signals in chroot",sig,kdevname(current->fs->root->d_inode->i_dev),
+			     current->fs->root->d_inode->i_ino,current->fs->root->d_inode->i_uid,
+			     current->fs->root->d_inode->i_gid,DEFAULTSECARGS,
+			     t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,
+			     t->p_pptr->pid,t->p_pptr->uid,t->p_pptr->euid);
+			goto out;
+	      }
+#endif
 	handle_stop_signal(sig, t);
-
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+    if(grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) || 
+	(sig == SIGABRT) || (sig == SIGBUS))) {
+	if(t->pid == current->pid) {
+	    security_alert("signal %d  sent to " DEFAULTSECMSG,"signal warnings",sig,
+			   t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid,
+			   t->p_pptr->uid,t->p_pptr->euid);
+	} else {
+	    security_alert("signal %d sent to " DEFAULTSECMSG " by "
+			   DEFAULTSECMSG, "signal warnings",
+			   sig,t->comm,t->pid,t->uid,t->euid,t->p_pptr->comm,t->p_pptr->pid,
+			   t->p_pptr->uid,t->p_pptr->euid, DEFAULTSECARGS);
+	}
+    } 
+#endif
 	/* Optimize away the signal, if it's a signal that can be
 	   handled immediately (ie non-blocked and untraced) and
 	   that is ignored (either explicitly or by default).  */
@@ -592,6 +627,9 @@
 		retval = -ESRCH;
 		read_lock(&tasklist_lock);
 		for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+			if( !(gr_check_protected_task(p)) || current->pid == 1)
+#endif
 			if (p->pgrp == pgrp) {
 				int err = send_sig_info(sig, info, p);
 				if (retval)
@@ -619,6 +657,9 @@
 		retval = -ESRCH;
 		read_lock(&tasklist_lock);
 		for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+			if( !(gr_check_protected_task(p)) || current->pid == 1)
+#endif
 			if (p->leader && p->session == sess) {
 				int err = send_sig_info(sig, info, p);
 				if (retval)
@@ -640,6 +681,9 @@
 	p = find_task_by_pid(pid);
 	error = -ESRCH;
 	if (p)
+#ifdef CONFIG_GRKERNSEC_ACL
+		if( !(gr_check_protected_task(p)) || current->pid == 1)
+#endif
 		error = send_sig_info(sig, info, p);
 	read_unlock(&tasklist_lock);
 	return error;
@@ -663,6 +707,9 @@
 
 		read_lock(&tasklist_lock);
 		for_each_task(p) {
+#ifdef CONFIG_GRKERNSEC_ACL
+			if(!(gr_check_protected_task(p) || current->pid == 1))
+#endif
 			if (p->pid > 1 && p != current) {
 				int err = send_sig_info(sig, info, p);
 				++count;
diff -Nru kernel-source-2.4.18/kernel/sys.c kernel-source-2.4.18.fixed/kernel/sys.c
--- kernel-source-2.4.18/kernel/sys.c	2003-04-04 12:45:12.000000000 +0200
+++ kernel-source-2.4.18.fixed/kernel/sys.c	2003-09-21 12:22:59.000000000 +0200
@@ -4,6 +4,7 @@
  *  Copyright (C) 1991, 1992  Linus Torvalds
  */
 
+#include <linux/config.h>
 #include <linux/module.h>
 #include <linux/mm.h>
 #include <linux/utsname.h>
@@ -18,6 +19,12 @@
 #include <asm/uaccess.h>
 #include <asm/io.h>
 
+#if defined(CONFIG_GRKERNSEC_SUID) ||\
+    defined(CONFIG_GRKERNSEC_SUID_ROOT) ||\
+    defined(CONFIG_GRKERNSEC_TTYROOT) || defined(CONFIG_GRKERNSEC_CHROOT_NICE)
+#include <linux/grsecurity.h>
+#endif
+
 /*
  * this is where the system-wide overflow UID and GID are defined, for
  * architectures that now have 32-bit UID/GID but didn't in the past
@@ -220,6 +227,15 @@
 		}
 		if (error == -ESRCH)
 			error = 0;
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+		if(grsec_enable_chroot_nice && (!have_same_root(p,current)
+		   || (have_same_root(p,current) && (niceval < p->nice) && proc_is_chrooted(current)))) {
+				security_alert("attempted priority change of "
+				"process (%.16s:%d) by " DEFAULTSECMSG,
+				"attempted priority changes",p->comm,p->pid,DEFAULTSECARGS);
+				return -ESRCH; /* be stealthy */
+		}
+#endif
 		if (niceval < p->nice && !capable(CAP_SYS_NICE))
 			error = -EACCES;
 		else
@@ -380,6 +396,20 @@
 	int new_rgid = old_rgid;
 	int new_egid = old_egid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(rgid,egid,1,"setregid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && (!rgid || !egid))
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setregid(rgid=%d/egid=%d) by " DEFAULTSECMSG
+		       "\n",rgid,egid, DEFAULTSECARGS);
+#endif		
+
 	if (rgid != (gid_t) -1) {
 		if ((old_rgid == rgid) ||
 		    (current->egid==rgid) ||
@@ -421,6 +451,20 @@
 {
 	int old_egid = current->egid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(gid,1,1,"setgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && !gid)
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setgid(%d) by " DEFAULTSECMSG "\n",gid, 
+		DEFAULTSECARGS);
+#endif		
+
 	if (capable(CAP_SETGID))
 	{
 		if(old_egid != gid)
@@ -540,6 +584,20 @@
 	new_euid = old_euid = current->euid;
 	old_suid = current->suid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(ruid,euid,1,"setreuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && (!ruid || !euid))
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setreuid(ruid=%d/euid=%d) by " DEFAULTSECMSG
+		       "\n",ruid,euid, DEFAULTSECARGS);
+#endif		
+
 	if (ruid != (uid_t) -1) {
 		new_ruid = ruid;
 		if ((old_ruid != ruid) &&
@@ -599,7 +657,20 @@
 	old_ruid = new_ruid = current->uid;
 	old_suid = current->suid;
 	new_suid = old_suid;
-	
+
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(uid,1,1,"setuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && !uid)
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setuid(%d) by " DEFAULTSECMSG "\n", uid,
+		DEFAULTSECARGS);
+#endif		
 	if (capable(CAP_SETUID)) {
 		if (uid != old_ruid && set_user(uid, old_euid != uid) < 0)
 			return -EAGAIN;
@@ -633,6 +704,20 @@
 	int old_euid = current->euid;
 	int old_suid = current->suid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(ruid,euid,suid,"setresuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && (!ruid || !euid || !suid))
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setresuid(ruid=%d/suid=%d/euid=%d) by "
+			DEFAULTSECMSG "\n", ruid, suid, euid, DEFAULTSECARGS);
+#endif		
+
 	if (!capable(CAP_SETUID)) {
 		if ((ruid != (uid_t) -1) && (ruid != current->uid) &&
 		    (ruid != current->euid) && (ruid != current->suid))
@@ -683,6 +768,20 @@
  */
 asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
 {
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(rgid,egid,sgid,"setresgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && (!rgid || !egid || !sgid))
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setresgid(rgid=%d/sgid=%d/egid=%d) by "
+			DEFAULTSECMSG "\n", rgid, sgid, egid, DEFAULTSECARGS);
+#endif		
+
 	if (!capable(CAP_SETGID)) {
 		if ((rgid != (gid_t) -1) && (rgid != current->gid) &&
 		    (rgid != current->egid) && (rgid != current->sgid))
@@ -732,6 +831,20 @@
 {
 	int old_fsuid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(uid,1,1,"setfsuid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && !uid)
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setfsuid(%d) by " DEFAULTSECMSG "\n", uid,
+			DEFAULTSECARGS);
+#endif		
+
 	old_fsuid = current->fsuid;
 	if (uid == current->uid || uid == current->euid ||
 	    uid == current->suid || uid == current->fsuid || 
@@ -774,6 +887,20 @@
 {
 	int old_fsgid;
 
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	is_tty_allowed_for_setid(gid,1,1,"setfsgid");
+#endif
+
+#if defined(CONFIG_GRKERNSEC_SUID) || defined(CONFIG_GRKERNSEC_SUID_ROOT)
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	if(grsec_enable_suid_root && current->uid && !gid)
+#else
+	if(grsec_enable_suid)
+#endif
+	printk(KERN_INFO "grsec: setfsgid(%d) by " DEFAULTSECMSG "\n", gid,
+			DEFAULTSECARGS);
+#endif		
+
 	old_fsgid = current->fsgid;
 	if (gid == current->gid || gid == current->egid ||
 	    gid == current->sgid || gid == current->fsgid || 
@@ -971,6 +1098,11 @@
 		return -EINVAL;
 	if(copy_from_user(current->groups, grouplist, gidsetsize * sizeof(gid_t)))
 		return -EFAULT;
+
+#ifdef CONFIG_GRKERNSEC_SUID
+	if(grsec_enable_suid)
+		printk(KERN_INFO "grsec: setgroups by " DEFAULTSECMSG "\n", DEFAULTSECARGS);
+#endif		
 	current->ngroups = gidsetsize;
 	return 0;
 }
diff -Nru kernel-source-2.4.18/kernel/sysctl.c kernel-source-2.4.18.fixed/kernel/sysctl.c
--- kernel-source-2.4.18/kernel/sysctl.c	2001-12-21 18:42:04.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/sysctl.c	2003-09-21 12:22:59.000000000 +0200
@@ -38,6 +38,7 @@
 #endif
 
 #if defined(CONFIG_SYSCTL)
+#include <linux/grsecurity.h>
 
 /* External variables not in a header file. */
 extern int panic_timeout;
@@ -117,6 +118,9 @@
 static ctl_table debug_table[];
 static ctl_table dev_table[];
 extern ctl_table random_table[];
+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ACL)
+static ctl_table grsecurity_table[];
+#endif
 
 /* /proc declarations: */
 
@@ -256,8 +260,259 @@
 	{KERN_S390_USER_DEBUG_LOGGING,"userprocess_debug",
 	 &sysctl_userprocess_debug,sizeof(int),0644,NULL,&proc_dointvec},
 #endif
+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ACL)
+	{KERN_GRSECURITY, "grsecurity", NULL, 0, 0500, grsecurity_table},
+#endif
+	{0}
+};
+
+#if !defined(CONFIG_GRKERNSEC_SYSCTL) && defined(CONFIG_GRKERNSEC_ACL)
+enum
+{
+	GS_ACL = 1
+};
+
+static ctl_table grsecurity_table[] = {
+	{GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler},
+	{0}
+};
+#endif
+
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+enum {GS_LINK=1,GS_FIFO, GS_FD, GS_EXECVE, GS_FORK,
+GS_FORK_GID, GS_FORK_SEC, GS_FORK_MAX, GS_EXECLOG, 
+GS_SUID, GS_SUID_ROOT, GS_SIGNAL, GS_COREDUMP, GS_FORKFAIL, 
+GS_TIME, GS_KBMAP, GS_CHROOT_SIG, GS_CHROOT_MNT, 
+GS_CHROOT_DBL, GS_CHROOT_CD, GS_CHROOT_CM, GS_CHROOT_MK, GS_CHROOT_PT, 
+GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, GS_TPE, GS_TPE_GID, 
+GS_TPE_GLIBC, GS_TPE_ALL, GS_PTRACE, GS_PTRACE_GRP, GS_PTRACE_GID, 
+GS_SIDCAPS, GS_RANDPID, GS_RANDID, GS_RANDSRC, GS_RANDPING, GS_RANDTTL, 
+GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, 
+GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_IPC, 
+GS_TTY, GS_TTYS, GS_PTY, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, 
+GS_APTC, GS_DMSG, GS_RANDRPC, GS_ACL, GS_LOCK};
+
+static ctl_table grsecurity_table[] = {
+#ifdef CONFIG_GRKERNSEC_LINK
+	{GS_LINK, "linking_restrictions", &grsec_enable_link, sizeof (int),
+	 0600, NULL, &proc_dointvec}, 
+#endif
+#ifdef CONFIG_GRKERNSEC_FIFO
+	{GS_FIFO, "fifo_restrictions", &grsec_enable_fifo, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FD
+	{GS_FD, "secure_fds", &grsec_enable_fd, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECVE
+	{GS_EXECVE, "execve_limiting", &grsec_enable_execve, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKBOMB
+	{GS_FORK, "fork_bomb_prot", &grsec_enable_forkbomb, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_FORK_GID, "fork_bomb_gid", &grsec_forkbomb_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_FORK_SEC, "fork_bomb_sec", &grsec_forkbomb_sec, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_FORK_MAX, "fork_bomb_max", &grsec_forkbomb_max, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_EXECLOG
+	{GS_EXECLOG, "exec_logging", &grsec_enable_execlog, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID
+	{GS_SUID, "suid_logging", &grsec_enable_suid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SUID_ROOT
+	{GS_SUID_ROOT, "suid_root_logging", &grsec_enable_suid_root, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SIGNAL
+	{GS_SIGNAL, "signal_logging", &grsec_enable_signal, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_COREDUMP
+	{GS_COREDUMP, "coredump", &grsec_enable_coredump, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_FORKFAIL
+	{GS_FORKFAIL, "forkfail_logging", &grsec_enable_forkfail, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TIME
+	{GS_TIME, "timechange_logging", &grsec_enable_time, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_KBMAP
+	{GS_KBMAP, "secure_kbmap", &grsec_enable_kbmap, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_SIG
+	{GS_CHROOT_SIG, "chroot_restrict_sigs", &grsec_enable_chroot_sig, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
+	{GS_CHROOT_MNT, "chroot_deny_mount", &grsec_enable_chroot_mount, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
+	{GS_CHROOT_DBL, "chroot_deny_chroot", &grsec_enable_chroot_double, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
+	{GS_CHROOT_CD, "chroot_deny_chdir", &grsec_enable_chroot_chdir, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
+	{GS_CHROOT_CM, "chroot_deny_chmod", &grsec_enable_chroot_chmod, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
+	{GS_CHROOT_MK, "chroot_deny_mknod", &grsec_enable_chroot_mknod, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_PTRACE
+	{GS_CHROOT_PT, "chroot_deny_ptrace", &grsec_enable_chroot_ptrace, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
+	{GS_CHROOT_NI, "chroot_restrict_nice", &grsec_enable_chroot_nice, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
+	{GS_CHROOT_EXECLOG, "chroot_execlog",
+	 &grsec_enable_chroot_execlog, sizeof (int),
+         0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
+	{GS_CHROOT_CAPS, "chroot_caps", &grsec_enable_chroot_caps, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+	{GS_TPE, "tpe", &grsec_enable_tpe, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_TPE_GID, "tpe_gid", &grsec_tpe_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+	{GS_TPE_GLIBC, "tpe_glibc", &grsec_enable_tpe_glibc, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+	{GS_TPE_ALL, "tpe_restrict_all", &grsec_enable_tpe_all, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE
+	{GS_PTRACE, "restrict_ptrace", &grsec_enable_ptrace, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_PTRACE_GROUP
+	{GS_PTRACE_GRP, "allow_ptrace_group", &grsec_enable_ptrace_group, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_PTRACE_GID, "ptrace_gid", &grsec_ptrace_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPID
+	{GS_RANDPID, "rand_pids", &grsec_enable_randpid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+	{GS_RANDID, "rand_ip_ids", &grsec_enable_randid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+	{GS_RANDSRC, "rand_tcp_src_ports", &grsec_enable_randsrc, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDPING
+	{GS_RANDPING, "altered_pings", &grsec_enable_randping, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+	{GS_RANDTTL, "rand_ttl", &grsec_enable_randttl, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+	{GS_SOCKET_ALL, "socket_all", &grsec_enable_socket_all, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_SOCKET_ALL_GID, "socket_all_gid",
+	 &grsec_socket_all_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+	{GS_SOCKET_CLIENT, "socket_client", 
+	 &grsec_enable_socket_client, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_SOCKET_CLIENT_GID, "socket_client_gid", 
+	 &grsec_socket_client_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+	{GS_SOCKET_SERVER, "socket_server", 
+	 &grsec_enable_socket_server, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_SOCKET_SERVER_GID, "socket_server_gid",
+	 &grsec_socket_server_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_IPC
+	{GS_IPC, "alt_ipc_perms", &grsec_enable_ipc, sizeof (int), 0600,
+	 NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_TTYROOT
+	{GS_TTY, "deny_phys_root", 
+	 &grsec_enable_phys_deny, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_TTYS, "deny_serial_root", 
+	 &grsec_enable_serial_deny, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_PTY, "deny_pseudo_root", 
+	 &grsec_enable_pseudo_deny, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
+	{GS_GROUP, "audit_group", &grsec_enable_group, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+	{GS_GID, "audit_gid",
+	 &grsec_audit_gid, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
+	{GS_ACHDIR, "audit_chdir", &grsec_enable_chdir, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
+	{GS_AMOUNT, "audit_mount", &grsec_enable_mount, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_IPC
+	{GS_AIPC, "audit_ipc", &grsec_enable_audit_ipc, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
+	{GS_APTC, "audit_ptrace", &grsec_enable_audit_ptrace, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_DMESG
+	{GS_AIPC, "dmesg", &grsec_enable_dmesg, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+	{GS_RANDRPC, "rand_rpc", &grsec_enable_randrpc, sizeof (int),
+	 0600, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_GRKERNSEC_ACL
+	{GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler},
+#endif
+	{GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
+	 &proc_dointvec},
 	{0}
 };
+#endif
 
 static ctl_table vm_table[] = {
 	{VM_BDFLUSH, "bdflush", &bdf_prm, 9*sizeof(int), 0644, NULL,
@@ -828,6 +1083,17 @@
 	}
 	
 	i = (int *) table->data;
+#ifdef CONFIG_GRKERNSEC_SYSCTL
+	if(table->de->parent->name && strlen(table->de->parent->name) == 10) {
+		if((!strcmp(table->de->parent->name, "grsecurity")) && grsec_lock && write) { 
+                        security_alert("attempt to modify grsecurity "
+                        "sysctl value: %.32s by " DEFAULTSECMSG,
+                        "attempted sysctl changes", table->de->name,
+			DEFAULTSECARGS);
+                        return -EACCES;
+		}
+	}
+#endif
 	vleft = table->maxlen / sizeof(int);
 	left = *lenp;
 	
diff -Nru kernel-source-2.4.18/kernel/time.c kernel-source-2.4.18.fixed/kernel/time.c
--- kernel-source-2.4.18/kernel/time.c	2002-02-25 20:38:13.000000000 +0100
+++ kernel-source-2.4.18.fixed/kernel/time.c	2003-09-21 12:22:59.000000000 +0200
@@ -29,6 +29,9 @@
 #include <linux/smp_lock.h>
 
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_TIME
+#include <linux/grsecurity.h>
+#endif
 
 /* 
  * The timezone where the local system is located.  Used as a default by some
@@ -87,6 +90,11 @@
 	time_maxerror = NTP_PHASE_LIMIT;
 	time_esterror = NTP_PHASE_LIMIT;
 	write_unlock_irq(&xtime_lock);
+#ifdef CONFIG_GRKERNSEC_TIME
+   if(grsec_enable_time)
+   	security_alert("time set by " DEFAULTSECMSG, "time sets",
+			DEFAULTSECARGS);
+#endif
 	return 0;
 }
 
@@ -163,6 +171,11 @@
 		 * globally block out interrupts when it runs.
 		 */
 		do_settimeofday(tv);
+#ifdef CONFIG_GRKERNSEC_TIME
+    if(grsec_enable_time)
+    	security_alert("time set by " DEFAULTSECMSG, "time sets", 
+			DEFAULTSECARGS);
+#endif
 	}
 	return 0;
 }
diff -Nru kernel-source-2.4.18/mm/mmap.c kernel-source-2.4.18.fixed/mm/mmap.c
--- kernel-source-2.4.18/mm/mmap.c	2002-02-25 20:38:14.000000000 +0100
+++ kernel-source-2.4.18.fixed/mm/mmap.c	2003-09-21 12:22:59.000000000 +0200
@@ -14,9 +14,14 @@
 #include <linux/file.h>
 #include <linux/fs.h>
 #include <linux/personality.h>
+#include <linux/random.h>
 
 #include <asm/uaccess.h>
 #include <asm/pgalloc.h>
+#if defined(CONFIG_GRKERNSEC_MMAPFIXED) || defined(CONFIG_GRKERNSEC_TPE_GLIBC) \
+	|| defined(CONFIG_GRKERNSEC_ACL)
+#include <linux/grsecurity.h>
+#endif
 
 /*
  * WARNING: the debugging will use recursive algorithms so never enable this
@@ -419,7 +424,9 @@
 	/* Obtain the address to map to. we verify (or select) it and ensure
 	 * that it represents a valid section of the address space.
 	 */
+
 	addr = get_unmapped_area(file, addr, len, pgoff, flags);
+
 	if (addr & ~PAGE_MASK)
 		return addr;
 
@@ -429,6 +436,23 @@
 	 */
 	vm_flags = calc_vm_flags(prot,flags) | mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
 
+#ifdef CONFIG_GRKERNSEC_PAX
+	if (current->flags & PF_PAX_PAGEEXEC) {
+		if (flags & MAP_GROWSDOWN)
+			vm_flags &= ~VM_EXEC;
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+		if ((current->flags & PF_PAX_MPROTECT) && !(prot & PROT_EXEC))
+			vm_flags &= ~VM_MAYEXEC;
+		if ((current->flags & PF_PAX_MPROTECT) && (flags & MAP_GROWSDOWN))
+			vm_flags &= ~VM_MAYEXEC;
+#endif
+
+	} else {
+		if (prot & (PROT_READ | PROT_WRITE)) /* they imply PROT_EXEC on IA-32 */
+			vm_flags |= VM_EXEC;
+	}
+#endif
 	/* mlock MCL_FUTURE? */
 	if (vm_flags & VM_LOCKED) {
 		unsigned long locked = mm->locked_vm << PAGE_SHIFT;
@@ -476,6 +500,50 @@
 			break;
 		}
 	}
+#ifdef CONFIG_GRKERNSEC_MMAPFIXED
+	if ((current->pid > 1) && (current->flags & PF_PAX_PAGEEXEC) && (!file) && (flags & MAP_FIXED) && (prot & PROT_EXEC)) {
+		security_alert("Attempted loading of shellcode via mmap by " DEFAULTSECMSG, "attempted mmaps", DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
+#ifdef CONFIG_GRKERNSEC_TPE_GLIBC
+	if(grsec_enable_tpe_glibc) {
+#ifdef CONFIG_GRKERNSEC_TPE_ALL
+		if(grsec_enable_tpe_all?current->uid:in_group_p(grsec_tpe_gid)) {
+#else
+		if(in_group_p(grsec_tpe_gid)) {
+#endif
+			if(file && (prot & PROT_EXEC) &&
+			 ((file->f_dentry->d_parent->d_inode->i_uid) ||
+           		 (!(file->f_dentry->d_parent->d_inode->i_uid) &&
+           		 ((file->f_dentry->d_parent->d_inode->i_mode & S_IWGRP) ||
+			 (file->f_dentry->d_parent->d_inode->i_mode & S_IWOTH))))) {
+				security_alert("denied exec of %.32s by " 
+				DEFAULTSECMSG " reason: tried to mmap binary", 
+				"denied execs", file->f_dentry->d_name.name, 
+				DEFAULTSECARGS);
+				return -EACCES;
+				goto out;
+			}
+		}
+	}
+#endif
+#ifdef CONFIG_GRKERNSEC_ACL
+	if(file && ( !gr_in_auth_mode((void *)current->acl)) )
+		if( (gr_search_file(file->f_dentry,GR_EXEC,file->f_vfsmnt))
+				== GR_DENY)
+		{
+			if(prot & PROT_EXEC) {
+				security_alert("attempt to mmap %ld %d executable"
+						"by " DEFAULTSECMSG,"mmap exec attempts",
+						file->f_dentry->d_inode->i_ino,
+						file->f_dentry->d_inode->i_dev,
+						DEFAULTSECARGS);
+				return -EACCES;
+			} else
+				vm_flags &= ~VM_MAYEXEC;
+		}
+#endif
 
 	/* Clear old maps */
 	error = -ENOMEM;
@@ -601,7 +669,20 @@
 		    (!vma || addr + len <= vma->vm_start))
 			return addr;
 	}
+#if defined(CONFIG_GRKERNSEC_STACK)
+        addr = TASK_UNMAPPED_BASE(len);
+	addr = PAGE_ALIGN(TASK_UNMAPPED_BASE(len));
+#else
+        addr = TASK_UNMAPPED_BASE;
 	addr = PAGE_ALIGN(TASK_UNMAPPED_BASE);
+#endif
+
+
+#ifdef CONFIG_GRKERNSEC_PAX_RANDMMAP
+               /* PaX: randomize base address if requested */
+               if (current->flags & PF_PAX_RANDMMAP)
+                       addr += current->mm->delta_mmap;
+#endif
 
 	for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) {
 		/* At this point:  (!vma || addr < vma->vm_end). */
@@ -1051,6 +1132,18 @@
 
 	flags |= VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
 
+#ifdef CONFIG_GRKERNSEC_PAX
+       if (current->flags & PF_PAX_PAGEEXEC) {
+               flags &= ~VM_EXEC;
+
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+              if (current->flags & PF_PAX_MPROTECT)
+                      flags &= ~VM_MAYEXEC;
+#endif
+	}
+#endif
+
+
 	/* Can we just expand an old anonymous mapping? */
 	if (rb_parent && vma_merge(mm, prev, rb_parent, addr, addr + len, flags))
 		goto out;
diff -Nru kernel-source-2.4.18/mm/mprotect.c kernel-source-2.4.18.fixed/mm/mprotect.c
--- kernel-source-2.4.18/mm/mprotect.c	2001-09-18 00:30:23.000000000 +0200
+++ kernel-source-2.4.18.fixed/mm/mprotect.c	2003-09-21 12:22:59.000000000 +0200
@@ -300,6 +300,12 @@
 			goto out;
 		}
 
+#ifdef CONFIG_GRKERNSEC_PAX_MPROTECT
+		/* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
+		if ((current->flags & PF_PAX_MPROTECT) && (prot & PROT_WRITE) && (vma->vm_flags & VM_MAYEXEC)) {
+			newflags &= ~VM_MAYWRITE;
+		}
+#endif
 		if (vma->vm_end > end) {
 			error = mprotect_fixup(vma, &prev, nstart, end, newflags);
 			goto out;
diff -Nru kernel-source-2.4.18/net/ipv4/Makefile kernel-source-2.4.18.fixed/net/ipv4/Makefile
--- kernel-source-2.4.18/net/ipv4/Makefile	2001-12-21 18:42:05.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/Makefile	2003-09-21 12:22:59.000000000 +0200
@@ -13,7 +13,7 @@
 
 obj-y     := utils.o route.o inetpeer.o proc.o protocol.o \
 	     ip_input.o ip_fragment.o ip_forward.o ip_options.o \
-	     ip_output.o ip_sockglue.o \
+	     ip_id.o ip_output.o ip_sockglue.o \
 	     tcp.o tcp_input.o tcp_output.o tcp_timer.o tcp_ipv4.o tcp_minisocks.o \
 	     tcp_diag.o raw.o udp.o arp.o icmp.o devinet.o af_inet.o igmp.o \
 	     sysctl_net_ipv4.o fib_frontend.o fib_semantics.o fib_hash.o
diff -Nru kernel-source-2.4.18/net/ipv4/af_inet.c kernel-source-2.4.18.fixed/net/ipv4/af_inet.c
--- kernel-source-2.4.18/net/ipv4/af_inet.c	2003-06-06 11:48:14.000000000 +0200
+++ kernel-source-2.4.18.fixed/net/ipv4/af_inet.c	2003-09-21 12:22:59.000000000 +0200
@@ -84,6 +84,10 @@
 #include <linux/poll.h>
 #include <linux/netfilter_ipv4.h>
 
+#if defined(CONFIG_GRKERNSEC_RANDTTL) || defined(CONFIG_GRKERNSEC_RANDID)
+#include <linux/grsecurity.h>
+#endif
+
 #include <asm/uaccess.h>
 #include <asm/system.h>
 
@@ -374,7 +378,14 @@
 	else
 		sk->protinfo.af_inet.pmtudisc = IP_PMTUDISC_WANT;
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		sk->protinfo.af_inet.id = htons(ip_randomid());
+	else
+		sk->protinfo.af_inet.id = 0;
+#else
 	sk->protinfo.af_inet.id = 0;
+#endif
 
 	sock_init_data(sock,sk);
 
@@ -386,8 +397,13 @@
 
 	sk->backlog_rcv = sk->prot->backlog_rcv;
 
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+if(grsec_enable_randttl){
+        sk->protinfo.af_inet.ttl = sysctl_ip_default_ttl +
+        (jiffies % (256 - sysctl_ip_default_ttl));
+} else
+#endif                  
 	sk->protinfo.af_inet.ttl	= sysctl_ip_default_ttl;
-
 	sk->protinfo.af_inet.mc_loop	= 1;
 	sk->protinfo.af_inet.mc_ttl	= 1;
 	sk->protinfo.af_inet.mc_index	= 0;
diff -Nru kernel-source-2.4.18/net/ipv4/icmp.c kernel-source-2.4.18.fixed/net/ipv4/icmp.c
--- kernel-source-2.4.18/net/ipv4/icmp.c	2002-02-25 20:38:14.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/icmp.c	2003-09-21 12:22:59.000000000 +0200
@@ -91,6 +91,10 @@
 #include <asm/uaccess.h>
 #include <net/checksum.h>
 
+#ifdef CONFIG_GRKERNSEC_RANDPING
+#include <linux/grsecurity.h>
+#endif
+
 /*
  *	Build xmit assembly blocks
  */
@@ -738,6 +742,11 @@
 
 		icmp_param.data.icmph=*skb->h.icmph;
 		icmp_param.data.icmph.type=ICMP_ECHOREPLY;
+#ifdef CONFIG_GRKERNSEC_RANDPING
+	if(grsec_enable_randping)
+		icmp_param.data.icmph.un.echo.id =
+		skb->h.icmph->un.echo.id;
+#endif
 		icmp_param.skb=skb;
 		icmp_param.offset=0;
 		icmp_param.data_len=skb->len;
diff -Nru kernel-source-2.4.18/net/ipv4/ip_gre.c kernel-source-2.4.18.fixed/net/ipv4/ip_gre.c
--- kernel-source-2.4.18/net/ipv4/ip_gre.c	2001-10-31 00:08:12.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/ip_gre.c	2003-09-21 12:22:59.000000000 +0200
@@ -28,6 +28,9 @@
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
 #include <linux/netfilter_ipv4.h>
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+#include <linux/grsecurity.h>
+#endif
 
 #include <net/sock.h>
 #include <net/ip.h>
@@ -849,6 +852,12 @@
 			iph->ttl = ((struct ipv6hdr*)old_iph)->hop_limit;
 #endif
 		else
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+			if(grsec_enable_randttl){
+			iph->ttl = sysctl_ip_default_ttl +
+			(jiffies % (256 - sysctl_ip_default_ttl)); 
+			} else
+#endif
 			iph->ttl = sysctl_ip_default_ttl;
 	}
 
diff -Nru kernel-source-2.4.18/net/ipv4/ip_id.c kernel-source-2.4.18.fixed/net/ipv4/ip_id.c
--- kernel-source-2.4.18/net/ipv4/ip_id.c	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/ip_id.c	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,146 @@
+/*
+ * This code is based on OpenBSD's ip_id.c, by Niels Provos.
+ * Ported to Linux 2.2 by Salvatore Sanfilippo.
+ * Ported to Linux 2.4 by Brad Spengler.
+ *
+ * 26-10-1999: Ported from OpenBSD's ip_id.c version 1.2
+ * (previous versions seems to be predictable
+ * after David Wagner's auditing)
+ * Salvatore Sanfilippo <antirez@invece.org>
+ *
+ * TODO:
+ * - Make this code SMP safe
+ */
+
+/*
+ * Copyright 1998 Niels Provos <provos@citi.umich.edu>
+ * All rights reserved.
+ * Theo de Raadt <deraadt@openbsd.org> came up with the idea of using
+ * such a mathematical system to generate more random (yet non-repeating)
+ * ids to solve the resolver/named problem.  But Niels designed the
+ * actual system based on the constraints.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer,
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/random.h>
+#include <linux/grsecurity.h>
+
+#define RU_OUT 180
+#define RU_MAX 30000
+#define RU_GEN 2
+#define RU_N 32749
+#define RU_AGEN 7
+#define RU_M 31104
+#define PFAC_N 3
+const static __u16 pfacts[PFAC_N] = { 2,3,2729 };
+
+static __u16 ru_x;
+static __u16 ru_seed, ru_seed2;
+static __u16 ru_a, ru_b;
+static __u16 ru_g;
+static __u16 ru_counter = 0;
+static __u16 ru_msb = 0;
+static __u32 ru_reseed;
+static __u32 tmp;
+
+static __u16 pmod(u_int16_t, u_int16_t, u_int16_t);
+static void ip_initid (void);
+__u16 ip_randomip (void);
+
+static __u16 pmod(__u16 gen, __u16 exp, __u16 mod) {
+	__u16 s, t, u;
+
+	s = 1;
+	t = gen;
+	u = exp;
+
+	while(u) {
+		if (u & 1)
+			s = (s*t) % mod;
+		u >>=1;
+		t = (t*t) % mod;
+	}
+	return(s);
+}
+
+static void ip_initid (void) { 	
+	__u16 j, i;
+	int noprime = 1;
+
+	get_random_bytes((void *) &tmp, sizeof(tmp));
+	ru_x = (tmp & 0xFFFF) % RU_M;
+	ru_seed = (tmp >> 16) & 0x7FFF;
+	get_random_bytes((void *) &tmp, sizeof(tmp));
+	ru_seed2 = tmp & 0x7FFF;
+	
+	get_random_bytes((void *) &tmp, sizeof(tmp));
+	
+	ru_b = (tmp & 0xfffe) | 1;
+	ru_a = pmod(RU_AGEN, (tmp >> 16) & 0xfffe, RU_M);
+	while (ru_b % 3 == 0)
+		ru_b += 2;
+
+	get_random_bytes((void *) &tmp, sizeof(tmp));
+	j = tmp % RU_N;
+	tmp = tmp >> 16;
+	
+	while(noprime) {
+		for (i=0; i<PFAC_N; i++)
+			if(j%pfacts[i] == 0)
+				break;
+		
+		if (i>=PFAC_N)
+			noprime = 0;
+		else
+			j = (j+1) % RU_N;
+	}
+
+	ru_g = pmod(RU_GEN,j,RU_N);
+	ru_counter = 0;
+	ru_reseed = jiffies + (RU_OUT * HZ);
+	ru_msb = ru_msb == 0x8000 ? 0 : 0x8000;
+}
+
+__u16 ip_randomid (void) {
+	int i, n;
+	
+	if (ru_counter >= RU_MAX || jiffies > ru_reseed)
+		ip_initid();
+
+	if (!tmp)
+		get_random_bytes((void *) &tmp, sizeof(tmp));
+
+	n = tmp & 0x3; tmp = tmp >> 2;
+	if (ru_counter + n >= RU_MAX)
+		ip_initid();
+	for (i=0; i <= n; i++)
+		ru_x = (ru_a*ru_x + ru_b) % RU_M;
+	ru_counter += i;
+	
+	return (ru_seed ^ pmod(ru_g,ru_seed2 ^ ru_x, RU_N)) | ru_msb;
+}
diff -Nru kernel-source-2.4.18/net/ipv4/ip_output.c kernel-source-2.4.18.fixed/net/ipv4/ip_output.c
--- kernel-source-2.4.18/net/ipv4/ip_output.c	2001-10-17 23:16:39.000000000 +0200
+++ kernel-source-2.4.18.fixed/net/ipv4/ip_output.c	2003-09-21 12:22:59.000000000 +0200
@@ -77,6 +77,9 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/mroute.h>
 #include <linux/netlink.h>
+#ifdef CONFIG_GRKERNSEC_RANDID
+#include <linux/grsecurity.h>
+#endif
 
 /*
  *      Shall we try to damage output packets if routing dev changes?
@@ -510,6 +513,12 @@
 	 *	Begin outputting the bytes.
 	 */
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid){ 
+		id = htons(ip_randomid());	
+		sk->protinfo.af_inet.id = id;
+	} else
+#endif
 	id = sk->protinfo.af_inet.id++;
 
 	do {
diff -Nru kernel-source-2.4.18/net/ipv4/ip_sockglue.c kernel-source-2.4.18.fixed/net/ipv4/ip_sockglue.c
--- kernel-source-2.4.18/net/ipv4/ip_sockglue.c	2001-10-31 00:08:12.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/ip_sockglue.c	2003-09-21 12:22:59.000000000 +0200
@@ -42,6 +42,9 @@
 
 #include <linux/errqueue.h>
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+#include <linux/grsecurity.h>
+#endif
 
 #define IP_CMSG_PKTINFO		1
 #define IP_CMSG_TTL		2
@@ -492,8 +495,15 @@
 		case IP_TTL:
 			if (optlen<1)
 				goto e_inval;
-			if(val==-1)
+			if(val==-1) {
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+                        if(grsec_enable_randttl){
+                        val = sysctl_ip_default_ttl +
+                        (jiffies % (256 - sysctl_ip_default_ttl));
+                        } else
+#endif
 				val = sysctl_ip_default_ttl;
+			}
 			if(val<1||val>255)
 				goto e_inval;
 			sk->protinfo.af_inet.ttl=val;
diff -Nru kernel-source-2.4.18/net/ipv4/netfilter/Config.in kernel-source-2.4.18.fixed/net/ipv4/netfilter/Config.in
--- kernel-source-2.4.18/net/ipv4/netfilter/Config.in	2002-02-25 20:38:14.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/netfilter/Config.in	2003-09-21 12:22:59.000000000 +0200
@@ -25,6 +25,7 @@
   dep_tristate '  LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
   dep_tristate '  TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
   dep_tristate '  tcpmss match support' CONFIG_IP_NF_MATCH_TCPMSS $CONFIG_IP_NF_IPTABLES
+  dep_tristate '  stealth match support' CONFIG_IP_NF_MATCH_STEALTH $CONFIG_IP_NF_IPTABLES
   if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
     dep_tristate '  Connection state match support' CONFIG_IP_NF_MATCH_STATE $CONFIG_IP_NF_CONNTRACK $CONFIG_IP_NF_IPTABLES 
   fi
diff -Nru kernel-source-2.4.18/net/ipv4/netfilter/Makefile kernel-source-2.4.18.fixed/net/ipv4/netfilter/Makefile
--- kernel-source-2.4.18/net/ipv4/netfilter/Makefile	2002-02-25 20:38:14.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/netfilter/Makefile	2003-09-21 12:22:59.000000000 +0200
@@ -64,6 +64,7 @@
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
 obj-$(CONFIG_IP_NF_MATCH_UNCLEAN) += ipt_unclean.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+obj-$(CONFIG_IP_NF_MATCH_STEALTH) += ipt_stealth.o
 
 # targets
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
diff -Nru kernel-source-2.4.18/net/ipv4/netfilter/ipt_stealth.c kernel-source-2.4.18.fixed/net/ipv4/netfilter/ipt_stealth.c
--- kernel-source-2.4.18/net/ipv4/netfilter/ipt_stealth.c	1970-01-01 01:00:00.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/netfilter/ipt_stealth.c	2003-09-21 12:22:59.000000000 +0200
@@ -0,0 +1,102 @@
+/* Kernel module to add stealth support.
+ *
+ * Copyright (C) 2002 Brad Spengler  <spender@grsecurity.net>
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/net.h>
+#include <linux/sched.h>
+#include <linux/inet.h>
+#include <linux/stddef.h>
+
+#include <net/ip.h>
+#include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
+#include <net/route.h>
+#include <net/inet_common.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_LICENSE("GPL");
+
+#define TH_FIN  0x01
+#define TH_SYN  0x02
+#define TH_RST  0x04
+#define TH_ACK  0x10
+#define TH_ECE  0x40
+#define TH_CWR  0x80
+
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	struct iphdr *ip = skb->nh.iph;
+	struct iphdr *udpip = (struct iphdr*)skb->data;
+        struct udphdr *uh = (struct udphdr*)(skb->data+(udpip->ihl<<2));
+	struct tcphdr *th = (struct tcphdr*)(skb->data+(ip->ihl<<2));
+	struct sock *sk = NULL;
+	u_int8_t tcpflags;
+
+	if(ip->protocol == IPPROTO_TCP) {
+		tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
+		if(tcpflags & TH_SYN)		
+			sk = tcp_v4_lookup_listener(ip->daddr, ntohs(th->dest), ((struct rtable*)skb->dst)->rt_iif);	
+	} else if(ip->protocol == IPPROTO_UDP)
+		sk = udp_v4_lookup(udpip->saddr, uh->source, udpip->daddr, uh->dest, skb->dev->ifindex);
+	else
+		return 0;
+
+	if(sk != NULL)
+		return 0;
+	else
+		return 1;
+}
+
+/* Called when user tries to insert an entry of this type. */
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+        if (matchsize != IPT_ALIGN(0))
+                return 0;
+
+	if((ip->proto == IPPROTO_TCP && !(ip->invflags & IPT_INV_PROTO)) ||
+		((ip->proto == IPPROTO_UDP) && !(ip->invflags & IPT_INV_PROTO)))
+			return 1;
+
+
+	printk("stealth: Only works on TCP and UDP\n");
+        return 0;
+}
+
+
+static struct ipt_match stealth_match
+= { { NULL, NULL }, "stealth", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_match(&stealth_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&stealth_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nru kernel-source-2.4.18/net/ipv4/tcp_ipv4.c kernel-source-2.4.18.fixed/net/ipv4/tcp_ipv4.c
--- kernel-source-2.4.18/net/ipv4/tcp_ipv4.c	2003-05-17 06:11:52.000000000 +0200
+++ kernel-source-2.4.18.fixed/net/ipv4/tcp_ipv4.c	2003-09-21 12:22:59.000000000 +0200
@@ -64,6 +64,11 @@
 #include <linux/stddef.h>
 #include <linux/ipsec.h>
 
+#if defined(CONFIG_GRKERNSEC_RANDID)||defined(CONFIG_GRKERNSEC_RANDSRC)
+#include <linux/grsecurity.h>
+#endif
+
+
 extern int sysctl_ip_dynaddr;
 
 /* Check TCP sequence numbers in ICMP packets. */
@@ -212,9 +217,20 @@
 
 		spin_lock(&tcp_portalloc_lock);
 		rover = tcp_port_rover;
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+                do {
+	if(grsec_enable_randsrc) {
+			rover = low + (ip_randomid() % (high - low));
+	} else {
+			rover++;
+			if ((rover < low) || (rover > high))
+				rover = low;
+	}
+#else
 		do {	rover++;
 			if ((rover < low) || (rover > high))
 				rover = low;
+#endif
 			head = &tcp_bhash[tcp_bhashfn(rover)];
 			spin_lock(&head->lock);
 			for (tb = head->chain; tb; tb = tb->next)
@@ -726,6 +742,11 @@
 	tp->ext_header_len = 0;
 	if (sk->protinfo.af_inet.opt)
 		tp->ext_header_len = sk->protinfo.af_inet.opt->optlen;
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		sk->protinfo.af_inet.id = htons(ip_randomid());
+	else
+#endif
 	sk->protinfo.af_inet.id = tp->write_seq^jiffies;
 
 	tp->mss_clamp = 536;
@@ -1448,6 +1469,11 @@
 	newtp->ext_header_len = 0;
 	if (newsk->protinfo.af_inet.opt)
 		newtp->ext_header_len = newsk->protinfo.af_inet.opt->optlen;
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		newsk->protinfo.af_inet.id = htons(ip_randomid());
+	else
+#endif
 	newsk->protinfo.af_inet.id = newtp->write_seq^jiffies;
 
 	tcp_sync_mss(newsk, dst->pmtu);
diff -Nru kernel-source-2.4.18/net/ipv4/udp.c kernel-source-2.4.18.fixed/net/ipv4/udp.c
--- kernel-source-2.4.18/net/ipv4/udp.c	2002-02-27 11:53:48.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/ipv4/udp.c	2003-09-21 12:22:59.000000000 +0200
@@ -94,6 +94,9 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 
+#ifdef CONFIG_GRKERNSEC_RANDID
+#include <linux/grsecurity.h>
+#endif
 /*
  *	Snmp MIB for the UDP layer
  */
@@ -738,6 +741,12 @@
 	sk->daddr = rt->rt_dst;
 	sk->dport = usin->sin_port;
 	sk->state = TCP_ESTABLISHED;
+
+#ifdef CONFIG_GRKERNSEC_RANDID
+	if(grsec_enable_randid)
+		sk->protinfo.af_inet.id = htons(ip_randomid());
+	else
+#endif
 	sk->protinfo.af_inet.id = jiffies;
 
 	sk_dst_set(sk, &rt->u.dst);
diff -Nru kernel-source-2.4.18/net/netsyms.c kernel-source-2.4.18.fixed/net/netsyms.c
--- kernel-source-2.4.18/net/netsyms.c	2003-04-04 12:40:06.000000000 +0200
+++ kernel-source-2.4.18.fixed/net/netsyms.c	2003-09-21 12:22:59.000000000 +0200
@@ -589,4 +589,31 @@
 EXPORT_SYMBOL(net_call_rx_atomic);
 EXPORT_SYMBOL(softnet_data);
 
+#if defined(CONFIG_IP_NF_MATCH_STEALTH) || defined(CONFIG_IP_NF_MATCH_STEALTH_MODULE)
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+#if !defined (CONFIG_IPV6_MODULE) && !defined (CONFIG_KHTTPD) && !defined (CONFIG_KHTTPD_MODULE)
+EXPORT_SYMBOL(tcp_v4_lookup_listener);
+#endif
+EXPORT_SYMBOL(udp_v4_lookup);
+#endif
+
+#if defined(CONFIG_GRKERNSEC_RANDID) || defined(CONFIG_GRKERNSEC_RANDTTL) ||\
+    defined(CONFIG_GRKERNSEC_RANDSRC) || defined(CONFIG_GRKERNSEC_RANDPID) ||\
+    defined(CONFIG_GRKERNSEC_RANDRPC)
+#include <linux/grsecurity.h>
+EXPORT_SYMBOL(ip_randomid);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDID
+EXPORT_SYMBOL(grsec_enable_randid);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDSRC
+EXPORT_SYMBOL(grsec_enable_randsrc);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDTTL
+EXPORT_SYMBOL(grsec_enable_randttl);
+#endif
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+EXPORT_SYMBOL(grsec_enable_randrpc);
+#endif
+
 #endif  /* CONFIG_NET */
diff -Nru kernel-source-2.4.18/net/socket.c kernel-source-2.4.18.fixed/net/socket.c
--- kernel-source-2.4.18/net/socket.c	2001-12-21 18:42:06.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/socket.c	2003-09-21 12:22:59.000000000 +0200
@@ -85,6 +85,13 @@
 #include <net/scm.h>
 #include <linux/netfilter.h>
 
+#if defined(CONFIG_GRKERNSEC_SOCKET_ALL)||\
+    defined(CONFIG_GRKERNSEC_SOCKET_CLIENT)||\
+    defined(CONFIG_GRKERNSEC_SOCKET_SERVER)
+#include <linux/grsecurity.h>
+#endif
+
+
 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
 static loff_t sock_lseek(struct file *file, loff_t offset, int whence);
 static ssize_t sock_read(struct file *file, char *buf,
@@ -912,6 +919,16 @@
 	int retval;
 	struct socket *sock;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+	if(grsec_enable_socket_all &&
+	(in_group_p(grsec_socket_all_gid)) && (family != AF_UNIX) && (family != AF_LOCAL)){
+		security_alert("attempted socket(%d,%d,%d) by "
+		DEFAULTSECMSG,"attempted sockets",family,type,protocol,
+		DEFAULTSECARGS);
+		retval = -EACCES;
+		goto out;
+	}
+#endif
 	retval = sock_create(family, type, protocol, &sock);
 	if (retval < 0)
 		goto out;
@@ -1009,6 +1026,14 @@
 	char address[MAX_SOCK_ADDR];
 	int err;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+	if(grsec_enable_socket_server &&
+	(in_group_p(grsec_socket_server_gid)) && umyaddr && (umyaddr->sa_family != AF_UNIX) && (umyaddr->sa_family != AF_LOCAL)){
+		security_alert("attempted bind() by " DEFAULTSECMSG,
+		"attempted binds", DEFAULTSECARGS);
+		return -EACCES;
+	}
+#endif
 	if((sock = sockfd_lookup(fd,&err))!=NULL)
 	{
 		if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
@@ -1117,6 +1142,16 @@
 	char address[MAX_SOCK_ADDR];
 	int err;
 
+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
+	if(grsec_enable_socket_client &&
+	(in_group_p(grsec_socket_client_gid)) && uservaddr && (uservaddr->sa_family != AF_UNIX) && (uservaddr->sa_family != AF_LOCAL)){
+		security_alert("attempted connect() to fd %d by "
+				DEFAULTSECMSG, "attempted connects", fd, 
+				DEFAULTSECARGS);
+		err = -EACCES;
+		goto out;
+	}
+#endif
 	sock = sockfd_lookup(fd, &err);
 	if (!sock)
 		goto out;
diff -Nru kernel-source-2.4.18/net/sunrpc/xprt.c kernel-source-2.4.18.fixed/net/sunrpc/xprt.c
--- kernel-source-2.4.18/net/sunrpc/xprt.c	2001-12-21 18:42:06.000000000 +0100
+++ kernel-source-2.4.18.fixed/net/sunrpc/xprt.c	2003-09-21 12:22:59.000000000 +0200
@@ -65,6 +65,9 @@
 #include <net/udp.h>
 
 #include <asm/uaccess.h>
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+#include <linux/grsecurity.h>
+#endif
 
 /* Following value should be > 32k + RPC overhead */
 #define XPRT_MIN_WRITE_SPACE (35000 + SOCK_MIN_WRITE_SPACE)
@@ -1383,7 +1386,14 @@
 	req->rq_timeout = xprt->timeout;
 	req->rq_task	= task;
 	req->rq_xprt    = xprt;
+#ifdef CONFIG_GRKERNSEC_RANDRPC
+	if(grsec_enable_randrpc)
+		req->rq_xid = ip_randomid() * ip_randomid();
+	else
+		req->rq_xid = xid++;
+#else
 	req->rq_xid     = xid++;
+#endif
 	if (!xid)
 		xid++;
 }