commit: f272a817905cb0b69974160972aef87eaabb197e
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 20 13:47:33 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Mar 20 13:47:33 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=f272a817
Grsec/PaX: 3.0-{3.2.55,3.13.6}-201403192228
---
3.13.6/0000_README | 2 +-
... 4420_grsecurity-3.0-3.13.6-201403192228.patch} | 162 ++++++++++++++++++++-
3.13.6/4450_grsec-kconfig-default-gids.patch | 12 +-
3.13.6/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
3.2.55/0000_README | 2 +-
... 4420_grsecurity-3.0-3.2.55-201403192223.patch} | 100 ++++++++++---
3.2.55/4450_grsec-kconfig-default-gids.patch | 12 +-
3.2.55/4465_selinux-avc_audit-log-curr_ip.patch | 2 +-
8 files changed, 258 insertions(+), 36 deletions(-)
diff --git a/3.13.6/0000_README b/3.13.6/0000_README
index 4b2085f..e099035 100644
--- a/3.13.6/0000_README
+++ b/3.13.6/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-3.0-3.13.6-201403172032.patch
+Patch: 4420_grsecurity-3.0-3.13.6-201403192228.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch
b/3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch
similarity index 99%
rename from 3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch
rename to 3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch
index 6142d59..fb3fba9 100644
--- a/3.13.6/4420_grsecurity-3.0-3.13.6-201403172032.patch
+++ b/3.13.6/4420_grsecurity-3.0-3.13.6-201403192228.patch
@@ -6416,6 +6416,64 @@ index c1f6afa..38cc6e9 100644
+#define arch_align_stack(x) ((x) & ~0xfUL)
#endif /* _ASM_EXEC_H */
+diff --git a/arch/mips/include/asm/ftrace.h b/arch/mips/include/asm/ftrace.h
+index ce35c9a..434321c 100644
+--- a/arch/mips/include/asm/ftrace.h
++++ b/arch/mips/include/asm/ftrace.h
+@@ -22,12 +22,12 @@ extern void _mcount(void);
+ #define safe_load(load, src, dst, error) \
+ do { \
+ asm volatile ( \
+- "1: " load " %[" STR(dst) "], 0(%[" STR(src) "])\n"\
+- " li %[" STR(error) "], 0\n" \
++ "1: " load " %[dest], 0(%[source])\n" \
++ " li %[err], 0\n" \
+ "2:\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+- "3: li %[" STR(error) "], 1\n" \
++ "3: li %[err], 1\n" \
+ " j 2b\n" \
+ ".previous\n" \
+ \
+@@ -35,8 +35,8 @@ do { \
+ STR(PTR) "\t1b, 3b\n\t" \
+ ".previous\n" \
+ \
+- : [dst] "=&r" (dst), [error] "=r" (error)\
+- : [src] "r" (src) \
++ : [dest] "=&r" (dst), [err] "=r" (error)\
++ : [source] "r" (src) \
+ : "memory" \
+ ); \
+ } while (0)
+@@ -44,12 +44,12 @@ do {
\
+ #define safe_store(store, src, dst, error) \
+ do { \
+ asm volatile ( \
+- "1: " store " %[" STR(src) "], 0(%[" STR(dst) "])\n"\
+- " li %[" STR(error) "], 0\n" \
++ "1: " store " %[source], 0(%[dest])\n"\
++ " li %[err], 0\n" \
+ "2:\n" \
+ \
+ ".section .fixup, \"ax\"\n" \
+- "3: li %[" STR(error) "], 1\n" \
++ "3: li %[err], 1\n" \
+ " j 2b\n" \
+ ".previous\n" \
+ \
+@@ -57,8 +57,8 @@ do { \
+ STR(PTR) "\t1b, 3b\n\t" \
+ ".previous\n" \
+ \
+- : [error] "=r" (error) \
+- : [dst] "r" (dst), [src] "r" (src)\
++ : [err] "=r" (error) \
++ : [dest] "r" (dst), [source] "r" (src)\
+ : "memory" \
+ ); \
+ } while (0)
diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h
index 9e8ef59..1139d6b 100644
--- a/arch/mips/include/asm/hw_irq.h
@@ -6549,6 +6607,20 @@ index b336037..5b874cc 100644
#endif
/*
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index 008324d..f67c239 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -20,6 +20,9 @@
+ #include <asm/io.h>
+ #include <asm/pgtable-bits.h>
+
++#define ktla_ktva(addr) (addr)
++#define ktva_ktla(addr) (addr)
++
+ struct mm_struct;
+ struct vm_area_struct;
+
diff --git a/arch/mips/include/asm/smtc_proc.h
b/arch/mips/include/asm/smtc_proc.h
index 25da651..ae2a259 100644
--- a/arch/mips/include/asm/smtc_proc.h
@@ -6561,6 +6633,49 @@ index 25da651..ae2a259 100644
+extern atomic_unchecked_t smtc_fpu_recoveries;
#endif /* __ASM_SMTC_PROC_H */
+diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
+index 81c8913..81d8432 100644
+--- a/arch/mips/include/asm/syscall.h
++++ b/arch/mips/include/asm/syscall.h
+@@ -29,7 +29,7 @@ static inline long syscall_get_nr(struct task_struct *task,
+ static inline unsigned long mips_get_syscall_arg(unsigned long *arg,
+ struct task_struct *task, struct pt_regs *regs, unsigned int n)
+ {
+- unsigned long usp = regs->regs[29];
++ unsigned long usp __maybe_unused = regs->regs[29];
+
+ switch (n) {
+ case 0: case 1: case 2: case 3:
+@@ -39,14 +39,14 @@ static inline unsigned long mips_get_syscall_arg(unsigned
long *arg,
+
+ #ifdef CONFIG_32BIT
+ case 4: case 5: case 6: case 7:
+- return get_user(*arg, (int *)usp + 4 * n);
++ return get_user(*arg, (int *)usp + n);
+ #endif
+
+ #ifdef CONFIG_64BIT
+ case 4: case 5: case 6: case 7:
+ #ifdef CONFIG_MIPS32_O32
+ if (test_thread_flag(TIF_32BIT_REGS))
+- return get_user(*arg, (int *)usp + 4 * n);
++ return get_user(*arg, (int *)usp + n);
+ else
+ #endif
+ *arg = regs->regs[4 + n];
+@@ -83,11 +83,10 @@ static inline void syscall_get_arguments(struct
task_struct *task,
+ unsigned int i, unsigned int n,
+ unsigned long *args)
+ {
+- unsigned long arg;
+ int ret;
+
+ while (n--)
+- ret |= mips_get_syscall_arg(&arg, task, regs, i++);
++ ret |= mips_get_syscall_arg(args++, task, regs, i++);
+
+ /*
+ * No way to communicate an error because this is a void function.
diff --git a/arch/mips/include/asm/thread_info.h
b/arch/mips/include/asm/thread_info.h
index 4f58ef6..5e7081b 100644
--- a/arch/mips/include/asm/thread_info.h
@@ -6636,6 +6751,24 @@ index 202e581..689ca79 100644
#include <asm/processor.h>
/*
+diff --git a/arch/mips/kernel/ftrace.c b/arch/mips/kernel/ftrace.c
+index 185ba25..374ed74 100644
+--- a/arch/mips/kernel/ftrace.c
++++ b/arch/mips/kernel/ftrace.c
+@@ -111,11 +111,10 @@ static int ftrace_modify_code_2(unsigned long ip,
unsigned int new_code1,
+ safe_store_code(new_code1, ip, faulted);
+ if (unlikely(faulted))
+ return -EFAULT;
+- ip += 4;
+- safe_store_code(new_code2, ip, faulted);
++ safe_store_code(new_code2, ip + 4, faulted);
+ if (unlikely(faulted))
+ return -EFAULT;
+- flush_icache_range(ip, ip + 8); /* original ip + 12 */
++ flush_icache_range(ip, ip + 8);
+ return 0;
+ }
+ #endif
diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c
index 2b91fe8..fe4f6b4 100644
--- a/arch/mips/kernel/i8259.c
@@ -9409,6 +9542,19 @@ index bcfe063..b333142 100644
static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
{
+diff --git a/arch/sparc/include/asm/pgtable.h
b/arch/sparc/include/asm/pgtable.h
+index 59ba6f6..4518128 100644
+--- a/arch/sparc/include/asm/pgtable.h
++++ b/arch/sparc/include/asm/pgtable.h
+@@ -5,4 +5,8 @@
+ #else
+ #include <asm/pgtable_32.h>
+ #endif
++
++#define ktla_ktva(addr) (addr)
++#define ktva_ktla(addr) (addr)
++
+ #endif
diff --git a/arch/sparc/include/asm/pgtable_32.h
b/arch/sparc/include/asm/pgtable_32.h
index 502f632..da1917f 100644
--- a/arch/sparc/include/asm/pgtable_32.h
@@ -65824,10 +65970,10 @@ index 0000000..5307c8a
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..364a9d7
+index 0000000..e56396f
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,2678 @@
+@@ -0,0 +1,2679 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -65856,6 +66002,7 @@ index 0000000..364a9d7
+#include <linux/lglock.h>
+#include <linux/hugetlb.h>
+#include <linux/posix-timers.h>
++#include <linux/prefetch.h>
+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
+#include <linux/magic.h>
+#include <linux/pagemap.h>
@@ -99433,7 +99580,7 @@ index 4f26ee4..6a9d7c3 100644
if (ipvs->sync_state & IP_VS_STATE_MASTER)
ip_vs_sync_conn(net, cp, pkts);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 35be035..dad174b 100644
+index 35be035..50f8834 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -794,7 +794,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct
ip_vs_dest *dest,
@@ -99490,6 +99637,15 @@ index 35be035..dad174b 100644
IP_VS_CONN_F_FWD_MASK)) ||
nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
atomic_read(&dest->weight)) ||
+@@ -3580,7 +3580,7 @@ out:
+ }
+
+
+-static const struct genl_ops ip_vs_genl_ops[] __read_mostly = {
++static const struct genl_ops ip_vs_genl_ops[] = {
+ {
+ .cmd = IPVS_CMD_NEW_SERVICE,
+ .flags = GENL_ADMIN_PERM,
@@ -3697,7 +3697,7 @@ static int __net_init
ip_vs_control_net_init_sysctl(struct net *net)
{
int idx;
diff --git a/3.13.6/4450_grsec-kconfig-default-gids.patch
b/3.13.6/4450_grsec-kconfig-default-gids.patch
index 88f1f9b..abff221 100644
--- a/3.13.6/4450_grsec-kconfig-default-gids.patch
+++ b/3.13.6/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -657,7 +657,7 @@
+@@ -661,7 +661,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -888,7 +888,7 @@
+@@ -892,7 +892,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -897,7 +897,7 @@
+@@ -901,7 +901,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -990,7 +990,7 @@
+@@ -994,7 +994,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -1011,7 +1011,7 @@
+@@ -1015,7 +1015,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for
to
-@@ -1029,7 +1029,7 @@
+@@ -1033,7 +1033,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch
b/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch
index 0648169..6caf9de 100644
--- a/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.13.6/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro
<[email protected]>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1124,6 +1124,27 @@
+@@ -1128,6 +1128,27 @@
menu "Logging Options"
depends on GRKERNSEC
diff --git a/3.2.55/0000_README b/3.2.55/0000_README
index f880076..3b0b54e 100644
--- a/3.2.55/0000_README
+++ b/3.2.55/0000_README
@@ -138,7 +138,7 @@ Patch: 1054_linux-3.2.55.patch
From: http://www.kernel.org
Desc: Linux 3.2.55
-Patch: 4420_grsecurity-3.0-3.2.55-201403172027.patch
+Patch: 4420_grsecurity-3.0-3.2.55-201403192223.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch
b/3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch
similarity index 99%
rename from 3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch
rename to 3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch
index 5cd450a..1ab434c 100644
--- a/3.2.55/4420_grsecurity-3.0-3.2.55-201403172027.patch
+++ b/3.2.55/4420_grsecurity-3.0-3.2.55-201403192223.patch
@@ -3742,19 +3742,6 @@ index d46f1da..d72dc10 100644
help
kexec is a system call that implements the ability to shutdown your
current kernel, and to start another kernel. It is like a reboot
-diff --git a/arch/mips/cavium-octeon/dma-octeon.c
b/arch/mips/cavium-octeon/dma-octeon.c
-index ea4feba..1960ddd 100644
---- a/arch/mips/cavium-octeon/dma-octeon.c
-+++ b/arch/mips/cavium-octeon/dma-octeon.c
-@@ -189,7 +189,7 @@ static void octeon_dma_free_coherent(struct device *dev,
size_t size,
- if (dma_release_from_coherent(dev, order, vaddr))
- return;
-
-- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
-+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
- }
-
- static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t
paddr)
diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
index 1d93f81..67794d0 100644
--- a/arch/mips/include/asm/atomic.h
@@ -3842,6 +3829,57 @@ index 9e8ef59..1139d6b 100644
/*
* interrupt-retrigger: NOP for now. This may not be appropriate for all
+diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
+index 94fde8d..d5825cf 100644
+--- a/arch/mips/include/asm/local.h
++++ b/arch/mips/include/asm/local.h
+@@ -12,15 +12,25 @@ typedef struct
+ atomic_long_t a;
+ } local_t;
+
++typedef struct {
++ atomic_long_unchecked_t a;
++} local_unchecked_t;
++
+ #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
+
+ #define local_read(l) atomic_long_read(&(l)->a)
++#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
+ #define local_set(l, i) atomic_long_set(&(l)->a, (i))
++#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
+
+ #define local_add(i, l) atomic_long_add((i), (&(l)->a))
++#define local_add_unchecked(i, l) atomic_long_add_unchecked((i),
(&(l)->a))
+ #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
++#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i),
(&(l)->a))
+ #define local_inc(l) atomic_long_inc(&(l)->a)
++#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
+ #define local_dec(l) atomic_long_dec(&(l)->a)
++#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
+
+ /*
+ * Same as above, but return the result value
+@@ -69,6 +79,7 @@ static __inline__ long local_add_return(long i, local_t * l)
+
+ return result;
+ }
++#define local_add_return_unchecked(i, l)
atomic_long_add_return_unchecked((i), (&(l)->a))
+
+ static __inline__ long local_sub_return(long i, local_t * l)
+ {
+@@ -114,9 +125,12 @@ static __inline__ long local_sub_return(long i, local_t *
l)
+
+ return result;
+ }
++#define local_sub_return_unchecked(i, l)
atomic_long_sub_return_unchecked((i), (&(l)->a))
+
+ #define local_cmpxchg(l, o, n) \
+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
++#define local_cmpxchg_unchecked(l, o, n) \
++ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
+ #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
+
+ /**
diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
index e59cd1a..8e329d6 100644
--- a/arch/mips/include/asm/page.h
@@ -3871,6 +3909,20 @@ index 881d18b..cea38bc 100644
#endif
/*
+diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
+index b2202a6..6780030 100644
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -18,6 +18,9 @@
+ #include <asm/io.h>
+ #include <asm/pgtable-bits.h>
+
++#define ktla_ktva(addr) (addr)
++#define ktva_ktla(addr) (addr)
++
+ struct mm_struct;
+ struct vm_area_struct;
+
diff --git a/arch/mips/include/asm/system.h b/arch/mips/include/asm/system.h
index 6018c80..7c37203 100644
--- a/arch/mips/include/asm/system.h
@@ -7022,6 +7074,19 @@ index 40b2d7a..22a665b 100644
static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
{
+diff --git a/arch/sparc/include/asm/pgtable.h
b/arch/sparc/include/asm/pgtable.h
+index 59ba6f6..4518128 100644
+--- a/arch/sparc/include/asm/pgtable.h
++++ b/arch/sparc/include/asm/pgtable.h
+@@ -5,4 +5,8 @@
+ #else
+ #include <asm/pgtable_32.h>
+ #endif
++
++#define ktla_ktva(addr) (addr)
++#define ktva_ktla(addr) (addr)
++
+ #endif
diff --git a/arch/sparc/include/asm/pgtable_32.h
b/arch/sparc/include/asm/pgtable_32.h
index a790cc6..091ed94 100644
--- a/arch/sparc/include/asm/pgtable_32.h
@@ -58531,7 +58596,7 @@ index f590b11..414cf4b 100644
static int __init init_hppfs(void)
{
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
-index 0aa424a..c5563a6 100644
+index 0aa424a..0725236 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -134,6 +134,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long
addr,
@@ -58555,7 +58620,7 @@ index 0aa424a..c5563a6 100644
vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
- (!vma || addr + len <= vma->vm_start))
-+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr,
len, offset))
++ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, &addr,
len, offset))
return addr;
}
@@ -64336,10 +64401,10 @@ index 0000000..5307c8a
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..8532ed2
+index 0000000..0069a59
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,2826 @@
+@@ -0,0 +1,2827 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -64366,6 +64431,7 @@ index 0000000..8532ed2
+#include <linux/fdtable.h>
+#include <linux/percpu.h>
+#include <linux/posix-timers.h>
++#include <linux/prefetch.h>
+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
+#include <linux/magic.h>
+#include <linux/pagemap.h>
diff --git a/3.2.55/4450_grsec-kconfig-default-gids.patch
b/3.2.55/4450_grsec-kconfig-default-gids.patch
index 4f345d6..2c2c6ec 100644
--- a/3.2.55/4450_grsec-kconfig-default-gids.patch
+++ b/3.2.55/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -643,7 +643,7 @@
+@@ -647,7 +647,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -874,7 +874,7 @@
+@@ -878,7 +878,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -883,7 +883,7 @@
+@@ -887,7 +887,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -976,7 +976,7 @@
+@@ -980,7 +980,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -997,7 +997,7 @@
+@@ -1001,7 +1001,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for
to
-@@ -1015,7 +1015,7 @@
+@@ -1019,7 +1019,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch
b/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch
index 0545d51..610fb07 100644
--- a/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.2.55/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro
<[email protected]>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -1110,6 +1110,27 @@
+@@ -1114,6 +1114,27 @@
menu "Logging Options"
depends on GRKERNSEC
