authorAnthony G. Basile <blueness@gentoo.org>2013-04-11 18:48:09 -0400
committerAnthony G. Basile <blueness@gentoo.org>2013-04-11 20:57:26 -0400
commit105861ea220b674c7d4833551cf63194fd26f222 (patch)
treec58ae303925039982edc5b621485443b808439df /2.6.32
parentGrsec/PaX: 2.9.1-{2.6.32.60,3.2.42,3.8.6}-201304052305 (diff)
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.43,3.8.6}-201304102034
Diffstat (limited to '2.6.32')
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304102018.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304052259.patch)225
-rw-r--r--2.6.32/4450_grsec-kconfig-default-gids.patch12
-rw-r--r--2.6.32/4465_selinux-avc_audit-log-curr_ip.patch2
4 files changed, 168 insertions, 73 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 913d7a0..3154c9f 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.60-201304052259.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.60-201304102018.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304052259.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304102018.patch
index 5300fa4..a2bcf7d 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304052259.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201304102018.patch
@@ -1297,19 +1297,10 @@ index 2dfb7d7..8fadd73 100644
/*
* Change these and you break ASM code in entry-common.S
diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
-index 1d6bd40..fba0cb9 100644
+index 1d6bd40..159316f 100644
--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
-@@ -22,6 +22,8 @@
- #define VERIFY_READ 0
- #define VERIFY_WRITE 1
-
-+extern void check_object_size(const void *ptr, unsigned long n, bool to);
-+
- /*
- * The exception table consists of pairs of addresses: the first is the
- * address of an instruction that is allowed to fault, and the second is
-@@ -387,8 +389,23 @@ do { \
+@@ -387,8 +387,23 @@ do { \
#ifdef CONFIG_MMU
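Review bot: The `extern void check_object_size(const void *ptr, unsigned long n, bool to);` prototype is removed from arch/arm/include/asm/uaccess.h here, and likewise from the ia64, powerpc and sparc uaccess.h sections later in this patch, but nothing visible in this diff shows where the declaration now lives. Presumably it moved to a common header elsewhere in the regenerated patch; confirm by building each of the four architectures with the usercopy checks enabled, since a missing prototype would surface as an implicit declaration. The sparc section also drops its `#include <linux/types.h>`, so `bool` there would depend on the same include chain. The copy_from_user/copy_to_user bodies these headers patch are only partly visible.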
@@ -1335,7 +1326,7 @@ index 1d6bd40..fba0cb9 100644
extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
-@@ -403,6 +420,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n);
+@@ -403,6 +418,9 @@ extern unsigned long __must_check __strnlen_user(const char __user *s, long n);
static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
{
@@ -1345,7 +1336,7 @@ index 1d6bd40..fba0cb9 100644
if (access_ok(VERIFY_READ, from, n))
n = __copy_from_user(to, from, n);
else /* security hole - plug it */
-@@ -412,6 +432,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
+@@ -412,6 +430,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
{
@@ -2501,19 +2492,10 @@ index 239ecdc..f94170e 100644
static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
-index 449c8c0..50cdf87 100644
+index 449c8c0..18965fb 100644
--- a/arch/ia64/include/asm/uaccess.h
+++ b/arch/ia64/include/asm/uaccess.h
-@@ -42,6 +42,8 @@
- #include <asm/pgtable.h>
- #include <asm/io.h>
-
-+extern void check_object_size(const void *ptr, unsigned long n, bool to);
-+
- /*
- * For historical reasons, the following macros are grossly misnamed:
- */
-@@ -240,12 +242,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
+@@ -240,12 +240,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
static inline unsigned long
__copy_to_user (void __user *to, const void *from, unsigned long count)
{
@@ -2538,7 +2520,7 @@ index 449c8c0..50cdf87 100644
return __copy_user((__force void __user *) to, from, count);
}
-@@ -255,10 +269,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
+@@ -255,10 +267,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
({ \
void __user *__cu_to = (to); \
const void *__cu_from = (from); \
@@ -2554,7 +2536,7 @@ index 449c8c0..50cdf87 100644
__cu_len; \
})
-@@ -266,11 +283,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
+@@ -266,11 +281,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
({ \
void *__cu_to = (to); \
const void __user *__cu_from = (from); \
@@ -2685,6 +2667,19 @@ index 1481b0a..e7d38ff 100644
mod->arch.gp = gp;
DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
}
+diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
+index fdf6f9d..dae10ed 100644
+--- a/arch/ia64/kernel/palinfo.c
++++ b/arch/ia64/kernel/palinfo.c
+@@ -977,7 +977,7 @@ create_palinfo_proc_entries(unsigned int cpu)
+ struct proc_dir_entry **pdir;
+ struct proc_dir_entry *cpu_dir;
+ int j;
+- char cpustr[sizeof(CPUSTR)];
++ char cpustr[3+4+1];
+
+
+ /*
diff --git a/arch/ia64/kernel/pci-dma.c b/arch/ia64/kernel/pci-dma.c
index f6b1ff0..de773fb 100644
--- a/arch/ia64/kernel/pci-dma.c
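Review bot: The new size `3+4+1` for `cpustr` in `create_palinfo_proc_entries` is a bare sum with no stated meaning, and nothing in the hunk ties it to the format that fills the buffer or to the largest CPU number. If it stands for a three-character prefix, up to four digits and the terminating NUL, say so next to the declaration, e.g. `char cpustr[3+4+1]; /* prefix + up to 4 digits + NUL */`. The write into the buffer is outside the hunk; if it is an unbounded `sprintf`, `snprintf(cpustr, sizeof(cpustr), ...)` would keep a larger CPU id from overrunning this stack buffer.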
@@ -4374,19 +4369,10 @@ index aa9d383..0380a05 100644
#define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
_TIF_NOTIFY_RESUME)
diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
-index bd0fb84..a42a14b 100644
+index bd0fb84..1f2d065 100644
--- a/arch/powerpc/include/asm/uaccess.h
+++ b/arch/powerpc/include/asm/uaccess.h
-@@ -13,6 +13,8 @@
- #define VERIFY_READ 0
- #define VERIFY_WRITE 1
-
-+extern void check_object_size(const void *ptr, unsigned long n, bool to);
-+
- /*
- * The fs value determines whether argument validity checking should be
- * performed or not. If get_fs() == USER_DS, checking is performed, with
-@@ -327,52 +329,6 @@ do { \
+@@ -327,52 +327,6 @@ do { \
extern unsigned long __copy_tofrom_user(void __user *to,
const void __user *from, unsigned long size);
@@ -4439,7 +4425,7 @@ index bd0fb84..a42a14b 100644
static inline unsigned long __copy_from_user_inatomic(void *to,
const void __user *from, unsigned long n)
{
-@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
+@@ -396,6 +350,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
if (ret == 0)
return 0;
}
@@ -4450,7 +4436,7 @@ index bd0fb84..a42a14b 100644
return __copy_tofrom_user((__force void __user *)to, from, n);
}
-@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
+@@ -422,6 +380,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
if (ret == 0)
return 0;
}
@@ -4461,7 +4447,7 @@ index bd0fb84..a42a14b 100644
return __copy_tofrom_user(to, (__force const void __user *)from, n);
}
-@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_user(void __user *to,
+@@ -439,6 +401,92 @@ static inline unsigned long __copy_to_user(void __user *to,
return __copy_to_user_inatomic(to, from, size);
}
@@ -6564,20 +6550,13 @@ index f78ad9a..a3213ed 100644
* Thread-synchronous status.
*
diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
-index e88fbe5..96b0ce5 100644
+index e88fbe5..bd0eda7 100644
--- a/arch/sparc/include/asm/uaccess.h
+++ b/arch/sparc/include/asm/uaccess.h
-@@ -1,5 +1,13 @@
+@@ -1,5 +1,6 @@
#ifndef ___ASM_SPARC_UACCESS_H
#define ___ASM_SPARC_UACCESS_H
+
-+#ifdef __KERNEL__
-+#ifndef __ASSEMBLY__
-+#include <linux/types.h>
-+extern void check_object_size(const void *ptr, unsigned long n, bool to);
-+#endif
-+#endif
-+
#if defined(__sparc__) && defined(__arch64__)
#include <asm/uaccess_64.h>
#else
@@ -7365,6 +7344,82 @@ index 3792099..2af17d8 100644
regs->tpc, (void *) regs->tpc);
}
}
+diff --git a/arch/sparc/kernel/us3_cpufreq.c b/arch/sparc/kernel/us3_cpufreq.c
+index 365b646..624f037 100644
+--- a/arch/sparc/kernel/us3_cpufreq.c
++++ b/arch/sparc/kernel/us3_cpufreq.c
+@@ -197,6 +197,20 @@ static int us3_freq_cpu_exit(struct cpufreq_policy *policy)
+ return 0;
+ }
+
++static int __init us3_freq_init(void);
++static void __exit us3_freq_exit(void);
++
++static struct cpufreq_driver _cpufreq_us3_driver = {
++ .init = us3_freq_cpu_init,
++ .verify = us3_freq_verify,
++ .target = us3_freq_target,
++ .get = us3_freq_get,
++ .exit = us3_freq_cpu_exit,
++ .owner = THIS_MODULE,
++ .name = "UltraSPARC-III",
++
++};
++
+ static int __init us3_freq_init(void)
+ {
+ unsigned long manuf, impl, ver;
+@@ -214,39 +228,22 @@ static int __init us3_freq_init(void)
+ impl == CHEETAH_PLUS_IMPL ||
+ impl == JAGUAR_IMPL ||
+ impl == PANTHER_IMPL)) {
+- struct cpufreq_driver *driver;
+-
+ ret = -ENOMEM;
+- driver = kzalloc(sizeof(struct cpufreq_driver), GFP_KERNEL);
+- if (!driver)
+- goto err_out;
+-
+ us3_freq_table = kzalloc(
+ (NR_CPUS * sizeof(struct us3_freq_percpu_info)),
+ GFP_KERNEL);
+ if (!us3_freq_table)
+ goto err_out;
+
+- driver->init = us3_freq_cpu_init;
+- driver->verify = us3_freq_verify;
+- driver->target = us3_freq_target;
+- driver->get = us3_freq_get;
+- driver->exit = us3_freq_cpu_exit;
+- driver->owner = THIS_MODULE,
+- strcpy(driver->name, "UltraSPARC-III");
+-
+- cpufreq_us3_driver = driver;
+- ret = cpufreq_register_driver(driver);
++ cpufreq_us3_driver = &_cpufreq_us3_driver;
++ ret = cpufreq_register_driver(cpufreq_us3_driver);
+ if (ret)
+ goto err_out;
+
+ return 0;
+
+ err_out:
+- if (driver) {
+- kfree(driver);
+- cpufreq_us3_driver = NULL;
+- }
++ cpufreq_us3_driver = NULL;
+ kfree(us3_freq_table);
+ us3_freq_table = NULL;
+ return ret;
+@@ -259,7 +256,6 @@ static void __exit us3_freq_exit(void)
+ {
+ if (cpufreq_us3_driver) {
+ cpufreq_unregister_driver(cpufreq_us3_driver);
+- kfree(cpufreq_us3_driver);
+ cpufreq_us3_driver = NULL;
+ kfree(us3_freq_table);
+ us3_freq_table = NULL;
diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile
index e75faf0..24f12f9 100644
--- a/arch/sparc/lib/Makefile
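Review bot: The forward declarations `static int __init us3_freq_init(void);` and `static void __exit us3_freq_exit(void);` added before `_cpufreq_us3_driver` look unnecessary, because the initializer references only `us3_freq_cpu_init`, `us3_freq_verify`, `us3_freq_target`, `us3_freq_get` and `us3_freq_cpu_exit`. `us3_freq_cpu_exit` is defined just above, and the others presumably are too. Dropping the two declarations and the blank line before `};` would leave the static definition cleaner. A one-line comment such as `/* static so the callback table is not a writable heap allocation */` would record why the `kzalloc` was replaced, if that is the intent. `us3_freq_init` starts inside the hunk but `us3_freq_exit` continues past it.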
@@ -86339,7 +86394,7 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..1edd4b5
+index 0000000..8d867c7
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4201 @@
@@ -88641,7 +88696,7 @@ index 0000000..1edd4b5
+ return;
+
+ for (i = 0; i < RLIM_NLIMITS; i++) {
-+ if (!(proc->resmask & (1 << i)))
++ if (!(proc->resmask & (1U << i)))
+ continue;
+
+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
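Review bot: `1U << i` removes the signed-shift problem only while the shift count stays below the width of `unsigned int`. Here `i` is bounded by `RLIM_NLIMITS`, but the later hunks make the same change without a visible range check on `res` or `type`: `1U << (unsigned short) res` in gracl.c, `1U << type` and `1U << (protocol % 32)` in gracl_ip.c, and `1U << GR_CRASH_RES` in gracl_segv.c. If those values are validated earlier in their functions, a short comment at each mask test saying so would help; otherwise a guard before the shift is needed, since `res` also indexes `acl->res[res]`. The enclosing functions start and end outside the hunks.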
@@ -89824,7 +89879,7 @@ index 0000000..1edd4b5
+ acl = task->acl;
+
+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
-+ !(acl->resmask & (1 << (unsigned short) res))))
++ !(acl->resmask & (1U << (unsigned short) res))))
+ return;
+
+ if (wanted >= acl->res[res].rlim_cur) {
@@ -91201,10 +91256,10 @@ index 0000000..5a3ac97
+}
diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
new file mode 100644
-index 0000000..dd925aa
+index 0000000..b6b5239
--- /dev/null
+++ b/grsecurity/gracl_ip.c
-@@ -0,0 +1,385 @@
+@@ -0,0 +1,388 @@
+#include <linux/kernel.h>
+#include <asm/uaccess.h>
+#include <asm/errno.h>
@@ -91312,7 +91367,7 @@ index 0000000..dd925aa
+
+ curr = current->acl;
+
-+ if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
++ if (curr->sock_families[domain / 32] & (1U << (domain % 32))) {
+ /* the family is allowed, if this is PF_INET allow it only if
+ the extra sock type/protocol checks pass */
+ if (domain == PF_INET)
@@ -91339,8 +91394,8 @@ index 0000000..dd925aa
+ if (!curr->ips)
+ goto exit;
+
-+ if ((curr->ip_type & (1 << type)) &&
-+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
++ if ((curr->ip_type & (1U << type)) &&
++ (curr->ip_proto[protocol / 32] & (1U << (protocol % 32))))
+ goto exit;
+
+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
@@ -91377,6 +91432,9 @@ index 0000000..dd925aa
+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
+ else
++#ifndef CONFIG_IPV6
++ if (domain != PF_INET6)
++#endif
+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
+ gr_socktype_to_name(type), protocol);
+
@@ -91392,8 +91450,8 @@ index 0000000..dd925aa
+ (ip_port <= ip->high) &&
+ ((ntohl(ip_addr) & our_netmask) ==
+ (ntohl(our_addr) & our_netmask))
-+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
-+ && (ip->type & (1 << type))) {
++ && (ip->proto[protocol / 32] & (1U << (protocol % 32)))
++ && (ip->type & (1U << type))) {
+ if (ip->mode & GR_INVERT)
+ return 2; // specifically denied
+ else
@@ -91879,7 +91937,7 @@ index 0000000..70b2179
+}
diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
new file mode 100644
-index 0000000..1d1b734
+index 0000000..6bb1860
--- /dev/null
+++ b/grsecurity/gracl_segv.c
@@ -0,0 +1,284 @@
@@ -92061,7 +92119,7 @@ index 0000000..1d1b734
+
+ curr = task->acl;
+
-+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
++ if (!(curr->resmask & (1U << GR_CRASH_RES)))
+ return;
+
+ if (time_before_eq(curr->expires, get_seconds())) {
@@ -92127,7 +92185,7 @@ index 0000000..1d1b734
+ current->role);
+ read_unlock(&gr_inode_lock);
+
-+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
++ if (!curr || !(curr->resmask & (1U << GR_CRASH_RES)) ||
+ (!curr->crashes && !curr->expires))
+ return 0;
+
@@ -118260,7 +118318,7 @@ index e04c9f8..51bc18e 100644
+ (rtt >> sctp_rto_alpha);
} else {
diff --git a/net/socket.c b/net/socket.c
-index d449812..709474b 100644
+index d449812..4965545 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -87,6 +87,7 @@
@@ -118426,6 +118484,15 @@ index d449812..709474b 100644
err =
security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
if (err)
+@@ -1728,7 +1801,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ struct socket *sock;
+ struct iovec iov;
+ struct msghdr msg;
+- struct sockaddr_storage address;
++ struct sockaddr_storage address = { };
+ int err, err2;
+ int fput_needed;
+
@@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
int err, ctl_len, iov_size, total_len;
int fput_needed;
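Review bot: The new `= { }` initializer on `address` in `recvfrom` has no comment saying what it protects against. If the purpose is that a protocol filling only part of the name buffer must not let stale kernel stack bytes be copied back to the caller, record that, e.g. `/* zeroed: a short msg_name fill must not expose stale stack bytes */`. The copy-out is outside the hunk, and other syscalls in net/socket.c that keep a `struct sockaddr_storage` on the stack are not visible here, so it is worth checking that they get the same treatment.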
@@ -118453,6 +118520,34 @@ index d449812..709474b 100644
uaddr_len = COMPAT_NAMELEN(msg);
if (MSG_CMSG_COMPAT & flags) {
err = verify_compat_iovec(&msg_sys, iov,
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index b0c5646..f7b3ca7 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -166,10 +166,8 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, stru
+ err = rpciod_up();
+ if (err)
+ goto out_no_rpciod;
+- err = -EINVAL;
+- if (!xprt)
+- goto out_no_xprt;
+
++ err = -EINVAL;
+ if (args->version >= program->nrvers)
+ goto out_err;
+ version = program->version[args->version];
+@@ -262,10 +260,9 @@ out_no_stats:
+ kfree(clnt->cl_server);
+ kfree(clnt);
+ out_err:
+- xprt_put(xprt);
+-out_no_xprt:
+ rpciod_down();
+ out_no_rpciod:
++ xprt_put(xprt);
+ return ERR_PTR(err);
+ }
+
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 9b3941d..d80b670 100644
--- a/net/sunrpc/sched.c
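Review bot: With the `if (!xprt) goto out_no_xprt;` check removed and `xprt_put(xprt)` moved below `out_no_rpciod:`, every error path in `rpc_new_client` now calls `xprt_put()` on whatever the caller passed, including a NULL pointer. The move means the transport reference is also dropped when `rpciod_up()` fails, but it is only safe if `xprt_put()` accepts NULL or all callers guarantee a valid `xprt`; neither is visible in this hunk. A comment on the function stating that it consumes the `xprt` reference on failure and requires it to be non-NULL would document the contract. The function starts outside the hunk.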
@@ -119544,7 +119639,7 @@ index d52f7a0..b66cdd9 100755
rm -f tags
xtags ctags
diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..55a557a 100644
+index fb363cd..f289b7c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -4,6 +4,896 @@
@@ -120299,7 +120394,7 @@ index fb363cd..55a557a 100644
+
+config PAX_MEMORY_STACKLEAK
+ bool "Sanitize kernel stack"
-+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY)
++ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY && !(GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN))
+ depends on X86
+ help
+ By saying Y here the kernel will erase the kernel stack before it
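Review bot: The new default for `PAX_MEMORY_STACKLEAK` turns the option off under `GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN`, but the visible help text does not mention the exception. Someone who picks the security priority in the automatic configuration on a Xen host therefore gets no kernel stack sanitizing without being told. A sentence in the help text naming the exception and the reason for it would make the trade-off visible. The help text continues outside the hunk.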
diff --git a/2.6.32/4450_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
index a8c8fed..dbd4565 100644
--- a/2.6.32/4450_grsec-kconfig-default-gids.patch
+++ b/2.6.32/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400
+++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400
-@@ -554,7 +554,7 @@
+@@ -560,7 +560,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -774,7 +774,7 @@
+@@ -780,7 +780,7 @@
config GRKERNSEC_TPE_UNTRUSTED_GID
int "GID for TPE-untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -783,7 +783,7 @@
+@@ -789,7 +789,7 @@
config GRKERNSEC_TPE_TRUSTED_GID
int "GID for TPE-trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -876,7 +876,7 @@
+@@ -882,7 +882,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -897,7 +897,7 @@
+@@ -903,7 +903,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -915,7 +915,7 @@
+@@ -921,7 +921,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
diff --git a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
index 583259e..6273202 100644
--- a/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 18:47:02.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 18:51:15.000000000 -0400
-@@ -974,6 +974,27 @@
+@@ -980,6 +980,27 @@
menu "Logging Options"
depends on GRKERNSEC