authorAnthony G. Basile <blueness@gentoo.org>2012-07-03 16:16:56 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-07-03 16:16:56 -0400
commit6edf97e61755fad523fe8905dfa547b3077587c3 (patch)
treebb35135f19ad9ef9db5b0fe83559219c29808310 /3.4.4
parentGrsec/PaX: 2.9.1-3.2.21-201206251800 (diff)
Grsec/PaX: 2.9-{2.6.32.59,3.2.21,3.4.4}-20120702192120120702
Diffstat (limited to '3.4.4')
-rw-r--r--3.4.4/0000_README2
-rw-r--r--3.4.4/2600_FW_MIPS_FILE_06_regression.patch12
-rw-r--r--3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch (renamed from 3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch)424
-rw-r--r--3.4.4/4450_grsec-kconfig-default-gids.patch21
-rw-r--r--3.4.4/4465_selinux-avc_audit-log-curr_ip.patch2
5 files changed, 290 insertions, 171 deletions
diff --git a/3.4.4/0000_README b/3.4.4/0000_README
index 61e9d20..0d09685 100644
--- a/3.4.4/0000_README
+++ b/3.4.4/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.4.4-201206251759.patch
+Patch: 4420_grsecurity-2.9.1-3.4.4-201207021921.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.4.4/2600_FW_MIPS_FILE_06_regression.patch b/3.4.4/2600_FW_MIPS_FILE_06_regression.patch
new file mode 100644
index 0000000..0ad48d4
--- /dev/null
+++ b/3.4.4/2600_FW_MIPS_FILE_06_regression.patch
@@ -0,0 +1,12 @@
+diff -Naur linux-3.4.2-hardened.orig//drivers/net/ethernet/broadcom/bnx2.c linux-3.4.2-hardened/drivers/net/ethernet/broadcom/bnx2.c
+--- linux-3.4.2-hardened.orig//drivers/net/ethernet/broadcom/bnx2.c 2012-05-20 22:29:13.000000000 +0000
++++ linux-3.4.2-hardened/drivers/net/ethernet/broadcom/bnx2.c 2012-07-03 11:38:35.437623841 +0000
+@@ -59,7 +59,7 @@
+ #define DRV_MODULE_NAME "bnx2"
+ #define DRV_MODULE_VERSION "2.2.1"
+ #define DRV_MODULE_RELDATE "Dec 18, 2011"
+-#define FW_MIPS_FILE_06 "bnx2/bnx2-mips-06-6.2.3.fw"
++#define FW_MIPS_FILE_06 "bnx2/bnx2-mips-06-6.2.1.fw"
+ #define FW_RV2P_FILE_06 "bnx2/bnx2-rv2p-06-6.0.15.fw"
+ #define FW_MIPS_FILE_09 "bnx2/bnx2-mips-09-6.2.1b.fw"
+ #define FW_RV2P_FILE_09_Ax "bnx2/bnx2-rv2p-09ax-6.0.17.fw"
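Review bot: The new 2600_FW_MIPS_FILE_06_regression.patch has no description at all — the filename is the only record that pinning `FW_MIPS_FILE_06` back to `bnx2/bnx2-mips-06-6.2.1.fw` is a regression workaround, and the `diff -Naur` header shows it was cut against a linux-3.4.2-hardened tree even though it is stored under 3.4.4. A short header above the `diff` line stating which firmware revision regressed, the symptom, the bug or upstream thread being tracked, and the condition under which the patch can be dropped is what the next person updating this directory will need. Since the patched driver will now request the 6.2.1 blob instead of the 6.2.3 blob upstream 3.4.4 asks for, the header should also say that the firmware package on the target still has to ship `bnx2-mips-06-6.2.1.fw`, or the device simply fails to probe.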
diff --git a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch
index 083b3e1..8901db2 100644
--- a/3.4.4/4420_grsecurity-2.9.1-3.4.4-201206251759.patch
+++ b/3.4.4/4420_grsecurity-2.9.1-3.4.4-201207021921.patch
@@ -41631,7 +41631,7 @@ index d146e18..12d1bd1 100644
fd_offset + ex.a_text);
if (error != N_DATADDR(ex)) {
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
-index 16f7354..185d8dc 100644
+index 16f7354..666524e 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -32,6 +32,7 @@
@@ -41762,17 +41762,16 @@ index 16f7354..185d8dc 100644
error = -ENOMEM;
goto out_close;
}
-@@ -525,6 +549,351 @@ out:
+@@ -525,6 +549,349 @@ out:
return error;
}
-+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS)
++#ifdef CONFIG_PAX_PT_PAX_FLAGS
++#ifdef CONFIG_PAX_SOFTMODE
+static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata)
+{
+ unsigned long pax_flags = 0UL;
+
-+#ifdef CONFIG_PAX_PT_PAX_FLAGS
-+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (elf_phdata->p_flags & PF_PAGEEXEC)
+ pax_flags |= MF_PAX_PAGEEXEC;
@@ -41807,17 +41806,14 @@ index 16f7354..185d8dc 100644
+ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
-+#endif
-+
+ return pax_flags;
+}
++#endif
+
+static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata)
+{
+ unsigned long pax_flags = 0UL;
+
-+#ifdef CONFIG_PAX_PT_PAX_FLAGS
-+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
+ pax_flags |= MF_PAX_PAGEEXEC;
@@ -41852,24 +41848,23 @@ index 16f7354..185d8dc 100644
+ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
-+#endif
-+
+ return pax_flags;
+}
++#endif
+
-+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
++#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
++#ifdef CONFIG_PAX_SOFTMODE
++static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
+{
+ unsigned long pax_flags = 0UL;
+
-+#ifdef CONFIG_PAX_EI_PAX
-+
+#ifdef CONFIG_PAX_PAGEEXEC
-+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
++ if (pax_flags_softmode & MF_PAX_PAGEEXEC)
+ pax_flags |= MF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
++ if (pax_flags_softmode & MF_PAX_SEGMEXEC)
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
@@ -41883,87 +41878,35 @@ index 16f7354..185d8dc 100644
+#endif
+
+#ifdef CONFIG_PAX_EMUTRAMP
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
++ if (pax_flags_softmode & MF_PAX_EMUTRAMP)
+ pax_flags |= MF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_PAX_MPROTECT
-+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
++ if (pax_flags_softmode & MF_PAX_MPROTECT)
+ pax_flags |= MF_PAX_MPROTECT;
+#endif
+
-+#ifdef CONFIG_PAX_ASLR
-+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
++#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
++ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
+ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
-+#else
-+
-+#ifdef CONFIG_PAX_PAGEEXEC
-+ pax_flags |= MF_PAX_PAGEEXEC;
-+#endif
-+
-+#ifdef CONFIG_PAX_MPROTECT
-+ pax_flags |= MF_PAX_MPROTECT;
-+#endif
-+
-+#ifdef CONFIG_PAX_RANDMMAP
-+ pax_flags |= MF_PAX_RANDMMAP;
-+#endif
-+
-+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (!(pax_flags & MF_PAX_PAGEEXEC) || !(__supported_pte_mask & _PAGE_NX)) {
-+ pax_flags &= ~MF_PAX_PAGEEXEC;
-+ pax_flags |= MF_PAX_SEGMEXEC;
-+ }
-+#endif
-+
-+#endif
-+
+ return pax_flags;
+}
-+
-+static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
-+{
-+
-+#ifdef CONFIG_PAX_PT_PAX_FLAGS
-+ unsigned long i;
-+
-+ for (i = 0UL; i < elf_ex->e_phnum; i++)
-+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
-+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
-+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
-+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
-+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
-+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
-+ return ~0UL;
-+
-+#ifdef CONFIG_PAX_SOFTMODE
-+ if (pax_softmode)
-+ return pax_parse_pt_pax_softmode(&elf_phdata[i]);
-+ else
-+#endif
-+
-+ return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
-+ break;
-+ }
+#endif
+
-+ return ~0UL;
-+}
-+
-+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
-+static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
++static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
+{
+ unsigned long pax_flags = 0UL;
+
+#ifdef CONFIG_PAX_PAGEEXEC
-+ if (pax_flags_softmode & MF_PAX_PAGEEXEC)
++ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
+ pax_flags |= MF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (pax_flags_softmode & MF_PAX_SEGMEXEC)
++ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
@@ -41977,34 +41920,38 @@ index 16f7354..185d8dc 100644
+#endif
+
+#ifdef CONFIG_PAX_EMUTRAMP
-+ if (pax_flags_softmode & MF_PAX_EMUTRAMP)
++ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_PAX_MPROTECT
-+ if (pax_flags_softmode & MF_PAX_MPROTECT)
++ if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
+ pax_flags |= MF_PAX_MPROTECT;
+#endif
+
+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
-+ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
++ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
+ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
+ return pax_flags;
+}
++#endif
+
-+static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
++#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_XATTR_PAX_FLAGS)
++static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
+{
+ unsigned long pax_flags = 0UL;
+
++#ifdef CONFIG_PAX_EI_PAX
++
+#ifdef CONFIG_PAX_PAGEEXEC
-+ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
+ pax_flags |= MF_PAX_PAGEEXEC;
+#endif
+
+#ifdef CONFIG_PAX_SEGMEXEC
-+ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
++ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
+ pax_flags |= MF_PAX_SEGMEXEC;
+#endif
+
@@ -42018,24 +41965,75 @@ index 16f7354..185d8dc 100644
+#endif
+
+#ifdef CONFIG_PAX_EMUTRAMP
-+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
+ pax_flags |= MF_PAX_EMUTRAMP;
+#endif
+
+#ifdef CONFIG_PAX_MPROTECT
-+ if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
++ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
+ pax_flags |= MF_PAX_MPROTECT;
+#endif
+
-+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
-+ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
++#ifdef CONFIG_PAX_ASLR
++ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
+ pax_flags |= MF_PAX_RANDMMAP;
+#endif
+
++#else
++
++#ifdef CONFIG_PAX_PAGEEXEC
++ pax_flags |= MF_PAX_PAGEEXEC;
++#endif
++
++#ifdef CONFIG_PAX_MPROTECT
++ pax_flags |= MF_PAX_MPROTECT;
++#endif
++
++#ifdef CONFIG_PAX_RANDMMAP
++ pax_flags |= MF_PAX_RANDMMAP;
++#endif
++
++#ifdef CONFIG_PAX_SEGMEXEC
++ if (!(pax_flags & MF_PAX_PAGEEXEC) || !(__supported_pte_mask & _PAGE_NX)) {
++ pax_flags &= ~MF_PAX_PAGEEXEC;
++ pax_flags |= MF_PAX_SEGMEXEC;
++ }
++#endif
++
++#endif
++
+ return pax_flags;
+}
++
++static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
++{
++
++#ifdef CONFIG_PAX_PT_PAX_FLAGS
++ unsigned long i;
++
++ for (i = 0UL; i < elf_ex->e_phnum; i++)
++ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
++ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
++ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
++ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
++ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
++ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
++ return ~0UL;
++
++#ifdef CONFIG_PAX_SOFTMODE
++ if (pax_softmode)
++ return pax_parse_pt_pax_softmode(&elf_phdata[i]);
++ else
+#endif
+
++ return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
++ break;
++ }
++#endif
++
++ return ~0UL;
++}
++
+static unsigned long pax_parse_xattr_pax(struct file * const file)
+{
+
@@ -42114,7 +42112,7 @@ index 16f7354..185d8dc 100644
/*
* These are the functions used to load ELF style executables and shared
* libraries. There is no binary dependent code anywhere else.
-@@ -541,6 +910,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
+@@ -541,6 +908,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
{
unsigned int random_variable = 0;
@@ -42126,7 +42124,7 @@ index 16f7354..185d8dc 100644
if ((current->flags & PF_RANDOMIZE) &&
!(current->personality & ADDR_NO_RANDOMIZE)) {
random_variable = get_random_int() & STACK_RND_MASK;
-@@ -559,7 +933,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -559,7 +931,7 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long load_addr = 0, load_bias = 0;
int load_addr_set = 0;
char * elf_interpreter = NULL;
@@ -42135,7 +42133,7 @@ index 16f7354..185d8dc 100644
struct elf_phdr *elf_ppnt, *elf_phdata;
unsigned long elf_bss, elf_brk;
int retval, i;
-@@ -569,11 +943,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -569,11 +941,11 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
unsigned long start_code, end_code, start_data, end_data;
unsigned long reloc_func_desc __maybe_unused = 0;
int executable_stack = EXSTACK_DEFAULT;
@@ -42148,7 +42146,7 @@ index 16f7354..185d8dc 100644
loc = kmalloc(sizeof(*loc), GFP_KERNEL);
if (!loc) {
-@@ -709,11 +1083,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -709,11 +1081,81 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
/* OK, This is the point of no return */
@@ -42231,7 +42229,7 @@ index 16f7354..185d8dc 100644
if (elf_read_implies_exec(loc->elf_ex, executable_stack))
current->personality |= READ_IMPLIES_EXEC;
-@@ -804,6 +1248,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -804,6 +1246,20 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
#else
load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
#endif
@@ -42252,7 +42250,7 @@ index 16f7354..185d8dc 100644
}
error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
-@@ -836,9 +1294,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -836,9 +1292,9 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
* allowed task size. Note that p_filesz must always be
* <= p_memsz so it is only necessary to check p_memsz.
*/
@@ -42265,7 +42263,7 @@ index 16f7354..185d8dc 100644
/* set_brk can never work. Avoid overflows. */
send_sig(SIGKILL, current, 0);
retval = -EINVAL;
-@@ -877,11 +1335,40 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+@@ -877,11 +1333,40 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
goto out_free_dentry;
}
if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
@@ -42309,7 +42307,7 @@ index 16f7354..185d8dc 100644
if (elf_interpreter) {
unsigned long uninitialized_var(interp_map_addr);
-@@ -1109,7 +1596,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
+@@ -1109,7 +1594,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
* Decide what to dump of a segment, part, all or none.
*/
static unsigned long vma_dump_size(struct vm_area_struct *vma,
@@ -42318,7 +42316,7 @@ index 16f7354..185d8dc 100644
{
#define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
-@@ -1146,7 +1633,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
+@@ -1146,7 +1631,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
if (vma->vm_file == NULL)
return 0;
@@ -42327,7 +42325,7 @@ index 16f7354..185d8dc 100644
goto whole;
/*
-@@ -1368,9 +1855,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
+@@ -1368,9 +1853,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
{
elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
int i = 0;
@@ -42339,7 +42337,7 @@ index 16f7354..185d8dc 100644
fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
}
-@@ -1892,14 +2379,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
+@@ -1892,14 +2377,14 @@ static void fill_extnum_info(struct elfhdr *elf, struct elf_shdr *shdr4extnum,
}
static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
@@ -42356,7 +42354,7 @@ index 16f7354..185d8dc 100644
return size;
}
-@@ -1993,7 +2480,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -1993,7 +2478,7 @@ static int elf_core_dump(struct coredump_params *cprm)
dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
@@ -42365,7 +42363,7 @@ index 16f7354..185d8dc 100644
offset += elf_core_extra_data_size();
e_shoff = offset;
-@@ -2007,10 +2494,12 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2007,10 +2492,12 @@ static int elf_core_dump(struct coredump_params *cprm)
offset = dataoff;
size += sizeof(*elf);
@@ -42378,7 +42376,7 @@ index 16f7354..185d8dc 100644
if (size > cprm->limit
|| !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
goto end_coredump;
-@@ -2024,7 +2513,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2024,7 +2511,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_offset = offset;
phdr.p_vaddr = vma->vm_start;
phdr.p_paddr = 0;
@@ -42387,7 +42385,7 @@ index 16f7354..185d8dc 100644
phdr.p_memsz = vma->vm_end - vma->vm_start;
offset += phdr.p_filesz;
phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
-@@ -2035,6 +2524,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2035,6 +2522,7 @@ static int elf_core_dump(struct coredump_params *cprm)
phdr.p_align = ELF_EXEC_PAGESIZE;
size += sizeof(phdr);
@@ -42395,7 +42393,7 @@ index 16f7354..185d8dc 100644
if (size > cprm->limit
|| !dump_write(cprm->file, &phdr, sizeof(phdr)))
goto end_coredump;
-@@ -2059,7 +2549,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2059,7 +2547,7 @@ static int elf_core_dump(struct coredump_params *cprm)
unsigned long addr;
unsigned long end;
@@ -42404,7 +42402,7 @@ index 16f7354..185d8dc 100644
for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
struct page *page;
-@@ -2068,6 +2558,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2068,6 +2556,7 @@ static int elf_core_dump(struct coredump_params *cprm)
page = get_dump_page(addr);
if (page) {
void *kaddr = kmap(page);
@@ -42412,7 +42410,7 @@ index 16f7354..185d8dc 100644
stop = ((size += PAGE_SIZE) > cprm->limit) ||
!dump_write(cprm->file, kaddr,
PAGE_SIZE);
-@@ -2085,6 +2576,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+@@ -2085,6 +2574,7 @@ static int elf_core_dump(struct coredump_params *cprm)
if (e_phnum == PN_XNUM) {
size += sizeof(*shdr4extnum);
@@ -42420,7 +42418,7 @@ index 16f7354..185d8dc 100644
if (size > cprm->limit
|| !dump_write(cprm->file, shdr4extnum,
sizeof(*shdr4extnum)))
-@@ -2105,6 +2597,97 @@ out:
+@@ -2105,6 +2595,97 @@ out:
#endif /* CONFIG_ELF_CORE */
@@ -46233,7 +46231,7 @@ index 0d68f1f..f216b79 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index c427919..e37fd3f 100644
+index c427919..232326c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -278,16 +278,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -46308,7 +46306,27 @@ index c427919..e37fd3f 100644
error = 0;
if (s)
error = __vfs_follow_link(nd, s);
-@@ -1753,6 +1769,21 @@ static int path_lookupat(int dfd, const char *name,
+@@ -1355,6 +1371,9 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
+ if (!res)
+ res = walk_component(nd, path, &nd->last,
+ nd->last_type, LOOKUP_FOLLOW);
++ if (res >= 0 && gr_handle_symlink_owner(&link, nd->inode)) {
++ res = -EACCES;
++ }
+ put_link(nd, &link, cookie);
+ } while (res > 0);
+
+@@ -1746,6 +1765,9 @@ static int path_lookupat(int dfd, const char *name,
+ err = follow_link(&link, nd, &cookie);
+ if (!err)
+ err = lookup_last(nd, &path);
++ if (!err && gr_handle_symlink_owner(&link, nd->inode)) {
++ err = -EACCES;
++ }
+ put_link(nd, &link, cookie);
+ }
+ }
+@@ -1753,6 +1775,21 @@ static int path_lookupat(int dfd, const char *name,
if (!err)
err = complete_walk(nd);
@@ -46330,7 +46348,7 @@ index c427919..e37fd3f 100644
if (!err && nd->flags & LOOKUP_DIRECTORY) {
if (!nd->inode->i_op->lookup) {
path_put(&nd->path);
-@@ -1780,6 +1811,15 @@ static int do_path_lookup(int dfd, const char *name,
+@@ -1780,6 +1817,15 @@ static int do_path_lookup(int dfd, const char *name,
retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
if (likely(!retval)) {
@@ -46346,7 +46364,7 @@ index c427919..e37fd3f 100644
if (unlikely(!audit_dummy_context())) {
if (nd->path.dentry && nd->inode)
audit_inode(name, nd->path.dentry);
-@@ -2126,6 +2166,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
+@@ -2126,6 +2172,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
if (flag & O_NOATIME && !inode_owner_or_capable(inode))
return -EPERM;
@@ -46360,7 +46378,7 @@ index c427919..e37fd3f 100644
return 0;
}
-@@ -2187,6 +2234,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2187,6 +2240,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
@@ -46377,7 +46395,7 @@ index c427919..e37fd3f 100644
audit_inode(pathname, nd->path.dentry);
if (open_flag & O_CREAT) {
error = -EISDIR;
-@@ -2197,6 +2254,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2197,6 +2260,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
@@ -46394,7 +46412,7 @@ index c427919..e37fd3f 100644
audit_inode(pathname, dir);
goto ok;
}
-@@ -2218,6 +2285,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2218,6 +2291,16 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = complete_walk(nd);
if (error)
return ERR_PTR(error);
@@ -46411,7 +46429,7 @@ index c427919..e37fd3f 100644
error = -ENOTDIR;
if (nd->flags & LOOKUP_DIRECTORY) {
-@@ -2258,6 +2335,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2258,6 +2341,12 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/* Negative dentry, just create the file */
if (!dentry->d_inode) {
umode_t mode = op->mode;
@@ -46424,7 +46442,7 @@ index c427919..e37fd3f 100644
if (!IS_POSIXACL(dir->d_inode))
mode &= ~current_umask();
/*
-@@ -2281,6 +2364,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2281,6 +2370,8 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
error = vfs_create(dir->d_inode, dentry, mode, nd);
if (error)
goto exit_mutex_unlock;
@@ -46433,7 +46451,7 @@ index c427919..e37fd3f 100644
mutex_unlock(&dir->d_inode->i_mutex);
dput(nd->path.dentry);
nd->path.dentry = dentry;
-@@ -2290,6 +2375,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
+@@ -2290,6 +2381,19 @@ static struct file *do_last(struct nameidata *nd, struct path *path,
/*
* It already exists.
*/
@@ -46453,7 +46471,23 @@ index c427919..e37fd3f 100644
mutex_unlock(&dir->d_inode->i_mutex);
audit_inode(pathname, path->dentry);
-@@ -2502,6 +2600,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
+@@ -2407,8 +2511,14 @@ static struct file *path_openat(int dfd, const char *pathname,
+ error = follow_link(&link, nd, &cookie);
+ if (unlikely(error))
+ filp = ERR_PTR(error);
+- else
++ else {
+ filp = do_last(nd, &path, op, pathname);
++ if (!IS_ERR(filp) && gr_handle_symlink_owner(&link, nd->inode)) {
++ if (filp)
++ fput(filp);
++ filp = ERR_PTR(-EACCES);
++ }
++ }
+ put_link(nd, &link, cookie);
+ }
+ out:
+@@ -2502,6 +2612,11 @@ struct dentry *kern_path_create(int dfd, const char *pathname, struct path *path
*path = nd.path;
return dentry;
eexist:
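Review bot: The gr_handle_symlink_owner() check in path_openat runs only after do_last() has returned an opened struct file, so every side effect do_last performs on the link target — O_CREAT creation, O_TRUNC truncation, and the open itself with its security hook and fsnotify events — has already happened by the time the open is rejected with -EACCES. If do_last in this tree calls handle_truncate() before returning (as 3.4 appears to, though the function is outside this hunk), a process in the restricted group that opens an attacker-placed symlink with O_TRUNC still truncates the other user's file even though its open fails, which is precisely the Apache scenario the option is meant to cover. The ownership check should happen before do_last, or at least before its create/truncate step; failing that, a comment on the fput() path should state that the rejection is post-open and which side effects it does not undo. The `if (filp)` test also deserves a one-line comment, because a NULL return from do_last here appears to mean "trailing symlink to follow" rather than an opened file, so the check is then being applied to that intermediate link.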
@@ -46465,7 +46499,7 @@ index c427919..e37fd3f 100644
dput(dentry);
dentry = ERR_PTR(-EEXIST);
fail:
-@@ -2524,6 +2627,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
+@@ -2524,6 +2639,20 @@ struct dentry *user_path_create(int dfd, const char __user *pathname, struct pat
}
EXPORT_SYMBOL(user_path_create);
@@ -46486,7 +46520,7 @@ index c427919..e37fd3f 100644
int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
int error = may_create(dir, dentry);
-@@ -2591,6 +2708,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
+@@ -2591,6 +2720,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -46504,7 +46538,7 @@ index c427919..e37fd3f 100644
error = security_path_mknod(&path, dentry, mode, dev);
if (error)
goto out_drop_write;
-@@ -2608,6 +2736,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
+@@ -2608,6 +2748,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const char __user *, filename, umode_t, mode,
}
out_drop_write:
mnt_drop_write(path.mnt);
@@ -46514,7 +46548,7 @@ index c427919..e37fd3f 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2661,12 +2792,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
+@@ -2661,12 +2804,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const char __user *, pathname, umode_t, mode)
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -46536,7 +46570,7 @@ index c427919..e37fd3f 100644
out_dput:
dput(dentry);
mutex_unlock(&path.dentry->d_inode->i_mutex);
-@@ -2746,6 +2886,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2746,6 +2898,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
char * name;
struct dentry *dentry;
struct nameidata nd;
@@ -46545,7 +46579,7 @@ index c427919..e37fd3f 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2774,6 +2916,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2774,6 +2928,15 @@ static long do_rmdir(int dfd, const char __user *pathname)
error = -ENOENT;
goto exit3;
}
@@ -46561,7 +46595,7 @@ index c427919..e37fd3f 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit3;
-@@ -2781,6 +2932,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
+@@ -2781,6 +2944,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
if (error)
goto exit4;
error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
@@ -46570,7 +46604,7 @@ index c427919..e37fd3f 100644
exit4:
mnt_drop_write(nd.path.mnt);
exit3:
-@@ -2843,6 +2996,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2843,6 +3008,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
struct dentry *dentry;
struct nameidata nd;
struct inode *inode = NULL;
@@ -46579,7 +46613,7 @@ index c427919..e37fd3f 100644
error = user_path_parent(dfd, pathname, &nd, &name);
if (error)
-@@ -2865,6 +3020,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2865,6 +3032,16 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (!inode)
goto slashes;
ihold(inode);
@@ -46596,7 +46630,7 @@ index c427919..e37fd3f 100644
error = mnt_want_write(nd.path.mnt);
if (error)
goto exit2;
-@@ -2872,6 +3037,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
+@@ -2872,6 +3049,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
if (error)
goto exit3;
error = vfs_unlink(nd.path.dentry->d_inode, dentry);
@@ -46605,7 +46639,7 @@ index c427919..e37fd3f 100644
exit3:
mnt_drop_write(nd.path.mnt);
exit2:
-@@ -2947,10 +3114,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
+@@ -2947,10 +3126,18 @@ SYSCALL_DEFINE3(symlinkat, const char __user *, oldname,
error = mnt_want_write(path.mnt);
if (error)
goto out_dput;
@@ -46624,7 +46658,7 @@ index c427919..e37fd3f 100644
out_drop_write:
mnt_drop_write(path.mnt);
out_dput:
-@@ -3025,6 +3200,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3025,6 +3212,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
{
struct dentry *new_dentry;
struct path old_path, new_path;
@@ -46632,7 +46666,7 @@ index c427919..e37fd3f 100644
int how = 0;
int error;
-@@ -3048,7 +3224,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3048,7 +3236,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if (error)
return error;
@@ -46641,7 +46675,7 @@ index c427919..e37fd3f 100644
error = PTR_ERR(new_dentry);
if (IS_ERR(new_dentry))
goto out;
-@@ -3059,13 +3235,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
+@@ -3059,13 +3247,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
error = mnt_want_write(new_path.mnt);
if (error)
goto out_dput;
@@ -46672,7 +46706,7 @@ index c427919..e37fd3f 100644
dput(new_dentry);
mutex_unlock(&new_path.dentry->d_inode->i_mutex);
path_put(&new_path);
-@@ -3299,6 +3492,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3299,6 +3504,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
if (new_dentry == trap)
goto exit5;
@@ -46685,7 +46719,7 @@ index c427919..e37fd3f 100644
error = mnt_want_write(oldnd.path.mnt);
if (error)
goto exit5;
-@@ -3308,6 +3507,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
+@@ -3308,6 +3519,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, const char __user *, oldname,
goto exit6;
error = vfs_rename(old_dir->d_inode, old_dentry,
new_dir->d_inode, new_dentry);
@@ -46695,7 +46729,7 @@ index c427919..e37fd3f 100644
exit6:
mnt_drop_write(oldnd.path.mnt);
exit5:
-@@ -3333,6 +3535,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
+@@ -3333,6 +3547,8 @@ SYSCALL_DEFINE2(rename, const char __user *, oldname, const char __user *, newna
int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
{
@@ -46704,7 +46738,7 @@ index c427919..e37fd3f 100644
int len;
len = PTR_ERR(link);
-@@ -3342,7 +3546,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
+@@ -3342,7 +3558,14 @@ int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const c
len = strlen(link);
if (len > (unsigned) buflen)
len = buflen;
@@ -49109,10 +49143,10 @@ index 3011b87..1ab03e9 100644
kfree(s);
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..2d6e3a8
+index 0000000..b9e7d6f
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,915 @@
+@@ -0,0 +1,940 @@
+#
+# grecurity configuration
+#
@@ -49386,6 +49420,31 @@ index 0000000..2d6e3a8
+ able to hardlink to files they do not own. If the sysctl option is
+ enabled, a sysctl option with name "linking_restrictions" is created.
+
++config GRKERNSEC_SYMLINKOWN
++ bool "Kernel-enforced SymlinksIfOwnerMatch"
++ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
++ help
++ Apache's SymlinksIfOwnerMatch option has an inherent race condition
++ that prevents it from being used as a security feature. As Apache
++ verifies the symlink by performing a stat() against the target of
++ the symlink before it is followed, an attacker can setup a symlink
++ to point to a same-owned file, then replace the symlink with one
++ that targets another user's file just after Apache "validates" the
++ symlink -- a classic TOCTOU race. If you say Y here, a complete,
++ race-free replacement for Apache's "SymlinksIfOwnerMatch" option
++ will be in place for the group you specify. If the sysctl option
++ is enabled, a sysctl option with name "enforce_symlinksifowner" is
++ created.
++
++config GRKERNSEC_SYMLINKOWN_GID
++ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
++ depends on GRKERNSEC_SYMLINKOWN
++ default 1006
++ help
++ Setting this GID determines what group kernel-enforced
++ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
++ is enabled, a sysctl option with name "symlinkown_gid" is created.
++
+config GRKERNSEC_FIFO
+ bool "FIFO restrictions"
+ default y if GRKERNSEC_CONFIG_AUTO
@@ -49789,7 +49848,7 @@ index 0000000..2d6e3a8
+
+config GRKERNSEC_TPE
+ bool "Trusted Path Execution (TPE)"
-+ default y if GRKERNSEC_CONFIG_AUTO
++ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
+ help
+ If you say Y here, you will be able to choose a gid to add to the
+ supplementary groups of users you want to mark as "untrusted."
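Review bot: The default for GRKERNSEC_TPE is narrowed from every GRKERNSEC_CONFIG_AUTO build to server builds only, which silently drops Trusted Path Execution from auto-configured workstation kernels, and nothing in the option text records that change. A one-line addition to the help, `Automatic configuration enables this only for the server profile; other profiles must select it explicitly.`, would stop an operator from assuming TPE is active because they chose the automatic configuration. The help body continues outside this hunk.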
@@ -50074,10 +50133,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..00b6c54
+index 0000000..dc0417e
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4012 @@
+@@ -0,0 +1,4016 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -54032,11 +54091,15 @@ index 0000000..00b6c54
+ return 1;
+
+ subj = task->acl;
++ read_lock(&gr_inode_lock);
+ do {
+ obj = lookup_acl_obj_label(ino, dev, subj);
-+ if (obj != NULL)
++ if (obj != NULL) {
++ read_unlock(&gr_inode_lock);
+ return (obj->mode & GR_FIND) ? 1 : 0;
++ }
+ } while ((subj = subj->parent_subject));
++ read_unlock(&gr_inode_lock);
+
+ /* this is purely an optimization since we're looking for an object
+ for the directory we're doing a readdir on
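Review bot: The lookup loop now has two read_unlock sites, one inside the loop ahead of the early return and one after it; a single unlock point is easier to keep correct as the function grows. The same behaviour is obtained with `if (obj != NULL) break;` in the loop body, then after the loop `read_unlock(&gr_inode_lock);` followed by `if (obj != NULL) return (obj->mode & GR_FIND) ? 1 : 0;` (obj is always assigned because the do/while body runs at least once). The function continues past the hunk, so whether the later directory lookup referred to in the comment needs the same lock cannot be judged from here.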
@@ -56869,10 +56932,10 @@ index 0000000..8ca18bf
+}
diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
new file mode 100644
-index 0000000..01ddde4
+index 0000000..05a6015
--- /dev/null
+++ b/grsecurity/grsec_init.c
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,283 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
@@ -56884,6 +56947,8 @@ index 0000000..01ddde4
+
+int grsec_enable_ptrace_readexec;
+int grsec_enable_setxid;
++int grsec_enable_symlinkown;
++int grsec_symlinkown_gid;
+int grsec_enable_brute;
+int grsec_enable_link;
+int grsec_enable_dmesg;
@@ -57127,6 +57192,10 @@ index 0000000..01ddde4
+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
+ grsec_enable_chroot_sysctl = 1;
+#endif
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ grsec_enable_symlinkown = 1;
++ grsec_symlinkown_gid = CONFIG_GRKERNSEC_SYMLINKOWN_GID;
++#endif
+#ifdef CONFIG_GRKERNSEC_TPE
+ grsec_enable_tpe = 1;
+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
@@ -57152,16 +57221,32 @@ index 0000000..01ddde4
+}
diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
new file mode 100644
-index 0000000..3efe141
+index 0000000..35a96d1
--- /dev/null
+++ b/grsecurity/grsec_link.c
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,59 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/grinternal.h>
+
++int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
++{
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ const struct inode *link_inode = link->dentry->d_inode;
++
++ if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid) &&
++ /* ignore root-owned links, e.g. /proc/self */
++ link_inode->i_uid &&
++ link_inode->i_uid != target->i_uid) {
++ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, link_inode->i_uid, target->i_uid);
++ return 1;
++ }
++#endif
++ return 0;
++}
++
+int
+gr_handle_follow_link(const struct inode *parent,
+ const struct inode *inode,
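Review bot: gr_handle_symlink_owner has no comment stating its contract: it returns 1 when the link must not be followed and 0 otherwise, applies only to callers whose groups include grsec_symlinkown_gid, and deliberately skips root-owned links. Suggest a header comment such as `/* Kernel-side SymlinksIfOwnerMatch: for members of grsec_symlinkown_gid, refuse (return 1, after logging) to follow a non-root-owned symlink whose owner differs from the owner of its target; return 0 to allow. */`. The same comment should note that the caller must pass a link whose dentry has an inode, since link->dentry->d_inode is dereferenced unchecked, and that the comparison uses raw i_uid values, which is correct for this kernel but would need the uid_eq() helpers on a later kernel where i_uid is a kuid_t.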
@@ -58184,10 +58269,10 @@ index 0000000..4030d57
+}
diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
new file mode 100644
-index 0000000..8316f6f
+index 0000000..f55ef0f
--- /dev/null
+++ b/grsecurity/grsec_sysctl.c
-@@ -0,0 +1,453 @@
+@@ -0,0 +1,469 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/sysctl.h>
@@ -58235,6 +58320,22 @@ index 0000000..8316f6f
+ .proc_handler = &proc_dointvec,
+ },
+#endif
++#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
++ {
++ .procname = "enforce_symlinksifowner",
++ .data = &grsec_enable_symlinkown,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++ {
++ .procname = "symlinkown_gid",
++ .data = &grsec_symlinkown_gid,
++ .maxlen = sizeof(int),
++ .mode = 0600,
++ .proc_handler = &proc_dointvec,
++ },
++#endif
+#ifdef CONFIG_GRKERNSEC_BRUTE
+ {
+ .procname = "deter_bruteforce",
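Review bot: The new `symlinkown_gid` entry uses proc_dointvec, which accepts any int including negative values, so a mistyped write silently installs a gid that matches no group and disables the feature without any error. `proc_dointvec_minmax` with `.extra1` pointing at an int holding 0 would reject negatives at write time; the neighbouring entries appear to use plain proc_dointvec, so this would be a deliberate departure from the file's pattern. The `enforce_symlinksifowner` toggle could likewise be bounded to 0..1 with `.extra2`.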
@@ -60580,10 +60681,10 @@ index 0000000..b30e9bc
+#endif
diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
new file mode 100644
-index 0000000..da390f1
+index 0000000..c9292f7
--- /dev/null
+++ b/include/linux/grinternal.h
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,223 @@
+#ifndef __GRINTERNAL_H
+#define __GRINTERNAL_H
+
@@ -60645,6 +60746,8 @@ index 0000000..da390f1
+extern int grsec_enable_chroot_caps;
+extern int grsec_enable_chroot_sysctl;
+extern int grsec_enable_chroot_unix;
++extern int grsec_enable_symlinkown;
++extern int grsec_symlinkown_gid;
+extern int grsec_enable_tpe;
+extern int grsec_tpe_gid;
+extern int grsec_enable_tpe_all;
@@ -60807,10 +60910,10 @@ index 0000000..da390f1
+#endif
diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
new file mode 100644
-index 0000000..ae576a1
+index 0000000..54f4e85
--- /dev/null
+++ b/include/linux/grmsg.h
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,110 @@
+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
@@ -60920,12 +61023,13 @@ index 0000000..ae576a1
+#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by "
+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
++#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..acd05db
+index 0000000..38bfb04
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,232 @@
+@@ -0,0 +1,233 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -61110,6 +61214,7 @@ index 0000000..acd05db
+ const struct vfsmount *parent_mnt,
+ const struct dentry *old_dentry,
+ const struct vfsmount *old_mnt, const char *to);
++int gr_handle_symlink_owner(const struct path *link, const struct inode *target);
+int gr_acl_handle_rename(struct dentry *new_dentry,
+ struct dentry *parent_dentry,
+ const struct vfsmount *parent_mnt,
@@ -77602,10 +77707,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index ccc61f8..3334dd6 100644
+index ccc61f8..d0e12f0 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,849 @@
+@@ -4,6 +4,860 @@
menu "Security options"
@@ -77781,6 +77886,7 @@ index ccc61f8..3334dd6 100644
+
+config GRKERNSEC_TPE_GID
+ int "GID for untrusted users"
++ depends on GRKERNSEC_CONFIG_SERVER
+ default 1005
+ help
+ Setting this GID determines which group untrusted users should
@@ -77789,6 +77895,16 @@ index ccc61f8..3334dd6 100644
+ The users will only be able to execute binaries in directories owned and
+ writable only by the root user.
+
++config GRKERNSEC_SYMLINKOWN_GID
++ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
++ depends on GRKERNSEC_CONFIG_SERVER
++ default 1006
++ help
++ Setting this GID determines what group kernel-enforced
++ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
++ is enabled, a sysctl option with name "symlinkown_gid" is created.
++
++
+endmenu
+
+menu "Customize Configuration"
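Review bot: The new GRKERNSEC_SYMLINKOWN_GID block ends with two consecutive blank lines before `endmenu`; one should be dropped. This is a second definition of a symbol that the same patch already declares in grsecurity/Kconfig, mirroring the existing GRKERNSEC_TPE_GID pattern, but the two carry different `depends on` lines (GRKERNSEC_CONFIG_SERVER here, GRKERNSEC_SYMLINKOWN there), so the prompt becomes visible whenever either condition holds; if that is not intended, add `depends on GRKERNSEC_SYMLINKOWN` here too. The 4450 default-gids patch touched by this commit only shifts hunk offsets and adds no override for the new 1006 default, which may be intentional but is worth confirming.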
@@ -78455,7 +78571,7 @@ index ccc61f8..3334dd6 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1012,7 @@ config INTEL_TXT
+@@ -169,7 +1023,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.4.4/4450_grsec-kconfig-default-gids.patch b/3.4.4/4450_grsec-kconfig-default-gids.patch
index a728d1a..bb24abe 100644
--- a/3.4.4/4450_grsec-kconfig-default-gids.patch
+++ b/3.4.4/4450_grsec-kconfig-default-gids.patch
@@ -16,7 +16,7 @@ from shooting themselves in the foot.
diff -Nuar a/grsecurity/Kconfig b/Kconfig
--- a/grsecurity/Kconfig 2012-07-01 12:54:58.000000000 -0400
+++ b/grsecurity/Kconfig 2012-07-01 13:00:04.000000000 -0400
-@@ -495,7 +495,7 @@
+@@ -520,7 +520,7 @@
config GRKERNSEC_AUDIT_GID
int "GID for auditing"
depends on GRKERNSEC_AUDIT_GROUP
@@ -25,7 +25,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
config GRKERNSEC_EXECLOG
bool "Exec logging"
-@@ -710,7 +710,7 @@
+@@ -735,7 +735,7 @@
config GRKERNSEC_TPE_GID
int "GID for untrusted users"
depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
@@ -34,7 +34,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*enabled* for. If the sysctl option is enabled, a sysctl option
-@@ -719,7 +719,7 @@
+@@ -744,7 +744,7 @@
config GRKERNSEC_TPE_GID
int "GID for trusted users"
depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
@@ -43,7 +43,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
help
Setting this GID determines what group TPE restrictions will be
*disabled* for. If the sysctl option is enabled, a sysctl option
-@@ -794,7 +794,7 @@
+@@ -819,7 +819,7 @@
config GRKERNSEC_SOCKET_ALL_GID
int "GID to deny all sockets for"
depends on GRKERNSEC_SOCKET_ALL
@@ -52,7 +52,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
help
Here you can choose the GID to disable socket access for. Remember to
add the users you want socket access disabled for to the GID
-@@ -815,7 +815,7 @@
+@@ -840,7 +840,7 @@
config GRKERNSEC_SOCKET_CLIENT_GID
int "GID to deny client sockets for"
depends on GRKERNSEC_SOCKET_CLIENT
@@ -61,7 +61,7 @@ diff -Nuar a/grsecurity/Kconfig b/Kconfig
help
Here you can choose the GID to disable client socket access for.
Remember to add the users you want client socket access disabled for to
-@@ -833,7 +833,7 @@
+@@ -858,7 +858,7 @@
config GRKERNSEC_SOCKET_SERVER_GID
int "GID to deny server sockets for"
depends on GRKERNSEC_SOCKET_SERVER
@@ -82,12 +82,3 @@ diff -Nuar a/security/Kconfig b/security/Kconfig
help
Setting this GID determines which group will be exempted from
grsecurity's /proc restrictions, allowing users of the specified
-@@ -176,7 +176,7 @@
-
- config GRKERNSEC_TPE_GID
- int "GID for untrusted users"
-- default 1005
-+ default 100
- help
- Setting this GID determines which group untrusted users should
- be added to. These users will be placed under grsecurity's Trusted Path
diff --git a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch
index fe28523..48acad7 100644
--- a/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch
+++ b/3.4.4/4465_selinux-avc_audit-log-curr_ip.patch
@@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org>
diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig
--- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400
+++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400
-@@ -892,6 +892,27 @@
+@@ -917,6 +917,27 @@
menu "Logging Options"
depends on GRKERNSEC