authorAnthony G. Basile <blueness@gentoo.org>2012-10-08 23:07:16 -0400
committerAnthony G. Basile <blueness@gentoo.org>2012-10-08 23:07:16 -0400
commitf3b586a8eabe83219c8eefb0ed30dcd725aa5efc (patch)
tree16564550044987ee06d66fe2c3fdd7a08d8306ea
parentGrsec/PaX: 2.9.1-{2.6.32.59,3.2.30,3.5.5}-201210022020 (diff)
Grsec/PaX: 2.9.1-{2.6.32.59,3.2.30,3.5.5}-201210070828
-rw-r--r--2.6.32/0000_README2
-rw-r--r--2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch)126
-rw-r--r--3.2.30/0000_README2
-rw-r--r--3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch (renamed from 3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch)130
-rw-r--r--3.5.5/0000_README2
-rw-r--r--3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch (renamed from 3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch)128
6 files changed, 258 insertions, 132 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 2cf0326..42845f1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -30,7 +30,7 @@ Patch: 1058_linux-2.6.32.59.patch
From: http://www.kernel.org
Desc: Linux 2.6.32.59
-Patch: 4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch
+Patch: 4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
index 675d03a..d90002f 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210022016.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.59-201210070827.patch
@@ -189,10 +189,20 @@ index e1efc40..3569a2f 100644
zconf.hash.c
+zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index c840e7d..30f0efe 100644
+index c840e7d..0f7d099 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -856,6 +856,12 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -806,6 +806,9 @@ and is between 256 and 4096 characters. It is defined in the file
+ gpt [EFI] Forces disk with valid GPT signature but
+ invalid Protective MBR to be treated as GPT.
+
++ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
++ ignore grsecurity's /proc restrictions
++
+ gvp11= [HW,SCSI]
+
+ hashdist= [KNL,NUMA] Large hashes allocated during boot
+@@ -856,6 +859,12 @@ and is between 256 and 4096 characters. It is defined in the file
If specified, z/VM IUCV HVC accepts connections
from listed z/VM user IDs only.
@@ -205,7 +215,7 @@ index c840e7d..30f0efe 100644
i2c_bus= [HW] Override the default board specific I2C bus speed
or register an additional I2C bus that is not
registered from board initialization code.
-@@ -1725,6 +1731,11 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -1725,6 +1734,11 @@ and is between 256 and 4096 characters. It is defined in the file
noresidual [PPC] Don't use residual data on PReP machines.
@@ -217,7 +227,7 @@ index c840e7d..30f0efe 100644
noresume [SWSUSP] Disables resume and restores original swap
space.
-@@ -1837,6 +1848,13 @@ and is between 256 and 4096 characters. It is defined in the file
+@@ -1837,6 +1851,13 @@ and is between 256 and 4096 characters. It is defined in the file
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -74831,7 +74841,7 @@ index c5ef152..28c94f7 100644
+}
+#endif
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 67f7dc0..071d058 100644
+index 67f7dc0..a6663de 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -102,6 +102,22 @@ struct pid_entry {
@@ -75106,7 +75116,7 @@ index 67f7dc0..071d058 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -75138,7 +75148,7 @@ index 67f7dc0..071d058 100644
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ || in_group_p(grsec_proc_gid)
+#endif
+ ) {
+#endif
@@ -75152,7 +75162,7 @@ index 67f7dc0..071d058 100644
- cred = __task_cred(task);
stat->uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++ stat->gid = grsec_proc_gid;
+#else
stat->gid = cred->egid;
+#endif
@@ -75180,7 +75190,7 @@ index 67f7dc0..071d058 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -75348,7 +75358,7 @@ index 67f7dc0..071d058 100644
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -75392,7 +75402,7 @@ index 67f7dc0..071d058 100644
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ && !in_group_p(grsec_proc_gid)
+#endif
+ )
+#endif
@@ -75464,7 +75474,7 @@ index 59ee7da..469b4b6 100644
}
module_init(proc_devices_init);
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index d78ade3..81767f9 100644
+index d78ade3..6820c1b 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -18,12 +18,19 @@
@@ -75506,7 +75516,7 @@ index d78ade3..81767f9 100644
inode->i_mode = de->mode;
inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = de->gid;
+#endif
@@ -75683,7 +75693,7 @@ index 9fe7d7e..cdb62c9 100644
seq_putc(m, '\n');
diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 04d1270..25e1173 100644
+index 04d1270..ca49aa3 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -75698,7 +75708,7 @@ index 04d1270..25e1173 100644
+ if (cred->fsuid)
+ return net;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++ if (cred->fsuid && !in_group_p(grsec_proc_gid))
+ return net;
+#endif
@@ -77237,10 +77247,10 @@ index 8f32f50..5db8d65 100644
link[pathlen] = '\0';
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..bbbfa1c
+index 0000000..5012f34
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,940 @@
+@@ -0,0 +1,946 @@
+#
+# grecurity configuration
+#
@@ -77487,7 +77497,8 @@ index 0000000..bbbfa1c
+ able to view all processes and network-related information. If you've
+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
+ remain hidden. This option is useful if you want to run identd as
-+ a non-root user.
++ a non-root user. The group you select may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
+config GRKERNSEC_PROC_GID
+ int "GID for special group"
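Review bot: The sentence added to the GRKERNSEC_PROC_USERGROUP help, `The group you select may also be chosen at boot time via "grsec_proc_gid="`, leaves open what happens when both the Kconfig value and the boot parameter are given; judging from the `init/main.c` part of this patch, where `grsec_proc_gid` is initialised from `CONFIG_GRKERNSEC_PROC_GID` and then overwritten by the `__setup` handler, the command line wins and the Kconfig number is only a default. Suggest saying so explicitly: `The GID configured in GRKERNSEC_PROC_GID below is only the default; it can be overridden at boot with "grsec_proc_gid=<gid>" on the kernel command line.` This is help text only, so nothing else in the hunk needs to change.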
@@ -77976,7 +77987,12 @@ index 0000000..bbbfa1c
+ entry will default to on for backward-compatibility.
+
+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
++ int
++ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+ default 1005
+ help
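Review bot: The derived `config GRKERNSEC_TPE_GID` that replaces the two clashing `config GRKERNSEC_TPE_GID` entries has neither a `depends on` nor an unconditional default, so its value exists only while one of the two `default ... if` arms fires; that is presumably what every `CONFIG_GRKERNSEC_TPE_GID` consumer wants, but it is left implicit. Adding `depends on GRKERNSEC_TPE` directly under the `int` line states the intent and guarantees the symbol is never written out when TPE is off, and a one-line comment such as `# not user-visible: resolved from GRKERNSEC_TPE_{UNTRUSTED,TRUSTED}_GID so existing code keeps reading CONFIG_GRKERNSEC_TPE_GID` saves the next reader the detour through the two prompts. Both prompts sharing the default 1005 is fine, since their `depends on` lines make them mutually exclusive.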
@@ -77984,8 +78000,8 @@ index 0000000..bbbfa1c
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+ with name "tpe_gid" is created.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+ default 1005
+ help
@@ -78227,7 +78243,7 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..af10280
+index 0000000..7724cb1
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4175 @@
@@ -82289,7 +82305,7 @@ index 0000000..af10280
+ if (cred->uid != 0)
+ ret = -EACCES;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++ if (cred->uid != 0 && !groups_search(cred->group_info, grsec_proc_gid))
+ ret = -EACCES;
+#endif
+#endif
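Review bot: `groups_search(cred->group_info, grsec_proc_gid)` only inspects the supplementary group list, whereas the /proc checks elsewhere in this patch use `in_group_p(grsec_proc_gid)`, which also matches the effective GID; a non-root task whose egid is the exempt GID but which does not also carry it as a supplementary group therefore passes the `fs/proc` checks and is refused here with -EACCES. If `cred` is the caller's own credentials the simplest fix is `if (cred->uid != 0 && !in_group_p(grsec_proc_gid))`; if it belongs to another task, extend the test to `cred->egid != grsec_proc_gid && !groups_search(cred->group_info, grsec_proc_gid)`. Note also that `grsec_proc_gid` is an `int` handed to a `gid_t` parameter, so a negative boot-time value silently becomes a very large group id at this call. The enclosing function starts and ends outside the hunk.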
@@ -89879,10 +89895,10 @@ index 0000000..ac88734
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..29ccfc4
+index 0000000..d44d8a6
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,225 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -90094,6 +90110,11 @@ index 0000000..29ccfc4
+
+extern int grsec_enable_dmesg;
+extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+extern int grsec_enable_chroot_findtask;
+#endif
@@ -93906,7 +93927,7 @@ index 1fd59b8..a01b079 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index 1eb4bd5..da072fc 100644
+index 1eb4bd5..a2cb48e 100644
--- a/init/main.c
+++ b/init/main.c
@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) { }
@@ -93917,10 +93938,20 @@ index 1eb4bd5..da072fc 100644
enum system_states system_state __read_mostly;
EXPORT_SYMBOL(system_state);
-@@ -183,6 +184,51 @@ static int __init set_reset_devices(char *str)
+@@ -183,6 +184,61 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++ grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++ return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+extern char pax_enter_kernel_user[];
+extern char pax_exit_kernel_user[];
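Review bot: `setup_grsec_proc_gid` stores whatever `simple_strtol(str, NULL, 0)` returns, so `grsec_proc_gid=abc` silently selects GID 0 and `grsec_proc_gid=-1` becomes a negative `int` that widens to a huge unsigned `gid_t` in the `in_group_p()`/`groups_search()` callers and on `inode->i_gid`; a typo on the command line quietly changes which group is exempt from the /proc restrictions instead of failing loudly. The command line is trusted input, so this is robustness rather than an exploitable hole, but a hardening knob should validate its value: check the end pointer and the range, keep the Kconfig default on bad input, and say so on the console. `kstrtoint()` is not available in a 2.6.32 tree as far as I know, hence the end-pointer form below. The rest of the `init/main.c` context continues outside this hunk.

```c
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
static int __init setup_grsec_proc_gid(char *str)
{
	char *end;
	long gid = simple_strtol(str, &end, 0);

	/* reject empty, non-numeric, trailing-garbage and out-of-range values; keep the Kconfig default */
	if (end == str || *end != '\0' || gid < 0 || gid > INT_MAX) {
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
		return 1;
	}
	grsec_proc_gid = (int)gid;
	return 1;
}
__setup("grsec_proc_gid=", setup_grsec_proc_gid);
#endif
```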
@@ -93969,7 +94000,7 @@ index 1eb4bd5..da072fc 100644
static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -705,52 +751,53 @@ int initcall_debug;
+@@ -705,52 +761,53 @@ int initcall_debug;
core_param(initcall_debug, initcall_debug, bool, 0644);
static char msgbuf[64];
@@ -94039,7 +94070,7 @@ index 1eb4bd5..da072fc 100644
}
-@@ -760,9 +807,15 @@ static void __init do_initcalls(void)
+@@ -760,9 +817,15 @@ static void __init do_initcalls(void)
{
initcall_t *call;
@@ -94056,7 +94087,7 @@ index 1eb4bd5..da072fc 100644
/* Make sure there is no pending stuff from the initcall sequence */
flush_scheduled_work();
}
-@@ -790,8 +843,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -790,8 +853,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *call;
@@ -94072,7 +94103,7 @@ index 1eb4bd5..da072fc 100644
}
static void run_init_process(char *init_filename)
-@@ -893,11 +952,13 @@ static int __init kernel_init(void * unused)
+@@ -893,11 +962,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -95425,7 +95456,7 @@ index fb98c9f..f8c336d 100644
futex_cmpxchg_enabled = 1;
diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
-index 2357165..eb25501 100644
+index 2357165..eb25501b 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -10,6 +10,7 @@
@@ -109644,10 +109675,10 @@ index d52f7a0..b66cdd9 100755
rm -f tags
xtags ctags
diff --git a/security/Kconfig b/security/Kconfig
-index fb363cd..19e2105 100644
+index fb363cd..0e9112e 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,879 @@
+@@ -4,6 +4,890 @@
menu "Security options"
@@ -109843,18 +109874,29 @@ index fb363cd..19e2105 100644
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
+ group to view network statistics and the existence of other users'
-+ processes on the system.
++ processes on the system. This GID may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
-+ depends on GRKERNSEC_CONFIG_SERVER
-+ default 1005
-+ help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++ default 1005
++ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+ Execution mechanism, preventing them from executing their own binaries.
+ The users will only be able to execute binaries in directories owned and
-+ writable only by the root user.
++ writable only by the root user. If the sysctl option is enabled, a sysctl
++ option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++ default 1005
++ help
++ Setting this GID determines what group TPE restrictions will be
++ *disabled* for. If the sysctl option is enabled, a sysctl option
++ with name "tpe_gid" is created.
+
+config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
@@ -110527,7 +110569,7 @@ index fb363cd..19e2105 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -146,7 +1019,7 @@ config INTEL_TXT
+@@ -146,7 +1030,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.2.30/0000_README b/3.2.30/0000_README
index b35474f..69b9c98 100644
--- a/3.2.30/0000_README
+++ b/3.2.30/0000_README
@@ -38,7 +38,7 @@ Patch: 1029_linux-3.2.30.patch
From: http://www.kernel.org
Desc: Linux 3.2.30
-Patch: 4420_grsecurity-2.9.1-3.2.30-201210022019.patch
+Patch: 4420_grsecurity-2.9.1-3.2.30-201210070828.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch
index 7913a68..431e878 100644
--- a/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210022019.patch
+++ b/3.2.30/4420_grsecurity-2.9.1-3.2.30-201210070828.patch
@@ -194,10 +194,20 @@ index dfa6fc6..65f7dbe 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index 81c287f..d456d02 100644
+index 81c287f..8c5ad74 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -1935,6 +1935,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -848,6 +848,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ gpt [EFI] Forces disk with valid GPT signature but
+ invalid Protective MBR to be treated as GPT.
+
++ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
++ ignore grsecurity's /proc restrictions
++
+ hashdist= [KNL,NUMA] Large hashes allocated during boot
+ are distributed across NUMA nodes. Defaults on
+ for 64-bit NUMA, off otherwise.
+@@ -1935,6 +1938,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -49395,7 +49405,7 @@ index 3a1dafd..dbcf51d 100644
+}
+#endif
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 1ace83d..afa2ac0 100644
+index 1ace83d..a2bc635 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -107,6 +107,22 @@ struct pid_entry {
@@ -49738,7 +49748,7 @@ index 1ace83d..afa2ac0 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -49770,7 +49780,7 @@ index 1ace83d..afa2ac0 100644
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ || in_group_p(grsec_proc_gid)
+#endif
+ ) {
+#endif
@@ -49784,7 +49794,7 @@ index 1ace83d..afa2ac0 100644
- cred = __task_cred(task);
stat->uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++ stat->gid = grsec_proc_gid;
+#else
stat->gid = cred->egid;
+#endif
@@ -49812,7 +49822,7 @@ index 1ace83d..afa2ac0 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -49921,7 +49931,7 @@ index 1ace83d..afa2ac0 100644
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -49965,7 +49975,7 @@ index 1ace83d..afa2ac0 100644
+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ && !in_group_p(grsec_proc_gid)
+#endif
+ )
+#endif
@@ -50037,7 +50047,7 @@ index b143471..bb105e5 100644
}
module_init(proc_devices_init);
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index 7737c54..7172574 100644
+index 7737c54..d155c87 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -18,12 +18,18 @@
@@ -50078,7 +50088,7 @@ index 7737c54..7172574 100644
inode->i_mode = de->mode;
inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = de->gid;
+#endif
@@ -50197,7 +50207,7 @@ index b1822dd..df622cb 100644
seq_putc(m, '\n');
diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index f738024..876984a 100644
+index f738024..8e3f141 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -50212,7 +50222,7 @@ index f738024..876984a 100644
+ if (cred->fsuid)
+ return net;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++ if (cred->fsuid && !in_group_p(grsec_proc_gid))
+ return net;
+#endif
@@ -51257,10 +51267,10 @@ index 87323f1..dab9d00 100644
ip = issum ? mp->m_rsumip : mp->m_rbmip;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..cb7b8ea
+index 0000000..ae8456d
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,947 @@
+#
+# grecurity configuration
+#
@@ -51505,10 +51515,11 @@ index 0000000..cb7b8ea
+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
+ help
+ If you say Y here, you will be able to select a group that will be
-+ able to view all processes and network-related information. If you've
-+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
-+ remain hidden. This option is useful if you want to run identd as
-+ a non-root user.
++ able to view all processes and network-related information. If you've
++ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
++ remain hidden. This option is useful if you want to run identd as
++ a non-root user. The group you select may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
+config GRKERNSEC_PROC_GID
+ int "GID for special group"
@@ -51997,7 +52008,12 @@ index 0000000..cb7b8ea
+ entry will default to on for backward-compatibility.
+
+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
++ int
++ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+ default 1005
+ help
@@ -52005,8 +52021,8 @@ index 0000000..cb7b8ea
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+ with name "tpe_gid" is created.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+ default 1005
+ help
@@ -52248,7 +52264,7 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..929fd63
+index 0000000..34026bb
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4190 @@
@@ -56325,7 +56341,7 @@ index 0000000..929fd63
+ if (cred->uid != 0)
+ ret = -EACCES;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++ if (cred->uid != 0 && !groups_search(cred->group_info, grsec_proc_gid))
+ ret = -EACCES;
+#endif
+#endif
@@ -63389,10 +63405,10 @@ index 0000000..54f4e85
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..12bf493
+index 0000000..c14f3fb
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,230 @@
+@@ -0,0 +1,235 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -63614,6 +63630,11 @@ index 0000000..12bf493
+
+extern int grsec_enable_dmesg;
+extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+extern int grsec_enable_chroot_findtask;
+#endif
@@ -67033,7 +67054,7 @@ index 2531811..040d4d4 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index cb08fea2..b51973d 100644
+index cb08fea2..a290416 100644
--- a/init/main.c
+++ b/init/main.c
@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void) { }
@@ -67045,10 +67066,20 @@ index cb08fea2..b51973d 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -149,6 +151,51 @@ static int __init set_reset_devices(char *str)
+@@ -149,6 +151,61 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++ grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++ return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+extern char pax_enter_kernel_user[];
+extern char pax_exit_kernel_user[];
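Review bot: The new `setup_grsec_proc_gid` accepts anything `simple_strtol(str, NULL, 0)` produces: trailing garbage is ignored, a non-numeric value becomes GID 0, and a negative value is stored in the `int` and later widens to a huge unsigned `gid_t` at the `in_group_p()` and `i_gid` consumers, so a mistyped command line silently changes which group bypasses the /proc restrictions. A 3.2 tree has `kstrtouint()`, which rejects sign, junk and overflow in one call; on failure keep the Kconfig default and warn rather than adopting a bogus GID. The `int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;` definition and the `__setup` registration stay as they are; only the handler body changes. The surrounding `init/main.c` context continues outside this hunk.

```c
static int __init setup_grsec_proc_gid(char *str)
{
	unsigned int gid;

	/* kstrtouint() rejects sign, trailing garbage and overflow; keep the Kconfig default on error */
	if (kstrtouint(str, 0, &gid) || gid > INT_MAX) {
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
		return 1;
	}
	grsec_proc_gid = gid;
	return 1;
}
```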
@@ -67097,7 +67128,7 @@ index cb08fea2..b51973d 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -678,6 +725,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -678,6 +735,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -67105,7 +67136,7 @@ index cb08fea2..b51973d 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -690,15 +738,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -690,15 +748,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -67125,7 +67156,7 @@ index cb08fea2..b51973d 100644
}
return ret;
-@@ -711,8 +759,14 @@ static void __init do_initcalls(void)
+@@ -711,8 +769,14 @@ static void __init do_initcalls(void)
{
initcall_t *fn;
@@ -67141,7 +67172,7 @@ index cb08fea2..b51973d 100644
}
/*
-@@ -738,8 +792,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -738,8 +802,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -67157,7 +67188,7 @@ index cb08fea2..b51973d 100644
}
static void run_init_process(const char *init_filename)
-@@ -821,7 +881,7 @@ static int __init kernel_init(void * unused)
+@@ -821,7 +891,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -67166,7 +67197,7 @@ index cb08fea2..b51973d 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -834,11 +894,13 @@ static int __init kernel_init(void * unused)
+@@ -834,11 +904,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -81971,10 +82002,10 @@ index 38f6617..e70b72b 100755
exuberant()
diff --git a/security/Kconfig b/security/Kconfig
-index 51bd5a0..560318a 100644
+index 51bd5a0..77d3608 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,885 @@
+@@ -4,6 +4,896 @@
menu "Security options"
@@ -82170,18 +82201,29 @@ index 51bd5a0..560318a 100644
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
+ group to view network statistics and the existence of other users'
-+ processes on the system.
++ processes on the system. This GID may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
-+ depends on GRKERNSEC_CONFIG_SERVER
-+ default 1005
-+ help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++ default 1005
++ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+ Execution mechanism, preventing them from executing their own binaries.
+ The users will only be able to execute binaries in directories owned and
-+ writable only by the root user.
++ writable only by the root user. If the sysctl option is enabled, a sysctl
++ option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++ default 1005
++ help
++ Setting this GID determines what group TPE restrictions will be
++ *disabled* for. If the sysctl option is enabled, a sysctl option
++ with name "tpe_gid" is created.
+
+config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
@@ -82860,7 +82902,7 @@ index 51bd5a0..560318a 100644
config KEYS
bool "Enable access key retention support"
help
-@@ -169,7 +1048,7 @@ config INTEL_TXT
+@@ -169,7 +1059,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX
diff --git a/3.5.5/0000_README b/3.5.5/0000_README
index dcb4431..95939b8 100644
--- a/3.5.5/0000_README
+++ b/3.5.5/0000_README
@@ -2,7 +2,7 @@ README
-----------------------------------------------------------------------------
Individual Patch Descriptions:
-----------------------------------------------------------------------------
-Patch: 4420_grsecurity-2.9.1-3.5.5-201210022020.patch
+Patch: 4420_grsecurity-2.9.1-3.5.5-201210070828.patch
From: http://www.grsecurity.net
Desc: hardened-sources base patch from upstream grsecurity
diff --git a/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch b/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch
index 3e664a6..5345b72 100644
--- a/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210022020.patch
+++ b/3.5.5/4420_grsecurity-2.9.1-3.5.5-201210070828.patch
@@ -224,10 +224,20 @@ index b4a898f..cd023f2 100644
+zconf.lex.c
zoffset.h
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
-index a92c5eb..7530459 100644
+index a92c5eb..b91d3d5 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
-@@ -2051,6 +2051,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+@@ -905,6 +905,9 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
+ gpt [EFI] Forces disk with valid GPT signature but
+ invalid Protective MBR to be treated as GPT.
+
++ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
++ ignore grsecurity's /proc restrictions
++
+ hashdist= [KNL,NUMA] Large hashes allocated during boot
+ are distributed across NUMA nodes. Defaults on
+ for 64-bit NUMA, off otherwise.
+@@ -2051,6 +2054,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -48920,7 +48930,7 @@ index c1c207c..01ce725 100644
static struct pid *
get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 437195f..cd2210d 100644
+index 437195f..e1b6a2d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -110,6 +110,14 @@ struct pid_entry {
@@ -49040,7 +49050,7 @@ index 437195f..cd2210d 100644
+
+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
++ || in_group_p(grsec_proc_gid)
+#endif
+ ) {
+ rcu_read_unlock();
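Review bot: `in_group_p(grsec_proc_gid)` passes a plain `int` to a function that, in a 3.5 tree, takes a `kgid_t` if I remember the user-namespace conversion correctly; this compiles only while `kgid_t` is a typedef of `gid_t`, i.e. with `CONFIG_UIDGID_STRICT_TYPE_CHECKS` off, and the implicit int-to-unsigned conversion also turns a negative boot-time value into a very large group id. If strict type checks can be enabled together with grsecurity in this tree, the call should read `in_group_p(make_kgid(&init_user_ns, grsec_proc_gid))`; otherwise a short comment recording the assumption, `/* grsec_proc_gid is a plain gid_t; relies on !UIDGID_STRICT_TYPE_CHECKS */`, would keep the next kernel bump from tripping over it. Worth confirming against the tree rather than taking my recollection for it. The enclosing function starts and ends outside the hunk.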
@@ -49203,7 +49213,7 @@ index 437195f..cd2210d 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -49223,7 +49233,7 @@ index 437195f..cd2210d 100644
cred = __task_cred(task);
stat->uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
++ stat->gid = grsec_proc_gid;
+#else
stat->gid = cred->egid;
+#endif
@@ -49244,7 +49254,7 @@ index 437195f..cd2210d 100644
cred = __task_cred(task);
inode->i_uid = cred->euid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = cred->egid;
+#endif
@@ -49353,7 +49363,7 @@ index 437195f..cd2210d 100644
+#ifdef CONFIG_GRKERNSEC_PROC_USER
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#else
inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
@@ -49437,7 +49447,7 @@ index b143471..bb105e5 100644
}
module_init(proc_devices_init);
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
-index 7ac817b..abab1a5 100644
+index 7ac817b..c5c9eb0 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -21,11 +21,17 @@
@@ -49477,7 +49487,7 @@ index 7ac817b..abab1a5 100644
inode->i_mode = de->mode;
inode->i_uid = de->uid;
+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
-+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
++ inode->i_gid = grsec_proc_gid;
+#else
inode->i_gid = de->gid;
+#endif
@@ -49587,7 +49597,7 @@ index b1822dd..df622cb 100644
seq_putc(m, '\n');
diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
-index 06e1cc1..177cd98 100644
+index 06e1cc1..aa6fbbf 100644
--- a/fs/proc/proc_net.c
+++ b/fs/proc/proc_net.c
@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(struct inode *dir)
@@ -49602,7 +49612,7 @@ index 06e1cc1..177cd98 100644
+ if (cred->fsuid)
+ return net;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
++ if (cred->fsuid && !in_group_p(grsec_proc_gid))
+ return net;
+#endif
@@ -50689,10 +50699,10 @@ index 92d4331..ca28a4b 100644
ip = issum ? mp->m_rsumip : mp->m_rbmip;
diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
new file mode 100644
-index 0000000..4d533f1
+index 0000000..d38b430
--- /dev/null
+++ b/grsecurity/Kconfig
-@@ -0,0 +1,941 @@
+@@ -0,0 +1,947 @@
+#
+# grecurity configuration
+#
@@ -50937,10 +50947,11 @@ index 0000000..4d533f1
+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
+ help
+ If you say Y here, you will be able to select a group that will be
-+ able to view all processes and network-related information. If you've
-+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
-+ remain hidden. This option is useful if you want to run identd as
-+ a non-root user.
++ able to view all processes and network-related information. If you've
++ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
++ remain hidden. This option is useful if you want to run identd as
++ a non-root user. The group you select may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
+config GRKERNSEC_PROC_GID
+ int "GID for special group"
@@ -51429,7 +51440,12 @@ index 0000000..4d533f1
+ entry will default to on for backward-compatibility.
+
+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
++ int
++ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
++ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
++
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
+ default 1005
+ help
@@ -51437,8 +51453,8 @@ index 0000000..4d533f1
+ *enabled* for. If the sysctl option is enabled, a sysctl option
+ with name "tpe_gid" is created.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for trusted users"
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
+ default 1005
+ help
@@ -51680,7 +51696,7 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..1561617
+index 0000000..07cd799
--- /dev/null
+++ b/grsecurity/gracl.c
@@ -0,0 +1,4017 @@
@@ -55584,7 +55600,7 @@ index 0000000..1561617
+ if (!uid_eq(cred->uid, GLOBAL_ROOT_UID))
+ ret = -EACCES;
+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
-+ if (!uid_eq(cred->uid, GLOBAL_ROOT_UID) && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
++ if (!uid_eq(cred->uid, GLOBAL_ROOT_UID) && !groups_search(cred->group_info, grsec_proc_gid))
+ ret = -EACCES;
+#endif
+#endif
@@ -62676,10 +62692,10 @@ index 0000000..54f4e85
+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
new file mode 100644
-index 0000000..38bfb04
+index 0000000..f9b9a21
--- /dev/null
+++ b/include/linux/grsecurity.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,238 @@
+#ifndef GR_SECURITY_H
+#define GR_SECURITY_H
+#include <linux/fs.h>
@@ -62904,6 +62920,11 @@ index 0000000..38bfb04
+
+extern int grsec_enable_dmesg;
+extern int grsec_disable_privio;
++
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++extern int grsec_proc_gid;
++#endif
++
+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
+extern int grsec_enable_chroot_findtask;
+#endif
@@ -66163,7 +66184,7 @@ index 84c6bf1..8899338 100644
next_state = Reset;
return 0;
diff --git a/init/main.c b/init/main.c
-index b5cc0a7..8e67244 100644
+index b5cc0a7..ed8e21f 100644
--- a/init/main.c
+++ b/init/main.c
@@ -95,6 +95,8 @@ static inline void mark_rodata_ro(void) { }
@@ -66175,10 +66196,20 @@ index b5cc0a7..8e67244 100644
/*
* Debug helper: via this flag we know that we are in 'early bootup code'
* where only the boot processor is running with IRQ disabled. This means
-@@ -148,6 +150,51 @@ static int __init set_reset_devices(char *str)
+@@ -148,6 +150,61 @@ static int __init set_reset_devices(char *str)
__setup("reset_devices", set_reset_devices);
++#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
++int grsec_proc_gid = CONFIG_GRKERNSEC_PROC_GID;
++static int __init setup_grsec_proc_gid(char *str)
++{
++ grsec_proc_gid = (int)simple_strtol(str, NULL, 0);
++ return 1;
++}
++__setup("grsec_proc_gid=", setup_grsec_proc_gid);
++#endif
++
+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
+extern char pax_enter_kernel_user[];
+extern char pax_exit_kernel_user[];
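Review bot: setup_grsec_proc_gid() accepts any string without validation, so a typo on the command line (`grsec_proc_gid=wheel`, `grsec_proc_gid=`) makes simple_strtol() return 0 and silently moves the /proc exemption to GID 0, i.e. members of group root gain the full-process and network view that in_group_p(grsec_proc_gid) grants elsewhere in this patch; a negative value is likewise stored in the `int` and then compared against an unsigned gid_t. Parse with an end pointer, reject a non-numeric, negative or out-of-range value, keep the Kconfig default and log a warning so the misconfiguration is visible at boot. The handler should still return 1 on the rejected value so the token is not handed down to init as an argument. INT_MAX is expected to come from linux/kernel.h, which init/main.c already includes — confirm. The `#if defined(CONFIG_X86_64) ...` block that follows continues outside the hunk.
```c
static int __init setup_grsec_proc_gid(char *str)
{
	char *end;
	long gid = simple_strtol(str, &end, 0);

	/* keep the Kconfig default on a malformed or out-of-range value:
	 * silently landing on 0 would hand the /proc exemption to group root */
	if (end == str || *end != '\0' || gid < 0 || gid > INT_MAX) {
		printk(KERN_WARNING "grsec_proc_gid: ignoring invalid value \"%s\"\n", str);
		return 1;
	}
	grsec_proc_gid = (int)gid;
	return 1;
}
/* … unchanged: __setup("grsec_proc_gid=", setup_grsec_proc_gid); … */
```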
@@ -66227,7 +66258,7 @@ index b5cc0a7..8e67244 100644
static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
static const char *panic_later, *panic_param;
-@@ -674,6 +721,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -674,6 +731,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
{
int count = preempt_count();
int ret;
@@ -66235,7 +66266,7 @@ index b5cc0a7..8e67244 100644
if (initcall_debug)
ret = do_one_initcall_debug(fn);
-@@ -686,15 +734,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
+@@ -686,15 +744,15 @@ int __init_or_module do_one_initcall(initcall_t fn)
sprintf(msgbuf, "error code %d ", ret);
if (preempt_count() != count) {
@@ -66255,7 +66286,7 @@ index b5cc0a7..8e67244 100644
}
return ret;
-@@ -747,8 +795,14 @@ static void __init do_initcall_level(int level)
+@@ -747,8 +805,14 @@ static void __init do_initcall_level(int level)
level, level,
&repair_env_string);
@@ -66271,7 +66302,7 @@ index b5cc0a7..8e67244 100644
}
static void __init do_initcalls(void)
-@@ -782,8 +836,14 @@ static void __init do_pre_smp_initcalls(void)
+@@ -782,8 +846,14 @@ static void __init do_pre_smp_initcalls(void)
{
initcall_t *fn;
@@ -66287,7 +66318,7 @@ index b5cc0a7..8e67244 100644
}
static void run_init_process(const char *init_filename)
-@@ -865,7 +925,7 @@ static int __init kernel_init(void * unused)
+@@ -865,7 +935,7 @@ static int __init kernel_init(void * unused)
do_basic_setup();
/* Open the /dev/console on the rootfs, this should never fail */
@@ -66296,7 +66327,7 @@ index b5cc0a7..8e67244 100644
printk(KERN_WARNING "Warning: unable to open an initial console.\n");
(void) sys_dup(0);
-@@ -878,11 +938,13 @@ static int __init kernel_init(void * unused)
+@@ -878,11 +948,13 @@ static int __init kernel_init(void * unused)
if (!ramdisk_execute_command)
ramdisk_execute_command = "/init";
@@ -80505,10 +80536,10 @@ index 5c11312..72742b5 100644
write_hex_cnt = 0;
for (i = 0; i < logo_clutsize; i++) {
diff --git a/security/Kconfig b/security/Kconfig
-index e9c6ac7..5ff1ad1 100644
+index e9c6ac7..e7feb0d 100644
--- a/security/Kconfig
+++ b/security/Kconfig
-@@ -4,6 +4,885 @@
+@@ -4,6 +4,896 @@
menu "Security options"
@@ -80704,18 +80735,29 @@ index e9c6ac7..5ff1ad1 100644
+ Setting this GID determines which group will be exempted from
+ grsecurity's /proc restrictions, allowing users of the specified
+ group to view network statistics and the existence of other users'
-+ processes on the system.
++ processes on the system. This GID may also be chosen at boot time
++ via "grsec_proc_gid=" on the kernel commandline.
+
-+config GRKERNSEC_TPE_GID
-+ int "GID for untrusted users"
-+ depends on GRKERNSEC_CONFIG_SERVER
-+ default 1005
-+ help
++config GRKERNSEC_TPE_UNTRUSTED_GID
++ int "GID for TPE-untrusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
++ default 1005
++ help
+ Setting this GID determines which group untrusted users should
+ be added to. These users will be placed under grsecurity's Trusted Path
+ Execution mechanism, preventing them from executing their own binaries.
+ The users will only be able to execute binaries in directories owned and
-+ writable only by the root user.
++ writable only by the root user. If the sysctl option is enabled, a sysctl
++ option with name "tpe_gid" is created.
++
++config GRKERNSEC_TPE_TRUSTED_GID
++ int "GID for TPE-trusted users"
++ depends on GRKERNSEC_CONFIG_SERVER && GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
++ default 1005
++ help
++ Setting this GID determines what group TPE restrictions will be
++ *disabled* for. If the sysctl option is enabled, a sysctl option
++ with name "tpe_gid" is created.
+
+config GRKERNSEC_SYMLINKOWN_GID
+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
@@ -81394,7 +81436,7 @@ index e9c6ac7..5ff1ad1 100644
source security/keys/Kconfig
config SECURITY_DMESG_RESTRICT
-@@ -103,7 +982,7 @@ config INTEL_TXT
+@@ -103,7 +993,7 @@ config INTEL_TXT
config LSM_MMAP_MIN_ADDR
int "Low address space for LSM to protect from user allocation"
depends on SECURITY && SECURITY_SELINUX