commit: b4080ad173c578b2afe704d9453b59536991f1f3 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> AuthorDate: Mon Feb 23 21:12:34 2015 +0000 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> CommitDate: Mon Feb 23 21:12:34 2015 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=b4080ad1
Grsec/PaX: 3.1-{3.2.67,3.14.33,3.18.7}-201502222138 --- 3.14.33/0000_README | 2 +- ...4420_grsecurity-3.1-3.14.33-201502222137.patch} | 191 +++++++++++++-------- 3.14.33/4427_force_XATTR_PAX_tmpfs.patch | 4 +- 3.14.33/4450_grsec-kconfig-default-gids.patch | 12 +- 3.14.33/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- 3.14.33/4470_disable-compat_vdso.patch | 2 +- 3.18.7/0000_README | 2 +- ... 4420_grsecurity-3.1-3.18.7-201502222138.patch} | 191 +++++++++++++-------- 3.18.7/4470_disable-compat_vdso.patch | 2 +- 3.2.67/0000_README | 2 +- ... 4420_grsecurity-3.1-3.2.67-201502222131.patch} | 191 +++++++++++++-------- 3.2.67/4450_grsec-kconfig-default-gids.patch | 12 +- 3.2.67/4465_selinux-avc_audit-log-curr_ip.patch | 2 +- 13 files changed, 375 insertions(+), 240 deletions(-) diff --git a/3.14.33/0000_README b/3.14.33/0000_README index 0785237..d79223a 100644 --- a/3.14.33/0000_README +++ b/3.14.33/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.14.33-201502200812.patch +Patch: 4420_grsecurity-3.1-3.14.33-201502222137.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch b/3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch similarity index 99% rename from 3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch rename to 3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch index 6f66607..ae236cc 100644 --- a/3.14.33/4420_grsecurity-3.0-3.14.33-201502200812.patch +++ b/3.14.33/4420_grsecurity-3.1-3.14.33-201502222137.patch @@ -64169,7 +64169,7 @@ index b29e42f..5ea7fdf 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ diff --git a/fs/namei.c b/fs/namei.c -index 0dd72c8..b058c6d 100644 +index 0dd72c8..07c6710 100644 
--- a/fs/namei.c +++ b/fs/namei.c @@ -331,17 +331,34 @@ int generic_permission(struct inode *inode, int mask) @@ -64613,7 +64613,7 @@ index 0dd72c8..b058c6d 100644 struct filename *name; struct dentry *dentry; struct nameidata nd; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; unsigned int lookup_flags = 0; retry: @@ -64623,7 +64623,7 @@ index 0dd72c8..b058c6d 100644 goto exit3; } + -+ saved_ino = dentry->d_inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) { @@ -64644,7 +64644,7 @@ index 0dd72c8..b058c6d 100644 struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; unsigned int lookup_flags = 0; retry: @@ -64655,7 +64655,7 @@ index 0dd72c8..b058c6d 100644 ihold(inode); + + if (inode->i_nlink <= 1) { -+ saved_ino = inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + } + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) { @@ -70424,10 +70424,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..c83525f +index 0000000..24d5a4c --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2697 @@ +@@ -0,0 +1,2725 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
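Review bot: The `u64 saved_ino` locals in the do_rmdir and do_unlinkat hunks deserve a one-line comment on why their type now diverges from `i_ino`'s `ino_t`, e.g. `/* u64, not ino_t: btrfs object ids exceed 32 bits on 32-bit kernels, see gr_get_ino_from_dentry() */`, otherwise the next reader will "fix" the type back. The new helper dereferences `dentry->d_inode` unconditionally; in the rmdir hunk that is safe because the call sits after the `goto exit3` that rejects a negative dentry, and in the unlink hunk the inode was just `ihold()`'d, so no new NULL path is introduced. Both do_rmdir and do_unlinkat begin and end outside these hunks, so the later gr_handle_delete() consumer of `saved_ino` is not visible here.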
@@ -70535,11 +70535,26 @@ index 0000000..c83525f + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +dev_t gr_get_dev_from_dentry(struct dentry *dentry) +{ + return __get_dev(dentry); +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return __get_ino(dentry); ++} ++ +static char gr_task_roletype_to_char(struct task_struct *task) +{ + switch (task->role->roletype & @@ -70878,7 +70893,7 @@ index 0000000..c83525f +} + +struct acl_subject_label * -+lookup_acl_subj_label(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -70898,7 +70913,7 @@ index 0000000..c83525f +} + +struct acl_subject_label * -+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -70918,7 +70933,7 @@ index 0000000..c83525f +} + +static struct acl_object_label * -+lookup_acl_obj_label(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); @@ -70938,7 +70953,7 @@ index 0000000..c83525f +} + +static struct acl_object_label * -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label_create(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); 
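Review bot: `__get_ino()` calls `btrfs_ino()` and compares `s_magic` against `BTRFS_SUPER_MAGIC` under `CONFIG_BTRFS_FS`/`CONFIG_BTRFS_FS_MODULE`, but neither name is declared by the includes visible at the top of this file in the patch; confirm gracl.c pulls in the btrfs inode header and `<linux/magic.h>` under the same `#if`, or the break will only surface in configs that enable btrfs. Every RBAC table keyed on (ino, dev) now depends on this helper returning the same value for the same object at insert and at lookup time, so it should carry a short contract comment, e.g. `/* Policy tables are keyed on this value; on 32-bit btrfs i_ino is a truncated objectid, so use the full 64-bit id. */`. The enclosing file continues well past this hunk.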
@@ -71019,7 +71034,7 @@ index 0000000..c83525f +} + +static struct inodev_entry * -+lookup_inodev_entry(const ino_t ino, const dev_t dev) ++lookup_inodev_entry(const u64 ino, const dev_t dev) +{ + unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -71244,7 +71259,7 @@ index 0000000..c83525f + +static struct acl_object_label * +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, -+ const ino_t curr_ino, const dev_t curr_dev, ++ const u64 curr_ino, const dev_t curr_dev, + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + struct acl_subject_label *tmpsubj; @@ -71275,7 +71290,7 @@ index 0000000..c83525f + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + int newglob = checkglob; -+ ino_t inode; ++ u64 inode; + dev_t device; + + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking @@ -71287,7 +71302,7 @@ index 0000000..c83525f + newglob = GR_NO_GLOB; + + spin_lock(&curr_dentry->d_lock); -+ inode = curr_dentry->d_inode->i_ino; ++ inode = __get_ino(curr_dentry); + device = __get_dev(curr_dentry); + spin_unlock(&curr_dentry->d_lock); + @@ -71420,7 +71435,7 @@ index 0000000..c83525f + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); + retval = -+ lookup_acl_subj_label(dentry->d_inode->i_ino, ++ lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -71435,7 +71450,7 @@ index 0000000..c83525f + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + parent = dentry->d_parent; 
@@ -71449,7 +71464,7 @@ index 0000000..c83525f + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -71457,7 +71472,7 @@ index 0000000..c83525f + if (unlikely(retval == NULL)) { + /* gr_real_root is pinned, we don't need to hold a reference */ + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry), + __get_dev(gr_real_root.dentry), role); + read_unlock(&gr_inode_lock); + } @@ -71584,14 +71599,27 @@ index 0000000..c83525f + return; + + for (i = 0; i < RLIM_NLIMITS; i++) { ++ unsigned long rlim_cur, rlim_max; ++ + if (!(proc->resmask & (1U << i))) + continue; + -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ rlim_cur = proc->res[i].rlim_cur; ++ rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_NOFILE) { ++ unsigned long saved_sysctl_nr_open = sysctl_nr_open; ++ if (rlim_cur > saved_sysctl_nr_open) ++ rlim_cur = saved_sysctl_nr_open; ++ if (rlim_max > saved_sysctl_nr_open) ++ rlim_max = saved_sysctl_nr_open; ++ } ++ ++ task->signal->rlim[i].rlim_cur = rlim_cur; ++ task->signal->rlim[i].rlim_max = rlim_max; + + if (i == RLIMIT_CPU) -+ update_rlimit_cpu(task, proc->res[i].rlim_cur); ++ update_rlimit_cpu(task, rlim_cur); + } + + return; @@ -72294,7 +72322,7 @@ index 0000000..c83525f + +/* always called with valid inodev ptr */ +static void -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev) ++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev) +{ + struct acl_object_label *matchpo; + struct acl_subject_label *matchps; 
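Review bot: The RLIMIT_NOFILE clamp in the rlimit-application loop silently lowers a policy value above `sysctl_nr_open` with no log, whereas do_prlimit() refuses such a request with -EPERM; a policy author who sets nofile too high will get a quietly smaller limit, so at minimum add `/* mirror do_prlimit(): RLIMIT_NOFILE may not exceed sysctl_nr_open; clamp rather than fail since the policy was already accepted */` above the `if (i == RLIMIT_NOFILE)` block. Reading `sysctl_nr_open` once into `saved_sysctl_nr_open` before both comparisons is the right call, since the sysctl can change concurrently and `rlim_cur` and `rlim_max` must be clamped against the same value. The writes to `task->signal->rlim[i]` happen without any locking visible in this hunk; the function's opening is outside it, so confirm the caller holds whatever do_prlimit() relies on before touching `signal->rlim`.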
@@ -72322,7 +72350,7 @@ index 0000000..c83525f +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + struct inodev_entry *inodev; + @@ -72339,8 +72367,8 @@ index 0000000..c83525f +} + +static void -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_obj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); @@ -72378,8 +72406,8 @@ index 0000000..c83525f +} + +static void -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_subj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_role_label *role) +{ + unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); @@ -72417,8 +72445,8 @@ index 0000000..c83525f +} + +static void -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice) ++update_inodev_entry(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice) +{ + unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -72454,7 +72482,7 @@ index 0000000..c83525f +} + +static void -+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev) ++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev) +{ + struct acl_subject_label *subj; + struct acl_role_label *role; 
@@ -72487,7 +72515,7 @@ index 0000000..c83525f +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry, + const struct vfsmount *mnt) +{ -+ ino_t ino = dentry->d_inode->i_ino; ++ u64 ino = __get_ino(dentry); + dev_t dev = __get_dev(dentry); + + __do_handle_create(matchn, ino, dev); @@ -72546,7 +72574,7 @@ index 0000000..c83525f + struct name_entry *matchn; + struct inodev_entry *inodev; + struct inode *inode = new_dentry->d_inode; -+ ino_t old_ino = old_dentry->d_inode->i_ino; ++ u64 old_ino = __get_ino(old_dentry); + dev_t old_dev = __get_dev(old_dentry); + + /* vfs_rename swaps the name and parent link for old_dentry and @@ -72569,7 +72597,7 @@ index 0000000..c83525f + + write_lock(&gr_inode_lock); + if (unlikely(replace && inode)) { -+ ino_t new_ino = inode->i_ino; ++ u64 new_ino = __get_ino(new_dentry); + dev_t new_dev = __get_dev(new_dentry); + + inodev = lookup_inodev_entry(new_ino, new_dev); @@ -73026,7 +73054,7 @@ index 0000000..c83525f + return 0; +} + -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino) ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino) +{ + struct task_struct *task = current; + struct dentry *dentry = file->f_path.dentry; @@ -73371,10 +73399,10 @@ index 0000000..1a94c11 + diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c new file mode 100644 -index 0000000..ca25605 +index 0000000..a43dd06 --- /dev/null +++ b/grsecurity/gracl_compat.c -@@ -0,0 +1,270 @@ +@@ -0,0 +1,269 @@ +#include <linux/kernel.h> +#include <linux/gracl.h> +#include <linux/compat.h> 
@@ -73389,8 +73417,7 @@ index 0000000..ca25605 + if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat))) + return -EFAULT; + -+ if (((uwrapcompat.version != GRSECURITY_VERSION) && -+ (uwrapcompat.version != 0x2901)) || ++ if ((uwrapcompat.version != GRSECURITY_VERSION) || + (uwrapcompat.size != sizeof(struct gr_arg_compat))) + return -EINVAL; + @@ -74697,10 +74724,10 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..7949dcd +index 0000000..fd26052 --- /dev/null +++ b/grsecurity/gracl_policy.c -@@ -0,0 +1,1782 @@ +@@ -0,0 +1,1781 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -74780,8 +74807,8 @@ index 0000000..7949dcd +extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role); +extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name); +extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt); -+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role); -+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role); +extern void assign_special_role(const char *rolename); +extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role); +extern int gr_rbac_disable(void *unused); 
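Review bot: Dropping the `0x2901` fallback in the gracl_compat.c version check is correct because the user-visible structures change in this same commit (`compat_ino_t` becomes `compat_u64` in gracl_compat.h), and accepting a pre-3.1 gradm would parse the old layout into the new structs; the check deserves a comment saying so, e.g. `/* no backward compat: the 3.1 ABI widened inode fields to 64 bits, an older gradm's struct layout would be misread */`. Note that the `size` comparison alone is not a sufficient ABI guard, since a field-width change can leave `sizeof(struct gr_arg_compat)` unchanged through padding, so `GRSECURITY_VERSION` must be bumped on every layout change as it was here.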
@@ -74864,8 +74891,7 @@ index 0000000..7949dcd + if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper))) + return -EFAULT; + -+ if (((uwrap->version != GRSECURITY_VERSION) && -+ (uwrap->version != 0x2901)) || ++ if ((uwrap->version != GRSECURITY_VERSION) || + (uwrap->size != sizeof(struct gr_arg))) + return -EINVAL; + @@ -75050,7 +75076,7 @@ index 0000000..7949dcd +} + +static int -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted) ++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted) +{ + struct name_entry **curr, *nentry; + struct inodev_entry *ientry; @@ -76559,10 +76585,10 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..2040e61 +index 0000000..218b66b --- /dev/null +++ b/grsecurity/gracl_segv.c -@@ -0,0 +1,313 @@ +@@ -0,0 +1,324 @@ +#include <linux/kernel.h> +#include <linux/mm.h> +#include <asm/uaccess.h> @@ -76593,7 +76619,7 @@ index 0000000..2040e61 +static DEFINE_SPINLOCK(gr_uid_lock); +extern rwlock_t gr_inode_lock; +extern struct acl_subject_label * -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev, ++ lookup_acl_subj_label(const u64 inode, const dev_t dev, + struct acl_role_label *role); + +static inline dev_t __get_dev(const struct dentry *dentry) @@ -76606,6 +76632,16 @@ index 0000000..2040e61 + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +int +gr_init_uidset(void) +{ 
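Review bot: `__get_ino()` is now defined twice with identical bodies, once in gracl.c and again here in gracl_segv.c; if the two ever drift (one side losing the btrfs branch, say), gr_check_crash_exec() would look up subjects under a different key than the one the RBAC tables were populated with and silently miss, which defeats the crash-protection path. Move the helper next to gr_fhash() in include/linux/gracl.h as a single `static inline` (the duplicated `__get_dev()` could go with it) and have the non-static `gr_get_ino_from_dentry()` wrap that one copy. The surrounding file continues beyond what is shown in this hunk.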
@@ -76826,13 +76862,14 @@ index 0000000..2040e61 +gr_check_crash_exec(const struct file *filp) +{ + struct acl_subject_label *curr; ++ struct dentry *dentry; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + read_lock(&gr_inode_lock); -+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino, -+ __get_dev(filp->f_path.dentry), ++ dentry = filp->f_path.dentry; ++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry), + current->role); + read_unlock(&gr_inode_lock); + @@ -77424,10 +77461,10 @@ index 0000000..2a43673 +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..1e028d7 +index 0000000..7e8cbe4 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,439 @@ +@@ -0,0 +1,444 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -77549,7 +77586,7 @@ index 0000000..1e028d7 +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + return; +} @@ -77749,7 +77786,7 @@ index 0000000..1e028d7 + +int +gr_acl_handle_filldir(const struct file *file, const char *name, -+ const int namelen, const ino_t ino) ++ const int namelen, const u64 ino) +{ + return 1; +} @@ -77858,6 +77895,11 @@ index 0000000..1e028d7 + return dentry->d_sb->s_dev; +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return dentry->d_inode->i_ino; ++} ++ +void gr_put_exec_file(struct task_struct *task) +{ + return; @@ -82279,10 +82321,10 @@ index 3824ac6..f3932a3 100644 { diff --git a/include/linux/gracl.h b/include/linux/gracl.h new file mode 100644 -index 0000000..edb2cb6 +index 0000000..91858e4 --- /dev/null +++ b/include/linux/gracl.h -@@ -0,0 +1,340 @@ +@@ -0,0 +1,342 @@ +#ifndef GR_ACL_H +#define GR_ACL_H + 
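Review bot: The grsec_disabled.c stub `gr_acl_handle_filldir()` declares `namelen` as `const int` while the prototype in include/linux/grsecurity.h in this same patch uses `const unsigned int`; the commit touches that line for the `u64 ino` change and leaves the pre-existing mismatch, so change it to `const unsigned int namelen` to match the header, since the compiler will reject the conflicting types as soon as this file includes that prototype. The stub `gr_get_ino_from_dentry()` returning plain `i_ino` without the btrfs branch is acceptable in the disabled build because nothing keys a table on it, but a one-line comment saying so, e.g. `/* RBAC is compiled out: nothing hashes on this, so no btrfs objectid handling */`, would stop the next reader from "fixing" it.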
@@ -82294,8 +82336,8 @@ index 0000000..edb2cb6 + +/* Major status information */ + -+#define GR_VERSION "grsecurity 3.0" -+#define GRSECURITY_VERSION 0x3000 ++#define GR_VERSION "grsecurity 3.1" ++#define GRSECURITY_VERSION 0x3100 + +enum { + GR_SHUTDOWN = 0, @@ -82340,7 +82382,7 @@ index 0000000..edb2cb6 + +struct name_entry { + __u32 key; -+ ino_t inode; ++ u64 inode; + dev_t device; + char *name; + __u16 len; @@ -82388,7 +82430,7 @@ index 0000000..edb2cb6 + +struct acl_subject_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + kernel_cap_t cap_mask; @@ -82476,7 +82518,7 @@ index 0000000..edb2cb6 + +struct acl_object_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + @@ -82512,7 +82554,7 @@ index 0000000..edb2cb6 + unsigned char sp_role[GR_SPROLE_LEN]; + struct sprole_pw *sprole_pws; + dev_t segv_device; -+ ino_t segv_inode; ++ u64 segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; @@ -82584,9 +82626,11 @@ index 0000000..edb2cb6 +} + +static __inline__ unsigned int -+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) ++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz) +{ -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); ++ unsigned int rem; ++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem); ++ return rem; +} + +static __inline__ unsigned int @@ -82625,7 +82669,7 @@ index 0000000..edb2cb6 + diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h new file mode 100644 -index 0000000..33ebd1f +index 0000000..af64092 --- /dev/null +++ b/include/linux/gracl_compat.h @@ -0,0 +1,156 @@ @@ -82652,7 +82696,7 @@ index 0000000..33ebd1f + +struct acl_subject_label_compat { + compat_uptr_t filename; -+ compat_ino_t inode; ++ compat_u64 inode; + __u32 device; + __u32 mode; + kernel_cap_t cap_mask; 
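Review bot: In the new `gr_fhash()` the `(dev << 9)` term is still evaluated in `dev_t`'s 32-bit arithmetic before being widened, so the top nine bits of the device number are discarded before mixing, unlike `ino << 13` and `ino << 23` which now shift in 64 bits; if that is intentional (it preserves the previous distribution for non-btrfs inodes) say so in a comment, otherwise write `((u64)dev << 9)`. The switch to `div_u64_rem()` is needed because a `%` on a u64 would pull in `__umoddi3` on 32-bit builds, which the kernel does not provide; that is worth one comment, and it also requires `<linux/math64.h>`, which is not visible in this header's includes. As far as the hunks here show the hash is computed in the kernel at both insert and lookup time, so adjusting the formula would not invalidate policies on disk, but that should be confirmed against gradm.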
@@ -82740,7 +82784,7 @@ index 0000000..33ebd1f + +struct acl_object_label_compat { + compat_uptr_t filename; -+ compat_ino_t inode; ++ compat_u64 inode; + __u32 device; + __u32 mode; + @@ -82772,7 +82816,7 @@ index 0000000..33ebd1f + unsigned char sp_role[GR_SPROLE_LEN]; + compat_uptr_t sprole_pws; + __u32 segv_device; -+ compat_ino_t segv_inode; ++ compat_u64 segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; @@ -83308,10 +83352,10 @@ index 0000000..26ef560 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..40e9e6a +index 0000000..0fb332e --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,259 @@ +@@ -0,0 +1,260 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -83479,7 +83523,7 @@ index 0000000..40e9e6a + const struct vfsmount *parent_mnt); +__u32 gr_acl_handle_rmdir(const struct dentry *dentry, + const struct vfsmount *mnt); -+void gr_handle_delete(const ino_t ino, const dev_t dev); ++void gr_handle_delete(const u64 ino, const dev_t dev); +__u32 gr_acl_handle_unlink(const struct dentry *dentry, + const struct vfsmount *mnt); +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry, @@ -83508,7 +83552,7 @@ index 0000000..40e9e6a + const struct dentry *old_dentry, + const struct vfsmount *old_mnt); +int gr_acl_handle_filldir(const struct file *file, const char *name, -+ const unsigned int namelen, const ino_t ino); ++ const unsigned int namelen, const u64 ino); + +__u32 gr_acl_handle_unix(const struct dentry *dentry, + const struct vfsmount *mnt); 
@@ -83519,6 +83563,7 @@ index 0000000..40e9e6a +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode); +void gr_audit_ptrace(struct task_struct *task); +dev_t gr_get_dev_from_dentry(struct dentry *dentry); ++u64 gr_get_ino_from_dentry(struct dentry *dentry); +void gr_put_exec_file(struct task_struct *task); + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); diff --git a/3.14.33/4427_force_XATTR_PAX_tmpfs.patch b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch index aa540ad..4c236cc 100644 --- a/3.14.33/4427_force_XATTR_PAX_tmpfs.patch +++ b/3.14.33/4427_force_XATTR_PAX_tmpfs.patch @@ -6,7 +6,7 @@ namespace supported on tmpfs so that the PaX markings survive emerge. diff -Naur a/mm/shmem.c b/mm/shmem.c --- a/mm/shmem.c 2013-06-11 21:00:18.000000000 -0400 +++ b/mm/shmem.c 2013-06-11 21:08:18.000000000 -0400 -@@ -2240,11 +2240,7 @@ +@@ -2249,11 +2249,7 @@ static int shmem_xattr_validate(const char *name) { struct { const char *prefix; size_t len; } arr[] = { @@ -18,7 +18,7 @@ diff -Naur a/mm/shmem.c b/mm/shmem.c { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } }; -@@ -2300,14 +2296,12 @@ +@@ -2309,14 +2305,12 @@ if (err) return err; diff --git a/3.14.33/4450_grsec-kconfig-default-gids.patch b/3.14.33/4450_grsec-kconfig-default-gids.patch index 722821b..8c878fc 100644 --- a/3.14.33/4450_grsec-kconfig-default-gids.patch +++ b/3.14.33/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -680,7 +680,7 @@ +@@ -696,7 +696,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP 
@@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -911,7 +911,7 @@ +@@ -927,7 +927,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -920,7 +920,7 @@ +@@ -936,7 +936,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -1005,7 +1005,7 @@ +@@ -1021,7 +1021,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL @@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1026,7 +1026,7 @@ +@@ -1042,7 +1042,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1044,7 +1044,7 @@ +@@ -1060,7 +1060,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch index f92c155..bba906e 100644 --- a/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.14.33/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ 
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lore...@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1139,6 +1139,27 @@ +@@ -1155,6 +1155,27 @@ menu "Logging Options" depends on GRKERNSEC diff --git a/3.14.33/4470_disable-compat_vdso.patch b/3.14.33/4470_disable-compat_vdso.patch index cc7c122..3b3953b 100644 --- a/3.14.33/4470_disable-compat_vdso.patch +++ b/3.14.33/4470_disable-compat_vdso.patch @@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -1862,17 +1862,8 @@ +@@ -1866,17 +1866,8 @@ config COMPAT_VDSO def_bool n diff --git a/3.18.7/0000_README b/3.18.7/0000_README index ee63631..366e930 100644 --- a/3.18.7/0000_README +++ b/3.18.7/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.18.7-201502200813.patch +Patch: 4420_grsecurity-3.1-3.18.7-201502222138.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch b/3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch similarity index 99% rename from 3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch rename to 3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch index 544940a..1db1bc3 100644 --- a/3.18.7/4420_grsecurity-3.0-3.18.7-201502200813.patch +++ b/3.18.7/4420_grsecurity-3.1-3.18.7-201502222138.patch @@ -64135,7 +64135,7 @@ index f82c628..9492b99 100644 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */ 
diff --git a/fs/namei.c b/fs/namei.c -index db5fe86..ac769e4 100644 +index db5fe86..8bce5f0 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -331,17 +331,32 @@ int generic_permission(struct inode *inode, int mask) @@ -64516,7 +64516,7 @@ index db5fe86..ac769e4 100644 struct filename *name; struct dentry *dentry; struct nameidata nd; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; unsigned int lookup_flags = 0; retry: @@ -64526,7 +64526,7 @@ index db5fe86..ac769e4 100644 goto exit3; } + -+ saved_ino = dentry->d_inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) { @@ -64547,7 +64547,7 @@ index db5fe86..ac769e4 100644 struct nameidata nd; struct inode *inode = NULL; struct inode *delegated_inode = NULL; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; unsigned int lookup_flags = 0; retry: @@ -64558,7 +64558,7 @@ index db5fe86..ac769e4 100644 ihold(inode); + + if (inode->i_nlink <= 1) { -+ saved_ino = inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + } + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) { @@ -69512,10 +69512,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..9c2d930 +index 0000000..6c1e154 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2721 @@ +@@ -0,0 +1,2749 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
@@ -69623,11 +69623,26 @@ index 0000000..9c2d930 + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +dev_t gr_get_dev_from_dentry(struct dentry *dentry) +{ + return __get_dev(dentry); +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return __get_ino(dentry); ++} ++ +static char gr_task_roletype_to_char(struct task_struct *task) +{ + switch (task->role->roletype & @@ -69966,7 +69981,7 @@ index 0000000..9c2d930 +} + +struct acl_subject_label * -+lookup_acl_subj_label(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -69986,7 +70001,7 @@ index 0000000..9c2d930 +} + +struct acl_subject_label * -+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -70006,7 +70021,7 @@ index 0000000..9c2d930 +} + +static struct acl_object_label * -+lookup_acl_obj_label(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); @@ -70026,7 +70041,7 @@ index 0000000..9c2d930 +} + +static struct acl_object_label * -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label_create(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); 
@@ -70107,7 +70122,7 @@ index 0000000..9c2d930 +} + +static struct inodev_entry * -+lookup_inodev_entry(const ino_t ino, const dev_t dev) ++lookup_inodev_entry(const u64 ino, const dev_t dev) +{ + unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -70332,7 +70347,7 @@ index 0000000..9c2d930 + +static struct acl_object_label * +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, -+ const ino_t curr_ino, const dev_t curr_dev, ++ const u64 curr_ino, const dev_t curr_dev, + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + struct acl_subject_label *tmpsubj; @@ -70363,7 +70378,7 @@ index 0000000..9c2d930 + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + int newglob = checkglob; -+ ino_t inode; ++ u64 inode; + dev_t device; + + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking @@ -70375,7 +70390,7 @@ index 0000000..9c2d930 + newglob = GR_NO_GLOB; + + spin_lock(&curr_dentry->d_lock); -+ inode = curr_dentry->d_inode->i_ino; ++ inode = __get_ino(curr_dentry); + device = __get_dev(curr_dentry); + spin_unlock(&curr_dentry->d_lock); + @@ -70508,7 +70523,7 @@ index 0000000..9c2d930 + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); + retval = -+ lookup_acl_subj_label(dentry->d_inode->i_ino, ++ lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -70523,7 +70538,7 @@ index 0000000..9c2d930 + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + parent = dentry->d_parent; 
@@ -70537,7 +70552,7 @@ index 0000000..9c2d930 + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -70545,7 +70560,7 @@ index 0000000..9c2d930 + if (unlikely(retval == NULL)) { + /* gr_real_root is pinned, we don't need to hold a reference */ + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry), + __get_dev(gr_real_root.dentry), role); + read_unlock(&gr_inode_lock); + } @@ -70672,14 +70687,27 @@ index 0000000..9c2d930 + return; + + for (i = 0; i < RLIM_NLIMITS; i++) { ++ unsigned long rlim_cur, rlim_max; ++ + if (!(proc->resmask & (1U << i))) + continue; + -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ rlim_cur = proc->res[i].rlim_cur; ++ rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_NOFILE) { ++ unsigned long saved_sysctl_nr_open = sysctl_nr_open; ++ if (rlim_cur > saved_sysctl_nr_open) ++ rlim_cur = saved_sysctl_nr_open; ++ if (rlim_max > saved_sysctl_nr_open) ++ rlim_max = saved_sysctl_nr_open; ++ } ++ ++ task->signal->rlim[i].rlim_cur = rlim_cur; ++ task->signal->rlim[i].rlim_max = rlim_max; + + if (i == RLIMIT_CPU) -+ update_rlimit_cpu(task, proc->res[i].rlim_cur); ++ update_rlimit_cpu(task, rlim_cur); + } + + return; @@ -71382,7 +71410,7 @@ index 0000000..9c2d930 + +/* always called with valid inodev ptr */ +static void -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev) ++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev) +{ + struct acl_object_label *matchpo; + struct acl_subject_label *matchps; 
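Review bot: The new `RLIMIT_NOFILE` clamp in the `@@ -70672` hunk silently lowers what the policy asked for, whereas the core `do_prlimit()` path rejects a hard limit above `sysctl_nr_open` with `-EPERM`; an administrator who puts a larger value in the policy gets a different effective limit with no diagnostic. A one-time log line when the clamp fires, or a check at policy-load time, would make that visible, and at minimum the block deserves a comment such as `/* the fd table cannot grow past sysctl_nr_open; clamp rather than fail so the rest of the policy still applies */`, with the "rather than fail" part confirmed by the author since the motivation is not stated. Reading `sysctl_nr_open` once into `saved_sysctl_nr_open` before both comparisons is the right call, since the sysctl can change underneath. The enclosing function starts and ends outside the hunk, so whether the writes to `task->signal->rlim[i]` are covered by `task_lock(task->group_leader)` as in `do_prlimit()` cannot be checked here. The same change appears in the 3.2.67 patch at `@@ -69804`.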
@@ -71410,7 +71438,7 @@ index 0000000..9c2d930 +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + struct inodev_entry *inodev; + @@ -71427,8 +71455,8 @@ index 0000000..9c2d930 +} + +static void -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_obj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); @@ -71466,8 +71494,8 @@ index 0000000..9c2d930 +} + +static void -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_subj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_role_label *role) +{ + unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); @@ -71505,8 +71533,8 @@ index 0000000..9c2d930 +} + +static void -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice) ++update_inodev_entry(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice) +{ + unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -71542,7 +71570,7 @@ index 0000000..9c2d930 +} + +static void -+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev) ++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev) +{ + struct acl_subject_label *subj; + struct acl_role_label *role; 
@@ -71575,7 +71603,7 @@ index 0000000..9c2d930 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry, + const struct vfsmount *mnt) +{ -+ ino_t ino = dentry->d_inode->i_ino; ++ u64 ino = __get_ino(dentry); + dev_t dev = __get_dev(dentry); + + __do_handle_create(matchn, ino, dev); @@ -71635,7 +71663,7 @@ index 0000000..9c2d930 + struct name_entry *matchn2 = NULL; + struct inodev_entry *inodev; + struct inode *inode = new_dentry->d_inode; -+ ino_t old_ino = old_dentry->d_inode->i_ino; ++ u64 old_ino = __get_ino(old_dentry); + dev_t old_dev = __get_dev(old_dentry); + unsigned int exchange = flags & RENAME_EXCHANGE; + @@ -71677,7 +71705,7 @@ index 0000000..9c2d930 + + write_lock(&gr_inode_lock); + if (unlikely((replace || exchange) && inode)) { -+ ino_t new_ino = inode->i_ino; ++ u64 new_ino = __get_ino(new_dentry); + dev_t new_dev = __get_dev(new_dentry); + + inodev = lookup_inodev_entry(new_ino, new_dev); @@ -72138,7 +72166,7 @@ index 0000000..9c2d930 + return 0; +} + -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino) ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino) +{ + struct task_struct *task = current; + struct dentry *dentry = file->f_path.dentry; @@ -72483,10 +72511,10 @@ index 0000000..1a94c11 + diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c new file mode 100644 -index 0000000..ca25605 +index 0000000..a43dd06 --- /dev/null +++ b/grsecurity/gracl_compat.c -@@ -0,0 +1,270 @@ +@@ -0,0 +1,269 @@ +#include <linux/kernel.h> +#include <linux/gracl.h> +#include <linux/compat.h> 
@@ -72501,8 +72529,7 @@ index 0000000..ca25605 + if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat))) + return -EFAULT; + -+ if (((uwrapcompat.version != GRSECURITY_VERSION) && -+ (uwrapcompat.version != 0x2901)) || ++ if ((uwrapcompat.version != GRSECURITY_VERSION) || + (uwrapcompat.size != sizeof(struct gr_arg_compat))) + return -EINVAL; + @@ -73817,10 +73844,10 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..7949dcd +index 0000000..fd26052 --- /dev/null +++ b/grsecurity/gracl_policy.c -@@ -0,0 +1,1782 @@ +@@ -0,0 +1,1781 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -73900,8 +73927,8 @@ index 0000000..7949dcd +extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role); +extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name); +extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt); -+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role); -+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role); +extern void assign_special_role(const char *rolename); +extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role); +extern int gr_rbac_disable(void *unused); 
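Review bot: Dropping the `0x2901` fallback here and in the matching gracl_policy.c hunk (`@@ -73984`) while `GRSECURITY_VERSION` moves to `0x3100` means a gradm built against the 3.0 headers is now refused with `-EINVAL` at policy load, and nothing in the changeset tells an administrator that; the 0000_README entry for this patch should state the gradm version it requires. The gate is doing real work in this update because include/linux/gracl_compat.h changes `compat_ino_t` to `compat_u64`, altering the user/kernel layout that a 32-bit gradm on a 64-bit kernel must match. A short comment on the check would record this, e.g. `/* 3.1 widened inode fields to u64 (ABI change); older gradm is rejected deliberately */`. The same hunks appear in the 3.2.67 patch at `@@ -71763` and `@@ -73237`.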
@@ -73984,8 +74011,7 @@ index 0000000..7949dcd + if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper))) + return -EFAULT; + -+ if (((uwrap->version != GRSECURITY_VERSION) && -+ (uwrap->version != 0x2901)) || ++ if ((uwrap->version != GRSECURITY_VERSION) || + (uwrap->size != sizeof(struct gr_arg))) + return -EINVAL; + @@ -74170,7 +74196,7 @@ index 0000000..7949dcd +} + +static int -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted) ++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted) +{ + struct name_entry **curr, *nentry; + struct inodev_entry *ientry; @@ -75679,10 +75705,10 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..2040e61 +index 0000000..218b66b --- /dev/null +++ b/grsecurity/gracl_segv.c -@@ -0,0 +1,313 @@ +@@ -0,0 +1,324 @@ +#include <linux/kernel.h> +#include <linux/mm.h> +#include <asm/uaccess.h> @@ -75713,7 +75739,7 @@ index 0000000..2040e61 +static DEFINE_SPINLOCK(gr_uid_lock); +extern rwlock_t gr_inode_lock; +extern struct acl_subject_label * -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev, ++ lookup_acl_subj_label(const u64 inode, const dev_t dev, + struct acl_role_label *role); + +static inline dev_t __get_dev(const struct dentry *dentry) @@ -75726,6 +75752,16 @@ index 0000000..2040e61 + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +int +gr_init_uidset(void) +{ 
@@ -75946,13 +75982,14 @@ index 0000000..2040e61 +gr_check_crash_exec(const struct file *filp) +{ + struct acl_subject_label *curr; ++ struct dentry *dentry; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + read_lock(&gr_inode_lock); -+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino, -+ __get_dev(filp->f_path.dentry), ++ dentry = filp->f_path.dentry; ++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry), + current->role); + read_unlock(&gr_inode_lock); + @@ -76542,10 +76579,10 @@ index 0000000..114ea4f +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..0f9ac91 +index 0000000..946f750 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,440 @@ +@@ -0,0 +1,445 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -76667,7 +76704,7 @@ index 0000000..0f9ac91 +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + return; +} @@ -76868,7 +76905,7 @@ index 0000000..0f9ac91 + +int +gr_acl_handle_filldir(const struct file *file, const char *name, -+ const int namelen, const ino_t ino) ++ const int namelen, const u64 ino) +{ + return 1; +} @@ -76977,6 +77014,11 @@ index 0000000..0f9ac91 + return dentry->d_sb->s_dev; +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return dentry->d_inode->i_ino; ++} ++ +void gr_put_exec_file(struct task_struct *task) +{ + return; @@ -81399,10 +81441,10 @@ index 41b30fd..a3718cf 100644 { diff --git a/include/linux/gracl.h b/include/linux/gracl.h new file mode 100644 -index 0000000..edb2cb6 +index 0000000..91858e4 --- /dev/null +++ b/include/linux/gracl.h -@@ -0,0 +1,340 @@ +@@ -0,0 +1,342 @@ +#ifndef GR_ACL_H +#define GR_ACL_H + 
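Review bot: The `gr_acl_handle_filldir` stub in the grsec_disabled.c hunk `@@ -76868` still takes `const int namelen` while the prototype in include/linux/grsecurity.h (`@@ -82628`) and the real definition in gracl.c declare `const unsigned int namelen`; since the line is being rewritten anyway for the `u64` change, aligning it now removes the mismatch (whether this currently compiles depends on whether grsec_disabled.c includes that header, which is not visible here). The new `gr_get_ino_from_dentry` stub at `@@ -76977` returns the raw `i_ino` without the btrfs handling its gracl.c counterpart has, which is fine because the disabled `gr_handle_delete` ignores its arguments, but a one-line comment saying so would stop a reader from "fixing" it: `/* RBAC disabled: the value is never consumed, so the btrfs-aware lookup is not needed here */`. The same stubs appear in the 3.2.67 patch at `@@ -76111` and `@@ -76220`.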
@@ -81414,8 +81456,8 @@ index 0000000..edb2cb6 + +/* Major status information */ + -+#define GR_VERSION "grsecurity 3.0" -+#define GRSECURITY_VERSION 0x3000 ++#define GR_VERSION "grsecurity 3.1" ++#define GRSECURITY_VERSION 0x3100 + +enum { + GR_SHUTDOWN = 0, @@ -81460,7 +81502,7 @@ index 0000000..edb2cb6 + +struct name_entry { + __u32 key; -+ ino_t inode; ++ u64 inode; + dev_t device; + char *name; + __u16 len; @@ -81508,7 +81550,7 @@ index 0000000..edb2cb6 + +struct acl_subject_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + kernel_cap_t cap_mask; @@ -81596,7 +81638,7 @@ index 0000000..edb2cb6 + +struct acl_object_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + @@ -81632,7 +81674,7 @@ index 0000000..edb2cb6 + unsigned char sp_role[GR_SPROLE_LEN]; + struct sprole_pw *sprole_pws; + dev_t segv_device; -+ ino_t segv_inode; ++ u64 segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; @@ -81704,9 +81746,11 @@ index 0000000..edb2cb6 +} + +static __inline__ unsigned int -+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) ++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz) +{ -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); ++ unsigned int rem; ++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem); ++ return rem; +} + +static __inline__ unsigned int @@ -81745,7 +81789,7 @@ index 0000000..edb2cb6 + diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h new file mode 100644 -index 0000000..33ebd1f +index 0000000..af64092 --- /dev/null +++ b/include/linux/gracl_compat.h @@ -0,0 +1,156 @@ @@ -81772,7 +81816,7 @@ index 0000000..33ebd1f + +struct acl_subject_label_compat { + compat_uptr_t filename; -+ compat_ino_t inode; ++ compat_u64 inode; + __u32 device; + __u32 mode; + kernel_cap_t cap_mask; 
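Review bot: `gr_fhash()` in the `@@ -81704` hunk switches from `%` to `div_u64_rem()` without saying why, and that is the kind of change the next maintainer reverts for "simplicity": with `ino` now `u64`, a plain `% sz` on a 32-bit kernel needs `__umoddi3`, which the kernel does not provide. A comment such as `/* u64 % u32 would pull in __umoddi3 on 32-bit; use the kernel's div helper instead */` belongs on the call, and gracl.h should be confirmed to include `<linux/math64.h>` (or to get it transitively), since no include change is visible in this chunk. Note that `(dev << 9)` is still evaluated at `dev_t` width before the promotion to `u64`, so the top bits of large device numbers are discarded before mixing; that is pre-existing and presumably only affects distribution rather than correctness, as the same function is used on insert and on lookup. The 3.2.67 patch carries the identical hunk at `@@ -81190`.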
@@ -81860,7 +81904,7 @@ index 0000000..33ebd1f + +struct acl_object_label_compat { + compat_uptr_t filename; -+ compat_ino_t inode; ++ compat_u64 inode; + __u32 device; + __u32 mode; + @@ -81892,7 +81936,7 @@ index 0000000..33ebd1f + unsigned char sp_role[GR_SPROLE_LEN]; + compat_uptr_t sprole_pws; + __u32 segv_device; -+ compat_ino_t segv_inode; ++ compat_u64 segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; @@ -82428,10 +82472,10 @@ index 0000000..26ef560 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by " diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h new file mode 100644 -index 0000000..6c76fcb +index 0000000..63c1850 --- /dev/null +++ b/include/linux/grsecurity.h -@@ -0,0 +1,249 @@ +@@ -0,0 +1,250 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -82599,7 +82643,7 @@ index 0000000..6c76fcb + const struct vfsmount *parent_mnt); +__u32 gr_acl_handle_rmdir(const struct dentry *dentry, + const struct vfsmount *mnt); -+void gr_handle_delete(const ino_t ino, const dev_t dev); ++void gr_handle_delete(const u64 ino, const dev_t dev); +__u32 gr_acl_handle_unlink(const struct dentry *dentry, + const struct vfsmount *mnt); +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry, @@ -82628,7 +82672,7 @@ index 0000000..6c76fcb + const struct dentry *old_dentry, + const struct vfsmount *old_mnt); +int gr_acl_handle_filldir(const struct file *file, const char *name, -+ const unsigned int namelen, const ino_t ino); ++ const unsigned int namelen, const u64 ino); + +__u32 gr_acl_handle_unix(const struct dentry *dentry, + const struct vfsmount *mnt); 
@@ -82639,6 +82683,7 @@ index 0000000..6c76fcb +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode); +void gr_audit_ptrace(struct task_struct *task); +dev_t gr_get_dev_from_dentry(struct dentry *dentry); ++u64 gr_get_ino_from_dentry(struct dentry *dentry); +void gr_put_exec_file(struct task_struct *task); + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); diff --git a/3.18.7/4470_disable-compat_vdso.patch b/3.18.7/4470_disable-compat_vdso.patch index df785ab..0a0c524 100644 --- a/3.18.7/4470_disable-compat_vdso.patch +++ b/3.18.7/4470_disable-compat_vdso.patch @@ -26,7 +26,7 @@ Closes bug: http://bugs.gentoo.org/show_bug.cgi?id=210138 diff -urp a/arch/x86/Kconfig b/arch/x86/Kconfig --- a/arch/x86/Kconfig 2009-07-31 01:36:57.323857684 +0100 +++ b/arch/x86/Kconfig 2009-07-31 01:51:39.395749681 +0100 -@@ -1904,29 +1904,8 @@ +@@ -1908,29 +1908,8 @@ config COMPAT_VDSO def_bool n diff --git a/3.2.67/0000_README b/3.2.67/0000_README index deb8dff..c7f6e15 100644 --- a/3.2.67/0000_README +++ b/3.2.67/0000_README @@ -186,7 +186,7 @@ Patch: 1066_linux-3.2.67.patch From: http://www.kernel.org Desc: Linux 3.2.67 -Patch: 4420_grsecurity-3.0-3.2.67-201502200807.patch +Patch: 4420_grsecurity-3.1-3.2.67-201502222131.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch b/3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch similarity index 99% rename from 3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch rename to 3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch index 880a085..f77ebd7 100644 --- a/3.2.67/4420_grsecurity-3.0-3.2.67-201502200807.patch +++ b/3.2.67/4420_grsecurity-3.1-3.2.67-201502222131.patch @@ -62235,7 +62235,7 @@ index 4d46a6a..dee1cdf 100644 static int __init init_minix_fs(void) { diff --git a/fs/namei.c b/fs/namei.c -index c8b13a9..09cc61e 100644 +index c8b13a9..2ec69cd 100644 --- a/fs/namei.c 
+++ b/fs/namei.c @@ -279,16 +279,32 @@ int generic_permission(struct inode *inode, int mask) @@ -62645,7 +62645,7 @@ index c8b13a9..09cc61e 100644 char * name; struct dentry *dentry; struct nameidata nd; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; error = user_path_parent(dfd, pathname, &nd, &name); @@ -62655,7 +62655,7 @@ index c8b13a9..09cc61e 100644 goto exit3; } + -+ saved_ino = dentry->d_inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) { @@ -62679,7 +62679,7 @@ index c8b13a9..09cc61e 100644 struct dentry *dentry; struct nameidata nd; struct inode *inode = NULL; -+ ino_t saved_ino = 0; ++ u64 saved_ino = 0; + dev_t saved_dev = 0; error = user_path_parent(dfd, pathname, &nd, &name); @@ -62690,7 +62690,7 @@ index c8b13a9..09cc61e 100644 ihold(inode); + + if (inode->i_nlink <= 1) { -+ saved_ino = inode->i_ino; ++ saved_ino = gr_get_ino_from_dentry(dentry); + saved_dev = gr_get_dev_from_dentry(dentry); + } + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) { @@ -68659,10 +68659,10 @@ index 0000000..30ababb +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..99cbce0 +index 0000000..1b75b8a --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,2845 @@ +@@ -0,0 +1,2873 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> 
@@ -68774,11 +68774,26 @@ index 0000000..99cbce0 + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +dev_t gr_get_dev_from_dentry(struct dentry *dentry) +{ + return __get_dev(dentry); +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return __get_ino(dentry); ++} ++ +static char gr_task_roletype_to_char(struct task_struct *task) +{ + switch (task->role->roletype & @@ -69115,7 +69130,7 @@ index 0000000..99cbce0 +} + +struct acl_subject_label * -+lookup_acl_subj_label(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -69135,7 +69150,7 @@ index 0000000..99cbce0 +} + +struct acl_subject_label * -+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, ++lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, + const struct acl_role_label *role) +{ + unsigned int index = gr_fhash(ino, dev, role->subj_hash_size); @@ -69155,7 +69170,7 @@ index 0000000..99cbce0 +} + +static struct acl_object_label * -+lookup_acl_obj_label(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); @@ -69175,7 +69190,7 @@ index 0000000..99cbce0 +} + +static struct acl_object_label * -+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev, ++lookup_acl_obj_label_create(const u64 ino, const dev_t dev, + const struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size); 
@@ -69256,7 +69271,7 @@ index 0000000..99cbce0 +} + +static struct inodev_entry * -+lookup_inodev_entry(const ino_t ino, const dev_t dev) ++lookup_inodev_entry(const u64 ino, const dev_t dev) +{ + unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -69481,7 +69496,7 @@ index 0000000..99cbce0 + +static struct acl_object_label * +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt, -+ const ino_t curr_ino, const dev_t curr_dev, ++ const u64 curr_ino, const dev_t curr_dev, + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + struct acl_subject_label *tmpsubj; @@ -69512,7 +69527,7 @@ index 0000000..99cbce0 + const struct acl_subject_label *subj, char **path, const int checkglob) +{ + int newglob = checkglob; -+ ino_t inode; ++ u64 inode; + dev_t device; + + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking @@ -69524,7 +69539,7 @@ index 0000000..99cbce0 + newglob = GR_NO_GLOB; + + spin_lock(&curr_dentry->d_lock); -+ inode = curr_dentry->d_inode->i_ino; ++ inode = __get_ino(curr_dentry); + device = __get_dev(curr_dentry); + spin_unlock(&curr_dentry->d_lock); + @@ -69640,7 +69655,7 @@ index 0000000..99cbce0 + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); + retval = -+ lookup_acl_subj_label(dentry->d_inode->i_ino, ++ lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -69654,7 +69669,7 @@ index 0000000..99cbce0 + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + parent = dentry->d_parent; 
@@ -69668,7 +69683,7 @@ index 0000000..99cbce0 + + spin_lock(&dentry->d_lock); + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(dentry), + __get_dev(dentry), role); + read_unlock(&gr_inode_lock); + spin_unlock(&dentry->d_lock); @@ -69676,7 +69691,7 @@ index 0000000..99cbce0 + if (unlikely(retval == NULL)) { + /* gr_real_root is pinned, we don't need to hold a reference */ + read_lock(&gr_inode_lock); -+ retval = lookup_acl_subj_label(gr_real_root.dentry->d_inode->i_ino, ++ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry), + __get_dev(gr_real_root.dentry), role); + read_unlock(&gr_inode_lock); + } @@ -69804,14 +69819,27 @@ index 0000000..99cbce0 + return; + + for (i = 0; i < RLIM_NLIMITS; i++) { ++ unsigned long rlim_cur, rlim_max; ++ + if (!(proc->resmask & (1U << i))) + continue; + -+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur; -+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max; ++ rlim_cur = proc->res[i].rlim_cur; ++ rlim_max = proc->res[i].rlim_max; ++ ++ if (i == RLIMIT_NOFILE) { ++ unsigned long saved_sysctl_nr_open = sysctl_nr_open; ++ if (rlim_cur > saved_sysctl_nr_open) ++ rlim_cur = saved_sysctl_nr_open; ++ if (rlim_max > saved_sysctl_nr_open) ++ rlim_max = saved_sysctl_nr_open; ++ } ++ ++ task->signal->rlim[i].rlim_cur = rlim_cur; ++ task->signal->rlim[i].rlim_max = rlim_max; + + if (i == RLIMIT_CPU) -+ update_rlimit_cpu(task, proc->res[i].rlim_cur); ++ update_rlimit_cpu(task, rlim_cur); + } + + return; @@ -70479,7 +70507,7 @@ index 0000000..99cbce0 + +/* always called with valid inodev ptr */ +static void -+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev) ++do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev) +{ + struct acl_object_label *matchpo; + struct acl_subject_label *matchps; 
@@ -70507,7 +70535,7 @@ index 0000000..99cbce0 +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + struct inodev_entry *inodev; + @@ -70524,8 +70552,8 @@ index 0000000..99cbce0 +} + +static void -+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_obj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_subject_label *subj) +{ + unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size); @@ -70563,8 +70591,8 @@ index 0000000..99cbce0 +} + +static void -+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice, ++update_acl_subj_label(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice, + struct acl_role_label *role) +{ + unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size); @@ -70602,8 +70630,8 @@ index 0000000..99cbce0 +} + +static void -+update_inodev_entry(const ino_t oldinode, const dev_t olddevice, -+ const ino_t newinode, const dev_t newdevice) ++update_inodev_entry(const u64 oldinode, const dev_t olddevice, ++ const u64 newinode, const dev_t newdevice) +{ + unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size); + struct inodev_entry *match; @@ -70639,7 +70667,7 @@ index 0000000..99cbce0 +} + +static void -+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev) ++__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev) +{ + struct acl_subject_label *subj; + struct acl_role_label *role; 
@@ -70672,7 +70700,7 @@ index 0000000..99cbce0 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry, + const struct vfsmount *mnt) +{ -+ ino_t ino = dentry->d_inode->i_ino; ++ u64 ino = __get_ino(dentry); + dev_t dev = __get_dev(dentry); + + __do_handle_create(matchn, ino, dev); @@ -70731,7 +70759,7 @@ index 0000000..99cbce0 + struct name_entry *matchn; + struct inodev_entry *inodev; + struct inode *inode = new_dentry->d_inode; -+ ino_t old_ino = old_dentry->d_inode->i_ino; ++ u64 old_ino = __get_ino(old_dentry); + dev_t old_dev = __get_dev(old_dentry); + + /* vfs_rename swaps the name and parent link for old_dentry and @@ -70754,7 +70782,7 @@ index 0000000..99cbce0 + + write_lock(&gr_inode_lock); + if (unlikely(replace && inode)) { -+ ino_t new_ino = inode->i_ino; ++ u64 new_ino = __get_ino(new_dentry); + dev_t new_dev = __get_dev(new_dentry); + + inodev = lookup_inodev_entry(new_ino, new_dev); @@ -71408,7 +71436,7 @@ index 0000000..99cbce0 + return 0; +} + -+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino) ++int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino) +{ + struct task_struct *task = current; + struct dentry *dentry = file->f_path.dentry; @@ -71745,10 +71773,10 @@ index 0000000..b2ec14c + diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c new file mode 100644 -index 0000000..ca25605 +index 0000000..a43dd06 --- /dev/null +++ b/grsecurity/gracl_compat.c -@@ -0,0 +1,270 @@ +@@ -0,0 +1,269 @@ +#include <linux/kernel.h> +#include <linux/gracl.h> +#include <linux/compat.h> 
@@ -71763,8 +71791,7 @@ index 0000000..ca25605 + if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat))) + return -EFAULT; + -+ if (((uwrapcompat.version != GRSECURITY_VERSION) && -+ (uwrapcompat.version != 0x2901)) || ++ if ((uwrapcompat.version != GRSECURITY_VERSION) || + (uwrapcompat.size != sizeof(struct gr_arg_compat))) + return -EINVAL; + @@ -73071,10 +73098,10 @@ index 0000000..25f54ef +}; diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c new file mode 100644 -index 0000000..94ef7e60 +index 0000000..62916b2 --- /dev/null +++ b/grsecurity/gracl_policy.c -@@ -0,0 +1,1781 @@ +@@ -0,0 +1,1780 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -73153,8 +73180,8 @@ index 0000000..94ef7e60 +extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role); +extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name); +extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt); -+extern struct acl_subject_label *lookup_acl_subj_label(const ino_t ino, const dev_t dev, const struct acl_role_label *role); -+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role); ++extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role); +extern void assign_special_role(const char *rolename); +extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role); +extern int gr_rbac_disable(void *unused); 
@@ -73237,8 +73264,7 @@ index 0000000..94ef7e60 + if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper))) + return -EFAULT; + -+ if (((uwrap->version != GRSECURITY_VERSION) && -+ (uwrap->version != 0x2901)) || ++ if ((uwrap->version != GRSECURITY_VERSION) || + (uwrap->size != sizeof(struct gr_arg))) + return -EINVAL; + @@ -73423,7 +73449,7 @@ index 0000000..94ef7e60 +} + +static int -+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted) ++insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted) +{ + struct name_entry **curr, *nentry; + struct inodev_entry *ientry; @@ -74932,10 +74958,10 @@ index 0000000..39645c9 +} diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c new file mode 100644 -index 0000000..266766a +index 0000000..275df2d --- /dev/null +++ b/grsecurity/gracl_segv.c -@@ -0,0 +1,309 @@ +@@ -0,0 +1,320 @@ +#include <linux/kernel.h> +#include <linux/mm.h> +#include <asm/uaccess.h> @@ -74966,7 +74992,7 @@ index 0000000..266766a +static DEFINE_SPINLOCK(gr_uid_lock); +extern rwlock_t gr_inode_lock; +extern struct acl_subject_label * -+ lookup_acl_subj_label(const ino_t inode, const dev_t dev, ++ lookup_acl_subj_label(const u64 inode, const dev_t dev, + struct acl_role_label *role); + +static inline dev_t __get_dev(const struct dentry *dentry) @@ -74979,6 +75005,16 @@ index 0000000..266766a + return dentry->d_sb->s_dev; +} + ++static inline u64 __get_ino(const struct dentry *dentry) ++{ ++#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE) ++ if (dentry->d_sb->s_magic == BTRFS_SUPER_MAGIC) ++ return btrfs_ino(dentry->d_inode); ++ else ++#endif ++ return dentry->d_inode->i_ino; ++} ++ +int +gr_init_uidset(void) +{ 
@@ -75195,13 +75231,14 @@ index 0000000..266766a +gr_check_crash_exec(const struct file *filp) +{ + struct acl_subject_label *curr; ++ struct dentry *dentry; + + if (unlikely(!gr_acl_is_enabled())) + return 0; + + read_lock(&gr_inode_lock); -+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino, -+ __get_dev(filp->f_path.dentry), ++ dentry = filp->f_path.dentry; ++ curr = lookup_acl_subj_label(__get_ino(dentry), __get_dev(dentry), + current->role); + read_unlock(&gr_inode_lock); + @@ -75779,10 +75816,10 @@ index 0000000..bf944ab +} diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c new file mode 100644 -index 0000000..a9ab1fe +index 0000000..7ef20f0 --- /dev/null +++ b/grsecurity/grsec_disabled.c -@@ -0,0 +1,447 @@ +@@ -0,0 +1,452 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -75911,7 +75948,7 @@ index 0000000..a9ab1fe +} + +void -+gr_handle_delete(const ino_t ino, const dev_t dev) ++gr_handle_delete(const u64 ino, const dev_t dev) +{ + return; +} @@ -76111,7 +76148,7 @@ index 0000000..a9ab1fe + +int +gr_acl_handle_filldir(const struct file *file, const char *name, -+ const int namelen, const ino_t ino) ++ const int namelen, const u64 ino) +{ + return 1; +} @@ -76220,6 +76257,11 @@ index 0000000..a9ab1fe + return dentry->d_sb->s_dev; +} + ++u64 gr_get_ino_from_dentry(struct dentry *dentry) ++{ ++ return dentry->d_inode->i_ino; ++} ++ +void gr_put_exec_file(struct task_struct *task) +{ + return; @@ -80885,10 +80927,10 @@ index 3a76faf..c0592c7 100644 { diff --git a/include/linux/gracl.h b/include/linux/gracl.h new file mode 100644 -index 0000000..edb2cb6 +index 0000000..91858e4 --- /dev/null +++ b/include/linux/gracl.h -@@ -0,0 +1,340 @@ +@@ -0,0 +1,342 @@ +#ifndef GR_ACL_H +#define GR_ACL_H + 
@@ -80900,8 +80942,8 @@ index 0000000..edb2cb6 + +/* Major status information */ + -+#define GR_VERSION "grsecurity 3.0" -+#define GRSECURITY_VERSION 0x3000 ++#define GR_VERSION "grsecurity 3.1" ++#define GRSECURITY_VERSION 0x3100 + +enum { + GR_SHUTDOWN = 0, @@ -80946,7 +80988,7 @@ index 0000000..edb2cb6 + +struct name_entry { + __u32 key; -+ ino_t inode; ++ u64 inode; + dev_t device; + char *name; + __u16 len; @@ -80994,7 +81036,7 @@ index 0000000..edb2cb6 + +struct acl_subject_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + kernel_cap_t cap_mask; @@ -81082,7 +81124,7 @@ index 0000000..edb2cb6 + +struct acl_object_label { + char *filename; -+ ino_t inode; ++ u64 inode; + dev_t device; + __u32 mode; + @@ -81118,7 +81160,7 @@ index 0000000..edb2cb6 + unsigned char sp_role[GR_SPROLE_LEN]; + struct sprole_pw *sprole_pws; + dev_t segv_device; -+ ino_t segv_inode; ++ u64 segv_inode; + uid_t segv_uid; + __u16 num_sprole_pws; + __u16 mode; @@ -81190,9 +81232,11 @@ index 0000000..edb2cb6 +} + +static __inline__ unsigned int -+gr_fhash(const ino_t ino, const dev_t dev, const unsigned int sz) ++gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz) +{ -+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz); ++ unsigned int rem; ++ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem); ++ return rem; +} + +static __inline__ unsigned int @@ -81231,7 +81275,7 @@ index 0000000..edb2cb6 + diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h new file mode 100644 -index 0000000..33ebd1f +index 0000000..af64092 --- /dev/null +++ b/include/linux/gracl_compat.h @@ -0,0 +1,156 @@ @@ -81258,7 +81302,7 @@ index 0000000..33ebd1f + +struct acl_subject_label_compat { + compat_uptr_t filename; -+ compat_ino_t inode; ++ compat_u64 inode; + __u32 device; + __u32 mode; + kernel_cap_t cap_mask; 
@@ -81346,7 +81390,7 @@ index 0000000..33ebd1f
 +
 +struct acl_object_label_compat {
 + compat_uptr_t filename;
-+ compat_ino_t inode;
++ compat_u64 inode;
 + __u32 device;
 + __u32 mode;
 +
@@ -81378,7 +81422,7 @@ index 0000000..33ebd1f
 + unsigned char sp_role[GR_SPROLE_LEN];
 + compat_uptr_t sprole_pws;
 + __u32 segv_device;
-+ compat_ino_t segv_inode;
++ compat_u64 segv_inode;
 + uid_t segv_uid;
 + __u16 num_sprole_pws;
 + __u16 mode;
@@ -81922,10 +81966,10 @@ index 0000000..26ef560
 +#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..083dbf1
+index 0000000..a9066b5
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,238 @@
+@@ -0,0 +1,239 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -82092,7 +82136,7 @@ index 0000000..083dbf1
 + const struct vfsmount *parent_mnt);
 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
 + const struct vfsmount *mnt);
-+void gr_handle_delete(const ino_t ino, const dev_t dev);
++void gr_handle_delete(const u64 ino, const dev_t dev);
 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
 + const struct vfsmount *mnt);
 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
@@ -82121,7 +82165,7 @@ index 0000000..083dbf1
 + const struct dentry *old_dentry,
 + const struct vfsmount *old_mnt);
 +int gr_acl_handle_filldir(const struct file *file, const char *name,
-+ const unsigned int namelen, const ino_t ino);
++ const unsigned int namelen, const u64 ino);
 +
 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
 + const struct vfsmount *mnt);
@@ -82132,6 +82176,7 @@ index 0000000..083dbf1 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode); +void gr_audit_ptrace(struct task_struct *task); +dev_t gr_get_dev_from_dentry(struct dentry *dentry); ++u64 gr_get_ino_from_dentry(struct dentry *dentry); +void gr_put_exec_file(struct task_struct *task); + +int gr_ptrace_readexec(struct file *file, int unsafe_flags); diff --git a/3.2.67/4450_grsec-kconfig-default-gids.patch b/3.2.67/4450_grsec-kconfig-default-gids.patch index 9456d08..26dedae 100644 --- a/3.2.67/4450_grsec-kconfig-default-gids.patch +++ b/3.2.67/4450_grsec-kconfig-default-gids.patch @@ -16,7 +16,7 @@ from shooting themselves in the foot. diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2012-10-13 09:51:35.000000000 -0400 +++ b/grsecurity/Kconfig 2012-10-13 09:52:32.000000000 -0400 -@@ -666,7 +666,7 @@ +@@ -682,7 +682,7 @@ config GRKERNSEC_AUDIT_GID int "GID for auditing" depends on GRKERNSEC_AUDIT_GROUP @@ -25,7 +25,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig config GRKERNSEC_EXECLOG bool "Exec logging" -@@ -897,7 +897,7 @@ +@@ -913,7 +913,7 @@ config GRKERNSEC_TPE_UNTRUSTED_GID int "GID for TPE-untrusted users" depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT @@ -34,7 +34,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *enabled* for. If the sysctl option is enabled, a sysctl option -@@ -906,7 +906,7 @@ +@@ -922,7 +922,7 @@ config GRKERNSEC_TPE_TRUSTED_GID int "GID for TPE-trusted users" depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT @@ -43,7 +43,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Setting this GID determines what group TPE restrictions will be *disabled* for. If the sysctl option is enabled, a sysctl option -@@ -991,7 +991,7 @@ +@@ -1007,7 +1007,7 @@ config GRKERNSEC_SOCKET_ALL_GID int "GID to deny all sockets for" depends on GRKERNSEC_SOCKET_ALL 
@@ -52,7 +52,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable socket access for. Remember to add the users you want socket access disabled for to the GID -@@ -1012,7 +1012,7 @@ +@@ -1028,7 +1028,7 @@ config GRKERNSEC_SOCKET_CLIENT_GID int "GID to deny client sockets for" depends on GRKERNSEC_SOCKET_CLIENT @@ -61,7 +61,7 @@ diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig help Here you can choose the GID to disable client socket access for. Remember to add the users you want client socket access disabled for to -@@ -1030,7 +1030,7 @@ +@@ -1046,7 +1046,7 @@ config GRKERNSEC_SOCKET_SERVER_GID int "GID to deny server sockets for" depends on GRKERNSEC_SOCKET_SERVER diff --git a/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch index ed1cb9b..f73d198 100644 --- a/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch +++ b/3.2.67/4465_selinux-avc_audit-log-curr_ip.patch @@ -28,7 +28,7 @@ Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lore...@gnu.org> diff -Naur a/grsecurity/Kconfig b/grsecurity/Kconfig --- a/grsecurity/Kconfig 2011-04-17 19:25:54.000000000 -0400 +++ b/grsecurity/Kconfig 2011-04-17 19:32:53.000000000 -0400 -@@ -1125,6 +1125,27 @@ +@@ -1141,6 +1141,27 @@ menu "Logging Options" depends on GRKERNSEC