* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.4/
@ 2012-02-05 16:40 Anthony G. Basile
From: Anthony G. Basile @ 2012-02-05 16:40 UTC (permalink / raw
  To: gentoo-commits

commit:     37cbbcacda2762cc7a054330ae8df40dd5ec9e62
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb  5 16:40:33 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 16:40:33 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=37cbbcac

Renumbered patches

---
 2.6.32/0000_README                                 |   27 +++++++++++--------
 ... => 4430_grsec-remove-localversion-grsec.patch} |    0
 ...rnings.patch => 4435_grsec-mute-warnings.patch} |    0
 ...tch => 4440_grsec-remove-protected-paths.patch} |    0
 ...ec.patch => 4445_grsec-pax-without-grsec.patch} |    0
 ...patch => 4450_grsec-kconfig-default-gids.patch} |    0
 ...entoo.patch => 4455_grsec-kconfig-gentoo.patch} |    0
 ...er.patch => 4460-grsec-kconfig-proc-user.patch} |    0
 ...ch => 4465_selinux-avc_audit-log-curr_ip.patch} |    0
 ...t_vdso.patch => 4470_disable-compat_vdso.patch} |    0
 ...heck_ssp_fix.patch => 4475_check_ssp_fix.patch} |    0
 3.2.4/0000_README                                  |   21 +++++++++------
 ... => 4430_grsec-remove-localversion-grsec.patch} |    0
 ...rnings.patch => 4435_grsec-mute-warnings.patch} |    0
 ...tch => 4440_grsec-remove-protected-paths.patch} |    0
 ...ec.patch => 4445_grsec-pax-without-grsec.patch} |    0
 ...patch => 4450_grsec-kconfig-default-gids.patch} |    0
 ...entoo.patch => 4455_grsec-kconfig-gentoo.patch} |    0
 ...er.patch => 4460-grsec-kconfig-proc-user.patch} |    0
 ...ch => 4465_selinux-avc_audit-log-curr_ip.patch} |    0
 ...t_vdso.patch => 4470_disable-compat_vdso.patch} |    0
 21 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index f0c7190..ecd453e 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -22,46 +22,51 @@ Patch:	4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
-Patch:	4421_grsec-remove-localversion-grsec.patch
+Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file
 
-Patch:	4422_grsec-mute-warnings.patch
+Patch:	4435_grsec-mute-warnings.patch
 From:	Alexander Gabert <gaberta@fh-trier.de>
 	Gordon Malm <gengor@gentoo.org>
 Desc:	Removes verbose compile warning settings from grsecurity, restores
 	mainline Linux kernel behavior
 
-Patch:	4423_grsec-remove-protected-paths.patch
+Patch:	4440_grsec-remove-protected-paths.patch
 From:	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Removes chmod statements from grsecurity/Makefile
 
-Patch:	4425_grsec-pax-without-grsec.patch
+Patch:	4445_grsec-pax-without-grsec.patch
 From:	Gordon Malm <gengor@gentoo.org>
 Desc:	Allows PaX features to be selected without enabling GRKERNSEC
 
-Patch:	4430_grsec-kconfig-default-gids.patch
+Patch:	4450_grsec-kconfig-default-gids.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Sets sane(r) default GIDs on various grsecurity group-dependent
 	features
 
-Patch:	4435_grsec-kconfig-gentoo.patch
+Patch:	4455_grsec-kconfig-gentoo.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Kerin Millar <kerframil@gmail.com>
 	Anthony G. Basile <blueness@gentoo.org>
-Desc:	Adds Hardened Gentoo [server/workstation/virtualization] security levels,
-	sets Hardened Gentoo [workstation] as default
+Desc:	Adds Hardened Gentoo [server/workstation/virtualization] security
+	levels, sets Hardened Gentoo [workstation] as default
 
-Patch:	4440_selinux-avc_audit-log-curr_ip.patch
+Patch:	4460-grsec-kconfig-proc-user.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
+	exclusive to avoid bug #366019.
+
+Patch:	4465_selinux-avc_audit-log-curr_ip.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Configurable option to add src IP address to SELinux log messages
 
-Patch:	4445_disable-compat_vdso.patch
+Patch:	4470_disable-compat_vdso.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Kerin Millar <kerframil@gmail.com>
 Desc:	Disables VDSO_COMPAT operation completely
 
-Patch:	4450_check_ssp_fix.patch
+Patch:	4475_check_ssp_fix.patch
 From:	Magnus Granberg <zorry@gentoo.org>
 Desc:	Fixes kernel check script for ssp

diff --git a/2.6.32/4421_grsec-remove-localversion-grsec.patch b/2.6.32/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 2.6.32/4421_grsec-remove-localversion-grsec.patch
rename to 2.6.32/4430_grsec-remove-localversion-grsec.patch

diff --git a/2.6.32/4422_grsec-mute-warnings.patch b/2.6.32/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 2.6.32/4422_grsec-mute-warnings.patch
rename to 2.6.32/4435_grsec-mute-warnings.patch

diff --git a/2.6.32/4423_grsec-remove-protected-paths.patch b/2.6.32/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 2.6.32/4423_grsec-remove-protected-paths.patch
rename to 2.6.32/4440_grsec-remove-protected-paths.patch

diff --git a/2.6.32/4425_grsec-pax-without-grsec.patch b/2.6.32/4445_grsec-pax-without-grsec.patch
similarity index 100%
rename from 2.6.32/4425_grsec-pax-without-grsec.patch
rename to 2.6.32/4445_grsec-pax-without-grsec.patch

diff --git a/2.6.32/4430_grsec-kconfig-default-gids.patch b/2.6.32/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 2.6.32/4430_grsec-kconfig-default-gids.patch
rename to 2.6.32/4450_grsec-kconfig-default-gids.patch

diff --git a/2.6.32/4435_grsec-kconfig-gentoo.patch b/2.6.32/4455_grsec-kconfig-gentoo.patch
similarity index 100%
rename from 2.6.32/4435_grsec-kconfig-gentoo.patch
rename to 2.6.32/4455_grsec-kconfig-gentoo.patch

diff --git a/2.6.32/4437-grsec-kconfig-proc-user.patch b/2.6.32/4460-grsec-kconfig-proc-user.patch
similarity index 100%
rename from 2.6.32/4437-grsec-kconfig-proc-user.patch
rename to 2.6.32/4460-grsec-kconfig-proc-user.patch

diff --git a/2.6.32/4440_selinux-avc_audit-log-curr_ip.patch b/2.6.32/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 2.6.32/4440_selinux-avc_audit-log-curr_ip.patch
rename to 2.6.32/4465_selinux-avc_audit-log-curr_ip.patch

diff --git a/2.6.32/4445_disable-compat_vdso.patch b/2.6.32/4470_disable-compat_vdso.patch
similarity index 100%
rename from 2.6.32/4445_disable-compat_vdso.patch
rename to 2.6.32/4470_disable-compat_vdso.patch

diff --git a/2.6.32/4450_check_ssp_fix.patch b/2.6.32/4475_check_ssp_fix.patch
similarity index 100%
rename from 2.6.32/4450_check_ssp_fix.patch
rename to 2.6.32/4475_check_ssp_fix.patch

diff --git a/3.2.4/0000_README b/3.2.4/0000_README
index 97fce67..ce0507d 100644
--- a/3.2.4/0000_README
+++ b/3.2.4/0000_README
@@ -14,42 +14,47 @@ Patch:	4420_grsecurity-2.2.2-3.2.4-201202032052.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
-Patch:	4421_grsec-remove-localversion-grsec.patch
+Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file
 
-Patch:	4422_grsec-mute-warnings.patch
+Patch:	4435_grsec-mute-warnings.patch
 From:	Alexander Gabert <gaberta@fh-trier.de>
 	Gordon Malm <gengor@gentoo.org>
 Desc:	Removes verbose compile warning settings from grsecurity, restores
 	mainline Linux kernel behavior
 
-Patch:	4423_grsec-remove-protected-paths.patch
+Patch:	4440_grsec-remove-protected-paths.patch
 From:	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Removes chmod statements from grsecurity/Makefile
 
-Patch:	4425_grsec-pax-without-grsec.patch
+Patch:	4445_grsec-pax-without-grsec.patch
 From:	Gordon Malm <gengor@gentoo.org>
 Desc:	Allows PaX features to be selected without enabling GRKERNSEC
 
-Patch:	4430_grsec-kconfig-default-gids.patch
+Patch:	4450_grsec-kconfig-default-gids.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Sets sane(r) default GIDs on various grsecurity group-dependent
 	features
 
-Patch:	4435_grsec-kconfig-gentoo.patch
+Patch:	4455_grsec-kconfig-gentoo.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Kerin Millar <kerframil@gmail.com>
 	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Adds Hardened Gentoo [server/workstation/virtualization] security levels,
 	sets Hardened Gentoo [workstation] as default
 
-Patch:	4440_selinux-avc_audit-log-curr_ip.patch
+Patch:	4460-grsec-kconfig-proc-user.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Make GRKERNSEC_PROC_USER, and GRKERNSEC_PROC_USERGROUP mutually
+	exclusive to avoid bug #366019.
+
+Patch:	4465_selinux-avc_audit-log-curr_ip.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Anthony G. Basile <blueness@gentoo.org>
 Desc:	Configurable option to add src IP address to SELinux log messages
 
-Patch:	4445_disable-compat_vdso.patch
+Patch:	4470_disable-compat_vdso.patch
 From:	Gordon Malm <gengor@gentoo.org>
 	Kerin Millar <kerframil@gmail.com>
 Desc:	Disables VDSO_COMPAT operation completely

diff --git a/3.2.4/4421_grsec-remove-localversion-grsec.patch b/3.2.4/4430_grsec-remove-localversion-grsec.patch
similarity index 100%
rename from 3.2.4/4421_grsec-remove-localversion-grsec.patch
rename to 3.2.4/4430_grsec-remove-localversion-grsec.patch

diff --git a/3.2.4/4422_grsec-mute-warnings.patch b/3.2.4/4435_grsec-mute-warnings.patch
similarity index 100%
rename from 3.2.4/4422_grsec-mute-warnings.patch
rename to 3.2.4/4435_grsec-mute-warnings.patch

diff --git a/3.2.4/4423_grsec-remove-protected-paths.patch b/3.2.4/4440_grsec-remove-protected-paths.patch
similarity index 100%
rename from 3.2.4/4423_grsec-remove-protected-paths.patch
rename to 3.2.4/4440_grsec-remove-protected-paths.patch

diff --git a/3.2.4/4425_grsec-pax-without-grsec.patch b/3.2.4/4445_grsec-pax-without-grsec.patch
similarity index 100%
rename from 3.2.4/4425_grsec-pax-without-grsec.patch
rename to 3.2.4/4445_grsec-pax-without-grsec.patch

diff --git a/3.2.4/4430_grsec-kconfig-default-gids.patch b/3.2.4/4450_grsec-kconfig-default-gids.patch
similarity index 100%
rename from 3.2.4/4430_grsec-kconfig-default-gids.patch
rename to 3.2.4/4450_grsec-kconfig-default-gids.patch

diff --git a/3.2.4/4435_grsec-kconfig-gentoo.patch b/3.2.4/4455_grsec-kconfig-gentoo.patch
similarity index 100%
rename from 3.2.4/4435_grsec-kconfig-gentoo.patch
rename to 3.2.4/4455_grsec-kconfig-gentoo.patch

diff --git a/3.2.4/4437-grsec-kconfig-proc-user.patch b/3.2.4/4460-grsec-kconfig-proc-user.patch
similarity index 100%
rename from 3.2.4/4437-grsec-kconfig-proc-user.patch
rename to 3.2.4/4460-grsec-kconfig-proc-user.patch

diff --git a/3.2.4/4440_selinux-avc_audit-log-curr_ip.patch b/3.2.4/4465_selinux-avc_audit-log-curr_ip.patch
similarity index 100%
rename from 3.2.4/4440_selinux-avc_audit-log-curr_ip.patch
rename to 3.2.4/4465_selinux-avc_audit-log-curr_ip.patch

diff --git a/3.2.4/4445_disable-compat_vdso.patch b/3.2.4/4470_disable-compat_vdso.patch
similarity index 100%
rename from 3.2.4/4445_disable-compat_vdso.patch
rename to 3.2.4/4470_disable-compat_vdso.patch




* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.4/
@ 2012-02-05 17:57 Anthony G. Basile
From: Anthony G. Basile @ 2012-02-05 17:57 UTC (permalink / raw
  To: gentoo-commits

commit:     75455382c3059eef047c91f69b9c93cc9c6641ed
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Feb  5 17:57:22 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 17:57:22 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=75455382

Added patch to unlock PAX_XATTR_PAX_FLAGS option

---
 2.6.32/0000_README                   |    4 ++++
 2.6.32/4425_grsec_enable_xtpax.patch |   16 ++++++++++++++++
 3.2.4/0000_README                    |    4 ++++
 3.2.4/4425_grsec_enable_xtpax.patch  |   16 ++++++++++++++++
 4 files changed, 40 insertions(+), 0 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index ecd453e..cb858f1 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -22,6 +22,10 @@ Patch:	4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
+Patch:	4425_grsec_enable_xtpax.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Unlock PAX_XATTR_PAX_FLAGS option
+
 Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file

diff --git a/2.6.32/4425_grsec_enable_xtpax.patch b/2.6.32/4425_grsec_enable_xtpax.patch
new file mode 100644
index 0000000..9735ecf
--- /dev/null
+++ b/2.6.32/4425_grsec_enable_xtpax.patch
@@ -0,0 +1,16 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Unlock PAX_XATTR_PAX_FLAGS option
+
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig	2012-02-05 12:24:37.000000000 -0500
++++ b/security/Kconfig	2012-02-05 12:25:04.000000000 -0500
+@@ -92,7 +92,7 @@
+ 
+ config PAX_XATTR_PAX_FLAGS
+ 	bool 'Use filesystem extended attributes marking'
+-	depends on EXPERT
++#	depends on EXPERT
+ 	select CIFS_XATTR if CIFS
+ 	select EXT2_FS_XATTR if EXT2_FS
+ 	select EXT3_FS_XATTR if EXT3_FS
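Review bot: The `depends on EXPERT` line in this new patch is commented out (`#	depends on EXPERT`) rather than deleted, which leaves dead text in security/Kconfig and makes it easy for a later rebase to silently restore the dependency; a removed line, `-	depends on EXPERT` with no replacement, states the intent more clearly. The patch preamble gives only "Unlock PAX_XATTR_PAX_FLAGS option" and no reason the EXPERT gate is being dropped for hardened-sources users, so a one-line rationale there would help whoever next reconciles this against upstream Kconfig. The same blob is added byte-for-byte under 3.2.4/ in the following file section, so any change here should be mirrored there.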

diff --git a/3.2.4/0000_README b/3.2.4/0000_README
index ce0507d..39e914d 100644
--- a/3.2.4/0000_README
+++ b/3.2.4/0000_README
@@ -14,6 +14,10 @@ Patch:	4420_grsecurity-2.2.2-3.2.4-201202032052.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
+Patch:	4425_grsec_enable_xtpax.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Unlock PAX_XATTR_PAX_FLAGS option
+
 Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file

diff --git a/3.2.4/4425_grsec_enable_xtpax.patch b/3.2.4/4425_grsec_enable_xtpax.patch
new file mode 100644
index 0000000..9735ecf
--- /dev/null
+++ b/3.2.4/4425_grsec_enable_xtpax.patch
@@ -0,0 +1,16 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+Unlock PAX_XATTR_PAX_FLAGS option
+
+diff -Naur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig	2012-02-05 12:24:37.000000000 -0500
++++ b/security/Kconfig	2012-02-05 12:25:04.000000000 -0500
+@@ -92,7 +92,7 @@
+ 
+ config PAX_XATTR_PAX_FLAGS
+ 	bool 'Use filesystem extended attributes marking'
+-	depends on EXPERT
++#	depends on EXPERT
+ 	select CIFS_XATTR if CIFS
+ 	select EXT2_FS_XATTR if EXT2_FS
+ 	select EXT3_FS_XATTR if EXT3_FS




* [gentoo-commits] proj/hardened-patchset:master commit in: 2.6.32/, 3.2.4/
@ 2012-02-07 23:41 Anthony G. Basile
From: Anthony G. Basile @ 2012-02-07 23:41 UTC (permalink / raw
  To: gentoo-commits

commit:     857b85562ea0d3b6d3011f743cfa70fcd2a73ebc
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Mon Feb  6 23:14:55 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Feb  6 23:14:55 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=857b8556

Grsec/PaX: 2.2.2-2.6.32.56-201202051926 + 2.2.2-3.2.4-201202051927

---
 2.6.32/0000_README                                 |    2 +-
 ..._grsecurity-2.2.2-2.6.32.56-201202051926.patch} |   56 +++++++++++++++----
 3.2.4/0000_README                                  |    2 +-
 ...4420_grsecurity-2.2.2-3.2.4-201202051927.patch} |   56 +++++++++++++++----
 4 files changed, 90 insertions(+), 26 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index cb858f1..6a881db 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -18,7 +18,7 @@ Patch:	1055_linux-2.6.32.56.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.56
 
-Patch:	4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
+Patch:	4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
rename to 2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
index c0e9b3a..b3de8e3 100644
--- a/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202032051.patch
+++ b/2.6.32/4420_grsecurity-2.2.2-2.6.32.56-201202051926.patch
@@ -64705,7 +64705,7 @@ index 0000000..0dc13c3
 +EXPORT_SYMBOL(gr_log_timechange);
 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
 new file mode 100644
-index 0000000..a35ba33
+index 0000000..07e0dc0
 --- /dev/null
 +++ b/grsecurity/grsec_tpe.c
 @@ -0,0 +1,73 @@
@@ -64756,7 +64756,7 @@ index 0000000..a35ba33
 +		msg2 = "file in group-writable directory";
 +
 +	if (msg && msg2) {
-+		char fullmsg[64] = {0};
++		char fullmsg[70] = {0};
 +		snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
 +		gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
 +		return 0;
@@ -67139,7 +67139,7 @@ index 0000000..3826b91
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b3347e2
+index 0000000..7f62b30
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,109 @@
@@ -67177,7 +67177,7 @@ index 0000000..b3347e2
 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
-+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
@@ -67254,10 +67254,10 @@ index 0000000..b3347e2
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..ebba836
+index 0000000..c597c46
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,217 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -67273,12 +67273,6 @@ index 0000000..ebba836
 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
 +#endif
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
 +#endif
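Review bot: The two `#error` guards removed in this hunk, the ones that refuse a build when CONFIG_PAX_NOEXEC or the ASLR randomisation options are enabled without CONFIG_PAX_EI_PAX or CONFIG_PAX_PT_PAX_FLAGS, are dropped outright rather than widened, so a configuration with no PaX marking method at all now compiles silently. The earlier commit in this thread makes PAX_XATTR_PAX_FLAGS selectable, which is presumably why a two-way check became wrong; if so, the guard should gain a third clause instead of disappearing, e.g. `#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS) && !defined(CONFIG_PAX_XATTR_PAX_FLAGS)`, with the matching change on the ASLR line. Whether upstream grsecurity intends these guards to go is not visible from this hunk, so it is worth confirming before carrying the patch. The identical deletion appears in the 3.2.4 copy of the patch at the `@@ -59003,12 +59003,6 @@` hunk.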
@@ -69462,6 +69456,44 @@ index a8cc4e1..98d3b85 100644
  			u32 val;
  			u32 flags;
  			u32 bitset;
+diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
+index 1eb44a9..f582df3 100644
+--- a/include/linux/tracehook.h
++++ b/include/linux/tracehook.h
+@@ -69,12 +69,12 @@ static inline int tracehook_expect_breakpoints(struct task_struct *task)
+ /*
+  * ptrace report for syscall entry and exit looks identical.
+  */
+-static inline void ptrace_report_syscall(struct pt_regs *regs)
++static inline int ptrace_report_syscall(struct pt_regs *regs)
+ {
+ 	int ptrace = task_ptrace(current);
+ 
+ 	if (!(ptrace & PT_PTRACED))
+-		return;
++		return 0;
+ 
+ 	ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
+ 
+@@ -87,6 +87,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ 		send_sig(current->exit_code, current, 1);
+ 		current->exit_code = 0;
+ 	}
++
++	return fatal_signal_pending(current);
+ }
+ 
+ /**
+@@ -111,8 +113,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ static inline __must_check int tracehook_report_syscall_entry(
+ 	struct pt_regs *regs)
+ {
+-	ptrace_report_syscall(regs);
+-	return 0;
++	return ptrace_report_syscall(regs);
+ }
+ 
+ /**
 diff --git a/include/linux/tty.h b/include/linux/tty.h
 index e9c57e9..ee6d489 100644
 --- a/include/linux/tty.h

diff --git a/3.2.4/0000_README b/3.2.4/0000_README
index 39e914d..285da06 100644
--- a/3.2.4/0000_README
+++ b/3.2.4/0000_README
@@ -10,7 +10,7 @@ Patch:	1003_linux-3.2.4.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.4
 
-Patch:	4420_grsecurity-2.2.2-3.2.4-201202032052.patch
+Patch:	4420_grsecurity-2.2.2-3.2.4-201202051927.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
similarity index 99%
rename from 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
rename to 3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
index 9b95205..b2dcf41 100644
--- a/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202032052.patch
+++ b/3.2.4/4420_grsecurity-2.2.2-3.2.4-201202051927.patch
@@ -56770,7 +56770,7 @@ index 0000000..0dc13c3
 +EXPORT_SYMBOL(gr_log_timechange);
 diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
 new file mode 100644
-index 0000000..a35ba33
+index 0000000..07e0dc0
 --- /dev/null
 +++ b/grsecurity/grsec_tpe.c
 @@ -0,0 +1,73 @@
@@ -56821,7 +56821,7 @@ index 0000000..a35ba33
 +		msg2 = "file in group-writable directory";
 +
 +	if (msg && msg2) {
-+		char fullmsg[64] = {0};
++		char fullmsg[70] = {0};
 +		snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
 +		gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
 +		return 0;
@@ -58870,7 +58870,7 @@ index 0000000..da390f1
 +#endif
 diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
 new file mode 100644
-index 0000000..b3347e2
+index 0000000..7f62b30
 --- /dev/null
 +++ b/include/linux/grmsg.h
 @@ -0,0 +1,109 @@
@@ -58908,7 +58908,7 @@ index 0000000..b3347e2
 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
-+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.64s) of %.950s by "
++#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
@@ -58985,10 +58985,10 @@ index 0000000..b3347e2
 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
 diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
 new file mode 100644
-index 0000000..eb4885f
+index 0000000..cb9f1c1
 --- /dev/null
 +++ b/include/linux/grsecurity.h
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,227 @@
 +#ifndef GR_SECURITY_H
 +#define GR_SECURITY_H
 +#include <linux/fs.h>
@@ -59003,12 +59003,6 @@ index 0000000..eb4885f
 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
 +#endif
-+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
-+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
-+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
-+#endif
 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
 +#endif
@@ -60895,6 +60889,44 @@ index 703cfa3..0b8ca72ac 100644
  extern int proc_dointvec(struct ctl_table *, int,
  			 void __user *, size_t *, loff_t *);
  extern int proc_dointvec_minmax(struct ctl_table *, int,
+diff --git a/include/linux/tracehook.h b/include/linux/tracehook.h
+index a71a292..51bd91d 100644
+--- a/include/linux/tracehook.h
++++ b/include/linux/tracehook.h
+@@ -54,12 +54,12 @@ struct linux_binprm;
+ /*
+  * ptrace report for syscall entry and exit looks identical.
+  */
+-static inline void ptrace_report_syscall(struct pt_regs *regs)
++static inline int ptrace_report_syscall(struct pt_regs *regs)
+ {
+ 	int ptrace = current->ptrace;
+ 
+ 	if (!(ptrace & PT_PTRACED))
+-		return;
++		return 0;
+ 
+ 	ptrace_notify(SIGTRAP | ((ptrace & PT_TRACESYSGOOD) ? 0x80 : 0));
+ 
+@@ -72,6 +72,8 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ 		send_sig(current->exit_code, current, 1);
+ 		current->exit_code = 0;
+ 	}
++
++	return fatal_signal_pending(current);
+ }
+ 
+ /**
+@@ -96,8 +98,7 @@ static inline void ptrace_report_syscall(struct pt_regs *regs)
+ static inline __must_check int tracehook_report_syscall_entry(
+ 	struct pt_regs *regs)
+ {
+-	ptrace_report_syscall(regs);
+-	return 0;
++	return ptrace_report_syscall(regs);
+ }
+ 
+ /**
 diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
 index ff7dc08..893e1bd 100644
 --- a/include/linux/tty_ldisc.h



