--- ./kernel/sysctl.c.mps	Wed Nov  5 23:41:29 2003
+++ ./kernel/sysctl.c	Wed Nov  5 23:44:37 2003
@@ -300,7 +300,7 @@
 GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT,
 GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, 
 GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC,
-GS_FINDTASK, GS_LOCK};
+GS_FINDTASK, GS_IO, GS_LOCK};
 
 static ctl_table grsecurity_table[] = {
 	{GS_ACL,"acl", NULL, sizeof(int), 0600, NULL, &gr_proc_handler},
@@ -466,6 +466,10 @@
 	{GS_FINDTASK, "chroot_findtask", &grsec_enable_chroot_findtask, 
 	 sizeof (int), 0600, NULL, &proc_dointvec},
 #endif
+#ifdef CONFIG_GRKERNSEC_IO
+	{GS_IO, "secure_io", &grsec_enable_secure_io, 
+	 sizeof (int), 0600, NULL, &proc_dointvec},
+#endif
 	{GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL,
 	 &proc_dointvec},
 #endif
--- ./grsecurity/grsec_init.c.mps	Wed Nov  5 23:48:04 2003
+++ ./grsecurity/grsec_init.c	Wed Nov  5 23:50:44 2003
@@ -46,6 +46,7 @@
 int grsec_socket_client_gid;
 int grsec_enable_socket_server;
 int grsec_socket_server_gid;
+int grsec_enable_secure_io;
 int grsec_lock;
 
 spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED;
@@ -198,6 +199,9 @@
 	grsec_enable_socket_server = 1;
 	grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
 #endif
+#ifdef CONFIG_GRKERNSEC_IO
+	grsec_enable_secure_io = 1;
+#endif
 #endif
 
 	return;
--- arch/i386/kernel/ioport.c.mps	Mon Dec  8 16:35:39 2003
+++ arch/i386/kernel/ioport.c	Mon Dec  8 17:03:27 2003
@@ -60,16 +60,15 @@
 
 	if ((from + num <= from) || (from + num > IO_BITMAP_SIZE*32))
 		return -EINVAL;
-#ifdef CONFIG_GRKERNSEC_IO
+	if (grsec_enable_secure_io) {
 	if (turn_on) {
 		gr_handle_ioperm();
-#else
+		return -EPERM;
+	} else
 	if (turn_on && !capable(CAP_SYS_RAWIO))
-#endif
 		return -EPERM;
-#ifdef CONFIG_GRKERNSEC_IO
 	}
-#endif
+
 	/*
 	 * If it's the first ioperm() call in this thread's lifetime, set the
 	 * IO bitmap up. ioperm() is much less timing critical than clone(),
@@ -118,13 +117,12 @@
 		return -EINVAL;
 	/* Trying to gain more privileges? */
 	if (level > old) {
-#ifdef CONFIG_GRKERNSEC_IO
+	    if (grsec_enable_secure_io) {
 		gr_handle_iopl();
 		return -EPERM;
-#else
+	    } else
 		if (!capable(CAP_SYS_RAWIO))
 			return -EPERM;
-#endif
 	}
 	regs->eflags = (regs->eflags & 0xffffcfff) | (level << 12);
 	return 0;
--- include/linux/grsecurity.h.mps	Mon Dec  8 17:10:23 2003
+++ include/linux/grsecurity.h	Mon Dec  8 17:08:38 2003
@@ -164,6 +164,7 @@
 extern int grsec_enable_randisn;
 extern int grsec_enable_randsrc;
 extern int grsec_enable_randrpc;
+extern int grsec_enable_secure_io;
 #endif
 
 #endif