--- linux-2.4.28/kernel/sysctl.c.secure_kmem~ 2005-01-07 20:52:44.000000000 +0100 +++ linux-2.4.28/kernel/sysctl.c 2005-01-07 21:00:20.000000000 +0100 @@ -322,7 +322,7 @@ GS_SOCKET_ALL, GS_SOCKET_ALL_GID, GS_SOCKET_CLIENT, GS_SOCKET_CLIENT_GID, GS_SOCKET_SERVER, GS_SOCKET_SERVER_GID, GS_GROUP, GS_GID, GS_ACHDIR, GS_AMOUNT, GS_AIPC, GS_DMSG, GS_RANDRPC, -GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_LOCK}; +GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_KMEM, GS_LOCK}; static ctl_table grsecurity_table[] = { #ifdef CONFIG_GRKERNSEC_LINK @@ -498,6 +498,10 @@ {GS_IO, "secure_io", &grsec_enable_secure_io, sizeof (int), 0600, NULL, &proc_dointvec}, #endif +#ifdef CONFIG_GRKERNSEC_KMEM + {GS_KMEM, "secure_kmem", &grsec_enable_secure_kmem, + sizeof (int), 0600, NULL, &proc_dointvec}, +#endif {GS_LOCK, "grsec_lock", &grsec_lock, sizeof (int), 0600, NULL, &proc_dointvec}, {0} --- linux-2.4.28/include/linux/grsecurity.h.secure_kmem~ 2005-01-07 20:52:44.000000000 +0100 +++ linux-2.4.28/include/linux/grsecurity.h 2005-01-07 21:00:20.000000000 +0100 @@ -175,6 +175,7 @@ extern unsigned long get_random_long(void); extern int grsec_enable_secure_io; +extern int grsec_enable_secure_kmem; extern int grsec_enable_dmesg; extern int grsec_enable_randid; extern int grsec_enable_randisn; --- linux-2.4.28/drivers/char/mem.c.secure_kmem~ 2005-01-07 20:39:27.000000000 +0100 +++ linux-2.4.28/drivers/char/mem.c 2005-01-07 21:00:20.000000000 +0100 @@ -123,9 +123,11 @@ unsigned long p = *ppos; unsigned long end_mem; -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC + if (grsec_enable_secure_kmem) { gr_handle_mem_write(); return -EPERM; + } #endif end_mem = __pa(high_memory); @@ -200,9 +202,11 @@ { unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC + if (grsec_enable_secure_kmem) { if (gr_handle_mem_mmap(offset, vma)) return -EPERM; + } #endif 
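Review bot: Inserting GS_KMEM before GS_LOCK renumbers GS_LOCK, and these constants appear to be the ctl_name field of the grsecurity_table entries below, i.e. the number userspace hands to sysctl(2); any caller that addresses grsec_lock by number would now reach secure_kmem instead. Appending the new constant after the last existing one keeps the established values stable: `GS_TEXTREL, GS_FINDTASK, GS_SHM, GS_IO, GS_LOCK, GS_KMEM};`. The enum begins before this hunk, so whether any earlier constant is already used numerically is not visible here.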
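Review bot: The new secure_kmem entry in the @@ -498 hunk turns the /dev/mem, /dev/kmem and /dev/port restriction into a runtime switch, so the protection only lasts as long as nobody with write access to the 0600 node clears it; whether grsec_lock freezes this entry like the other grsecurity sysctls is not visible in the hunk, and the entry should say what it relies on. A comment above the entry such as `/* runtime switch for the mem.c checks; must be frozen by grsec_lock or the restriction is reversible at runtime */` records that dependency. The grsecurity_table initializer starts and ends outside the hunk.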
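Review bot: In the mem.c @@ -123 hunk the guard changes from `#ifdef CONFIG_GRKERNSEC_KMEM` to `#ifdef CONFIG_GRKERNSEC`, so gr_handle_mem_write() is now referenced in every grsecurity build, including ones with CONFIG_GRKERNSEC_KMEM disabled; unless that helper, together with gr_handle_mem_mmap(), gr_handle_kmem_write() and gr_handle_open_port(), is compiled unconditionally under CONFIG_GRKERNSEC (not visible here), such a configuration fails to link. The same applies to the @@ -200, @@ -305, @@ -565 and @@ -631 hunks. In that configuration grsec_enable_secure_kmem also stays 0 with no sysctl to set it, so the new branch is dead code; either keep an inner `#ifdef CONFIG_GRKERNSEC_KMEM` around the block or state in a comment above it that the gr_handle_* helpers are always built when CONFIG_GRKERNSEC is set. Each enclosing function starts before its hunk and continues after it.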
@@ -305,9 +309,11 @@ ssize_t virtr = 0; char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC + if (grsec_enable_secure_kmem) { gr_handle_kmem_write(); return -EPERM; + } #endif if (p < (unsigned long) high_memory) { @@ -565,9 +571,11 @@ static int open_port(struct inode * inode, struct file * filp) { -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC + if (grsec_enable_secure_kmem) { gr_handle_open_port(); return -EPERM; + } #endif return capable(CAP_SYS_RAWIO) ? 0 : -EPERM; } @@ -631,9 +639,11 @@ unsigned long offset = vma->vm_pgoff << PAGE_SHIFT; unsigned long size = vma->vm_end - vma->vm_start; -#ifdef CONFIG_GRKERNSEC_KMEM +#ifdef CONFIG_GRKERNSEC + if (grsec_enable_secure_kmem) { if (gr_handle_mem_mmap(offset, vma)) return -EPERM; + } #endif /* --- linux-2.4.28/grsecurity/grsec_init.c.secure_kmem~ 2005-01-07 20:52:44.000000000 +0100 +++ linux-2.4.28/grsecurity/grsec_init.c 2005-01-07 21:00:20.000000000 +0100 @@ -50,6 +50,7 @@ int grsec_enable_socket_server; int grsec_socket_server_gid; int grsec_enable_secure_io; +int grsec_enable_secure_kmem; int grsec_lock; spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; @@ -245,6 +246,9 @@ #ifdef CONFIG_GRKERNSEC_IO grsec_enable_secure_io = 1; #endif +#ifdef CONFIG_GRKERNSEC_KMEM + grsec_enable_secure_kmem = 1; +#endif #endif return;
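Review bot: In the grsec_init.c @@ -245 hunk, `grsec_enable_secure_kmem = 1` sits inside an enclosing conditional block whose condition is outside the hunk; following the grsec_enable_secure_io line it mirrors, this looks like the branch taken only when the sysctl interface is compiled out. If so, builds with the sysctl interface leave the flag at its zero-initialized value, and the mem.c checks are inactive from boot until userspace writes secure_kmem, which should be stated where the flag is defined, e.g. `/* starts at 0 when the sysctl interface is built in; mem.c checks are off until secure_kmem is set */`. The definition in the @@ -50 hunk is unconditional while this default is under CONFIG_GRKERNSEC_KMEM, which matches mem.c reading the flag under plain CONFIG_GRKERNSEC. The enclosing init function starts before the hunk.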