diff -Nrup linux-2.6.16/grsecurity/Kconfig linux-2.6.16-reslog/grsecurity/Kconfig --- linux-2.6.16/grsecurity/Kconfig 2006-07-06 15:36:47.000000000 -0400 +++ linux-2.6.16-reslog/grsecurity/Kconfig 2006-07-06 15:34:41.000000000 -0400 @@ -573,7 +573,9 @@ config GRKERNSEC_RESLOG help If you say Y here, all attempts to overstep resource limits will be logged with the resource name, the requested size, and the current - limit. It is highly recommended that you say Y here. + limit. It is highly recommended that you say Y here. If the sysctl + option is enabled, a sysctl option with name "resource_logging" is + created. If the RBAC system is enabled this option is always on. config GRKERNSEC_CHROOT_EXECLOG bool "Log execs within chroot" diff -Nrup linux-2.6.16/grsecurity/gracl_res.c linux-2.6.16-reslog/grsecurity/gracl_res.c --- linux-2.6.16/grsecurity/gracl_res.c 2006-07-06 15:36:47.000000000 -0400 +++ linux-2.6.16-reslog/grsecurity/gracl_res.c 2006-07-06 14:30:28.000000000 -0400 @@ -35,7 +35,8 @@ gr_log_resource(const struct task_struct if (unlikely(((gt && wanted > task->signal->rlim[res].rlim_cur) || (!gt && wanted >= task->signal->rlim[res].rlim_cur)) && task->signal->rlim[res].rlim_cur != RLIM_INFINITY)) - gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur); + if (gr_acl_is_enabled() || grsec_resource_logging) + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], task->signal->rlim[res].rlim_cur); preempt_enable_no_resched(); return; diff -Nrup linux-2.6.16/grsecurity/grsec_init.c linux-2.6.16-reslog/grsecurity/grsec_init.c --- linux-2.6.16/grsecurity/grsec_init.c 2006-07-06 15:36:47.000000000 -0400 +++ linux-2.6.16-reslog/grsecurity/grsec_init.c 2006-07-06 14:32:04.000000000 -0400 @@ -47,6 +47,7 @@ int grsec_socket_client_gid; int grsec_enable_socket_server; int grsec_socket_server_gid; int grsec_lock; +int grsec_resource_logging; spinlock_t grsec_alert_lock = SPIN_LOCK_UNLOCKED; unsigned long grsec_alert_wtime = 0; @@ -162,6 +163,9 @@ grsecurity_init(void) #ifdef CONFIG_GRKERNSEC_TIME grsec_enable_time = 1; #endif +#ifdef CONFIG_GRKERNSEC_RELOG + grsec_resource_logging = 1; +#endif #ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK grsec_enable_chroot_findtask = 1; #endif diff -Nrup linux-2.6.16/grsecurity/grsec_sysctl.c linux-2.6.16-reslog/grsecurity/grsec_sysctl.c --- linux-2.6.16/grsecurity/grsec_sysctl.c 2006-07-06 15:36:47.000000000 -0400 +++ linux-2.6.16-reslog/grsecurity/grsec_sysctl.c 2006-07-06 15:31:02.000000000 -0400 @@ -29,7 +29,7 @@ gr_handle_sysctl_mod(const char *dirname #if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_MODSTOP) enum {GS_LINK=1, GS_FIFO, GS_EXECVE, GS_EXECLOG, GS_SIGNAL, -GS_FORKFAIL, GS_TIME, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT, +GS_FORKFAIL, GS_TIME, GS_RESLOG, GS_CHROOT_SHMAT, GS_CHROOT_UNIX, GS_CHROOT_MNT, GS_CHROOT_FCHDIR, GS_CHROOT_DBL, GS_CHROOT_PVT, GS_CHROOT_CD, GS_CHROOT_CM, GS_CHROOT_MK, GS_CHROOT_NI, GS_CHROOT_EXECLOG, GS_CHROOT_CAPS, GS_CHROOT_SYSCTL, GS_TPE, GS_TPE_GID, GS_TPE_ALL, GS_SIDCAPS, @@ -111,6 +111,16 @@ ctl_table grsecurity_table[] = { .proc_handler = &proc_dointvec, }, #endif +#ifdef CONFIG_GRKERNSEC_RESLOG + { + .ctl_name = GS_RESLOG, + .procname = "resource_logging", + .data = &grsec_resource_logging, + .maxlen = sizeof(int), + .mode = 0600, + .proc_handler = &proc_dointvec, + }, +#endif #ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT { .ctl_name = GS_CHROOT_SHMAT, diff -Nrup linux-2.6.16/include/linux/grinternal.h linux-2.6.16-reslog/include/linux/grinternal.h --- linux-2.6.16/include/linux/grinternal.h 2006-07-06 15:36:47.000000000 -0400 +++ linux-2.6.16-reslog/include/linux/grinternal.h 2006-07-06 14:32:53.000000000 -0400 @@ -71,6 +71,7 @@ extern int grsec_enable_audit_textrel; extern int grsec_enable_mount; extern int grsec_enable_chdir; extern int grsec_lock; +extern int grsec_resource_logging; extern struct task_struct *child_reaper;