--- zzzz-none-000/linux-2.6.19.2/fs/fcntl.c	2007-01-10 19:10:37.000000000 +0000
+++ davinci-8020-5505/linux-2.6.19.2/fs/fcntl.c	2007-01-19 14:42:56.000000000 +0000
@@ -18,6 +18,7 @@
 #include <linux/ptrace.h>
 #include <linux/signal.h>
 #include <linux/rcupdate.h>
+#include <linux/grsecurity.h>
 
 #include <asm/poll.h>
 #include <asm/siginfo.h>
@@ -63,6 +64,7 @@
 	struct fdtable *fdt;
 
 	error = -EINVAL;
+	gr_learn_resource(current, RLIMIT_NOFILE, orig_start, 0);
 	if (orig_start >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
 		goto out;
 
@@ -83,6 +85,7 @@
 	}
 	
 	error = -EMFILE;
+	gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
 	if (newfd >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
 		goto out;
 
@@ -141,6 +144,8 @@
 	struct files_struct * files = current->files;
 	struct fdtable *fdt;
 
+	gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
+
 	spin_lock(&files->file_lock);
 	if (!(file = fcheck(oldfd)))
 		goto out_unlock;
@@ -459,7 +464,8 @@
 	return (((fown->euid == 0) ||
 		 (fown->euid == p->suid) || (fown->euid == p->uid) ||
 		 (fown->uid == p->suid) || (fown->uid == p->uid)) &&
-		!security_file_send_sigiotask(p, fown, sig));
+		!security_file_send_sigiotask(p, fown, sig) &&
+		!gr_check_protected_task(p) && !gr_pid_is_chrooted(p));
 }
 
 static void send_sigio_to_task(struct task_struct *p,