core revision

26 files changed, 1417 insertions, 562 deletions

diff --git a/core/conf/fstab b/core/conf/fstab
index da3c9dd..d3fc878 100644
--- a/core/conf/fstab
+++ b/core/conf/fstab
@@ -13,9 +13,20 @@
 #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
 #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
 #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
-devpts                 /dev/pts  devpts    noexec,nosuid,gid=tty,mode=0620  0      0
 #tmp                   /tmp      tmpfs     defaults                         0      0
 #shm                   /dev/shm  tmpfs     defaults                         0      0
 #usb                   /proc/bus/usb usbfs defaults                         0      0
 
 # End of file
+#/dev/sda3 on / type ext4 (rw,relatime,data=ordered)
+#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / 		ext4	ro,relatime,data=ordered			0	1
+/dev/sda3  				   / 		ext4	defaults,noatime,ro				0	1
+devpts                 		           /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+UUID=3b408790-65e1-4638-9591-7ba61f266913  /boot	ext4	defaults,ro,noatime		  		0	0
+UUID=962D-0DE1				   /boot/efi	vfat	ro,noauto,umask=0077      			0	0  
+UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237  /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
+UUID=20bd3948-0877-4192-af52-ad87d6f96db0  /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
+UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	defaults,ro,nodev,errors=remount-ro		0	0
+pkgmk                                      /usr/ports/work tmpfs   size=30G,gid=101,uid=100,defaults 		0 	0
+UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	defaults,nodev,errors=remount-ro		0	0
+UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4    defaults,nodev,nosuid,errors=remount-ro		0	0
diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf
index 3533ba7..4ef372e 100644
--- a/core/conf/pkgmk.conf
+++ b/core/conf/pkgmk.conf
@@ -2,7 +2,7 @@
 # /etc/pkgmk.conf: pkgmk(8) configuration
 #
 
-export CFLAGS="-O2 -march=x86-64"
+export CFLAGS="-O2 -march=native -mtune=native"
 export CXXFLAGS="${CFLAGS}"
 
 export MAKEFLAGS="-j4"
@@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in
 		;;
 esac
 
-PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
+#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
 PKGMK_SOURCE_DIR="/usr/ports/distfiles"
 PKGMK_PACKAGE_DIR="/usr/ports/packages"
 PKGMK_WORK_DIR="/usr/ports/work/$name"
diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf
index f6b6d16..0504d3e 100644
--- a/core/conf/prt-get.conf
+++ b/core/conf/prt-get.conf
@@ -38,7 +38,7 @@ logfile  /usr/ports/pkgbuild/%n-%v-%r.log
 readme verbose           # (verbose|compact|disabled)
 
 ### prefer higher versions in sysup / diff
-preferhigher no      # (yes|no)
+#preferhigher yes      # (yes|no)
 
 ### use regexp search
 # useregex no        # (yes|no)
@@ -51,7 +51,7 @@ runscripts yes            # (no|yes)
 ### EXPERT SECTION ###
 
 ### alternative commands
-makecommand      sudo -H -u pkgmk fakeroot pkgmk
+makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
 addcommand       sudo pkgadd
 removecommand    sudo pkgrm
 runscriptcommand sudo sh
diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan
index 8800148..86910bc 100755
--- a/core/conf/rc.d/wlan
+++ b/core/conf/rc.d/wlan
@@ -15,7 +15,6 @@ PID_WIFI=/var/run/wpa_supplicant.pid
 OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV"
 OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV"
 
-
 print_status() {
 	$SSD --status --pidfile $2
 	case $? in
@@ -35,7 +34,13 @@ case $1 in
 	stop)
 		( $SSD --stop --retry 10 --pidfile $PID_DHCP 
 		  $SSD --stop --retry 10 --pidfile $PID_WIFI )
+
 		RETVAL=$?
+		  /sbin/ip route del default dev ${DEV}
+                  /sbin/ip route flush dev ${DEV}
+                  /sbin/ip link set ${DEV} down
+                  /sbin/ip addr flush dev ${DEV}
+
 		;;
 	restart)
 		$0 stop
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index b419628..b60d3e6 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,20 +3,420 @@
 #
 
 kernel.printk = 15 1 1 4
+kernel.randomize_va_space = 1
+kernel.shmmax = 500000000
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+
+#
+# Memory Protections
+#
+
+#  If you say Y here, all ioperm and iopl calls will return an error.
+#  Ioperm and iopl can be used to modify the running kernel.
+#  Unfortunately, some programs need this access to operate properly,
+#  the most notable of which are XFree86 and hwclock.  hwclock can be
+#  remedied by having RTC support in the kernel, so real-time 
+#  clock support is enabled if this option is enabled, to ensure 
+#  that hwclock operates correctly.
+#  
+#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+#  you may not be able to boot into a graphical environment with this
+#  option enabled.  In this case, you should use the RBAC system instead.
+#kernel.grsecurity.disable_priv_io = 1
+kernel.grsecurity.disable_priv_io = 0
+
+#  If you say Y here, attempts to bruteforce exploits against forking
+#  daemons such as apache or sshd, as well as against suid/sgid binaries
+#  will be deterred.  When a child of a forking daemon is killed by PaX
+#  or crashes due to an illegal instruction or other suspicious signal,
+#  the parent process will be delayed 30 seconds upon every subsequent
+#  fork until the administrator is able to assess the situation and
+#  restart the daemon.
+#  In the suid/sgid case, the attempt is logged, the user has all their
+#  existing instances of the suid/sgid binary terminated and will
+#  be unable to execute any suid/sgid binaries for 15 minutes.
+#  
+#  It is recommended that you also enable signal logging in the auditing
+#  section so that logs are generated when a process triggers a suspicious
+#  signal.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "deter_bruteforce" is created.
+#kernel.grsecurity.deter_bruteforce = 1
+
+#
+# Filesystem Protections
+#
+
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+
+#  If you say Y here, /tmp race exploits will be prevented, since users
+#  will no longer be able to follow symlinks owned by other users in
+#  world-writable +t directories (e.g. /tmp), unless the owner of the
+#  symlink is the owner of the directory. users will also not be
+#  able to hardlink to files they do not own.  If the sysctl option is
+#  enabled, a sysctl option with name "linking_restrictions" is created.
+kernel.grsecurity.linking_restrictions = 1
+
+
+#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+#  that prevents it from being used as a security feature.  As Apache
+#  verifies the symlink by performing a stat() against the target of
+#  the symlink before it is followed, an attacker can setup a symlink
+#  to point to a same-owned file, then replace the symlink with one
+#  that targets another user's file just after Apache "validates" the
+#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+#  will be in place for the group you specify. If the sysctl option
+#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+#  created.
+#kernel.grsecurity.enforce_symlinksifowner = 1
+#kernel.grsecurity.symlinkown_gid = 33
+
+#  if you say Y here, users will not be able to write to FIFOs they don't
+#  own in world-writable +t directories (e.g. /tmp), unless the owner of
+#  the FIFO is the same owner of the directory it's held in.  If the sysctl
+#  option is enabled, a sysctl option with name "fifo_restrictions" is
+#  created.
+#kernel.grsecurity.fifo_restrictions = 1
+
+#  If you say Y here, a sysctl option with name "romount_protect" will
+#  be created.  By setting this option to 1 at runtime, filesystems
+#  will be protected in the following ways:
+#  * No new writable mounts will be allowed
+#  * Existing read-only mounts won't be able to be remounted read/write
+#  * Write operations will be denied on all block devices
+#  This option acts independently of grsec_lock: once it is set to 1,
+#  it cannot be turned off.  Therefore, please be mindful of the resulting
+#  behavior if this option is enabled in an init script on a read-only
+#  filesystem.
+#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+#  and GRKERNSEC_IO should be enabled and module loading disabled via
+#  config or at runtime.
+#  This feature is mainly intended for secure embedded systems.
+#kernel.grsecurity.romount_protect = 0
+
+#  if you say Y here, the capabilities on all processes within a
+#  chroot jail will be lowered to stop module insertion, raw i/o,
+#  system and net admin tasks, rebooting the system, modifying immutable
+#  files, modifying IPC owned by another, and changing the system time.
+#  This is left an option because it can break some apps.  Disable this
+#  if your chrooted apps are having problems performing those kinds of
+#  tasks.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_caps" is created.
+kernel.grsecurity.chroot_caps = 1
+
+#kernel.grsecurity.chroot_deny_bad_rename = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chmod
+#  or fchmod files to make them have suid or sgid bits.  This protects
+#  against another published method of breaking a chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+#  created.
+kernel.grsecurity.chroot_deny_chmod     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to chroot
+#  again outside the chroot.  This is a widely used method of breaking
+#  out of a chroot jail and should not be allowed.  If the sysctl 
+#  option is enabled, a sysctl option with name 
+#  "chroot_deny_chroot" is created.
+kernel.grsecurity.chroot_deny_chroot    = 1
+
+#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+#  to a file descriptor of the chrooting process that points to a directory
+#  outside the filesystem will be stopped.  If the sysctl option
+#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+kernel.grsecurity.chroot_deny_fchdir = 1
+
+#  If you say Y here, processes inside a chroot will not be allowed to
+#  mknod.  The problem with using mknod inside a chroot is that it
+#  would allow an attacker to create a device entry that is the same
+#  as one on the physical root of your system, which could range from
+#  anything from the console device to a device for your harddrive (which
+#  they could then use to wipe the drive or steal data).  It is recommended
+#  that you say Y here, unless you run into software incompatibilities.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_mknod" is created.
+kernel.grsecurity.chroot_deny_mknod = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  mount or remount filesystems.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_deny_mount" is created.
+kernel.grsecurity.chroot_deny_mount = 1
+
+#  If you say Y here, processes inside a chroot will not be able to use
+#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+#  works similar to chroot in that it changes the root filesystem.  This
+#  function could be misused in a chrooted process to attempt to break out
+#  of the chroot, and therefore should not be allowed.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+#  created.
+kernel.grsecurity.chroot_deny_pivot     = 1
+
+#  If you say Y here, processes inside a chroot will not be able to attach
+#  to shared memory segments that were created outside of the chroot jail.
+#  It is recommended that you say Y here.  If the sysctl option is enabled,
+#  a sysctl option with name "chroot_deny_shmat" is created.
+kernel.grsecurity.chroot_deny_shmat = 1
+
+#  If you say Y here, an attacker in a chroot will not be able to
+#  write to sysctl entries, either by sysctl(2) or through a /proc
+#  interface.  It is strongly recommended that you say Y here. If the
+#  sysctl option is enabled, a sysctl option with name
+#  "chroot_deny_sysctl" is created.
+kernel.grsecurity.chroot_deny_sysctl = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  connect to abstract (meaning not belonging to a filesystem) Unix
+#  domain sockets that were bound outside of a chroot.  It is recommended
+#  that you say Y here.  If the sysctl option is enabled, a sysctl option
+#  with name "chroot_deny_unix" is created.
+kernel.grsecurity.chroot_deny_unix = 1
+
+#  If you say Y here, the current working directory of all newly-chrooted
+#  applications will be set to the the root directory of the chroot.
+#  The man page on chroot(2) states:
+#  Note that usually chhroot does not change  the  current  working
+#  directory,  so  that `.' can be outside the tree rooted at
+#  `/'.  In particular, the  super-user  can  escape  from  a
+#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+#  
+#  It is recommended that you say Y here, since it's not known to break
+#  any software.  If the sysctl option is enabled, a sysctl option with
+#  name "chroot_enforce_chdir" is created.
+kernel.grsecurity.chroot_enforce_chdir  = 1
+
+#  If you say Y here, processes inside a chroot will not be able to
+#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
+#  getsid, or view any process outside of the chroot.  If the sysctl
+#  option is enabled, a sysctl option with name "chroot_findtask" is
+#  created.
+kernel.grsecurity.chroot_findtask = 1
+
+#  If you say Y here, processes inside a chroot will not be able to raise
+#  the priority of processes in the chroot, or alter the priority of
+#  processes outside the chroot.  This provides more security than simply
+#  removing CAP_SYS_NICE from the process' capability set.  If the
+#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+#  is created.
+kernel.grsecurity.chroot_restrict_nice = 1
+
+#
+# Kernel Auditing
+#
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+kernel.grsecurity.audit_group = 0		
+
+#  If you say Y here, the exec and chdir logging features will only operate
+#  on a group you specify.  This option is recommended if you only want to
+#  watch certain users instead of having a large amount of logs from the
+#  entire system.  If the sysctl option is enabled, a sysctl option with
+#  name "audit_group" is created.
+#kernel.grsecurity.audit_gid = 201
+
+#  If you say Y here, all execve() calls will be logged (since the
+#  other exec*() calls are frontends to execve(), all execution
+#  will be logged).  Useful for shell-servers that like to keep track
+#  of their users.  If the sysctl option is enabled, a sysctl option with
+#  name "exec_logging" is created.
+#  WARNING: This option when enabled will produce a LOT of logs, especially
+#  on an active system.
+kernel.grsecurity.exec_logging = 0				
+
+#  If you say Y here, all attempts to overstep resource limits will
+#  be logged with the resource name, the requested size, and the current
+#  limit.  It is highly recommended that you say Y here.  If the sysctl
+#  option is enabled, a sysctl option with name "resource_logging" is
+#  created.  If the RBAC system is enabled, the sysctl value is ignored.
+#kernel.grsecurity.resource_logging = 1
+kernel.grsecurity.resource_logging = 0
+
+#  If you say Y here, all executions inside a chroot jail will be logged
+#  to syslog.  This can cause a large amount of logs if certain
+#  applications (eg. djb's daemontools) are installed on the system, and
+#  is therefore left as an option.  If the sysctl option is enabled, a
+#  sysctl option with name "chroot_execlog" is created.
+kernel.grsecurity.chroot_execlog = 0	
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+#kernel.grsecurity.audit_ptrace = 1
+kernel.grsecurity.audit_ptrace = 0
+
+#  If you say Y here, all attempts to attach to a process via ptrace
+#  will be logged.  If the sysctl option is enabled, a sysctl option
+#  with name "audit_ptrace" is created.
+kernel.grsecurity.audit_chdir = 0				
+
+#  If you say Y here, all mounts and unmounts will be logged.  If the
+#  sysctl option is enabled, a sysctl option with name "audit_mount" is
+#  created.
+#kernel.grsecurity.audit_mount = 1
+kernel.grsecurity.audit_mount = 0
+
+#  If you say Y here, certain important signals will be logged, such as
+#  SIGSEGV, which will as a result inform you of when a error in a program
+#  occurred, which in some cases could mean a possible exploit attempt.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "signal_logging" is created.
+kernel.grsecurity.signal_logging = 0
+
+#  If you say Y here, all failed fork() attempts will be logged.
+#  This could suggest a fork bomb, or someone attempting to overstep
+#  their process limit.  If the sysctl option is enabled, a sysctl option
+#  with name "forkfail_logging" is created.
+#kernel.grsecurity.forkfail_logging = 1
+kernel.grsecurity.forkfail_logging = 0
+
+#  If you say Y here, any changes of the system clock will be logged.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "timechange_logging" is created.
+#kernel.grsecurity.timechange_logging = 1
+
+#  if you say Y here, calls to mmap() and mprotect() with explicit
+#  usage of PROT_WRITE and PROT_EXEC together will be logged when
+#  denied by the PAX_MPROTECT feature.  This feature will also
+#  log other problematic scenarios that can occur when PAX_MPROTECT
+#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
+#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+#  is created.
+#kernel.grsecurity.rwxmap_logging = 1
+
+#
+# Executable Protections
+#
+
 
+#  if you say Y here, non-root users will not be able to use dmesg(8)
+#  to view the contents of the kernel's circular log buffer.
+#  The kernel's log buffer often contains kernel addresses and other
+#  identifying information useful to an attacker in fingerprinting a
+#  system for a targeted exploit.
+#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+#  created.
+kernel.grsecurity.dmesg = 1
+
+# Hide symbol addresses in /proc/kallsyms
+kernel.kptr_restrict = 1
+
+#  If you say Y here, TTY sniffers and other malicious monitoring
+#  programs implemented through ptrace will be defeated.  If you
+#  have been using the RBAC system, this option has already been
+#  enabled for several years for all users, with the ability to make
+#  fine-grained exceptions.
+#  
+#  This option only affects the ability of non-root users to ptrace
+#  processes that are not a descendent of the ptracing process.
+#  This means that strace ./binary and gdb ./binary will still work,
+#  but attaching to arbitrary processes will not.  If the sysctl
+#  option is enabled, a sysctl option with name "harden_ptrace" is
+#  created.
+kernel.grsecurity.harden_ptrace = 1
+
+#  If you say Y here, unprivileged users will not be able to ptrace unreadable
+#  binaries.  This option is useful in environments that
+#  remove the read bits (e.g. file mode 4711) from suid binaries to
+#  prevent infoleaking of their contents.  This option adds
+#  consistency to the use of that file mode, as the binary could normally
+#  be read out when run without privileges while ptracing.
+#  
+#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+#  is created.
+kernel.grsecurity.ptrace_readexec = 1
+
+#  If you say Y here, a change from a root uid to a non-root uid
+#  in a multithreaded application will cause the resulting uids,
+#  gids, supplementary groups, and capabilities in that thread
+#  to be propagated to the other threads of the process.  In most
+#  cases this is unnecessary, as glibc will emulate this behavior
+#  on behalf of the application.  Other libcs do not act in the
+#  same way, allowing the other threads of the process to continue
+#  running with root privileges.  If the sysctl option is enabled,
+#  a sysctl option with name "consistent_setxid" is created.
+#kernel.grsecurity.consistent_setxid = 1
+
+#  If you say Y here, access to overly-permissive IPC objects (shared
+#  memory, message queues, and semaphores) will be denied for processes
+#  given the following criteria beyond normal permission checks:
+#  1) If the IPC object is world-accessible and the euid doesn't match
+#     that of the creator or current uid for the IPC object
+#  2) If the IPC object is group-accessible and the egid doesn't
+#     match that of the creator or current gid for the IPC object
+#  It's a common error to grant too much permission to these objects,
+#  with impact ranging from denial of service and information leaking to
+#  privilege escalation.  This feature was developed in response to
+#  research by Tim Brown:
+#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+#  who found hundreds of such insecure usages.  Processes with
+#  CAP_IPC_OWNER are still permitted to access these IPC objects.
+#  If the sysctl option is enabled, a sysctl option with name
+#  "harden_ipc" is created.
+kernel.grsecurity.harden_ipc = 1
+
+#  If you say Y here, you will be able to choose a gid to add to the
+#  supplementary groups of users you want to mark as "untrusted."
+#  These users will not be able to execute any files that are not in
+#  root-owned directories writable only by root.  If the sysctl option
+#  is enabled, a sysctl option with name "tpe" is created.
+kernel.grsecurity.tpe = 1
+kernel.grsecurity.tpe_gid = 101
+
+#  If you say Y here, the group you specify in the TPE configuration will
+#  decide what group TPE restrictions will be *disabled* for.  This
+#  option is useful if you want TPE restrictions to be applied to most
+#  users on the system.  If the sysctl option is enabled, a sysctl option
+#  with name "tpe_invert" is created.  Unlike other sysctl options, this
+#  entry will default to on for backward-compatibility.
+kernel.grsecurity.tpe_invert = 1
+
+#  If you say Y here, all non-root users will be covered under
+#  a weaker TPE restriction.  This is separate from, and in addition to,
+#  the main TPE options that you have selected elsewhere.  Thus, if a
+#  "trusted" GID is chosen, this restriction applies to even that GID.
+#  Under this restriction, all non-root users will only be allowed to
+#  execute files in directories they own that are not group or
+#  world-writable, or in directories owned by root and writable only by
+#  root.  If the sysctl option is enabled, a sysctl option with name
+#  "tpe_restrict_all" is created.
+kernel.grsecurity.tpe_restrict_all = 0
+
+
+#kernel.grsecurity.harden_tty = 1
+#
+# Network Protections
+#
+
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+
+# Both ports linux-blob and linux-libre don't build with ipv6
 # Disable ipv6
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 
 # Tuen IPv6
-net.ipv6.conf.default.router_solicitations = 0
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.dad_transmits = 0
-net.ipv6.conf.default.max_addresses = 0
+#net.ipv6.conf.default.router_solicitations = 0
+#net.ipv6.conf.default.accept_ra_rtr_pref = 0
+#net.ipv6.conf.default.accept_ra_pinfo = 0
+#net.ipv6.conf.default.accept_ra_defrtr = 0
+#net.ipv6.conf.default.autoconf = 0
+#net.ipv6.conf.default.dad_transmits = 0
+#net.ipv6.conf.default.max_addresses = 0
 
 # Avoid a smurf attack
 net.ipv4.icmp_echo_ignore_broadcasts = 1
@@ -56,8 +456,8 @@ net.ipv4.conf.default.accept_source_route = 0
 ## protects from attackers that are using ip spoofing methods to do harm
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
-net.ipv6.conf.default.rp_filter = 1
-net.ipv6.conf.all.rp_filter = 1
+#net.ipv6.conf.default.rp_filter = 1
+#net.ipv6.conf.all.rp_filter = 1
 
 # Make sure no one can alter the routing tables
 net.ipv4.conf.all.accept_redirects = 0
@@ -70,18 +470,6 @@ net.ipv4.ip_forward = 1
 net.ipv4.conf.all.send_redirects = 1
 net.ipv4.conf.default.send_redirects = 1
 
-kernel.shmmax = 500000000
-# Turn on execshild
-kernel.exec-shield = 1
-kernel.randomize_va_space = 1
-
-# Optimization for port usefor LBs
-# Increase system file descriptor limit
-fs.file-max = 65535
-
-# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-kernel.pid_max = 65536
-
 # Increase system IP port limits
 net.ipv4.ip_local_port_range = 2000 65000
 
@@ -89,25 +477,99 @@ net.ipv4.ip_local_port_range = 2000 65000
 net.ipv4.tcp_rmem = 4096 87380 8388608
 net.ipv4.tcp_wmem = 4096 87380 8388608
 
-# Increase Linux auto tuning TCP buffer limits
-# min, default, and max number of bytes to use
-# set max to at least 4MB, or higher if you use very high BDP paths
-# Tcp Windows etc
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.netdev_max_backlog = 5000
-net.ipv4.tcp_window_scaling = 1
 
-# Grsecurity stuff
+#  If you say Y here, neither TCP resets nor ICMP
+#  destination-unreachable packets will be sent in response to packets
+#  sent to ports for which no associated listening process exists.
+#  This feature supports both IPV4 and IPV6 and exempts the 
+#  loopback interface from blackholing.  Enabling this feature 
+#  makes a host more resilient to DoS attacks and reduces network
+#  visibility against scanners.
+#  
+#  The blackhole feature as-implemented is equivalent to the FreeBSD
+#  blackhole feature, as it prevents RST responses to all packets, not
+#  just SYNs.  Under most application behavior this causes no
+#  problems, but applications (like haproxy) may not close certain
+#  connections in a way that cleanly terminates them on the remote
+#  end, leaving the remote host in LAST_ACK state.  Because of this
+#  side-effect and to prevent intentional LAST_ACK DoSes, this
+#  feature also adds automatic mitigation against such attacks.
+#  The mitigation drastically reduces the amount of time a socket
+#  can spend in LAST_ACK state.  If you're using haproxy and not
+#  all servers it connects to have this option enabled, consider
+#  disabling this feature on the haproxy host.
+#  
+#  If the sysctl option is enabled, two sysctl options with names
+#  "ip_blackhole" and "lastack_retries" will be created.
+#  While "ip_blackhole" takes the standard zero/non-zero on/off
+#  toggle, "lastack_retries" uses the same kinds of values as
+#  "tcp_retries1" and "tcp_retries2".  The default value of 4
+#  prevents a socket from lasting more than 45 seconds in LAST_ACK
+#  state.
+#kernel.grsecurity.ip_blackhole = 1
+#kernel.grsecurity.lastack_retries = 4
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine or run server
+#  applications from your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_all" is created.
+#kernel.grsecurity.socket_all = 1
+
+#  Here you can choose the GID to disable socket access for. Remember to
+#  add the users you want socket access disabled for to the GID
+#  specified here.  If the sysctl option is enabled, a sysctl option
+#  with name "socket_all_gid" is created.
+#kernel.grsecurity.socket_all_gid = 202
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_client = 1
+
+#  Here you can choose the GID to disable client socket access for.
+#  Remember to add the users you want client socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_client_gid" is created.
+#kernel.grsecurity.socket_client_gid = 203
+
+#  If you say Y here, you will be able to choose a GID of whose users will
+#  be unable to connect to other hosts from your machine, but will be
+#  able to run servers.  If this option is enabled, all users in the group
+#  you specify will have to use passive mode when initiating ftp transfers
+#  from the shell on your machine.  If the sysctl option is enabled, a
+#  sysctl option with name "socket_client" is created.
+#kernel.grsecurity.socket_server = 1
+
+#  Here you can choose the GID to disable server socket access for.
+#  Remember to add the users you want server socket access disabled for to
+#  the GID specified here.  If the sysctl option is enabled, a sysctl
+#  option with name "socket_server_gid" is created.
+#kernel.grsecurity.socket_server_gid = 204
+
+#
+# Physical Protections
+#
+
+#  If you say Y here, a new sysctl option with name "deny_new_usb"
+#  will be created.  Setting its value to 1 will prevent any new
+#  USB devices from being recognized by the OS.  Any attempted USB
+#  device insertion will be logged.  This option is intended to be
+#  used against custom USB devices designed to exploit vulnerabilities
+#  in various USB device drivers.
+#  
+#  For greatest effectiveness, this sysctl should be set after any
+#  relevant init scripts.  This option is safe to enable in distros
+#  as each user can choose whether or not to toggle the sysctl.
+#kernel.grsecurity.deny_new_usb = 0
+
+#
+# Restrict grsec sysctl changes after this was set
+#
+#kernel.grsecurity.grsec_lock = 1
 
-# cant chroot to outside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chroot    = 1
-# function related to filesystems used to exploit
-kernel.grsecurity.chroot_deny_pivot     = 1
-# enforce current directory to chroot
-kernel.grsecurity.chroot_enforce_chdir  = 1
-# cant chmod inside chroot used to break chroot
-kernel.grsecurity.chroot_deny_chmod     = 0
 
 
 # End of file
diff --git a/core/configure.html b/core/configure.html
index ffcb0f7..1ca655f 100644
--- a/core/configure.html
+++ b/core/configure.html
@@ -215,7 +215,7 @@
         <a href="install.html#step2">target partition</a>,
         blkid list all while vol_id --uuid /dev/sdb1 returns
         only uuid. Add all block ids to the end of file
-        /etc/fstab
+        /etc/fstab;
         </p>
 
         <pre>
@@ -223,27 +223,40 @@
         </pre>
 
         <p>Read <a href="http://linux-audit.com/securing-mount-points-on-linux/" title="Securing mount points">Securing mount points</a>,
-        and edit /etc/fstab according to your disk layout.</p>
+        and edit /etc/fstab according to your disk layout. Blocks with uuid will later be created at lvm</p>
 
         <pre>
         #
         # /etc/fstab: static file system information
         #
         # &lt;file system&gt;        &lt;dir&gt;     &lt;type&gt;    &lt;options&gt;                        &lt;dump&gt; &lt;pass&gt;
-        /dev/sda4 on / type ext4 (rw,relatime,data=ordered)
-        /dev/sda3 on /boot type ext4 (rw,relatime,data=ordered)
-        /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
-        /dev/sda5 on /var type ext4 (rw,relatime,data=ordered)
-        /dev/sda6 on /usr type ext4 (rw,relatime,data=ordered)
-        /dev/sda8 on /home type ext4 (rw,relatime,data=ordered)
-
-        devtmpfs on /dev type devtmpfs (rw,nosuid,noatime,size=8192k,nr_inodes=16384,mode=755)
-        devpts on /dev/pts type devpts (rw,relatime,mode=600)
-        shm on /dev/shm type tmpfs (rw,relatime)
-        proc on /proc type proc (rw,relatime)
-        sysfs on /sys type sysfs (rw,relatime)
-
-        pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0
+
+        #/dev/#EXT4FS_ROOT#    /         ext4      defaults                         0      1
+        #/dev/#BTRFS_ROOT#     /         btrfs     defaults                         0      0
+        #/dev/#XFS_ROOT#       /         xfs       defaults                         0      0
+        #/dev/#SWAP#           swap      swap      defaults                         0      0
+        #/dev/#EXT4FS_HOME#    /home     ext4      defaults                         0      2
+        #/dev/#BTRFS_HOME#     /home     btrfs     defaults                         0      0
+        #/dev/#XFS_HOME#       /home     xfs       defaults                         0      0
+        #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
+        #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
+        #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
+        #tmp                   /tmp      tmpfs     defaults                         0      0
+        #shm                   /dev/shm  tmpfs     defaults                         0      0
+        #usb                   /proc/bus/usb usbfs defaults                         0      0
+
+        /dev/sda3               / 		ext4	defaults,noatime,ro				0	1
+        devpts                  /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+        /dev/sda2               /boot	ext4	defaults,ro,noatime     		  		0	0
+        /dev/sda1               /boot/efi	vfat	ro,noauto,umask=0077      			0	0
+        /dev/sda4               /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
+        /dev/sda5               /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
+
+        UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	        defaults,ro,nodev,errors=remount-ro     0	0
+        pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
+        UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
+        UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
+
         # End of file
         </pre>
 
diff --git a/core/dash.html b/core/dash.html
index 18045e5..ed6dbab 100644
--- a/core/dash.html
+++ b/core/dash.html
@@ -20,7 +20,7 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9 Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/exim.html b/core/exim.html
index c4b3c95..c1fd494 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -216,7 +216,7 @@
         <a href="index.html">Core OS Index</a>
         <p>
         This is part of the c9 Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/index.html b/core/index.html
index bc8dad5..abff93d 100644
--- a/core/index.html
+++ b/core/index.html
@@ -59,8 +59,7 @@
 
             <li><a href="reboot.html">1.4. Prepare for reboot</a>
                 <ul>
-                    <li><a href="reboot.html#linux">1.4.1. Linux Kernel</a></li>
-                    <li><a href="reboot.html#dracut">1.4.2. Dracut - Initramfs</a></li>
+                    <li><a href="reboot.html#linux">1.4.1. Kernel Ports</a></li>
                     <li><a href="reboot.html#grub">1.4.3. Configuring Grub</a></li>
                     <li><a href="reboot.html#checkup">1.4.4. Checkup</a></li>
                 </ul>
@@ -70,32 +69,33 @@
         <h2>2. System Administration</h2>
 
         <ul>
-            <li><a href="network.html">2.1. Network</a>
+
+            <li><a href="linux.html">2.1. Linux Kernel</a>
                 <ul>
-                    <li><a href="network.html#resolv">2.1.1. Resolver</a></li>
-                    <li><a href="network.html#static">2.1.2. Static ip</a></li>
-                    <li><a href="network.html#iptables">2.1.3. Iptables</a></li>
-                    <li><a href="network.html#wpa">2.1.4. Wpa and dhcpd</a></li>
-                    <li><a href="network.html#sysctl">2.1.5. Sysctl</a></li>
+                    <li><a href="linux.html#linuxlibre">2.1.1. Port Linux libre</a></li>
+                    <li><a href="linux.html#kinstall">2.1.2. Manual install</a></li>
+                    <li><a href="linux.html#kuninstall">2.1.3. Manual remove</a></li>
+                    <li><a href="linux.html#sysctl">2.1.4. Sysctl</a></li>
                 </ul>
             </li>
 
-            <li><a href="package.html">2.2. Package Management</a>
+            <li><a href="network.html">2.2. Network</a>
                 <ul>
-                    <li><a href="package.html#sysup">2.2.1. Update system</a></li>
-                    <li><a href="package.html#depinst">2.2.2. Install ports and dependencies</a></li>
-                    <li><a href="package.html#ports">2.2.3. Ports collections</a></li>
-                    <li><a href="package.html#info">2.2.3. Show port information</a></li>
-                    <li><a href="package.html#depends">2.2.4. Show port dependencies</a></li>
-                    <li><a href="package.html#printf">2.2.5. Print information</a></li>
+                    <li><a href="network.html#resolv">2.2.1. Resolver</a></li>
+                    <li><a href="network.html#static">2.2.2. Static ip</a></li>
+                    <li><a href="network.html#iptables">2.2.3. Iptables</a></li>
+                    <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li>
                 </ul>
             </li>
 
-            <li><a href="linux.html">2.3. Linux Kernel</a>
+            <li><a href="package.html">2.3. Package Management</a>
                 <ul>
-                    <li><a href="linux.html#linuxlibre">2.3.1. Port Linux libre</a></li>
-                    <li><a href="linux.html#kinstall">2.3.2. Manual install</a></li>
-                    <li><a href="linux.html#kuninstall">2.3.3. Manual remove</a></li>
+                    <li><a href="package.html#sysup">2.3.1. Update system</a></li>
+                    <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li>
+                    <li><a href="package.html#ports">2.3.3. Ports collections</a></li>
+                    <li><a href="package.html#info">2.3.3. Show port information</a></li>
+                    <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li>
+                    <li><a href="package.html#printf">2.3.5. Print information</a></li>
                 </ul>
             </li>
 
diff --git a/core/linux.html b/core/linux.html
index 53fc304..0304884 100644
--- a/core/linux.html
+++ b/core/linux.html
@@ -2,12 +2,12 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.3. Kernel Linux</title>
+        <title>2.1. Kernel Linux</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
-        <h1 id="kernel">2.3. Kernel Linux</h1>
+        <h1 id="kernel">2.1. Kernel Linux</h1>
 
         <p>Linux is a monolith kernel, a big one ! Visit
         <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
@@ -15,58 +15,41 @@
         <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
         and information.</p>
 
-        <h2 id="#linuxlibre">2.3.1. Port Linux Libre</h2>
+        <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2>
 
-        <p>Collection c9-ports have linux-libre port with default crux
-        configuration, this port depends on dracut and grub but is not
-        required to install them. To build and install this port using
-        prt-get;</p>
+        <p>Default crux configuration can be obtained from iso, this port depends
+        on dracut and grub but is not required to install them. To build and install
+        this port using prt-get;</p>
 
         <pre>
         $ prt-get depinst linux-libre
         </pre>
 
-        <h2 id="kinstall">2.3.2. Manual Install</h2>
+        <h2 id="kinstall">2.1.2. Manual Install</h2>
 
         <p>Download Linux Source from
         <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
         or using the port system;</p>
 
-        <pre>
-        $ cd /usr/ports/c9-ports/linux-libre
-        $ sudo -u pkgmk pkgmk -do
-        </pre>
-
-        <p>Crux iso comes with config that is used in this port, is
-        a good starting point to personalize according to your needs;</p>
+        <p>Crux iso comes with config that is more generic than used on linux-libre
+        port, crux default is a good starting point to personalize according to your
+        needs (build default, detect modules needed);</p>
 
         <pre>
         $ mkdir ~/kernel
         $ cd ~/kernel
-        $ cp /usr/ports/c9-ports/linux-libre/linux-4.1.32.defconfig .
-        $ cp /usr/ports/distfiles/linux-libre-4.1.32-gnu.tar.xz .
-        $ tar xf linux-libre-4.1.32-gnu.tar.xz
-        $ cp linux-4.1.32.defconfig linux-4.1.32/.config
+        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
+        $ tar xf linux-libre-4.9.11-gnu.tar.xz
+        $ cd linux-4.9.11/
         </pre>
 
-        <p>If you like <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">download master</a>) that adds more cpu options (FLAGS native)</p>
-
-        <pre>
-        $ cp /usr/ports/distfiles/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch cpu_optimizations.patch
-        </pre>
-
-        <pre>
-        $ cd ~/linux-4.1.32/
-        $ patch -p1 &lt; ../cpu_optimizations.patch
-        patching file arch/x86/include/asm/module.h
-        patching file arch/x86/Kconfig.cpu
-        patching file arch/x86/Makefile
-        Hunk #1 succeeded at 85 with fuzz 1 (offset -9 lines).
-        patching file arch/x86/Makefile_32.cpu
-        $
-        </pre>
-
-        <p>Read <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">Gresecurity</a>.</p>
+        <p><a href="grsecurity.net">Grsecurity</a> patch for
+        <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>.
+        Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
+        that adds more cpu options (FLAGS native).
+        Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and
+        more patches used on linux-libre port. Read patching your kernel with
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p>
 
         <p>Configure kernel according to your current kernel
         hardware support;</p>
@@ -77,11 +60,10 @@
 
         <p>This will disable all unloaded modules,
         you can use localyesconfig mark all loaded
-        to be built in the kernel.</p>
-
-        <p>To get information about your hardware,
-        for example information about which graphic
-        module (driver) is in use as root run;</p>
+        to be built in the kernel. To get information
+        about your hardware, for example information
+        about which graphic module (driver) is in use
+        as root run;</p>
 
         <pre>
         # lspci -nnk | grep -i vga -A3 | grep 'in use'
@@ -95,16 +77,16 @@
         </pre>
 
         <pre>
-        $ make -j $(nproc) all
+        $ make -j $(nproc) bzImage modules
         $ sudo make modules_install
-        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.1.32-gnu_crux
-        $ sudo cp System.map /boot/System.map-4.1.32-gnu_crux
+        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
+        $ sudo cp System.map /boot/System.map-4.9.11-gnu
         </pre>
 
         <p>Create dracut initramfs;</p>
 
         <pre>
-        $sudo dracut --fstab /boot/initramfs-4.1.32-gnu_crux.img 4.1.32-gnu_crux
+        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
         </pre>
 
         <p>Update grub;</p>
@@ -113,17 +95,609 @@
         # grub-mkconfig -o /boot/grub/grub.cfg
         </pre>
 
-        <h2 id="kuninstall">2.3.3. Manual Remove</h2>
+        <h2 id="kuninstall">2.1.3. Manual Remove</h2>
 
         <pre>
-        $ sudo rm -r /lib/modules/4.1.12-gnu_crux
-        $ sudo rm /boot/vmlinuz-4.1.12-gnu_crux
-        $ sudo rm /boot/System.map-4.1.12-gnu_crux
+        $ sudo rm -r /lib/modules/4.9.11-gnu
+        $ sudo rm /boot/vmlinuz-4.9.11-gnu
+        $ sudo rm /boot/System.map-4.9.11-gnu
         </pre>
 
+        <h2 id="sysctl">2.1.4. Sysctl</h2>
+
+        <p>Sysctl references
+        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
+        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
+        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
+        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>
+
+        <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a>
+        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
+        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
+        values;</p>
+
+        <pre>
+        #
+        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+        #
+
+        kernel.printk = 15 1 1 4
+        kernel.randomize_va_space = 1
+        kernel.shmmax = 500000000
+        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+        kernel.pid_max = 65536
+
+        #
+        # Memory Protections
+        #
+
+        #  If you say Y here, all ioperm and iopl calls will return an error.
+        #  Ioperm and iopl can be used to modify the running kernel.
+        #  Unfortunately, some programs need this access to operate properly,
+        #  the most notable of which are XFree86 and hwclock.  hwclock can be
+        #  remedied by having RTC support in the kernel, so real-time
+        #  clock support is enabled if this option is enabled, to ensure
+        #  that hwclock operates correctly.
+        #
+        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
+        #  you may not be able to boot into a graphical environment with this
+        #  option enabled.  In this case, you should use the RBAC system instead.
+        #kernel.grsecurity.disable_priv_io = 1
+        kernel.grsecurity.disable_priv_io = 0
+
+        #  If you say Y here, attempts to bruteforce exploits against forking
+        #  daemons such as apache or sshd, as well as against suid/sgid binaries
+        #  will be deterred.  When a child of a forking daemon is killed by PaX
+        #  or crashes due to an illegal instruction or other suspicious signal,
+        #  the parent process will be delayed 30 seconds upon every subsequent
+        #  fork until the administrator is able to assess the situation and
+        #  restart the daemon.
+        #  In the suid/sgid case, the attempt is logged, the user has all their
+        #  existing instances of the suid/sgid binary terminated and will
+        #  be unable to execute any suid/sgid binaries for 15 minutes.
+        #
+        #  It is recommended that you also enable signal logging in the auditing
+        #  section so that logs are generated when a process triggers a suspicious
+        #  signal.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "deter_bruteforce" is created.
+        #kernel.grsecurity.deter_bruteforce = 1
+
+        #
+        # Filesystem Protections
+        #
+
+        # Optimization for port usefor LBs
+        # Increase system file descriptor limit
+        fs.file-max = 65535
+
+        #  If you say Y here, /tmp race exploits will be prevented, since users
+        #  will no longer be able to follow symlinks owned by other users in
+        #  world-writable +t directories (e.g. /tmp), unless the owner of the
+        #  symlink is the owner of the directory. users will also not be
+        #  able to hardlink to files they do not own.  If the sysctl option is
+        #  enabled, a sysctl option with name "linking_restrictions" is created.
+        kernel.grsecurity.linking_restrictions = 1
+
+
+        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
+        #  that prevents it from being used as a security feature.  As Apache
+        #  verifies the symlink by performing a stat() against the target of
+        #  the symlink before it is followed, an attacker can setup a symlink
+        #  to point to a same-owned file, then replace the symlink with one
+        #  that targets another user's file just after Apache "validates" the
+        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
+        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
+        #  will be in place for the group you specify. If the sysctl option
+        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
+        #  created.
+        #kernel.grsecurity.enforce_symlinksifowner = 1
+        #kernel.grsecurity.symlinkown_gid = 33
+
+        #  if you say Y here, users will not be able to write to FIFOs they don't
+        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
+        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
+        #  option is enabled, a sysctl option with name "fifo_restrictions" is
+        #  created.
+        #kernel.grsecurity.fifo_restrictions = 1
+
+        #  If you say Y here, a sysctl option with name "romount_protect" will
+        #  be created.  By setting this option to 1 at runtime, filesystems
+        #  will be protected in the following ways:
+        #  * No new writable mounts will be allowed
+        #  * Existing read-only mounts won't be able to be remounted read/write
+        #  * Write operations will be denied on all block devices
+        #  This option acts independently of grsec_lock: once it is set to 1,
+        #  it cannot be turned off.  Therefore, please be mindful of the resulting
+        #  behavior if this option is enabled in an init script on a read-only
+        #  filesystem.
+        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
+        #  and GRKERNSEC_IO should be enabled and module loading disabled via
+        #  config or at runtime.
+        #  This feature is mainly intended for secure embedded systems.
+        #kernel.grsecurity.romount_protect = 0
+
+        #  if you say Y here, the capabilities on all processes within a
+        #  chroot jail will be lowered to stop module insertion, raw i/o,
+        #  system and net admin tasks, rebooting the system, modifying immutable
+        #  files, modifying IPC owned by another, and changing the system time.
+        #  This is left an option because it can break some apps.  Disable this
+        #  if your chrooted apps are having problems performing those kinds of
+        #  tasks.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_caps" is created.
+        kernel.grsecurity.chroot_caps = 1
+
+        #kernel.grsecurity.chroot_deny_bad_rename = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chmod
+        #  or fchmod files to make them have suid or sgid bits.  This protects
+        #  against another published method of breaking a chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
+        #  created.
+        kernel.grsecurity.chroot_deny_chmod     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to chroot
+        #  again outside the chroot.  This is a widely used method of breaking
+        #  out of a chroot jail and should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name
+        #  "chroot_deny_chroot" is created.
+        kernel.grsecurity.chroot_deny_chroot    = 1
+
+        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
+        #  to a file descriptor of the chrooting process that points to a directory
+        #  outside the filesystem will be stopped.  If the sysctl option
+        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
+        kernel.grsecurity.chroot_deny_fchdir = 1
+
+        #  If you say Y here, processes inside a chroot will not be allowed to
+        #  mknod.  The problem with using mknod inside a chroot is that it
+        #  would allow an attacker to create a device entry that is the same
+        #  as one on the physical root of your system, which could range from
+        #  anything from the console device to a device for your harddrive (which
+        #  they could then use to wipe the drive or steal data).  It is recommended
+        #  that you say Y here, unless you run into software incompatibilities.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_mknod" is created.
+        kernel.grsecurity.chroot_deny_mknod = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  mount or remount filesystems.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_deny_mount" is created.
+        kernel.grsecurity.chroot_deny_mount = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to use
+        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
+        #  works similar to chroot in that it changes the root filesystem.  This
+        #  function could be misused in a chrooted process to attempt to break out
+        #  of the chroot, and therefore should not be allowed.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
+        #  created.
+        kernel.grsecurity.chroot_deny_pivot     = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to attach
+        #  to shared memory segments that were created outside of the chroot jail.
+        #  It is recommended that you say Y here.  If the sysctl option is enabled,
+        #  a sysctl option with name "chroot_deny_shmat" is created.
+        kernel.grsecurity.chroot_deny_shmat = 1
+
+        #  If you say Y here, an attacker in a chroot will not be able to
+        #  write to sysctl entries, either by sysctl(2) or through a /proc
+        #  interface.  It is strongly recommended that you say Y here. If the
+        #  sysctl option is enabled, a sysctl option with name
+        #  "chroot_deny_sysctl" is created.
+        kernel.grsecurity.chroot_deny_sysctl = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  connect to abstract (meaning not belonging to a filesystem) Unix
+        #  domain sockets that were bound outside of a chroot.  It is recommended
+        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
+        #  with name "chroot_deny_unix" is created.
+        kernel.grsecurity.chroot_deny_unix = 1
+
+        #  If you say Y here, the current working directory of all newly-chrooted
+        #  applications will be set to the the root directory of the chroot.
+        #  The man page on chroot(2) states:
+        #  Note that usually chhroot does not change  the  current  working
+        #  directory,  so  that `.' can be outside the tree rooted at
+        #  `/'.  In particular, the  super-user  can  escape  from  a
+        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
+        #
+        #  It is recommended that you say Y here, since it's not known to break
+        #  any software.  If the sysctl option is enabled, a sysctl option with
+        #  name "chroot_enforce_chdir" is created.
+        kernel.grsecurity.chroot_enforce_chdir  = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to
+        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
+        #  getsid, or view any process outside of the chroot.  If the sysctl
+        #  option is enabled, a sysctl option with name "chroot_findtask" is
+        #  created.
+        kernel.grsecurity.chroot_findtask = 1
+
+        #  If you say Y here, processes inside a chroot will not be able to raise
+        #  the priority of processes in the chroot, or alter the priority of
+        #  processes outside the chroot.  This provides more security than simply
+        #  removing CAP_SYS_NICE from the process' capability set.  If the
+        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
+        #  is created.
+        kernel.grsecurity.chroot_restrict_nice = 1
+
+        #
+        # Kernel Auditing
+        #
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        kernel.grsecurity.audit_group = 0
+
+        #  If you say Y here, the exec and chdir logging features will only operate
+        #  on a group you specify.  This option is recommended if you only want to
+        #  watch certain users instead of having a large amount of logs from the
+        #  entire system.  If the sysctl option is enabled, a sysctl option with
+        #  name "audit_group" is created.
+        #kernel.grsecurity.audit_gid = 201
+
+        #  If you say Y here, all execve() calls will be logged (since the
+        #  other exec*() calls are frontends to execve(), all execution
+        #  will be logged).  Useful for shell-servers that like to keep track
+        #  of their users.  If the sysctl option is enabled, a sysctl option with
+        #  name "exec_logging" is created.
+        #  WARNING: This option when enabled will produce a LOT of logs, especially
+        #  on an active system.
+        kernel.grsecurity.exec_logging = 0
+
+        #  If you say Y here, all attempts to overstep resource limits will
+        #  be logged with the resource name, the requested size, and the current
+        #  limit.  It is highly recommended that you say Y here.  If the sysctl
+        #  option is enabled, a sysctl option with name "resource_logging" is
+        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
+        #kernel.grsecurity.resource_logging = 1
+        kernel.grsecurity.resource_logging = 0
+
+        #  If you say Y here, all executions inside a chroot jail will be logged
+        #  to syslog.  This can cause a large amount of logs if certain
+        #  applications (eg. djb's daemontools) are installed on the system, and
+        #  is therefore left as an option.  If the sysctl option is enabled, a
+        #  sysctl option with name "chroot_execlog" is created.
+        kernel.grsecurity.chroot_execlog = 0
+
+        #  If you say Y here, all attempts to attach to a process via ptrace
+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  with name "audit_ptrace" is created.
+        #kernel.grsecurity.audit_ptrace = 1
+        kernel.grsecurity.audit_ptrace = 0
+
+        #  If you say Y here, all attempts to attach to a process via ptrace
+        #  will be logged.  If the sysctl option is enabled, a sysctl option
+        #  with name "audit_ptrace" is created.
+        kernel.grsecurity.audit_chdir = 0
+
+        #  If you say Y here, all mounts and unmounts will be logged.  If the
+        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
+        #  created.
+        #kernel.grsecurity.audit_mount = 1
+        kernel.grsecurity.audit_mount = 0
+
+        #  If you say Y here, certain important signals will be logged, such as
+        #  SIGSEGV, which will as a result inform you of when a error in a program
+        #  occurred, which in some cases could mean a possible exploit attempt.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "signal_logging" is created.
+        kernel.grsecurity.signal_logging = 0
+
+        #  If you say Y here, all failed fork() attempts will be logged.
+        #  This could suggest a fork bomb, or someone attempting to overstep
+        #  their process limit.  If the sysctl option is enabled, a sysctl option
+        #  with name "forkfail_logging" is created.
+        #kernel.grsecurity.forkfail_logging = 1
+        kernel.grsecurity.forkfail_logging = 0
+
+        #  If you say Y here, any changes of the system clock will be logged.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "timechange_logging" is created.
+        #kernel.grsecurity.timechange_logging = 1
+
+        #  if you say Y here, calls to mmap() and mprotect() with explicit
+        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
+        #  denied by the PAX_MPROTECT feature.  This feature will also
+        #  log other problematic scenarios that can occur when PAX_MPROTECT
+        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
+        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
+        #  is created.
+        #kernel.grsecurity.rwxmap_logging = 1
+
+        #
+        # Executable Protections
+        #
+
+
+        #  if you say Y here, non-root users will not be able to use dmesg(8)
+        #  to view the contents of the kernel's circular log buffer.
+        #  The kernel's log buffer often contains kernel addresses and other
+        #  identifying information useful to an attacker in fingerprinting a
+        #  system for a targeted exploit.
+        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
+        #  created.
+        kernel.grsecurity.dmesg = 1
+
+        # Hide symbol addresses in /proc/kallsyms
+        kernel.kptr_restrict = 1
+
+        #  If you say Y here, TTY sniffers and other malicious monitoring
+        #  programs implemented through ptrace will be defeated.  If you
+        #  have been using the RBAC system, this option has already been
+        #  enabled for several years for all users, with the ability to make
+        #  fine-grained exceptions.
+        #
+        #  This option only affects the ability of non-root users to ptrace
+        #  processes that are not a descendent of the ptracing process.
+        #  This means that strace ./binary and gdb ./binary will still work,
+        #  but attaching to arbitrary processes will not.  If the sysctl
+        #  option is enabled, a sysctl option with name "harden_ptrace" is
+        #  created.
+        kernel.grsecurity.harden_ptrace = 1
+
+        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
+        #  binaries.  This option is useful in environments that
+        #  remove the read bits (e.g. file mode 4711) from suid binaries to
+        #  prevent infoleaking of their contents.  This option adds
+        #  consistency to the use of that file mode, as the binary could normally
+        #  be read out when run without privileges while ptracing.
+        #
+        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
+        #  is created.
+        kernel.grsecurity.ptrace_readexec = 1
+
+        #  If you say Y here, a change from a root uid to a non-root uid
+        #  in a multithreaded application will cause the resulting uids,
+        #  gids, supplementary groups, and capabilities in that thread
+        #  to be propagated to the other threads of the process.  In most
+        #  cases this is unnecessary, as glibc will emulate this behavior
+        #  on behalf of the application.  Other libcs do not act in the
+        #  same way, allowing the other threads of the process to continue
+        #  running with root privileges.  If the sysctl option is enabled,
+        #  a sysctl option with name "consistent_setxid" is created.
+        #kernel.grsecurity.consistent_setxid = 1
+
+        #  If you say Y here, access to overly-permissive IPC objects (shared
+        #  memory, message queues, and semaphores) will be denied for processes
+        #  given the following criteria beyond normal permission checks:
+        #  1) If the IPC object is world-accessible and the euid doesn't match
+        #     that of the creator or current uid for the IPC object
+        #  2) If the IPC object is group-accessible and the egid doesn't
+        #     match that of the creator or current gid for the IPC object
+        #  It's a common error to grant too much permission to these objects,
+        #  with impact ranging from denial of service and information leaking to
+        #  privilege escalation.  This feature was developed in response to
+        #  research by Tim Brown:
+        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
+        #  who found hundreds of such insecure usages.  Processes with
+        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
+        #  If the sysctl option is enabled, a sysctl option with name
+        #  "harden_ipc" is created.
+        kernel.grsecurity.harden_ipc = 1
+
+        #  If you say Y here, you will be able to choose a gid to add to the
+        #  supplementary groups of users you want to mark as "untrusted."
+        #  These users will not be able to execute any files that are not in
+        #  root-owned directories writable only by root.  If the sysctl option
+        #  is enabled, a sysctl option with name "tpe" is created.
+        kernel.grsecurity.tpe = 1
+        kernel.grsecurity.tpe_gid = 101
+
+        #  If you say Y here, the group you specify in the TPE configuration will
+        #  decide what group TPE restrictions will be *disabled* for.  This
+        #  option is useful if you want TPE restrictions to be applied to most
+        #  users on the system.  If the sysctl option is enabled, a sysctl option
+        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
+        #  entry will default to on for backward-compatibility.
+        kernel.grsecurity.tpe_invert = 1
+
+        #  If you say Y here, all non-root users will be covered under
+        #  a weaker TPE restriction.  This is separate from, and in addition to,
+        #  the main TPE options that you have selected elsewhere.  Thus, if a
+        #  "trusted" GID is chosen, this restriction applies to even that GID.
+        #  Under this restriction, all non-root users will only be allowed to
+        #  execute files in directories they own that are not group or
+        #  world-writable, or in directories owned by root and writable only by
+        #  root.  If the sysctl option is enabled, a sysctl option with name
+        #  "tpe_restrict_all" is created.
+        kernel.grsecurity.tpe_restrict_all = 0
+
+
+        #kernel.grsecurity.harden_tty = 1
+        #
+        # Network Protections
+        #
+
+        # Increase Linux auto tuning TCP buffer limits
+        # min, default, and max number of bytes to use
+        # set max to at least 4MB, or higher if you use very high BDP paths
+        # Tcp Windows etc
+        net.core.rmem_max = 8388608
+        net.core.wmem_max = 8388608
+        net.core.netdev_max_backlog = 5000
+        net.ipv4.tcp_window_scaling = 1
+
+        # Both ports linux-blob and linux-libre don't build with ipv6
+        # Disable ipv6
+        net.ipv6.conf.all.disable_ipv6 = 1
+        net.ipv6.conf.default.disable_ipv6 = 1
+        net.ipv6.conf.lo.disable_ipv6 = 1
+
+        # Tuen IPv6
+        #net.ipv6.conf.default.router_solicitations = 0
+        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
+        #net.ipv6.conf.default.accept_ra_pinfo = 0
+        #net.ipv6.conf.default.accept_ra_defrtr = 0
+        #net.ipv6.conf.default.autoconf = 0
+        #net.ipv6.conf.default.dad_transmits = 0
+        #net.ipv6.conf.default.max_addresses = 0
+
+        # Avoid a smurf attack
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # Turn on protection for bad icmp error messages
+        net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+        # Turn on syncookies for SYN flood attack protection
+        net.ipv4.tcp_syncookies = 1
+
+        ## protect against tcp time-wait assassination hazards
+        ## drop RST packets for sockets in the time-wait state
+        ## (not widely supported outside of linux, but conforms to RFC)
+        net.ipv4.tcp_rfc1337 = 1
+
+        ## tcp timestamps
+        ## + protect against wrapping sequence numbers (at gigabit speeds)
+        ## + round trip time calculation implemented in TCP
+        ## - causes extra overhead and allows uptime detection by scanners like nmap
+        ## enable @ gigabit speeds
+        net.ipv4.tcp_timestamps = 0
+        #net.ipv4.tcp_timestamps = 1
+
+        # Turn on and log spoofed, source routed, and redirect packets
+        net.ipv4.conf.all.log_martians = 1
+        net.ipv4.conf.default.log_martians = 1
+
+        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # No source routed packets here
+        net.ipv4.conf.all.accept_source_route = 0
+        net.ipv4.conf.default.accept_source_route = 0
+
+        ## sets the kernels reverse path filtering mechanism to value 1(on)
+        ## will do source validation of the packet's recieved from all the interfaces on the machine
+        ## protects from attackers that are using ip spoofing methods to do harm
+        net.ipv4.conf.all.rp_filter = 1
+        net.ipv4.conf.default.rp_filter = 1
+        #net.ipv6.conf.default.rp_filter = 1
+        #net.ipv6.conf.all.rp_filter = 1
+
+        # Make sure no one can alter the routing tables
+        net.ipv4.conf.all.accept_redirects = 0
+        net.ipv4.conf.default.accept_redirects = 0
+        net.ipv4.conf.all.secure_redirects = 0
+        net.ipv4.conf.default.secure_redirects = 0
+
+        # Act as a router, necessary for Access Point
+        net.ipv4.ip_forward = 1
+        net.ipv4.conf.all.send_redirects = 1
+        net.ipv4.conf.default.send_redirects = 1
+
+        # Increase system IP port limits
+        net.ipv4.ip_local_port_range = 2000 65000
+
+        # Increase TCP max buffer size setable using setsockopt()
+        net.ipv4.tcp_rmem = 4096 87380 8388608
+        net.ipv4.tcp_wmem = 4096 87380 8388608
+
+
+        #  If you say Y here, neither TCP resets nor ICMP
+        #  destination-unreachable packets will be sent in response to packets
+        #  sent to ports for which no associated listening process exists.
+        #  This feature supports both IPV4 and IPV6 and exempts the
+        #  loopback interface from blackholing.  Enabling this feature
+        #  makes a host more resilient to DoS attacks and reduces network
+        #  visibility against scanners.
+        #
+        #  The blackhole feature as-implemented is equivalent to the FreeBSD
+        #  blackhole feature, as it prevents RST responses to all packets, not
+        #  just SYNs.  Under most application behavior this causes no
+        #  problems, but applications (like haproxy) may not close certain
+        #  connections in a way that cleanly terminates them on the remote
+        #  end, leaving the remote host in LAST_ACK state.  Because of this
+        #  side-effect and to prevent intentional LAST_ACK DoSes, this
+        #  feature also adds automatic mitigation against such attacks.
+        #  The mitigation drastically reduces the amount of time a socket
+        #  can spend in LAST_ACK state.  If you're using haproxy and not
+        #  all servers it connects to have this option enabled, consider
+        #  disabling this feature on the haproxy host.
+        #
+        #  If the sysctl option is enabled, two sysctl options with names
+        #  "ip_blackhole" and "lastack_retries" will be created.
+        #  While "ip_blackhole" takes the standard zero/non-zero on/off
+        #  toggle, "lastack_retries" uses the same kinds of values as
+        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
+        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
+        #  state.
+        #kernel.grsecurity.ip_blackhole = 1
+        #kernel.grsecurity.lastack_retries = 4
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine or run server
+        #  applications from your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_all" is created.
+        #kernel.grsecurity.socket_all = 1
+
+        #  Here you can choose the GID to disable socket access for. Remember to
+        #  add the users you want socket access disabled for to the GID
+        #  specified here.  If the sysctl option is enabled, a sysctl option
+        #  with name "socket_all_gid" is created.
+        #kernel.grsecurity.socket_all_gid = 202
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_client = 1
+
+        #  Here you can choose the GID to disable client socket access for.
+        #  Remember to add the users you want client socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_client_gid" is created.
+        #kernel.grsecurity.socket_client_gid = 203
+
+        #  If you say Y here, you will be able to choose a GID of whose users will
+        #  be unable to connect to other hosts from your machine, but will be
+        #  able to run servers.  If this option is enabled, all users in the group
+        #  you specify will have to use passive mode when initiating ftp transfers
+        #  from the shell on your machine.  If the sysctl option is enabled, a
+        #  sysctl option with name "socket_client" is created.
+        #kernel.grsecurity.socket_server = 1
+
+        #  Here you can choose the GID to disable server socket access for.
+        #  Remember to add the users you want server socket access disabled for to
+        #  the GID specified here.  If the sysctl option is enabled, a sysctl
+        #  option with name "socket_server_gid" is created.
+        #kernel.grsecurity.socket_server_gid = 204
+
+        #
+        # Physical Protections
+        #
+
+        #  If you say Y here, a new sysctl option with name "deny_new_usb"
+        #  will be created.  Setting its value to 1 will prevent any new
+        #  USB devices from being recognized by the OS.  Any attempted USB
+        #  device insertion will be logged.  This option is intended to be
+        #  used against custom USB devices designed to exploit vulnerabilities
+        #  in various USB device drivers.
+        #
+        #  For greatest effectiveness, this sysctl should be set after any
+        #  relevant init scripts.  This option is safe to enable in distros
+        #  as each user can choose whether or not to toggle the sysctl.
+        #kernel.grsecurity.deny_new_usb = 0
+
+        #
+        # Restrict grsec sysctl changes after this was set
+        #
+        #kernel.grsecurity.grsec_lock = 1
+
+
+
+        # End of file
+        </pre>
+
+
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-Copyright (C) 2016
+Copyright (C) 2017
 c9 team.
 See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
 for copying conditions.</p>
diff --git a/core/network.html b/core/network.html
index c14f3db..ebea495 100644
--- a/core/network.html
+++ b/core/network.html
@@ -49,7 +49,7 @@
         described scripts then proceed to
         <a href="package.html#sysup">update system.</a></p>
 
-        <h2 id="resolv">2.1.1. Resolver</h2>
+        <h2 id="resolv">2.2.1. Resolver</h2>
 
         <p>This example will use
         <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
@@ -65,7 +65,7 @@
         # chattr +i /etc/resolv.conf
         </pre>
 
-        <h2 id="static">2.1.2. Static IP</h2>
+        <h2 id="static">2.2.2. Static IP</h2>
 
         <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
 
@@ -112,7 +112,7 @@
         # ip route add default via ${GW}
         </pre>
 
-        <h2 id="iptables">2.1.3. Iptables</h2>
+        <h2 id="iptables">2.2.3. Iptables</h2>
 
         <p>For more information about iptables read
         <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
@@ -147,7 +147,7 @@
 
         <p>
 
-        <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
+        <h2 id="wpa">2.2.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
         <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -165,7 +165,7 @@
         # iwconfig wlp2s0 essid NAME key s:ABCDE12345
         </pre>
 
-        <h3>2.1.4.1. Wpa Supplicant</h3>
+        <h3>2.2.4.1. Wpa Supplicant</h3>
 
         <p>Configure wpa supplicant edit;</p>
 
@@ -195,7 +195,7 @@
         init script to auto load wpa configuration and dhcp
         client.</p>
 
-        <h3>2.1.4.2. Wpa Cli</h3>
+        <h3>2.2.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -235,137 +235,10 @@
         </pre>
 
 
-        <h2 id="sysctl">2.1.5. Sysctl</h2>
-
-        <p>Sysctl references
-        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
-        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
-        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
-        edit /etc/sysctl.conf;</p>
-
-        <pre>
-        #
-        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
-        #
-
-        kernel.printk = 1 4 1 7
-
-        # Disable ipv6
-        net.ipv6.conf.all.disable_ipv6 = 1
-        net.ipv6.conf.default.disable_ipv6 = 1
-        net.ipv6.conf.lo.disable_ipv6 = 1
-
-        # Tuen IPv6
-        # net.ipv6.conf.default.router_solicitations = 0
-        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
-        # net.ipv6.conf.default.accept_ra_pinfo = 0
-        # net.ipv6.conf.default.accept_ra_defrtr = 0
-        # net.ipv6.conf.default.autoconf = 0
-        # net.ipv6.conf.default.dad_transmits = 0
-        # net.ipv6.conf.default.max_addresses = 0
-
-        # Avoid a smurf attack
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # Turn on protection for bad icmp error messages
-        net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-        # Turn on syncookies for SYN flood attack protection
-        net.ipv4.tcp_syncookies = 1
-
-        ## protect against tcp time-wait assassination hazards
-        ## drop RST packets for sockets in the time-wait state
-        ## (not widely supported outside of linux, but conforms to RFC)
-        net.ipv4.tcp_rfc1337 = 1
-
-        ## tcp timestamps
-        ## + protect against wrapping sequence numbers (at gigabit speeds)
-        ## + round trip time calculation implemented in TCP
-        ## - causes extra overhead and allows uptime detection by scanners like nmap
-        ## enable @ gigabit speeds
-        net.ipv4.tcp_timestamps = 0
-        #net.ipv4.tcp_timestamps = 1
-
-        # Turn on and log spoofed, source routed, and redirect packets
-        net.ipv4.conf.all.log_martians = 1
-        net.ipv4.conf.default.log_martians = 1
-
-        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # No source routed packets here
-        net.ipv4.conf.all.accept_source_route = 0
-        net.ipv4.conf.default.accept_source_route = 0
-
-        ## sets the kernels reverse path filtering mechanism to value 1(on)
-        ## will do source validation of the packet's recieved from all the interfaces on the machine
-        ## protects from attackers that are using ip spoofing methods to do harm
-        net.ipv4.conf.all.rp_filter = 1
-        net.ipv4.conf.default.rp_filter = 1
-        net.ipv6.conf.default.rp_filter = 1
-        net.ipv6.conf.all.rp_filter = 1
-
-        # Make sure no one can alter the routing tables
-        net.ipv4.conf.all.accept_redirects = 0
-        net.ipv4.conf.default.accept_redirects = 0
-        net.ipv4.conf.all.secure_redirects = 0
-        net.ipv4.conf.default.secure_redirects = 0
-
-        # Don't act as a router
-        net.ipv4.ip_forward = 0
-        net.ipv4.conf.all.send_redirects = 0
-        net.ipv4.conf.default.send_redirects = 0
-
-        kernel.shmmax = 500000000
-        # Turn on execshild
-        kernel.exec-shield = 1
-        kernel.randomize_va_space = 1
-
-        # Optimization for port usefor LBs
-        # Increase system file descriptor limit
-        fs.file-max = 65535
-
-        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-        kernel.pid_max = 65536
-
-        # Increase system IP port limits
-        net.ipv4.ip_local_port_range = 2000 65000
-
-        # Increase TCP max buffer size setable using setsockopt()
-        net.ipv4.tcp_rmem = 4096 87380 8388608
-        net.ipv4.tcp_wmem = 4096 87380 8388608
-
-        # Increase Linux auto tuning TCP buffer limits
-        # min, default, and max number of bytes to use
-        # set max to at least 4MB, or higher if you use very high BDP paths
-        # Tcp Windows etc
-        net.core.rmem_max = 8388608
-        net.core.wmem_max = 8388608
-        net.core.netdev_max_backlog = 5000
-        net.ipv4.tcp_window_scaling = 1
-
-        # End of file
-        </pre>
-
-        <p>Change to act as a router (default of conf/sysctl.conf);</p>
-
-        <pre>
-        # Act as a router, necessary for Access Point
-        net.ipv4.ip_forward = 1
-        net.ipv4.conf.all.send_redirects = 1
-        net.ipv4.conf.default.send_redirects = 1
-        </pre>
-
-        <p>Load new settings;</p>
-
-        <pre>
-        # sysctl -p
-        </pre>
-
         <a href="index.html">Core OS Index</a>
         <p>
         This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/package.html b/core/package.html
index 475d94b..3c59669 100644
--- a/core/package.html
+++ b/core/package.html
@@ -2,13 +2,13 @@
 <html dir="ltr" lang="en">
     <head>
         <meta charset='utf-8'>
-        <title>2.2. Package Management</title>
+        <title>2.3. Package Management</title>
     </head>
     <body>
 
         <a href="index.html">Core OS Index</a>
 
-        <h1>2.2. Package Management</h1>
+        <h1>2.3. Package Management</h1>
 
         <p>For more information read crux handbook Package management
         front-end:
@@ -57,7 +57,7 @@
         $ prt-get depinst prt-utils prt-get-bashcompletion
         </pre>
 
-        <h2 id="sysup">2.2.1. Update System</h2>
+        <h2 id="sysup">2.3.1. Update System</h2>
 
         <p>Before build software get latest version of port collections;</p>
 
@@ -87,7 +87,7 @@
         $ prt-get update -fr $(revdep)
         </pre>
 
-        <h2 id="depinst">2.2.2. Install port and dependencies</h2>
+        <h2 id="depinst">2.3.2. Install port and dependencies</h2>
 
         <p>Installing using prt-get tool;</p>
 
@@ -111,7 +111,7 @@
         <p>If you user pkgmk and pkgadd allways check if README, pre and post 
         instal files exist.</p>
 
-        <h3 id="ports">2.2.3. Ports collections</h3>
+        <h3 id="ports">2.3.3. Ports collections</h3>
 
         <p>Clone this documentation;</p>
 
@@ -146,7 +146,7 @@
         $ sudo ports -u 6c37
         </pre>
 
-        <h2 id="info">2.2.4. Show port information</h2>
+        <h2 id="info">2.3.4. Show port information</h2>
 
         <pre>
         $ prt-get info port_name
@@ -164,13 +164,13 @@
         $ pkginfo -o filename
         </pre>
 
-        <h2 id="depends">2.2.5. Show port dependencies</h2>
+        <h2 id="depends">2.3.5. Show port dependencies</h2>
 
         <pre>
         $ prt-get depends port_name
         </pre>
 
-        <h2 id="printf">2.2.6. Print information</h2>
+        <h2 id="printf">2.3.6. Print information</h2>
 
         <p>Example how to get ports installed from contrib. Maybe there is
         a "cleaner" way to this, for now is ok;</p>
@@ -181,7 +181,7 @@
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>
diff --git a/core/ports.html b/core/ports.html
index 489e728..98ccbba 100644
--- a/core/ports.html
+++ b/core/ports.html
@@ -23,7 +23,8 @@
         # useradd -U -M -d /usr/ports -s /bin/false pkgmk
         </pre>
 
-        <p>You can add your self to group pkgmk,</p>
+        <p>You can add your self to group pkgmk, Members of this group will
+        not be under <a href="linux.html#sysctl">tpe</a> protection.</p>
 
         <pre>
         # usermod -a -G pkgmk c9admin
@@ -85,6 +86,8 @@
         export CFLAGS="-O2 -march=native -mtune=native"
         </pre>
 
+        <p>"-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen</p>
+
         <p>Discover number of cores/cpus to hard code -j option.</p>
 
         <pre>
@@ -107,7 +110,7 @@
         # /etc/pkgmk.conf: pkgmk(8) configuration
         #
 
-        export CFLAGS="-O2 -march=x86-64"
+        export CFLAGS="-O2 -march=native -mtune=native"
         export CXXFLAGS="${CFLAGS}"
 
         export MAKEFLAGS="-j4"
@@ -127,7 +130,7 @@
                         ;;
         esac
 
-        PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
+        #PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/)
         PKGMK_SOURCE_DIR="/usr/ports/distfiles"
         PKGMK_PACKAGE_DIR="/usr/ports/packages"
         PKGMK_WORK_DIR="/usr/ports/work/$name"
@@ -163,6 +166,9 @@
         # the following line enables the user maintained contrib collection
         prtdir /usr/ports/contrib
 
+        # ports described on this documentation
+        #prtdir /usr/ports/c9-ports
+
         # 6c37 team provides a collection with freetype-iu, fontconfig-iu
         # and cairo-iu ports.
         #prtdir /usr/ports/6c37
@@ -185,7 +191,7 @@
         readme verbose           # (verbose|compact|disabled)
 
         ### prefer higher versions in sysup / diff
-        preferhigher no      # (yes|no)
+        preferhigher yes      # (yes|no)
 
         ### use regexp search
         # useregex no        # (yes|no)
@@ -198,7 +204,7 @@
         ### EXPERT SECTION ###
 
         ### alternative commands
-        makecommand      sudo -H -u pkgmk fakeroot pkgmk
+        makecommand      sudo -H -u pkgmk -g pkgmk fakeroot pkgmk
         addcommand       sudo pkgadd
         removecommand    sudo pkgrm
         runscriptcommand sudo sh
diff --git a/core/ports/linux-blob/.footprint b/core/ports/linux-blob/.footprint
index f00d7fc..02c767e 100644
--- a/core/ports/linux-blob/.footprint
+++ b/core/ports/linux-blob/.footprint
@@ -1,61 +1,56 @@
 drwxr-xr-x	root/root	boot/
--rw-r--r--	root/root	boot/System.map-4.9.10-blob
--rw-r--r--	root/root	boot/config-4.9.10-blob
--rw-r--r--	root/root	boot/vmlinuz-4.9.10-blob
+-rw-r--r--	root/root	boot/System.map-4.9.11-blob
+-rw-r--r--	root/root	boot/config-4.9.11-blob
+-rw-r--r--	root/root	boot/vmlinuz-4.9.11-blob
 drwxr-xr-x	root/root	lib/
 drwxr-xr-x	root/root	lib/modules/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/
-lrwxrwxrwx	root/root	lib/modules/<kernel-version>/build -> /usr/src/linux-4.9.10
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_camera.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/gspca/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/gspca/gspca_main.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/uvc/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/usb/uvc/uvcvideo.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf-core.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-core.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/eeprom/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/misc/eeprom/eeprom_93cx6.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/fs/
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/fs/ntfs/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/fs/ntfs/ntfs.ko
-drwxr-xr-x	root/root	lib/modules/<kernel-version>/kernel/lib/
--rw-r--r--	root/root	lib/modules/<kernel-version>/kernel/lib/crc-ccitt.ko
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.alias
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.alias.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.builtin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.builtin.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.dep
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.dep.bin
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.devname (EMPTY)
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.order
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.softdep
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.symbols
--rw-r--r--	root/root	lib/modules/<kernel-version>/modules.symbols.bin
-lrwxrwxrwx	root/root	lib/modules/<kernel-version>/source -> /usr/src/linux-4.9.10
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/
+lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/build -> /usr/src/linux-4.9.11
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/gspca/gspca_main.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/usb/uvc/uvcvideo.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/
+drwxr-xr-x	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/kernel/fs/ntfs/ntfs.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.alias.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.builtin.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.dep.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.devname (EMPTY)
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.order
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.softdep
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols
+-rw-r--r--	root/root	lib/modules/4.9.11-blob/modules.symbols.bin
+lrwxrwxrwx	root/root	lib/modules/4.9.11-blob/source -> /usr/src/linux-4.9.11
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/src/
--rw-r--r--	root/root	usr/src/4.9.10-blob-config
--rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
--rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
+-rw-r--r--	root/root	usr/src/4.9.11-blob-config
+-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
+-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
diff --git a/core/ports/linux-blob/.md5sum b/core/ports/linux-blob/.md5sum
index 614a350..8516def 100644
--- a/core/ports/linux-blob/.md5sum
+++ b/core/ports/linux-blob/.md5sum
@@ -1,7 +1,7 @@
-7140b24a6e9e13286515e807c2fd4572  config-c9
+dc71c8f55df123437c468dad7be88757  config-c9
 00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
-ce5ab2a86c9b880617e36e84aa2deb6c  linux-4.9.10.tar.xz
+e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
+98761ce71c603199fe6fcce600c60772  linux-4.9.11.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a  port-blob-cpu.patch
-8f47b022540141ceb6a3ac5bc2a3531e  port-blob-grsecurity.patch
-712ea2454ba5181e999661c94d12c629  port-blob-make.patch
+48908f447c73e31c2428cb68b00d1e9c  port-blob-grsecurity.patch
+4a443bf320ede9f5cb183843e85b3b62  port-blob-make.patch
diff --git a/core/ports/linux-blob/Pkgfile b/core/ports/linux-blob/Pkgfile
index ecb228d..b312361 100644
--- a/core/ports/linux-blob/Pkgfile
+++ b/core/ports/linux-blob/Pkgfile
@@ -4,11 +4,11 @@
 # Depends on:   grub2 dracut
 
 name=linux-blob
-version=4.9.10
-release=1
+version=4.9.11
+release=3
 source=(https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-$version.tar.xz \
     https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
-    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
+    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
     port-blob-grsecurity.patch \
     port-blob-make.patch \
     port-blob-cpu.patch \
@@ -18,12 +18,11 @@ build() {
 
     mkdir -p $PKG/usr/src
 
-
     # /usr/src/version-cpu_optimizations.patch
     install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
 
     # /usr/src/grsecurity-version.patch
-    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
+    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
 
     patch < port-blob-grsecurity.patch
     patch < port-blob-cpu.patch
@@ -34,7 +33,7 @@ build() {
 
     make distclean
 
-    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
+    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
     patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
 
     cp $SRC/config-c9 .config
diff --git a/core/ports/linux-blob/config-c9 b/core/ports/linux-blob/config-c9
index b6750ec..2b0bb4b 100644
--- a/core/ports/linux-blob/config-c9
+++ b/core/ports/linux-blob/config-c9
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.10-blob Kernel Configuration
+# Linux/x86 4.9.11-blob Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
-CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_QUIRKS is not set
 CONFIG_MEMBARRIER=y
 # CONFIG_EMBEDDED is not set
 CONFIG_HAVE_PERF_EVENTS=y
@@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
 # CONFIG_MODULE_COMPRESS is not set
-# CONFIG_TRIM_UNUSED_KSYMS is not set
+CONFIG_TRIM_UNUSED_KSYMS=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
 CONFIG_IOMMU_HELPER=y
 # CONFIG_MAXSMP is not set
 CONFIG_NR_CPUS=4
-# CONFIG_SCHED_SMT is not set
+CONFIG_SCHED_SMT=y
 CONFIG_SCHED_MC=y
 CONFIG_PREEMPT_NONE=y
 # CONFIG_PREEMPT_VOLUNTARY is not set
@@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
 # CONFIG_EEPROM_AT25 is not set
 # CONFIG_EEPROM_LEGACY is not set
 # CONFIG_EEPROM_MAX6875 is not set
-CONFIG_EEPROM_93CX6=m
+# CONFIG_EEPROM_93CX6 is not set
 # CONFIG_EEPROM_93XX46 is not set
 # CONFIG_CB710_CORE is not set
 
@@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
 # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
-CONFIG_GRKERNSEC_CONFIG_SERVER=y
-# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
+# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
+CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
 # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
 # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
 CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
@@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
 # Default Special Groups
 #
 CONFIG_GRKERNSEC_PROC_GID=1001
-CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
 CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
 
 #
@@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
 CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
-# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_ROFS=y
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
 CONFIG_GRKERNSEC_CHROOT_MOUNT=y
@@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
 #
 # Kernel Auditing
 #
-# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
-# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
 CONFIG_GRKERNSEC_RESLOG=y
-# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
-# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
-# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
-# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
 CONFIG_GRKERNSEC_SIGNAL=y
-# CONFIG_GRKERNSEC_FORKFAIL is not set
+CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
 CONFIG_GRKERNSEC_RWXMAP_LOG=y
@@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
 CONFIG_GRKERNSEC_HARDEN_IPC=y
 CONFIG_GRKERNSEC_HARDEN_TTY=y
 CONFIG_GRKERNSEC_TPE=y
-# CONFIG_GRKERNSEC_TPE_ALL is not set
-# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
 CONFIG_GRKERNSEC_TPE_GID=1005
 
 #
@@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
 #
 CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
-# CONFIG_GRKERNSEC_SOCKET is not set
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
 
 #
 # Physical Protections
 #
 CONFIG_GRKERNSEC_DENYUSB=y
-# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+CONFIG_GRKERNSEC_DENYUSB_FORCE=y
 
 #
 # Sysctl Support
@@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=y
diff --git a/core/ports/linux-blob/port-blob-grsecurity.patch b/core/ports/linux-blob/port-blob-grsecurity.patch
index 6d27cb4..22d4580 100644
--- a/core/ports/linux-blob/port-blob-grsecurity.patch
+++ b/core/ports/linux-blob/port-blob-grsecurity.patch
@@ -1,5 +1,5 @@
---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:14:08.682388834 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
 -diff --git a/localversion-grsec b/localversion-grsec
 -new file mode 100644
 -index 0000000..7cd6065
@@ -10,8 +10,8 @@
  diff --git a/mm/Kconfig b/mm/Kconfig
  index 86e3e0e..ab679cf 100644
  --- a/mm/Kconfig
---- grsecurity-3.1-4.9.9-201702122044.patch.orig	2017-02-18 09:07:57.220274062 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 09:08:16.380274647 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:07:57.220274062 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 09:08:16.380274647 +0000
 @@ -156547,13 +156547,6 @@
   			break;
   		}
diff --git a/core/ports/linux-blob/port-blob-make.patch b/core/ports/linux-blob/port-blob-make.patch
index 9184cb5..368d592 100644
--- a/core/ports/linux-blob/port-blob-make.patch
+++ b/core/ports/linux-blob/port-blob-make.patch
@@ -3,7 +3,7 @@
 @@ -1,7 +1,7 @@
  VERSION = 4
  PATCHLEVEL = 9
- SUBLEVEL = 10
+ SUBLEVEL = 11
 -EXTRAVERSION =
 +EXTRAVERSION = -blob
  NAME = Roaring Lionus
diff --git a/core/ports/linux-libre/.footprint b/core/ports/linux-libre/.footprint
index 5d223e7..1279a5d 100644
--- a/core/ports/linux-libre/.footprint
+++ b/core/ports/linux-libre/.footprint
@@ -1,64 +1,59 @@
 drwxr-xr-x	root/root	boot/
--rw-r--r--	root/root	boot/System.map-4.9.10-grsec
--rw-r--r--	root/root	boot/config-4.9.10-grsec
--rw-r--r--	root/root	boot/vmlinuz-4.9.10-grsec
+-rw-r--r--	root/root	boot/System.map-4.9.11-grsec
+-rw-r--r--	root/root	boot/config-4.9.11-grsec
+-rw-r--r--	root/root	boot/vmlinuz-4.9.11-grsec
 drwxr-xr-x	root/root	lib/
 drwxr-xr-x	root/root	lib/modules/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/
-lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/build -> /usr/src/linux-4.9.10
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/misc/eeprom/eeprom_93cx6.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/fs/ntfs/ntfs.ko
-drwxr-xr-x	root/root	lib/modules/4.9.10-grsec/kernel/lib/
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/kernel/lib/crc-ccitt.ko
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.alias.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.builtin.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.dep.bin
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.devname (EMPTY)
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.order
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.softdep
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols
--rw-r--r--	root/root	lib/modules/4.9.10-grsec/modules.symbols.bin
-lrwxrwxrwx	root/root	lib/modules/4.9.10-grsec/source -> /usr/src/linux-4.9.10
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/
+lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/build -> /usr/src/linux-4.9.11
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_camera_platform.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/platform/soc_camera/soc_mediabus.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/gspca/gspca_main.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/usb/uvc/uvcvideo.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-core.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-memops.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-v4l2.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/media/v4l2-core/videobuf2-vmalloc.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/dvm/iwldvm.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/iwlwifi.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/drivers/net/wireless/intel/iwlwifi/mvm/iwlmvm.ko
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/
+drwxr-xr-x	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/kernel/fs/ntfs/ntfs.ko
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.alias.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.builtin.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.dep.bin
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.devname (EMPTY)
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.order
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.softdep
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols
+-rw-r--r--	root/root	lib/modules/4.9.11-grsec/modules.symbols.bin
+lrwxrwxrwx	root/root	lib/modules/4.9.11-grsec/source -> /usr/src/linux-4.9.11
 drwxr-xr-x	root/root	usr/
 drwxr-xr-x	root/root	usr/src/
--rw-r--r--	root/root	usr/src/4.9.10-cpu_optimizations.patch
--rw-r--r--	root/root	usr/src/4.9.10-libre-config
--rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.9-201702122044.patch
+-rw-r--r--	root/root	usr/src/4.9.11-cpu_optimizations.patch
+-rw-r--r--	root/root	usr/src/4.9.11-libre-config
+-rw-r--r--	root/root	usr/src/grsecurity-3.1-4.9.11-201702181444.patch
 -rw-r--r--	root/root	usr/src/port-libre-cpu.patch
 -rw-r--r--	root/root	usr/src/port-libre-grsecurity.patch
 -rw-r--r--	root/root	usr/src/port-libre-make.patch
diff --git a/core/ports/linux-libre/.md5sum b/core/ports/linux-libre/.md5sum
index b481c10..ddd1878 100644
--- a/core/ports/linux-libre/.md5sum
+++ b/core/ports/linux-libre/.md5sum
@@ -1,7 +1,7 @@
-7140b24a6e9e13286515e807c2fd4572  config-c9
+bf30b0af56c2621e317cab5e44d4235e  config-c9
 00bc0d70f200c2673fe7dd6f02053fa4  enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
-85155985089acdb7c77e8e30fa135c86  grsecurity-3.1-4.9.9-201702122044.patch
-d68753b73b7c87d53424146eceb291f8  linux-libre-4.9.10-gnu.tar.xz
+e4eb7eab3a40968c3bd4a0a19339a6a1  grsecurity-3.1-4.9.11-201702181444.patch
+2af743d6b73201d5db83c1ccb175ed30  linux-libre-4.9.11-gnu.tar.xz
 bcf38b0fbf7bd83323f3202ec082b15a  port-libre-cpu.patch
-470face301667e4a88a7664f69c1ae29  port-libre-grsecurity.patch
-f8ba546153f4cdcd47b97bd2f8785af1  port-libre-make.patch
+f9b2f7572adec2c46c1f1be2b784490e  port-libre-grsecurity.patch
+ce88c28573de7b41ef686f4201d0abfa  port-libre-make.patch
diff --git a/core/ports/linux-libre/Pkgfile b/core/ports/linux-libre/Pkgfile
index 9f7a3d0..154435f 100644
--- a/core/ports/linux-libre/Pkgfile
+++ b/core/ports/linux-libre/Pkgfile
@@ -4,11 +4,11 @@
 # Depends on:   grub2 dracut
 
 name=linux-libre
-version=4.9.10
-release=3
+version=4.9.11
+release=2
 source=(http://linux-libre.fsfla.org/pub/linux-libre/releases/$version-gnu/$name-$version-gnu.tar.xz \
     https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch \
-    https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch \
+    http://grsecurity.net/test/grsecurity-3.1-4.9.11-201702181444.patch \
     port-libre-grsecurity.patch \
     port-libre-cpu.patch \
     port-libre-make.patch \
@@ -24,7 +24,7 @@ build() {
     install -m 0644  $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch $PKG/usr/src/${version}-cpu_optimizations.patch
 
     # /usr/src/grsecurity-version.patch
-    install -m 0644  $SRC/grsecurity-3.1-4.9.9-201702122044.patch $PKG/usr/src/
+    install -m 0644  $SRC/grsecurity-3.1-4.9.11-201702181444.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-grsecurity.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-cpu.patch $PKG/usr/src/
     install -m 0644  $SRC/port-libre-make.patch $PKG/usr/src/
@@ -38,7 +38,7 @@ build() {
 
     make distclean
 
-    patch -p1 < $SRC/grsecurity-3.1-4.9.9-201702122044.patch
+    patch -p1 < $SRC/grsecurity-3.1-4.9.11-201702181444.patch
     patch -p1 < $SRC/enable_additional_cpu_optimizations_for_gcc_v4.9%2B_kernel_v3.15%2B.patch
 
     cp $SRC/config-c9 .config
diff --git a/core/ports/linux-libre/config-c9 b/core/ports/linux-libre/config-c9
index b6750ec..236d79e 100644
--- a/core/ports/linux-libre/config-c9
+++ b/core/ports/linux-libre/config-c9
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.10-blob Kernel Configuration
+# Linux/x86 4.9.11-grsec Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -215,7 +215,7 @@ CONFIG_EVENTFD=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
-CONFIG_PCI_QUIRKS=y
+# CONFIG_PCI_QUIRKS is not set
 CONFIG_MEMBARRIER=y
 # CONFIG_EMBEDDED is not set
 CONFIG_HAVE_PERF_EVENTS=y
@@ -329,7 +329,7 @@ CONFIG_MODULE_SIG_SHA256=y
 # CONFIG_MODULE_SIG_SHA512 is not set
 CONFIG_MODULE_SIG_HASH="sha256"
 # CONFIG_MODULE_COMPRESS is not set
-# CONFIG_TRIM_UNUSED_KSYMS is not set
+CONFIG_TRIM_UNUSED_KSYMS=y
 CONFIG_MODULES_TREE_LOOKUP=y
 CONFIG_BLOCK=y
 CONFIG_BLK_DEV_BSG=y
@@ -455,7 +455,7 @@ CONFIG_SWIOTLB=y
 CONFIG_IOMMU_HELPER=y
 # CONFIG_MAXSMP is not set
 CONFIG_NR_CPUS=4
-# CONFIG_SCHED_SMT is not set
+CONFIG_SCHED_SMT=y
 CONFIG_SCHED_MC=y
 CONFIG_PREEMPT_NONE=y
 # CONFIG_PREEMPT_VOLUNTARY is not set
@@ -1357,7 +1357,7 @@ CONFIG_SRAM=y
 # CONFIG_EEPROM_AT25 is not set
 # CONFIG_EEPROM_LEGACY is not set
 # CONFIG_EEPROM_MAX6875 is not set
-CONFIG_EEPROM_93CX6=m
+# CONFIG_EEPROM_93CX6 is not set
 # CONFIG_EEPROM_93XX46 is not set
 # CONFIG_CB710_CORE is not set
 
@@ -4209,8 +4209,8 @@ CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
 # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
-CONFIG_GRKERNSEC_CONFIG_SERVER=y
-# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
+# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
+CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
 # CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
 # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
 CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
@@ -4228,7 +4228,7 @@ CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
 # Default Special Groups
 #
 CONFIG_GRKERNSEC_PROC_GID=1001
-CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
+CONFIG_GRKERNSEC_TPE_TRUSTED_GID=1005
 CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006
 
 #
@@ -4328,7 +4328,7 @@ CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
 CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
-# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_ROFS=y
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
 CONFIG_GRKERNSEC_CHROOT_MOUNT=y
@@ -4350,15 +4350,16 @@ CONFIG_GRKERNSEC_CHROOT_INITRD=y
 #
 # Kernel Auditing
 #
-# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
-# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_AUDIT_GROUP=y
+CONFIG_GRKERNSEC_AUDIT_GID=1007
+CONFIG_GRKERNSEC_EXECLOG=y
 CONFIG_GRKERNSEC_RESLOG=y
-# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
-# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
-# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
-# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
+CONFIG_GRKERNSEC_AUDIT_PTRACE=y
+CONFIG_GRKERNSEC_AUDIT_CHDIR=y
+CONFIG_GRKERNSEC_AUDIT_MOUNT=y
 CONFIG_GRKERNSEC_SIGNAL=y
-# CONFIG_GRKERNSEC_FORKFAIL is not set
+CONFIG_GRKERNSEC_FORKFAIL=y
 CONFIG_GRKERNSEC_TIME=y
 CONFIG_GRKERNSEC_PROC_IPADDR=y
 CONFIG_GRKERNSEC_RWXMAP_LOG=y
@@ -4373,8 +4374,8 @@ CONFIG_GRKERNSEC_SETXID=y
 CONFIG_GRKERNSEC_HARDEN_IPC=y
 CONFIG_GRKERNSEC_HARDEN_TTY=y
 CONFIG_GRKERNSEC_TPE=y
-# CONFIG_GRKERNSEC_TPE_ALL is not set
-# CONFIG_GRKERNSEC_TPE_INVERT is not set
+CONFIG_GRKERNSEC_TPE_ALL=y
+CONFIG_GRKERNSEC_TPE_INVERT=y
 CONFIG_GRKERNSEC_TPE_GID=1005
 
 #
@@ -4382,13 +4383,19 @@ CONFIG_GRKERNSEC_TPE_GID=1005
 #
 CONFIG_GRKERNSEC_BLACKHOLE=y
 CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
-# CONFIG_GRKERNSEC_SOCKET is not set
+CONFIG_GRKERNSEC_SOCKET=y
+CONFIG_GRKERNSEC_SOCKET_ALL=y
+CONFIG_GRKERNSEC_SOCKET_ALL_GID=1004
+CONFIG_GRKERNSEC_SOCKET_CLIENT=y
+CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1003
+CONFIG_GRKERNSEC_SOCKET_SERVER=y
+CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
 
 #
 # Physical Protections
 #
 CONFIG_GRKERNSEC_DENYUSB=y
-# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
+CONFIG_GRKERNSEC_DENYUSB_FORCE=y
 
 #
 # Sysctl Support
@@ -4649,7 +4656,7 @@ CONFIG_GENERIC_IOMAP=y
 CONFIG_GENERIC_IO=y
 CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
 CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
-CONFIG_CRC_CCITT=m
+CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
 CONFIG_CRC_ITU_T=y
diff --git a/core/ports/linux-libre/port-libre-grsecurity.patch b/core/ports/linux-libre/port-libre-grsecurity.patch
index d437421..cecd956 100644
--- a/core/ports/linux-libre/port-libre-grsecurity.patch
+++ b/core/ports/linux-libre/port-libre-grsecurity.patch
@@ -1,5 +1,5 @@
---- grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:14:08.682388834 +0000
-+++ grsecurity-3.1-4.9.9-201702122044.patch	2017-02-18 05:15:45.579051680 +0000
+--- grsecurity-3.1-4.9.11-201702181444.patch 	2017-02-18 05:14:08.682388834 +0000
++++ grsecurity-3.1-4.9.11-201702181444.patch	2017-02-18 05:15:45.579051680 +0000
 @@ -90805,59 +90805,6 @@
   	if (!file->private_data)
   		return -ENOMEM;
diff --git a/core/ports/linux-libre/port-libre-make.patch b/core/ports/linux-libre/port-libre-make.patch
index 6a32ba8..dfbd8af 100644
--- a/core/ports/linux-libre/port-libre-make.patch
+++ b/core/ports/linux-libre/port-libre-make.patch
@@ -3,7 +3,7 @@
 @@ -1,7 +1,7 @@
  VERSION = 4
  PATCHLEVEL = 9
- SUBLEVEL = 10
+ SUBLEVEL = 11
 -EXTRAVERSION = -gnu
 +EXTRAVERSION = -grsec
  NAME = Roaring Lionus
diff --git a/core/reboot.html b/core/reboot.html
index c63f9bc..7bc22ea 100644
--- a/core/reboot.html
+++ b/core/reboot.html
@@ -33,109 +33,17 @@
 
         <h2 id="linux">1.4.1. Linux Kernel</h2>
 
-        <p>c9-ports have two kernels, linux libre and linux blob.
+        <p>Core ports have two kernels, linux-libre and linux-blob.
         Port linux-libre kernel is a true source based kernel that
         respects your freedoms, is x86_64 but not generic configured,
-        with all drivers as modules or correct graphic driver.
-        Port linux-blob contain blobs and loads firmware.</p>
+        select modules (drivers) for your hardware, for example
+        correct graphic driver and disk. Port linux-blob is dangerous,
+        contain blobs (from bad corporations).</p>
 
         <pre>
         # cd /usr/ports/c9-ports/linux-libre
         # pkgmk -d
-        # pkgadd /usr/ports/packages/linux-libre#4.9.9-3.pkg.tar.gz
-        </pre>
-
-        <h2 id="dracut">1.4.2. Dracut - Initramfs</h2>
-
-        <p>Install dracut;</p>
-
-        <pre>
-        # cd /usr/ports/c9-ports/dracut
-        # pkgmk -d
-        # pkgadd /usr/ports/packages/dracut#044-2.pkg.tar.gz
-        </pre>
-
-        <p>Review configuration file;</p>
-
-        <pre>
-        # PUT YOUR CONFIG IN separate files
-        # in /etc/dracut.conf.d named "<name>.conf"
-
-        # Equivalent to -H
-        hostonly="yes"
-
-        # Mount / and /usr read-only by default.
-        ro_mnt="no"
-
-        # Equivalent to -m "module module module"
-        dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown"
-
-        # Equivalent to -a "module"
-        add_dracutmodules+="caps debug"
-
-        # Equivalent to -o "module"
-        #omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd"
-
-        # SEE man dracut.conf(5) for options
-        </pre>
-
-        <p>Run dracut to create init ram filesystem for
-        port linux-blob kernel;</p>
-
-        <pre>
-        # dracut -v /boot/initramfs-4.9.9-blob.img 4.9.9-blob
-        </pre>
-
-        <h2 id="grub">1.4.3. Configuring Grub2</h2>
-
-        <p>Create grub file in /etc/default/grub with values;</p>
-
-        <pre>
-        GRUB_DISABLE_LINUX_UUID=false
-        GRUB_ENABLE_LINUX_LABEL=false
-        </pre>
-
-        <p><a href="http://www.gnu.org/software/grub/manual/grub.html">Grub Manual</a>,
-        install grub on MBR of disk sdb;</p>
-
-        <pre>
-        # grub-install /dev/sdb
-        Installation finished. No error reported.
-        </pre>
-
-        <p>If you are installing on removable media;</p>
-
-        <pre>
-        # grub-install --removable /dev/sdb
-        Installation finished. No error reported.
-        </pre>
-
-        <p>grub-mkconfig generates grub.cfg, it will try to discover
-        available kernels and attempt to generate menu entries for
-        them;</p>
-
-        <pre>
-        # grub-mkconfig -o /boot/grub/grub.cfg
-        Generating grub.cfg ...
-        Found linux image: /boot/vmlinuz-4.9.9-grsec
-        done
-        #
-        </pre>
-
-        <p>Check /boot/grub/grub.cfg, if is wrong add menu to
-        /etc/grub.d/40_custom, replace correct msdos partition
-        from grub-prob output and correct UUID from fstab or blkid</p>
-
-        <pre>
-        # grub-probe --target=hints_string /
-        </pre>
-
-        <p>To add rw as default edit /etc/grub.d/10_linux file, current
-        version change line 138 to;</p>
-
-        <pre>
-        echo    '$message'
-        linux   ${rel_dirname}/${basename} root=${linux_root_device_thisversion} rw ${args}
+        # pkgadd /usr/ports/packages/linux-libre#4.9.11-2.pkg.tar.gz
         </pre>
 
         <h2 id="checkup">1.4.4. Checkup</h2>
@@ -152,13 +60,13 @@
         <h3>Debug initram</h3>
 
         <pre>
-        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.9-blob.img | gunzip -c | cpio -i -d
+        /usr/lib/dracut/skipcpio /boot/initramfs-4.9.11-blob.img | gunzip -c | cpio -i -d
         36875 blocks
         </pre>
 
         <a href="index.html">Core OS Index</a>
         <p>This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>