diff options
| author | Andrew Manison <amanison@anselsystems.com> | 2010-07-02 08:08:13 +0000 |
|---|---|---|
| committer | Andrew Manison <amanison@anselsystems.com> | 2010-07-02 08:08:13 +0000 |
| commit | 79765211f6541090c4f8e629a34732e9ccaa24fd (patch) | |
| tree | 6c392c706ba919497e641f14595e8aae4ca375f3 | |
| parent | 00630fd78516f529daf3005c7defcd6baf4b95f9 (diff) | |
| parent | 2da022a8f0642c8990ba999256fc8b9ccada29f2 (diff) | |
| download | aports-79765211f6541090c4f8e629a34732e9ccaa24fd.tar.bz2 aports-79765211f6541090c4f8e629a34732e9ccaa24fd.tar.xz | |
Merge remote branch 'alpine/master'; fixes for build problems.
Conflicts:
main/abuild/APKBUILD
41 files changed, 745 insertions, 402 deletions
diff --git a/main/abuild/APKBUILD b/main/abuild/APKBUILD index 8c684d6b93..4ad26188c4 100644 --- a/main/abuild/APKBUILD +++ b/main/abuild/APKBUILD @@ -2,13 +2,27 @@ pkgdesc="Script to build Alpine Packages" pkgname=abuild pkgver=2.3 -pkgrel=0 +pkgrel=1 url=http://git.alpinelinux.org/cgit/abuild/ -source="http://git.alpinelinux.org/cgit/abuild/snapshot/abuild-$pkgver.tar.bz2" -depends="fakeroot file sudo pax-utils apk-tools" +source="http://git.alpinelinux.org/cgit/abuild/snapshot/abuild-$pkgver.tar.bz2 + abuild-conflict-message.patch + " +depends="fakeroot file sudo pax-utils openssl apk-tools" makedepends="openssl-dev pkgconfig" license=GPL-2 +prepare() { + cd "$srcdir/$pkgname-$pkgver" + for i in $source; do + case $i in + *.patch) + msg "Applying $i" + patch -p1 -i "$srcdir"/$i || return 1 + ;; + esac + done +} + build() { cd "$srcdir/$pkgname-$pkgver" make @@ -19,4 +33,6 @@ package() { make install DESTDIR="$pkgdir" install -m 644 abuild.conf "$pkgdir"/etc/abuild.conf } -md5sums="7c738e0018202160366b8329ec693502 abuild-2.3.tar.bz2" + +md5sums="7c738e0018202160366b8329ec693502 abuild-2.3.tar.bz2 +45ee7aa6e00732a8c36d7740fb8d2aeb abuild-conflict-message.patch" diff --git a/main/abuild/abuild-conflict-message.patch b/main/abuild/abuild-conflict-message.patch new file mode 100644 index 0000000000..b560634adb --- /dev/null +++ b/main/abuild/abuild-conflict-message.patch @@ -0,0 +1,30 @@ +commit c30c346362223658980275d54d5b7911a3a7486c +Author: Natanael Copa <ncopa@alpinelinux.org> +Date: Wed Jun 30 14:59:07 2010 +0000 + + abuild: detect and report conflicting dependencies properly + +diff --git a/abuild.in b/abuild.in +index 0c94653..4034a86 100755 +--- a/abuild.in ++++ b/abuild.in +@@ -841,15 +841,16 @@ builddeps() { + # find which deps are missing + for i in $deps; do + if [ "${i#\!}" != "$i" ]; then +- list_has ${i#\!} $installed_deps \ ++ $APK info -q -e "${i#\!}" \ + && conflicts="$conflicts ${i#\!}" + elif ! deplist_has $i $installed_deps || [ -n "$upgrade" ]; then + missing="$missing $i" + fi + done +- ++ + if [ -n "$conflicts" ]; then +- die "Conflicting package(s) installed:$conflics" ++ error "Conflicting package(s) installed:$conflicts" ++ return 1 + fi + + if [ -z "$install_deps" ] && [ -z "$recursive" ]; then diff --git a/main/apk-tools/APKBUILD b/main/apk-tools/APKBUILD index 2c96805b48..90cff68dc2 100644 --- a/main/apk-tools/APKBUILD +++ b/main/apk-tools/APKBUILD @@ -1,13 +1,14 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=apk-tools pkgver=2.0.5 -pkgrel=0 +pkgrel=1 pkgdesc="Alpine Package Keeper - package manager for alpine" subpackages="$pkgname-static" depends= makedepends="zlib-dev openssl-dev pkgconfig" source="http://git.alpinelinux.org/cgit/$pkgname/snapshot/$pkgname-$pkgver.tar.bz2 0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch + apk-tools-static.patch " url="http://git.alpinelinux.org/cgit/apk-tools/" @@ -21,6 +22,9 @@ prepare() { *.patch) patch -p1 -i "$srcdir"/$i || return 1 esac done + # the patch includes a symlink + rm -f src/apk-static.c + ln -s apk.c src/apk-static.c } build() { @@ -49,4 +53,5 @@ static() { } md5sums="7f9234ab210557b064d7bd9b42833f0a apk-tools-2.0.5.tar.bz2 -f63d483b724e8e9344ce8cb965d5ed22 0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch" +f63d483b724e8e9344ce8cb965d5ed22 0001-Makefile-do-not-require-lua-pkgconfig-unless-you-int.patch +3c1f21719a6c4aba51333cf0d88c5600 apk-tools-static.patch" diff --git a/main/apk-tools/apk-tools-static.patch b/main/apk-tools/apk-tools-static.patch new file mode 100644 index 0000000000..c122964b45 --- /dev/null +++ b/main/apk-tools/apk-tools-static.patch @@ -0,0 +1,65 @@ +commit dd6008995a8e8509d71ffa906c837e7a320e8a15 +Author: Timo Teräs <timo.teras@iki.fi> +Date: Wed Jun 30 16:53:56 2010 +0300 + + static build: do not use openssl engines + + We want minimal static build. And this now also breaks with our openssl + since it tries to automatically dlopen some of the engine modules. + +diff --git a/.gitignore b/.gitignore +index f6f9cf6..2b22f52 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -1,4 +1,5 @@ + apk ++apk.static + *.o + *.d + *.cmd +diff --git a/src/Makefile b/src/Makefile +index bea288e..c9cda6a 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -41,9 +41,10 @@ endif + + CFLAGS_ALL += -D_ATFILE_SOURCE + CFLAGS_apk.o := -DAPK_VERSION=\"$(FULL_VERSION)\" ++CFLAGS_apk-static.o := -DAPK_VERSION=\"$(FULL_VERSION)\" -DOPENSSL_NO_ENGINE + + progs-$(STATIC) += apk.static +-apk.static-objs := $(apk-objs) ++apk.static-objs := $(filter-out apk.o,$(apk-objs)) apk-static.o + LDFLAGS_apk.static := -static + LDFLAGS_apk += -nopie -L$(obj) + +diff --git a/src/apk-static.c b/src/apk-static.c +new file mode 120000 +index 0000000..bf745af +--- /dev/null ++++ b/src/apk-static.c +@@ -0,0 +1 @@ ++apk.c +\ No newline at end of file +diff --git a/src/apk.c b/src/apk.c +index 81bb950..4196f74 100644 +--- a/src/apk.c ++++ b/src/apk.c +@@ -12,13 +12,17 @@ + #include <stdio.h> + #include <fcntl.h> + #include <ctype.h> ++#include <errno.h> + #include <stdarg.h> + #include <stdlib.h> + #include <string.h> + #include <getopt.h> + #include <sys/stat.h> + ++#include <openssl/crypto.h> ++#ifndef OPENSSL_NO_ENGINE + #include <openssl/engine.h> ++#endif + + #include "apk_defines.h" + #include "apk_database.h" diff --git a/main/apr-util/APKBUILD b/main/apr-util/APKBUILD index 45133a2c29..8730607a5c 100644 --- a/main/apr-util/APKBUILD +++ b/main/apr-util/APKBUILD @@ -7,7 +7,7 @@ url="http://apr.apache.org/" license="APACHE" depends= subpackages="$pkgname-dev" -makedepends="apr-dev expat-dev e2fsprogs-dev" +makedepends="apr-dev expat-dev e2fsprogs-dev bash" source="http://www.apache.org/dist/apr/$pkgname-$pkgver.tar.bz2" build() { diff --git a/main/cmake/APKBUILD b/main/cmake/APKBUILD index bbd1b5885d..64faab3cf5 100644 --- a/main/cmake/APKBUILD +++ b/main/cmake/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=cmake -pkgver=2.8.1 -pkgrel=1 +pkgver=2.8.2 +pkgrel=0 pkgdesc="CMake is a cross-platform open-source make system" url="http://www.cmake.org" license="CMake" @@ -42,4 +42,4 @@ package() { make DESTDIR="$pkgdir" install } -md5sums="a92ad653f9ccc1595d16cd9707f49acc cmake-2.8.1.tar.gz" +md5sums="8c967d5264657a798f22ee23976ff0d9 cmake-2.8.2.tar.gz" diff --git a/main/cracklib/APKBUILD b/main/cracklib/APKBUILD index f7fda7960c..c82e9038f3 100644 --- a/main/cracklib/APKBUILD +++ b/main/cracklib/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Michael Mason <ms13sp@gmail.com> # Maintainer: Michael Mason <ms13sp@gmail.com> pkgname=cracklib -pkgver=2.8.13 -pkgrel=1 +pkgver=2.8.16 +pkgrel=0 pkgdesc="A library used to enforce strong passwords" url="http://sourceforge.net/projects/cracklib" license="GPL" @@ -11,7 +11,14 @@ makedepends="" install= subpackages="$pkgname-dev" source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz + cracklib-nls.patch " + +prepare() { + cd "$srcdir"/$pkgname-$pkgver + patch -p1 -i "$srcdir"/cracklib-nls.patch +} + build() { cd "$srcdir/$pkgname-$pkgver" @@ -24,8 +31,13 @@ build() { --disable-nls \ --with-default-dict make -j1 all || return 1 +} + +package() { + cd "$srcdir/$pkgname-$pkgver" make -j1 DESTDIR="$pkgdir" install } -md5sums="5beb4c6b3c31c83fc98c4c225b25cd94 cracklib-2.8.13.tar.gz" +md5sums="3bfb22db8fcffd019463ee415a1b25b7 cracklib-2.8.16.tar.gz +239b1b7b59bee4dee7577aa9df18ba46 cracklib-nls.patch" diff --git a/main/cracklib/cracklib-nls.patch b/main/cracklib/cracklib-nls.patch new file mode 100644 index 0000000000..3792b741c4 --- /dev/null +++ b/main/cracklib/cracklib-nls.patch @@ -0,0 +1,12 @@ +--- ./util/check.c.orig ++++ ./util/check.c +@@ -22,7 +22,9 @@ + int i; + + setlocale(LC_ALL, ""); ++#if defined(ENABLE_NLS) + textdomain(PACKAGE); ++#endif + + while (fgets(buf, sizeof(buf), stdin) != NULL) { + while (((i = strlen(buf)) > 0) && (i > 0)) { diff --git a/main/dialog/APKBUILD b/main/dialog/APKBUILD index b17527f69a..1035f0d442 100644 --- a/main/dialog/APKBUILD +++ b/main/dialog/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Michael Mason <ms13sp@gmail.com> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=dialog -pkgver=1.1.20100119 -_ver=${pkgver%.*}-${pkgver##*.} +pkgver=1.1.20100428 +_pkgver=1.1-20100428 pkgrel=1 pkgdesc="A script-interpreter which provides a set of curses" url="http://invisible-island.net/dialog/dialog.html" @@ -11,10 +11,10 @@ depends= makedepends="ncurses-dev" install= subpackages="$pkgname-doc" -source="ftp://invisible-island.net/dialog/$pkgname.tar.gz" +source="ftp://ftp.us.debian.org/debian/pool/main/d/$pkgname/dialog_$_pkgver.orig.tar.gz" build() { - cd "$srcdir/$pkgname-$_ver" + cd "$srcdir/$pkgname-$_pkgver" ./configure --prefix=/usr \ --sysconfdir=/etc \ --mandir=/usr/share/man \ @@ -23,8 +23,8 @@ build() { } package() { - cd "$srcdir/$pkgname-$_ver" + cd "$srcdir/$pkgname-$_pkgver" make DESTDIR="$pkgdir" install } -md5sums="3d62219658fdddf3c6247fb45831a5d0 dialog.tar.gz" +md5sums="519c0a0cbac28ddb992111ec2c3f82aa dialog_1.1-20100428.orig.tar.gz" diff --git a/main/gcc/APKBUILD b/main/gcc/APKBUILD index a5fb49a921..da7f662485 100644 --- a/main/gcc/APKBUILD +++ b/main/gcc/APKBUILD @@ -6,12 +6,12 @@ _specsver=0.1.7 _espfver=0.3.6 _uclibc_abiver=0.9.32 -pkgrel=2 +pkgrel=3 pkgdesc="The GNU Compiler Collection" url="http://gcc.gnu.org" license="GPL LGPL" depends="binutils libgcc libgomp" -makedepends="bison flex gmp5-dev mpfr-dev texinfo" +makedepends="bison flex gmp-dev mpfr-dev texinfo" subpackages="$pkgname-doc libstdc++:libcxx g++:gpp libgcc libgomp" source="ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-core-$pkgver.tar.bz2 ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-g++-$pkgver.tar.bz2 @@ -21,6 +21,7 @@ source="ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-core-$pkgver.tar.bz2 pt_gnu_eh_frame.patch uclibc-getipinfo.patch gcc-dynamic-linker.patch + PR32219.patch " # ftp://gcc.gnu.org/pub/gcc/releases/gcc-$pkgver/gcc-objc-$pkgver.tar.bz2 build () @@ -133,4 +134,5 @@ d51a6ec3eac1a90e7fc280d976ce7f80 gcc-g++-4.4.4.tar.bz2 c4045bfa85d8be780affd465be9d8ca8 gcc-spec-env.patch 2db1e3482c5dd59dab70f701afa2ca80 pt_gnu_eh_frame.patch 6cc2385c5bbd6d0da6eaedd53c8bf547 uclibc-getipinfo.patch -6db5c87887beee75cde3cce86625b9ed gcc-dynamic-linker.patch" +6db5c87887beee75cde3cce86625b9ed gcc-dynamic-linker.patch +6c866c7fb8d56deb8f6d652bee64e228 PR32219.patch" diff --git a/main/gcc/PR32219.patch b/main/gcc/PR32219.patch new file mode 100644 index 0000000000..b926e941fc --- /dev/null +++ b/main/gcc/PR32219.patch @@ -0,0 +1,101 @@ +From gcc-patches-return-258497-listarch-gcc-patches=gcc dot gnu dot org at gcc dot gnu dot org Tue Mar 16 13:32:55 2010 +Return-Path: <gcc-patches-return-258497-listarch-gcc-patches=gcc dot gnu dot org at gcc dot gnu dot org> +Delivered-To: listarch-gcc-patches at gcc dot gnu dot org +Received: (qmail 25550 invoked by alias); 16 Mar 2010 13:32:54 -0000 +Received: (qmail 25534 invoked by uid 22791); 16 Mar 2010 13:32:53 -0000 +X-SWARE-Spam-Status: No, hits=-1.1 required=5.0 tests=AWL,BAYES_00,SUBJ_ALL_CAPS +X-Spam-Check-By: sourceware.org +Received: from mail-bw0-f210.google.com (HELO mail-bw0-f210.google.com) (209.85.218.210) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Tue, 16 Mar 2010 13:32:48 +0000 +Received: by bwz2 with SMTP id 2so4002140bwz.30 for <multiple recipients>; Tue, 16 Mar 2010 06:32:45 -0700 (PDT) +Received: by 10.204.14.84 with SMTP id f20mr2900449bka.209.1268746365293; Tue, 16 Mar 2010 06:32:45 -0700 (PDT) +Received: from s42.loc (85-127-85-230.dynamic.xdsl-line.inode.at [85.127.85.230]) by mx.google.com with ESMTPS id 14sm3626793bwz.14.2010.03.16.06.32.43 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Mar 2010 06:32:44 -0700 (PDT) +Received: from cow by s42.loc with local (Exim 4.71) (envelope-from <rep.dot.nop@gmail.com>) id 1NrX2W-0008Nj-5o; Tue, 16 Mar 2010 14:42:32 +0100 +From: Bernhard Reutner-Fischer <rep dot dot dot nop at gmail dot com> +To: gcc-patches at gcc dot gnu dot org +Cc: rguenth at gcc dot gnu dot org, Bernhard Reutner-Fischer <rep dot dot dot nop at gmail dot com> +Subject: [PATCH] PR32219 +Date: Tue, 16 Mar 2010 14:42:27 +0100 +Message-Id: <1268746947-32108-1-git-send-email-rep.dot.nop@gmail.com> +Mailing-List: contact gcc-patches-help at gcc dot gnu dot org; run by ezmlm +Precedence: bulk +List-Id: <gcc-patches.gcc.gnu.org> +List-Archive: <http://gcc.gnu.org/ml/gcc-patches/> +List-Post: <mailto:gcc-patches at gcc dot gnu dot org> +List-Help: <mailto:gcc-patches-help at gcc dot gnu dot org> +Sender: gcc-patches-owner at gcc dot gnu dot org +Delivered-To: mailing list gcc-patches at gcc dot gnu dot org + +Hi, + +As suggested by richi. +regtested on i686-linux-gnu with all default languages and no regressions. +Ok for trunk? + +gcc/ChangeLog +2010-03-15 Bernhard Reutner-Fischer <aldot@gcc.gnu.org> + + PR target/32219 + * varasm.c (default_binds_local_p_1): Weak data is not local. + +gcc/testsuite/ChangeLog +2010-03-15 Bernhard Reutner-Fischer <aldot@gcc.gnu.org> + + PR target/32219 + * gcc.dg/visibility-21.c: New test. + +Signed-off-by: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> +--- + gcc/testsuite/gcc.dg/visibility-21.c | 14 ++++++++++++++ + gcc/varasm.c | 8 ++++---- + 2 files changed, 18 insertions(+), 4 deletions(-) + create mode 100644 gcc/testsuite/gcc.dg/visibility-21.c + +diff --git a/gcc/testsuite/gcc.dg/visibility-21.c b/gcc/testsuite/gcc.dg/visibility-21.c +new file mode 100644 +index 0000000..be7deda +--- /dev/null ++++ b/gcc/testsuite/gcc.dg/visibility-21.c +@@ -0,0 +1,14 @@ ++/* PR target/32219 */ ++/* { dg-do run } */ ++/* { dg-require-visibility "" } */ ++/* { dg-options "-fPIC" { target fpic } } */ ++ ++extern void f() __attribute__((weak,visibility("hidden"))); ++extern int puts( char const* ); ++int main() ++{ ++ if (f) ++ f(); ++ return 0; ++} ++ +diff --git a/gcc/varasm.c b/gcc/varasm.c +index 6b8222f..6b9269a 100644 +--- a/gcc/varasm.c ++++ b/gcc/varasm.c +@@ -6613,6 +6613,10 @@ default_binds_local_p_1 (const_tree exp, int shlib) + /* Static variables are always local. */ + else if (! TREE_PUBLIC (exp)) + local_p = true; ++ /* Weak data can be overridden by a strong symbol ++ in another module and so are not local. */ ++ else if (DECL_WEAK (exp)) ++ local_p = false; + /* A variable is local if the user has said explicitly that it will + be. */ + else if (DECL_VISIBILITY_SPECIFIED (exp) +@@ -6625,10 +6629,6 @@ default_binds_local_p_1 (const_tree exp, int shlib) + local. */ + else if (DECL_VISIBILITY (exp) != VISIBILITY_DEFAULT) + local_p = true; +- /* Default visibility weak data can be overridden by a strong symbol +- in another module and so are not local. */ +- else if (DECL_WEAK (exp)) +- local_p = false; + /* If PIC, then assume that any global name can be overridden by + symbols resolved from other modules, unless we are compiling with + -fwhole-program, which assumes that names are local. */ +-- +1.7.0 + diff --git a/main/git/APKBUILD b/main/git/APKBUILD index f8d9e8bb0d..0e2b7e1ef9 100644 --- a/main/git/APKBUILD +++ b/main/git/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=git -pkgver=1.7.1 -pkgrel=2 +pkgver=1.7.1.1 +pkgrel=0 pkgdesc="GIT - the stupid content tracker" url="http://git.or.cz/" license="GPL2" @@ -10,7 +10,6 @@ subpackages="$pkgname-doc $pkgname-perl" makedepends="zlib-dev openssl-dev curl-dev expat-dev perl-dev python-dev" source="http://kernel.org/pub/software/scm/git/git-$pkgver.tar.bz2 bb-tar.patch - git-do-not-dump-core-when-iconv-fails.patch " _makeopts="NO_ICONV=YesPlease @@ -21,8 +20,6 @@ _makeopts="NO_ICONV=YesPlease build() { cd "$srcdir"/$pkgname-$pkgver patch -p1 -i "$srcdir"/bb-tar.patch || return 1 - patch -p1 -i "$srcdir"/git-do-not-dump-core-when-iconv-fails.patch \ - || return 1 make prefix=/usr DESTDIR="$pkgdir" $_makeopts || return 1 } @@ -45,6 +42,5 @@ perl() { } -md5sums="3da231dbe82ad103373cb530ae7475d5 git-1.7.1.tar.bz2 -e63a201556c4f089de790805c09a2e5b bb-tar.patch -7c660517316261b383a094ef03aad0aa git-do-not-dump-core-when-iconv-fails.patch" +md5sums="1b116a3e2ecce46a89e4272abf0de955 git-1.7.1.1.tar.bz2 +e63a201556c4f089de790805c09a2e5b bb-tar.patch" diff --git a/main/git/git-do-not-dump-core-when-iconv-fails.patch b/main/git/git-do-not-dump-core-when-iconv-fails.patch deleted file mode 100644 index b338ee4809..0000000000 --- a/main/git/git-do-not-dump-core-when-iconv-fails.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit 43acff34b902c38808ac0f326090f2516250e1f0 -Author: Jonathan Nieder <jrnieder@gmail.com> -Date: Sat May 8 18:17:29 2010 -0500 - - cherry-pick: do not dump core when iconv fails - - When cherry-picking, usually the new and old commit encodings are both - UTF-8. Most old iconv implementations do not support this trivial - conversion, so on old platforms, out->message remains NULL, and later - attempts to read it segfault. - - Fix this by noticing the input and output encodings match and skipping - the iconv step, like the other reencode_string() call sites already do. - Also stop segfaulting on other iconv failures: if iconv fails for some - other reason, the best we can do is to pass the old message through. - - This fixes a regression introduced in v1.7.1-rc0~15^2~2 (revert: - clarify label on conflict hunks, 2010-03-20). - - Reported-by: Andreas Krey <a.krey@gmx.de> - Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> - Signed-off-by: Junio C Hamano <gitster@pobox.com> - -diff --git a/builtin/revert.c b/builtin/revert.c -index 778a56e..7d68ef7 100644 ---- a/builtin/revert.c -+++ b/builtin/revert.c -@@ -109,8 +109,13 @@ static int get_message(const char *raw_message, struct commit_message *out) - encoding = "UTF-8"; - if (!git_commit_encoding) - git_commit_encoding = "UTF-8"; -- if ((out->reencoded_message = reencode_string(raw_message, -- git_commit_encoding, encoding))) -+ -+ out->reencoded_message = NULL; -+ out->message = raw_message; -+ if (strcmp(encoding, git_commit_encoding)) -+ out->reencoded_message = reencode_string(raw_message, -+ git_commit_encoding, encoding); -+ if (out->reencoded_message) - out->message = out->reencoded_message; - - abbrev = find_unique_abbrev(commit->object.sha1, DEFAULT_ABBREV); diff --git a/main/gmp/APKBUILD b/main/gmp/APKBUILD deleted file mode 100644 index 36ad708d4b..0000000000 --- a/main/gmp/APKBUILD +++ /dev/null @@ -1,39 +0,0 @@ -# Maintainer: Natanael Copa <ncopa@alpinelinux.org> -pkgname=gmp -pkgver=4.3.2 -pkgrel=1 -pkgdesc="A free library for arbitrary precision arithmetic" -url="http://gmplib.org/" -license="LGPL3" -makedepends="m4 texinfo" -depends= -subpackages="$pkgname-doc $pkgname-dev" -source="ftp://ftp.gnu.org/gnu/gmp/gmp-$pkgver.tar.bz2 - gmp-4.1.4-noexecstack.patch - " - -_builddir="$srcdir"/$pkgname-$pkgver -build() { - cd "$_builddir" - patch -p1 < ../gmp-4.1.4-noexecstack.patch || return 1 - - ABI="32" ./configure --prefix=/usr \ - --build=${CHOST} \ - --infodir=/usr/share/info \ - --mandir=/usr/share/man \ - --localstatedir=/var/state/gmp \ - --disable-mpfr \ - --disable-mpbsd \ - --disable-cxx \ - --with-pic \ - || return 1 - - make || return 1 -} - -package() { - cd "$_builddir" - make -j1 DESTDIR="${pkgdir}" install || return 1 -} -md5sums="dd60683d7057917e34630b4a787932e8 gmp-4.3.2.tar.bz2 -13c34f00e77ded6673270cfea06c35c3 gmp-4.1.4-noexecstack.patch" diff --git a/main/gmp/gmp-4.1.4-noexecstack.patch b/main/gmp/gmp-4.1.4-noexecstack.patch deleted file mode 100644 index 093bec1a5d..0000000000 --- a/main/gmp/gmp-4.1.4-noexecstack.patch +++ /dev/null @@ -1,20 +0,0 @@ -fixed executable stack - -http://bugs.gentoo.org/115038 - ---- gmp-4.1.4/configure -+++ gmp-4.1.4/configure -@@ -21689,6 +21689,13 @@ - fi - echo "')" >> $gmp_configm4 - echo "define(\`__CONFIG_M4_INCLUDED__')" >> $gmp_configm4 -+# Gentoo hack -+case $host_os in -+ *linux*) -+ echo '.section .note.GNU-stack,"",%progbits' >> $gmp_configm4 -+ echo '.previous' >> $gmp_configm4 -+ ;; -+esac - - # Create Makefiles - # FIXME: Upcoming version of autoconf/automake may not like broken lines. diff --git a/main/gmp5/APKBUILD b/main/gmp5/APKBUILD index c2a4ad6f45..e07bff62c7 100644 --- a/main/gmp5/APKBUILD +++ b/main/gmp5/APKBUILD @@ -3,13 +3,13 @@ _name=gmp pkgname=${_name}5 pkgver=5.0.1 -pkgrel=0 +pkgrel=1 pkgdesc="A free library for arbitrary precision arithmetic" url="http://gmplib.org/" license="LGPL3" makedepends="m4 texinfo" depends= -subpackages="$pkgname-doc $pkgname-dev" +subpackages="$pkgname-doc gmp-dev:dev" source="ftp://ftp.gnu.org/gnu/gmp/gmp-$pkgver.tar.bz2 gmp-4.1.4-noexecstack.patch " @@ -39,7 +39,7 @@ package() { } dev() { - replaces="gmp" + replaces="gmp gmp5-dev" default_dev } diff --git a/main/guile/APKBUILD b/main/guile/APKBUILD index 8850b0f1fa..6283d7e341 100644 --- a/main/guile/APKBUILD +++ b/main/guile/APKBUILD @@ -1,12 +1,12 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=guile pkgver=1.8.7 -pkgrel=2 +pkgrel=3 pkgdesc="Guile is a portable, embeddable Scheme implementation written in C" url="http://www.gnu.org/software/guile/" license="GPL" subpackages="$pkgname-dev $pkgname-doc" -makedepends="gmp5-dev libtool ncurses-dev texinfo" +makedepends="gmp-dev libtool ncurses-dev texinfo" depends= install= source="ftp://ftp.gnu.org/pub/gnu/$pkgname/$pkgname-$pkgver.tar.gz" diff --git a/main/iscsitarget-grsec/APKBUILD b/main/iscsitarget-grsec/APKBUILD index b593044200..184f8701bb 100644 --- a/main/iscsitarget-grsec/APKBUILD +++ b/main/iscsitarget-grsec/APKBUILD @@ -27,6 +27,7 @@ subpackages= source="http://downloads.sourceforge.net/$_realname/$_realname-$_iscsiver.tar.gz iscsitarget-1.4.18+linux-2.6.32.patch " +_ksrc=/usr/src/linux-headers-${_abi_release} prepare() { cd "$srcdir"/$_realname-$_iscsiver @@ -39,14 +40,12 @@ prepare() { build() { cd "$srcdir"/$_realname-$_iscsiver unset ARCH - local ksrc=/usr/src/linux-headers-${_abi_release} - make KSRC="$ksrc" kernel || return 1 + make KSRC="$_ksrc" kernel || return 1 } package() { cd "$srcdir"/$_realname-$_iscsiver - local ksrc=/usr/src/linux-headers-${_abi_release} - make KSRC="$ksrc" DISTDIR="$pkgdir" install-kernel || return 1 + make KSRC="$_ksrc" DISTDIR="$pkgdir" install-kernel || return 1 } md5sums="9beca214c28949cce1716b49fec57de4 iscsitarget-1.4.19.tar.gz diff --git a/main/libc0.9.32/APKBUILD b/main/libc0.9.32/APKBUILD index accdcaf3af..328368895b 100644 --- a/main/libc0.9.32/APKBUILD +++ b/main/libc0.9.32/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> _abiver=0.9.32 pkgname=libc$_abiver -_gitver=1006041126 +_gitver=1006300816 pkgver=${_abiver}_alpha0_git$_gitver pkgrel=1 pkgdesc="C library for developing embedded Linux systems" @@ -20,6 +20,7 @@ source="http://build.alpinelinux.org:8010/distfiles/$_snapfile uclibc-libm-pic.patch uclibc-lutimes.patch uclibc-resolv-tls.patch + uclibc-gcc-workaround.patch uclibcconfig.x86 uclibcconfig.i486 " @@ -96,10 +97,11 @@ utils() { mv "$pkgdir"/usr/bin/* "$subpkgdir"/usr/bin/ } -md5sums="048f92606460621d9402c43417392992 libc0.9.32-0.9.32_alpha0_git1006041126.tar.bz2 +md5sums="b7af86c013378888fbd345c47ad21c3a libc0.9.32-0.9.32_alpha0_git1006300816.tar.bz2 4d408f72142ce55a0754948cc9cfe447 compat-stack-guard.patch 2f9739a980be24a842c57516155c7885 uclibc-libm-pic.patch 4d0b8170e6580b47bf5775e65a6f081e uclibc-lutimes.patch d08831b452acdeaa3037525ee617edab uclibc-resolv-tls.patch +a88b7f394c86dc7aa606c9e338e35515 uclibc-gcc-workaround.patch e2eb3bb00a0fe4d6f3d5b5c56b027bab uclibcconfig.x86 e2eb3bb00a0fe4d6f3d5b5c56b027bab uclibcconfig.i486" diff --git a/main/libc0.9.32/uclibc-gcc-workaround.patch b/main/libc0.9.32/uclibc-gcc-workaround.patch new file mode 100644 index 0000000000..f698ecb79e --- /dev/null +++ b/main/libc0.9.32/uclibc-gcc-workaround.patch @@ -0,0 +1,58 @@ +From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> +To: uclibc@uclibc.org +Subject: [PATCH] more workarounds for GCC PR32219 +Date: Wed, 30 Jun 2010 14:46:37 +0300 +Message-Id: <1277898397-10643-1-git-send-email-timo.teras@iki.fi> +X-Mailer: git-send-email 1.7.0.4 +MIME-Version: 1.0 +X-BeenThere: uclibc@uclibc.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: "Discussion and development of uClibc \(the embedded C library\)" + <uclibc.uclibc.org> +List-Unsubscribe: <http://lists.busybox.net/mailman/options/uclibc>, + <mailto:uclibc-request@uclibc.org?subject=unsubscribe> +List-Archive: <http://lists.busybox.net/pipermail/uclibc> +List-Post: <mailto:uclibc@uclibc.org> +List-Help: <mailto:uclibc-request@uclibc.org?subject=help> +List-Subscribe: <http://lists.busybox.net/mailman/listinfo/uclibc>, + <mailto:uclibc-request@uclibc.org?subject=subscribe> +Content-Type: text/plain; charset="utf-8" +Sender: uclibc-bounces@uclibc.org +Errors-To: uclibc-bounces@uclibc.org + +Commit 2e53dd645d5348f207cec7f8595969dc566c5a55 workarounds GCC +bug when accessing _locale_init and _stdio_init. We need the same +fix for __errno_location and __h_errno_location otherwise we crash +calling null with static and non-threaded builds. + +Signed-off-by: Timo TerĂƒÂ¤s <timo.teras@iki.fi> +--- + libc/misc/internals/__uClibc_main.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libc/misc/internals/__uClibc_main.c b/libc/misc/internals/__uClibc_main.c +index 44d1620..e8c470b 100644 +--- a/libc/misc/internals/__uClibc_main.c ++++ b/libc/misc/internals/__uClibc_main.c +@@ -447,11 +447,11 @@ void __uClibc_main(int (*main)(int, char **, char **), int argc, + * have resulted in errno being set nonzero, so set it to 0 before + * we call main. + */ +- if (likely(__errno_location!=NULL)) ++ if (likely(not_null_ptr(__errno_location))) + *(__errno_location()) = 0; + + /* Set h_errno to 0 as well */ +- if (likely(__h_errno_location!=NULL)) ++ if (likely(not_null_ptr(__h_errno_location))) + *(__h_errno_location()) = 0; + + #if defined HAVE_CLEANUP_JMP_BUF && defined __UCLIBC_HAS_THREADS_NATIVE__ +-- +1.7.0.4 + +_______________________________________________ +uClibc mailing list +uClibc@uclibc.org +http://lists.busybox.net/mailman/listinfo/uclibc diff --git a/main/libconfig/APKBUILD b/main/libconfig/APKBUILD index e4bf50072a..db88ca1ca7 100644 --- a/main/libconfig/APKBUILD +++ b/main/libconfig/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libconfig -pkgver=1.4.3 +pkgver=1.4.5 pkgrel=0 pkgdesc="a simple library for manipulating structured configuration files" url="http://www.hyperrealm.com/libconfig/" @@ -24,4 +24,4 @@ package() { make -j1 DESTDIR="$pkgdir/" install } -md5sums="295f580a7bc3a03a44d520d6ace55ee6 libconfig-1.4.3.tar.gz" +md5sums="f2219e1b2501e7296a7d3e971c63666a libconfig-1.4.5.tar.gz" diff --git a/main/libevent/APKBUILD b/main/libevent/APKBUILD index f744779856..4a627408f6 100644 --- a/main/libevent/APKBUILD +++ b/main/libevent/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libevent -pkgver=1.4.13 -pkgrel=1 +pkgver=1.4.14b +pkgrel=0 pkgdesc="An event notification library" url="http://www.monkey.org/~provos/libevent/" license="GPL-2" @@ -20,4 +20,4 @@ package() { cd $srcdir/$pkgname-$pkgver-stable make -j1 DESTDIR=$pkgdir install || return 1 } -md5sums="0b3ea18c634072d12b3c1ee734263664 libevent-1.4.13-stable.tar.gz" +md5sums="a00e037e4d3f9e4fe9893e8a2d27918c libevent-1.4.14b-stable.tar.gz" diff --git a/testing/libowfat/APKBUILD b/main/libowfat/APKBUILD index 8e3ee0eca0..8e3ee0eca0 100644 --- a/testing/libowfat/APKBUILD +++ b/main/libowfat/APKBUILD diff --git a/main/libpng/APKBUILD b/main/libpng/APKBUILD index 39a12f7cdf..db52574fbc 100644 --- a/main/libpng/APKBUILD +++ b/main/libpng/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Carlo Landmeter <clandmeter at gmail> # Maintainer: Carlo Landmeter <clandmeter at gmail> pkgname=libpng -pkgver=1.4.2 +pkgver=1.4.3 pkgrel=0 pkgdesc="Portable Network Graphics library" url="http://www.libpng.org/" @@ -27,4 +27,4 @@ package() { install -Dm644 LICENSE "${pkgdir}"/usr/share/licenses/${pkgname}/LICENSE || return 1 } -md5sums="89fd334dc5fc84ff146b9269c4fa452f libpng-1.4.2.tar.gz" +md5sums="df3521f61a1b8b69489d297c0ca8c1f8 libpng-1.4.3.tar.gz" diff --git a/main/lighttpd/APKBUILD b/main/lighttpd/APKBUILD index 5c03ed55a0..f229887b25 100644 --- a/main/lighttpd/APKBUILD +++ b/main/lighttpd/APKBUILD @@ -2,7 +2,7 @@ pkgname=lighttpd pkgver=1.4.26 _streamver=2.2.0 -pkgrel=4 +pkgrel=5 pkgdesc="a secure, fast, compliant and very flexible web-server" url="http://www.lighttpd.net/" license="custom" diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index cb94b01364..ef73e4958c 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -4,7 +4,7 @@ _flavor=grsec pkgname=linux-${_flavor} pkgver=2.6.32.15 _kernver=2.6.32 -pkgrel=8 +pkgrel=9 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH:-x86}} install= source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2 ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2 - grsecurity-2.1.14-2.6.32.15-201006011506.patch + grsecurity-2.2.0-2.6.32.15-201006271253.patch 0001-grsec-revert-conflicting-flow-cache-changes.patch 0002-gre-fix-hard-header-destination-address-checking.patch 0003-ip_gre-include-route-header_len-in-max_headroom-calc.patch @@ -148,7 +148,7 @@ firmware() { md5sums="260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2 5c9251844c2819eddee4dba1293bd46d patch-2.6.32.15.bz2 -7f61d0de3d703c465bff03a20b2dbd30 grsecurity-2.1.14-2.6.32.15-201006011506.patch +98a8ab1e328d67e40657ef5e4b9d1b37 grsecurity-2.2.0-2.6.32.15-201006271253.patch 1d247140abec49b96250aec9aa59b324 0001-grsec-revert-conflicting-flow-cache-changes.patch 437317f88ec13ace8d39c31983a41696 0002-gre-fix-hard-header-destination-address-checking.patch 151b29a161178ed39d62a08f21f3484d 0003-ip_gre-include-route-header_len-in-max_headroom-calc.patch diff --git a/main/linux-grsec/grsecurity-2.1.14-2.6.32.15-201006011506.patch b/main/linux-grsec/grsecurity-2.2.0-2.6.32.15-201006271253.patch index 215c62b4e2..722e01f379 100644 --- a/main/linux-grsec/grsecurity-2.1.14-2.6.32.15-201006011506.patch +++ b/main/linux-grsec/grsecurity-2.2.0-2.6.32.15-201006271253.patch @@ -7562,7 +7562,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/page_64_types.h linux-2.6.32.15/ #define __VIRTUAL_MASK_SHIFT 47 diff -urNp linux-2.6.32.15/arch/x86/include/asm/paravirt.h linux-2.6.32.15/arch/x86/include/asm/paravirt.h --- linux-2.6.32.15/arch/x86/include/asm/paravirt.h 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/include/asm/paravirt.h 2010-05-28 21:27:14.915041226 -0400 ++++ linux-2.6.32.15/arch/x86/include/asm/paravirt.h 2010-06-19 10:03:50.008525890 -0400 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned pv_mmu_ops.set_fixmap(idx, phys, flags); } @@ -7765,7 +7765,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32. #define MODULES_LEN (MODULES_VADDR - MODULES_END) diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h --- linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h 2010-05-28 21:27:14.915041226 -0400 ++++ linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h 2010-06-19 10:03:50.008525890 -0400 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd) @@ -7785,7 +7785,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.15 /* diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h --- linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h 2010-05-28 21:27:14.915041226 -0400 ++++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h 2010-06-19 10:03:50.008525890 -0400 @@ -16,10 +16,13 @@ extern pud_t level3_kernel_pgt[512]; @@ -7812,7 +7812,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arc } static inline void native_pmd_clear(pmd_t *pmd) -@@ -94,12 +99,18 @@ static inline void native_pud_clear(pud_ +@@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_ static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd) { @@ -7822,15 +7822,6 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64.h linux-2.6.32.15/arc } static inline void native_pgd_clear(pgd_t *pgd) - { -+ -+#ifndef CONFIG_PAX_PER_CPU_PGD - native_set_pgd(pgd, native_make_pgd(0)); -+#endif -+ - } - - /* diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h --- linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h 2010-05-28 21:27:14.915041226 -0400 @@ -7844,7 +7835,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32. #endif /* _ASM_X86_PGTABLE_64_DEFS_H */ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x86/include/asm/pgtable.h --- linux-2.6.32.15/arch/x86/include/asm/pgtable.h 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/include/asm/pgtable.h 2010-05-28 21:27:14.918896182 -0400 ++++ linux-2.6.32.15/arch/x86/include/asm/pgtable.h 2010-06-19 10:03:50.008525890 -0400 @@ -74,12 +74,51 @@ extern struct list_head pgd_list; #define arch_end_context_switch(prev) do {} while(0) @@ -7988,7 +7979,7 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x #ifndef __ASSEMBLY__ extern int direct_gbpages; -@@ -611,11 +698,18 @@ static inline void ptep_set_wrprotect(st +@@ -611,11 +698,23 @@ static inline void ptep_set_wrprotect(st * dst and src can be on the same page, but the range must not overlap, * and must not cross a page boundary. */ @@ -8004,7 +7995,12 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/pgtable.h linux-2.6.32.15/arch/x +#ifdef CONFIG_PAX_PER_CPU_PGD +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count); ++#endif ++ ++#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count); ++#else ++static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {} +#endif #include <asm-generic/pgtable.h> @@ -9301,16 +9297,8 @@ diff -urNp linux-2.6.32.15/arch/x86/include/asm/xsave.h linux-2.6.32.15/arch/x86 ".section .fixup,\"ax\"\n" diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig --- linux-2.6.32.15/arch/x86/Kconfig 2010-05-15 13:20:18.407099662 -0400 -+++ linux-2.6.32.15/arch/x86/Kconfig 2010-05-28 21:27:14.922894828 -0400 -@@ -531,6 +531,7 @@ source "arch/x86/lguest/Kconfig" - - config PARAVIRT - bool "Enable paravirtualization code" -+ depends on !PAX_PER_CPU_PGD - ---help--- - This changes the kernel so it can modify itself when it is run - under a hypervisor, potentially improving performance significantly -@@ -1083,7 +1084,7 @@ config PAGE_OFFSET ++++ linux-2.6.32.15/arch/x86/Kconfig 2010-06-19 11:15:06.486972627 -0400 +@@ -1083,7 +1083,7 @@ config PAGE_OFFSET hex default 0xB0000000 if VMSPLIT_3G_OPT default 0x80000000 if VMSPLIT_2G @@ -9319,7 +9307,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig default 0x40000000 if VMSPLIT_1G default 0xC0000000 depends on X86_32 -@@ -1414,7 +1415,7 @@ config ARCH_USES_PG_UNCACHED +@@ -1414,7 +1414,7 @@ config ARCH_USES_PG_UNCACHED config EFI bool "EFI runtime service support" @@ -9328,7 +9316,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig ---help--- This enables the kernel to use EFI runtime services that are available (such as the EFI variable services). -@@ -1501,6 +1502,7 @@ config KEXEC_JUMP +@@ -1501,6 +1501,7 @@ config KEXEC_JUMP config PHYSICAL_START hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP) default "0x1000000" @@ -9336,7 +9324,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig ---help--- This gives the physical address where the kernel is loaded. -@@ -1565,6 +1567,7 @@ config PHYSICAL_ALIGN +@@ -1565,6 +1566,7 @@ config PHYSICAL_ALIGN hex prompt "Alignment value to which kernel should be aligned" if X86_32 default "0x1000000" @@ -9344,7 +9332,7 @@ diff -urNp linux-2.6.32.15/arch/x86/Kconfig linux-2.6.32.15/arch/x86/Kconfig range 0x2000 0x1000000 ---help--- This value puts the alignment restrictions on physical address -@@ -1596,9 +1599,10 @@ config HOTPLUG_CPU +@@ -1596,9 +1598,10 @@ config HOTPLUG_CPU Say N if you want to disable CPU hotplug. config COMPAT_VDSO @@ -10503,7 +10491,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/efi_stub_32.S linux-2.6.32.15/arch/x8 efi_rt_function_ptr: diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/kernel/entry_32.S --- linux-2.6.32.15/arch/x86/kernel/entry_32.S 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/kernel/entry_32.S 2010-05-28 21:27:15.031137412 -0400 ++++ linux-2.6.32.15/arch/x86/kernel/entry_32.S 2010-06-19 10:03:50.008525890 -0400 @@ -191,7 +191,67 @@ #endif /* CONFIG_X86_32_LAZY_GS */ @@ -10780,15 +10768,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/k #include "syscall_table_32.S" syscall_table_size=(.-sys_call_table) -@@ -1250,12 +1366,15 @@ error_code: - movl %ecx, %fs - UNWIND_ESPFIX_STACK - GS_TO_REG %ecx -+ -+ PAX_ENTER_KERNEL -+ - movl PT_GS(%esp), %edi # get the function address - movl PT_ORIG_EAX(%esp), %edx # get the error code +@@ -1255,9 +1371,12 @@ error_code: movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart REG_TO_PTGS %ecx SET_KERNEL_GS %ecx @@ -10796,7 +10776,12 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/entry_32.S linux-2.6.32.15/arch/x86/k + movl $(__KERNEL_DS), %ecx movl %ecx, %ds movl %ecx, %es ++ ++ PAX_ENTER_KERNEL ++ TRACE_IRQS_OFF + movl %esp,%eax # pt_regs pointer + call *%edi @@ -1351,6 +1470,9 @@ nmi_stack_correct: xorl %edx,%edx # zero error code movl %esp,%eax # pt_regs pointer @@ -11367,7 +11352,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head32.c linux-2.6.32.15/arch/x86/ker /* Reserve INITRD */ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/kernel/head_32.S --- linux-2.6.32.15/arch/x86/kernel/head_32.S 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/kernel/head_32.S 2010-05-28 21:27:15.039159907 -0400 ++++ linux-2.6.32.15/arch/x86/kernel/head_32.S 2010-06-19 10:03:50.008525890 -0400 @@ -19,10 +19,17 @@ #include <asm/setup.h> #include <asm/processor-flags.h> @@ -11658,7 +11643,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke pushl 16(%esp) pushl 24(%esp) pushl 32(%esp) -@@ -608,27 +679,45 @@ ENTRY(initial_code) +@@ -608,27 +679,38 @@ ENTRY(initial_code) /* * BSS section */ @@ -11699,17 +11684,22 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke - .align PAGE_SIZE_asm +.section .swapper_pg_dir,"a",@progbits + + ENTRY(swapper_pg_dir) + .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ + # if KPMDS == 3 +@@ -647,15 +729,24 @@ ENTRY(swapper_pg_dir) + # error "Kernel PMDs should be 1, 2 or 3" + # endif + .align PAGE_SIZE_asm /* needs to be page-sized too */ ++ +#ifdef CONFIG_PAX_PER_CPU_PGD +ENTRY(cpu_pgd) + .rept NR_CPUS -+ .fill 512,8,0 ++ .fill 4,8,0 + .endr +#endif + - ENTRY(swapper_pg_dir) - .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */ - # if KPMDS == 3 -@@ -651,11 +740,12 @@ ENTRY(swapper_pg_dir) + #endif .data ENTRY(stack_start) @@ -11723,7 +11713,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke early_recursion_flag: .long 0 -@@ -691,7 +781,7 @@ fault_msg: +@@ -691,7 +782,7 @@ fault_msg: .word 0 # 32 bit align gdt_desc.address boot_gdt_descr: .word __BOOT_DS+7 @@ -11732,7 +11722,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke .word 0 # 32-bit align idt_desc.address idt_descr: -@@ -702,7 +792,7 @@ idt_descr: +@@ -702,7 +793,7 @@ idt_descr: .word 0 # 32 bit align gdt_desc.address ENTRY(early_gdt_descr) .word GDT_ENTRIES*8-1 @@ -11741,7 +11731,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke /* * The boot_gdt must mirror the equivalent in setup.S and is -@@ -711,5 +801,65 @@ ENTRY(early_gdt_descr) +@@ -711,5 +802,65 @@ ENTRY(early_gdt_descr) .align L1_CACHE_BYTES ENTRY(boot_gdt) .fill GDT_ENTRY_BOOT_CS,8,0 @@ -11809,23 +11799,6 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/head_32.S linux-2.6.32.15/arch/x86/ke + /* Be sure this is zeroed to avoid false validations in Xen */ + .fill PAGE_SIZE_asm - GDT_SIZE,1,0 + .endr -diff -urNp linux-2.6.32.15/arch/x86/kernel/head64.c linux-2.6.32.15/arch/x86/kernel/head64.c ---- linux-2.6.32.15/arch/x86/kernel/head64.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/kernel/head64.c 2010-05-28 21:27:15.039159907 -0400 -@@ -29,7 +29,13 @@ - static void __init zap_identity_mappings(void) - { - pgd_t *pgd = pgd_offset_k(0UL); -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ set_pgd(pgd, native_make_pgd(0)); -+#else - pgd_clear(pgd); -+#endif -+ - __flush_tlb_all(); - } - diff -urNp linux-2.6.32.15/arch/x86/kernel/head_64.S linux-2.6.32.15/arch/x86/kernel/head_64.S --- linux-2.6.32.15/arch/x86/kernel/head_64.S 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/arch/x86/kernel/head_64.S 2010-05-28 21:27:15.039159907 -0400 @@ -12136,7 +12109,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/init_task.c linux-2.6.32.15/arch/x86/ +EXPORT_SYMBOL(init_tss); diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/kernel/ioport.c --- linux-2.6.32.15/arch/x86/kernel/ioport.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/kernel/ioport.c 2010-05-28 21:27:15.039159907 -0400 ++++ linux-2.6.32.15/arch/x86/kernel/ioport.c 2010-06-19 21:48:03.327550760 -0400 @@ -6,6 +6,7 @@ #include <linux/sched.h> #include <linux/kernel.h> @@ -12150,7 +12123,7 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/ker if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) return -EINVAL; +#ifdef CONFIG_GRKERNSEC_IO -+ if (turn_on) { ++ if (turn_on && grsec_disable_privio) { + gr_handle_ioperm(); + return -EPERM; + } @@ -12167,20 +12140,19 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/ioport.c linux-2.6.32.15/arch/x86/ker set_bitmap(t->io_bitmap_ptr, from, num, !turn_on); -@@ -111,8 +118,13 @@ static int do_iopl(unsigned int level, s +@@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { +#ifdef CONFIG_GRKERNSEC_IO -+ gr_handle_iopl(); -+ return -EPERM; -+#else ++ if (grsec_disable_privio) { ++ gr_handle_iopl(); ++ return -EPERM; ++ } ++#endif if (!capable(CAP_SYS_RAWIO)) return -EPERM; -+#endif } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); - diff -urNp linux-2.6.32.15/arch/x86/kernel/irq_32.c linux-2.6.32.15/arch/x86/kernel/irq_32.c --- linux-2.6.32.15/arch/x86/kernel/irq_32.c 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/arch/x86/kernel/irq_32.c 2010-05-28 21:27:15.039159907 -0400 @@ -12406,23 +12378,6 @@ diff -urNp linux-2.6.32.15/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.15/ar relocate_kernel_ptr = control_page; page_list[PA_CONTROL_PAGE] = __pa(control_page); -diff -urNp linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c ---- linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/kernel/machine_kexec_64.c 2010-05-28 21:27:15.043064911 -0400 -@@ -126,7 +126,13 @@ static int init_level4_page(struct kimag - } - /* clear the unused entries */ - while (addr < end_addr) { -+ -+#ifdef CONFIG_PAX_PER_CPU_PGD -+ set_pgd(level4p++, native_make_pgd(0)); -+#else - pgd_clear(level4p++); -+#endif -+ - addr += PGDIR_SIZE; - } - out: diff -urNp linux-2.6.32.15/arch/x86/kernel/microcode_amd.c linux-2.6.32.15/arch/x86/kernel/microcode_amd.c --- linux-2.6.32.15/arch/x86/kernel/microcode_amd.c 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/arch/x86/kernel/microcode_amd.c 2010-05-28 21:27:15.043064911 -0400 @@ -16982,7 +16937,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/extable.c linux-2.6.32.15/arch/x86/mm/ext pnp_bios_is_utter_crap = 1; diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault.c --- linux-2.6.32.15/arch/x86/mm/fault.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/mm/fault.c 2010-05-28 21:27:15.107152206 -0400 ++++ linux-2.6.32.15/arch/x86/mm/fault.c 2010-06-19 10:03:50.012498759 -0400 @@ -11,10 +11,19 @@ #include <linux/kprobes.h> /* __kprobes, ... */ #include <linux/mmiotrace.h> /* kmmio_handler, ... */ @@ -17069,17 +17024,19 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault break; } spin_unlock_irqrestore(&pgd_lock, flags); -@@ -257,6 +303,9 @@ static noinline int vmalloc_fault(unsign - * Do _not_ use "current" here. We might be inside +@@ -258,6 +304,11 @@ static noinline int vmalloc_fault(unsign * an interrupt in the middle of a task switch.. */ + pgd_paddr = read_cr3(); ++ +#ifdef CONFIG_PAX_PER_CPU_PGD -+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK)); ++ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK)); +#endif - pgd_paddr = read_cr3(); ++ pmd_k = vmalloc_sync_one(__va(pgd_paddr), address); if (!pmd_k) -@@ -332,15 +381,27 @@ void vmalloc_sync_all(void) + return -1; +@@ -332,15 +383,27 @@ void vmalloc_sync_all(void) const pgd_t *pgd_ref = pgd_offset_k(address); unsigned long flags; @@ -17107,7 +17064,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault if (pgd_none(*pgd)) set_pgd(pgd, *pgd_ref); else -@@ -373,7 +434,14 @@ static noinline int vmalloc_fault(unsign +@@ -373,7 +436,14 @@ static noinline int vmalloc_fault(unsign * happen within a race in page table update. In the later * case just flush: */ @@ -17122,7 +17079,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault pgd_ref = pgd_offset_k(address); if (pgd_none(*pgd_ref)) return -1; -@@ -535,7 +603,7 @@ static int is_errata93(struct pt_regs *r +@@ -535,7 +605,7 @@ static int is_errata93(struct pt_regs *r static int is_errata100(struct pt_regs *regs, unsigned long address) { #ifdef CONFIG_X86_64 @@ -17131,7 +17088,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault return 1; #endif return 0; -@@ -562,7 +630,7 @@ static int is_f00f_bug(struct pt_regs *r +@@ -562,7 +632,7 @@ static int is_f00f_bug(struct pt_regs *r } static const char nx_warning[] = KERN_CRIT @@ -17140,7 +17097,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault static void show_fault_oops(struct pt_regs *regs, unsigned long error_code, -@@ -571,15 +639,26 @@ show_fault_oops(struct pt_regs *regs, un +@@ -571,15 +641,26 @@ show_fault_oops(struct pt_regs *regs, un if (!oops_may_print()) return; @@ -17169,7 +17126,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault printk(KERN_ALERT "BUG: unable to handle kernel "); if (address < PAGE_SIZE) printk(KERN_CONT "NULL pointer dereference"); -@@ -704,6 +783,68 @@ __bad_area_nosemaphore(struct pt_regs *r +@@ -704,6 +785,68 @@ __bad_area_nosemaphore(struct pt_regs *r unsigned long address, int si_code) { struct task_struct *tsk = current; @@ -17238,7 +17195,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault /* User mode accesses just cause a SIGSEGV */ if (error_code & PF_USER) { -@@ -848,6 +989,106 @@ static int spurious_fault_check(unsigned +@@ -848,6 +991,106 @@ static int spurious_fault_check(unsigned return 1; } @@ -17345,7 +17302,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault /* * Handle a spurious fault caused by a stale TLB entry. * -@@ -914,6 +1155,9 @@ int show_unhandled_signals = 1; +@@ -914,6 +1157,9 @@ int show_unhandled_signals = 1; static inline int access_error(unsigned long error_code, int write, struct vm_area_struct *vma) { @@ -17355,7 +17312,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault if (write) { /* write, present and write, not present: */ if (unlikely(!(vma->vm_flags & VM_WRITE))) -@@ -947,17 +1191,31 @@ do_page_fault(struct pt_regs *regs, unsi +@@ -947,17 +1193,31 @@ do_page_fault(struct pt_regs *regs, unsi { struct vm_area_struct *vma; struct task_struct *tsk; @@ -17391,7 +17348,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault /* * Detect and handle instructions that would cause a page fault for * both a tracked kernel page and a userspace page. -@@ -1017,7 +1275,7 @@ do_page_fault(struct pt_regs *regs, unsi +@@ -1017,7 +1277,7 @@ do_page_fault(struct pt_regs *regs, unsi * User-mode registers count as a user access even for any * potential system fault or CPU buglet: */ @@ -17400,7 +17357,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault local_irq_enable(); error_code |= PF_USER; } else { -@@ -1071,6 +1329,11 @@ do_page_fault(struct pt_regs *regs, unsi +@@ -1071,6 +1331,11 @@ do_page_fault(struct pt_regs *regs, unsi might_sleep(); } @@ -17412,7 +17369,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault vma = find_vma(mm, address); if (unlikely(!vma)) { bad_area(regs, error_code, address); -@@ -1082,18 +1345,24 @@ do_page_fault(struct pt_regs *regs, unsi +@@ -1082,18 +1347,24 @@ do_page_fault(struct pt_regs *regs, unsi bad_area(regs, error_code, address); return; } @@ -17436,19 +17393,19 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/fault.c linux-2.6.32.15/arch/x86/mm/fault + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) { + bad_area(regs, error_code, address); + return; -+ } + } + +#ifdef CONFIG_PAX_SEGMEXEC + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) { + bad_area(regs, error_code, address); + return; - } ++ } +#endif + if (unlikely(expand_stack(vma, address))) { bad_area(regs, error_code, address); return; -@@ -1137,3 +1406,199 @@ good_area: +@@ -1137,3 +1408,199 @@ good_area: up_read(&mm->mmap_sem); } @@ -18182,7 +18139,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init_64.c linux-2.6.32.15/arch/x86/mm/ini return "[vsyscall]"; diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c --- linux-2.6.32.15/arch/x86/mm/init.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/mm/init.c 2010-05-28 21:27:15.114903294 -0400 ++++ linux-2.6.32.15/arch/x86/mm/init.c 2010-06-19 10:03:50.012498759 -0400 @@ -69,11 +69,7 @@ static void __init find_early_table_spac * cause a hotspot and fill up ZONE_DMA. The page tables * need roughly 0.5KB per GB. @@ -18211,7 +18168,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c return 1; if (iomem_is_exclusive(pagenr << PAGE_SHIFT)) return 0; -@@ -379,6 +381,87 @@ void free_init_pages(char *what, unsigne +@@ -379,6 +381,89 @@ void free_init_pages(char *what, unsigne void free_initmem(void) { @@ -18250,12 +18207,14 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/init.c linux-2.6.32.15/arch/x86/mm/init.c +*/ +#ifdef CONFIG_X86_PAE + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT); ++/* + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) { + pgd = pgd_offset_k(addr); + pud = pud_offset(pgd, addr); + pmd = pmd_offset(pud, addr); + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask))); + } ++*/ +#endif + +#ifdef CONFIG_MODULES @@ -18475,38 +18434,83 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/numa_32.c linux-2.6.32.15/arch/x86/mm/num #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE) diff -urNp linux-2.6.32.15/arch/x86/mm/pageattr.c linux-2.6.32.15/arch/x86/mm/pageattr.c --- linux-2.6.32.15/arch/x86/mm/pageattr.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/mm/pageattr.c 2010-05-28 21:27:15.118897735 -0400 -@@ -268,9 +268,10 @@ static inline pgprot_t static_protection ++++ linux-2.6.32.15/arch/x86/mm/pageattr.c 2010-06-19 10:03:50.012498759 -0400 +@@ -261,16 +261,17 @@ static inline pgprot_t static_protection + * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support. + */ + if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT)) +- pgprot_val(forbidden) |= _PAGE_NX; ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; + + /* + * The kernel text needs to be executable for obvious reasons * Does not cover __inittext since that is gone later on. On * 64bit we do not enforce !NX on the low mapping */ - if (within(address, (unsigned long)_text, (unsigned long)_etext)) +- pgprot_val(forbidden) |= _PAGE_NX; + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext))) - pgprot_val(forbidden) |= _PAGE_NX; ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; +#ifdef CONFIG_DEBUG_RODATA /* * The .rodata section needs to be read-only. Using the pfn * catches all aliases. -@@ -278,6 +279,7 @@ static inline pgprot_t static_protection +@@ -278,6 +279,14 @@ static inline pgprot_t static_protection if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT, __pa((unsigned long)__end_rodata) >> PAGE_SHIFT)) pgprot_val(forbidden) |= _PAGE_RW; +#endif ++ ++#ifdef CONFIG_PAX_KERNEXEC ++ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) { ++ pgprot_val(forbidden) |= _PAGE_RW; ++ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask; ++ } ++#endif prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden)); -@@ -331,7 +333,10 @@ EXPORT_SYMBOL_GPL(lookup_address); +@@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address); static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte) { /* change init_mm */ + pax_open_kernel(); set_pte_atomic(kpte, pte); -+ pax_close_kernel(); + #ifdef CONFIG_X86_32 if (!SHARED_KERNEL_PMD) { ++ ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ unsigned long cpu; ++#else struct page *page; ++#endif + ++#ifdef CONFIG_PAX_PER_CPU_PGD ++ for (cpu = 0; cpu < NR_CPUS; ++cpu) { ++ pgd_t *pgd = get_cpu_pgd(cpu); ++#else + list_for_each_entry(page, &pgd_list, lru) { +- pgd_t *pgd; ++ pgd_t *pgd = (pgd_t *)page_address(page);; ++#endif ++ + pud_t *pud; + pmd_t *pmd; + +- pgd = (pgd_t *)page_address(page) + pgd_index(address); ++ pgd += pgd_index(address); + pud = pud_offset(pgd, address); + pmd = pmd_offset(pud, address); + set_pte_atomic((pte_t *)pmd, pte); + } + } + #endif ++ pax_close_kernel(); + } + + static int diff -urNp linux-2.6.32.15/arch/x86/mm/pageattr-test.c linux-2.6.32.15/arch/x86/mm/pageattr-test.c --- linux-2.6.32.15/arch/x86/mm/pageattr-test.c 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/arch/x86/mm/pageattr-test.c 2010-05-28 21:27:15.118897735 -0400 @@ -18577,28 +18581,22 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable_32.c linux-2.6.32.15/arch/x86/mm/ * It's enough to flush this one mapping. diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgtable.c --- linux-2.6.32.15/arch/x86/mm/pgtable.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/arch/x86/mm/pgtable.c 2010-05-28 21:27:15.118897735 -0400 -@@ -63,8 +63,12 @@ void ___pmd_free_tlb(struct mmu_gather * - #if PAGETABLE_LEVELS > 3 - void ___pud_free_tlb(struct mmu_gather *tlb, pud_t *pud) - { -+ -+#ifndef CONFIG_PAX_PER_CPU_PGD - paravirt_release_pud(__pa(pud) >> PAGE_SHIFT); - tlb_remove_page(tlb, virt_to_page(pud)); -+#endif -+ - } - #endif /* PAGETABLE_LEVELS > 3 */ - #endif /* PAGETABLE_LEVELS > 2 */ -@@ -83,8 +87,62 @@ static inline void pgd_list_del(pgd_t *p ++++ linux-2.6.32.15/arch/x86/mm/pgtable.c 2010-06-19 10:03:50.012498759 -0400 +@@ -83,8 +83,59 @@ static inline void pgd_list_del(pgd_t *p list_del(&page->lru); } -#define UNSHARED_PTRS_PER_PGD \ - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD) +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+pteval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT; ++pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT; ++ ++void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) ++{ ++ while (count--) ++ *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER); ++ ++} +#endif + +#ifdef CONFIG_PAX_PER_CPU_PGD @@ -18613,16 +18611,6 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt +#endif + +} -+ -+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) -+{ -+ -+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) -+ while (count--) -+ *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER); -+#endif -+ -+} +#endif + +#ifdef CONFIG_PAX_PER_CPU_PGD @@ -18656,7 +18644,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt static void pgd_ctor(pgd_t *pgd) { -@@ -119,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -119,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd) pgd_list_del(pgd); spin_unlock_irqrestore(&pgd_lock, flags); } @@ -18664,7 +18652,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt /* * List of all pgd's needed for non-PAE so it can invalidate entries -@@ -131,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -131,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd) * -- wli */ @@ -18673,7 +18661,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt /* * In PAE mode, we need to do a cr3 reload (=tlb flush) when * updating the top-level pagetable entries to guarantee the -@@ -143,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd) +@@ -143,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd) * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate * and initialize the kernel pmds here. */ @@ -18682,7 +18670,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd) { -@@ -162,36 +221,38 @@ void pud_populate(struct mm_struct *mm, +@@ -162,36 +214,38 @@ void pud_populate(struct mm_struct *mm, if (mm == current->active_mm) write_cr3(read_cr3()); } @@ -18732,7 +18720,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt return -ENOMEM; } -@@ -204,51 +265,56 @@ static int preallocate_pmds(pmd_t *pmds[ +@@ -204,51 +258,56 @@ static int preallocate_pmds(pmd_t *pmds[ * preallocate which never got a corresponding vma will need to be * freed manually. */ @@ -18806,7 +18794,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt unsigned long flags; pgd = (pgd_t *)__get_free_page(PGALLOC_GFP); -@@ -258,11 +324,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) +@@ -258,11 +317,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm) mm->pgd = pgd; @@ -18820,7 +18808,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt /* * Make sure that pre-populating the pmds is atomic with -@@ -272,14 +338,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) +@@ -272,14 +331,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm) spin_lock_irqsave(&pgd_lock, flags); pgd_ctor(pgd); @@ -18838,7 +18826,7 @@ diff -urNp linux-2.6.32.15/arch/x86/mm/pgtable.c linux-2.6.32.15/arch/x86/mm/pgt out_free_pgd: free_page((unsigned long)pgd); out: -@@ -288,7 +354,7 @@ out: +@@ -288,7 +347,7 @@ out: void pgd_free(struct mm_struct *mm, pgd_t *pgd) { @@ -20109,6 +20097,18 @@ diff -urNp linux-2.6.32.15/Documentation/kernel-parameters.txt linux-2.6.32.15/D pcbit= [HW,ISDN] pcd. [PARIDE] +diff -urNp linux-2.6.32.15/drivers/acpi/acpi_pad.c linux-2.6.32.15/drivers/acpi/acpi_pad.c +--- linux-2.6.32.15/drivers/acpi/acpi_pad.c 2010-03-15 11:52:04.000000000 -0400 ++++ linux-2.6.32.15/drivers/acpi/acpi_pad.c 2010-06-19 10:03:45.704801524 -0400 +@@ -30,7 +30,7 @@ + #include <acpi/acpi_bus.h> + #include <acpi/acpi_drivers.h> + +-#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator" ++#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad" + #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator" + #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80 + static DEFINE_MUTEX(isolated_cpus_lock); diff -urNp linux-2.6.32.15/drivers/acpi/battery.c linux-2.6.32.15/drivers/acpi/battery.c --- linux-2.6.32.15/drivers/acpi/battery.c 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/drivers/acpi/battery.c 2010-05-28 21:27:15.179152446 -0400 @@ -27801,6 +27801,18 @@ diff -urNp linux-2.6.32.15/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.15/drive .owner = THIS_MODULE, .open = blkvsc_open, .release = blkvsc_release, +diff -urNp linux-2.6.32.15/drivers/staging/hv/Hv.c linux-2.6.32.15/drivers/staging/hv/Hv.c +--- linux-2.6.32.15/drivers/staging/hv/Hv.c 2010-05-15 13:20:18.963900073 -0400 ++++ linux-2.6.32.15/drivers/staging/hv/Hv.c 2010-06-19 10:03:50.012498759 -0400 +@@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo + u64 outputAddress = (Output) ? virt_to_phys(Output) : 0; + u32 outputAddressHi = outputAddress >> 32; + u32 outputAddressLo = outputAddress & 0xFFFFFFFF; +- volatile void *hypercallPage = gHvContext.HypercallPage; ++ volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage); + + DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>", + Control, Input, Output); diff -urNp linux-2.6.32.15/drivers/staging/panel/panel.c linux-2.6.32.15/drivers/staging/panel/panel.c --- linux-2.6.32.15/drivers/staging/panel/panel.c 2010-03-15 11:52:04.000000000 -0400 +++ linux-2.6.32.15/drivers/staging/panel/panel.c 2010-05-28 21:27:15.842942312 -0400 @@ -34413,8 +34425,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_alloc.c linux-2.6.32.15/grsecurity/g +} diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c --- linux-2.6.32.15/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/gracl.c 2010-05-28 21:27:16.327077893 -0400 -@@ -0,0 +1,3897 @@ ++++ linux-2.6.32.15/grsecurity/gracl.c 2010-06-26 14:00:02.982610280 -0400 +@@ -0,0 +1,3899 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -38202,6 +38214,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c + who have the 'view' subject flag if the RBAC system is enabled + */ + ++ rcu_read_lock(); + read_lock(&tasklist_lock); + task = find_task_by_vpid(pid); + if (task) { @@ -38230,6 +38243,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c + ret = -ENOENT; + + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + + return ret; +} @@ -38314,8 +38328,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl.c linux-2.6.32.15/grsecurity/gracl.c + diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gracl_cap.c --- linux-2.6.32.15/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/gracl_cap.c 2010-05-28 21:27:16.327077893 -0400 -@@ -0,0 +1,131 @@ ++++ linux-2.6.32.15/grsecurity/gracl_cap.c 2010-06-19 21:06:17.097881201 -0400 +@@ -0,0 +1,138 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -38370,6 +38384,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra + const struct cred *cred = current_cred(); + struct acl_subject_label *curracl; + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set; ++ kernel_cap_t cap_audit = __cap_empty_set; + + if (!gr_acl_is_enabled()) + return 1; @@ -38378,6 +38393,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra + + cap_drop = curracl->cap_lower; + cap_mask = curracl->cap_mask; ++ cap_audit = curracl->cap_invert_audit; + + while ((curracl = curracl->parent_subject)) { + /* if the cap isn't specified in the current computed mask but is specified in the @@ -38389,11 +38405,16 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra + cap_raise(cap_mask, cap); + if (cap_raised(curracl->cap_lower, cap)) + cap_raise(cap_drop, cap); ++ if (cap_raised(curracl->cap_invert_audit, cap)) ++ cap_raise(cap_audit, cap); + } + } + -+ if (!cap_raised(cap_drop, cap)) ++ if (!cap_raised(cap_drop, cap)) { ++ if (cap_raised(cap_audit, cap)) ++ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]); + return 1; ++ } + + curracl = task->acl; + @@ -38409,7 +38430,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_cap.c linux-2.6.32.15/grsecurity/gra + return 1; + } + -+ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap)) ++ if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap)) + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]); + return 0; +} @@ -39818,8 +39839,8 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_segv.c linux-2.6.32.15/grsecurity/gr +} diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gracl_shm.c --- linux-2.6.32.15/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/gracl_shm.c 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,37 @@ ++++ linux-2.6.32.15/grsecurity/gracl_shm.c 2010-06-26 14:01:55.746591444 -0400 +@@ -0,0 +1,40 @@ +#include <linux/kernel.h> +#include <linux/mm.h> +#include <linux/sched.h> @@ -39838,6 +39859,7 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gra + if (!gr_acl_is_enabled()) + return 1; + ++ rcu_read_lock(); + read_lock(&tasklist_lock); + + task = find_task_by_vpid(shm_cprid); @@ -39850,10 +39872,12 @@ diff -urNp linux-2.6.32.15/grsecurity/gracl_shm.c linux-2.6.32.15/grsecurity/gra + (task->acl->mode & GR_PROTSHM) && + (task->acl != current->acl))) { + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid); + return 0; + } + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + + return 1; +} @@ -39882,8 +39906,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chdir.c linux-2.6.32.15/grsecurity/g +} diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/grsec_chroot.c --- linux-2.6.32.15/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/grsec_chroot.c 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,348 @@ ++++ linux-2.6.32.15/grsecurity/grsec_chroot.c 2010-06-26 14:05:26.054819575 -0400 +@@ -0,0 +1,355 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -39907,6 +39931,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + if (likely(!proc_is_chrooted(current))) + return 1; + ++ rcu_read_lock(); + read_lock(&tasklist_lock); + + spid = find_vpid(pid); @@ -39917,12 +39942,14 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + if (unlikely(!have_same_root(current, p))) { + gr_fs_read_unlock(p); + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG); + return 0; + } + gr_fs_read_unlock(p); + } + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); +#endif + return 1; +} @@ -40065,6 +40092,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + if (likely(!proc_is_chrooted(current))) + return 1; + ++ rcu_read_lock(); + read_lock(&tasklist_lock); + + pid = find_vpid(shm_cprid); @@ -40077,6 +40105,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) { + gr_fs_read_unlock(p); + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); + return 0; + } @@ -40090,6 +40119,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + if (unlikely(!have_same_root(current, p))) { + gr_fs_read_unlock(p); + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG); + return 0; + } @@ -40098,6 +40128,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_chroot.c linux-2.6.32.15/grsecurity/ + } + + read_unlock(&tasklist_lock); ++ rcu_read_unlock(); +#endif + return 1; +} @@ -40804,8 +40835,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_fork.c linux-2.6.32.15/grsecurity/gr +} diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/grsec_init.c --- linux-2.6.32.15/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/grsec_init.c 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,241 @@ ++++ linux-2.6.32.15/grsecurity/grsec_init.c 2010-06-27 12:52:54.615758098 -0400 +@@ -0,0 +1,258 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/mm.h> @@ -40814,6 +40845,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr +#include <linux/slab.h> +#include <linux/vmalloc.h> +#include <linux/percpu.h> ++#include <linux/module.h> + +int grsec_enable_link; +int grsec_enable_dmesg; @@ -40848,6 +40880,9 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr +int grsec_enable_tpe; +int grsec_tpe_gid; +int grsec_enable_blackhole; ++#ifdef CONFIG_IPV6_MODULE ++EXPORT_SYMBOL(grsec_enable_blackhole); ++#endif +int grsec_lastack_retries; +int grsec_enable_tpe_all; +int grsec_enable_socket_all; @@ -40857,6 +40892,7 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr +int grsec_enable_socket_server; +int grsec_socket_server_gid; +int grsec_resource_logging; ++int grsec_disable_privio; +int grsec_lock; + +DEFINE_SPINLOCK(grsec_alert_lock); @@ -40928,10 +40964,22 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_init.c linux-2.6.32.15/grsecurity/gr + return; + } + ++ ++#ifdef CONFIG_GRKERNSEC_IO ++#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO) ++ grsec_disable_privio = 1; ++#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON) ++ grsec_disable_privio = 1; ++#else ++ grsec_disable_privio = 0; ++#endif ++#endif ++ +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON) +#ifndef CONFIG_GRKERNSEC_SYSCTL + grsec_lock = 1; +#endif ++ +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL + grsec_enable_audit_textrel = 1; +#endif @@ -41913,8 +41961,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_sock.c linux-2.6.32.15/grsecurity/gr +} diff -urNp linux-2.6.32.15/grsecurity/grsec_sysctl.c linux-2.6.32.15/grsecurity/grsec_sysctl.c --- linux-2.6.32.15/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/grsec_sysctl.c 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,447 @@ ++++ linux-2.6.32.15/grsecurity/grsec_sysctl.c 2010-06-19 21:32:37.093947224 -0400 +@@ -0,0 +1,459 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/sysctl.h> @@ -41940,6 +41988,18 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_sysctl.c linux-2.6.32.15/grsecurity/ +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) +ctl_table grsecurity_table[] = { +#ifdef CONFIG_GRKERNSEC_SYSCTL ++#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO ++#ifdef CONFIG_GRKERNSEC_IO ++ { ++ .ctl_name = CTL_UNNUMBERED, ++ .procname = "disable_priv_io", ++ .data = &grsec_disable_privio, ++ .maxlen = sizeof(int), ++ .mode = 0600, ++ .proc_handler = &proc_dointvec, ++ }, ++#endif ++#endif +#ifdef CONFIG_GRKERNSEC_LINK + { + .ctl_name = CTL_UNNUMBERED, @@ -42443,8 +42503,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsec_tpe.c linux-2.6.32.15/grsecurity/grs +} diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c --- linux-2.6.32.15/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/grsum.c 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,59 @@ ++++ linux-2.6.32.15/grsecurity/grsum.c 2010-06-26 13:55:39.510774424 -0400 +@@ -0,0 +1,61 @@ +#include <linux/err.h> +#include <linux/kernel.h> +#include <linux/sched.h> @@ -42470,6 +42530,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c + volatile int dummy = 0; + unsigned int i; + ++ sg_init_table(&sg, 1); ++ + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(tfm)) { + /* should never happen, since sha256 should be built in */ @@ -42506,8 +42568,8 @@ diff -urNp linux-2.6.32.15/grsecurity/grsum.c linux-2.6.32.15/grsecurity/grsum.c +} diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig --- linux-2.6.32.15/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/grsecurity/Kconfig 2010-05-28 21:27:16.331240103 -0400 -@@ -0,0 +1,965 @@ ++++ linux-2.6.32.15/grsecurity/Kconfig 2010-06-26 14:17:55.584309817 -0400 +@@ -0,0 +1,981 @@ +# +# grecurity configuration +# @@ -43342,7 +43404,7 @@ diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig + all servers it connects to have this option enabled, consider + disabling this feature on the haproxy host. + -+ If this option is enabled, two sysctl options with names ++ If the sysctl option is enabled, two sysctl options with names + "ip_blackhole" and "lastack_retries" will be created. + While "ip_blackhole" takes the standard zero/non-zero on/off + toggle, "lastack_retries" uses the same kinds of values as @@ -43434,6 +43496,22 @@ diff -urNp linux-2.6.32.15/grsecurity/Kconfig linux-2.6.32.15/grsecurity/Kconfig + be set to a non-zero value after all the options are set. + *THIS IS EXTREMELY IMPORTANT* + ++config GRKERNSEC_SYSCTL_DISTRO ++ bool "Extra sysctl support for distro makers (READ HELP)" ++ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO ++ help ++ If you say Y here, additional sysctl options will be created ++ for features that affect processes running as root. Therefore, ++ it is critical when using this option that the grsec_lock entry be ++ enabled after boot. Only distros with prebuilt kernel packages ++ with this option enabled that can ensure grsec_lock is enabled ++ after boot should use this option. ++ *Failure to set grsec_lock after boot makes all grsec features ++ this option covers useless* ++ ++ Currently this option creates the following sysctl entries: ++ "Disable Privileged I/O": "disable_priv_io" ++ +config GRKERNSEC_SYSCTL_ON + bool "Turn on features by default" + depends on GRKERNSEC_SYSCTL @@ -44679,8 +44757,8 @@ diff -urNp linux-2.6.32.15/include/linux/genhd.h linux-2.6.32.15/include/linux/g struct blk_integrity *integrity; diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/gracl.h --- linux-2.6.32.15/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/include/linux/gracl.h 2010-05-28 21:27:16.355225759 -0400 -@@ -0,0 +1,309 @@ ++++ linux-2.6.32.15/include/linux/gracl.h 2010-06-19 21:06:17.097881201 -0400 +@@ -0,0 +1,310 @@ +#ifndef GR_ACL_H +#define GR_ACL_H + @@ -44692,8 +44770,8 @@ diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/g + +/* Major status information */ + -+#define GR_VERSION "grsecurity 2.1.14" -+#define GRSECURITY_VERSION 0x2114 ++#define GR_VERSION "grsecurity 2.2.0" ++#define GRSECURITY_VERSION 0x2200 + +enum { + GR_SHUTDOWN = 0, @@ -44784,6 +44862,7 @@ diff -urNp linux-2.6.32.15/include/linux/gracl.h linux-2.6.32.15/include/linux/g + __u32 mode; + kernel_cap_t cap_mask; + kernel_cap_t cap_lower; ++ kernel_cap_t cap_invert_audit; + + struct rlimit res[GR_NLIMITS]; + __u32 resmask; @@ -45145,7 +45224,7 @@ diff -urNp linux-2.6.32.15/include/linux/grdefs.h linux-2.6.32.15/include/linux/ +#endif diff -urNp linux-2.6.32.15/include/linux/grinternal.h linux-2.6.32.15/include/linux/grinternal.h --- linux-2.6.32.15/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/include/linux/grinternal.h 2010-05-28 21:27:16.355225759 -0400 ++++ linux-2.6.32.15/include/linux/grinternal.h 2010-06-19 21:46:05.111766483 -0400 @@ -0,0 +1,215 @@ +#ifndef __GRINTERNAL_H +#define __GRINTERNAL_H @@ -45364,8 +45443,8 @@ diff -urNp linux-2.6.32.15/include/linux/grinternal.h linux-2.6.32.15/include/li +#endif diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/grmsg.h --- linux-2.6.32.15/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/include/linux/grmsg.h 2010-05-28 21:27:16.355225759 -0400 -@@ -0,0 +1,107 @@ ++++ linux-2.6.32.15/include/linux/grmsg.h 2010-06-19 21:06:17.097881201 -0400 +@@ -0,0 +1,108 @@ +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u" +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u" +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by " @@ -45461,6 +45540,7 @@ diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/g +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4" +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process " +#define GR_CAP_ACL_MSG "use of %s denied for " ++#define GR_CAP_ACL_MSG2 "use of %s permitted for " +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for " +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for " +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by " @@ -45475,8 +45555,8 @@ diff -urNp linux-2.6.32.15/include/linux/grmsg.h linux-2.6.32.15/include/linux/g +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by " diff -urNp linux-2.6.32.15/include/linux/grsecurity.h linux-2.6.32.15/include/linux/grsecurity.h --- linux-2.6.32.15/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500 -+++ linux-2.6.32.15/include/linux/grsecurity.h 2010-05-28 21:27:16.355225759 -0400 -@@ -0,0 +1,199 @@ ++++ linux-2.6.32.15/include/linux/grsecurity.h 2010-06-19 21:45:41.506145931 -0400 +@@ -0,0 +1,200 @@ +#ifndef GR_SECURITY_H +#define GR_SECURITY_H +#include <linux/fs.h> @@ -45673,6 +45753,7 @@ diff -urNp linux-2.6.32.15/include/linux/grsecurity.h linux-2.6.32.15/include/li + struct vm_area_struct *vma); + +extern int grsec_enable_dmesg; ++extern int grsec_disable_privio; +#endif + +#endif @@ -47637,7 +47718,7 @@ diff -urNp linux-2.6.32.15/init/Kconfig linux-2.6.32.15/init/Kconfig also breaks ancient binaries (including anything libc5 based). diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c --- linux-2.6.32.15/init/main.c 2010-04-04 20:41:50.060586306 -0400 -+++ linux-2.6.32.15/init/main.c 2010-05-28 21:27:16.427051097 -0400 ++++ linux-2.6.32.15/init/main.c 2010-06-19 10:03:39.368801195 -0400 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void) #ifdef CONFIG_TC extern void tc_init(void); @@ -47653,7 +47734,7 @@ diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF) +extern void pax_enter_kernel_user(void); +extern void pax_exit_kernel_user(void); -+extern pteval_t clone_pgd_mask; ++extern pgdval_t clone_pgd_mask; +#endif + +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF) @@ -47675,7 +47756,7 @@ diff -urNp linux-2.6.32.15/init/main.c linux-2.6.32.15/init/main.c + *p = 0xc3; + p = (char *)pax_exit_kernel_user; + *p = 0xc3; -+ clone_pgd_mask = ~(pteval_t)0UL; ++ clone_pgd_mask = ~(pgdval_t)0UL; +#endif + + return 0; @@ -50620,7 +50701,7 @@ diff -urNp linux-2.6.32.15/mm/madvise.c linux-2.6.32.15/mm/madvise.c goto out; diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c --- linux-2.6.32.15/mm/memory.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/mm/memory.c 2010-05-28 21:27:16.487251224 -0400 ++++ linux-2.6.32.15/mm/memory.c 2010-06-19 10:03:50.012498759 -0400 @@ -48,6 +48,7 @@ #include <linux/ksm.h> #include <linux/rmap.h> @@ -50629,7 +50710,33 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c #include <linux/delayacct.h> #include <linux/init.h> #include <linux/writeback.h> -@@ -1251,10 +1252,10 @@ int __get_user_pages(struct task_struct +@@ -187,8 +188,12 @@ static inline void free_pmd_range(struct + return; + + pmd = pmd_offset(pud, start); ++ ++#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD) + pud_clear(pud); + pmd_free_tlb(tlb, pmd, start); ++#endif ++ + } + + static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd, +@@ -220,8 +225,12 @@ static inline void free_pud_range(struct + return; + + pud = pud_offset(pgd, start); ++ ++#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD) + pgd_clear(pgd); + pud_free_tlb(tlb, pud, start); ++#endif ++ + } + + /* +@@ -1251,10 +1260,10 @@ int __get_user_pages(struct task_struct (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE); i = 0; @@ -50642,7 +50749,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c if (!vma && in_gate_area(tsk, start)) { unsigned long pg = start & PAGE_MASK; struct vm_area_struct *gate_vma = get_gate_vma(tsk); -@@ -1296,7 +1297,7 @@ int __get_user_pages(struct task_struct +@@ -1296,7 +1305,7 @@ int __get_user_pages(struct task_struct continue; } @@ -50651,7 +50758,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c (vma->vm_flags & (VM_IO | VM_PFNMAP)) || !(vm_flags & vma->vm_flags)) return i ? : -EFAULT; -@@ -1371,7 +1372,7 @@ int __get_user_pages(struct task_struct +@@ -1371,7 +1380,7 @@ int __get_user_pages(struct task_struct start += PAGE_SIZE; nr_pages--; } while (nr_pages && start < vma->vm_end); @@ -50660,7 +50767,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c return i; } -@@ -1967,6 +1968,186 @@ static inline void cow_user_page(struct +@@ -1967,6 +1976,186 @@ static inline void cow_user_page(struct copy_user_highpage(dst, src, va, vma); } @@ -50847,7 +50954,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c /* * This routine handles present pages, when users try to write * to a shared page. It is done by copying the page to a new address -@@ -2146,6 +2327,12 @@ gotten: +@@ -2146,6 +2335,12 @@ gotten: */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); if (likely(pte_same(*page_table, orig_pte))) { @@ -50860,7 +50967,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c if (old_page) { if (!PageAnon(old_page)) { dec_mm_counter(mm, file_rss); -@@ -2197,6 +2384,10 @@ gotten: +@@ -2197,6 +2392,10 @@ gotten: page_remove_rmap(old_page); } @@ -50871,7 +50978,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c /* Free the old page.. */ new_page = old_page; ret |= VM_FAULT_WRITE; -@@ -2594,6 +2785,11 @@ static int do_swap_page(struct mm_struct +@@ -2594,6 +2793,11 @@ static int do_swap_page(struct mm_struct swap_free(entry); if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); @@ -50883,7 +50990,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c unlock_page(page); if (flags & FAULT_FLAG_WRITE) { -@@ -2605,6 +2801,11 @@ static int do_swap_page(struct mm_struct +@@ -2605,6 +2809,11 @@ static int do_swap_page(struct mm_struct /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, pte); @@ -50895,7 +51002,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c unlock: pte_unmap_unlock(page_table, ptl); out: -@@ -2628,7 +2829,7 @@ static int do_anonymous_page(struct mm_s +@@ -2628,7 +2837,7 @@ static int do_anonymous_page(struct mm_s unsigned long address, pte_t *page_table, pmd_t *pmd, unsigned int flags) { @@ -50904,7 +51011,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c spinlock_t *ptl; pte_t entry; -@@ -2663,6 +2864,11 @@ static int do_anonymous_page(struct mm_s +@@ -2663,6 +2872,11 @@ static int do_anonymous_page(struct mm_s if (!pte_none(*page_table)) goto release; @@ -50916,7 +51023,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c inc_mm_counter(mm, anon_rss); page_add_new_anon_rmap(page, vma, address); setpte: -@@ -2670,6 +2876,12 @@ setpte: +@@ -2670,6 +2884,12 @@ setpte: /* No need to invalidate - it was non-present before */ update_mmu_cache(vma, address, entry); @@ -50929,7 +51036,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c unlock: pte_unmap_unlock(page_table, ptl); return 0; -@@ -2812,6 +3024,12 @@ static int __do_fault(struct mm_struct * +@@ -2812,6 +3032,12 @@ static int __do_fault(struct mm_struct * */ /* Only go through if we didn't race with anybody else... */ if (likely(pte_same(*page_table, orig_pte))) { @@ -50942,7 +51049,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c flush_icache_page(vma, page); entry = mk_pte(page, vma->vm_page_prot); if (flags & FAULT_FLAG_WRITE) -@@ -2831,6 +3049,14 @@ static int __do_fault(struct mm_struct * +@@ -2831,6 +3057,14 @@ static int __do_fault(struct mm_struct * /* no need to invalidate: a not-present page won't be cached */ update_mmu_cache(vma, address, entry); @@ -50957,7 +51064,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c } else { if (charged) mem_cgroup_uncharge_page(page); -@@ -2978,6 +3204,12 @@ static inline int handle_pte_fault(struc +@@ -2978,6 +3212,12 @@ static inline int handle_pte_fault(struc if (flags & FAULT_FLAG_WRITE) flush_tlb_page(vma, address); } @@ -50970,7 +51077,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c unlock: pte_unmap_unlock(pte, ptl); return 0; -@@ -2994,6 +3226,10 @@ int handle_mm_fault(struct mm_struct *mm +@@ -2994,6 +3234,10 @@ int handle_mm_fault(struct mm_struct *mm pmd_t *pmd; pte_t *pte; @@ -50981,7 +51088,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c __set_current_state(TASK_RUNNING); count_vm_event(PGFAULT); -@@ -3001,6 +3237,34 @@ int handle_mm_fault(struct mm_struct *mm +@@ -3001,6 +3245,34 @@ int handle_mm_fault(struct mm_struct *mm if (unlikely(is_vm_hugetlb_page(vma))) return hugetlb_fault(mm, vma, address, flags); @@ -51016,7 +51123,7 @@ diff -urNp linux-2.6.32.15/mm/memory.c linux-2.6.32.15/mm/memory.c pgd = pgd_offset(mm, address); pud = pud_alloc(mm, pgd, address); if (!pud) -@@ -3098,7 +3362,7 @@ static int __init gate_vma_init(void) +@@ -3098,7 +3370,7 @@ static int __init gate_vma_init(void) gate_vma.vm_start = FIXADDR_USER_START; gate_vma.vm_end = FIXADDR_USER_END; gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC; @@ -54054,36 +54161,72 @@ diff -urNp linux-2.6.32.15/net/ipv6/raw.c linux-2.6.32.15/net/ipv6/raw.c { diff -urNp linux-2.6.32.15/net/ipv6/tcp_ipv6.c linux-2.6.32.15/net/ipv6/tcp_ipv6.c --- linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-05-28 21:27:16.624385427 -0400 -@@ -1578,6 +1578,9 @@ static int tcp_v6_do_rcv(struct sock *sk - return 0; ++++ linux-2.6.32.15/net/ipv6/tcp_ipv6.c 2010-06-26 14:14:12.642949877 -0400 +@@ -88,6 +88,10 @@ static struct tcp_md5sig_key *tcp_v6_md5 + } + #endif - reset: +#ifdef CONFIG_GRKERNSEC_BLACKHOLE -+ if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK)) ++extern int grsec_enable_blackhole; +#endif - tcp_v6_send_reset(sk, skb); - discard: - if (opt_skb) -@@ -1700,6 +1703,9 @@ no_tcp_socket: ++ + static void tcp_v6_hash(struct sock *sk) + { + if (sk->sk_state != TCP_CLOSE) { +@@ -1655,12 +1659,20 @@ static int tcp_v6_rcv(struct sk_buff *sk + TCP_SKB_CB(skb)->sacked = 0; + + sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); +- if (!sk) ++ if (!sk) { ++#ifdef CONFIG_GRKERNSEC_BLACKHOLE ++ ret = 1; ++#endif + goto no_tcp_socket; ++ } + + process: +- if (sk->sk_state == TCP_TIME_WAIT) ++ if (sk->sk_state == TCP_TIME_WAIT) { ++#ifdef CONFIG_GRKERNSEC_BLACKHOLE ++ ret = 2; ++#endif + goto do_time_wait; ++ } + + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) + goto discard_and_relse; +@@ -1700,6 +1712,10 @@ no_tcp_socket: bad_packet: TCP_INC_STATS_BH(net, TCP_MIB_INERRS); } else { +#ifdef CONFIG_GRKERNSEC_BLACKHOLE -+ if (skb->dev->flags & IFF_LOOPBACK) ++ if (!grsec_enable_blackhole || (ret == 1 && ++ (skb->dev->flags & IFF_LOOPBACK))) +#endif tcp_v6_send_reset(NULL, skb); } diff -urNp linux-2.6.32.15/net/ipv6/udp.c linux-2.6.32.15/net/ipv6/udp.c --- linux-2.6.32.15/net/ipv6/udp.c 2010-03-15 11:52:04.000000000 -0400 -+++ linux-2.6.32.15/net/ipv6/udp.c 2010-05-28 21:27:16.631258014 -0400 -@@ -587,6 +587,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, ++++ linux-2.6.32.15/net/ipv6/udp.c 2010-06-26 14:15:10.978789054 -0400 +@@ -49,6 +49,10 @@ + #include <linux/seq_file.h> + #include "udp_impl.h" + ++#ifdef CONFIG_GRKERNSEC_BLACKHOLE ++extern int grsec_enable_blackhole; ++#endif ++ + int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2) + { + const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr; +@@ -587,6 +591,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE); +#ifdef CONFIG_GRKERNSEC_BLACKHOLE -+ if (skb->dev->flags & IFF_LOOPBACK) ++ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK)) +#endif icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev); @@ -55299,7 +55442,7 @@ diff -urNp linux-2.6.32.15/security/Kconfig linux-2.6.32.15/security/Kconfig +config PAX_KERNEXEC + bool "Enforce non-executable kernel pages" + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN -+ select PAX_PER_CPU_PGD if X86_64 ++ select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE) + help + This is the kernel land equivalent of PAGEEXEC and MPROTECT, + that is, enabling this option will make it harder to inject diff --git a/main/lua-uuid/APKBUILD b/main/lua-uuid/APKBUILD index 6e760893c9..82f00bf3a7 100644 --- a/main/lua-uuid/APKBUILD +++ b/main/lua-uuid/APKBUILD @@ -28,4 +28,4 @@ package() { install -Dm755 uuid.so "$pkgdir"/usr/lib/lua/5.1/uuid.so } -md5sums="e5bd7c2cf563ac4192b793934f545f49 luuid.tar.gz" +md5sums="75f2e8c808c0fb375d9ec5255fd5d4de luuid.tar.gz" diff --git a/main/lvm2/APKBUILD b/main/lvm2/APKBUILD index 4be2a3f9bb..4316aadeaa 100644 --- a/main/lvm2/APKBUILD +++ b/main/lvm2/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=lvm2 -pkgver=2.02.66 +pkgver=2.02.68 pkgrel=0 pkgdesc="Logical Volume Manager 2 utilities" url="http://sourceware.org/lvm2/" @@ -47,6 +47,6 @@ dm() { mv "$pkgdir"/sbin/dm* "$subpkgdir"/sbin/ } -md5sums="59766571610a4298f8bedf9f73839050 LVM2.2.02.66.tgz +md5sums="20357ea7918c4e967e558de53ec74969 LVM2.2.02.68.tgz 6f65f902cf19f144a42b8d6aceadf395 lvm.initd ec36d5fe4561220304e406c5c797e71f lvm.confd" diff --git a/main/mlmmj/APKBUILD b/main/mlmmj/APKBUILD index 1a8e30b50e..fecf39625d 100644 --- a/main/mlmmj/APKBUILD +++ b/main/mlmmj/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mlmmj -pkgver=1.2.16 -pkgrel=2 +pkgver=1.2.17 +pkgrel=0 pkgdesc="Mailing list managing made joyful" url="http://mlmmj.org/" license="MIT" @@ -23,4 +23,4 @@ package() { install -d "$pkgdir"/usr/share/mlmmj/texts cp -r listtexts/* "$pkgdir"/usr/share/mlmmj/texts/ } -md5sums="9ea7ba91ccb55b9edf3e5148537364e3 mlmmj-1.2.16.tar.bz2" +md5sums="bff8050f14f2084d661421135be685ad mlmmj-1.2.17.tar.bz2" diff --git a/main/mpfr3/APKBUILD b/main/mpfr3/APKBUILD index 54e07b2832..31d912402d 100644 --- a/main/mpfr3/APKBUILD +++ b/main/mpfr3/APKBUILD @@ -1,12 +1,12 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=mpfr3 pkgver=3.0.0 -pkgrel=0 +pkgrel=1 pkgdesc="multiple-precision floating-point library" url="http://www.mpfr.org/" license="GPL LGPL" depends= -makedepends="gmp5-dev texinfo" +makedepends="gmp-dev texinfo" source="http://www.mpfr.org/mpfr-current/mpfr-$pkgver.tar.bz2" subpackages="$pkgname-doc mpfr-dev:dev" diff --git a/testing/opentracker/APKBUILD b/main/opentracker/APKBUILD index 642b0d0b54..681d552639 100644 --- a/testing/opentracker/APKBUILD +++ b/main/opentracker/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: pkgname=opentracker pkgver=0_cvs20100625 -pkgrel=0 +pkgrel=1 pkgdesc="an open and free bittorrent tracker" url="http://erdgeist.org/arts/software/opentracker/" license="GPL" diff --git a/testing/opentracker/opentracker.initd b/main/opentracker/opentracker.initd index 33d2817787..33d2817787 100644 --- a/testing/opentracker/opentracker.initd +++ b/main/opentracker/opentracker.initd diff --git a/main/opentracker/opentracker.pre-install b/main/opentracker/opentracker.pre-install new file mode 100644 index 0000000000..c6fc95ed1b --- /dev/null +++ b/main/opentracker/opentracker.pre-install @@ -0,0 +1,5 @@ +#!/bin/sh + +adduser -D -S -H -h /var/empty -s /sbin/false opentracker 2>/dev/null +exit 0 + diff --git a/main/pax-utils/APKBUILD b/main/pax-utils/APKBUILD index b01ea58cd6..4a7069bc0d 100644 --- a/main/pax-utils/APKBUILD +++ b/main/pax-utils/APKBUILD @@ -17,4 +17,4 @@ build() { make DESTDIR="$pkgdir/" install } -md5sums="a2097463fd5a34dd707b2d72d84aea89 pax-utils-0.2.tar.bz2" +md5sums="15a6f2ddadedac0ab6cd4b0683b767b9 pax-utils-0.2.tar.bz2" diff --git a/main/php/APKBUILD b/main/php/APKBUILD index 7c044c8c22..7078294843 100644 --- a/main/php/APKBUILD +++ b/main/php/APKBUILD @@ -3,7 +3,7 @@ pkgname=php pkgver=5.3.2 _suhosinver=${pkgver}-0.9.9.1 -pkgrel=6 +pkgrel=7 pkgdesc="The PHP language runtime engine" url="http://www.php.net/" license="PHP-3" @@ -12,7 +12,7 @@ install="$pkgname.post-upgrade" makedepends="pcre-dev libxml2-dev libiconv-dev openssl-dev zlib-dev bzip2-dev curl-dev libpng-dev jpeg-dev freetype-dev libmcrypt-dev mysql-dev sqlite-dev libtool libltdl postgresql-dev db-dev unixodbc-dev icu-dev - gd-dev gmp5-dev gettext-dev imap-dev aspell-dev + gd-dev gmp-dev gettext-dev imap-dev aspell-dev net-snmp-dev libxslt-dev cyrus-sasl-dev openldap-dev pkgconfig libgcrypt-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-cli $pkgname-pear diff --git a/main/syslinux/APKBUILD b/main/syslinux/APKBUILD index d4d8ca0002..bc55a97ec0 100644 --- a/main/syslinux/APKBUILD +++ b/main/syslinux/APKBUILD @@ -1,21 +1,19 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=syslinux -pkgver=3.86 -pkgrel=1 +pkgver=4.00 +pkgrel=0 pkgdesc="a boot loader for the Linux operating system which operates off an MS-DOS/Windows FAT filesystem." url="http://syslinux.org" license="GPL" makedepends="nasm perl" depends="mtools" -source="http://www.kernel.org/pub/linux/utils/boot/syslinux/3.xx/$pkgname-$pkgver.tar.bz2 - $pkgname-3.86-nopie.patch +source="http://www.kernel.org/pub/linux/utils/boot/syslinux/${pkgver%%.*}.xx/$pkgname-$pkgver.tar.bz2 " subpackages="$pkgname-doc" _builddir="$srcdir"/$pkgname-$pkgver prepare() { cd "$_builddir" - patch -p1 < ../$pkgname-3.86-nopie.patch || return 1 } build() { @@ -29,5 +27,4 @@ package() { make INSTALLROOT="$pkgdir" MANDIR=/usr/share/man local-install } -md5sums="d6fb0231e82190b4932b2aa20274911a syslinux-3.86.tar.bz2 -5852d62ba0772cf967156a75451e6066 syslinux-3.86-nopie.patch" +md5sums="5a475dc9a37ecf7b0beec93eca474f5c syslinux-4.00.tar.bz2" diff --git a/main/uiconv/APKBUILD b/main/uiconv/APKBUILD index ec563413de..1e4aac3b43 100644 --- a/main/uiconv/APKBUILD +++ b/main/uiconv/APKBUILD @@ -14,4 +14,4 @@ build() { make DESTDIR="$pkgdir" PREFIX=/usr/uiconv install } -md5sums="de2ce8da53f32bdec578e1f0270fa15d uiconv-0.3.tar.bz2" +md5sums="5cd7f80085324d08cb976fec674cd98d uiconv-0.3.tar.bz2" diff --git a/rebuild-alpine.sh b/rebuild-alpine.sh index a163e8a70b..5f975dd159 100755 --- a/rebuild-alpine.sh +++ b/rebuild-alpine.sh @@ -1,9 +1,11 @@ -rootdir=$(pwd) +rootdir=$(pwd -P) distclean () { + echo "Removing traces of previous builds from $rootdir" local allpkgs=$(find $rootdir -maxdepth 3 -name APKBUILD -print | sed -e 's/\/APKBUILD//g' | sort) for p in $allpkgs ; do cd $p + pwd abuild clean 2>&1 abuild cleanoldpkg 2>&1 abuild cleanpkg 2>&1 @@ -16,7 +18,7 @@ build () { local maintainer local pkgno local failed - pkgs=$(./aport.lua deplist $rootdir $1) + pkgs=$($rootdir/aport.lua deplist $rootdir $1) pktcnt=$(echo $pkgs | wc -w) pkgno=0 failed=0 @@ -42,14 +44,19 @@ build () { touch START_OF_BUILD.txt -if [ "$1" != "noclean" ] ; then - echo "Removing traces of previous builds" +if [ "$1" = "clean" ] ; then + echo "Invoked with 'clean' option. This will take a while ..." tmp=$(distclean) + echo "Done" fi echo "Refresh aports tree" git pull +#cd main/build-base +#abuild -Ru +#cd $rootdir + for s in main testing unstable ; do echo "Building packages in $s" build $s diff --git a/testing/opentracker/opentracker.pre-install b/testing/opentracker/opentracker.pre-install deleted file mode 100644 index 942fcd6706..0000000000 --- a/testing/opentracker/opentracker.pre-install +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -adduser -D -S -h /var/empty -s /sbin/false opentracker 2>/dev/null -exit 0 - diff --git a/testing/py-crypto/APKBUILD b/testing/py-crypto/APKBUILD index 75f31dd658..a1beecb8fd 100644 --- a/testing/py-crypto/APKBUILD +++ b/testing/py-crypto/APKBUILD @@ -1,12 +1,12 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=py-crypto pkgver=2.0.1 -pkgrel=2 +pkgrel=3 pkgdesc="A collection of cryptographic algorithms and protocols, implemented for use from Python." url="http://www.amk.ca/python/code/crypto.html" license="GPL" depends="python" -makedepends="gmp5-dev python-dev" +makedepends="gmp-dev python-dev" source="http://www.amk.ca/files/python/crypto/pycrypto-$pkgver.tar.gz" _builddir="$srcdir"/pycrypto-$pkgver |