author | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-16 14:56:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-01-16 16:05:13 +0000 |
commit | 971ff2230214b831cfd5f887cc1b36438ae71efe (patch) | |
tree | de6736931d1be8f600fd5a6dfbf5b26e9753914b | |
parent | 3a796f8c20500f1b810cdeeacac727a7605e5d49 (diff) | |
download | aports-971ff2230214b831cfd5f887cc1b36438ae71efe.tar.bz2 aports-971ff2230214b831cfd5f887cc1b36438ae71efe.tar.xz |
main/linux-grsec: upgrade to grsecurity-3.0-3.14.28-201501142323
and update the gre fix inner mac header in nbma tunnel xmit patch
-rw-r--r-- | main/linux-grsec/APKBUILD | 18 | ||||
-rw-r--r-- | main/linux-grsec/gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch | 52 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-3.0-3.14.28-201501142323.patch (renamed from main/linux-grsec/grsecurity-3.0-3.14.28-201501120819.patch) | 93 | ||||
-rw-r--r-- | main/linux-grsec/net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch | 34 |
4 files changed, 132 insertions, 65 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 0cf77bff23..0a71251df2 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,11 +17,11 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-3.0-3.14.28-201501120819.patch
+ grsecurity-3.0-3.14.28-201501142323.patch
 fix-memory-map-for-PIE-applications.patch
 imx6q-no-unclocked-sleep.patch
- gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
+ net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
 kernelconfig.x86
 kernelconfig.x86_64
@@ -167,28 +167,28 @@ dev() {
 md5sums="b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
 502a4ee34af04e9b9e375e254f7b9a8f patch-3.14.28.xz
-14277edb3cc6b593f80bf0e62ba8ec70 grsecurity-3.0-3.14.28-201501120819.patch
+ec66b87cfa54e5b5bc5b1a3f762d7441 grsecurity-3.0-3.14.28-201501142323.patch
 c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
 1a307fc1d63231bf01d22493a4f14378 imx6q-no-unclocked-sleep.patch
-59a78a67677e25540028414bb5eb6330 gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
+1ced4011e09c6e0a72101d65670f0b5c net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
 870b91f0eb07294ba453ac61b052c0b6 kernelconfig.x86
 38b50cd1a7670f886c5e9fe9f1f91496 kernelconfig.x86_64
 6709c83fbbd38d40f31d39f0022d4ce9 kernelconfig.armhf"
 sha256sums="61558aa490855f42b6340d1a1596be47454909629327c49a5e4e10268065dffa linux-3.14.tar.xz
 e3c79a30ac959c84c329be5461da88a5c79c6463da30d376c27bb103aee79b51 patch-3.14.28.xz
-487f4b17658ab037586e9106bca355ad35195d1e78e73ceb2cc7feb55c54ef46 grsecurity-3.0-3.14.28-201501120819.patch
+55484132973b1c65a335a2f42cd87b59d45c7044fcaddae9698ce8e5c6d47373 grsecurity-3.0-3.14.28-201501142323.patch
 500f3577310be52e87b9fecdc2e9c4ca43210fd97d69089f9005d484563f74c7 fix-memory-map-for-PIE-applications.patch
 21179fbb22a5b74af0a609350ae1a170e232908572b201d02e791d2ce0a685d3 imx6q-no-unclocked-sleep.patch
-f04d0f6610398f3657ddb2e6926113c43ec331ae256704bca4de11f432881ec5 gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
+2c8158a2a4042ac1bcbfa046eb1c7966de56d3797eee99d153d2b176dfff165c net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
 bf953a65ba047b5316509da5bc7a6dbcee12767e343d26e8360369d27bfdbe78 kernelconfig.x86
 d555a01f2b464e20cfa71c67ea6d571f80c707c5a3fea33879de09b085e2d7b6 kernelconfig.x86_64
 01a6c90cf0643f8727d120aede2267ca7303c4ebe548c5d19222d4387ceb98cc kernelconfig.armhf"
 sha512sums="5730d83a7a81134c1e77c0bf89e42dee4f8251ad56c1ac2be20c59e26fdfaa7bea55f277e7af156b637f22e1584914a46089af85039177cb43485089c74ac26e linux-3.14.tar.xz
 ae4dc86ff594f1a4c1a2a8786a1ad1293e539c8225ae202b87ad474c22dbe1906cd919566307a69ae48f2e3819d1024e6997adaff48a2184ac87ec61a38b6a34 patch-3.14.28.xz
-633acca6d98d8a33ee34fcc5c4e51dffe30a682d39ad55bddcee196c15773dc410a59fa70691a73a638cfff7c74379b178952c69e30606435cc6dfae21775ef7 grsecurity-3.0-3.14.28-201501120819.patch
+4e5d53f2a15011e51b538863cd9d36619bd6452151d99275b67f5942537b03f0e1d5cb06594e301ae3ee294461d891656023b793eeafcabcaec9e55a26bdfae2 grsecurity-3.0-3.14.28-201501142323.patch
 4665c56ae1bbac311f9205d64918e84ee8b01d47d6e2396ff6b8adfb10aada7f7254531ce62e31edbb65c2a54a830f09ad05d314dfcd75d6272f4068945ad7c7 fix-memory-map-for-PIE-applications.patch
 87d1ad59732f265a5b0db54490dc1762c14ea4b868e7eb1aedc3ce57b48046de7bbc08cf5cfcf6f1380fa84063b0edb16ba3d5e3c5670be9bbb229275c88b221 imx6q-no-unclocked-sleep.patch
-ddc32533bd519db5298895eb2da5eb95390999bd3f6d27b5eee38551387df4a43f537235d6a9be859ee1f433420f3afbf01e2c1e7ca0175b27460598c5c385f9 gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
+ce0429ba660fa010252e09fc812680b8dafb7b6b213c8eabde89e289f3db536253b81841ec1a73de5408e5556dd5e99c3536dc48457750bfdf7845a3df2b9a79 net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
 dde402be39f68955f9395f807631f1457e90cda76a80e0e198695c8f946cdba02a00fe12a59a77bf5e8b40f5ecb52efbe364449f3e58d8996f27e07b719ac6a4 kernelconfig.x86
 f23749a1cd59c1de769141cef1a358ba3be0985abbfb2fdd065e033c5166f30728192fbf8805b150cf0b1b72a794990da2d9e6e511213cf00d2f0dc47ca61135 kernelconfig.x86_64
 64e421a07bd42e83553338bfdbe16a68dbe94fdb3cb1b3658311f79e002345cc9c8edfcc807d4f989a64f8be4b3a48b4a0b7582ac860f5eacb9ff325a3d36fc5 kernelconfig.armhf"
diff --git a/main/linux-grsec/gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch b/main/linux-grsec/gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
deleted file mode 100644
index 92ee9a9689..0000000000
--- a/main/linux-grsec/gre-fix-the-inner-mac-header-in-nbma-gre-tunnels-xmit-path.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From a09d1e25a3f333dfb0034f2812750fdb0506ba5d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Wed, 10 Dec 2014 08:57:23 +0200
-Subject: [PATCH] gre: fix the inner mac header in nbma gre tunnels xmit path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The NBMA GRE tunnels temporarily push GRE header that contain the
-per-packet NBMA destination on the skb via header ops early in xmit
-path. It is the later pulled before the real GRE header is constructed.
-
-The inner mac was thus set differently in nbma case. Fix this be
-reordering the pull before calling offload handler to make sure
-both tunnel types have inner mac header set same way.
-
-Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length"
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- net/ipv4/ip_gre.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
-index 94213c8..afedb52 100644
---- a/net/ipv4/ip_gre.c
-+++ b/net/ipv4/ip_gre.c
-@@ -250,10 +250,6 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
- struct ip_tunnel *tunnel = netdev_priv(dev);
- const struct iphdr *tnl_params;
-
-- skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
-- if (IS_ERR(skb))
-- goto out;
--
- if (dev->header_ops) {
- /* Need space for new headers */
- if (skb_cow_head(skb, dev->needed_headroom -
-@@ -273,6 +269,10 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
- tnl_params = &tunnel->parms.iph;
- }
-
-+ skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
-+ if (IS_ERR(skb))
-+ goto out;
-+
- __gre_xmit(skb, dev, tnl_params, skb->protocol);
-
- return NETDEV_TX_OK;
---
-2.2.0
-
-
diff --git a/main/linux-grsec/grsecurity-3.0-3.14.28-201501120819.patch b/main/linux-grsec/grsecurity-3.0-3.14.28-201501142323.patch
index 2e17d7508a..7a014f0e61 100644
--- a/main/linux-grsec/grsecurity-3.0-3.14.28-201501120819.patch
+++ b/main/linux-grsec/grsecurity-3.0-3.14.28-201501142323.patch
@@ -51781,7 +51781,7 @@ index 236ed66..dd9cd74 100644
 goto err_busy;
 }
 diff --git a/drivers/staging/line6/driver.c b/drivers/staging/line6/driver.c
-index 7a6d85e..4c55a18 100644
+index 7a6d85e..1304fbe 100644
 --- a/drivers/staging/line6/driver.c
 +++ b/drivers/staging/line6/driver.c
 @@ -458,7 +458,7 @@ int line6_read_data(struct usb_line6 *line6, int address, void *data,
@@ -51832,6 +51832,89 @@ index 7a6d85e..4c55a18 100644
 /* receive the result: */
 ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), 0x67,
+@@ -515,7 +522,7 @@ int line6_write_data(struct usb_line6 *line6, int address, void *data,
+ {
+ struct usb_device *usbdev = line6->usbdev;
+ int ret;
+- unsigned char status;
++ unsigned char *status;
+
+ ret = usb_control_msg(usbdev, usb_sndctrlpipe(usbdev, 0), 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
+@@ -528,26 +535,34 @@ int line6_write_data(struct usb_line6 *line6, int address, void *data,
+ return ret;
+ }
+
++ status = kmalloc(1, GFP_KERNEL);
++ if (status == NULL)
++ return -ENOMEM;
++
+ do {
+ ret = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0),
+ 0x67,
+ USB_TYPE_VENDOR | USB_RECIP_DEVICE |
+ USB_DIR_IN,
+ 0x0012, 0x0000,
+- &status, 1, LINE6_TIMEOUT * HZ);
++ status, 1, LINE6_TIMEOUT * HZ);
+
+ if (ret < 0) {
+ dev_err(line6->ifcdev,
+ "receiving status failed (error %d)\n", ret);
++ kfree(status);
+ return ret;
+ }
+- } while (status == 0xff);
++ } while (*status == 0xff);
+
+- if (status != 0) {
++ if (*status != 0) {
+ dev_err(line6->ifcdev, "write failed (error %d)\n", ret);
++ kfree(status);
+ return -EINVAL;
+ }
+
++ kfree(status);
++
+ return 0;
+ }
+
+diff --git a/drivers/staging/line6/toneport.c b/drivers/staging/line6/toneport.c
+index af2e7e5..e558d65 100644
+--- a/drivers/staging/line6/toneport.c
++++ b/drivers/staging/line6/toneport.c
+@@ -11,6 +11,7 @@
+ */
+
+ #include <linux/wait.h>
++#include <linux/slab.h>
+ #include <sound/control.h>
+
+ #include "audio.h"
+@@ -304,14 +305,20 @@ static void toneport_destruct(struct usb_interface *interface)
+ */
+ static void toneport_setup(struct usb_line6_toneport *toneport)
+ {
+- int ticks;
++ int *ticks;
+ struct usb_line6 *line6 = &toneport->line6;
+ struct usb_device *usbdev = line6->usbdev;
+ u16 idProduct = le16_to_cpu(usbdev->descriptor.idProduct);
+
++ ticks = kmalloc(sizeof(int), GFP_KERNEL);
++ if (ticks == NULL)
++ return;
++
+ /* sync time on device with host: */
+- ticks = (int)get_seconds();
+- line6_write_data(line6, 0x80c6, &ticks, 4);
++ *ticks = (int)get_seconds();
++ line6_write_data(line6, 0x80c6, ticks, sizeof(int));
++
++ kfree(ticks);
+
+ /* enable device: */
+ toneport_send_cmd(usbdev, 0x0301, 0x0000);
 diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c
 index 3f8020c..649fded 100644
 --- a/drivers/staging/lustre/lnet/selftest/brw_test.c
@@ -73265,10 +73348,10 @@ index 0000000..ca25605
 +
 diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
 new file mode 100644
-index 0000000..a89b1f4
+index 0000000..4c7e00a
 --- /dev/null
 +++ b/grsecurity/gracl_fs.c
-@@ -0,0 +1,437 @@
+@@ -0,0 +1,439 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/types.h>
@@ -73701,7 +73784,9 @@ index 0000000..a89b1f4
 + if (unlikely(!gr_acl_is_enabled()))
 + return 0;
 +
-+ if (task != current && task->acl->mode & GR_PROTPROCFD)
++ if (task != current && (task->acl->mode & GR_PROTPROCFD) &&
++ !(current->acl->mode & GR_POVERRIDE) &&
++ !(current->role->roletype & GR_ROLE_GOD))
 + return -EACCES;
 +
 + return 0;
diff --git a/main/linux-grsec/net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch b/main/linux-grsec/net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
new file mode 100644
index 0000000000..579ba6dc7e
--- /dev/null
+++ b/main/linux-grsec/net-v2-gre-fix-the-inner-mac-header-in-nbma-tunnel-xmit-path.patch
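Review bot: In the toneport_setup part of this hunk, a failed `kmalloc` for `ticks` takes a bare `return;`, so the function exits before the enable command `toneport_send_cmd(usbdev, 0x0301, 0x0000)` visible just below and leaves no log entry. Skipping only the time sync would keep the rest of setup running: `if (ticks != NULL) { *ticks = (int)get_seconds(); line6_write_data(line6, 0x80c6, ticks, sizeof(int)); kfree(ticks); }`. Neither new allocation says why a one-byte and an int-sized buffer moved to the heap; if the reason is that buffers handed to `usb_control_msg()` must not live on the stack, a comment such as `/* USB transfer buffers must be DMA-able, not on the stack */` at both `kmalloc` calls would record it. toneport_setup continues past the end of the hunk.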
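Review bot: The rewritten condition in the gracl_fs.c hunk adds two exemptions to the `GR_PROTPROCFD` check without a comment: a caller whose ACL mode has `GR_POVERRIDE`, or whose role type has `GR_ROLE_GOD`, no longer gets `-EACCES`. A line such as `/* callers with GR_POVERRIDE or a GR_ROLE_GOD role may still reach protected fds */` above the `if` would make the intended policy reviewable. The new code also dereferences `current->acl` and `current->role` unconditionally; whether both are always set once `gr_acl_is_enabled()` returns true is not visible here and is worth confirming. The enclosing function starts outside the hunk.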
@@ -0,0 +1,34 @@
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 94213c8..b40b90d 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -250,10 +250,6 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ struct ip_tunnel *tunnel = netdev_priv(dev);
+ const struct iphdr *tnl_params;
+
+- skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
+- if (IS_ERR(skb))
+- goto out;
+-
+ if (dev->header_ops) {
+ /* Need space for new headers */
+ if (skb_cow_head(skb, dev->needed_headroom -
+@@ -266,6 +262,7 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ * to gre header.
+ */
+ skb_pull(skb, tunnel->hlen + sizeof(struct iphdr));
++ skb_reset_mac_header(skb);
+ } else {
+ if (skb_cow_head(skb, dev->needed_headroom))
+ goto free_skb;
+@@ -273,6 +270,10 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ tnl_params = &tunnel->parms.iph;
+ }
+
++ skb = gre_handle_offloads(skb, !!(tunnel->parms.o_flags&TUNNEL_CSUM));
++ if (IS_ERR(skb))
++ goto out;
++
+ __gre_xmit(skb, dev, tnl_params, skb->protocol);
+
+ return NETDEV_TX_OK; |
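Review bot: The new patch file starts directly at `diff --git a/net/ipv4/ip_gre.c`, so the author, subject, description and `Signed-off-by` lines that the file it replaces carried are gone, and nothing in the tree records where this v2 came from or why `skb_reset_mac_header(skb);` was added. Keeping a short mail-style header (From, Subject, and a reference to the v2 posting) in the patch file would make the change auditable later, since the checksums in APKBUILD pin the file's bytes but not its origin. The inner hunks cover only part of ipgre_xmit, which begins and ends outside them.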