main/linux-grsec: upgrade to grsecurity-2.9.1-3.9.8-201306302052

author: Natanael Copa <ncopa@alpinelinux.org> 2013-07-02 07:24:16 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-07-02 09:20:23 +0000
commit: 99142aeaac41d3fa49f8af96ffd547719a515352 (patch)
tree: 85df32a55f4db37bcae759dd44adecaaf2088c67 /main/linux-grsec
parent: 3b6b41b9cb552be36a10d61e6626512f8fe1be38 (diff)
download: aports-99142aeaac41d3fa49f8af96ffd547719a515352.tar.bz2
aports-99142aeaac41d3fa49f8af96ffd547719a515352.tar.xz
2 files changed, 108 insertions, 17 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index ebbddba2a3..7e148c4015 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*)	_kernver=${pkgver%.*};;
 *.*)	_kernver=${pkgver};;
 esac
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 	http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
-	grsecurity-2.9.1-3.9.8-201306272057.patch
+	grsecurity-2.9.1-3.9.8-201306302052.patch
 
 	0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 	0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -150,7 +150,7 @@ dev() {
 
 md5sums="4348c9b6b2eb3144d601e87c19d5d909  linux-3.9.tar.xz
 c5f2166686a913abf550bfed8b77df27  patch-3.9.8.xz
-53d60133a86b812060b048275f928041  grsecurity-2.9.1-3.9.8-201306272057.patch
+647f77555169969b4245c62c0fd0f1ab  grsecurity-2.9.1-3.9.8-201306302052.patch
 a16f11b12381efb3bec79b9bfb329836  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 656ae7b10dd2f18dbfa1011041d08d60  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 aa454ffb96428586447775c21449e284  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -161,7 +161,7 @@ d89089b3c7eb94dd9f65cf8a357fc36d  kernelconfig.x86
 eb147f09fef5996a488c247790205cd6  kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541  linux-3.9.tar.xz
 2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7  patch-3.9.8.xz
-587022b1fc72157e43011551404c7d664dcc3b6c95b72a853ef2ce721e474057  grsecurity-2.9.1-3.9.8-201306272057.patch
+b111346072b7907d3a284f12a08c490cbfe35592537bc59442014c95080c3a33  grsecurity-2.9.1-3.9.8-201306302052.patch
 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -172,7 +172,7 @@ de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6  kernelconfig.x
 e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e  kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790  linux-3.9.tar.xz
 60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c  patch-3.9.8.xz
-4ca36180a1fc325a558acf73ec9fe3808542498a8f808f73b87a9f6b05ff290d5a5ab20ce39c547a18ce37d093a9857f5c77c495796e62fef986dfa301a9e566  grsecurity-2.9.1-3.9.8-201306272057.patch
+81912f5c19b8bc891a1ad8ed57bfe91d79c6c301410eb4ef9e58f57caefba2661d9732b306d695e712fd8e7c9b5bbb67659759fade26f4ec853d9cb96d347df9  grsecurity-2.9.1-3.9.8-201306302052.patch
 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02  0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c  0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e  0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch
index 3efd0e4c4b..9c80933310 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306272057.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.8-201306302052.patch
@@ -2312,7 +2312,7 @@ index 60d3b73..d27ee09 100644
  EXPORT_SYMBOL(__get_user_1);
  EXPORT_SYMBOL(__get_user_2);
 diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
-index 0f82098..3dbd3ee 100644
+index 0f82098..fb3d3d5 100644
 --- a/arch/arm/kernel/entry-armv.S
 +++ b/arch/arm/kernel/entry-armv.S
 @@ -47,6 +47,87 @@
@@ -2484,7 +2484,7 @@ index 0f82098..3dbd3ee 100644
   THUMB(	str	sp, [ip], #4		   )
   THUMB(	str	lr, [ip], #4		   )
 -#ifdef CONFIG_CPU_USE_DOMAINS
-+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
  	ldr	r6, [r2, #TI_CPU_DOMAIN]
  #endif
  	set_tls	r3, r4, r5
@@ -2493,7 +2493,7 @@ index 0f82098..3dbd3ee 100644
  	ldr	r7, [r7, #TSK_STACK_CANARY]
  #endif
 -#ifdef CONFIG_CPU_USE_DOMAINS
-+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
++#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
  	mcr	p15, 0, r6, c3, c0, 0		@ Set domain register
  #endif
  	mov	r5, r0
@@ -50560,7 +50560,7 @@ index 6a16053..2155147 100644
  	return rc;
  }
 diff --git a/fs/exec.c b/fs/exec.c
-index 6d56ff2..3bc6638 100644
+index 6d56ff2..f65b4ca 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -55,8 +55,20 @@
@@ -50862,7 +50862,37 @@ index 6d56ff2..3bc6638 100644
  	set_fs(old_fs);
  	return result;
  }
-@@ -1250,7 +1325,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
+@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm)
+ 			set_dumpable(current->mm, suid_dumpable);
+ 	}
+ 
+-	/*
+-	 * Flush performance counters when crossing a
+-	 * security domain:
+-	 */
+-	if (!get_dumpable(current->mm))
+-		perf_event_exit_task(current);
+-
+ 	/* An exec changes our domain. We are no longer part of the thread
+ 	   group */
+ 
+@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm)
+ 
+ 	commit_creds(bprm->cred);
+ 	bprm->cred = NULL;
++
++	/*
++	 * Disable monitoring for regular users
++	 * when executing setuid binaries. Must
++	 * wait until new credentials are committed
++	 * by commit_creds() above
++	 */
++	if (get_dumpable(current->mm) != SUID_DUMP_USER)
++		perf_event_exit_task(current);
+ 	/*
+ 	 * cred_guard_mutex must be held at least to this point to prevent
+ 	 * ptrace_attach() from altering our determination of the task's
+@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
  	}
  	rcu_read_unlock();
  
@@ -50871,7 +50901,7 @@ index 6d56ff2..3bc6638 100644
  		bprm->unsafe |= LSM_UNSAFE_SHARE;
  	} else {
  		res = -EAGAIN;
-@@ -1450,6 +1525,31 @@ int search_binary_handler(struct linux_binprm *bprm)
+@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm)
  
  EXPORT_SYMBOL(search_binary_handler);
  
@@ -50903,7 +50933,7 @@ index 6d56ff2..3bc6638 100644
  /*
   * sys_execve() executes a new program.
   */
-@@ -1457,6 +1557,11 @@ static int do_execve_common(const char *filename,
+@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename,
  				struct user_arg_ptr argv,
  				struct user_arg_ptr envp)
  {
@@ -50915,7 +50945,7 @@ index 6d56ff2..3bc6638 100644
  	struct linux_binprm *bprm;
  	struct file *file;
  	struct files_struct *displaced;
-@@ -1464,6 +1569,8 @@ static int do_execve_common(const char *filename,
+@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename,
  	int retval;
  	const struct cred *cred = current_cred();
  
@@ -50924,7 +50954,7 @@ index 6d56ff2..3bc6638 100644
  	/*
  	 * We move the actual failure in case of RLIMIT_NPROC excess from
  	 * set*uid() to execve() because too many poorly written programs
-@@ -1504,12 +1611,27 @@ static int do_execve_common(const char *filename,
+@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename,
  	if (IS_ERR(file))
  		goto out_unmark;
  
@@ -50952,7 +50982,7 @@ index 6d56ff2..3bc6638 100644
  	retval = bprm_mm_init(bprm);
  	if (retval)
  		goto out_file;
-@@ -1526,24 +1648,65 @@ static int do_execve_common(const char *filename,
+@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename,
  	if (retval < 0)
  		goto out;
  
@@ -51022,7 +51052,7 @@ index 6d56ff2..3bc6638 100644
  	current->fs->in_exec = 0;
  	current->in_execve = 0;
  	acct_update_integrals(current);
-@@ -1552,6 +1715,14 @@ static int do_execve_common(const char *filename,
+@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename,
  		put_files_struct(displaced);
  	return retval;
  
@@ -51037,7 +51067,7 @@ index 6d56ff2..3bc6638 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1700,3 +1871,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
+@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
  	return error;
  }
  #endif
@@ -56758,6 +56788,67 @@ index 69d4889..a810bd4 100644
  {
  	if (sbi->s_bytesex == BYTESEX_PDP)
  		return PDP_swab((__force __u32)n);
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index de08c92f..732cd63 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ 		 */
+ 		return 0;
+ 
++	if (file->f_version == 0) {
++		/*
++		 * The file was seek'ed, which means that @file->private_data
++		 * is now invalid. This may also be just the first
++		 * 'ubifs_readdir()' invocation, in which case
++		 * @file->private_data is NULL, and the below code is
++		 * basically a no-op.
++		 */
++		kfree(file->private_data);
++		file->private_data = NULL;
++	}
++
++	/*
++	 * 'generic_file_llseek()' unconditionally sets @file->f_version to
++	 * zero, and we use this for detecting whether the file was seek'ed.
++	 */
++	file->f_version = 1;
++
+ 	/* File positions 0 and 1 correspond to "." and ".." */
+ 	if (file->f_pos == 0) {
+ 		ubifs_assert(!file->private_data);
+@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
+ 		file->f_pos = key_hash_flash(c, &dent->key);
+ 		file->private_data = dent;
+ 		cond_resched();
++
++		if (file->f_version == 0)
++			/*
++			 * The file was seek'ed meanwhile, lets return and start
++			 * reading direntries from the new position on the next
++			 * invocation.
++			 */
++			return 0;
+ 	}
+ 
+ out:
+@@ -448,15 +474,13 @@ out:
+ 
+ 	kfree(file->private_data);
+ 	file->private_data = NULL;
++	/* 2 is a special value indicating that there are no more direntries */
+ 	file->f_pos = 2;
+ 	return 0;
+ }
+ 
+-/* If a directory is seeked, we have to free saved readdir() state */
+ static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
+ {
+-	kfree(file->private_data);
+-	file->private_data = NULL;
+ 	return generic_file_llseek(file, offset, whence);
+ }
+ 
 diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
 index e18b988..f1d4ad0f 100644
 --- a/fs/ubifs/io.c
author	Natanael Copa <ncopa@alpinelinux.org>	2013-07-02 07:24:16 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-07-02 09:20:23 +0000
commit	99142aeaac41d3fa49f8af96ffd547719a515352 (patch)
tree	85df32a55f4db37bcae759dd44adecaaf2088c67 /main/linux-grsec
parent	3b6b41b9cb552be36a10d61e6626512f8fe1be38 (diff)
download	aports-99142aeaac41d3fa49f8af96ffd547719a515352.tar.bz2 aports-99142aeaac41d3fa49f8af96ffd547719a515352.tar.xz