authorNatanael Copa <ncopa@alpinelinux.org>2013-10-23 07:42:50 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-10-23 09:03:30 +0000
commit4b0e04733d6f696392dc8ec213120e7508de88c9 (patch)
treec9ab446505acee91b4b1b12b8f9ce0fa198c4471 /main/linux-grsec
parent244667c408c035ba504efcedc10ffac325d673d4 (diff)
main/linux-grsec: fix x86_64 copy_user_generic
We also remove the requirement for CAP_SYS_ADMIN for /proc/sys so that we can set ip_forward in an LXC container.
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch40
-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch14
3 files changed, 63 insertions, 1 deletions
diff --git a/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch b/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch
new file mode 100644
index 0000000000..da442aae39
--- /dev/null
+++ b/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch
@@ -0,0 +1,40 @@
+From b8bf456d13988fb38cfe248676327f44a2d2ed2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Wed, 23 Oct 2013 09:54:54 +0300
+Subject: [PATCH] pax: x86_64: fix copy_user_generic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Pax patch removed r10 from clobbers list as all assembly code was
+updated to not use it. However, in the error path the assembly code
+ends up calling copy_user_handle_tail() C-function that can clobber
+r10. This broke things for certain gcc optimizations (at least for gcc
+4.8.x), as copy_user_generic() is inline function, and the inline
+assembly incorrectly guaranteed not to clobber r10.
+
+Add r10 back to clobbers list like vanilla kernel has it. It is
+needed always due to the possibly C-function call in error path.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.f>
+Acked-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ arch/x86/include/asm/uaccess_64.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
+index 1dbe82f..9d398f4 100644
+--- a/arch/x86/include/asm/uaccess_64.h
++++ b/arch/x86/include/asm/uaccess_64.h
+@@ -44,7 +44,7 @@ copy_user_generic(void *to, const void *from, unsigned len)
+ ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
+ "=d" (len)),
+ "1" (to), "2" (from), "3" (len)
+- : "memory", "rcx", "r8", "r9", "r11");
++ : "memory", "rcx", "r8", "r9", "r10", "r11");
+ return ret;
+ }
+
+--
+1.8.4.1
+
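Review bot: The restored `"r10"` entry in the clobber list of copy_user_generic() carries no in-code comment, and the patch description says the PaX patch dropped it because the assembly itself no longer used the register, so the same removal could recur on a later rebase. A comment directly above the clobber line would keep the reason next to the code, for example `/* r10 must stay clobbered: the fault path may call the C function copy_user_handle_tail() */`. Separately, the Signed-off-by trailer reads `timo.teras@iki.f` while the From header reads `timo.teras@iki.fi`, so the trailer address looks truncated. The body of copy_user_generic() begins outside the inner hunk, so the rest of the asm statement was not reviewed.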
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 4c4350cff9..17d2dc4d2e 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -18,6 +18,8 @@ install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
grsecurity-2.9.1-$pkgver-unofficial.patch
+ 0001-pax-x86_64-fix-copy_user_generic.patch
+ remove-cap-sys-admin-for-proc-sys.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
@@ -152,6 +154,8 @@ dev() {
md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz
8431ee4e2467fdfde47e31701813a265 patch-3.10.17.xz
6894537e9ccc2b296b27b42c39c64b31 grsecurity-2.9.1-3.10.17-unofficial.patch
+51607abf0a105aebbe65e3df6fb415bd 0001-pax-x86_64-fix-copy_user_generic.patch
+ebb624500d0b89fbf2daadfc7151c693 remove-cap-sys-admin-for-proc-sys.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -164,6 +168,8 @@ c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch
sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz
5552fc6f24a56d13d603ddc7759114a7b52e92ad2fb84a23a1b80b37b739a33b patch-3.10.17.xz
8e82e71c0da392a601a952aa712b56a5116fcf626c19d69ae9d86dda2d200852 grsecurity-2.9.1-3.10.17-unofficial.patch
+0742780b41ded0837d25f0b2f646b954da9362ac5956886427ad630000c0e335 0001-pax-x86_64-fix-copy_user_generic.patch
+01c33a3093d23a6ef5ea50cb91174d524be5bfcc4f3dd9694844cf47697d5287 remove-cap-sys-admin-for-proc-sys.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
@@ -176,6 +182,8 @@ f2843ae4f9b3e3c27f3138ce4b740c2803bdab0c7a910c662d951843803b9554 kernelconfig.x
sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz
38f9085d67d59cb37c32db69b84714a96f327fe74b69bb4a7304861ea6e474614216067ee08093f41739ce803b83a70400c83f06c695cb1114cf41c0b2dc7aa7 patch-3.10.17.xz
6d27a986f32f42b12c4291ebb4b7365d8cd90b604ee9bc57344b9f9764efd7c5aae89c5ab4977878a24ae4b6e812c1db6030c3451bd15fdb2ea01a2a50e2ce41 grsecurity-2.9.1-3.10.17-unofficial.patch
+b32903a59cd582c2acf95869640bb34fefee544d242702e04af1db188f381da3889c9db9475e8ffc31628cda0b0641828f609c5ac9a387dd86ac4917be26792f 0001-pax-x86_64-fix-copy_user_generic.patch
+90d236cb79054751d9081c0ffc002c89cb855e0785c5419449563724e4f9de1c67f763923bdc8c1a5b336ab7850ad33d21fa41ad33b9e2e680badefe40c26626 remove-cap-sys-admin-for-proc-sys.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
diff --git a/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch b/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch
new file mode 100644
index 0000000000..6fa56ba134
--- /dev/null
+++ b/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch
@@ -0,0 +1,14 @@
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index 1e6dc7e..d65d119 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -521,8 +521,6 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
+ dput(filp->f_path.dentry);
+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
+ goto out;
+- if (write && !capable(CAP_SYS_ADMIN))
+- goto out;
+ #endif
+
+ /* careful: calling conventions are nasty here */
+
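Review bot: The deleted `if (write && !capable(CAP_SYS_ADMIN)) goto out;` was the only capability gate visible in this block for writes through proc_sys_call_handler(), and removing it in the package relaxes that hardening for every system running this kernel, not only LXC hosts. What still restricts a write afterwards (the sysctl table mode bits, any permission hook called later in the function) lies outside the hunk and should be confirmed before relying on it. The patch file also has no description header, unlike 0001-pax-x86_64-fix-copy_user_generic.patch, so the trade-off is recorded only in the aports commit message. I would add a short header to the patch, for example `Drop the grsecurity CAP_SYS_ADMIN requirement for /proc/sys writes so ip_forward can be set inside an LXC container; this applies to all writers, not only containers.`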