authorNatanael Copa <ncopa@alpinelinux.org>2012-10-24 09:59:10 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2012-10-24 09:59:10 +0000
commit7451dee480466d800eb4297b4a38ccd10c7cfa9a (patch)
treee13604f6acbcb96deba654d6ab254e414157fa1e /main/linux-grsec
parent91d5e5becbb8a0f8998d707208eb1f63ae826e42 (diff)
main/linux-grsec: upgrade to 3.6.3 kernel
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/APKBUILD8
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch)107
2 files changed, 57 insertions, 58 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index dd8ba03fe5..53f7802d6c 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,7 +2,7 @@
_flavor=grsec
pkgname=linux-${_flavor}
-pkgver=3.6.2
+pkgver=3.6.3
_kernver=3.6
pkgrel=0
pkgdesc="Linux kernel with grsecurity"
@@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.6.2-201210151829.patch
+ grsecurity-2.9.1-3.6.3-201210231942.patch
0004-arp-flush-arp-cache-on-device-change.patch
@@ -139,8 +139,8 @@ dev() {
}
md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz
-ad1020c82a71ee1ef2416a0d12e724df patch-3.6.2.xz
-c64b40d5b75594c066e014c19dad244c grsecurity-2.9.1-3.6.2-201210151829.patch
+96701113d37ef4f9b785206ab8bcc71e patch-3.6.3.xz
+854e121b7f805e7a6b862d49d4f7b420 grsecurity-2.9.1-3.6.3-201210231942.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
80def301b4cf710e0855d4058efe46bb kernelconfig.x86
8eddcd9b36f4c2580e0b2db91eed3366 kernelconfig.x86_64"
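Review bot: The two new `md5sums` entries are the only integrity check recorded for `patch-3.6.3.xz`, which the `source=` list in the previous hunk fetches over plain `http://ftp.kernel.org/...`. MD5 is no longer collision-resistant, and an unauthenticated transport means the digest written here is only as trustworthy as the single download it was computed from. I would record a stronger digest next to it, for example `sha512sums="<sha512-of-patch-3.6.3.xz>  patch-3.6.3.xz"` if the abuild in use accepts that variable. I would also check the kernel.org detached signature on the patch before committing the checksum. The same applies to the locally carried `grsecurity-2.9.1-3.6.3-201210231942.patch`, whose provenance is vouched for only by the new MD5 line.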
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch
index 26ec9d198f..667fa189ce 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch
@@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644
pcd. [PARIDE]
diff --git a/Makefile b/Makefile
-index af5d6a9..4ccd9fb 100644
+index 6cdadf4..02df425 100644
--- a/Makefile
+++ b/Makefile
@@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
@@ -7666,7 +7666,7 @@ index b322f12..652d0d9 100644
Enabling this option turns a certain set of sanity checks for user
copy operations into compile time failures.
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 58790bd..fc2f239 100644
+index 05afcca..b6ecb51 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -50,6 +50,7 @@ else
@@ -27270,7 +27270,7 @@ index 00aaf04..4a26505 100644
-}
-__setup("vdso=", vdso_setup);
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
-index 1fbe75a..c22e01f 100644
+index c1461de..355f120 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -98,8 +98,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
@@ -27317,7 +27317,7 @@ index 1fbe75a..c22e01f 100644
#endif
}
-@@ -1205,30 +1203,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
+@@ -1221,30 +1219,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
#endif
};
@@ -27355,7 +27355,7 @@ index 1fbe75a..c22e01f 100644
{
if (pm_power_off)
pm_power_off();
-@@ -1331,7 +1329,17 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1347,7 +1345,17 @@ asmlinkage void __init xen_start_kernel(void)
__userpte_alloc_gfp &= ~__GFP_HIGHMEM;
/* Work out if we support NX */
@@ -27374,7 +27374,7 @@ index 1fbe75a..c22e01f 100644
xen_setup_features();
-@@ -1362,13 +1370,6 @@ asmlinkage void __init xen_start_kernel(void)
+@@ -1378,13 +1386,6 @@ asmlinkage void __init xen_start_kernel(void)
machine_ops = xen_machine_ops;
@@ -30040,7 +30040,7 @@ index f877805..403375a 100644
return 0;
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
-index 817f0ee..cd3b75d 100644
+index 4dc8024..90108d1 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -415,7 +415,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
@@ -30235,7 +30235,7 @@ index 57ea7f4..789e3c3 100644
card->driver->update_phy_reg(card, 4,
PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
-index 2783f69..9f4b0cc 100644
+index f8d2287..5aaf4db 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1365,8 +1365,7 @@ static int init_iso_resource(struct client *client,
@@ -30819,7 +30819,7 @@ index 73fa3e1..ab2e9b9 100644
iir = I915_READ(IIR);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index 0c7f4aa..c4771ed 100644
+index b634f6f..84bb8ba 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb)
@@ -33808,7 +33808,7 @@ index 611b5f7..cee0bfb 100644
"md/raid1:%s: read error corrected "
"(%d sectors at %llu on %s)\n",
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
-index 0138a72..eab8fc6 100644
+index a48c215..6bda6f4 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1810,7 +1810,7 @@ static void end_sync_read(struct bio *bio, int error)
@@ -34965,19 +34965,6 @@ index 9d71c9c..0e4a0ac 100644
{ "100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
{ "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR },
{ "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
-diff --git a/drivers/net/ethernet/intel/e1000e/e1000.h b/drivers/net/ethernet/intel/e1000e/e1000.h
-index cb3356c..c302a98 100644
---- a/drivers/net/ethernet/intel/e1000e/e1000.h
-+++ b/drivers/net/ethernet/intel/e1000e/e1000.h
-@@ -181,7 +181,7 @@ struct e1000_info;
- #define E1000_TXDCTL_DMA_BURST_ENABLE \
- (E1000_TXDCTL_GRAN | /* set descriptor granularity */ \
- E1000_TXDCTL_COUNT_DESC | \
-- (5 << 16) | /* wthresh must be +1 more than desired */\
-+ (1 << 16) | /* wthresh must be +1 more than desired */\
- (1 << 8) | /* hthresh */ \
- 0x1f) /* pthresh */
-
diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h
index ed5b409..ec37828 100644
--- a/drivers/net/ethernet/intel/e1000e/hw.h
@@ -42277,7 +42264,7 @@ index 3c14e43..eafa544 100644
+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
+4 4 4 4 4 4
diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c
-index 8af6414..658c030 100644
+index 38fcfff..0072dcd 100644
--- a/drivers/video/udlfb.c
+++ b/drivers/video/udlfb.c
@@ -620,11 +620,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
@@ -47549,7 +47536,7 @@ index 7e81bfc..c3649aa 100644
lock_flocks();
diff --git a/fs/namei.c b/fs/namei.c
-index dd1ed1b..875e998 100644
+index 81bd546..80149d9 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask)
@@ -51551,10 +51538,10 @@ index 0000000..1b9afa9
+endif
diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
new file mode 100644
-index 0000000..07cd799
+index 0000000..3d58260
--- /dev/null
+++ b/grsecurity/gracl.c
-@@ -0,0 +1,4017 @@
+@@ -0,0 +1,4029 @@
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/sched.h>
@@ -53036,6 +53023,7 @@ index 0000000..07cd799
+copy_user_acl(struct gr_arg *arg)
+{
+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
++ struct acl_subject_label *subj_list;
+ struct sprole_pw *sptmp;
+ struct gr_hash_struct *ghash;
+ uid_t *domainlist;
@@ -53164,14 +53152,21 @@ index 0000000..07cd799
+ r_tmp->subj_hash_size *
+ sizeof (struct acl_subject_label *));
+
-+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
-+
-+ if (err)
-+ return err;
++ /* acquire the list of subjects, then NULL out
++ the list prior to parsing the subjects for this role,
++ as during this parsing the list is replaced with a list
++ of *nested* subjects for the role
++ */
++ subj_list = r_tmp->hash->first;
+
+ /* set nested subject list to null */
+ r_tmp->hash->first = NULL;
+
++ err = copy_user_subjs(subj_list, r_tmp);
++
++ if (err)
++ return err;
++
+ insert_acl_role_label(r_tmp);
+ }
+
@@ -54180,8 +54175,9 @@ index 0000000..07cd799
+ matchpo->mode |= GR_DELETED;
+ FOR_EACH_SUBJECT_END(subj,x)
+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
-+ if (subj->inode == ino && subj->device == dev)
-+ subj->mode |= GR_DELETED;
++ /* nested subjects aren't in the role's subj_hash table */
++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
++ matchpo->mode |= GR_DELETED;
+ FOR_EACH_NESTED_SUBJECT_END(subj)
+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
+ matchps->mode |= GR_DELETED;
@@ -54339,6 +54335,9 @@ index 0000000..07cd799
+ subj->inode = ino;
+ subj->device = dev;
+ }
++ /* nested subjects aren't in the role's subj_hash table */
++ update_acl_obj_label(matchn->inode, matchn->device,
++ ino, dev, subj);
+ FOR_EACH_NESTED_SUBJECT_END(subj)
+ FOR_EACH_SUBJECT_START(role, subj, x)
+ update_acl_obj_label(matchn->inode, matchn->device,
@@ -66364,7 +66363,7 @@ index 02e6167..54824f7 100644
current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
set_fs(fs);
diff --git a/kernel/audit.c b/kernel/audit.c
-index ea3b7b6..c260d34 100644
+index a8c84be..8bd034c 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -115,7 +115,7 @@ u32 audit_sig_sid = 0;
@@ -67990,7 +67989,7 @@ index 91c32a0..7b88d63 100644
seq_printf(m, "%40s %14lu %29s %pS\n",
name, stats->contending_point[i],
diff --git a/kernel/module.c b/kernel/module.c
-index 4edbd9c..165e780 100644
+index 9ad9ee9..de7a157 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -58,6 +58,7 @@
@@ -68516,7 +68515,7 @@ index 4edbd9c..165e780 100644
pr_debug("\t0x%lx %s\n",
(long)shdr->sh_addr, info->secstrings + shdr->sh_name);
}
-@@ -2759,12 +2859,12 @@ static void flush_module_icache(const struct module *mod)
+@@ -2763,12 +2863,12 @@ static void flush_module_icache(const struct module *mod)
* Do it before processing of module parameters, so the module
* can provide parameter accessor functions of its own.
*/
@@ -68535,7 +68534,7 @@ index 4edbd9c..165e780 100644
set_fs(old_fs);
}
-@@ -2834,8 +2934,10 @@ out:
+@@ -2838,8 +2938,10 @@ out:
static void module_deallocate(struct module *mod, struct load_info *info)
{
percpu_modfree(mod);
@@ -68548,7 +68547,7 @@ index 4edbd9c..165e780 100644
}
int __weak module_finalize(const Elf_Ehdr *hdr,
-@@ -2848,7 +2950,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
+@@ -2852,7 +2954,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
static int post_relocation(struct module *mod, const struct load_info *info)
{
/* Sort exception table now relocations are done. */
@@ -68558,7 +68557,7 @@ index 4edbd9c..165e780 100644
/* Copy relocated percpu area over. */
percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
-@@ -2899,9 +3003,38 @@ static struct module *load_module(void __user *umod,
+@@ -2903,9 +3007,38 @@ static struct module *load_module(void __user *umod,
if (err)
goto free_unload;
@@ -68597,7 +68596,7 @@ index 4edbd9c..165e780 100644
/* Fix up syms, so that st_value is a pointer to location. */
err = simplify_symbols(mod, &info);
if (err < 0)
-@@ -2917,13 +3050,6 @@ static struct module *load_module(void __user *umod,
+@@ -2921,13 +3054,6 @@ static struct module *load_module(void __user *umod,
flush_module_icache(mod);
@@ -68611,7 +68610,7 @@ index 4edbd9c..165e780 100644
/* Mark state as coming so strong_try_module_get() ignores us. */
mod->state = MODULE_STATE_COMING;
-@@ -2981,11 +3107,10 @@ static struct module *load_module(void __user *umod,
+@@ -2985,11 +3111,10 @@ static struct module *load_module(void __user *umod,
unlock:
mutex_unlock(&module_mutex);
synchronize_sched();
@@ -68624,7 +68623,7 @@ index 4edbd9c..165e780 100644
free_unload:
module_unload_free(mod);
free_module:
-@@ -3026,16 +3151,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
+@@ -3030,16 +3155,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
MODULE_STATE_COMING, mod);
/* Set RO and NX regions for core */
@@ -68649,7 +68648,7 @@ index 4edbd9c..165e780 100644
do_mod_ctors(mod);
/* Start the module */
-@@ -3081,11 +3206,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
+@@ -3085,11 +3210,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
mod->strtab = mod->core_strtab;
#endif
unset_module_init_ro_nx(mod);
@@ -68667,7 +68666,7 @@ index 4edbd9c..165e780 100644
mutex_unlock(&module_mutex);
return 0;
-@@ -3116,10 +3242,16 @@ static const char *get_ksymbol(struct module *mod,
+@@ -3120,10 +3246,16 @@ static const char *get_ksymbol(struct module *mod,
unsigned long nextval;
/* At worse, next value is at end of module */
@@ -68687,7 +68686,7 @@ index 4edbd9c..165e780 100644
/* Scan for closest preceding symbol, and next symbol. (ELF
starts real symbols at 1). */
-@@ -3354,7 +3486,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3358,7 +3490,7 @@ static int m_show(struct seq_file *m, void *p)
char buf[8];
seq_printf(m, "%s %u",
@@ -68696,7 +68695,7 @@ index 4edbd9c..165e780 100644
print_unload_info(m, mod);
/* Informative for users. */
-@@ -3363,7 +3495,7 @@ static int m_show(struct seq_file *m, void *p)
+@@ -3367,7 +3499,7 @@ static int m_show(struct seq_file *m, void *p)
mod->state == MODULE_STATE_COMING ? "Loading":
"Live");
/* Used by oprofile and other similar tools. */
@@ -68705,7 +68704,7 @@ index 4edbd9c..165e780 100644
/* Taints info */
if (mod->taints)
-@@ -3399,7 +3531,17 @@ static const struct file_operations proc_modules_operations = {
+@@ -3403,7 +3535,17 @@ static const struct file_operations proc_modules_operations = {
static int __init proc_modules_init(void)
{
@@ -68723,7 +68722,7 @@ index 4edbd9c..165e780 100644
return 0;
}
module_init(proc_modules_init);
-@@ -3458,12 +3600,12 @@ struct module *__module_address(unsigned long addr)
+@@ -3462,12 +3604,12 @@ struct module *__module_address(unsigned long addr)
{
struct module *mod;
@@ -68739,7 +68738,7 @@ index 4edbd9c..165e780 100644
return mod;
return NULL;
}
-@@ -3497,11 +3639,20 @@ bool is_module_text_address(unsigned long addr)
+@@ -3501,11 +3643,20 @@ bool is_module_text_address(unsigned long addr)
*/
struct module *__module_text_address(unsigned long addr)
{
@@ -70660,7 +70659,7 @@ index f113755..ec24223 100644
cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
tick_broadcast_clear_oneshot(cpu);
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
-index d3b91e7..2a4be68 100644
+index f791637..00051de 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -14,6 +14,7 @@
@@ -70799,10 +70798,10 @@ index 0b537f2..40d6c20 100644
return -ENOMEM;
return 0;
diff --git a/kernel/timer.c b/kernel/timer.c
-index 8c5e7b9..968d02c 100644
+index 46ef2b1..ad081f144 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
-@@ -1375,7 +1375,7 @@ void update_process_times(int user_tick)
+@@ -1377,7 +1377,7 @@ void update_process_times(int user_tick)
/*
* This function runs timers and the timer-tq in bottom half context.
*/
@@ -74469,7 +74468,7 @@ index 0f3b7cd..c5652b6 100644
struct anon_vma_chain *avc;
struct anon_vma *anon_vma;
diff --git a/mm/shmem.c b/mm/shmem.c
-index d4e184e..9953cdd 100644
+index d2eeca1..3f160be 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -31,7 +31,7 @@
@@ -74490,7 +74489,7 @@ index d4e184e..9953cdd 100644
struct shmem_xattr {
struct list_head list; /* anchored by shmem_inode_info->xattr_list */
-@@ -2592,8 +2592,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
+@@ -2594,8 +2594,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
int err = -ENOMEM;
/* Round up to L1_CACHE_BYTES to resist false sharing */