-rw-r--r-- | main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch | 40 | ||||
-rw-r--r-- | main/linux-grsec/APKBUILD | 24 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.10.18-unofficial.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.10.17-unofficial.patch) | 143 | ||||
-rw-r--r-- | main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch | 14 |
4 files changed, 77 insertions, 144 deletions
diff --git a/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch b/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch
deleted file mode 100644
index da442aae39..0000000000
--- a/main/linux-grsec/0001-pax-x86_64-fix-copy_user_generic.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b8bf456d13988fb38cfe248676327f44a2d2ed2e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Wed, 23 Oct 2013 09:54:54 +0300
-Subject: [PATCH] pax: x86_64: fix copy_user_generic
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Pax patch removed r10 from clobbers list as all assembly code was
-updated to not use it. However, in the error path the assembly code
-ends up calling copy_user_handle_tail() C-function that can clobber
-r10. This broke things for certain gcc optimizations (at least for gcc
-4.8.x), as copy_user_generic() is inline function, and the inline
-assembly incorrectly guaranteed not to clobber r10.
-
-Add r10 back to clobbers list like vanilla kernel has it. It is
-needed always due to the possibly C-function call in error path.
-
-Signed-off-by: Timo Teräs <timo.teras@iki.f>
-Acked-by: Natanael Copa <ncopa@alpinelinux.org>
----
- arch/x86/include/asm/uaccess_64.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
-index 1dbe82f..9d398f4 100644
---- a/arch/x86/include/asm/uaccess_64.h
-+++ b/arch/x86/include/asm/uaccess_64.h
-@@ -44,7 +44,7 @@ copy_user_generic(void *to, const void *from, unsigned len)
- ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
- "=d" (len)),
- "1" (to), "2" (from), "3" (len)
-- : "memory", "rcx", "r8", "r9", "r11");
-+ : "memory", "rcx", "r8", "r9", "r10", "r11");
- return ret;
- }
-
---
-1.8.4.1
-
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 03c9105c1f..c98b66b788 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -2,12 +2,12 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.10.17 +pkgver=3.10.18 case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=2 +pkgrel=0 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -18,8 +18,6 @@ install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz grsecurity-2.9.1-$pkgver-unofficial.patch - 0001-pax-x86_64-fix-copy_user_generic.patch - remove-cap-sys-admin-for-proc-sys.patch 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch @@ -152,10 +150,8 @@ dev() { } md5sums="4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -8431ee4e2467fdfde47e31701813a265 patch-3.10.17.xz -6894537e9ccc2b296b27b42c39c64b31 grsecurity-2.9.1-3.10.17-unofficial.patch -51607abf0a105aebbe65e3df6fb415bd 0001-pax-x86_64-fix-copy_user_generic.patch -ebb624500d0b89fbf2daadfc7151c693 remove-cap-sys-admin-for-proc-sys.patch +e39b75595bf61d758087e1ddecd01a12 patch-3.10.18.xz +8b397a34483c0a5209f473049f1c21b8 grsecurity-2.9.1-3.10.18-unofficial.patch a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
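Review bot: Dropping `remove-cap-sys-admin-for-proc-sys.patch` from `source=` in the `@@ -18,8 +18,6 @@` hunk is unexplained, and unlike the copy_user_generic fix it is not visibly folded into the new grsecurity patch. For copy_user_generic the 3.10.18 patch's uaccess_64.h index now ends at 9d398f4 and the r10 clobber hunk is gone, so that fix is carried upstream. Nothing in the patch-to-patch diff touches fs/proc/proc_sysctl.c, so the `if (write && !capable(CAP_SYS_ADMIN))` check presumably applies again and /proc/sys writes from processes without that capability will be refused. If that is intended, record it beside `source=`, for example `# remove-cap-sys-admin-for-proc-sys.patch dropped: /proc/sys writes require CAP_SYS_ADMIN again`, or in the commit message.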
@@ -166,10 +162,8 @@ c6a4ae7e8ca6159e1631545515805216 fix-memory-map-for-PIE-applications.patch cb5c938dccbee36cfb8bb7ee3546b8af kernelconfig.x86 daa81b89f18254155ac33c5239abf3a4 kernelconfig.x86_64" sha256sums="df27fa92d27a9c410bfe6c4a89f141638500d7eadcca5cce578954efc2ad3544 linux-3.10.tar.xz -5552fc6f24a56d13d603ddc7759114a7b52e92ad2fb84a23a1b80b37b739a33b patch-3.10.17.xz -8e82e71c0da392a601a952aa712b56a5116fcf626c19d69ae9d86dda2d200852 grsecurity-2.9.1-3.10.17-unofficial.patch -0742780b41ded0837d25f0b2f646b954da9362ac5956886427ad630000c0e335 0001-pax-x86_64-fix-copy_user_generic.patch -01c33a3093d23a6ef5ea50cb91174d524be5bfcc4f3dd9694844cf47697d5287 remove-cap-sys-admin-for-proc-sys.patch +6fe9123444e4803d2bdec0f89a969024813bd54ba9114471589d1326deee8d6f patch-3.10.18.xz +a7ed5e0ffe7efbfbd19596e7b3ba8b2d8703da48d7216b5ccd745d4ba038e480 grsecurity-2.9.1-3.10.18-unofficial.patch 6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
@@ -180,10 +174,8 @@ fc613ac466610b866b721c41836fd5bfb2d4b75bceb67972dc6369d7f62ff47e 0006-ipv4-use- 3e6c4101bfb90b6a30173ef81cd0d0bea51d6a995fc045ca67db7fed271d969d kernelconfig.x86 da67ef700372d080bffb12a86f0a16c987dc79e18fdfb1a88d2704660239e5f0 kernelconfig.x86_64" sha512sums="5fb109fcbd59bf3dffc911b853894f0a84afa75151368f783a1252c5ff60c7a1504de216c0012be446df983e2dea400ad8eeed3ce04f24dc61d0ef76c174dc35 linux-3.10.tar.xz -38f9085d67d59cb37c32db69b84714a96f327fe74b69bb4a7304861ea6e474614216067ee08093f41739ce803b83a70400c83f06c695cb1114cf41c0b2dc7aa7 patch-3.10.17.xz -6d27a986f32f42b12c4291ebb4b7365d8cd90b604ee9bc57344b9f9764efd7c5aae89c5ab4977878a24ae4b6e812c1db6030c3451bd15fdb2ea01a2a50e2ce41 grsecurity-2.9.1-3.10.17-unofficial.patch -b32903a59cd582c2acf95869640bb34fefee544d242702e04af1db188f381da3889c9db9475e8ffc31628cda0b0641828f609c5ac9a387dd86ac4917be26792f 0001-pax-x86_64-fix-copy_user_generic.patch -90d236cb79054751d9081c0ffc002c89cb855e0785c5419449563724e4f9de1c67f763923bdc8c1a5b336ab7850ad33d21fa41ad33b9e2e680badefe40c26626 remove-cap-sys-admin-for-proc-sys.patch +b891e6969a0628f760aebf04e7b4cfd9e93c73fd1f61d9c50a2e3b812bff4f35f2b2a13f88319a106fb6d9929b83bc59384ddb651b17ea158739523ad252575a patch-3.10.18.xz +f89d6f4e696dad5102e9062e027f3c1b91b6ffee52940507305f9b444461e3782800d1753c5b15498d95fb795d5f285d41678144eb9ecbe63eaac7609fd83965 grsecurity-2.9.1-3.10.18-unofficial.patch 81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch 51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch 57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch 
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.10.17-unofficial.patch b/main/linux-grsec/grsecurity-2.9.1-3.10.18-unofficial.patch index 3a78478212..8b707fb747 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.10.17-unofficial.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.10.18-unofficial.patch @@ -281,7 +281,7 @@ index 2fe6e76..889ee23 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index 5c7d3d6..aa1c9c3 100644 +index 5fb14e5..9d12b9c 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -18579,7 +18579,7 @@ index 7f760a9..04b1c65 100644 } diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h -index 142810c..1dbe82f 100644 +index 142810c..9d398f4 100644 --- a/arch/x86/include/asm/uaccess_64.h +++ b/arch/x86/include/asm/uaccess_64.h @@ -10,6 +10,9 @@ @@ -18610,12 +18610,7 @@ index 142810c..1dbe82f 100644 copy_user_generic(void *to, const void *from, unsigned len) { unsigned ret; -@@ -41,142 +44,204 @@ copy_user_generic(void *to, const void *from, unsigned len) - ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from), - "=d" (len)), - "1" (to), "2" (from), "3" (len) -- : "memory", "rcx", "r8", "r9", "r10", "r11"); -+ : "memory", "rcx", "r8", "r9", "r11"); +@@ -45,138 +48,200 @@ copy_user_generic(void *to, const void *from, unsigned len) return ret; } @@ -77273,7 +77268,7 @@ index 2ac423b..237c72e 100644 #define save_altstack_ex(uss, sp) do { \ stack_t __user *__uss = uss; \ diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index dec1748..112c1f9 100644 +index eaf6027..2266947 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -640,7 +640,7 @@ extern bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, 
@@ -77312,7 +77307,7 @@ index dec1748..112c1f9 100644 } /** -@@ -1848,7 +1848,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) +@@ -1853,7 +1853,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len) * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8) */ #ifndef NET_SKB_PAD @@ -77321,7 +77316,7 @@ index dec1748..112c1f9 100644 #endif extern int ___pskb_trim(struct sk_buff *skb, unsigned int len); -@@ -2443,7 +2443,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, +@@ -2448,7 +2448,7 @@ extern struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock, int *err); extern unsigned int datagram_poll(struct file *file, struct socket *sock, struct poll_table_struct *wait); @@ -77330,7 +77325,7 @@ index dec1748..112c1f9 100644 int offset, struct iovec *to, int size); extern int skb_copy_and_csum_datagram_iovec(struct sk_buff *skb, -@@ -2733,6 +2733,9 @@ static inline void nf_reset(struct sk_buff *skb) +@@ -2738,6 +2738,9 @@ static inline void nf_reset(struct sk_buff *skb) nf_bridge_put(skb->nf_bridge); skb->nf_bridge = NULL; #endif @@ -78881,10 +78876,10 @@ index 1bd4c41..9250b5b 100644 /* Structure to track chunk fragments that have been acked, but peer diff --git a/include/net/sock.h b/include/net/sock.h -index 66772cf..25bc45b 100644 +index cec4c72..66ba735 100644 --- a/include/net/sock.h +++ b/include/net/sock.h -@@ -325,7 +325,7 @@ struct sock { +@@ -326,7 +326,7 @@ struct sock { #ifdef CONFIG_RPS __u32 sk_rxhash; #endif @@ -78893,7 +78888,7 @@ index 66772cf..25bc45b 100644 int sk_rcvbuf; struct sk_filter __rcu *sk_filter; -@@ -1797,7 +1797,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags) +@@ -1799,7 +1799,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags) } static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb, 
@@ -78902,7 +78897,7 @@ index 66772cf..25bc45b 100644 int copy, int offset) { if (skb->ip_summed == CHECKSUM_NONE) { -@@ -2056,7 +2056,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk) +@@ -2058,7 +2058,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk) } } @@ -78912,10 +78907,10 @@ index 66772cf..25bc45b 100644 /** * sk_page_frag - return an appropriate page_frag diff --git a/include/net/tcp.h b/include/net/tcp.h -index 5bba80f..8520a82 100644 +index 3fc77e9..a20155c 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h -@@ -524,7 +524,7 @@ extern void tcp_retransmit_timer(struct sock *sk); +@@ -525,7 +525,7 @@ extern void tcp_retransmit_timer(struct sock *sk); extern void tcp_xmit_retransmit_queue(struct sock *); extern void tcp_simple_retransmit(struct sock *); extern int tcp_trim_head(struct sock *, struct sk_buff *, u32); @@ -78924,7 +78919,7 @@ index 5bba80f..8520a82 100644 extern void tcp_send_probe0(struct sock *); extern void tcp_send_partial(struct sock *); -@@ -697,8 +697,8 @@ struct tcp_skb_cb { +@@ -698,8 +698,8 @@ struct tcp_skb_cb { struct inet6_skb_parm h6; #endif } header; /* For incoming frames */ @@ -78935,7 +78930,7 @@ index 5bba80f..8520a82 100644 __u32 when; /* used to compute rtt's */ __u8 tcp_flags; /* TCP header flags. (tcp[13]) */ -@@ -712,7 +712,7 @@ struct tcp_skb_cb { +@@ -713,7 +713,7 @@ struct tcp_skb_cb { __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */ /* 1 byte hole */ @@ -89779,7 +89774,7 @@ index 298884d..5f74980 100644 struct mm_struct *mm; diff --git a/mm/page-writeback.c b/mm/page-writeback.c -index 4514ad7..92eaa1c 100644 +index aca4364..09039c6 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -659,7 +659,7 @@ unsigned long bdi_dirty_limit(struct backing_dev_info *bdi, unsigned long dirty) @@ -92285,13 +92280,13 @@ index eb0a46a..5f3bae8 100644 switch (ss->ss_family) { diff --git a/net/compat.c b/net/compat.c -index f0a1ba6..0541331 100644 +index 8903258..24e30e5 100644 
--- a/net/compat.c +++ b/net/compat.c -@@ -71,9 +71,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || - __get_user(kmsg->msg_flags, &umsg->msg_flags)) +@@ -73,9 +73,9 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) return -EFAULT; + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + return -EINVAL; - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); @@ -92301,7 +92296,7 @@ index f0a1ba6..0541331 100644 return 0; } -@@ -85,7 +85,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -87,7 +87,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, if (kern_msg->msg_namelen) { if (mode == VERIFY_READ) { @@ -92310,7 +92305,7 @@ index f0a1ba6..0541331 100644 kern_msg->msg_namelen, kern_address); if (err < 0) -@@ -96,7 +96,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -98,7 +98,7 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, kern_msg->msg_name = NULL; tot_len = iov_from_user_compat_to_kern(kern_iov, @@ -92319,7 +92314,7 @@ index f0a1ba6..0541331 100644 kern_msg->msg_iovlen); if (tot_len >= 0) kern_msg->msg_iov = kern_iov; -@@ -116,20 +116,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, +@@ -118,20 +118,20 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, #define CMSG_COMPAT_FIRSTHDR(msg) \ (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \ @@ -92343,7 +92338,7 @@ index f0a1ba6..0541331 100644 msg->msg_controllen) return NULL; return (struct compat_cmsghdr __user *)ptr; -@@ -219,7 +219,7 @@ Efault: +@@ -221,7 +221,7 @@ Efault: int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data) { 
@@ -92352,7 +92347,7 @@ index f0a1ba6..0541331 100644 struct compat_cmsghdr cmhdr; struct compat_timeval ctv; struct compat_timespec cts[3]; -@@ -275,7 +275,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat +@@ -277,7 +277,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm) { @@ -92361,7 +92356,7 @@ index f0a1ba6..0541331 100644 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int); int fdnum = scm->fp->count; struct file **fp = scm->fp->fp; -@@ -363,7 +363,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, +@@ -365,7 +365,7 @@ static int do_set_sock_timeout(struct socket *sock, int level, return -EFAULT; old_fs = get_fs(); set_fs(KERNEL_DS); @@ -92370,7 +92365,7 @@ index f0a1ba6..0541331 100644 set_fs(old_fs); return err; -@@ -424,7 +424,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, +@@ -426,7 +426,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname, len = sizeof(ktime); old_fs = get_fs(); set_fs(KERNEL_DS); @@ -92379,7 +92374,7 @@ index f0a1ba6..0541331 100644 set_fs(old_fs); if (!err) { -@@ -567,7 +567,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -569,7 +569,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_JOIN_GROUP: case MCAST_LEAVE_GROUP: { @@ -92388,7 +92383,7 @@ index f0a1ba6..0541331 100644 struct group_req __user *kgr = compat_alloc_user_space(sizeof(struct group_req)); u32 interface; -@@ -588,7 +588,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -590,7 +590,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, case MCAST_BLOCK_SOURCE: case MCAST_UNBLOCK_SOURCE: { 
@@ -92397,7 +92392,7 @@ index f0a1ba6..0541331 100644 struct group_source_req __user *kgsr = compat_alloc_user_space( sizeof(struct group_source_req)); u32 interface; -@@ -609,7 +609,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, +@@ -611,7 +611,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname, } case MCAST_MSFILTER: { @@ -92406,7 +92401,7 @@ index f0a1ba6..0541331 100644 struct group_filter __user *kgf; u32 interface, fmode, numsrc; -@@ -647,7 +647,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, +@@ -649,7 +649,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname, char __user *optval, int __user *optlen, int (*getsockopt)(struct sock *, int, int, char __user *, int __user *)) { @@ -92415,7 +92410,7 @@ index f0a1ba6..0541331 100644 struct group_filter __user *kgf; int __user *koptlen; u32 interface, fmode, numsrc; -@@ -805,7 +805,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) +@@ -807,7 +807,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args) if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; @@ -92843,7 +92838,7 @@ index 1c1738c..4cab7f0 100644 } diff --git a/net/core/sock.c b/net/core/sock.c -index d6d024c..6ea7ab4 100644 +index 6565431..4012941 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -390,7 +390,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) @@ -92930,7 +92925,7 @@ index d6d024c..6ea7ab4 100644 return -EFAULT; lenout: if (put_user(len, optlen)) -@@ -2277,7 +2277,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) +@@ -2278,7 +2278,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) */ smp_wmb(); atomic_set(&sk->sk_refcnt, 1); @@ -93297,7 +93292,7 @@ index 6acb541..9ea617d 100644 void inet_get_local_port_range(int *low, int *high) diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c -index 6af375a..c493c74 100644 +index c95848d..e561cbd 100644 
--- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -18,12 +18,15 @@ @@ -93446,7 +93441,7 @@ index d9c4f11..02b82dbc 100644 msg.msg_flags = flags; diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index 17cc0ff..63856c4 100644 +index 0656041..d6ecb60 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -47,7 +47,7 @@ @@ -93458,7 +93453,7 @@ index 17cc0ff..63856c4 100644 static int vti_net_id __read_mostly; struct vti_net { -@@ -840,7 +840,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { +@@ -848,7 +848,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = { [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) }, }; @@ -93700,7 +93695,7 @@ index 6fb2337..9cd6b20 100644 static int raw_seq_show(struct seq_file *seq, void *v) diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index d35bbf0..faa3ab8 100644 +index d11e73c..25c1dc4 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2558,34 +2558,34 @@ static struct ctl_table ipv4_route_flush_table[] = { @@ -93756,10 +93751,10 @@ index d35bbf0..faa3ab8 100644 sizeof(net->ipv4.dev_addr_genid)); return 0; diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c -index 3f25e75..3ae0f4d 100644 +index 90b26be..268b217 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c -@@ -57,7 +57,7 @@ static int ipv4_local_port_range(ctl_table *table, int write, +@@ -58,7 +58,7 @@ static int ipv4_local_port_range(ctl_table *table, int write, { int ret; int range[2]; @@ -93768,7 +93763,7 @@ index 3f25e75..3ae0f4d 100644 .data = &range, .maxlen = sizeof(range), .mode = table->mode, -@@ -110,7 +110,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write, +@@ -111,7 +111,7 @@ static int ipv4_ping_group_range(ctl_table *table, int write, int ret; gid_t urange[2]; kgid_t low, high; 
@@ -93777,7 +93772,7 @@ index 3f25e75..3ae0f4d 100644 .data = &urange, .maxlen = sizeof(urange), .mode = table->mode, -@@ -141,7 +141,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write, +@@ -142,7 +142,7 @@ static int proc_tcp_congestion_control(ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { char val[TCP_CA_NAME_MAX]; @@ -93786,7 +93781,7 @@ index 3f25e75..3ae0f4d 100644 .data = val, .maxlen = TCP_CA_NAME_MAX, }; -@@ -160,7 +160,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl, +@@ -161,7 +161,7 @@ static int proc_tcp_available_congestion_control(ctl_table *ctl, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -93795,7 +93790,7 @@ index 3f25e75..3ae0f4d 100644 int ret; tbl.data = kmalloc(tbl.maxlen, GFP_USER); -@@ -177,7 +177,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl, +@@ -178,7 +178,7 @@ static int proc_allowed_congestion_control(ctl_table *ctl, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -93804,7 +93799,7 @@ index 3f25e75..3ae0f4d 100644 int ret; tbl.data = kmalloc(tbl.maxlen, GFP_USER); -@@ -203,15 +203,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, +@@ -204,15 +204,17 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, struct mem_cgroup *memcg; #endif @@ -93825,7 +93820,7 @@ index 3f25e75..3ae0f4d 100644 } ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos); -@@ -238,7 +240,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, +@@ -239,7 +241,7 @@ static int ipv4_tcp_mem(ctl_table *ctl, int write, static int proc_tcp_fastopen_key(ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { @@ -93834,7 +93829,7 @@ index 3f25e75..3ae0f4d 100644 struct tcp_fastopen_context *ctxt; int ret; u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */ -@@ -481,7 +483,7 @@ static struct ctl_table ipv4_table[] = { +@@ -482,7 +484,7 @@ static struct ctl_table ipv4_table[] = { }, { .procname = "ip_local_reserved_ports", 
@@ -93843,7 +93838,7 @@ index 3f25e75..3ae0f4d 100644 .maxlen = 65536, .mode = 0644, .proc_handler = proc_do_large_bitmap, -@@ -846,11 +848,10 @@ static struct ctl_table ipv4_net_table[] = { +@@ -856,11 +858,10 @@ static struct ctl_table ipv4_net_table[] = { static __net_init int ipv4_sysctl_init_net(struct net *net) { @@ -93857,7 +93852,7 @@ index 3f25e75..3ae0f4d 100644 if (table == NULL) goto err_alloc; -@@ -885,15 +886,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) +@@ -895,15 +896,17 @@ static __net_init int ipv4_sysctl_init_net(struct net *net) tcp_init_mem(net); @@ -93878,7 +93873,7 @@ index 3f25e75..3ae0f4d 100644 err_alloc: return -ENOMEM; } -@@ -915,16 +918,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = { +@@ -925,16 +928,6 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = { static __init int sysctl_ipv4_init(void) { struct ctl_table_header *hdr; @@ -93896,10 +93891,10 @@ index 3f25e75..3ae0f4d 100644 hdr = register_net_sysctl(&init_net, "net/ipv4", ipv4_table); if (hdr == NULL) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 4b75aad..a4b2833 100644 +index e15d330..c93711a 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c -@@ -4439,7 +4439,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, +@@ -4472,7 +4472,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb, * simplifies code) */ static void @@ -93908,7 +93903,7 @@ index 4b75aad..a4b2833 100644 struct sk_buff *head, struct sk_buff *tail, u32 start, u32 end) { -@@ -5525,6 +5525,7 @@ discard: +@@ -5558,6 +5558,7 @@ discard: tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -93916,7 +93911,7 @@ index 4b75aad..a4b2833 100644 if (th->syn) { /* We see SYN without ACK. It is attempt of * simultaneous connect with crossed SYNs. -@@ -5575,6 +5576,7 @@ discard: +@@ -5608,6 +5609,7 @@ discard: goto discard; #endif } 
@@ -93924,7 +93919,7 @@ index 4b75aad..a4b2833 100644 /* "fifth, if neither of the SYN or RST bits is set then * drop the segment and return." */ -@@ -5619,7 +5621,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, +@@ -5652,7 +5654,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, goto discard; if (th->syn) { @@ -94637,10 +94632,10 @@ index 1aeb473..bea761c 100644 return -ENOMEM; } diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index bacce6c..9d1741a 100644 +index 3c1f493..4129ccc 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c -@@ -2903,7 +2903,7 @@ ctl_table ipv6_route_table_template[] = { +@@ -2931,7 +2931,7 @@ ctl_table ipv6_route_table_template[] = { struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net) { @@ -96806,7 +96801,7 @@ index 098f1d5f..60da2f7 100644 /* Start T3_rtx timer if it is not already running and update the heartbeat diff --git a/net/socket.c b/net/socket.c -index 4ca1526..df83e47 100644 +index 9c467b2..f2cbd27 100644 --- a/net/socket.c +++ b/net/socket.c @@ -88,6 +88,7 @@ @@ -96977,7 +96972,7 @@ index 4ca1526..df83e47 100644 int err, err2; int fput_needed; -@@ -2023,7 +2085,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2036,7 +2098,7 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, * checking falls down on this. */ if (copy_from_user(ctl_buf, @@ -96986,7 +96981,7 @@ index 4ca1526..df83e47 100644 ctl_len)) goto out_freectl; msg_sys->msg_control = ctl_buf; -@@ -2174,7 +2236,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2187,7 +2249,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, int err, total_len, len; /* kernel mode address */ 
@@ -96995,7 +96990,7 @@ index 4ca1526..df83e47 100644 /* user mode address pointers */ struct sockaddr __user *uaddr; -@@ -2202,7 +2264,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, +@@ -2218,7 +2280,7 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, * kernel msghdr to use the kernel address space) */ @@ -97004,7 +96999,7 @@ index 4ca1526..df83e47 100644 uaddr_len = COMPAT_NAMELEN(msg); if (MSG_CMSG_COMPAT & flags) { err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -@@ -2955,7 +3017,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, +@@ -2971,7 +3033,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); err = dev_ioctl(net, cmd, @@ -97013,7 +97008,7 @@ index 4ca1526..df83e47 100644 set_fs(old_fs); return err; -@@ -3064,7 +3126,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, +@@ -3080,7 +3142,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd, old_fs = get_fs(); set_fs(KERNEL_DS); @@ -97022,7 +97017,7 @@ index 4ca1526..df83e47 100644 set_fs(old_fs); if (cmd == SIOCGIFMAP && !err) { -@@ -3169,7 +3231,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, +@@ -3185,7 +3247,7 @@ static int routing_ioctl(struct net *net, struct socket *sock, ret |= __get_user(rtdev, &(ur4->rt_dev)); if (rtdev) { ret |= copy_from_user(devname, compat_ptr(rtdev), 15); @@ -97031,7 +97026,7 @@ index 4ca1526..df83e47 100644 devname[15] = 0; } else r4.rt_dev = NULL; -@@ -3395,8 +3457,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, +@@ -3411,8 +3473,8 @@ int kernel_getsockopt(struct socket *sock, int level, int optname, int __user *uoptlen; int err; 
@@ -97042,7 +97037,7 @@ index 4ca1526..df83e47 100644 set_fs(KERNEL_DS); if (level == SOL_SOCKET) -@@ -3416,7 +3478,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, +@@ -3432,7 +3494,7 @@ int kernel_setsockopt(struct socket *sock, int level, int optname, char __user *uoptval; int err; @@ -97403,7 +97398,7 @@ index 6b42d47..2ac24d5 100644 sub->evt.event = htohl(event, sub->swap); diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index 826e099..4fa8c93 100644 +index 0258072..fc6d46d 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -783,6 +783,12 @@ static struct sock *unix_find_other(struct net *net, @@ -97452,7 +97447,7 @@ index 826e099..4fa8c93 100644 done_path_create(&path, dentry); return err; } -@@ -2324,9 +2343,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2334,9 +2353,13 @@ static int unix_seq_show(struct seq_file *seq, void *v) seq_puts(seq, "Num RefCount Protocol Flags Type St " "Inode Path\n"); else { @@ -97467,7 +97462,7 @@ index 826e099..4fa8c93 100644 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", s, -@@ -2353,8 +2376,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) +@@ -2363,8 +2386,10 @@ static int unix_seq_show(struct seq_file *seq, void *v) } for ( ; i < len; i++) seq_putc(seq, u->addr->name->sun_path[i]); diff --git a/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch b/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch deleted file mode 100644 index 6fa56ba134..0000000000 --- a/main/linux-grsec/remove-cap-sys-admin-for-proc-sys.patch +++ /dev/null 
@@ -1,14 +0,0 @@
-diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
-index 1e6dc7e..d65d119 100644
---- a/fs/proc/proc_sysctl.c
-+++ b/fs/proc/proc_sysctl.c
-@@ -521,8 +521,6 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
- dput(filp->f_path.dentry);
- if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
- goto out;
-- if (write && !capable(CAP_SYS_ADMIN))
-- goto out;
- #endif
-
- /* careful: calling conventions are nasty here */
-
|