author | Natanael Copa <ncopa@alpinelinux.org> | 2012-10-24 09:59:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-10-24 09:59:10 +0000 |
commit | 7451dee480466d800eb4297b4a38ccd10c7cfa9a (patch) | |
tree | e13604f6acbcb96deba654d6ab254e414157fa1e | |
parent | 91d5e5becbb8a0f8998d707208eb1f63ae826e42 (diff) | |
main/linux-grsec: upgrade to 3.6.3 kernel
-rw-r--r-- | main/linux-grsec/APKBUILD | 8 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch) | 107 |
2 files changed, 57 insertions, 58 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index dd8ba03fe..53f7802d6 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -2,7 +2,7 @@ _flavor=grsec pkgname=linux-${_flavor} -pkgver=3.6.2 +pkgver=3.6.3 _kernver=3.6 pkgrel=0 pkgdesc="Linux kernel with grsecurity" @@ -14,7 +14,7 @@ _config=${config:-kernelconfig.${CARCH}} install= source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz - grsecurity-2.9.1-3.6.2-201210151829.patch + grsecurity-2.9.1-3.6.3-201210231942.patch 0004-arp-flush-arp-cache-on-device-change.patch @@ -139,8 +139,8 @@ dev() { } md5sums="1a1760420eac802c541a20ab51a093d1 linux-3.6.tar.xz -ad1020c82a71ee1ef2416a0d12e724df patch-3.6.2.xz -c64b40d5b75594c066e014c19dad244c grsecurity-2.9.1-3.6.2-201210151829.patch +96701113d37ef4f9b785206ab8bcc71e patch-3.6.3.xz +854e121b7f805e7a6b862d49d4f7b420 grsecurity-2.9.1-3.6.3-201210231942.patch 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch 80def301b4cf710e0855d4058efe46bb kernelconfig.x86 8eddcd9b36f4c2580e0b2db91eed3366 kernelconfig.x86_64" diff --git a/main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch b/main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch index 26ec9d198..667fa189c 100644 --- a/main/linux-grsec/grsecurity-2.9.1-3.6.2-201210151829.patch +++ b/main/linux-grsec/grsecurity-2.9.1-3.6.3-201210231942.patch @@ -251,7 +251,7 @@ index ad7e2e5..199f49e 100644 pcd. [PARIDE] diff --git a/Makefile b/Makefile -index af5d6a9..4ccd9fb 100644 +index 6cdadf4..02df425 100644 --- a/Makefile +++ b/Makefile @@ -241,8 +241,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \ @@ -7666,7 +7666,7 @@ index b322f12..652d0d9 100644 Enabling this option turns a certain set of sanity checks for user copy operations into compile time failures. 
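Review bot: The `md5sums` block updated in the last APKBUILD hunk is the only integrity check visible here for `patch-3.6.3.xz`, which `source=` fetches over plain `http://ftp.kernel.org/...`. MD5 is not collision-resistant, so it is weak protection for a kernel source download. If the abuild version in use accepts it, add a stronger digest beside it, e.g. a `sha512sums="..."` block with one entry per source, generated from files whose upstream signature has been checked. The grsecurity patch is listed without a URL, so it appears to be a file in the tree and is covered by the repository history instead.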
diff --git a/arch/x86/Makefile b/arch/x86/Makefile -index 58790bd..fc2f239 100644 +index 05afcca..b6ecb51 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -50,6 +50,7 @@ else @@ -27270,7 +27270,7 @@ index 00aaf04..4a26505 100644 -} -__setup("vdso=", vdso_setup); diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c -index 1fbe75a..c22e01f 100644 +index c1461de..355f120 100644 --- a/arch/x86/xen/enlighten.c +++ b/arch/x86/xen/enlighten.c @@ -98,8 +98,6 @@ EXPORT_SYMBOL_GPL(xen_start_info); @@ -27317,7 +27317,7 @@ index 1fbe75a..c22e01f 100644 #endif } -@@ -1205,30 +1203,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { +@@ -1221,30 +1219,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = { #endif }; @@ -27355,7 +27355,7 @@ index 1fbe75a..c22e01f 100644 { if (pm_power_off) pm_power_off(); -@@ -1331,7 +1329,17 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1347,7 +1345,17 @@ asmlinkage void __init xen_start_kernel(void) __userpte_alloc_gfp &= ~__GFP_HIGHMEM; /* Work out if we support NX */ @@ -27374,7 +27374,7 @@ index 1fbe75a..c22e01f 100644 xen_setup_features(); -@@ -1362,13 +1370,6 @@ asmlinkage void __init xen_start_kernel(void) +@@ -1378,13 +1386,6 @@ asmlinkage void __init xen_start_kernel(void) machine_ops = xen_machine_ops; @@ -30040,7 +30040,7 @@ index f877805..403375a 100644 return 0; diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c -index 817f0ee..cd3b75d 100644 +index 4dc8024..90108d1 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -415,7 +415,7 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, @@ -30235,7 +30235,7 @@ index 57ea7f4..789e3c3 100644 card->driver->update_phy_reg(card, 4, PHY_LINK_ACTIVE | PHY_CONTENDER, 0); diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c -index 2783f69..9f4b0cc 100644 +index f8d2287..5aaf4db 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c 
@@ -1365,8 +1365,7 @@ static int init_iso_resource(struct client *client, @@ -30819,7 +30819,7 @@ index 73fa3e1..ab2e9b9 100644 iir = I915_READ(IIR); diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 0c7f4aa..c4771ed 100644 +index b634f6f..84bb8ba 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c @@ -2182,7 +2182,7 @@ intel_finish_fb(struct drm_framebuffer *old_fb) @@ -33808,7 +33808,7 @@ index 611b5f7..cee0bfb 100644 "md/raid1:%s: read error corrected " "(%d sectors at %llu on %s)\n", diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c -index 0138a72..eab8fc6 100644 +index a48c215..6bda6f4 100644 --- a/drivers/md/raid10.c +++ b/drivers/md/raid10.c @@ -1810,7 +1810,7 @@ static void end_sync_read(struct bio *bio, int error) @@ -34965,19 +34965,6 @@ index 9d71c9c..0e4a0ac 100644 { "100/10M Ethernet PCI Adapter", HAS_MII_XCVR }, { "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR }, { "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR }, -diff --git a/drivers/net/ethernet/intel/e1000e/e1000.h b/drivers/net/ethernet/intel/e1000e/e1000.h -index cb3356c..c302a98 100644 ---- a/drivers/net/ethernet/intel/e1000e/e1000.h -+++ b/drivers/net/ethernet/intel/e1000e/e1000.h -@@ -181,7 +181,7 @@ struct e1000_info; - #define E1000_TXDCTL_DMA_BURST_ENABLE \ - (E1000_TXDCTL_GRAN | /* set descriptor granularity */ \ - E1000_TXDCTL_COUNT_DESC | \ -- (5 << 16) | /* wthresh must be +1 more than desired */\ -+ (1 << 16) | /* wthresh must be +1 more than desired */\ - (1 << 8) | /* hthresh */ \ - 0x1f) /* pthresh */ - diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h index ed5b409..ec37828 100644 --- a/drivers/net/ethernet/intel/e1000e/hw.h @@ -42277,7 +42264,7 @@ index 3c14e43..eafa544 100644 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 +4 4 4 4 4 4 diff --git a/drivers/video/udlfb.c b/drivers/video/udlfb.c -index 8af6414..658c030 100644 +index 38fcfff..0072dcd 100644 
--- a/drivers/video/udlfb.c +++ b/drivers/video/udlfb.c @@ -620,11 +620,11 @@ int dlfb_handle_damage(struct dlfb_data *dev, int x, int y, @@ -47549,7 +47536,7 @@ index 7e81bfc..c3649aa 100644 lock_flocks(); diff --git a/fs/namei.c b/fs/namei.c -index dd1ed1b..875e998 100644 +index 81bd546..80149d9 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -265,16 +265,32 @@ int generic_permission(struct inode *inode, int mask) @@ -51551,10 +51538,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..07cd799 +index 0000000..3d58260 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4017 @@ +@@ -0,0 +1,4029 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -53036,6 +53023,7 @@ index 0000000..07cd799 +copy_user_acl(struct gr_arg *arg) +{ + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2; ++ struct acl_subject_label *subj_list; + struct sprole_pw *sptmp; + struct gr_hash_struct *ghash; + uid_t *domainlist; @@ -53164,14 +53152,21 @@ index 0000000..07cd799 + r_tmp->subj_hash_size * + sizeof (struct acl_subject_label *)); + -+ err = copy_user_subjs(r_tmp->hash->first, r_tmp); -+ -+ if (err) -+ return err; ++ /* acquire the list of subjects, then NULL out ++ the list prior to parsing the subjects for this role, ++ as during this parsing the list is replaced with a list ++ of *nested* subjects for the role ++ */ ++ subj_list = r_tmp->hash->first; + + /* set nested subject list to null */ + r_tmp->hash->first = NULL; + ++ err = copy_user_subjs(subj_list, r_tmp); ++ ++ if (err) ++ return err; ++ + insert_acl_role_label(r_tmp); + } + 
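Review bot: In the copy_user_acl hunk, the retained comment `/* set nested subject list to null */` now sits directly under the new block comment and names the field by what it becomes later, although at that point it still holds the list just saved into `subj_list`. The fix is purely an ordering constraint, so I would fold both comments into one on the assignment, e.g. `/* must be cleared before copy_user_subjs(): that call rebuilds hash->first as the nested-subject list */`. Note also that on the `return err` path `r_tmp->hash->first` may now hold a partly built nested list rather than the original pointer. copy_user_acl starts and ends outside the hunk, so whether the caller's cleanup copes with that cannot be confirmed from here.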
@@ -54180,8 +54175,9 @@ index 0000000..07cd799 + matchpo->mode |= GR_DELETED; + FOR_EACH_SUBJECT_END(subj,x) + FOR_EACH_NESTED_SUBJECT_START(role, subj) -+ if (subj->inode == ino && subj->device == dev) -+ subj->mode |= GR_DELETED; ++ /* nested subjects aren't in the role's subj_hash table */ ++ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL) ++ matchpo->mode |= GR_DELETED; + FOR_EACH_NESTED_SUBJECT_END(subj) + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL) + matchps->mode |= GR_DELETED; @@ -54339,6 +54335,9 @@ index 0000000..07cd799 + subj->inode = ino; + subj->device = dev; + } ++ /* nested subjects aren't in the role's subj_hash table */ ++ update_acl_obj_label(matchn->inode, matchn->device, ++ ino, dev, subj); + FOR_EACH_NESTED_SUBJECT_END(subj) + FOR_EACH_SUBJECT_START(role, subj, x) + update_acl_obj_label(matchn->inode, matchn->device, @@ -66364,7 +66363,7 @@ index 02e6167..54824f7 100644 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim; set_fs(fs); diff --git a/kernel/audit.c b/kernel/audit.c -index ea3b7b6..c260d34 100644 +index a8c84be..8bd034c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -115,7 +115,7 @@ u32 audit_sig_sid = 0; @@ -67990,7 +67989,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 4edbd9c..165e780 100644 +index 9ad9ee9..de7a157 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -58,6 +58,7 @@ @@ -68516,7 +68515,7 @@ index 4edbd9c..165e780 100644 pr_debug("\t0x%lx %s\n", (long)shdr->sh_addr, info->secstrings + shdr->sh_name); } -@@ -2759,12 +2859,12 @@ static void flush_module_icache(const struct module *mod) +@@ -2763,12 +2863,12 @@ static void flush_module_icache(const struct module *mod) * Do it before processing of module parameters, so the module * can provide parameter accessor functions of its own. */ 
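Review bot: In the `FOR_EACH_NESTED_SUBJECT_START` loop of the @@ -54180 hunk, the removed lines set `GR_DELETED` on the nested subject itself when its `inode`/`device` matched, while the new body only marks objects found through `lookup_acl_obj_label(ino, dev, subj)`. The added comment says nested subjects are not in the role's `subj_hash` table, so the following `lookup_acl_subj_label(ino, dev, role)` presumably cannot reach them either, and such a subject would no longer be flagged. If that is intended, the comment should say so; otherwise keep the old test next to the new lookup, `if (subj->inode == ino && subj->device == dev) subj->mode |= GR_DELETED;`. The enclosing function starts and ends outside the hunk, so how nested subjects are matched later cannot be checked here.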
@@ -68535,7 +68534,7 @@ index 4edbd9c..165e780 100644 set_fs(old_fs); } -@@ -2834,8 +2934,10 @@ out: +@@ -2838,8 +2938,10 @@ out: static void module_deallocate(struct module *mod, struct load_info *info) { percpu_modfree(mod); @@ -68548,7 +68547,7 @@ index 4edbd9c..165e780 100644 } int __weak module_finalize(const Elf_Ehdr *hdr, -@@ -2848,7 +2950,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, +@@ -2852,7 +2954,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr, static int post_relocation(struct module *mod, const struct load_info *info) { /* Sort exception table now relocations are done. */ @@ -68558,7 +68557,7 @@ index 4edbd9c..165e780 100644 /* Copy relocated percpu area over. */ percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr, -@@ -2899,9 +3003,38 @@ static struct module *load_module(void __user *umod, +@@ -2903,9 +3007,38 @@ static struct module *load_module(void __user *umod, if (err) goto free_unload; @@ -68597,7 +68596,7 @@ index 4edbd9c..165e780 100644 /* Fix up syms, so that st_value is a pointer to location. */ err = simplify_symbols(mod, &info); if (err < 0) -@@ -2917,13 +3050,6 @@ static struct module *load_module(void __user *umod, +@@ -2921,13 +3054,6 @@ static struct module *load_module(void __user *umod, flush_module_icache(mod); @@ -68611,7 +68610,7 @@ index 4edbd9c..165e780 100644 /* Mark state as coming so strong_try_module_get() ignores us. */ mod->state = MODULE_STATE_COMING; -@@ -2981,11 +3107,10 @@ static struct module *load_module(void __user *umod, +@@ -2985,11 +3111,10 @@ static struct module *load_module(void __user *umod, unlock: mutex_unlock(&module_mutex); synchronize_sched(); @@ -68624,7 +68623,7 @@ index 4edbd9c..165e780 100644 free_unload: module_unload_free(mod); free_module: -@@ -3026,16 +3151,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -3030,16 +3155,16 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, MODULE_STATE_COMING, mod); /* Set RO and NX regions for core */ 
@@ -68649,7 +68648,7 @@ index 4edbd9c..165e780 100644 do_mod_ctors(mod); /* Start the module */ -@@ -3081,11 +3206,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, +@@ -3085,11 +3210,12 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, mod->strtab = mod->core_strtab; #endif unset_module_init_ro_nx(mod); @@ -68667,7 +68666,7 @@ index 4edbd9c..165e780 100644 mutex_unlock(&module_mutex); return 0; -@@ -3116,10 +3242,16 @@ static const char *get_ksymbol(struct module *mod, +@@ -3120,10 +3246,16 @@ static const char *get_ksymbol(struct module *mod, unsigned long nextval; /* At worse, next value is at end of module */ @@ -68687,7 +68686,7 @@ index 4edbd9c..165e780 100644 /* Scan for closest preceding symbol, and next symbol. (ELF starts real symbols at 1). */ -@@ -3354,7 +3486,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3358,7 +3490,7 @@ static int m_show(struct seq_file *m, void *p) char buf[8]; seq_printf(m, "%s %u", @@ -68696,7 +68695,7 @@ index 4edbd9c..165e780 100644 print_unload_info(m, mod); /* Informative for users. */ -@@ -3363,7 +3495,7 @@ static int m_show(struct seq_file *m, void *p) +@@ -3367,7 +3499,7 @@ static int m_show(struct seq_file *m, void *p) mod->state == MODULE_STATE_COMING ? "Loading": "Live"); /* Used by oprofile and other similar tools. */ @@ -68705,7 +68704,7 @@ index 4edbd9c..165e780 100644 /* Taints info */ if (mod->taints) -@@ -3399,7 +3531,17 @@ static const struct file_operations proc_modules_operations = { +@@ -3403,7 +3535,17 @@ static const struct file_operations proc_modules_operations = { static int __init proc_modules_init(void) { @@ -68723,7 +68722,7 @@ index 4edbd9c..165e780 100644 return 0; } module_init(proc_modules_init); -@@ -3458,12 +3600,12 @@ struct module *__module_address(unsigned long addr) +@@ -3462,12 +3604,12 @@ struct module *__module_address(unsigned long addr) { struct module *mod; 
@@ -68739,7 +68738,7 @@ index 4edbd9c..165e780 100644 return mod; return NULL; } -@@ -3497,11 +3639,20 @@ bool is_module_text_address(unsigned long addr) +@@ -3501,11 +3643,20 @@ bool is_module_text_address(unsigned long addr) */ struct module *__module_text_address(unsigned long addr) { @@ -70660,7 +70659,7 @@ index f113755..ec24223 100644 cpumask_clear_cpu(cpu, tick_get_broadcast_mask()); tick_broadcast_clear_oneshot(cpu); diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c -index d3b91e7..2a4be68 100644 +index f791637..00051de 100644 --- a/kernel/time/timekeeping.c +++ b/kernel/time/timekeeping.c @@ -14,6 +14,7 @@ @@ -70799,10 +70798,10 @@ index 0b537f2..40d6c20 100644 return -ENOMEM; return 0; diff --git a/kernel/timer.c b/kernel/timer.c -index 8c5e7b9..968d02c 100644 +index 46ef2b1..ad081f144 100644 --- a/kernel/timer.c +++ b/kernel/timer.c -@@ -1375,7 +1375,7 @@ void update_process_times(int user_tick) +@@ -1377,7 +1377,7 @@ void update_process_times(int user_tick) /* * This function runs timers and the timer-tq in bottom half context. */ @@ -74469,7 +74468,7 @@ index 0f3b7cd..c5652b6 100644 struct anon_vma_chain *avc; struct anon_vma *anon_vma; diff --git a/mm/shmem.c b/mm/shmem.c -index d4e184e..9953cdd 100644 +index d2eeca1..3f160be 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -31,7 +31,7 @@ @@ -74490,7 +74489,7 @@ index d4e184e..9953cdd 100644 struct shmem_xattr { struct list_head list; /* anchored by shmem_inode_info->xattr_list */ -@@ -2592,8 +2592,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) +@@ -2594,8 +2594,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent) int err = -ENOMEM; /* Round up to L1_CACHE_BYTES to resist false sharing */ |