-rw-r--r--main/linux-grsec/APKBUILD10
-rw-r--r--main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch)100
2 files changed, 90 insertions, 20 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 3cce8c8c92..5540cbef54 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=0
+pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.2-201305132026.patch
+ grsecurity-2.9.1-3.9.2-201305142035.patch
0004-arp-flush-arp-cache-on-device-change.patch
@@ -145,19 +145,19 @@ dev() {
md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
adeb2556568f79e827e7a0ce4c483605 patch-3.9.2.xz
-b94f0de970e1808e1ec6c2d97a9bcfbc grsecurity-2.9.1-3.9.2-201305132026.patch
+cfecbd87d5123f77b3adb8b9d83b4282 grsecurity-2.9.1-3.9.2-201305142035.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
ae4d8b3e917cdea5330ec52048080de3 kernelconfig.x86
839de81fedd3a6294d42da70a3fb99e0 kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
069126b2b70acbc27fada2bf67235238fd90ff103267b1bb392244a301321996 patch-3.9.2.xz
-3a99a4111203c42fbf524e306f04784ff199322825d51c6dd4d0aaa4bbd9d930 grsecurity-2.9.1-3.9.2-201305132026.patch
+d4e3fdf0893e671b4108ac45053a6e8d3f8832965a56aa9ecac0032f9eebdd09 grsecurity-2.9.1-3.9.2-201305142035.patch
e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
513a5f387e7453169a7f41c1ba42da3229e47edd58b5ac18da31f04905c5c0bf kernelconfig.x86
e842cf49decc9a8f5c0f2e4b431382f521fe41db22f2c2e6a1c077b2b158b3ab kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
439e32edab86f8b1bd49bc4c9325e11520d78b8182ae88aebf46a4be319c4633d6d896e2ecd3fe0363d9247f5af88a989aafca9103b8e1544262bd191440dae9 patch-3.9.2.xz
-84cac525eabf87d71c99ca46442de8e7701c33052867dfa0049714b40841c921f1281081d66fdf315467a9cb70700eba2daad6bc9dd30c722305301f1b782261 grsecurity-2.9.1-3.9.2-201305132026.patch
+8b4fdb6d79ca3e25414064f1b303bb9f840b8a65778cda84c33063567dceff5dc46c265d1976b1e0e0aedb1f45547267e8bf3d92c25c8049ebf619268350204d grsecurity-2.9.1-3.9.2-201305142035.patch
b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
57dc79b8b08a81993e1050197886c7f91a609843ed2f919eabd6769860fb1383e87a433def8f6b544a8c6382180822b863869ef76183c4d9df421465fe13c220 kernelconfig.x86
0ce361b417821fc3795c4d8e4b3a8eeecbdc7df66261f744c55d288186f9a7d2a367f80bac2ff29c0d5c54f133cbbd74f3ec5e0147b0e7c04462627724dd3572 kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch
index edba3abbc1..7808b2716d 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch
@@ -69806,7 +69806,7 @@ index 45fc162..01a4068 100644
/**
* struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
-index 1d795df..5df1246 100644
+index 1d795df..727aa7b 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -333,8 +333,8 @@ struct perf_event {
@@ -69831,6 +69831,36 @@ index 1d795df..5df1246 100644
/*
* Protect attach/detach and child_list:
+@@ -704,7 +704,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
+ entry->ip[entry->nr++] = ip;
+ }
+
+-extern int sysctl_perf_event_paranoid;
++extern int sysctl_perf_event_legitimately_concerned;
+ extern int sysctl_perf_event_mlock;
+ extern int sysctl_perf_event_sample_rate;
+
+@@ -714,17 +714,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write,
+
+ static inline bool perf_paranoid_tracepoint_raw(void)
+ {
+- return sysctl_perf_event_paranoid > -1;
++ return sysctl_perf_event_legitimately_concerned > -1;
+ }
+
+ static inline bool perf_paranoid_cpu(void)
+ {
+- return sysctl_perf_event_paranoid > 0;
++ return sysctl_perf_event_legitimately_concerned > 0;
+ }
+
+ static inline bool perf_paranoid_kernel(void)
+ {
+- return sysctl_perf_event_paranoid > 1;
++ return sysctl_perf_event_legitimately_concerned > 1;
+ }
+
+ extern void perf_event_init(void);
@@ -812,7 +812,7 @@ static inline void perf_restore_debug_store(void) { }
*/
#define perf_cpu_notifier(fn) \
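Review bot: The renamed variable `sysctl_perf_event_legitimately_concerned` no longer matches the sysctl it backs, since the kernel/sysctl.c hunk further down keeps `.procname = "perf_event_paranoid"` and the three helpers here keep their `perf_paranoid_*` names. Someone searching for the sysctl name will not find the declaration, so a one-line comment above the extern would help, e.g. `/* backs the kernel.perf_event_paranoid sysctl */`. Any code outside the files touched here that still refers to the old symbol will stop building; that may be intended, but nothing in the patch says so.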
@@ -73909,10 +73939,23 @@ index 00eb8f7..d7e3244 100644
#ifdef CONFIG_MODULE_UNLOAD
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
-index 9fcb094..44cda04 100644
+index 9fcb094..5c06aeb 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
-@@ -182,7 +182,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
+@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu;
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
+ */
+-int sysctl_perf_event_paranoid __read_mostly = 1;
++#ifdef CONFIG_GRKERNSEC_HIDESYM
++int sysctl_perf_event_legitimately_concerned __read_mostly = 2;
++#else
++int sysctl_perf_event_legitimately_concerned __read_mostly = 1;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -182,7 +186,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write,
return 0;
}
@@ -73921,7 +73964,7 @@ index 9fcb094..44cda04 100644
static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
enum event_type_t event_type);
-@@ -2677,7 +2677,7 @@ static void __perf_event_read(void *info)
+@@ -2677,7 +2681,7 @@ static void __perf_event_read(void *info)
static inline u64 perf_event_count(struct perf_event *event)
{
@@ -73930,7 +73973,7 @@ index 9fcb094..44cda04 100644
}
static u64 perf_event_read(struct perf_event *event)
-@@ -3007,9 +3007,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
+@@ -3007,9 +3011,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
mutex_lock(&event->child_mutex);
total += perf_event_read(event);
*enabled += event->total_time_enabled +
@@ -73942,7 +73985,7 @@ index 9fcb094..44cda04 100644
list_for_each_entry(child, &event->child_list, child_list) {
total += perf_event_read(child);
-@@ -3412,10 +3412,10 @@ void perf_event_update_userpage(struct perf_event *event)
+@@ -3412,10 +3416,10 @@ void perf_event_update_userpage(struct perf_event *event)
userpg->offset -= local64_read(&event->hw.prev_count);
userpg->time_enabled = enabled +
@@ -73955,7 +73998,7 @@ index 9fcb094..44cda04 100644
arch_perf_update_userpage(userpg, now);
-@@ -3974,11 +3974,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
+@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
values[n++] = perf_event_count(event);
if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
values[n++] = enabled +
@@ -73969,7 +74012,7 @@ index 9fcb094..44cda04 100644
}
if (read_format & PERF_FORMAT_ID)
values[n++] = primary_event_id(event);
-@@ -4726,12 +4726,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
+@@ -4726,12 +4730,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event)
* need to add enough zero bytes after the string to handle
* the 64bit alignment we do later.
*/
@@ -73984,7 +74027,7 @@ index 9fcb094..44cda04 100644
if (IS_ERR(name)) {
name = strncpy(tmp, "//toolong", sizeof(tmp));
goto got_name;
-@@ -6167,7 +6167,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
+@@ -6167,7 +6171,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
event->parent = parent_event;
event->ns = get_pid_ns(task_active_pid_ns(current));
@@ -73993,7 +74036,7 @@ index 9fcb094..44cda04 100644
event->state = PERF_EVENT_STATE_INACTIVE;
-@@ -6795,10 +6795,10 @@ static void sync_child_event(struct perf_event *child_event,
+@@ -6795,10 +6799,10 @@ static void sync_child_event(struct perf_event *child_event,
/*
* Add back the child's count to the parent's count:
*/
@@ -77802,7 +77845,7 @@ index 0da73cf..a22106a 100644
if (!retval) {
if (old_rlim)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index afc1dc6..71b5c39 100644
+index afc1dc6..5e28bbf 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -93,7 +93,6 @@
@@ -77908,6 +77951,17 @@ index afc1dc6..71b5c39 100644
{
.procname = "ngroups_max",
.data = &ngroups_max,
+@@ -1026,8 +1059,8 @@ static struct ctl_table kern_table[] = {
+ */
+ {
+ .procname = "perf_event_paranoid",
+- .data = &sysctl_perf_event_paranoid,
+- .maxlen = sizeof(sysctl_perf_event_paranoid),
++ .data = &sysctl_perf_event_legitimately_concerned,
++ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
@@ -1283,6 +1316,13 @@ static struct ctl_table vm_table[] = {
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
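Review bot: The `perf_event_paranoid` entry still uses `proc_dointvec` with mode 0644 and no bounds, so the stricter default of 2 that the kernel/events/core.c hunk sets under `CONFIG_GRKERNSEC_HIDESYM` is only an initial value that any writer of this sysctl can lower, down to -1. If HIDESYM kernels are meant never to allow unprivileged kernel profiling, the entry needs a floor: `.proc_handler = proc_dointvec_minmax,` with `.extra1` pointing at the minimum, as the entry in the trailing context does with `&zero`. If lowering it at runtime is intended, a short comment on the entry should say that the HIDESYM value is a default and not an enforced limit.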
@@ -86537,7 +86591,7 @@ index fff5bdd..15194fb 100644
table = kmemdup(ipv6_icmp_table_template,
sizeof(ipv6_icmp_table_template),
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
-index e4efffe..d415772 100644
+index e4efffe..791fe2f 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -73,7 +73,7 @@ struct ip6gre_net {
@@ -86549,7 +86603,23 @@ index e4efffe..d415772 100644
static int ip6gre_tunnel_init(struct net_device *dev);
static void ip6gre_tunnel_setup(struct net_device *dev);
static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
-@@ -1335,7 +1335,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
+@@ -1135,6 +1135,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
+ }
+ if (t == NULL)
+ t = netdev_priv(dev);
++ memset(&p, 0, sizeof(p));
+ ip6gre_tnl_parm_to_user(&p, &t->parms);
+ if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
+ err = -EFAULT;
+@@ -1182,6 +1183,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev,
+ if (t) {
+ err = 0;
+
++ memset(&p, 0, sizeof(p));
+ ip6gre_tnl_parm_to_user(&p, &t->parms);
+ if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
+ err = -EFAULT;
+@@ -1335,7 +1337,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
}
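Review bot: The two added `memset(&p, 0, sizeof(p));` calls in ip6gre_tunnel_ioctl carry no comment, and next to `ip6gre_tnl_parm_to_user(&p, &t->parms)` they read as redundant and are easy to drop in a later cleanup. They matter because `p` is then copied whole to userspace with `copy_to_user(..., &p, sizeof(p))`, so padding or any member the helper leaves unassigned would otherwise carry stale kernel memory; the helper and the declaration of `p` are not visible here, so which bytes are affected is an assumption. I would add `/* clear padding and unset members before copy_to_user */` above each call, or do the zeroing inside the helper so every copy-out site is covered. The function body starts and ends outside these hunks.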
@@ -86558,7 +86628,7 @@ index e4efffe..d415772 100644
.handler = ip6gre_rcv,
.err_handler = ip6gre_err,
.flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
-@@ -1669,7 +1669,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
+@@ -1669,7 +1671,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
[IFLA_GRE_FLAGS] = { .type = NLA_U32 },
};
@@ -86567,7 +86637,7 @@ index e4efffe..d415772 100644
.kind = "ip6gre",
.maxtype = IFLA_GRE_MAX,
.policy = ip6gre_policy,
-@@ -1682,7 +1682,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
+@@ -1682,7 +1684,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
.fill_info = ip6gre_fill_info,
};