-rw-r--r-- | main/linux-grsec/APKBUILD | 10 | ||||
-rw-r--r-- | main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch (renamed from main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch) | 100 |
2 files changed, 90 insertions, 20 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 3cce8c8c92..5540cbef54 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*) _kernver=${pkgver%.*};;
 *.*) _kernver=${pkgver};;
 esac
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
 install=
 source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
- grsecurity-2.9.1-3.9.2-201305132026.patch
+ grsecurity-2.9.1-3.9.2-201305142035.patch
 0004-arp-flush-arp-cache-on-device-change.patch
@@ -145,19 +145,19 @@ dev() {
 md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
 adeb2556568f79e827e7a0ce4c483605 patch-3.9.2.xz
-b94f0de970e1808e1ec6c2d97a9bcfbc grsecurity-2.9.1-3.9.2-201305132026.patch
+cfecbd87d5123f77b3adb8b9d83b4282 grsecurity-2.9.1-3.9.2-201305142035.patch
 776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
 ae4d8b3e917cdea5330ec52048080de3 kernelconfig.x86
 839de81fedd3a6294d42da70a3fb99e0 kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
 069126b2b70acbc27fada2bf67235238fd90ff103267b1bb392244a301321996 patch-3.9.2.xz
-3a99a4111203c42fbf524e306f04784ff199322825d51c6dd4d0aaa4bbd9d930 grsecurity-2.9.1-3.9.2-201305132026.patch
+d4e3fdf0893e671b4108ac45053a6e8d3f8832965a56aa9ecac0032f9eebdd09 grsecurity-2.9.1-3.9.2-201305142035.patch
 e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
 513a5f387e7453169a7f41c1ba42da3229e47edd58b5ac18da31f04905c5c0bf kernelconfig.x86
 e842cf49decc9a8f5c0f2e4b431382f521fe41db22f2c2e6a1c077b2b158b3ab kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
 439e32edab86f8b1bd49bc4c9325e11520d78b8182ae88aebf46a4be319c4633d6d896e2ecd3fe0363d9247f5af88a989aafca9103b8e1544262bd191440dae9 patch-3.9.2.xz
-84cac525eabf87d71c99ca46442de8e7701c33052867dfa0049714b40841c921f1281081d66fdf315467a9cb70700eba2daad6bc9dd30c722305301f1b782261 grsecurity-2.9.1-3.9.2-201305132026.patch
+8b4fdb6d79ca3e25414064f1b303bb9f840b8a65778cda84c33063567dceff5dc46c265d1976b1e0e0aedb1f45547267e8bf3d92c25c8049ebf619268350204d grsecurity-2.9.1-3.9.2-201305142035.patch
 b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
57dc79b8b08a81993e1050197886c7f91a609843ed2f919eabd6769860fb1383e87a433def8f6b544a8c6382180822b863869ef76183c4d9df421465fe13c220 kernelconfig.x86
 0ce361b417821fc3795c4d8e4b3a8eeecbdc7df66261f744c55d288186f9a7d2a367f80bac2ff29c0d5c54f133cbbd74f3ec5e0147b0e7c04462627724dd3572 kernelconfig.x86_64"
diff --git a/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch b/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch
index edba3abbc1..7808b2716d 100644
--- a/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305132026.patch
+++ b/main/linux-grsec/grsecurity-2.9.1-3.9.2-201305142035.patch
@@ -69806,7 +69806,7 @@ index 45fc162..01a4068 100644 /** * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 1d795df..5df1246 100644 +index 1d795df..727aa7b 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h @@ -333,8 +333,8 @@ struct perf_event {
@@ -69831,6 +69831,36 @@ index 1d795df..5df1246 100644 /* * Protect attach/detach and child_list: +@@ -704,7 +704,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64 + entry->ip[entry->nr++] = ip; + } + +-extern int sysctl_perf_event_paranoid; ++extern int sysctl_perf_event_legitimately_concerned; + extern int sysctl_perf_event_mlock; + extern int sysctl_perf_event_sample_rate; + +@@ -714,17 +714,17 @@ extern int perf_proc_update_handler(struct ctl_table *table, int write, + + static inline bool perf_paranoid_tracepoint_raw(void) + { +- return sysctl_perf_event_paranoid > -1; ++ return sysctl_perf_event_legitimately_concerned > -1; + } + + static inline bool perf_paranoid_cpu(void) + { +- return sysctl_perf_event_paranoid > 0; ++ return sysctl_perf_event_legitimately_concerned > 0; + } + + static inline bool perf_paranoid_kernel(void) + { +- return sysctl_perf_event_paranoid > 1; ++ return sysctl_perf_event_legitimately_concerned > 1; + } + + extern void perf_event_init(void); @@ -812,7 +812,7 @@ static inline void perf_restore_debug_store(void) { } */ #define perf_cpu_notifier(fn) \ @@ -73909,10 +73939,23 @@ index 00eb8f7..d7e3244 100644 #ifdef CONFIG_MODULE_UNLOAD { diff --git a/kernel/events/core.c b/kernel/events/core.c -index 9fcb094..44cda04 100644 +index 9fcb094..5c06aeb 100644 --- a/kernel/events/core.c 
+++ b/kernel/events/core.c -@@ -182,7 +182,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, +@@ -155,7 +155,11 @@ static struct srcu_struct pmus_srcu; + * 1 - disallow cpu events for unpriv + * 2 - disallow kernel profiling for unpriv + */ +-int sysctl_perf_event_paranoid __read_mostly = 1; ++#ifdef CONFIG_GRKERNSEC_HIDESYM ++int sysctl_perf_event_legitimately_concerned __read_mostly = 2; ++#else ++int sysctl_perf_event_legitimately_concerned __read_mostly = 1; ++#endif + + /* Minimum for 512 kiB + 1 user control page */ + int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ +@@ -182,7 +186,7 @@ int perf_proc_update_handler(struct ctl_table *table, int write, return 0; } @@ -73921,7 +73964,7 @@ index 9fcb094..44cda04 100644 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx, enum event_type_t event_type); -@@ -2677,7 +2677,7 @@ static void __perf_event_read(void *info) +@@ -2677,7 +2681,7 @@ static void __perf_event_read(void *info) static inline u64 perf_event_count(struct perf_event *event) { @@ -73930,7 +73973,7 @@ index 9fcb094..44cda04 100644 } static u64 perf_event_read(struct perf_event *event) -@@ -3007,9 +3007,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) +@@ -3007,9 +3011,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running) mutex_lock(&event->child_mutex); total += perf_event_read(event); *enabled += event->total_time_enabled + @@ -73942,7 +73985,7 @@ index 9fcb094..44cda04 100644 list_for_each_entry(child, &event->child_list, child_list) { total += perf_event_read(child); -@@ -3412,10 +3412,10 @@ void perf_event_update_userpage(struct perf_event *event) +@@ -3412,10 +3416,10 @@ void perf_event_update_userpage(struct perf_event *event) userpg->offset -= local64_read(&event->hw.prev_count); userpg->time_enabled = enabled + 
@@ -73955,7 +73998,7 @@ index 9fcb094..44cda04 100644 arch_perf_update_userpage(userpg, now); -@@ -3974,11 +3974,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, +@@ -3974,11 +3978,11 @@ static void perf_output_read_one(struct perf_output_handle *handle, values[n++] = perf_event_count(event); if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) { values[n++] = enabled + @@ -73969,7 +74012,7 @@ index 9fcb094..44cda04 100644 } if (read_format & PERF_FORMAT_ID) values[n++] = primary_event_id(event); -@@ -4726,12 +4726,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) +@@ -4726,12 +4730,12 @@ static void perf_event_mmap_event(struct perf_mmap_event *mmap_event) * need to add enough zero bytes after the string to handle * the 64bit alignment we do later. */ @@ -73984,7 +74027,7 @@ index 9fcb094..44cda04 100644 if (IS_ERR(name)) { name = strncpy(tmp, "//toolong", sizeof(tmp)); goto got_name; -@@ -6167,7 +6167,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, +@@ -6167,7 +6171,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu, event->parent = parent_event; event->ns = get_pid_ns(task_active_pid_ns(current)); @@ -73993,7 +74036,7 @@ index 9fcb094..44cda04 100644 event->state = PERF_EVENT_STATE_INACTIVE; -@@ -6795,10 +6795,10 @@ static void sync_child_event(struct perf_event *child_event, +@@ -6795,10 +6799,10 @@ static void sync_child_event(struct perf_event *child_event, /* * Add back the child's count to the parent's count: */ @@ -77802,7 +77845,7 @@ index 0da73cf..a22106a 100644 if (!retval) { if (old_rlim) diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index afc1dc6..71b5c39 100644 +index afc1dc6..5e28bbf 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -93,7 +93,6 @@ 
@@ -77908,6 +77951,17 @@ index afc1dc6..71b5c39 100644 { .procname = "ngroups_max", .data = &ngroups_max, +@@ -1026,8 +1059,8 @@ static struct ctl_table kern_table[] = { + */ + { + .procname = "perf_event_paranoid", +- .data = &sysctl_perf_event_paranoid, +- .maxlen = sizeof(sysctl_perf_event_paranoid), ++ .data = &sysctl_perf_event_legitimately_concerned, ++ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned), + .mode = 0644, + .proc_handler = proc_dointvec, + }, @@ -1283,6 +1316,13 @@ static struct ctl_table vm_table[] = { .proc_handler = proc_dointvec_minmax, .extra1 = &zero, @@ -86537,7 +86591,7 @@ index fff5bdd..15194fb 100644 table = kmemdup(ipv6_icmp_table_template, sizeof(ipv6_icmp_table_template), diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c -index e4efffe..d415772 100644 +index e4efffe..791fe2f 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -73,7 +73,7 @@ struct ip6gre_net { @@ -86549,7 +86603,23 @@ index e4efffe..d415772 100644 static int ip6gre_tunnel_init(struct net_device *dev); static void ip6gre_tunnel_setup(struct net_device *dev); static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t); -@@ -1335,7 +1335,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) +@@ -1135,6 +1135,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev, + } + if (t == NULL) + t = netdev_priv(dev); ++ memset(&p, 0, sizeof(p)); + ip6gre_tnl_parm_to_user(&p, &t->parms); + if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p))) + err = -EFAULT; +@@ -1182,6 +1183,7 @@ static int ip6gre_tunnel_ioctl(struct net_device *dev, + if (t) { + err = 0; + ++ memset(&p, 0, sizeof(p)); + ip6gre_tnl_parm_to_user(&p, &t->parms); + if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p))) + err = -EFAULT; +@@ -1335,7 +1337,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev) } 
@@ -86558,7 +86628,7 @@ index e4efffe..d415772 100644 .handler = ip6gre_rcv, .err_handler = ip6gre_err, .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL, -@@ -1669,7 +1669,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { +@@ -1669,7 +1671,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = { [IFLA_GRE_FLAGS] = { .type = NLA_U32 }, }; @@ -86567,7 +86637,7 @@ index e4efffe..d415772 100644 .kind = "ip6gre", .maxtype = IFLA_GRE_MAX, .policy = ip6gre_policy, -@@ -1682,7 +1682,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { +@@ -1682,7 +1684,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = { .fill_info = ip6gre_fill_info, }; |