authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-07-27 14:23:21 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-07-27 14:23:21 -0300
commit101d891e1e20dfc47a7dc12f114dbb60a1403c3c (patch)
treedfd9fff8968fe35d4c5ddae9541d6e5229a96d50
parente8116f07470108729c24c9526c1398c8c57eb370 (diff)
linux-libre-grsec-3.15.6.201407232200-2: updating revision
* increase CONFIG_PAX_KERNEXEC_MODULE_TEXT to 12M for the i686 kernel * enable CONFIG_PAX_MEMORY_UDEREF for the x86_64 kernel + add warning
-rw-r--r--libre/linux-libre-grsec/PKGBUILD6
-rw-r--r--libre/linux-libre-grsec/config.i6864
-rw-r--r--libre/linux-libre-grsec/config.x86_6453
-rw-r--r--libre/linux-libre-grsec/linux-libre-grsec.install16
4 files changed, 28 insertions, 51 deletions
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index f957c8981..d8812907b 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -18,7 +18,7 @@ _grsecver=3.0
_timestamp=201407232200
_pkgver=${_basekernel}.${_sublevel}
pkgver=${_basekernel}.${_sublevel}.${_timestamp}
-pkgrel=1
+pkgrel=2
_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="https://grsecurity.net/"
@@ -44,8 +44,8 @@ sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
'1966964395bd9331843c8d6dacbf661c9061e90c81bf8609d995ed458d57e358'
'90c7a7d4666ae4807eb45b766f73e649e4fcf9fdcb983b710fe33e3f80f7b546'
'SKIP'
- 'd6254dfca781a732d277ea22d67843dbe7ff1c8da5f77705a7783cd8ccdddc05'
- '4c24d148ac4c21271b33b14013ba234a7dd8af417f505ef226b9da04fa91a6e7'
+ '9d926dcaf6ae07359619337ba2e17e36e8b23837b9e423e391f304f21c95de75'
+ '5037a8058ee020195d99b7c127d8634e77a281e31fa56c656b7d8661cac63665'
'9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486'
'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b'
'55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9'
diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686
index 7fb6a2cd4..d0db896c0 100644
--- a/libre/linux-libre-grsec/config.i686
+++ b/libre/linux-libre-grsec/config.i686
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -6498,7 +6498,7 @@ CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
-CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
+CONFIG_PAX_KERNEXEC_MODULE_TEXT=12
#
# Address Space Layout Randomization
diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64
index ba786a3fe..d42ce144f 100644
--- a/libre/linux-libre-grsec/config.x86_64
+++ b/libre/linux-libre-grsec/config.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -357,13 +357,7 @@ CONFIG_HYPERVISOR_GUEST=y
CONFIG_PARAVIRT=y
# CONFIG_PARAVIRT_DEBUG is not set
# CONFIG_PARAVIRT_SPINLOCKS is not set
-CONFIG_XEN=y
-CONFIG_XEN_DOM0=y
-CONFIG_XEN_PVHVM=y
-CONFIG_XEN_MAX_DOMAIN_MEMORY=500
-CONFIG_XEN_SAVE_RESTORE=y
-# CONFIG_XEN_DEBUG_FS is not set
-CONFIG_XEN_PVH=y
+# CONFIG_XEN is not set
CONFIG_KVM_GUEST=y
# CONFIG_KVM_DEBUG_FS is not set
CONFIG_PARAVIRT_TIME_ACCOUNTING=y
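Review bot: Replacing the `CONFIG_XEN=y` block with `# CONFIG_XEN is not set` removes Xen dom0/domU support from the x86_64 kernel, yet neither the commit description nor the new install-time message mentions it. The same removal continues in the later hunks of this file (`PCI_XEN`, the block and network front/back ends, `HVC_XEN`, `TCG_XEN`, `XEN_WDT`, `SYS_HYPERVISOR`, and the whole "Xen driver support" section). This is presumably needed because UDEREF cannot be enabled while Xen is selected, but that should be confirmed and stated. I would add a line such as `* disable Xen support on x86_64 (required for UDEREF)` to the description and a matching sentence to the upgrade message, so that Xen hosts and guests are not caught out by the upgrade.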
@@ -519,7 +513,6 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y
#
CONFIG_SUSPEND=y
CONFIG_SUSPEND_FREEZER=y
-CONFIG_HIBERNATE_CALLBACKS=y
CONFIG_PM_SLEEP=y
CONFIG_PM_SLEEP_SMP=y
CONFIG_PM_AUTOSLEEP=y
@@ -630,7 +623,6 @@ CONFIG_I7300_IDLE=m
CONFIG_PCI=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
-CONFIG_PCI_XEN=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
@@ -647,7 +639,6 @@ CONFIG_PCI_MSI=y
# CONFIG_PCI_DEBUG is not set
CONFIG_PCI_REALLOC_ENABLE_AUTO=y
CONFIG_PCI_STUB=m
-CONFIG_XEN_PCIDEV_FRONTEND=m
CONFIG_HT_IRQ=y
CONFIG_PCI_ATS=y
CONFIG_PCI_IOV=y
@@ -1473,7 +1464,7 @@ CONFIG_EXTRA_FIRMWARE=""
CONFIG_FW_LOADER_USER_HELPER=y
# CONFIG_DEBUG_DRIVER is not set
# CONFIG_DEBUG_DEVRES is not set
-CONFIG_SYS_HYPERVISOR=y
+# CONFIG_SYS_HYPERVISOR is not set
# CONFIG_GENERIC_CPU_DEVICES is not set
CONFIG_GENERIC_CPU_AUTOPROBE=y
CONFIG_REGMAP=y
@@ -1660,8 +1651,6 @@ CONFIG_CDROM_PKTCDVD=m
CONFIG_CDROM_PKTCDVD_BUFFERS=8
# CONFIG_CDROM_PKTCDVD_WCACHE is not set
CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
CONFIG_VIRTIO_BLK=m
# CONFIG_BLK_DEV_HD is not set
CONFIG_BLK_DEV_RBD=m
@@ -2662,8 +2651,6 @@ CONFIG_IEEE802154_FAKEHARD=m
CONFIG_IEEE802154_FAKELB=m
CONFIG_IEEE802154_AT86RF230=m
# CONFIG_IEEE802154_MRF24J40 is not set
-CONFIG_XEN_NETDEV_FRONTEND=m
-CONFIG_XEN_NETDEV_BACKEND=m
CONFIG_VMXNET3=m
CONFIG_HYPERV_NET=m
CONFIG_ISDN=y
@@ -3099,9 +3086,6 @@ CONFIG_PRINTER=m
# CONFIG_LP_CONSOLE is not set
CONFIG_PPDEV=m
CONFIG_HVC_DRIVER=y
-CONFIG_HVC_IRQ=y
-CONFIG_HVC_XEN=y
-CONFIG_HVC_XEN_FRONTEND=y
CONFIG_VIRTIO_CONSOLE=m
CONFIG_IPMI_HANDLER=m
# CONFIG_IPMI_PANIC_EVENT is not set
@@ -3146,7 +3130,6 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_ST33_I2C=m
-CONFIG_TCG_XEN=m
CONFIG_TELCLOCK=m
CONFIG_I2C=m
CONFIG_I2C_BOARDINFO=y
@@ -3593,7 +3576,6 @@ CONFIG_W83977F_WDT=m
CONFIG_MACHZ_WDT=m
CONFIG_SBC_EPX_C3_WATCHDOG=m
CONFIG_MEN_A21_WDT=m
-CONFIG_XEN_WDT=m
#
# PCI-based Watchdog Cards
@@ -4424,7 +4406,6 @@ CONFIG_FB_VT8623=m
CONFIG_FB_UDL=m
# CONFIG_FB_GOLDFISH is not set
CONFIG_FB_VIRTUAL=m
-CONFIG_XEN_FBDEV_FRONTEND=m
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
# CONFIG_FB_BROADSHEET is not set
@@ -5322,29 +5303,6 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
CONFIG_HYPERV=m
CONFIG_HYPERV_UTILS=m
CONFIG_HYPERV_BALLOON=m
-
-#
-# Xen driver support
-#
-CONFIG_XEN_BALLOON=y
-# CONFIG_XEN_SELFBALLOONING is not set
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_SCRUB_PAGES=y
-CONFIG_XEN_DEV_EVTCHN=m
-CONFIG_XEN_BACKEND=y
-CONFIG_XENFS=m
-CONFIG_XEN_COMPAT_XENFS=y
-CONFIG_XEN_SYS_HYPERVISOR=y
-CONFIG_XEN_XENBUS_FRONTEND=y
-CONFIG_XEN_GNTDEV=m
-CONFIG_XEN_GRANT_DEV_ALLOC=m
-CONFIG_SWIOTLB_XEN=y
-CONFIG_XEN_TMEM=m
-CONFIG_XEN_PCIDEV_BACKEND=m
-CONFIG_XEN_PRIVCMD=m
-CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_MCE_LOG is not set
-CONFIG_XEN_HAVE_PVMMU=y
CONFIG_STAGING=y
CONFIG_ET131X=m
CONFIG_SLICOSS=m
@@ -6230,7 +6188,8 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0
#
# Grsecurity
#
-CONFIG_TASK_SIZE_MAX_SHIFT=47
+CONFIG_PAX_PER_CPU_PGD=y
+CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
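Review bot: `CONFIG_TASK_SIZE_MAX_SHIFT` drops from 47 to 42 alongside the new `CONFIG_PAX_PER_CPU_PGD=y`, and nothing in the commit documents it. It appears to shrink the per-process user address space on x86_64. This looks like a side effect of enabling UDEREF rather than a separate choice, but programs that reserve very large virtual ranges may fail under the smaller limit. I would record it in the description, e.g. `* UDEREF selects PAX_PER_CPU_PGD, which reduces TASK_SIZE_MAX_SHIFT to 42`.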
@@ -6267,6 +6226,7 @@ CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
+# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
#
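Review bot: The added `# CONFIG_PAX_KERNEXEC is not set` leaves KERNEXEC off on x86_64, while config.i686 in this same commit keeps `CONFIG_PAX_KERNEXEC=y`. The option did not appear in the old x86_64 config at all, which suggests it only became selectable once Xen was disabled. Leaving it unset therefore reads as a deliberate choice that the description does not explain. If it is deliberate, say so in the commit description; otherwise consider `CONFIG_PAX_KERNEXEC=y` so that both architectures get the same hardening.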
@@ -6283,6 +6243,7 @@ CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install
index 637577244..22a798dfa 100644
--- a/libre/linux-libre-grsec/linux-libre-grsec.install
+++ b/libre/linux-libre-grsec/linux-libre-grsec.install
@@ -4,6 +4,17 @@
KERNEL_NAME=-grsec
KERNEL_VERSION=
+_uderef_warning() {
+ if [[ $(uname -m) = x86_64 ]]; then
+ cat <<EOF
+CONFIG_PAX_MEMORY_UDEREF is now enabled on x86_64 and can be disabled by
+passing \`pax_nouderef\` on the kernel line. UDEREF's PCID support on Sandy
+Bridge and later is known to have issues with recent kernel versions and can be
+disabled by passing \`nopcid\` to use the legacy implementation.
+EOF
+ fi
+}
+
_add_groups() {
if getent group tpe-trusted >/dev/null; then
groupmod -g 200 -n tpe tpe-trusted
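Review bot: The text printed by `_uderef_warning` explains how to switch UDEREF off but not what is lost by doing so, so a user who hits a boot problem may leave `pax_nouderef` on the command line permanently. I would add a sentence such as `Disabling UDEREF removes a kernel self-protection feature; try nopcid first and use pax_nouderef only as a fallback.` and write "kernel command line" instead of "kernel line". Also, `$(uname -m)` reports the running kernel rather than the architecture of the package being installed, so the message can be shown or suppressed incorrectly inside a chroot. The `_add_groups` body continues outside this hunk.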
@@ -54,6 +65,7 @@ post_install () {
fi
_add_groups
+ _uderef_warning
}
post_upgrade() {
@@ -80,6 +92,10 @@ post_upgrade() {
fi
_add_groups
+
+ if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
+ _uderef_warning
+ fi
}
post_remove() {
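Review bot: `$2` is unquoted inside `$(vercmp $2 3.15.6.201407232200-2)`, so an empty or whitespace-containing old version shifts the arguments and the test no longer compares what it appears to. `if [[ $(vercmp "$2" 3.15.6.201407232200-2) -lt 0 ]]; then` is safer. The version literal also duplicates this release's pkgver-pkgrel without explanation; a comment such as `# first release with UDEREF enabled on x86_64` would stop it being bumped by mistake on later updates. post_upgrade starts outside this hunk.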