diff options
author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-07-27 14:23:21 -0300 |
---|---|---|
committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-07-27 14:23:21 -0300 |
commit | 101d891e1e20dfc47a7dc12f114dbb60a1403c3c (patch) | |
tree | dfd9fff8968fe35d4c5ddae9541d6e5229a96d50 | |
parent | e8116f07470108729c24c9526c1398c8c57eb370 (diff) | |
download | abslibre-101d891e1e20dfc47a7dc12f114dbb60a1403c3c.tar.gz abslibre-101d891e1e20dfc47a7dc12f114dbb60a1403c3c.tar.bz2 abslibre-101d891e1e20dfc47a7dc12f114dbb60a1403c3c.zip |
linux-libre-grsec-3.15.6.201407232200-2: updating revision
* increase CONFIG_PAX_KERNEXEC_MODULE_TEXT to 12M for the i686 kernel
* enable CONFIG_PAX_MEMORY_UDEREF for the x86_64 kernel + add warning
-rw-r--r-- | libre/linux-libre-grsec/PKGBUILD | 6 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.i686 | 4 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.x86_64 | 53 | ||||
-rw-r--r-- | libre/linux-libre-grsec/linux-libre-grsec.install | 16 |
4 files changed, 28 insertions, 51 deletions
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD index f957c8981..d8812907b 100644 --- a/libre/linux-libre-grsec/PKGBUILD +++ b/libre/linux-libre-grsec/PKGBUILD @@ -18,7 +18,7 @@ _grsecver=3.0 _timestamp=201407232200 _pkgver=${_basekernel}.${_sublevel} pkgver=${_basekernel}.${_sublevel}.${_timestamp} -pkgrel=1 +pkgrel=2 _lxopkgver=${_basekernel}.6 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="https://grsecurity.net/" @@ -44,8 +44,8 @@ sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688' '1966964395bd9331843c8d6dacbf661c9061e90c81bf8609d995ed458d57e358' '90c7a7d4666ae4807eb45b766f73e649e4fcf9fdcb983b710fe33e3f80f7b546' 'SKIP' - 'd6254dfca781a732d277ea22d67843dbe7ff1c8da5f77705a7783cd8ccdddc05' - '4c24d148ac4c21271b33b14013ba234a7dd8af417f505ef226b9da04fa91a6e7' + '9d926dcaf6ae07359619337ba2e17e36e8b23837b9e423e391f304f21c95de75' + '5037a8058ee020195d99b7c127d8634e77a281e31fa56c656b7d8661cac63665' '9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486' 'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b' '55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9' diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686 index 7fb6a2cd4..d0db896c0 100644 --- a/libre/linux-libre-grsec/config.i686 +++ b/libre/linux-libre-grsec/config.i686 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.5.201407170639-2 Kernel Configuration +# Linux/x86 3.15.6.201407232200-2 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -6498,7 +6498,7 @@ CONFIG_PAX_MPROTECT=y # CONFIG_PAX_ELFRELOCS is not set CONFIG_PAX_KERNEXEC=y CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" -CONFIG_PAX_KERNEXEC_MODULE_TEXT=4 +CONFIG_PAX_KERNEXEC_MODULE_TEXT=12 # # Address Space Layout Randomization diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64 index ba786a3fe..d42ce144f 100644 --- a/libre/linux-libre-grsec/config.x86_64 +++ b/libre/linux-libre-grsec/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.5.201407170639-2 Kernel Configuration +# Linux/x86 3.15.6.201407232200-2 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -357,13 +357,7 @@ CONFIG_HYPERVISOR_GUEST=y CONFIG_PARAVIRT=y # CONFIG_PARAVIRT_DEBUG is not set # CONFIG_PARAVIRT_SPINLOCKS is not set -CONFIG_XEN=y -CONFIG_XEN_DOM0=y -CONFIG_XEN_PVHVM=y -CONFIG_XEN_MAX_DOMAIN_MEMORY=500 -CONFIG_XEN_SAVE_RESTORE=y -# CONFIG_XEN_DEBUG_FS is not set -CONFIG_XEN_PVH=y +# CONFIG_XEN is not set CONFIG_KVM_GUEST=y # CONFIG_KVM_DEBUG_FS is not set CONFIG_PARAVIRT_TIME_ACCOUNTING=y @@ -519,7 +513,6 @@ CONFIG_USE_PERCPU_NUMA_NODE_ID=y # CONFIG_SUSPEND=y CONFIG_SUSPEND_FREEZER=y -CONFIG_HIBERNATE_CALLBACKS=y CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP_SMP=y CONFIG_PM_AUTOSLEEP=y @@ -630,7 +623,6 @@ CONFIG_I7300_IDLE=m CONFIG_PCI=y CONFIG_PCI_DIRECT=y CONFIG_PCI_MMCONFIG=y -CONFIG_PCI_XEN=y CONFIG_PCI_DOMAINS=y CONFIG_PCIEPORTBUS=y CONFIG_HOTPLUG_PCI_PCIE=y @@ -647,7 +639,6 @@ CONFIG_PCI_MSI=y # CONFIG_PCI_DEBUG is not set CONFIG_PCI_REALLOC_ENABLE_AUTO=y CONFIG_PCI_STUB=m -CONFIG_XEN_PCIDEV_FRONTEND=m CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y CONFIG_PCI_IOV=y @@ -1473,7 +1464,7 @@ CONFIG_EXTRA_FIRMWARE="" CONFIG_FW_LOADER_USER_HELPER=y # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_DEVRES is not set -CONFIG_SYS_HYPERVISOR=y +# CONFIG_SYS_HYPERVISOR is not set # CONFIG_GENERIC_CPU_DEVICES is not set CONFIG_GENERIC_CPU_AUTOPROBE=y CONFIG_REGMAP=y @@ -1660,8 +1651,6 @@ CONFIG_CDROM_PKTCDVD=m CONFIG_CDROM_PKTCDVD_BUFFERS=8 # CONFIG_CDROM_PKTCDVD_WCACHE is not set CONFIG_ATA_OVER_ETH=m -CONFIG_XEN_BLKDEV_FRONTEND=m -CONFIG_XEN_BLKDEV_BACKEND=m CONFIG_VIRTIO_BLK=m # CONFIG_BLK_DEV_HD is not set CONFIG_BLK_DEV_RBD=m @@ -2662,8 +2651,6 @@ CONFIG_IEEE802154_FAKEHARD=m CONFIG_IEEE802154_FAKELB=m CONFIG_IEEE802154_AT86RF230=m # CONFIG_IEEE802154_MRF24J40 is not set -CONFIG_XEN_NETDEV_FRONTEND=m -CONFIG_XEN_NETDEV_BACKEND=m CONFIG_VMXNET3=m CONFIG_HYPERV_NET=m CONFIG_ISDN=y @@ -3099,9 +3086,6 @@ CONFIG_PRINTER=m # CONFIG_LP_CONSOLE is not set CONFIG_PPDEV=m CONFIG_HVC_DRIVER=y -CONFIG_HVC_IRQ=y -CONFIG_HVC_XEN=y -CONFIG_HVC_XEN_FRONTEND=y CONFIG_VIRTIO_CONSOLE=m CONFIG_IPMI_HANDLER=m # CONFIG_IPMI_PANIC_EVENT is not set @@ -3146,7 +3130,6 @@ CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_ST33_I2C=m -CONFIG_TCG_XEN=m CONFIG_TELCLOCK=m CONFIG_I2C=m CONFIG_I2C_BOARDINFO=y @@ -3593,7 +3576,6 @@ CONFIG_W83977F_WDT=m CONFIG_MACHZ_WDT=m CONFIG_SBC_EPX_C3_WATCHDOG=m CONFIG_MEN_A21_WDT=m -CONFIG_XEN_WDT=m # # PCI-based Watchdog Cards @@ -4424,7 +4406,6 @@ CONFIG_FB_VT8623=m CONFIG_FB_UDL=m # CONFIG_FB_GOLDFISH is not set CONFIG_FB_VIRTUAL=m -CONFIG_XEN_FBDEV_FRONTEND=m # CONFIG_FB_METRONOME is not set # CONFIG_FB_MB862XX is not set # CONFIG_FB_BROADSHEET is not set @@ -5322,29 +5303,6 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y CONFIG_HYPERV=m CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m - -# -# Xen driver support -# -CONFIG_XEN_BALLOON=y -# CONFIG_XEN_SELFBALLOONING is not set -CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y -CONFIG_XEN_SCRUB_PAGES=y -CONFIG_XEN_DEV_EVTCHN=m -CONFIG_XEN_BACKEND=y -CONFIG_XENFS=m -CONFIG_XEN_COMPAT_XENFS=y -CONFIG_XEN_SYS_HYPERVISOR=y -CONFIG_XEN_XENBUS_FRONTEND=y -CONFIG_XEN_GNTDEV=m -CONFIG_XEN_GRANT_DEV_ALLOC=m -CONFIG_SWIOTLB_XEN=y -CONFIG_XEN_TMEM=m -CONFIG_XEN_PCIDEV_BACKEND=m -CONFIG_XEN_PRIVCMD=m -CONFIG_XEN_ACPI_PROCESSOR=m -# CONFIG_XEN_MCE_LOG is not set -CONFIG_XEN_HAVE_PVMMU=y CONFIG_STAGING=y CONFIG_ET131X=m CONFIG_SLICOSS=m @@ -6230,7 +6188,8 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0 # # Grsecurity # -CONFIG_TASK_SIZE_MAX_SHIFT=47 +CONFIG_PAX_PER_CPU_PGD=y +CONFIG_TASK_SIZE_MAX_SHIFT=42 CONFIG_PAX_USERCOPY_SLABS=y CONFIG_GRKERNSEC=y # CONFIG_GRKERNSEC_CONFIG_AUTO is not set @@ -6267,6 +6226,7 @@ CONFIG_PAX_EMUTRAMP=y CONFIG_PAX_MPROTECT=y # CONFIG_PAX_MPROTECT_COMPAT is not set # CONFIG_PAX_ELFRELOCS is not set +# CONFIG_PAX_KERNEXEC is not set CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" # @@ -6283,6 +6243,7 @@ CONFIG_PAX_RANDMMAP=y CONFIG_PAX_MEMORY_SANITIZE=y CONFIG_PAX_MEMORY_STACKLEAK=y CONFIG_PAX_MEMORY_STRUCTLEAK=y +CONFIG_PAX_MEMORY_UDEREF=y CONFIG_PAX_REFCOUNT=y CONFIG_PAX_USERCOPY=y # CONFIG_PAX_USERCOPY_DEBUG is not set diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install index 637577244..22a798dfa 100644 --- a/libre/linux-libre-grsec/linux-libre-grsec.install +++ b/libre/linux-libre-grsec/linux-libre-grsec.install @@ -4,6 +4,17 @@ KERNEL_NAME=-grsec KERNEL_VERSION= +_uderef_warning() { + if [[ $(uname -m) = x86_64 ]]; then + cat <<EOF +CONFIG_PAX_MEMORY_UDEREF is now enabled on x86_64 and can be disabled by +passing \`pax_nouderef\` on the kernel line. UDEREF's PCID support on Sandy +Bridge and later is known to have issues with recent kernel versions and can be +disabled by passing \`nopcid\` to use the legacy implementation. +EOF + fi +} + _add_groups() { if getent group tpe-trusted >/dev/null; then groupmod -g 200 -n tpe tpe-trusted @@ -54,6 +65,7 @@ post_install () { fi _add_groups + _uderef_warning } post_upgrade() { @@ -80,6 +92,10 @@ post_upgrade() { fi _add_groups + + if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then + _uderef_warning + fi } post_remove() { |