summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-07-30 20:38:35 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-07-30 20:38:35 -0300
commit15247b8595a5a378c8be0043bb785f8fb4eb47f1 (patch)
tree066608dd9a55239b300b1e9dd09ec093a2604571
parent6fb74af4b079b3a8213d61ca0b440e0647231683 (diff)
downloadabslibre-15247b8595a5a378c8be0043bb785f8fb4eb47f1.tar.gz
abslibre-15247b8595a5a378c8be0043bb785f8fb4eb47f1.tar.bz2
abslibre-15247b8595a5a378c8be0043bb785f8fb4eb47f1.zip
linux-libre-grsec-3.15.7.201407282112-2: updating version
* enable CONFIG_USER_NS, but revert the commit allowing unprivileged user namespaces to avoid adding attack surface
-rw-r--r--libre/linux-libre-grsec/0013-efistub-fix.patch177
-rw-r--r--libre/linux-libre-grsec/PKGBUILD27
-rw-r--r--libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch41
-rw-r--r--libre/linux-libre-grsec/config.i6862
-rw-r--r--libre/linux-libre-grsec/config.x86_642
5 files changed, 56 insertions, 193 deletions
diff --git a/libre/linux-libre-grsec/0013-efistub-fix.patch b/libre/linux-libre-grsec/0013-efistub-fix.patch
deleted file mode 100644
index a2da3b63a..000000000
--- a/libre/linux-libre-grsec/0013-efistub-fix.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From c7fb93ec51d462ec3540a729ba446663c26a0505 Mon Sep 17 00:00:00 2001
-From: Michael Brown <mbrown@fensystems.co.uk>
-Date: Thu, 10 Jul 2014 12:26:20 +0100
-Subject: x86/efi: Include a .bss section within the PE/COFF headers
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The PE/COFF headers currently describe only the initialised-data
-portions of the image, and result in no space being allocated for the
-uninitialised-data portions. Consequently, the EFI boot stub will end
-up overwriting unexpected areas of memory, with unpredictable results.
-
-Fix by including a .bss section in the PE/COFF headers (functionally
-equivalent to the init_size field in the bzImage header).
-
-Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
-Cc: Thomas Bächler <thomas@archlinux.org>
-Cc: Josh Boyer <jwboyer@fedoraproject.org>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-
-diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
-index 84c2234..7a6d43a 100644
---- a/arch/x86/boot/header.S
-+++ b/arch/x86/boot/header.S
-@@ -91,10 +91,9 @@ bs_die:
-
- .section ".bsdata", "a"
- bugger_off_msg:
-- .ascii "Direct floppy boot is not supported. "
-- .ascii "Use a boot loader program instead.\r\n"
-+ .ascii "Use a boot loader.\r\n"
- .ascii "\n"
-- .ascii "Remove disk and press any key to reboot ...\r\n"
-+ .ascii "Remove disk and press any key to reboot...\r\n"
- .byte 0
-
- #ifdef CONFIG_EFI_STUB
-@@ -108,7 +107,7 @@ coff_header:
- #else
- .word 0x8664 # x86-64
- #endif
-- .word 3 # nr_sections
-+ .word 4 # nr_sections
- .long 0 # TimeDateStamp
- .long 0 # PointerToSymbolTable
- .long 1 # NumberOfSymbols
-@@ -250,6 +249,25 @@ section_table:
- .word 0 # NumberOfLineNumbers
- .long 0x60500020 # Characteristics (section flags)
-
-+ #
-+ # The offset & size fields are filled in by build.c.
-+ #
-+ .ascii ".bss"
-+ .byte 0
-+ .byte 0
-+ .byte 0
-+ .byte 0
-+ .long 0
-+ .long 0x0
-+ .long 0 # Size of initialized data
-+ # on disk
-+ .long 0x0
-+ .long 0 # PointerToRelocations
-+ .long 0 # PointerToLineNumbers
-+ .word 0 # NumberOfRelocations
-+ .word 0 # NumberOfLineNumbers
-+ .long 0xc8000080 # Characteristics (section flags)
-+
- #endif /* CONFIG_EFI_STUB */
-
- # Kernel attributes; used by setup. This is part 1 of the
-diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c
-index 1a2f212..a7661c4 100644
---- a/arch/x86/boot/tools/build.c
-+++ b/arch/x86/boot/tools/build.c
-@@ -143,7 +143,7 @@ static void usage(void)
-
- #ifdef CONFIG_EFI_STUB
-
--static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
-+static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset)
- {
- unsigned int pe_header;
- unsigned short num_sections;
-@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
- put_unaligned_le32(size, section + 0x8);
-
- /* section header vma field */
-- put_unaligned_le32(offset, section + 0xc);
-+ put_unaligned_le32(vma, section + 0xc);
-
- /* section header 'size of initialised data' field */
-- put_unaligned_le32(size, section + 0x10);
-+ put_unaligned_le32(datasz, section + 0x10);
-
- /* section header 'file offset' field */
- put_unaligned_le32(offset, section + 0x14);
-@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz
- }
- }
-
-+static void update_pecoff_section_header(char *section_name, u32 offset, u32 size)
-+{
-+ update_pecoff_section_header_fields(section_name, offset, size, size, offset);
-+}
-+
- static void update_pecoff_setup_and_reloc(unsigned int size)
- {
- u32 setup_offset = 0x200;
-@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
-
- pe_header = get_unaligned_le32(&buf[0x3c]);
-
-- /* Size of image */
-- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]);
--
- /*
- * Size of code: Subtract the size of the first sector (512 bytes)
- * which includes the header.
-@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz)
- update_pecoff_section_header(".text", text_start, text_sz);
- }
-
-+static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz)
-+{
-+ unsigned int pe_header;
-+ unsigned int bss_sz = init_sz - file_sz;
-+
-+ pe_header = get_unaligned_le32(&buf[0x3c]);
-+
-+ /* Size of uninitialized data */
-+ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]);
-+
-+ /* Size of image */
-+ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]);
-+
-+ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0);
-+}
-+
- static int reserve_pecoff_reloc_section(int c)
- {
- /* Reserve 0x20 bytes for .reloc section */
-@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void)
- static inline void update_pecoff_setup_and_reloc(unsigned int size) {}
- static inline void update_pecoff_text(unsigned int text_start,
- unsigned int file_sz) {}
-+static inline void update_pecoff_bss(unsigned int file_sz,
-+ unsigned int init_sz) {}
- static inline void efi_stub_defaults(void) {}
- static inline void efi_stub_entry_update(void) {}
-
-@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname)
-
- int main(int argc, char ** argv)
- {
-- unsigned int i, sz, setup_sectors;
-+ unsigned int i, sz, setup_sectors, init_sz;
- int c;
- u32 sys_size;
- struct stat sb;
-@@ -376,7 +396,9 @@ int main(int argc, char ** argv)
- buf[0x1f1] = setup_sectors-1;
- put_unaligned_le32(sys_size, &buf[0x1f4]);
-
-- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz));
-+ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16));
-+ init_sz = get_unaligned_le32(&buf[0x260]);
-+ update_pecoff_bss(i + (sys_size * 16), init_sz);
-
- efi_stub_entry_update();
-
---
-cgit v0.10.1
-
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index 9d404588d..60f60a8b4 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -13,13 +13,13 @@
pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
_basekernel=3.15
-_sublevel=6
+_sublevel=7
_grsecver=3.0
-_timestamp=201407280729
+_timestamp=201407282112
_pkgver=${_basekernel}.${_sublevel}
pkgver=${_basekernel}.${_sublevel}.${_timestamp}
-pkgrel=1
-_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver
+pkgrel=2
+_lxopkgver=${_basekernel}.7 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="https://grsecurity.net/"
license=('GPL2')
@@ -37,23 +37,23 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'Kbuild.platforms'
'boot-logo.patch'
'change-default-console-loglevel.patch'
- '0013-efistub-fix.patch'
+ 'Revert-userns-Allow-unprivileged-users-to-create-use.patch'
'sysctl.conf'
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688'
- '1966964395bd9331843c8d6dacbf661c9061e90c81bf8609d995ed458d57e358'
- '28f31111afab6e7d23c1bf486537c68ef0bb72f90e8504ef7202d6cb85b27cfd'
+ 'ffc3b2c30f38bcdaac32f2236651d1339ef4a9c2a70669938cdc1768440ce5d0'
+ '6f9c45339b6801e7021505c569c47b480fcde1f36aba34b89b3615fec0a59532'
'SKIP'
- '9d926dcaf6ae07359619337ba2e17e36e8b23837b9e423e391f304f21c95de75'
- '5037a8058ee020195d99b7c127d8634e77a281e31fa56c656b7d8661cac63665'
+ '346723e7937fc11550ed341eccd7170b9d7fa04a5c700e3f9f0dafca4333dccc'
+ '2c882c979bc20fab3782357aefddd083d3255832afb8dc76ab0724284d517ffe'
'9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486'
'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b'
'55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9'
'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6'
'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
- '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c'
+ '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754'
'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31'
- '38beb22b3d9f548fff897c0690dad330443ef24e48d414cf8dbc682f40501fab')
+ '78a6e45c598d89475c8e7768e3965d3ab184c067fd6211adca272ac91b8e5e14')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
unset source[${#source[@]}-1]
@@ -85,9 +85,8 @@ prepare() {
# (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227)
patch -p1 -i "${srcdir}/change-default-console-loglevel.patch"
- # fix efistub hang #33745
- # https://git.kernel.org/cgit/linux/kernel/git/mfleming/efi.git/patch/?id=c7fb93ec51d462ec3540a729ba446663c26a0505
- patch -Np1 -i "${srcdir}/0013-efistub-fix.patch"
+ # forbid unprivileged user namespaces
+ patch -p1 -i "$srcdir/Revert-userns-Allow-unprivileged-users-to-create-use.patch"
if [ "$CARCH" == "mips64el" ]; then
sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
diff --git a/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch
new file mode 100644
index 000000000..5713dbb20
--- /dev/null
+++ b/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch
@@ -0,0 +1,41 @@
+From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 13 Nov 2013 10:21:18 -0500
+Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
+ namespaces."
+
+This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
+
+Conflicts:
+ kernel/fork.c
+---
+ kernel/fork.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index f6d11fc..e04c9a7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
+ long nr;
+
+ /*
++ * Do some preliminary argument and permissions checking before we
++ * actually start allocating stuff
++ */
++ if (clone_flags & CLONE_NEWUSER) {
++ /* hopefully this check will go away when userns support is
++ * complete
++ */
++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
++ !capable(CAP_SETGID))
++ return -EPERM;
++ }
++
++ /*
+ * Determine whether and which event to report to ptracer. When
+ * called from kernel_thread or CLONE_UNTRACED is explicitly
+ * requested, no event is reported; otherwise, report if the event
+--
+1.8.3.1
+
diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686
index d0db896c0..b22b7edea 100644
--- a/libre/linux-libre-grsec/config.i686
+++ b/libre/linux-libre-grsec/config.i686
@@ -157,7 +157,7 @@ CONFIG_BLK_CGROUP=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SCHED_AUTOGROUP=y
diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64
index d42ce144f..9392245d8 100644
--- a/libre/linux-libre-grsec/config.x86_64
+++ b/libre/linux-libre-grsec/config.x86_64
@@ -164,7 +164,7 @@ CONFIG_BLK_CGROUP=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
-# CONFIG_USER_NS is not set
+CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_SCHED_AUTOGROUP=y