Diffstat (limited to 'libre')
-rw-r--r--libre/linux-libre-lts/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch19
-rw-r--r--libre/linux-libre-lts/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
-rw-r--r--libre/linux-libre-lts/PKGBUILD19
-rw-r--r--libre/linux-libre-lts/config.armv7h17
-rw-r--r--libre/linux-libre-lts/config.i6869
-rw-r--r--libre/linux-libre-lts/config.x86_6411
6 files changed, 101 insertions, 31 deletions
diff --git a/libre/linux-libre-lts/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/libre/linux-libre-lts/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
index 22e12e4b0..d78d38ade 100644
--- a/libre/linux-libre-lts/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/libre/linux-libre-lts/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -1,7 +1,8 @@
-From 1ce3e84fdf0b56f477d30acdc8797dedd7330e37 Mon Sep 17 00:00:00 2001
+From 96161597803746c97c43e0703ca2a059bdd7a8f7 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@canonical.com>
Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
@@ -13,7 +14,7 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com>
3 files changed, 30 insertions(+)
diff --git a/kernel/fork.c b/kernel/fork.c
-index f0b58479534f..8b2d927125c5 100644
+index 2628f3773ca8..a2da35b446a6 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -103,6 +103,11 @@
@@ -28,7 +29,7 @@ index f0b58479534f..8b2d927125c5 100644
/*
* Minimum number of threads to boot the kernel
-@@ -1649,6 +1654,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1719,6 +1724,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -39,7 +40,7 @@ index f0b58479534f..8b2d927125c5 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2467,6 +2476,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -2554,6 +2563,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -53,10 +54,10 @@ index f0b58479534f..8b2d927125c5 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index cc02050fd0c4..ce2ad2b92897 100644
+index 387efbaf464a..b393beb76f34 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
+@@ -108,6 +108,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
@@ -66,7 +67,7 @@ index cc02050fd0c4..ce2ad2b92897 100644
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -514,6 +517,15 @@ static struct ctl_table kern_table[] = {
+@@ -535,6 +538,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
@@ -97,5 +98,5 @@ index 923414a246e9..6b9dbc257e34 100644
static DEFINE_MUTEX(userns_state_mutex);
--
-2.19.1
+2.22.0
diff --git a/libre/linux-libre-lts/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/libre/linux-libre-lts/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000..7fa619f1c
--- /dev/null
+++ b/libre/linux-libre-lts/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,57 @@
+From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Thu, 7 Dec 2017 13:50:48 +0100
+Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone
+
+This way our default behavior continues to match the vanilla kernel.
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4592bf7997c0..f3df02990aff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1004,6 +1004,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 6b9dbc257e34..107b17f0d528 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -27,7 +27,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.22.0
+
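Review bot: With `default y` here and `CONFIG_USER_NS_UNPRIVILEGED=y` in the config.armv7h, config.i686 and config.x86_64 hunks, `unprivileged_userns_clone` now starts at 1, so unprivileged user-namespace creation is allowed out of the box. The PKGBUILD comment removed in this commit described it as disabled for non-root users by default, and the Kconfig help text added here itself says unprivileged namespaces have been part of several local privilege escalation exploits, so the relaxed default deserves an explicit decision. To keep the hardened default, the three configs would carry `# CONFIG_USER_NS_UNPRIVILEGED is not set`. Otherwise the change should be announced so administrators can set `kernel.unprivileged_userns_clone = 0` through sysctl.d.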
diff --git a/libre/linux-libre-lts/PKGBUILD b/libre/linux-libre-lts/PKGBUILD
index 7a4f613ce..9d950678d 100644
--- a/libre/linux-libre-lts/PKGBUILD
+++ b/libre/linux-libre-lts/PKGBUILD
@@ -11,7 +11,7 @@
pkgbase=linux-libre-lts
_srcbasever=4.19-gnu
-_srcver=4.19.45-gnu
+_srcver=4.19.59-gnu
_replacesarchkernel=('linux%') # '%' gets replaced with _kernelname
_replacesoldkernels=() # '%' gets replaced with _kernelname
@@ -21,7 +21,7 @@ _srcname=linux-${_srcbasever%-*}
_archpkgver=${_srcver%-*}
pkgver=${_srcver//-/_}
pkgrel=1
-rcnrel=armv7-x32
+rcnrel=armv7-x35
arch=('x86_64' 'i686' 'armv7h')
url='https://linux-libre.fsfla.org/'
license=('GPL2')
@@ -50,6 +50,7 @@ source=(
0001-usb-serial-gadget-no-TTY-hangup-on-USB-disconnect-WI.patch
0002-fix-Atmel-maXTouch-touchscreen-support.patch
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
)
validpgpkeys=(
'474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
@@ -57,7 +58,7 @@ validpgpkeys=(
)
sha512sums=('5bc800b3beff43a8c15bd5515f4e0babe2beb5fa600491b7b37110e22d9b739d293f1e38753ed681be289c51390e0e64b3e60ce0db0a3bfe1f94ee5c014579a3'
'SKIP'
- 'aa6a15041403f9c7769882e5b708dde0a0be98840c7cd5d1496cbbb3774855a5fa50a58ebe9a684c3c688127c2aba660f9a70a66f977904126e73daabf9fb96b'
+ '3eda5e39556157dbbe11f4577d471070fe32bf079b2c0057ecdfc0e4d1c7a45c4b1376ddbc6a859293a580e57499ac76e1f8fa46b76fd663fcc7b27245594790'
'SKIP'
'13cb5bc42542e7b8bb104d5f68253f6609e463b6799800418af33eb0272cc269aaa36163c3e6f0aacbdaaa1d05e2827a4a7c4a08a029238439ed08b89c564bb3'
'SKIP'
@@ -65,9 +66,9 @@ sha512sums=('5bc800b3beff43a8c15bd5515f4e0babe2beb5fa600491b7b37110e22d9b739d293
'SKIP'
'267295aa0cea65684968420c68b32f1a66a22d018b9d2b2c1ef14267bcf4cb68aaf7099d073cbfefe6c25c8608bdcbbd45f7ac8893fdcecbf1e621abdfe9ecc1'
'SKIP'
- '99aabd2645a44a9f83367f130b844d196804414afdab7a7e88d1f475ac0f1ed2de418e5426b1a9a15d09534ab27fbe77b5cb4d775924e7faf953ef3bb50dccde'
- 'd6eabaf73d7f1532a5eac03cde8e7f73c9adf5abb1fe5708b7cda3e2f09bb7fb8f705a3de47b871d918f26b8dd977f2c6357e573550bd8748eeb44edac211721'
- 'ea2c425942ebd88fe2271cd1563488f8669d9bda5468739a0299a8572b4a4af98497b4a837b3d01d4ee24a7134675d78d4a2211235bd1843cc9926a140e3850a'
+ '73884f92076aed6211184c58a5834083137638d605b7dcfa5cf82caf62fcdf41dfa21f1a4906a3d354ad7ef4bee62c8a2fa68879f6ebb76ade339aca9957b4cc'
+ 'fad4de15397bb28cf26800d0a2d907a46d3efd978af3c253f098d4fbd4f83c08c14af55b4057e67acb986e60a9498f0e2360ec9b049ee72819fc124be9c9fb00'
+ '309fead206abf03dd4832f720108974ecc935b376fab6fca0c1d9197aea44bf074348768ae469c82d30b388678b72017db5e4aebac0f2a85f8691bbf13fd00e7'
'7ad5be75ee422dda3b80edd2eb614d8a9181e2c8228cd68b3881e2fb95953bf2dea6cbe7900ce1013c9de89b2802574b7b24869fc5d7a95d3cc3112c4d27063a'
'4a8b324aee4cccf3a512ad04ce1a272d14e5b05c8de90feb82075f55ea3845948d817e1b0c6f298f5816834ddd3e5ce0a0e2619866289f3c1ab8fd2f35f04f44'
'2dc6b0ba8f7dbf19d2446c5c5f1823587de89f4e28e9595937dd51a87755099656f2acec50e3e2546ea633ad1bfd1c722e0c2b91eef1d609103d8abdc0a7cbaf'
@@ -84,7 +85,8 @@ sha512sums=('5bc800b3beff43a8c15bd5515f4e0babe2beb5fa600491b7b37110e22d9b739d293
'a123747792417d3760ca40d7f913c2cdd194da2ea5778352eedebc80097b7b8dce4428a8fe8bd75cab92972f599c25bcf18a740856fc2990351234b0d7ebf9f5'
'02af4dd2a007e41db0c63822c8ab3b80b5d25646af1906dc85d0ad9bb8bbf5236f8e381d7f91cf99ed4b0978c50aee37cb9567cdeef65b7ec3d91b882852b1af'
'b8fe56e14006ab866970ddbd501c054ae37186ddc065bb869cf7d18db8c0d455118d5bda3255fb66a0dde38b544655cfe9040ffe46e41d19830b47959b2fb168'
- 'ba561ef861c56002de25ec6f63211e758f3d26eaa7ff0e4a16ffd096d5fe7019d9df343658adc0535684303888d022aa816fc0b282da27ac1ca29dfc0b0e2be0')
+ 'ded54d11289f9080995c81446d377052b528e99ff119c163031153c5af2e3bb92c3879c225d1b7ecb76d2c9ea45e002b21eae304f0f702facd6f9f75941fcbcb'
+ '9b0fb3d51b4c1ef576eb1bae59d1508c483aa0e46ecfeb7b55028b0c7ce6b3a309f377decfd3a94ac68b944c7b8724a4b3927e396bc5c7f16b3624c103194bd7')
_kernelname=${pkgbase#linux-libre}
_replacesarchkernel=("${_replacesarchkernel[@]/\%/${_kernelname}}")
@@ -133,8 +135,9 @@ prepare() {
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
- # disable USER_NS for non-root users by default
+ # allow disabling USER_NS via sysctl
patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ patch -Np1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
# maintain the TTY over USB disconnects
# http://www.coreboot.org/EHCI_Gadget_Debug
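Review bot: The new comment `# allow disabling USER_NS via sysctl` overstates what the sysctl does. Per the Kconfig text added by the 0002 patch, it only governs whether unprivileged users may create user namespaces; USER_NS itself stays built in. Suggested wording: `# add kernel.unprivileged_userns_clone sysctl; unprivileged user namespaces stay allowed unless it is set to 0`. prepare() starts and ends outside this hunk.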
diff --git a/libre/linux-libre-lts/config.armv7h b/libre/linux-libre-lts/config.armv7h
index ed813a4d7..c1b27d000 100644
--- a/libre/linux-libre-lts/config.armv7h
+++ b/libre/linux-libre-lts/config.armv7h
@@ -1,14 +1,15 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 4.19.25-gnu Kernel Configuration
+# Linux/arm 4.19.59-gnu Kernel Configuration
#
#
-# Compiler: gcc (GCC) 8.2.0
+# Compiler: gcc (GCC) 9.1.0
#
CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=80200
+CONFIG_GCC_VERSION=90100
CONFIG_CLANG_VERSION=0
+CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_EXTABLE_SORT=y
@@ -51,6 +52,7 @@ CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_GENERIC_IRQ_SHOW=y
CONFIG_GENERIC_IRQ_SHOW_LEVEL=y
CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK=y
+CONFIG_GENERIC_IRQ_MIGRATION=y
CONFIG_HARDIRQS_SW_RESEND=y
CONFIG_GENERIC_IRQ_CHIP=y
CONFIG_IRQ_DOMAIN=y
@@ -140,6 +142,7 @@ CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_CHECKPOINT_RESTORE is not set
@@ -335,7 +338,6 @@ CONFIG_PLAT_SAMSUNG=y
#
# Power management
#
-# CONFIG_SAMSUNG_PM_CHECK is not set
# CONFIG_ARCH_HIGHBANK is not set
# CONFIG_ARCH_HISI is not set
CONFIG_ARCH_MXC=y
@@ -2989,7 +2991,7 @@ CONFIG_LED_TRIGGER_PHY=y
CONFIG_SFP=m
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-CONFIG_ASIX_PHY=m
+# CONFIG_AX88796B_PHY is not set
CONFIG_AT803X_PHY=m
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -3616,6 +3618,7 @@ CONFIG_UNIX98_PTYS=y
CONFIG_NOZOMI=m
CONFIG_N_GSM=m
# CONFIG_TRACE_SINK is not set
+CONFIG_LDISC_AUTOLOAD=y
CONFIG_DEVMEM=y
CONFIG_DEVKMEM=y
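Review bot: `CONFIG_LDISC_AUTOLOAD=y` accepts the compatibility default, which lets any process holding a tty trigger on-demand loading of line-discipline modules such as the `CONFIG_N_GSM=m` one visible in this hunk's context. As far as I know, turning the option off makes `dev.tty.ldisc_autoload` default to 0, so loading then requires CAP_SYS_MODULE. If no packaged software depends on unprivileged autoload, `# CONFIG_LDISC_AUTOLOAD is not set` reduces reachable kernel attack surface, and the sysctl can still re-enable it per system. The i686 and x86_64 hunks in this commit do not show the option, so their value should be checked for consistency.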
@@ -3708,7 +3711,6 @@ CONFIG_HW_RANDOM_IMX_RNGC=m
CONFIG_HW_RANDOM_MESON=m
CONFIG_HW_RANDOM_EXYNOS=m
CONFIG_HW_RANDOM_KEYSTONE=m
-# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set
# CONFIG_RAW_DRIVER is not set
CONFIG_TCG_TPM=m
@@ -5414,6 +5416,7 @@ CONFIG_DRM_MALI_DISPLAY=m
# AMD Library routines
#
CONFIG_DRM_NOUVEAU=m
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y
CONFIG_NOUVEAU_PLATFORM_DRIVER=y
CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
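Review bot: `CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y` (also added in the config.i686 and config.x86_64 hunks) keeps the legacy DRM context ioctls reachable for nouveau. To my knowledge the option exists only for uapi compatibility with a very old nouveau DDX, and it appears to have been added upstream precisely so that distributions can switch that interface off. Unless a supported userspace still needs it, `# CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set` would be the safer choice; if it is kept, a one-line rationale in the commit message would help.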
@@ -5890,8 +5893,8 @@ CONFIG_SND_SOC_FSL_UTILS=m
CONFIG_SND_SOC_IMX_PCM_DMA=m
CONFIG_SND_SOC_IMX_AUDMUX=m
CONFIG_SND_IMX_SOC=m
-CONFIG_SND_SOC_IMX_SSI=m
CONFIG_SND_SOC_IMX_PCM_FIQ=m
+CONFIG_SND_SOC_IMX_SSI=m
#
# SoC Audio support for Freescale i.MX boards:
diff --git a/libre/linux-libre-lts/config.i686 b/libre/linux-libre-lts/config.i686
index b8801674e..7f55d595b 100644
--- a/libre/linux-libre-lts/config.i686
+++ b/libre/linux-libre-lts/config.i686
@@ -1,14 +1,15 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.44-gnu Kernel Configuration
+# Linux/x86 4.19.59-gnu Kernel Configuration
#
#
-# Compiler: gcc (GCC) 8.3.0
+# Compiler: gcc (GCC) 9.1.0
#
CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=80300
+CONFIG_GCC_VERSION=90100
CONFIG_CLANG_VERSION=0
+CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_EXTABLE_SORT=y
CONFIG_THREAD_INFO_IN_TASK=y
@@ -152,6 +153,7 @@ CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_CHECKPOINT_RESTORE is not set
@@ -5938,6 +5940,7 @@ CONFIG_CHASH=m
# CONFIG_CHASH_STATS is not set
# CONFIG_CHASH_SELFTEST is not set
CONFIG_DRM_NOUVEAU=m
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y
CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
# CONFIG_NOUVEAU_DEBUG_MMU is not set
diff --git a/libre/linux-libre-lts/config.x86_64 b/libre/linux-libre-lts/config.x86_64
index 94000faae..3ec5b7830 100644
--- a/libre/linux-libre-lts/config.x86_64
+++ b/libre/linux-libre-lts/config.x86_64
@@ -1,14 +1,15 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.44-gnu Kernel Configuration
+# Linux/x86 4.19.59-gnu Kernel Configuration
#
#
-# Compiler: gcc (GCC) 8.3.0
+# Compiler: gcc (GCC) 9.1.0
#
CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=80300
+CONFIG_GCC_VERSION=90100
CONFIG_CLANG_VERSION=0
+CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_EXTABLE_SORT=y
CONFIG_THREAD_INFO_IN_TASK=y
@@ -158,6 +159,7 @@ CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
+CONFIG_USER_NS_UNPRIVILEGED=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
# CONFIG_CHECKPOINT_RESTORE is not set
@@ -3169,7 +3171,7 @@ CONFIG_LED_TRIGGER_PHY=y
CONFIG_SFP=m
CONFIG_AMD_PHY=m
CONFIG_AQUANTIA_PHY=m
-CONFIG_ASIX_PHY=m
+CONFIG_AX88796B_PHY=m
CONFIG_AT803X_PHY=m
CONFIG_BCM7XXX_PHY=m
CONFIG_BCM87XX_PHY=m
@@ -5908,6 +5910,7 @@ CONFIG_CHASH=m
# CONFIG_CHASH_STATS is not set
# CONFIG_CHASH_SELFTEST is not set
CONFIG_DRM_NOUVEAU=m
+CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y
CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
# CONFIG_NOUVEAU_DEBUG_MMU is not set