Commit 99142aea authored by Natanael Copa's avatar Natanael Copa
Browse files

main/linux-grsec: upgrade to grsecurity-2.9.1-3.9.8-201306302052

parent 3b6b41b9
......@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
pkgrel=0
pkgrel=1
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
......@@ -17,7 +17,7 @@ _config=${config:-kernelconfig.${CARCH}}
install=
source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
http://ftp.kernel.org/pub/linux/kernel/v3.x/patch-$pkgver.xz
grsecurity-2.9.1-3.9.8-201306272057.patch
grsecurity-2.9.1-3.9.8-201306302052.patch
0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
......@@ -150,7 +150,7 @@ dev() {
md5sums="4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz
c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz
53d60133a86b812060b048275f928041 grsecurity-2.9.1-3.9.8-201306272057.patch
647f77555169969b4245c62c0fd0f1ab grsecurity-2.9.1-3.9.8-201306302052.patch
a16f11b12381efb3bec79b9bfb329836 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
656ae7b10dd2f18dbfa1011041d08d60 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
aa454ffb96428586447775c21449e284 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -161,7 +161,7 @@ d89089b3c7eb94dd9f65cf8a357fc36d kernelconfig.x86
eb147f09fef5996a488c247790205cd6 kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
2eda9068e81269467e3c247f3343a146731fc45284b12b4bc546bc44dbb263e7 patch-3.9.8.xz
587022b1fc72157e43011551404c7d664dcc3b6c95b72a853ef2ce721e474057 grsecurity-2.9.1-3.9.8-201306272057.patch
b111346072b7907d3a284f12a08c490cbfe35592537bc59442014c95080c3a33 grsecurity-2.9.1-3.9.8-201306302052.patch
6af3757ac36a6cd3cda7b0a71b08143726383b19261294a569ad7f4042c72df3 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
dc8e82108615657f1fb9d641efd42255a5761c06edde1b00a41ae0d314d548f0 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
0985caa0f3ee8ed0959aeaa4214f5f8057ae8e61d50dcae39194912d31e14892 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......@@ -172,7 +172,7 @@ de3c17420664ae4e52826c6e602aade0deeae94f72253f85b3e48771491ed5d6 kernelconfig.x
e1cce320f207cc2ba72b9d154c7060c8cbed52c664319dfd21f24e8956d0bf3e kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
60b7d694d39faf937e7b732eb3117b8442059c5c8857c9d439eec8a87d5bc185505e64062f5ae02c3512acf5af778caf615c35d3499cb8089a4569c05da65b9c patch-3.9.8.xz
4ca36180a1fc325a558acf73ec9fe3808542498a8f808f73b87a9f6b05ff290d5a5ab20ce39c547a18ce37d093a9857f5c77c495796e62fef986dfa301a9e566 grsecurity-2.9.1-3.9.8-201306272057.patch
81912f5c19b8bc891a1ad8ed57bfe91d79c6c301410eb4ef9e58f57caefba2661d9732b306d695e712fd8e7c9b5bbb67659759fade26f4ec853d9cb96d347df9 grsecurity-2.9.1-3.9.8-201306302052.patch
81e78593288e8b0fd2c03ea9fc1450323887707f087e911f172450a122bc9b591ee83394836789730d951aeec13d0b75a64e1c05f04364abf8f80d883ddc4a02 0001-net-inform-NETDEV_CHANGE-callbacks-which-flags-were-.patch
51ecb15b669f6a82940a13a38939116e003bf5dfd24496771c8279e907b72adcc63d607f0340a2940d757e12ddadb7d45c7af78ae311d284935a6296dbcac00c 0002-arp-flush-arp-cache-on-IFF_NOARP-change.patch
57d0a8bd35d19cf657ded58efe24517d2252aec6984040713ba173a34edb5887ececaa2985076bc6a149eaa57639fd98a042c1c2d226ed4ad8dd5ed0e230717e 0003-ipv4-properly-refresh-rtable-entries-on-pmtu-redirec.patch
......
......@@ -2312,7 +2312,7 @@ index 60d3b73..d27ee09 100644
EXPORT_SYMBOL(__get_user_1);
EXPORT_SYMBOL(__get_user_2);
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 0f82098..3dbd3ee 100644
index 0f82098..fb3d3d5 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -47,6 +47,87 @@
......@@ -2484,7 +2484,7 @@ index 0f82098..3dbd3ee 100644
THUMB( str sp, [ip], #4 )
THUMB( str lr, [ip], #4 )
-#ifdef CONFIG_CPU_USE_DOMAINS
+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
ldr r6, [r2, #TI_CPU_DOMAIN]
#endif
set_tls r3, r4, r5
......@@ -2493,7 +2493,7 @@ index 0f82098..3dbd3ee 100644
ldr r7, [r7, #TSK_STACK_CANARY]
#endif
-#ifdef CONFIG_CPU_USE_DOMAINS
+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC)
+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
mcr p15, 0, r6, c3, c0, 0 @ Set domain register
#endif
mov r5, r0
......@@ -50560,7 +50560,7 @@ index 6a16053..2155147 100644
return rc;
}
diff --git a/fs/exec.c b/fs/exec.c
index 6d56ff2..3bc6638 100644
index 6d56ff2..f65b4ca 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -55,8 +55,20 @@
......@@ -50862,7 +50862,37 @@ index 6d56ff2..3bc6638 100644
set_fs(old_fs);
return result;
}
@@ -1250,7 +1325,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
@@ -1136,13 +1211,6 @@ void setup_new_exec(struct linux_binprm * bprm)
set_dumpable(current->mm, suid_dumpable);
}
- /*
- * Flush performance counters when crossing a
- * security domain:
- */
- if (!get_dumpable(current->mm))
- perf_event_exit_task(current);
-
/* An exec changes our domain. We are no longer part of the thread
group */
@@ -1206,6 +1274,15 @@ void install_exec_creds(struct linux_binprm *bprm)
commit_creds(bprm->cred);
bprm->cred = NULL;
+
+ /*
+ * Disable monitoring for regular users
+ * when executing setuid binaries. Must
+ * wait until new credentials are committed
+ * by commit_creds() above
+ */
+ if (get_dumpable(current->mm) != SUID_DUMP_USER)
+ perf_event_exit_task(current);
/*
* cred_guard_mutex must be held at least to this point to prevent
* ptrace_attach() from altering our determination of the task's
@@ -1250,7 +1327,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
}
rcu_read_unlock();
......@@ -50871,7 +50901,7 @@ index 6d56ff2..3bc6638 100644
bprm->unsafe |= LSM_UNSAFE_SHARE;
} else {
res = -EAGAIN;
@@ -1450,6 +1525,31 @@ int search_binary_handler(struct linux_binprm *bprm)
@@ -1450,6 +1527,31 @@ int search_binary_handler(struct linux_binprm *bprm)
EXPORT_SYMBOL(search_binary_handler);
......@@ -50903,7 +50933,7 @@ index 6d56ff2..3bc6638 100644
/*
* sys_execve() executes a new program.
*/
@@ -1457,6 +1557,11 @@ static int do_execve_common(const char *filename,
@@ -1457,6 +1559,11 @@ static int do_execve_common(const char *filename,
struct user_arg_ptr argv,
struct user_arg_ptr envp)
{
......@@ -50915,7 +50945,7 @@ index 6d56ff2..3bc6638 100644
struct linux_binprm *bprm;
struct file *file;
struct files_struct *displaced;
@@ -1464,6 +1569,8 @@ static int do_execve_common(const char *filename,
@@ -1464,6 +1571,8 @@ static int do_execve_common(const char *filename,
int retval;
const struct cred *cred = current_cred();
......@@ -50924,7 +50954,7 @@ index 6d56ff2..3bc6638 100644
/*
* We move the actual failure in case of RLIMIT_NPROC excess from
* set*uid() to execve() because too many poorly written programs
@@ -1504,12 +1611,27 @@ static int do_execve_common(const char *filename,
@@ -1504,12 +1613,27 @@ static int do_execve_common(const char *filename,
if (IS_ERR(file))
goto out_unmark;
......@@ -50952,7 +50982,7 @@ index 6d56ff2..3bc6638 100644
retval = bprm_mm_init(bprm);
if (retval)
goto out_file;
@@ -1526,24 +1648,65 @@ static int do_execve_common(const char *filename,
@@ -1526,24 +1650,65 @@ static int do_execve_common(const char *filename,
if (retval < 0)
goto out;
......@@ -51022,7 +51052,7 @@ index 6d56ff2..3bc6638 100644
current->fs->in_exec = 0;
current->in_execve = 0;
acct_update_integrals(current);
@@ -1552,6 +1715,14 @@ static int do_execve_common(const char *filename,
@@ -1552,6 +1717,14 @@ static int do_execve_common(const char *filename,
put_files_struct(displaced);
return retval;
......@@ -51037,7 +51067,7 @@ index 6d56ff2..3bc6638 100644
out:
if (bprm->mm) {
acct_arg_size(bprm, 0);
@@ -1700,3 +1871,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
@@ -1700,3 +1873,283 @@ asmlinkage long compat_sys_execve(const char __user * filename,
return error;
}
#endif
......@@ -56758,6 +56788,67 @@ index 69d4889..a810bd4 100644
{
if (sbi->s_bytesex == BYTESEX_PDP)
return PDP_swab((__force __u32)n);
diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index de08c92f..732cd63 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -364,6 +364,24 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
*/
return 0;
+ if (file->f_version == 0) {
+ /*
+ * The file was seek'ed, which means that @file->private_data
+ * is now invalid. This may also be just the first
+ * 'ubifs_readdir()' invocation, in which case
+ * @file->private_data is NULL, and the below code is
+ * basically a no-op.
+ */
+ kfree(file->private_data);
+ file->private_data = NULL;
+ }
+
+ /*
+ * 'generic_file_llseek()' unconditionally sets @file->f_version to
+ * zero, and we use this for detecting whether the file was seek'ed.
+ */
+ file->f_version = 1;
+
/* File positions 0 and 1 correspond to "." and ".." */
if (file->f_pos == 0) {
ubifs_assert(!file->private_data);
@@ -438,6 +456,14 @@ static int ubifs_readdir(struct file *file, void *dirent, filldir_t filldir)
file->f_pos = key_hash_flash(c, &dent->key);
file->private_data = dent;
cond_resched();
+
+ if (file->f_version == 0)
+ /*
+ * The file was seek'ed meanwhile, lets return and start
+ * reading direntries from the new position on the next
+ * invocation.
+ */
+ return 0;
}
out:
@@ -448,15 +474,13 @@ out:
kfree(file->private_data);
file->private_data = NULL;
+ /* 2 is a special value indicating that there are no more direntries */
file->f_pos = 2;
return 0;
}
-/* If a directory is seeked, we have to free saved readdir() state */
static loff_t ubifs_dir_llseek(struct file *file, loff_t offset, int whence)
{
- kfree(file->private_data);
- file->private_data = NULL;
return generic_file_llseek(file, offset, whence);
}
diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index e18b988..f1d4ad0f 100644
--- a/fs/ubifs/io.c
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment