main/*-grsec: updated grsec kernel to 200908281917

fd16ce47 · Natanael Copa · 8bdd83b2 · fd16ce47 · fd16ce47 · fd16ce47
Commit fd16ce47 authored Aug 31, 2009 by Natanael Copa
7 changed files
--- a/main/dahdi-linux-grsec/APKBUILD
+++ b/main/dahdi-linux-grsec/APKBUILD
@@ -14,7 +14,7 @@ _realname=dahdi-linux

 pkgname=${_realname}-${_flavor}
 pkgver=2.2.0
-pkgrel=9
+pkgrel=10
 pkgdesc="Digium Asterisk Hardware Device Interface drivers"
 url="http://www.asterisk.org"
 license="GPL"

--- a/main/iscsitarget-grsec/APKBUILD
+++ b/main/iscsitarget-grsec/APKBUILD
@@ -15,7 +15,7 @@ if [ -f ../iscsitarget/APKBUILD ]; then
 fi
 pkgname=${_realname}-${_flavor}
 pkgver=${pkgver:-0.4.17}
-pkgrel=8
+pkgrel=9
 pkgdesc="$_flavor kernel modules for iscsitarget"
 url="http://iscsitarget.sourceforge.net/"
 license="GPL-2"

--- a/main/kqemu-grsec/APKBUILD
+++ b/main/kqemu-grsec/APKBUILD
@@ -12,7 +12,7 @@ _abi_release=$pkgver-${_flavor}
 pkgname=${_realname}-${_flavor}
 pkgver=1.4.0_pre1
 _realver=1.4.0pre1
-pkgrel=1
+pkgrel=2
 pkgdesc="$_flavor kernel modules for kemu"
 url="http://www.nongnu.org/qemu/"
 license="GPL"

--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.30.5
 _kernver=2.6.30
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs"
@@ -13,8 +13,7 @@ _config=${config:-kernelconfig}
 install="$pkgname.post-install $pkgname.post-upgrade"
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 	ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
-	grsecurity-2.1.14-2.6.30.5-200908261614.patch
-	linux-nbma-mroute-v4-2.6.30.diff
+	grsecurity-2.1.14-2.6.30.5-200908281917.patch
 	net-next-2.6.git-5ef12d98a19254ee5dc851bd83e214b43ec1f725.patch
 	$_config
 	"
@@ -30,6 +29,7 @@ _prepare() {
 	fi

 	for i in ../*.diff ../*.patch; do
+		[ -f $i ] || continue
 		msg "Applying $i..."
 		patch -p1 -N < $i || return 1
 	done
@@ -112,7 +112,6 @@ dev() {

 md5sums="7a80058a6382e5108cdb5554d1609615  linux-2.6.30.tar.bz2
 47841c7ff5c81a7b349a79f2fa8e9138  patch-2.6.30.5.bz2
-a725c0779f365787127c71810877586d  grsecurity-2.1.14-2.6.30.5-200908261614.patch
-7420c0b1095335990313656b114e1379  linux-nbma-mroute-v4-2.6.30.diff
+dee5a6292fb12018eb3bd3d014f89407  grsecurity-2.1.14-2.6.30.5-200908281917.patch
 ca05fd252783b82e01610e775cf56498  net-next-2.6.git-5ef12d98a19254ee5dc851bd83e214b43ec1f725.patch
 ede34b2613f54cf1eae8f37a61d0e085  kernelconfig"
--- a/main/linux-grsec/grsecurity-2.1.14-2.6.30.5-200908261614.patch
+++ b/main/linux-grsec/grsecurity-2.1.14-2.6.30.5-200908261614.patch
--- a/main/linux-grsec/linux-nbma-mroute-v4-2.6.30.diff
+++ b/main/linux-grsec/linux-nbma-mroute-v4-2.6.30.diff
-diff --git a/include/linux/mroute.h b/include/linux/mroute.h
-index 0d45b4e..406ef6f 100644
--- a/include/linux/mroute.h
-+++ b/include/linux/mroute.h
-@@ -33,7 +33,7 @@
- #define SIOCGETSGCNT	(SIOCPROTOPRIVATE+1)
- #define SIOCGETRPF	(SIOCPROTOPRIVATE+2)
- 
-#define MAXVIFS		32	
-+#define MAXVIFS		256
- typedef unsigned long vifbitmap_t;	/* User mode code depends on this lot */
- typedef unsigned short vifi_t;
- #define ALL_VIFS	((vifi_t)(-1))
-@@ -66,6 +66,7 @@ struct vifctl {
- #define VIFF_TUNNEL	0x1	/* IPIP tunnel */
- #define VIFF_SRCRT	0x2	/* NI */
- #define VIFF_REGISTER	0x4	/* register vif	*/
-+#define VIFF_NBMA	0x10
- 
- /*
-  *	Cache manipulation structures for mrouted and PIMd
-diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
-index 13e9dd3..43c988b 100644
--- a/net/ipv4/ipmr.c
-+++ b/net/ipv4/ipmr.c
-@@ -105,6 +105,31 @@ static struct net_protocol pim_protocol;
- 
- static struct timer_list ipmr_expire_timer;
- 
-+static __be32 ipmr_get_skb_nbma(struct sk_buff *skb)
-+{
-+	union {
-+		char addr[MAX_ADDR_LEN];
-+		__be32 inaddr;
-+	} u;
-+
-+	if (dev_parse_header(skb, u.addr) != 4)
-+		return INADDR_ANY;
-+
-+	return u.inaddr;
-+}
-+
-+static int ip_mr_match_vif_skb(struct vif_device *vif, struct sk_buff *skb)
-+{
-+	if (vif->dev != skb->dev)
-+		return 0;
-+
-+	if (vif->flags & VIFF_NBMA)
-+		return ipmr_get_skb_nbma(skb) == vif->remote;
-+
-+	return 1;
-+}
-+
-+
- /* Service routines creating virtual interfaces: DVMRP tunnels and PIMREG */
- 
- static void ipmr_del_tunnel(struct net_device *dev, struct vifctl *v)
-@@ -470,6 +495,7 @@ static int vif_add(struct net *net, struct vifctl *vifc, int mrtsock)
- 			return err;
- 		}
- 		break;
-+	case VIFF_NBMA:
- 	case 0:
- 		dev = ip_dev_find(net, vifc->vifc_lcl_addr.s_addr);
- 		if (!dev)
-@@ -504,7 +530,7 @@ static int vif_add(struct net *net, struct vifctl *vifc, int mrtsock)
- 	v->pkt_in = 0;
- 	v->pkt_out = 0;
- 	v->link = dev->ifindex;
-	if (v->flags&(VIFF_TUNNEL|VIFF_REGISTER))
-+	if (v->flags&(VIFF_TUNNEL|VIFF_REGISTER|VIFF_NBMA))
- 		v->link = dev->iflink;
- 
- 	/* And finish update writing critical data */
-@@ -1212,12 +1238,15 @@ static inline int ipmr_forward_finish(struct sk_buff *skb)
- {
- 	struct ip_options * opt	= &(IPCB(skb)->opt);
- 
-	IP_INC_STATS_BH(dev_net(skb->dst->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
-+	IP_INC_STATS_BH(dev_net(skb->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
- 
- 	if (unlikely(opt->optlen))
- 		ip_forward_options(skb);
- 
-	return dst_output(skb);
-+	if (skb->dst != NULL)
-+		return dst_output(skb);
-+	else
-+		return dev_queue_xmit(skb);
- }
- 
- /*
-@@ -1230,7 +1259,8 @@ static void ipmr_queue_xmit(struct sk_buff *skb, struct mfc_cache *c, int vifi)
- 	const struct iphdr *iph = ip_hdr(skb);
- 	struct vif_device *vif = &net->ipv4.vif_table[vifi];
- 	struct net_device *dev;
-	struct rtable *rt;
-+	struct net_device *fromdev = skb->dev;
-+	struct rtable *rt = NULL;
- 	int    encap = 0;
- 
- 	if (vif->dev == NULL)
-@@ -1257,6 +1287,19 @@ static void ipmr_queue_xmit(struct sk_buff *skb, struct mfc_cache *c, int vifi)
- 		if (ip_route_output_key(net, &rt, &fl))
- 			goto out_free;
- 		encap = sizeof(struct iphdr);
-+		dev = rt->u.dst.dev;
-+	} else if (vif->flags&VIFF_NBMA) {
-+		/* Fixme, we should take tunnel source address from the
-+		 * tunnel device binding if it exists */
-+		struct flowi fl = { .oif = vif->link,
-+				    .nl_u = { .ip4_u =
-+					      { .daddr = vif->remote,
-+						.tos = RT_TOS(iph->tos) } },
-+				    .proto = IPPROTO_GRE };
-+		if (ip_route_output_key(&init_net, &rt, &fl))
-+			goto out_free;
-+		encap = LL_RESERVED_SPACE(rt->u.dst.dev);
-+		dev = vif->dev;
- 	} else {
- 		struct flowi fl = { .oif = vif->link,
- 				    .nl_u = { .ip4_u =
-@@ -1265,34 +1308,39 @@ static void ipmr_queue_xmit(struct sk_buff *skb, struct mfc_cache *c, int vifi)
- 				    .proto = IPPROTO_IPIP };
- 		if (ip_route_output_key(net, &rt, &fl))
- 			goto out_free;
-+		dev = rt->u.dst.dev;
- 	}
- 
-	dev = rt->u.dst.dev;
-+	if (!(vif->flags & VIFF_NBMA)) {
-+		if (skb->len+encap > dst_mtu(&rt->u.dst) && (ntohs(iph->frag_off) & IP_DF)) {
-+			/* Do not fragment multicasts. Alas, IPv4 does not
-+			   allow to send ICMP, so that packets will disappear
-+			   to blackhole.
-+			*/
- 
-	if (skb->len+encap > dst_mtu(&rt->u.dst) && (ntohs(iph->frag_off) & IP_DF)) {
-		/* Do not fragment multicasts. Alas, IPv4 does not
-		   allow to send ICMP, so that packets will disappear
-		   to blackhole.
-		 */
-
-		IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
-		ip_rt_put(rt);
-		goto out_free;
-+			IP_INC_STATS_BH(dev_net(dev), IPSTATS_MIB_FRAGFAILS);
-+			goto out_free_rt;
-+		}
- 	}
- 
- 	encap += LL_RESERVED_SPACE(dev) + rt->u.dst.header_len;
- 
-	if (skb_cow(skb, encap)) {
-		ip_rt_put(rt);
-		goto out_free;
-	}
-+	if (skb_cow(skb, encap))
-+		goto out_free_rt;
- 
- 	vif->pkt_out++;
- 	vif->bytes_out += skb->len;
- 
- 	dst_release(skb->dst);
-	skb->dst = &rt->u.dst;
-+	if (vif->flags & VIFF_NBMA) {
-+		ip_rt_put(rt);
-+		skb->dst = NULL;
-+		rt = NULL;
-+	} else {
-+		skb->dst = &rt->u.dst;
-+	}
- 	ip_decrease_ttl(ip_hdr(skb));
-+	skb->dev = dev;
- 
- 	/* FIXME: forward and output firewalls used to be called here.
- 	 * What do we do with netfilter? -- RR */
-@@ -1301,6 +1349,10 @@ static void ipmr_queue_xmit(struct sk_buff *skb, struct mfc_cache *c, int vifi)
- 		/* FIXME: extra output firewall step used to be here. --RR */
- 		vif->dev->stats.tx_packets++;
- 		vif->dev->stats.tx_bytes += skb->len;
-+	} else if (vif->flags & VIFF_NBMA) {
-+		if (dev_hard_header(skb, dev, ntohs(skb->protocol),
-+				    &vif->remote, NULL, 4) < 0)
-+			goto out_free_rt;
- 	}
- 
- 	IPCB(skb)->flags |= IPSKB_FORWARDED;
-@@ -1316,21 +1368,30 @@ static void ipmr_queue_xmit(struct sk_buff *skb, struct mfc_cache *c, int vifi)
- 	 * not mrouter) cannot join to more than one interface - it will
- 	 * result in receiving multiple packets.
- 	 */
-	NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev,
-+	NF_HOOK(PF_INET, NF_INET_FORWARD, skb, fromdev, dev,
- 		ipmr_forward_finish);
- 	return;
- 
-+out_free_rt:
-+	if (rt != NULL)
-+		ip_rt_put(rt);
- out_free:
- 	kfree_skb(skb);
- 	return;
- }
- 
-static int ipmr_find_vif(struct net_device *dev)
-+static int ipmr_find_vif(struct net_device *dev, __be32 nbma_origin)
- {
- 	struct net *net = dev_net(dev);
- 	int ct;
- 	for (ct = net->ipv4.maxvif-1; ct >= 0; ct--) {
-		if (net->ipv4.vif_table[ct].dev == dev)
-+		if (net->ipv4.vif_table[ct].dev != dev)
-+			continue;
-+
-+		if (net->ipv4.vif_table[ct].flags & VIFF_NBMA) {
-+			if (net->ipv4.vif_table[ct].remote == nbma_origin)
-+				break;
-+		} else if (nbma_origin == INADDR_ANY)
- 			break;
- 	}
- 	return ct;
-@@ -1351,7 +1412,7 @@ static int ip_mr_forward(struct sk_buff *skb, struct mfc_cache *cache, int local
- 	/*
- 	 * Wrong interface: drop packet and (maybe) send PIM assert.
- 	 */
-	if (net->ipv4.vif_table[vif].dev != skb->dev) {
-+	if (!ip_mr_match_vif_skb(&net->ipv4.vif_table[vif], skb)) {
- 		int true_vifi;
- 
- 		if (skb->rtable->fl.iif == 0) {
-@@ -1370,7 +1431,7 @@ static int ip_mr_forward(struct sk_buff *skb, struct mfc_cache *cache, int local
- 		}
- 
- 		cache->mfc_un.res.wrong_if++;
-		true_vifi = ipmr_find_vif(skb->dev);
-+		true_vifi = ipmr_find_vif(skb->dev, ipmr_get_skb_nbma(skb));
- 
- 		if (true_vifi >= 0 && net->ipv4.mroute_do_assert &&
- 		    /* pimsm uses asserts, when switching from RPT to SPT,
-@@ -1479,7 +1540,7 @@ int ip_mr_input(struct sk_buff *skb)
- 			skb = skb2;
- 		}
- 
-		vif = ipmr_find_vif(skb->dev);
-+		vif = ipmr_find_vif(skb->dev, ipmr_get_skb_nbma(skb));
- 		if (vif >= 0) {
- 			int err = ipmr_cache_unresolved(net, vif, skb);
- 			read_unlock(&mrt_lock);
-@@ -1663,7 +1724,7 @@ int ipmr_get_route(struct net *net,
- 		}
- 
- 		dev = skb->dev;
-		if (dev == NULL || (vif = ipmr_find_vif(dev)) < 0) {
-+		if (dev == NULL || (vif = ipmr_find_vif(dev, INADDR_ANY)) < 0) {
- 			read_unlock(&mrt_lock);
- 			return -ENODEV;
- 		}
--- a/main/xtables-addons-grsec/APKBUILD
+++ b/main/xtables-addons-grsec/APKBUILD
@@ -16,7 +16,7 @@ fi

 pkgname=${_realname}-${_flavor}
 pkgver=${pkgver:-1.17}
-pkgrel=6
+pkgrel=7
 pkgdesc="Iptables extensions kernel modules"
 url="http://xtables-addons.sourceforge.net/"
 license="GPL"