author | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-06-11 22:29:54 -0300 |
---|---|---|
committer | André Fabian Silva Delgado <emulatorman@parabola.nu> | 2014-06-11 22:29:54 -0300 |
commit | 721160f8acc254448e3c9cc6b533ec2e183867d6 (patch) | |
tree | bb2ddb1423223776140e7d7ac1e740ead5ca8e1a | |
parent | 67320d963187273bd845a938a64460c3ee0b34ec (diff) |
linux-libre-grsec-3.14.6.201406101411-1: updating version
* enable chroot_enforce_chdir by default
* reword chroot restrictions comment
8 files changed, 17 insertions, 181 deletions
diff --git a/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch b/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch deleted file mode 100644 index 74283b57c..000000000 --- a/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 71d4f3022d1f625d94187f7cda682d2233a692d8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Thomas=20B=C3=A4chler?= <thomas@archlinux.org> -Date: Thu, 3 Apr 2014 23:59:49 +0200 -Subject: [PATCH 05/10] Revert "Bluetooth: Enable autosuspend for Intel - Bluetooth device" - -This reverts commit d2bee8fb6e18f6116aada39851918473761f7ab1. - -USB autosuspend still breaks on some xhci controllers, so disable -it by default as long as no solution is found. ---- - drivers/bluetooth/btusb.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index baeaaed..6d6e09e 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -1478,10 +1478,8 @@ static int btusb_probe(struct usb_interface *intf, - if (id->driver_info & BTUSB_BCM92035) - hdev->setup = btusb_setup_bcm92035; - -- if (id->driver_info & BTUSB_INTEL) { -- usb_enable_autosuspend(data->udev); -+ if (id->driver_info & BTUSB_INTEL) - hdev->setup = btusb_setup_intel; -- } - - /* Interface numbers are hardcoded in the specification */ - data->isoc = usb_ifnum_to_if(data->udev, 1); --- -1.9.2 - diff --git a/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch b/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch deleted file mode 100644 index 7f18091a4..000000000 --- a/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 784c4f0b18f89922ddc0fe21e5ec64cc370bb3f2 Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Wed, 19 Mar 2014 18:36:39 +0100 -Subject: [PATCH 10/10] iwlwifi: mvm: delay enabling smart FIFO until after - beacon RX - -If we have no beacon data before association, delay smart FIFO -enablement until after we have this data. - -Not doing so can cause association failures in extremely silent -environments (usually only a shielded box/room) as beacon RX is -not sent to the host immediately, and then the association time -event ends without the host receiving any beacon even though it -was on the air - it's just stuck on the FIFO. - -Cc: <stable@vger.kernel.org> [3.14] -Signed-off-by: Johannes Berg <johannes.berg@intel.com> -Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> ---- - drivers/net/wireless/iwlwifi/mvm/mac80211.c | 1 + - drivers/net/wireless/iwlwifi/mvm/sf.c | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -index c35b866..45e861e 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c -@@ -971,6 +971,7 @@ static void iwl_mvm_bss_info_changed_station(struct iwl_mvm *mvm, - */ - iwl_mvm_remove_time_event(mvm, mvmvif, - &mvmvif->time_event_data); -+ iwl_mvm_sf_update(mvm, vif, false); - } else if (changes & (BSS_CHANGED_PS | BSS_CHANGED_P2P_PS | - BSS_CHANGED_QOS)) { - ret = iwl_mvm_power_update_mode(mvm, vif); -diff --git a/drivers/net/wireless/iwlwifi/mvm/sf.c b/drivers/net/wireless/iwlwifi/mvm/sf.c -index 8401627..88809b2 100644 ---- a/drivers/net/wireless/iwlwifi/mvm/sf.c -+++ b/drivers/net/wireless/iwlwifi/mvm/sf.c -@@ -274,7 +274,8 @@ int iwl_mvm_sf_update(struct iwl_mvm *mvm, struct ieee80211_vif *changed_vif, - return -EINVAL; - if (changed_vif->type != NL80211_IFTYPE_STATION) { - new_state = SF_UNINIT; -- } else if 
(changed_vif->bss_conf.assoc) { -+ } else if (changed_vif->bss_conf.assoc && -+ changed_vif->bss_conf.dtim_period) { - mvmvif = iwl_mvm_vif_from_mac80211(changed_vif); - sta_id = mvmvif->ap_sta_id; - new_state = SF_FULL_ON; --- -1.9.2 - diff --git a/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch b/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch deleted file mode 100644 index b597595c6..000000000 --- a/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c -index 8034706..e01ea4a 100644 ---- a/fs/kernfs/file.c -+++ b/fs/kernfs/file.c -@@ -484,6 +484,8 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma) - - ops = kernfs_ops(of->kn); - rc = ops->mmap(of, vma); -+ if (rc) -+ goto out_put; - - /* - * PowerPC's pci_mmap of legacy_mem uses shmem_zero_setup() diff --git a/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch b/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch deleted file mode 100644 index 82dd2be25..000000000 --- a/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -@@ -, +, @@ - acpi_tb_parse_root_table(). - Commit: 671cc68dc61f029d44b43a681356078e02d8dab8 - Subject: ACPICA: Back port and refine validation of the XSDT root table. ---- - drivers/acpi/acpica/tbutils.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) ---- a/drivers/acpi/acpica/tbutils.c -+++ a/drivers/acpi/acpica/tbutils.c -@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address) - u32 table_count; - struct acpi_table_header *table; - acpi_physical_address address; -+ acpi_physical_address rsdt_address; - u32 length; - u8 *table_entry; - acpi_status status; -@@ -488,11 +489,13 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address) - * as per the ACPI specification. - */ - address = (acpi_physical_address) rsdp->xsdt_physical_address; -+ rsdt_address = (acpi_physical_address) rsdp->rsdt_physical_address; - table_entry_size = ACPI_XSDT_ENTRY_SIZE; - } else { - /* Root table is an RSDT (32-bit physical addresses) */ - - address = (acpi_physical_address) rsdp->rsdt_physical_address; -+ rsdt_address = address; - table_entry_size = ACPI_RSDT_ENTRY_SIZE; - } - -@@ -515,8 +518,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address) - - /* Fall back to the RSDT */ - -- address = -- (acpi_physical_address) rsdp->rsdt_physical_address; -+ address = rsdt_address; - table_entry_size = ACPI_RSDT_ENTRY_SIZE; - } - } - diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD index b3c73dcef..9fac0ece5 100644 --- a/libre/linux-libre-grsec/PKGBUILD +++ b/libre/linux-libre-grsec/PKGBUILD 
@@ -12,13 +12,13 @@ pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel #pkgbase=linux-libre-custom # Build kernel with a different name _basekernel=3.14 -_sublevel=5 +_sublevel=6 _grsecver=3.0 -_timestamp=201406051310 +_timestamp=201406101411 _pkgver=${_basekernel}.${_sublevel} pkgver=${_basekernel}.${_sublevel}.${_timestamp} pkgrel=1 -_lxopkgver=${_basekernel}.5 # nearly always the same as pkgver +_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="https://grsecurity.net/" license=('GPL2') 
@@ -39,20 +39,16 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn '0001-Bluetooth-allocate-static-minor-for-vhci.patch' '0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch' '0003-module-remove-MODULE_GENERIC_TABLE.patch' - '0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch' '0006-genksyms-fix-typeof-handling.patch' - '0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch' - '0011-kernfs-fix-removed-error-check.patch' '0012-fix-saa7134.patch' - '0015-fix-xsdt-validation.patch' 'sysctl.conf' "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b' - '0bc9acbcc6d5fcabcc133a767c55e3040475e950ef80f866038d4ba0033e78d8' - '4011302ac77541893ff1350f02255b45aa6b3ee5c4cb38581d063152dabb5e5a' + 'ae83fbc10c77ed665f029502c90a458a711f9188216e34a1354073dba31a1b26' + 'abefdcbacb2c78c0de1168915dc26d16e35ec0e6158e0bbbc84fad819b234404' 'SKIP' - 'a82a5b673dae3f1aa8124e91c485cb8648623d560b7543da63fffab2606443d6' - '51e86aeeb4fadbb2ead2b4af115f0bfd04afb83c9959856e3495d704cec55db6' + '670869cdfc522e452332ec953fe860cf1a2974edfe8d0c851fbdba70b6167921' + '64a457c3d7cc4ef530359f2f5132697ab3bf9ea3cb64d13d9dbf68ed66325606' '9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486' 'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b' '55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9' 
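Review bot: The `'SKIP'` entry kept in `sha256sums` leaves one source in this array without a pinned hash, and the two source URLs visible in this hunk are fetched over plain `http://`. If the skipped entry is a detached signature (the usual reason, but the matching source line is outside the hunk), the check only holds when the build verifies it against a pinned key, so declaring the signer's fingerprint in `validpgpkeys=(...)` would make that explicit. Switching the fsfla.org URLs to `https://` where the mirror supports it would additionally protect the download itself, although the pinned hashes already cover the integrity of those files. The `source` and `sha256sums` arrays both continue outside this hunk.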
@@ -61,14 +57,10 @@ sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b' '6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02' '52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29' '65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d' - '3fffb01cf97a5a7ab9601cb277d2468c0fb1e1cceba4225915f3ffae3a5694ec' 'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7' - 'c0af4622f75c89fef62183e18b7d49998228d4eaa906c6accaf4aa4ff0134f85' - '04f44bf5c181d6dc31905937c1bdccb0f5aecaad3a579e99b302502b9cbe0f7a' '79359454c9d8446eb55add2b1cdbf8332bd67dafb01fefb5b1ca090225f64d18' - '384dd13fd4248fd6809da8c6ae29ced55d4a5cacc33ac2ae7522093ec0fb26d4' - 'e734ac2a6e865b70dbe1e55ce55a5bd1b1e0cedea903c6341b9cfbabe420c763' - '4f1db7c68dbff6d80258de4074af46b989cedcda175776b567cd4658b33c9f99') + '763f9323cdefc9ddf74ffeffd856f9eaec4d8d4ef702c88ee1aab429c2d0b389' + 'ce3b8b43ff2650eab53cb790c403392358dad7461c512d4f9c43c523e42f6643') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. unset source[${#source[@]}-1] 
@@ -107,33 +99,15 @@ prepare() { patch -p1 -i "${srcdir}/0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch" patch -p1 -i "${srcdir}/0003-module-remove-MODULE_GENERIC_TABLE.patch" - # Disable usb autosuspend for intel btusb - # See http://www.spinics.net/lists/kernel/msg1716461.html - # Until a solution is found, make sure the driver leaves autosuspend alone - patch -p1 -i "${srcdir}/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch" - # Fix generation of symbol CRCs # http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18 patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch" - # https://git.kernel.org/cgit/linux/kernel/git/iwlwifi/iwlwifi-fixes.git/commit/?id=12f853a89e29f50b17698e17e73c328a35f1498d - # FS#39815 - patch -p1 -i "${srcdir}/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch" - - # fix Xorg crash with i810 chipset due to wrong removed error check - # References: http://lkml.kernel.org/g/533D01BD.1010200@googlemail.com - patch -Np1 -i "${srcdir}/0011-kernfs-fix-removed-error-check.patch" - # fix saa7134 video # https://bugs.archlinux.org/task/39904 # https://bugzilla.kernel.org/show_bug.cgi?id=73361 patch -Np1 -i "${srcdir}/0012-fix-saa7134.patch" - # fix xsdt validation bug - # https://bugs.archlinux.org/task/39811 - # https://bugzilla.kernel.org/show_bug.cgi?id=73911 - patch -Np1 -i "${srcdir}/0015-fix-xsdt-validation.patch" - if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686 index 99ccdb5bf..288f1caca 100644 --- a/libre/linux-libre-grsec/config.i686 +++ b/libre/linux-libre-grsec/config.i686 
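Review bot: The four `patch` invocations removed from `prepare()` are dropped together with the comments that linked each one to its bug report, and neither this hunk nor the commit message says why. Presumably the fixes are already contained in 3.14.6 or in the new grsecurity patch, but that cannot be verified from the page; it matters most for `0011-kernfs-fix-removed-error-check.patch` and `0015-fix-xsdt-validation.patch`, which restore an error check and root-table validation. A line in the commit message such as `* drop 0005, 0010, 0011, 0015: merged upstream in 3.14.6` (once confirmed) would record the reason. The same files are removed from the `source` array in the earlier PKGBUILD hunk, and `prepare()` continues outside this hunk.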
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.4.201405281922-1 Kernel Configuration +# Linux/x86 3.14.6.201406101411-1 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -207,6 +207,7 @@ CONFIG_SLUB_DEBUG=y # CONFIG_SLAB is not set CONFIG_SLUB=y CONFIG_SLUB_CPU_PARTIAL=y +# CONFIG_SYSTEM_TRUSTED_KEYRING is not set CONFIG_PROFILING=y CONFIG_TRACEPOINTS=y CONFIG_OPROFILE=m @@ -265,7 +266,6 @@ CONFIG_HAVE_GENERIC_DMA_COHERENT=y CONFIG_SLABINFO=y CONFIG_RT_MUTEXES=y CONFIG_BASE_SMALL=0 -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set CONFIG_MODULES=y CONFIG_MODULE_FORCE_LOAD=y CONFIG_MODULE_UNLOAD=y @@ -523,6 +523,7 @@ CONFIG_PM_CLK=y CONFIG_ACPI=y CONFIG_ACPI_SLEEP=y # CONFIG_ACPI_PROCFS is not set +# CONFIG_ACPI_PROCFS_POWER is not set CONFIG_ACPI_EC_DEBUGFS=m CONFIG_ACPI_AC=m CONFIG_ACPI_BATTERY=m diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64 index 2e13102ee..fc26220ea 100644 --- a/libre/linux-libre-grsec/config.x86_64 +++ b/libre/linux-libre-grsec/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.4.201405281922-1 Kernel Configuration +# Linux/x86 3.14.6.201406101411-1 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -216,6 +216,7 @@ CONFIG_SLUB_DEBUG=y # CONFIG_SLAB is not set CONFIG_SLUB=y CONFIG_SLUB_CPU_PARTIAL=y +# CONFIG_SYSTEM_TRUSTED_KEYRING is not set CONFIG_PROFILING=y CONFIG_TRACEPOINTS=y CONFIG_OPROFILE=m @@ -280,7 +281,6 @@ CONFIG_COMPAT_OLD_SIGACTION=y CONFIG_SLABINFO=y CONFIG_RT_MUTEXES=y CONFIG_BASE_SMALL=0 -# CONFIG_SYSTEM_TRUSTED_KEYRING is not set CONFIG_MODULES=y CONFIG_MODULE_FORCE_LOAD=y CONFIG_MODULE_UNLOAD=y @@ -534,6 +534,7 @@ CONFIG_PM_CLK=y CONFIG_ACPI=y CONFIG_ACPI_SLEEP=y # CONFIG_ACPI_PROCFS is not set +# CONFIG_ACPI_PROCFS_POWER is not set CONFIG_ACPI_EC_DEBUGFS=m CONFIG_ACPI_AC=m CONFIG_ACPI_BATTERY=m 
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf index bef8e350d..ebd4dd574 100644 --- a/libre/linux-libre-grsec/sysctl.conf +++ b/libre/linux-libre-grsec/sysctl.conf @@ -44,7 +44,7 @@ kernel.grsecurity.fifo_restrictions = 1 #kernel.grsecurity.romount_protect = 1 # -# chroot restrictions (these will break containers) +# chroot restrictions (many of these will break containers) # #kernel.grsecurity.chroot_caps = 1 @@ -57,7 +57,7 @@ kernel.grsecurity.fifo_restrictions = 1 #kernel.grsecurity.chroot_deny_shmat = 1 #kernel.grsecurity.chroot_deny_sysctl = 1 #kernel.grsecurity.chroot_deny_unix = 1 -#kernel.grsecurity.chroot_enforce_chdir = 1 +kernel.grsecurity.chroot_enforce_chdir = 1 #kernel.grsecurity.chroot_findtask = 1 #kernel.grsecurity.chroot_restrict_nice = 1 |
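Review bot: `kernel.grsecurity.chroot_enforce_chdir = 1` becomes the only chroot restriction enabled among the lines visible in these hunks, yet nothing next to it explains why this one is safe to turn on while the section header still warns that many of them break containers. A short comment above the line would help, for example `# enabled by default: sets the working directory to the chroot root on chroot(); not expected to break containers`. The sysctl presumably only takes effect on kernels built with grsecurity's sysctl support and the matching chroot option, which the config hunks on this page do not show, so that is worth confirming against the shipped config.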