authorAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-06-11 22:29:54 -0300
committerAndré Fabian Silva Delgado <emulatorman@parabola.nu>2014-06-11 22:29:54 -0300
commit721160f8acc254448e3c9cc6b533ec2e183867d6 (patch)
treebb2ddb1423223776140e7d7ac1e740ead5ca8e1a /libre/linux-libre-grsec
parent67320d963187273bd845a938a64460c3ee0b34ec (diff)
linux-libre-grsec-3.14.6.201406101411-1: updating version
* enable chroot_enforce_chdir by default * reword chroot restrictions comment
Diffstat (limited to 'libre/linux-libre-grsec')
-rw-r--r--libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch33
-rw-r--r--libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch52
-rw-r--r--libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch13
-rw-r--r--libre/linux-libre-grsec/0015-fix-xsdt-validation.patch42
-rw-r--r--libre/linux-libre-grsec/PKGBUILD44
-rw-r--r--libre/linux-libre-grsec/config.i6865
-rw-r--r--libre/linux-libre-grsec/config.x86_645
-rw-r--r--libre/linux-libre-grsec/sysctl.conf4
8 files changed, 17 insertions, 181 deletions
diff --git a/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch b/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch
deleted file mode 100644
index 74283b57c..000000000
--- a/libre/linux-libre-grsec/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 71d4f3022d1f625d94187f7cda682d2233a692d8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Thomas=20B=C3=A4chler?= <thomas@archlinux.org>
-Date: Thu, 3 Apr 2014 23:59:49 +0200
-Subject: [PATCH 05/10] Revert "Bluetooth: Enable autosuspend for Intel
- Bluetooth device"
-
-This reverts commit d2bee8fb6e18f6116aada39851918473761f7ab1.
-
-USB autosuspend still breaks on some xhci controllers, so disable
-it by default as long as no solution is found.
----
- drivers/bluetooth/btusb.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
-index baeaaed..6d6e09e 100644
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -1478,10 +1478,8 @@ static int btusb_probe(struct usb_interface *intf,
- if (id->driver_info & BTUSB_BCM92035)
- hdev->setup = btusb_setup_bcm92035;
-
-- if (id->driver_info & BTUSB_INTEL) {
-- usb_enable_autosuspend(data->udev);
-+ if (id->driver_info & BTUSB_INTEL)
- hdev->setup = btusb_setup_intel;
-- }
-
- /* Interface numbers are hardcoded in the specification */
- data->isoc = usb_ifnum_to_if(data->udev, 1);
---
-1.9.2
-
diff --git a/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch b/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch
deleted file mode 100644
index 7f18091a4..000000000
--- a/libre/linux-libre-grsec/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 784c4f0b18f89922ddc0fe21e5ec64cc370bb3f2 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 19 Mar 2014 18:36:39 +0100
-Subject: [PATCH 10/10] iwlwifi: mvm: delay enabling smart FIFO until after
- beacon RX
-
-If we have no beacon data before association, delay smart FIFO
-enablement until after we have this data.
-
-Not doing so can cause association failures in extremely silent
-environments (usually only a shielded box/room) as beacon RX is
-not sent to the host immediately, and then the association time
-event ends without the host receiving any beacon even though it
-was on the air - it's just stuck on the FIFO.
-
-Cc: <stable@vger.kernel.org> [3.14]
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
----
- drivers/net/wireless/iwlwifi/mvm/mac80211.c | 1 +
- drivers/net/wireless/iwlwifi/mvm/sf.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-index c35b866..45e861e 100644
---- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
-@@ -971,6 +971,7 @@ static void iwl_mvm_bss_info_changed_station(struct iwl_mvm *mvm,
- */
- iwl_mvm_remove_time_event(mvm, mvmvif,
- &mvmvif->time_event_data);
-+ iwl_mvm_sf_update(mvm, vif, false);
- } else if (changes & (BSS_CHANGED_PS | BSS_CHANGED_P2P_PS |
- BSS_CHANGED_QOS)) {
- ret = iwl_mvm_power_update_mode(mvm, vif);
-diff --git a/drivers/net/wireless/iwlwifi/mvm/sf.c b/drivers/net/wireless/iwlwifi/mvm/sf.c
-index 8401627..88809b2 100644
---- a/drivers/net/wireless/iwlwifi/mvm/sf.c
-+++ b/drivers/net/wireless/iwlwifi/mvm/sf.c
-@@ -274,7 +274,8 @@ int iwl_mvm_sf_update(struct iwl_mvm *mvm, struct ieee80211_vif *changed_vif,
- return -EINVAL;
- if (changed_vif->type != NL80211_IFTYPE_STATION) {
- new_state = SF_UNINIT;
-- } else if (changed_vif->bss_conf.assoc) {
-+ } else if (changed_vif->bss_conf.assoc &&
-+ changed_vif->bss_conf.dtim_period) {
- mvmvif = iwl_mvm_vif_from_mac80211(changed_vif);
- sta_id = mvmvif->ap_sta_id;
- new_state = SF_FULL_ON;
---
-1.9.2
-
diff --git a/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch b/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch
deleted file mode 100644
index b597595c6..000000000
--- a/libre/linux-libre-grsec/0011-kernfs-fix-removed-error-check.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
-index 8034706..e01ea4a 100644
---- a/fs/kernfs/file.c
-+++ b/fs/kernfs/file.c
-@@ -484,6 +484,8 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma)
-
- ops = kernfs_ops(of->kn);
- rc = ops->mmap(of, vma);
-+ if (rc)
-+ goto out_put;
-
- /*
- * PowerPC's pci_mmap of legacy_mem uses shmem_zero_setup()
diff --git a/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch b/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch
deleted file mode 100644
index 82dd2be25..000000000
--- a/libre/linux-libre-grsec/0015-fix-xsdt-validation.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-@@ -, +, @@
- acpi_tb_parse_root_table().
- Commit: 671cc68dc61f029d44b43a681356078e02d8dab8
- Subject: ACPICA: Back port and refine validation of the XSDT root table.
----
- drivers/acpi/acpica/tbutils.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
---- a/drivers/acpi/acpica/tbutils.c
-+++ a/drivers/acpi/acpica/tbutils.c
-@@ -461,6 +461,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
- u32 table_count;
- struct acpi_table_header *table;
- acpi_physical_address address;
-+ acpi_physical_address rsdt_address;
- u32 length;
- u8 *table_entry;
- acpi_status status;
-@@ -488,11 +489,13 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
- * as per the ACPI specification.
- */
- address = (acpi_physical_address) rsdp->xsdt_physical_address;
-+ rsdt_address = (acpi_physical_address) rsdp->rsdt_physical_address;
- table_entry_size = ACPI_XSDT_ENTRY_SIZE;
- } else {
- /* Root table is an RSDT (32-bit physical addresses) */
-
- address = (acpi_physical_address) rsdp->rsdt_physical_address;
-+ rsdt_address = address;
- table_entry_size = ACPI_RSDT_ENTRY_SIZE;
- }
-
-@@ -515,8 +518,7 @@ acpi_status __init acpi_tb_parse_root_table(acpi_physical_address rsdp_address)
-
- /* Fall back to the RSDT */
-
-- address =
-- (acpi_physical_address) rsdp->rsdt_physical_address;
-+ address = rsdt_address;
- table_entry_size = ACPI_RSDT_ENTRY_SIZE;
- }
- }
-
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD
index b3c73dcef..9fac0ece5 100644
--- a/libre/linux-libre-grsec/PKGBUILD
+++ b/libre/linux-libre-grsec/PKGBUILD
@@ -12,13 +12,13 @@
pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel
#pkgbase=linux-libre-custom # Build kernel with a different name
_basekernel=3.14
-_sublevel=5
+_sublevel=6
_grsecver=3.0
-_timestamp=201406051310
+_timestamp=201406101411
_pkgver=${_basekernel}.${_sublevel}
pkgver=${_basekernel}.${_sublevel}.${_timestamp}
pkgrel=1
-_lxopkgver=${_basekernel}.5 # nearly always the same as pkgver
+_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver
arch=('i686' 'x86_64' 'mips64el')
url="https://grsecurity.net/"
license=('GPL2')
@@ -39,20 +39,16 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn
'0001-Bluetooth-allocate-static-minor-for-vhci.patch'
'0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch'
'0003-module-remove-MODULE_GENERIC_TABLE.patch'
- '0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch'
'0006-genksyms-fix-typeof-handling.patch'
- '0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch'
- '0011-kernfs-fix-removed-error-check.patch'
'0012-fix-saa7134.patch'
- '0015-fix-xsdt-validation.patch'
'sysctl.conf'
"http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz")
sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b'
- '0bc9acbcc6d5fcabcc133a767c55e3040475e950ef80f866038d4ba0033e78d8'
- '4011302ac77541893ff1350f02255b45aa6b3ee5c4cb38581d063152dabb5e5a'
+ 'ae83fbc10c77ed665f029502c90a458a711f9188216e34a1354073dba31a1b26'
+ 'abefdcbacb2c78c0de1168915dc26d16e35ec0e6158e0bbbc84fad819b234404'
'SKIP'
- 'a82a5b673dae3f1aa8124e91c485cb8648623d560b7543da63fffab2606443d6'
- '51e86aeeb4fadbb2ead2b4af115f0bfd04afb83c9959856e3495d704cec55db6'
+ '670869cdfc522e452332ec953fe860cf1a2974edfe8d0c851fbdba70b6167921'
+ '64a457c3d7cc4ef530359f2f5132697ab3bf9ea3cb64d13d9dbf68ed66325606'
'9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486'
'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b'
'55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9'
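Review bot: The `'SKIP'` entry kept as the fourth element of `sha256sums` leaves one source in this array without a pinned hash, while the source URLs visible in this hunk and its header use plain `http://` and so depend entirely on these hashes for integrity. The start of the `source` array is outside the hunk, so which file that entry maps to cannot be read from here. If it is a detached signature, a comment next to it such as `# SKIP: detached signature, checked by makepkg` would make that explicit; otherwise it should carry a real checksum. The four patch names removed here and the four hashes removed in the next hunk line up, so the two arrays appear to stay index-aligned.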
@@ -61,14 +57,10 @@ sha256sums=('477555c709b9407fe37dbd70d3331ff9dde1f9d874aba2741f138d07ae6f281b'
'6d72e14552df59e6310f16c176806c408355951724cd5b48a47bf01591b8be02'
'52dec83a8805a8642d74d764494acda863e0aa23e3d249e80d4b457e20a3fd29'
'65d58f63215ee3c5f9c4fc6bce36fc5311a6c7dbdbe1ad29de40647b47ff9c0d'
- '3fffb01cf97a5a7ab9601cb277d2468c0fb1e1cceba4225915f3ffae3a5694ec'
'cf2e7a2d00787f754028e7459688c2755a406e632ce48b60952fa4ff7ed6f4b7'
- 'c0af4622f75c89fef62183e18b7d49998228d4eaa906c6accaf4aa4ff0134f85'
- '04f44bf5c181d6dc31905937c1bdccb0f5aecaad3a579e99b302502b9cbe0f7a'
'79359454c9d8446eb55add2b1cdbf8332bd67dafb01fefb5b1ca090225f64d18'
- '384dd13fd4248fd6809da8c6ae29ced55d4a5cacc33ac2ae7522093ec0fb26d4'
- 'e734ac2a6e865b70dbe1e55ce55a5bd1b1e0cedea903c6341b9cfbabe420c763'
- '4f1db7c68dbff6d80258de4074af46b989cedcda175776b567cd4658b33c9f99')
+ '763f9323cdefc9ddf74ffeffd856f9eaec4d8d4ef702c88ee1aab429c2d0b389'
+ 'ce3b8b43ff2650eab53cb790c403392358dad7461c512d4f9c43c523e42f6643')
if [ "$CARCH" != "mips64el" ]; then
# don't use the Loongson-specific patches on non-mips64el arches.
unset source[${#source[@]}-1]
@@ -107,33 +99,15 @@ prepare() {
patch -p1 -i "${srcdir}/0002-module-allow-multiple-calls-to-MODULE_DEVICE_TABLE-p.patch"
patch -p1 -i "${srcdir}/0003-module-remove-MODULE_GENERIC_TABLE.patch"
- # Disable usb autosuspend for intel btusb
- # See http://www.spinics.net/lists/kernel/msg1716461.html
- # Until a solution is found, make sure the driver leaves autosuspend alone
- patch -p1 -i "${srcdir}/0005-Revert-Bluetooth-Enable-autosuspend-for-Intel-Blueto.patch"
-
# Fix generation of symbol CRCs
# http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dc53324060f324e8af6867f57bf4891c13c6ef18
patch -p1 -i "${srcdir}/0006-genksyms-fix-typeof-handling.patch"
- # https://git.kernel.org/cgit/linux/kernel/git/iwlwifi/iwlwifi-fixes.git/commit/?id=12f853a89e29f50b17698e17e73c328a35f1498d
- # FS#39815
- patch -p1 -i "${srcdir}/0010-iwlwifi-mvm-delay-enabling-smart-FIFO-until-after-be.patch"
-
- # fix Xorg crash with i810 chipset due to wrong removed error check
- # References: http://lkml.kernel.org/g/533D01BD.1010200@googlemail.com
- patch -Np1 -i "${srcdir}/0011-kernfs-fix-removed-error-check.patch"
-
# fix saa7134 video
# https://bugs.archlinux.org/task/39904
# https://bugzilla.kernel.org/show_bug.cgi?id=73361
patch -Np1 -i "${srcdir}/0012-fix-saa7134.patch"
- # fix xsdt validation bug
- # https://bugs.archlinux.org/task/39811
- # https://bugzilla.kernel.org/show_bug.cgi?id=73911
- patch -Np1 -i "${srcdir}/0015-fix-xsdt-validation.patch"
-
if [ "$CARCH" == "mips64el" ]; then
sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile
sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \
diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686
index 99ccdb5bf..288f1caca 100644
--- a/libre/linux-libre-grsec/config.i686
+++ b/libre/linux-libre-grsec/config.i686
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.14.4.201405281922-1 Kernel Configuration
+# Linux/x86 3.14.6.201406101411-1 Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -207,6 +207,7 @@ CONFIG_SLUB_DEBUG=y
# CONFIG_SLAB is not set
CONFIG_SLUB=y
CONFIG_SLUB_CPU_PARTIAL=y
+# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
CONFIG_PROFILING=y
CONFIG_TRACEPOINTS=y
CONFIG_OPROFILE=m
@@ -265,7 +266,6 @@ CONFIG_HAVE_GENERIC_DMA_COHERENT=y
CONFIG_SLABINFO=y
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
-# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
@@ -523,6 +523,7 @@ CONFIG_PM_CLK=y
CONFIG_ACPI=y
CONFIG_ACPI_SLEEP=y
# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
CONFIG_ACPI_EC_DEBUGFS=m
CONFIG_ACPI_AC=m
CONFIG_ACPI_BATTERY=m
diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64
index 2e13102ee..fc26220ea 100644
--- a/libre/linux-libre-grsec/config.x86_64
+++ b/libre/linux-libre-grsec/config.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.14.4.201405281922-1 Kernel Configuration
+# Linux/x86 3.14.6.201406101411-1 Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -216,6 +216,7 @@ CONFIG_SLUB_DEBUG=y
# CONFIG_SLAB is not set
CONFIG_SLUB=y
CONFIG_SLUB_CPU_PARTIAL=y
+# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
CONFIG_PROFILING=y
CONFIG_TRACEPOINTS=y
CONFIG_OPROFILE=m
@@ -280,7 +281,6 @@ CONFIG_COMPAT_OLD_SIGACTION=y
CONFIG_SLABINFO=y
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
-# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
CONFIG_MODULES=y
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_MODULE_UNLOAD=y
@@ -534,6 +534,7 @@ CONFIG_PM_CLK=y
CONFIG_ACPI=y
CONFIG_ACPI_SLEEP=y
# CONFIG_ACPI_PROCFS is not set
+# CONFIG_ACPI_PROCFS_POWER is not set
CONFIG_ACPI_EC_DEBUGFS=m
CONFIG_ACPI_AC=m
CONFIG_ACPI_BATTERY=m
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
index bef8e350d..ebd4dd574 100644
--- a/libre/linux-libre-grsec/sysctl.conf
+++ b/libre/linux-libre-grsec/sysctl.conf
@@ -44,7 +44,7 @@ kernel.grsecurity.fifo_restrictions = 1
#kernel.grsecurity.romount_protect = 1
#
-# chroot restrictions (these will break containers)
+# chroot restrictions (many of these will break containers)
#
#kernel.grsecurity.chroot_caps = 1
@@ -57,7 +57,7 @@ kernel.grsecurity.fifo_restrictions = 1
#kernel.grsecurity.chroot_deny_shmat = 1
#kernel.grsecurity.chroot_deny_sysctl = 1
#kernel.grsecurity.chroot_deny_unix = 1
-#kernel.grsecurity.chroot_enforce_chdir = 1
+kernel.grsecurity.chroot_enforce_chdir = 1
#kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1
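Review bot: `kernel.grsecurity.chroot_enforce_chdir = 1` becomes the only active entry in a block whose header, reworded in the previous hunk to "many of these will break containers", still reads as a warning against enabling anything here, and nothing records why this one is the exception. A one-line comment above it would capture the intent, for example `# enforce_chdir only sets the working directory to the new root on chroot(); enabled by default`. The sysctl has an effect only if the kernel is built with the matching grsecurity chroot option and sysctl support, which the config.i686 and config.x86_64 hunks in this commit do not show. Whether `kernel.grsecurity.grsec_lock` is set further down the file is not visible here; without it root can change the value back at runtime.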