diff options
Diffstat (limited to 'libre')
-rw-r--r-- | libre/linux-libre-grsec/0013-efistub-fix.patch | 177 | ||||
-rw-r--r-- | libre/linux-libre-grsec/PKGBUILD | 33 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.i686 | 11 | ||||
-rw-r--r-- | libre/linux-libre-grsec/config.x86_64 | 9 | ||||
-rw-r--r-- | libre/linux-libre-grsec/linux-libre-grsec.install | 25 |
5 files changed, 207 insertions, 48 deletions
diff --git a/libre/linux-libre-grsec/0013-efistub-fix.patch b/libre/linux-libre-grsec/0013-efistub-fix.patch new file mode 100644 index 000000000..a2da3b63a --- /dev/null +++ b/libre/linux-libre-grsec/0013-efistub-fix.patch @@ -0,0 +1,177 @@ +From c7fb93ec51d462ec3540a729ba446663c26a0505 Mon Sep 17 00:00:00 2001 +From: Michael Brown <mbrown@fensystems.co.uk> +Date: Thu, 10 Jul 2014 12:26:20 +0100 +Subject: x86/efi: Include a .bss section within the PE/COFF headers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The PE/COFF headers currently describe only the initialised-data +portions of the image, and result in no space being allocated for the +uninitialised-data portions. Consequently, the EFI boot stub will end +up overwriting unexpected areas of memory, with unpredictable results. + +Fix by including a .bss section in the PE/COFF headers (functionally +equivalent to the init_size field in the bzImage header). + +Signed-off-by: Michael Brown <mbrown@fensystems.co.uk> +Cc: Thomas Bächler <thomas@archlinux.org> +Cc: Josh Boyer <jwboyer@fedoraproject.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Matt Fleming <matt.fleming@intel.com> + +diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S +index 84c2234..7a6d43a 100644 +--- a/arch/x86/boot/header.S ++++ b/arch/x86/boot/header.S +@@ -91,10 +91,9 @@ bs_die: + + .section ".bsdata", "a" + bugger_off_msg: +- .ascii "Direct floppy boot is not supported. " +- .ascii "Use a boot loader program instead.\r\n" ++ .ascii "Use a boot loader.\r\n" + .ascii "\n" +- .ascii "Remove disk and press any key to reboot ...\r\n" ++ .ascii "Remove disk and press any key to reboot...\r\n" + .byte 0 + + #ifdef CONFIG_EFI_STUB +@@ -108,7 +107,7 @@ coff_header: + #else + .word 0x8664 # x86-64 + #endif +- .word 3 # nr_sections ++ .word 4 # nr_sections + .long 0 # TimeDateStamp + .long 0 # PointerToSymbolTable + .long 1 # NumberOfSymbols +@@ -250,6 +249,25 @@ section_table: + .word 0 # NumberOfLineNumbers + .long 0x60500020 # Characteristics (section flags) + ++ # ++ # The offset & size fields are filled in by build.c. ++ # ++ .ascii ".bss" ++ .byte 0 ++ .byte 0 ++ .byte 0 ++ .byte 0 ++ .long 0 ++ .long 0x0 ++ .long 0 # Size of initialized data ++ # on disk ++ .long 0x0 ++ .long 0 # PointerToRelocations ++ .long 0 # PointerToLineNumbers ++ .word 0 # NumberOfRelocations ++ .word 0 # NumberOfLineNumbers ++ .long 0xc8000080 # Characteristics (section flags) ++ + #endif /* CONFIG_EFI_STUB */ + + # Kernel attributes; used by setup. This is part 1 of the +diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c +index 1a2f212..a7661c4 100644 +--- a/arch/x86/boot/tools/build.c ++++ b/arch/x86/boot/tools/build.c +@@ -143,7 +143,7 @@ static void usage(void) + + #ifdef CONFIG_EFI_STUB + +-static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) ++static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset) + { + unsigned int pe_header; + unsigned short num_sections; +@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz + put_unaligned_le32(size, section + 0x8); + + /* section header vma field */ +- put_unaligned_le32(offset, section + 0xc); ++ put_unaligned_le32(vma, section + 0xc); + + /* section header 'size of initialised data' field */ +- put_unaligned_le32(size, section + 0x10); ++ put_unaligned_le32(datasz, section + 0x10); + + /* section header 'file offset' field */ + put_unaligned_le32(offset, section + 0x14); +@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz + } + } + ++static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) ++{ ++ update_pecoff_section_header_fields(section_name, offset, size, size, offset); ++} ++ + static void update_pecoff_setup_and_reloc(unsigned int size) + { + u32 setup_offset = 0x200; +@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) + + pe_header = get_unaligned_le32(&buf[0x3c]); + +- /* Size of image */ +- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]); +- + /* + * Size of code: Subtract the size of the first sector (512 bytes) + * which includes the header. +@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) + update_pecoff_section_header(".text", text_start, text_sz); + } + ++static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz) ++{ ++ unsigned int pe_header; ++ unsigned int bss_sz = init_sz - file_sz; ++ ++ pe_header = get_unaligned_le32(&buf[0x3c]); ++ ++ /* Size of uninitialized data */ ++ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]); ++ ++ /* Size of image */ ++ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]); ++ ++ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0); ++} ++ + static int reserve_pecoff_reloc_section(int c) + { + /* Reserve 0x20 bytes for .reloc section */ +@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void) + static inline void update_pecoff_setup_and_reloc(unsigned int size) {} + static inline void update_pecoff_text(unsigned int text_start, + unsigned int file_sz) {} ++static inline void update_pecoff_bss(unsigned int file_sz, ++ unsigned int init_sz) {} + static inline void efi_stub_defaults(void) {} + static inline void efi_stub_entry_update(void) {} + +@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname) + + int main(int argc, char ** argv) + { +- unsigned int i, sz, setup_sectors; ++ unsigned int i, sz, setup_sectors, init_sz; + int c; + u32 sys_size; + struct stat sb; +@@ -376,7 +396,9 @@ int main(int argc, char ** argv) + buf[0x1f1] = setup_sectors-1; + put_unaligned_le32(sys_size, &buf[0x1f4]); + +- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz)); ++ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16)); ++ init_sz = get_unaligned_le32(&buf[0x260]); ++ update_pecoff_bss(i + (sys_size * 16), init_sz); + + efi_stub_entry_update(); + +-- +cgit v0.10.1 + diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD index 3531e60d9..91c02221c 100644 --- a/libre/linux-libre-grsec/PKGBUILD +++ b/libre/linux-libre-grsec/PKGBUILD @@ -8,17 +8,18 @@ # Contributor: Sorin-Mihai Vârgolici <smv@yobicore.org> # Contributor: Michał Masłowski <mtjm@mtjm.eu> # Contributor: Márcio Silva <coadde@parabola.nu> +# Contributor: Luke Shumaker <lukeshu@sbcglobal.net> -pkgbase=linux-libre-grsec # Build stock -LIBRE-GRSEC kernel +pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel #pkgbase=linux-libre-custom # Build kernel with a different name _basekernel=3.15 -_sublevel=3 +_sublevel=5 _grsecver=3.0 -_timestamp=201407012153 +_timestamp=201407131211 _pkgver=${_basekernel}.${_sublevel} pkgver=${_basekernel}.${_sublevel}.${_timestamp} pkgrel=1 -_lxopkgver=${_basekernel}.2 # nearly always the same as pkgver +_lxopkgver=${_basekernel}.5 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="https://grsecurity.net/" license=('GPL2') @@ -36,21 +37,23 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'Kbuild.platforms' 'boot-logo.patch' 'change-default-console-loglevel.patch' + '0013-efistub-fix.patch' 'sysctl.conf' "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688' - 'dfd23e705edfc0f6fcf0df1a98e58ec7ae835ec780d7092810b664093d91cd5f' - '753d4983413740ca7d901724e11885462f2876caae6706463987e53b95578c2d' + '17ee14d488733298eef21d4a82986376199d92150ed9de00c25f5d9997eb02ae' + 'b7b65ff2ab0ff7f4d7f91e7b26060c1832de50eb35eeac1b835e5190ffaf2645' 'SKIP' - '20d7aa7723620bcdefc0828c2ba0c5b17049e7ecb8475703ddccd9f3e84c30d7' - 'e686e05416e6060d1345f58c0b77eff9d554c412d97df086bbcf2a97a39564ae' + '63e0b77252fb881ec0d1ee97ec78fd243a56bf79bf35e7e650d59631dfe9096d' + '434816aaaa635115b7f44b06dcd6f4037431378b4b0e9282803263c9288ab663' '9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486' 'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b' '55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9' 'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6' 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182' + '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c' 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31' - '09210211de26e59dcc20e48b355233fdaa572aea8e80e17acc915defc7aa7166') + 'ca0399ad601efd926a3d6e328d6457a7e945fe982e4f13ed39fff31982082f28') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. unset source[${#source[@]}-1] @@ -58,7 +61,7 @@ if [ "$CARCH" != "mips64el" ]; then fi _kernelname=${pkgbase#linux-libre} -_localversionname=-LIBRE-GRSEC +_localversionname=-libre-grsec prepare() { cd "${srcdir}/linux-${_basekernel}" @@ -82,6 +85,10 @@ prepare() { # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) patch -p1 -i "${srcdir}/change-default-console-loglevel.patch" + # fix efistub hang #33745 + # https://git.kernel.org/cgit/linux/kernel/git/mfleming/efi.git/patch/?id=c7fb93ec51d462ec3540a729ba446663c26a0505 + patch -Np1 -i "${srcdir}/0013-efistub-fix.patch" + if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ @@ -214,10 +221,10 @@ _package() { # gzip -9 all modules to save 100MB of space find "${pkgdir}" -name '*.ko' -exec gzip -9 {} \; # make room for external modules - ln -s "../extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}" "${pkgdir}/lib/modules/${_kernver}/extramodules" + ln -s "../extramodules-${_basekernel}${_localversionname:--libre-grsec}" "${pkgdir}/lib/modules/${_kernver}/extramodules" # add real version for building modules and running depmod from post_install/upgrade - mkdir -p "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}" - echo "${_kernver}" > "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--LIBRE-GRSEC}/version" + mkdir -p "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--libre-grsec}" + echo "${_kernver}" > "${pkgdir}/lib/modules/extramodules-${_basekernel}${_localversionname:--libre-grsec}/version" # Now we call depmod... depmod -b "${pkgdir}" -F System.map "${_kernver}" diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686 index 0723b0a06..462fb89d7 100644 --- a/libre/linux-libre-grsec/config.i686 +++ b/libre/linux-libre-grsec/config.i686 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.1.201406222112-1 Kernel Configuration +# Linux/x86 3.15.3.201407012153-2 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -48,7 +48,7 @@ CONFIG_BUILDTIME_EXTABLE_SORT=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" # CONFIG_COMPILE_TEST is not set -CONFIG_LOCALVERSION="-LIBRE-GRSEC" +CONFIG_LOCALVERSION="-libre-grsec" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y @@ -493,7 +493,8 @@ CONFIG_SCHED_HRTICK=y # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x20000000 CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x1000000 CONFIG_HOTPLUG_CPU=y @@ -6330,10 +6331,6 @@ CONFIG_TIMER_STATS=y # CONFIG_RT_MUTEX_TESTER is not set # CONFIG_DEBUG_SPINLOCK is not set # CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_LOCK_STAT is not set # CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set # CONFIG_LOCK_TORTURE_TEST is not set diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64 index 8b5501a57..6d2def186 100644 --- a/libre/linux-libre-grsec/config.x86_64 +++ b/libre/linux-libre-grsec/config.x86_64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.15.1.201406222112-1 Kernel Configuration +# Linux/x86 3.15.3.201407012153-2 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -49,7 +49,7 @@ CONFIG_BUILDTIME_EXTABLE_SORT=y CONFIG_INIT_ENV_ARG_LIMIT=32 CONFIG_CROSS_COMPILE="" # CONFIG_COMPILE_TEST is not set -CONFIG_LOCALVERSION="-LIBRE-GRSEC" +CONFIG_LOCALVERSION="-libre-grsec" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_HAVE_KERNEL_GZIP=y CONFIG_HAVE_KERNEL_BZIP2=y @@ -456,6 +456,7 @@ CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y +CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y CONFIG_PHYS_ADDR_T_64BIT=y CONFIG_ZONE_DMA_FLAG=1 CONFIG_BOUNCE=y @@ -501,7 +502,9 @@ CONFIG_SCHED_HRTICK=y # CONFIG_CRASH_DUMP is not set CONFIG_PHYSICAL_START=0x1000000 CONFIG_RELOCATABLE=y -# CONFIG_RANDOMIZE_BASE is not set +CONFIG_RANDOMIZE_BASE=y +CONFIG_RANDOMIZE_BASE_MAX_OFFSET=0x40000000 +CONFIG_X86_NEED_RELOCS=y CONFIG_PHYSICAL_ALIGN=0x1000000 CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set diff --git a/libre/linux-libre-grsec/linux-libre-grsec.install b/libre/linux-libre-grsec/linux-libre-grsec.install index cff18d020..637577244 100644 --- a/libre/linux-libre-grsec/linux-libre-grsec.install +++ b/libre/linux-libre-grsec/linux-libre-grsec.install @@ -44,29 +44,6 @@ _remove_groups() { done } -_help() { -cat <<EOF - -Configuration of grsecurity features via sysctl is possible in -"/etc/sysctl.d/05-grsecurity.conf". - -Trusted Path Execution is disabled by default and can be enabled via the -kernel.grsecurity.tpe sysctl option. The tpe group can be used either to build -a whitelist for users free from the restrictions (tpe_invert = 1) or a -blacklist of users with the restrictions (tpe_invert = 0). - -To prevent certain socket access to users, there are three groups: -socket-deny-server, socket-deny-client and socket-deny-all. - -There is an extensive wikibook on grsecurity and some documentation in the -Parabola GNU/Linux-libre Wiki: - -https://en.wikibooks.org/wiki/Grsecurity -https://wiki.parabolagnulinux.org/Grsecurity - -EOF -} - post_install () { # updating module dependencies echo ">>> Updating module dependencies. Please wait ..." @@ -77,7 +54,6 @@ post_install () { fi _add_groups - _help } post_upgrade() { @@ -104,7 +80,6 @@ post_upgrade() { fi _add_groups - _help } post_remove() { |