From 15247b8595a5a378c8be0043bb785f8fb4eb47f1 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Wed, 30 Jul 2014 20:38:35 -0300
Subject: linux-libre-grsec-3.15.7.201407282112-2: updating version
* enable CONFIG_USER_NS, but revert the commit allowing unprivileged user namespaces to avoid adding attack surface
---
libre/linux-libre-grsec/0013-efistub-fix.patch | 177 ---------------------
libre/linux-libre-grsec/PKGBUILD | 27 ++--
...ns-Allow-unprivileged-users-to-create-use.patch | 41 +++++
libre/linux-libre-grsec/config.i686 | 2 +-
libre/linux-libre-grsec/config.x86_64 | 2 +-
5 files changed, 56 insertions(+), 193 deletions(-)
delete mode 100644 libre/linux-libre-grsec/0013-efistub-fix.patch
create mode 100644 libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch
(limited to 'libre')
diff --git a/libre/linux-libre-grsec/0013-efistub-fix.patch b/libre/linux-libre-grsec/0013-efistub-fix.patch
deleted file mode 100644
index a2da3b63a..000000000
--- a/libre/linux-libre-grsec/0013-efistub-fix.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -From c7fb93ec51d462ec3540a729ba446663c26a0505 Mon Sep 17 00:00:00 2001 -From: Michael Brown -Date: Thu, 10 Jul 2014 12:26:20 +0100 -Subject: x86/efi: Include a .bss section within the PE/COFF headers -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The PE/COFF headers currently describe only the initialised-data -portions of the image, and result in no space being allocated for the -uninitialised-data portions. Consequently, the EFI boot stub will end -up overwriting unexpected areas of memory, with unpredictable results. - -Fix by including a .bss section in the PE/COFF headers (functionally -equivalent to the init_size field in the bzImage header). - -Signed-off-by: Michael Brown -Cc: Thomas Bächler -Cc: Josh Boyer -Cc: -Signed-off-by: Matt Fleming - -diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S -index 84c2234..7a6d43a 100644 ---- a/arch/x86/boot/header.S -+++ b/arch/x86/boot/header.S -@@ -91,10 +91,9 @@ bs_die: - - .section ".bsdata", "a" - bugger_off_msg: -- .ascii "Direct floppy boot is not supported. " -- .ascii "Use a boot loader program instead.\r\n" -+ .ascii "Use a boot loader.\r\n" - .ascii "\n" -- .ascii "Remove disk and press any key to reboot ...\r\n" -+ .ascii "Remove disk and press any key to reboot...\r\n" - .byte 0 - - #ifdef CONFIG_EFI_STUB -@@ -108,7 +107,7 @@ coff_header: - #else - .word 0x8664 # x86-64 - #endif -- .word 3 # nr_sections -+ .word 4 # nr_sections - .long 0 # TimeDateStamp - .long 0 # PointerToSymbolTable - .long 1 # NumberOfSymbols -@@ -250,6 +249,25 @@ section_table: - .word 0 # NumberOfLineNumbers - .long 0x60500020 # Characteristics (section flags) - -+ # -+ # The offset & size fields are filled in by build.c. 
-+ # -+ .ascii ".bss" -+ .byte 0 -+ .byte 0 -+ .byte 0 -+ .byte 0 -+ .long 0 -+ .long 0x0 -+ .long 0 # Size of initialized data -+ # on disk -+ .long 0x0 -+ .long 0 # PointerToRelocations -+ .long 0 # PointerToLineNumbers -+ .word 0 # NumberOfRelocations -+ .word 0 # NumberOfLineNumbers -+ .long 0xc8000080 # Characteristics (section flags) -+ - #endif /* CONFIG_EFI_STUB */ - - # Kernel attributes; used by setup. This is part 1 of the -diff --git a/arch/x86/boot/tools/build.c b/arch/x86/boot/tools/build.c -index 1a2f212..a7661c4 100644 ---- a/arch/x86/boot/tools/build.c -+++ b/arch/x86/boot/tools/build.c -@@ -143,7 +143,7 @@ static void usage(void) - - #ifdef CONFIG_EFI_STUB - --static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) -+static void update_pecoff_section_header_fields(char *section_name, u32 vma, u32 size, u32 datasz, u32 offset) - { - unsigned int pe_header; - unsigned short num_sections; -@@ -164,10 +164,10 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz - put_unaligned_le32(size, section + 0x8); - - /* section header vma field */ -- put_unaligned_le32(offset, section + 0xc); -+ put_unaligned_le32(vma, section + 0xc); - - /* section header 'size of initialised data' field */ -- put_unaligned_le32(size, section + 0x10); -+ put_unaligned_le32(datasz, section + 0x10); - - /* section header 'file offset' field */ - put_unaligned_le32(offset, section + 0x14); -@@ -179,6 +179,11 @@ static void update_pecoff_section_header(char *section_name, u32 offset, u32 siz - } - } - -+static void update_pecoff_section_header(char *section_name, u32 offset, u32 size) -+{ -+ update_pecoff_section_header_fields(section_name, offset, size, size, offset); -+} -+ - static void update_pecoff_setup_and_reloc(unsigned int size) - { - u32 setup_offset = 0x200; -@@ -203,9 +208,6 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) - - pe_header = get_unaligned_le32(&buf[0x3c]); - -- /* 
Size of image */ -- put_unaligned_le32(file_sz, &buf[pe_header + 0x50]); -- - /* - * Size of code: Subtract the size of the first sector (512 bytes) - * which includes the header. -@@ -220,6 +222,22 @@ static void update_pecoff_text(unsigned int text_start, unsigned int file_sz) - update_pecoff_section_header(".text", text_start, text_sz); - } - -+static void update_pecoff_bss(unsigned int file_sz, unsigned int init_sz) -+{ -+ unsigned int pe_header; -+ unsigned int bss_sz = init_sz - file_sz; -+ -+ pe_header = get_unaligned_le32(&buf[0x3c]); -+ -+ /* Size of uninitialized data */ -+ put_unaligned_le32(bss_sz, &buf[pe_header + 0x24]); -+ -+ /* Size of image */ -+ put_unaligned_le32(init_sz, &buf[pe_header + 0x50]); -+ -+ update_pecoff_section_header_fields(".bss", file_sz, bss_sz, 0, 0); -+} -+ - static int reserve_pecoff_reloc_section(int c) - { - /* Reserve 0x20 bytes for .reloc section */ -@@ -259,6 +277,8 @@ static void efi_stub_entry_update(void) - static inline void update_pecoff_setup_and_reloc(unsigned int size) {} - static inline void update_pecoff_text(unsigned int text_start, - unsigned int file_sz) {} -+static inline void update_pecoff_bss(unsigned int file_sz, -+ unsigned int init_sz) {} - static inline void efi_stub_defaults(void) {} - static inline void efi_stub_entry_update(void) {} - -@@ -310,7 +330,7 @@ static void parse_zoffset(char *fname) - - int main(int argc, char ** argv) - { -- unsigned int i, sz, setup_sectors; -+ unsigned int i, sz, setup_sectors, init_sz; - int c; - u32 sys_size; - struct stat sb; -@@ -376,7 +396,9 @@ int main(int argc, char ** argv) - buf[0x1f1] = setup_sectors-1; - put_unaligned_le32(sys_size, &buf[0x1f4]); - -- update_pecoff_text(setup_sectors * 512, sz + i + ((sys_size * 16) - sz)); -+ update_pecoff_text(setup_sectors * 512, i + (sys_size * 16)); -+ init_sz = get_unaligned_le32(&buf[0x260]); -+ update_pecoff_bss(i + (sys_size * 16), init_sz); - - efi_stub_entry_update(); - --- -cgit v0.10.1 - 
diff --git a/libre/linux-libre-grsec/PKGBUILD b/libre/linux-libre-grsec/PKGBUILD index 9d404588d..60f60a8b4 100644 --- a/libre/linux-libre-grsec/PKGBUILD +++ b/libre/linux-libre-grsec/PKGBUILD @@ -13,13 +13,13 @@ pkgbase=linux-libre-grsec # Build stock -libre-grsec kernel #pkgbase=linux-libre-custom # Build kernel with a different name _basekernel=3.15 -_sublevel=6 +_sublevel=7 _grsecver=3.0 -_timestamp=201407280729 +_timestamp=201407282112 _pkgver=${_basekernel}.${_sublevel} pkgver=${_basekernel}.${_sublevel}.${_timestamp} -pkgrel=1 -_lxopkgver=${_basekernel}.6 # nearly always the same as pkgver +pkgrel=2 +_lxopkgver=${_basekernel}.7 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="https://grsecurity.net/" license=('GPL2') 
@@ -37,23 +37,23 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'Kbuild.platforms' 'boot-logo.patch' 'change-default-console-loglevel.patch' - '0013-efistub-fix.patch' + 'Revert-userns-Allow-unprivileged-users-to-create-use.patch' 'sysctl.conf' "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") sha256sums=('93450dc189131b6a4de862f35c5087a58cc7bae1c24caa535d2357cc3301b688' - '1966964395bd9331843c8d6dacbf661c9061e90c81bf8609d995ed458d57e358' - '28f31111afab6e7d23c1bf486537c68ef0bb72f90e8504ef7202d6cb85b27cfd' + 'ffc3b2c30f38bcdaac32f2236651d1339ef4a9c2a70669938cdc1768440ce5d0' + '6f9c45339b6801e7021505c569c47b480fcde1f36aba34b89b3615fec0a59532' 'SKIP' - '9d926dcaf6ae07359619337ba2e17e36e8b23837b9e423e391f304f21c95de75' - '5037a8058ee020195d99b7c127d8634e77a281e31fa56c656b7d8661cac63665' + '346723e7937fc11550ed341eccd7170b9d7fa04a5c700e3f9f0dafca4333dccc' + '2c882c979bc20fab3782357aefddd083d3255832afb8dc76ab0724284d517ffe' '9d2f34f1a8c514a7117b9b017a1f7312fb351f4d0b079eed102f89361534d486' 'c5451d5e1eafc4f8d28b1a2958ec3102c124433a414a86450fc32058e004156b' '55bf07738a3286168a7929ae16dbca29defd14e77b9d24c487ae4c3d12bb9eb9' 'f913384dd6dbafca476fcf4ccd35f0f497dda5f3074866022facdb92647771f6' 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182' - '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c' + '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754' 'd4d4ae0b9c510547f47d94582e4ca08a7f12e9baf324181cb54d328027305e31' - '38beb22b3d9f548fff897c0690dad330443ef24e48d414cf8dbc682f40501fab') + '78a6e45c598d89475c8e7768e3965d3ab184c067fd6211adca272ac91b8e5e14') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. unset source[${#source[@]}-1] 
@@ -85,9 +85,8 @@ prepare() { # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227) patch -p1 -i "${srcdir}/change-default-console-loglevel.patch" - # fix efistub hang #33745 - # https://git.kernel.org/cgit/linux/kernel/git/mfleming/efi.git/patch/?id=c7fb93ec51d462ec3540a729ba446663c26a0505 - patch -Np1 -i "${srcdir}/0013-efistub-fix.patch" + # forbid unprivileged user namespaces + patch -p1 -i "$srcdir/Revert-userns-Allow-unprivileged-users-to-create-use.patch" if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-grsec|" Makefile diff --git a/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch b/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch new file mode 100644 index 000000000..5713dbb20 --- /dev/null +++ b/libre/linux-libre-grsec/Revert-userns-Allow-unprivileged-users-to-create-use.patch 
@@ -0,0 +1,41 @@ +From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Wed, 13 Nov 2013 10:21:18 -0500 +Subject: [PATCH] Revert "userns: Allow unprivileged users to create user + namespaces." + +This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946. + +Conflicts: + kernel/fork.c +--- + kernel/fork.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/kernel/fork.c b/kernel/fork.c +index f6d11fc..e04c9a7 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags, + long nr; + + /* ++ * Do some preliminary argument and permissions checking before we ++ * actually start allocating stuff ++ */ ++ if (clone_flags & CLONE_NEWUSER) { ++ /* hopefully this check will go away when userns support is ++ * complete ++ */ ++ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || ++ !capable(CAP_SETGID)) ++ return -EPERM; ++ } ++ ++ /* + * Determine whether and which event to report to ptracer. When + * called from kernel_thread or CLONE_UNTRACED is explicitly + * requested, no event is reported; otherwise, report if the event +-- +1.8.3.1 + diff --git a/libre/linux-libre-grsec/config.i686 b/libre/linux-libre-grsec/config.i686 index d0db896c0..b22b7edea 100644 --- a/libre/linux-libre-grsec/config.i686 +++ b/libre/linux-libre-grsec/config.i686 @@ -157,7 +157,7 @@ CONFIG_BLK_CGROUP=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y -# CONFIG_USER_NS is not set +CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_AUTOGROUP=y diff --git a/libre/linux-libre-grsec/config.x86_64 b/libre/linux-libre-grsec/config.x86_64 index d42ce144f..9392245d8 100644 --- a/libre/linux-libre-grsec/config.x86_64 +++ b/libre/linux-libre-grsec/config.x86_64 @@ -164,7 +164,7 @@ CONFIG_BLK_CGROUP=y CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y -# CONFIG_USER_NS is not set +CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y CONFIG_SCHED_AUTOGROUP=y -- cgit v1.2.3-54-g00ecf
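Review bot: The capability check added by the new Revert-userns patch sits only at the top of do_fork(), so it gates CLONE_NEWUSER on the clone path; nothing visible in this commit applies the same test where a user namespace is requested through unshare(). The config.i686 and config.x86_64 hunks switch to `CONFIG_USER_NS=y` on the strength of that check, so please confirm that the unshare path is also refused for callers without these capabilities (the grsecurity patch may already enforce this, but that is not visible here); if it is not, mirror `if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) || !capable(CAP_SETGID)) return -EPERM;` there. The inherited comment "hopefully this check will go away when userns support is complete" now describes a deliberate hardening decision, so the PKGBUILD comment could record that instead, e.g. `# require CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID for CLONE_NEWUSER (reverts upstream 5eaf563e53294d6696e651466697eb9d491f3946)`. do_fork's body continues outside the embedded hunk.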