summaryrefslogtreecommitdiff
path: root/sys-kernel/linux-image-redcore
diff options
context:
space:
mode:
authorV3n3RiX <venerix@redcorelinux.org>2018-05-22 20:14:20 +0100
committerV3n3RiX <venerix@redcorelinux.org>2018-05-22 20:14:20 +0100
commite9a57433e76076ae340cb150045b550b40141175 (patch)
tree64a129fd5750408f0bd4591b7cd4a568620f24a8 /sys-kernel/linux-image-redcore
parent912e114b9da5236d68092f09c36cc5a08d6fa448 (diff)
sys-kernel/linux-{image,sources}-redcore : version bump
Diffstat (limited to 'sys-kernel/linux-image-redcore')
-rw-r--r--sys-kernel/linux-image-redcore/Manifest2
-rw-r--r--sys-kernel/linux-image-redcore/files/linux-hardened-v3.patch (renamed from sys-kernel/linux-image-redcore/files/linux-hardened-v2.patch)816
-rw-r--r--sys-kernel/linux-image-redcore/files/redcore-amd64.config3
-rw-r--r--sys-kernel/linux-image-redcore/linux-image-redcore-4.16.11.ebuild (renamed from sys-kernel/linux-image-redcore/linux-image-redcore-4.16.10.ebuild)2
4 files changed, 294 insertions, 529 deletions
diff --git a/sys-kernel/linux-image-redcore/Manifest b/sys-kernel/linux-image-redcore/Manifest
index 350f6422..8119aa2d 100644
--- a/sys-kernel/linux-image-redcore/Manifest
+++ b/sys-kernel/linux-image-redcore/Manifest
@@ -1 +1 @@
-DIST linux-4.16.10.tar.xz 103032160 BLAKE2B 79d7fbaa2d4cd3276a4496dde0da32f127fc3321d693f5fb983f18097d9644ef8fad49a8794cdfae0b0309d4b495ff0a4ffee5ef7c83fe6845b881f319f65047 SHA512 15554010d6e10ed1eb0dc6f1aadb2ce43fa4ca5978f737e44afc011bf1bdca6b03930fc5f07506e59f8b64f23c975ffc36b117836d103f5c529c27eb661c0290
+DIST linux-4.16.11.tar.xz 103047692 BLAKE2B 4f8d56f0817f210c353fab172db439352277030d51427419af199df85a7d3bec92dfde06c87c98daa8d3c1b60c994a0c60e225d47d6e93fcad8439dedefd3b79 SHA512 c14ffdbab29660c58d53bfbed6a897479bf4f451868c8d5b8c71f01b7e854182f3268c80ec5cd9df2330fef81b43be30082084304eee529e85e06dec40517d94
diff --git a/sys-kernel/linux-image-redcore/files/linux-hardened-v2.patch b/sys-kernel/linux-image-redcore/files/linux-hardened-v3.patch
index 8ec7b812..53bb313f 100644
--- a/sys-kernel/linux-image-redcore/files/linux-hardened-v2.patch
+++ b/sys-kernel/linux-image-redcore/files/linux-hardened-v3.patch
@@ -1,14 +1,14 @@
-diff -Naur linux-4.16/arch/arm64/configs/defconfig linux-4.16-p/arch/arm64/configs/defconfig
---- linux-4.16/arch/arm64/configs/defconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/arm64/configs/defconfig 2018-04-12 15:57:20.805694357 +0200
+diff -Nur a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+--- a/arch/arm64/configs/defconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/arm64/configs/defconfig 2018-05-22 19:56:23.693071674 +0100
@@ -1,4 +1,3 @@
-CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_AUDIT=y
CONFIG_NO_HZ_IDLE=y
-diff -Naur linux-4.16/arch/arm64/include/asm/elf.h linux-4.16-p/arch/arm64/include/asm/elf.h
---- linux-4.16/arch/arm64/include/asm/elf.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/arm64/include/asm/elf.h 2018-04-12 15:57:20.806694357 +0200
+diff -Nur a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+--- a/arch/arm64/include/asm/elf.h 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/arm64/include/asm/elf.h 2018-05-22 19:56:23.693071674 +0100
@@ -114,10 +114,10 @@
/*
@@ -36,10 +36,10 @@ diff -Naur linux-4.16/arch/arm64/include/asm/elf.h linux-4.16-p/arch/arm64/inclu
#endif
#ifdef __AARCH64EB__
-diff -Naur linux-4.16/arch/arm64/Kconfig linux-4.16-p/arch/arm64/Kconfig
---- linux-4.16/arch/arm64/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/arm64/Kconfig 2018-04-12 15:57:20.806694357 +0200
-@@ -974,6 +974,7 @@
+diff -Nur a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+--- a/arch/arm64/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/arm64/Kconfig 2018-05-22 19:56:23.692071641 +0100
+@@ -988,6 +988,7 @@
config ARM64_SW_TTBR0_PAN
bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
@@ -47,7 +47,7 @@ diff -Naur linux-4.16/arch/arm64/Kconfig linux-4.16-p/arch/arm64/Kconfig
help
Enabling this option prevents the kernel from accessing
user-space memory directly by pointing TTBR0_EL1 to a reserved
-@@ -1127,6 +1128,7 @@
+@@ -1141,6 +1142,7 @@
bool "Randomize the address of the kernel image"
select ARM64_MODULE_PLTS if MODULES
select RELOCATABLE
@@ -55,9 +55,9 @@ diff -Naur linux-4.16/arch/arm64/Kconfig linux-4.16-p/arch/arm64/Kconfig
help
Randomizes the virtual address at which the kernel image is
loaded, as a security feature that deters exploit attempts
-diff -Naur linux-4.16/arch/arm64/Kconfig.debug linux-4.16-p/arch/arm64/Kconfig.debug
---- linux-4.16/arch/arm64/Kconfig.debug 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/arm64/Kconfig.debug 2018-04-12 15:57:20.807694356 +0200
+diff -Nur a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
+--- a/arch/arm64/Kconfig.debug 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/arm64/Kconfig.debug 2018-05-22 19:56:23.692071641 +0100
@@ -45,6 +45,7 @@
config DEBUG_WX
bool "Warn on W+X mappings at boot"
@@ -66,9 +66,9 @@ diff -Naur linux-4.16/arch/arm64/Kconfig.debug linux-4.16-p/arch/arm64/Kconfig.d
---help---
Generate a warning if any W+X mappings are found at boot.
-diff -Naur linux-4.16/arch/arm64/kernel/process.c linux-4.16-p/arch/arm64/kernel/process.c
---- linux-4.16/arch/arm64/kernel/process.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/arm64/kernel/process.c 2018-04-12 15:57:20.807694356 +0200
+diff -Nur a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+--- a/arch/arm64/kernel/process.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/arm64/kernel/process.c 2018-05-22 19:56:23.693071674 +0100
@@ -481,9 +481,9 @@
unsigned long arch_randomize_brk(struct mm_struct *mm)
{
@@ -81,9 +81,9 @@ diff -Naur linux-4.16/arch/arm64/kernel/process.c linux-4.16-p/arch/arm64/kernel
}
/*
-diff -Naur linux-4.16/arch/Kconfig linux-4.16-p/arch/Kconfig
---- linux-4.16/arch/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/Kconfig 2018-04-12 15:57:20.808694356 +0200
+diff -Nur a/arch/Kconfig b/arch/Kconfig
+--- a/arch/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/Kconfig 2018-05-22 19:56:23.692071641 +0100
@@ -454,6 +454,11 @@
is some slowdown of the boot process (about 0.5%) and fork and
irq processing.
@@ -96,15 +96,6 @@ diff -Naur linux-4.16/arch/Kconfig linux-4.16-p/arch/Kconfig
Note that entropy extracted this way is not cryptographically
secure!
-@@ -541,7 +546,7 @@
- choice
- prompt "Stack Protector buffer overflow detection"
- depends on HAVE_CC_STACKPROTECTOR
-- default CC_STACKPROTECTOR_AUTO
-+ default CC_STACKPROTECTOR_STRONG
- help
- This option turns on the "stack-protector" GCC feature. This
- feature puts, at the beginning of functions, a canary value on
@@ -747,7 +752,7 @@
int "Number of bits to use for ASLR of mmap base address" if EXPERT
range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
@@ -131,18 +122,18 @@ diff -Naur linux-4.16/arch/Kconfig linux-4.16-p/arch/Kconfig
help
Enabling this switches the refcounting infrastructure from a fast
unchecked atomic_t implementation to a fully state checked
-diff -Naur linux-4.16/arch/x86/configs/x86_64_defconfig linux-4.16-p/arch/x86/configs/x86_64_defconfig
---- linux-4.16/arch/x86/configs/x86_64_defconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/configs/x86_64_defconfig 2018-04-12 15:57:20.808694356 +0200
+diff -Nur a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+--- a/arch/x86/configs/x86_64_defconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/configs/x86_64_defconfig 2018-05-22 19:56:23.694071707 +0100
@@ -1,5 +1,4 @@
# CONFIG_LOCALVERSION_AUTO is not set
-CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_BSD_PROCESS_ACCT=y
CONFIG_TASKSTATS=y
-diff -Naur linux-4.16/arch/x86/entry/vdso/vma.c linux-4.16-p/arch/x86/entry/vdso/vma.c
---- linux-4.16/arch/x86/entry/vdso/vma.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/entry/vdso/vma.c 2018-04-12 15:57:20.808694356 +0200
+diff -Nur a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+--- a/arch/x86/entry/vdso/vma.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/entry/vdso/vma.c 2018-05-22 19:56:23.694071707 +0100
@@ -204,55 +204,9 @@
}
@@ -200,9 +191,9 @@ diff -Naur linux-4.16/arch/x86/entry/vdso/vma.c linux-4.16-p/arch/x86/entry/vdso
}
#endif
-diff -Naur linux-4.16/arch/x86/include/asm/elf.h linux-4.16-p/arch/x86/include/asm/elf.h
---- linux-4.16/arch/x86/include/asm/elf.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/include/asm/elf.h 2018-04-12 15:57:20.809694356 +0200
+diff -Nur a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+--- a/arch/x86/include/asm/elf.h 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/include/asm/elf.h 2018-05-22 19:56:23.694071707 +0100
@@ -249,11 +249,11 @@
/*
@@ -247,9 +238,9 @@ diff -Naur linux-4.16/arch/x86/include/asm/elf.h linux-4.16-p/arch/x86/include/a
extern struct va_alignment va_align;
-extern unsigned long align_vdso_addr(unsigned long);
#endif /* _ASM_X86_ELF_H */
-diff -Naur linux-4.16/arch/x86/include/asm/tlbflush.h linux-4.16-p/arch/x86/include/asm/tlbflush.h
---- linux-4.16/arch/x86/include/asm/tlbflush.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/include/asm/tlbflush.h 2018-04-12 15:57:20.809694356 +0200
+diff -Nur a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
+--- a/arch/x86/include/asm/tlbflush.h 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/include/asm/tlbflush.h 2018-05-22 19:56:23.694071707 +0100
@@ -261,6 +261,7 @@
local_irq_save(flags);
@@ -282,9 +273,9 @@ diff -Naur linux-4.16/arch/x86/include/asm/tlbflush.h linux-4.16-p/arch/x86/incl
/* toggle PGE */
native_write_cr4(cr4 ^ X86_CR4_PGE);
/* write old PGE again and flush TLBs */
-diff -Naur linux-4.16/arch/x86/Kconfig linux-4.16-p/arch/x86/Kconfig
---- linux-4.16/arch/x86/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/Kconfig 2018-04-12 15:57:20.810694356 +0200
+diff -Nur a/arch/x86/Kconfig b/arch/x86/Kconfig
+--- a/arch/x86/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/Kconfig 2018-05-22 19:56:23.694071707 +0100
@@ -1208,8 +1208,7 @@
default X86_LEGACY_VM86
@@ -314,9 +305,9 @@ diff -Naur linux-4.16/arch/x86/Kconfig linux-4.16-p/arch/x86/Kconfig
---help---
Linux can allow user programs to install a per-process x86
Local Descriptor Table (LDT) using the modify_ldt(2) system
-diff -Naur linux-4.16/arch/x86/Kconfig.debug linux-4.16-p/arch/x86/Kconfig.debug
---- linux-4.16/arch/x86/Kconfig.debug 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/Kconfig.debug 2018-04-12 15:57:20.810694356 +0200
+diff -Nur a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
+--- a/arch/x86/Kconfig.debug 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/Kconfig.debug 2018-05-22 19:56:23.694071707 +0100
@@ -101,6 +101,7 @@
config DEBUG_WX
bool "Warn on W+X mappings at boot"
@@ -325,10 +316,10 @@ diff -Naur linux-4.16/arch/x86/Kconfig.debug linux-4.16-p/arch/x86/Kconfig.debug
---help---
Generate a warning if any W+X mappings are found at boot.
-diff -Naur linux-4.16/arch/x86/kernel/cpu/common.c linux-4.16-p/arch/x86/kernel/cpu/common.c
---- linux-4.16/arch/x86/kernel/cpu/common.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/kernel/cpu/common.c 2018-04-12 15:57:20.811694355 +0200
-@@ -1617,7 +1617,6 @@
+diff -Nur a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+--- a/arch/x86/kernel/cpu/common.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/kernel/cpu/common.c 2018-05-22 19:56:23.695071739 +0100
+@@ -1662,7 +1662,6 @@
wrmsrl(MSR_KERNEL_GS_BASE, 0);
barrier();
@@ -336,19 +327,19 @@ diff -Naur linux-4.16/arch/x86/kernel/cpu/common.c linux-4.16-p/arch/x86/kernel/
x2apic_setup();
/*
-diff -Naur linux-4.16/arch/x86/kernel/process.c linux-4.16-p/arch/x86/kernel/process.c
---- linux-4.16/arch/x86/kernel/process.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/kernel/process.c 2018-04-12 15:57:20.812694355 +0200
-@@ -38,6 +38,8 @@
- #include <asm/switch_to.h>
+diff -Nur a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+--- a/arch/x86/kernel/process.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/kernel/process.c 2018-05-22 19:58:08.019495182 +0100
+@@ -39,6 +39,8 @@
#include <asm/desc.h>
#include <asm/prctl.h>
+ #include <asm/spec-ctrl.h>
+#include <asm/elf.h>
+#include <linux/sizes.h>
/*
* per-CPU TSS segments. Threads are completely 'soft' on Linux,
-@@ -572,7 +574,10 @@
+@@ -718,7 +720,10 @@
unsigned long arch_randomize_brk(struct mm_struct *mm)
{
@@ -360,9 +351,9 @@ diff -Naur linux-4.16/arch/x86/kernel/process.c linux-4.16-p/arch/x86/kernel/pro
}
/*
-diff -Naur linux-4.16/arch/x86/kernel/sys_x86_64.c linux-4.16-p/arch/x86/kernel/sys_x86_64.c
---- linux-4.16/arch/x86/kernel/sys_x86_64.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/kernel/sys_x86_64.c 2018-04-12 15:57:20.812694355 +0200
+diff -Nur a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+--- a/arch/x86/kernel/sys_x86_64.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/kernel/sys_x86_64.c 2018-05-22 19:56:23.695071739 +0100
@@ -54,13 +54,6 @@
return va_align.bits & get_align_mask();
}
@@ -398,9 +389,9 @@ diff -Naur linux-4.16/arch/x86/kernel/sys_x86_64.c linux-4.16-p/arch/x86/kernel/
info.high_limit = get_mmap_base(0);
/*
-diff -Naur linux-4.16/arch/x86/mm/init_32.c linux-4.16-p/arch/x86/mm/init_32.c
---- linux-4.16/arch/x86/mm/init_32.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/mm/init_32.c 2018-04-12 15:57:20.812694355 +0200
+diff -Nur a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+--- a/arch/x86/mm/init_32.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/mm/init_32.c 2018-05-22 19:56:23.695071739 +0100
@@ -558,7 +558,7 @@
permanent_kmaps_init(pgd_base);
}
@@ -433,9 +424,9 @@ diff -Naur linux-4.16/arch/x86/mm/init_32.c linux-4.16-p/arch/x86/mm/init_32.c
#ifdef CONFIG_CPA_DEBUG
printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n",
start, start+size);
-diff -Naur linux-4.16/arch/x86/mm/init_64.c linux-4.16-p/arch/x86/mm/init_64.c
---- linux-4.16/arch/x86/mm/init_64.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/arch/x86/mm/init_64.c 2018-04-12 15:57:20.813694355 +0200
+diff -Nur a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+--- a/arch/x86/mm/init_64.c 2018-05-22 17:56:31.000000000 +0100
++++ b/arch/x86/mm/init_64.c 2018-05-22 19:56:23.696071772 +0100
@@ -65,7 +65,7 @@
* around without checking the pgd every time.
*/
@@ -465,9 +456,9 @@ diff -Naur linux-4.16/arch/x86/mm/init_64.c linux-4.16-p/arch/x86/mm/init_64.c
/*
* The rodata/data/bss/brk section (but not the kernel text!)
-diff -Naur linux-4.16/block/blk-softirq.c linux-4.16-p/block/blk-softirq.c
---- linux-4.16/block/blk-softirq.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/block/blk-softirq.c 2018-04-12 15:57:20.813694355 +0200
+diff -Nur a/block/blk-softirq.c b/block/blk-softirq.c
+--- a/block/blk-softirq.c 2018-05-22 17:56:31.000000000 +0100
++++ b/block/blk-softirq.c 2018-05-22 19:56:23.696071772 +0100
@@ -20,7 +20,7 @@
* Softirq action handler - move entries to local list and loop over them
* while passing them to the queue registered handler.
@@ -477,9 +468,9 @@ diff -Naur linux-4.16/block/blk-softirq.c linux-4.16-p/block/blk-softirq.c
{
struct list_head *cpu_list, local_list;
-diff -Naur linux-4.16/Documentation/admin-guide/kernel-parameters.txt linux-4.16-p/Documentation/admin-guide/kernel-parameters.txt
---- linux-4.16/Documentation/admin-guide/kernel-parameters.txt 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/Documentation/admin-guide/kernel-parameters.txt 2018-04-12 15:57:20.815694354 +0200
+diff -Nur a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+--- a/Documentation/admin-guide/kernel-parameters.txt 2018-05-22 17:56:31.000000000 +0100
++++ b/Documentation/admin-guide/kernel-parameters.txt 2018-05-22 19:56:23.691071608 +0100
@@ -496,16 +496,6 @@
nosocket -- Disable socket memory accounting.
nokmem -- Disable kernel memory accounting.
@@ -497,7 +488,7 @@ diff -Naur linux-4.16/Documentation/admin-guide/kernel-parameters.txt linux-4.16
cio_ignore= [S390]
See Documentation/s390/CommonIO for details.
clk_ignore_unused
-@@ -2943,6 +2933,11 @@
+@@ -2946,6 +2936,11 @@
the specified number of seconds. This is to be used if
your oopses keep scrolling off the screen.
@@ -509,48 +500,10 @@ diff -Naur linux-4.16/Documentation/admin-guide/kernel-parameters.txt linux-4.16
pcbit= [HW,ISDN]
pcd. [PARIDE]
-diff -Naur linux-4.16/Documentation/sysctl/kernel.txt linux-4.16-p/Documentation/sysctl/kernel.txt
---- linux-4.16/Documentation/sysctl/kernel.txt 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/Documentation/sysctl/kernel.txt 2018-04-12 15:57:20.815694354 +0200
-@@ -92,6 +92,7 @@
- - sysctl_writes_strict
- - tainted
- - threads-max
-+- tiocsti_restrict
- - unknown_nmi_panic
- - watchdog
- - watchdog_thresh
-@@ -1014,6 +1015,26 @@
-
- ==============================================================
-
-+tiocsti_restrict:
-+
-+This toggle indicates whether unprivileged users are prevented
-+from using the TIOCSTI ioctl to inject commands into other processes
-+which share a tty session.
-+
-+When tiocsti_restrict is set to (0) there are no restrictions(accept
-+the default restriction of only being able to injection commands into
-+one's own tty). When tiocsti_restrict is set to (1), users must
-+have CAP_SYS_ADMIN to use the TIOCSTI ioctl.
-+
-+When user namespaces are in use, the check for the capability
-+CAP_SYS_ADMIN is done against the user namespace that originally
-+opened the tty.
-+
-+The kernel config option CONFIG_SECURITY_TIOCSTI_RESTRICT sets the
-+default value of tiocsti_restrict.
-+
-+==============================================================
-+
- unknown_nmi_panic:
-
- The value in this file affects behavior of handling NMI. When the
-diff -Naur linux-4.16/drivers/ata/libata-core.c linux-4.16-p/drivers/ata/libata-core.c
---- linux-4.16/drivers/ata/libata-core.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/ata/libata-core.c 2018-04-12 15:57:20.817694353 +0200
-@@ -5148,7 +5148,7 @@
+diff -Nur a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+--- a/drivers/ata/libata-core.c 2018-05-22 17:56:31.000000000 +0100
++++ b/drivers/ata/libata-core.c 2018-05-22 19:56:23.697071805 +0100
+@@ -5151,7 +5151,7 @@
struct ata_port *ap;
unsigned int tag;
@@ -559,7 +512,7 @@ diff -Naur linux-4.16/drivers/ata/libata-core.c linux-4.16-p/drivers/ata/libata-
ap = qc->ap;
qc->flags = 0;
-@@ -5165,7 +5165,7 @@
+@@ -5168,7 +5168,7 @@
struct ata_port *ap;
struct ata_link *link;
@@ -568,9 +521,9 @@ diff -Naur linux-4.16/drivers/ata/libata-core.c linux-4.16-p/drivers/ata/libata-
WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
ap = qc->ap;
link = qc->dev->link;
-diff -Naur linux-4.16/drivers/char/Kconfig linux-4.16-p/drivers/char/Kconfig
---- linux-4.16/drivers/char/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/char/Kconfig 2018-04-12 15:57:20.817694353 +0200
+diff -Nur a/drivers/char/Kconfig b/drivers/char/Kconfig
+--- a/drivers/char/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/drivers/char/Kconfig 2018-05-22 19:56:23.697071805 +0100
@@ -9,7 +9,6 @@
config DEVMEM
@@ -587,129 +540,9 @@ diff -Naur linux-4.16/drivers/char/Kconfig linux-4.16-p/drivers/char/Kconfig
help
Say Y here if you want to support the /dev/port device. The /dev/port
device is similar to /dev/mem, but for I/O ports.
-diff -Naur linux-4.16/drivers/media/dvb-frontends/cx24116.c linux-4.16-p/drivers/media/dvb-frontends/cx24116.c
---- linux-4.16/drivers/media/dvb-frontends/cx24116.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/cx24116.c 2018-04-12 15:57:20.818694353 +0200
-@@ -1456,7 +1456,7 @@
- return cx24116_read_status(fe, status);
- }
-
--static int cx24116_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24116_get_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/cx24117.c linux-4.16-p/drivers/media/dvb-frontends/cx24117.c
---- linux-4.16/drivers/media/dvb-frontends/cx24117.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/cx24117.c 2018-04-12 15:57:20.818694353 +0200
-@@ -1555,7 +1555,7 @@
- return cx24117_read_status(fe, status);
- }
-
--static int cx24117_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24117_get_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/cx24120.c linux-4.16-p/drivers/media/dvb-frontends/cx24120.c
---- linux-4.16/drivers/media/dvb-frontends/cx24120.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/cx24120.c 2018-04-12 15:57:20.818694353 +0200
-@@ -1491,7 +1491,7 @@
- return cx24120_read_status(fe, status);
- }
-
--static int cx24120_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24120_get_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/cx24123.c linux-4.16-p/drivers/media/dvb-frontends/cx24123.c
---- linux-4.16/drivers/media/dvb-frontends/cx24123.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/cx24123.c 2018-04-12 15:57:20.819694353 +0200
-@@ -1005,7 +1005,7 @@
- return retval;
- }
-
--static int cx24123_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cx24123_get_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/cxd2820r_core.c linux-4.16-p/drivers/media/dvb-frontends/cxd2820r_core.c
---- linux-4.16/drivers/media/dvb-frontends/cxd2820r_core.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/cxd2820r_core.c 2018-04-12 15:57:20.819694353 +0200
-@@ -403,7 +403,7 @@
- return DVBFE_ALGO_SEARCH_ERROR;
- }
-
--static int cxd2820r_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo cxd2820r_get_frontend_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_CUSTOM;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/mb86a20s.c linux-4.16-p/drivers/media/dvb-frontends/mb86a20s.c
---- linux-4.16/drivers/media/dvb-frontends/mb86a20s.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/mb86a20s.c 2018-04-12 15:57:20.819694353 +0200
-@@ -2055,7 +2055,7 @@
- kfree(state);
- }
-
--static int mb86a20s_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo mb86a20s_get_frontend_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/dvb-frontends/s921.c linux-4.16-p/drivers/media/dvb-frontends/s921.c
---- linux-4.16/drivers/media/dvb-frontends/s921.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/dvb-frontends/s921.c 2018-04-12 15:57:20.819694353 +0200
-@@ -464,7 +464,7 @@
- return rc;
- }
-
--static int s921_get_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo s921_get_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/pci/bt8xx/dst.c linux-4.16-p/drivers/media/pci/bt8xx/dst.c
---- linux-4.16/drivers/media/pci/bt8xx/dst.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/pci/bt8xx/dst.c 2018-04-12 15:57:20.820694352 +0200
-@@ -1657,7 +1657,7 @@
- return 0;
- }
-
--static int dst_get_tuning_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo dst_get_tuning_algo(struct dvb_frontend *fe)
- {
- return dst_algo ? DVBFE_ALGO_HW : DVBFE_ALGO_SW;
- }
-diff -Naur linux-4.16/drivers/media/pci/pt1/va1j5jf8007s.c linux-4.16-p/drivers/media/pci/pt1/va1j5jf8007s.c
---- linux-4.16/drivers/media/pci/pt1/va1j5jf8007s.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/pci/pt1/va1j5jf8007s.c 2018-04-12 15:57:20.820694352 +0200
-@@ -98,7 +98,7 @@
- return 0;
- }
-
--static int va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/media/pci/pt1/va1j5jf8007t.c linux-4.16-p/drivers/media/pci/pt1/va1j5jf8007t.c
---- linux-4.16/drivers/media/pci/pt1/va1j5jf8007t.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/media/pci/pt1/va1j5jf8007t.c 2018-04-12 15:57:20.820694352 +0200
-@@ -88,7 +88,7 @@
- return 0;
- }
-
--static int va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe)
-+static enum dvbfe_algo va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe)
- {
- return DVBFE_ALGO_HW;
- }
-diff -Naur linux-4.16/drivers/tty/Kconfig linux-4.16-p/drivers/tty/Kconfig
---- linux-4.16/drivers/tty/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/tty/Kconfig 2018-04-12 15:57:20.820694352 +0200
+diff -Nur a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+--- a/drivers/tty/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/drivers/tty/Kconfig 2018-05-22 19:56:23.698071838 +0100
@@ -122,7 +122,6 @@
config LEGACY_PTYS
@@ -718,48 +551,9 @@ diff -Naur linux-4.16/drivers/tty/Kconfig linux-4.16-p/drivers/tty/Kconfig
---help---
A pseudo terminal (PTY) is a software device consisting of two
halves: a master and a slave. The slave device behaves identical to
-diff -Naur linux-4.16/drivers/tty/tty_io.c linux-4.16-p/drivers/tty/tty_io.c
---- linux-4.16/drivers/tty/tty_io.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/tty/tty_io.c 2018-04-12 15:57:20.820694352 +0200
-@@ -172,6 +172,7 @@
- put_device(tty->dev);
- kfree(tty->write_buf);
- tty->magic = 0xDEADDEAD;
-+ put_user_ns(tty->owner_user_ns);
- kfree(tty);
- }
-
-@@ -2155,11 +2156,19 @@
- * FIXME: may race normal receive processing
- */
-
-+int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
-+
- static int tiocsti(struct tty_struct *tty, char __user *p)
- {
- char ch, mbz = 0;
- struct tty_ldisc *ld;
-
-+ if (tiocsti_restrict &&
-+ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
-+ dev_warn_ratelimited(tty->dev,
-+ "Denied TIOCSTI ioctl for non-privileged process\n");
-+ return -EPERM;
-+ }
- if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
- return -EPERM;
- if (get_user(ch, p))
-@@ -2839,6 +2848,7 @@
- tty->index = idx;
- tty_line_name(driver, idx, tty->name);
- tty->dev = tty_get_device(tty);
-+ tty->owner_user_ns = get_user_ns(current_user_ns());
-
- return tty;
- }
-diff -Naur linux-4.16/drivers/usb/core/hub.c linux-4.16-p/drivers/usb/core/hub.c
---- linux-4.16/drivers/usb/core/hub.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/drivers/usb/core/hub.c 2018-04-12 15:57:20.821694352 +0200
+diff -Nur a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+--- a/drivers/usb/core/hub.c 2018-05-22 17:56:31.000000000 +0100
++++ b/drivers/usb/core/hub.c 2018-05-22 19:56:23.699071871 +0100
@@ -41,6 +41,8 @@
#define USB_TP_TRANSMISSION_DELAY 40 /* ns */
#define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */
@@ -769,7 +563,7 @@ diff -Naur linux-4.16/drivers/usb/core/hub.c linux-4.16-p/drivers/usb/core/hub.c
/* Protect struct usb_device->state and ->children members
* Note: Both are also protected by ->dev.sem, except that ->state can
* change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
-@@ -4839,6 +4841,12 @@
+@@ -4847,6 +4849,12 @@
goto done;
return;
}
@@ -782,9 +576,9 @@ diff -Naur linux-4.16/drivers/usb/core/hub.c linux-4.16-p/drivers/usb/core/hub.c
if (hub_is_superspeed(hub->hdev))
unit_load = 150;
else
-diff -Naur linux-4.16/fs/exec.c linux-4.16-p/fs/exec.c
---- linux-4.16/fs/exec.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/fs/exec.c 2018-04-12 15:57:20.822694352 +0200
+diff -Nur a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c 2018-05-22 17:56:31.000000000 +0100
++++ b/fs/exec.c 2018-05-22 19:56:23.699071871 +0100
@@ -62,6 +62,7 @@
#include <linux/oom.h>
#include <linux/compat.h>
@@ -802,10 +596,10 @@ diff -Naur linux-4.16/fs/exec.c linux-4.16-p/fs/exec.c
return 0;
err:
up_write(&mm->mmap_sem);
-diff -Naur linux-4.16/fs/namei.c linux-4.16-p/fs/namei.c
---- linux-4.16/fs/namei.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/fs/namei.c 2018-04-12 15:57:20.822694352 +0200
-@@ -882,8 +882,8 @@
+diff -Nur a/fs/namei.c b/fs/namei.c
+--- a/fs/namei.c 2018-05-22 17:56:31.000000000 +0100
++++ b/fs/namei.c 2018-05-22 19:56:23.700071903 +0100
+@@ -883,8 +883,8 @@
path_put(&last->link);
}
@@ -816,17 +610,17 @@ diff -Naur linux-4.16/fs/namei.c linux-4.16-p/fs/namei.c
/**
* may_follow_link - Check symlink following for unsafe situations
-diff -Naur linux-4.16/fs/nfs/Kconfig linux-4.16-p/fs/nfs/Kconfig
---- linux-4.16/fs/nfs/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/fs/nfs/Kconfig 2018-04-12 15:57:20.822694352 +0200
+diff -Nur a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+--- a/fs/nfs/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/fs/nfs/Kconfig 2018-05-22 19:56:23.700071903 +0100
@@ -195,4 +195,3 @@
bool
depends on NFS_FS && SUNRPC_DEBUG
select CRC32
- default y
-diff -Naur linux-4.16/fs/proc/Kconfig linux-4.16-p/fs/proc/Kconfig
---- linux-4.16/fs/proc/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/fs/proc/Kconfig 2018-04-12 15:57:20.822694352 +0200
+diff -Nur a/fs/proc/Kconfig b/fs/proc/Kconfig
+--- a/fs/proc/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/fs/proc/Kconfig 2018-05-22 19:56:23.700071903 +0100
@@ -39,7 +39,6 @@
config PROC_VMCORE
bool "/proc/vmcore support"
@@ -835,9 +629,9 @@ diff -Naur linux-4.16/fs/proc/Kconfig linux-4.16-p/fs/proc/Kconfig
help
Exports the dump image of crashed kernel in ELF format.
-diff -Naur linux-4.16/fs/stat.c linux-4.16-p/fs/stat.c
---- linux-4.16/fs/stat.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/fs/stat.c 2018-04-12 15:57:20.823694351 +0200
+diff -Nur a/fs/stat.c b/fs/stat.c
+--- a/fs/stat.c 2018-05-22 17:56:31.000000000 +0100
++++ b/fs/stat.c 2018-05-22 19:56:23.700071903 +0100
@@ -40,8 +40,13 @@
stat->gid = inode->i_gid;
stat->rdev = inode->i_rdev;
@@ -872,9 +666,9 @@ diff -Naur linux-4.16/fs/stat.c linux-4.16-p/fs/stat.c
generic_fillattr(inode, stat);
return 0;
-diff -Naur linux-4.16/include/linux/cache.h linux-4.16-p/include/linux/cache.h
---- linux-4.16/include/linux/cache.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/cache.h 2018-04-12 15:57:20.823694351 +0200
+diff -Nur a/include/linux/cache.h b/include/linux/cache.h
+--- a/include/linux/cache.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/cache.h 2018-05-22 19:56:23.700071903 +0100
@@ -31,6 +31,8 @@
#define __ro_after_init __attribute__((__section__(".data..ro_after_init")))
#endif
@@ -884,9 +678,9 @@ diff -Naur linux-4.16/include/linux/cache.h linux-4.16-p/include/linux/cache.h
#ifndef ____cacheline_aligned
#define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
#endif
-diff -Naur linux-4.16/include/linux/capability.h linux-4.16-p/include/linux/capability.h
---- linux-4.16/include/linux/capability.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/capability.h 2018-04-12 15:57:20.823694351 +0200
+diff -Nur a/include/linux/capability.h b/include/linux/capability.h
+--- a/include/linux/capability.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/capability.h 2018-05-22 19:56:23.700071903 +0100
@@ -207,6 +207,7 @@
extern bool has_ns_capability_noaudit(struct task_struct *t,
struct user_namespace *ns, int cap);
@@ -906,9 +700,9 @@ diff -Naur linux-4.16/include/linux/capability.h linux-4.16-p/include/linux/capa
static inline bool ns_capable(struct user_namespace *ns, int cap)
{
return true;
-diff -Naur linux-4.16/include/linux/fs.h linux-4.16-p/include/linux/fs.h
---- linux-4.16/include/linux/fs.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/fs.h 2018-04-12 15:57:20.823694351 +0200
+diff -Nur a/include/linux/fs.h b/include/linux/fs.h
+--- a/include/linux/fs.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/fs.h 2018-05-22 19:56:23.701071936 +0100
@@ -3407,4 +3407,15 @@
extern bool path_noexec(const struct path *path);
extern void inode_nohighmem(struct inode *inode);
@@ -925,9 +719,9 @@ diff -Naur linux-4.16/include/linux/fs.h linux-4.16-p/include/linux/fs.h
+}
+
#endif /* _LINUX_FS_H */
-diff -Naur linux-4.16/include/linux/fsnotify.h linux-4.16-p/include/linux/fsnotify.h
---- linux-4.16/include/linux/fsnotify.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/fsnotify.h 2018-04-12 15:57:20.823694351 +0200
+diff -Nur a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+--- a/include/linux/fsnotify.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/fsnotify.h 2018-05-22 19:56:23.701071936 +0100
@@ -181,6 +181,9 @@
struct inode *inode = path->dentry->d_inode;
__u32 mask = FS_ACCESS;
@@ -948,9 +742,9 @@ diff -Naur linux-4.16/include/linux/fsnotify.h linux-4.16-p/include/linux/fsnoti
if (S_ISDIR(inode->i_mode))
mask |= FS_ISDIR;
-diff -Naur linux-4.16/include/linux/gfp.h linux-4.16-p/include/linux/gfp.h
---- linux-4.16/include/linux/gfp.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/gfp.h 2018-04-12 15:57:20.824694351 +0200
+diff -Nur a/include/linux/gfp.h b/include/linux/gfp.h
+--- a/include/linux/gfp.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/gfp.h 2018-05-22 19:56:23.701071936 +0100
@@ -513,9 +513,9 @@
extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
extern unsigned long get_zeroed_page(gfp_t gfp_mask);
@@ -963,9 +757,9 @@ diff -Naur linux-4.16/include/linux/gfp.h linux-4.16-p/include/linux/gfp.h
#define __get_free_page(gfp_mask) \
__get_free_pages((gfp_mask), 0)
-diff -Naur linux-4.16/include/linux/highmem.h linux-4.16-p/include/linux/highmem.h
---- linux-4.16/include/linux/highmem.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/highmem.h 2018-04-12 15:57:20.824694351 +0200
+diff -Nur a/include/linux/highmem.h b/include/linux/highmem.h
+--- a/include/linux/highmem.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/highmem.h 2018-05-22 19:56:23.702071969 +0100
@@ -191,6 +191,13 @@
kunmap_atomic(kaddr);
}
@@ -980,9 +774,9 @@ diff -Naur linux-4.16/include/linux/highmem.h linux-4.16-p/include/linux/highmem
static inline void zero_user_segments(struct page *page,
unsigned start1, unsigned end1,
unsigned start2, unsigned end2)
-diff -Naur linux-4.16/include/linux/interrupt.h linux-4.16-p/include/linux/interrupt.h
---- linux-4.16/include/linux/interrupt.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/interrupt.h 2018-04-12 15:57:20.824694351 +0200
+diff -Nur a/include/linux/interrupt.h b/include/linux/interrupt.h
+--- a/include/linux/interrupt.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/interrupt.h 2018-05-22 19:56:23.702071969 +0100
@@ -485,7 +485,7 @@
struct softirq_action
@@ -1001,9 +795,9 @@ diff -Naur linux-4.16/include/linux/interrupt.h linux-4.16-p/include/linux/inter
extern void softirq_init(void);
extern void __raise_softirq_irqoff(unsigned int nr);
-diff -Naur linux-4.16/include/linux/kobject_ns.h linux-4.16-p/include/linux/kobject_ns.h
---- linux-4.16/include/linux/kobject_ns.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/kobject_ns.h 2018-04-12 15:57:20.824694351 +0200
+diff -Nur a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+--- a/include/linux/kobject_ns.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/kobject_ns.h 2018-05-22 19:56:23.702071969 +0100
@@ -45,7 +45,7 @@
void (*drop_ns)(void *);
};
@@ -1013,9 +807,9 @@ diff -Naur linux-4.16/include/linux/kobject_ns.h linux-4.16-p/include/linux/kobj
int kobj_ns_type_registered(enum kobj_ns_type type);
const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
-diff -Naur linux-4.16/include/linux/mm.h linux-4.16-p/include/linux/mm.h
---- linux-4.16/include/linux/mm.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/mm.h 2018-04-12 15:57:20.824694351 +0200
+diff -Nur a/include/linux/mm.h b/include/linux/mm.h
+--- a/include/linux/mm.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/mm.h 2018-05-22 19:56:23.702071969 +0100
@@ -535,7 +535,7 @@
}
#endif
@@ -1025,9 +819,9 @@ diff -Naur linux-4.16/include/linux/mm.h linux-4.16-p/include/linux/mm.h
static inline void *kvmalloc(size_t size, gfp_t flags)
{
return kvmalloc_node(size, flags, NUMA_NO_NODE);
-diff -Naur linux-4.16/include/linux/percpu.h linux-4.16-p/include/linux/percpu.h
---- linux-4.16/include/linux/percpu.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/percpu.h 2018-04-12 15:57:20.825694351 +0200
+diff -Nur a/include/linux/percpu.h b/include/linux/percpu.h
+--- a/include/linux/percpu.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/percpu.h 2018-05-22 19:56:23.702071969 +0100
@@ -129,7 +129,7 @@
pcpu_fc_populate_pte_fn_t populate_pte_fn);
#endif
@@ -1048,9 +842,9 @@ diff -Naur linux-4.16/include/linux/percpu.h linux-4.16-p/include/linux/percpu.h
extern void free_percpu(void __percpu *__pdata);
extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
-diff -Naur linux-4.16/include/linux/perf_event.h linux-4.16-p/include/linux/perf_event.h
---- linux-4.16/include/linux/perf_event.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/perf_event.h 2018-04-12 15:57:20.825694351 +0200
+diff -Nur a/include/linux/perf_event.h b/include/linux/perf_event.h
+--- a/include/linux/perf_event.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/perf_event.h 2018-05-22 19:56:23.703072002 +0100
@@ -1151,6 +1151,11 @@
int perf_event_max_stack_handler(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
@@ -1063,9 +857,9 @@ diff -Naur linux-4.16/include/linux/perf_event.h linux-4.16-p/include/linux/perf
static inline bool perf_paranoid_tracepoint_raw(void)
{
return sysctl_perf_event_paranoid > -1;
-diff -Naur linux-4.16/include/linux/slab.h linux-4.16-p/include/linux/slab.h
---- linux-4.16/include/linux/slab.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/slab.h 2018-04-12 15:57:20.825694351 +0200
+diff -Nur a/include/linux/slab.h b/include/linux/slab.h
+--- a/include/linux/slab.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/slab.h 2018-05-22 19:56:23.703072002 +0100
@@ -177,8 +177,8 @@
/*
* Common kmalloc functions provided by all allocators
@@ -1113,9 +907,9 @@ diff -Naur linux-4.16/include/linux/slab.h linux-4.16-p/include/linux/slab.h
{
#ifndef CONFIG_SLOB
if (__builtin_constant_p(size) &&
-diff -Naur linux-4.16/include/linux/slub_def.h linux-4.16-p/include/linux/slub_def.h
---- linux-4.16/include/linux/slub_def.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/slub_def.h 2018-04-12 15:57:20.825694351 +0200
+diff -Nur a/include/linux/slub_def.h b/include/linux/slub_def.h
+--- a/include/linux/slub_def.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/slub_def.h 2018-05-22 19:56:23.703072002 +0100
@@ -120,6 +120,11 @@
unsigned long random;
#endif
@@ -1128,9 +922,9 @@ diff -Naur linux-4.16/include/linux/slub_def.h linux-4.16-p/include/linux/slub_d
#ifdef CONFIG_NUMA
/*
* Defragmentation by allocating from a remote node.
-diff -Naur linux-4.16/include/linux/string.h linux-4.16-p/include/linux/string.h
---- linux-4.16/include/linux/string.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/string.h 2018-04-12 15:57:20.825694351 +0200
+diff -Nur a/include/linux/string.h b/include/linux/string.h
+--- a/include/linux/string.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/string.h 2018-05-22 19:56:23.703072002 +0100
@@ -235,10 +235,16 @@
void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
@@ -1209,37 +1003,9 @@ diff -Naur linux-4.16/include/linux/string.h linux-4.16-p/include/linux/string.h
if (p_size == (size_t)-1 && q_size == (size_t)-1)
return __builtin_strcpy(p, q);
memcpy(p, q, strlen(q) + 1);
-diff -Naur linux-4.16/include/linux/tty.h linux-4.16-p/include/linux/tty.h
---- linux-4.16/include/linux/tty.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/tty.h 2018-04-12 15:57:20.825694351 +0200
-@@ -13,6 +13,7 @@
- #include <uapi/linux/tty.h>
- #include <linux/rwsem.h>
- #include <linux/llist.h>
-+#include <linux/user_namespace.h>
-
-
- /*
-@@ -335,6 +336,7 @@
- /* If the tty has a pending do_SAK, queue it here - akpm */
- struct work_struct SAK_work;
- struct tty_port *port;
-+ struct user_namespace *owner_user_ns;
- } __randomize_layout;
-
- /* Each of a tty's open files has private_data pointing to tty_file_private */
-@@ -344,6 +346,8 @@
- struct list_head list;
- };
-
-+extern int tiocsti_restrict;
-+
- /* tty magic number */
- #define TTY_MAGIC 0x5401
-
-diff -Naur linux-4.16/include/linux/vmalloc.h linux-4.16-p/include/linux/vmalloc.h
---- linux-4.16/include/linux/vmalloc.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/include/linux/vmalloc.h 2018-04-12 15:57:20.826694350 +0200
+diff -Nur a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+--- a/include/linux/vmalloc.h 2018-05-22 17:56:31.000000000 +0100
++++ b/include/linux/vmalloc.h 2018-05-22 19:56:23.703072002 +0100
@@ -68,19 +68,19 @@
}
#endif
@@ -1270,9 +1036,9 @@ diff -Naur linux-4.16/include/linux/vmalloc.h linux-4.16-p/include/linux/vmalloc
#ifndef CONFIG_MMU
extern void *__vmalloc_node_flags(unsigned long size, int node, gfp_t flags);
static inline void *__vmalloc_node_flags_caller(unsigned long size, int node,
-diff -Naur linux-4.16/init/Kconfig linux-4.16-p/init/Kconfig
---- linux-4.16/init/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/init/Kconfig 2018-04-12 15:57:20.826694350 +0200
+diff -Nur a/init/Kconfig b/init/Kconfig
+--- a/init/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/init/Kconfig 2018-05-22 19:56:23.704072035 +0100
@@ -296,6 +296,7 @@
config AUDIT
bool "Auditing support"
@@ -1397,9 +1163,9 @@ diff -Naur linux-4.16/init/Kconfig linux-4.16-p/init/Kconfig
config SLUB_CPU_PARTIAL
default y
depends on SLUB && SMP
-diff -Naur linux-4.16/kernel/audit.c linux-4.16-p/kernel/audit.c
---- linux-4.16/kernel/audit.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/audit.c 2018-04-12 15:57:20.826694350 +0200
+diff -Nur a/kernel/audit.c b/kernel/audit.c
+--- a/kernel/audit.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/audit.c 2018-05-22 19:56:23.704072035 +0100
@@ -1578,6 +1578,9 @@
if (audit_default == AUDIT_OFF)
@@ -1410,9 +1176,33 @@ diff -Naur linux-4.16/kernel/audit.c linux-4.16-p/kernel/audit.c
if (audit_set_enabled(audit_default))
panic("audit: error setting audit state (%d)\n", audit_default);
-diff -Naur linux-4.16/kernel/capability.c linux-4.16-p/kernel/capability.c
---- linux-4.16/kernel/capability.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/capability.c 2018-04-12 15:57:20.826694350 +0200
+diff -Nur a/kernel/bpf/core.c b/kernel/bpf/core.c
+--- a/kernel/bpf/core.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/bpf/core.c 2018-05-22 19:56:23.705072067 +0100
+@@ -302,7 +302,7 @@
+ #ifdef CONFIG_BPF_JIT
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ int bpf_jit_kallsyms __read_mostly;
+
+ static __always_inline void
+diff -Nur a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+--- a/kernel/bpf/syscall.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/bpf/syscall.c 2018-05-22 19:56:23.705072067 +0100
+@@ -42,7 +42,7 @@
+ static DEFINE_IDR(map_idr);
+ static DEFINE_SPINLOCK(map_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _ops)
+diff -Nur a/kernel/capability.c b/kernel/capability.c
+--- a/kernel/capability.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/capability.c 2018-05-22 19:56:23.705072067 +0100
@@ -431,6 +431,12 @@
return ns_capable(&init_user_ns, cap);
}
@@ -1426,9 +1216,9 @@ diff -Naur linux-4.16/kernel/capability.c linux-4.16-p/kernel/capability.c
#endif /* CONFIG_MULTIUSER */
/**
-diff -Naur linux-4.16/kernel/events/core.c linux-4.16-p/kernel/events/core.c
---- linux-4.16/kernel/events/core.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/events/core.c 2018-04-12 15:57:20.828694350 +0200
+diff -Nur a/kernel/events/core.c b/kernel/events/core.c
+--- a/kernel/events/core.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/events/core.c 2018-05-22 19:56:23.707072133 +0100
@@ -397,8 +397,13 @@
* 0 - disallow raw tracepoint access for unpriv
* 1 - disallow cpu events for unpriv
@@ -1443,7 +1233,7 @@ diff -Naur linux-4.16/kernel/events/core.c linux-4.16-p/kernel/events/core.c
/* Minimum for 512 kiB + 1 user control page */
int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
-@@ -9915,6 +9920,9 @@
+@@ -9921,6 +9926,9 @@
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
@@ -1453,9 +1243,9 @@ diff -Naur linux-4.16/kernel/events/core.c linux-4.16-p/kernel/events/core.c
err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
-diff -Naur linux-4.16/kernel/fork.c linux-4.16-p/kernel/fork.c
---- linux-4.16/kernel/fork.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/fork.c 2018-04-12 15:57:20.828694350 +0200
+diff -Nur a/kernel/fork.c b/kernel/fork.c
+--- a/kernel/fork.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/fork.c 2018-05-22 19:56:23.708072166 +0100
@@ -103,6 +103,11 @@
#define CREATE_TRACE_POINTS
@@ -1492,9 +1282,9 @@ diff -Naur linux-4.16/kernel/fork.c linux-4.16-p/kernel/fork.c
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
-diff -Naur linux-4.16/kernel/power/snapshot.c linux-4.16-p/kernel/power/snapshot.c
---- linux-4.16/kernel/power/snapshot.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/power/snapshot.c 2018-04-12 15:57:20.828694350 +0200
+diff -Nur a/kernel/power/snapshot.c b/kernel/power/snapshot.c
+--- a/kernel/power/snapshot.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/power/snapshot.c 2018-05-22 19:56:23.708072166 +0100
@@ -1138,7 +1138,7 @@
void clear_free_pages(void)
@@ -1513,9 +1303,9 @@ diff -Naur linux-4.16/kernel/power/snapshot.c linux-4.16-p/kernel/power/snapshot
}
/**
-diff -Naur linux-4.16/kernel/rcu/tiny.c linux-4.16-p/kernel/rcu/tiny.c
---- linux-4.16/kernel/rcu/tiny.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/rcu/tiny.c 2018-04-12 15:57:20.829694349 +0200
+diff -Nur a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+--- a/kernel/rcu/tiny.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/rcu/tiny.c 2018-05-22 19:56:23.708072166 +0100
@@ -164,7 +164,7 @@
}
}
@@ -1525,9 +1315,9 @@ diff -Naur linux-4.16/kernel/rcu/tiny.c linux-4.16-p/kernel/rcu/tiny.c
{
__rcu_process_callbacks(&rcu_sched_ctrlblk);
__rcu_process_callbacks(&rcu_bh_ctrlblk);
-diff -Naur linux-4.16/kernel/rcu/tree.c linux-4.16-p/kernel/rcu/tree.c
---- linux-4.16/kernel/rcu/tree.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/rcu/tree.c 2018-04-12 15:57:20.829694349 +0200
+diff -Nur a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+--- a/kernel/rcu/tree.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/rcu/tree.c 2018-05-22 19:56:23.709072199 +0100
@@ -2906,7 +2906,7 @@
/*
* Do RCU core processing for the current CPU.
@@ -1537,9 +1327,9 @@ diff -Naur linux-4.16/kernel/rcu/tree.c linux-4.16-p/kernel/rcu/tree.c
{
struct rcu_state *rsp;
-diff -Naur linux-4.16/kernel/sched/fair.c linux-4.16-p/kernel/sched/fair.c
---- linux-4.16/kernel/sched/fair.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/sched/fair.c 2018-04-12 15:57:20.830694349 +0200
+diff -Nur a/kernel/sched/fair.c b/kernel/sched/fair.c
+--- a/kernel/sched/fair.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/sched/fair.c 2018-05-22 19:56:23.711072264 +0100
@@ -9387,7 +9387,7 @@
* run_rebalance_domains is triggered when needed from the scheduler tick.
* Also triggered for nohz idle balancing (with nohz_balancing_kick set).
@@ -1549,9 +1339,9 @@ diff -Naur linux-4.16/kernel/sched/fair.c linux-4.16-p/kernel/sched/fair.c
{
struct rq *this_rq = this_rq();
enum cpu_idle_type idle = this_rq->idle_balance ?
-diff -Naur linux-4.16/kernel/softirq.c linux-4.16-p/kernel/softirq.c
---- linux-4.16/kernel/softirq.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/softirq.c 2018-04-12 15:57:20.830694349 +0200
+diff -Nur a/kernel/softirq.c b/kernel/softirq.c
+--- a/kernel/softirq.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/softirq.c 2018-05-22 19:56:23.711072264 +0100
@@ -53,7 +53,7 @@
EXPORT_SYMBOL(irq_stat);
#endif
@@ -1597,18 +1387,10 @@ diff -Naur linux-4.16/kernel/softirq.c linux-4.16-p/kernel/softirq.c
{
struct tasklet_struct *list;
-diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
---- linux-4.16/kernel/sysctl.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/sysctl.c 2018-04-12 15:57:20.831694349 +0200
-@@ -67,6 +67,7 @@
- #include <linux/bpf.h>
- #include <linux/mount.h>
- #include <linux/pipe_fs_i.h>
-+#include <linux/tty.h>
-
- #include <linux/uaccess.h>
- #include <asm/processor.h>
-@@ -99,12 +100,19 @@
+diff -Nur a/kernel/sysctl.c b/kernel/sysctl.c
+--- a/kernel/sysctl.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/sysctl.c 2018-05-22 19:56:23.711072264 +0100
+@@ -99,12 +99,19 @@
#if defined(CONFIG_SYSCTL)
/* External variables not in a header file. */
@@ -1628,7 +1410,7 @@ diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -116,40 +124,43 @@
+@@ -116,40 +123,43 @@
/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
@@ -1687,7 +1469,7 @@ diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
#ifdef CONFIG_INOTIFY_USER
#include <linux/inotify.h>
#endif
-@@ -289,19 +300,19 @@
+@@ -289,19 +299,19 @@
};
#ifdef CONFIG_SCHED_DEBUG
@@ -1715,7 +1497,7 @@ diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
#endif
static struct ctl_table kern_table[] = {
-@@ -515,6 +526,15 @@
+@@ -515,6 +525,15 @@
.proc_handler = proc_dointvec,
},
#endif
@@ -1731,22 +1513,10 @@ diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
-@@ -857,6 +877,37 @@
- .extra2 = &two,
+@@ -858,6 +877,26 @@
},
#endif
-+#if defined CONFIG_TTY
-+ {
-+ .procname = "tiocsti_restrict",
-+ .data = &tiocsti_restrict,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = proc_dointvec_minmax_sysadmin,
-+ .extra1 = &zero,
-+ .extra2 = &one,
-+ },
-+#endif
-+ {
+ {
+ .procname = "device_sidechannel_restrict",
+ .data = &device_sidechannel_restrict,
+ .maxlen = sizeof(int),
@@ -1766,12 +1536,13 @@ diff -Naur linux-4.16/kernel/sysctl.c linux-4.16-p/kernel/sysctl.c
+ .extra2 = &one,
+ },
+#endif
- {
++ {
.procname = "ngroups_max",
.data = &ngroups_max,
-diff -Naur linux-4.16/kernel/time/hrtimer.c linux-4.16-p/kernel/time/hrtimer.c
---- linux-4.16/kernel/time/hrtimer.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/time/hrtimer.c 2018-04-12 15:57:40.443687638 +0200
+ .maxlen = sizeof (int),
+diff -Nur a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+--- a/kernel/time/hrtimer.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/time/hrtimer.c 2018-05-22 19:56:23.712072297 +0100
@@ -1413,7 +1413,7 @@
}
}
@@ -1781,9 +1552,9 @@ diff -Naur linux-4.16/kernel/time/hrtimer.c linux-4.16-p/kernel/time/hrtimer.c
{
struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
unsigned long flags;
-diff -Naur linux-4.16/kernel/time/timer.c linux-4.16-p/kernel/time/timer.c
---- linux-4.16/kernel/time/timer.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/time/timer.c 2018-04-12 15:57:20.831694349 +0200
+diff -Nur a/kernel/time/timer.c b/kernel/time/timer.c
+--- a/kernel/time/timer.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/time/timer.c 2018-05-22 19:56:23.712072297 +0100
@@ -1672,7 +1672,7 @@
/*
* This function runs timers and the timer-tq in bottom half context.
@@ -1793,9 +1564,9 @@ diff -Naur linux-4.16/kernel/time/timer.c linux-4.16-p/kernel/time/timer.c
{
struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
-diff -Naur linux-4.16/kernel/user_namespace.c linux-4.16-p/kernel/user_namespace.c
---- linux-4.16/kernel/user_namespace.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/kernel/user_namespace.c 2018-04-12 15:57:20.831694349 +0200
+diff -Nur a/kernel/user_namespace.c b/kernel/user_namespace.c
+--- a/kernel/user_namespace.c 2018-05-22 17:56:31.000000000 +0100
++++ b/kernel/user_namespace.c 2018-05-22 19:56:23.713072330 +0100
@@ -26,6 +26,9 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
@@ -1806,9 +1577,9 @@ diff -Naur linux-4.16/kernel/user_namespace.c linux-4.16-p/kernel/user_namespace
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
-diff -Naur linux-4.16/lib/irq_poll.c linux-4.16-p/lib/irq_poll.c
---- linux-4.16/lib/irq_poll.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/lib/irq_poll.c 2018-04-12 15:57:20.831694349 +0200
+diff -Nur a/lib/irq_poll.c b/lib/irq_poll.c
+--- a/lib/irq_poll.c 2018-05-22 17:56:31.000000000 +0100
++++ b/lib/irq_poll.c 2018-05-22 19:56:23.713072330 +0100
@@ -75,7 +75,7 @@
}
EXPORT_SYMBOL(irq_poll_complete);
@@ -1818,9 +1589,9 @@ diff -Naur linux-4.16/lib/irq_poll.c linux-4.16-p/lib/irq_poll.c
{
struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
int rearm = 0, budget = irq_poll_budget;
-diff -Naur linux-4.16/lib/Kconfig.debug linux-4.16-p/lib/Kconfig.debug
---- linux-4.16/lib/Kconfig.debug 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/lib/Kconfig.debug 2018-04-12 15:57:20.832694348 +0200
+diff -Nur a/lib/Kconfig.debug b/lib/Kconfig.debug
+--- a/lib/Kconfig.debug 2018-05-22 17:56:31.000000000 +0100
++++ b/lib/Kconfig.debug 2018-05-22 19:56:23.713072330 +0100
@@ -945,6 +945,7 @@
config PANIC_ON_OOPS
@@ -1862,10 +1633,10 @@ diff -Naur linux-4.16/lib/Kconfig.debug linux-4.16-p/lib/Kconfig.debug
---help---
If this option is disabled, you allow userspace (root) access to all
io-memory regardless of whether a driver is actively using that
-diff -Naur linux-4.16/lib/kobject.c linux-4.16-p/lib/kobject.c
---- linux-4.16/lib/kobject.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/lib/kobject.c 2018-04-12 15:57:20.832694348 +0200
-@@ -956,9 +956,9 @@
+diff -Nur a/lib/kobject.c b/lib/kobject.c
+--- a/lib/kobject.c 2018-05-22 17:56:31.000000000 +0100
++++ b/lib/kobject.c 2018-05-22 19:56:23.713072330 +0100
+@@ -954,9 +954,9 @@
static DEFINE_SPINLOCK(kobj_ns_type_lock);
@@ -1877,9 +1648,9 @@ diff -Naur linux-4.16/lib/kobject.c linux-4.16-p/lib/kobject.c
{
enum kobj_ns_type type = ops->type;
int error;
-diff -Naur linux-4.16/lib/nlattr.c linux-4.16-p/lib/nlattr.c
---- linux-4.16/lib/nlattr.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/lib/nlattr.c 2018-04-12 15:57:20.832694348 +0200
+diff -Nur a/lib/nlattr.c b/lib/nlattr.c
+--- a/lib/nlattr.c 2018-05-22 17:56:31.000000000 +0100
++++ b/lib/nlattr.c 2018-05-22 19:56:23.714072363 +0100
@@ -364,6 +364,8 @@
{
int minlen = min_t(int, count, nla_len(src));
@@ -1889,9 +1660,9 @@ diff -Naur linux-4.16/lib/nlattr.c linux-4.16-p/lib/nlattr.c
memcpy(dest, nla_data(src), minlen);
if (count > minlen)
memset(dest + minlen, 0, count - minlen);
-diff -Naur linux-4.16/lib/vsprintf.c linux-4.16-p/lib/vsprintf.c
---- linux-4.16/lib/vsprintf.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/lib/vsprintf.c 2018-04-12 15:57:20.832694348 +0200
+diff -Nur a/lib/vsprintf.c b/lib/vsprintf.c
+--- a/lib/vsprintf.c 2018-05-22 17:56:31.000000000 +0100
++++ b/lib/vsprintf.c 2018-05-22 19:56:23.714072363 +0100
@@ -1344,7 +1344,7 @@
return string(buf, end, uuid, spec);
}
@@ -1901,9 +1672,9 @@ diff -Naur linux-4.16/lib/vsprintf.c linux-4.16-p/lib/vsprintf.c
static noinline_for_stack
char *restricted_pointer(char *buf, char *end, const void *ptr,
-diff -Naur linux-4.16/Makefile linux-4.16-p/Makefile
---- linux-4.16/Makefile 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/Makefile 2018-04-12 15:57:20.833694348 +0200
+diff -Nur a/Makefile b/Makefile
+--- a/Makefile 2018-05-22 17:56:31.000000000 +0100
++++ b/Makefile 2018-05-22 19:56:23.692071641 +0100
@@ -734,6 +734,9 @@
endif
@@ -1914,9 +1685,9 @@ diff -Naur linux-4.16/Makefile linux-4.16-p/Makefile
KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,)
KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier)
KBUILD_CFLAGS += $(call cc-disable-warning, gnu)
-diff -Naur linux-4.16/mm/Kconfig linux-4.16-p/mm/Kconfig
---- linux-4.16/mm/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/Kconfig 2018-04-12 15:57:20.833694348 +0200
+diff -Nur a/mm/Kconfig b/mm/Kconfig
+--- a/mm/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/Kconfig 2018-05-22 19:56:23.714072363 +0100
@@ -319,7 +319,8 @@
config DEFAULT_MMAP_MIN_ADDR
int "Low address space to protect from user allocation"
@@ -1927,9 +1698,9 @@ diff -Naur linux-4.16/mm/Kconfig linux-4.16-p/mm/Kconfig
help
This is the portion of low virtual memory which should be protected
from userspace allocation. Keeping a user from writing to low pages
-diff -Naur linux-4.16/mm/mmap.c linux-4.16-p/mm/mmap.c
---- linux-4.16/mm/mmap.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/mmap.c 2018-04-12 15:57:20.833694348 +0200
+diff -Nur a/mm/mmap.c b/mm/mmap.c
+--- a/mm/mmap.c 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/mmap.c 2018-05-22 19:56:23.715072396 +0100
@@ -220,6 +220,13 @@
newbrk = PAGE_ALIGN(brk);
@@ -1944,9 +1715,9 @@ diff -Naur linux-4.16/mm/mmap.c linux-4.16-p/mm/mmap.c
if (oldbrk == newbrk)
goto set_brk;
-diff -Naur linux-4.16/mm/page_alloc.c linux-4.16-p/mm/page_alloc.c
---- linux-4.16/mm/page_alloc.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/page_alloc.c 2018-04-12 15:57:20.834694348 +0200
+diff -Nur a/mm/page_alloc.c b/mm/page_alloc.c
+--- a/mm/page_alloc.c 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/page_alloc.c 2018-05-22 19:56:23.716072429 +0100
@@ -68,6 +68,7 @@
#include <linux/ftrace.h>
#include <linux/lockdep.h>
@@ -2030,9 +1801,9 @@ diff -Naur linux-4.16/mm/page_alloc.c linux-4.16-p/mm/page_alloc.c
if (!free_pages_prezeroed() && (gfp_flags & __GFP_ZERO))
for (i = 0; i < (1 << order); i++)
clear_highpage(page + i);
-diff -Naur linux-4.16/mm/slab_common.c linux-4.16-p/mm/slab_common.c
---- linux-4.16/mm/slab_common.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/slab_common.c 2018-04-12 15:57:20.834694348 +0200
+diff -Nur a/mm/slab_common.c b/mm/slab_common.c
+--- a/mm/slab_common.c 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/slab_common.c 2018-05-22 19:56:23.717072461 +0100
@@ -26,10 +26,10 @@
#include "slab.h"
@@ -2064,9 +1835,9 @@ diff -Naur linux-4.16/mm/slab_common.c linux-4.16-p/mm/slab_common.c
3, /* 8 */
4, /* 16 */
5, /* 24 */
-diff -Naur linux-4.16/mm/slab.h linux-4.16-p/mm/slab.h
---- linux-4.16/mm/slab.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/slab.h 2018-04-12 15:57:20.835694347 +0200
+diff -Nur a/mm/slab.h b/mm/slab.h
+--- a/mm/slab.h 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/slab.h 2018-05-22 19:56:23.717072461 +0100
@@ -312,7 +312,11 @@
static inline bool slab_equal_or_root(struct kmem_cache *s,
struct kmem_cache *p)
@@ -2116,9 +1887,9 @@ diff -Naur linux-4.16/mm/slab.h linux-4.16-p/mm/slab.h
return s->inuse;
/*
* Else we can use all the padding etc for the allocation
-diff -Naur linux-4.16/mm/slub.c linux-4.16-p/mm/slub.c
---- linux-4.16/mm/slub.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/slub.c 2018-04-12 15:57:20.835694347 +0200
+diff -Nur a/mm/slub.c b/mm/slub.c
+--- a/mm/slub.c 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/slub.c 2018-05-22 19:56:23.718072494 +0100
@@ -125,6 +125,16 @@
#endif
}
@@ -2394,9 +2165,9 @@ diff -Naur linux-4.16/mm/slub.c linux-4.16-p/mm/slub.c
static int __init setup_slub_memcg_sysfs(char *str)
{
-diff -Naur linux-4.16/mm/swap.c linux-4.16-p/mm/swap.c
---- linux-4.16/mm/swap.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/mm/swap.c 2018-04-12 15:57:20.836694347 +0200
+diff -Nur a/mm/swap.c b/mm/swap.c
+--- a/mm/swap.c 2018-05-22 17:56:31.000000000 +0100
++++ b/mm/swap.c 2018-05-22 19:56:23.718072494 +0100
@@ -92,6 +92,13 @@
if (!PageHuge(page))
__page_cache_release(page);
@@ -2411,9 +2182,9 @@ diff -Naur linux-4.16/mm/swap.c linux-4.16-p/mm/swap.c
(*dtor)(page);
}
-diff -Naur linux-4.16/net/core/dev.c linux-4.16-p/net/core/dev.c
---- linux-4.16/net/core/dev.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/net/core/dev.c 2018-04-12 15:57:20.837694346 +0200
+diff -Nur a/net/core/dev.c b/net/core/dev.c
+--- a/net/core/dev.c 2018-05-22 17:56:31.000000000 +0100
++++ b/net/core/dev.c 2018-05-22 19:56:23.720072560 +0100
@@ -4196,7 +4196,7 @@
}
EXPORT_SYMBOL(netif_rx_ni);
@@ -2432,9 +2203,9 @@ diff -Naur linux-4.16/net/core/dev.c linux-4.16-p/net/core/dev.c
{
struct softnet_data *sd = this_cpu_ptr(&softnet_data);
unsigned long time_limit = jiffies +
-diff -Naur linux-4.16/net/ipv4/Kconfig linux-4.16-p/net/ipv4/Kconfig
---- linux-4.16/net/ipv4/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/net/ipv4/Kconfig 2018-04-12 15:57:20.837694346 +0200
+diff -Nur a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+--- a/net/ipv4/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/net/ipv4/Kconfig 2018-05-22 19:56:23.720072560 +0100
@@ -261,6 +261,7 @@
config SYN_COOKIES
@@ -2443,9 +2214,9 @@ diff -Naur linux-4.16/net/ipv4/Kconfig linux-4.16-p/net/ipv4/Kconfig
---help---
Normal TCP/IP networking is open to an attack known as "SYN
flooding". This denial-of-service attack prevents legitimate remote
-diff -Naur linux-4.16/scripts/mod/modpost.c linux-4.16-p/scripts/mod/modpost.c
---- linux-4.16/scripts/mod/modpost.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/scripts/mod/modpost.c 2018-04-12 15:57:20.837694346 +0200
+diff -Nur a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+--- a/scripts/mod/modpost.c 2018-05-22 17:56:31.000000000 +0100
++++ b/scripts/mod/modpost.c 2018-05-22 19:56:23.721072593 +0100
@@ -37,6 +37,7 @@
static int warn_unresolved = 0;
/* How a symbol is exported */
@@ -2531,9 +2302,9 @@ diff -Naur linux-4.16/scripts/mod/modpost.c linux-4.16-p/scripts/mod/modpost.c
return err;
}
-diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
---- linux-4.16/security/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/security/Kconfig 2018-04-12 15:57:20.837694346 +0200
+diff -Nur a/security/Kconfig b/security/Kconfig
+--- a/security/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/security/Kconfig 2018-05-22 19:56:23.721072593 +0100
@@ -8,7 +8,7 @@
config SECURITY_DMESG_RESTRICT
@@ -2543,7 +2314,7 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
help
This enforces restrictions on unprivileged users reading the kernel
syslog via dmesg(8).
-@@ -18,10 +18,34 @@
+@@ -18,10 +18,21 @@
If you are unsure how to answer this question, answer N.
@@ -2557,19 +2328,6 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
-+config SECURITY_TIOCSTI_RESTRICT
-+ bool "Restrict unprivileged use of tiocsti command injection"
-+ default y
-+ help
-+ This enforces restrictions on unprivileged users injecting commands
-+ into other processes which share a tty session using the TIOCSTI
-+ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
-+
-+ If this option is not selected, no restrictions will be enforced
-+ unless the tiocsti_restrict sysctl is explicitly set to (1).
-+
-+ If you are unsure how to answer this question, answer N.
-+
config SECURITY
bool "Enable different security models"
depends on SYSFS
@@ -2578,7 +2336,7 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
help
This allows you to choose different security modules to be
configured into your kernel.
-@@ -48,6 +72,7 @@
+@@ -48,6 +59,7 @@
config SECURITY_NETWORK
bool "Socket and Networking Security Hooks"
depends on SECURITY
@@ -2586,7 +2344,7 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
help
This enables the socket and networking security hooks.
If enabled, a security module can use these hooks to
-@@ -155,6 +180,7 @@
+@@ -155,6 +167,7 @@
depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
select BUG
imply STRICT_DEVMEM
@@ -2594,7 +2352,15 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
help
This option checks for obviously wrong memory regions when
copying memory to/from the kernel (via copy_to_user() and
-@@ -192,10 +218,36 @@
+@@ -167,7 +180,6 @@
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+@@ -192,10 +204,36 @@
config FORTIFY_SOURCE
bool "Harden common str/mem functions against buffer overflows"
depends on ARCH_HAS_FORTIFY_SOURCE
@@ -2631,9 +2397,9 @@ diff -Naur linux-4.16/security/Kconfig linux-4.16-p/security/Kconfig
config STATIC_USERMODEHELPER
bool "Force all usermode helper calls through a single binary"
help
-diff -Naur linux-4.16/security/selinux/include/objsec.h linux-4.16-p/security/selinux/include/objsec.h
---- linux-4.16/security/selinux/include/objsec.h 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/security/selinux/include/objsec.h 2018-04-12 15:57:20.837694346 +0200
+diff -Nur a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
+--- a/security/selinux/include/objsec.h 2018-05-22 17:56:31.000000000 +0100
++++ b/security/selinux/include/objsec.h 2018-05-22 19:56:23.721072593 +0100
@@ -154,6 +154,6 @@
u32 sid; /*SID of bpf obj creater*/
};
@@ -2642,9 +2408,9 @@ diff -Naur linux-4.16/security/selinux/include/objsec.h linux-4.16-p/security/se
+extern const unsigned int selinux_checkreqprot;
#endif /* _SELINUX_OBJSEC_H_ */
-diff -Naur linux-4.16/security/selinux/Kconfig linux-4.16-p/security/selinux/Kconfig
---- linux-4.16/security/selinux/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/security/selinux/Kconfig 2018-04-12 15:57:20.838694346 +0200
+diff -Nur a/security/selinux/Kconfig b/security/selinux/Kconfig
+--- a/security/selinux/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/security/selinux/Kconfig 2018-05-22 19:56:23.721072593 +0100
@@ -2,7 +2,7 @@
bool "NSA SELinux Support"
depends on SECURITY_NETWORK && AUDIT && NET && INET
@@ -2678,9 +2444,9 @@ diff -Naur linux-4.16/security/selinux/Kconfig linux-4.16-p/security/selinux/Kco
- via /selinux/checkreqprot if authorized by policy.
-
- If you are unsure how to answer this question, answer 0.
-diff -Naur linux-4.16/security/selinux/selinuxfs.c linux-4.16-p/security/selinux/selinuxfs.c
---- linux-4.16/security/selinux/selinuxfs.c 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/security/selinux/selinuxfs.c 2018-04-12 15:57:20.838694346 +0200
+diff -Nur a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+--- a/security/selinux/selinuxfs.c 2018-05-22 17:56:31.000000000 +0100
++++ b/security/selinux/selinuxfs.c 2018-05-22 19:56:23.721072593 +0100
@@ -41,16 +41,7 @@
#include "objsec.h"
#include "conditional.h"
@@ -2711,9 +2477,9 @@ diff -Naur linux-4.16/security/selinux/selinuxfs.c linux-4.16-p/security/selinux
length = count;
out:
kfree(page);
-diff -Naur linux-4.16/security/yama/Kconfig linux-4.16-p/security/yama/Kconfig
---- linux-4.16/security/yama/Kconfig 2018-04-01 23:20:27.000000000 +0200
-+++ linux-4.16-p/security/yama/Kconfig 2018-04-12 15:57:20.838694346 +0200
+diff -Nur a/security/yama/Kconfig b/security/yama/Kconfig
+--- a/security/yama/Kconfig 2018-05-22 17:56:31.000000000 +0100
++++ b/security/yama/Kconfig 2018-05-22 19:56:23.721072593 +0100
@@ -1,7 +1,7 @@
config SECURITY_YAMA
bool "Yama support"
diff --git a/sys-kernel/linux-image-redcore/files/redcore-amd64.config b/sys-kernel/linux-image-redcore/files/redcore-amd64.config
index b63e0158..f63178d1 100644
--- a/sys-kernel/linux-image-redcore/files/redcore-amd64.config
+++ b/sys-kernel/linux-image-redcore/files/redcore-amd64.config
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.16.6-redcore Kernel Configuration
+# Linux/x86 4.16.11-redcore Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -8838,7 +8838,6 @@ CONFIG_ENCRYPTED_KEYS=m
# CONFIG_KEY_DH_OPERATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
-CONFIG_SECURITY_TIOCSTI_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_PAGE_TABLE_ISOLATION=y
diff --git a/sys-kernel/linux-image-redcore/linux-image-redcore-4.16.10.ebuild b/sys-kernel/linux-image-redcore/linux-image-redcore-4.16.11.ebuild
index 041c90be..75f75ca2 100644
--- a/sys-kernel/linux-image-redcore/linux-image-redcore-4.16.10.ebuild
+++ b/sys-kernel/linux-image-redcore/linux-image-redcore-4.16.11.ebuild
@@ -41,7 +41,7 @@ PATCHES=( "${FILESDIR}"/enable_alx_wol.patch
"${FILESDIR}"/mute-pps_state_mismatch.patch
"${FILESDIR}"/drop_ancient-and-wrong-msg.patch
"${FILESDIR}"/nouveau-pascal-backlight.patch
- "${FILESDIR}"/linux-hardened-v2.patch
+ "${FILESDIR}"/linux-hardened-v3.patch
"${FILESDIR}"/uksm-for-linux-hardened.patch )
S="${WORKDIR}"/linux-"${PV}"