summaryrefslogtreecommitdiff
path: root/sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch
diff options
context:
space:
mode:
authorV3n3RiX <venerix@redcorelinux.org>2021-05-02 18:25:10 +0100
committerV3n3RiX <venerix@redcorelinux.org>2021-05-02 18:25:10 +0100
commitdf59e1ecc8569b9f48acc22a7e5649f96df33219 (patch)
tree9380f8bf5bec35a23aeedfe48e501363a8488832 /sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch
parenteb365e9ca177b0e0165b4cde5c51b1862bf54a1d (diff)
sys-kernel/linux-{image,sources}-redcore : version bump
Diffstat (limited to 'sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch')
-rw-r--r--sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch79
1 files changed, 33 insertions, 46 deletions
diff --git a/sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch b/sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch
index d2f62db2..2fb3da83 100644
--- a/sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch
+++ b/sys-kernel/linux-sources-redcore/files/5.11-linux-hardened.patch
@@ -101,19 +101,6 @@ index 1b7f8debada6..05f722d7d065 100644
tcp_slow_start_after_idle - BOOLEAN
If set, provide RFC2861 behavior and time out the congestion
window after an idle period. An idle period is defined at
-diff --git a/Makefile b/Makefile
-index d8a39ece170d..a1023be11847 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 5
- PATCHLEVEL = 11
- SUBLEVEL = 8
--EXTRAVERSION =
-+EXTRAVERSION = -hardened1
- NAME = 💕 Valentine's Day Edition 💕
-
- # *DOCUMENTATION*
diff --git a/arch/Kconfig b/arch/Kconfig
index 24862d15f3a3..ea5030c6dc46 100644
--- a/arch/Kconfig
@@ -137,10 +124,10 @@ index 24862d15f3a3..ea5030c6dc46 100644
help
This value can be used to select the number of bits to use to
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
-index e42da99db91f..569b9ea44ba0 100644
+index cd7f725b80d4..f02334b3c5ac 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
-@@ -1196,6 +1196,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+@@ -1206,6 +1206,7 @@ config RODATA_FULL_DEFAULT_ENABLED
config ARM64_SW_TTBR0_PAN
bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
@@ -148,7 +135,7 @@ index e42da99db91f..569b9ea44ba0 100644
help
Enabling this option prevents the kernel from accessing
user-space memory directly by pointing TTBR0_EL1 to a reserved
-@@ -1774,6 +1775,7 @@ config RANDOMIZE_BASE
+@@ -1788,6 +1789,7 @@ config RANDOMIZE_BASE
bool "Randomize the address of the kernel image"
select ARM64_MODULE_PLTS if MODULES
select RELOCATABLE
@@ -752,7 +739,7 @@ index 6442d97d9a4a..1ae285075f9f 100644
{
return -ENXIO;
diff --git a/fs/namei.c b/fs/namei.c
-index dd85e12ac85a..a200b0144970 100644
+index b7c0dcc25bd4..14fba31826c0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -932,10 +932,10 @@ static inline void put_link(struct nameidata *nd)
@@ -771,7 +758,7 @@ index dd85e12ac85a..a200b0144970 100644
/**
* may_follow_link - Check symlink following for unsafe situations
diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
-index e2a488d403a6..ce54c1c693a8 100644
+index 14a72224b657..080a8027c6b1 100644
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -195,7 +195,6 @@ config NFS_DEBUG
@@ -1035,7 +1022,7 @@ index 2b5b64256cf4..8cdce21dce0f 100644
const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
diff --git a/include/linux/mm.h b/include/linux/mm.h
-index 24b292fce8e5..e7224299eaa5 100644
+index 992c18d5e85d..19d0c045a94c 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -775,7 +775,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
@@ -1304,10 +1291,10 @@ index 244208f6f6c2..764da159ccab 100644
#define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
#define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
diff --git a/init/Kconfig b/init/Kconfig
-index b7d3c6a12196..29ae7c93f608 100644
+index a3d27421de8f..208a3c8951d0 100644
--- a/init/Kconfig
+++ b/init/Kconfig
-@@ -418,6 +418,7 @@ config USELIB
+@@ -417,6 +417,7 @@ config USELIB
config AUDIT
bool "Auditing support"
depends on NET
@@ -1315,7 +1302,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
Enable auditing infrastructure that can be used with another
kernel subsystem, such as SELinux (which requires this for
-@@ -1172,6 +1173,22 @@ config USER_NS
+@@ -1171,6 +1172,22 @@ config USER_NS
If unsure, say N.
@@ -1338,7 +1325,7 @@ index b7d3c6a12196..29ae7c93f608 100644
config PID_NS
bool "PID Namespaces"
default y
-@@ -1402,9 +1419,8 @@ menuconfig EXPERT
+@@ -1401,9 +1418,8 @@ menuconfig EXPERT
Only use this if you really know what you are doing.
config UID16
@@ -1349,7 +1336,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
This enables the legacy 16-bit UID syscall wrappers.
-@@ -1433,14 +1449,13 @@ config SGETMASK_SYSCALL
+@@ -1432,14 +1448,13 @@ config SGETMASK_SYSCALL
If unsure, leave the default option here.
config SYSFS_SYSCALL
@@ -1366,7 +1353,7 @@ index b7d3c6a12196..29ae7c93f608 100644
config FHANDLE
bool "open by fhandle syscalls" if EXPERT
-@@ -1591,8 +1606,7 @@ config SHMEM
+@@ -1590,8 +1605,7 @@ config SHMEM
which may be appropriate on small systems without swap.
config AIO
@@ -1376,7 +1363,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
This option enables POSIX asynchronous I/O which may by used
by some high performance threaded applications. Disabling
-@@ -1853,7 +1867,7 @@ config VM_EVENT_COUNTERS
+@@ -1852,7 +1866,7 @@ config VM_EVENT_COUNTERS
config SLUB_DEBUG
default y
@@ -1385,7 +1372,7 @@ index b7d3c6a12196..29ae7c93f608 100644
depends on SLUB && SYSFS
help
SLUB has extensive debug support features. Disabling these can
-@@ -1877,7 +1891,6 @@ config SLUB_MEMCG_SYSFS_ON
+@@ -1876,7 +1890,6 @@ config SLUB_MEMCG_SYSFS_ON
config COMPAT_BRK
bool "Disable heap randomization"
@@ -1393,7 +1380,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
Randomizing heap placement makes heap exploits harder, but it
also breaks ancient binaries (including anything libc5 based).
-@@ -1924,7 +1937,6 @@ endchoice
+@@ -1923,7 +1936,6 @@ endchoice
config SLAB_MERGE_DEFAULT
bool "Allow slab caches to be merged"
@@ -1401,7 +1388,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
For reduced kernel memory fragmentation, slab caches can be
merged when they share the same size and other characteristics.
-@@ -1939,6 +1951,7 @@ config SLAB_MERGE_DEFAULT
+@@ -1938,6 +1950,7 @@ config SLAB_MERGE_DEFAULT
config SLAB_FREELIST_RANDOM
bool "Randomize slab freelist"
depends on SLAB || SLUB
@@ -1409,7 +1396,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
Randomizes the freelist order used on creating new pages. This
security feature reduces the predictability of the kernel slab
-@@ -1947,6 +1960,7 @@ config SLAB_FREELIST_RANDOM
+@@ -1946,6 +1959,7 @@ config SLAB_FREELIST_RANDOM
config SLAB_FREELIST_HARDENED
bool "Harden slab freelist metadata"
depends on SLAB || SLUB
@@ -1417,7 +1404,7 @@ index b7d3c6a12196..29ae7c93f608 100644
help
Many kernel heap attacks try to target slab cache metadata and
other infrastructure. This options makes minor performance
-@@ -1955,6 +1969,23 @@ config SLAB_FREELIST_HARDENED
+@@ -1954,6 +1968,23 @@ config SLAB_FREELIST_HARDENED
sanity-checking than others. This option is most effective with
CONFIG_SLUB.
@@ -1456,7 +1443,7 @@ index 1ffc2e059027..0eb5de8d177e 100644
pr_err("audit: error setting audit state (%d)\n",
audit_default);
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
-index 261f8692d0d2..6e3c2148e3f4 100644
+index 1de87fcaeabd..8d844eef1d69 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -516,7 +516,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
@@ -1469,7 +1456,7 @@ index 261f8692d0d2..6e3c2148e3f4 100644
static void
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
-index e5999d86c76e..0fe9f6fef7a2 100644
+index 32ca33539052..07c18d1d6f20 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
@@ -1526,7 +1513,7 @@ index 8425dbc1d239..7ce0ad5cead5 100644
return err;
diff --git a/kernel/fork.c b/kernel/fork.c
-index d66cd1014211..cd4cd6ff7392 100644
+index 808af2cc8ab6..0948177da180 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -82,6 +82,7 @@
@@ -1537,7 +1524,7 @@ index d66cd1014211..cd4cd6ff7392 100644
#include <linux/oom.h>
#include <linux/khugepaged.h>
#include <linux/signalfd.h>
-@@ -1864,6 +1865,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1872,6 +1873,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -1548,7 +1535,7 @@ index d66cd1014211..cd4cd6ff7392 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2933,6 +2938,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -2941,6 +2946,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -1867,7 +1854,7 @@ index 62fbd09b5dc1..36470990b2e6 100644
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
-index 788b9d137de4..371d160251fb 100644
+index 5c9d968187ae..80156280360f 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -1605,7 +1605,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
@@ -1911,7 +1898,7 @@ index af612945a4d0..95c54dae4aa1 100644
static DEFINE_MUTEX(userns_state_mutex);
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
-index 7937265ef879..151000ca0f4c 100644
+index 431b6b7ec04d..160ecfd7b45c 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -375,6 +375,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
@@ -2683,10 +2670,10 @@ index 8c9b7d1e7c49..b74af3a4435e 100644
unsigned long arch_mmap_rnd(void)
diff --git a/net/core/dev.c b/net/core/dev.c
-index a5a1dbe66b76..b0af65c213cc 100644
+index 3c0d3b6d674d..93387bfaf741 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
-@@ -4867,7 +4867,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+@@ -4879,7 +4879,7 @@ int netif_rx_any_context(struct sk_buff *skb)
}
EXPORT_SYMBOL(netif_rx_any_context);
@@ -2695,7 +2682,7 @@ index a5a1dbe66b76..b0af65c213cc 100644
{
struct softnet_data *sd = this_cpu_ptr(&softnet_data);
-@@ -6863,7 +6863,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+@@ -6876,7 +6876,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
return work;
}
@@ -2952,7 +2939,7 @@ index 87983e70f03f..d1584b4b39f9 100644
+
+ If unsure, say N.
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
-index 3e5f4f2e705e..791329c77dea 100644
+index 08829809e88b..d06be35bacbe 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
@@ -3207,7 +3194,7 @@ index 7561f6f99f1d..ccae931a1c6c 100644
Detect overflows of buffers in common string and memory functions
where the compiler can determine and validate the buffer sizes.
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
-index 269967c4fc1b..7dede18f1074 100644
+index a56c36470cb1..ea4c4aeed9cd 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
@@ -3319,10 +3306,10 @@ index 95a3c1eda9e4..75addbf621da 100644
/**
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
-index 4bde570d56a2..cc5caffc07fa 100644
+index 2b745ae8cb98..de739d432da6 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
-@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+@@ -724,7 +724,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
@@ -3330,7 +3317,7 @@ index 4bde570d56a2..cc5caffc07fa 100644
char *page;
ssize_t length;
unsigned int new_value;
-@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+@@ -748,18 +747,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
return PTR_ERR(page);
length = -EINVAL;