From df59e1ecc8569b9f48acc22a7e5649f96df33219 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sun, 2 May 2021 18:25:10 +0100 Subject: sys-kernel/linux-{image,sources}-redcore : version bump --- .../files/5.11-linux-hardened.patch | 79 +++++++++------------- 1 file changed, 33 insertions(+), 46 deletions(-) (limited to 'sys-kernel/linux-image-redcore/files') diff --git a/sys-kernel/linux-image-redcore/files/5.11-linux-hardened.patch b/sys-kernel/linux-image-redcore/files/5.11-linux-hardened.patch index d2f62db2..2fb3da83 100644 --- a/sys-kernel/linux-image-redcore/files/5.11-linux-hardened.patch +++ b/sys-kernel/linux-image-redcore/files/5.11-linux-hardened.patch @@ -101,19 +101,6 @@ index 1b7f8debada6..05f722d7d065 100644 tcp_slow_start_after_idle - BOOLEAN If set, provide RFC2861 behavior and time out the congestion window after an idle period. An idle period is defined at -diff --git a/Makefile b/Makefile -index d8a39ece170d..a1023be11847 100644 ---- a/Makefile -+++ b/Makefile -@@ -2,7 +2,7 @@ - VERSION = 5 - PATCHLEVEL = 11 - SUBLEVEL = 8 --EXTRAVERSION = -+EXTRAVERSION = -hardened1 - NAME = 💕 Valentine's Day Edition 💕 - - # *DOCUMENTATION* diff --git a/arch/Kconfig b/arch/Kconfig index 24862d15f3a3..ea5030c6dc46 100644 --- a/arch/Kconfig @@ -137,10 +124,10 @@ index 24862d15f3a3..ea5030c6dc46 100644 help This value can be used to select the number of bits to use to diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig -index e42da99db91f..569b9ea44ba0 100644 +index cd7f725b80d4..f02334b3c5ac 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig -@@ -1196,6 +1196,7 @@ config RODATA_FULL_DEFAULT_ENABLED +@@ -1206,6 +1206,7 @@ config RODATA_FULL_DEFAULT_ENABLED config ARM64_SW_TTBR0_PAN bool "Emulate Privileged Access Never using TTBR0_EL1 switching" @@ -148,7 +135,7 @@ index e42da99db91f..569b9ea44ba0 100644 help Enabling this option prevents the kernel from accessing user-space memory directly by pointing TTBR0_EL1 to a reserved -@@ -1774,6 +1775,7 @@ config RANDOMIZE_BASE +@@ -1788,6 +1789,7 @@ config RANDOMIZE_BASE bool "Randomize the address of the kernel image" select ARM64_MODULE_PLTS if MODULES select RELOCATABLE @@ -752,7 +739,7 @@ index 6442d97d9a4a..1ae285075f9f 100644 { return -ENXIO; diff --git a/fs/namei.c b/fs/namei.c -index dd85e12ac85a..a200b0144970 100644 +index b7c0dcc25bd4..14fba31826c0 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -932,10 +932,10 @@ static inline void put_link(struct nameidata *nd) @@ -771,7 +758,7 @@ index dd85e12ac85a..a200b0144970 100644 /** * may_follow_link - Check symlink following for unsafe situations diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig -index e2a488d403a6..ce54c1c693a8 100644 +index 14a72224b657..080a8027c6b1 100644 --- a/fs/nfs/Kconfig +++ b/fs/nfs/Kconfig @@ -195,7 +195,6 @@ config NFS_DEBUG @@ -1035,7 +1022,7 @@ index 2b5b64256cf4..8cdce21dce0f 100644 const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent); const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj); diff --git a/include/linux/mm.h b/include/linux/mm.h -index 24b292fce8e5..e7224299eaa5 100644 +index 992c18d5e85d..19d0c045a94c 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -775,7 +775,7 @@ static inline int is_vmalloc_or_module_addr(const void *x) @@ -1304,10 +1291,10 @@ index 244208f6f6c2..764da159ccab 100644 #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */ diff --git a/init/Kconfig b/init/Kconfig -index b7d3c6a12196..29ae7c93f608 100644 +index a3d27421de8f..208a3c8951d0 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -418,6 +418,7 @@ config USELIB +@@ -417,6 +417,7 @@ config USELIB config AUDIT bool "Auditing support" depends on NET @@ -1315,7 +1302,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help Enable auditing infrastructure that can be used with another kernel subsystem, such as SELinux (which requires this for -@@ -1172,6 +1173,22 @@ config USER_NS +@@ -1171,6 +1172,22 @@ config USER_NS If unsure, say N. @@ -1338,7 +1325,7 @@ index b7d3c6a12196..29ae7c93f608 100644 config PID_NS bool "PID Namespaces" default y -@@ -1402,9 +1419,8 @@ menuconfig EXPERT +@@ -1401,9 +1418,8 @@ menuconfig EXPERT Only use this if you really know what you are doing. config UID16 @@ -1349,7 +1336,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help This enables the legacy 16-bit UID syscall wrappers. -@@ -1433,14 +1449,13 @@ config SGETMASK_SYSCALL +@@ -1432,14 +1448,13 @@ config SGETMASK_SYSCALL If unsure, leave the default option here. config SYSFS_SYSCALL @@ -1366,7 +1353,7 @@ index b7d3c6a12196..29ae7c93f608 100644 config FHANDLE bool "open by fhandle syscalls" if EXPERT -@@ -1591,8 +1606,7 @@ config SHMEM +@@ -1590,8 +1605,7 @@ config SHMEM which may be appropriate on small systems without swap. config AIO @@ -1376,7 +1363,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help This option enables POSIX asynchronous I/O which may by used by some high performance threaded applications. Disabling -@@ -1853,7 +1867,7 @@ config VM_EVENT_COUNTERS +@@ -1852,7 +1866,7 @@ config VM_EVENT_COUNTERS config SLUB_DEBUG default y @@ -1385,7 +1372,7 @@ index b7d3c6a12196..29ae7c93f608 100644 depends on SLUB && SYSFS help SLUB has extensive debug support features. Disabling these can -@@ -1877,7 +1891,6 @@ config SLUB_MEMCG_SYSFS_ON +@@ -1876,7 +1890,6 @@ config SLUB_MEMCG_SYSFS_ON config COMPAT_BRK bool "Disable heap randomization" @@ -1393,7 +1380,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help Randomizing heap placement makes heap exploits harder, but it also breaks ancient binaries (including anything libc5 based). -@@ -1924,7 +1937,6 @@ endchoice +@@ -1923,7 +1936,6 @@ endchoice config SLAB_MERGE_DEFAULT bool "Allow slab caches to be merged" @@ -1401,7 +1388,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help For reduced kernel memory fragmentation, slab caches can be merged when they share the same size and other characteristics. -@@ -1939,6 +1951,7 @@ config SLAB_MERGE_DEFAULT +@@ -1938,6 +1950,7 @@ config SLAB_MERGE_DEFAULT config SLAB_FREELIST_RANDOM bool "Randomize slab freelist" depends on SLAB || SLUB @@ -1409,7 +1396,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help Randomizes the freelist order used on creating new pages. This security feature reduces the predictability of the kernel slab -@@ -1947,6 +1960,7 @@ config SLAB_FREELIST_RANDOM +@@ -1946,6 +1959,7 @@ config SLAB_FREELIST_RANDOM config SLAB_FREELIST_HARDENED bool "Harden slab freelist metadata" depends on SLAB || SLUB @@ -1417,7 +1404,7 @@ index b7d3c6a12196..29ae7c93f608 100644 help Many kernel heap attacks try to target slab cache metadata and other infrastructure. This options makes minor performance -@@ -1955,6 +1969,23 @@ config SLAB_FREELIST_HARDENED +@@ -1954,6 +1968,23 @@ config SLAB_FREELIST_HARDENED sanity-checking than others. This option is most effective with CONFIG_SLUB. @@ -1456,7 +1443,7 @@ index 1ffc2e059027..0eb5de8d177e 100644 pr_err("audit: error setting audit state (%d)\n", audit_default); diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c -index 261f8692d0d2..6e3c2148e3f4 100644 +index 1de87fcaeabd..8d844eef1d69 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -516,7 +516,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp) @@ -1469,7 +1456,7 @@ index 261f8692d0d2..6e3c2148e3f4 100644 static void diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index e5999d86c76e..0fe9f6fef7a2 100644 +index 32ca33539052..07c18d1d6f20 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock); @@ -1526,7 +1513,7 @@ index 8425dbc1d239..7ce0ad5cead5 100644 return err; diff --git a/kernel/fork.c b/kernel/fork.c -index d66cd1014211..cd4cd6ff7392 100644 +index 808af2cc8ab6..0948177da180 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -82,6 +82,7 @@ @@ -1537,7 +1524,7 @@ index d66cd1014211..cd4cd6ff7392 100644 #include #include #include -@@ -1864,6 +1865,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1872,6 +1873,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -1548,7 +1535,7 @@ index d66cd1014211..cd4cd6ff7392 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2933,6 +2938,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2941,6 +2946,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -1867,7 +1854,7 @@ index 62fbd09b5dc1..36470990b2e6 100644 EXPORT_SYMBOL(proc_dointvec_ms_jiffies); EXPORT_SYMBOL(proc_dostring); diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c -index 788b9d137de4..371d160251fb 100644 +index 5c9d968187ae..80156280360f 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -1605,7 +1605,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now, @@ -1911,7 +1898,7 @@ index af612945a4d0..95c54dae4aa1 100644 static DEFINE_MUTEX(userns_state_mutex); diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug -index 7937265ef879..151000ca0f4c 100644 +index 431b6b7ec04d..160ecfd7b45c 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -375,6 +375,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B @@ -2683,10 +2670,10 @@ index 8c9b7d1e7c49..b74af3a4435e 100644 unsigned long arch_mmap_rnd(void) diff --git a/net/core/dev.c b/net/core/dev.c -index a5a1dbe66b76..b0af65c213cc 100644 +index 3c0d3b6d674d..93387bfaf741 100644 --- a/net/core/dev.c +++ b/net/core/dev.c -@@ -4867,7 +4867,7 @@ int netif_rx_any_context(struct sk_buff *skb) +@@ -4879,7 +4879,7 @@ int netif_rx_any_context(struct sk_buff *skb) } EXPORT_SYMBOL(netif_rx_any_context); @@ -2695,7 +2682,7 @@ index a5a1dbe66b76..b0af65c213cc 100644 { struct softnet_data *sd = this_cpu_ptr(&softnet_data); -@@ -6863,7 +6863,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) +@@ -6876,7 +6876,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll) return work; } @@ -2952,7 +2939,7 @@ index 87983e70f03f..d1584b4b39f9 100644 + + If unsure, say N. diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c -index 3e5f4f2e705e..791329c77dea 100644 +index 08829809e88b..d06be35bacbe 100644 --- a/net/ipv4/sysctl_net_ipv4.c +++ b/net/ipv4/sysctl_net_ipv4.c @@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = { @@ -3207,7 +3194,7 @@ index 7561f6f99f1d..ccae931a1c6c 100644 Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening -index 269967c4fc1b..7dede18f1074 100644 +index a56c36470cb1..ea4c4aeed9cd 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE @@ -3319,10 +3306,10 @@ index 95a3c1eda9e4..75addbf621da 100644 /** * selinux_secmark_enabled - Check to see if SECMARK is currently enabled diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c -index 4bde570d56a2..cc5caffc07fa 100644 +index 2b745ae8cb98..de739d432da6 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c -@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, +@@ -724,7 +724,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { @@ -3330,7 +3317,7 @@ index 4bde570d56a2..cc5caffc07fa 100644 char *page; ssize_t length; unsigned int new_value; -@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, +@@ -748,18 +747,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, return PTR_ERR(page); length = -EINVAL; -- cgit v1.2.3