authorgraysky2019-02-23 14:14:04 -0500
committergraysky2019-02-23 14:14:04 -0500
commite46fb53095ad5970d53d9c3a2200a3c5f7e7f9d7 (patch)
treeea3d5667d60c3bcf0ebe7247c06df043f0392dd1
parent0411bf0858d2ef16a450915e02619f4389806175 (diff)
Update to 4.20.12-4
-rw-r--r--.SRCINFO10
-rw-r--r--0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch102
-rw-r--r--0002-exec-Fix-mem-leak-in-kernel_read_file.patch (renamed from 0001-exec-Fix-mem-leak-in-kernel_read_file.patch)2
-rw-r--r--PKGBUILD8
4 files changed, 114 insertions, 8 deletions
diff --git a/.SRCINFO b/.SRCINFO
index a74f4c49c313..fde1491cdcea 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,8 +1,8 @@
# Generated by mksrcinfo v8
-# Sat Feb 23 11:52:03 UTC 2019
+# Sat Feb 23 19:14:04 UTC 2019
pkgbase = linux-ck
pkgver = 4.20.12
- pkgrel = 3
+ pkgrel = 4
url = https://wiki.archlinux.org/index.php/Linux-ck
arch = x86_64
license = GPL2
@@ -20,7 +20,8 @@ pkgbase = linux-ck
source = enable_additional_cpu_optimizations-20180509.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/20180509.tar.gz
source = http://ck.kolivas.org/patches/4.0/4.20/4.20-ck1/patch-4.20-ck1.xz
source = 0000-unfuck-ck1-for-kvm-intel-symbol.patch
- source = 0001-exec-Fix-mem-leak-in-kernel_read_file.patch
+ source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ source = 0002-exec-Fix-mem-leak-in-kernel_read_file.patch
sha256sums = 1cf544308195250805e0731c716691bea4c1ed29e03e6f9ae5be6dc16785a504
sha256sums = SKIP
sha256sums = 4ff10c16fa729f808e812e3ff53ef8087ab9c220c84d860676d3bfb5c1c63c5d
@@ -30,7 +31,8 @@ pkgbase = linux-ck
sha256sums = 226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d
sha256sums = 4bd614333fcbe509118b5362889f76d241e1d33e1ee691bd24fd82384ce7f2de
sha256sums = 3e8c7d3015bb593e8a861be0b2b9f1de74fcb25e00c6e3eacee3165c6bec6f64
- sha256sums = a8962ae10431de7c5eebe07a34fff5acd613904865dcabbcea03e8108d11b1fb
+ sha256sums = 55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316
+ sha256sums = bbf31b3a6af1db882cb63bd5e5385f174f2345272acaf18f129712a0a726689b
pkgname = linux-ck
pkgdesc = The Linux-ck kernel and modules with the ck1 patchset featuring MuQSS CPU scheduler v0.185
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..4a24f9ce9682
--- /dev/null
+++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,102 @@
+From 884528c4629b0b333061c191d9b26081431dbfd3 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ kernel/fork.c | 15 +++++++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 3 files changed, 30 insertions(+)
+
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 906cd0c13d15..0d1d30ad91e7 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -104,6 +104,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1699,6 +1704,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2532,6 +2541,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 9ee261fce89e..ab26ddeab33d 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -515,6 +518,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 923414a246e9..6b9dbc257e34 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -26,6 +26,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.20.1
+
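Review bot: The sysctl entry added in the kernel/sysctl.c part of this patch (the `.procname = "unprivileged_userns_clone"` block) uses `proc_dointvec` with no `.extra1`/`.extra2` bounds, so any integer is accepted even though only 0 and 1 have meaning; `.proc_handler = proc_dointvec_minmax,` with `.extra1 = &zero,` and `.extra2 = &one,` would reject stray values and keep `sysctl` output unambiguous. The `int unprivileged_userns_clone;` definition in kernel/user_namespace.c is zero-initialised, so once this patch is applied unprivileged user namespaces are denied by default and anything relying on them (container tooling, sandboxed browsers) fails with EPERM until the sysctl is raised; the bare `/* sysctl */` comment above it should say so, e.g. `/* sysctl: 0 (default) restricts CLONE_NEWUSER to CAP_SYS_ADMIN, 1 allows unprivileged use */`. Both checks in kernel/fork.c sit inside copy_process and ksys_unshare, whose bodies start and end outside the hunks shown.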
diff --git a/0001-exec-Fix-mem-leak-in-kernel_read_file.patch b/0002-exec-Fix-mem-leak-in-kernel_read_file.patch
index bed047b765a2..750e105d3741 100644
--- a/0001-exec-Fix-mem-leak-in-kernel_read_file.patch
+++ b/0002-exec-Fix-mem-leak-in-kernel_read_file.patch
@@ -1,4 +1,4 @@
-From 3096ba94fa87b22664baa91e71a55ce698bb8aed Mon Sep 17 00:00:00 2001
+From e4817043e07f7414acdb25aa0d0689cb30a5fc2b Mon Sep 17 00:00:00 2001
From: YueHaibing <yuehaibing@huawei.com>
Date: Tue, 19 Feb 2019 10:10:38 +0800
Subject: [PATCH 2/3] exec: Fix mem leak in kernel_read_file
diff --git a/PKGBUILD b/PKGBUILD
index d5737dc5e5fd..0bc148b1d352 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -63,7 +63,7 @@ _localmodcfg=
pkgbase=linux-ck
_srcver=4.20.12-arch1
pkgver=${_srcver%-*}
-pkgrel=3
+pkgrel=4
_ckpatchversion=1
arch=(x86_64)
url="https://wiki.archlinux.org/index.php/Linux-ck"
@@ -81,7 +81,8 @@ source=(
"enable_additional_cpu_optimizations-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/$_gcc_more_v.tar.gz"
"http://ck.kolivas.org/patches/4.0/4.20/4.20-ck${_ckpatchversion}/$_ckpatch.xz"
0000-unfuck-ck1-for-kvm-intel-symbol.patch
- 0001-exec-Fix-mem-leak-in-kernel_read_file.patch
+ 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0002-exec-Fix-mem-leak-in-kernel_read_file.patch
)
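Review bot: Adding `0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch` to `source=(` changes a runtime default — unprivileged user namespaces are denied until `kernel.unprivileged_userns_clone=1` is set — but nothing in the package tells users this; an `install=` script with a post_install/post_upgrade message, or a README line, should name the new sysctl and its default so sandbox breakage after the upgrade is explained. The `source=(` opening appears only in the hunk header context, so the array is partly outside this hunk.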
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -96,7 +97,8 @@ sha256sums=('1cf544308195250805e0731c716691bea4c1ed29e03e6f9ae5be6dc16785a504'
'226e30068ea0fecdb22f337391385701996bfbdba37cdcf0f1dbf55f1080542d'
'4bd614333fcbe509118b5362889f76d241e1d33e1ee691bd24fd82384ce7f2de'
'3e8c7d3015bb593e8a861be0b2b9f1de74fcb25e00c6e3eacee3165c6bec6f64'
- 'a8962ae10431de7c5eebe07a34fff5acd613904865dcabbcea03e8108d11b1fb')
+ '55823bb3ca652d917ba79860d595b479ec20c22a7c6854cbef901d44b4196316'
+ 'bbf31b3a6af1db882cb63bd5e5385f174f2345272acaf18f129712a0a726689b')
_kernelname=${pkgbase#linux}
: ${_kernelname:=-ARCH}