diff options
author | dysphoria | 2019-07-11 18:03:07 +0100 |
---|---|---|
committer | dysphoria | 2019-07-11 18:03:07 +0100 |
commit | 446ca38fb3057dc2e5c45dac6a18196868da3b7b (patch) | |
tree | 06234eca2fd8913178f9727f8b5b7d73cedef0d3 | |
parent | 9280c2bdb5f28ea467eab1553ab78f29712c7572 (diff) | |
download | aur-446ca38fb3057dc2e5c45dac6a18196868da3b7b.tar.gz |
[upd] bump to latest
-rw-r--r-- | .SRCINFO | 18 | ||||
-rw-r--r-- | 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch | 29 | ||||
-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 | ||||
-rw-r--r-- | PKGBUILD | 13 | ||||
-rw-r--r-- | config | 9 |
5 files changed, 95 insertions, 31 deletions
@@ -1,5 +1,5 @@ pkgbase = linux-lts-tomoyo - pkgver = 4.19.46 + pkgver = 4.19.58 pkgrel = 1 url = https://www.kernel.org/ arch = x86_64 @@ -12,22 +12,24 @@ pkgbase = linux-lts-tomoyo options = !strip source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.tar.xz source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.tar.sign - source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.19.46.xz + source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.19.58.xz source = config source = 60-linux.hook source = 90-linux.hook source = linux-lts.preset source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E sha256sums = 0c68f5655528aed4f99dae71a5b259edc93239fa899e2df79c055275c21749a1 sha256sums = SKIP - sha256sums = 3df7f072065b35abaa86e752a1ee2a6488a1d980a4e116b6a5750a9112203b20 - sha256sums = dfd03045db0fd87adeda3397ee25d6d75d22ca686ffc167161d286d5bffb38de + sha256sums = 018584229e0522aa94cb7af7b7f0775cf42ae3873a8d4cbc8715d807719bfad5 + sha256sums = af7e7687a91b210e803697ef9509faaf3b7955a6094350212944a598b29f2c58 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65 - sha256sums = 36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98 + sha256sums = bc3dab5594735fb56bdb39c1630a470fd2e65fcf0d81a5db31bab3b91944225d + sha256sums = 67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d pkgname = linux-lts-tomoyo pkgdesc = The Linux-lts kernel with TOMOYO Linux configuration @@ -38,14 +40,14 @@ pkgname = linux-lts-tomoyo depends = mkinitcpio>=0.7 optdepends = crda: to set the correct wireless channels of your country optdepends = tomoyo-tools-25: the TOMOYO Linux 2.5.x userspace tools - provides = linux-lts-tomoyo=4.19.46 + provides = linux-lts-tomoyo=4.19.58 backup = etc/mkinitcpio.d/linux-lts-tomoyo.preset pkgname = linux-lts-tomoyo-headers pkgdesc = Header files and scripts for building modules for Linux-lts-tomoyo kernel - provides = linux-lts-tomoyo-headers=4.19.46 + provides = linux-lts-tomoyo-headers=4.19.58 pkgname = linux-lts-tomoyo-docs pkgdesc = Kernel hackers manual - HTML documentation that comes with the Linux-lts-tomoyo kernel - provides = linux-lts-tomoyo-docs=4.19.46 + provides = linux-lts-tomoyo-docs=4.19.58 diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch index a989d666aa76..d78d38ade4af 100644 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch @@ -1,8 +1,7 @@ -From 4e54373158caa50df5402fdd3db1794c5394026b Mon Sep 17 00:00:00 2001 -Message-Id: <4e54373158caa50df5402fdd3db1794c5394026b.1516188238.git.jan.steffens@gmail.com> +From 96161597803746c97c43e0703ca2a059bdd7a8f7 Mon Sep 17 00:00:00 2001 From: Serge Hallyn <serge.hallyn@canonical.com> Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/4] add sysctl to disallow unprivileged CLONE_NEWUSER by +Subject: [PATCH 1/2] add sysctl to disallow unprivileged CLONE_NEWUSER by default Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> @@ -15,10 +14,10 @@ Signed-off-by: Daniel Micay <danielmicay@gmail.com> 3 files changed, 30 insertions(+) diff --git a/kernel/fork.c b/kernel/fork.c -index 500ce64517d9..35f5860958b4 100644 +index 2628f3773ca8..a2da35b446a6 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -102,6 +102,11 @@ +@@ -103,6 +103,11 @@ #define CREATE_TRACE_POINTS #include <trace/events/task.h> @@ -30,7 +29,7 @@ index 500ce64517d9..35f5860958b4 100644 /* * Minimum number of threads to boot the kernel -@@ -1554,6 +1559,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1719,6 +1724,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -41,7 +40,7 @@ index 500ce64517d9..35f5860958b4 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2347,6 +2356,12 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags) +@@ -2554,6 +2563,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -55,10 +54,10 @@ index 500ce64517d9..35f5860958b4 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index 56aca862c4f5..e8402ba393c1 100644 +index 387efbaf464a..b393beb76f34 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c -@@ -105,6 +105,9 @@ extern int core_uses_pid; +@@ -108,6 +108,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif @@ -68,7 +67,7 @@ index 56aca862c4f5..e8402ba393c1 100644 extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction; -@@ -513,6 +516,15 @@ static struct ctl_table kern_table[] = { +@@ -535,6 +538,15 @@ static struct ctl_table kern_table[] = { .proc_handler = proc_dointvec, }, #endif @@ -85,12 +84,12 @@ index 56aca862c4f5..e8402ba393c1 100644 { .procname = "tainted", diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index c490f1e4313b..dd03bd39d7bf 100644 +index 923414a246e9..6b9dbc257e34 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c -@@ -24,6 +24,9 @@ - #include <linux/projid.h> - #include <linux/fs_struct.h> +@@ -26,6 +26,9 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> +/* sysctl */ +int unprivileged_userns_clone; @@ -99,5 +98,5 @@ index c490f1e4313b..dd03bd39d7bf 100644 static DEFINE_MUTEX(userns_state_mutex); -- -2.15.1 +2.22.0 diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch new file mode 100644 index 000000000000..7fa619f1c84c --- /dev/null +++ b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch @@ -0,0 +1,57 @@ +From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Thu, 7 Dec 2017 13:50:48 +0100 +Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone + +This way our default behavior continues to match the vanilla kernel. +--- + init/Kconfig | 16 ++++++++++++++++ + kernel/user_namespace.c | 4 ++++ + 2 files changed, 20 insertions(+) + +diff --git a/init/Kconfig b/init/Kconfig +index 4592bf7997c0..f3df02990aff 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1004,6 +1004,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 6b9dbc257e34..107b17f0d528 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -27,7 +27,11 @@ + #include <linux/sort.h> + + /* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else + int unprivileged_userns_clone; ++#endif + + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); +-- +2.22.0 + @@ -6,7 +6,7 @@ pkgbase=linux-lts-tomoyo _srcname=linux-4.19 -pkgver=4.19.46 +pkgver=4.19.58 pkgrel=1 arch=('x86_64') url="https://www.kernel.org/" @@ -21,6 +21,7 @@ source=( '90-linux.hook' # pacman hook for initramfs regeneration 'linux-lts.preset' # standard config files for mkinitcpio ramdisk '0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch' + '0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch' ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds @@ -29,12 +30,13 @@ validpgpkeys=( # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc sha256sums=('0c68f5655528aed4f99dae71a5b259edc93239fa899e2df79c055275c21749a1' 'SKIP' - '3df7f072065b35abaa86e752a1ee2a6488a1d980a4e116b6a5750a9112203b20' - 'dfd03045db0fd87adeda3397ee25d6d75d22ca686ffc167161d286d5bffb38de' + '018584229e0522aa94cb7af7b7f0775cf42ae3873a8d4cbc8715d807719bfad5' + 'af7e7687a91b210e803697ef9509faaf3b7955a6094350212944a598b29f2c58' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' - '36b1118c8dedadc4851150ddd4eb07b1c58ac5bbf3022cc2501a27c2b476da98') + 'bc3dab5594735fb56bdb39c1630a470fd2e65fcf0d81a5db31bab3b91944225d' + '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d') _kernelname=${pkgbase#linux} @@ -50,8 +52,9 @@ prepare() { # add latest fixes from stable queue, if needed # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git - # disable USER_NS for non-root users by default + # allow disabling USER_NS via sysctl patch -Np1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch + patch -Np1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch cp -Tf ../config .config @@ -1,14 +1,15 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.19.36-1 Kernel Configuration +# Linux/x86 4.19.55-2 Kernel Configuration # # -# Compiler: gcc (GCC) 8.3.0 +# Compiler: gcc (GCC) 9.1.0 # CONFIG_CC_IS_GCC=y -CONFIG_GCC_VERSION=80300 +CONFIG_GCC_VERSION=90100 CONFIG_CLANG_VERSION=0 +CONFIG_CC_HAS_ASM_GOTO=y CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_EXTABLE_SORT=y CONFIG_THREAD_INFO_IN_TASK=y @@ -158,6 +159,7 @@ CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_USER_NS=y +CONFIG_USER_NS_UNPRIVILEGED=y CONFIG_PID_NS=y CONFIG_NET_NS=y # CONFIG_CHECKPOINT_RESTORE is not set @@ -5986,6 +5988,7 @@ CONFIG_CHASH=m # CONFIG_CHASH_STATS is not set # CONFIG_CHASH_SELFTEST is not set CONFIG_DRM_NOUVEAU=m +CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT=y CONFIG_NOUVEAU_DEBUG=5 CONFIG_NOUVEAU_DEBUG_DEFAULT=3 # CONFIG_NOUVEAU_DEBUG_MMU is not set |