diff options
author | Chris Severance | 2020-03-19 22:08:16 -0400 |
---|---|---|
committer | Chris Severance | 2020-03-19 22:08:16 -0400 |
commit | a6998d891998785ba88d5db86388e7579ad9d685 (patch) | |
tree | f5dd9ae0f26673b0b0ba3ccdef738d0de5d3ccad | |
parent | 59734d1cfc8369fffe61bac6d4863706c5d09a0f (diff) | |
download | aur-a6998d891998785ba88d5db86388e7579ad9d685.tar.gz |
autu: Update to 3.16.82-1
-rw-r--r-- | .SRCINFO | 21 | ||||
-rw-r--r-- | 0002-binutils.2.34.sysexit.patch | 18 | ||||
-rw-r--r-- | 0003-systemd.245.kernel.316.ambient.capabilities.patch | 541 | ||||
-rw-r--r-- | PKGBUILD | 27 |
4 files changed, 590 insertions, 17 deletions
@@ -1,5 +1,5 @@ pkgbase = linux-lts316 - pkgver = 3.16.81 + pkgver = 3.16.82 pkgrel = 1 url = https://www.kernel.org/ arch = i686 @@ -12,34 +12,37 @@ pkgbase = linux-lts316 makedepends = bc options = !strip source = https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.tar.xz - source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.16.81.xz + source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.16.82.xz source = config source = config.x86_64 source = 99-linux.hook source = linux.preset source = change-default-console-loglevel.patch - source = 0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch source = 0001-binutils.2.31.max-page-size.patch + source = 0002-binutils.2.34.sysexit.patch + source = 0003-systemd.245.kernel.316.ambient.capabilities.patch source = update.sh md5sums = 5c569ed649a0c9711879f333e90c5386 - md5sums = 40d08732754c661356ca5a8e86005a58 + md5sums = 8da6a4c655cecd0f2657436334a60d9c md5sums = 5c85a1cef25029a8eb87d0edeec0cb04 md5sums = f45197ec50bb5f7a85991f6e99ad49c6 md5sums = 90cd68710e3064d9b65f5549570f7821 md5sums = eb14dcfd80c00852ef81ded6e826826a md5sums = df7fceae6ee5d7e7be7b60ecd7f6bb35 - md5sums = faaee4c0db3a87bb45aa4e964727f308 md5sums = 07dc499a909a3bb63fc3fdc0d0652e64 + md5sums = 43d62abf4cd27fa1863759ac87b62ac5 + md5sums = 4f2248545c0a3997a1d301195b7dcfe7 md5sums = e6a1be64b190d846648d671c012d6dd3 sha256sums = 4813ad7927a7d92e5339a873ab16201b242b2748934f12cb5df9ba2cfe1d77a0 - sha256sums = 9eee44021dc9e229c2d1b1601cec0d6e623e00147fd27b0fd0cf624fcdcee24d + sha256sums = 82bd3706afe2beff9ff9a00fae0dd7f92e6f8f300ba0bbe8cc778c2bced20a11 sha256sums = 3bce3e9adce8ae3f826eebab75e9784ca92a914e526ae352de61c1da93aab8d3 sha256sums = 328539797005cb43362b75ca9965791a1ed34525101c286e4fb49694faa40e4c sha256sums = 834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0 sha256sums = f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99 - sha256sums = b0f101562baca5f8aed72ba90638763ef2be8f4618c111a50334970dd03dfb4b sha256sums = f71e0de924013fe60c3cbed45f322e6a09942db978daeddd18adb8582373b5ed + sha256sums = 2c80046fa78bfa6e26ae6d8ac312142d9d67b394914fee423578583fe7ab15db + sha256sums = abbb27b46cf00bf6d4859c4d8dfcf1d6f32e385d3dbf04790abda8b4dae6540a sha256sums = 4dad3093e0c2bd7dafd30a0344b4df6432c3a7d1422edc4e0d1e6201aa513648 pkgname = linux-lts316 @@ -50,12 +53,12 @@ pkgname = linux-lts316 depends = kmod depends = mkinitcpio>=0.7 optdepends = crda: to set the correct wireless channels of your country - provides = linux=3.16.81 + provides = linux=3.16.82 backup = etc/mkinitcpio.d/linux-lts316.preset pkgname = linux-lts316-headers pkgdesc = Header files and scripts for building modules for Linux-lts316 kernel - provides = linux-headers=3.16.81 + provides = linux-headers=3.16.82 pkgname = linux-lts316-docs pkgdesc = Kernel hackers manual - HTML documentation that comes with the Linux-lts316 kernel diff --git a/0002-binutils.2.34.sysexit.patch b/0002-binutils.2.34.sysexit.patch new file mode 100644 index 000000000000..dcaf62b1520d --- /dev/null +++ b/0002-binutils.2.34.sysexit.patch @@ -0,0 +1,18 @@ +diff -up linux-4.4/arch/x86/Makefile.orig linux-4.4/arch/x86/Makefile +--- linux-4.4/arch/x86/Makefile.orig 2020-03-19 03:08:53.569999999 -0600 ++++ linux-4.4/arch/x86/Makefile 2020-03-19 03:38:57.889999999 -0600 +@@ -218,6 +218,14 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin + KBUILD_CFLAGS += $(mflags-y) + KBUILD_AFLAGS += $(mflags-y) + ++# ++# Binutils 2.34 cannot handle sysexit, this corrects for now. ++# ++ifdef CONFIG_X86_64 ++KBUILD_AFLAGS += -Wa,-mintel64 ++KBUILD_CFLAGS += -Wa,-mintel64 ++endif ++ + # Avoid indirect branches in kernel to deal with Spectre + ifdef CONFIG_RETPOLINE + RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register) diff --git a/0003-systemd.245.kernel.316.ambient.capabilities.patch b/0003-systemd.245.kernel.316.ambient.capabilities.patch new file mode 100644 index 000000000000..ca81cf96c7a2 --- /dev/null +++ b/0003-systemd.245.kernel.316.ambient.capabilities.patch @@ -0,0 +1,541 @@ +From 2ddfe869e9964afe1175919557e6b4f18b78941a Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski <luto@kernel.org> +Date: Fri, 4 Sep 2015 15:42:45 -0700 +Subject: [PATCH] UPSTREAM: capabilities: ambient capabilities + +Credit where credit is due: this idea comes from Christoph Lameter with +a lot of valuable input from Serge Hallyn. This patch is heavily based +on Christoph's patch. + +===== The status quo ===== + +On Linux, there are a number of capabilities defined by the kernel. To +perform various privileged tasks, processes can wield capabilities that +they hold. + +Each task has four capability masks: effective (pE), permitted (pP), +inheritable (pI), and a bounding set (X). When the kernel checks for a +capability, it checks pE. The other capability masks serve to modify +what capabilities can be in pE. + +Any task can remove capabilities from pE, pP, or pI at any time. If a +task has a capability in pP, it can add that capability to pE and/or pI. +If a task has CAP_SETPCAP, then it can add any capability to pI, and it +can remove capabilities from X. + +Tasks are not the only things that can have capabilities; files can also +have capabilities. A file can have no capabilty information at all [1]. +If a file has capability information, then it has a permitted mask (fP) +and an inheritable mask (fI) as well as a single effective bit (fE) [2]. +File capabilities modify the capabilities of tasks that execve(2) them. + +A task that successfully calls execve has its capabilities modified for +the file ultimately being excecuted (i.e. the binary itself if that +binary is ELF or for the interpreter if the binary is a script.) [3] In +the capability evolution rules, for each mask Z, pZ represents the old +value and pZ' represents the new value. The rules are: + + pP' = (X & fP) | (pI & fI) + pI' = pI + pE' = (fE ? pP' : 0) + X is unchanged + +For setuid binaries, fP, fI, and fE are modified by a moderately +complicated set of rules that emulate POSIX behavior. Similarly, if +euid == 0 or ruid == 0, then fP, fI, and fE are modified differently +(primary, fP and fI usually end up being the full set). For nonroot +users executing binaries with neither setuid nor file caps, fI and fP +are empty and fE is false. + +As an extra complication, if you execute a process as nonroot and fE is +set, then the "secure exec" rules are in effect: AT_SECURE gets set, +LD_PRELOAD doesn't work, etc. + +This is rather messy. We've learned that making any changes is +dangerous, though: if a new kernel version allows an unprivileged +program to change its security state in a way that persists cross +execution of a setuid program or a program with file caps, this +persistent state is surprisingly likely to allow setuid or file-capped +programs to be exploited for privilege escalation. + +===== The problem ===== + +Capability inheritance is basically useless. + +If you aren't root and you execute an ordinary binary, fI is zero, so +your capabilities have no effect whatsoever on pP'. This means that you +can't usefully execute a helper process or a shell command with elevated +capabilities if you aren't root. + +On current kernels, you can sort of work around this by setting fI to +the full set for most or all non-setuid executable files. This causes +pP' = pI for nonroot, and inheritance works. No one does this because +it's a PITA and it isn't even supported on most filesystems. + +If you try this, you'll discover that every nonroot program ends up with +secure exec rules, breaking many things. + +This is a problem that has bitten many people who have tried to use +capabilities for anything useful. + +===== The proposed change ===== + +This patch adds a fifth capability mask called the ambient mask (pA). +pA does what most people expect pI to do. + +pA obeys the invariant that no bit can ever be set in pA if it is not +set in both pP and pI. Dropping a bit from pP or pI drops that bit from +pA. This ensures that existing programs that try to drop capabilities +still do so, with a complication. Because capability inheritance is so +broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and +then calling execve effectively drops capabilities. Therefore, +setresuid from root to nonroot conditionally clears pA unless +SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can +re-add bits to pA afterwards. + +The capability evolution rules are changed: + + pA' = (file caps or setuid or setgid ? 0 : pA) + pP' = (X & fP) | (pI & fI) | pA' + pI' = pI + pE' = (fE ? pP' : pA') + X is unchanged + +If you are nonroot but you have a capability, you can add it to pA. If +you do so, your children get that capability in pA, pP, and pE. For +example, you can set pA = CAP_NET_BIND_SERVICE, and your children can +automatically bind low-numbered ports. Hallelujah! + +Unprivileged users can create user namespaces, map themselves to a +nonzero uid, and create both privileged (relative to their namespace) +and unprivileged process trees. This is currently more or less +impossible. Hallelujah! + +You cannot use pA to try to subvert a setuid, setgid, or file-capped +program: if you execute any such program, pA gets cleared and the +resulting evolution rules are unchanged by this patch. + +Users with nonzero pA are unlikely to unintentionally leak that +capability. If they run programs that try to drop privileges, dropping +privileges will still work. + +It's worth noting that the degree of paranoia in this patch could +possibly be reduced without causing serious problems. Specifically, if +we allowed pA to persist across executing non-pA-aware setuid binaries +and across setresuid, then, naively, the only capabilities that could +leak as a result would be the capabilities in pA, and any attacker +*already* has those capabilities. This would make me nervous, though -- +setuid binaries that tried to privilege-separate might fail to do so, +and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have +unexpected side effects. (Whether these unexpected side effects would +be exploitable is an open question.) I've therefore taken the more +paranoid route. We can revisit this later. + +An alternative would be to require PR_SET_NO_NEW_PRIVS before setting +ambient capabilities. I think that this would be annoying and would +make granting otherwise unprivileged users minor ambient capabilities +(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than +it is with this patch. + +===== Footnotes ===== + +[1] Files that are missing the "security.capability" xattr or that have +unrecognized values for that xattr end up with has_cap set to false. +The code that does that appears to be complicated for no good reason. + +[2] The libcap capability mask parsers and formatters are dangerously +misleading and the documentation is flat-out wrong. fE is *not* a mask; +it's a single bit. This has probably confused every single person who +has tried to use file capabilities. + +[3] Linux very confusingly processes both the script and the interpreter +if applicable, for reasons that elude me. The results from thinking +about a script's file capabilities and/or setuid bits are mostly +discarded. + +Preliminary userspace code is here, but it needs updating: +https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2 + +Here is a test program that can be used to verify the functionality +(from Christoph): + +/* + * Test program for the ambient capabilities. This program spawns a shell + * that allows running processes with a defined set of capabilities. + * + * (C) 2015 Christoph Lameter <cl@linux.com> + * Released under: GPL v3 or later. + * + * + * Compile using: + * + * gcc -o ambient_test ambient_test.o -lcap-ng + * + * This program must have the following capabilities to run properly: + * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE + * + * A command to equip the binary with the right caps is: + * + * setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test + * + * + * To get a shell with additional caps that can be inherited by other processes: + * + * ./ambient_test /bin/bash + * + * + * Verifying that it works: + * + * From the bash spawed by ambient_test run + * + * cat /proc/$$/status + * + * and have a look at the capabilities. + */ + +/* + * Definitions from the kernel header files. These are going to be removed + * when the /usr/include files have these defined. + */ + +static void set_ambient_cap(int cap) +{ + int rc; + + capng_get_caps_process(); + rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap); + if (rc) { + printf("Cannot add inheritable cap\n"); + exit(2); + } + capng_apply(CAPNG_SELECT_CAPS); + + /* Note the two 0s at the end. Kernel checks for these */ + if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { + perror("Cannot set cap"); + exit(1); + } +} + +int main(int argc, char **argv) +{ + int rc; + + set_ambient_cap(CAP_NET_RAW); + set_ambient_cap(CAP_NET_ADMIN); + set_ambient_cap(CAP_SYS_NICE); + + printf("Ambient_test forking shell\n"); + if (execv(argv[1], argv + 1)) + perror("Cannot exec"); + + return 0; +} + +Signed-off-by: Christoph Lameter <cl@linux.com> # Original author +Signed-off-by: Andy Lutomirski <luto@kernel.org> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> +Acked-by: Kees Cook <keescook@chromium.org> +Cc: Jonathan Corbet <corbet@lwn.net> +Cc: Aaron Jones <aaronmdjones@gmail.com> +Cc: Ted Ts'o <tytso@mit.edu> +Cc: Andrew G. Morgan <morgan@kernel.org> +Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> +Cc: Austin S Hemmelgarn <ahferroin7@gmail.com> +Cc: Markku Savela <msa@moth.iki.fi> +Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> +Cc: Michael Kerrisk <mtk.manpages@gmail.com> +Cc: James Morris <james.l.morris@oracle.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08) + +Bug: 31038224 +Change-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c +Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com> +--- + fs/proc/array.c | 5 +- + include/linux/cred.h | 8 +++ + include/uapi/linux/prctl.h | 7 +++ + kernel/user_namespace.c | 1 + + security/commoncap.c | 102 +++++++++++++++++++++++++++++++---- + security/keys/process_keys.c | 1 + + 6 files changed, 113 insertions(+), 11 deletions(-) + +diff --git a/fs/proc/array.c b/fs/proc/array.c +index 44a6da1a9d499..c260202549a4b 100644 +--- a/fs/proc/array.c ++++ b/fs/proc/array.c +@@ -306,7 +306,8 @@ static void render_cap_t(struct seq_file *m, const char *header, + static inline void task_cap(struct seq_file *m, struct task_struct *p) + { + const struct cred *cred; +- kernel_cap_t cap_inheritable, cap_permitted, cap_effective, cap_bset; ++ kernel_cap_t cap_inheritable, cap_permitted, cap_effective, ++ cap_bset, cap_ambient; + + rcu_read_lock(); + cred = __task_cred(p); +@@ -314,12 +315,14 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p) + cap_permitted = cred->cap_permitted; + cap_effective = cred->cap_effective; + cap_bset = cred->cap_bset; ++ cap_ambient = cred->cap_ambient; + rcu_read_unlock(); + + render_cap_t(m, "CapInh:\t", &cap_inheritable); + render_cap_t(m, "CapPrm:\t", &cap_permitted); + render_cap_t(m, "CapEff:\t", &cap_effective); + render_cap_t(m, "CapBnd:\t", &cap_bset); ++ render_cap_t(m, "CapAmb:\t", &cap_ambient); + } + + static inline void task_seccomp(struct seq_file *m, struct task_struct *p) +diff --git a/include/linux/cred.h b/include/linux/cred.h +index e8b8574f57dc2..9bdb6a13c3379 100644 +--- a/include/linux/cred.h ++++ b/include/linux/cred.h +@@ -123,6 +123,7 @@ struct cred { + kernel_cap_t cap_permitted; /* caps we're permitted */ + kernel_cap_t cap_effective; /* caps we can actually use */ + kernel_cap_t cap_bset; /* capability bounding set */ ++ kernel_cap_t cap_ambient; /* Ambient capability set */ + #ifdef CONFIG_KEYS + unsigned char jit_keyring; /* default keyring to attach requested + * keys to */ +@@ -198,6 +199,13 @@ static inline void validate_process_creds(void) + } + #endif + ++static inline bool cap_ambient_invariant_ok(const struct cred *cred) ++{ ++ return cap_issubset(cred->cap_ambient, ++ cap_intersect(cred->cap_permitted, ++ cred->cap_inheritable)); ++} ++ + /** + * get_new_cred - Get a reference on a new set of credentials + * @cred: The new credentials to reference +diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h +index b873affd5f6e0..69e25ad49bbf0 100644 +--- a/include/uapi/linux/prctl.h ++++ b/include/uapi/linux/prctl.h +@@ -165,4 +165,11 @@ + # define PR_SPEC_DISABLE (1UL << 2) + # define PR_SPEC_FORCE_DISABLE (1UL << 3) + ++/* Control the ambient capability set */ ++#define PR_CAP_AMBIENT 47 ++# define PR_CAP_AMBIENT_IS_SET 1 ++# define PR_CAP_AMBIENT_RAISE 2 ++# define PR_CAP_AMBIENT_LOWER 3 ++# define PR_CAP_AMBIENT_CLEAR_ALL 4 ++ + #endif /* _LINUX_PRCTL_H */ +diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c +index 0d48e986cb360..fe5e2362c96bf 100644 +--- a/kernel/user_namespace.c ++++ b/kernel/user_namespace.c +@@ -42,6 +42,7 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns) + cred->cap_inheritable = CAP_EMPTY_SET; + cred->cap_permitted = CAP_FULL_SET; + cred->cap_effective = CAP_FULL_SET; ++ cred->cap_ambient = CAP_EMPTY_SET; + cred->cap_bset = CAP_FULL_SET; + #ifdef CONFIG_KEYS + key_put(cred->request_key_auth); +diff --git a/security/commoncap.c b/security/commoncap.c +index 24c635fff5a4b..fc02de385bf94 100644 +--- a/security/commoncap.c ++++ b/security/commoncap.c +@@ -277,6 +277,16 @@ int cap_capset(struct cred *new, + new->cap_effective = *effective; + new->cap_inheritable = *inheritable; + new->cap_permitted = *permitted; ++ ++ /* ++ * Mask off ambient bits that are no longer both permitted and ++ * inheritable. ++ */ ++ new->cap_ambient = cap_intersect(new->cap_ambient, ++ cap_intersect(*permitted, ++ *inheritable)); ++ if (WARN_ON(!cap_ambient_invariant_ok(new))) ++ return -EINVAL; + return 0; + } + +@@ -357,6 +367,7 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps, + + /* + * pP' = (X & fP) | (pI & fI) ++ * The addition of pA' is handled later. + */ + new->cap_permitted.cap[i] = + (new->cap_bset.cap[i] & permitted) | +@@ -488,10 +499,13 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + { + const struct cred *old = current_cred(); + struct cred *new = bprm->cred; +- bool effective, has_cap = false; ++ bool effective, has_cap = false, is_setid; + int ret; + kuid_t root_uid; + ++ if (WARN_ON(!cap_ambient_invariant_ok(old))) ++ return -EPERM; ++ + effective = false; + ret = get_file_caps(bprm, &effective, &has_cap); + if (ret < 0) +@@ -536,8 +550,9 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + * + * In addition, if NO_NEW_PRIVS, then ensure we get no new privs. + */ +- if ((!uid_eq(new->euid, old->uid) || +- !gid_eq(new->egid, old->gid) || ++ is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid); ++ ++ if ((is_setid || + !cap_issubset(new->cap_permitted, old->cap_permitted)) && + bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { + /* downgrade; they get no more than they had, and maybe less */ +@@ -553,10 +568,28 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + new->suid = new->fsuid = new->euid; + new->sgid = new->fsgid = new->egid; + ++ /* File caps or setid cancels ambient. */ ++ if (has_cap || is_setid) ++ cap_clear(new->cap_ambient); ++ ++ /* ++ * Now that we've computed pA', update pP' to give: ++ * pP' = (X & fP) | (pI & fI) | pA' ++ */ ++ new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient); ++ ++ /* ++ * Set pE' = (fE ? pP' : pA'). Because pA' is zero if fE is set, ++ * this is the same as pE' = (fE ? pP' : 0) | pA'. ++ */ + if (effective) + new->cap_effective = new->cap_permitted; + else +- cap_clear(new->cap_effective); ++ new->cap_effective = new->cap_ambient; ++ ++ if (WARN_ON(!cap_ambient_invariant_ok(new))) ++ return -EPERM; ++ + bprm->cap_effective = effective; + + /* +@@ -571,7 +604,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + * Number 1 above might fail if you don't have a full bset, but I think + * that is interesting information to audit. + */ +- if (!cap_isclear(new->cap_effective)) { ++ if (!cap_issubset(new->cap_effective, new->cap_ambient)) { + if (!cap_issubset(CAP_FULL_SET, new->cap_effective) || + !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) || + issecure(SECURE_NOROOT)) { +@@ -582,6 +615,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) + } + + new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); ++ ++ if (WARN_ON(!cap_ambient_invariant_ok(new))) ++ return -EPERM; ++ + return 0; + } + +@@ -603,7 +640,7 @@ int cap_bprm_secureexec(struct linux_binprm *bprm) + if (!uid_eq(cred->uid, root_uid)) { + if (bprm->cap_effective) + return 1; +- if (!cap_isclear(cred->cap_permitted)) ++ if (!cap_issubset(cred->cap_permitted, cred->cap_ambient)) + return 1; + } + +@@ -705,10 +742,18 @@ static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old) + uid_eq(old->suid, root_uid)) && + (!uid_eq(new->uid, root_uid) && + !uid_eq(new->euid, root_uid) && +- !uid_eq(new->suid, root_uid)) && +- !issecure(SECURE_KEEP_CAPS)) { +- cap_clear(new->cap_permitted); +- cap_clear(new->cap_effective); ++ !uid_eq(new->suid, root_uid))) { ++ if (!issecure(SECURE_KEEP_CAPS)) { ++ cap_clear(new->cap_permitted); ++ cap_clear(new->cap_effective); ++ } ++ ++ /* ++ * Pre-ambient programs expect setresuid to nonroot followed ++ * by exec to drop capabilities. We should make sure that ++ * this remains the case. ++ */ ++ cap_clear(new->cap_ambient); + } + if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid)) + cap_clear(new->cap_effective); +@@ -940,6 +985,43 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, + new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS); + goto changed; + ++ case PR_CAP_AMBIENT: ++ if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) { ++ if (arg3 | arg4 | arg5) ++ return -EINVAL; ++ ++ new = prepare_creds(); ++ if (!new) ++ return -ENOMEM; ++ cap_clear(new->cap_ambient); ++ return commit_creds(new); ++ } ++ ++ if (((!cap_valid(arg3)) | arg4 | arg5)) ++ return -EINVAL; ++ ++ if (arg2 == PR_CAP_AMBIENT_IS_SET) { ++ return !!cap_raised(current_cred()->cap_ambient, arg3); ++ } else if (arg2 != PR_CAP_AMBIENT_RAISE && ++ arg2 != PR_CAP_AMBIENT_LOWER) { ++ return -EINVAL; ++ } else { ++ if (arg2 == PR_CAP_AMBIENT_RAISE && ++ (!cap_raised(current_cred()->cap_permitted, arg3) || ++ !cap_raised(current_cred()->cap_inheritable, ++ arg3))) ++ return -EPERM; ++ ++ new = prepare_creds(); ++ if (!new) ++ return -ENOMEM; ++ if (arg2 == PR_CAP_AMBIENT_RAISE) ++ cap_raise(new->cap_ambient, arg3); ++ else ++ cap_lower(new->cap_ambient, arg3); ++ return commit_creds(new); ++ } ++ + default: + /* No functionality available - continue with default */ + error = -ENOSYS; +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index e56b57f04cf96..4dc18af8af116 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -862,6 +862,7 @@ void key_change_session_keyring(struct callback_head *twork) + new->cap_inheritable = old->cap_inheritable; + new->cap_permitted = old->cap_permitted; + new->cap_effective = old->cap_effective; ++ new->cap_ambient = old->cap_ambient; + new->cap_bset = old->cap_bset; + + new->jit_keyring = old->jit_keyring; @@ -6,7 +6,7 @@ set -u pkgbase="linux-lts316" _srcname="linux-3.16" -pkgver="3.16.81" +pkgver="3.16.82" pkgrel='1' arch=('i686' 'x86_64') url="https://www.kernel.org/" @@ -24,29 +24,33 @@ source=( # standard config files for mkinitcpio ramdisk 'linux.preset' 'change-default-console-loglevel.patch' - '0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch' # https://www.reddit.com/r/linuxquestions/comments/903xwq/unable_to_compile_working_kernel_modules_anymore/ + #'0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch' # https://www.reddit.com/r/linuxquestions/comments/903xwq/unable_to_compile_working_kernel_modules_anymore/ '0001-binutils.2.31.max-page-size.patch' # http://lists.gnu.org/archive/html/bug-binutils/2018-03/msg00193.html + '0002-binutils.2.34.sysexit.patch' # https://gist.github.com/bbidulock/263c5c3aee34e3a1b09dca0b937c210b + '0003-systemd.245.kernel.316.ambient.capabilities.patch' # https://github.com/hardkernel/linux/commit/2ddfe869e9964afe1175919557e6b4f18b78941a 'update.sh' ) md5sums=('5c569ed649a0c9711879f333e90c5386' - '40d08732754c661356ca5a8e86005a58' + '8da6a4c655cecd0f2657436334a60d9c' '5c85a1cef25029a8eb87d0edeec0cb04' 'f45197ec50bb5f7a85991f6e99ad49c6' '90cd68710e3064d9b65f5549570f7821' 'eb14dcfd80c00852ef81ded6e826826a' 'df7fceae6ee5d7e7be7b60ecd7f6bb35' - 'faaee4c0db3a87bb45aa4e964727f308' '07dc499a909a3bb63fc3fdc0d0652e64' + '43d62abf4cd27fa1863759ac87b62ac5' + '4f2248545c0a3997a1d301195b7dcfe7' 'e6a1be64b190d846648d671c012d6dd3') sha256sums=('4813ad7927a7d92e5339a873ab16201b242b2748934f12cb5df9ba2cfe1d77a0' - '9eee44021dc9e229c2d1b1601cec0d6e623e00147fd27b0fd0cf624fcdcee24d' + '82bd3706afe2beff9ff9a00fae0dd7f92e6f8f300ba0bbe8cc778c2bced20a11' '3bce3e9adce8ae3f826eebab75e9784ca92a914e526ae352de61c1da93aab8d3' '328539797005cb43362b75ca9965791a1ed34525101c286e4fb49694faa40e4c' '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0' 'f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c' '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99' - 'b0f101562baca5f8aed72ba90638763ef2be8f4618c111a50334970dd03dfb4b' 'f71e0de924013fe60c3cbed45f322e6a09942db978daeddd18adb8582373b5ed' + '2c80046fa78bfa6e26ae6d8ac312142d9d67b394914fee423578583fe7ab15db' + 'abbb27b46cf00bf6d4859c4d8dfcf1d6f32e385d3dbf04790abda8b4dae6540a' '4dad3093e0c2bd7dafd30a0344b4df6432c3a7d1422edc4e0d1e6201aa513648') _kernelname=${pkgbase#linux} @@ -78,11 +82,18 @@ prepare() { # diff -pNaru5 'linux-3.16'{.61.orig,} > 'new_0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch' #(cd ..; cp -pr "${_srcname}"{,.61.orig}) - patch -Nup1 -i "${srcdir}/0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch" - # false + #patch -Nup1 -i "${srcdir}/0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch" patch -Nup1 -i "${srcdir}/0001-binutils.2.31.max-page-size.patch" + # Fix for binutils 2.34 + patch -Nup1 -i "${srcdir}/0002-binutils.2.34.sysexit.patch" + + # Fix for systemd 245 + # https://forum.odroid.com/viewtopic.php?f=141&t=38171 + # by stas-t Re: C2 won't boot up after upgrading systemd to 245-1 on Arch + patch -Nup1 -i "${srcdir}/0003-systemd.245.kernel.316.ambient.capabilities.patch" + declare -A _config=([i686]='config' [x86_64]='config.x86_64') cat "${srcdir}/${_config[${CARCH}]}" > './.config' if [ "${_kernelname}" != "" ]; then |