diff options
| -rw-r--r-- | .SRCINFO | 26 | ||||
| -rw-r--r-- | 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch | 154 | ||||
| -rw-r--r-- | PKGBUILD | 24 | ||||
| -rw-r--r-- | pci-enable-overrides-for-missing-acs-capabilities.patch | 193 |
4 files changed, 25 insertions, 372 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-clear pkgdesc = Clear Linux - pkgver = 5.13.19 + pkgver = 5.14.8 pkgrel = 1 url = https://github.com/clearlinux-pkgs/linux arch = x86_64 @@ -12,22 +12,22 @@ pkgbase = linux-clear makedepends = libelf makedepends = xmlto options = !strip - source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.xz - source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.sign - source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.13.19.xz - source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.13.17-1074 - source = more-uarches-20210818.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210818.tar.gz - source = pci-enable-overrides-for-missing-acs-capabilities.patch - source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch + source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.xz + source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.sign + source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.14.8.xz + source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.14.8-1078 + source = more-uarches-20210914.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210914.tar.gz + source = 0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch + source = 0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E - sha256sums = 3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9 + sha256sums = 7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2 sha256sums = SKIP - sha256sums = 6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71 + sha256sums = 3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9 sha256sums = SKIP - sha256sums = d361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf - sha256sums = 2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e - sha256sums = 34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba + sha256sums = b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611 + sha256sums = 1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd + sha256sums = ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28 pkgname = linux-clear pkgdesc = The Clear Linux kernel and modules diff --git a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch deleted file mode 100644 index cda2acbc21ed..000000000000 --- a/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch +++ /dev/null @@ -1,154 +0,0 @@ -From a0a84528e06b99d83046fd16d2fa132c8d20a46c Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Mon, 16 Sep 2019 04:53:20 +0200 -Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged - CLONE_NEWUSER - -Our default behavior continues to match the vanilla kernel. ---- - include/linux/user_namespace.h | 4 ++++ - init/Kconfig | 16 ++++++++++++++++ - kernel/fork.c | 14 ++++++++++++++ - kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 7 +++++++ - 5 files changed, 53 insertions(+) - -diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h -index 1d08dbbcf..180da8f71 100644 ---- a/include/linux/user_namespace.h -+++ b/include/linux/user_namespace.h -@@ -112,6 +112,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type); - - #ifdef CONFIG_USER_NS - -+extern int unprivileged_userns_clone; -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - if (ns) -@@ -145,6 +147,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns); - struct ns_common *ns_get_owner(struct ns_common *ns); - #else - -+#define unprivileged_userns_clone 0 -+ - static inline struct user_namespace *get_user_ns(struct user_namespace *ns) - { - return &init_user_ns; -diff --git a/init/Kconfig b/init/Kconfig -index a61c92066..6a2920f2e 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1195,6 +1195,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/fork.c b/kernel/fork.c -index a070caed5..03baafd70 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -98,6 +98,10 @@ - #include <linux/io_uring.h> - #include <linux/bpf.h> - -+#ifdef CONFIG_USER_NS -+#include <linux/user_namespace.h> -+#endif -+ - #include <asm/pgalloc.h> - #include <linux/uaccess.h> - #include <asm/mmu_context.h> -@@ -1871,6 +1875,10 @@ static __latent_entropy struct task_struct *copy_process( - if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) - return ERR_PTR(-EINVAL); - -+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) -+ if (!capable(CAP_SYS_ADMIN)) -+ return ERR_PTR(-EPERM); -+ - /* - * Thread groups must share signals as well, and detached threads - * can only be started up within the thread group. -@@ -2973,6 +2981,12 @@ int ksys_unshare(unsigned long unshare_flags) - if (unshare_flags & CLONE_NEWNS) - unshare_flags |= CLONE_FS; - -+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { -+ err = -EPERM; -+ if (!capable(CAP_SYS_ADMIN)) -+ goto bad_unshare_out; -+ } -+ - err = check_unshare_flags(unshare_flags); - if (err) - goto bad_unshare_out; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index d4a78e08f..0260dfe2d 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -103,6 +103,9 @@ - #ifdef CONFIG_LOCKUP_DETECTOR - #include <linux/nmi.h> - #endif -+#ifdef CONFIG_USER_NS -+#include <linux/user_namespace.h> -+#endif - - #if defined(CONFIG_SYSCTL) - -@@ -1896,6 +1899,15 @@ static struct ctl_table kern_table[] = { - .proc_handler = proc_dointvec, - }, - #endif -+#ifdef CONFIG_USER_NS -+ { -+ .procname = "unprivileged_userns_clone", -+ .data = &unprivileged_userns_clone, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec, -+ }, -+#endif - #ifdef CONFIG_PROC_SYSCTL - { - .procname = "tainted", -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 8d6286372..5ca391b2b 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -21,6 +21,13 @@ - #include <linux/bsearch.h> - #include <linux/sort.h> - -+/* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else -+int unprivileged_userns_clone; -+#endif -+ - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); - --- -2.32.0.93.g670b81a890 - @@ -73,10 +73,10 @@ _use_current= ### IMPORTANT: Do no edit below this line unless you know what you're doing -_major=5.13 -_minor=19 +_major=5.14 +_minor=8 _srcname=linux-${_major} -_clr=${_major}.17-1074 +_clr=${_major}.8-1078 pkgbase=linux-clear pkgver=${_major}.${_minor} pkgrel=1 @@ -86,15 +86,15 @@ url="https://github.com/clearlinux-pkgs/linux" license=('GPL2') makedepends=('bc' 'cpio' 'git' 'kmod' 'libelf' 'xmlto') options=('!strip') -_gcc_more_v='20210818' +_gcc_more_v='20210914' source=( "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.xz" "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.sign" "https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-${pkgver}.xz" "clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=${_clr}" "more-uarches-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/$_gcc_more_v.tar.gz" - 'pci-enable-overrides-for-missing-acs-capabilities.patch' - '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch' + "0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch" + "0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch" ) export KBUILD_BUILD_HOST=archlinux @@ -185,7 +185,7 @@ prepare() { # https://github.com/graysky2/kernel_compiler_patch # make sure to apply after olddefconfig to allow the next section echo "Patching to enable GCC optimization for other uarchs..." - patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8+.patch" + patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8-5.14.patch" if [ -n "$_subarch" ]; then # user wants a subarch so apply choice defined above interactively via 'yes' @@ -351,13 +351,13 @@ for _p in "${pkgname[@]}"; do }" done -sha256sums=('3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9' +sha256sums=('7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2' 'SKIP' - '6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71' + '3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9' 'SKIP' - 'd361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf' - '2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e' - '34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba') + 'b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611' + '1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd' + 'ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds diff --git a/pci-enable-overrides-for-missing-acs-capabilities.patch b/pci-enable-overrides-for-missing-acs-capabilities.patch deleted file mode 100644 index 26b999268ea6..000000000000 --- a/pci-enable-overrides-for-missing-acs-capabilities.patch +++ /dev/null @@ -1,193 +0,0 @@ -From f56f33917f418568141184eb2503ec65309a8255 Mon Sep 17 00:00:00 2001 -From: Mark Weiman <mark.weiman@markzz.com> -Date: Thu, 13 Dec 2018 13:15:16 -0500 -Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.18) - -This an updated version of Alex Williamson's patch from: -https://lkml.org/lkml/2013/5/30/513 - -Original commit message follows: ---- -PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that -allows us to control whether transactions are allowed to be redirected -in various subnodes of a PCIe topology. For instance, if two -endpoints are below a root port or downsteam switch port, the -downstream port may optionally redirect transactions between the -devices, bypassing upstream devices. The same can happen internally -on multifunction devices. The transaction may never be visible to the -upstream devices. - -One upstream device that we particularly care about is the IOMMU. If -a redirection occurs in the topology below the IOMMU, then the IOMMU -cannot provide isolation between devices. This is why the PCIe spec -encourages topologies to include ACS support. Without it, we have to -assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation. - -Unfortunately, far too many topologies do not support ACS to make this -a steadfast requirement. Even the latest chipsets from Intel are only -sporadically supporting ACS. We have trouble getting interconnect -vendors to include the PCIe spec required PCIe capability, let alone -suggested features. - -Therefore, we need to add some flexibility. The pcie_acs_override= -boot option lets users opt-in specific devices or sets of devices to -assume ACS support. The "downstream" option assumes full ACS support -on root ports and downstream switch ports. The "multifunction" -option assumes the subset of ACS features available on multifunction -endpoints and upstream switch ports are supported. The "id:nnnn:nnnn" -option enables ACS support on devices matching the provided vendor -and device IDs, allowing more strategic ACS overrides. These options -may be combined in any order. A maximum of 16 id specific overrides -are available. It's suggested to use the most limited set of options -necessary to avoid completely disabling ACS across the topology. -Note to hardware vendors, we have facilities to permanently quirk -specific devices which enforce isolation but not provide an ACS -capability. Please contact me to have your devices added and save -your customers the hassle of this boot option. ---- - .../admin-guide/kernel-parameters.txt | 8 ++ - drivers/pci/quirks.c | 102 ++++++++++++++++++ - 2 files changed, 110 insertions(+) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 0c404cda531a..0d45f0014f4a 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -3408,6 +3408,14 @@ - nomsi [MSI] If the PCI_MSI kernel config parameter is - enabled, this kernel boot option can be used to - disable the use of MSI interrupts system-wide. -+ pci_acs_override [PCIE] Override missing PCIe ACS support for: -+ downstream -+ All downstream ports - full ACS capabilities -+ multifunction -+ Add multifunction devices - multifunction ACS subset -+ id:nnnn:nnnn -+ Specific device - full ACS capabilities -+ Specified as vid:did (vendor/device ID) in hex - noioapicquirk [APIC] Disable all boot interrupt quirks. - Safety option to keep boot IRQs enabled. This - should never be necessary. -diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c -index c0673a717239..695d99b390f7 100644 ---- a/drivers/pci/quirks.c -+++ b/drivers/pci/quirks.c -@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void) - } - fs_initcall_sync(pci_apply_final_quirks); - -+static bool acs_on_downstream; -+static bool acs_on_multifunction; -+ -+#define NUM_ACS_IDS 16 -+struct acs_on_id { -+ unsigned short vendor; -+ unsigned short device; -+}; -+static struct acs_on_id acs_on_ids[NUM_ACS_IDS]; -+static u8 max_acs_id; -+ -+static __init int pcie_acs_override_setup(char *p) -+{ -+ if (!p) -+ return -EINVAL; -+ -+ while (*p) { -+ if (!strncmp(p, "downstream", 10)) -+ acs_on_downstream = true; -+ if (!strncmp(p, "multifunction", 13)) -+ acs_on_multifunction = true; -+ if (!strncmp(p, "id:", 3)) { -+ char opt[5]; -+ int ret; -+ long val; -+ -+ if (max_acs_id >= NUM_ACS_IDS - 1) { -+ pr_warn("Out of PCIe ACS override slots (%d)\n", -+ NUM_ACS_IDS); -+ goto next; -+ } -+ -+ p += 3; -+ snprintf(opt, 5, "%s", p); -+ ret = kstrtol(opt, 16, &val); -+ if (ret) { -+ pr_warn("PCIe ACS ID parse error %d\n", ret); -+ goto next; -+ } -+ acs_on_ids[max_acs_id].vendor = val; -+ p += strcspn(p, ":"); -+ if (*p != ':') { -+ pr_warn("PCIe ACS invalid ID\n"); -+ goto next; -+ } -+ -+ p++; -+ snprintf(opt, 5, "%s", p); -+ ret = kstrtol(opt, 16, &val); -+ if (ret) { -+ pr_warn("PCIe ACS ID parse error %d\n", ret); -+ goto next; -+ } -+ acs_on_ids[max_acs_id].device = val; -+ max_acs_id++; -+ } -+next: -+ p += strcspn(p, ","); -+ if (*p == ',') -+ p++; -+ } -+ -+ if (acs_on_downstream || acs_on_multifunction || max_acs_id) -+ pr_warn("Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n"); -+ -+ return 0; -+} -+early_param("pcie_acs_override", pcie_acs_override_setup); -+ -+static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags) -+{ -+ int i; -+ -+ /* Never override ACS for legacy devices or devices with ACS caps */ -+ if (!pci_is_pcie(dev) || -+ pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS)) -+ return -ENOTTY; -+ -+ for (i = 0; i < max_acs_id; i++) -+ if (acs_on_ids[i].vendor == dev->vendor && -+ acs_on_ids[i].device == dev->device) -+ return 1; -+ -+switch (pci_pcie_type(dev)) { -+ case PCI_EXP_TYPE_DOWNSTREAM: -+ case PCI_EXP_TYPE_ROOT_PORT: -+ if (acs_on_downstream) -+ return 1; -+ break; -+ case PCI_EXP_TYPE_ENDPOINT: -+ case PCI_EXP_TYPE_UPSTREAM: -+ case PCI_EXP_TYPE_LEG_END: -+ case PCI_EXP_TYPE_RC_END: -+ if (acs_on_multifunction && dev->multifunction) -+ return 1; -+ } -+ -+ return -ENOTTY; -+} -+ - /* - * Decoding should be disabled for a PCI device during BAR sizing to avoid - * conflict. But doing so may cause problems on host bridge and perhaps other -@@ -4674,6 +4674,8 @@ static const struct pci_dev_acs_enabled { - { PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs }, - /* Zhaoxin Root/Downstream Ports */ - { PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs }, -+ /* allow acs for any */ -+ { PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides }, - { 0 } - }; - --- -2.20.0 - |