-rw-r--r-- | .SRCINFO | 22 | ||||
-rw-r--r-- | 4.14.15.a--ReadMe | 18 | ||||
-rw-r--r-- | CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch | 78 | ||||
-rw-r--r-- | CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch | 60 | ||||
-rw-r--r-- | PKGBUILD | 16 | ||||
-rw-r--r-- | config.x86_64 | 3 |
6 files changed, 17 insertions, 180 deletions
@@ -1,6 +1,6 @@
 pkgbase = linux-hardened-apparmor
- pkgver = 4.14.15.a
- pkgrel = 2
+ pkgver = 4.14.17.a
+ pkgrel = 1
 url = https://github.com/copperhead/linux-hardened
 arch = x86_64
 license = GPL2
@@ -13,10 +13,10 @@ pkgbase = linux-hardened-apparmor
 options = !strip
 source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.xz
 source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.14.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.15.sign
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch
- source = https://github.com/thestinger/linux-hardened/releases/download/4.14.15.a/linux-hardened-4.14.15.a.patch.sig
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.17.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.14.17.sign
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.17.a/linux-hardened-4.14.17.a.patch
+ source = https://github.com/thestinger/linux-hardened/releases/download/4.14.17.a/linux-hardened-4.14.17.a.patch.sig
 source = config.x86_64
 source = 60-linux.hook
 source = 90-linux.hook
@@ -24,26 +24,22 @@ pkgbase = linux-hardened-apparmor
 source = xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch
 source = drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
 source = CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
- source = CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- source = CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
 validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
 sha256sums = f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7
 sha256sums = SKIP
- sha256sums = 54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030
+ sha256sums = 1e62d56e37bd15daec7c3d20a605624e1e0a21c44856880c6dbe0c9e41cabfa8
 sha256sums = SKIP
- sha256sums = 55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288
+ sha256sums = 77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1
 sha256sums = SKIP
- sha256sums = 2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0
+ sha256sums = 1c09d2e73fc7940ff7304141430403ea5ba91453abe94755acc361148fe6ff04
 sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
 sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
 sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
 sha256sums = 294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45
 sha256sums = c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148
 sha256sums = 6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9
- sha256sums = b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5
- sha256sums = 72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435
 
 pkgname = linux-hardened-apparmor
 pkgdesc = The Linux-hardened-apparmor kernel and modules
diff --git a/4.14.15.a--ReadMe b/4.14.15.a--ReadMe deleted file mode 100644 index 55cb349c7644..000000000000 --- a/4.14.15.a--ReadMe +++ /dev/null @@ -1,18 +0,0 @@ -Note: Upstream didn't provided the usual linux-hardened patch for 4.14.15. So, the initial release was built directly from the source code found at https://github.com/copperhead/linux-hardened/releases/tag/4.14.15.a Also, upstream failed to sign the above release.... - -However, on the plus side, I have calculated the proper sha256sum for the release, and also applied the appropriate Arch patch sets. - -If upstream updates the release with a rolling patch and/or signatures, I will update the PKGBUILD accordingly - -See https://github.com/copperhead/linux-hardened/releases - -UPDATE: -The signed patch was finally released, and I have updated the PKGBUILD accordingly. However, possibly because linux-hardened-apparmor is now slightly ahead of linux-hardened, I had to make a choice about whether or not to enable "CONFIG_LOCAL_SANITIZE", which zero-fills uninitialized local variables. The default is 'NO'. and since the option requires compiler support, I went with this choice. If this is a problem, let me know. (Note: When linux-hardened is next updated, whether or not this option is enabled will be up to @Anthrax) - -Hopefully, 4.14.16 will see a return to the normal release cycle and linux-hardened-apparmor will be fully in sync with linux-hardened... I apologise for any inconvenience, but it was brought about by things beyond my control and the only alternative would have been to delay the update. - -Irvine - - - - diff --git a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch b/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch deleted file mode 100644 index 60ead713127e..000000000000 --- a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee <cernekee@chromium.org> -Date: Sun, 3 Dec 2017 12:12:45 -0800 -Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, nfnl_cthelper_list is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - - $ nfct helper list - nfct v1.4.4: netlink error: Operation not permitted - $ vpnns -- nfct helper list - { - .name = ftp, - .queuenum = 0, - .l3protonum = 2, - .l4protonum = 6, - .priv_data_len = 24, - .status = enabled, - }; - -Add capable() checks in nfnetlink_cthelper, as this is cleaner than -trying to generalize the solution. - -Signed-off-by: Kevin Cernekee <cernekee@chromium.org> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c -index 41628b393673..d33ce6d5ebce 100644 ---- a/net/netfilter/nfnetlink_cthelper.c -+++ b/net/netfilter/nfnetlink_cthelper.c -@@ -17,6 +17,7 @@ - #include <linux/types.h> - #include <linux/list.h> - #include <linux/errno.h> -+#include <linux/capability.h> - #include <net/netlink.h> - #include <net/sock.h> - -@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - int ret = 0; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) - return -EINVAL; - -@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth; - bool tuple_set = false; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if 
(nlh->nlmsg_flags & NLM_F_DUMP) { - struct netlink_dump_control c = { - .dump = nfnl_cthelper_dump_table, -@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl, - struct nfnl_cthelper *nlcth, *n; - int j = 0, ret; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (tb[NFCTH_NAME]) - helper_name = nla_data(tb[NFCTH_NAME]); - --- -2.15.1 - diff --git a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch b/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch deleted file mode 100644 index 992c336373e3..000000000000 --- a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee <cernekee@chromium.org> -Date: Tue, 5 Dec 2017 15:42:41 -0800 -Subject: [PATCH] netfilter: xt_osf: Add missing permission checks - -The capability check in nfnetlink_rcv() verifies that the caller -has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. -However, xt_osf_fingers is shared by all net namespaces on the -system. An unprivileged user can create user and net namespaces -in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() -check: - - vpnns -- nfnl_osf -f /tmp/pf.os - - vpnns -- nfnl_osf -f /tmp/pf.os -d - -These non-root operations successfully modify the systemwide OS -fingerprint list. Add new capable() checks so that they can't. - -Signed-off-by: Kevin Cernekee <cernekee@chromium.org> -Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> ---- - net/netfilter/xt_osf.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c -index 36e14b1f061d..a34f314a8c23 100644 ---- a/net/netfilter/xt_osf.c -+++ b/net/netfilter/xt_osf.c -@@ -19,6 +19,7 @@ - #include <linux/module.h> - #include <linux/kernel.h> - -+#include <linux/capability.h> - #include <linux/if.h> - #include <linux/inetdevice.h> - #include <linux/ip.h> -@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl, - struct xt_osf_finger *kf = NULL, *sf; - int err = 0; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!osf_attrs[OSF_ATTR_FINGER]) - return -EINVAL; - -@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl, - struct xt_osf_finger *sf; - int err = -ENOENT; - -+ if (!capable(CAP_NET_ADMIN)) -+ return -EPERM; -+ - if (!osf_attrs[OSF_ATTR_FINGER]) - return -EINVAL; - --- -2.15.1 - 
@@ -2,9 +2,9 @@ pkgbase=linux-hardened-apparmor _srcname=linux-4.14 -_pkgver=4.14.15 +_pkgver=4.14.17 pkgver=${_pkgver}.a -pkgrel=2 +pkgrel=1 url='https://github.com/copperhead/linux-hardened' arch=('x86_64') license=('GPL2') @@ -26,25 +26,21 @@ source=(https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch - CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch - CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch ) replaces=('linux-grsec') sha256sums=('f81d59477e90a130857ce18dc02f4fbe5725854911db1e7ba770c7cd350f96a7' 'SKIP' - '54a6359ed333e619db8c5c88020ff20f1e25635337f01f50a7488ec2fc0fe030' + '1e62d56e37bd15daec7c3d20a605624e1e0a21c44856880c6dbe0c9e41cabfa8' 'SKIP' - '55f4dfaf88a98368f29c7503b8a67a35105a11376cd91a1096ed18eabed5a288' + '77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1' 'SKIP' - '2fdd2497e3df02a0624a068605007dc91d92304562977279d54b3381ad6e2ef0' + '1c09d2e73fc7940ff7304141430403ea5ba91453abe94755acc361148fe6ff04' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65' '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45' 'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148' - '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9' - 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5' - '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435') + '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9') validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman diff --git a/config.x86_64 b/config.x86_64 index 8645e3cdf5e3..ae8b3486fa92 100644 --- a/config.x86_64 
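Review bot: The second hunk drops the CVE-2017-17448 and CVE-2017-17450 backports from `source=` (and their checksums) without recording why; the deleted patch files in this same commit carry the mainline ids 4b380c42f7d0 and 916a27901de0, so the removal is only safe if those fixes reached 4.14.y somewhere between 4.14.15 and 4.14.17, which nothing here states. Worth confirming against the stable tree with `git log --oneline v4.14.15..v4.14.17 -- net/netfilter/nfnetlink_cthelper.c net/netfilter/xt_osf.c` and pinning the answer next to the surviving CVE-2017-8824 line, e.g. `# CVE-2017-17448/-17450: carried by 4.14.y stable since 4.14.1x, local backports dropped`, so the next bump does not have to rediscover it. The `source=(` array is opened by the hunk's context line and `sha256sums=(` runs to the end of the hunk, so the entries must stay in lock-step; they do here (three hashes changed, three removed), which is worth a glance on every future patch drop.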
+++ b/config.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.15 Kernel Configuration
+# Linux/x86 4.14.17 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -228,6 +228,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
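Review bot: `CONFIG_BPF_JIT_ALWAYS_ON=y` in the second hunk removes the BPF interpreter fallback, and it can only be selected when `CONFIG_BPF_JIT=y`, which this hunk does not show; confirm that option is set elsewhere in the file rather than trusting `make oldconfig` to have resolved the dependency silently. With the JIT unconditional, constant blinding via the `net.core.bpf_jit_harden` sysctl becomes the remaining defence against JIT spraying; if the linux-hardened patch does not already default it to 2 for this tree, a sysctl drop-in shipped with the package would close that gap. Since the file header declares it generated and gives no rationale, a line in the commit message or the package's README naming this as the Spectre-related hardening the option was backported for would help the next bump.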