-rw-r--r-- | .SRCINFO | 9 | ||||
-rw-r--r-- | PKGBUILD | 9 | ||||
-rw-r--r-- | config | 40 | ||||
-rw-r--r-- | mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch | 48 | ||||
-rw-r--r-- | sphinx-workaround.patch | 13 |
5 files changed, 12 insertions, 107 deletions
@@ -1,6 +1,6 @@ pkgbase = linux-hardened-git pkgdesc = Security-Hardened Linux - pkgver = 5.9.6.r952626.gf86102e71f88 + pkgver = 5.10.0.r968847.g03e49cfe857e pkgrel = 1 url = https://github.com/anthraxx/linux-hardened arch = x86_64 @@ -15,17 +15,14 @@ pkgbase = linux-hardened-git makedepends = imagemagick makedepends = git options = !strip - source = linux-hardened::git+https://github.com/anthraxx/linux-hardened#branch=5.9?signed + source = linux-hardened::git+https://github.com/anthraxx/linux-hardened#branch=5.10?signed source = config - source = sphinx-workaround.patch - source = mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A validpgpkeys = E240B57E2C4630BA768E2F26FC1B547C8D8172C8 sha256sums = SKIP - sha256sums = 6194d19722b7f85e34002037fd9a4826fdf5ea317f9b49d463038f8a5ce2bf48 - sha256sums = 8cb21e0b3411327b627a9dd15b8eb773295a0d2782b1a41b2a8839d1b2f5778c + sha256sums = ce6e2d6ee77d3e0df88b74d7f205b75c452e414a945159c0b226431c3ce1208d pkgname = linux-hardened-git pkgdesc = The Security-Hardened Linux kernel and modules @@ -5,8 +5,8 @@ pkgbase=linux-hardened-git _srcname=${pkgbase/-git/} -_gitbranch=5.9 -pkgver=5.9.6.r952626.gf86102e71f88 +_gitbranch=5.10 +pkgver=5.10.0.r968847.g03e49cfe857e pkgrel=1 pkgdesc='Security-Hardened Linux' url='https://github.com/anthraxx/linux-hardened' @@ -21,8 +21,6 @@ options=('!strip') source=( "${_srcname}::git+https://github.com/anthraxx/linux-hardened#branch=${_gitbranch}?signed" config # the main kernel config files - sphinx-workaround.patch - mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch ) validpgpkeys=( 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds 
@@ -31,8 +29,7 @@ validpgpkeys=( 'E240B57E2C4630BA768E2F26FC1B547C8D8172C8' # Levente Polyak ) sha256sums=('SKIP' - '6194d19722b7f85e34002037fd9a4826fdf5ea317f9b49d463038f8a5ce2bf48' - '8cb21e0b3411327b627a9dd15b8eb773295a0d2782b1a41b2a8839d1b2f5778c') + 'ce6e2d6ee77d3e0df88b74d7f205b75c452e414a945159c0b226431c3ce1208d') export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_USER=$pkgbase @@ -1,11 +1,11 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 5.9.6 Kernel Configuration +# Linux/x86 5.9.9 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 10.2.0" CONFIG_CC_IS_GCC=y CONFIG_GCC_VERSION=100200 -CONFIG_LD_VERSION=235000000 +CONFIG_LD_VERSION=235010000 CONFIG_CLANG_VERSION=0 CONFIG_CC_CAN_LINK=y CONFIG_CC_CAN_LINK_STATIC=y @@ -1542,32 +1542,8 @@ CONFIG_BRIDGE_EBT_SNAT=m CONFIG_BRIDGE_EBT_LOG=m CONFIG_BRIDGE_EBT_NFLOG=m # CONFIG_BPFILTER is not set -CONFIG_IP_DCCP=m -CONFIG_INET_DCCP_DIAG=m - -# -# DCCP CCIDs Configuration -# -# CONFIG_IP_DCCP_CCID2_DEBUG is not set -CONFIG_IP_DCCP_CCID3=y -# CONFIG_IP_DCCP_CCID3_DEBUG is not set -CONFIG_IP_DCCP_TFRC_LIB=y -# end of DCCP CCIDs Configuration - -# -# DCCP Kernel Hacking -# -# CONFIG_IP_DCCP_DEBUG is not set -# end of DCCP Kernel Hacking - -CONFIG_IP_SCTP=m -# CONFIG_SCTP_DBG_OBJCNT is not set -# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set -CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y -# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set -CONFIG_SCTP_COOKIE_HMAC_MD5=y -CONFIG_SCTP_COOKIE_HMAC_SHA1=y -CONFIG_INET_SCTP_DIAG=m +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set CONFIG_RDS=m CONFIG_RDS_RDMA=m CONFIG_RDS_TCP=m @@ -2875,7 +2851,6 @@ CONFIG_MD_RAID10=m CONFIG_MD_RAID456=m CONFIG_MD_MULTIPATH=m CONFIG_MD_FAULTY=m -CONFIG_MD_CLUSTER=m CONFIG_BCACHE=m # CONFIG_BCACHE_DEBUG is not set # CONFIG_BCACHE_CLOSURES_DEBUG is not set 
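Review bot: The config header in the `@@ -1,11 +1,11 @@` hunk is updated to `# Linux/x86 5.9.9 Kernel Configuration`, while the same commit moves the package to `_gitbranch=5.10` and a `5.10.0` pkgver, so the committed config appears to come from a 5.9 tree rather than the one it will build. The build steps are not visible on this page; if they reconcile the file with something like `make olddefconfig`, every symbol introduced in 5.10 takes its Kconfig default without appearing in this diff. For a hardened kernel that leaves new attack surface and new hardening options unreviewed. Regenerating the config against the 5.10 branch and committing that result would put those choices in the diff, next to deliberate reductions such as `# CONFIG_IP_DCCP is not set` and `# CONFIG_IP_SCTP is not set` in the `@@ -1542,32 +1542,8 @@` hunk.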
@@ -7782,7 +7757,6 @@ CONFIG_USB_FTDI_ELAN=m CONFIG_USB_APPLEDISPLAY=m CONFIG_APPLE_MFI_FASTCHARGE=m CONFIG_USB_SISUSBVGA=m -CONFIG_USB_SISUSBVGA_CON=y CONFIG_USB_LD=m CONFIG_USB_TRANCEVIBRATOR=m CONFIG_USB_IOWARRIOR=m @@ -8151,6 +8125,7 @@ CONFIG_INFINIBAND_USER_MEM=y CONFIG_INFINIBAND_ON_DEMAND_PAGING=y CONFIG_INFINIBAND_ADDR_TRANS=y CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_VIRT_DMA=y CONFIG_INFINIBAND_MTHCA=m CONFIG_INFINIBAND_MTHCA_DEBUG=y CONFIG_INFINIBAND_QIB=m @@ -9865,10 +9840,8 @@ CONFIG_XFS_ONLINE_REPAIR=y # CONFIG_XFS_WARN is not set # CONFIG_XFS_DEBUG is not set CONFIG_GFS2_FS=m -CONFIG_GFS2_FS_LOCKING_DLM=y CONFIG_OCFS2_FS=m CONFIG_OCFS2_FS_O2CB=m -CONFIG_OCFS2_FS_USERSPACE_CLUSTER=m CONFIG_OCFS2_FS_STATS=y CONFIG_OCFS2_DEBUG_MASKLOG=y # CONFIG_OCFS2_DEBUG_FS is not set @@ -10210,8 +10183,7 @@ CONFIG_NLS_MAC_INUIT=m CONFIG_NLS_MAC_ROMANIAN=m CONFIG_NLS_MAC_TURKISH=m CONFIG_NLS_UTF8=m -CONFIG_DLM=m -# CONFIG_DLM_DEBUG is not set +# CONFIG_DLM is not set CONFIG_UNICODE=y # CONFIG_UNICODE_NORMALIZATION_SELFTEST is not set CONFIG_IO_WQ=y diff --git a/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch b/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch deleted file mode 100644 index 199ee80dc0f9..000000000000 --- a/mac80211-fix-regression-where-EAPOL-frames-were-sent-in-plaintext.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From d30a6f983b360a08f962f5b3199b733df2e02418 Mon Sep 17 00:00:00 2001 -From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be> -Date: Sat, 17 Oct 2020 23:08:18 +0400 -Subject: mac80211: fix regression where EAPOL frames were sent in plaintext - -When sending EAPOL frames via NL80211 they are treated as injected -frames in mac80211. Due to commit 1df2bdba528b ("mac80211: never drop -injected frames even if normally not allowed") these injected frames -were not assigned a sta context in the function ieee80211_tx_dequeue, -causing certain wireless network cards to always send EAPOL frames in -plaintext. This may cause compatibility issues with some clients or -APs, which for instance can cause the group key handshake to fail and -in turn would cause the station to get disconnected. - -This commit fixes this regression by assigning a sta context in -ieee80211_tx_dequeue to injected frames as well. - -Note that sending EAPOL frames in plaintext is not a security issue -since they contain their own encryption and authentication protection. - -Fixes: 1df2bdba528b ("mac80211: never drop injected frames even if normally not allowed") ---- - net/mac80211/tx.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index 282b0bc201ee..aa486e202a57 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -3613,13 +3613,14 @@ begin: - tx.skb = skb; - tx.sdata = vif_to_sdata(info->control.vif); - -- if (txq->sta && !(info->flags & IEEE80211_TX_CTL_INJECTED)) { -+ if (txq->sta) { - tx.sta = container_of(txq->sta, struct sta_info, sta); - /* - * Drop unicast frames to unauthorised stations unless they are -- * EAPOL frames from the local station. -+ * injected frames or EAPOL frames from the local station. 
- */ -- if (unlikely(ieee80211_is_data(hdr->frame_control) && -+ if (unlikely(!(info->flags & IEEE80211_TX_CTL_INJECTED) && -+ ieee80211_is_data(hdr->frame_control) && - !ieee80211_vif_is_mesh(&tx.sdata->vif) && - tx.sdata->vif.type != NL80211_IFTYPE_OCB && - !is_multicast_ether_addr(hdr->addr1) && --- diff --git a/sphinx-workaround.patch b/sphinx-workaround.patch deleted file mode 100644 index 1aa3f1c8f66e..000000000000 --- a/sphinx-workaround.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git i/Documentation/conf.py w/Documentation/conf.py -index 3c7bdf4cd31f..9a0ced58a3e9 100644 ---- i/Documentation/conf.py -+++ w/Documentation/conf.py -@@ -36,7 +36,7 @@ needs_sphinx = '1.3' - # Add any Sphinx extension module names here, as strings. They can be - # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom - # ones. --extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', 'cdomain', -+extensions = ['kerneldoc', 'rstFlatTable', 'kernel_include', - 'kfigure', 'sphinx.ext.ifconfig', 'automarkup', - 'maintainers_include'] - |