-rw-r--r--.SRCINFO20
-rw-r--r--0001-nf_tables-fix-set-double-free-in-abort-path.patch130
-rw-r--r--PKGBUILD28
-rw-r--r--config16
4 files changed, 29 insertions, 165 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 7631f480bd78..e17908819342 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
# Generated by makepkg 5.1.3
-# Wed Apr 3 08:37:29 UTC 2019
+# Mon Apr 15 19:16:22 UTC 2019
pkgbase = linux-rt
- pkgver = 5.0.5_rt3
+ pkgver = 5.0.7_rt5
pkgrel = 1
url = https://git.archlinux.org/linux.git/log/?h=v
arch = x86_64
@@ -15,32 +15,30 @@ pkgbase = linux-rt
makedepends = python-sphinx
makedepends = graphviz
options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.5.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.5.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/5.0/older/patch-5.0.5-rt3.patch.xz
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/5.0/older/patch-5.0.5-rt3.patch.sign
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.7.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v5.x/linux-5.0.7.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/5.0/older/patch-5.0.7-rt5.patch.xz
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/5.0/older/patch-5.0.7-rt5.patch.sign
source = config
source = 60-linux-rt.hook
source = 90-linux-rt.hook
source = linux-rt.preset
source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- source = 0001-nf_tables-fix-set-double-free-in-abort-path.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
validpgpkeys = 8218F88849AAC522E94CF470A5E9288C4FA415FA
validpgpkeys = 64254695FFF0AA4466CC19E67B96E8162A8CF5D1
validpgpkeys = 5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73
validpgpkeys = E644E2F1D45FA0B2EAA02F33109F098506FF0B14
- sha256sums = 5fbd807bf2aa0a80a0bf165692d89aaf3463d03043419b0a9b104f55f12c94d0
+ sha256sums = 16e177662b9fc7255bfc51018513979f6effcbe52e459c543aa83a5b15ef54ec
sha256sums = SKIP
- sha256sums = 4b4e2ac4c77c2780215dcbb96c00b3c6cab01e4cd9be06dd4bae11b5831b4b9f
+ sha256sums = 3d8dd432da73196488991d7f289a6e96e3c36df4d46ec76c468e30593e93ac14
sha256sums = SKIP
- sha256sums = 9e4a6f0233fb9721b5cafff7e95f59149f14acbc958a7956bcfda0c9c5db7fd4
+ sha256sums = fee121cf51bfe83544aa7705b985b0204c814b19b3e3423de4d859ca58b9c2f8
sha256sums = ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21
sha256sums = 75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919
sha256sums = ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65
sha256sums = 75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc
- sha256sums = 1ad551e3ef276c3ee9c9ebb5f0475d5f5fce0f13fed8ab083a1daf5fe0577e41
pkgname = linux-rt
pkgdesc = The Linux-rt kernel and modules
diff --git a/0001-nf_tables-fix-set-double-free-in-abort-path.patch b/0001-nf_tables-fix-set-double-free-in-abort-path.patch
deleted file mode 100644
index c2ca24ed479f..000000000000
--- a/0001-nf_tables-fix-set-double-free-in-abort-path.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From baaea85921178f1bbfcc68d637126e5ea05343e2 Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Fri, 8 Mar 2019 00:58:53 +0100
-Subject: netfilter: nf_tables: fix set double-free in abort path
-
-The abort path can cause a double-free of an anonymous set.
-Added-and-to-be-aborted rule looks like this:
-
-udp dport { 137, 138 } drop
-
-The to-be-aborted transaction list looks like this:
-
-newset
-newsetelem
-newsetelem
-rule
-
-This gets walked in reverse order, so first pass disables the rule, the
-set elements, then the set.
-
-After synchronize_rcu(), we then destroy those in same order: rule, set
-element, set element, newset.
-
-Problem is that the anonymous set has already been bound to the rule, so
-the rule (lookup expression destructor) already frees the set, when then
-cause use-after-free when trying to delete the elements from this set,
-then try to free the set again when handling the newset expression.
-
-Rule releases the bound set in first place from the abort path, this
-causes the use-after-free on set element removal when undoing the new
-element transactions. To handle this, skip new element transaction if
-set is bound from the abort path.
-
-This is still causes the use-after-free on set element removal. To
-handle this, remove transaction from the list when the set is already
-bound.
-
-Joint work with Florian Westphal.
-
-Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
-Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
-Acked-by: Florian Westphal <fw@strlen.de>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- include/net/netfilter/nf_tables.h | 6 ++----
- net/netfilter/nf_tables_api.c | 17 +++++++++++------
- 2 files changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
-index b4984bbbe157..3d58acf94dd2 100644
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -416,7 +416,8 @@ struct nft_set {
- unsigned char *udata;
- /* runtime data below here */
- const struct nft_set_ops *ops ____cacheline_aligned;
-- u16 flags:14,
-+ u16 flags:13,
-+ bound:1,
- genmask:2;
- u8 klen;
- u8 dlen;
-@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
- struct nft_trans_set {
- struct nft_set *set;
- u32 set_id;
-- bool bound;
- };
-
- #define nft_trans_set(trans) \
- (((struct nft_trans_set *)trans->data)->set)
- #define nft_trans_set_id(trans) \
- (((struct nft_trans_set *)trans->data)->set_id)
--#define nft_trans_set_bound(trans) \
-- (((struct nft_trans_set *)trans->data)->bound)
-
- struct nft_trans_chain {
- bool update;
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 4893f248dfdc..e1724f9d8b9d 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
- if (trans->msg_type == NFT_MSG_NEWSET &&
- nft_trans_set(trans) == set) {
-- nft_trans_set_bound(trans) = true;
-+ set->bound = true;
- break;
- }
- }
-@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
- nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
- break;
- case NFT_MSG_NEWSET:
-- if (!nft_trans_set_bound(trans))
-- nft_set_destroy(nft_trans_set(trans));
-+ nft_set_destroy(nft_trans_set(trans));
- break;
- case NFT_MSG_NEWSETELEM:
- nft_set_elem_destroy(nft_trans_elem_set(trans),
-@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
- break;
- case NFT_MSG_NEWSET:
- trans->ctx.table->use--;
-- if (!nft_trans_set_bound(trans))
-- list_del_rcu(&nft_trans_set(trans)->list);
-+ if (nft_trans_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
-+ list_del_rcu(&nft_trans_set(trans)->list);
- break;
- case NFT_MSG_DELSET:
- trans->ctx.table->use++;
-@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
- nft_trans_destroy(trans);
- break;
- case NFT_MSG_NEWSETELEM:
-+ if (nft_trans_elem_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
- te = (struct nft_trans_elem *)trans->data;
--
- te->set->ops->remove(net, te->set, &te->elem);
- atomic_dec(&te->set->nelems);
- break;
---
-cgit v1.2.1-1-g437b
diff --git a/PKGBUILD b/PKGBUILD
index 76f4a7c0f4c8..681724a57851 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,8 +7,8 @@
#pkgbase=linux # Build stock -ARCH kernel
pkgbase=linux-rt # Build kernel with a different name
-_pkgver=5.0.5
-_rtpatchver=rt3
+_pkgver=5.0.7
+_rtpatchver=rt5
pkgver=${_pkgver}_${_rtpatchver}
pkgrel=1
arch=(x86_64)
@@ -27,7 +27,6 @@ source=(
90-${pkgbase}.hook # pacman hook for initramfs regeneration
${pkgbase}.preset # standard config files for mkinitcpio ramdisk
0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- 0001-nf_tables-fix-set-double-free-in-abort-path.patch
)
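Review bot: Removing 0001-nf_tables-fix-set-double-free-in-abort-path.patch from source= is only safe if the 5.0.7 tarball or the rt5 patch already carries upstream commit baaea85921178f1bbfcc68d637126e5ea05343e2 ("netfilter: nf_tables: fix set double-free in abort path", the file deleted above); nothing in this diff shows that the fix reached the stable series, so that should be confirmed against the 5.0.6/5.0.7 changelog before the backport is dropped, otherwise the abort-path double-free/use-after-free the patch addressed is reintroduced in this build. A short note next to the remaining patch entry would stop a future bump from re-adding or silently losing it, e.g. `# nf_tables abort-path double-free fix (baaea8592117) now in upstream stable; local backport dropped`. The source=( array begins before this hunk, so any other patch entries are not visible here.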
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
@@ -37,16 +36,15 @@ validpgpkeys=(
'5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73' # Steven Rostedt
'E644E2F1D45FA0B2EAA02F33109F098506FF0B14' # Thomas Gleixner
)
-sha256sums=('5fbd807bf2aa0a80a0bf165692d89aaf3463d03043419b0a9b104f55f12c94d0'
+sha256sums=('16e177662b9fc7255bfc51018513979f6effcbe52e459c543aa83a5b15ef54ec'
'SKIP'
- '4b4e2ac4c77c2780215dcbb96c00b3c6cab01e4cd9be06dd4bae11b5831b4b9f'
+ '3d8dd432da73196488991d7f289a6e96e3c36df4d46ec76c468e30593e93ac14'
'SKIP'
- '9e4a6f0233fb9721b5cafff7e95f59149f14acbc958a7956bcfda0c9c5db7fd4'
+ 'fee121cf51bfe83544aa7705b985b0204c814b19b3e3423de4d859ca58b9c2f8'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
- '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc'
- '1ad551e3ef276c3ee9c9ebb5f0475d5f5fce0f13fed8ab083a1daf5fe0577e41')
+ '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc')
_kernelname=${pkgbase#linux}
: ${_kernelname:=-ARCH}
@@ -83,7 +81,7 @@ prepare() {
build() {
cd $_srcname
- make bzImage modules htmldocs
+ make bzImage modules
}
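Review bot: With `htmldocs` gone from the make target, the makedepends on python-sphinx and graphviz that .SRCINFO at the top of this diff still lists appear to be dead weight; if the PKGBUILD's makedepends= line (outside this hunk) was not trimmed in the same commit, drop them so the build no longer pulls in a documentation toolchain nothing uses. The _package-docs function below still copies the Documentation tree, so a docs package with plain-text sources remains; a one-line comment on build(), `# htmldocs not built: the docs package ships the raw Documentation tree only`, would make that deliberate rather than look like an oversight.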
_package() {
@@ -234,18 +232,6 @@ _package-docs() {
mkdir -p "$builddir"
cp -t "$builddir" -a Documentation
- msg2 "Removing doctrees..."
- rm -r "$builddir/Documentation/output/.doctrees"
-
- msg2 "Moving HTML docs..."
- local src dst
- while read -rd '' src; do
- dst="$builddir/Documentation/${src#$builddir/Documentation/output/}"
- mkdir -p "${dst%/*}"
- mv "$src" "$dst"
- rmdir -p --ignore-fail-on-non-empty "${src%/*}"
- done < <(find "$builddir/Documentation/output" -type f -print0)
-
msg2 "Adding symlink..."
mkdir -p "$pkgdir/usr/share/doc"
ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
diff --git a/config b/config
index 838e6ecb77ec..f200a9e26f53 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.0.3 Kernel Configuration
+# Linux/x86 5.0.7 Kernel Configuration
#
#
@@ -9249,8 +9249,16 @@ CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
-# CONFIG_SECURITY_SMACK is not set
-# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_BRINGUP=y
+CONFIG_SECURITY_SMACK_NETFILTER=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
+CONFIG_SECURITY_TOMOYO=y
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=0
CONFIG_SECURITY_APPARMOR_HASH=y
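Review bot: CONFIG_SECURITY_SMACK_BRINGUP=y is a bring-up/development aid (its Kconfig help, as I recall it, says it is not meant for production kernels) and serves no purpose in a distribution build that keeps DAC as the default LSM (CONFIG_DEFAULT_SECURITY_DAC=y later in this file); suggest `# CONFIG_SECURITY_SMACK_BRINGUP is not set` unless the intent is purely to track the stock Arch config line for line. The TOMOYO paths `/sbin/tomoyo-init` and `/sbin/init` only matter when a user boots with `security=tomoyo`, and on a merged-/usr system where /sbin is a symlink it is worth checking that the activation trigger actually matches the real init binary before advertising TOMOYO as usable on this kernel. Neither LSM is activated by this change, so the practical effect is extra built-in code and attack surface rather than any policy change; a comment at the top of this config block recording that these are built in for opt-in use only would make that explicit.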
@@ -9264,6 +9272,8 @@ CONFIG_INTEGRITY_AUDIT=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""