Diffstat (limited to 'sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch')
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch108
1 files changed, 108 insertions, 0 deletions
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..48e39a20c760
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 1c835635f9bd5b5bfa0fb5773fbbe99169561b26 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 041/112] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
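Review bot: `__read_only` is applied to every declaration in the three kernel/sysctl.c hunks but is not defined anywhere in this patch, so 0041 depends on an earlier patch of the 112-patch series for the macro and will not build if applied on its own; the patch description should state that dependency. The context line `static const int cap_last_cap = CAP_LAST_CAP;` keeps plain `const` while its neighbours switch to `__read_only`, and nothing records why the two conventions coexist. A comment above the block such as `/* bounds for the sysctl min/max handlers: __read_only so they cannot be rewritten at runtime */` would capture the intent. Because these values are the limits the min/max handlers enforce, it is worth confirming after the build that the symbols land in a write-protected section on each supported architecture, since the protection is presumably only as strong as the macro's definition there.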