Diffstat (limited to 'sys-kernel')
-rw-r--r--sys-kernel/cairn-sources/Manifest774
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.10.10.ebuild659
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.10.4.ebuild664
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.10.7.ebuild659
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.10.8.ebuild659
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.10.9.ebuild659
-rw-r--r--sys-kernel/cairn-sources/cairn-sources-5.9.6.ebuild661
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/0000_README116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1500_XATTR_USER_PREFIX.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch20
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/4567_distro-Gentoo-Kconfig.patch169
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch2203
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0046-disable-UID16-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0048-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0073-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0078-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0080-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0095-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch195
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch103
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/export_kernel_fpu_functions.patch43
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1500_XATTR_USER_PREFIX.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch19
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch29
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/4567_distro-Gentoo-Kconfig.patch169
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0064-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0069-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0071-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0086-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch195
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch103
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0110-disable-UID16-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1500_XATTR_USER_PREFIX.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch20
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/4567_distro-Gentoo-Kconfig.patch169
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch2203
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0041-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0064-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0069-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0071-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0086-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch195
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch103
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0110-disable-UID16-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1500_XATTR_USER_PREFIX.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch20
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/4567_distro-Gentoo-Kconfig.patch169
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch2203
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0041-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0064-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0069-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0071-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0086-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch195
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch103
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0110-disable-UID16-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/0000_README112
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1500_XATTR_USER_PREFIX.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch20
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/4567_distro-Gentoo-Kconfig.patch169
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch2203
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0046-disable-UID16-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0048-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0073-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0078-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0080-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0095-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch195
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch103
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/export_kernel_fpu_functions.patch43
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/0000_README92
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1500_XATTR_USER_PREFIX.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch20
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch10
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2920_sign-file-patch-for-libressl.patch16
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/4567_distro-Gentoo-Kconfig.patch168
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0005-set-kptr_restrict-2-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0017-disable-X86_16BIT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0022-disable-AIO-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch32
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0024-disable-DEVPORT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0027-enable-DEBUG_WX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0029-disable-DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch35
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0034-enable-SECURITY-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0037-enable-AUDIT-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0041-make-sysctl-constants-read-only.patch108
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch67
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch57
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch49
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch45
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch39
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch208
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch34
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch75
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch116
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch264
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch122
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch124
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch65
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch47
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0064-add-percpu-alloc_size-attributes.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch30
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch104
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch28
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0069-add-page-destructor-sanity-check.patch71
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch52
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0071-add-writable-function-pointer-detection.patch98
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch135
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch54
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch118
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch60
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch51
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch38
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch42
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch31
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch37
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0086-restrict-device-timing-side-channels.patch174
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0087-add-toggle-for-disabling-newly-added-USB-devices.patch92
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0088-hard-wire-legacy-checkreqprot-option-to-0.patch133
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch197
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch26
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0092-disable-unprivileged-eBPF-access-by-default.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0093-enable-BPF-JIT-hardening-by-default-if-available.patch25
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0094-enable-protected_-fifos-regular-by-default.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch70
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch129
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0097-mm-Fix-extra_latent_entropy.patch101
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0098-add-CONFIG-for-unprivileged_userns_clone.patch66
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch24
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0101-add-CONFIG-for-unprivileged_userfaultfd.patch68
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch81
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch151
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch27
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch238
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch40
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch95
-rw-r--r--sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0108-usb-implement-dedicated-subsystem-sysctl-tables.patch185
-rw-r--r--sys-kernel/calculate-sources/Manifest7
-rw-r--r--sys-kernel/calculate-sources/calculate-sources-4.19.170.ebuild (renamed from sys-kernel/calculate-sources/calculate-sources-4.19.167.ebuild)0
-rw-r--r--sys-kernel/calculate-sources/calculate-sources-5.10.10.ebuild24
-rw-r--r--sys-kernel/calculate-sources/calculate-sources-5.10.9.ebuild (renamed from sys-kernel/calculate-sources/calculate-sources-5.10.7.ebuild)0
-rw-r--r--sys-kernel/calculate-sources/calculate-sources-5.4.92.ebuild (renamed from sys-kernel/calculate-sources/calculate-sources-5.4.89.ebuild)0
-rw-r--r--sys-kernel/debian-sources/Manifest4
-rw-r--r--sys-kernel/debian-sources/debian-sources-5.10.9_p1.ebuild (renamed from sys-kernel/debian-sources/debian-sources-5.10.4_p1.ebuild)0
-rw-r--r--sys-kernel/dummy-sources/Manifest1
-rw-r--r--sys-kernel/dummy-sources/dummy-sources-9999.ebuild25
-rw-r--r--sys-kernel/gentoo-kernel-bin/Manifest47
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10-r1.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4-r1.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.11.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3-r1.ebuild42
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3.ebuild46
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6-r1.ebuild44
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7-r1.ebuild44
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7.ebuild48
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.8.ebuild48
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9-r1.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5-r1.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85-r1.ebuild57
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85.ebuild53
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.88-r1.ebuild2
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89-r1.ebuild59
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.90.ebuild55
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91-r1.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86-r1.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92-r1.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87-r1.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.93.ebuild (renamed from sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel/Manifest39
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.10.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.10.7.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.11.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.10.8.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.3.ebuild87
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.4.ebuild89
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.6.ebuild89
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.10.9.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.10.5.ebuild)6
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.85.ebuild94
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.87.ebuild96
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.88.ebuild2
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.91.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.4.89.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.92.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.4.90.ebuild)0
-rw-r--r--sys-kernel/gentoo-kernel/gentoo-kernel-5.4.93.ebuild (renamed from sys-kernel/gentoo-kernel/gentoo-kernel-5.4.86.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/Manifest126
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.14.211.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.14.212.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.14.213.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.14.217.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-4.14.214.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.162.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.163.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.164.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.169.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-4.19.165.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.170.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-4.19.166.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.19.171.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-4.19.167.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.4.247.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.4.248.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.4.249.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.4.250.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.4.253.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.9.247.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.9.248.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.9.249.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.9.250.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-4.9.253.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.10.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-5.10.5.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.11.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-5.10.6.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.2.ebuild29
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.3.ebuild29
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.4.ebuild29
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.10.9.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-5.10.7.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.84.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.85.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.86.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.88.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.89.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.91.ebuild (renamed from sys-kernel/gentoo-sources/gentoo-sources-5.4.87.ebuild)2
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.92.ebuild28
-rw-r--r--sys-kernel/gentoo-sources/gentoo-sources-5.4.93.ebuild28
-rw-r--r--sys-kernel/git-sources/Manifest2
-rw-r--r--sys-kernel/git-sources/git-sources-5.11_rc4.ebuild40
-rw-r--r--sys-kernel/git-sources/git-sources-5.11_rc5.ebuild40
-rw-r--r--sys-kernel/pf-sources/Manifest1
-rw-r--r--sys-kernel/pf-sources/pf-sources-5.10_p9.ebuild66
-rw-r--r--sys-kernel/rt-sources/Manifest8
-rw-r--r--sys-kernel/rt-sources/rt-sources-4.14.214_p104.ebuild54
-rw-r--r--sys-kernel/rt-sources/rt-sources-4.19.165_p70.ebuild54
-rw-r--r--sys-kernel/rt-sources/rt-sources-4.4.249_p212.ebuild54
-rw-r--r--sys-kernel/rt-sources/rt-sources-5.10.4_p22.ebuild54
-rw-r--r--sys-kernel/vanilla-kernel/Manifest39
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.10.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.10.7.ebuild)0
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.11.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.10.8.ebuild)0
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.3.ebuild98
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.5.ebuild100
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.6.ebuild100
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.10.9.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.10.4.ebuild)6
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.4.85.ebuild104
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.4.87.ebuild106
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.4.91.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.4.89.ebuild)0
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.4.92.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.4.90.ebuild)0
-rw-r--r--sys-kernel/vanilla-kernel/vanilla-kernel-5.4.93.ebuild (renamed from sys-kernel/vanilla-kernel/vanilla-kernel-5.4.86.ebuild)2
-rw-r--r--sys-kernel/vanilla-sources/Manifest12
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-4.14.217.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-4.14.216.ebuild)0
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-4.19.171.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-4.19.168.ebuild)0
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-4.4.253.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-4.4.252.ebuild)0
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-4.9.253.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-4.9.252.ebuild)0
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-5.10.11.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-5.10.8.ebuild)0
-rw-r--r--sys-kernel/vanilla-sources/vanilla-sources-5.4.93.ebuild (renamed from sys-kernel/vanilla-sources/vanilla-sources-5.4.90.ebuild)0
-rw-r--r--sys-kernel/zen-sources/Manifest10
-rw-r--r--sys-kernel/zen-sources/zen-sources-5.10.10.ebuild (renamed from sys-kernel/zen-sources/zen-sources-5.9.13.ebuild)2
-rw-r--r--sys-kernel/zen-sources/zen-sources-5.10.6.ebuild (renamed from sys-kernel/zen-sources/zen-sources-5.9.11.ebuild)6
832 files changed, 53050 insertions, 2291 deletions
diff --git a/sys-kernel/cairn-sources/Manifest b/sys-kernel/cairn-sources/Manifest
new file mode 100644
index 000000000000..8444786b9e5b
--- /dev/null
+++ b/sys-kernel/cairn-sources/Manifest
@@ -0,0 +1,774 @@
+AUX 5.10.10/gentoo-patches/0000_README 3616 BLAKE2B def9567673a5e0e4361ddb95fd8b6421e25c9ad03210b8717217d31a08f13aa5998945fc0cc60c1c7be6e02997f136af960f83d43f29152a52c78fc76e4e18d6 SHA512 fd16c8742e0ea5b3c0cbade4dd3e41c325080ae510c5f754709c08b43a7a3be5121267e9bfeb2cbb522d032be6f53ae27aa5009750437ace989757824853eabe
+AUX 5.10.10/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2293 BLAKE2B c2bde13ef40e7066340afefe55454dc933ac3b65dda4dcf81d9958ba84d9531143e58c4d35151d912bfe21a43aaed35fd99571a769ca8e823fc0d99797a96f4b SHA512 3ed100909f9aed72836a3c712e45e0116cd3c4331961a76a27b867a7098d0df9458387b656c9ea01385c3c37585436e48168ac35666b0e46dca7da05e5e38a61
+AUX 5.10.10/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 810 BLAKE2B bb749b365f37988253206ddff130651e1042af49a6c773ba6f93642d5927af9a9926eab278979e048c13d2ca683e726a5d0cd509de9e6177d59c85197051e230 SHA512 c97a3799a2d5e4da9c9dfe129756da629fba8183479b02ca82f9b6d9993f17a165a96bd35ac50eb25fb293785b9b529a95165b1a2eb79c05134bee8ccf22a5d3
+AUX 5.10.10/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1290 BLAKE2B 35f8f2a707da3bdb4df74844f72244dc6cb9fb0d41ac2034af61ce61c96e4bd472fb5bc5c687611356d06f3940e9f6669c80f4261165809592173bf5dac54b61 SHA512 dc47b18749d95a456f8bc47fd6a0618c286b646b38466c3d950dfbeb25adf3fc1a794e95552e4da1abb58e49f0bd841f7222e71c4d04cb0264ca23476ca9caef
+AUX 5.10.10/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 958 BLAKE2B 095d70ef085c6200b3ac69695339b8937e54b49c45acb7a741d0f471f66c1fe1bedf0b7df0951eff6ccd53ade10abcc66d5d2bca994e28a49d3e4296d7332e55 SHA512 4e637935c2f37cc18f347293e3c94b18f90e2caccca726304a95c4891257a5b2bb3093aee7a97571038b29c0c987cc60a9a80aefd0d4c9a063b33d102f03579e
+AUX 5.10.10/gentoo-patches/2920_sign-file-patch-for-libressl.patch 565 BLAKE2B ea33143cebfccbc5fdeab46161ab28c8ed6dbe265b35454659ba87f09705ed80219e9a9e47f7fc3df51292a3a7656c7a6d633e24a37911c35e47d039da530ad5 SHA512 79eaf814d76402a445efc961666a7c7c74207e552b0cb32d93d5cb828da580f7dbe93509dc9f53321c7844663205a8dce4e518ba047e4c57fc55f5c3498088ec
+AUX 5.10.10/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4784 BLAKE2B ccbb902ac828a26a69bda7f7eb7c69770bca7685ed5e58459e473b7a8ac0f396ac9f1aa1ee23a9248de22c5aebbfecf76930420b640cf6307a4d1e73bc9add0a SHA512 bf681566831b583537eda1df1db9c9d1b310cf54a974dcdc437c8da11b65cda423ac86a1a8ae56c84cfc947a6ad363adb25983e51933cf7acb494934c1ad3eb5
+AUX 5.10.10/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch 55494 BLAKE2B 5c56cb45b70a340d6eb65140f3772f3c4a26e30811645d471d0db7a389c813edbfe6f46ed2fb5fa8c96596c9486c1040948d3074b4fc5ebdc8080c4b02b0992b SHA512 e832d44d4a450c45eb7a517d6cd849258985aed08349d18ea21cf4d1eb37dcbac9153f50ca8b910955bfe64169298c631a7ec7857e9235bbce0167d97d69e55b
+AUX 5.10.10/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B 4f49d7c3c7ebc330f86ef3916ec53125f1885fe56f4629b7b1b63e5af8f3891b23ce16597013ceed25de09396252e4e58f177cd3f164d1d96917fe21e4f797d4 SHA512 c8785eb26a595e8166e9ac30144306ff782f2e96d03feabdbd0ce450b164de48e979df79914229fe8f228fe44e50688caf4caa02b9ba457d9d03c1fbb444cc30
+AUX 5.10.10/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B 6b5852cb66a36fec47e1ecdb9e2d37ac76b2fb2144ecc030b2b279da161febacf873673ec47c9070fb14f66960eaaf3e72fa77de399e4b47f1848e3bd03b21d2 SHA512 9e199b8fe4b1fb13d8367afd3ce011766b011e9e2fe9e0216dddb8bf71734c3cd8bc5ec5f6e5996e31b4beb0ba62d0ab50710c19827ea8dca62b35508ef5564a
+AUX 5.10.10/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B bbd6b4902c80b5338dda8fde96bbfedb2488b17d27ab97e52b71aeb85d3847f741a95adc5691be024473c219593dfa32fa3ab271c73ff6732eca343fc28b42e6 SHA512 1047a2f0e75aa466f4ba5b5aee76bd23076276100417a0152bf922d7e0d0e87ec73faba0646ef5cad19959ef29b6beced4f0241a2c3d30307b8dd0638fd19980
+AUX 5.10.10/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B 23a6440b582ceb71788c7edb2b80abaf09902d8f7f63f2f765b7e624e18bad21950e6b659447b73df0a2e5bf856ecff374a60de8b5d4b38bd474dc89e2180932 SHA512 56391ede6af002eb96ce8330515a2f3ca34df785611bb045729be6ce30878689f78c9e98812a2d3ad105d6118e22609f02d6156e71f9d1315c0d87c034288c4d
+AUX 5.10.10/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B 62cf4b1a5f6edeaa95fecf84e263ff045976fa161dd97f1759a83bf411fd5a98ed2956b5ac825b86792c65774e2f184daa4b68a90eabd13fb9af1e935be4bb0a SHA512 5600d4f2aa9aa788faf8d38964527480a2312a5360ec9b5c3faa4f2a531010c5e85580ec16758ec0dfe56b3a89b22340c47ec33d7cdb516f4b7a311d581b6024
+AUX 5.10.10/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B 083aad4480250beb036a141eb015aab6107f847ba580ac72446e3d75eb112b933079786b57cba6dbb5f4de7c2ae086bdf7f3ae31ea04973b0f7e519e189d38b7 SHA512 a6524a743b01a44dd9940375ce4dea0ee31abb77db57803bd91aaeeb151213673d861ab05b49a981bf9ba3ad514a5591cc7f5f7acf1c9fd05178c611c96dfb7a
+AUX 5.10.10/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B c5cd54190be3dda215939ac581d0e134d25d851db0495ac2edb0438778842cbff46cac011d74ff97257dfd2dde244047544c67b4be77ba27288cfd4c025e0d83 SHA512 cbdfd95103ee0d0ecf8049ec5132e14c5c38134fd6389f981ffc057c14d819a34ddb4f72401c24878f7f8ffe0e23cf01f45779e0ec5a85f74f9e08859ab33906
+AUX 5.10.10/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B 3593fc85a766e85fa82019d31d3e33043989f4df644f28a9d00e35c3129887e3811b95be74fe8be794553ec2951ae1cdf0c03586058340b44a4385ffa96d48f2 SHA512 6a289d3b3d6b07754afc11e93fa2cc582cd5352b2521b97a2f796d47909216569347c98cabb845ac86697af964bca6566a938b4ec9b7857155228f83fc550eff
+AUX 5.10.10/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B 8a5d772b97eeb6c9b6ee5b3dc862dfd3b57aa2f3412200d36c287291e62123cb53c491064ab552eaf396c4c341594b29cbf6647144b87975becc4657a2abd050 SHA512 ce6eee9e5573dbc013bfa7bc8974195532c2b326444203446bab61360d1ea0eaa76149239b4d2d1471d8c68e79e698a0e74d55f7d9f25964281535e4e37cda8c
+AUX 5.10.10/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B 01bb07dc3b355dd73d4207c6d7e149620075a16c682d64d2f0fe2654e7fbd3f9907d38e4d3b3982cf130742614a63981715e31d8b20f25d1673978b5411f9772 SHA512 593d311e8fc16109535b8cb3847f8b65a399b7312fd89b7e430cdb0ed033cb884ecccbcc48de02b40de4f947f61871621b85041a15c390d70f1fc0868158e2b2
+AUX 5.10.10/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B fc5b1ed7e87c824d0e377ff2a64db3cc2cc1802c3af2b83f5662407d908e5b907985d4a20c44a4b218b559bad89e879cf83555a50a4eb8bfdb945bdebe9a8331 SHA512 8cc2acd4ce553a7d958b340824190eb95253b7c898c5f67e1036588fae1e698498fec6a0e9ceca11077cb48f72b0f7f214a5eeb14f09d026b3853339ef0b62bb
+AUX 5.10.10/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B 950e228918c96790f7210c1ae3a1fc1e2f244f1eab04c8ff1dccf5a64cfb6e2fab7aa33c2c9358415db8103b3e3f676781628adf1a301200b6ca6edb502e2a7a SHA512 23e6a31280374b605bdd67ad0711d4dd25bc622508751ec8c26786d3350ebd4c6df991082c5921e3bba439d0f165a2ba02832320a7906031f805c8cf89fd4e7c
+AUX 5.10.10/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B 3797e3ac419820a295aeeb3c364f31c62ecb1fee6557571aea0d982bc5720c4075b328c5b2f7c03367bf1097643de93748d38d574b00e12421a44b5905fbf6b4 SHA512 cd088ca9a63050472a6eb127498a13b97ce364c003a42113cf5797006167d990f7ecc9fc83f9c5d21ec3ab17259b8dd0d808226304f6313e5f37926623655fe6
+AUX 5.10.10/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B 471f925484a240fbab81af70914eedbe713e59fc7d35613a5bbab564a22826f8cb394f928729063ecfbe0b01b2e5585104a17d9c4fbcb9266a5103ffeeba1c59 SHA512 c31f9f286e260fb6e09afd2e6e25c747f8acfcfb5f4ec7818e8509a13b035cb7c4b9ab70125bfa42048d4239f3621e97c1526ad8f726682086157e03ea57bf43
+AUX 5.10.10/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B 9484e8845346977f9bb5ca06bc68d79f2960c6148129ab89f2c36d0abb7548cce850d59794ed7fe80217d8e6fd2fd8ce48e8e48c344c42b7ce76fc57373f137a SHA512 05d7c93140c2785d755f2093e001fd17a590e92cf423fd6c08470fededdeb219134a02d90a91747209220870efcfab12727684c8e4c92e1d52f49c603cb77838
+AUX 5.10.10/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B 3016041c70f93adb7e82a7a164ddf02aef91fb1ca254280b40055c67531925ef0c14ee43730e7a1ac8d6fd49179755da87c83c976072d5c0a438353168dbccea SHA512 f3bbd57c985ed384fc49d8411d075f11ca5846e4dc9e67fe468a2b78d06f041b5aa5d0c6f57da9aedc2db31fca95df9d0e86c56733da63fadeee21b3e022d3d0
+AUX 5.10.10/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B 5c0dfab0ffee7287c30f0d44ca83f2b410631d216fb171eac26a5ce6591e5fc105b88906556ae620c5dfbfdc94da0311bde2138a81066d6a596e2a0bc0399163 SHA512 53ae39e18ef0c2721676d55565c998af95dc483c1692df8f32e2431a1e5188c389543cae817d10acf33eb6e0b5407c595e60d03c5708de72587865a4b2cf049f
+AUX 5.10.10/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B 310ad6eb0ba98107b5bc471dc2b9b4de28d30a73fef50174bc86dd2537c294b99dca75ea1b6ecba20fd2bffc7a9bd1b022ff3056f6c8e263aa9baf4206815e0d SHA512 022fdd391c401fa37cc0f816ff6e5a6b36d317be7abe32d1951bf0c7dafe7db1497f86f6f4b9d5a8109cfa45112ed4faf6dfaa9997325a3413c9f70cced21c5e
+AUX 5.10.10/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B e54b4b0d2ed003987a975a289ff40c41323898e0455ad29aa6bdcec35ec33307f4dbb81e8eb81aa1103a4edc8da3fba27f700704d41886edc0abcf03ca84249e SHA512 8714d4560fd0826ecad799a4abde989e7e08df2a636f54eb7dc2ed3dde8f9dab43465aaa95d883eaa5e1e4348001a401efe77d0cee5509bc508a0e3be677143f
+AUX 5.10.10/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B 0e42cd264c654004106805ddec21d94879be3c0aba1fbc023f5e722d5a252da5db995f5273ef00bddffa7de9538c624bdcbd6d50bf1c0857e1f88ff54f687300 SHA512 09366c4278d7f3cc4b430b6b3e9610351f47810ba903393de5e349ce28cec3de68ff5067411d8e2931044bc2f6190c0bed7838faef10d0b9617a6d4cb883148c
+AUX 5.10.10/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B 8f31c2df4ed8bb6f5b3cc0d342c983235836ece04c1b9ea2d84f204c8caff221b6186ac59efc125c66684ff6f76584d25ab33b5ee85ae6c20a000a893e583b42 SHA512 8f369e2f8187b4d99e72fe9439174964389f7a7efdaf8a0f7aca2334b42fcaaa62e51edd4eae1431d288fa42892dc769b56f852a89f8d8f7217bff5cc2c37105
+AUX 5.10.10/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B e6fdfd103549589493d4e0309ad304c0a215027b1d02bbbc7d2d082533ef9d2ded5c01e8092c13e04e367dea669f5c96ff84ca6e12a2993b3b84e7239863beaa SHA512 b76344122895359b25c47a49a7897ae358c22b457e9f9ef682c5379fb07e8b74091fcf5e32d5a9d686022270d671f08b7908335a6bc8fea7990263f5034d7e67
+AUX 5.10.10/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B 6d65c0c9d2540b086a01461bf9babc30f55056d892633bbeef0772e3c1df09d31af650d323350d9c4d01725c6829f171c552e17b55c03296b3d07c2652b54604 SHA512 42e4cab061d236aa1b25ad2bfbba381297661ed7556e3f9dbfa2334dfcf88313af01d3326c45af3e1f818850154d6e6840d2c63254294d76b199d6c02594675e
+AUX 5.10.10/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B 4f9736998ca03e4117a8cc8fa921bfda79005acec4b41a98df7e49c01b7a676f3c79c24b86e087fd0f39e263a5810c895be7c0158bd13e6e770c9d52cef4c5b3 SHA512 b2ec68735814b0c8508283905e455781e568d83a34879faf0abd59ab5886d746e491f3d3ea4173eebd5d59b0bf05de48a39e02df1b7b21b489910f7bf5f8299b
+AUX 5.10.10/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B d78ee8e224acdb008edefaa243ac9cb2a36156c5d5031668e6d39be22986eb8cc2490b505e95933f85d1da203adb02b2c45a560243e182c9f9fb27b4a9293f4f SHA512 0c0f088c47053e4ff1c496a9964aef6edce07ea73bad27bb59512799da68de31bcfad824562449a1e1fd3e4560c4d9ea9c37c23b4bc3f59df316cec43ef1a3be
+AUX 5.10.10/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B b88f019eb1ec1cc4fee656d2143a3d6b1a82a26558befbf3d24bccb7253c1bcf8e8204d940a45bd553eff75b27e754fe32c318eb5a189bd191e6b09eab8a8dbf SHA512 839dc09b7613493d66875e3908f614f17bfa6fc17e407fb74d9b9bcfd86fb5b727a6f6a50b1069687dcf153759397a834e8eaf509bba4ccd78737af71d9446ae
+AUX 5.10.10/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B 3b98d58d92737b6f68cf6b070ce8ca8b5b21e57c16e3430f1e3c3a576c309a60283042a8f38a575ac1d2779fdda0a143b490bc8c16e91cf55a019751afb8fc36 SHA512 97994f58fb26655f583181d2c119673bf472ae1ec3ef34d8a7c5e03041a5e242684faa2ed1bcdf7289347de7b53b48bd8c9806b9574ff3a6cf98b86c9ef0b807
+AUX 5.10.10/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B 5481d8664412ff9f85fd329d74403803bfa0d25c9973a47f2f3b9897212c8053117343efb8603fb7460dc8043f328827cf4d0b858ecd0e20096718d99aeea346 SHA512 09652910bf71b005b6ecf6354c967f8e550322a4b9df07273cfe7504dc8faf3260b4805688099b133d012331a04da9cf17a909ffe3f2479e892ac5c36afad780
+AUX 5.10.10/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B 6b8b8855addece4a6979f6e97493e105bb9e4a3c1f74475998920a9c5f4dc87f06472a78e88e66b10a5e2867e46e48a5731f22f71327fd9cb5b65ad5a536ea5e SHA512 f21e9ff511041aaab25ca3187901714f0ef4ef989ef583c5bfab43d6ac7a2d2a32ac6cae794b4a70d63e65b2b754f299949fd275e439fd288e7d8b9d3272d76e
+AUX 5.10.10/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B 20a77306c5113e129cba8e8b9fa4c33a921992ae732a2b7a11538318bac90b77a212b619e9fc91913907602616216e41019e95b33c9ff3bfe3c4854732d85355 SHA512 6b10f8c855977a24d6b132e6edcf5fa3dae22325bd5ea10446d59ea5a96c3f11b8986d7498b66e824490c07964c6167e011c5baa7e9aaa6316ec0fb18c03086b
+AUX 5.10.10/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B 8e99b59acc1eb279fc6c8a9851e2a58648d32c63aa6ae416a283d98a2314285cf0ac154347b7b4f192fd7a7a857b21527d776418e8a1006872e536fac8130130 SHA512 c4fd44e520c333fb5df56887ec7afe033cd017820b1a9e329f4c5134d2aa6c25ed4d0f0da6b42bc0a26b14530b1d82f74154a4b8c065c428e371a1f40e504d4f
+AUX 5.10.10/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B c1fe6e8f9c1f2e082d5db712d23856e288115cf481a36608ab2b112a36bf45d1ab83e1275abc9dd5fe7275f451e31c42ceb4b4fdadf38806adf3afb0a2e935b4 SHA512 65edf35df337564e04a1b56af837338f9bc11b55294011d2292cec3ac6fd03fbf3c398dad88914506f44a83bc2ff35e2f0b03aade1b59f71298469aa1cd782e2
+AUX 5.10.10/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B 010e36e299ac17cf241cbbff612822c45db690da53f040a104d3dacae68ce8c5de7ca48564fafb4a572d079220ae4ca650a87560c2e25744fa3bab6319b58865 SHA512 b103087df3c5be66b428ebf85f052d6f43f65ac2ebb1c63d09daa1caf6c28a613cb7d8278e3ffa3312f02f3119e74b73b7a076b4a7847eed77385458794afac8
+AUX 5.10.10/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 4d900af0b77850b18b2c5cd90ceac770096be1f12bee423415ae863b3ae02372740f048eb67412932f73dff4c4177eb972a32caf49c89df17bd7fc29ec3acdcb SHA512 1e2cbad737830f714d9ca09fb310e43be2c19d66179a4578ebc3444be08cd07d486cde0b6afc8c2c4af62253416f0126359c1b9482191b78504746c439af386c
+AUX 5.10.10/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B d99b674f5e9e1459b2c55773e960051c4ef8225b432749e2a5765799bef38bd22d5f25cc7fd721696d0dd3df05ba6efb9cf66ec25c4c2060fb8d3db943e2eac4 SHA512 4c7f733b99e97c50a1d9cd760b811ce5300bddbfd00eeb67a00b106dd2f26cecbb3ef7d4be8a9e29c643a41c5afdd3b34232e3edab66fa02a523a7b602bf5e59
+AUX 5.10.10/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B 90507c8f6f8309cd6d16988f994e77b6d6ac9016891ea66abcaa522b2f3af8a73b5a15355690b6e83d8765894a3f24dfb21d65b34273aad4eb16b34f1f72d8fb SHA512 3e6abfcddaeeab7ce33be76fb4c1e83d64bceb18b673d05d7af6a4e16173674cbe94b22539720198bbcff12341d7c05331ecd5c24ffd3ed513c3f4efb2ac9b61
+AUX 5.10.10/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B f71b1ec5420572c1dcb4eaa5bc27278f379611ae8c42c60d5580d1608d639e2a2f44aa2beb5d135d6a3bf94f6679aa7062fecfb869e57c83caa64795bc61bedb SHA512 77b9f099dfdfe4837fcb2812690be6bc6957911294c328b0b70b18338e585c6c306dc6a8136e9c4ced4a931cf5c47ff4b921409e30d42e4d9bc6811c0ce0fb5a
+AUX 5.10.10/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B f41981a72a29706e29ecdc5ff7046d376474e78a84dea0a27719c3823f67b2ae3c8d485efe067c49617fae114bb7ad7116fb1af3a44a484f893f02e1200268c8 SHA512 4784bd7cdba6abe4e56b5ce8a1deb115288769fccc7c02f05a0e231f068d0169f5ed23d7616aa24e7be887683337f4d2afa06757fbbdcbc5d3a10ce415f6a343
+AUX 5.10.10/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 5254c06d0ac6f7fb360fd983ac3abbc1e6688e1f50500e3115306f7a5256be1c2c2c01088a31782a47c3b717b22855dcdf2b41a88e31ab43b61b5335349d4a4b SHA512 6d3db875b2eca00614d247ee101541e65381b4d06a4267b14619b69ddc26ef6d483cba549088de6bb1f16b240209922bbcf5849120f2a51a688bbe8ed6ba8099
+AUX 5.10.10/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B 232f9ce10aa413544aa82b94a0fe14454a9dc7ace0f300359089cce0f379fb45a69d25ea13cba794655b86af1f7f9ed14eada2be6fce6bdeb10437d0afb8c2dc SHA512 038cf5fff6f6d27aca818d2ef0db3eec47345def0aa4134cd597f3ac2556160d3f8fb44d9a3a0ba57c954516a8ab8ea546d317ce86a663a7b41b20fc4aab19d9
+AUX 5.10.10/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B 31e1535f5bec782730bd346a61e13983ee192209b5c9f85345070dc375fa5b88e8bc9f2b825860e5828b361620ac45b2f2b673d71f5f7b1b07b58cd3f09fb1a2 SHA512 38204fb21382215791fc44d31989afda3ca7f83d0321dcda340d507bff84c3275e8aa6b28fc798eec66d7fc2454082c530ebd305ac85ac6599551c477bc68795
+AUX 5.10.10/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B 6490e4e97ba4e488f8ca523bd5b55cca8a78fd50a4cc34de52a8cae4289d63409d2708411d10f12afebc80aceb06875fe4f539797ba0c1690d5667034476b154 SHA512 54dc48265ade76456f6ecf81183efe62e541ee7f3cbedc10a0dc39e048a9c2804fb1c3d40a45cc92aeec9511823594a32c9caf38b89f0353d7c1919233ed5c5e
+AUX 5.10.10/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch 705 BLAKE2B 4855862623c5c5d6533be87b2c03e51829ae32cee40f9e0588fff2d7af6fc420756fec933965cccab55cd8e18a4a5e8bb3a25d4dbb75fba0fa38a91d769fff71 SHA512 bb8028174cd4170743ca3df843af12565a0aa231f112027b818ac260eced9ba8fe499afdfaf8586f040a6b033eddfbc0c99369f12e587e4ae36ea6c2ccdf9b19
+AUX 5.10.10/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch 835 BLAKE2B 18cb48cf70a301f37b0ca5dc2d00d385dff078ff0de177147cc6b1a795fc9feaa67a032ae1ea7ff66a994507a15a266743c591804d37cd8157321e9951fd4368 SHA512 ea06f250dc832364696867d3468cb7a4788afbb7a45d29a29f99c53b831d0f1691af7c187754ad51599487a050f2521b751162ffd70bfc510418b3798460ac7a
+AUX 5.10.10/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch 679 BLAKE2B f618227b4b821f52b6a32972ddb3241aed758b4824dab77848f3a033029ba25bd6d3dda2757929e207b4190f3d7b25687bf252d9242c4328bc668590d119cdc4 SHA512 0d87adbc48356a03746a15d0e1eca365f298f2f6f95bcd44995f094ba665773a6be0f5579e916cb221a4b4abb31ea94a25a993aa2d38318873d306f13137a1eb
+AUX 5.10.10/hardened-patches/0046-disable-UID16-by-default.patch 605 BLAKE2B 00ef27d9c0b9809d2eec6f33f6683f101d16146766d1900085fac29a902a454a4566de690866b1a60bd9c6eafe379f08b288181d9e63c0ca02166485a29a98a4 SHA512 d91d9e5285b708a99889c71379cd2e2a2a20fca05adcc64d91ba20067dbd76cb5b00ecf47f9c21a08d6e215877c7961085964e1fac878d747f21d553fc27d6ff
+AUX 5.10.10/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch 697 BLAKE2B 773a9542881b4ddce2fe2b9b2faecb335f662bcfee42e4ee52ad28e3710b6ef58ed6d0eba70a3cc424c549ff4dc72540a43e60f15f65ad290fc5211914e167ab SHA512 2efa76bdcb388d7555ff957306d18f6165c4febd499a67fc3aedeaf18347474ac91d11d54c186d387ee28ece419b9362c3110a812b0d0c2313523bfd11719a9d
+AUX 5.10.10/hardened-patches/0048-make-sysctl-constants-read-only.patch 3971 BLAKE2B 87c815f350459a24e352c37959ade2927360b9d4ffc45d2eb84d530fb194d64df585a71fb32eab897019047c8d1c12ada6e53e6f558a3ad09dbdc226f0dbc840 SHA512 cf7274b1f2a3db5ab8f8f99379c17fc4638fadddf461ac030159b2df940da92a0689e364c67e080c22e749301628fec718d010688180945e441668f87f65ad9c
+AUX 5.10.10/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 77cd3ba9b11d80b9a1cc2a68bdf51f5a989126a6d084f5b73840cf0e5ce61a32a5fdb405e77ffcce2dca64b6808d70b4766a94757860ce09a8b9fb52993101b5 SHA512 d0bdfe3872832b7614a71f9e5910685b9c3ef529f621a385709bc38dac527f23338baad1aba52199d1e5645bb3bfcd537cf07a7406d4aaabdc646c35564ce3ee
+AUX 5.10.10/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B b87c7ef65decc37b8e6066a8896d4e471f3af79d70da74c42cbeb1742e8b2a0b34150e7205d8c21f0e6208b25932c1ef994f91d0f3ad744175836b0a7a857b2a SHA512 7b8ec458bd09fa84c782554dccb7b9f6b861de20751ede46f35c70e7dbd068d19370dd3aed6852b0edcaad22573a92bab111d0c6b9daac9e8ca516e5b3f4f30a
+AUX 5.10.10/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B c7abb1d166d66f6e67d485774ba16edaae0b78ef9aa4b1f9fd30e3687a094c297495aceb810a80bae723dfeaf0f760533d55b9fb4b91ce8e1cb77c9d07df1064 SHA512 fd0cdb298f11f939e8bbe14850d29ec54e18672b822ef3deffd01fc6102ad6d3e436a73afcc1f058a30b647c5b5c518e004908390957bfb1fb54a5ea0013c293
+AUX 5.10.10/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B f2aa45dcd6f64418d59cfc85deb61dc7bb6c813f906b67ca30e7e83fcd040b6c5c7d78815194b3bd2eea3ef6debc63b263dd589433b927ec12ad0635aa8865e4 SHA512 ca630058878e64fcf83c2c32d29d31e49b77ec7fa9279bd6b7201d96ac948a31f5114b7c8a747fa31249a822e1906df41bfdec90c9048b3e1f99ec52c9aa228d
+AUX 5.10.10/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B 488441855e68b18a5c144e2539fc53c1b1a943b7db64c0ffa7deb5356c4becdc75289358bdd55fed4046fec78f1348942b7034d15ca51591b36efb545faac1e2 SHA512 97038b879974ee4c97d3ef4cd6f3bc8b0fa2b73b62b550c7b0ce2d692cb5b29bf192509b94f652793f9f22c51be78aa7d399b4b59c4783320dc559adb0de80b1
+AUX 5.10.10/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B d6224332c8c13527d2aebd8b100563a81a0cbaade22e2585e794789996bc9b865206dc3099ef096d90bf3dcc583be19222da7e65ea58acdde0ab8f27d224644e SHA512 08d5941f33094677c502efec5707f30ac51b9092f0be1e0614667eb521b296b60b4221f89e2bfdad41967bb71ad4ed3b76d695bd45fcd192b1ea16013c28942b
+AUX 5.10.10/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B 5c95e8239c6983570fb0f49b58949488a34b46cbd0030991be440143a9b44cfe2bd404be3c8895cc92056bf849de70f2ee0a9b1b7865fd769fd3dd5939ced3f5 SHA512 cb98bfbf372f5724ef7b033bf6dcbff239abcfe4ef9148509eb56895cebada73a155d8ffd41db957b0412e09c1c0c879c67eab7fa73319df7b0fb3c052655a87
+AUX 5.10.10/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B 94212cc0fc4b70801c15a68782fd36b0758d79c98364151d256b5bca8e17848fd4ef6926990f5b5b072b7a10c83a1a6ed27d65e6495b889c3e2b8852ed08b9d8 SHA512 1c021d53853b182f7b9812e0dee721d886deda819f1cd0c22624f86e173bd5cb057b853a4550187b15616eb6570f96f75d4f452f5ecb662bc98e37cb87b08eef
+AUX 5.10.10/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch 7357 BLAKE2B 39f807b4a0ab8aca5a02e51be4c7c410b1a828a5dc0b76889b428422837ad770fdf2617729784ce49aba3625f1fb812236d5777fe3c26b73282b64ebfe4f93ff SHA512 45331f0b16743c940b119d3138fdae4b43ebba1432caeded49707aa6a4986e2b99cbde2715b0bc289350e31defc400b6c6f7b2ed4d0893e494fa3bad330b0c0f
+AUX 5.10.10/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B 0f1d33f62b97689f355cd2aa311673baa659c455f72e788b2d36e8c84fa0ecd12b93ef9387efcfdbafbd47ddac159bfa033c8291a2cf6149ee7b7c5b8d5b1de9 SHA512 c74316f2c291183fbae5596f61a4e5cbb8067e78faadf8051b955309b472a7da363d382b296dc9f8709ea60874922bbc68ecc2ab867adbb1726350d390d3cfc9
+AUX 5.10.10/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B 6335431ed70abbca9cf62d3dd1a38c29e0fad0706d7e30589975872a1326765bbd0264b0132dd7efd78aa9636acb8514490f2a6f0ea446b2c88e94653d4490d1 SHA512 5dab9ba916f13a37a6c8792a8c6ceca3f487ef33a89acad9333a9cad9a7a9426b97673994e3d0de26510f4331b38ec80bbe807b229e3d35a2a21779d7bfced4f
+AUX 5.10.10/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B 4d20d77422eaf4bdd48179225f6d3fd6e49ac089a0f9d48acd39984f7c09c4eee74fc52902bebeaa5defd753c666772971700fc4dccb7761a9931853d7598c8b SHA512 0c32ccb3975c2e94060f28bfc3ee5b759c63f799b77459df3103b39140868c056a28a51a3524ce0cab1cfcdb7b3e3d67b5805b78b29db88026f2f73d831079e2
+AUX 5.10.10/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B fe3fda70494f009f3faf3657b18f3051fbcfd33e91203a18757b9b96a0bd00c7ba42ac86b2153568c5db4d2fe3487fc7824499cbe75a0bf5aae8a3e0d6f8b818 SHA512 e1ab9535ee54efc5d558853ed0e3b4b3904155414aa668751d3de5d97797847d85d77a93db6ead0f8852fe00c035dde492adde8d09eee2534c2f331bbe87ce26
+AUX 5.10.10/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B 6ace4cc02cf976660effb783477fba4f8e9d59ba2559214deeab8cc1d4a16556c5d1e750b3552dd8d2cc7cc84f65affa52ecf31f862d2092e3fd1704f21701f0 SHA512 ca551ef1cbc33bb21b5325542559c97dfaef40125e04022e30e349b3d4cb4a19d011deaaf470cc38eb1dff74068db7acd326861f9622b1b51757e7d05a835e2e
+AUX 5.10.10/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B 92cc661bae578cab33b80d07354231814068272c55637e6b5355deecb25d3f414b85198435f2e0431619f2228bbe2e078fd972e170436ed15aecd8de42168628 SHA512 dbd5264a359e46c4e62679e4a01e52aaaa97acee2500a518f8dd50793185097f31421bb4e21419b9611d48c55d7283ca9540495474d019d7ae9ab308a1fda7e4
+AUX 5.10.10/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B be2021812257023812c687fdb02bb918dfe9bb3bf68e81266ad96a262c3c78218bf5c34fd5b3a7811cc861fca7e52d4f967c324e5197b30f92812b868ef50210 SHA512 45048ff53ecd126abc3122f3986eff47cc0aeef7361f2c79846524597e3afa3559cef9c25e27e1569aaf46349377b5aa3da9a4320f3464d57495a3d93fb2f2cb
+AUX 5.10.10/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B 049c91f0c4ba85334b41733db11e174d8f3dc1a333bad36755fe911247a0b7eebe49366f40d83518ea5d9da558e6681ac506b2ef7f82260d7466c99eae8a7850 SHA512 6287b97810d8e1fe8a2dff00025aee5b9be5a22eaee8568bc8f8585f87f6b22ea5c2b293282ba9422bcabef49596109edcb20a4c76af57c0c53f4d95e1c43ff0
+AUX 5.10.10/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B 9fd57ccc7b4a999add639fb62412a36a2aebccbe69d171b0740a11d81caba80a10a7cead45d957af99810d36eefba7aa48e9b37c20c4a0aa26855a6b4e76a71d SHA512 cf32bd8983404704345496b064fcb40bf68277c7acc36d7087b13e7446dadc581953340f4d40f53cf831c52877b43c5903efc320b4864b691d717609971a7769
+AUX 5.10.10/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B 748562a882d63a08dbcc9a3ffe5cad8f47678402a932ce8eb0bfd8213e2ba65f06d4c6d3839388b9d42d3004f06e7b6d6aff9ed6ebdfc8fc95fb6c9e0acafac2 SHA512 55112112930fd2ba47c684c7f642df708d35a5c3b220ddfb05dfde9bb006c504ce3782dc2e49094603d810a61ac678073b33040dc87adb6da0d17dedf90e3185
+AUX 5.10.10/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B 9e9258fd53dfbd013b583c44f57d9e9819e545bd8e11a523e8f7cc25d65370af0dbc4a8a6bea8e1b36c55f03125a9874f068c0f5acf8fcc7e0749ed44bf53a21 SHA512 b4590689098696d47a4725d6eb815954ea65fc95073889ea9d60c07182a161ffc8e7f29029e10806226fdcd0b18abff7c6974552f42bbecbb3b995dc1cdc6c9c
+AUX 5.10.10/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B 8468afb5a1b756c372cf406f7c27285baa7cb9d645e8d996359a32a1c3a37147f79874019d427ea236576bb4b4d93c55a7fb1c648b7d9c47bd452f583cbc6a50 SHA512 d0b1fe70e2fe8b08083f90d2a65dcf24c9bd9de0ca37184c6992e41efa9f3fcb2ce3b87a67671b1eea75b2b0c7f1dc3d240e8fd27d8004f923f09f8757272207
+AUX 5.10.10/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B 1c5641aff3dc84f4ef7ce62e9909dc0f17577b206b6bd1b7b80f14a1cc2ed97fd9421543d4afa658303e7d9b953806dcfea0ff8924ba30b4e33eccc005a975f6 SHA512 5fa2791682874785082d88ccb36b96670381333040ab03c94c357c3b338871020f743ab1a3b2df5c39086d0ae0c3eae5b7350eea6fc7bc03ad89b1b8cdc162e6
+AUX 5.10.10/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B 54f92801ea3240c67e268ca4654d1526260f88f10ff34e6c026717b30a2efc15b2b5352caf4a3483c02a4a5f392188a7a945dee45b00aaf43a84745cbc0bed9c SHA512 cefd9a2369bda04a517e61a27b4d6fa10de69d2559b4f08807b2cfe4062cce2bb29b64c750ad653c8230981502fe4bd7f76ab92068089f312cb3ff7494902118
+AUX 5.10.10/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B 46ea739f7b80effdc33756057c17b9255ea1d12815248d584d0902b7c158e2bbf59724586e09fd41dc7a34607715ffbc0e7e12b1419749a30ea864314ccfe5bc SHA512 1f94850ed8d7269a016469ccb2adfa7fd9cfc3606e9df79dc86747f99e6784f8b90373803c8477b28b6c7a2b8269e150488826615d0512ab69eeca34742aab6d
+AUX 5.10.10/hardened-patches/0073-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B 2e3b3bc309f5163cbdcc25ab43ca5721c7e81fae9201ef91065fb6b66e82181386b959e4f669c8c405621d34b575070e560673bfd8d074ecab12a282b9848a33 SHA512 8cb12849ecedc7182a84a06832ad09c6f0bc8ae06255225dbd8ba548c6a2eed344f131ac41d30fc420bfd3e0322dc683d1df5180ff5a8dfc2f2b874e7bc180da
+AUX 5.10.10/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch 1259 BLAKE2B e8dd5200235b01a844dec35182e0a0f0add8e8495fccf6e3450570fc8720022c6c9bb9edc90cb3273cd2852842b1cde036a04303f58fb69fa63cfbee2f93a43a SHA512 2adc85de84ae9f24360d843f8a2d1f40357da81049eac66e70ab2176028a81e22b9697fecde48cd0d33727dc58bc03d8306191278bf01bd292e41e12919b4270
+AUX 5.10.10/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch 3591 BLAKE2B 4ae1b3064ca7c3a0f21ef00446e70ecda3e8c881a7c6ceb201e05ee28637cf61863dbdc14e1159f109f1744c4b6249def0358b68a1fa51b4b13465040ff4b7d9 SHA512 04f5135e197fbffd0b6ca99a3e006eece56989e303b279e16cd3eaa898456d709efc98a2ddff432d57bbe6e388f5853523984034630de947ae09c9b2fe10c434
+AUX 5.10.10/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B cc90e1f9421d93ee1e359e958dc1961f641e9f2173a3d7bde9a2059e104fd7e10704c761a5a356a3c14da2308ebb52a4859d2a69a64b9a7f29b05f24e4b3a30c SHA512 b0abe48fbcd33493573f41bc3be08cb5f3a21cbce59ba09dba6d262769e7325a1282e6078ab6829eca668a6fb17368097b26687d263917bec8193486d99932bc
+AUX 5.10.10/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B 46581f933d5aea7dcdc06ae1bd2a8dff8d4bb32b1f0650832accc3876d63deb71dcdab8216afcf548d8b96b6e4a026d2d0ddb9c7fd8ead8615217c5d8f83b020 SHA512 cd532762596f3445a79bc7347962b1f10a5b70358f7be39fb01fe1b24deae3f7a66a21d6c435858352e9c0c8ab995208840de2513fd1bd7f3d750ba1d843a379
+AUX 5.10.10/hardened-patches/0078-add-page-destructor-sanity-check.patch 2205 BLAKE2B 411b1b86dbcb7afb9dcb288d53eddf8ede071b084dee444c996c433aad58af56eba932b250750af34c1cdd6b8dd5d36d61f1c14133f2d10466bc5016be90f6ad SHA512 b7560a0ed1be50a32c6b21ef49ab96e466fc20ce43031833d621609e1426752ec24e54f53097af41039915c736d705cf28af05eb5b6cfce991871be03b8eeb18
+AUX 5.10.10/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B 3d5fc0774e7d0af3eed2ef37c0a6a6d19bb519a11f3b3b7841503f89287b4b06e9edd24b23682161ad47c1f2a4613f199e9c7cf1e119357c13ef00cae1c6fd99 SHA512 e19f4a0627e1a203a2bfb69f087fbbf0e270ede767a034feb3386db4dfcffc9a6e6b7c76ddccdd3f5d2e7db970d17f05cb60c4015bc4206209ba549cf9894f0f
+AUX 5.10.10/hardened-patches/0080-add-writable-function-pointer-detection.patch 2688 BLAKE2B 8a78baffa7ca6037edca40d586d689fed6ca698533db78bd065caf07074eba93e04cd7ba178d0c5fd112175b5382fc99442560c63cb7fe6ccbe4ce4a62a5a48e SHA512 e32448dcc7f88ccfa0c7df83d481c3221efce4674bf367b713dcc2eb6cc6144e3b27114376314c4af989adf08432db405fcffb1fb50afe1cfb7a855fcaa145e3
+AUX 5.10.10/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B b9381b2b0a6034478841ec20d103da88e9ae93347c677cb04da69f70494f87c35882a6d509e8e3b287fa35d6e08675eb1c024456be761ff854f872b0c4dc3647 SHA512 7e59ad90c52f65d58d9a6b1654a10a59ec86386870bd8f5edb0cec0272df929e877b524756f75ebab1f474639fd55aa2ce753ddd30230078271e3b374798cecf
+AUX 5.10.10/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B d86dda53f29b7d918289e7592521620515ee7e4e8916d419f1f9e089ff9c9fa26d91c310f835d8d896f7ffb0265883630caf3820416b0469dfbbc06c4e0ed6b8 SHA512 c8b51f39069d1aa80c640f17ada84c634ec60b621da1f6d138cab2ad5a92e1c8eb315f1d38b904d784d68c36bd67e4b00eacb8c582822ebf75e500d2cae4748e
+AUX 5.10.10/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B 42215563e619a6fde8ffa44df28f91cd94f1f8316a0cb30e478080d593829d2398bace433efc989deeb0d70b586da516576539c8c1c65dc48d810cce63956edf SHA512 e0c9c773173dcf572b0cb544a02a2ef928bf92093f8e702f0723e08441f72816b38907fe5214633a79c5793fa0349a204c5db9e6d6e45098152641723a305336
+AUX 5.10.10/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B 36aa38d9eabf38446d2e198d72928cdd5338fc349c054f7ad255cdcfafaf9a31a467ccc75824a423b421713a9319efc8f8d12ae5f1fa840a2667214075545a3c SHA512 f4ac300d5adb0908a5491e3ab45c26717cafaa6ad93b0aa5b4263fe5f496b2159c820fc43f2e8ce98d6f9ad9905f8a1f6c293ddbca4d0479fde128024221571a
+AUX 5.10.10/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B f41affd625f90cac2220c66c48b1d8854dc48d46663c809c4b166c457be52f49c9e48ba0bfb4bd175ce5521a51fcf6643646745f0ab2e762298c4dc5e98864a3 SHA512 9f234388dc8172d037518486ed17ce8a90a59ad570b598b5841d3cd70d5e36a609433b2d455e54cb4a32a16f6ffd6122c3803b62082a6c8efb458ebb9f159dd9
+AUX 5.10.10/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B b8c3413518541a7e836f1f9a4c2b907f5e5ea2419fe2066f74a5ebed816e4c1886df9a3d007ff4b977d0c1ff27442d4d821c1d50c77b1aff35cce56233bf35a3 SHA512 fd7f016759c26ad468ce083bc1488d2f15e0ebb21c5f13cea44778219846516ff6fc06dff601d27157936b7e466086ac475bd1b4b467fbb2638e1fa9833f351d
+AUX 5.10.10/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch 1466 BLAKE2B 4c85260dcd35e62d087fa291c957927454f54d8d7290cc68a2e25db5b10f77127c4be30ae422bc6688dcaf4a5ed982954e2da15f643a077697e658cf4ff77b05 SHA512 b1518c26fb19a036f9d791b6b0553061fb9ec9fde2f712709a8f3c1938d26ca81d86ee26075eb41ad9786cadae59d976e3c4244b6132c90a55c3a3af19cdb387
+AUX 5.10.10/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B aff63e64a372c9fab2a62cf89dd6c3059985ca47988ca6d8c32e6769a8d6273edfd305f211fe5cbe0237f678060f19330365e5cbde13f093116c3bbdc12e4f08 SHA512 85466b2e3b3ebf97e01e9f8ad217932086765b6b8da6701a03f9d5dfb3a9b91993ff3c13c9059bcacf3d8aef5e77965024c1114da206a54ce6bd0ef40cbfaab2
+AUX 5.10.10/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B 08e9fee2b4581b8ba2638ef623a5ba8f89f3beb46cb0430fb7274ae9b59d3d37cf3223c96b093e4bf3a7b4247edae1c4ec33c0e4a9bc740c0929f13ab7544366 SHA512 6f6aedeccf510092f4210fc77422a39386f50be209cb4322209c18715b14b744538e7c3f38330525aaf06a5c7075774324b1976ac9e106c762182f4dc0b740f6
+AUX 5.10.10/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B cb6c64dfb9b450e35f3530fa91583a6f09f5bdd1e0cd86d344abd79020d19148c4d5e96ce4e358e179e9bed047c67d3dca798c40bb41ff16eb8d27391be29476 SHA512 8d8f89daa8dee6aedebcffd23a87c335b8e9c2e13eedabcae34ae426261dbc24f83ee2776fb0b9371b25657f2b29359aa4dc4f31fe5f74affa87ed9f9427caf9
+AUX 5.10.10/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 9819dd402a1496526cdb7998888601c77a0c608b94c324d073819159e543eb6c9bbff798c92d648bbeb171c897e21818b8093d4e4596a28e48dfac7193aba516 SHA512 fccbf5ea62b81f533a08a8973d39e6dc6dc8c029c66dec354a148b78d868521a12072821eeeb043b50cc52d21bca290be6613464c6ec18f5470221c5c8de5d2f
+AUX 5.10.10/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B af23eac5116ad68936e24ffa0a48b7775de550a34680d747e6d0148a250614a86ff63a06c5faf9386ffeeb7e114fce6f37d1939013e93c46d6daaabbf50a46e5 SHA512 2d4e7d69fb8ac70330f7482e3f1ca839fe8c53c575a72f3c2b5a8162c3d084315d4c9d1b70c223ce302284a1d0ec4ab0afd5bd8ad57aab68cfea43a4c2b05dc6
+AUX 5.10.10/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B 1a75653ba443aa41d727e6336cc0056164217186873e3a1ee975a4fac86d3f13f255bba3b4f2a283013d57d46464c5ae883c291b1ea3fa33718cbd81f4827e8a SHA512 a1468621c02ff790d245746a73856f0822ee156f4eb398a0620c45fd7ae8e87214f4017ed494a98aff33a9e444224f8c1eb9b5afd8b287bb17eb5c59031c4b5d
+AUX 5.10.10/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B cfe6bc57dfb78d9274ceb78ea95e6ff374da08de0f3c89f4f30ab0bd5859af591e5d38235820bd1f6b5c7b972039e4dd82e653fbc0a5fa5e9f5d51961bf55754 SHA512 9f6d01d7fcaf49912e756e74ed1f863fd854eff34fd4082d562e1ad3d712a2b45cbfeaf997341da4ba3133b7f62bc97ff59435665b59585e4ccd9239b437613f
+AUX 5.10.10/hardened-patches/0095-restrict-device-timing-side-channels.patch 5426 BLAKE2B e1ba845ddf03817bbf30b249dd16231b95ee28eba5d3d221f8a65ec78e1c02f74921660a43b214ad8c47b884ffde9667315f6361f4abe83b313d58dbc7cb5081 SHA512 8422c561ba407f030e5d31f4049f9aedca2ee5d73a57babffa344819b1fdb4c210b54b7bfafe6885535705cd7ff6032357103922f811666348adfc9cef90bdfb
+AUX 5.10.10/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B 94e286034fa36048ececd54970fefab94f965fb87013d27b78c7f6da47310590584d5a60d7e35a8deddc694e90f038c0bf562f0f42644b4b92fe29c19145c556 SHA512 8eeb8694808d1090891c56d386f9118dd3b0c7e23f595c3a6cc33921617411ffe09d6f7f9692e3090fc576e09fb2a687d14b7c0449eb7fc5fbfc5e18eeb8c5a8
+AUX 5.10.10/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch 2474 BLAKE2B c4893af476ce8c5ebd52cde659147308f6b48136385637e4dd10db60440a29c8e02b906ff768b2e9d75d1c3dfd1b9af764ccdfb780c8b238a53d53879e57d9a2 SHA512 add66a0436e431ea6400a5cfc2e84dd75430da908fdad146f75fd2988a67ac8b5f01846644f4cb6185015eee2abee5e07d41d6fddffa045b5770cd4c7fac5d7b
+AUX 5.10.10/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch 5440 BLAKE2B 660caf3dc03382b6d5af91aadaaf7fc3cca9ba805fadfda73523845164ff3afab25aaa95b41940c36a04f1b83f16682f8d7971c0ce54d82067b7ef4850bd2364 SHA512 9983f74454d8c7a2374311d95bf79c77966248166562397cfe4d117bcf5175b22ee843612d6adecfac9d5469fcb248d2cce5eadbc2a3c698d6d5e39128182435
+AUX 5.10.10/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch 5154 BLAKE2B 7915828512ca808b6aa78462aa017c3683393914527cc90ce5bfc039e1851229dbf0707f91b959313eaa1045d2252dd9b2ecaf2b788d63be374a55228bc22e49 SHA512 7189d81b6384da9821e33a2f0ff2613e97a182d137946af0b6d29c55b871e124c05db891711754a7847272c8c62e4ebbab6f6b2b8d9ca479151c2e71b2ce3815
+AUX 5.10.10/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B 5f97f5525c5428eb25295e1913679ab49b0c988015b489e7f5b81643eb60fd4ee26da0138b79b8ef18cd2669c27ba93c59423245ae0a16984b086ae93abdd65b SHA512 ccfc6199f83ac606f0b02d202430f8ee3a86a8ed74895a3dd9cdcb50602daefb816c578705ad49fa0291a6cf02a872e2036b7f03eee5a151155803d2417e9103
+AUX 5.10.10/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6822 BLAKE2B 449ecd052e99fe4ea8000872f5dba8c248742ef02d59215b79414909a6d73d8fbda6ab0cb849dc18921b34b72b62bafa18c07dc75eca0bc2dbc33d9d8e299fc6 SHA512 9bede73e630a584106e72339f008a715c66b16420ac8fba46ea53b62d5744c10969ea99510fb98685e7be8c4c6701019c8aede827812051fb6f2834e13e814c3
+AUX 5.10.10/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B b849a000837cd07a1910d7667a74ba901d60cd8be68f80958ce8787a9ef76011f3ce85f4732522387009d11fc02c48d7f7b9d93ceb23a24b63e1044d5e68d72e SHA512 85e60254c01473651a67128900a83d22b5b528d06aa6f85299cdb7b1929b867a65229bff9d313a0b5809f555ba33bdf2859566a464693a2f791f6fb5f5e39165
+AUX 5.10.10/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B a0ea9ef7f9de4d299e1f9a18edfc811351f4e4952f27aa34c07275982eeee8cd57c90f60af9e9e6112c97e5586b996f4c7251be3b160c0e531f394956a7023ac SHA512 2a276ef271b70f886df15edb459768a453b0725b8d4384d0af1f24f37efc967010f70be8bb5efc2a62094c83feb2ac0edb526e8c07541d53b900305190ee2eb8
+AUX 5.10.10/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B 2ccf3606e5fc9e885b592dfca4ede8f77caf6ff22828a7fa6a619855c83f63fee9eefdee34b442e85fcd995e85960ee7de680479b88cd039cd1907d15c50e93f SHA512 049bb950811d34c312547d571bfc7d9b346e46ef7559833fb42509d14bb1759ee6f6d3d750db0a1cb2eb9233b9b757c9677cf103cafe36a3f9750ca5aae2fc26
+AUX 5.10.10/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 63c7eaf181059710421d1da602c5141fb1c212b6f72eb08c8487d691089ef865ef8d1b883c884018c276a098fa3b9312a27ebae70c6afdbff96cbf0b228c13d9 SHA512 cd25907312e6f137b24d7507d0de88e355f78724aee4f5e46fd72f10d07918485cba44b2eafccc1318d412c1c087dc1ef4b5c12658ed88085f9e8dfb18f5e92a
+AUX 5.10.10/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B 4f7ae4e29571fc6d8b7d3c73402191d4ba533a836cdc216e2576e5079ad4b5394435586df61feb7a0a42c063460d444be1dd11045c7d1dc68bd1eaa336f86957 SHA512 274eafd51c1bd7371f9343c547bb7ddf7d9999bccda2b49225515399e4d9ce0bf39644702d0ef822774de5369d116597c57cc2b63003cc3c0f15e59a49feccbd
+AUX 5.10.10/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch 3878 BLAKE2B dc6bee0b46a91be7bdf8176bd8cf912e728a70c9aa1fa6224df7293b377d58ab1e15dc57ca2c993ad1190ea8a88d3e9c0adb1f88ca7209055918e5571a8622ed SHA512 19f26cc360140e3f5caf767b4ba3713fb5db7c829659fd7888f4e96172afb5e7935b0cff458faa18a2a0ba621a71dfcc7ec053fd94cbd4ea7dcbcb7e532fae2a
+AUX 5.10.10/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B 11a3f34851d2a1de54630737111a99c11ee8ceb5e4d06a7e782768c8f8cb5f96b09dfb879b93e0ebc734e2a1e5866fd5e1af314275ec03c845a4a6428ea55384 SHA512 94653dc6040e61ef7ce7ca7233c83469e9651086a5fe7398d4445aabdc73e17b180bfdf959bfba13fdfaa518251e9c216868e726b4eb72bef841b204e2ab801d
+AUX 5.10.10/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B d833b9080b357d6bf3c69c9af944daa31fa5dd906d307ba606e09588f916fda37a43f0dca75791e96c0d4429ce801e19bbedd9705aaabab100d6116e13dbf3ba SHA512 5fe61ce8947dd41330e3e40eeff0a1cb13f294d739b71aa422c7ead526f6234ba331c0b6464cd72be0fa2455a8db8472039b07067902e962d959a8eb988ca687
+AUX 5.10.10/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B d5bbc1e3bf0c01e253e0f68542e6b690acfa67021d997a060c8a9fda0f6db0fdde813de46315fb954879216b18bc3d7d19f4b044d9cf2557ce8d7bb09809ab0c SHA512 e8a741c499be4521dceb0dc9dacc3b83e38227cedf382f019ed8962099bcf415443661383c8f063a0ac2f04fccf8da5972887a2517924e95ea407d37a25d3932
+AUX 5.10.10/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 264b95794ddfd3a8ef4a9d52c2943359effaf78d605fec8185b7e0225647dea14d9adf5564483d5f6ee51285bfbbdd3a6588c755403f371ae6b15630cc9730be SHA512 3afafd6acfa89ccada5c9628fffbfec0744dd73460391cab34c60620150640ab0ea0f480966cae3ab2a14a5bcccd6b495f0c1a1fd8e0623eaf951cb80ebf9522
+AUX 5.10.10/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B 9acae557e3d3e77dc292697e24e30c28e0c158f854cac9d94abd26feec8bd350a89c9b9f76a9fa2fab513b59e7f71458c95f3f3f287ea98458d60886804683f0 SHA512 9b7d1e5132944801c486dc3b54814e4337aa42dcfcb83c5c7629579bdab07ab5e10036f84afa77653e61f49381c4b936f0b77fcde5189a2b410a2da530e53894
+AUX 5.10.4/export_kernel_fpu_functions.patch 1221 BLAKE2B 298964bf709ac9cf4553d0168aedf03b915c1f8add002d5aa1a9e5624b0cf4712f9dc855f3fdcce6376ede8fa2cc225d09c2edba0b9ec23903cb899528e84714 SHA512 073eb8a477d8f209e21c1a2492ba9907b2cac1d94fe42372a6e85dea60bfc6f122da0ae6922a5192886ac4b864c68447f122ec63f84c13610219b51e4e723633
+AUX 5.10.4/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2286 BLAKE2B 57aace7f6a5e436d7326e92b0ec0fd243de10ee88da9e5ed28bfd89242dedbff6c1fb301659e681bae51659cfc4d80aaac5b5337aabdbfd3851b1c8e82262731 SHA512 9f484c98304ba38caeeb8ed411a4466889eee8a7f4f10d12736428e7cea8e551060e4a853a313a30c18f9531a93f9323ecfa3fd7bb0658400aa43fcd25984e0c
+AUX 5.10.4/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 807 BLAKE2B 1e0b4eb82b65566315635eaf94c73b1965eab194da528ebe9a1e5944ee4ebd412bee30166b153f3eb2d68403fae6d41797e8a26f33df26acb818e09d22205970 SHA512 89f75cef65be0814dee5926c352eba3e541bdd48876a238252b3119501cfb194c38d641188b3a2c2b883a094825f32deb6bc187cd6e3fd324b3dfe57572af47e
+AUX 5.10.4/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1286 BLAKE2B 82af60c890c39c69d90983a4ebcf6d30146bba277ba19f370a22d535beaeb8e0f0415dd3777859e270c35a7fc0432730b55d6044a312e03f67c77c12c5474674 SHA512 7cd47e32fd33a8cdd4ee11d75caa1dfb6c9798e01d576178b6f008c1cc21711802707c53c992b7f56154132ffbfc51d45458e9288a80678bd5e3b05b79245629
+AUX 5.10.4/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 956 BLAKE2B 71c80bcdca588e3ed5c13f639593e42d7b156c4c766afcb2e02a3bfabef55f0d079e687ba6dd4078fc60b38366fc6c99b4c8f7e2678d43a89ee3af311108e62a SHA512 f2f43249557cf0fdf5a63a5d2505a6159e8287274735076f9e7787b1be71c9100b53ca1b97ba00f645f588a82669f29dc001347e0818396a318f4bcb947e468a
+AUX 5.10.4/gentoo-patches/2920_sign-file-patch-for-libressl.patch 564 BLAKE2B 7706f62290b76c23b288d54ffe797cdad8f37125c641e9dc55cd11a4c58ae3360191ac8de8ddd2107818cd873223437943efa3a3c9b2f65fdb715209f54cf39d SHA512 e5f88cd760981c1176608fdfc24380097b4b69b7b15b634456dc2b4dd98fa160a999c434bdf295e5d10bced9c410530cef3d55d5ff49ad8265e4a9b03a34a3ec
+AUX 5.10.4/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4778 BLAKE2B 100c88bc678ab8189070c9d9d80fa8da413d6ad90e58eebbb60e5fccab5dba39c7b60e881c437f6c4a76b13a251f0626e431717707d0533b74445663cd03056e SHA512 59a76fb39647d60ca5c3c13559c808c8726286a73dc05046a41bf99390cf8013de92267e88afdb30b2d0307ab8cd4113146b3ce4a32b2bbefdb87177820a40d6
+AUX 5.10.4/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B 1b8bd5d251a858b427f0f9445784d72f1f171899beb63e1f45d156525c35b3bcf67e99a174390cc0969b5c81beacc8194243e95ed35320ce807b5699022835f8 SHA512 757997bc8732af81df77e5ff1784e75644aee97fe8e4b188a3bcf5a5e7c9de7ac9a4b6209492341cbfab7536ba55e30127515c489ba3e8597e1541053092268c
+AUX 5.10.4/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B 260e661fbbe002adf3e957dfbe1dc4da46e1c4f19797390f386c639ca6bb5242867bae39aa9f850af114f916e65c42625b430bdaefabad656a0d47601ff1c45e SHA512 dd148be886de87e5ae46f290af93b2884edae908575844aeef8ea46901189c85a111b4f91d094dae28018f89625e3462248754cc876a0d472f9154b0f999012d
+AUX 5.10.4/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B 9ad51ada3f59a87145a1d37f3016b11c264d6afefbe2f64ec266535b23ad052a2e1ea92619a444afc91d7900f1007e2936500374d778be61f808348d79c47a97 SHA512 aa2685c855d87ae58187a2da5ace6d4eddf71acf57ee143f25e584d183d41ed0d8c10123917dc1590a3978abbf51b7298ca78c3674fbfebbf890e34741b8b29b
+AUX 5.10.4/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B a94a717c692882590e1a123e7fe7b7d14739ce4db3e73529415611055b5e0bf0dbbb612193b2230a31cb0295e5dd4eb2132acb4f8f4e8329f906dc93e290be9e SHA512 4fbe2da06ce3f83182628ec4bdd7c79278e08ae573504734afde0330040edd46d9582e55a844187f1b709d645fd074e170eaa4469c545d64aff37971d3459207
+AUX 5.10.4/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B 03f08ba32cb5d052e893c93f9a6b44ad49723a448851e9bc922267cc4a1137f804e1074cf3d1fd407fd2413606a13e0ed51de005e1813fb91bfc77dfbc926384 SHA512 04b7785a6428f779bc784e6d2b8b2dd16f2c64556dba81c14975d050c88eccf9e94aadd30f87348dbbd399330763c192ebd1f7307ca792619d89dbf0f2e062e3
+AUX 5.10.4/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B 8ff5320f14907b1e1ec2618c777e67496b6f3bd2522a8fda2f1cbc34135b8df6eca06670e3681f85cd054d39476ffdd9c80449f6c0e2dac18920ac2d9246048f SHA512 1ca741c127d40365f548b45665639d5156b288f1819ea4dc30798f3de5744b48fac5b1660ccce444ff8b1ad99586edcfc5b160a4038c70327b271ca155e105df
+AUX 5.10.4/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B cb852780a572311c6c9ff7a053eb95bd92af1c2cff29a2d62969aa233c3e760247bc442a88789bc37adf1c5df306bd830d8e9bc5dd5558acbdbe68e6860e7f6f SHA512 3681029b6e66168dbd461bdbb4feed28e53ed6a489e751801fd9352168d79294d8d645393d780cb4a306e10c31f13add5254ac60506fd579dd247353f4c3c853
+AUX 5.10.4/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B 56a9bd42cfa458920edc715df6d9c68ec4f919d41458a36aefa85fe0bedc3a4ffac015507087f24020e274b4dfe8eb237fb9b3634f0002b8611a9e515323a6f2 SHA512 e765668891524d27205fbb2fa07d244c5c3ea0525cf5dea7b68814ad65b6a1ebe6f47fb3c29f8235a09745aa867b3312566848e68fbebe955e64043799cc6f43
+AUX 5.10.4/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B d3869d4e77799e0c4a81f96d32fd3a44e5450a7b63324f9b1166017eb9f56b6af5a9836587826706cd43c5de6acc88e9f84a883e12090942db9f4f5119903c32 SHA512 85ab14f5dfaf1a6610353cddc6f9a0de462b55a304aa5cbf98695b77db34246bb0056331ec2072f9031186961d862f5b25b56c23a6c547302f6f92594ba9eefe
+AUX 5.10.4/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B 9e079bc95f4047d0ccac8da847e8f4e5cff12eaad9a5d101b9dde90880e708b57f003d908c0ec20c3a0f16c15f6dab52b8ffd27ff415f6526344cd7c59ce6763 SHA512 53319ad119adae74ba47c325c66401aed4f7296f12ea31372eefbf99563a5bcab7d71ba2454262c6fe53968ce0baa90b37f468ccf934a2bdf5469de45ffe1344
+AUX 5.10.4/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B 7a5f2e1b49435f06634c486c08dc0c457d7767fecfe438351387e13c97ae39814028f2c7c1dd8d4cde6b68f729457849bee4a814287caf48f14ca9aa8b4823f7 SHA512 94b711d7913077ce776f5eb159e345e961cad5ddc9c8e36e510bd75a1d05c3bdd785c37c102ede49c5c29fda6035055c4894b163c2346884d8580e789f449034
+AUX 5.10.4/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B fca6eec38b2dc1ddbef132f6749dbd5c08dd6c308004ac7dd52145df79a1ec612681020e90864a458978cad5efb8ba1f415a26b8e2eedca070613bf1b387742e SHA512 8feaa0cd36c2b997b6c3c4431c3488f8656e141ce28bac3306ba98b87a19661288b0f502034f55e378d75ac842bd8570c3cc366f455e0eb872d20d7d51e80ee4
+AUX 5.10.4/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B c8b6229baa5bf8d7c34e7e915223864daffc734189797a5d6b5dc6ed3f1a5c11dbd11f790a1feb6492822e980009ccc184193e24cb1403bfad935bb4e5e7b962 SHA512 c39290fe61af8499fa346e9281a47aa649f04ed1e2968b0fda4faac38df33714cecfcd1222cba02a39cc14ddae0875a2717da4858eb25c8b8c0760a172d0b4cc
+AUX 5.10.4/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B a733a2fc8000d3908fd91ecbb3653a0410d197a57f89dd89bff8780f1096b63eda0661d2c54d31c1482b92867f639d7cbe0815689d8c2a4d37fbf967c62039c4 SHA512 cba84045765be0a95dc80375a9dce197852ac7ee150aba7c3e931b7fb5c4f8f16d455320044376c56a898cb972fee71584eae8450c6ebdf9081e8c1bd5a61c6e
+AUX 5.10.4/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B 9890cb78473ed177bdf7b8522716058c99f4ecf4d4ae4b6e10e55d74fcc7fc60a4a911f2f26c0baf020e5bbb174aa9141b9951fd716c7b5366fa3a2c06ab0e59 SHA512 4e4e7726dae3bb1e1c6d73d0191737430a2c06b7f3e423a4ea8b863686c28feb6dfd995714584113a07286bd689fcb3dcbd273e43c8820f07b8cfc3fcf6f9b8e
+AUX 5.10.4/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B d85b6f01c86a2cbced324cc57ed6b80e7c0cd087c9291e6bd096c6edb3f0512c62e49a7492b199e0fc46e20f5362c5412b3cd9ce5de054810be679ce00c651b2 SHA512 2bb8435c212487b9e51462cd22dc6ac40dda3c992b0d1ff05cd0e3af26d057205b096b0f543993804eab7880c4db82f3046390cb369c7b4cea440d09784631c8
+AUX 5.10.4/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B 2fc4970351057cc2bf0e88d2a8fc1d1fa29a78deb6ba9a7db131af61bbaf91cd8a86820794178b653ca724c40c8121bc0143bc3145c10fa4595d1f49b4ed87ae SHA512 d1c0efa60985a741869f5989874f350c4f3699f9556e68672148f4ed873d3eb7206e1b437d3aa386af236d982749f38053d6922f87edbb4158bdb2dbb19c7117
+AUX 5.10.4/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B b7ebf12531d6605c8e24ecfaaec8a19822f3306ac48a72a386fae1b304fcb83e03cdd906d045ac5a27ae661e83b7a27563e3213f236a5fc5095aed1de7a61f49 SHA512 f852dbb41738fef38f0c892b348e1e6d0962c675bdfe23d01c4fe79fe0a729d2f88a7746f29ed4c0e9cdc64ed657a3c8862bf34e862b7f7982e17d7eff7ac64c
+AUX 5.10.4/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B 4e42c1f3cd96939f909efa7d8e7313a5a9d53bc41a218325c839562c03e315f502f549ff43b37982ad35803978a2e1bc88c7e7155e49e98b81b45d1b68dec834 SHA512 1f97d61d441140c12dcc368d645ca24a5965f3edb7aaf27b9418c7f3109d31ef5f67cf084c38c6bc17a2688caa1565e8529d565a4d5bde9868d996bb397aef46
+AUX 5.10.4/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B 7ce2f9c93bbe548dce0cbe7f4d6d09963c45ffae5a4274fb9d56d66ecd5248ae50f19aeaac87b28d300eb1dde839e1ed2b5f1b2240362a9de0e5ac9b687c1c04 SHA512 7ab0f8e9e28bd1fb3969380caa4a0fee5dbe3d520e7d0fd09b455d7830232ec498fc9148bf669d4735026e40b3cbed8ab32261ef811d8bc626ef673518bd08a2
+AUX 5.10.4/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B c3f914d677f8592f61735688643ddfa733e240dd54c6964ff145ee4391bab9d48e5f4e3bbf9b65730c1a298d36fc5f88fa880780ff790ff23219305c71b0c642 SHA512 36b4d303f92fec536a961bbc694a62f117a9a39a006f535a70e477c680f9e516f8e4dd70fe3e533f40c8ec5358c054e2bfabab384fdbcc0b2c38cde0a41af802
+AUX 5.10.4/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B d0ebf031134a85fa683f76751b624a811f39083624add68c4a076447202ede858938d943abe6e2fc9d4238b4f668ec47a71befcd134e7f63fd5c34986e6b618d SHA512 031c7745a3c83fb23c65505ce7afa4175a50f4091670577604e9bcc778fa79c913d5cd2e6dcf56d5ea2477b3639dbbf86917caa2be39f20618877397b35b6cfe
+AUX 5.10.4/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B 8c3bd0ed1725a0ab63bc86566f5ca137e60ec350179d878b24aeeba5daac5c0e29fc11f49abba6a2796397bda0fca340fecc9cd857da4cb73c8249e9c2214ced SHA512 df4e8ebf5964fa0e34202960bd02284c6d9e75b0e79c6bd886a1c2edc8b5205ed5da7ac0ecd093d43a7e8ee39fa1d6112ed924d5e48d17c507962e8bed1109f6
+AUX 5.10.4/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B f78abccd47bdd41484086316e967f62b8ce5e97e76cb36c38abe487425b5f18008ae1ca5548ba3410a94244db2f457df7ea8369f51354c73968305395248114c SHA512 cfe1314086711658392a46b03385e7200448f18bf67c3592d53a978ff48ff674ea81786a4ed056ce4fad15fd79743a744f3fe8abf7ce3cf44c7216deff722f6d
+AUX 5.10.4/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B e715bdf8da2377093acb0c9a84a1ab18f05a20e4b57edd8e35f38407aa51c6e02e3ad15d0d438495b9da44cc13c0578b0d5a23d9771746e28aa666161a2f04db SHA512 26845813030627edd2dcd286449121730667c8d9f2afef25e37ac06fa716cd206a77f86a6072d490d49c85e06a7cb6f3122f96fcbb0b6ca34f02332c2af46183
+AUX 5.10.4/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B 1de5da70b579331d4a5c14803be0b12a992fb3a833944ef7a17d4dbed36c391eb37e9a361154f9355103bf3d888469058f2f8764a41535f354d10ea9c7cd5688 SHA512 7841595d7f5b85456ab16985298e20fded76b3a93305749be673a07b13698f85bf1e60ec5c8fe3cbdbfe53be15a8b7a57ab95b702829cedae1c2e16fe1ec21f5
+AUX 5.10.4/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B 65e569a12efe40fe08d477c64e81adca244af7f2cbef5ea3b35436853e726aa0a3ab9676ce39202500eb94abf7fba0917361115dea98891ae18b78197bf7b050 SHA512 c18e79283284be943831dd02ab91db354d229d0fe77413c6a1e36aef96e457cdd13e6251cc67da844de80bba4b5894af70d4882f43fbe96b6cd386e6c5f36a12
+AUX 5.10.4/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B 2ad605e2109bcf5096536b0368b708ffe55b0e1e256bce7bec18934afcd3de0f29be1ee3c980841e1508043a93889a425bc63d9736ca5eac77317ee4fb3daa7c SHA512 2ba1fb334fc3c174fcffb3d635c957f704b9775ace6974f1f25efc9a0e6be9dfaa338afe326a597fb7cfe8dba9c41d71e964e57fb0c038cfead427a3b2090fc6
+AUX 5.10.4/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B fc6963a8c1a713306d1059c1086286b7d6f0b9cea04a53f4a81741427b8bec4f316e7eb4188d92cceeda0060569d1ec5a5d2f0f39a7a8850d6fe6540c32b1585 SHA512 bc613f0174f74a7b48e69b7864c2ae980190725919c5e2cfc2e2ab485109dfdc7779821ee6aef8ab62eeb532902917c379ca35685ae1fe4dc85a52724ccb8bb2
+AUX 5.10.4/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B ede9ca050f9b4250816f6f7b7115ef89b0fd1e728dfc8184e858a25aa404f73eb20c78c5a142aa437895ae7ad5e09a0c1e327c1a83b3c1e1e024533670bb11d3 SHA512 c8b4695e312c674158206c307a5a3e442d10d2467b86974af26c1427137a337e36e47957d039642ccd8da43f1baacca60b5707addba626c8af49695edb9e0e6e
+AUX 5.10.4/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B 538e30a0d4337bfed3f1ef0caa7d0b0e47bbf5a630d8b5509eb020e2a7260444d9bd1d2e4dae7e2ef7edb6c7dc4aba0fc22a015fc0504fb97dee33e21fb26fac SHA512 07600397405e41bb6e1bb4274ec782a81d0e21b24357c81e01ef871a210822a757e2ee0db95c326bd7949bd37885a1d2b871b49c6baedf149e2b5f731a87bfd7
+AUX 5.10.4/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B 78dc88f877c8b4baa8406b670d0d3df3363475354b7a9c8aa0fa7314273eda4b56bcb2893d5d8a8048bc1653071fbafc6fdd247b7606e59191552bdf40edf8a4 SHA512 705fcb868685b2ffbe6e8eaea78963108b957611338247bba531546984e4b6223fe312ca13573f979406dc647e33f3cc79ea83971cbfe61a3b37d91d70f8e572
+AUX 5.10.4/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B 3952aef06492d86dba8ac9cea24c65358d93900c6cbd5e737958e1dd87415b0f9da91e639dfd82b22925fecdefbaaf36c1beadf2d5118f88a58f1f4f1177bcfb SHA512 0b83727a9089e75b285df557db7079b392515ba99ed0bee79a72ffbfa2d273a23eb739c7013bba486a5d3650f55d6add106f0ea4fb19bc2053da64490e6b1250
+AUX 5.10.4/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 96bfc65455263adabd40d3fd20b6bd90cf9b9997a6529ae23b3126792629b562bdfe971862641679e476c192ff62f2171055981875f9868d1943cc926afe0907 SHA512 4631f02d7caa4c3ee3f9688cdb0b19846e7ba0ed4a62fe8ac16d773d17da3a5ce4461b8ef1bd1f64a7d7d250c3b6b5f9a9eb0079a451d19dbba608ce2b3d7b0b
+AUX 5.10.4/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B 3333d8083477f36e6a8c5e77b3f8afae766eacc3dd7ab6acaccf63f3abbe51081b73f84577236a2233ddd3ef115b5465634d7a3bd686ad27b2b5567d1a897112 SHA512 9aaf5ff1c3b9a6131cae79dce9ba2390f3f418140f98c32d794ab3ee0c0ed0480f94b2175e7207c3aed660c194f47ddc163d2f072a8c9463f0e13a55a345b05b
+AUX 5.10.4/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B 5ddaf4cde811dfbf4cf49710351440c70c230bd562e6640c1e109fcefc7336de332072986d4019ac4dff077e098c7fd9ead1d8326b0ee2d15f4a3e46bc4c9076 SHA512 8d846fe41173dd25ae2ddceaa1cb1eec68e8f51e2c822098363013d7444f1db7c3a8ef0415e7d0ea5486c3859a882947b83382aebb2ac12833a3132f2338908a
+AUX 5.10.4/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B 736efd72f9f13d67db93f89324d0e6c13f092b217052000ecdb7a370762d785beff491b960df25ec72d7c947df98a2594a12db3d083065a0e14cb90419951848 SHA512 29a72e907e6c11d4f9be5eca75b64763495426ce7d9ea23582c41a961ab3f04bb407efe84c542b6007995a381e5e1cb8ad9cdb48b2d012398be5141826bbab39
+AUX 5.10.4/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B ab4f3c8885491fbb7fa06df0adb1b827fbd546dc555daad4bae77df4910468cc604e8325426f61877af212a9df8d3a83b6439deb777a0502915ecbf0db820381 SHA512 88a695c7929c4be87068d1d39225f7cd469716cdbf9e5b6d0d1aaf0b84f3b682a52d9abfedd4bf8753c850e40446920be2e8752bce271070a78b15beafc73019
+AUX 5.10.4/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 958b15440efd0e98aa9a262eb8ad72a9d338432515fc743578d8793568a1abbd8ab12a8b280a2b338d478e6bf0bdd19b0383369ba736c5f262a9ec9571e8afb3 SHA512 7098c8128f45273847a500b8dc277e8a588098f625f395ea54339491298cd142ff86109051b05216ae6806d924eeeb9cc25727fddb7f697215d24238c4d0908b
+AUX 5.10.4/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch 697 BLAKE2B 325bfa92d9299d146f6d6819870612f9c66a6a0e747a52a29db3c7ba930831e9c3e81f9658ed5de0e15af19c87eb4864bf682ac7d0dd3a36de51261770364429 SHA512 f6239e6ff823e299fabc5744d758162f6b4c28eff925450ee6d3eb9facb309ed58ec72b2df0c57dcbd162b0a7d81886f82af5246a82943baf066fa39e1295801
+AUX 5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch 3971 BLAKE2B 3e36d534b2c4278905aa1ed26f3f31017877b7957754ad9afa391c1733ef52dddaeb8b1be5d2331cdf6da260c8455e0acf3e810a6d85e8a51e4c3b983603ce4e SHA512 1e8772fd0fbe2c7479a7ec989ccb58b7ea2ad50b86006c17e34703f474ce81525f4e59c1b82480174fef535d61e105fea5717a97aecd7690bf7c57eb3d77796b
+AUX 5.10.4/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 6e6701beefebbf1ee87b4e61e36af4942c35477ba94a2c3456e4c44c7c48f0d5e819fa9906c87ab2d08caeb52ad8147292ae9b50fe15580e1eca303d6b0f93f0 SHA512 8bfa89e1be8c4cf64fdc9e4c245d63922304a9bb4114c22ffa1ad4708d4a09334fbc609ed3ac2d29d1da8689beef6dbca5162933acd672175903f730fb0b61da
+AUX 5.10.4/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B 56eae51db487eb12d5ecdb328e327c8bcc54ea57c1a89c171e44afacc99b77d1adf18c74fe88852d43f79471156ccc1b7e7631cd0ef6140443ae13edf2c11ef3 SHA512 fffb9907df0eab71055c26ae4f8e807bd80aed730db38735c1b802ebf94dcb4b1efb5153f8a0b1a0b84514b9b3d29997f773ee72736448546b1c08c2b031ef1f
+AUX 5.10.4/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B 83a0ca9026a6723e72ee2684eb77ba1885683b5b35dfe7bfe2c3732bc053095cf9221af1308a8fe363163ce03dd4dc5d7a71d9f680123d185c37d896f0606894 SHA512 935095ed710e9e4a86d768fcfc19c9b53edbde10eab2bc5e6b9d86d128dc95a2cb1daa74466f72a887cb673c991739c6687c5c3079669d8785e32a08425ba865
+AUX 5.10.4/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B 840e80e2f2e97e109369cc612954aa09d86e0eba5ee2125ebbfd214ca8539fddc038ad147c1b8412afc223c6de091d5a7aebc7a9a8d65bba5270f3981c733182 SHA512 2a04295b1a91c5867e603eddba41c125bb0615e8a93492ec015acd45b308ef0c549752b73a221a99797957fa7f5b7ad6957b8a4171363df0b4831898a9687687
+AUX 5.10.4/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B efd668b4a1323899fd1f8dcd72809c12c9c2f36227f67f3bdb643439c62ec7a38315b9b27e6659cec67f3137c09961b519fe719f87c786086fb58dbc0f43a1d4 SHA512 7df1ecb55e83bdbd632669ab2676e3b0e456e965cfb99b55733c5982422f8ad5013f0291285ec800d32b2b5ccc490f5c64e8e2877fe0aa8d43a3953b3da9d6be
+AUX 5.10.4/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B fceb11e48b5eefb60f773d9318c99d2d1f4bd054924e7839ca40c1f27df5408aa9d08c7fcc808816e2839cf7dd8c54fea5e852174907cff6790a88eecea78e73 SHA512 3f7e5e62fb7e1099ba79a58bda29583c654fe9cb9f6296d66e1b9d53a21d3348ee2b2398a8030982127f340fd453462effa11c49c6423d40ebc8cd81c1fc670d
+AUX 5.10.4/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B d1c1ff47e3c423f77983b51c7b85756f5c4f5b867f04b8e88b95a94df3723234f8483faeca2d941b70e36da611a919cbc394ef606f4c3d0a6692b548fdf02e1a SHA512 3752584fc2f8ace7b6af835022382e42bc64545773d50dc50458b8a3f3a3a9502e0fefd9e894b93866104706aef108c5458f77d1fe2f1eebfff2fe537a033820
+AUX 5.10.4/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch 7357 BLAKE2B 1361a3c48b2f5e2ead6790abdc849ea64304f712f0e6f211d272f0454b5848fa32782abadf9ea08bb76cddbf412d3ce246d7516aaae1d4f41c3f1572273602b1 SHA512 963b0e4a39a60c3273b83aeaf46953a21d06730a38bc952acef7062703a55a938c9c504a8f03caaa5537c4769339f95ec542ccf827470591257fb9e2aaf47abd
+AUX 5.10.4/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B 8ac721cab2f24695a57c46835e4d8a861c6ccc8023294bb84ec41119e6cf7d7a1a99f80919db51780dd8d5c6d8839fbfb7ccb75d3af76cfc5f1d64c572683640 SHA512 94fda9b7982f2f812660364ef272533db6dc89d8426bc3ed04b83c9b9c6bd2853cd9e9b1c5f9ccb0352d7734f30596c679a7927d2839044d539fd37e45eb74ff
+AUX 5.10.4/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B c5fc161a274d3abcfb99a20807c5f04f9e24b1073168f6f446c82ecbeb150c1bc82abefcb87eca2829197a5dde850b862bf80239ce88c975e3a28d63dffbfa0d SHA512 6c58b10ca00869c295649877e20f9c2c069b503c1b72a3ff2d6e60e3d7e66c9233feed87095683f5a3a925989f0e10a50a4aa6344dc5308745812d2486bd3cc7
+AUX 5.10.4/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B f58edfe2e8902843511c3bd6f2755e31f1942456008a8b8aa782eb3642201a54fdf036571cb18de529e12e72304e619540235d04a948ca8acaf89f8ab0df657f SHA512 91bc752d221c07a6ede9a08a6e59978ddb7590423bbc2bd7d4d28ef94d31c0352c5994449c6fa64195eb838e8ac623af1f60f81bb8f14216cb8289a6fd9fcf77
+AUX 5.10.4/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B f4a07aa49d9acb668b9b362054f12c1b25dcda01dbecd119ffd012c2297caab79bc3b2591bab99814dc097358adcc9971a1f4d0764813d07b022493612a175e5 SHA512 01decbb01597775dab66fb5221153a548fb717c30c2b6e50682436b89fbad6084c892c6e757de5a854f3b3601c6426f6323bfbaf58ae6340485c3991c72109c2
+AUX 5.10.4/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B 65db35730da8ea79cda86a18087b242681cfe64fdb50a2edafc53036a9188380963ad6ecf789bdb9538b5b79fa57fedd20a8dc0d794d412604d1e2d1fa45ef79 SHA512 3b41bc8cffa1f59c6d31ea16371625b9338693916b8e8ddc37234f5f7c4cc1dab944cc269c808f21624e48fa88ce532f30598c82ae61699466a8eedb82526478
+AUX 5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B 6b236422395b6e64ed1d272d5782959c8e65ad00af150221bd53e124d1e548db366bbd952abb83ac31fdb3315d036efbe2bf8fff1bd92a4e9a09506ca987e7fc SHA512 3fcf33fded5ec09a7f4f2ddfccb059d9d58995c0b72916e474486f054a9a828b579bf0cc7bfd668437cf815b23602f2252b900761cf047425afab2c1593cbf6b
+AUX 5.10.4/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B b39462ce8b42f1472cd86904fd9104a86efb0a2ed87969fdf6a6347c224d9d10df8b14c6e996006a28196ad425423f9351c36252c67ba4e33b0be467e14654a5 SHA512 eeac81323682eee9f8ed14eedacb71f788d15954cb90db1429221c56736076c3f4dd08fce3688f6bc039d2c5821f00933b83694b12c17d269c465edf1e4a2140
+AUX 5.10.4/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B 5ad7d98c75bd582aa0cfd992dacb4c62c5466d47b93dd45c42ede450d3b5551dc8f2d11dac8231f16220101095c1ba36426b8ce1b5cb441bba710632c939cb82 SHA512 1749e1ba659bfe0d0a6a3704ac7b3b7383b7a765b923088dc85d1608c4b4b0f22da93d63ea614aaaa99ad1f8dbb39ab2d4c82ee99c2d7441ac1ec96d05a9593d
+AUX 5.10.4/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B c10919ba86bbe96c3f1730ff59eca21420a0e2759516fb8eb9b18bdaf67a776391c69a0ba71db7f17b75ae7f0377d78f5741abafb8c9cd8fd280833564e1c6c2 SHA512 c3bcd40b63993aca97046adc9afdd0f19f09057e1e0251092f89d7952a2dab14593b7282005742d30113043722eede15ad79dea79adcecd000c2e83fc78c080c
+AUX 5.10.4/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B a00bd05ebe963a2a026c3e9b30cd2fee2b583a9304f81909454c2ff8378ef527e70022ee8ce9d3206267579d3b6b32ebafa2c2eca90c89be0469642579a5861b SHA512 32df2b8f13da2755b4ed5898432a167d366718241b6faa4e01ad080ad00038b04af0d56ede2081f2295d1213f03ba425e7b1f5dad62838fce69cd4bfe66f59d1
+AUX 5.10.4/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B ad0098dcdd3e2ada46d9359e213879a16a2b0943e24f02665f427f2302eb6e6265253fd2569b2bf285712fa4e1e0ababcbdc6a2bb0497be45a62f519bcc10a98 SHA512 3c3201d3a2e24447585c04e27cc61eb7d63a6f78a50afe0b27d44ec8f596e120214beff682f895b995a75877578cc7a898ac3937f539d9e33193c249a4238def
+AUX 5.10.4/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B e71dae6b8fdc6f112bc725c623a665a04d06f5a6e4d778665ac3f8c4e6a0d8c7e8c767da1d879e9ebed9758f1289fbd9fc1e2fe8fceef5453227cb517c47f511 SHA512 196c652a8b20765c6d6ab8aa6683ad418bec6dd1c8bcb55bd2249dfea1db8ff47de9102245588e2324cbc96e4f73181b595ac04f2980a564f49352b5859c352a
+AUX 5.10.4/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B 736856d1fccb55a4dee4a09bf3e1c477ab256b33dd23558338ed7d989ac55fbd812216d7d801672d5300ef5b6504d030c1082aba5dbe577c305e487a96d34664 SHA512 6e5a16f70d813fed1ec53195aaacc3a63fccc39f4203524541652cd45446a0e7a0bec5813bb7291ba146d96611e65077eb17e303b255ba27d102845c6121d88a
+AUX 5.10.4/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B 8762579fe848319040f8c3f734cbb75cb28c940b2a6f89366d40f46e5f9794eac1163f8e7f0e4b7126be0eac7f047ccdb530f5672ce76fd77fb86183bb49706b SHA512 5f3026bd5200745c0e3182103244b376cd360061b118a4d59fe140dcd955378c8d65ba944ab2fd466822aaf6413554f9c1b7dd554cba0aa3d0424433ffc233b5
+AUX 5.10.4/hardened-patches/0064-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B 15aca31a046c1549dbf2f3f2afab65d55634fafa28331bdd1d0f6253a22205886e11ceaf7d225518fa4ce6ee46466a6fe490d416496fdb571b23d3905f88196a SHA512 4a5c29e014932234c32d851576e1cd29291aed48ae8d1e131f09d662382ab6859a28f64d7199b28adb3c8b754005ee4c67c6fa067e01d2e15d295f16e6a299f0
+AUX 5.10.4/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch 1259 BLAKE2B a374ba45760de333084ba5a43d6cf83b3b9576056119469403359287c60bf5fa1efad69bc787cdbf0789fbd5192b1323719802fef58fb9ec3aae7038dddbb1bf SHA512 565920304fe5f5512fd99b90aa051ce09440600f9a67d97196df66a35584a54357f730bb64a0b2988b5e73eebdf6cfa5f4005f21674255f98fa91c54e1223709
+AUX 5.10.4/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch 3591 BLAKE2B 22808a656ae8d46ea02fd1624ca2dfa4b6b03ed86751caa38ff7688a3fb17175ad031dc8bfce905d2d04d036e1a41ce6176fdb6e02f0b163658fd66326949bab SHA512 b610ead8209b410679655835e7ed29c70eb1249ee2c3bffd71723e6cc7b35a05a919b1cbadcf27de6997a53d02ed89907e23c369e6527704e9f78edc96fa8fa4
+AUX 5.10.4/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B 15a4ee65eee64d364892ac65a7d6581dd97c602a8c4e06bf8633f2e2b218da2ca05bac60c1de6022f86cd37411bd4e6864acb7298467a5c2261db985879fb92d SHA512 45b543d003f0f8181caf76505546c517bf5cc04fdcf33adf6fceaed591a0b0f1dce098e158570933ea5d5cc389c849a3325ecd6d541cd45bc07a716e782ff98e
+AUX 5.10.4/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B 385ba59354c96ae5275ee5864d11ec9fef20cd671f34e8d44c4c1172722bc92cf06298f44b8864760746b294bf44b01f1c8cc18c0ab05343e5f7809d206255c2 SHA512 a10c4d2ddd69ea99ba6c0ab26ac41d70fc858d0b5aa3b35af99087047239195b9b916f69d7b5df4dfefd9bbeda22f4b3dfce4c274be56658ec1861f45ac59248
+AUX 5.10.4/hardened-patches/0069-add-page-destructor-sanity-check.patch 2205 BLAKE2B 529ab2c7de9d2ffe68e49c968a772d8d7c980584c9c038591a20abefc3927c36fd52cfdc5952f73ec74a80d3d6a8dceb416ca436954ec4d4088c772f59476282 SHA512 151d071770900024e5512f9eabe91ff5151068f6555851a05384a7061b8fd4ca018e5099a2870de11ff93ac5ec82598375d8c0ac9fb7c6420c710335fe0b327c
+AUX 5.10.4/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B d57316fbecd053f7f5384de467f771b4ef715d58195f331a25a22a74ace780cba3ffb30ed129ce512793cf016fb8553bc20d1e4ec5ea6ac804225baf1a760eee SHA512 923e0b1920814712fedf400bd1d51efe4cbe51f4d6b33b480b674ff4b0f8f549ed48c5a6a855dac976c984b46baa3f1cdfc34e3d2a18a9d5509487173c427e2d
+AUX 5.10.4/hardened-patches/0071-add-writable-function-pointer-detection.patch 2688 BLAKE2B 2e588d88277319b60639204f292d20c2dbfcb1704f7693d81cba4462e4eb786c80c26f0999816115a76aa2b7d42bc4958a4b142f2325272b0a79beeb8da4bd9f SHA512 2905fe42602282a5c5028fd2b197a64dcd2376e3b234cf22c3288e3d3cb9ad4cc0bbd7057e8e4c94af67c68e81b3a1274756e8d6a05e98c0668034b2f83f8e93
+AUX 5.10.4/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B c499534c103d5b75b1cda3195088c255d3f65da99e7a693511a0483ddedf6e71c47ef03e4433cfcb01dec2f4e501ae79de561cc4e9174f85cc2c9b838b9ff520 SHA512 33e415cda0b82930ba1fce94f1e54186dc5eef925935951e329a080522a6c2cadfecd50da9b6e130c3edf146773fb7a9b41f71d2bd413699692e8e95e6d872a5
+AUX 5.10.4/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B 882c5bda7218776a89100ebdcbc01b8785c5621df25a43f8d8ed6b92286f93f4fbac3a88a654d98558482fdbd0fe05edb7c36124438a6567fbdc9fa053cf41bb SHA512 ffc74ef8c0f2c7f85edfe333de775213b863d0ac5b6eb06b2f4cd11db1e1aeeb6e01285f7f2d2dc606eabe6af40e465ca8756d076063d61ef945d377fd65bc90
+AUX 5.10.4/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B 152a48d974f5d0e5d75148e14d67ac492095ea522c1aaa32b038e01ccaf7f7cbc9df94938c06a680defb0daf45592ed4af569aad48e1f431d9b444df35285c38 SHA512 bf5a52ddd04aaf5d8ef7ba66bc56572b3b39e7cd857537768edfe906923680cabc7feb6417ceb8d977fe68e368ac654ad17be1da482a9c58eabc9349c4085618
+AUX 5.10.4/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B d84312482d4cb6b7202245b0e1966b5366b9e5ab1cc06d704816ad4f31c4d39bf9ea572a5647c18db6285cdbc922f0d582759948c48bb4c92e130ae727798869 SHA512 b73f2da66d966d51dff3c992e0e86a83702915c803114e655464bff5adb39fe2368a36f8ff1aaf0be50aedb2e855dd4539a54ce8d3ef02b755bc2f564405a896
+AUX 5.10.4/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B a608bad4406b077c58111600ae361fc4c68d65f5229ca99a8ebd493051442c6e9171daf791a94a3a55818e69cd86ca65e913573022dc5f5b4cbc4729a5ef57ad SHA512 2dec362b1f82e5b91561440a32bbcb2c3379d704aa84db49b86ec911ce37dd968b5aa5a1d3d9daba5616e556725aca50d0bcf175c24ca108789c07eedf2589db
+AUX 5.10.4/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B d7d7ae5d5b0f85e97821bcd45feca0da3802b8bdd69e94587ee462b416829e4e5d7cec38ff68f1141de62271e764cfab52b06a4c7ccbf132f29391d00b3a1c3f SHA512 9c11db546f3305723be5c0e9d3f6dba6413d121bbb6a1a32f462b3810f2ee0267f9b95ef5a87b38fdeb80f7837c6e36be21d34936b11a489277a563d688c7da0
+AUX 5.10.4/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch 1061 BLAKE2B e99c78adbd1413fd52fbf615d7026841d573a8d7516b14a97f975edf082b4288de993dd8cf84e4a5d585d8d596f7f0c1d8423b2d2e2ce8852a8b9abbf11cbc6c SHA512 7990a52e161007717a1bb8be2665f3e5738f4400ded20fc89faa41dd99e6541b1de79108a6fcc7182245f8991bf3b7d53b8c438ee0d741e7c898cfb8ee8f4581
+AUX 5.10.4/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B cf334fa221a56d4ea783341c53478691f3bb0f6cc093f2f599275258e438c7f16d817703b3759bdfdbe9e40b6a28d122b89e5ad37b3b61d4efbe57db851a01cf SHA512 a039714d0abeeeb1cd3753071d5bf02a633959610852f1eef8642b6c0d4d5bb92ef107cc0ee4a936b8faec5a6aa99aba6aa127bb839aeccd3b09d60f47630670
+AUX 5.10.4/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B 4dd025900be57f48a77241cfc89223a0e7142205a56ea2e9a5ad32e106cc9c9165a99f6e724fd74016c1ef43333d9966c6fce83940b6e9c1b37b82b6438bc47f SHA512 a14a9055ce2cb34c1c3768ac25d424cd00f338120dfeb79924c47f64951865e60a7361aaddadefdf17d1eeb05de9bee7b1505c5e68bcd87a94f5c9338655f07a
+AUX 5.10.4/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B 3101a151071a9496f9db53b189d33a417ea3515e36dbbaa5f2d08d6c015540fc942f113ad2535d033e8fadc48de9632c3ed070fd82a90d7931a3f68f022ae536 SHA512 63ecb622571ed8fdd6fbde807f9b3f040de24e0d445569f2d053cb9043706077cf0bbc45ec7982f229e44e4d5eb4d7b2d394954667cfc6b04e2bcaa8aff7edf0
+AUX 5.10.4/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 3464c98df52e6caac87dfd77d2b96642e41f0bff0d93d57d777c9a2be440d4204b18183fd14460e30fd96b446f48f3598b1778bb5aa81e8cd8cb215d27f28a14 SHA512 3f382d250a35e01c036ffc97aa992584b45b76d6ac9ccfeecc34c992694df6967f334c3730feaf47bef223bf481bb7d8e12fd751805a7402f84ba9bb42b1d83d
+AUX 5.10.4/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B aaf95f51c80d3ebf407e2adb15857634d37348595e7e0418217b7d0ea3fdf160992cc532ce91ffa0ba585db53c790e40296678e49ddf0fa5fcb0b2bb6479ac91 SHA512 094b74f933ee8ae2556000ed9a9c4e0774079d50e7d30d02e7f580233268ac4dec1b9c3de7278c05c2af70ea80ffbb1518c75f3d79ef05febc070981e0c72ef8
+AUX 5.10.4/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B 86a467a10b13333f24efb77ca25efee16cee1c7ac580b4dae31cf2e94cbb2bd9037ad8037382fc604762b0135819a0f607aa128701702d626f96a19407585766 SHA512 8c1eeadc671f1f2f0e5758c915c01a159dfa3efa15f6d7a5f44391486aba439e0c42a10b490e6d63faa88cc660c5d6a112d60e1d1fb794a8ab5372486bff305e
+AUX 5.10.4/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B 2b168d61731913bf9c521b06c700687ee20d9be5569cb2d8adddb316ee940a6c9c6a2d72fab9fa363f5da8945ef746a8f84112adc467ff4231a54fb52b0c2280 SHA512 1868e84ebe1f4faee58713ae17a29b53b9c3da40f41ab83297e5b65eebad9b382ba9af3649b022d3b941ac9f6b918de99111a930ec50a121b48c2aa4752602e7
+AUX 5.10.4/hardened-patches/0086-restrict-device-timing-side-channels.patch 5426 BLAKE2B ae4ed92f24edce8a659eeccc56464b86e3600ee40b8012755e4f018f25e8b8095053e24e1e8fb77f30ba3a07b74f2daf4558736065212c2b07fa2295d2a24113 SHA512 2217ed203b653afe3442cd18eab969adbf3b9c024d23855d66543c43a9c30838feead19abfed4032ebbfeaed19a236ae7ee8a757c66d9b6307d980fd1c0e8ea8
+AUX 5.10.4/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B d84cbe65faa191aedf9886685bb0dd0930d3eecd1d623ed43b9b9744727532775ef621baf2383f5b84d238952c3ed716a79d3145e24baff8c35b16744fbbb39e SHA512 1d3d3e2d4fe2eabd0d102caf94a858be6a637bda72fb68d1c260024bb0f60742935bfa9fb98e731e1f3f79de37d2dd776cbe26a1ad032b28fcaaa33ed20d25ce
+AUX 5.10.4/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch 2474 BLAKE2B dcb2dbb5ba00935d1f2f60441710001ec59976fa9973f4e871e8c2d52fc30043e9010d0451a3904f4062cd345f9c205c87f3761d071bf76d4c80676eeafd70eb SHA512 047f7a5da8a199d5f4fa6f6cef8a08bcea82f90b4424bbf2a1c6728eed07834e0580ea4be83546ac5b16127de47ffdf6fab2d2db37b99b681ef3c1832625de79
+AUX 5.10.4/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch 5440 BLAKE2B d312fcef76a8d0eb8e38d498035f1fba4915d2fc2418590e662575e177b32ba8071a8432feef78d86818539f6aa23b7a90ab4714b3f0795619ff993ae7a34810 SHA512 0287e52b981f9635f9df1d41955ab03552e5d365de72beaa53bf17d88b0fcec6fdcc69646048b48ca09562a6a2b536bab8f4d5275f1ed8a99682ad26e7773630
+AUX 5.10.4/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch 5154 BLAKE2B ee258ed465814501bdeae8d0062b715176db585b83ea45e7e9b4d6e4ec0e89b589015c914d41a9c9a1fc99baf86d8aecf53b1dcdb4d79411a1c08a8672860977 SHA512 4606e8f3a9481aea1b0688f08930d553a1fd2f2a9cf0b1a62115d27a23b4bed250ed2b7c0633606ee38dbe3f9177254f44d45345da4cb2371f41ae3135ef2767
+AUX 5.10.4/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B a3ab1ec4769be5b5ad4d8b888676462959dadb9c42b2a343ba99b1a019ef9c2057aa98bc612caa1ec2cdb16bf321f5cb918d2b50f423ab7e9d694003ebf3ee83 SHA512 6035ec6f670c21c6ae14d5ec2355a225cae6157a8548768145fc40de96c93b23ffe27fde3a9ed427a43fa95d316012e17aed3ebcf69110d0802a3f4f2804db2c
+AUX 5.10.4/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6822 BLAKE2B d84ee66974ba4003e35004cce335a7ffe62d6fabe4a61382a17c1d6d5c224a1f0dfc3299be0e21f1a1ab4b37df25c3c17a5253c7ea75177561cbe72d49ae41c6 SHA512 47781be325d1b2370774c8e1a8f84b82f06ac125538fe9541800fcb22a3606c459308883873960b9fe2a51b3a640abb1d52c0ee56a9078285a74592912b41d2b
+AUX 5.10.4/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B 200b9c1fcf1d4548d1cb032c83e7bd8eadbbd9e8209b74576bca4f1c073cbb4a6094b12bdfbba1844cc5960212416faaeb7d8887b2576aaa3d18544f45824446 SHA512 627163e2c151492a2ab594e5d09644f346dff4bae0bd7eb9fd1e18cb2f487839eac7355edd63fbf4ce4005330ca3533850810e460aa75bbdc969b812000b6a03
+AUX 5.10.4/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B f3e52a79bdc36b2c7e0b6c9cd79bc8ece32060c38e8e8131561722b3522c2a22fdf2fd33c3729e2e55877953df63ec986cbe86b10d08d19df102bad51c3d1b5d SHA512 a665e944529aebf083928a2122c33f8b24afdcc2447618f69d6cc26ad5ebfe4722d1992d7620f1b6977c9a0a09586cec4bd2c28e625ff59dabd1ddfec316b50b
+AUX 5.10.4/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B 4632ae5e3c23e78c404ed991aa0f7017837917a24ff9f26c79d8657e311e2d0b9a34776c58f5107fd651bb4e221e59294f0df6788ee9cb9c5ebab594f32ee2c4 SHA512 26a9eee96fe880b1f609c98db96caf20d483d78c1cc9afdce1f29c9ade8dfabd35fd9717651092d3f50506da7b2c5f2443ce07525bc97766ece86b33106597f0
+AUX 5.10.4/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 87140be03161b46b5e38279f000dfcdfee61eff5ad09f576062d992a5b0d76849d3e7a2e6618810053b7313c9872b320d5dd32541caf46461581bab3bd7c98c9 SHA512 2cbd137e73cc0c363779f19568d4a4f0ff7c28c64b07519d73c030ebad8097c77198ed168d8f14c6d21b5ce3377fd8e53094549c084a5f93953c607d38b04db4
+AUX 5.10.4/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B e7dbe06258fb3414c3b85d1849d05a787a8bcc6684978a9b20c97437ba05a21bdf6f5c3e15a3041ab830be41d6f68907113218add5b04b6701385cde7ea46c73 SHA512 6ddd3d9fddb56c1f319ef8745d204eca0ab8b108883b9beb7f7debdb31355491acb2e86307cf77fa59e4f7d518c83ea1d2ee722294bb8bab3cef2095c142d5dd
+AUX 5.10.4/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B c01e081195fe0bc5115c1edfd3ff7a0a7aab6df27531adf3a7923b15ecdff2d5fef5010f618476045156954044d179869d3d81278bd2a9bca4ef0a69e7e5df5e SHA512 131842001b833177148851ec5143b94c52764155e6e380fb3f75d31fe0dafab8b920f2235a73f30b0a078b5af046cfe373d215c65be20f10efb1cd7d59914559
+AUX 5.10.4/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch 3878 BLAKE2B 96bb6d95eb13075516d33386d9bdac49aaf21e34fcc6c9cf4ffceecad4717fd0a3834829d8d8adf061a6f062bdbc3754c21508666dc4ec7e97dc88940a93257f SHA512 430eaa00d7f61a12328d1e23233f70f9693bde2e9d5c8e83f261cb3a926ea0e4f7dc878965192218164cf98b8ae80099faa663e0b4d49f830501f5957f1c05b9
+AUX 5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B 56ba8e52a7a9c015f09832d3fbc52e490e793000539e0a6a1c503a1bddef3ff4800b3c9a73eb6b2ad17b193dd04a26804280fe4080a6fb7d05b0a2e0fb422929 SHA512 3b71ef5d8bc943dad14ae0852e2c913ee102db95b9409dea95549f770e538e87f7e138524cb083a40917a00f56083e71e36b784b4ed1f15e5d02499c430e06d3
+AUX 5.10.4/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B b9c262b7d9c018e12a9afedfb8cfde295c222368ca637494209596386d8523497abe94c7ecb2187f0a9e53223227001d7af9448db272a90ece16703e31e43554 SHA512 3eae3de142983144530202289c297388f2c1801a448763479c746504aef7050e385ac9be04325d992478418477b19c852fb703f00ddeb34398bff46c1f94effd
+AUX 5.10.4/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B 969d8784943a79633149a1360972a704fd1f9340ce854deaf003f86da65866642cc021592cb5038661e0bd1ba82168816abce6a0fd7518257d6c020b989ae791 SHA512 7d936df72061d500caf90df4e1c6746cc1afca8fd32613c1c7a9567cca35b97041e2e2b74793364b79edae5a1fa0ae21803459be168cbd44bec88baee9b43778
+AUX 5.10.4/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B 7db2b63d4528dcdb27e8c05e1905cc5145d0988681a7dba35d5094ea50affba31aea0d49ceb3b40c856833a2f28d44c95176af69ffcf2dc3ab8192810af0bae8 SHA512 2ab5d2af366882197d016c90baf931a43766dcf40f6268b8bd6c9b917c2283e4b2c66b6c7cfa4dae058b3ba54c396dfe3d69ba3d89dd39fdcac9ba2bb4359e9f
+AUX 5.10.4/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B 6cf36130c0a28ce17f1fe5b154a7f491079e7afffaeec0f74aada87a4ccb543f986d0b77820fe41d55a5cc98984bafd705278fc9887e50f26fc2a9c06d80113e SHA512 ef6428814a55b2447ba4528fc53b20d44aa683c8a8183045d54d34753704ca962f12e80f4aa9411cc785d07b88e65418743cc2c1c3118719c4d33a771afb92e0
+AUX 5.10.4/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B 4e0daa0bd68f7ba177716feccdff5b536767b6290f9117c75470a1efa535e9ec8f752f3b2c9e7b0953c3d788b1bfc5bd8f390752ef41d0a26cbc2a54e57d5758 SHA512 656ca6b23bd5f796287dcef2debeeb38a544f67ffcb74c1cd41b5a3f4a0f1679a255d5c17172dbf269cd2b3b2405455464fe7f2bc5b162ddf8b5cbce9b5f040a
+AUX 5.10.4/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B e5cd7810e4101cf68fbbd52c8181de0bc89051d96777bb607591125a3077f4da06c950a9577844ce894decb01710ffb88484dae53b3c7acfe8c6d102cf5dddc0 SHA512 e5f3726021d40f5a16111480ef188dc4e5e194c8942592500f4a25c59aa8cd702d20a188c3a536fd74b023a4a073485f90b603bc07842a10363ed8d26b22bac3
+AUX 5.10.4/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch 705 BLAKE2B 01610a359f775517868449f875c721c37909668c92998cd46427a96cc7d63de261156ef0633abf291c02436661f2aca4e97da53a957dee6bcf17ca7f60481884 SHA512 c7109ce8e3413594e2daac67d4cd8022e907526d74d12fb1c8603ae43daab66c2ebe5eba75d01ea25c9f25b41ba1c781305b3ec634a2f82dfaf37b13389b13dd
+AUX 5.10.4/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch 835 BLAKE2B 1e67318a183e4bdc4b45a9d240d0902745e5338f7fa417322fac2e4bd59886997e3dc1e43ab00b0c2ce0e81764368f97e20864cde35eaedc4ed2818e78dff928 SHA512 3f6318ba069c603d29b44546767929f8e5fd2bf93c878e444cb7be67ccf7f05dcac8e8810059c8f5060aefb7efb724fa64e2fc5a7a38c162821cbf1dc0887202
+AUX 5.10.4/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch 679 BLAKE2B 16179e88bc1144389d307e145a447512d2d4bc53812f0b9f66e0a5610ac989fef95f5c1b97fe11b64d0cf0085300d30cff10c6bc7dcc688ae99637322aa754c8 SHA512 057a87657ac98df3a66a82d18e586235fd82e15c5e21795c6674c38aef093b9375bade8dd999e70ab129014ca92f3a74a1605b24240d5f4e45cbafdb4ecd5032
+AUX 5.10.4/hardened-patches/0110-disable-UID16-by-default.patch 605 BLAKE2B ce451cfe6b5f950083a4df2bbe6d90c89f70bd8d8f76d865ac41c7ca591e8ab36abb36db7ef2a5118057e8c695f013e516a960d604a7d38c7b561e437889a1de SHA512 be370bf3fdee2228b7fbb9f7e280a16fc5f7331a019641b050e826ec4ca25ab5dcd975a760ce15fd949e4954a577f4aa29138aeeee4cbdb92f2c6c539d19aa37
+AUX 5.10.4/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 24f0171723cf69fe26f9fc459ea966eba0ceead5b632a6d49c152e5fae0823105f928dc81b6b23a8aa93b37b55a311dd8b8565a6fecb1df46a04c85e51605a30 SHA512 f67c389be17a25365996fc43217e2365a88d2b932a1777bc2e5412fd52a54136f03fe2e345728d37c7904cf8813cd7c4b2769c33820145a65fe15058f8981837
+AUX 5.10.4/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B bc5fed1ad1ea55f541042ecd14120d1480c1820a26f4279e5cfdf31dd67f107ca6c2c31b6fe1318242769c566d125148eb198d88b5b34476003fb83541909e98 SHA512 b03381575b0245339dfaca79caebc524988c43c512859f47eb7aa46bf38c4ae33d554267ec81b8bb6b86235561ec0521278c92f3c5d1dc6b30b59c39af06ecda
+AUX 5.10.7/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2293 BLAKE2B c2bde13ef40e7066340afefe55454dc933ac3b65dda4dcf81d9958ba84d9531143e58c4d35151d912bfe21a43aaed35fd99571a769ca8e823fc0d99797a96f4b SHA512 3ed100909f9aed72836a3c712e45e0116cd3c4331961a76a27b867a7098d0df9458387b656c9ea01385c3c37585436e48168ac35666b0e46dca7da05e5e38a61
+AUX 5.10.7/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 810 BLAKE2B bb749b365f37988253206ddff130651e1042af49a6c773ba6f93642d5927af9a9926eab278979e048c13d2ca683e726a5d0cd509de9e6177d59c85197051e230 SHA512 c97a3799a2d5e4da9c9dfe129756da629fba8183479b02ca82f9b6d9993f17a165a96bd35ac50eb25fb293785b9b529a95165b1a2eb79c05134bee8ccf22a5d3
+AUX 5.10.7/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1290 BLAKE2B 35f8f2a707da3bdb4df74844f72244dc6cb9fb0d41ac2034af61ce61c96e4bd472fb5bc5c687611356d06f3940e9f6669c80f4261165809592173bf5dac54b61 SHA512 dc47b18749d95a456f8bc47fd6a0618c286b646b38466c3d950dfbeb25adf3fc1a794e95552e4da1abb58e49f0bd841f7222e71c4d04cb0264ca23476ca9caef
+AUX 5.10.7/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 958 BLAKE2B 095d70ef085c6200b3ac69695339b8937e54b49c45acb7a741d0f471f66c1fe1bedf0b7df0951eff6ccd53ade10abcc66d5d2bca994e28a49d3e4296d7332e55 SHA512 4e637935c2f37cc18f347293e3c94b18f90e2caccca726304a95c4891257a5b2bb3093aee7a97571038b29c0c987cc60a9a80aefd0d4c9a063b33d102f03579e
+AUX 5.10.7/gentoo-patches/2920_sign-file-patch-for-libressl.patch 565 BLAKE2B ea33143cebfccbc5fdeab46161ab28c8ed6dbe265b35454659ba87f09705ed80219e9a9e47f7fc3df51292a3a7656c7a6d633e24a37911c35e47d039da530ad5 SHA512 79eaf814d76402a445efc961666a7c7c74207e552b0cb32d93d5cb828da580f7dbe93509dc9f53321c7844663205a8dce4e518ba047e4c57fc55f5c3498088ec
+AUX 5.10.7/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4784 BLAKE2B ccbb902ac828a26a69bda7f7eb7c69770bca7685ed5e58459e473b7a8ac0f396ac9f1aa1ee23a9248de22c5aebbfecf76930420b640cf6307a4d1e73bc9add0a SHA512 bf681566831b583537eda1df1db9c9d1b310cf54a974dcdc437c8da11b65cda423ac86a1a8ae56c84cfc947a6ad363adb25983e51933cf7acb494934c1ad3eb5
+AUX 5.10.7/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch 55494 BLAKE2B 5c56cb45b70a340d6eb65140f3772f3c4a26e30811645d471d0db7a389c813edbfe6f46ed2fb5fa8c96596c9486c1040948d3074b4fc5ebdc8080c4b02b0992b SHA512 e832d44d4a450c45eb7a517d6cd849258985aed08349d18ea21cf4d1eb37dcbac9153f50ca8b910955bfe64169298c631a7ec7857e9235bbce0167d97d69e55b
+AUX 5.10.7/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B e1b4e513a4712b6f06060aaf2677866df1ae1dd4327082fb86a3e9b704f476f353285f871debed8ce106cd0a37e0389c06a295db9d90eda7a00f8f1a22791410 SHA512 42e94db6e59728111f0b1910616b68b45c7ac4c1df3ffc1be330b904f1d1450ca6fc70c7b9c76a8e6d576b923eef81b43ebd19b771afefe9b34e4949e5ed78e8
+AUX 5.10.7/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B 66925f504ed6991f110326c704f60e003b953343acf97f463d497b39636fc6df135ed232d5d5ca2d68b0195886ff118c0f1f3ed6a25f76b3eb68846219cd76f7 SHA512 a078ce39919f23d6a788ed99a103378e584576c221806f74ac9e35935d3118197fe0cef3d5de52ba2636e1701af7aef7d504c4bc581925de9fd5ab829258fbf0
+AUX 5.10.7/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B db84f9708dee4b827fb0fc9bb418cb05460ab6f368b4294c56b482b2b963d3f07fa4b5f4f5d94e4be696707f52871614eec60256a9832cfdfa84392f719468b1 SHA512 aa425e24582d093e8bb138338a92d260838404fcf86ffba62ee387deda0d389fed5d9e551e7d3f3519486cbb63128efc1d697756ea761cc2d7c2bd537d3e7b37
+AUX 5.10.7/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B a9aba3c1d633e998a16c0d923d969cfe8ef6cf7a4fe0747db8d57bace09b71ab50a9df3959ccda4a1e087620f191e63f1e59ee9df78d502803426c356594a16e SHA512 9cdc402654e675d0e64d31b2157e275a3150321583f8df524f229b07ca8b15dbd0aac8c9619e61f7dbe629b44f7e387eb05634d6b4dce62bed339de9fba04b77
+AUX 5.10.7/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B fdb4b2c1fdfb4ee09c30774bf254b5d052e94501ef0ebc2a8fd7f5ac35f9b9e590f7ff310fa646ea3fefc601e70ca05096532b83901b6b455171150d4686fd1d SHA512 2cbd9fac63fd7687e668078e6bc24e050ee3d0055ae0ac47ccf7f9492c0d8fd859602933e318e97fd680d4815770a13a7fe76c8d47ffff6cb99bf75c6131a667
+AUX 5.10.7/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B 43ba9ff05aa4b241b06b580a0bfd71bc43b2c9e85d8f373afea35ad6fde0bc09b4eea943d6838e6145d5d912035814b1e2b64af16d41b251728a0c53aa0069a7 SHA512 28594fd7965c4d9d0dd5852aa62fed451aa3735c7d67070cdcf0c7c46af915a3abc94bd1afbd641d8c529d51288db50a767f948c1973bb21eb88261e5017164c
+AUX 5.10.7/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B c3aa3253f9972f3eec2991d14b1e9a0dc7ec78aa7cd32d6faa267bbd01990fbb41f227582617bba1268732e9d840d0d8c6c3f5c45ac00ee7f89632ee7761899c SHA512 ab6e6868d642c723154132c4918595474bbb4dab2bdb03a523016845f6e6ced7a2511b43218bb2912c97c21f7727fd83516b27f18665516561fc80f6a65865b4
+AUX 5.10.7/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B a511726f8493f116c92db5fc691682ff688fd81c3917b09ad943b689e89083abee04dd03665be707d79900a1c195f92f2d19c4dbb695bcfab70e46294c2f5087 SHA512 6f1ddac7c8ce28172f0a98ee80384b453371c6f7aceee2b4826c60031aef6b7078d403d3b27afe4a3c975995e24929de93786a9704d7785f9bd3137886696282
+AUX 5.10.7/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B 993829fe5b05e85432d1f2702810ac5baec843edc0525c4d9c50898b7eae1423eeaa80681b35cdcb3864ccf76b4d920c563a8ab855b4a87c76dc8bc2b2ecad06 SHA512 0efbb86d7ade8aa566c335f2cf5d5e486b64f37295c9e12ea5032d0b19d8c9f5afb8bcd451228c1571965fa28d48a5587f6fb9e911c6b48b7f907f4c4f2a7aa1
+AUX 5.10.7/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B 326a090050df1dd666110af25be6ceb47e21031ab153997c77ccb2468142ff5a83b0dddb2d11491f2dc7e42e87394b42e89b35f3b450f86ac79ad246b99a0af5 SHA512 3658b9fd8b25530203734f1965179ddaa449049d049313a483b337a13a8da3fb4c432446b466b8206d8521a8f8352219d60ed0fbd7332ba0274e8fd3dbe1fbc9
+AUX 5.10.7/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B 1556384c1751a0ccaba8337080ab517908fb1a83860ac4c763446b3567c1d5fa1fd1adfe66de938aeccb9fbae443cb32cd312868e43834bb1661b1707130f54b SHA512 aa1d0d9670a8458298f9ba9d4f16c9016c89162dab9693e4ffae59d74fd2b3054a5033ac8bb886cce623927152ba716606544b99da64ef677618efa29d8cd620
+AUX 5.10.7/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B 96779664af2a7f0a839f0ecc585f2fdff2854018218d53aab8f1b902fb6575ac312c98ac647cdb3d6a4854a21ab633c38b6d8cbd5e9957071cd246e4c055d1aa SHA512 eaa709dbde2e38f6c64781a737f9b0a86b292adbf3a6ab876b1200e9b417a59ed7dab42ca0655ea9fba738bcfc11ee191439cb5635053c9cd677551e31e92375
+AUX 5.10.7/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B 552ac911b7ea6799e307a3e337898a4906c3351496a0ad9b0664d99a149698a575d8d2f81c3b7ab08771394533ef02e7b519c2ec50d284df6998a79f3f6d3320 SHA512 795a4be59e275160bb47f82cc7d9e3c5aff28169a6fe4fd99a6111aac550a54e3a9a275a04790d0ae92c3bbcc37509f487348f8b147a278fec8befd92ca7b785
+AUX 5.10.7/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B f102e5d717ac2ae3a912ab6f016e5111697476745efd8dc35d1a10ad50f310094a49faae1ecf44fe39320d7e7af7d29512e89aabd6341df4d631e997567d2977 SHA512 354760e2efb9535063fdd72f9dd17de0881962140fed0ddd721e5cc063a657b6ad54529e571b7a953678504654610285df7810cacc68098f87e2a7694eff3371
+AUX 5.10.7/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B d10a95c0a4ae44c9939bffc59bf0f59f32a9e1d9339709dadcbd9d229e6c1fb72ac65ac9d7010343fb2ef58cd5d3cb3c064099e33dd10af28729163e0eb5c4c8 SHA512 b8c3ff09576aacceadd1f964f117a9450ad1ab61d817bf9c8938b595bbcd6ae044e6deb82ee61433272f35d1eb21af9408741605fba68e561e236a9dac27d5bf
+AUX 5.10.7/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B 5506a288c25699a3662bb753037ce82960f63d5179d75ae568a9680f2f8639b4dce07f4e7b3db8db35b66a55702258e265bfc12d35b28b042141fb10061a1cb6 SHA512 b0f6351e40c766b2711f7b530c24692de9bd70dd3ac170e8f50736193c1685417b7f2f925761610100146d47e52c44254dde993e672378796b460b536fa9b11b
+AUX 5.10.7/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B a4ce8c8c1a3f8030f421811142a515808ba6d5020a0bb1a9db2f013f79d8bc2b03b6d5dfba14e15a12b44cb4bd50e7395c8c3f912ddc36444a933015bbe16d55 SHA512 8794edae3ba23402576b7d409f289ad6ab890c6b02814d39cf1aff5e53a47b5a4f3b0082e5e690513016b4a25a5c85c8dc29efe4e9f6568a441f18aff19e2439
+AUX 5.10.7/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B 27eb6a2a5305a3ad4fc8d2bdd80e1d5e4616cdca6f5d335098da0db8e8bd85a1c4abdbbc48c6133f60480b8eec7c3265219a8569f47d34515c0ea2c7ffdb4a77 SHA512 d3b058a93878080320d2b9f1127a98d50ef6e110ca9a48848db74a04e809bd19b1ba4a7946eb246a2fb1d55143e395a1d7690e823ec44c03bc0c0339b537352b
+AUX 5.10.7/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B c81bbd0293eabe9bdba077e6b30f041307a8e8ebde468663cdc92328bf1228e3180ccac9268954a0c54a6425f182fffc6764fed6ba3e95138c926d322d259dc3 SHA512 519a48ff11d02caa2d40e834a138690cee61843d92efd8458a06716b27fadcf228ab155115e4d3caf3bd4cfef55eefc0a5a2644354fa0b36fcf1087d3f0cc215
+AUX 5.10.7/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B cca594f01340ebeac01faf1488a2fbe6682e95892c4ea6677cdbc2d130d2c9d4fe1cd42e6450c5f099cc358cc57f2eef69246e5930400d2ee2b777da89ce10e8 SHA512 783cf4aae6c379805f91b5168d02d396710b9a18109150df19baf16986d042f09eee9c30d68a1998610e7c9fbefda128f855978ccb5a2cbf3b0d5dfe31217989
+AUX 5.10.7/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B a50a2f58a586beaf00f65090895b3332085db034a9f5d14496cc53d2fb5c5a56a95e5e0ba15802d1433f29d6017ed7bdeda92ae8f639fab52f3bcc356ceb68bf SHA512 6830a20122333d27d47956253116c265d385ac5829cec40fb24d7dd4a7c2e3349f85869a9bef310db0872c45528e3851a5013b9aab07b18cb749e974fe7f5cd0
+AUX 5.10.7/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B 0532ef2d0d5d2d3d8f728ad79f11a85ef17545b9151799a7595fa68be990ad02a036af42d44538e16d79a936ac1f79e28657bf63f0ba743ceae569fae733d1fa SHA512 4b283c45c3514f1229f4966dc205db420aa5c947aaf868ecf60f82aada695a527b563659ee742dfc3d10b9bc66356b51ab3d17896428f853b4c77be6ee05e76f
+AUX 5.10.7/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B 31df7e4af8e4f5765cecc2c36cc849aec4d734fb71fa0ad415496b25167c109536cfeae10fc00f1cc83ec06154219f4bb9da470d9ebb4ce1a3cc8ce9d09a5f5a SHA512 6061fb2d239137af9ec57a51e752518c8b8d1f27050e1f4e90e09f0066424496245d343ec55945970a625a357f97c4123b045476cb5a67eedee579999ff6f40f
+AUX 5.10.7/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B fe60635875a9172614c32c7dd18e60633c1fb95b8c4a18930f0913643873e6403e3c6021205e69ccace9f611e47ea34adb64b338271b8c8a644bfbcb7aaec00d SHA512 480696eeebdd6396a1df9991147ca6a53c77c41d0737e70968533fce777858d59aecbc48526a589a0c402b2e8bef0523b331cf4e82c5d59a07780e2b9998293a
+AUX 5.10.7/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B cc7dd285a82f9e601ffd8313d44789f1d15c777d76d85610292f3afd079288c1c1730daaba0b21b3f09c93983c22c7b09823c4b3b5b1fbe80b4ae6bc67ea2e15 SHA512 643febb83fe92dc904257b7807fe788b466c243a89351d0a70037b0d0721a15ad948ad971d6a3da74c062ba95cd34c80d08f1f82f60b0e99ba29c00c5f106357
+AUX 5.10.7/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B 89b2f9b7144d2524af19741e07de1a8ba64034a3ec3442311b84096ae8fa53c11178da5d13677f041742c9b914d7d105e1bb0d95183a7b4ddcde679088de6cfc SHA512 7509f5b8fa1ad9b8033616c09cbfd27cd4d86d57eda1fc47bd623d521df78837c6803b461669c1d1acbfb959c6f475d860934770cbdc29d18e2bb902a3ab4336
+AUX 5.10.7/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B 83e071a98dc8f3c19237557163f28c3b545ab503eb8ac7ed4555538152da38576dae27267da681aee7fe929ef8aca38263b7c036ef55326c8f1cd2f59c4f292d SHA512 03c924fcefd08098668bb14fbb60cbafbbcc41dfa0e4475500bea18b442d4d8b584dd89e9caaf59f0d756ac0412c61b9271e0d1ad8ed777325e81c17979b5160
+AUX 5.10.7/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B 0dd395da3c8f01e788025a143a57bd15d6a58b694052dbb1e3c9f1edc8ad601480944d2ea53df09875b218a2a6aef003a9a42e9a51569e20e33a272020f5cbe7 SHA512 b5d12014dd03519f3965b8cf1ac1fd7e27c984951884240d9fef889258146a160e16364809537ec682de46e7ac8fa53864903c03951c61f379c46c99014f57fa
+AUX 5.10.7/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B 654bd39c2912586cba68bd8efcc98807019649c87ac8f84f578ec5af316d0b099a8693117aa7f80e2a2927ecf28f7ad6f21f2dbefe1dbe3bad286c49f5da7cf9 SHA512 e07b11b6258c3845dd62706840937c34e05f278f75751479fb4fa31a33688fd7afed2ffa51dabd0e344c4ebb667ec845378e32a4d42a140f2b991de66018801a
+AUX 5.10.7/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B b714ba15ac883c0cf6f4d449c80693410d884fab7ff84727b9c45a1a5cea7b483027937ff3810f5525c45829693c464c1c4df016f4e8e8832435c7686dc6bdf5 SHA512 718dcd5db70561bb185d246a776414a41e3712125da2b3a06294674003b83660e0d92ebabdc4400fb497a4d0de7ba24eef8ea21e711986cefa40d89ddf925770
+AUX 5.10.7/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B 324914c748f4d7cdc07c3805b59ee5406ca7067e12dd8dff1c054af9d2eeaec64bdc3f0fd453384fa4fb68d9443609bed80b7a97dcb771a85ed5dcd30ca6fae0 SHA512 726356a2db0e0a88616a09812adc16ef139bff93a5966b4897a06e23fcab851efc4701553cebceef1672b0141e5b6cf4921de3cdb1ed6a1808b9bd9bca7dded6
+AUX 5.10.7/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B 40cd9a5a83197023fd374a7afb6f54ee4d5b87140d8ad4f14d3daba1275e974235dcf7c765341b752e99c0388716e28840db5100d1a1a0eef5f3259a68afdd1e SHA512 b7224b6ff3fc4e94fa4dcbcffcabfcf215d0793bc30558a317e28dc8360e92585fa518fdc37b767366b02af20d834b38899ced4b7943d3835a87bf95c1c0894c
+AUX 5.10.7/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B 882797f5922a801ceb8e02fd20e6b80ca951025f62885b28183a543d2e8ae92074bc0acf014083fedc3378da75509c62e1819eb5f550fcce0fdb46b971cbe3b5 SHA512 6442aaa49294a945e44ce631651c7456ea7ae8d6a063f2070097038aee95566d7619042dc2fe4b5b8f9e43951fa5d32dee0eaa3d882080efa5cbd9e8ca2ab946
+AUX 5.10.7/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 23740a726cc9388c25ae81b452acfafe0f510c7d58d6c3c0f584cb1b0abfdab42fb983d2d54ac4ba041688beafa2929b60bd02e12dbcb0233f1e2e8aa090ce78 SHA512 d063ec4c7843bfe813905c9042cd4108a93aad087fca251c2f407e341a10d6f2bfa2e1213fc02257a79e7416b60edfdc9c901a4d17bbb15fb8017f486b2c0936
+AUX 5.10.7/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B 8748741cd3642a1a67747a321a65773b1daf60d54adc33fc6b597640a57deacac11c065cf3258bd4c511f3ae5efa4bac123d45c7b00e550d0adfe026f611b697 SHA512 3404ef46aa12b63d60f83b4032072783e034534fc7fd3dec59c23f10b7d27fd59a6a3097cdb511b1df145e249e21f8dd8b6c76fb764bf3b9f2eb95ef349f5ef3
+AUX 5.10.7/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B e1e2ffc6612414c255f61f4cc0f2516fc66a74cc8c9d54b7f2b31091e9b57c86590132b91b9fe1ba7d4c3319556a279f7cb6bb58599f1636e9e114494721649a SHA512 eb1a6895d384d82b18227868bc419e7a2b0310bb22d27f0fb1c22182ce0f5ab373da67b2084fa1984b16944e66fd9ff7a4c2195888f81a14fdfbbd972ef26ad5
+AUX 5.10.7/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B 47424562b96c8fbad005a356142ac6528f0bb131d6cc6bc7f58e7abde6d57f77e22c70d67fe91d9b910362e242beb2295b19a3a7e902b435b7c9de6eed70d007 SHA512 96867e4e97e77b45388fe9e210d0daa7350d8152af7bbdab9d777b8854cb40651c8509b123bd57dd98c741394cda66c12bc3b781ec052ab795f78ff1f6fc8278
+AUX 5.10.7/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B 27a03d0daa9a1b8fb2b1ca58fbb8b948d7f2ef76157561da54cfbfc3af8aa45aa583f82f7d1f568995c564f3185144774c97242c54fe55ed4a75b94986c50fed SHA512 6f7fd32696a46848626f4f323171210defe7a8ed57ffcc3d7efbc9998da63ee448b31a1cf1a5c5e809db473786d65686f680d3f7aa096ceb41a3a9de85c15f72
+AUX 5.10.7/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 4590e5100a3c3dc484cbd04f8d6d897242e35a6a2a8668b8a551da1e6fd6b3f05396e6b9097f066fed98d307ffacef80a9f0cbd19c581a211fcd17ee23756f2f SHA512 4b7b16dcb1231c80e17b2b5201c086fdf8a3ae8c30295635dc1b9f5a82bbda85da32e919eccbaf1b3e6e8d272c2448a07964d5ef26fe24759714d9640eb1cc1f
+AUX 5.10.7/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch 697 BLAKE2B 4a22564a3ccfac1eb3201677a8c574379f096e12a0d968953c5e548b8b7273f09bb16e5650ce60164e48ede8f35e11fc16a8c85295f5cc3f9a69474b4ce03731 SHA512 b46d2725e839bdaec632e7656915b47581851011b76770ecae1d88cc919339febe3f16fd6d7757c2654774751e08e1774578a64489c11132bb9c6deb00b52b0d
+AUX 5.10.7/hardened-patches/0041-make-sysctl-constants-read-only.patch 3971 BLAKE2B b6da58ecaadb8353342eb51df969e49a67a9406d1cd1186281563e2a709f3b61c4489d00df66adf782f9c80a457b2d01b0e69f40b524fbf0eae43cbe3cb9b28f SHA512 71ea6148886f52c73dffca0491ec69c8edc3ef843ce5f07bebbde1392b0493fe406d6219ed02a5d0983b3cf795a2e37a78bc157d2943171e5bb77f702f302b45
+AUX 5.10.7/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 2308ddcccf6ed8759795fe6f95466456051aadfa48425bae4a8b0d8f13d100d7968a6002a047f177387e0ed7e5b73a748b7bdd85ad5550be2720e49c802fa77c SHA512 6301f2e1f5f04e45621f2592d6917103da025fc51e06078f262f27f17a5a3c18e30c77d605914ab36bbc703f88b648b9d54ee87ab094dd65ea6e0726e177fbc6
+AUX 5.10.7/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B 30dd44f26ab0d185dfcad45fe64b2c670bdb79c20ef9d69d2d762b81827efb34f4b05a2ff937d1b68c52558f2db0b2dff6e74ebdf9f5598d33041ff0d031a126 SHA512 fa1f836dbf1b8e0845530e10d4768e2de0bbc53fe782bdb2c5fbd6bc057e0eb7a0ebf3e8c6ba85e7110c29af22b2d715266e3ec0ad50319b256c76186fe47ef0
+AUX 5.10.7/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B 3b30d7296f69b4c0736b7fb2e17329881f76f54dd37db743aa341d3c13711adbda8e8b64982fcca7bae6a271b70074c83878d9148fa6d2c95c6793572492d543 SHA512 d7a4be3e0b64ca6c8c9e60b87acfa729a263cb651336d697db883c18fe8f61264fdd71fbfc7fbcbc9b66cec6ea155607e80bd7d69319b9c28b23f7d3f4c7cc1f
+AUX 5.10.7/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B 7feedfabf1e50efc8676b6a11af280ee2344d789734e564e47dab302ee3cc3c84a618f843149ef470b8dcb9823a83adca1277b8bdabad2e31d03914814e41d8a SHA512 fb848ca9b60af2d11deaa0dcdc2fd556524eb46f353ab6222e4ebeea126277ee3bfdffd80cc3f46efac1a047458ca19be5cb47a6fa80b14fd48f9d204d1045c8
+AUX 5.10.7/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B 2313a766299ee9be01174e1e295d79a37174ad3542e08390d2c5ad3a85a5f09f7d7e62d1b559abed276068cc469577992a8456239811060e8a21b87b17fbccee SHA512 0d14f8d7e5caac84a15e85d4d522f9c70071a08d84aaccd960b45dd5bc46c83f7eee50d45312d04218a2f7e9b3fba3ee09c6457e6761560e544c9477dce8972c
+AUX 5.10.7/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B 144b2dc8d93199271666c706af2702c8f496410cf100956bd33faac6b316956f02e641f22e1668e7e4ef789bf4357597841fd3f7fa6b90a8e01aa192fd282a31 SHA512 42977c069a52fb578ec37fae771cbe89cc0042748b7bdd562619628f2b019d84525bd7142ccf83705bb6acdf4bb6ed877865175b2fd284f66c324634e7195f66
+AUX 5.10.7/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B a861266a800d80cef08a76aa6a72d9a473d1a9ad0214e4f989887e93359cbbab64c59ad83fda4f6b805b8964d8b38868f7ae9b826b01d3fe65663abcf5f21a0e SHA512 ac54765b8eb90a4b1938b1a71fb4aa62be8d4c0e822e2a0466e583f44ae6aa50afb3dfc2c512bec9052df897493b984315ead8e66d6373f21dea532327e03253
+AUX 5.10.7/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch 7357 BLAKE2B e9245324b94922f4bff229e281e2f515e1d6f7643d65a23e848f29027d18349f5d2f5923c491cebb0e0fc21c41bc183e075748ae17794ed2fc5297dc7f8ec9fc SHA512 c439356a62bd72cc36290e3afd278d08859c80f4d4ef6d478b3a22390ff8a044e391d7bcaf08dc41f4cea1fb4aef19bc175e38b51b0afbb0e1d1c66e4dbd3b3d
+AUX 5.10.7/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B 0f1518d0ffd8aee98b9de7569cfa05d3d777a1a287d00c3e9d0c3cdce35878db06cdc646c865c27008a3f53f8558e8f032fb327aa27efbd2f8d4009e260d2ec3 SHA512 988cc9d9f12d9a5802a288d89c3b258ee628836776950a004f078c12e3cc6aae843ac6e9ba77e38444ffed0fd786accc325f5ce32bf59a44a05d0a064d604436
+AUX 5.10.7/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B 164094afd9253d56b61a2a61ab5a00e7293ac32c96581ccf6910b92fb9b3c4fa9ddb8a3fe6031fc1cf775700bd02be430489b4a0d6b9db4ddcda556af7b79a91 SHA512 25aa7e873ab1859e501aea06df160ed31f911ac313473eb6f4d02ce38f293239df4dab5ada9cc05e456bc2a3a8fb6106abd90c1a060297251cc0b93a8cda6cf7
+AUX 5.10.7/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B b3287eef12d6525d971fa7f46ac5aae25e5f36fc60eac7bb973486829d2a4a798fe2a06ac2b795b32054b41c6665af540d580bbb137e49d97d1fd8c1e37ef7d2 SHA512 89e55e3cee0a1218fb3f67f4ec0851bd63d3bfc15d3ba74b7747313ada5cac8889b93ec89b6ef7796b1686c98690f85d1cff4a1d95ddb49f1e9c73f781a1ffe1
+AUX 5.10.7/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B 404b3237fa013d8906b41aaea54d1aaf33b9234ab8a512f5ee85899254cdb8080e744156d1db011b4fc7bbb3ef4a9c5ef28515b162d4af9fd26bb276b0582f2e SHA512 3931617a875254ebd07b26f25a8585cf6ee91d320ece77ddc473400553536a856c7a72ef594c4be4d9f601efae92730e015b85cb8de395d6eb84042e5bafbdc7
+AUX 5.10.7/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B 991a4fa118e8823f284a29803ba6bad93c7f5a07b2c7690b111d323abc31527ee4476ad55f72a087aecf1f92c8eac33b123ad195cea1b1b1b9e2036b99116297 SHA512 6e41dcd0524559fb8169ea7a5091e653c3c6dc66fe54684edfe3f7f5bc1dcff8bb041563b6dc4c5bdfc593680ad2fd48cd6bb65f7cce03f5fcc212dc352fdc4b
+AUX 5.10.7/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B 707a8501d223192d281e6c14035e5e8da99fd165077bfcb711eb5ab99bb7968e6d63a7593e7ebf6d2118608da3bb5fc3b81e63da979d8866f129d530a335593f SHA512 d05e8d150ca80a6e70278de8b8eb0a7ae52aab7126d2d56c1e9685b8434acd7835eebcba5d3d51b3efe4a4929c117e132fd07dc16ed93dd10f2a98e281b36399
+AUX 5.10.7/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B a9de137c7de9f1cc6df42b28cec4944b7a4c43297381692e108f5f7e350878e4d669d98693032adaae26e1a2fe2f3f8efe7263786c17c2b03b3bb66678ad9334 SHA512 048ccb939edb2ee441eefde259964e87593a0c0dbf29e2b59623f212d07e54c3a6781b720d51221e50bdb97499b5578a8d8db68dd60b485c668a2ff4f5070c25
+AUX 5.10.7/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B ae8db6574d0a85d6361abad58bac0a2c64e3d0e25dad0655340730be55c6561207a4ad9cf5ff171c459a016919183703a6f6458c1645f5b9675d2961ac5005c1 SHA512 0f91f9ac2d3b1177a2cb21ff4a2d3780a9c8f3a18f8cb42f69eb17c797bd86cca017a00464b1fcaf6abff723919f4616d7a2c895ed4c680c39db158ba6034c1f
+AUX 5.10.7/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B a90c0b59641881aa5d7f1f3cd8425202a4eac1b1b4a793ee567a644faee351167a525e1c4bf593b1b68883837c765e9ffd1afafd9cc44df90beeae558e5ebe46 SHA512 c501033b9884a71ced19bbd6db456d1aaa654f249072f8e6ccaf3e63bb43ff52f46ee1e0844f1579a4009aa06d6819d620e47573ddc4e73315230bda2c60fcb0
+AUX 5.10.7/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B ad05f08688cd3b47e32b2eb7ad0c41598caa2633e41af52edaa15182e55fa081233236076ad71fe9495a445f3a76b687756b73b2d0bc201a257e868759bbcd08 SHA512 94625359a422f1049ba06e8e2f100ba7c02888f664d0638bfa20b776f19bc49c64a514bf2b8abd7c6b1bf1e544c2575f661831ea760ea960e5f9943671e1567f
+AUX 5.10.7/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B 1eb03e1fddf3d7089958d7f5d127d4846ba2653909e0115497f397816f00e041648fe3d59dab16e511911a13ba537d49f1cb36b334e654cd28d467b231e8a959 SHA512 f59f9ad33eed079d76cb44ceddf7518ce27977bea410f57efa6365370f74ab3a2603e032fee506121f089f11b77799d8882e02d776abfbef2c6f760ea4689542
+AUX 5.10.7/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B 24b67f4bbea8508df5159b5dcbb5e4387641927ab657805723c2895effe1c9f4cdc7c74108a2bca1bfd3fa262d8766dede45d358716426b08bcdd37e7a983324 SHA512 70f31a8cd10cd9f4d8435eb2d34e09725b6e17ddeadae18cedfc2a6d878c78f1a6ac6cbeffd9ef3ba2b0bdb25d097cf8dedc1bb12095310ef21b2f82cc7e2c5c
+AUX 5.10.7/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B 20579c624654f401a3509b91301066555c6d4cdedbef492f86b115410cb4c89e64e4c1c4936f3aeae9c6debb00b2f5b654d664c21943192c33d9d5dee03e05c9 SHA512 d06a1961b1b10fc766df5cf04da11b851b936298649efff819d624779617585f1f7f79b6e614ee591df8a8d5494cbedeb5414b6b23961c7fb8f0149a607fc8c2
+AUX 5.10.7/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B ffd1f4a8f2cf4766acde5ae9514916e1f14ad4c7356a221d2d1f5ea4b06c9d6be1b96c00bd6a5ba43ab459c2242bb854c51e4cf6786991005966280c8e5959de SHA512 28ede83fbad3795e6fce3aa77fa256a45c242978a791c3fa0190746f428b65757d39480b63ef74fb1ea6056b0acd0ed8da26087130994769814f7039ba854006
+AUX 5.10.7/hardened-patches/0064-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B d97c7ed82f3b7ad63280f4052aaac85250180ae8e38ab0b6e6b71432afb16368cc729d5131fe6c3a145d4a9c9c5a4f23b9f68ea5472413557ba1169e72c5911c SHA512 98867ec61a888e1b2680f10c7af981ae35ff7beb3a6c8cd194d3fa1f053d8cf8c43a3732cc9ec0e4c9fc34a35c8bf4636cc9a5a34069a349873c93c0a8bda475
+AUX 5.10.7/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch 1259 BLAKE2B b79797314207dfd87aee9e5e2879cb4ca9f96736d1427bc90a862fa2dc1dce426a80b99d9846ff4c18f3a75505437addd4ed46efb4b21ad1ce8ee6d9c978abb1 SHA512 50dad2a9b642285632da7e4c037726432de9317f6b4891b5a0087949c185f331663215d40a132f6c1d41308c55ff5d6822fd78471ec403cf6c34a1eabe3f0ed2
+AUX 5.10.7/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch 3591 BLAKE2B 6f8f988e35992d9a8d77ad22cb1f429ad3af54f7ccce91e3f449d81c76dd84daa76036fd6c8aa55e3ed00ae70367d0891bfec293a6333edb9583f14baac4430a SHA512 9d15d78fc56183053f1fd93436abd7426cac1d11d96359c1792a4541155fd5a51d256365735c6434981555b0ca74a4bf8cc07d0dee3fd4231db802c5f34f112a
+AUX 5.10.7/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B 60c587eccfc4d39d01992c75e21f5c5c416800a538071581d92246615ada0c11d82001f04a9555904ccb00ff907f095959c2c5ee418269c269ffb0e6390d9117 SHA512 3cf0bef5e91abbeb8dddde66e59ab931d3dd5286a5e2fd461018bd61bf28dfffb8e54a163282f72a0184db2866057d06e34d70a1b6108933f77b3e8f37eb9a11
+AUX 5.10.7/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B 51dbdae55d5eaeea80b96684e19c00129e90a0c7c223d63f0a0597317061eecccfd925aef62353fa5b81f73b6ef89550a4018b597f67e9e6ebf488ddf4911a67 SHA512 55cc2757a325b345976a18dab67468a46f4f81d13fc2d88211396873e74d99277a8d400b3e398343ce952092920d5614a8448d029a7b052436ff83f707a8ae92
+AUX 5.10.7/hardened-patches/0069-add-page-destructor-sanity-check.patch 2205 BLAKE2B ca000ca75aad29e9d20defd82f129cfcae8bb863ea74db0930b4c29d1f49e21a8c68f49c26eed93d9046e77a9c4a5884df7cb3eb85cf831430ff9e3ba15f011e SHA512 2341bca45b46fb7beece643028bf87c4780b32d956848b1b3dd44d1a5e11583faa5ffeef1bc1723525363bc75087c8fb18bd92463312cf30d9c5915ffb373a4b
+AUX 5.10.7/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B 0b543500ff63ab724867adf0aa779f27589162e46a00cd5a5912b8f8a66cef3f0f473b0b6579a7be759f8162478aaf3823ff7ea5650c5b78852bda878eeab531 SHA512 e2d142de9b8a3a347d604613733bad0420aff4ae7368f20181a89979905bcae4a856857b507ad1b6e61f268f5b63b3be9dbec04eb4ff6fd722831ea36a364366
+AUX 5.10.7/hardened-patches/0071-add-writable-function-pointer-detection.patch 2688 BLAKE2B 3c98c5defa7191a9a845e398637267cc7033683a089d0043eb87bb3ef9bbde3b365b7abe2671f13b4f6896d9bae401b8746c358cf4e31ae48b5c2b0ab1a6670c SHA512 6006509e4f191f983a2bea040f6f7f05dac808f321432a7e468109812592661d5b21cf90be4bfe87dbccb6d2b7d20aa07c0c09a8f1a7f2646ff8a6ff96114b69
+AUX 5.10.7/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B ade5fc8c41bef19ec273378d036307f1c58a8b95788ee1ce57cacd03a0dc495fc4842049aae4e71f86a0df290ea445a075c46482d5bbdb73abf93a54be995d06 SHA512 9e550a92a7c6165bd45eed105951e73c1a6365cc6239fc424bee6b94410d32ec16a08012bbc6cc8adf9c86c0bb62ab5674ffe31cbd72dcc13a571a8c9757d923
+AUX 5.10.7/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B 5f3328901172a5d3bd6d2df58f017798fe6d2a6ef669d6be2e2e5345195404a680f134e7a8fb573545ed7eef850b13ba32b67008b381c1943febd7dd067d8569 SHA512 320d71ce376839990cff363e5a31c80ccbe7993440474ae6f2f53024e4bbe1d2cd7a578aae80f258fe634be1a39f32378cf0ccee60b9869441ed62258896eb49
+AUX 5.10.7/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B 2a12f4c1c5eab6c9798c72a61db0c58a584c256d2e51d19291e4e81ccdbe278e29c8f1d944c4512ab900c898a0a1666161c98901617046a0f286867f9ba1677d SHA512 f74c9efd100f4c97a8a7c86fbcf35553d7b3912328c014dd31bdf2f343f2a11727cf0f1ad02b8dba390fef8ec67514d679c688b4b4d1d5a1445a8269f1f9620e
+AUX 5.10.7/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B c88bda4b7aaac3d3450b083a5136b12fcb7c046000d75210698b1df8fcdd4a2607129e2cfd552822b4dde2df15599d8c2b8484296dfd8c85c5e3a6708b380154 SHA512 25e8136e3746f4ac94eb8808537db7f347cb905e97b349a17da262d1d7d31b813b0c9924a338e4eb1b97b143d66f0e9eaa602fa576b7d1e01f0d433d171501fc
+AUX 5.10.7/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B ea14d074b4772cc6ac30013d15a83f3bc21e0a8b510e55725748ccb64875b42db4c7b065a4f3b13069be82598e8b9f4907eacbabe4303acdd4709637af5fb91b SHA512 b9def960aec4cd954e43c12c41a92ba3a09f4401f510db91998e65fb34a6f0bcf69d3ce506eb6c229fb346232ac4b1dfe9e736c583d25401476c6f37d2c497db
+AUX 5.10.7/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B 2f688ffbb073c166a5bb84aef8b1e6c925db9d047ad23b9df491935526f72844fb45a8a4e99d20955482ac9ed09df1e09003ca50261a25b5169e1f38c3161dd2 SHA512 609a17d92a17bb12a34f658cbaf1f71762843aaf63e100cb35fe7dbd1d9d921deaeda186ad6a4c883141b529c538847a21cbcc6062e670bcf43b5f17c13513ac
+AUX 5.10.7/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch 1061 BLAKE2B 0d521f22322853ed1da0ae83907d5ba2dd57c855d14aa02b469750e23c5c7d3339003d52209f1ca55eab5942285d25f673631c8393d9a39caa8f78122183eb29 SHA512 5ed07a20f0ed83bf12f84008540d469cf694accccf25068d678e9bd94c70677937513b3aaa8208e41bfc31c07fa3c79a28f3cd20da32341e694256ba0f0fda5f
+AUX 5.10.7/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B 3afab85c8e25c93c8cbf7ecc943027e063e87faa13a1f761052f77e62af9e4dd4365ac0eb97b29ac046c462a70cc29036bc77e557ad5086829a62992702bab15 SHA512 732bde0b8dba7962ddfbde1a41aa77b341e7b97b9081b32d96a1af300e928645fe9aaf6a3e76add91c3536c5355b8a0ce0f94cd84ab226aeb130fe09531e4da8
+AUX 5.10.7/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B 9f1b28f6b096dd29d915dd1cee0f9ff19a030d15ccf493dc782646cc0c0bcbd21b26772336bd89476ed43cfb431780cd910bf90ace087ac2b0235c7d4c1a4a43 SHA512 0333fbe0fc8b43a319f9faef096c8c471c59309e6b6d95e39bf124c833c9753bbf8e2807fa4afc3121c21b7f6f4d4870399cb5a7dcc2edc2205bad0b6742b38e
+AUX 5.10.7/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B db0bcff37513e5548e849173b44ca5c769e212cb88dbaf1c447f9b5312d9192c8cd2cb69f93dfa90235a42dbd8f0f83956a89545404fca2a55c6719787a30d0e SHA512 b3ee3ccec1a8e1f0f97d8386b335fa9350d81bb226c141257aaed2000a9fd3180fdf6a1d86b5494cc1bb48c54e5f47227d61fe66388907ab285849c94fc00c35
+AUX 5.10.7/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 365c214b0e78438084d5cd0bcb105ac36f842ed2750998464a7609cb9b4c488f344c8ec7a21dd73484119372033dc4b52268bb23a89800d868419bde95055474 SHA512 24d2ded6e9c1659974dc581a861b27fe724f08e53e5d47519e9b5a876f2918435286c74f44f03cf9a9b64b4775d80c7e4290de7c5589299a4968592fbac5de09
+AUX 5.10.7/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B 8ffd6476999219f28fba4fdf10504048f599400aadb296e0f33fab7889123748d1136e87a2169cbbc2a8dbb38096aedba12aebfd7252008e6d493cfe85e9f287 SHA512 3116cd4e1dc60e43729b8861bcc932ba564a2422aecd13cc41551d15fdb742ffd7edf5cd88ddc33b7f053af64031234b9bd3990f5b5dd49ce08f3350e5038e92
+AUX 5.10.7/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B 4bc9bef5ca97901e1f5463ee78c94cd1842765dc67786997e24ef72986b280d9ac6d356b9ff1ec893991cd2d0d21c8488be815099aa7ceba70ba7642c814cf48 SHA512 07bd47fc4cbc03fe72fe50566b486cb71b59742df4813ce399b29a82a63cfad17408d0ddde4580e48d303f42f9811022f62a456f49d396e458e43885e9a7a28a
+AUX 5.10.7/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B 2adde15ae4af0b24eaa18970a900a0dee5dc34318e624bf78929dcdf2992e2550245ce04143d4052a55c0938c1beb2687c903c06ffa2b566b0f618e5c74dc9dd SHA512 d8cb7b6f1bd3808610ccb3b8ebc90a29df7a033d6de733d1b09cf5adb5e44e7956ef46e8ce2be4dcc809c508ea9179903f52f1ae3a0f2cb3c830d807deab1b59
+AUX 5.10.7/hardened-patches/0086-restrict-device-timing-side-channels.patch 5426 BLAKE2B 3707df506a87fc2a2836a5f91bd35a131d5bdf9587bddabfa5a2af1a90f5440f0f2eacb6952d53d3b4cbc1d48412da806cbdb189e2ee6ad0260ad238bd37d0b0 SHA512 e8adace4c986cf2b1e70d0a46b4d14d5e373f3f54885e0f41750f00ea33a112338b521c79484870f82b85608f87338b9a50f91e4a5dd2f46757b05aded4f914d
+AUX 5.10.7/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B d971a362aafac25098fefd67d8f07418c88576a420140db0e6638168a883f23263e8b7fb6aee0d01a87954237d8fe40f5f93d2f606f61d03bf2eb32049b3c671 SHA512 3b2040b3beed934f9e9f7d753da2635246fea4d76738aa7eec1e1a5208449ac95bc33870726c7efd1482c977b85cb6fca97294598da1f6718344084cc0abbd1c
+AUX 5.10.7/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch 2474 BLAKE2B 5eb4a172f7bcaa5adc2af2f76e12d5392b0a4d052bcdbda88c9827728666eb9463ad67f9e6fc7b6bf4a96d48453eb8797c4b65e97a45ee077766cfa13717e017 SHA512 bba4158c8168c21c09f328d4894150cbc30fd71bf014cc48c671d1b48747ca4bd44e8fb0f0608c814da5d8400e6ac8e71a2f1088b66a41a44409fc4fc556aec0
+AUX 5.10.7/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch 5440 BLAKE2B c453edfd3c708c299381b2e0303a30958a0310b4666101be537b5288c4dc528a997376bb5eda7ddca7cdb4df0d674a3aebb2302e503328bbceebbf178a90b398 SHA512 2a1d4743f94c105995f5bfda32d6f8b68617202d225af2535f1d8313d0930d0aec288b3a3dd6a0ee77e3c818b2375e435bb754b0ccbc746cd338fc6b83fb4b13
+AUX 5.10.7/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch 5154 BLAKE2B 1a00d87d764a4fbc619f1dcd1cc3194de4a7c12bbc9d4998256242f42cbf13173195acfcf13f730d3ac4b41723b2474bcdad30d9c5cba5821cded3e6151dd729 SHA512 c95249b8c6634eae5d9bf58e5cf954b67f9d82efefadeecddc4cfbd481bd7accfc0e026213d631777a7c9429419fba00dfe910fdbf362492e4965d641f611912
+AUX 5.10.7/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B 9b61247736ca28a594a27d4e57356d6c823fd48c743c50e48194c91000685572b640576a45b3d8882d08ca3acae686f4584f0ba76b8f4650a2b7b024e90879b7 SHA512 b9daefb19b447287fbd2045e4033596a5593315f020dcfcfff5d15da45f44d37694eecc33e83a23d418d2488bc54eb657cdcbb83b32e8d5109fe8a038a0fbf83
+AUX 5.10.7/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6822 BLAKE2B 93656864b97422286272ed8ee96cab5c2a4b0b5bc177d82722f9a874525d05cfdd135e47290d35f5d19155097df9510047480cd5f24f7a2a1f610e520cb8404f SHA512 e341881ffd9c001d9cbaf5df58a7e64221ac30b0aadfb4f13046f457f3cdf74ba9e1626859962aa16884984dca2b53c19335157e7bf7e2ed105379278b8e7830
+AUX 5.10.7/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B 6480bd5ff0df964428525cd30fbeee6341251e97049162444968e8f3b4b72b21a3b229e337e373bfa17245c14ab585fb44cb861071b47986c21c7cb65abb0819 SHA512 9cd8e81598f1fa090145b9a7f050b55f2dbbc5c10510dd39db254928b56ff25bf460451c1f0fccd288aa31cff2ecfb0acb4a2a4bba7b73e995f6437bcdcf25a8
+AUX 5.10.7/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B 03fbec4842e2c13669c9dece42824cca1995c2b7830bf3236eb35b94f2fb5379f4cc34ad186064fb643bf0477d58548013f66f1b8d7d7d43bd35811ee473cf0e SHA512 a68b1a092d2a2f804d581f1ae1307458b88bd9b0670495dfe0d46e96b653de5f7973ee880c5b538aedbcc3e2ad029e8883ca63c9b4b8ab33fc21b2e5fb228761
+AUX 5.10.7/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B 95648ee9d379306c6451dcad1289a988179e829008506a64a32578c924d3fe75e6ff1d28cae85dbe51c90af87aab47c6fe3a7093601fea255d9a0209b458a765 SHA512 e0bd4152b027aee6bf0d799bed2eede252236a6e862efea88ee46c724bcf3e5b330bf75d734eee894f8d9c471e27fc8020192a58061d82f62e54fd384c536779
+AUX 5.10.7/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 7d038dc5370635eb978e4ed29b493885ef4fbd7a32b6d8f0b33e99f7a00cdb74c1c6d31450b9312c3a10dbeea20de94445f7b49bcf5f5977d769da84758d163e SHA512 821043f42ae175e98cfe6a8db8f9d634666655a2e58e1255a981bfbf2a2bf49556610c9d78d3c4416083d7be1390f610e3a902ce83f09c411ec4aec2fb3e4599
+AUX 5.10.7/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B dbed2c90d4ca2096811b53a22d0f9fd06bfab9d88e8a4d54898dbf4d8cdf716e9ebdaeb72fc8a39b2246ccf747bc661731f121e6fe438e91215f139bb019d035 SHA512 e3ee73284f8d2b09c0f558184493dc0d377576b73dea90be9890db0ae158081cd4f137022e5209c96ec8ae88be0a459dc94eb8d77fc5768c733b95c16955724e
+AUX 5.10.7/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B a02e45ca687d3c220a5ca140b19214e008fdf0ddb608fb3b267ab95569ef6c8944d616e726fbabe5d00c2f1d4f9e556992b5530c9b8bd84a16ed3eac8e118c03 SHA512 932d2c487aaa442d8cdacf9555ab84fa204889327384086992c922e0e16894d81e7ffdf4551b76700ecf408999838ae29b3fd1ab179be6b0cd12f6a92007dcff
+AUX 5.10.7/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch 3878 BLAKE2B e356c17289ec6bd1a842774fced29a6035d5a4e1c4e44ff5529a60970abcc21e13f3cfd0d60afc4b8417203b1d1c32860024e42ed76f0ce8f2fde6995f757947 SHA512 093fa66ed7e57b396c61f1fb012031baff38cf3a9d436c08867df0cf856acdf133748f7057f8a611a041886f7291cbf9073354286bb606e474e9183e0964e7d5
+AUX 5.10.7/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B 23d81fb5340ca88ecefe84da1e314f87aee25fe55bcace0d5f2c8282186365ce567464890234c255b0f3786dee4818ef27783ed9039b612661ee41c9854d850b SHA512 95f8e811bda6ffa74f469ac46e346d0ce971de6544359427a8a04f31f8fc1de9a39517860bcdc280faf8fd899ab2230faaa74d798b770a16c0a41b0f3947e36c
+AUX 5.10.7/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B 1a3670611f02436e2055f7740ba46dd80f1bfcf32c0a3f4f8bab1241b9dcee4195f6f44ca01850ff2cc42319c3d49c0bf1f3ea0400487fbe9d9928d161983e84 SHA512 82b53ab937efc9cf569d42bc0331e45889fbcfee4463bc98c61eaa6a82fcaee45950e0c014fbc7b347aeecc2696850e5d03e9fcb22642cc47bdfbf0acb94726d
+AUX 5.10.7/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B c05b1e63afbc1215d7474724802101744b7992da676f32e2bc8740bcadcf77f54fc76d8a8a457029e1359b64e52f6dafed2793c35d33937233dfa5ef0c6b19e9 SHA512 2469bf420902343f703dfba31bd11cbfb458a7e113b17fd6e50d47f24556c326a8576aa453e9fbd94f88f46d7d5896ca27bbcf6d57aba277074d0e0a06db4a4b
+AUX 5.10.7/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B fafacf94c3ea08153d3f707a7e3275006aecce9ead187edfa529789bbc19a4ffca1adbcfe6bbef84877620e6d1da94ce82b1e13bc59287ffc9887b0109cd54ef SHA512 91b3a2f9d562e1f5a8536e1154a5c5a62333e1f46c154870f04a8a58eafa608c9a6ae960d7d1c10e730af6dd5e269bfbc2498d0a38155c3adead9cfa729a25ff
+AUX 5.10.7/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B 7954f9586eaabe2dfed6b0a219e5994afe7d3661bd02bab4645fb3f53961c85d1eb8f16aab70188b1de2f2224bddb603c5d9346899a5e64353f63bc20e983e2d SHA512 2ba767ec9c2a3b4652217e2de753ca6f07e3cb23ddf5493a4ccda8eaab955e00b66a3e4e65108d983eca446221b7e57a39165256e96e92994b4c6aeeb1fc7700
+AUX 5.10.7/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B 71087029459f74d4c155a15708c39c31004165ef33477a8ef57a5c1f76339eccbd0a51a3b96caea70e8d61e4c0c83c0c5ced082dbd2086a97f811992094b830b SHA512 0154de4ca2b4ea5c7008c89946c840e6b4d33c8ccbeecf5082027622260eeaef6654de3bc431cff04a23d8a0ceff23462b86d77f582daf54342e5ad37f0223ac
+AUX 5.10.7/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B b9275c3f293357f292371040bcc777ff2e21bf945067975fe4ac6d6bac2eca944fc562755f3eb0dbcd10271a89ce51da7ca9cc8be39ba4b38c46682a4bafc184 SHA512 2acea0aa2f4018bf420b59192f12734d05b5390652d2c76f5a705ebd4babbe188e6187ed6817e5946cffcbc909d5e1d7215bbfe568a62e4679976a2e284ddfb2
+AUX 5.10.7/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch 705 BLAKE2B 42ada56eab3cc064648be4674222d46e42ff5bbf07bdd0a70ca0d756c2b086e08af2902ec23d3b05c88c20cb12edf2d5d6a74d8214f98c221a1bd5924b868a2f SHA512 556a8824c677e7b563ab781791bb4b43f245c47ed6013dd69003af1f247883faab363bdf462418edc15d63c82fb0e04e194859eafe60065361dc9a9136a7fc93
+AUX 5.10.7/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch 835 BLAKE2B 55a10db048af78d9052fec02d81b3b4d54345bb32d09f838e1d6d8e0003b6009d2879aefbb4d3d5c76fb3010967073bf22d33b76636b25255e5660091e722f24 SHA512 5240f45f96ec19bb3b0455165be428d4487396595145c67d695cb0a15f0a98e56f4d583d8a0757d17d757c74d4b60831e69401fcae0d67e01cbe5cba0f51ae2f
+AUX 5.10.7/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch 679 BLAKE2B 9b3e45f21958cd8cca19c1e61674b223445318183436db6675161827061bffd7ddd05d43ce5620f2db4676982b615fea402db6e8da27489d9f3f0520b592dc05 SHA512 01a9881353577991d27e4f9b56d3b8ec7c5b4976ea904210bfd2aa342c2361f8112363d9ac3dc0cb2af202ec9b2107490b6ea86c37b59c477695d25fb43d139f
+AUX 5.10.7/hardened-patches/0110-disable-UID16-by-default.patch 605 BLAKE2B 7c53f204907d0797943a3343ef2ce2b8a77f51261053370513db877567073201b318544de1cff880b0b57fc5065fbc8c2ce88aa01435ac0bee8421fa705d7580 SHA512 dc86dc628d076af2a92d7071200ad70ecabe5229c639e1fd57336fedf3d896f45a229f0884f97372fb74876687de2caafcc50c665b227a273edf9c1d24d50be0
+AUX 5.10.7/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 7f71b94e69a37b6961007ee6746f90d7c87a165df6b87ae926f407fd8d19afef2b3fba942cb1bd03043d7a3729d9c5ed436ee4b7299d1f7a8f35139de7b84383 SHA512 40b825a4c9e7cfba19e22addef20dc7871992c72910712be25424ae6dd8882d84983ab62f5064ec93fb75eb6cf3999b036b09136e8263df5abc99b98984d99a7
+AUX 5.10.7/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B e535c8b71ff2acccaf01d3313b1a8b44268046dafc339966288f22dfae17041175ecce12bfc083a1a606aaf951dad4969d6cfcc56ac1e366111955497e04aa79 SHA512 800edc10d8010d473668fe2e6e5f84a90e7a397a05212ef3b65499a8355bf0d334e98f3e1c3b89ea7a1da7a98c8e89bc86af86057e916161136dbd37fe1bba96
+AUX 5.10.8/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2293 BLAKE2B c2bde13ef40e7066340afefe55454dc933ac3b65dda4dcf81d9958ba84d9531143e58c4d35151d912bfe21a43aaed35fd99571a769ca8e823fc0d99797a96f4b SHA512 3ed100909f9aed72836a3c712e45e0116cd3c4331961a76a27b867a7098d0df9458387b656c9ea01385c3c37585436e48168ac35666b0e46dca7da05e5e38a61
+AUX 5.10.8/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 810 BLAKE2B bb749b365f37988253206ddff130651e1042af49a6c773ba6f93642d5927af9a9926eab278979e048c13d2ca683e726a5d0cd509de9e6177d59c85197051e230 SHA512 c97a3799a2d5e4da9c9dfe129756da629fba8183479b02ca82f9b6d9993f17a165a96bd35ac50eb25fb293785b9b529a95165b1a2eb79c05134bee8ccf22a5d3
+AUX 5.10.8/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1290 BLAKE2B 35f8f2a707da3bdb4df74844f72244dc6cb9fb0d41ac2034af61ce61c96e4bd472fb5bc5c687611356d06f3940e9f6669c80f4261165809592173bf5dac54b61 SHA512 dc47b18749d95a456f8bc47fd6a0618c286b646b38466c3d950dfbeb25adf3fc1a794e95552e4da1abb58e49f0bd841f7222e71c4d04cb0264ca23476ca9caef
+AUX 5.10.8/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 958 BLAKE2B 095d70ef085c6200b3ac69695339b8937e54b49c45acb7a741d0f471f66c1fe1bedf0b7df0951eff6ccd53ade10abcc66d5d2bca994e28a49d3e4296d7332e55 SHA512 4e637935c2f37cc18f347293e3c94b18f90e2caccca726304a95c4891257a5b2bb3093aee7a97571038b29c0c987cc60a9a80aefd0d4c9a063b33d102f03579e
+AUX 5.10.8/gentoo-patches/2920_sign-file-patch-for-libressl.patch 565 BLAKE2B ea33143cebfccbc5fdeab46161ab28c8ed6dbe265b35454659ba87f09705ed80219e9a9e47f7fc3df51292a3a7656c7a6d633e24a37911c35e47d039da530ad5 SHA512 79eaf814d76402a445efc961666a7c7c74207e552b0cb32d93d5cb828da580f7dbe93509dc9f53321c7844663205a8dce4e518ba047e4c57fc55f5c3498088ec
+AUX 5.10.8/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4784 BLAKE2B ccbb902ac828a26a69bda7f7eb7c69770bca7685ed5e58459e473b7a8ac0f396ac9f1aa1ee23a9248de22c5aebbfecf76930420b640cf6307a4d1e73bc9add0a SHA512 bf681566831b583537eda1df1db9c9d1b310cf54a974dcdc437c8da11b65cda423ac86a1a8ae56c84cfc947a6ad363adb25983e51933cf7acb494934c1ad3eb5
+AUX 5.10.8/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch 55494 BLAKE2B 5c56cb45b70a340d6eb65140f3772f3c4a26e30811645d471d0db7a389c813edbfe6f46ed2fb5fa8c96596c9486c1040948d3074b4fc5ebdc8080c4b02b0992b SHA512 e832d44d4a450c45eb7a517d6cd849258985aed08349d18ea21cf4d1eb37dcbac9153f50ca8b910955bfe64169298c631a7ec7857e9235bbce0167d97d69e55b
+AUX 5.10.8/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B 2ba45478cd236af1ea359844a622d48396965e7ce913d1a45d0908ba77732f37a757a7217ce7a9fbcc9e95536966265795042e0382ec326faa911e231dc4dd83 SHA512 ed634d413b8ed6b38687e03ce271016d9a11cf2690f22ec61a783b9b8f69d7b4e7a6a43ac7e0387fc3c44c06a637e185899f9ecb0c351996df20817a22a7afc0
+AUX 5.10.8/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B 3898871e453f550c7f3188d51213dd078b8d438433c8cbd65177ca4daefc620540cc512a0c21c0bb53052c9b8fb5b57fb2ae0fa10a637b954a7e5821a8dc3ce1 SHA512 886766c19de4373bb82b3c766ae393d6f8d186f6ad1f7f7c909a52cb14b3c76b00191b896a1e4ba22c81cfdd4fa126290103c11f182a2ec71464c5294eb818eb
+AUX 5.10.8/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B 31b8924bb0bdd79a10b52f3391255616ef76f2944d4e9de108b80c9162dd48a63f562a64337411c811679681a9e9ee49b9b6b45b280e3ce6a6a1470e212c245f SHA512 76c407144d0c044b86ace064e10de0d78d1b44807c52461e9b54dbd1a5af1d8325bc2e77db0dc297e226699037c3a3c50131c60197cf30db4b27c7770c723cd0
+AUX 5.10.8/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B 73553e4aa73223f070ebbe5398ea2d08d9171b79df2e4143b08678ce39f6bf32aae97fa75d3a0e01c40ce5574b9b1670ddea0ea37c6ffbce8949be6199c05621 SHA512 c71f41a9e8b9cf60018705b0abee55c7236b82504558bcb0fd090caa4849e8364b3790f4b6438e0c1e6be40a96a6bc2177ac4e416b71366068aabd49878f8dc3
+AUX 5.10.8/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B 4a1c3dc67b1ea976eee0a594a5becf0e591413cc5c836b78e06a125cbe3e459acc280f7acd6e7ef8c1ddc179341a830fe79002d8b2fd62b24865b6b5629f22ac SHA512 180106364671e327cfcfca265fd8508167def9628bff079c94311fe3177630f0f6537607e4bfc95a8626fde475d9200606f88dd2b0e9549f4c054d9ce4b55e68
+AUX 5.10.8/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B 7f56a7170f32fdf14e6a6603864ad5ad74a16ef11abb0dcfe2d39b2b38666c9180437f782a510ddd8fc065fe3f7c8d317b625543d350af72f214da1469225299 SHA512 d89487e80db17856c77c0086348a6b157905c734686efbbd9bfb04977aa662e00bf86ce8d10b52ac4a12b2d8bfe26829e5f4e84676fbcb25f27fe00a35baf811
+AUX 5.10.8/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B 1d8ca6f0867088aab5ecbbb7581ccd1062da5ad4ff6b4e86b5012fa2a9abf0ed656ff0ef81da6f8fe07ee73104455536aa9093071a577eff6f90e06efe30871a SHA512 13bd815d8cf6a041bdafea587b987be32704a8f0e1b64bcc106380ca6589639f1907ab40ce15b7301493052db17c4f9c1bf0bd299da022238eac447a16ef321b
+AUX 5.10.8/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B 6f55be70241ceeaa3f87199f937310d09f139bc60ef1c1f441dfc0c617da3afcbb43d19e9b3454e1044b514e326b81b804fdafbede0b99a3041f67bedb67faa3 SHA512 133776f94e4414c90f428e80b971df140f0135acb66a1ff86a02f5785611672d44bca07182fee743888b375a25d4195b295686bbd6095fd5d0fdbce14e7b22a8
+AUX 5.10.8/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B 09f6b10f64e46393781598698fe5d9be7ab28ba95db6a231cab0ea3f037ba5f3d9abdce2640595930e07db9b8aa261f94e38c0547cfb188bfe1eabff07d1a8df SHA512 2b40b7bc95b985a83434905cae0605adde87df19653de540c092129750f01efa8b4f436898f0965d0f5a0e293cffe468a52f55b258297aa5c14897917889add3
+AUX 5.10.8/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B 669f1d5f5c0689fb88efa7e0db1a7d2e7236afaadc917defd5dbc4634ba6e09c167ada7886469cee813ca66ae938d63e3a9a731adb4e63ec0bfa63e3d1af9c5c SHA512 a9fea113d18995f3ef149af3723331c31e7b139908cec42e0e49700c06101e0ce3c22065cd2163c31ec9cd8554249acce869394af4553f700e59663f4b6c7f2e
+AUX 5.10.8/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B 351ad90e4c59afe935481ec984dcfefb487c705e87c30689cd784f97fe65fdb6cd05789e5698a3b5ead15ad10390c4a1a7281988acb24e1e664657f4ab99e617 SHA512 57b716bfb44257ba62071ff4c31c0ed6a34e5cb79f7dfba74957eb13bdb241c17487bcbcd7d1ab8c1002b05d39c09a83eaac780eb8a5994e5843f60bc26051cb
+AUX 5.10.8/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B 9d55a51ab26735c73955a1f77cef7f5aebfd43d465b27ab0d7167a4a06d58fabbe74ade16257fc026b4320cb74d34b9f0856849a975c55c613626e7dff323359 SHA512 2a21abea6cd9e5c4f4b0135836af3f8f337540f53c51cb1315562d0ce78520e15ddb4611ea1eada9d9f7ad512772d47c4fe24a784d39afd485825bdfef7a67f5
+AUX 5.10.8/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B db365c436d9515952acf2df1bf81753895645f94418c572ffe52594641a42a6353ae9e88d26e11084a1a73ad42661994b08dee7c2976eb6517cd223a297d7b38 SHA512 66a1f2ad2147d318d070612c25ae79b3d813e014a35932911f435e6a098963893d7279b71945e80c6a51e7b2dea78036532543474cffac33f9f285306e6ef466
+AUX 5.10.8/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B 256a9621d8964639d928d203682d67375c3436a5822be8ea7de44472161295d06e9829b4e7eb75a9c6e76211805061b3842ac27dfea1cf888b98d13ee2eaea9c SHA512 26a55f5cbe72c5d10445f7c82775c000d95c92faec259e50593077b2766e69a119ee71fd387e9270066b8bf6ec392339d1dbadbc7ea7cd2de6e4faafb8052ded
+AUX 5.10.8/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B 56d9840a2599bde7d15dde1fdd85bbb2ba94bd8375c9dac300430e582f2a2b98427afa37d50877c6b00639b5ee8cd14cf0979fbfc98b485742daa7143c1fd225 SHA512 2dc59cab0edfbb2d4ce8958e90ae260bee41080d2943ea0ca8bdc59a46d21d6470c4463918cebe5548125694157e0fa0a965625e0b918584e4384995ffa7dcf7
+AUX 5.10.8/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B a6fe25202e434c05d03b060be7a7674a3bfcb4ec590bf4442e6385027266b57b55c198728817052725a9ba3c2d584ccbcb8040cb8f106144be7a14b63b13e206 SHA512 8e9d7b2bcc9142c14c0d41b8835a4e157f218e1146453b187a1a2b37eefa6969c737817aeceed8e858dbcfc394e974b5bceed965d0f541f4b854d66d500a7c1b
+AUX 5.10.8/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B cb8f08e9d3268aa2d27e84731ae8f8604f89a70695e3c24d634c1cde7050e6f45560c784289dcbd5a0a30165dc9745f5c6713f67cada01006bd999fa44aaf11a SHA512 098b453025e40ef4a915ab9cf721d61e43bb1732810472b8ef14ed1c1db1ba14b11c7415c1982e3e9f340fdc08909416bbdad2079d8b68fcb6c3908c7f0693a2
+AUX 5.10.8/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B 12a84d46a4232aaa96db9b76dfad31e1915ab1fad064f7bcf46fad1cca48040a7b1a6623f9d0c47f481e53f1834ea4c197307f0b629079ea896b192773ac9fc7 SHA512 e864d2233639d09dd3202eee6a6b1a7ced606b676484f3d8c4ed72f5998612f8ae1bd456c26b9bf61c48a47415375a9bb045195ce163e91e3e9e21c373ac057c
+AUX 5.10.8/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B 7d5eed6d7404dd5a3f32c7e3fad47f0341bd139ae4455e8a6db8e0cf29ac0e1db0508a069c44905b7b68d56270846db3924dd31b6fb82afee5e51d75f223087d SHA512 44fdb54ad6bf970733b765bce60ce9868db780eadf9ba979534ca63853fcdb9936346d7cc5f6c54defa5677b1559ebca2700167c58d60cc638d3ea375d89139f
+AUX 5.10.8/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B cf345b3d6c6f99d259a2bfb9cf02adb873f7626a6b47de1f0a3d63209d333097c01fb19bf535e331485867ea03a8b5a92098f56a70f482ff59d1245e50bf56ff SHA512 495bc7391fff97b9c021d7a30d48ee931000747b1552560314b681ee61d5e90005e7dc4ac53f0dff6540140183782982fa8ab3fde14aa1ce780077dc9f7ee3ff
+AUX 5.10.8/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B 0b072354ddf25118c56997c7523b35174a2e8883b522614d3bba6291574323c08390417fbf464fd5b7580765ebab005a4762cd5daa304964bca0897bd18a24d5 SHA512 ef8252d84ca352c9ab8e6fc7a3f7fa914ceabe22d15d4cfd633250d1d0d4b1c0cf868e65a69f837a84a9c14bb1924d56e107471a238a54795295982b355afa4f
+AUX 5.10.8/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B e4ed36fdbe9b00029fe17d2d91ba2c8747a65dc8e5677a9e0ea58ce1c4d49d8b4b58170a9df4150ce45de5572a43f721f81a9722e20df3b5f53b4fdedb02481d SHA512 f78089400b8542084529fed513c8db3bc06d4356ec3d7d8c06590c43769c4ec49dbdc2747dec190406efcaeec6a461df959492bb8741257264c06e450ecfcac3
+AUX 5.10.8/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B d86f3db6c49c147370842bd0c0f81783d84111df2ddd02ea5b49ae5089dd257c8ed2d4fa62f030894f4d76e6f0268ac87f89ad4fb847ce0410b1d5ab43b35a48 SHA512 00a1faca265013d1a884ef55b595a07a3f79f0bcde51d64acd6efe7da714b467ca67be077887227eb35ea56782fca288adf6828fa44104167e637611e9cbf463
+AUX 5.10.8/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B 3f2b324688729ef53698d086020532071c422c75c46defe04ae3aee0a851e40cd6d8de3d3d40af72a4b32a9659d4fbce41febefa38e08eba59c2f0695ea15e88 SHA512 40a49394aa08cb7f6b7d6cf961fa1f174d182dbd741a4904ea183b4bac9d6eaa7a1a67087a2c52d203d69cfab99b7a3622650dc2cd4c686cedc6daf6da51d7ab
+AUX 5.10.8/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B 8006543994bf14741536e337e236494c84c9c272f3d413b21375d66b09d39ca9377aa6557faa7c94da70b7b87a912f44e06f1786e11fab6128e2d7b2da634def SHA512 c50df13092ba88e5efe83fb1b49b145834a46b264873e54b2d83e434e6f3f2884c0c4430d2e044226ad21e25c137d166b09551fc711cee0f0d18d0f9324b9b86
+AUX 5.10.8/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B 5a8663239d1f60154a729813fd9780ca3d2f60fffa43dd1f9c061c86420218769255df0c7198e917551be9327f184e35c34a0224e92461d89fe3f70709244b14 SHA512 759c6b07ce7f47f8c7b33f9aa1feb6f39cb886c2c41ecb10b8c5bd6a5486b5873608608cf5a5199beb604816546ebac46510a7038fce7c69a01f6a7562c3153e
+AUX 5.10.8/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B a7097d264d8a8f18630e53d6655bbca0946651794c01665cfad4bf27297927c1f05aa6d0260b4300470cd533f86b16370b69ed21e4dd2de90fccedc853fe3283 SHA512 265a38f5de1fc1f0ba9c060cd2d2076f01afec621b9d9e6b21aa5f5b79434367d4d4ccf08ca10aae6eefdce23e4f3844ae753726d77da7b251bf9afd70a178c7
+AUX 5.10.8/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B be0c041e75f7e37bf50a81bf0d6f5430a25fb27327f865c115defcfca9a32d211761969a86e674fe018c22bccde54ac3af1e4637d2f1803c8cd86b8eff3f851c SHA512 a981c9aea463e67f47444cfd4c4702ec494f38f472da238f1a59e9fcd27a623535b9ad251c265cdc91ad8c90d4630b769963f58d2824f8f0db6265bbb955773f
+AUX 5.10.8/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B 3ee15e2139ce3dec12b86f79773e61233e949a71aa7da095af36706956b92711fe138af4c0158ccbe9cd3d6a897357530490c23c8b7bfcf670ae3dd6bacb34af SHA512 c27d9b7c127738010d56114cd5f49ae3f42c23aea1d720ba6f342da60cae5d8882a7906ccb34d8406b4bd2d13f6aa3a82306cf96c4454e4dac346235f59b85bb
+AUX 5.10.8/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B e3646f3772876a66f23b91dbf74282b78e122da0679ab7f7e6f533832756d25d85803f5a8d67100e325a6c1d6b645aadaca954fdf156c8c511ddf48298210666 SHA512 1d87ccf5d9e2584390db657b11ea54a4af5259c8576e7a7bf8e496d194a6e0b40f41cffc869efd543a2eaff9f031298b46fd162c1cf6aff5a4875482d51dcb7e
+AUX 5.10.8/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B ed249fcd42a3c2d720d5804eca0c8bcc8390b8d261e4f467f6828138257863a2fc654a80523957ca9d5c846c77f723949de5567c4ad8f824d929f4c99b36e8b3 SHA512 0e94d56e0fe99c99c993d0dc700dc961f6972f3af9d9ed1a25397818a479d9c9644520e9e22b552dbbe236584075848ed036f72f57a5320947506a5a5419bbbf
+AUX 5.10.8/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B e248e6db90bd6b56253cdf20aee1f857d271a6c1e1b295e1e70560ef8c253c2721313e3d710b98216dd4e79939338c10d5912782d7d3df4866e25fddca161b35 SHA512 32acd0bdc2bb6a139bd94f6bf0191b06553140a08318f4c9bc108b16c7ecda7b11a55aaef04f3492f63c812b49e9bd8a557210324e923b2de387d76cb5582f1d
+AUX 5.10.8/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B 4f502eeb39da14caa2d459384a363cd0abe3a4a1f8c8b8c04910649250908fd002c19bea6af98b3250d5a6f6afacca5457427aa5c5fb1b157f2589448ba81032 SHA512 c8afdaa05a2d43367d10337c605d45fdfe3e328961ef5f81cc25fffca20d751041dfb0289f1dd305ece579e5620b43283e430e43bad7be8b046657b8396b3a1c
+AUX 5.10.8/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 6997b0ecce529b98f26d6cb9a508a1dc40d353fbf29e05ab9919f347d5d24c72b2fb2511a1105f256aca934b89c016f4d12eee1f31d46aad01cc3b61b7214211 SHA512 463e34abbd9da0ee7be1415b7def21e516e89c165ee8febab1f56cf412acb6dc18ed00fded46211a4d6f4076787396e4c30e9a34f522895058a90fb33f0d14ef
+AUX 5.10.8/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B 99837cb959b7acc3c8941de137795276460f9806800971342552828a9e7507c7b67e312d5a6ceff7c378b6580f47ca07d7f470419232d89924d4ddc54ddba687 SHA512 724a9f2de048554f45295d72d3906f509660042c5454b4d07bcd7d4b98be199abc7a90e7afc55ef6850f8de5bc5b731565571112a7ee097069aba12c890b29ee
+AUX 5.10.8/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B 4b6cb1cf7247b5b35869e9e5e4ce679d5618b61848d91d4c6fc8b66be243ac1e4d2a4d787a513c8f5322255b4501071838e50360b59ecb49494e3a5fb9b960b7 SHA512 70f19d708598a317493e4b63ed6213bdf03bd5fad510711edcbd2be8e297048e32de91b5b70f72e29004d4d718fac379eead3d8c4b3fa2f3a17f7fa253e2b69c
+AUX 5.10.8/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B 3c9eb18767db68e60b8b6d14d472bda200c7b86e71423d98f710d26f8891f248477881188c5331052a9b6350bd0d7f843a7318a8b53035ddfa07b763533a3403 SHA512 299f97e7f23e9e7ee341ab1e0d807ed640b46eb43ff87acd2b85d9c60dbc5d66f4d63fee71a580a2fd01760fa586ac2d07e6cdda5f92ff9bfdba92112659041c
+AUX 5.10.8/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B cd513977cfdade6c885a6c3842790c3e54aa86253d590031a9016e0a7568aec1e05290b35d512708176c0c42ce4aeaf31b218c4be3ec28198e67ce6f3b9508a8 SHA512 574bdd9b91c3a118d8b0a2d62c39acbf655a0f2c671d95934c34122d4a22c7d5bfd3c60e034b7c13606c450d6d2ab28f9a22ee2f0adcc64f8afbffbc91fc813a
+AUX 5.10.8/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 6a104105772f7f9765bb5f8d7a9a5d56f75e61fba2eb5f88a979f8bb4cf6b016bb46f16deb114de3dc7382c83c5e907d95da6f4896175a82a09c4a23e852f676 SHA512 e17834aaf2921828e4b08666af42a8ccd0bd57abd1449909f33109397c39bc239fdc98c1255d62f75e260ad5d16da822ebbbb89d89ef3ff13e171f9f296aced6
+AUX 5.10.8/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch 697 BLAKE2B 2a082f543e83700676647f7f7dbfbfdfcd5c5189231ffc57c7d7f769a9695b1d606f3e5a4581dcab94d2378c46a22e46e871719c18402f7d0e7e6f79ae830880 SHA512 1e0ffaad32039177938c4b1bc54a60767068d44eaa601fa04312f942c96927774e114f2e57e114dd3e1537d408cae0aa4e9370bebf43ac8a8e60575b35aaf027
+AUX 5.10.8/hardened-patches/0041-make-sysctl-constants-read-only.patch 3971 BLAKE2B b96ef58366f1168e6e7ee553b4e243a31e9831e782dd79094050941148f0d1da0d6bd6683d96008afdb32f6cf295bef0f0c64c05842e4b1d510383aa372b1151 SHA512 ff4f140616bc26c9c9cbb1249c48d787de4b3b011f81ae3528b09504d55b59551817cef956a33698fde1d5312b0259f6d9e5a704b920ca1c63cc5721f5bce59b
+AUX 5.10.8/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 247476fc4b2dc91badcd7434197e3c43afd922b03306a830aa5e6476157d41159821ea24f4c852b9a7ee78cd9b5e043c9b223c64e3d93a49ae662c42e5aaf07a SHA512 c25cd17bcb116a97600c4562a708a8f4505f17a6e8d0ba17b043c7a4313941a732e3b72114e7d4862fcf9cec2c4fd40aaec953b8d177f87678b6095f4682e735
+AUX 5.10.8/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B 7fcb8aa5a7c31245d14ece91e0a39ac958b3f8f85e06fbf5e1cd23b20fa65d8addd462dc5c3a8a0d7ce4a31e506f6a8442161feb5f0cd83fe83808db7eae6c13 SHA512 90d952f6e1387b1ad970c45f48d2d01547b54c3b9e9a5bd3e80638318e32162d4725635efa477509f3165d8df0c79762666f5fa872968d65eee8198abaa9bcc4
+AUX 5.10.8/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B 41fa520c2f487f52c0b1bf95c0b14e11059b67badfff60014a44981c9622b71243c669f67bf7416af87dadb2c71071d9c7c5713e83bd17eb93b647c9773caf6f SHA512 1ae19716cecea96636219511d10dd0bcc1313205d59ec01c305a24d7999b66fb43828183f10afe9e7166f88c6b902eb0ddc5ba5163b69d24994e5822a2b88d38
+AUX 5.10.8/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B a8b061bc502ce15f7ca0d4e9aa08901d5e5ebcfea4bf207c1713906ffab67372a8a8c8289d83b65bf44cc97eecf036027b06d6defc5cce684155608416f7cef9 SHA512 b05f737d15bac95add37dcc222ccee86b951cd599e845610a46b8e49ba4620c5f8b108ac5192c35a8e606b1270d21ae2a652bba60a47750f8f0f4da181f14c43
+AUX 5.10.8/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B 4ae8d3ad828c79f191cacee51c970bcc12840d7bd23b0899270f057d85154c372130402f295d89f275d5daecebac77e652ff88151c12620f57cf3480bb8271b7 SHA512 55a95740adb06a2016b486f54a4798477a5396803b410ae94892cccfa6b6ddc395a29b2c75d1d88035676615c9117ec6d606215ea5b7332ea88d471e1d0498c3
+AUX 5.10.8/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B 0bacb90c6f916d5593c250c1f1044aabbdce6ef83f75c05c4f2ffc3cb39b51dee90cf902875ed6e06a9829ca5cd367fa72bc67e3a55987f8593461295083b729 SHA512 ede9e6ac4d64b406bfa8f6d82b3ef5240626bf211288a17cde23b6fdf532fb4943c763080b523553ffaebe847166841a13056eb6fbe3fb77e5b1aa70bb7e9a1c
+AUX 5.10.8/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B a0c64006cabaab19c363a046b82c98fe27df0fececf30cdc3ff66b78ba91219f1bde2719a93b17171ddda7eb03f38c6c486d5953ce78d0565c22acd972d94b16 SHA512 a8ddb1d3ba878f0d7deb0def47e95ce6600a7ae4ae48f923bb31c0130f96cedcb840de41b25456b9f4e25ad71af9b8b031004d06b912a800c91ac5252b4cbc69
+AUX 5.10.8/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch 7357 BLAKE2B 05c3a356f4685bc5aa6cbd7a5e389f8a3817e43f591be9a10de3c4e752e17df9492282bf69e333daf2bf6a9f0a4fa61d7e7ec1593edc2de486c9ece6ce9c941d SHA512 53b2d031b906d281139c542540dfdef8165a5cce73f959e4c5617ca2ef0d79586f407c44fcf4ea4c38f2b5caee2ce81676225f14d1182ba40127216515775413
+AUX 5.10.8/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B e22e485ed0f44a245e8f29be4a0ac493193e7b5c11221a51a0d09122de180fc2503ab7cf72d55c457f21467171adc923b3c948496a79fcc066c39e974b20d260 SHA512 b95d9472e6f9b19d682b8f618a8ad07c63dd542b2501935b3494f5b52647f93b98010495a1ef2774cbbf4efa31ca96a563ca64f0407b45166aa28f96d5538ddb
+AUX 5.10.8/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B 543bf2dc4b81478062f0d850c2a49d53f3192843882cb2d9e21d18e7cc70f5baff4f6dfde0d94f4aa5e433fff2d82ce59e4b6b43ffaf832bff23bee92b258595 SHA512 aa11e2683e3bb47c90efc25f465e0bb3b294c7aa63909bc8e57a29a638c89858027ec17e3fdbafe6dddfa82931ce54f592de280570b66c65ca6a30a1848ad4c1
+AUX 5.10.8/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B 5cdea71d2f5e8674a63cca3f2c1a055cf81276740bb36ae6039472147a62c051599f4b3ba9928c3f4c93e28ab50af57adb3c46a5221a7e7c770bec3816718be1 SHA512 50b1a88ae5ad2faf076bf7e9ae9e1a3ee30149acc67189658191dea65471d78d889ebded058865bfdf0a234d982ddd15bca6017fed9c90e32faf1561decd533f
+AUX 5.10.8/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B 5d7a43626331d7f80e49f0bd6aa778223bfab991dc85ccc2e9d23a9e24b5e2203c8e77050aa8e8ac9a960e131c8477a90fbbdcb91efd21f0340a59bf7c62456e SHA512 19a30293dcb76c473c279a9bcf3c8ecc65eb95cd75d3d91f7a64841f5f66fee672a51e8fea90cb1d607ece659925dbab863a9e8c70145958f6d851c0ab869f09
+AUX 5.10.8/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B 23f8f9851b0b372782992fdd0668dcfe7ff35c68ea210f9109927b721431dcf70e9fc2fbfc3668e94594005ac4d6181c50ae851ae2c6aabf4a769b420e077bf7 SHA512 846ebced6bf5ebc111be3315131313889ee819311e23c6a93e601835ff72a15910a2e744fff25b4ae2ff056542413195e3c01799ffa5ab1f32e10bba496aac9b
+AUX 5.10.8/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B bf2e31c33313e8c7688ee7c62793d5d9b4e3369ec00237687a2bc374189d8dfc9bd0eb6b11dc193ffba889afff40c18f24e2ec01ae38502f6bf0a02205ca0428 SHA512 33c13a4e52b27dc94acd3fc5185024e87d8c5bf8f1b68cff7851957e721de7c29832c9a53162ab2c59e47d9ee324ea525244e62c88edfbfc28032a904e4e246b
+AUX 5.10.8/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B e29bb708e1ee9154de75a18d97dac88538dd5bd757325a67e1f3fb52d4350cb674bf59471c3c519977f3ac8e0d35dd4086a492261dd4aeadd1d8b51026601758 SHA512 a20b055ecd19b2681f61dda16bd5f59e2d9c2977d100c360a1daa0be25b6fd457792172f1bbd1e0a230435f1b0428ad7579b3e1f817222aad2d1f3b79bcb6c20
+AUX 5.10.8/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B 56a63813c76c05f3d027bcf85eeb4560e62e9319d8dead1915de160d320394c9bb3301df144b7592b7246864d29f2f38e09e14fa933b43f4d4a837edb5769ad9 SHA512 a81e23cf74d11c178fe5a5fa2d4e255fc608cf7a6486645b67408e586973a283837532f99df4d4970576944142b3638b7a0af543f01f271ba2322453eab2cebe
+AUX 5.10.8/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B ac05a49da064d69aaf5d3569c08e56f46e9e7cd3b6f01043abc4e8e99809d65de306a9e27d5a2a382486ebf46426c41161f3814fd7aba8e66664074d08aaebaa SHA512 a7e00a6d9b4db164b0726ee656cfa45d4a629e0593a84b188369214e3effa57e077b80fa12f736bd134748c6715d54543c14387e7da6020985db12d99bbeff19
+AUX 5.10.8/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B 1d53f1066126beada929241d6cb4ef9bf125ee3ebc76265659b8c65d2689eabfac55a375eebf8ff325f60fa9a4c06ee161ff355f24b86d0ab5374b02be9594ed SHA512 a9d0443144bc89736fa9d28455b4c0521cbf111a5ce5e8961264d7dfe3623c2725bafb0a7548723ca61efa13b3f8b6ca158b23d7b935e6575a672d9e7fc5a6f3
+AUX 5.10.8/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B bf828941104539a70486b3db20ed8a503a0f49ecd15bc273d7a97e3281bff595e6a3977012209ee9ebecb71d5093f8251ad5a95d2e1cea3fe78105c2fa7a7f65 SHA512 07e77ce1b9e1c80c55260d310b1e1b7fb255141883f0b9dafdf7f444a6a4ff4b9f281cbab4bb6e675e5180d59fba75ce7f484d6e46f14549517dd9771ca885d5
+AUX 5.10.8/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B 0e652c1235b631901193469bae3d6f863080bde22a1450ec80942372f86ff9d947e1d8856b28483520717c728469b21494f969d7bc50ed538710b111e9a6ea80 SHA512 b5f724170e1a8dfbd9a859eb62e505cd56022c34eefdf5d4b4f56143c6bcefe4d1df1cb846e2971d5afe8c77a114548d63b5efcdd7f5e8f99a5acbc0483aaf42
+AUX 5.10.8/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B d244946798fa0dfb988763276acc54dd1c64bf7198eb8fcfd4a1014ab95088f0944220c90ccc47a0de2ba691fd71b4a65e9a12f65cda37356825009e3695d98d SHA512 1ba5a4ad1a4c070d86da98824775f07ae5957d32019ae0bec70a13b4a9ca60e4653ef109f23cc6d73aeea91be9a71b7a44ebd79378843a69377d8df00aaec3fc
+AUX 5.10.8/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B 1ecf41e2b07e7ecc76010ab60b157c5a341b374b924c26183979f02a621bcdf275beae28f53b022f41f4c81feccd8b4fe27904bd85b7b78c00a6493fd2f1a725 SHA512 e5e635fb32d51b824ac3b7532ada285296bd65867581281fb496678ba4a62d89fc5b9fa7a5afaa84cc4d2ea623d07440192fe5bd361f8690ac64022c59c69943
+AUX 5.10.8/hardened-patches/0064-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B 4fa664a3c1a3fee3266b58cb8179a54334c3081adae8e21ca0a398186fcb5266374157eddaee66a7c4db5c9a629751bf436890528a8c7360d4669fa7c508c60e SHA512 7cf5aa58b1a99b95cda1daa40ef8fa7a39d4bc1ff6ea46fa3d7a9a3197808d77cb4b022cd0d96bb3f6f67c60c67704b688db55ce5d2a5d7d76e2f385734d15b4
+AUX 5.10.8/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch 1259 BLAKE2B 8ee69d3bc13ce9f095d6dc8595d079602d940500ba838db03e1bbe18a07d3092d108bd47f79a7693e933b1d6d90fbcb4287f817e1d2f55977ac1cdda8af3fede SHA512 70b863cafa7b8c508d1d7738bb13aa9278139ae4cc092d4dc137bd3eef0fa8ac1f91e12afdc3b8ae4fe319df4153eb3248632b325103848bf71b15a50676533b
+AUX 5.10.8/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch 3591 BLAKE2B ea07f11298a6b2ee4f4b78875c19fc67925af2aa142cedccbf1dd3ff11941fb18352d61f7417748c8acfc7686b814fb04aafa255010dd4064754e992cf461061 SHA512 be04148f30ce49110f373b2f45811051913f7eec3a1d87e7ef2f23a997aebcf480e5f4e7d31cdabe64405131d5b118c7abc12f1b3af823cf73baa345b1717d69
+AUX 5.10.8/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B 0c4db6350c986f2f5b730c4d6e56d075688ef9942c2491a98e6227429eddcd1a79fe8c78ce41e9ccafe0e775f61ace206c8bb0f0ee6b8f188037b2cf2d971854 SHA512 60bd28269ae5482463ae557fdb3edb394898a8fc8878abcd3ef8458f4061c910a437198a224a666e683b8aa51df0a4506fbe3fc9aa6945aa54b91b5ec4a1df9a
+AUX 5.10.8/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B 1b71c779031fd1e55b8195202abd4e93725f7fe715a4ddc130dfedbfce917b5107dbe66c40a9fa117926ad9bca82273a290fbc60c0bf6ebab7e2d3bbc2246ec4 SHA512 75fda2211791c7e58c04e836bcee10a654cf6c1035fc19f5b4a6abdb94cab7020df32ab7d6932eaab673dab5648cb532b35e313d2e6ea203f04c047cded8b0b9
+AUX 5.10.8/hardened-patches/0069-add-page-destructor-sanity-check.patch 2205 BLAKE2B 3ee09eaeaecc53b2d2d617ce65300965e33ea11e16cdc41a9010fa3c21f1b5f0c80488b6fd9bf2dae743881f75225d71d572be21550eb534a11d5baa184c6f88 SHA512 76deae2c945d16a937d61be1c8c1f8e3b3c2fd92e4d0e31caee64e9ae92b462b640744897080ce112954e372fffc068c5ebffc57acd3eaa85133b76e051c529d
+AUX 5.10.8/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B a9521f20217144bbd1f9e2f73abfba1b337c14f6a88dfa60862817b4f2c49f8d83d4f6cd9703a5d373b7374ab0b122c02d429ea6c175a473b260f8d6b2a8af1c SHA512 a09363794bb394a061653385c1bed6e802c6ac46b367958b565e3bf513b9fa8fc9d24abccddaaa820a084074563f034c62d294553ed98c885e6bf33dae3e92ff
+AUX 5.10.8/hardened-patches/0071-add-writable-function-pointer-detection.patch 2688 BLAKE2B 94b79365e3aeb150c96f23e73b77550a4758bd502039406a41e6d54c65718c851f788a295dc92b5e0a11826d7c9af39926420fdde0e0d26bd28a0fa98a6dbece SHA512 4f5d02ffcc6caf2969967e8c29ac18ce399e54a37dc73502f075b6f5c533c64a4e7ba2fb4ffccaa1f99fcf2355b5f48888ebf08457338a317e68ca9d9153cfec
+AUX 5.10.8/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B 6ff39a7ce21b9f29594173d0e0bf4f47887c216572c51bb3c81a8a28723bfb2fd3faf646b6bcbe9c174215ac58f6c80bcf5e67dce44adc0094eef1331ef5bb19 SHA512 3e64cb4bfaa03833076bc79bbb06892b294a74a73ceed76a9f03d1828be5f125dddd7369f2adfcfe093f795da8e06d340fa51a56e39939fa1b1b0adea73aac9a
+AUX 5.10.8/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B d0ddf7cb913aba58c2915ff311e6ce79731ba9a0c7fc7901b3834e55e29fa992b78e666a8530212efcd1cd8be2d4d46b979f0cf6f39360609a670743ccf99a8c SHA512 86b18bf0988772461ac1d3dcf069677f4d770d1c09d9d2bb1d048cfa9dcb4856a8b3d9ebc6ee3beb4fe836f12b341d4c66eeddb25feeb936b1d43c6383118226
+AUX 5.10.8/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B 7ba6e4e0d23d46ec5cf2d6e3b6663f8a40bca9c9debf33af1c8058fe05a3e48ed4a1a96c5238dfcda5e52341e99a5e5868b8a4b2edb51644ea787434a1cf8c82 SHA512 410490e407a939dbab86371c8c37afd4bc15bc277e0252b28f1bc01be70edc292a30149c54ad1b4e0a70ed385814182e2849b8c2d60caa3a3c72fddef20f2ad5
+AUX 5.10.8/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B dc8a1b95e8e86cda51401808f8b14ac5f8c52dcbcea04d64a89d2f63d394a2fb182c9437110171fb45a350b9ed764ec5cfa7ba67eb4014247d308b6f39b61868 SHA512 c68cee6936e10dc9aa41bd6f695baa3f288e8048296e4d5627e89eb98157fb1a4972478405e8894db3401d4b362350083a6525a2eece84380bbc0fc77f26a018
+AUX 5.10.8/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B caa740f5d14f2d8e2c52e5e7da4b26096469c9c08fb28873dd9b18c07b4832368d5f2c23276706991e9aaf762b8988419705466587013c78f6cc4fe2f6cd0a47 SHA512 fbffa7aad4cb4ce4a04f279b361505b71a9ea1f113dff4f2798fab2e338c45e92d56b1a5beedee8365c8aeef9d343825203a16d8c16a3d97e928dd44a93df0b5
+AUX 5.10.8/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B dce9d860f45f90adc73e73db6c3b280c9e416d2e514a0a3149091f07197e51650f7c6ece55418f3a8da91a37908a27aeaa6e969da6720315048d8677ccc79d04 SHA512 435beb5324ab8fa44e86bac3e7d5dba42152346e544cb9bf764b5e7b105364bbc1b57c4b5ad812771d55655bcafaf7fb2857ac1e68444c7b8208a021913f3a8f
+AUX 5.10.8/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch 1061 BLAKE2B 00fab0d4601449e324c4a271d162487cc53d7b83c2849c9849c86bac4ce23fae546eb10fe919367cf920c51e5d5d021e800fdcbc1109d49a3c9523f042a1ba97 SHA512 3d51daa9d94abdb39562b9b705636d1c5a6c52cf989ca1ab0206b3a8d5dd8da48e9098f88113952b0a7eca0efa917ef804ae2a844a085111d8f292e07da167a2
+AUX 5.10.8/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B e48efe024204326941c953dedae4f4decc41b073aaa5d8b02d3f1db90d69b93e1f2da7609a6c3299957a47dc146a8f992414b5f50ae3363f8563d05bc147963f SHA512 05b84fa08294570b2393e8be72ffefcfc8137c69303ad693c2ebf8b7374922666235954697298a8c6e896e57c189681be7fbe6c3d7af6600e12695200bd27e37
+AUX 5.10.8/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B f0a3eec21ad636fe635ead770cfb0b471a221c03e992f8767fb1c275fa23fc867ce7aec41f87669ef7a2ced58bb118184ea1342187bdb6ba33eccb4a69946d72 SHA512 2219eaa8bdcb9dd0ea2c5bcf1cb076017115017d332c4cb03af6a681416c79b522e42588c60463c634b0389309b5ee8c7808fcab0839224608e6f8dbbab2bf9e
+AUX 5.10.8/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B 2593b984fda6727035468c72abdb7f2b75c4d7914b663fabb97c17ed619669d69077a9954975955bb5eb23d890808ecf3162f671eda6f91639864636325b9220 SHA512 4dcc237e9b9b3a088e6b991e6253aaf71d43c00aaa2ad6a05c88fc34615bc71870c4488b3ce93e7aea46e2360e1739745972653ce63e4ed38369dd7008027dad
+AUX 5.10.8/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 88f5a7142d93fadef1bffa707127bf964a525bae8e6abae47c2eb8928ff76ccb178704e9fae71c2b302164a9c1f3806230e603513ffce90174aab5af79683288 SHA512 6b984fc6f1bd2da40edfa63840571a0ba53d92c137f28f3d312ef75a9107f133e09af3100a769016d8afaab6cf7f9fe46093881f5e29cf768a87246e642d6286
+AUX 5.10.8/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B ce886364e534024f4750a044b076cd16172f7c5a14e56d4ed53610b0a1dcec95ba890008a198ac99fff1aea24a108453cb9ca6e2ba599402747cca5bffd4e128 SHA512 89f4da1c4e310b00af5355d095b0fe0ec99ce98c88d11b7364fa90dd3eeaf5b51031cd95df6e16e02554efb13d03d08ee7dd497613bd7d28be9776ff7fe52e57
+AUX 5.10.8/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B 4e67ccda4cf060793b9ecb02d1479653ee9077cb9edcc275e1d5dc184fddbe9947f65bf5f0c569af6f580c0963301c0908290749784548099e0a160b80d6b687 SHA512 123c5ba7ba6fe367570863bd7390ade982371d9b99db819dae195b5278f2663acee34cba36a2593f591c822d677b4c14a867964408ad7a4856ffaa5bf9583832
+AUX 5.10.8/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B 38d9c002d32f908e4306bd40172573379d1632b81f19925bafe7b1b01b7e5d406de4ccec281a50b2d798ee284d9e1343c296dcf579023f65584d7af80f51ac35 SHA512 eb0bd8ca0eae334893d0536c8a03b3c7e5391f8f695b775874bd0de9608538551a7903a7b60f08270135ce224bcbbe5d781c9a29035439a18c5c41545088af9c
+AUX 5.10.8/hardened-patches/0086-restrict-device-timing-side-channels.patch 5426 BLAKE2B 7daa9e28cc96816fee265847fa14208b749a6c094728d54489f0fe50cb16f6d63490a1d39c2971add7cc0a4eb22c97edfba6ccbef7a3345cdb8ee3993b42cdfd SHA512 66dd53b39c1035246a0bf578b2c573c17148fa8af1958fe542212e94c7042e664db606e8c69e11a1db4dde5dc0551925061d9c18f9528a90d085bc2b8a14aa94
+AUX 5.10.8/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B 72aa6e0da0d81b340f9646fb13452281f57f8ded8c57f5eaac2c13a07081c6d3e4c7a8612bca8220e16e15a8e2948f111c62ecc1eb34bad99d49387a62b2e47c SHA512 6f585c433b4fde1d50aa81f7c076c3c76b4e9a5dd925155c35ba3b42fb4bb45987a35803f4e22e0875dd6690e04e5d39aefc4d7ff3f808c9291ff39e25ed2e0f
+AUX 5.10.8/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch 2474 BLAKE2B 476b9cd9f0bfaf77ae32f5e94d66bf0537d6e519bd240d95a6196a942f1365783dc87f70389d2b718d90cbbeddc305d714c85a508a080c22e047e8a56cbbb141 SHA512 692dd9d12155a985c3b25fd3464dd411415ee47895a06bacb2ba9d13aa73ac2e8287f3823fcb0ee2e460f2d0463a805e488875e72256eeaf42bba08b41ff562b
+AUX 5.10.8/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch 5440 BLAKE2B 4475e1c6c33c34bf93a883fbb98f590ea2857ff64cc91729735c196efb435911a1f9885bbecf77230e5b672e7527a5753f86a7c57479ae70801040a781ea6769 SHA512 420940541f078a9ee63c87bf30f72ee4192ae4b15772ba8051079df72e5e0316eb02f9e8bcd3a13c09fbc16166e18e9ddb77743f1ba582d8351c60f65abe7474
+AUX 5.10.8/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch 5154 BLAKE2B 19875b29271d7315e2258851b10e1dcf4c72bee430399afbc1d489198c341800b0189b48a3e6348f66bb22fab74379ccc63a10eb8b2757249ba4c62162fdd65c SHA512 6ce709a91f181439dcfb50a5082da705b6c23883ded9f89d777cc4f816dfdeb6ba38e587c10051d3830335fde43b1ab07c684a226c2c5510092070625084be67
+AUX 5.10.8/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B 587c5edde5fd720e46a55bb2fb5ec3649f75a585b91ed079e22df42de4c3df2a5b023e4947cf646cd3f3afff2142c3b62cd0d4fa80996fcdd31534a809c1d87b SHA512 c38b1c3304833d2b14aebef474eb461a13ceadab952bd62de206a3e6e025ab0a39d6cecf142e152ed6eec6c5da547515e12bc318aa942011e688a9c0a2a3f7d8
+AUX 5.10.8/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6822 BLAKE2B e7d747f3112bc82ea8c36cf64a88127d79c6f9805546a8d52ef78ba2af368b30e6cf4f88bfa304cceebfa200902614835588b2a327ec9427a1d67af08189ddb1 SHA512 0e272024cff247739de4dd0c4e1328ec5465c6293c5a562fdd5077feb23be5dbc4c3206b38a0610cda296feaeaea66214dd72e97d41e115d862d89de6f366318
+AUX 5.10.8/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B d7605154c8c1d2234de90e60b7db835db54045ede0ee4cd9f83ccf6339da0576282ef621b4d7f01705cccc29c5952a7e56949aeeb3871989e3b94cb78fb4cd84 SHA512 e348d6ae9e7803c9718ea29914571d8cd6fd5e7727b0c7dcb2d06900bc3b93ccd1fcc37479f3694b4eaae5ef014b847f2c63ba86ecaf3bd46cdb46bbb3ba4256
+AUX 5.10.8/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B 054e8c26f043d8410a505e0d7ff17628aa157a3aaabc6a448f1751a26e416dcdc74c5ea965073ab05cb131423fad74b0770f72f8d1b99444cdac883db3af5e6b SHA512 0047f44bf8d9101d72e3e5012fd19ce945dcc5a4677f8d639d2c6713e742a078adaa05c155f0d5e632aea2b340444e72c94fd7fd9734f72037157e33a73ded6f
+AUX 5.10.8/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B 82584ae952caca982e6dcd096e4ad2addb283264ac7806036bd6cc56a25505b92e92224f0b4d54e5d71c9847b2453645b22190c9b4f0cd7d7985e7de40258dee SHA512 9fd321f0319ca20f57c16cbcae9211f4784d4be09d61914821fcf95c8f510f2f494b413a413540c6cb3c93dca14e1a460d09656cc7fee2f520d7ee1673c418b0
+AUX 5.10.8/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 16e18c3e7c2ba92b6773eb2a621dafe5eb47b5852ea10dfe52f3c52a2422a35547cdd63c56dfc90c9b7815f28c10e1bef2aafb7a8bd5550d960d2dc920515032 SHA512 0c637417d94daa285b3cccb7f138be7a1cca7afdf8ceb8064a77bc577f75da79a56e0bd2793a04eb7dc8c494b611200746a78d80703d12f5df5bba106aa1ed7e
+AUX 5.10.8/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B 541feab54f9659392806e6692cec1477380f1e67d04ac08cbc0183bf1333b3e9180f8af23370055350f30b3bce3579546b2f034989cacd92a6d35a5d65803486 SHA512 d171a4c899b4c95f3b7f6fd9aadc2205aae64314fd72d627588d142a29665905695e2205d4d4c16f6325cec803cbfe1ab2a14bdf543a672df8a870f74833659e
+AUX 5.10.8/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B ff1bdec6881f13763356d7fcc91ea90eeff5a55ad37a3acc14260a8b2254cafa5827c55414371773df7f3e207f65d25156f85eadfba4b0fb74ef5e8f8eb6afa7 SHA512 fdee93c8ec9353f318166714b07bc17cd52600acbdc92436415311163f09ba169390074dd7585d2b7a9421279ec9a7f325a09c12acd5f976922df5aa83a094cd
+AUX 5.10.8/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch 3878 BLAKE2B 53576320a8887415d0a5c07d0f80c644d05d1e32946e634083061e8957dcb3c18cf797bc85c0b7b58880609e6eca95568afd68a07fece3f3ecc7af9189554e52 SHA512 c337bee01a3faeac4506991367dde8664fec0d979e4695c21a0395e0a54e6bf02230993c6731378fe9b02d51d0a00e6897e52f2cb1d443aaf2ad7ee368ae6da5
+AUX 5.10.8/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B 8d7238f74fed15fc778178c7c760040a9c4b62a7aa72c82f66162b7143d3c6c677052567045304b865f210f6c99dbadec2891a9e496441e9dcac7113b0439edd SHA512 468f7d47f49bbd191176de8e9bb2fe7df4d924267fe353b2d4e6f07914ef649ff856012ad35506fd72c874a55e7d52bf9e867cf1f3d970b78eb2745dce5bcf11
+AUX 5.10.8/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B 2e5e9fe08c09ae6ec57a78a55470bd7fae7165e15a56dc18fad7c372bab9eb589b587e972bd7aa92c5e413b992d2748252c474acac74896852ba97a1bbae9524 SHA512 76f8419762feb05161eaf8ccb847d24216b4c45c8b05ea43b3f7d87d281a4506b7f2b979f522fefe4d2a247d64f96a6058c1affc91fcebc34fe80350c45baed0
+AUX 5.10.8/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B 63a49c27f47c85cb0f5f9c5ff5e5ce32a2e8508dacf0417ba8e0dd3fbeb8b0e0cf1b64884fd213aa00941a9e476f020e9caecd0ed38decb9c536c925104b027e SHA512 e57a89084f523b36701ba9c0b4248507e94bd3c5b9139c69b99ccb192a833375b388c1a4d2976d4b8befcf66841e7f0b1b4b5af2fc91856a3791019cac7af3e1
+AUX 5.10.8/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B 7c699fed4c5b5a58209c7da8dfbba908201edbb3b8a549c5d0ab61c1cc42d297c9ee51e000e4d6bac3fabec80db06d68a1cd41337ffcb0d6db80f8e6bde0f202 SHA512 61d4fbec10e49174add5a9fcfb6509d7b37fef62f7c450030901509099a1e4b2bfada44e30ec0f38eaac4674bde0bf94c1d8ab7fbe5cca904c9b2bd57a20c4c2
+AUX 5.10.8/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B 66c7a9b9d48158c048c0c6845f40cfebf8d8af446cffa7aadd20036199c95610e56a75472274647690a91dabb99dfc9eba9cc6fc95c8badf318d9f2a8f3f4771 SHA512 8b50bc89cf46667f66b766e441d91159a686759066b8bdaa7224bacb88e2825fad326317931839e3b4342de8b7fafdd89deb486d24fa6a717cc1f12f18fa4ad1
+AUX 5.10.8/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B b0dac102b770d0aedf3200676fb9ac67dab1e65a44d46316fd44e101b7bed6aa36b9ace586f0c7067f4ea9f16e07a649cc770b1803e2a1bbb1c500833e90061b SHA512 fca47cc26fcfae98048ba122ac1b82f221774673702446295fb9830bfa79aef74a7569a08f399048298346d116eed71303bc2ce77422ff8f31ac3368964931b7
+AUX 5.10.8/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B 6fbed62c868c7e7ee32a7eeed445d0fd29c59c9921780bddadc4663058ab8877688134608ae2ef2973262dd4c4a26081a21661683968e512f978e5843fa9897f SHA512 404d5d8fdbb7222374fe14b3714deccb3358283a9ce6326298619fdfe73e97fefa97693fb46c7fe7b01c125282768abe5eed87d1dacd7da2881d6dce24501c94
+AUX 5.10.8/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch 705 BLAKE2B 4f0add7997b648934d9fd721ff9bea3f20d1ccae33e9f2d08ff0d71e605098cebb8c8dc7a6dc1beb47125a9e52aec628c2775b059c167f53e9ede0244ef97fd2 SHA512 48b20cfb54e5b72e41d72d1245201000617bf69877f3c946024e82bb62756216d956d14676abb898feb4bc5aa7b11d586eacd2bcef45984ceae0fbdfd7957cc8
+AUX 5.10.8/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch 835 BLAKE2B af9da2bda7c5eccde4f4bf5793af9c26cad52fe529582f250b15685e7360e7d170c089419a46c9ad77dad58770dd345b8c469d64aed4b961b25b90d1b5712627 SHA512 6067122b65327df74cd98c9d92aca6140e5c1f0591c8fe49d6840d13d4d42887b11e3747fabd6d1311e48ff46684ea1bd3c25d6a23c3dd5cee09121b5fe96f6b
+AUX 5.10.8/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch 679 BLAKE2B d4e3138da256d1c4995bcf22458ac654a6694e4be1e3b2d45c898c5d4fb15da1d49f79973d5c04e2bee22e386bf828bc21f4d80352c5246c1d80ce880618025d SHA512 1bfb099117887bc777a875a0290e6592ed948ba28c0554d80cb4c6a4f1a383a20d5854a5588fd84b0e21dd8ce95c88a5993ad49881b3a49da1935e65fe87a766
+AUX 5.10.8/hardened-patches/0110-disable-UID16-by-default.patch 605 BLAKE2B 0fba958b19322af8d9fd539b1335ef0121da20432f5eb0205c6fc5d269b8126b6c845a8ca45135bf9190120e6824830920b1b75dd0530ef00134d02944492269 SHA512 382050925094533cc724db0d1d30ff0d9262537e0e2f88d29dee0c7942fa850c154fc4cbcd200aec2f6a47f0548d3b06920ddf52e1cf81b3fd0b61b59550984c
+AUX 5.10.8/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 11eb3e2770e4e1fefb326222644542e7dcd9eedde034a4d9ca45eeaac996b9346b09ab645611de9bc0a75a524e733f0d05442211be645c61d904e7de9db3a9ab SHA512 072f98499e29c55a59e156a1add69a58515dea049a4ca87cf640a1eea8348f1772a2dc403762092b79ad31db426132837778f4195ee7530a0096cef23a6c628c
+AUX 5.10.8/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B 9c5990abf482cb5e64a27a2a3620493e6f014661c5e16481476528da4c95b6728c9b6ea3372dc74e5b3aa5ec6912352972faf791d6f530bd0cfbde09198d55de SHA512 708edda496a21a552fdd76cf65369864c25dac941643b0e37e7fd190c018a63a4a4d4249a6d92598337e7e8120b48e029bf7bb3a0a7e790bd7ae856c2efcb158
+AUX 5.10.9/gentoo-patches/0000_README 3530 BLAKE2B c548a8210154295e89bf7a0f9b640a482854ef7b75ddd1694b58aad44f41a6d9ebdec56958e0690d95df02fdd9e2ffa3a3d934e4a418b1528633fef959bce1a9 SHA512 68e83a08cdaccc08fc02ae28d0efa1158f51b8b7797403b38cb42ba7fde56b73a1fe3f1ebcd3c48bcdd16fc63a4d4826b3bd56d4d10800cca754387c24708729
+AUX 5.10.9/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2293 BLAKE2B c2bde13ef40e7066340afefe55454dc933ac3b65dda4dcf81d9958ba84d9531143e58c4d35151d912bfe21a43aaed35fd99571a769ca8e823fc0d99797a96f4b SHA512 3ed100909f9aed72836a3c712e45e0116cd3c4331961a76a27b867a7098d0df9458387b656c9ea01385c3c37585436e48168ac35666b0e46dca7da05e5e38a61
+AUX 5.10.9/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 810 BLAKE2B bb749b365f37988253206ddff130651e1042af49a6c773ba6f93642d5927af9a9926eab278979e048c13d2ca683e726a5d0cd509de9e6177d59c85197051e230 SHA512 c97a3799a2d5e4da9c9dfe129756da629fba8183479b02ca82f9b6d9993f17a165a96bd35ac50eb25fb293785b9b529a95165b1a2eb79c05134bee8ccf22a5d3
+AUX 5.10.9/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1290 BLAKE2B 35f8f2a707da3bdb4df74844f72244dc6cb9fb0d41ac2034af61ce61c96e4bd472fb5bc5c687611356d06f3940e9f6669c80f4261165809592173bf5dac54b61 SHA512 dc47b18749d95a456f8bc47fd6a0618c286b646b38466c3d950dfbeb25adf3fc1a794e95552e4da1abb58e49f0bd841f7222e71c4d04cb0264ca23476ca9caef
+AUX 5.10.9/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 958 BLAKE2B 095d70ef085c6200b3ac69695339b8937e54b49c45acb7a741d0f471f66c1fe1bedf0b7df0951eff6ccd53ade10abcc66d5d2bca994e28a49d3e4296d7332e55 SHA512 4e637935c2f37cc18f347293e3c94b18f90e2caccca726304a95c4891257a5b2bb3093aee7a97571038b29c0c987cc60a9a80aefd0d4c9a063b33d102f03579e
+AUX 5.10.9/gentoo-patches/2920_sign-file-patch-for-libressl.patch 565 BLAKE2B ea33143cebfccbc5fdeab46161ab28c8ed6dbe265b35454659ba87f09705ed80219e9a9e47f7fc3df51292a3a7656c7a6d633e24a37911c35e47d039da530ad5 SHA512 79eaf814d76402a445efc961666a7c7c74207e552b0cb32d93d5cb828da580f7dbe93509dc9f53321c7844663205a8dce4e518ba047e4c57fc55f5c3498088ec
+AUX 5.10.9/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4784 BLAKE2B ccbb902ac828a26a69bda7f7eb7c69770bca7685ed5e58459e473b7a8ac0f396ac9f1aa1ee23a9248de22c5aebbfecf76930420b640cf6307a4d1e73bc9add0a SHA512 bf681566831b583537eda1df1db9c9d1b310cf54a974dcdc437c8da11b65cda423ac86a1a8ae56c84cfc947a6ad363adb25983e51933cf7acb494934c1ad3eb5
+AUX 5.10.9/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch 55494 BLAKE2B 5c56cb45b70a340d6eb65140f3772f3c4a26e30811645d471d0db7a389c813edbfe6f46ed2fb5fa8c96596c9486c1040948d3074b4fc5ebdc8080c4b02b0992b SHA512 e832d44d4a450c45eb7a517d6cd849258985aed08349d18ea21cf4d1eb37dcbac9153f50ca8b910955bfe64169298c631a7ec7857e9235bbce0167d97d69e55b
+AUX 5.10.9/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B ccf954cf19843e47fc1596e638431463f268f87fc24b8446292e0a60f6076b1d01def4f8da7a570169a4e957529cf9be35b3be5681de8368cc7368848b8d8b77 SHA512 8172ccb701b7110e2eba82e7704d040a99ac722d67332d004118d592d603a1c23e925ddffd53d5638fa9d9b9d0d72562a3d8d01f4e43040a19eb283d50d0aa53
+AUX 5.10.9/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B a1b79b791f2814d0d6cc824dc84e164b58bc04d285ac44010d030799b93f41f633a1442f8f06201cd3f6dcecaeed148d417d0e9fb253319d565ec4aee9013146 SHA512 b04c132ed066158d7705433f52d9575d5a6eddce482bdab5f4d23f54211e5f9362373cffde45ff271c5e51f54a4f58748f26c705279ed49e877a72983955dea5
+AUX 5.10.9/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B 2007be31ace55f52a72c3aa34e6d675c129f487358cc4e0995eed3ac80b6996287103eba5a8240b963455ad8d77b516d84c60dc501eff1151821c26867cd1a06 SHA512 d12440456bd46dbd39c5193383091e4111292af57bc70ebeaa5d2a1bec3579a55c685795c57c95bc32e38a0dbbb664199af63defc1d38a0feb5b2d97c33d09f0
+AUX 5.10.9/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B 5a2707df0b361c16e78546090f6f2fe76992bc0a939ad5f9338b655d12169213d528d806ff3dec0a608017448b035f34a9d2c0c8546355c15001b9bf9b0ac146 SHA512 8953ba553c6c8d7cb76707abee1ad53602436a7c4b8d93046015434ed91481f9eccf0fdc446bb79fefe2d96664a23945b2b9673f635f1b8cc7afbf56fe64964e
+AUX 5.10.9/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B e008b81c5d4ae9d98692cab0a8e7b9e313eb5ed9ae70b1471edda2ca80dd6157b55a976fc35dd2e1760b11573238539d5d9515cb5808069003f5bc22d0d81e58 SHA512 230592ae67ed8347328243e64fae5b723adf775db8a33e5fb6a6667171ae32424f154f8b94ef533aab5de3e65440e077a6e92c5b24b3f8d02371aafb0f24b3ad
+AUX 5.10.9/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B 81fa4c0b5cd371ce8a1f19736faeeeee1edade0b569ca1af48febd6774cd905b36d290a4aac5cabbbc4ee2b178647eebfe4dad3f23cb6bd43a0a3dd2ca1227aa SHA512 db2431d4c57ab2192d5c08d3e228260af260253c5e77d349f52b68e238a1f1970c915b89149836dacd9d273537d81d50fafc9dc0bb2f39f932a4ad6d035eaa2a
+AUX 5.10.9/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B 614a28ce67145b8b5f4bf0281fcce2186314ffcdea2f31d64e472d69592a6434e37b964b9ce7cadedaf042c855075a72ee3a4cf8af6050ebd92424981091b2d0 SHA512 5569052d1ffeb7354bc205699af220046106796bcf7eb72874ba5a563657a8416250da4e052162581e67591545b5995165fecfeb833e58ad0d8f82f65552f34d
+AUX 5.10.9/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B 91c6121088a6279a72cd424bcf9744d3cc0426b93408b22c2c898c9e8b360cb6d429263ac1acc498527d6850847f1f4ada155c592025d0dbeed107d87e1b767f SHA512 50fd7fde9846b2cd547620a30ed01c8943ce832a65fa9a6da6348e82e6e446d82f1a24ddc55878265e7ea78b5abe71d7e1dcc8245abf3cff71c8146b6984490e
+AUX 5.10.9/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B 44e271c93e1a268e60d7b394a4dbf753b6616b47ee5ebde08aadfe67f9c08512f52225f347630e317de332c1deca3bc7c029e5f3486d3d0f304e646d5472fbb5 SHA512 6ee90d7bca294c573a1f166501e072da0cca03c72665ab549368618498bfaac1f51e29b387936810f51bd6d40aa9372e2786b1b4364790187ad56d6398ce3bea
+AUX 5.10.9/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B 51b66f7cd3d00f5258542cf3eebfa4cdef23c74ed125b3cdf3b63a5882a8baaf63cc8033c6d27c56ac9730be81809661cc70af247af19be3d7bfdaacd8f8b94a SHA512 4d87057ce87577724371d354950942cf6b2a0f18fda679b38223133663920a6f14fb6c946b44cc573e10dba446bf3c903667d162ac08761ecd5f4eb947baab1c
+AUX 5.10.9/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B ab194ed59002b8814e4f26aaeffa9fe3c9a955d3ebe37eccb216296b79e9a8be17df47cbefb8ba011debdc2d4f10ecee495038fba5576c69fd84acf653bda72e SHA512 6da628a9c0db8aed5930a4474fb41f3688b55484026cea084a08adc0321bacc872fd3022138c383a71435367940beace2b954d24cb67946c717fcff3b42092cb
+AUX 5.10.9/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B a5db97c33bc3eda4115b1cdb75673fdd32a96edbc4270ef9bcc4e9c25cb7972923c8c4cc3ce5e2e8f0abf6cf4067038900db31f4de5fe57f712d5f64560d1d78 SHA512 201c93b16de438312e015910cc027f35c10bddc495b9bc58309639f1e0004880ed2999133a54fa3ce9acffa132eb1eff2657d6d8087970c5df7bbaad0545cfff
+AUX 5.10.9/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B b7f528bcae1c4e4bb916e77599a9d5f1e0ab1f79a830f3d96d410b5a8dce34504b5d6631e9cd282dc7178a5c73b63520f048f681c0107d13828b71eda2415083 SHA512 caebafff4ec9b14d31fdb28f2ab9a649dda37243d839c7083c9b08ca26363f45294afb2913ee401a0fb02035e6190bc36504871b0a6431f652c1076e923d9451
+AUX 5.10.9/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B bfa7f37e9daf80e24868cc951e428c40ee28e1bc3f8402e6f41e4aedf6f93ce7558ae2c2244a075181154def48d2fced6ab4e1cf76d93528bffbbe830eb85a27 SHA512 c61fb11fe9cc5ed8d03aa5e892a714f3d68fa35c6a82dfc94331309dddd497c38d789b07a401122dc4d3e043c30670248000862f8d1a4b061a4cafa90fd518c9
+AUX 5.10.9/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B 33ea1adf6912a47b22a1306d789ea21d9b79adeff4daee91f2fe0ec0472fa60d040574efc3308aa07bdf7b17895306fee243eaf96a23c5c0950411df7974bc92 SHA512 651b62b2d195fd90de7611b51d0962529ae60863d553a3bfb5df1748cf71de64310df3f2ac1762c45ff233f9f4642aece1a0d92308ff9aa26e7f5e991fa25952
+AUX 5.10.9/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B 4c3c7a86b890a2be2bb5cf74a897d9de1b9fca1753607ba2a729708ceb49bccc648cab10a5abc46d155714c63bbd7ef577dae017b679328760312bfb7ab6e276 SHA512 398d910bd98dd5a6723445841693b93a49cb3b9b1fb6efd07210fcaf65ea3fcb7007f0366c4118597aae13f3e9313c287baa7b0893c91030f8b85c81a710dbec
+AUX 5.10.9/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B e07bd28bed14c876c5452e7f8f04f0ea796613f5a0ee857c758680a439643bd803676b1cb6bdf0929ee9b6bf689a2a6de4a2d9861e4e9cf7cb9d4dc3f580ad32 SHA512 536cd83ec723285dcad64d7b62927216d0010c96a481ca146224870fc95b30d67129e712448e8fc48520848d9ddab013317da41622933fa544e8b659ff9383d8
+AUX 5.10.9/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B 7303f49d35fe1f0caee0720696603877785071be568e519ec3444b957e6cbdfbeadef6d68cacc6aa96a047eadbe7e5fba2c7b6df1dd229c0f24ec08b22385ef6 SHA512 cfdad1e0c8af65969c5e4c475e813ca73a726101c2cddbba0e413faf503adc1218746a0e9e37d5205abdfed9ebfa6f2f63fd7c36bc18aada5dacb657c3403165
+AUX 5.10.9/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B f7c51025119d9d6ee9640ea4f39722c86a87f01154b4a7f1c9d9fc533935999ad1f37d5a1b41e7c4c890c0698aa30959c638f7edbe78261d3ad6598469f4ce09 SHA512 c268200cd347e2e304e2156d5a5e17cc5dcb548170a4c1fe97bd5cacc156ad04263036e804021aaac3d91cfc886172916210f769fc1a57135587603ef678d781
+AUX 5.10.9/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B fbb059fcc75d7e5482941ced061ac1f5a7311a89040e4f67fa1a33ed33f6b01cbb220788a41f5ee0f7d305e44a515355e903f1dc6e3a5a14da1bba53bf26ed0c SHA512 f30bc0db38391a4ae9fb2ddc01fa36f30fe6602305d8cddd1655e5fecb0973e6fd2dc1a3857a32fe64316244858d621da32ad07cbf9df8fc66ab271d4e8b7d35
+AUX 5.10.9/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B c6ba8bc50b8219cee5177f47dcba89c8f707ce00f840cefb79198b7f0c59d327bb17e455ecab13b620a27c7ee5b133605b50b2baa64a4ea739510e7da8ded373 SHA512 c4508fa6397f6eeb6de19900bd7b0304f56bb82d16fe0d86c54e832e5ad677e6b87908544470d465dcb3fd8e528bf103c0a5618d38edebba370ee8441e0a7d22
+AUX 5.10.9/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B 4929a10b5e8f5eb0f3d40c094cf4379c58a1bba5c0d0d9dbb5158ac738312b5f3a26469d0843910fadc8c24930fc96b332405853f9f2f38b71ddf8c19a6b478c SHA512 c580c12ccb060e0f364d84bb773316b9229647d4f49d5f92e5629c4b92ab70f59377efa7eaaabab2541329ce9f8fd0b2154660a72e815257e067ab44ffa05541
+AUX 5.10.9/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B 1941794d8fd16176655ca75dfca85ef03a96d9664ea156a5b7638610411c9f25e513c21bc572653bc5a46500ace45359568f72c25b587cd2524c56e260e1c258 SHA512 7fcc7fef4aea0799358133b83b5412a0307f0f3b133a79a2f5df262d41ee35b00119b8987666b7386bff2f428720123c2861a3e1b08b07004324d3a28187248c
+AUX 5.10.9/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B acadd4e562fc9059021c79ed784720320f6b4ac8ba061b1ad53071471121b2d7f2d21a67b2d4c7c3470e6211c9dadfc5992aef880eb0d60b0c07365ee62961d5 SHA512 4e0af65ba37936bfe26722771555b8d983aefe8a14e8ffcaf175f597ac89e347f79246b6d65c216f84351e1e968de2c58e8db8c3f7a4d154f8990120aceff47b
+AUX 5.10.9/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B c076343e0dc12be2c60c6ecbcc7416a7b4545b2553cfbd93b09a61a41cd9b0291b39d9a5ebec46718b7688aa78c2c72edd169cd40cf2866ca0ec78758edcfe9f SHA512 d5a225fc4f8b4c51e6cfa785f3fd03814ed089565e24e81bacdbae2a88e9806ed51ef8993d78613a024270c6eb097daf6dbd0ebcabe25cb52de900e996ef8654
+AUX 5.10.9/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B 924333212ecbd239900674b2bd88deee4f6f357102e66cb7cab96a129c68f5d3d9bfbddab562606f825436704e3fb0ff5d53dadc67546715493affaff93826e4 SHA512 b9634e6b75a1089e26d4d0e2e723e1bc71c09c4510aa505c9a2cea3e7843018e8c6222574643b3f697185581f980b8fd9ac8330e69ad5f8879ea51b17ae39b4a
+AUX 5.10.9/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B 31ed112237bb28c40650f8bb687f9af17410b03acbc43f560e186ca688e886b7a7b601860422b8479cbe787d9b33620e84e496b242a1a32364e063e337f53923 SHA512 9c25998983fbdc0071a14857710e4a820d6ffd09a8c07d263090f82c5aaaf315c6c57611fbe6616ae3dfa71123cf96594753976dbfd27a557bdf01ce52a52966
+AUX 5.10.9/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B 0b938635c40e457171e067e144f0eaef43657214566fcae9ce06e4291086b9acab2d0e3f7ad526abfeb96ddbda8faee6b3a155408f1bea26885d4d15fd0cba82 SHA512 8fcd016a082e365a45abe7980b2aa87a7879a81e6b9bde3530d3b86c12a3a475104b00e8809c9a0177188c3dbc41af0c03bce4a8dd692e651016f4d531fce473
+AUX 5.10.9/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B 09036d3aae7a805a59a1df1ad1a885396f2c04338909102404d071b09f156c2c4588cdef5542876d538d2fee0d6e8018fc0b60187aaeffae210bb31508a7e245 SHA512 047d3a524970e50c067f98ae0fef42570ef23080956f7ef7737b0b0ec06132526de0b922d2c1a92570170edab2f55473b758ac21a9de86d094b214ac8035938f
+AUX 5.10.9/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B 8aca046c0e476ec30a2bbf53e390fd654645a76c11c54e0430f6455a7ab9590cc9ffcd81537f4c0f12aacfd8bc0a792636e6f67c2fa0d3eeebb9b2413981a272 SHA512 0f1bd72edc69c2a07749a055916738b374e86c2d7343bb4df3a99a92edcb1c01770e73f2ed1809c4a7d258aba91a354f543eb03a1eec76ff3697c963ff15ec40
+AUX 5.10.9/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B f5ad9583ac19d710e52e17edfc66b8cf2cce646042e0640a3125ead9087a0b9c75bd6ad77957f8ddb39d5340ba3051ef056f502eefd2b68588dd9a4018eb0c5d SHA512 df2a024779267c777598cd54fcc5c5c2f61af7ed4f2bc51a4deab356bd45af0f2226d271405018ec338617745492f3d6da85bd9ee2ad9e192e901e9750eb9612
+AUX 5.10.9/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B e0401e03ef88dcdd092b4323b8523a8ae722fb461ed80645d368fb0ca77c7d39c7de2e1ffcbfa9fe5e28ccc3d3d02f9f39b7a84fe6b6453b7025ffb0301c1fec SHA512 0f13c785709112d7bb05cddb45a006b809ed8352de6dbb4fac5fd32832cf2532b913c90446c347a9cf65f0fa6d591f28fef1dfa9437b1712482995b988c432d5
+AUX 5.10.9/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B f0eb93571641e314b6d098943b057bc860df9a5bf50d68bebf571b2792dd06fc2bd5e3a39ecdb8a6e648d3add987f0760393275dd5c4ba67673503db5e3ca9a6 SHA512 f9905e820a11b9d75de67208204e56b154e8adc27c3279b7b1f7c9e70dbe6144ecc84784e60f01ec228285f694db9a906feb0fec51c5f777e00c8bf18e7cac46
+AUX 5.10.9/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 906784ef3bb7d56e00093db22a89e54fdd3cdd60aa8bf27eb1701d58d9ab9c7075478d81147abea6025484cc41bb760eef8b6ee8d48b85302a8969938afe32d6 SHA512 9178089dbca4e89504087534b274c56ced481471d4b758de5ce89a2a52b227a739a8b839efc03a606e12a931e579f0fed9e2a034502f4753abf54de83e5ec34e
+AUX 5.10.9/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B ede37e692606de83e1a2d1db63b667600a91c2cc59c613858dae96432525a788ee1a03ec5f4f756c3cb551d701bfc666ec16e9da5605e1fa7f311225392dbdcb SHA512 d95bed535039b928eae451e76c9a288b8db3ca94517998b09db9e03f627745ac7edaff9826fbab82f7303b9e1c40cb9e36f820386c458df2cbcf2ad3b06a8bee
+AUX 5.10.9/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B 162498ed31f74e4fc3e7efaad6560d71842c680e329c49d2b9059565438fcb76873e1200859965fde581a89f0992d20073c5fc42aba4ea7f77918395cc9bfe31 SHA512 1095444461247eb6e744a410bc7836b68657d7c971da8a1f42f5b18d1ff15f0bc7ab9f23fe313d386f82e303046f820fa950832a34e4dae586ddb0f8d4319197
+AUX 5.10.9/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B 4a1feb08be46bf140ce178d47f3d8c4b9e8a2be982a435b7e0ec07bd0f6573a8450cc65f5f38b2d40697a56510304635ff52550f07d484f2ec5e17e04582dc00 SHA512 84afb93998fc308165a440d61a7d8a18629c07c3f7b5c827149de5b5f2df6ece282fe54e45df5ee29034090b68e6cefe22038c71a5999f1df0d9f28828b268aa
+AUX 5.10.9/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B b2b458e6ddb0d53a5db75916df388744ec23c22a55b708451422b07b312fe652c7e19775316c7f7d136d1b97f78798569b4d0b806060a79509d4d864e370bd92 SHA512 c7ecb53f3b046b01a3e7754d0d383b7c968e7227a19931f27d77a9f41370c1966538a68e0a0b00fef6e80c7f3893f7127b94893f7147d3b1021cb96ca6f7c1a0
+AUX 5.10.9/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 9d42882a3936a84f8883892f96918ad463a25c0fa660b94fd1e8f70ad9c4115db0b098382b6ba67fd997935a1ef40861ec27c6534a3ab96029c20e09d7e63764 SHA512 53435bb28590b4027ca51a5856cd00263817eeab191b9c7f66046a1974076ead8e96e420aa3c53a7bc45b946f589469f28e2c7e3f2daa21ea6eb9ace03e3c75c
+AUX 5.10.9/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B dcc2de2b40d46d52a8dc58cd46dc6b570000cb47a7c5d9a920de833f8a61e0f6d012bd39bed37c8239b2052e0f42aa691bb12197254a3f705180da06bafb2f5c SHA512 58740d0daa701446bd531be814053cb39215927722c771ce024bd3499255f57d81d69a1e608e039b052c4be7ce8e3fdf384a61ee44ec92642490f879bded5e1b
+AUX 5.10.9/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B 10575b8dedd3185653e50d07e2b7e443e186d6a95d52de32dbb3f96dd6a32ca28f35e58ec20b2001517d9b3d92fcb5a3c99c1b622e4d22cc8f767c5b8f5dc4b2 SHA512 6649dc0870c103e0970a9556fcf51aa40b97fe6ecec6340e59a12afa1af3877c119544415e3daf6cc4ab4825c1161bad90dfd8933d46b404164fa9592431caa0
+AUX 5.10.9/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B 33f163cb9c2fe22970a69ddb582b3edcc6331f0d7f790bfedc47e835f64c9e8c81599b1249d602e0a3a40bbd34c8f0a280f3f6bbda3c39801c2704b3ca5c8272 SHA512 11120a4026d872180d8b843e41b328684b17903159c3a3611d75e2cc65024d62d40d902ee83f7a93acf15d3de814177147922fec60420771005d2c6d4bf996e7
+AUX 5.10.9/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch 705 BLAKE2B 3c0b4a9ef6e47b17655340e948243c743f784be2873705a6d412c6978c08595f45a37b4d1739b8ce099710e81ab1fd88d3686f929c9fe5bd6ab8f6f9c9070197 SHA512 7001e49fa559162b9bd6838e68dcb1ee0f1c3e3284111a7a0281985418fe66b59a0517b5250425b728f5740ec722679026fdde30efca6a19041bbb29ba6d0ab9
+AUX 5.10.9/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch 835 BLAKE2B ff56b7cb546b18d6cfde640320dc2976c96a0466037ec5bb06bfb04acfe719f3b02f67130303bb968c39c41c84a3c97a0fa800c929422743b647d4ee37594881 SHA512 5156ca4815cef679b3f0693dc45637e29624a67f197b52f325acc21b1dc6e5cd72357e4c24ab845ecce706fbb54ce948bb56a40fdbcd5c704d81ac83bd432960
+AUX 5.10.9/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch 679 BLAKE2B 0479c913526a5c8644cec606760264ad19728de8a0b1b925328a010275844e771177a335ff45d990bcb59fb8498fcae03f37317af9274a0dc2b7706d4ca992be SHA512 a7ea245fd7a87349e0389c396a607197a8f1a7675c7f5f3e9bc1063cf8ff84e9cee88c6862c07f7a221849dfd1a835658894c0f73a822b686c55d36da34eb783
+AUX 5.10.9/hardened-patches/0046-disable-UID16-by-default.patch 605 BLAKE2B a068af671ccb00cfdf0eaa4ea4d67360b7bd27205020b5b416e25fb4fcc7c9746b9ceb0694ee39003865422985b6581b330cfe9cf2f56918eabf26f4bf58ce42 SHA512 eda96ecab01411f3734336f2503680559b9a083a66d1003a156925df98c6ddb72ad6118e3fa92075f81d0d672a3affcf1f0841f68160e81dcf58a48dc829dfc8
+AUX 5.10.9/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch 697 BLAKE2B 5ab14655f227ad9b871b525db7a41c0b7e1bbe8ff16762c528f46f749223c76e34df8522be73e3a1239e795ae75e602fa2e88c27f825c1664c68e499dbfb5c61 SHA512 c5325d7232f2075c550e623a8951dc28214229d1bdc4f24bb606dcb7b58a68e34c6239e831719215b6befb9cebea50c095a82d3b78cf26fba2f3b4d011d39edc
+AUX 5.10.9/hardened-patches/0048-make-sysctl-constants-read-only.patch 3971 BLAKE2B 6c5f1dc570e0cea153f55834f214e954eb59edb2ee8ccfc5a662edeece8941c96d0fde8234bcec3f82f2d8f392d42772d07e53e7cd6fd7a8c51a8312f353b837 SHA512 8bea7cfc6d35e22becfe3320d47d53fb5a2d1ea44614f4195d02f02745bb3bd149aaf145f5eb5455793cddbbe42b2f34e8b62298bc1030954136283c68ff2a42
+AUX 5.10.9/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 247aea0420a71f53910f4c83d2cc5101c15ed590aad6c67e687e969a3ff75defa2667fbcb95a504c6d4ac4b15e805de97830e441cc5e866e2107bd7ccbfb20a5 SHA512 923471f82ec8ff41f7abafdd29f679757892decdef42c9ab740a20dacc4b8a58763347592ec03818fc2aaa1812b9fb2c8a33a072eeaed57812905759887d694e
+AUX 5.10.9/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B 732778f707bf59b4e53351e3c37322ab3f003c28978438b64f74ef7181284adfd93c9971b5f2a2b2606b3b81ff9ec3a84e2f4d3111f703e2d3b41425921549d8 SHA512 73d944be82a655150a806a3e7ba71975f9227a9c1f6ba4b1b9773f6a876d38165ea9a9a6ead9de75091d7d92d1365feb6f8f7fc87e99270f849a020a4ba60208
+AUX 5.10.9/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B c4784de2e610af02c098ce157d0616580e9311338786fed1f36255573fac45fa78a0e277f81e284ec95ec9bb8af3c88ca6f0c49e6f93492b77c066bc39a4bcf9 SHA512 3365faaacfea0d62d877b9cc61c96558f099129abb8025a8eadbfee9ad37f47e6414aa809da355e76e19aec70f24dc4431b182515a3ee75c19df43a66437787c
+AUX 5.10.9/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B 75b458c166ec05023f88e4ded1b95a9b99d2ab9ee7aa921c488a4f27551ca2a17e657b88db41e51b579572ad84aa101fe7fac77e879fbf392107c012eaaf95bc SHA512 21b0f7ec148a645c7ab6f1a85991273c68f8bdba74dd43462a875370110c2dbe3789a0761d8e53f1e91e27b42e510a9d87743e0538e775419fdadfc3bc4d7f41
+AUX 5.10.9/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B 124e85245295c42829a68c40ae7db8ea3570444c078a559b74f100ac606de007f2279459a3af47bcab04e98974bcd3b7ae24450f5efebdcf7c7a25fe57ff0ce4 SHA512 bfe2d9dd1b3740c74b153c5b65036813f85a1c283190c11eafd75906b49481818fb1e7bd945bf4b2029495047af726f05ec6a87eee58f4d61b48985e857e8f36
+AUX 5.10.9/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B ea2cac83009f02aa3aa725e87cc72f9e81d7dff3fa0f207953dcde9831fe40141dc422810b330664d349d7d8a7ce816f7df602c4fd8f452887b3e93ed862d192 SHA512 b7c9bbb7803d4cc678920bda8bc80925fe7b3aba40ba822da76db475d8d85703ca321e4f9f47b4dd2031c0168cf6a1f9cc77690390a5fcb99b7e84623cf79987
+AUX 5.10.9/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B ec56f1f5c62ddfb0878b0ff773a9bfb075858363c496c4e3f75fc128db703baa22cd1145c785c31f272b3e16c2edd72298c4c05a92e93edffd6741ce2007072f SHA512 14ab1ba971fc5fd68dfc32b178f6d4da30ce5e0010ae6f18d95572119275d810e89a7a3dbf1595b56d817996545baa8da74d0a0d27b53374842802e50abb0357
+AUX 5.10.9/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B 1c75523cb515a59396471b6f21747a3e02c773c1c411c5b647d7cb7df441652dd948adc0bda01116970be52b160a628e115cb830eed28be8d6bc075c550549de SHA512 ed34d3eb54e52a0447c9b2047af02a6a380ec8629aee5b4cbc34ac0945fae11bb2eea1ad40e90caa0955e37698814d4bd60235eb699fe884200909af1c782246
+AUX 5.10.9/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch 7357 BLAKE2B 8744657691b55b35192edd7fd25c308b0ee735cf263e2e5720d0acd69a0b21c8e24e6ac83d1ddef38b627c4979bebf47c5c10a357d42c7c6fda65dc7e8bf107a SHA512 fa4c86c72baea374399815f715565008e3546056e9da2e8edafaa72b58b1a36740d2299e8c1bebbe35ec2ed261f73a42258da4eb553dc04e0d93da3cdfe5090b
+AUX 5.10.9/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B 5be80de92b4ca12d5fadf13dc084bfc8b50f7f2a24419a0469c65793ad8e0fbbf4f6f396e91e02983e83720153fa37bc5f3bb04c80e943c391579915b8590d89 SHA512 8770afd558f70998dd4ba60dc1eb7357defb825a3aa5d9c3cee1e36febb031b686223447bb2c4f8090464e3c1e74211c5f1d958f878aa00b86d9ee509cebe34c
+AUX 5.10.9/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B fb37e4b39c599e0981727d8caefe11a437beae86e39cddcbef6dd22b735ae2812ad0b8f98114b3fc112ff9bcc50f2525b53c010b9350d1285547cb84e44cd0e8 SHA512 85c95e24d7d091586dc1e588eb1dc08451109b0a8aebf39f9aa07edfc30b332d56b08dd962c50adc84d98261692c6c0c8b938a2a2b2d9c8e5a363ca125b7f847
+AUX 5.10.9/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B ec5dfed3918c51171275dfcb179420996d9432c52e30f6ae19a11c94bde010d9b5c56504609302b29156b0e925a171738f4329c7687a9a10f15aa5f9697980d7 SHA512 f3fc30df6b272754bd4ced58eca1ae4432530bdb279b4bd17dc9da4557aa6419d27f5d54d0435d969b40d4cbf6927e14ff6d54686b7e7b245388e15869295405
+AUX 5.10.9/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B f0d021814e176d59df2c2fe6021d8373db5d1e81c740e8327ef31c83e2b8cd69fd476fcc4716e849c6c0fb677574323956e845c1e8fb32102d36f02d37d156f2 SHA512 afc9bac2f041739f461acfebada83ff17c34743450d41ed259d2188cf7b2e790d8fae8fd1ad6b49f8d945904161e38973c22a6180097af974d617b2111adc275
+AUX 5.10.9/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B 4b59a6c41a61686f10e4c73276a2708ddfa0aac9e8e1f0980985a75be408a5d1d7712e9cee0091e9497723a9f5dc2652e43fa2216800d6aa7c072a61524f50d0 SHA512 b91a86848f4bbef03831f3b197647e52fccd758981c114a7b98553138b87f162f7db07259fef3a999c9499d3f10f8ffb7cd9490cd9f014e3fa37f3ca67d8eaa8
+AUX 5.10.9/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B a4bbd03589d761ad24b0b2e63f1f2a1dbcf5060d7ed9dcdc7999072e4b8b5c1b9cce7196a4ef7058009717d053be10b191bfe503dcfb909f2cdbeda2f5c2bbab SHA512 662af40884ea5b4d59c03cfdea3893503f8ef7c2f4526bcb0af5fffc2abb57e4b96d312ed138e3a21a86b31a449a3be674b26e2140225435b15108124727a9c1
+AUX 5.10.9/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B 45456dd04ccb61a98aafb85ce2c6785bca44bf1d29942a247ad11c4f412d684fb91baa9855da1f28b0275a4e8272370f3379da85dc61f7bd5532c7925a447c4b SHA512 cbaaf3483666e50dbcc5169ed0631939aea5e103bd3c83c89a2629a18fe3f34322eaf1afb58ab860e45e488a58803e001399be0975e4df33a9145b7223e2283b
+AUX 5.10.9/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B 53424785f0d66238c06443e73c8018d538f1bd0b993fe09a65431464f56124096f6f0f4fb2875458d70ae8427fe01d01a9ce7d475202e947dc57c8cfda52be95 SHA512 407aeedf1202f97a63a059c3ab0fb2e34f002046b1e437a7c183b33b2f069f1d4d1c9b872a48e08ea3ae7182b2df57a97eb808bc95cdd61ec379c7b08d759d5a
+AUX 5.10.9/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B bffdf8126cd0cd223a2ff921d5b3346d8b88f1f2a7cfa965ae5565040703db9c52d2ce26182032d8c78d11146350a796a045ba67c0e9051a93ea0000be5faeef SHA512 607feace1458c0cd5a425777924532557437e0f976058759afdac4195825c2ff34923f615964c237518c65a14aa95a725ced95b803c88af58315d5789e36be97
+AUX 5.10.9/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B 6e84c38031754f4002d337417cc9dec12ba397d845e79a3d9f54c5439c6abcbf279a3bc384f1ddbc075f39433178ac0831d310bcbb368245f2a34288632182de SHA512 0f63fd0f6d737c49fdc8a3a091a4326d5fcef9e70ca24db8a2e070b6cc66a4a8e2f967d5ad8b5f00cbd99f564c0b2da4604ccd74f75844905517e39b2660b93a
+AUX 5.10.9/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B 5b3df4c4e523323de46d0b7e9b8ed7ff56ac3ca0cabd3ad6c21d9907e64df537f01646508a659034cf9e13ee354ab57041130f0c07a9cbce94a6d53146887664 SHA512 4b8b2e8e3849f1278600e92f079f51d0cbc3ff3eff48997d4237c0c734746fd6aa5e958b9ac1f5571094985dfb17e6e416c03fa409d7d8c3bc969a4ccc1a74e2
+AUX 5.10.9/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B 2be01ffcf2919eb58b6fc3b1bf5a60c88269d76a44a64d0d652c303db7617bd5ba18b30bbc8f78e1f433cc1044e2b65cc669dddd78e065943f569bc855caa4dc SHA512 a3b81dfd181d71bf28e78e1137b5f35b875945a39d931961c186981165bc2bc186551f086f728b5bd511aab80b63cd523c91d9ca3dee44402fae6bd873c988ee
+AUX 5.10.9/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B c252f7fc341bd6e6fad941b15ce131d726a404ffad8e8f39e0b0b47539ea49c24b417cd15d31d6fd39d3b890aa0095b74581e97fadd4dc60f5de9bf7272fbf00 SHA512 0f2936549fde0cedb32e5f800fa1b2dc8f3cf2930353d009bf08d060295a0ecd6a27e0992846d594878368bd3b3a9f3406f2e54faa1a4ac4dfca907f8881e242
+AUX 5.10.9/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B c937ff2d0de83b17e0099d9ccfa5675ff1eec976b8ef920db0e45870a7d77e1bbfcd183952d6b532cc36b50bed2b0aa69bab4a8dc031b52a84d5a4670689b0b0 SHA512 99306bd1b6c1f817f5dfdd82f426458bb9d2bc672656f48aa72724e409665b2abe4f95d8c8fc8bcfbf05f4ed18a8b6d7f046778b86700add85ec5f4a7e9e2191
+AUX 5.10.9/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B 10719ab12ffa63601a428fbae0c6a8015f1aab37d00634c96b88f258270f7d657ca790206ea3bc9208d860264897b7fb606a2e634d1651aa870a9f2e63f39db0 SHA512 5136341531ece2aba2535eb189b533dec7968120dfc056deb56c0842a729ab0b8dc2c67db2b9e821153a4f7d25e6c6111814261f971229ee4a1daf2f0e4919cd
+AUX 5.10.9/hardened-patches/0073-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B b4c130b1116573d0eb3be890659b463629ac4b246b29a630332e056edac160faa4401e0ceda92ea6e9ae3d0f96610e642a029ffc1b347657556a76e2038d816c SHA512 8f1a7636d7c33a08efd77acd54cf71de7e43eec402ac9d29453a99155534d07e712a78ca1b8aa5e64e6c74204459fef8157e8bdc753b8b3e2f417e8d288ce80d
+AUX 5.10.9/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch 1259 BLAKE2B 1afe3083baddc00f6097f5b8536ec24bf5418352bfd4117fec37c641851c88b9bdb95ca5d947b0e970230d7bdb4f55331f56dbade520c65de053934f74bcd6eb SHA512 5dc07b3eba2b58bee814113aefc733aeb26fa1da437e25ed1ffaab5aaf4f350adcfb583f787052eb2bfe819e6bcc7df029c898abca0eb188086008a7dcb75ac7
+AUX 5.10.9/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch 3591 BLAKE2B 071b1b30e31c07842f4c350ae499731e6d04091e000c87f68fe0ce60510b2eba66f38bed531693a37ebbdf54b6916d780d7e1b55c47be15bb87f17f6d7f8bcb8 SHA512 d3f8ba9b10e921a51ad98573ceb71ddbe78ac44262112f7ee2326c1d705e3b47e58870fe90e4280fb3ae21f4a15e62c619b2b4a5f9af9ab507884f1e1ebc1a5e
+AUX 5.10.9/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B 2326c552629f31d125ae3bcc3895c6345e5cc68d3a9ae72c010a10d4d14717bb92009b4af3e6d652f3920631b9593e151791596dfb3679569415be1e4287001d SHA512 4b63cd34c309b03786ee0ada8a0c18cabb1a2ac637b5782b892906a3153c46fbfb1466d1d91712854d2b8e63c8a961ec34c85a13bde32a0259f051acebe3d4ee
+AUX 5.10.9/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B de5275a1b891c33278d142cf018b829b84de897737adc33e6c516086ed7111dd32611d6ae7e84e05791576bfea8019bef0fadf275e25b835acdab6985cc96804 SHA512 07a83029019b15c1eb6b3172f63a810c056803eaa07f92461b40aff0b0f66461fa41736f72a8187e7ac77641f92da949487e5a1252651e6de1d268bc8ddea878
+AUX 5.10.9/hardened-patches/0078-add-page-destructor-sanity-check.patch 2205 BLAKE2B 85b42ef74e7091cae5ddc105923c2d8e8823e42d5cb9c8e4fefd84f3b15234c3cda4059d044288cf3c1deca4655f7c538b4c457ba6a369699dc6a1c6d0be4cd7 SHA512 3e522d5cbf09f37a55d590eb16b5428b11e48e100645d2efa2c7a23b4c6bc6998f3b9e228326bd386d3c1c7fae7d32789b8106ee7d92bccb7a085fb8c1bdda78
+AUX 5.10.9/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B e1c69fcda7e9ccb16b74c2b7264fa32486cf3633e83768b76124902afd479f021312a737f5e9da543ecda2de692e74c261658012b4cf6f0f8ea58de439b0c55e SHA512 cd5abf28ba3d0826fed2b064ab20a0423a53bef5d349f71cd624b1d9ab6a2d22bc0598b42fa3a7720263eeeab9c56e11749db4c9824d3eb8aaeffa6b3e97b5c6
+AUX 5.10.9/hardened-patches/0080-add-writable-function-pointer-detection.patch 2688 BLAKE2B 6844befc7843df407062e6b7d9763198a15c441d3d624286d59d904653f2ed61fdbc6b142da0c4ade9b4b8f8a3b6d14266833c42e1761e4aa711a2ca04dd4d00 SHA512 d3e17342c611f092fe673ce6ec2eae362d73f7acffedf14784535d51c12decd83287be4bd62729d960f9658821b8bf4fdbad70c11c28c39347609f4ff5e0d7a2
+AUX 5.10.9/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B e5703b390be696348f06899a43ffee075f64f6ad7126f94bcffe6b7eacedeae4a56a442b62f08317d4c54ba24454b698abeb6e8b45a9f40d5b8906b7aaa0ffb8 SHA512 c8cdf3df2e0892ecfab00265bec927eb4f809e220f69c669b1a4d46d8ad5443f9f8eac68b1907a98186473d45c12682a2beff3608d7af029ecfeb3b36e1ef3e7
+AUX 5.10.9/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B 5f55a1aa046cf24fb8de626364a13efdca0896b18858235bf20573394498b9b6a1000d1626a1dfc3dbb53ca231b0dfeff66c8ef6d9f712246453f86a34704cd3 SHA512 41e05f555867cc2251dead227c693f551f003fe8ce7a73909e129851b57c95891949108d88f21ffb11e8b4ee8a01b7f0e0e921acaebcdf0754d6a0680ae2848f
+AUX 5.10.9/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B b52491fe0f25f9a4dd43f1611ddcec5b936641054c3818fe3c119485b2e623530e31ed176427501cc2c6f342b4c3f7f6386ab09041802b249f7e339403aa1946 SHA512 a57e36be0e115db2d53d6fb1671d7e190b67f5b39f01e533a2a5a767131b5ce8031eb4bfd88ba1e22f78a3ec94dbfd9987833583b1474b1fe977e9bf3bcd260b
+AUX 5.10.9/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B 7b9a1e6fb4f4c3ee21b6a8dcb212cf110e940a83a67629266cee93b695d85a97e24814674b538b6ed678b9c94bd5e466a9682007e4945f2e04a9528654798980 SHA512 b1987eb3b598c37e36f8c10b85c49975a1534d25ad2bccf11f8701c8bfde7530a60ef764d86b9f734f5276e54512c4cf1d4d1990b3b040d8e30fe13ab9e9088e
+AUX 5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B c9ccbeeced540beae93b84c24c5ae8127bd28dc1b1f677f54b48e3c82868369ff099cceb6bd7795ab6841c962bc11ae013ff65ed17f64d13afebdce4ee9416f3 SHA512 80d8c67887bdd0ad102b11e36ef8fd85aec6af8ade5351ef982a08d6fdd14623b2ab93d5c969de367c509b3cd094be09ac52a8a3d973a666fd9f7b68028d3594
+AUX 5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B 2342856c194354e182e68e35b6cece64d7468648ff1c5260fb7907a1a5192d0f18d7564ba646a0c2f586c3b5a4792621a85f9c911a8204c6ee2c53eba100cfca SHA512 647e1fd21cc8589811393cb912f84b8687b8c61605264b658632ec5ed4b5079c549df53469641be6223250d560ca74a9649f4fcd5f8b45bb769bf6e258d676b3
+AUX 5.10.9/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch 1466 BLAKE2B 570e4770387cce06f65c62e61199532de9c1c229dea2c688c50a59c7d2f28f96a6a1566e5a955b0f083c1fb3e42bd3c271642e6ae0e6c81bc58a4a649b9e7827 SHA512 b9e77533cb37950ce7aef94e4ce471ad5623a6d819901a166e4956538f0e8ea1fb0edbadec75afdfed3908818572aaa2d3f2f0a237b9c3d18e6404dad558d6f1
+AUX 5.10.9/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B 1595e67b86349ee88a202cdce29c11bc3f34c61f99631ea84356bd5b0af4766dd72615407a0ffbcf3e3963030eb004d54f309dcdf2762bf940a326a3760de921 SHA512 b963b802b1c2508a52b99feea975b017117275966749f326b8cd2b3d08cc055b008a259f6d4aa2d38f7d32961b876699f6f5dd96cd3969176359dceca52b1f59
+AUX 5.10.9/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B 283702092190944c55bd881bda2d5206aeda524d41aa04369edb670cf1f0630cb92bb36d89d6cd7d6eee94ba547239303bf4d1b0149cf64fcfb1fefd8a98cd27 SHA512 89c6a359f754e3467ff7ebcd5ccb34e00e99760d9030e05abe01e2b9d974ee8dfb86cb3472e34ae55f45bc32e0037b0298fd24b2c0c517bddcbd9937692d838a
+AUX 5.10.9/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B d84dd1da52f727a43c1df175c01921982761e42cb8b1ee511ae4132581dbb23b4885d112b047d604e2428e8a0d78be33e5513a2f2cd6a68ab92cbd9f58040fb8 SHA512 0a99c4065320ece6956cbde0872daa0fefe70445590e6b6e3c23987f37d94bf8dd766da83daae97f27a6ccd5dc59214081e83ccc557a4532144b4e0867ab0f50
+AUX 5.10.9/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 28f901065b1285b35a9ef03578c4a402e1477855a5ff18ca3352c62eb6f1c9c5a0aa2088246e1be5f6d47a6c96d1a79d070fbcdcb4e2e630cc33a488dea209d0 SHA512 75d466e1003d84630c5f21292fdcc5248d2866039a31c32b9b28c3046f70ed56edc66fda291716bffc09990a661ffa23e0afa2c14a01bd0172a29d72f43a1fd9
+AUX 5.10.9/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B 40fcf2470923aacc2f2543505105e56da10d345118cf9e3ba32b2dfb0868e8af0ea2d38de3a16a841a633dd513930d9690a65b71e28d9bf0db5c7b89d85e8382 SHA512 60d54b48c9813f869368db7b03c90c867a377d8e0ed989dbe558bd831cf942a8748aea0ac25ccc2533887ee46957134dc8661e9dd432259ce564601ba8ce0ba6
+AUX 5.10.9/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B 3b1fb1d5ccf48a7585a386d0e3ab70ce818397255958f3ddbe802d12c4c99e28dde4b6177d17c278227e49fb41836a4c763673874d1af15c96e9cb0611bda297 SHA512 535363e70f3abc7eb3a9ff1e86cdccf850462432ad57ea185b733a13d7454e8d557c99b184ecf7cf426d0f66c000417992223f4ed71de04e23114e15bec0d11f
+AUX 5.10.9/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B 524b5904368cd94667fdffe0186b1d665d649b978fdb9a98ba068ef592ed8cc6ceceb948abf785bbe0d767222a6d768d74403b3e68778bcd9e22d0cb42fbbfbd SHA512 1e2cea4f47176ca87a3ff5a56adc023830f8fd6c3a8b93abe4f80d44e2c56105c52d931de691d19c73e5e028fe01ebe91bbc709e582fe85db1731f8cc0cbbe4b
+AUX 5.10.9/hardened-patches/0095-restrict-device-timing-side-channels.patch 5426 BLAKE2B 7e55d01bfeff55944dabfdb845fdb778b7294ffb80818d189195bd407b3040ecdcc4223eb551c18b0c3fadf068635593b986c20f16ea3eb3bc564d07e70dc441 SHA512 520167f270acdbe779d90f36801a5d5efe72863e1595d68e6608cac8dbb8d463d5a9b676545c1c51bd26fde40227690ccd2dd580936cd7ef7510cd3ec7c476c7
+AUX 5.10.9/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B df74633d56cad9182c24c2069afceb6cf7d2a969fcce7454ac87d46af5d66754a4740effce88156bd65f1c6d9a9f2146e3c026525ebf3612743a75d2880dfe81 SHA512 ec5dab9e8aee3f842f7fffe9c60b4f7dc3cde8307e9e701c72aaf2555aab154c02d330f0d521361e18960306a4927e816222d49f1f18f3bb2e16b987f46b7558
+AUX 5.10.9/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch 2474 BLAKE2B c3021c4c79c097bc311ef0ae5fa2e72690f02b7ca40642ffc2eb46ce61cafe9c638bfaa5cff9014d2324aac6636991792ee9750bd09270eca0a0f31506a332d2 SHA512 43e25948145cc821c81a150ad1be4954123596985e9ca81573d41b569df332646a104cd9c5158f6035b30e0332263d4010171b2377a764c1c9fab0fcd7ec57c6
+AUX 5.10.9/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch 5440 BLAKE2B 1569c2253a39ef2857f1c172a7a4a534e9cd3a7bbbc25a72035537fc9de9b08d73cdb395965d6dc71347757404f9f28e8f097fc7580383f01ef16a06176ff5c8 SHA512 6aca5ebee8da50fcb7c342fafffc9b66849c43b4621ed62369f6cee3805502aa2466075bcd88ddeeaeb32b16aaebc10f8f0fc427b3263e5d77d222fd751c5dd0
+AUX 5.10.9/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch 5154 BLAKE2B 561d5c554f19d1e9f760b631c936385648de796659bd07a3e1331a4be832c0428c51011c74e8d774afcc49ff83558dcb3e8f1f2cc1255d72745cf78aa5a14e83 SHA512 21382b905d5155434214a5a19914afdb118ba83202a03eb453ecb2e2253d49c06cc5fee7fd2fb1553a4ecc1086f586649f35c3ff828a30fdfd6d902395575176
+AUX 5.10.9/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B 37543471872193f1619c3fc46195d61e703d1b35e8b23e515a31c76452ae393ca6259404e4806199105d7f73d7690414eb39f36b5290f7081351805f5296a807 SHA512 91ea1d4750c440323d376187b15308d50019c9ece327b5a7cdb585b82922e042f46974fab927788a63be5b536301989e54c515fd7d190b1ff94065858725f39e
+AUX 5.10.9/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6822 BLAKE2B 95c86e06adbf8ed3930611a178e3d355c7e836a2f8fb3b60c8f10213f6c75f34cb4b2708e40b6e8031afc1cd3fe0adfd05d65382dfd521be7cc875e2ee91b87d SHA512 9544b4187f0fa30e98c63915ea3d0bd7eaef80508f3b244a047ea4c073c07b4f86ba9d2fb8f0dc87cf16d620af7d3ecbd0f07fbde48e700efabab73567fb84f3
+AUX 5.10.9/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B 290e1a96f10ee0c78b3399356935cd47de21c88e30e0814c913e9ae5399ef2e468e698fe2fb1c983c1589b96857e95442a286f09490759fd45c962b630827862 SHA512 8cdfc222ed2cbdf525dd5b6837500bb96639c4af1c1be1059fae98325a3f4ddd495c35fd63a614d2199da3a4dae1b9aeb168f16cdc24007753c9d1137116c0b5
+AUX 5.10.9/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B 2f495481bc72c02adae96fb47400162727192bab366fb1127d26b6bcc6c402ef4134087c8e582217749f889f49027d65c2f0a1c1cf2b2604833a378e78c26aa7 SHA512 8b361fc8e2d837df2db56efe61b840b362e348ee0a456dadd1891374bb0dc7e2b44adbf107d0ad50e35d610562c4d6dc3ed1e79f3faeff6f74b6318d5b705eb9
+AUX 5.10.9/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B e995fd9d0c91e7f75e07ab298a159ff2dfcc95a1ec98685e2d9da716fb65a7c9956ef4387972d4dac80cd12795a5fe0bb05819e4f6376a084dcd01af9994a7f4 SHA512 e01dbc042fa5fff18ec4130fb2dbebf6f5f2e239f0e74c13d86a3b35f87e78469effd9fa8112cc7f3265c0a249a11ff11235b85c1c8515286c995fe34fb3bb2e
+AUX 5.10.9/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 27db462c59fe5927b3749d60c774673acabe485e591c37e7d73eb8c4c98030e2550882a22c94a02f8508ab613194c0b219fb190eb53c11be29af53b93617f0d5 SHA512 5001483d7fb197267155c81f60cc060d8a947644f561440d9b4e017b9b5785eebe7fb96e4ead6c26bc1f0228d4ecb58ba9b4860d90d3cb9b266e704f2c038e8b
+AUX 5.10.9/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B c41f5292932dc92631671f4e707e3e2e88d5c4f0a4b6d976b2d1adf1902e065f0a06e412b913e6e0ba03473195b9635c1816ec5c89063e1564bc8f008e343894 SHA512 f5062e6d7a2eeb4eb97fa5960f50ca7f52682cbf962333c7644ef0a2e6b72e7ff3429abb57196f3842b01f20a0235ff73bf36b589a46c551aa3af52bfe036ae9
+AUX 5.10.9/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch 3878 BLAKE2B 765e7a5e6d8e984a6cc99d04c8b296c1a92edafae7c7dfc18111af013bc2ecb1368f5d7db628f6fd83154a917e745566517ad73ddec9028f440a49160980c623 SHA512 5f1a328107c2181a113058b75971f02732b8e62559ffa1f130cf1cd64aeb4eed45fcd5d985aeff0b508fe5b6332ee085c3cdbba42478026609c11e13474edb1f
+AUX 5.10.9/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B 713a0c3771b90b01f72f197d08f7c37a4f81c11f79b79e14d1ac149cae48a61e50904d4884e81472be3f09e2d9d17efdd757e1e39631e9e5f31e6d3b8742284d SHA512 e32d04017100073e274953585b81513a5dcf46a5cb113f5b387e4b5c534bde01b03061a7706ba499ed2090dff160dc7cfd6b82e1af9bcf92f9493d63fbf6f343
+AUX 5.10.9/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B dd9cc896fc4686e403e4e02768b24e9f58685527861764f61491c16e81ec536e7012921b677a870fa3f5d8c8f67aa3d98b07f45ea2bfb57ee172cfe55645071d SHA512 23e839368aad2840968fe1611a9c8595ddfa8c5b321a5510f098f1bb671fc46c933cfe86f89366968b9a9bddae18956e016017bced1ed312861f550852456e73
+AUX 5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B 758a54314f925957bf13780eb6160a9938aeb4f48d85431bd2a5d04dfd684f5e26155d9f810ea3b9ca462c3f9d5d1840b66dd18952339bef0543b59215796d63 SHA512 38f65dc1eb0d3affd4a7054df49244d0ae50509747a75f0cece43edd9a0aecaf61dd7fc8d61cd7dac384e4465b8610ffb5c62162ff38841e9a2e3a8ccc7081ee
+AUX 5.10.9/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 6f2a75f4ead70fd6367ac5e41f81cfa029bd125a342c25f81f641cd1f405e0fd9273029cf78271cd1a74ab756fdc6f1a74b5ee865313e0bcca97add831793060 SHA512 d66b7f05d956eb43318160b83a45d3769e227bc73079c081b1b2a70a2b511b0cb061f160ebfd1f6396a973c4cbe5ac012bc76b185e66a22bd0bcbb7ae3590f91
+AUX 5.10.9/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B 2cf6e3045623c4b12cdbbdecf17f65da83a5c9cafa50f87e4de33f5de9205dc0f3e3ef6b4a2ed69ff23524ee15069b063556c50778dc46439e0e6e5f9923cdbb SHA512 1e802b4588c29acff22673c7016bfb68060cbaefe6cd545a49d02e20dbdcc62b8818042f7928783d3c533b9d34379abad544d61ce6717c7bdf7b820e57f0d13e
+AUX 5.9.6/export_kernel_fpu_functions.patch 1224 BLAKE2B 7922054672029120447da6c7dbb88e51b3c4a65c5476ff945220cc8851716fad89d8b3258abb86713444cfa603e51279ed80b512b1a4c9340087b13804040873 SHA512 bcd65aae8b039ce94c1a30b7ca99f180c4f0d6c4e09eb70f1e7d358f8759528df2e8c1d0924cfa80b29227a12b5145f296fac5919e9ccb75e8d7ecaf6ddf85d1
+AUX 5.9.6/gentoo-patches/0000_README 3150 BLAKE2B f40e24b745c7ce1d72a5bfef8ad633ce27afe95859795cd1f70295e6626f10d808ea275ecaa5ec44ba04ef7851a19406a56926c9332e4b411432f6228bad645d SHA512 c69e33149dcd12f29c7b59033991668736838e715aa4a0db5d7f47901824d00f75c714a01240959a61f21334867d99fef9dbebcfe075d3e25019714f6a1c7b89
+AUX 5.9.6/gentoo-patches/1500_XATTR_USER_PREFIX.patch 2293 BLAKE2B c2bde13ef40e7066340afefe55454dc933ac3b65dda4dcf81d9958ba84d9531143e58c4d35151d912bfe21a43aaed35fd99571a769ca8e823fc0d99797a96f4b SHA512 3ed100909f9aed72836a3c712e45e0116cd3c4331961a76a27b867a7098d0df9458387b656c9ea01385c3c37585436e48168ac35666b0e46dca7da05e5e38a61
+AUX 5.9.6/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch 810 BLAKE2B bb749b365f37988253206ddff130651e1042af49a6c773ba6f93642d5927af9a9926eab278979e048c13d2ca683e726a5d0cd509de9e6177d59c85197051e230 SHA512 c97a3799a2d5e4da9c9dfe129756da629fba8183479b02ca82f9b6d9993f17a165a96bd35ac50eb25fb293785b9b529a95165b1a2eb79c05134bee8ccf22a5d3
+AUX 5.9.6/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch 1290 BLAKE2B 35f8f2a707da3bdb4df74844f72244dc6cb9fb0d41ac2034af61ce61c96e4bd472fb5bc5c687611356d06f3940e9f6669c80f4261165809592173bf5dac54b61 SHA512 dc47b18749d95a456f8bc47fd6a0618c286b646b38466c3d950dfbeb25adf3fc1a794e95552e4da1abb58e49f0bd841f7222e71c4d04cb0264ca23476ca9caef
+AUX 5.9.6/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch 958 BLAKE2B 095d70ef085c6200b3ac69695339b8937e54b49c45acb7a741d0f471f66c1fe1bedf0b7df0951eff6ccd53ade10abcc66d5d2bca994e28a49d3e4296d7332e55 SHA512 4e637935c2f37cc18f347293e3c94b18f90e2caccca726304a95c4891257a5b2bb3093aee7a97571038b29c0c987cc60a9a80aefd0d4c9a063b33d102f03579e
+AUX 5.9.6/gentoo-patches/2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch 392 BLAKE2B df15589c0cec31da2f540112fd00688f75cb6818646dd60298728c81ec4064e5f9c84e9bd09e273244627790be50809736a9eccbff201d769ff6a20be61ec339 SHA512 681b6f49e912a6db76153e6af75f24d1c6261c0f07a1bf25320c70a6e80f647a2f116222d4eca9ae16321ff0bdbd825e2daccf6185692052eb36b03dbdfdf303
+AUX 5.9.6/gentoo-patches/2920_sign-file-patch-for-libressl.patch 565 BLAKE2B ea33143cebfccbc5fdeab46161ab28c8ed6dbe265b35454659ba87f09705ed80219e9a9e47f7fc3df51292a3a7656c7a6d633e24a37911c35e47d039da530ad5 SHA512 79eaf814d76402a445efc961666a7c7c74207e552b0cb32d93d5cb828da580f7dbe93509dc9f53321c7844663205a8dce4e518ba047e4c57fc55f5c3498088ec
+AUX 5.9.6/gentoo-patches/4567_distro-Gentoo-Kconfig.patch 4767 BLAKE2B f047d5a37d11e799cfa5c0704b2844882d7fa4b1ae6f533e152d89c75e20a04522f2ee9ef59e70104bc803f591ef1cec5ff23012c34ec7bc2eef019430694744 SHA512 dba7cb0277ade2ff0edcb77b367f1082ead58c1b8cdb6300806a59483d564683c1972e5b4e0af9a60ec6f72a964e1e9199737938f8cb5c24971df7b1dfc7499a
+AUX 5.9.6/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch 840 BLAKE2B faf6f7c2ce1593250d4ba78571a7e8afd3d43ef4974025f76700f0509a7c769a565a407309f11f819067592cc77f53c4fd7bed9d6989088f0ef701b5d2fd7d51 SHA512 d568d8748a63f085453562b20d90442df996fb7bc12635bc4ad7850e1b4baed6e75f125c47135a489b77f23c45a08d2270651cc4a29ce701c48d971a42b3fde5
+AUX 5.9.6/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch 790 BLAKE2B 0735ef8178f787e2942f1520084c031f8dd66a7a5fa9e366f14181b49bd285a0cc484e1ba1e5801d4422b08d49478b8b8c6fdc601d9480550e3864d3a304d66e SHA512 e6826f32a41c053e599b78eda6069d9d65694c68d434b401a3830118216d97179454fecf63e03d84fc3fa08928d72633702b8b914cc743c9aa38ef5495fde507
+AUX 5.9.6/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch 768 BLAKE2B aaa21f1a77aa83e3c50e8c940d0c71099c7ca84dd509607acffb569e922ea9dde7238611227e226ed42c8db2596916113c0952a4783714fded7d98f6c423e853 SHA512 ee09627e7aa59b58b98b265ec2d6baddd91d7dd9c10a7101939a300d001c0f07abf47b65f67104b9bfd3e6c1a3cc5cf8ab99a2a2261e15967a4f28ac1fe41543
+AUX 5.9.6/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch 763 BLAKE2B cc065c855df67a8546a2197053437b837ae061db162c7ff948cf02f3ca31583545114e3dc7b8265caf4c68b275716d7cdefe117222a6a6575b863e0f8dee15be SHA512 1820c2686597b3abb52df08d55e5afba9ae45d8234204fdb3ae1695b64fd9f42b0ddb9e74531c7211d5c362c040921d430ec62b049f83ae3bc276411c5b97e0a
+AUX 5.9.6/hardened-patches/0005-set-kptr_restrict-2-by-default.patch 791 BLAKE2B 6e60a9267d00f0677142084daea914490b56b7507d9e168d2db8ef2fe0461094e41f28d5a8c6d0a05003f7d973ac85da38fb22c8de67aeba944a3f40836e22f2 SHA512 43cec7182ad691e94d864d79a526d195ed2f275b8810411bc2cac72cf8e0f4f59bd5d47331b2fbbdc2117599b80ecb94681c000af924e9ae5a91f3da77136f88
+AUX 5.9.6/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch 743 BLAKE2B d6cd4569028bf7f9a0028876ad546d4892f4500125a3eb08c0d0c60f306aeab4c5467e92e6af8bbe8e7b68017050534faee66a1d0ceb25998271a51157e97231 SHA512 8eabfebf1dbf9cfad323f9da9279078ad5d97ef91906fc283f66aed8915fd1f13237281eef053b2c26682c0a6d8e86ecba794d8d55507eda18e67043257d2623
+AUX 5.9.6/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch 792 BLAKE2B 4d519b0d61fdeaed26d9cdb876d77148c3ce06775db55cdf97be958957d9c4447c19fdc1faff9f3fbc96ca0db17335a52504e462a40a16676dec57cb9a3622b5 SHA512 306849001b82d8e781de9b13525a495b2aa645a6968cff9c78e529c4e34051b791fcf57b90c856de4f9038f35e9419f65c1629a503edcea6c2614ee1c7671ee6
+AUX 5.9.6/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch 732 BLAKE2B 73b12005501e99ad56d6788b085506604c94f2116cc83f2aaca3ded5dbe6fcc7b193631532511512df85e1a38c686ad9ca8a588abb60c1f57d70c937ae34271d SHA512 6029a7f2913fd2fbd2abbe298d390b5f897b28c638a7bbbd92f17b060ae48e1f6953a0f7037e05554da7de517682f4eacf54e3dfb1276690ac250394af121895
+AUX 5.9.6/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch 736 BLAKE2B fde3d90d06b7d5515fbc4ed7615188c4cb893956c9522e19ad49200be63e2ba816232fc507c7e5b1951b70a08aaa1a7108b0a33d3bcc3c84bd3c7ecfb67ca39a SHA512 b9aa1f4f56900c322b34061d7b755a22795bbd6b7c9c1c8ef1537f315896c018b767ce2245d0a434814e96232c57759b94c1b4b1e3adf919696d02368a244e2f
+AUX 5.9.6/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch 745 BLAKE2B b9b68e4830e2613f3ea63a8a0239edc031afd1921eba2fa55c02c0206181824480aa600a8731afaea156d4e2eeb5150ab3af8bda7687862d080054863f95f9a3 SHA512 949e0b10c7ab334407355583a2ba31e46c6d1845f2cec002fda14e010fc4044eff85cfe5e062b8dc70735240f136d95e7cd13f8ac1387f8c9ccc9c3842e09ca0
+AUX 5.9.6/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch 702 BLAKE2B 0df408f044982927be1dd9c7117ddf1209acc0c381fd338cf422f8374951d61c527a378ac9c1f3cfcb13b11e788a10add237109b12e53121989daff98a2214aa SHA512 76c5e5823487ef9a1c5841b57d4ed2eaceeea94b958a819a100930f527c7c68a897294621bf194006f609568d5332d9249847106600852e4ac2cb7ff62dcb923
+AUX 5.9.6/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch 654 BLAKE2B f94b7e2ccd3a086283da714388e16c4e08e58cb48de6b765fa7588ce19530159feb7a5725af05d5654f9ee1818ffe4f862230b371285644bc42c86399a81e8fd SHA512 ee1deaa42a040a2bed59fb69f4ca1a36ebd41fc2f5799fce037ce11f82d192b1a843340a3b406e61edef7791367b9b9c6beb3535e3db1b0a6666d5bb18bc3eab
+AUX 5.9.6/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch 807 BLAKE2B b82f89429f5bf36b093d58168a28b96d8437db5fc8e1a0a9c8e569732f4521ac04c74c08924a7c0f07eacf27745eaf220d24f52b5ff6870dbaf8fbe13edc5747 SHA512 bfae5028bff380557df51f34409322d78d7aaef6877cd3cb42e017ec0a1f0cf29b4058aa405b6a17f176ef6956c66e57833893ed035b68eb10c320ce275790bf
+AUX 5.9.6/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch 966 BLAKE2B a9f58d99347056704720dbf763f9a3b766ef0f0c5d9097f8e4480d4aa43b3fad3c47aa01340928d1825d7c80b60b964e8362586ad21247f87cc44322018a1cfc SHA512 73075813d7ca39b23a9cf0d807d3d7ead25eba5bb4d7742ef83897839b322ab5d50fc330fdd5f280897d0517267fcdcd4b9b82c1bd656c8b995c31c9acd5593a
+AUX 5.9.6/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch 761 BLAKE2B 521ca72d3d1d6ef7f422580d29e54b9c6de7e28f121f491e4a92de1a6ed49a46f5b4c6a404f5ac252564e036e0c53db207941a931726dcac3a157b4cf79ba950 SHA512 54cff615e87ef15577df8320e06f0083acd267a22d568daf5f152d296e4080d301577c6adc096b3d1c459663b717865904ffc211ed419e289b69b71c2d3d134b
+AUX 5.9.6/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch 666 BLAKE2B ca0e4c29116c1c043bdbe218a1b1ab04b94bbbe9223c912c7fee31ea3b8ef65536c0fd968425358109359f091f067c11aae37a93cb0398060ba42cac28ff0597 SHA512 c6e2a2064edd3019ab0bc42095b3c4f12237f7fa8dddd11f3ee61d91badb60e0744a024650b079db0fec3ab609515e6434e6c2b939914eda572a9ac1276f8961
+AUX 5.9.6/hardened-patches/0017-disable-X86_16BIT-by-default.patch 678 BLAKE2B 1f50c44a5f80fbf2bf1c2d7310ed1daf85633ccb651a26a38fa6af4357f4e0b4caddf8fa629b7d872a95773fed7ba238670a448f64a0ee23610531c784a69a47 SHA512 85d13f5d0c5b706d0ba4679a90d0aeb26251f8523161a284ecd5853f224e04ef7a23dc6d5c2c69e3fd1bc17621b9df2f6491a50a717d6ef580b6e415f7c58bf8
+AUX 5.9.6/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch 754 BLAKE2B dc37554430d6ca9a09358c201ef3d0b88d126a2dbf60a0de46924b4075729f5b00782561d40a400c6be02a4ebe8c96f80486bc95c42374c3266131b8aa09f493 SHA512 d9148db58dd562622a91fb9351dc28f99db871646a7a8594a2afbcf9161878baa8df6d109818b6218e51f55a5e3ce1ee260480e18646302a49cb210ff60d1b0f
+AUX 5.9.6/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch 802 BLAKE2B 2a3e134a81a86209b37e1288577d24ba0bca6699990cff14cc7e446abdac98b7f9c04c007c681c4d94bc9e9fa2b5dec9924c167215d336f1607dbd7e3806ef9c SHA512 c6f81f43de5af243c62375826a70bd841c9de843be0822e7b3eb7e9a997596d1f6e888483de5e7dc755b4b8d31ffd66a079b48458d34b54f6902c6b87bc30f7e
+AUX 5.9.6/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch 765 BLAKE2B 98e91b11dd265893d091f71c747fac87270b41d9639a232f39f38041ad267bd6f59515f9f33b238ede58996d2e95da472cac72a1c6f4195af770dc8096ae9333 SHA512 64d2ffbf24bc23b6510c4295ccf5d0c68f45ecad73cb5e1d0ac9c2f5debe0da4a5669a1c591e762b402fcf70016b35adad407c89ee5c65e3de5973cbcd810f75
+AUX 5.9.6/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch 691 BLAKE2B d174b0d6b6d9228483f6f2c245f4b4e6e2a0314a06cf4e793a9efb12df386e89b15b27ee4d26b0707e557be8f5513b86d95cd38880a8506c34a396c33c9b606d SHA512 171892216660e99ab83817b383a9df9f976a342edebef2d15373db77053d4a3118afb9cff99308708e02b7a4c156959410f87497f199fe16d85c7bd8bfe9099d
+AUX 5.9.6/hardened-patches/0022-disable-AIO-by-default.patch 631 BLAKE2B da2859c64a1003351024d5628c0471d9153853c1e86a522b3853464899318296ee537c32ae0d6b30ebab10a739e9bc79ea125d265bcf45b2470d947214512bc3 SHA512 6f6c65f55cf73c9da5cad85fcd1e26e63d44514f740cede0bc8eb056a7445e4424f96033367d81049d0f6d3686c64a768c210753115cf07b48407f79b0a8414f
+AUX 5.9.6/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch 962 BLAKE2B 14cc7f76806ade7cfc46a1ef888bba79e3c828240720ab30f66fa3e82f2bd44c8102bb9550ccf144790d26f26641e1b16de0af272e50c2c368b5536e4dc939dc SHA512 222d22bb269bb24d5c128b0463398e0d89fd02d0c52c2bbdfc7a5e7f7fa888bc38682c0b2a1c52fe0a85714a0ba85696370b250d16d67c49a26d4be2149d50bc
+AUX 5.9.6/hardened-patches/0024-disable-DEVPORT-by-default.patch 695 BLAKE2B fae6b088e330bf4939c113078e10d5913933b3684672d164b3b4141c50b71e189d1b12a7024422ac830930f7cb791c9e2139697081391d1d8ee3e340573e507d SHA512 a1c23d1205727f2e3ee1a9b9d7f55504b09f8a46d2a8654b0f2a5d5392d55c0c6d3e55a6f8f1aff60706c563ade79b4ea87b045e6f5e98f14fde592978b97b18
+AUX 5.9.6/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch 613 BLAKE2B d10fa2972d2a6de759a2fa136fd65c82f4b9d8172369583ae488d23a15416ff9cfccc745fb2aed53741f4e39ae797aa4a20193a2e2f9fdaeca6da7d6b2377cf4 SHA512 40d827f4a266491691f7a73e88a6e35a51263d4bddbe31db74ce6d4e5f11a1213c91007654572bcff2d10fa865474396e811d0f97d3ca899481314dc2458aefd
+AUX 5.9.6/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch 598 BLAKE2B 58650bfdce9e1aec1314cb278119d8a51ac392f1df9c5696482d48ad7f494a2fde63316363e79f4a8d9f13d4700dff0b4b51d348ef0723388e9d4f330b1a7a30 SHA512 2a1e23fc4c05dfcc09630147dbd2b93678e0cf5a9ac8fd3e016eb7782bdd8ffde5cd66fa34379f9454654f4db1cd03a79162ff8668fe2d26519bff8e434ece54
+AUX 5.9.6/hardened-patches/0027-enable-DEBUG_WX-by-default.patch 653 BLAKE2B 2a16d2220017c3b6a768fc13a09276462d8ffbe0c44ba78d2a73ff3de66abed58c1d425038664c8b5afbecdebe3ddb221ca77edf7aad3405eea70f7f9f951580 SHA512 284525a7be04bc5d76c3e1971bc5a2a60bd4202e6cfe96851deb3e1bd618fa7f3ecb05ca0cdd61a9d27dd5263a4fc752e12765e1324c6874275174a0daa5c055
+AUX 5.9.6/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch 683 BLAKE2B 7ef25251942ec0d98b8618b382b44563f257d67ed2439ed672f1fed53c1f622ffca64edba0b330c11ff10ff3222aaa9994269da1b4ef41ce9889f2afbb192121 SHA512 423290e25a5f09eb7429996dc7b4c486a99ee5a2c3e94d76b2db7e5f3de0d158357154353f3b18e1995759c8c93c4ef42a10205e8fe96974b35ef314bbb9ca9c
+AUX 5.9.6/hardened-patches/0029-disable-DEVMEM-by-default.patch 662 BLAKE2B 2decd79e73eec192e5d1f20319b388dce43ffa450cf26237f2a47ed2c8e5bec07a068a93ceb1b53aebfcb742a6238cb2cff7bf88149108c12f42f5a20dfeec31 SHA512 a9c9c5d1a2421f08c84d0d509fbd2d8e2788babe569a4df5b60c86693f45f6debe0ce7652e789b70721a906e8b58a8282feff70aadb0e33f1b37952fc32dbf73
+AUX 5.9.6/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch 719 BLAKE2B 1d05daf9dfcd623f9e90f15751b9f9ea42059ccd0ac1b2d7f2138336b462aa28e2f4289b060c691be8bd93208447ad079000b5a180d7c1184d8373235df41ab2 SHA512 6a59fcfc0ddaf5a05140068dd6f99d0eca89a3ad04cb3af461384d6ec0b266edda49be73e0c838a1fb059f1944d18be693b38117e131a22d8b66656a3da925bc
+AUX 5.9.6/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch 652 BLAKE2B 24773bdb9c1a4302b22775c714d90e8d7459f683c106db83608027d2610e5d6d9cda03dd44da9bf300a8169f13540f332b1257a16d73360478ce6ce63bd00fe1 SHA512 44e530474614b5272c4216c29c7bc9f57ba43575347ea260131d323aeb836fc4ca7af3b960faae9d152c1c3b30a8ea1ec9ed466822cfab9243e8b763d3b7a9ed
+AUX 5.9.6/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch 1397 BLAKE2B bb1262bf717022eaf16bc4b1c4ccf160e09f0de50909da8e8e8efb4f2457fac3d06b3095148e74f48d57a47c8ac327d9c799fe25e25c7b3f82bb217bc252bdcc SHA512 2d954092464fef2f61c4a05e1e363f91260da8dfe438d1fc84a2fba71d81b7f3c978e7bf8074d096f0af8bb55b6913e30118ccc7c0e9a44b25e8a9a35fde6e95
+AUX 5.9.6/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch 818 BLAKE2B 2dd760198a30e8a902125a943b06002cadb5e2e8bc13ce9b17c6bc9f7e6f5ff30beab03927e772f9cb6da5cf8612eb038f33d3a4c864bf346c452ddc3e689e44 SHA512 37ad186ce32276fa1b32b089cdb993937f0541ff85cfde3ee6ad5a2ab6adfcdfb971de629a51a4d151637be9a90294ee6a79509ae21dcbfcc93ffcf35274a173
+AUX 5.9.6/hardened-patches/0034-enable-SECURITY-by-default.patch 646 BLAKE2B 019d1138d937e2bf9a74dae9df3ef9e473c56b076146ffa4dd5a7f09e4b84dfc2be4dcc1b84a4318a9c4cec511ff05679c9369e3c362d2f07026694eff02d610 SHA512 6fdc87fae0c9c4bd224107ad68d5fc98d24e644aaae14bd5d9d31fd311c0a135191f00e65e703196f6afd7de0817c19cf937b72b3752e8ab35bb268b0f66b876
+AUX 5.9.6/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch 706 BLAKE2B 0f686646e1c4400974793f047c343b55511af1f52a77856d378c68492a3e6b27f1d0c9fecdc83617a48c83afc98a6a4b8cc8c18154c3ce7a0732b4aae013b601 SHA512 fbb8e9a6434f98e59d4533187ad2dc1158e55d45a228ed3d2a99582efbb8e2409c55f5e82e1bd99eaa94d533212d94a841ca9f2be67fe20c3286a29a723b9f9e
+AUX 5.9.6/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch 685 BLAKE2B d9a97fbe0ff33c4926c479376404d0d2cdc4b7fd910844fd2e4de52055c4d9b0962c1caca5c11426031f5e1361f0f14856d0ba94a7756b9727c5bb9916628452 SHA512 8bcc6f57e3c977a9a71eeaded2c01ca7928ce51d5a2a30e75d5effa195b7e5d8db966c56ba0e9512d8d77dc7c535aacab6137652aff919c6bfa8e413fe64af1e
+AUX 5.9.6/hardened-patches/0037-enable-AUDIT-by-default.patch 628 BLAKE2B 7deef03350207dba4c42a21b93282316fd729bd5ee7b5dac164ef4fdfb2060b16c92c99505005738da317bee651036c08aa77de118d95e4f5a07cc0ab9aae969 SHA512 a2229aa27eb77e59cbe550c5aa5dc497192c41374e9f7599b66b720fbac5daaa644135dba0c0f55c8cf6f406e1cf69bd5ab4fb5137d22c78a51b4663d90d40f1
+AUX 5.9.6/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch 784 BLAKE2B 77bac042e42fb64956bbf29ae707615873846a2c123164b83767c0d3020a1fb2009464c35fd6a69c39ddd6b239b5c85156ff54d4e4ea0ff10590638d33735ec8 SHA512 4b290ba22b204794bbe80b7b782640093ceb39c17d0a404e0576bbe89e72fbb773b6df66a752c94a6dd1c07b8d48fac4200e948c4e27b3c8da3e83f9d6f4673b
+AUX 5.9.6/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch 666 BLAKE2B 0a77a3fc38dd4cb7ca94f726213840bf534eb99d64501c94749a184384da9cd6c6881f45f73d3d2a251ea952bd3eed39502439c4908874898960443bf5f98bee SHA512 9ec3853150412b5265904c2672c7f88bddd90534fcdb33e464717b4b6bf9c8fb9a4360ff6a4c5166a6e8c4bf0757fb24fd8c221bb6d182307bf83782b21ef283
+AUX 5.9.6/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch 716 BLAKE2B 2ce9a7e29baaf6ef82ee37bec1a07dede32fb379ee1d7892d0c68d544166785a1a43e7085381ae2cfee91678b02c482efeccfdd60a9e327b0b1bddb79c52505d SHA512 08e346cf18f347732f4b7c1dfaa5c93071521327997e0a2e8b919e991d21b5d54753f725b1f2d2a2dbbf62ad3deb6aefe6ef6f441e98705bddf53d26d9bc0ef3
+AUX 5.9.6/hardened-patches/0041-make-sysctl-constants-read-only.patch 3971 BLAKE2B c3118872a87ce5f03974de194107574c82b68217b38bf775303eceeeaee213d912b769406b1a67caa731a6fe1ef993fe237dfe8f2ce0dbcae8d7860b46d28e0b SHA512 871d5d751968452bce48313c1190628f052dc4eba6657970f02d1fa255407076b9e655d85ae5a05387153e6e12dc3198068ff249616ceb1295e079aa6d4c95a6
+AUX 5.9.6/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch 2089 BLAKE2B 47e2135c2d6525dfe5068abff5368da973414c680f99d4afb611ae1e60f023d027a1fd2b1b5f050f0b3f7e22ddcdb1909d0b604a122a2ba1917af6272fd3b092 SHA512 ccd42f4cb2738f4f45770701e727ccbfc6d52781ee96f2573a76bc7dd567609ac29e73455942b8aee40f1ec79af4d2c1dcabd336ae41d2cb9bec262ff14afe80
+AUX 5.9.6/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch 2004 BLAKE2B 475818a8fc294a1010e3b918ff811d19f24da18aba09676e8a038954e4cb727a46b65348acf3c7ad2619029bffd7257a6998ef39aba68a12c5e531dc85669da2 SHA512 80e326a846812d1e9aee2ae8f0f7c6f269906701aded51a177e6f8c99e23616c6c7f7b0a2693abfbf9a99c89f17d7b7d3312f2eb4b0799808fbc005687c78ccf
+AUX 5.9.6/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch 1165 BLAKE2B 5b9222240b53b94f9c098bf9b1fa6e93517876666003bd44aedf9af0df809d809418aa4c563069c5bdd3d63e4932b1a4bde02e01c1eff184884b73d54ee8991f SHA512 3917f4c551460670b6384b863f6be321d1f4cdbc3c3a734bc8c1ee860d06c08b46c9af1090b05d0556dff96853fa99c7f5c8edf05b7a30bddc38f79d728f6d4b
+AUX 5.9.6/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch 709 BLAKE2B 5bf0e2d58f4c710302cb405c943a2cd023e7cd5f3671cf9aa605f86b02b7cbbfb1381527d6b65416d4a4ded3fd36c0d8d12efdc58881fc61ed5adc14c728e20e SHA512 a439d19b2af01989f8a01f59fbfb4dae4e6ba80631e26f46adb8f9b72b5a4e259bd7ac3336b959f90f10a820ea5e222252b77f1226a9a68e4dd5c64d4f5e875a
+AUX 5.9.6/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch 1954 BLAKE2B b470e1d3a32897484bd239ef72ba1445fa79018b4858cb6fbd1044d242b62e3370e5a412212ba429523a95f38bee8d026b711be909f7323fb292de6105620441 SHA512 222eb77f62f5315d8414780ca153aa2b678d76e3930c951b06bb408a2e5de63fd300538cc07e90b5a51fd949be8f676e7454e936f81cbf314e6e331929cf69fd
+AUX 5.9.6/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch 1663 BLAKE2B 07561bb3c5893d83e6e32feb87ed6bc65ff1a3d4b0c79635d52e3f58948422a34baeba63d38321ece86d45f186de5fb31c6d6949002c3b9fb94f8e2df26b3526 SHA512 3d80267632b25ace0a9abdb59af8b80cfcb7ffedf73a842f9b85c480cd4501faeacb5b252c50340d15d337a5354e02c89eee03cb46a0f73f54239b1293407250
+AUX 5.9.6/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch 1272 BLAKE2B f359cba13a089b62d72af6a23d8464740838d772ffcda019bdec27a4c189b0cd9cd8c3c6aa195b9bdb44b2a15bcbf01dd7d556fcd2a2a26169ddedd5ca033fc6 SHA512 09cd5e128a1c633777fca95fa233278dcc9c20e3d577318e62c5d06a0df450dbc0e192740bfeb97ed54a379241f03c27cbeba94832975bfaa0df9bce001a7f50
+AUX 5.9.6/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch 7327 BLAKE2B 340f1df27aceaa088e2356214a88280f004889cc1d1730a52a4a2f2f89483d4859069b29b751b2071856bf3d68cf9757cc7e457b750b44a0d5a6e6b50acbbf07 SHA512 537e033b20d3e6d7720544b5f1129512391a0668ae72798ff10bd28c95fd953ebe0cafffa940fc5f4b10a3abb5d03ee9b26e125dc52d7e8a09be02427168b9c3
+AUX 5.9.6/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch 871 BLAKE2B eff180721ddf0206fe55eb609d6acccbf2da52643b8ff9b4c730cc505eb113c2ba20d6f887c881220540a2b907e91eeaba38f1013ce4f5e40c81e408865ac472 SHA512 41e5135264bf00cf8c8f76d91ec5423684328629d42ef01698db5877b818feddcfe0f647af25b2bb7b0498314d98343f5a359ce30dae065fe1258e843d08d3aa
+AUX 5.9.6/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch 947 BLAKE2B 3d9605a7e36023069791285d4ee1f7de22536458f1bb4e2e8d88dde5e64891ce8457cf7ae4616bb6094256b154f77f297cdeda97614b9970feec0e83b67a57e6 SHA512 c35646a0d6f7f2b00c6144383ad6d7e2bb731c6a042c7a01bf52edd50f8f693887451821a3afee5865b57e128e1f5e7673952b854422dd050efe7247a10b0343
+AUX 5.9.6/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch 1180 BLAKE2B 850039c4cf33afa0c91ead86daa2b9e9a61c278cf5981ed471f28adbfaa934708d8e72f0af78cc91c45a1b97b965db56cf81294a1c59ac493f88bb2c4b889aef SHA512 3dc8399523346d6714c3a2299fa0e5e71ec40b7ebe36424cfbb88f2a6d620925832a5ecb0f571bd94b58aeccd027bdf93db0c7db50ebc89def2142d16b3c08b3
+AUX 5.9.6/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch 788 BLAKE2B db749b6b2a40c436ff63edd94880f6d17b5c4ebe82e109a1a3d9aed35c19c60273b245d394370096f145574a8cf71c3cf8b9e3530a5b748d8be0e87b342664ff SHA512 ba229ea806624d305b0ab2371694cec4c9d93a65779d3552ede3744830c2f538ac1ac6761c7e6c96e82214025753dadeb3abd11d3befdf0103837d379410cacf
+AUX 5.9.6/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch 2256 BLAKE2B b22cb149107fb8c68511b62c4969ccdaa7108343e6bcde383e0ee4b749e5e6b4ca38156d04dc89680f77536ea68f41bd36070b38b4ec2c84e639f8b90de79ee1 SHA512 69a44aaeb94bfd83cc71aa86464f2380d8f55f7e9b9f9f6f859ae2a19d24b74b054a7b9b9b16918826b747e01c89efdd1bfbac3a414f0aca3c211167c3363282
+AUX 5.9.6/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch 2454 BLAKE2B 0f0f4e179a258b72fa8f2858003e568fb774ef58cace0e404327d9f51163e155f7d48be5395c52a15f37f3131ed6a6970032c8408804240c3c45d33762f0a6bb SHA512 014de701b21dc8271a5ad054b88b58d8e5e45106a945ea8056a945d19c1b259d41e4757f7e99fc3fb9064d01f2964b802de64ab3d4487aab5bb2178f09adfbaa
+AUX 5.9.6/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch 4020 BLAKE2B 64d7a9d7cb0ca969aae1098fa87bc6ccf283710c2d60585613b98f37598220005473ffec96aaa0005bde65d254137b1213dc152f9b0000a3f603b8e8d5c95f15 SHA512 d38514b0008b18b02c206f3f78a5d175141225b6768823e035fd83dc060e004690ecac948b39760b15219f0e17dea11b77abc141253f647c97f1a8e03e05e603
+AUX 5.9.6/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch 8811 BLAKE2B 8da7b7022eda0f309ac03a3bc7f285d3d76cbb899ffe914868b36cb3c3577ae16ce06fa3d1e8c7aa5722ea1325293284394aaa86d92901317a39e318fe36b0b0 SHA512 aa7bccab47ab1b3ceb30fde86624d5a0c7fdac912b3baff2de6e620669a18e8b7a4b9e22a3ec8efb77335a1dd55b36bf16829438d64e1e73981153d8092bd1d1
+AUX 5.9.6/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch 4744 BLAKE2B f6b0e3d087dd6db3c5365a7928219fcf907f07e27a5fccf8df59aa2af0e08dae28e83c46b8b6892ed9e0085382bc699859f2d352b8767d386cc4d0d41b43eca6 SHA512 d821240631cb1ed6b2eea12269a6d96f23ffadbcffeca4e820bd2d8560c0ac8320e07de9f16f69b95daa14752dcdf37bb84f9d3d5aeb7f037dd0f09d0f054135
+AUX 5.9.6/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch 798 BLAKE2B 7660f0210982a91b3778033e12b6f76ac20bc9c3959696afc8659241d9f0f998ee83240f13e07b7cba005728e9d263dacc1b7013d4ee39e22e1fdd97bcb8cef2 SHA512 8c6e8876fbc9ad944db8f48926be0211bc70080136b61c963d0666e5316081d455aa91c2dfe0a9ee3e78ba98a8a56f7583a01737b37cdc448604cd7337fe7b11
+AUX 5.9.6/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch 3791 BLAKE2B f3d3e5f5e7eb72cb780109a955c51d2343d97873b0aa71e08906c1483c77f7faf77301064bf809b22774635861acd5efdd98163a1932f141cae53997ae460305 SHA512 30fabd3edcdfb837a5f6085898bb9c17feef93915629166fa46009f507b92a4a16e768da25123b6ca7004c9496cc7b66e067c0460dedce2557db2507d6fd5e10
+AUX 5.9.6/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch 2735 BLAKE2B 3d075a18cdeda0f5d9bdc5e9c29a66d5623eda7990b1d7318bd8b8dba1dd3fa3e8befdfa7015ec8ec3f74e638f3045e96b75ea2a1c6c7e2f58af079e22c48fe7 SHA512 9e0702d0c4be487b56adff19350d4615c47d9bc9674e8d7a38cf837f5f232b1a59470b633e5a534f797238a0c1631d96f8e9d5473b689c9cbaa35507da65c5d1
+AUX 5.9.6/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch 2249 BLAKE2B 294d14e367f49a7b920c3a5850ee5453387cea8379837ef2dac351770b87376fb43f139c98e0b232d32e4202c7d6e3d03d9f219c77a0864ff72d0ce658f23316 SHA512 0a803f5b07e3e1d3075084035d8430f1091b933b04eb59eb1668f8e32f48a6db4af03b047af57d2a75e6b7bd804f9169d4f1cd3e4b156eee614812f294d3dec1
+AUX 5.9.6/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch 860 BLAKE2B 76413bdda6071345c146eeaf20e4378ccddd0233b297ed89913ca6aa9ec13d9d60c08741dbb0fa1fd461e2395ccab81038a0b4b7b08400c45ce6f8f8e726ab26 SHA512 a276625a0b2c6ce3169509f0d942a5f18624a4c6d3fd3445c9f1dfecdcc9c9525a4540c9a96edf64d9871149f15b14e00045e0e258917e54729889ffb6035c7d
+AUX 5.9.6/hardened-patches/0064-add-percpu-alloc_size-attributes.patch 1588 BLAKE2B 90184348f41b53026a7f33f1eb193e48b276078bf5ba74baf41874cc6a3dc9dc4b799ac6ba15e1fe20f8d1d2c5be8f6a759e5ef3208a87aa34cc1767269ff7e9 SHA512 052f9ac7275a6692ae6fcac2621ea3c98b34f6ab6897204e8a5824bf5190dc25c62ba23f56321d4babd4773217ba34508efb042afa664dc1d8420bb918e52580
+AUX 5.9.6/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch 1247 BLAKE2B c016865b787fea8a2d40f58d7002638fba971275d26c0a87fb7f87fe54633fc8e55183438627b9e90d28ee976f15b350d641aba11ca0fce5202caea632590434 SHA512 027c9fafd1b0bf0ea2a9ad9659581239c4e3160c6c0ac1a00043501922e21e7f715f16c2df850a1447da16309176f32a0b61004d76390eaa30e2b8868651562b
+AUX 5.9.6/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch 3642 BLAKE2B cde096fbc55c157bccaeb7d41b317d1e201066ff6a859ac2b40c1db56bd9e4263f52d0584fa15204bcf2b8df7245c36f72f0865c3c0f14c2bd5ef6671d2bc7c6 SHA512 6bf66e3175124e41a4f1c6a8dc68502bcc299f2702cc03c759010eb42e5b1dec4469132461a3e26cacf4f93470b656b88ac9dfdc44fd15328fd69f7128e71d6e
+AUX 5.9.6/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch 1191 BLAKE2B f942271ed2464ae799d21ad26c44d19fff1005559cc8944d23b520e03bcc0679f1bdf263a4d958ace2274ee87e81cfd1e732e54d1cc6962a11e102a0e78af7fc SHA512 dbc27fc2d48787c6c24a18ff108aea9833d8b73489fba05e91d52850b2fc9408c5e2783db7c139e3f38bafdbcb2f93ee10103e1026c769616b306771003c21ef
+AUX 5.9.6/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch 755 BLAKE2B 49bb90822b25322f2701287085e4c9284af2cbdc8032ba8bc299deccb6e81318d80afc60472bbbfbb8085e1c9aa4304d563831c58f06d2992eb522f6a509fdb4 SHA512 b2d7db26fcbe72cadb4ab70027d0e401460daec73a72b09045640547e0d7abd034576194be6e10389f47403535e464cadfd8c45d6486f7c8a254b2f9b785e2f7
+AUX 5.9.6/hardened-patches/0069-add-page-destructor-sanity-check.patch 2205 BLAKE2B 42e7013e3cb1a53441a20915405ad5e6290ad904e86aa369c15110cfd2bd077220cad1a7a53df50a0269858b65cbecf42667a4fb68089f3b0380f16741d8d991 SHA512 d18eb16110ef85b3c03baeb9ffd4f7ea2717422a87c23c9f8c5e993b17d468285c5e6087373ba268953e4f5e3cdc30b28da361ffc74c9c7db7e0526628ff9ae8
+AUX 5.9.6/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch 1793 BLAKE2B e5c29412a7c19541632b08896ba6ed48d7ef7ba195c0c5027c5de36f31b620ca1d797646e7101d2bf3bcc6d44fb6eb7b47d1f9c570df4e6229b212e404fb4d44 SHA512 e86c4bee3427a336b741fe2a798cf52adb5866b6a128577c17e1967b762db3b5786d980d11cc921d2e65bb6b5c03b7988de2cbd77367e4e82f6ca4d5ea96d106
+AUX 5.9.6/hardened-patches/0071-add-writable-function-pointer-detection.patch 2688 BLAKE2B af5995267a6e5c8624a4d3d0cbf11cd04a3da6d15dee923dbd174942977b87e0f03c67e8da80c87f0a3ed1d8e1dd2c0a55aab94840bddaa9842a81c6af2b9aa9 SHA512 a69aaaecc93d14b8ff2dac3bb96620c7c5188543688dec3a733a2a9784d06e35926c14c0e439942ee9511df99444ad492a69bda1d82ba68631a5d0e753d069ec
+AUX 5.9.6/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch 760 BLAKE2B de451cf26dc4fc5592747fd3366617af8a32b9dc1c0940464dac0e044c252298dfb1310c51c96e1133a81e74dfb420a7ec394f63ccdb7c9f8830525657dc06cb SHA512 98befab6a819e392ec5b4d516b5d96746d9091da639eb190f60a477ec2008af1d8146fda5acdffda412afea463cb0ba9c5fcadbced257126e02ce52e6c3a408d
+AUX 5.9.6/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch 5669 BLAKE2B df46ed1b157978ef4944f57a153fb843271262edf8ead228872b40863b8227f4b2dc3616081ed88f34e02a8530ad7b1b49af0ba4f2cf9c879132e85ef6865b15 SHA512 6bfea77acd34633b3d19102af04df6a0a26fbc3662a8ef57ad29be44cde009727085b97542a6f15ebe93dfbf8b2eb92aec0041d8054f582e996eb10660c9c066
+AUX 5.9.6/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch 1986 BLAKE2B bd48789da072a85b8d6575974d62e78b835a9032b30be78539cfba630b629ff825784b582649093152dff18f8ba766fc58006460754ad969ff6436d048920f50 SHA512 3ae3df0ab47c46baa65b0b40605e824f2d2a4791b661f628d1d6060b8284da6db1423e3922021a1afdd41c481b29429b368e5361feca1bf49750685efe510103
+AUX 5.9.6/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch 3921 BLAKE2B d115c42117cd13e71e873e978fe0c01668596d152792987d3b9c67fd4877faf818a61c9cb1a4ed5117c1927715b168e881e0ffe412b571628e7b816e45d5fbd5 SHA512 555daad2eb720c36505ca5149f603eb61c2d3f3b1c64faee6a60136c16aadeb044d4854d6372a2b0e86b5d4d1dc533487fe05491df8d3fbe80e8e30f904167c2
+AUX 5.9.6/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch 2502 BLAKE2B e24c12ca751c2b1e5445ee521ae2b4407f7334646653237a06adeb3dd498261fd8907e74493cc9dda8e5db01be4cea4838705ef05af988975df4317d5b3058aa SHA512 57fbad81fe64b0c03566648e24283b0a5a1b1d0e6c053edbfb0bcb2ff57b62357f312ce27577c54e557e8c67df6cdb1665a99d9a2a773b386e022b2290e29f53
+AUX 5.9.6/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch 2224 BLAKE2B 27e0fb189c0709c795b1f302459c475f63337c4333b71f43d7812c4d7516adb95280755a6a4a8d8295ab5cb30c28532e35e5caf7a51d28d0b0faee4dfed0bbbe SHA512 0ea90f00664520a06b02d10e4c66227d936b98c9d9e041348490075f6c9c10d79d69d2731dd917ebcef00e7096a0817aa5ce0b64fc3a944a652424e65a46163f
+AUX 5.9.6/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch 1061 BLAKE2B 223582247efc4fa1b16eacfcb61c6e86ca980033cf649c91e3d9059ca5ee1ffc1c3e1c5480abc47dcdf125283675b7b4a492894c18a05c9934b5c2a368ef2aa2 SHA512 42d3d4fd1c4ce6d108d6be47b64b758d62dc0bff811b610d235bba272e1cb3f085915d42dcba59f1fa05153ac5689d84fced68ba2655b497eb6e00b16f89aa28
+AUX 5.9.6/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch 1019 BLAKE2B eefcf2c111204d971a4e7bd38cc38db6c9e3a3960fd2be02de4315bc58fd792db7fc82d288b0272c9d7bcc496160b39650580cd05cda154183ce9d22ffaa7b57 SHA512 794d45b7cfe0062a07a53c608a214dfdbf4e8ae8fdfb1dfb17d6f71ece10d6da6ebb4c8262fb7769876a5e4036d30a2024d02f194a876d4202bf8accbf91ebfe
+AUX 5.9.6/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch 1368 BLAKE2B 263a86157f05cecda034cfa096caa056d5a6f28640a676ee54b460e8917a6f2f1ab69eab213547b80a62f1c751ffd6902ac036358825736b3ddfdf9a706bc042 SHA512 066eec4498198136bcaead7831ff339f811ca09f496ef8285338b5342194b1163eefa0558435e955252ac54eedd9cf1f7d458aed874aa770337b9c783a1496ba
+AUX 5.9.6/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch 902 BLAKE2B a953764248e6dffd85f14afc58ba9273268a76c5629d9b92a09979e1085172ae1ac6d39dd64275112508887db1b2e5a2a74d5543b0a5cd33307ef44c4a7e4efd SHA512 2ff44c261a842ea150db87ae8bc3f6a9ab0723bdbb2ff30282f48a353c364594da3b71ec0ea934d3d4a9fcd1cee0ce221c834481c5ab7e57c237742b152e61de
+AUX 5.9.6/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch 942 BLAKE2B 72db16dfd8b0dfb4cefb99bb82d57c4696541619a0d35645b4e8f30aeb82015f44d92303d7e98fe80cbb282aa66f72902aa20e7fa50c7819169f1f5d825179a6 SHA512 139f2a49e64c77627bd9e27f3561ff7b54af54cfe488cc0530898353ef3a36a8f0ea3fd6f64880410f4bb981d1ef8b08ef3aab231866ec152e32bd39761965b5
+AUX 5.9.6/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch 947 BLAKE2B f86f0b02bb8a8de32ecf2dd3ed8ce29ddf8ab5b6378d1d46c51131a6d36d24679f64215c2d5f3025044f46fbd49e0979008a8a1252cbe545fc7f181c06b84432 SHA512 c790b2c40dc43b339baaf5b8695d08278f51d068ea78e9edd4d9819f1e22c2f9dd1d0fc8e2ea9efe3defd63733d6e24a2adc6a9a6beceab4aaeafdc4445f57f8
+AUX 5.9.6/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch 987 BLAKE2B c001394e1be7f40b39319fd869f0c27be2a7a2337f9a1f76806d0a929d312d92fdebb462fbad60f387f06ab6a3592be73db2a0d0d14b577dd812df145e1f18aa SHA512 7f5cb14495716c41506fde65c48a475c3321a0a1d465c811d95c8f68c9ef583b10d9f6375037d31d5919f30d33d889c49012f2f8b95619f9cc463a8f1bc2ad5a
+AUX 5.9.6/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch 1075 BLAKE2B 387cbf96cad968e09ff473435bbd20297785e682505a0d6331cb12633e9f4da70007ead1726c11af00bf5ccc9fdffe6124be1d144175f4b03fc3983ecd177aae SHA512 d97e80cad26effbc42fe8dda7484f8d1455e6f1670b27a8bbb5837ca8cd8a93b49615cf76ae3b3a473153432e06a6d86b9d84671b5e11861d277a4dbe027ece9
+AUX 5.9.6/hardened-patches/0086-restrict-device-timing-side-channels.patch 5426 BLAKE2B d4aafd587d460ef7c0c28a65fa8ac252bf5b5bcfb5e769f5ad8080d902206bd67e0a19c17647892150ba751e857b4d4bb2445b21e155a25141d990a52dadb973 SHA512 30710115e91d1849b80b8d9f004cbac1b75b48798bd9daf4050e6c0b20065a388f7f1a00dea110b05156f14ac4eebd69b0b01105da660b0c70a69db31e108ae2
+AUX 5.9.6/hardened-patches/0087-add-toggle-for-disabling-newly-added-USB-devices.patch 2469 BLAKE2B 49d6baabf8724462368f1d93faf1591a237fecc61ca21dd508752a498e94f20ce943f7d4d83e5d012f389364bdf57a49215808d4664972507eb00374a344126b SHA512 458e9a0e70939118bbb4adc589050679390e3431746ebe2a06a8fd503833e0818c1bf34c46b907c756a219aa0eef89a459bb4f6ced73b53e353f61ef21d459ae
+AUX 5.9.6/hardened-patches/0088-hard-wire-legacy-checkreqprot-option-to-0.patch 5149 BLAKE2B 1d4c21e3d1c57715a9b972a6a8f2e3f4c8408fc9596a1fc3729ee0754a9f9b204c1f4b13ed2a432511516c77fbea8782a8a9267dd01046cbce67983146fcf8e9 SHA512 e221d087d01e40632044b5ee021d71c960914c894e3e772111351cb52ae8ac0447333b1fb5a8422d70da2da33a0a0d05faef49fe2ecedabea48bbfb473d20667
+AUX 5.9.6/hardened-patches/0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch 2194 BLAKE2B 64cee030a28e115e205f5037e3352414ac4ae67e6bd982db27e2de36fcf5fcaf6ca745daa726fe8f4a4af618d811b73dbf0114569beae173d8a77321ed243914 SHA512 c99e52a3101d37c17e70f94f959396dc0c0550f256cd8b5a8462934676352b3186ad37329612566606b113ee4db3980c7d03b4efe2081bf340cb2d7e1dcc984d
+AUX 5.9.6/hardened-patches/0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch 6816 BLAKE2B 1b5bd5d09b0ad2ba218a0b177d5d84ef3172f2b6c8dc7e5305f264e0a3c9255b08552a3b851bd220d4d9c67ae7d2a4c935787b6ee8c2512480a5432e262f2f67 SHA512 53c08e5cdcbdac6fe8a11a186a2e0c6970bf5a1660b1b1c9c540d045dea5f9b650aad5519856f6d8ab80c8ed69b2e3736175c2f76d46e89417c92eba0c694b28
+AUX 5.9.6/hardened-patches/0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch 824 BLAKE2B 0ac2d65a42d5a197473bbb412039769c57813f3f68cd4329d80a900c1babe26cf462e1b07f503a31cb0c39261be468d8465a33182d71e5cab4c9c78d9daaeec8 SHA512 5e88518aad7e32b597f7ebbe4546a699d03ac6d7c6d0e6708db0ef29adcf622283c0976c0e055316d083f31970b1619db49304b5141df6ff3cd2cdd06590f30b
+AUX 5.9.6/hardened-patches/0092-disable-unprivileged-eBPF-access-by-default.patch 837 BLAKE2B 004f1d1095dce71d6197ad1739f22e966e8931611d801d3d4e2d0843a2864589971e7411c90d2fc56566beedf09e3cd31894e0cc373e398b27368aa77677775f SHA512 4f3fafd5172c9d469eb74ec4cd58d71ddc122b53611439b1283622774d21771924cf2ffb86ed606450d4cf554d3d0a8f533cb26c2afe1ae5f096427fea6695da
+AUX 5.9.6/hardened-patches/0093-enable-BPF-JIT-hardening-by-default-if-available.patch 857 BLAKE2B f477dd0824da6b9232efd122113c5d33e7c9fde8a7f51899e9f13496276fea430fd3e80c45d0e302dd2c403a95d5ddeb11b7377aa433e85031f84a341bc47602 SHA512 8b679a47dc3172e45b3812b0fd183cbe50c98b91e2fc439238b5d48fc53659eb59246b6a2026b71aae823bcb4971ebbfb410c1af6427152bba8692a6e6043c3b
+AUX 5.9.6/hardened-patches/0094-enable-protected_-fifos-regular-by-default.patch 857 BLAKE2B 0bfa33d8863154c6df6daa0af16e0dde6f55ebe18e6c3f87e9129fceb2fef5c8a5a164094be34195c7fa72d3d2fdcecde33d94ccb8470dfbec144e213350aee8 SHA512 d3e376671f5b92271387bf8c975f60e91b1580346cf1573f0b3665d052303656eef388ed557f3aa202993e7f8d8bcf76590d4512681bc435d590ff453f3da0b7
+AUX 5.9.6/hardened-patches/0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch 2171 BLAKE2B 51ab7ee108f6a2cc98b16b837209a138a1fa60391e6ab8f47041d13c64ae86705cc60ff9000e889c61216a428c495b746a8151ffe69ddf49d8b2aa7e1e9c949c SHA512 05395d4151d32b4d684a8817597e375b633e8e6cfa2b8cba961066638e92ea8c719efacf0c9be373db17b0a804b53c68144babf205bd766f1627645a4f0a5ae0
+AUX 5.9.6/hardened-patches/0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch 4376 BLAKE2B 22c68a5a2421d8dc420f2ac147e5b8a0a824429b34926babaea4a90e7b1ee015c4cfa37e928f0e9196ea2810d36107985f6bb3adc03849507edb8f1952d8c074 SHA512 a424fc8d20de9bca31b0acc59f63d68ca026aedfdedccbaa99be9e713bf1471f80ce409cbe7cafacb9812786d99cfca69a6078cafbf28902c8fd6c8ef446bd1d
+AUX 5.9.6/hardened-patches/0097-mm-Fix-extra_latent_entropy.patch 3641 BLAKE2B 87204bb44b17622fdf6f9f11a7f227d87d1ce03c3b2c2c5c8f0ec5aeeaf3f9de32a78114706001735082fa1dd100f79d8c56fa77dcde0968907f2ccef8301a9e SHA512 8474351a4dd5c95f905fa9363a9912d7f250bee1436473c059c87fcedbe81e2f17718744047f9a97432fa87d21e03cd16a17870aaf6e0031bdd4f9b78867c0e6
+AUX 5.9.6/hardened-patches/0098-add-CONFIG-for-unprivileged_userns_clone.patch 2070 BLAKE2B ea53f319935d6b885aff50171bdfa05ec57acaede946262f836cfed5247afc534d05ebc811a572370e28a5b7256d974867ee62e5c9729667792c0fb9360bfbac SHA512 f2a56cea1074cec065346758df03e9e118fd9be1ffd269a07fa20f190b052ec4758f44e971244e77e319f4b638a6c736fc0e532b1b26a68854f79255140e6fc6
+AUX 5.9.6/hardened-patches/0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch 785 BLAKE2B 27ab998f28c44ee7d4d538e870484c49bfa994dcc5680a417598a16117b10006d43a30cc35962f299eddbcdcc5719e3425f77ff0523f4db7e6064796ffcf428c SHA512 d85874c4b7b20aa011247ba94b5be05caa630e1e4592a6e4555f2783400d81263c6e525b67d08cd7154560cac87c959e7936fe8dc100b1d55a00e652a22e76ef
+AUX 5.9.6/hardened-patches/0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch 774 BLAKE2B be53cfe9c68c4403a5b239fd494c85ab3fbf4a13f1f0cd070869eae5bbe2c7cceb9bdb3e77e2be201d2a7bba26f4ea0342b0ea717f22fffd24a6f9bde35aa4f1 SHA512 034d69ffa5a1e734c2ac298d461280a592d2aa2970f1276381d19ef385a6f8b99f3063c0e07d4c00721c8b4c803ed1698ef7520282d17d42e09e73a4a0adac9a
+AUX 5.9.6/hardened-patches/0101-add-CONFIG-for-unprivileged_userfaultfd.patch 2287 BLAKE2B 4b45a7a624a31aae291921dadff265de2ba170d08c833771ef5a5cf1e3a99319a49c7271edaba1f31e78f4b0aa4d5884e8860a2144d67296da4aea205386468d SHA512 f61426589c5ae2a2cb3f90f0364162528d7f605cf2a2cba96f07732dc02daeab4a7ac60edf7638f68811a65a2ee9cc6608b872131d1881bd947c93f67b3485d5
+AUX 5.9.6/hardened-patches/0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch 2692 BLAKE2B 04b8dc9ff1a3062ee0c33d4021a912805fe8860ba41e8345a488341849534f978df9831974ecaecc3c97924228af43c9c4ed50d7c004a3d9f30949533c0daf11 SHA512 42d2b50341e427b7960d2bd1f15ec7bb4855c78f95e35763c1a3535df40b2740b40fd360b27c8a1f4f82251d3bbd40c581fe359a731f8b182e63769ebc6c120f
+AUX 5.9.6/hardened-patches/0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch 6075 BLAKE2B e5da90cf903dc5fc7c5e21fb52b7f9b932cb0549ab757c55d60da0bd1873f125ec94f353eaa72403ec2f31b4785c8a193ba747922633288ca65612057677992a SHA512 5759a545b74846353778cdaf8b3c97ff08c7f03c646d1d3aa7c9ece34abd8ca2f18bb2a8943fb86bca6b65e8958ac788554a37dbef1b99b174679381354cc444
+AUX 5.9.6/hardened-patches/0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch 827 BLAKE2B 7c8778875a0e73b7be179b241e173fa575a63f3306934a80f1ad6613ae97f6a1678aea69190085aef62e39f610995793c3eeda02c43bcd8f27e4413668596448 SHA512 63f44be21f16036ca72a0d50fce75336da17c5ba5e01d06562846eef5ba8b846f6481f1ad43bc36a6fa82bc635142b18a57f51312b0be2c10897a4fa62d3cb70
+AUX 5.9.6/hardened-patches/0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch 8416 BLAKE2B 136402d84563b52154b5075af819bc720a81825f242767d135ffbe46c36d6bd0a087f4c00d82bd4f0ad7e9766e21595c148f56bd7ad8d0685b3f34aca93f8cbc SHA512 67675d3150e40987fc8877deb1ecea4e5107f2b92306838944c3a6f0bde93c675733b78374157859fd0d14e8715522f82e06a0b7fdbea76bd5dc9057faa2c0ff
+AUX 5.9.6/hardened-patches/0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch 1427 BLAKE2B dc4e93105e08df9434de44adade762c77df3be13992df49b882dcb7e428427533cf046bd38319d65cf42a19bf3de47aa1f0bed14c39e1b70759fec4b641a4ba6 SHA512 1314436eb1bef69f2563d0de5feb97f1eb2bf4fb24ad2f35f0cfc426ab91a937063848bfc8db9f64f4e7df10829c7074b9481b06f7d8b6466587e88c2b786f9b
+AUX 5.9.6/hardened-patches/0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch 3572 BLAKE2B 442c1b933e451367a1c062475ef3d15c9df746452ccd98fa5cf532c0fdb0328c187983e21591387f61b9dea4ec9c6182b317e2d96c541ba1e15dc21000516d45 SHA512 8181bb163d8d88773db27b5cbb3cfda4c695631ca866332f01d2d410384fe77069d2211b240d406b8de0ba5444a39d8958cc23ad79e54b6581bc0db2af368554
+AUX 5.9.6/hardened-patches/0108-usb-implement-dedicated-subsystem-sysctl-tables.patch 5259 BLAKE2B 24593283d22212a5ca6cb5aa0aca073a877629bfb0390048c3182ee75230cf12279e894d1e517247f8d6624c476c59001a4e9857edee1ceac1c5ad0ffe5500aa SHA512 39508d998f5fa182b2733eb582bf01fb9c88922bbee4876778948b2c095e09ddd835468286beb803efa295341a1e708895fd614e52818e8bbcd84fb22980e36a
+DIST debian-kconfig-5.10.10 172278 BLAKE2B da24af19be62fd5e5be5358e73f25f164ab99b318b0cfe744097de0fd507d9dcfaec49993917cef458722ebc7846a0caab40b0f34468726ae0cf2522836219b6 SHA512 1a0a07eb1cc0c66ae09811a76c01b9cb76ffc55a66b441cc1ce1344811bbe1ab1d705b7d3ba2e0b611460732be2eaf63782e6c5ae0cbd6a5f7985261d60e3bfc
+DIST debian-kconfig-5.10.4 171988 BLAKE2B 9d9a91744e57d2bc035192bddda3e8730798390157abadda1a6f4f6dacfa6da5af032c18b3058bfdb5ba1debe2f401a7047b5998eff4f1b877bd30a2103c38d2 SHA512 53ee05d6cfa3e7a687bfda2fab6f49ad8eeba52fd2178ddc6de8367e9e025b0e144944559d0dde35a0afe36f1afa0dbd3954504afa95899057e5483078ce03b9
+DIST debian-kconfig-5.10.7 171988 BLAKE2B 9d9a91744e57d2bc035192bddda3e8730798390157abadda1a6f4f6dacfa6da5af032c18b3058bfdb5ba1debe2f401a7047b5998eff4f1b877bd30a2103c38d2 SHA512 53ee05d6cfa3e7a687bfda2fab6f49ad8eeba52fd2178ddc6de8367e9e025b0e144944559d0dde35a0afe36f1afa0dbd3954504afa95899057e5483078ce03b9
+DIST debian-kconfig-5.10.8 171988 BLAKE2B 9d9a91744e57d2bc035192bddda3e8730798390157abadda1a6f4f6dacfa6da5af032c18b3058bfdb5ba1debe2f401a7047b5998eff4f1b877bd30a2103c38d2 SHA512 53ee05d6cfa3e7a687bfda2fab6f49ad8eeba52fd2178ddc6de8367e9e025b0e144944559d0dde35a0afe36f1afa0dbd3954504afa95899057e5483078ce03b9
+DIST debian-kconfig-5.10.9 171988 BLAKE2B 9d9a91744e57d2bc035192bddda3e8730798390157abadda1a6f4f6dacfa6da5af032c18b3058bfdb5ba1debe2f401a7047b5998eff4f1b877bd30a2103c38d2 SHA512 53ee05d6cfa3e7a687bfda2fab6f49ad8eeba52fd2178ddc6de8367e9e025b0e144944559d0dde35a0afe36f1afa0dbd3954504afa95899057e5483078ce03b9
+DIST debian-kconfig-5.9.6 171262 BLAKE2B f3726b06657cfd827e5676c567117a85407da468829eaae0638666d27480a463e20abfd868b2325633e1dc84a43a42c8ca6eebfa4ff8964a15bb5cd9aa123163 SHA512 32d65e9a539fc6e12eebbd2d0fd02bad7df8d642905a4dd03d9c3fb3939a81d5e1deadecee83ea70f88b6f8dcca744659c9d273d652407a15919c2ee12624709
+DIST debian-kconfig-amd64-5.10.10 4367 BLAKE2B dfa1559a2c8c5d2447979eee4bc52b5f7e7b310aee6e326f9b55036c01714d120ebc6ca7c9ffdba6c3241ffd6b3b13e8222f511db30797527145640680a39d26 SHA512 6473dceb7641a9e60eedfaa24be95e4d20401e9508ec907c49da2d73983f54eb293e781245ee84aa41f2728354be9bdb06191867008c111735e6962a1d79e888
+DIST debian-kconfig-amd64-5.10.4 4277 BLAKE2B 087ecc833619a3322346a649ac7f2a4673f6dc2863cdb95ef0df761e8f209055c0ea4c10dd7302742e982a6c16b2c7f1962994c54bd5296cba98801e49383cad SHA512 a6f7bcbb15213ce8252d179bf12087814c556fe55d15e56e522773536d02c44a5588da923498b24838669a6fa2638cd0006277d126e5679d4f697483c59de32b
+DIST debian-kconfig-amd64-5.10.7 4301 BLAKE2B ef85052d2f85824d0ff20c99a79c4e5585a80b3fabc0946fa50723b79004a3abd13f68696d85fc539e9c9bb878cfe14e5bfbb369d6614a8140c724bac721f8d1 SHA512 e5637be79d25dc8a5a3a471172270bdd23cb0e50e65b062080229c273a0441f2efab3e12d3ce5d742baef067fe39982e1f76d22eb69967d9fdad775f3fe5224b
+DIST debian-kconfig-amd64-5.10.8 4301 BLAKE2B ef85052d2f85824d0ff20c99a79c4e5585a80b3fabc0946fa50723b79004a3abd13f68696d85fc539e9c9bb878cfe14e5bfbb369d6614a8140c724bac721f8d1 SHA512 e5637be79d25dc8a5a3a471172270bdd23cb0e50e65b062080229c273a0441f2efab3e12d3ce5d742baef067fe39982e1f76d22eb69967d9fdad775f3fe5224b
+DIST debian-kconfig-amd64-5.10.9 4301 BLAKE2B ef85052d2f85824d0ff20c99a79c4e5585a80b3fabc0946fa50723b79004a3abd13f68696d85fc539e9c9bb878cfe14e5bfbb369d6614a8140c724bac721f8d1 SHA512 e5637be79d25dc8a5a3a471172270bdd23cb0e50e65b062080229c273a0441f2efab3e12d3ce5d742baef067fe39982e1f76d22eb69967d9fdad775f3fe5224b
+DIST debian-kconfig-amd64-5.9.6 4444 BLAKE2B 65e60f917edb80deca7ece6819fe359fb992ef77776c6bd2d13aaf7cd6338f31e0cbfeb1620f825d17b34899da245e301e95a18c414b540a15993b862f1bdcbc SHA512 dbd6125b368c5d16d3ad4cdf21523bcdbf3654cf6cb75dce5a3abc4166b78d60d37b23e3963528d56b83520765267bb0cca0363d7f59dfedb1fe7289bc392a9a
+DIST debian-kconfig-arm64-5.10.10 25906 BLAKE2B 4a6f596d6be02feb46695d98f4e1bb0899af41da103e5ed001920a82ff2c6dac752108e4c9f47bab3a2650dbd538e0677c67fbe34c0afc55404e3b4c0cca94c6 SHA512 ad8d9c35e43c918673a9eaeb3fc75549398084965038db8ad2e01a0ea7444fb51cf3e9c5bbfabb852266f3e2ff8735c78208e6c51b9077d64c2d116abc0c5263
+DIST debian-kconfig-arm64-5.10.4 25641 BLAKE2B de55b4f14fdf6d8d4953fbe37c9e8055993f31a625ed864cc810ed9c05578a8abb90a96f3af2d33751b1a624e325379b4b6c80c923ea2505453aa27f11673786 SHA512 d404cf7aadaad6b9296d3cfcd06f7151d5379b7fb2c8332c1d2d078c8139c4b8f0f75bfbd18e1f621b88b7e6ec573516c6be9c4dae27ace90212a6ef31750cc4
+DIST debian-kconfig-arm64-5.10.7 25699 BLAKE2B e2c5b05971e3d5966fd1783014f2dc686cc00a6367425de2c5513461144f54da6ce343e4cfd6b2f59903ee9d4651b32e0294f85686bee2833d42cf987cafff2b SHA512 10088d904cee7e75376bc7308819ec6c6974a05369d242dc53ee09f9052d8d8af6724caf6c941ff9677b67b5fe7da215fa83204f4ad79ee72040159c5a519c92
+DIST debian-kconfig-arm64-5.10.8 25699 BLAKE2B e2c5b05971e3d5966fd1783014f2dc686cc00a6367425de2c5513461144f54da6ce343e4cfd6b2f59903ee9d4651b32e0294f85686bee2833d42cf987cafff2b SHA512 10088d904cee7e75376bc7308819ec6c6974a05369d242dc53ee09f9052d8d8af6724caf6c941ff9677b67b5fe7da215fa83204f4ad79ee72040159c5a519c92
+DIST debian-kconfig-arm64-5.10.9 25699 BLAKE2B e2c5b05971e3d5966fd1783014f2dc686cc00a6367425de2c5513461144f54da6ce343e4cfd6b2f59903ee9d4651b32e0294f85686bee2833d42cf987cafff2b SHA512 10088d904cee7e75376bc7308819ec6c6974a05369d242dc53ee09f9052d8d8af6724caf6c941ff9677b67b5fe7da215fa83204f4ad79ee72040159c5a519c92
+DIST debian-kconfig-arm64-5.9.6 25799 BLAKE2B 08f02c6c7579f87f2e90afc837fb2937f876b3ac7a2f7405a755afa906741154f1de39428bda4ab5bc82b885dbbe52c52836f97ab077951b5c5dd600a967cda0 SHA512 09acf44402d22f64395f0983139a76447af2b853872e8709cdc2fea08680f8983a75849e34a3437065c9521a5bd5c1ccbb2ac92152945a912548eb7fd4c14619
+DIST debian-kconfig-i386-5.10.10 8990 BLAKE2B 72fac181239cbc9eb8fd0dcfc8edac3f68447ca3368ec87a1beffe499c0cd30c4da6a44756dc0de56e2997ac265f238ce07e23f7b1883f9dfcf9a272d07005df SHA512 de116317bccce4476901597bbbf47ec62feba828e4fe74bdecd36f009b6a9d46c168a06eb0448bc688503e3ea8b9d427fb381513763a1d6389cbafdec7f1def5
+DIST debian-kconfig-i386-5.10.4 8990 BLAKE2B 72fac181239cbc9eb8fd0dcfc8edac3f68447ca3368ec87a1beffe499c0cd30c4da6a44756dc0de56e2997ac265f238ce07e23f7b1883f9dfcf9a272d07005df SHA512 de116317bccce4476901597bbbf47ec62feba828e4fe74bdecd36f009b6a9d46c168a06eb0448bc688503e3ea8b9d427fb381513763a1d6389cbafdec7f1def5
+DIST debian-kconfig-i386-5.10.7 8990 BLAKE2B 72fac181239cbc9eb8fd0dcfc8edac3f68447ca3368ec87a1beffe499c0cd30c4da6a44756dc0de56e2997ac265f238ce07e23f7b1883f9dfcf9a272d07005df SHA512 de116317bccce4476901597bbbf47ec62feba828e4fe74bdecd36f009b6a9d46c168a06eb0448bc688503e3ea8b9d427fb381513763a1d6389cbafdec7f1def5
+DIST debian-kconfig-i386-5.10.8 8990 BLAKE2B 72fac181239cbc9eb8fd0dcfc8edac3f68447ca3368ec87a1beffe499c0cd30c4da6a44756dc0de56e2997ac265f238ce07e23f7b1883f9dfcf9a272d07005df SHA512 de116317bccce4476901597bbbf47ec62feba828e4fe74bdecd36f009b6a9d46c168a06eb0448bc688503e3ea8b9d427fb381513763a1d6389cbafdec7f1def5
+DIST debian-kconfig-i386-5.10.9 8990 BLAKE2B 72fac181239cbc9eb8fd0dcfc8edac3f68447ca3368ec87a1beffe499c0cd30c4da6a44756dc0de56e2997ac265f238ce07e23f7b1883f9dfcf9a272d07005df SHA512 de116317bccce4476901597bbbf47ec62feba828e4fe74bdecd36f009b6a9d46c168a06eb0448bc688503e3ea8b9d427fb381513763a1d6389cbafdec7f1def5
+DIST debian-kconfig-i386-5.9.6 8978 BLAKE2B 41115f31e22dad9c03fd6403d0dfc56ead17cdcc91961848ae7fcdac18fc2962c9e8ca230a5b8edb5a95a8d6b0c1053968809467d849baab8de06928ee698f9c SHA512 278b9735a6206adb9fc7367646ef9a6df1db43e4b58914c0d46b803c2a014e2dd05066522160e0aa5fa28c6e71bc2e8fd9e0a1e9b3f2f1a28e80c4432d7ad2a2
+DIST debian-kconfig-i686-5.10.10 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-5.10.4 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-5.10.7 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-5.10.8 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-5.10.9 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-5.9.6 1296 BLAKE2B a015d0163d8c484f59b85e18b32d4226bcf42416f94e732f44f9121cda8f99b88e3744bc4ae2fc31f88a48f972b7d6a842a1dab488341fcd4eec125ce649ecd7 SHA512 ab20d397b14d774706c278340d992a57b616b8f8aa084e17f9500d87d83915bdb922679275766ae7aebb42f4cc05d25dfd4e75ac9aae84e8dfa85141d31f0011
+DIST debian-kconfig-i686-pae-5.10.10 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-i686-pae-5.10.4 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-i686-pae-5.10.7 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-i686-pae-5.10.8 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-i686-pae-5.10.9 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-i686-pae-5.9.6 856 BLAKE2B 3c5a77d9a0c3dadbe4c1d1beb9b2f08e74d77635b520d27397218b4d63815f270e9d06939e17221a0df46fd6de8f758b9236a6654793eda21a336841e3d19f5d SHA512 920a5807ec1a742c35429b88b7702fed870b89ae365e95c9cd521b54102aa51f9ad1abcb0b1424d315b346af2e8ec57054ada5ddcc0ab1872d400956090fbf4b
+DIST debian-kconfig-kernelarch-arm-5.10.10 2082 BLAKE2B 330b1d06e663ec20de70daf4d513f612366aa2e096c1a8f1cbdd93a86b32632c45060b1a3534fb29835baf1e908f346ef273606d82e5905fd49c26b8ca59941c SHA512 90f5ed4d96aa7a386ddf32c2cb58b0c36f85d99694d9f46ef2564dfe3deb94898585b6a899755afe4f78358d966730487d64730f3300f1b31cbe54246daa0128
+DIST debian-kconfig-kernelarch-arm-5.10.4 1963 BLAKE2B a9af56f259b14570d7079f02592a50980a73c99f8553ecdd2660ce88665f79facb134ff41691049bbec6fb6c0246f61d01af7e399bc09b836f3ddeb212cc899f SHA512 57429690a79a868b235b74f0527b3cf0047100d065fc2f42d0035a51e6b64f40b55e427446e9990fc2f92f0d9982e17dde542e6112fab6830ed8c9e484048d4c
+DIST debian-kconfig-kernelarch-arm-5.10.7 1963 BLAKE2B a9af56f259b14570d7079f02592a50980a73c99f8553ecdd2660ce88665f79facb134ff41691049bbec6fb6c0246f61d01af7e399bc09b836f3ddeb212cc899f SHA512 57429690a79a868b235b74f0527b3cf0047100d065fc2f42d0035a51e6b64f40b55e427446e9990fc2f92f0d9982e17dde542e6112fab6830ed8c9e484048d4c
+DIST debian-kconfig-kernelarch-arm-5.10.8 1963 BLAKE2B a9af56f259b14570d7079f02592a50980a73c99f8553ecdd2660ce88665f79facb134ff41691049bbec6fb6c0246f61d01af7e399bc09b836f3ddeb212cc899f SHA512 57429690a79a868b235b74f0527b3cf0047100d065fc2f42d0035a51e6b64f40b55e427446e9990fc2f92f0d9982e17dde542e6112fab6830ed8c9e484048d4c
+DIST debian-kconfig-kernelarch-arm-5.10.9 1963 BLAKE2B a9af56f259b14570d7079f02592a50980a73c99f8553ecdd2660ce88665f79facb134ff41691049bbec6fb6c0246f61d01af7e399bc09b836f3ddeb212cc899f SHA512 57429690a79a868b235b74f0527b3cf0047100d065fc2f42d0035a51e6b64f40b55e427446e9990fc2f92f0d9982e17dde542e6112fab6830ed8c9e484048d4c
+DIST debian-kconfig-kernelarch-arm-5.9.6 1934 BLAKE2B c81dbc375b87ddddd69690a69769abdfb6580a80ed5d7b7708fab962669a23a078eede54bb490ab2a1b6b70da3f06cb7fb40fdbca8df8aaf508917c9e778e6e7 SHA512 b46c35f494db7f33ef62c134f6be1eb6ed07341c27678fd2fbad95b3779fbc71779d41a9ffbbdee4216ca8684c4e4e434632811195a818256892eca562ab53cc
+DIST debian-kconfig-kernelarch-x86-5.10.10 40792 BLAKE2B 156921f8c394ad76e49216e83c7fba299cafa1e58655a3c7173ae8bd196fafe3227af872fc590a036d4b4959b06ab6d02e53d5730ad4ecc951d47fb52cb7dace SHA512 327574ed49d79089a505f1e8e3eb38e515fbe1e807120815aef4c858153a6ef77572a6a26b792a964c132f0ad704235005a95d3171246812e9622c4551aa9030
+DIST debian-kconfig-kernelarch-x86-5.10.4 40654 BLAKE2B 0a5fc935443a990fcaf2519c2887367106b166e10fdbd3853560b7e2fbc9eeaade40c8f904afffc93176afe0b52993eadc384067899a1ff37cea539723c8ea00 SHA512 05d8048a144b208265352a96a7cabb9f417eff853461602efa7c817fb18f1cba57ab72e867bae2f5a355797f83281298a4601fe8d6e6d43702b15e8eb3678b7d
+DIST debian-kconfig-kernelarch-x86-5.10.7 40702 BLAKE2B dffa1cf6b43379f12ba994419bbef3cbd4620253786e4e34acb0a1cfca0ec1294a9d1e62399504c7bdfc80644ae908978ba623fad7d5110d35b441fd9e7ba445 SHA512 c3d776f1f2ff19bab3f3f9de454d324d48bfe9a41784a54538a92f616f75bf98d2b98aded0c4cec46f01f8b9ddf8e58a113baad44718a8093ac415916febd829
+DIST debian-kconfig-kernelarch-x86-5.10.8 40702 BLAKE2B dffa1cf6b43379f12ba994419bbef3cbd4620253786e4e34acb0a1cfca0ec1294a9d1e62399504c7bdfc80644ae908978ba623fad7d5110d35b441fd9e7ba445 SHA512 c3d776f1f2ff19bab3f3f9de454d324d48bfe9a41784a54538a92f616f75bf98d2b98aded0c4cec46f01f8b9ddf8e58a113baad44718a8093ac415916febd829
+DIST debian-kconfig-kernelarch-x86-5.10.9 40702 BLAKE2B dffa1cf6b43379f12ba994419bbef3cbd4620253786e4e34acb0a1cfca0ec1294a9d1e62399504c7bdfc80644ae908978ba623fad7d5110d35b441fd9e7ba445 SHA512 c3d776f1f2ff19bab3f3f9de454d324d48bfe9a41784a54538a92f616f75bf98d2b98aded0c4cec46f01f8b9ddf8e58a113baad44718a8093ac415916febd829
+DIST debian-kconfig-kernelarch-x86-5.9.6 40938 BLAKE2B f4134a141015e8a7fe32e28fb88cdab7f39d0951ff0791a3a3518d95b83b8d98c9613d745d8ad17871d1ec1e9ff2572b6704367709cb6d66c3a48928dc5870e8 SHA512 2fb4678840fd4edc43b19db5928c3043ea10d7c6e8e991bc092988012415d4e537eebb77061213795bbd656c3f23b58b4647ac2628d20b4dfed4182a94ced92d
+DIST linux-5.10.10.tar.xz 116625516 BLAKE2B 180f0dd063eab9542fd799c54dd335c4f310bea739048800ab3222526cb1ea7cc4ef43d2a2c27ed0e37a776f5c77540c33795aa63297704d9e215735a1a98606 SHA512 05a3f91470e1402510f10d9ad8b04350be7aa1232fec5083e5bb59e16cae8168b1f117b15508fc0dd345d7f8d20a43029a48ebcf54278596b778c37d2f966ca7
+DIST linux-5.10.4.tar.xz 116612908 BLAKE2B 57f6d719451aacfd298452703ae02e6188885500e8cdf18fffa6b9967b0934a23cd378ab4c49b76ccb2f7a9012d6aa7ff1349d488cb31e40924be2f27b244cec SHA512 aab782786cc06b5f1872bbb88c4f55a73d222f8ecf1ab8f5b7d96de2160b11b4407e02a44b206d2c00e395ba0662aa5a038b8e10d185621a0b33c576b523b490
+DIST linux-5.10.7.tar.xz 116616036 BLAKE2B c3a222cf56350a3778bd825ba8434d27266412ffe921429be189d51fa97ec66b6aaf336bfd67c20d44828e4b150afade9659b341e9c499f63d6dc01fc2a4fb03 SHA512 d639ee7ddd8071b1b54354e68034508bd32a3d2b8eb50ab4aa0f64f3beac9d4ce4f7940ba1848f9903ee827f7cad1a2625185eb4071b0f348bc4639af6f41d9a
+DIST linux-5.10.8.tar.xz 116625448 BLAKE2B 1bea3293bb036639d5dd72aba9ca078e1cf94c3752d48abd6462c65038ca5808ee976919623ccb64356756b2cc766a014e57483e8e1418a089236522a0e0a56e SHA512 13ea7cf81db43059466c1558bd80175a6c2090496786fe9220c165958d19781d5501104f41f8207e0239a101611a1faa38b203dd1e8890964494ef8518f5f21e
+DIST linux-5.10.9.tar.xz 116619508 BLAKE2B faedb4032fd709d3f0089d706232ec0dcfdf3817223aa910112e6cd58bffea20a3127fee407a465fa3b4db1a54050fabd839809c404492820216fadae70885b9 SHA512 63271212f300a58a5c2826052928aa980994fff6af553f801b0d2a1ae05e3b55788cc46fa26c97f330bab74068a93df58ce768f21fc5edd1481c841b975e56cf
+DIST linux-5.9.6.tar.xz 115547768 BLAKE2B c1a547d4af558bf364f2c1699e529deefeb5bd9322b7cfe8c034a0414d9e69dc96e27bd4011ce105f02d9787ca0e18e4c3d9c7581ccc486e45995f4fc493d932 SHA512 0a01d7d503959c20a8dd62a3fa1b44b5b4650aac2fdb8f481b81a1321fcf2565049927418422dd1013e2d54af2a0b27a82cfbe8c1cb0843d8b840adef45d5db1
+EBUILD cairn-sources-5.10.10.ebuild 26774 BLAKE2B 4161e029f76fb0a15f4f1b956cdb8e4838494ea92318d98f7cb56853ad513fdf3bbb719d150e6f42540785a9f0a549dbd2ff71e8877838d6d07c17f0633774f5 SHA512 5663ef2705f9429500c787c6ada8c8144a878838c6371f4786b9fc374836ca989534384c9bcd7d86b4bcfa59a6a75b473318445b3a9eed4b98a460cb7dbfbfd3
+EBUILD cairn-sources-5.10.4.ebuild 26953 BLAKE2B cfdabab5bbd91064c8583549f3187f5f9e767f5b674b4064f85fed87929601b0b22709e3b2e1faad333c6c815be8ebda2a6ffa48ceb3c794673450474d49a5a5 SHA512 32b8baf11d9781c8e479c42793ebdad8fc2355df90fb3d2aba2ae3c8dbb802046f71822375c0a2a94870159c0c9e2ffa77dbe8670cf82fbce71b742e91d74bcc
+EBUILD cairn-sources-5.10.7.ebuild 26773 BLAKE2B a14d325e5978bdb9845ef0a5a240bb259025b6cd485ec61a38e84f1ff07ff45fba8cb75bc4d70432adc8c9a570ca37b28a74d4df88a777f4b64ff48d155fd024 SHA512 23ebef0e322bf01306e2cbf019a3dc79511cff92d3e01a2c451c29c2764206cfb3058564ee810b69b865b4d1d2f06bd0eab74e6bcbb071ad37039b398f91317f
+EBUILD cairn-sources-5.10.8.ebuild 26773 BLAKE2B 8e2d608ec9607a97feb2d369291016da58cb0acc5540d167463eb19a3d7970626fafb0d735805055ed5e54ecd4c60160791474cf515ccdf9f17191f57cf3a9c9 SHA512 755f19f018cfd4fa94e3bbd2ddeb704755bfa99017255208231afa28ce889ffe74eba2632c9120824b5567c7e515a0adc8cca0782814ebebccc67be4e28bae18
+EBUILD cairn-sources-5.10.9.ebuild 26773 BLAKE2B a788a6025a6c42f220e470c74160abfb3355f606a53a531c189d8ee9868690f17cd138763da7cf28eb602d51738e6b94d9945f2fdd441521aceee2ca900a56bd SHA512 e53f2457d8dd3a04b24ee7515f4bc7ecbfc91d8dea30781e0a2b52693c4e983b1c275b0f7c55cfb25111afc0b757fe302f2b2082f50a6c1f2de4dc361864633e
+EBUILD cairn-sources-5.9.6.ebuild 26815 BLAKE2B d574b1fd5b5354c7c288d5a18400678d310e0f20aba0f1e6d5899291a28284fa75eed9876ee494be6fdf9f8b1a1dc51b1e7516fd11ad6d486bf92d5bf68f4c1d SHA512 d80a8576f13d96e202457decd4bb16dbf4ffb21bde3a0628d08a6c31c037e35e3b3a0424fce008da0d0ac4e04b9a6c7897fa35604914c8bef3b24d70024f3c8c
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.10.10.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.10.10.ebuild
new file mode 100644
index 000000000000..5159aac7c575
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.10.10.ebuild
@@ -0,0 +1,659 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.10.10"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.10.9-1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0066-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
+ 0044-disable-SYSFS_SYSCALL-by-default.patch
+ 0045-stop-hiding-UID16-behind-EXPERT.patch
+ 0046-disable-UID16-by-default.patch
+ 0047-add-__read_only-for-non-init-related-usage.patch
+ 0048-make-sysctl-constants-read-only.patch
+ 0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0053-mark-kmem_cache-as-__ro_after_init.patch
+ 0054-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0056-mark-open_softirq-as-only-used-for-init.patch
+ 0057-remove-unused-softirq_action-callback-parameter.patch
+ 0058-mark-softirq_vec-as-__ro_after_init.patch
+ 0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0061-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0062-mm-add-support-for-verifying-page-sanitization.patch
+ 0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0064-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0065-slub-add-multi-purpose-random-canaries.patch
+ 0066-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0069-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0070-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0071-add-vmalloc-alloc_size-attributes.patch
+ 0072-add-kvmalloc-alloc_size-attribute.patch
+ 0073-add-percpu-alloc_size-attributes.patch
+ 0074-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0075-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0076-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0077-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0078-add-page-destructor-sanity-check.patch
+ 0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0080-add-writable-function-pointer-detection.patch
+ 0081-support-overriding-early-audit-kernel-cmdline.patch
+ 0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0087-randomize-lower-bits-of-the-argument-block.patch
+ 0088-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0089-support-randomizing-the-lower-bits-of-brk.patch
+ 0090-mm-randomize-lower-bits-of-brk.patch
+ 0091-x86-randomize-lower-bits-of-brk.patch
+ 0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0095-restrict-device-timing-side-channels.patch
+ 0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
+ 0099-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0103-disable-unprivileged-eBPF-access-by-default.patch
+ 0104-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0105-enable-protected_-fifos-regular-by-default.patch
+ 0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0107-mm-Fix-extra_latent_entropy.patch
+ 0108-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+ 5000_shiftfs-ubuntu-20.04.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.10.4.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.10.4.ebuild
new file mode 100644
index 000000000000..090657321bfc
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.10.4.ebuild
@@ -0,0 +1,664 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.10.4"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.10.2-1_exp1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-add-__read_only-for-non-init-related-usage.patch
+ 0041-make-sysctl-constants-read-only.patch
+ 0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0045-mark-kmem_cache-as-__ro_after_init.patch
+ 0046-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0048-mark-open_softirq-as-only-used-for-init.patch
+ 0049-remove-unused-softirq_action-callback-parameter.patch
+ 0050-mark-softirq_vec-as-__ro_after_init.patch
+ 0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0053-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0054-mm-add-support-for-verifying-page-sanitization.patch
+ 0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0056-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0057-slub-add-multi-purpose-random-canaries.patch
+ 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0061-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0062-add-vmalloc-alloc_size-attributes.patch
+ 0063-add-kvmalloc-alloc_size-attribute.patch
+ 0064-add-percpu-alloc_size-attributes.patch
+ 0065-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0066-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0067-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0068-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0069-add-page-destructor-sanity-check.patch
+ 0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0071-add-writable-function-pointer-detection.patch
+ 0072-support-overriding-early-audit-kernel-cmdline.patch
+ 0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0078-randomize-lower-bits-of-the-argument-block.patch
+ 0079-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0080-support-randomizing-the-lower-bits-of-brk.patch
+ 0081-mm-randomize-lower-bits-of-brk.patch
+ 0082-x86-randomize-lower-bits-of-brk.patch
+ 0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0086-restrict-device-timing-side-channels.patch
+ 0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
+ 0090-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0094-disable-unprivileged-eBPF-access-by-default.patch
+ 0095-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0096-enable-protected_-fifos-regular-by-default.patch
+ 0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0099-mm-Fix-extra_latent_entropy.patch
+ 0100-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0103-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
+ 0108-disable-SYSFS_SYSCALL-by-default.patch
+ 0109-stop-hiding-UID16-behind-EXPERT.patch
+ 0110-disable-UID16-by-default.patch
+ 0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # Cairn Linux patches are misc fix-ups
+ einfo "Applying Cairn Linux patches ..."
+
+ # Restore export_kernel_fpu_functions for zfs
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/export_kernel_fpu_functions.patch
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.10.7.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.10.7.ebuild
new file mode 100644
index 000000000000..0776df305350
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.10.7.ebuild
@@ -0,0 +1,659 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.10.7"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.10.5-1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-add-__read_only-for-non-init-related-usage.patch
+ 0041-make-sysctl-constants-read-only.patch
+ 0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0045-mark-kmem_cache-as-__ro_after_init.patch
+ 0046-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0048-mark-open_softirq-as-only-used-for-init.patch
+ 0049-remove-unused-softirq_action-callback-parameter.patch
+ 0050-mark-softirq_vec-as-__ro_after_init.patch
+ 0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0053-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0054-mm-add-support-for-verifying-page-sanitization.patch
+ 0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0056-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0057-slub-add-multi-purpose-random-canaries.patch
+ 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0061-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0062-add-vmalloc-alloc_size-attributes.patch
+ 0063-add-kvmalloc-alloc_size-attribute.patch
+ 0064-add-percpu-alloc_size-attributes.patch
+ 0065-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0066-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0067-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0068-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0069-add-page-destructor-sanity-check.patch
+ 0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0071-add-writable-function-pointer-detection.patch
+ 0072-support-overriding-early-audit-kernel-cmdline.patch
+ 0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0078-randomize-lower-bits-of-the-argument-block.patch
+ 0079-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0080-support-randomizing-the-lower-bits-of-brk.patch
+ 0081-mm-randomize-lower-bits-of-brk.patch
+ 0082-x86-randomize-lower-bits-of-brk.patch
+ 0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0086-restrict-device-timing-side-channels.patch
+ 0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
+ 0090-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0094-disable-unprivileged-eBPF-access-by-default.patch
+ 0095-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0096-enable-protected_-fifos-regular-by-default.patch
+ 0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0099-mm-Fix-extra_latent_entropy.patch
+ 0100-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0103-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
+ 0108-disable-SYSFS_SYSCALL-by-default.patch
+ 0109-stop-hiding-UID16-behind-EXPERT.patch
+ 0110-disable-UID16-by-default.patch
+ 0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+ 5000_shiftfs-ubuntu-20.04.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
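Review bot: The module-signing key path never reaches the kernel config: `echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config` in src_prepare is single-quoted, so the literal text `${certs_dir}/signing_key.pem` is appended instead of the directory that `certs_dir=$(get_certs_dir)` resolved a few lines earlier, and it should read `echo "CONFIG_MODULE_SIG_KEY=\"${certs_dir}/signing_key.pem\"" >> .config`. As written the build is pointed at a key other than the one src_install later passes to sign-file, so the certificate the kernel embeds is unlikely to match the signatures applied there and those modules would presumably fail verification once `module.sig_enforce=1` is set — worth confirming on a built kernel. In the same src_install branch, the comment `# $certs_dir defined previously in this function.` is inaccurate (it is set in src_prepare and survives only as a saved global), and `exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts` produces a double dash because KERNEL_EXTRAVERSION already begins with `-`, installing sign-file beside rather than inside the source tree created by `cp -a "${S}"`; it should be `exeinto /usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/scripts`. The identical lines appear in the other cairn-sources version ebuilds added by this commit.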
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.10.8.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.10.8.ebuild
new file mode 100644
index 000000000000..9cc8f966b75c
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.10.8.ebuild
@@ -0,0 +1,659 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.10.8"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.10.5-1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-add-__read_only-for-non-init-related-usage.patch
+ 0041-make-sysctl-constants-read-only.patch
+ 0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0045-mark-kmem_cache-as-__ro_after_init.patch
+ 0046-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0048-mark-open_softirq-as-only-used-for-init.patch
+ 0049-remove-unused-softirq_action-callback-parameter.patch
+ 0050-mark-softirq_vec-as-__ro_after_init.patch
+ 0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0053-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0054-mm-add-support-for-verifying-page-sanitization.patch
+ 0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0056-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0057-slub-add-multi-purpose-random-canaries.patch
+ 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0061-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0062-add-vmalloc-alloc_size-attributes.patch
+ 0063-add-kvmalloc-alloc_size-attribute.patch
+ 0064-add-percpu-alloc_size-attributes.patch
+ 0065-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0066-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0067-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0068-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0069-add-page-destructor-sanity-check.patch
+ 0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0071-add-writable-function-pointer-detection.patch
+ 0072-support-overriding-early-audit-kernel-cmdline.patch
+ 0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0078-randomize-lower-bits-of-the-argument-block.patch
+ 0079-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0080-support-randomizing-the-lower-bits-of-brk.patch
+ 0081-mm-randomize-lower-bits-of-brk.patch
+ 0082-x86-randomize-lower-bits-of-brk.patch
+ 0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0086-restrict-device-timing-side-channels.patch
+ 0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
+ 0090-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0094-disable-unprivileged-eBPF-access-by-default.patch
+ 0095-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0096-enable-protected_-fifos-regular-by-default.patch
+ 0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0099-mm-Fix-extra_latent_entropy.patch
+ 0100-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0103-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
+ 0108-disable-SYSFS_SYSCALL-by-default.patch
+ 0109-stop-hiding-UID16-behind-EXPERT.patch
+ 0110-disable-UID16-by-default.patch
+ 0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+ 5000_shiftfs-ubuntu-20.04.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
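Review bot: The module-signing key path written by `echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config` in src_prepare is single-quoted, so the literal text `${certs_dir}` lands in .config rather than the directory get_certs_dir() returned; the kernel build is then unlikely to pick up the key and its certificate, and the modules that src_install signs with that same key would likely not verify against the built kernel's keyring. Double-quote it with escaped inner quotes, `echo "CONFIG_MODULE_SIG_KEY=\"${certs_dir}/signing_key.pem\"" >> .config` (the `sed -i -e 's/-mtune=generic/$MARCH/g'` line in the custom-cflags branch has the same quoting mistake and never substitutes `$MARCH`). In src_compile, `emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"` lacks `die`, so a failed build is not fatal and src_install proceeds with whatever is in the build tree; it should read `emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || die "kernel build failed"`. In src_install, `exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts` inserts an extra hyphen (KERNEL_EXTRAVERSION already begins with one), so sign-file is installed under a path that differs from the sources directory used everywhere else in that function. The same lines appear in the other per-version ebuilds added by this commit.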
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.10.9.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.10.9.ebuild
new file mode 100644
index 000000000000..28caf6d9735c
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.10.9.ebuild
@@ -0,0 +1,659 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.10.9"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.10.5-1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0066-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
+ 0044-disable-SYSFS_SYSCALL-by-default.patch
+ 0045-stop-hiding-UID16-behind-EXPERT.patch
+ 0046-disable-UID16-by-default.patch
+ 0047-add-__read_only-for-non-init-related-usage.patch
+ 0048-make-sysctl-constants-read-only.patch
+ 0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0053-mark-kmem_cache-as-__ro_after_init.patch
+ 0054-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0056-mark-open_softirq-as-only-used-for-init.patch
+ 0057-remove-unused-softirq_action-callback-parameter.patch
+ 0058-mark-softirq_vec-as-__ro_after_init.patch
+ 0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0061-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0062-mm-add-support-for-verifying-page-sanitization.patch
+ 0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0064-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0065-slub-add-multi-purpose-random-canaries.patch
+ 0066-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0069-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0070-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0071-add-vmalloc-alloc_size-attributes.patch
+ 0072-add-kvmalloc-alloc_size-attribute.patch
+ 0073-add-percpu-alloc_size-attributes.patch
+ 0074-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0075-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0076-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0077-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0078-add-page-destructor-sanity-check.patch
+ 0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0080-add-writable-function-pointer-detection.patch
+ 0081-support-overriding-early-audit-kernel-cmdline.patch
+ 0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0087-randomize-lower-bits-of-the-argument-block.patch
+ 0088-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0089-support-randomizing-the-lower-bits-of-brk.patch
+ 0090-mm-randomize-lower-bits-of-brk.patch
+ 0091-x86-randomize-lower-bits-of-brk.patch
+ 0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0095-restrict-device-timing-side-channels.patch
+ 0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
+ 0099-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0103-disable-unprivileged-eBPF-access-by-default.patch
+ 0104-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0105-enable-protected_-fifos-regular-by-default.patch
+ 0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0107-mm-Fix-extra_latent_entropy.patch
+ 0108-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+ 5000_shiftfs-ubuntu-20.04.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
diff --git a/sys-kernel/cairn-sources/cairn-sources-5.9.6.ebuild b/sys-kernel/cairn-sources/cairn-sources-5.9.6.ebuild
new file mode 100644
index 000000000000..3dbe27f459eb
--- /dev/null
+++ b/sys-kernel/cairn-sources/cairn-sources-5.9.6.ebuild
@@ -0,0 +1,661 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit check-reqs eutils mount-boot toolchain-funcs
+
+DESCRIPTION="Linux kernel sources with some optional patches."
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="x86 amd64 arm arm64"
+
+SLOT="${PV}"
+
+RESTRICT="binchecks strip mirror"
+
+IUSE="binary btrfs clang custom-cflags debug dmraid dtrace ec2 firmware hardened iscsi luks lvm mcelog mdadm microcode multipath nbd nfs plymouth selinux sign-modules symlink systemd wireguard zfs"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ binary? ( sys-kernel/dracut )
+ btrfs? ( sys-fs/btrfs-progs )
+ dtrace? (
+ dev-util/dtrace-utils
+ dev-libs/libdtrace-ctf
+ )
+ firmware? (
+ sys-kernel/linux-firmware
+ )
+ luks? ( sys-fs/cryptsetup )
+ lvm? ( sys-fs/lvm2 )
+ mdadm? ( sys-fs/mdadm )
+ mcelog? ( app-admin/mcelog )
+ plymouth? (
+ x11-libs/libdrm[libkms]
+ sys-boot/plymouth[libkms,udev]
+ )
+ sign-modules? (
+ || ( dev-libs/openssl
+ dev-libs/libressl
+ )
+ sys-apps/kmod
+ )
+ systemd? ( sys-apps/systemd )
+ wireguard? ( virtual/wireguard )
+ zfs? ( sys-fs/zfs )
+"
+
+# linux kernel upstream
+KERNEL_VERSION="5.9.6"
+KERNEL_ARCHIVE="linux-${KERNEL_VERSION}.tar.xz"
+KERNEL_UPSTREAM="https://cdn.kernel.org/pub/linux/kernel/v5.x/${KERNEL_ARCHIVE}"
+KERNEL_EXTRAVERSION="-cairn"
+
+KERNEL_CONFIG_UPSTREAM="https://salsa.debian.org/kernel-team/linux/-/raw/debian/5.9.1-1/debian/config"
+
+SRC_URI="
+ ${KERNEL_UPSTREAM}
+
+ ${KERNEL_CONFIG_UPSTREAM}/config -> debian-kconfig-${PV}
+ x86? (
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config -> debian-kconfig-i386-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686 -> debian-kconfig-i686-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/i386/config.686-pae -> debian-kconfig-i686-pae-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ amd64? (
+ ${KERNEL_CONFIG_UPSTREAM}/amd64/config -> debian-kconfig-amd64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-x86/config -> debian-kconfig-kernelarch-x86-${PV}
+ )
+ arm64? (
+ ${KERNEL_CONFIG_UPSTREAM}/arm64/config -> debian-kconfig-arm64-${PV}
+ ${KERNEL_CONFIG_UPSTREAM}/kernelarch-arm/config -> debian-kconfig-kernelarch-arm-${PV}
+ )
+"
+
+S="$WORKDIR/linux-${KERNEL_VERSION}"
+
+# TODO: manage HARDENED_PATCHES and GENTOO_PATCHES
+# can be managed in a git repository and packed into tar balls per version.
+
+HARDENED_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/hardened-patches/"
+
+# 'linux-hardened' minimal patch set to compliment existing Kernel-Self-Protection-Project
+# 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+# 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+# 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+HARDENED_PATCHES=(
+ 0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
+ 0002-enable-HARDENED_USERCOPY-by-default.patch
+ 0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
+ 0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
+ 0005-set-kptr_restrict-2-by-default.patch
+ 0006-enable-DEBUG_LIST-by-default.patch
+ 0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
+ 0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
+ 0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
+ 0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
+ 0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
+ 0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
+ 0013-enable-FORTIFY_SOURCE-by-default.patch
+ 0014-enable-PANIC_ON_OOPS-by-default.patch
+ 0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
+ 0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
+ 0017-disable-X86_16BIT-by-default.patch
+ 0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
+ 0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
+ 0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
+ 0021-stop-hiding-AIO-behind-EXPERT.patch
+ 0022-disable-AIO-by-default.patch
+ 0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
+ 0024-disable-DEVPORT-by-default.patch
+ 0025-disable-PROC_VMCORE-by-default.patch
+ 0026-disable-NFS_DEBUG-by-default.patch
+ 0027-enable-DEBUG_WX-by-default.patch
+ 0028-disable-LEGACY_PTYS-by-default.patch
+ 0029-disable-DEVMEM-by-default.patch
+ 0030-enable-IO_STRICT_DEVMEM-by-default.patch
+ 0031-disable-COMPAT_BRK-by-default.patch
+ 0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
+ 0033-enable-protected_-symlinks-hardlinks-by-default.patch
+ 0034-enable-SECURITY-by-default.patch
+ 0035-enable-SECURITY_YAMA-by-default.patch
+ 0036-enable-SECURITY_NETWORK-by-default.patch
+ 0037-enable-AUDIT-by-default.patch
+ 0038-enable-SECURITY_SELINUX-by-default.patch
+ 0039-enable-SYN_COOKIES-by-default.patch
+ 0040-add-__read_only-for-non-init-related-usage.patch
+ 0041-make-sysctl-constants-read-only.patch
+ 0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
+ 0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
+ 0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
+ 0045-mark-kmem_cache-as-__ro_after_init.patch
+ 0046-mark-__supported_pte_mask-as-__ro_after_init.patch
+ 0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
+ 0048-mark-open_softirq-as-only-used-for-init.patch
+ 0049-remove-unused-softirq_action-callback-parameter.patch
+ 0050-mark-softirq_vec-as-__ro_after_init.patch
+ 0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
+ 0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
+ 0053-bug-on-PageSlab-PageCompound-in-ksize.patch
+ 0054-mm-add-support-for-verifying-page-sanitization.patch
+ 0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
+ 0056-slub-Add-support-for-verifying-slab-sanitization.patch
+ 0057-slub-add-multi-purpose-random-canaries.patch
+ 0058-security-perf-Allow-further-restriction-of-perf_even.patch
+ 0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
+ 0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+ 0061-add-kmalloc-krealloc-alloc_size-attributes.patch
+ 0062-add-vmalloc-alloc_size-attributes.patch
+ 0063-add-kvmalloc-alloc_size-attribute.patch
+ 0064-add-percpu-alloc_size-attributes.patch
+ 0065-add-alloc_pages_exact-alloc_size-attributes.patch
+ 0066-Add-the-extra_latent_entropy-kernel-parameter.patch
+ 0067-ata-avoid-null-pointer-dereference-on-bug.patch
+ 0068-sanity-check-for-negative-length-in-nla_memcpy.patch
+ 0069-add-page-destructor-sanity-check.patch
+ 0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
+ 0071-add-writable-function-pointer-detection.patch
+ 0072-support-overriding-early-audit-kernel-cmdline.patch
+ 0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
+ 0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
+ 0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
+ 0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
+ 0078-randomize-lower-bits-of-the-argument-block.patch
+ 0079-x86_64-match-arm64-brk-randomization-entropy.patch
+ 0080-support-randomizing-the-lower-bits-of-brk.patch
+ 0081-mm-randomize-lower-bits-of-brk.patch
+ 0082-x86-randomize-lower-bits-of-brk.patch
+ 0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
+ 0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
+ 0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
+ 0086-restrict-device-timing-side-channels.patch
+ 0087-add-toggle-for-disabling-newly-added-USB-devices.patch
+ 0088-hard-wire-legacy-checkreqprot-option-to-0.patch
+ 0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch
+ 0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
+ 0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
+ 0092-disable-unprivileged-eBPF-access-by-default.patch
+ 0093-enable-BPF-JIT-hardening-by-default-if-available.patch
+ 0094-enable-protected_-fifos-regular-by-default.patch
+ 0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
+ 0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
+ 0097-mm-Fix-extra_latent_entropy.patch
+ 0098-add-CONFIG-for-unprivileged_userns_clone.patch
+ 0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
+ 0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
+ 0101-add-CONFIG-for-unprivileged_userfaultfd.patch
+ 0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
+ 0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
+ 0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
+ 0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch
+ 0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
+ 0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
+ 0108-usb-implement-dedicated-subsystem-sysctl-tables.patch
+)
+
+GENTOO_PATCHES_DIR="${FILESDIR}/${KERNEL_VERSION}/gentoo-patches/"
+
+# Gentoo Linux 'genpatches' patch set
+# 1510_fs-enable-link-security-restrctions-by-default.patch is already provided in hardened patches
+# 4567_distro-Gentoo-Kconfiig TODO?
+GENTOO_PATCHES=(
+ 1500_XATTR_USER_PREFIX.patch
+# 1510_fs-enable-link-security-restrictions-by-default.patch
+ 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+ 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+ 2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch
+ 2920_sign-file-patch-for-libressl.patch
+# 4567_distro-Gentoo-Kconfig.patch
+)
+
+get_certs_dir() {
+ # find a certificate dir in /etc/kernel/certs/ that contains signing cert for modules.
+ for subdir in $PF $P linux; do
+ certdir=/etc/kernel/certs/$subdir
+ if [ -d $certdir ]; then
+ if [ ! -e $certdir/signing_key.pem ]; then
+ eerror "$certdir exists but missing signing key; exiting."
+ exit 1
+ fi
+ echo $certdir
+ return
+ fi
+ done
+}
+
+pkg_pretend() {
+ # Ensure we have enough disk space to compile
+ if use binary ; then
+ CHECKREQS_DISK_BUILD="5G"
+ check-reqs_pkg_setup
+ fi
+}
+
+pkg_setup() {
+ export REAL_ARCH="$ARCH"
+ unset ARCH; unset LDFLAGS #will interfere with Makefile if set
+}
+
+src_unpack() {
+
+ # unpack the kernel sources to ${WORKDIR}
+ unpack ${KERNEL_ARCHIVE} || die "failed to unpack kernel sources"
+
+ # unpack the various kconfig files into a single file
+ cat "${DISTDIR}"/debian-kconfig-* >> "${WORKDIR}"/debian-kconfig-${PV} || die "failed to unpack kconfig"
+}
+
+src_prepare() {
+
+ ### PATCHES ###
+
+ # only apply these if USE=hardened as the patches will break proprietary userspace and some others.
+ if use hardened; then
+ # apply hardening patches
+ einfo "Applying hardening patches ..."
+ for my_patch in ${HARDENED_PATCHES[*]} ; do
+ eapply "${HARDENED_PATCHES_DIR}/${my_patch}"
+ done
+ fi
+
+ # apply gentoo patches
+ einfo "Applying Gentoo Linux patches ..."
+ for my_patch in ${GENTOO_PATCHES[*]} ; do
+ eapply "${GENTOO_PATCHES_DIR}/${my_patch}"
+ done
+
+ if ! use hardened; then
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
+ fi
+
+ # Cairn Linux patches are misc fix-ups
+ einfo "Applying Cairn Linux patches ..."
+
+ # Restore export_kernel_fpu_functions for zfs
+ eapply "${FILESDIR}"/${KERNEL_VERSION}/export_kernel_fpu_functions.patch
+
+ # append EXTRAVERSION to the kernel sources Makefile
+ sed -i -e "s:^\(EXTRAVERSION =\).*:\1 ${KERNEL_EXTRAVERSION}:" Makefile || die "failed to append EXTRAVERSION to kernel Makefile"
+
+ # todo: look at this, haven't seen it used in many cases.
+ sed -i -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' Makefile || die "failed to fix-up INSTALL_PATH in kernel Makefile"
+
+ # copy the kconfig file into the kernel sources tree
+ cp "${WORKDIR}"/debian-kconfig-${PV} "${S}"/.config
+
+ ### TWEAK CONFIG ###
+
+ # Do not configure Debian devs certificates
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYS=""' >> .config
+
+ # enable IKCONFIG so that /proc/config.gz can be used for various checks
+ # TODO: Maybe not a good idea for USE=hardened, look into this...
+ echo "CONFIG_IKCONFIG=y" >> .config
+ echo "CONFIG_IKCONFIG_PROC=y" >> .config
+
+ if use custom-cflags; then
+ MARCH="$(python -c "import portage; print(portage.settings[\"CFLAGS\"])" | sed 's/ /\n/g' | grep "march")"
+ if [ -n "$MARCH" ]; then
+ sed -i -e 's/-mtune=generic/$MARCH/g' arch/x86/Makefile || die "Canna optimize this kernel anymore, captain!"
+ fi
+ fi
+
+ # only enable debugging symbols etc if USE=debug...
+ if use debug; then
+ echo "CONFIG_DEBUG_INFO=y" >> .config
+ else
+ echo "CONFIG_DEBUG_INFO=n" >> .config
+ fi
+
+ if use dtrace; then
+ echo "CONFIG_WAITFD=y" >> .config
+ fi
+
+ # these options should already be set, but are a hard dependency for ec2, so we ensure they are set if USE=ec2
+ if use ec2; then
+ echo "CONFIG_BLK_DEV_NVME=y" >> .config
+ echo "CONFIG_XEN_BLKDEV_FRONTEND=m" >> .config
+ echo "CONFIG_XEN_BLKDEV_BACKEND=m" >> .config
+ echo "CONFIG_IXGBEVF=m" >> .config
+ fi
+
+ # hardening opts
+ # TODO: document these
+ if use hardened; then
+ echo "CONFIG_AUDIT=y" >> .config
+ echo "CONFIG_EXPERT=y" >> .config
+ echo "CONFIG_SLUB_DEBUG=y" >> .config
+ echo "CONFIG_SLAB_MERGE_DEFAULT=n" >> .config
+ echo "CONFIG_SLAB_FREELIST_RANDOM=y" >> .config
+ echo "CONFIG_SLAB_FREELIST_HARDENED=y" >> .config
+ echo "CONFIG_SLAB_CANARY=y" >> .config
+ echo "CONFIG_SHUFFLE_PAGE_ALLOCATOR=y" >> .config
+ echo "CONFIG_RANDOMIZE_BASE=y" >> .config
+ echo "CONFIG_RANDOMIZE_MEMORY=y" >> .config
+ echo "CONFIG_HIBERNATION=n" >> .config
+ echo "CONFIG_HARDENED_USERCOPY=y" >> .config
+ echo "CONFIG_HARDENED_USERCOPY_FALLBACK=n" >> .config
+ echo "CONFIG_FORTIFY_SOURCE=y" >> .config
+ echo "CONFIG_STACKPROTECTOR=y" >> .config
+ echo "CONFIG_STACKPROTECTOR_STRONG=y" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_BITS=32" >> .config
+ echo "CONFIG_ARCH_MMAP_RND_COMPAT_BITS=16" >> .config
+ echo "CONFIG_INIT_ON_FREE_DEFAULT_ON=y" >> .config
+ echo "CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y" >> .config
+ echo "CONFIG_SLAB_SANITIZE_VERIFY=y" >> .config
+ echo "CONFIG_PAGE_SANITIZE_VERIFY=y" >> .config
+
+ # gcc plugins
+ if ! use clang; then
+ echo "CONFIG_GCC_PLUGINS=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_LATENT_ENTROPY=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_STACKLEAK=y" >> .config
+ echo "CONFIG_STACKLEAK_TRACK_MIN_SIZE=100" >> .config
+ echo "CONFIG_STACKLEAK_METRICS=n" >> .config
+ echo "CONFIG_STACKLEAK_RUNTIME_DISABLE=n" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT=y" >> .config
+ echo "CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=n" >> .config
+ fi
+
+ # main hardening options complete... anything after this point is a focus on disabling potential attack vectors
+ # i.e legacy drivers, new complex code that isn't yet proven, or code that we really don't want in a hardened kernel.
+ echo 'CONFIG_KEXEC=n' >> .config
+ echo "CONFIG_KEXEC_FILE=n" >> .config
+ echo 'CONFIG_KEXEC_SIG=n' >> .config
+ fi
+
+ # mcelog is deprecated, but there are still some valid use cases and requirements for it... so stick it behind a USE flag for optional kernel support.
+ if use mcelog; then
+ echo "CONFIG_X86_MCELOG_LEGACY=y" >> .config
+ fi
+
+ # sign kernel modules via
+ if use sign-modules; then
+ certs_dir=$(get_certs_dir)
+ echo
+ if [ -z "$certs_dir" ]; then
+ eerror "No certs dir found in /etc/kernel/certs; aborting."
+ die
+ else
+ einfo "Using certificate directory of $certs_dir for kernel module signing."
+ fi
+ echo
+ # turn on options for signing modules.
+ # first, remove existing configs and comments:
+ echo 'CONFIG_MODULE_SIG=""' >> .config
+
+ # now add our settings:
+ echo 'CONFIG_MODULE_SIG=y' >> .config
+ echo 'CONFIG_MODULE_SIG_FORCE=n' >> .config
+ echo 'CONFIG_MODULE_SIG_ALL=n' >> .config
+ echo 'CONFIG_MODULE_SIG_HASH="sha512"' >> .config
+ echo 'CONFIG_MODULE_SIG_KEY="${certs_dir}/signing_key.pem"' >> .config
+ echo 'CONFIG_SYSTEM_TRUSTED_KEYRING=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' >> .config
+ echo 'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE="4096"' >> .config
+ echo "CONFIG_MODULE_SIG_SHA512=y" >> .config
+
+ # print some info to warn user
+ ewarn "This kernel will ALLOW non-signed modules to be loaded with a WARNING."
+ ewarn "To enable strict enforcement, YOU MUST add module.sig_enforce=1 as a kernel boot"
+ ewarn "parameter (to params in /etc/boot.conf, and re-run boot-update.)"
+ echo
+ fi
+
+ # enable wireguard support within kernel
+ if use wireguard; then
+ echo 'CONFIG_WIREGUARD=m' >> .config
+ # there are some other options, but I need to verify them first, so I'll start with this
+ fi
+
+ # get config into good state:
+ yes "" | make oldconfig >/dev/null 2>&1 || die
+ cp .config "${T}"/.config || die
+ make -s mrproper || die "make mrproper failed"
+
+ # Apply any user patches
+ eapply_user
+}
+
+src_configure() {
+
+ if use binary; then
+
+ tc-export_build_env
+ MAKEARGS=(
+ V=1
+
+ HOSTCC="$(tc-getBUILD_CC)"
+ HOSTCXX="$(tc-getBUILD_CXX)"
+ HOSTCFLAGS="${BUILD_CFLAGS}"
+ HOSTLDFLAGS="${BUILD_LDFLAGS}"
+
+ CROSS_COMPILE=${CHOST}-
+ AS="$(tc-getAS)"
+ CC="$(tc-getCC)"
+ LD="$(tc-getLD)"
+ AR="$(tc-getAR)"
+ NM="$(tc-getNM)"
+ STRIP=":"
+ OBJCOPY="$(tc-getOBJCOPY)"
+ OBJDUMP="$(tc-getOBJDUMP)"
+
+ # we need to pass it to override colliding Gentoo envvar
+ ARCH=$(tc-arch-kernel)
+ )
+
+ mkdir -p "${WORKDIR}"/modprep || die
+ cp "${T}"/.config "${WORKDIR}"/modprep/ || die
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" olddefconfig || die "kernel configure failed"
+ emake O="${WORKDIR}"/modprep "${MAKEARGS[@]}" modules_prepare || die "modules_prepare failed"
+ cp -pR "${WORKDIR}"/modprep "${WORKDIR}"/build || die
+ fi
+}
+
+src_compile() {
+
+ if use binary; then
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" all || "kernel build failed"
+ fi
+}
+
+src_install() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for installkernel writes
+ # Disable sandbox
+ export SANDBOX_ON=0
+
+ # create sources directory if required
+ dodir /usr/src
+
+ # copy kernel sources into place
+ cp -a "${S}" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} || die "failed to install kernel sources"
+
+ # change to installed kernel sources directory
+ cd "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}
+
+ # prepare for real-world use and 3rd-party module building:
+ make mrproper || die "failed to prepare kernel sources"
+
+ # copy kconfig into place
+ cp "${T}"/.config .config || die "failed to copy kconfig from ${TEMPDIR}"
+
+ # if we didn't USE=binary - we're done.
+ # The kernel source tree is left in an unconfigured state - you can't compile 3rd-party modules against it yet.
+ if use binary; then
+ make prepare || die
+ make scripts || die
+
+ local targets=( modules_install )
+
+ # ARM / ARM64 requires dtb
+ if (use arm || use arm64); then
+ targets+=( dtbs_install )
+ fi
+
+ emake O="${WORKDIR}"/build "${MAKEARGS[@]}" INSTALL_MOD_PATH="${ED}" INSTALL_PATH="${ED}/boot" "${targets[@]}"
+ installkernel "${PV}${KERNEL_EXTRAVERSION}" "${WORKDIR}/build/arch/x86_64/boot/bzImage" "${WORKDIR}/build/System.map" "${EROOT}/boot"
+
+ # module symlink fix-up:
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to remove old kernel source symlink"
+ rm -rf "${D}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to remove old kernel build symlink"
+
+ # Set-up module symlinks:
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/source || die "failed to create kernel source symlink"
+ ln -s /usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${ED}"/lib/modules/${PV}${KERNEL_EXTRAVERSION}/build || die "failed to create kernel build symlink"
+
+ # Fixes FL-14
+ cp "${WORKDIR}/build/System.map" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install System.map"
+ cp "${WORKDIR}/build/Module.symvers" "${D}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION}/ || die "failed to install Module.symvers"
+
+ if use sign-modules; then
+ for x in $(find "${D}"/lib/modules -iname *.ko); do
+ # $certs_dir defined previously in this function.
+ ${WORKDIR}/build/scripts/sign-file sha512 $certs_dir/signing_key.pem $certs_dir/signing_key.x509 $x || die
+ done
+ # install the sign-file executable for future use.
+ exeinto /usr/src/linux-${PV}-${KERNEL_EXTRAVERSION}/scripts
+ doexe ${WORKDIR}/build/scripts/sign-file
+ fi
+ fi
+}
+
+pkg_postinst() {
+
+ # TODO: Change to SANDBOX_WRITE=".." for Dracut writes
+ export SANDBOX_ON=0
+
+ # if USE=symlink...
+ if use symlink; then
+ # delete the existing symlink if one exists
+ if [[ -h "${EROOT}"/usr/src/linux ]]; then
+ rm "${EROOT}"/usr/src/linux
+ fi
+ # and now symlink the newly installed sources
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING"
+ ewarn ""
+ ewarn "/usr/src/linux symlink automatically set to linux-${PV}${KERNEL_EXTRAVERSION}"
+ ewarn ""
+ ln -sf "${EROOT}"/usr/src/linux-${PV}${KERNEL_EXTRAVERSION} "${EROOT}"/usr/src/linux
+ fi
+
+ # if there's a modules folder for these sources, generate modules.dep and map files
+ if [[ -d ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} ]]; then
+ depmod -a ${PV}${KERNEL_EXTRAVERSION}
+ fi
+
+ # NOTE: WIP and not well tested yet.
+ #
+ # Dracut will build an initramfs when USE=binary.
+ #
+ # The initramfs will be configurable via USE, i.e.
+ # USE=zfs will pass '--zfs' to Dracut
+ # USE=-systemd will pass '--omit dracut-systemd systemd systemd-networkd systemd-initrd' to exclude these (Dracut) modules from the initramfs.
+ #
+ # NOTE 2: this will create a fairly.... minimal, and modular initramfs. It has been tested with things with ZFS and LUKS, and 'works'.
+ # Things like network support have not been tested (I am currently unsure how well this works with Gentoo Linux based systems),
+ # and may end up requiring network-manager for decent support (this really needs further research).
+ if use binary; then
+ einfo ""
+ einfo ">>> Dracut: building initramfs"
+ dracut \
+ --stdlog=1 \
+ --force \
+ --no-hostonly \
+ --add "base dm fs-lib i18n kernel-modules rootfs-block shutdown terminfo udev-rules usrmount" \
+ --omit "biosdevname bootchart busybox caps convertfs dash debug dmsquash-live dmsquash-live-ntfs fcoe fcoe-uefi fstab-sys gensplash ifcfg img-lib livenet mksh network network-manager qemu qemu-net rpmversion securityfs ssh-client stratis syslog url-lib" \
+ $(usex btrfs "-a btrfs" "-o btrfs") \
+ $(usex dmraid "-a dmraid" "-o dmraid") \
+ $(usex hardened "-o resume" "-a resume") \
+ $(usex iscsi "-a iscsi" "-o iscsi") \
+ $(usex lvm "-a lvm" "-o lvm") \
+ $(usex lvm "--lvmconf" "--nolvmconf") \
+ $(usex luks "-a crypt" "-o crypt") \
+ $(usex mdadm "--mdadmconf" "--nomdadmconf") \
+ $(usex mdadm "-a mdraid" "-o mdraid") \
+ $(usex microcode "--early-microcode" "--no-early-microcode") \
+ $(usex multipath "-a multipath" "-o multipath") \
+ $(usex nbd "-a nbd" "-o nbd") \
+ $(usex nfs "-a nfs" "-o nfs") \
+ $(usex plymouth "-a plymouth" "-o plymouth") \
+ $(usex selinux "-a selinux" "-o selinux") \
+ $(usex systemd "-a systemd -a systemd-initrd -a systemd-networkd" "-o systemd -o systemd-initrd -o systemd-networkd") \
+ $(usex zfs "-a zfs" "-o zfs") \
+ --kver ${PV}${KERNEL_EXTRAVERSION} \
+ --kmoddir ${EROOT}/lib/modules/${PV}${KERNEL_EXTRAVERSION} \
+ --fwdir ${EROOT}/lib/firmware \
+ --kernel-image ${EROOT}/boot/vmlinuz-${PV}${KERNEL_EXTRAVERSION}
+ einfo ""
+ einfo ">>> Dracut: Finished building initramfs"
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Dracut initramfs has been generated!"
+ ewarn ""
+ ewarn "Required kernel arguments:"
+ ewarn ""
+ ewarn " root=/dev/ROOT"
+ ewarn ""
+ ewarn " Where ROOT is the device node for your root partition as the"
+ ewarn " one specified in /etc/fstab"
+ ewarn ""
+ ewarn "Additional kernel cmdline arguments that *may* be required to boot properly..."
+ ewarn ""
+ ewarn "If you use hibernation:"
+ ewarn ""
+ ewarn " resume=/dev/SWAP"
+ ewarn ""
+ ewarn " Where $SWAP is the swap device used by hibernate software of your choice."
+ ewarn""
+ ewarn " Please consult "man 7 dracut.kernel" for additional kernel arguments."
+ fi
+
+ # warn about the issues with running a hardened kernel
+ if use hardened; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "Hardened patches have been applied to the kernel and KCONFIG options have been set."
+ ewarn "These KCONFIG options and patches change kernel behavior."
+ ewarn "Changes include:"
+ ewarn "Increased entropy for Address Space Layout Randomization"
+ ewarn "GCC plugins (if using GCC)"
+ ewarn "Memory allocation"
+ ewarn "... and more"
+ ewarn ""
+ ewarn "These changes will stop certain programs from functioning"
+ ewarn "e.g. VirtualBox, Skype"
+ ewarn "Full information available in $DOCUMENTATION"
+ ewarn ""
+ fi
+
+ # if there are out-of-tree kernel modules detected, warn warn warn
+ # TODO: tidy up below
+ if use binary && [[ -e "${EROOT}"/var/lib/module-rebuild/moduledb ]]; then
+ ewarn ""
+ ewarn "WARNING... WARNING... WARNING..."
+ ewarn ""
+ ewarn "External kernel modules are not yet automatically built"
+ ewarn "by USE=binary - emerge @modules-rebuild to do this"
+ ewarn "and regenerate your initramfs if you are using ZFS root filesystem"
+ ewarn ""
+ fi
+
+ if use binary; then
+ if [[ -e /etc/boot.conf ]]; then
+ ego boot update
+ fi
+ fi
+}
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/0000_README b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/0000_README
new file mode 100644
index 000000000000..4ad6d6952243
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/0000_README
@@ -0,0 +1,116 @@
+README
+--------------------------------------------------------------------------
+This patchset is to be the series of patches for gentoo-sources.
+It is designed for cross-compatibility, fixes and stability, with performance
+and additional features/driver support being a second.
+
+Unless otherwise stated and marked as such, this kernel should be suitable for
+all environments.
+
+
+Patchset Numbering Scheme
+--------------------------------------------------------------------------
+
+FIXES
+1000-1400 linux-stable
+1400-1500 linux-stable queue
+1500-1700 security
+1700-1800 architecture-related
+1800-1900 mm/scheduling/misc
+1900-2000 filesystems
+2000-2100 networking core
+2100-2200 storage core
+2200-2300 power management (ACPI, APM)
+2300-2400 bus (USB, IEEE1394, PCI, PCMCIA, ...)
+2400-2500 network drivers
+2500-2600 storage drivers
+2600-2700 input
+2700-2900 media (graphics, sound, tv)
+2900-3000 other
+3000-4000 reserved
+
+FEATURES
+4000-4100 network
+4100-4200 storage
+4200-4300 graphics
+4300-4400 filesystem
+4400-4500 security enhancement
+4500-4600 other
+
+EXPERIMENTAL
+5000-5100 experimental patches (BFQ, ...)
+
+Individual Patch Descriptions:
+--------------------------------------------------------------------------
+
+Patch: 1000_linux-5.10.1.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.1
+
+Patch: 1001_linux-5.10.2.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.2
+
+Patch: 1002_linux-5.10.3.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.3
+
+Patch: 1003_linux-5.10.4.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.4
+
+Patch: 1004_linux-5.10.5.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.5
+
+Patch: 1005_linux-5.10.6.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.6
+
+Patch: 1006_linux-5.10.7.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.7
+
+Patch: 1007_linux-5.10.8.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.8
+
+Patch: 1008_linux-5.10.9.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.9
+
+Patch: 1009_linux-5.10.10.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.10
+
+Patch: 1500_XATTR_USER_PREFIX.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=470644
+Desc: Support for namespace user.pax.* on tmpfs.
+
+Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
+From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
+Desc: Enable link security restrictions by default.
+
+Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/raw
+Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
+
+Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+From: https://bugs.gentoo.org/710790
+Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino
+
+Patch: 2920_sign-file-patch-for-libressl.patch
+From: https://bugs.gentoo.org/717166
+Desc: sign-file: full functionality with modern LibreSSL
+
+Patch: 4567_distro-Gentoo-Kconfig.patch
+From: Tom Wijsman <TomWij@gentoo.org>
+Desc: Add Gentoo Linux support config settings and defaults.
+
+Patch: 5000_shifts-ubuntu-20.04.patch
+From: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal
+Desc: UID/GID shifting overlay filesystem for containers
+
+Patch: 5013_enable-cpu-optimizations-for-gcc10.patch
+From: https://github.com/graysky2/kernel_gcc_patch/
+Desc: Kernel patch enables gcc = v10.1+ optimizations for additional CPUs.
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..245dcc29fa56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..f0ed144fb17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..394ad48fc20c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..433568579cab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..e6ec017d46c8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..e754a3e6e459
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,169 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-09-24 03:06:47.590000000 -0400
++++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
+@@ -0,0 +1,158 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++ select USER_NS
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
diff --git a/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
new file mode 100644
index 000000000000..665fc660b0de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
@@ -0,0 +1,2203 @@
+--- /dev/null 2021-01-08 13:33:13.190303432 -0500
++++ b/fs/shiftfs.c 2021-01-08 19:02:40.000000000 -0500
+@@ -0,0 +1,2157 @@
++#include <linux/btrfs.h>
++#include <linux/capability.h>
++#include <linux/cred.h>
++#include <linux/mount.h>
++#include <linux/fdtable.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/namei.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/magic.h>
++#include <linux/parser.h>
++#include <linux/security.h>
++#include <linux/seq_file.h>
++#include <linux/statfs.h>
++#include <linux/slab.h>
++#include <linux/user_namespace.h>
++#include <linux/uidgid.h>
++#include <linux/xattr.h>
++#include <linux/posix_acl.h>
++#include <linux/posix_acl_xattr.h>
++#include <linux/uio.h>
++#include <linux/fiemap.h>
++
++struct shiftfs_super_info {
++ struct vfsmount *mnt;
++ struct user_namespace *userns;
++ /* creds of process who created the super block */
++ const struct cred *creator_cred;
++ bool mark;
++ unsigned int passthrough;
++ unsigned int passthrough_mark;
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry);
++
++#define SHIFTFS_PASSTHROUGH_NONE 0
++#define SHIFTFS_PASSTHROUGH_STAT 1
++#define SHIFTFS_PASSTHROUGH_IOCTL 2
++#define SHIFTFS_PASSTHROUGH_ALL \
++ (SHIFTFS_PASSTHROUGH_STAT | SHIFTFS_PASSTHROUGH_IOCTL)
++
++static inline bool shiftfs_passthrough_ioctls(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_IOCTL))
++ return false;
++
++ return true;
++}
++
++static inline bool shiftfs_passthrough_statfs(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_STAT))
++ return false;
++
++ return true;
++}
++
++enum {
++ OPT_MARK,
++ OPT_PASSTHROUGH,
++ OPT_LAST,
++};
++
++/* global filesystem options */
++static const match_table_t tokens = {
++ { OPT_MARK, "mark" },
++ { OPT_PASSTHROUGH, "passthrough=%u" },
++ { OPT_LAST, NULL }
++};
++
++static const struct cred *shiftfs_override_creds(const struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ return override_creds(sbinfo->creator_cred);
++}
++
++static inline void shiftfs_revert_object_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ revert_creds(oldcred);
++ put_cred(newcred);
++}
++
++static kuid_t shift_kuid(struct user_namespace *from, struct user_namespace *to,
++ kuid_t kuid)
++{
++ uid_t uid = from_kuid(from, kuid);
++ return make_kuid(to, uid);
++}
++
++static kgid_t shift_kgid(struct user_namespace *from, struct user_namespace *to,
++ kgid_t kgid)
++{
++ gid_t gid = from_kgid(from, kgid);
++ return make_kgid(to, gid);
++}
++
++static int shiftfs_override_object_creds(const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred,
++ struct dentry *dentry, umode_t mode,
++ bool hardlink)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ if (!hardlink) {
++ int err = security_dentry_create_files_as(dentry, mode,
++ &dentry->d_name,
++ *oldcred, *newcred);
++ if (err) {
++ shiftfs_revert_object_creds(*oldcred, *newcred);
++ return err;
++ }
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static void shiftfs_copyattr(struct inode *from, struct inode *to)
++{
++ struct user_namespace *from_ns = from->i_sb->s_user_ns;
++ struct user_namespace *to_ns = to->i_sb->s_user_ns;
++
++ to->i_uid = shift_kuid(from_ns, to_ns, from->i_uid);
++ to->i_gid = shift_kgid(from_ns, to_ns, from->i_gid);
++ to->i_mode = from->i_mode;
++ to->i_atime = from->i_atime;
++ to->i_mtime = from->i_mtime;
++ to->i_ctime = from->i_ctime;
++ i_size_write(to, i_size_read(from));
++}
++
++static void shiftfs_copyflags(struct inode *from, struct inode *to)
++{
++ unsigned int mask = S_SYNC | S_IMMUTABLE | S_APPEND | S_NOATIME;
++
++ inode_set_flags(to, from->i_flags & mask, mask);
++}
++
++static void shiftfs_file_accessed(struct file *file)
++{
++ struct inode *upperi, *loweri;
++
++ if (file->f_flags & O_NOATIME)
++ return;
++
++ upperi = file_inode(file);
++ loweri = upperi->i_private;
++
++ if (!loweri)
++ return;
++
++ upperi->i_mtime = loweri->i_mtime;
++ upperi->i_ctime = loweri->i_ctime;
++
++ touch_atime(&file->f_path);
++}
++
++static int shiftfs_parse_mount_options(struct shiftfs_super_info *sbinfo,
++ char *options)
++{
++ char *p;
++ substring_t args[MAX_OPT_ARGS];
++
++ sbinfo->mark = false;
++ sbinfo->passthrough = 0;
++
++ while ((p = strsep(&options, ",")) != NULL) {
++ int err, intarg, token;
++
++ if (!*p)
++ continue;
++
++ token = match_token(p, tokens, args);
++ switch (token) {
++ case OPT_MARK:
++ sbinfo->mark = true;
++ break;
++ case OPT_PASSTHROUGH:
++ err = match_int(&args[0], &intarg);
++ if (err)
++ return err;
++
++ if (intarg & ~SHIFTFS_PASSTHROUGH_ALL)
++ return -EINVAL;
++
++ sbinfo->passthrough = intarg;
++ break;
++ default:
++ return -EINVAL;
++ }
++ }
++
++ return 0;
++}
++
++static void shiftfs_d_release(struct dentry *dentry)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (lowerd)
++ dput(lowerd);
++}
++
++static struct dentry *shiftfs_d_real(struct dentry *dentry,
++ const struct inode *inode)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (inode && d_inode(dentry) == inode)
++ return dentry;
++
++ lowerd = d_real(lowerd, inode);
++ if (lowerd && (!inode || inode == d_inode(lowerd)))
++ return lowerd;
++
++ WARN(1, "shiftfs_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
++ inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
++ return dentry;
++}
++
++static int shiftfs_d_weak_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_is_negative(lowerd) != d_is_negative(dentry))
++ return 0;
++
++ if ((lowerd->d_flags & DCACHE_OP_WEAK_REVALIDATE))
++ err = lowerd->d_op->d_weak_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static int shiftfs_d_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_unhashed(lowerd) ||
++ ((d_is_negative(lowerd) != d_is_negative(dentry))))
++ return 0;
++
++ if (flags & LOOKUP_RCU)
++ return -ECHILD;
++
++ if ((lowerd->d_flags & DCACHE_OP_REVALIDATE))
++ err = lowerd->d_op->d_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static const struct dentry_operations shiftfs_dentry_ops = {
++ .d_release = shiftfs_d_release,
++ .d_real = shiftfs_d_real,
++ .d_revalidate = shiftfs_d_revalidate,
++ .d_weak_revalidate = shiftfs_d_weak_revalidate,
++};
++
++static const char *shiftfs_get_link(struct dentry *dentry, struct inode *inode,
++ struct delayed_call *done)
++{
++ const char *p;
++ const struct cred *oldcred;
++ struct dentry *lowerd;
++
++ /* RCU lookup not supported */
++ if (!dentry)
++ return ERR_PTR(-ECHILD);
++
++ lowerd = dentry->d_fsdata;
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ p = vfs_get_link(lowerd, done);
++ revert_creds(oldcred);
++
++ return p;
++}
++
++static int shiftfs_setxattr(struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_setxattr(lowerd, name, value, size, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(lowerd->d_inode, inode);
++
++ return err;
++}
++
++static int shiftfs_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *value, size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_getxattr(lowerd, name, value, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static ssize_t shiftfs_listxattr(struct dentry *dentry, char *list,
++ size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_listxattr(lowerd, list, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_removexattr(struct dentry *dentry, const char *name)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_removexattr(lowerd, name);
++ revert_creds(oldcred);
++
++ /* update c/mtime */
++ shiftfs_copyattr(lowerd->d_inode, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value, size_t size,
++ int flags)
++{
++ if (!value)
++ return shiftfs_removexattr(dentry, name);
++ return shiftfs_setxattr(dentry, inode, name, value, size, flags);
++}
++
++static int shiftfs_inode_test(struct inode *inode, void *data)
++{
++ return inode->i_private == data;
++}
++
++static int shiftfs_inode_set(struct inode *inode, void *data)
++{
++ inode->i_private = data;
++ return 0;
++}
++
++static int shiftfs_create_object(struct inode *diri, struct dentry *dentry,
++ umode_t mode, const char *symlink,
++ struct dentry *hardlink, bool excl)
++{
++ int err;
++ const struct cred *oldcred;
++ struct cred *newcred;
++ void *loweri_iop_ptr = NULL;
++ umode_t modei = mode;
++ struct super_block *dir_sb = diri->i_sb;
++ struct dentry *lowerd_new = dentry->d_fsdata;
++ struct inode *inode = NULL, *loweri_dir = diri->i_private;
++ const struct inode_operations *loweri_dir_iop = loweri_dir->i_op;
++ struct dentry *lowerd_link = NULL;
++
++ if (hardlink) {
++ loweri_iop_ptr = loweri_dir_iop->link;
++ } else {
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ loweri_iop_ptr = loweri_dir_iop->mkdir;
++ break;
++ case S_IFREG:
++ loweri_iop_ptr = loweri_dir_iop->create;
++ break;
++ case S_IFLNK:
++ loweri_iop_ptr = loweri_dir_iop->symlink;
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ loweri_iop_ptr = loweri_dir_iop->mknod;
++ break;
++ }
++ }
++ if (!loweri_iop_ptr) {
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ inode_lock_nested(loweri_dir, I_MUTEX_PARENT);
++
++ if (!hardlink) {
++ inode = new_inode(dir_sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_iput;
++ }
++
++ /*
++ * new_inode() will have added the new inode to the super
++ * block's list of inodes. Further below we will call
++ * inode_insert5() Which would perform the same operation again
++ * thereby corrupting the list. To avoid this raise I_CREATING
++ * in i_state which will cause inode_insert5() to skip this
++ * step. I_CREATING will be cleared by d_instantiate_new()
++ * below.
++ */
++ spin_lock(&inode->i_lock);
++ inode->i_state |= I_CREATING;
++ spin_unlock(&inode->i_lock);
++
++ inode_init_owner(inode, diri, mode);
++ modei = inode->i_mode;
++ }
++
++ err = shiftfs_override_object_creds(dentry->d_sb, &oldcred, &newcred,
++ dentry, modei, hardlink != NULL);
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ lowerd_link = hardlink->d_fsdata;
++ err = vfs_link(lowerd_link, loweri_dir, lowerd_new, NULL);
++ } else {
++ switch (modei & S_IFMT) {
++ case S_IFDIR:
++ err = vfs_mkdir(loweri_dir, lowerd_new, modei);
++ break;
++ case S_IFREG:
++ err = vfs_create(loweri_dir, lowerd_new, modei, excl);
++ break;
++ case S_IFLNK:
++ err = vfs_symlink(loweri_dir, lowerd_new, symlink);
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ err = vfs_mknod(loweri_dir, lowerd_new, modei, 0);
++ break;
++ default:
++ err = -EINVAL;
++ break;
++ }
++ }
++
++ shiftfs_revert_object_creds(oldcred, newcred);
++
++ if (!err && WARN_ON(!lowerd_new->d_inode))
++ err = -EIO;
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ inode = d_inode(hardlink);
++ ihold(inode);
++
++ /* copy up times from lower inode */
++ shiftfs_copyattr(d_inode(lowerd_link), inode);
++ set_nlink(d_inode(hardlink), d_inode(lowerd_link)->i_nlink);
++ d_instantiate(dentry, inode);
++ } else {
++ struct inode *inode_tmp;
++ struct inode *loweri_new = d_inode(lowerd_new);
++
++ inode_tmp = inode_insert5(inode, (unsigned long)loweri_new,
++ shiftfs_inode_test, shiftfs_inode_set,
++ loweri_new);
++ if (unlikely(inode_tmp != inode)) {
++ pr_err_ratelimited("shiftfs: newly created inode found in cache\n");
++ iput(inode_tmp);
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ ihold(loweri_new);
++ shiftfs_fill_inode(inode, loweri_new->i_ino, loweri_new->i_mode,
++ 0, lowerd_new);
++ d_instantiate_new(dentry, inode);
++ }
++
++ shiftfs_copyattr(loweri_dir, diri);
++ if (loweri_iop_ptr == loweri_dir_iop->mkdir)
++ set_nlink(diri, loweri_dir->i_nlink);
++
++ inode = NULL;
++
++out_iput:
++ iput(inode);
++ inode_unlock(loweri_dir);
++
++ return err;
++}
++
++static int shiftfs_create(struct inode *dir, struct dentry *dentry,
++ umode_t mode, bool excl)
++{
++ mode |= S_IFREG;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, excl);
++}
++
++static int shiftfs_mkdir(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ mode |= S_IFDIR;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_link(struct dentry *hardlink, struct inode *dir,
++ struct dentry *dentry)
++{
++ return shiftfs_create_object(dir, dentry, 0, NULL, hardlink, false);
++}
++
++static int shiftfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
++ dev_t rdev)
++{
++ if (!S_ISFIFO(mode) && !S_ISSOCK(mode))
++ return -EPERM;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_symlink(struct inode *dir, struct dentry *dentry,
++ const char *symlink)
++{
++ return shiftfs_create_object(dir, dentry, S_IFLNK, symlink, NULL, false);
++}
++
++static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++ struct inode *inode = d_inode(dentry);
++ int err;
++ const struct cred *oldcred;
++
++ dget(lowerd);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ inode_lock_nested(loweri, I_MUTEX_PARENT);
++ if (rmdir)
++ err = vfs_rmdir(loweri, lowerd);
++ else
++ err = vfs_unlink(loweri, lowerd, NULL);
++ revert_creds(oldcred);
++
++ if (!err) {
++ d_drop(dentry);
++
++ if (rmdir)
++ clear_nlink(inode);
++ else
++ drop_nlink(inode);
++ }
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, dir);
++ dput(lowerd);
++
++ return err;
++}
++
++static int shiftfs_unlink(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, false);
++}
++
++static int shiftfs_rmdir(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, true);
++}
++
++static int shiftfs_rename(struct inode *olddir, struct dentry *old,
++ struct inode *newdir, struct dentry *new,
++ unsigned int flags)
++{
++ struct dentry *lowerd_dir_old = old->d_parent->d_fsdata,
++ *lowerd_dir_new = new->d_parent->d_fsdata,
++ *lowerd_old = old->d_fsdata, *lowerd_new = new->d_fsdata,
++ *trapd;
++ struct inode *loweri_dir_old = lowerd_dir_old->d_inode,
++ *loweri_dir_new = lowerd_dir_new->d_inode;
++ int err = -EINVAL;
++ const struct cred *oldcred;
++
++ trapd = lock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ if (trapd == lowerd_old || trapd == lowerd_new)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(old->d_sb);
++ err = vfs_rename(loweri_dir_old, lowerd_old, loweri_dir_new, lowerd_new,
++ NULL, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(loweri_dir_old, olddir);
++ shiftfs_copyattr(loweri_dir_new, newdir);
++
++out_unlock:
++ unlock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ return err;
++}
++
++static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry *dentry,
++ unsigned int flags)
++{
++ struct dentry *new;
++ struct inode *newi;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_parent->d_fsdata;
++ struct inode *inode = NULL, *loweri = lowerd->d_inode;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ new = lookup_one_len(dentry->d_name.name, lowerd, dentry->d_name.len);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ if (IS_ERR(new))
++ return new;
++
++ dentry->d_fsdata = new;
++
++ newi = new->d_inode;
++ if (!newi)
++ goto out;
++
++ inode = iget5_locked(dentry->d_sb, (unsigned long)newi,
++ shiftfs_inode_test, shiftfs_inode_set, newi);
++ if (!inode) {
++ dput(new);
++ return ERR_PTR(-ENOMEM);
++ }
++ if (inode->i_state & I_NEW) {
++ /*
++ * inode->i_private set by shiftfs_inode_set(), but we still
++ * need to take a reference
++ */
++ ihold(newi);
++ shiftfs_fill_inode(inode, newi->i_ino, newi->i_mode, 0, new);
++ unlock_new_inode(inode);
++ }
++
++out:
++ return d_splice_alias(inode, dentry);
++}
++
++static int shiftfs_permission(struct inode *inode, int mask)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri) {
++ WARN_ON(!(mask & MAY_NOT_BLOCK));
++ return -ECHILD;
++ }
++
++ err = generic_permission(inode, mask);
++ if (err)
++ return err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = inode_permission(loweri, mask);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_fiemap(struct inode *inode,
++ struct fiemap_extent_info *fieinfo, u64 start,
++ u64 len)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri->i_op->fiemap)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ if (fieinfo->fi_flags & FIEMAP_FLAG_SYNC)
++ filemap_write_and_wait(loweri->i_mapping);
++ err = loweri->i_op->fiemap(loweri, fieinfo, start, len);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_tmpfile(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ int err;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++
++ if (!loweri->i_op->tmpfile)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(dir->i_sb);
++ err = loweri->i_op->tmpfile(loweri, lowerd, mode);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_setattr(struct dentry *dentry, struct iattr *attr)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct iattr newattr;
++ const struct cred *oldcred;
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ int err;
++
++ err = setattr_prepare(dentry, attr);
++ if (err)
++ return err;
++
++ newattr = *attr;
++ newattr.ia_uid = shift_kuid(sb->s_user_ns, sbinfo->userns, attr->ia_uid);
++ newattr.ia_gid = shift_kgid(sb->s_user_ns, sbinfo->userns, attr->ia_gid);
++
++ /*
++ * mode change is for clearing setuid/setgid bits. Allow lower fs
++ * to interpret this in its own way.
++ */
++ if (newattr.ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
++ newattr.ia_valid &= ~ATTR_MODE;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = notify_change(lowerd, &newattr, NULL);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_getattr(const struct path *path, struct kstat *stat,
++ u32 request_mask, unsigned int query_flags)
++{
++ struct inode *inode = path->dentry->d_inode;
++ struct dentry *lowerd = path->dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct shiftfs_super_info *info = path->dentry->d_sb->s_fs_info;
++ struct path newpath = { .mnt = info->mnt, .dentry = lowerd };
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ const struct cred *oldcred;
++ int err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = vfs_getattr(&newpath, stat, request_mask, query_flags);
++ revert_creds(oldcred);
++
++ if (err)
++ return err;
++
++ /* transform the underlying id */
++ stat->uid = shift_kuid(from_ns, to_ns, stat->uid);
++ stat->gid = shift_kgid(from_ns, to_ns, stat->gid);
++ return 0;
++}
++
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++
++static int
++shift_acl_ids(struct user_namespace *from, struct user_namespace *to,
++ struct posix_acl *acl)
++{
++ int i;
++
++ for (i = 0; i < acl->a_count; i++) {
++ struct posix_acl_entry *e = &acl->a_entries[i];
++ switch(e->e_tag) {
++ case ACL_USER:
++ e->e_uid = shift_kuid(from, to, e->e_uid);
++ if (!uid_valid(e->e_uid))
++ return -EOVERFLOW;
++ break;
++ case ACL_GROUP:
++ e->e_gid = shift_kgid(from, to, e->e_gid);
++ if (!gid_valid(e->e_gid))
++ return -EOVERFLOW;
++ break;
++ }
++ }
++ return 0;
++}
++
++static void
++shift_acl_xattr_ids(struct user_namespace *from, struct user_namespace *to,
++ void *value, size_t size)
++{
++ struct posix_acl_xattr_header *header = value;
++ struct posix_acl_xattr_entry *entry = (void *)(header + 1), *end;
++ int count;
++ kuid_t kuid;
++ kgid_t kgid;
++
++ if (!value)
++ return;
++ if (size < sizeof(struct posix_acl_xattr_header))
++ return;
++ if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
++ return;
++
++ count = posix_acl_xattr_count(size);
++ if (count < 0)
++ return;
++ if (count == 0)
++ return;
++
++ for (end = entry + count; entry != end; entry++) {
++ switch(le16_to_cpu(entry->e_tag)) {
++ case ACL_USER:
++ kuid = make_kuid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kuid = shift_kuid(from, to, kuid);
++ entry->e_id = cpu_to_le32(from_kuid(&init_user_ns, kuid));
++ break;
++ case ACL_GROUP:
++ kgid = make_kgid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kgid = shift_kgid(from, to, kgid);
++ entry->e_id = cpu_to_le32(from_kgid(&init_user_ns, kgid));
++ break;
++ default:
++ break;
++ }
++ }
++}
++
++static struct posix_acl *shiftfs_get_acl(struct inode *inode, int type)
++{
++ struct inode *loweri = inode->i_private;
++ const struct cred *oldcred;
++ struct posix_acl *lower_acl, *acl = NULL;
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ int size;
++ int err;
++
++ if (!IS_POSIXACL(loweri))
++ return NULL;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ lower_acl = get_acl(loweri, type);
++ revert_creds(oldcred);
++
++ if (lower_acl && !IS_ERR(lower_acl)) {
++ /* XXX: export posix_acl_clone? */
++ size = sizeof(struct posix_acl) +
++ lower_acl->a_count * sizeof(struct posix_acl_entry);
++ acl = kmemdup(lower_acl, size, GFP_KERNEL);
++ posix_acl_release(lower_acl);
++
++ if (!acl)
++ return ERR_PTR(-ENOMEM);
++
++ refcount_set(&acl->a_refcount, 1);
++
++ err = shift_acl_ids(from_ns, to_ns, acl);
++ if (err) {
++ kfree(acl);
++ return ERR_PTR(err);
++ }
++ }
++
++ return acl;
++}
++
++static int
++shiftfs_posix_acl_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *buffer, size_t size)
++{
++ struct inode *loweri = inode->i_private;
++ int ret;
++
++ ret = shiftfs_xattr_get(NULL, dentry, inode, handler->name,
++ buffer, size);
++ if (ret < 0)
++ return ret;
++
++ inode_lock(loweri);
++ shift_acl_xattr_ids(loweri->i_sb->s_user_ns, inode->i_sb->s_user_ns,
++ buffer, size);
++ inode_unlock(loweri);
++ return ret;
++}
++
++static int
++shiftfs_posix_acl_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct inode *loweri = inode->i_private;
++ int err;
++
++ if (!IS_POSIXACL(loweri) || !loweri->i_op->set_acl)
++ return -EOPNOTSUPP;
++ if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
++ return value ? -EACCES : 0;
++ if (!inode_owner_or_capable(inode))
++ return -EPERM;
++
++ if (value) {
++ shift_acl_xattr_ids(inode->i_sb->s_user_ns,
++ loweri->i_sb->s_user_ns,
++ (void *)value, size);
++ err = shiftfs_setxattr(dentry, inode, handler->name, value,
++ size, flags);
++ } else {
++ err = shiftfs_removexattr(dentry, handler->name);
++ }
++
++ if (!err)
++ shiftfs_copyattr(loweri, inode);
++
++ return err;
++}
++
++static const struct xattr_handler
++shiftfs_posix_acl_access_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_ACCESS,
++ .flags = ACL_TYPE_ACCESS,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++static const struct xattr_handler
++shiftfs_posix_acl_default_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_DEFAULT,
++ .flags = ACL_TYPE_DEFAULT,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++#else /* !CONFIG_SHIFT_FS_POSIX_ACL */
++
++#define shiftfs_get_acl NULL
++
++#endif /* CONFIG_SHIFT_FS_POSIX_ACL */
++
++static const struct inode_operations shiftfs_dir_inode_operations = {
++ .lookup = shiftfs_lookup,
++ .mkdir = shiftfs_mkdir,
++ .symlink = shiftfs_symlink,
++ .unlink = shiftfs_unlink,
++ .rmdir = shiftfs_rmdir,
++ .rename = shiftfs_rename,
++ .link = shiftfs_link,
++ .setattr = shiftfs_setattr,
++ .create = shiftfs_create,
++ .mknod = shiftfs_mknod,
++ .permission = shiftfs_permission,
++ .getattr = shiftfs_getattr,
++ .listxattr = shiftfs_listxattr,
++ .get_acl = shiftfs_get_acl,
++};
++
++static const struct inode_operations shiftfs_file_inode_operations = {
++ .fiemap = shiftfs_fiemap,
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++ .tmpfile = shiftfs_tmpfile,
++};
++
++static const struct inode_operations shiftfs_special_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++};
++
++static const struct inode_operations shiftfs_symlink_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_link = shiftfs_get_link,
++ .listxattr = shiftfs_listxattr,
++ .setattr = shiftfs_setattr,
++};
++
++static struct file *shiftfs_open_realfile(const struct file *file,
++ struct inode *realinode)
++{
++ struct file *realfile;
++ const struct cred *old_cred;
++ struct inode *inode = file_inode(file);
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ old_cred = shiftfs_override_creds(inode->i_sb);
++ realfile = open_with_fake_path(&realpath, file->f_flags, realinode,
++ info->creator_cred);
++ revert_creds(old_cred);
++
++ return realfile;
++}
++
++#define SHIFTFS_SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT)
++
++static int shiftfs_change_flags(struct file *file, unsigned int flags)
++{
++ struct inode *inode = file_inode(file);
++ int err;
++
++ /* if some flag changed that cannot be changed then something's amiss */
++ if (WARN_ON((file->f_flags ^ flags) & ~SHIFTFS_SETFL_MASK))
++ return -EIO;
++
++ flags &= SHIFTFS_SETFL_MASK;
++
++ if (((flags ^ file->f_flags) & O_APPEND) && IS_APPEND(inode))
++ return -EPERM;
++
++ if (flags & O_DIRECT) {
++ if (!file->f_mapping->a_ops ||
++ !file->f_mapping->a_ops->direct_IO)
++ return -EINVAL;
++ }
++
++ if (file->f_op->check_flags) {
++ err = file->f_op->check_flags(flags);
++ if (err)
++ return err;
++ }
++
++ spin_lock(&file->f_lock);
++ file->f_flags = (file->f_flags & ~SHIFTFS_SETFL_MASK) | flags;
++ spin_unlock(&file->f_lock);
++
++ return 0;
++}
++
++static int shiftfs_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++
++ realfile = shiftfs_open_realfile(file, inode->i_private);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO. */
++ file->f_mapping = realfile->f_mapping;
++
++ return 0;
++}
++
++static int shiftfs_dir_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++ const struct cred *oldcred;
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ realfile = dentry_open(&realpath, file->f_flags | O_NOATIME,
++ info->creator_cred);
++ revert_creds(oldcred);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++
++ return 0;
++}
++
++static int shiftfs_release(struct inode *inode, struct file *file)
++{
++ struct file *realfile = file->private_data;
++
++ if (realfile)
++ fput(realfile);
++
++ return 0;
++}
++
++static int shiftfs_dir_release(struct inode *inode, struct file *file)
++{
++ return shiftfs_release(inode, file);
++}
++
++static loff_t shiftfs_dir_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct file *realfile = file->private_data;
++
++ return vfs_llseek(realfile, offset, whence);
++}
++
++static loff_t shiftfs_file_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct inode *realinode = file_inode(file)->i_private;
++
++ return generic_file_llseek_size(file, offset, whence,
++ realinode->i_sb->s_maxbytes,
++ i_size_read(realinode));
++}
++
++/* XXX: Need to figure out what to to about atime updates, maybe other
++ * timestamps too ... ref. ovl_file_accessed() */
++
++static rwf_t shiftfs_iocb_to_rwf(struct kiocb *iocb)
++{
++ int ifl = iocb->ki_flags;
++ rwf_t flags = 0;
++
++ if (ifl & IOCB_NOWAIT)
++ flags |= RWF_NOWAIT;
++ if (ifl & IOCB_HIPRI)
++ flags |= RWF_HIPRI;
++ if (ifl & IOCB_DSYNC)
++ flags |= RWF_DSYNC;
++ if (ifl & IOCB_SYNC)
++ flags |= RWF_SYNC;
++
++ return flags;
++}
++
++static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
++{
++ struct file *realfile;
++
++ if (file->f_op->open != shiftfs_open &&
++ file->f_op->open != shiftfs_dir_open)
++ return -EINVAL;
++
++ realfile = file->private_data;
++ lowerfd->flags = 0;
++ lowerfd->file = realfile;
++
++ /* Did the flags change since open? */
++ if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
++ return shiftfs_change_flags(lowerfd->file, file->f_flags);
++
++ return 0;
++}
++
++static ssize_t shiftfs_read_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_iter_read(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static ssize_t shiftfs_write_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct inode *inode = file_inode(file);
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ inode_lock(inode);
++ /* Update mode */
++ shiftfs_copyattr(inode->i_private, inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ file_start_write(lowerfd.file);
++ ret = vfs_iter_write(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ file_end_write(lowerfd.file);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(inode->i_private, inode);
++
++ fdput(lowerfd);
++
++out_unlock:
++ inode_unlock(inode);
++ return ret;
++}
++
++static int shiftfs_fsync(struct file *file, loff_t start, loff_t end,
++ int datasync)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fsync_range(lowerfd.file, start, end, datasync);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *realfile = file->private_data;
++ const struct cred *oldcred;
++ int ret;
++
++ if (!realfile->f_op->mmap)
++ return -ENODEV;
++
++ if (WARN_ON(file != vma->vm_file))
++ return -EIO;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ vma->vm_file = get_file(realfile);
++ ret = call_mmap(vma->vm_file, vma);
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ if (ret) {
++ /*
++ * Drop refcount from new vm_file value and restore original
++ * vm_file value
++ */
++ vma->vm_file = file;
++ fput(realfile);
++ } else {
++ /* Drop refcount from previous vm_file value */
++ fput(file);
++ }
++
++ return ret;
++}
++
++static long shiftfs_fallocate(struct file *file, int mode, loff_t offset,
++ loff_t len)
++{
++ struct inode *inode = file_inode(file);
++ struct inode *loweri = inode->i_private;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fallocate(lowerfd.file, mode, offset, len);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_fadvise(struct file *file, loff_t offset, loff_t len,
++ int advice)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fadvise(lowerfd.file, offset, len, advice);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_override_ioctl_creds(int cmd, const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ /* clear all caps to prevent bypassing capable() checks */
++ cap_clear((*newcred)->cap_bset);
++ cap_clear((*newcred)->cap_effective);
++ cap_clear((*newcred)->cap_inheritable);
++ cap_clear((*newcred)->cap_permitted);
++
++ if (cmd == BTRFS_IOC_SNAP_DESTROY) {
++ kuid_t kuid_root = make_kuid(sb->s_user_ns, 0);
++ /*
++ * Allow the root user in the container to remove subvolumes
++ * from other users.
++ */
++ if (uid_valid(kuid_root) && uid_eq(fsuid, kuid_root))
++ cap_raise((*newcred)->cap_effective, CAP_DAC_OVERRIDE);
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static inline void shiftfs_revert_ioctl_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ return shiftfs_revert_object_creds(oldcred, newcred);
++}
++
++static inline bool is_btrfs_snap_ioctl(int cmd)
++{
++ if ((cmd == BTRFS_IOC_SNAP_CREATE) || (cmd == BTRFS_IOC_SNAP_CREATE_V2))
++ return true;
++
++ return false;
++}
++
++static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
++ struct btrfs_ioctl_vol_args *v1,
++ struct btrfs_ioctl_vol_args_v2 *v2)
++{
++ int ret;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE)
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ else
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++
++ __close_fd(current->files, fd);
++ kfree(v1);
++ kfree(v2);
++
++ return ret;
++}
++
++static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
++ struct btrfs_ioctl_vol_args **b1,
++ struct btrfs_ioctl_vol_args_v2 **b2,
++ int *newfd)
++{
++ int oldfd, ret;
++ struct fd src;
++ struct fd lfd = {};
++ struct btrfs_ioctl_vol_args *v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *v2 = NULL;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1 = memdup_user(arg, sizeof(*v1));
++ if (IS_ERR(v1))
++ return PTR_ERR(v1);
++ oldfd = v1->fd;
++ *b1 = v1;
++ } else {
++ v2 = memdup_user(arg, sizeof(*v2));
++ if (IS_ERR(v2))
++ return PTR_ERR(v2);
++ oldfd = v2->fd;
++ *b2 = v2;
++ }
++
++ src = fdget(oldfd);
++ if (!src.file)
++ return -EINVAL;
++
++ ret = shiftfs_real_fdget(src.file, &lfd);
++ if (ret) {
++ fdput(src);
++ return ret;
++ }
++
++ /*
++ * shiftfs_real_fdget() does not take a reference to lfd.file, so
++ * take a reference here to offset the one which will be put by
++ * __close_fd(), and make sure that reference is put on fdput(lfd).
++ */
++ get_file(lfd.file);
++ lfd.flags |= FDPUT_FPUT;
++ fdput(src);
++
++ *newfd = get_unused_fd_flags(lfd.file->f_flags);
++ if (*newfd < 0) {
++ fdput(lfd);
++ return *newfd;
++ }
++
++ fd_install(*newfd, lfd.file);
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1->fd = *newfd;
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ v1->fd = oldfd;
++ } else {
++ v2->fd = *newfd;
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++ v2->fd = oldfd;
++ }
++
++ if (ret)
++ shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
++
++ return ret;
++}
++
++static long shiftfs_real_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct fd lowerfd;
++ struct cred *newcred;
++ const struct cred *oldcred;
++ int newfd = -EBADF;
++ long err = 0, ret = 0;
++ void __user *argp = (void __user *)arg;
++ struct super_block *sb = file->f_path.dentry->d_sb;
++ struct btrfs_ioctl_vol_args *btrfs_v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *btrfs_v2 = NULL;
++
++ ret = shiftfs_btrfs_ioctl_fd_replace(cmd, argp, &btrfs_v1, &btrfs_v2,
++ &newfd);
++ if (ret < 0)
++ return ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_restore;
++
++ ret = shiftfs_override_ioctl_creds(cmd, sb, &oldcred, &newcred);
++ if (ret)
++ goto out_fdput;
++
++ ret = vfs_ioctl(lowerfd.file, cmd, arg);
++
++ shiftfs_revert_ioctl_creds(oldcred, newcred);
++
++ shiftfs_copyattr(file_inode(lowerfd.file), file_inode(file));
++ shiftfs_copyflags(file_inode(lowerfd.file), file_inode(file));
++
++out_fdput:
++ fdput(lowerfd);
++
++out_restore:
++ err = shiftfs_btrfs_ioctl_fd_restore(cmd, newfd, argp,
++ btrfs_v1, btrfs_v2);
++ if (!ret)
++ ret = err;
++
++ return ret;
++}
++
++static bool in_ioctl_whitelist(int flag, unsigned long arg)
++{
++ void __user *argp = (void __user *)arg;
++ u64 flags = 0;
++
++ switch (flag) {
++ case BTRFS_IOC_FS_INFO:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_GETFLAGS:
++ return true;
++ case BTRFS_IOC_SUBVOL_SETFLAGS:
++ if (copy_from_user(&flags, argp, sizeof(flags)))
++ return false;
++
++ if (flags & ~BTRFS_SUBVOL_RDONLY)
++ return false;
++
++ return true;
++ case BTRFS_IOC_SNAP_DESTROY:
++ return true;
++ }
++
++ return false;
++}
++
++static long shiftfs_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC_GETVERSION:
++ /* fall through */
++ case FS_IOC_GETFLAGS:
++ /* fall through */
++ case FS_IOC_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOTTY;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++static long shiftfs_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC32_GETVERSION:
++ /* fall through */
++ case FS_IOC32_GETFLAGS:
++ /* fall through */
++ case FS_IOC32_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOIOCTLCMD;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++enum shiftfs_copyop {
++ SHIFTFS_COPY,
++ SHIFTFS_CLONE,
++ SHIFTFS_DEDUPE,
++};
++
++static ssize_t shiftfs_copyfile(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out, u64 len,
++ unsigned int flags, enum shiftfs_copyop op)
++{
++ ssize_t ret;
++ struct fd real_in, real_out;
++ const struct cred *oldcred;
++ struct inode *inode_out = file_inode(file_out);
++ struct inode *loweri = inode_out->i_private;
++
++ ret = shiftfs_real_fdget(file_out, &real_out);
++ if (ret)
++ return ret;
++
++ ret = shiftfs_real_fdget(file_in, &real_in);
++ if (ret) {
++ fdput(real_out);
++ return ret;
++ }
++
++ oldcred = shiftfs_override_creds(inode_out->i_sb);
++ switch (op) {
++ case SHIFTFS_COPY:
++ ret = vfs_copy_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_CLONE:
++ ret = vfs_clone_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_DEDUPE:
++ ret = vfs_dedupe_file_range_one(real_in.file, pos_in,
++ real_out.file, pos_out, len,
++ flags);
++ break;
++ }
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode_out);
++
++ fdput(real_in);
++ fdput(real_out);
++
++ return ret;
++}
++
++static ssize_t shiftfs_copy_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ size_t len, unsigned int flags)
++{
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len, flags,
++ SHIFTFS_COPY);
++}
++
++static loff_t shiftfs_remap_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ loff_t len, unsigned int remap_flags)
++{
++ enum shiftfs_copyop op;
++
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
++ return -EINVAL;
++
++ if (remap_flags & REMAP_FILE_DEDUP)
++ op = SHIFTFS_DEDUPE;
++ else
++ op = SHIFTFS_CLONE;
++
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len,
++ remap_flags, op);
++}
++
++static int shiftfs_iterate_shared(struct file *file, struct dir_context *ctx)
++{
++ const struct cred *oldcred;
++ int err = -ENOTDIR;
++ struct file *realfile = file->private_data;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ err = iterate_dir(realfile, ctx);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++const struct file_operations shiftfs_file_operations = {
++ .open = shiftfs_open,
++ .release = shiftfs_release,
++ .llseek = shiftfs_file_llseek,
++ .read_iter = shiftfs_read_iter,
++ .write_iter = shiftfs_write_iter,
++ .fsync = shiftfs_fsync,
++ .mmap = shiftfs_mmap,
++ .fallocate = shiftfs_fallocate,
++ .fadvise = shiftfs_fadvise,
++ .unlocked_ioctl = shiftfs_ioctl,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .copy_file_range = shiftfs_copy_file_range,
++ .remap_file_range = shiftfs_remap_file_range,
++};
++
++const struct file_operations shiftfs_dir_operations = {
++ .open = shiftfs_dir_open,
++ .release = shiftfs_dir_release,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .fsync = shiftfs_fsync,
++ .iterate_shared = shiftfs_iterate_shared,
++ .llseek = shiftfs_dir_llseek,
++ .read = generic_read_dir,
++ .unlocked_ioctl = shiftfs_ioctl,
++};
++
++static const struct address_space_operations shiftfs_aops = {
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
++ .direct_IO = noop_direct_IO,
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry)
++{
++ struct inode *loweri;
++
++ inode->i_ino = ino;
++ inode->i_flags |= S_NOCMTIME;
++
++ mode &= S_IFMT;
++ inode->i_mode = mode;
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ inode->i_op = &shiftfs_dir_inode_operations;
++ inode->i_fop = &shiftfs_dir_operations;
++ break;
++ case S_IFLNK:
++ inode->i_op = &shiftfs_symlink_inode_operations;
++ break;
++ case S_IFREG:
++ inode->i_op = &shiftfs_file_inode_operations;
++ inode->i_fop = &shiftfs_file_operations;
++ inode->i_mapping->a_ops = &shiftfs_aops;
++ break;
++ default:
++ inode->i_op = &shiftfs_special_inode_operations;
++ init_special_inode(inode, mode, dev);
++ break;
++ }
++
++ if (!dentry)
++ return;
++
++ loweri = dentry->d_inode;
++ if (!loweri->i_op->get_link)
++ inode->i_opflags |= IOP_NOFOLLOW;
++
++ shiftfs_copyattr(loweri, inode);
++ shiftfs_copyflags(loweri, inode);
++ set_nlink(inode, loweri->i_nlink);
++}
++
++static int shiftfs_show_options(struct seq_file *m, struct dentry *dentry)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo->mark)
++ seq_show_option(m, "mark", NULL);
++
++ if (sbinfo->passthrough)
++ seq_printf(m, ",passthrough=%u", sbinfo->passthrough);
++
++ return 0;
++}
++
++static int shiftfs_statfs(struct dentry *dentry, struct kstatfs *buf)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ struct dentry *root = sb->s_root;
++ struct dentry *realroot = root->d_fsdata;
++ struct path realpath = { .mnt = sbinfo->mnt, .dentry = realroot };
++ int err;
++
++ err = vfs_statfs(&realpath, buf);
++ if (err)
++ return err;
++
++ if (!shiftfs_passthrough_statfs(sbinfo))
++ buf->f_type = sb->s_magic;
++
++ return 0;
++}
++
++static void shiftfs_evict_inode(struct inode *inode)
++{
++ struct inode *loweri = inode->i_private;
++
++ clear_inode(inode);
++
++ if (loweri)
++ iput(loweri);
++}
++
++static void shiftfs_put_super(struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo) {
++ mntput(sbinfo->mnt);
++ put_cred(sbinfo->creator_cred);
++ kfree(sbinfo);
++ }
++}
++
++static const struct xattr_handler shiftfs_xattr_handler = {
++ .prefix = "",
++ .get = shiftfs_xattr_get,
++ .set = shiftfs_xattr_set,
++};
++
++const struct xattr_handler *shiftfs_xattr_handlers[] = {
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++ &shiftfs_posix_acl_access_xattr_handler,
++ &shiftfs_posix_acl_default_xattr_handler,
++#endif
++ &shiftfs_xattr_handler,
++ NULL
++};
++
++static inline bool passthrough_is_subset(int old_flags, int new_flags)
++{
++ if ((new_flags & old_flags) != new_flags)
++ return false;
++
++ return true;
++}
++
++static int shiftfs_super_check_flags(unsigned long old_flags,
++ unsigned long new_flags)
++{
++ if ((old_flags & SB_RDONLY) && !(new_flags & SB_RDONLY))
++ return -EPERM;
++
++ if ((old_flags & SB_NOSUID) && !(new_flags & SB_NOSUID))
++ return -EPERM;
++
++ if ((old_flags & SB_NODEV) && !(new_flags & SB_NODEV))
++ return -EPERM;
++
++ if ((old_flags & SB_NOEXEC) && !(new_flags & SB_NOEXEC))
++ return -EPERM;
++
++ if ((old_flags & SB_NOATIME) && !(new_flags & SB_NOATIME))
++ return -EPERM;
++
++ if ((old_flags & SB_NODIRATIME) && !(new_flags & SB_NODIRATIME))
++ return -EPERM;
++
++ if (!(old_flags & SB_POSIXACL) && (new_flags & SB_POSIXACL))
++ return -EPERM;
++
++ return 0;
++}
++
++static int shiftfs_remount(struct super_block *sb, int *flags, char *data)
++{
++ int err;
++ struct shiftfs_super_info new = {};
++ struct shiftfs_super_info *info = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(&new, data);
++ if (err)
++ return err;
++
++ err = shiftfs_super_check_flags(sb->s_flags, *flags);
++ if (err)
++ return err;
++
++ /* Mark mount option cannot be changed. */
++ if (info->mark || (info->mark != new.mark))
++ return -EPERM;
++
++ if (info->passthrough != new.passthrough) {
++ /* Don't allow exceeding passthrough options of mark mount. */
++ if (!passthrough_is_subset(info->passthrough_mark,
++ info->passthrough))
++ return -EPERM;
++
++ info->passthrough = new.passthrough;
++ }
++
++ return 0;
++}
++
++static const struct super_operations shiftfs_super_ops = {
++ .put_super = shiftfs_put_super,
++ .show_options = shiftfs_show_options,
++ .statfs = shiftfs_statfs,
++ .remount_fs = shiftfs_remount,
++ .evict_inode = shiftfs_evict_inode,
++};
++
++struct shiftfs_data {
++ void *data;
++ const char *path;
++};
++
++static void shiftfs_super_force_flags(struct super_block *sb,
++ unsigned long lower_flags)
++{
++ sb->s_flags |= lower_flags & (SB_RDONLY | SB_NOSUID | SB_NODEV |
++ SB_NOEXEC | SB_NOATIME | SB_NODIRATIME);
++
++ if (!(lower_flags & SB_POSIXACL))
++ sb->s_flags &= ~SB_POSIXACL;
++}
++
++static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
++ int silent)
++{
++ int err;
++ struct path path = {};
++ struct shiftfs_super_info *sbinfo_mp;
++ char *name = NULL;
++ struct inode *inode = NULL;
++ struct dentry *dentry = NULL;
++ struct shiftfs_data *data = raw_data;
++ struct shiftfs_super_info *sbinfo = NULL;
++
++ if (!data->path)
++ return -EINVAL;
++
++ sb->s_fs_info = kzalloc(sizeof(*sbinfo), GFP_KERNEL);
++ if (!sb->s_fs_info)
++ return -ENOMEM;
++ sbinfo = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(sbinfo, data->data);
++ if (err)
++ return err;
++
++ /* to mount a mark, must be userns admin */
++ if (!sbinfo->mark && !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
++ return -EPERM;
++
++ name = kstrdup(data->path, GFP_KERNEL);
++ if (!name)
++ return -ENOMEM;
++
++ err = kern_path(name, LOOKUP_FOLLOW, &path);
++ if (err)
++ goto out_free_name;
++
++ if (!S_ISDIR(path.dentry->d_inode->i_mode)) {
++ err = -ENOTDIR;
++ goto out_put_path;
++ }
++
++ sb->s_flags |= SB_POSIXACL;
++
++ if (sbinfo->mark) {
++ struct cred *cred_tmp;
++ struct super_block *lower_sb = path.mnt->mnt_sb;
++
++ /* to mark a mount point, must root wrt lower s_user_ns */
++ if (!ns_capable(lower_sb->s_user_ns, CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ /*
++ * this part is visible unshifted, so make sure no
++ * executables that could be used to give suid
++ * privileges
++ */
++ sb->s_iflags = SB_I_NOEXEC;
++
++ shiftfs_super_force_flags(sb, lower_sb->s_flags);
++
++ /*
++ * Handle nesting of shiftfs mounts by referring this mark
++ * mount back to the original mark mount. This is more
++ * efficient and alleviates concerns about stack depth.
++ */
++ if (lower_sb->s_magic == SHIFTFS_MAGIC) {
++ sbinfo_mp = lower_sb->s_fs_info;
++
++ /* Doesn't make sense to mark a mark mount */
++ if (sbinfo_mp->mark) {
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up the passthrough mount options from the
++ * parent mark mountpoint.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough_mark;
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ } else {
++ sbinfo->mnt = mntget(path.mnt);
++ dentry = dget(path.dentry);
++ /*
++ * For a new mark passthrough_mark and passthrough
++ * are identical.
++ */
++ sbinfo->passthrough_mark = sbinfo->passthrough;
++
++ cred_tmp = prepare_creds();
++ if (!cred_tmp) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ /* Don't override disk quota limits or use reserved space. */
++ cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
++ sbinfo->creator_cred = cred_tmp;
++ }
++ } else {
++ /*
++ * This leg executes if we're admin capable in the namespace,
++ * so be very careful.
++ */
++ err = -EPERM;
++ if (path.dentry->d_sb->s_magic != SHIFTFS_MAGIC)
++ goto out_put_path;
++
++ sbinfo_mp = path.dentry->d_sb->s_fs_info;
++ if (!sbinfo_mp->mark)
++ goto out_put_path;
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough))
++ goto out_put_path;
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up passthrough settings from mark mountpoint so we can
++ * verify when the overlay wants to remount with different
++ * passthrough settings.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough;
++ shiftfs_super_force_flags(sb, path.mnt->mnt_sb->s_flags);
++ }
++
++ sb->s_stack_depth = dentry->d_sb->s_stack_depth + 1;
++ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++ printk(KERN_ERR "shiftfs: maximum stacking depth exceeded\n");
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ inode = new_inode(sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ shiftfs_fill_inode(inode, dentry->d_inode->i_ino, S_IFDIR, 0, dentry);
++
++ ihold(dentry->d_inode);
++ inode->i_private = dentry->d_inode;
++
++ sb->s_magic = SHIFTFS_MAGIC;
++ sb->s_maxbytes = MAX_LFS_FILESIZE;
++ sb->s_op = &shiftfs_super_ops;
++ sb->s_xattr = shiftfs_xattr_handlers;
++ sb->s_d_op = &shiftfs_dentry_ops;
++ sb->s_root = d_make_root(inode);
++ if (!sb->s_root) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++
++ sb->s_root->d_fsdata = dentry;
++ sbinfo->userns = get_user_ns(dentry->d_sb->s_user_ns);
++ shiftfs_copyattr(dentry->d_inode, sb->s_root->d_inode);
++
++ dentry = NULL;
++ err = 0;
++
++out_put_path:
++ path_put(&path);
++
++out_free_name:
++ kfree(name);
++
++ dput(dentry);
++
++ return err;
++}
++
++static struct dentry *shiftfs_mount(struct file_system_type *fs_type,
++ int flags, const char *dev_name, void *data)
++{
++ struct shiftfs_data d = { data, dev_name };
++
++ return mount_nodev(fs_type, flags, &d, shiftfs_fill_super);
++}
++
++static struct file_system_type shiftfs_type = {
++ .owner = THIS_MODULE,
++ .name = "shiftfs",
++ .mount = shiftfs_mount,
++ .kill_sb = kill_anon_super,
++ .fs_flags = FS_USERNS_MOUNT,
++};
++
++static int __init shiftfs_init(void)
++{
++ return register_filesystem(&shiftfs_type);
++}
++
++static void __exit shiftfs_exit(void)
++{
++ unregister_filesystem(&shiftfs_type);
++}
++
++MODULE_ALIAS_FS("shiftfs");
++MODULE_AUTHOR("James Bottomley");
++MODULE_AUTHOR("Seth Forshee <seth.forshee@canonical.com>");
++MODULE_AUTHOR("Christian Brauner <christian.brauner@ubuntu.com>");
++MODULE_DESCRIPTION("id shifting filesystem");
++MODULE_LICENSE("GPL v2");
++module_init(shiftfs_init)
++module_exit(shiftfs_exit)
+--- a/include/uapi/linux/magic.h 2021-01-06 19:08:45.234777659 -0500
++++ b/include/uapi/linux/magic.h 2021-01-06 19:09:53.900375394 -0500
+@@ -96,4 +96,6 @@
+ #define DEVMEM_MAGIC 0x454d444d /* "DMEM" */
+ #define Z3FOLD_MAGIC 0x33
+
++#define SHIFTFS_MAGIC 0x6a656a62
++
+ #endif /* __LINUX_MAGIC_H__ */
+--- a/fs/Makefile 2021-01-08 18:08:28.187064015 -0500
++++ b/fs/Makefile 2021-01-08 18:09:00.788217579 -0500
+@@ -136,3 +136,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/
+ obj-$(CONFIG_EROFS_FS) += erofs/
+ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
+ obj-$(CONFIG_ZONEFS_FS) += zonefs/
++obj-$(CONFIG_SHIFT_FS) += shiftfs.o
+--- a/fs/Kconfig 2021-01-06 19:14:17.709697891 -0500
++++ b/fs/Kconfig 2021-01-06 19:15:23.413281282 -0500
+@@ -122,6 +122,24 @@ source "fs/autofs/Kconfig"
+ source "fs/fuse/Kconfig"
+ source "fs/overlayfs/Kconfig"
+
++config SHIFT_FS
++ tristate "UID/GID shifting overlay filesystem for containers"
++ help
++ This filesystem can overlay any mounted filesystem and shift
++ the uid/gid the files appear at. The idea is that
++ unprivileged containers can use this to mount root volumes
++ using this technique.
++
++config SHIFT_FS_POSIX_ACL
++ bool "shiftfs POSIX Access Control Lists"
++ depends on SHIFT_FS
++ select FS_POSIX_ACL
++ help
++ POSIX Access Control Lists (ACLs) support permissions for users and
++ groups beyond the owner/group/world scheme.
++
++ If you don't know what Access Control Lists are, say N.
++
+ menu "Caches"
+
+ source "fs/fscache/Kconfig"
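Review bot: The SHIFT_FS help text added here says what the filesystem does but not what it exposes, which is the part a kernel configurer needs: `shiftfs_type` registers with `.fs_flags = FS_USERNS_MOUNT` and the non-mark mount path only requires CAP_SYS_ADMIN in the caller's own user namespace, so root inside an unprivileged container can mount it over an existing mark, and with the `passthrough` option `in_ioctl_whitelist()` forwards btrfs SNAP_CREATE/SUBVOL_CREATE/SNAP_DESTROY/SUBVOL_SETFLAGS ioctls from that container to the lower filesystem. I would add to the help text: `Note: shiftfs can be mounted from unprivileged user namespaces on top of a privileged "mark" mount, and the "passthrough" mount option forwards selected btrfs ioctls to the underlying filesystem.` Since this hunk introduces the Kconfig entry, the filesystem is not part of the stock tree and (presumably) fixes to it have to be tracked by this overlay rather than arriving via stable updates, which is also worth a sentence.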
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..c662ab1ee626
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From 1e34c1502396d028e41fa181aa5a0e51119ca7d9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/113] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 390165ffbb0f..3b24c9e3535e 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.30.0
+
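Review bot: The `default 65536` change only alters the Kconfig default, and the commit body carries nothing beyond the subject line, so a consumer of this ebuild has no statement of what is and is not guaranteed. A .config carried through `make oldconfig` keeps its previous DEFAULT_MMAP_MIN_ADDR, and, as I recall from the rest of this help text (not visible in the hunk), the value is also a runtime sysctl, so the build default alone does not fix the low-address floor. I would add a body line such as `Raises the build-time default only; configs carried forward keep their value and the runtime sysctl still governs the effective floor.`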
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..b610e7921a56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From 1ddcb1feafe366ec3bc5991cd648ec1b766cbad0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/113] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..555da499ec02
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From f3d03ecf02861a3ac215c236c2ba7bd14302c86a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/113] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.30.0
+
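Review bot: This patch has no Signed-off-by trailer (the header goes straight from the subject to the `---` separator), unlike 0001, 0002 and 0004 in the same series; for a carried patch that changes how copy_to/from_user failures are handled, the provenance gap should be closed or noted in the overlay. Functionally, removing `default y` means a missing usercopy whitelist is no longer tolerated: the visible help text says the fallback exists so violations surface as a WARN "instead of" the stricter path, which as I understand it rejects the copy outright, so any out-of-tree module shipped with this kernel needs to be exercised under HARDENED_USERCOPY before release. A commit body line such as `Usercopy whitelist violations are now rejected rather than WARN-only; re-test out-of-tree modules.` would make that explicit.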
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..7c26a635cf8c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From c797563665e217b7deb8a6b2d7bf94b5ac96b864 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/113] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.30.0
+
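Review bot: `default y` here changes only the build-time seed of the option; a .config carried forward keeps its old value, and as I recall the effective policy is the `kernel.dmesg_restrict` sysctl this option initialises, so an init system or hardening profile writing that sysctl still wins either way. The operational effect that is not mentioned in the commit body is that unprivileged log shippers and detection agents reading dmesg(8) will start failing and need CAP_SYSLOG. I would add to the body or the ebuild's install message: `Unprivileged dmesg readers now need CAP_SYSLOG; grant it to log collectors.`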
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..0ceff543f5d5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From fe7097eb6d9349aaa39b2d1e008d0cf90b4b60aa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/113] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 14c9a6af1b23..2501f75bd74d 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.30.0
+
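Review bot: The default is set by editing the initializer of `kptr_restrict` in lib/vsprintf.c rather than through a Kconfig option, which is inconsistent with how 0002 and 0004 in this series set their defaults and leaves the choice invisible to anyone auditing the shipped .config. Choosing 2 rather than 1 is also a stronger setting than the subject conveys: as I recall from the sysctl documentation, at 2 `%pK` pointers are hidden from everyone including CAP_SYSLOG holders, which affects crash triage and tooling that reads /proc/kallsyms as root, and the body does not mention that trade-off. At minimum annotate the line: `int kptr_restrict __read_mostly = 2; /* hardened default: hide %pK from all callers, not only unprivileged ones */`.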
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..1df0b20a7ec3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From 72c8f2e0c3734dc817a9cf38d4e088483a2c6661 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/113] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index c789b39ed527..89c9d6aebf77 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1471,6 +1471,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..58ebc4c24807
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From 10144ee120b069759d2f2d9ae8bb29d594ce6b6a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/113] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 89c9d6aebf77..11068e77d146 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1511,6 +1511,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..11cb57fd4599
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From 75d10fe58e0764aa62138539082e55914c52c398 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/113] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a6b5b7ef40ae..a145245ec5e7 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1199,6 +1199,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..47b02efb41d9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From 2a1029076cc3bcf99a63d06f2bfe260bda2be72b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/113] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a145245ec5e7..21088a6532d8 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1790,6 +1790,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..57c42262537f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From 5daa9efa7108c21d557c94c5c5993dfffb38a04f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/113] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..dcbcb4243316 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1929,6 +1929,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..8faf1da6dcc5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From 818b75782276efbc497cc3f896e52e55836bd498 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/113] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index dcbcb4243316..667d1c6c021b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1938,6 +1938,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..c8804aeb7fa3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From 1e19092fdc3ac847f746cb52f4a83863eb554b13 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/113] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 667d1c6c021b..859ab5ae66ff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1914,7 +1914,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..2514c1269dbd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From b75b92f5fb124ad1083aac6ab2c67414cb568bd9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/113] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..b30cf359a8a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From 2ec23be9ee7c956384f9e88b41dcf00d44a75ce5 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/113] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 11068e77d146..45b169177fb9 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -894,6 +894,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -903,7 +904,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.30.0
+
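Review bot: Making PANIC_ON_OOPS the default leaves a machine stuck at the panic screen after any oops unless a reboot timeout is also configured; the help text kept in this hunk says it is equivalent to `oops=panic`, and nothing in this hunk or in the other hunks of the series visible here sets `CONFIG_PANIC_TIMEOUT`. On an unattended host that trades availability for integrity, because every recoverable driver oops now ends in a halt rather than a logged error. The patch description (or the ebuild's kernel config) should pair this with a non-zero timeout, e.g. `Pair with CONFIG_PANIC_TIMEOUT or panic= on the command line so headless systems reboot instead of hanging.`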
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..f987a5e17f47
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From 82feb15888716cf97f9825211ff4d596f7f26730 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/113] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 859ab5ae66ff..74680a15ceb4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1843,7 +1843,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..639e5865bc05
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From f34bdacd0110b6082c1912414ea550fb7f5272e4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/113] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 3a5ecb1039bf..d2d5e0cbf85c 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1194,7 +1194,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..a7475bc0e28f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From 7c4a32a1820cf2d09f70203b0d41cc82946f79be Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/113] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index d2d5e0cbf85c..ab6e7e2d3cf0 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1195,7 +1195,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..2094393f7317
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 45e548c2f2a832ba2cd10ed39346461fbe7289eb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/113] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ab6e7e2d3cf0..7b9df510469b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2392,7 +2392,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..0b678d5296ad
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From bbfa74d67f0577c7660978068e201135faa93c8e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/113] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 7b9df510469b..63e1e9fc18dd 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2393,7 +2393,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..af891921b53a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From aac7980cab76e22b23ad2a4f9c2f19c2b0b5fe2b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/113] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 63e1e9fc18dd..4fd082de7420 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2296,7 +2296,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..1fb46b00d644
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From cd0494ee41507fff0b36f3f055e1dab4d9f78fb5 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/113] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74680a15ceb4..8605f3e78e47 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1591,7 +1591,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..851cd12c62c1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From cfcb4b5fd9234b1a8c97dd9133c09f876bfe9b18 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/113] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 8605f3e78e47..21f0b6926cf3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1592,7 +1592,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..8a6730812c6e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From 448e86343fbe606aff00e5ad667b87de882cdef9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/113] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 5cfe3cf6f2ac..f25871361bdc 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..15c0424593d2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From 8ad49bc0a6e3ab91dad346b66ec8cf1bfda7c4b2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/113] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index d229a2d0c017..68178c3a25de 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -391,7 +391,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..a2574937648b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From 9cb74418b795ca0405e60455c49881757dc39d1c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/113] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..9ee98bd6e0a2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From 0c6c73c2e28b0358c50c62e41012a974e72d3df0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/113] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index e2a488d403a6..ce54c1c693a8 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..0240f5051853
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From a2766371a62de8d205ced6e43cf644442098bf26 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/113] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..9bb20a24462a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From 8dc8db67c4c210ef3a9302f2cbe86858182cfa19 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/113] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..6dadef3a6804
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 6a6f98ad0f687e626b89277928c71df2bb32890d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/113] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 68178c3a25de..2fd45f01e7a2 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -327,7 +327,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..2250ec2ddb6a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From ba77a170999aff9791857a7d6841410cf4cd5e72 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/113] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 45b169177fb9..a46f21a56125 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1668,6 +1668,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.30.0
+
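Review bot: The `default y` added here is only reachable through `depends on STRICT_DEVMEM` on the line above it, and STRICT_DEVMEM, as far as I recall, itself depends on DEVMEM, whose `default y` the preceding patch 0029 removes; in the configuration this series produces by default the new line therefore has no effect and only matters for a user who turns /dev/mem back on. That is a sensible backstop, but the subject "enable IO_STRICT_DEVMEM by default" invites the reading that I/O filtering is active out of the box. A sentence in the description such as `Takes effect only when DEVMEM and STRICT_DEVMEM are re-enabled; with 0029 applied /dev/mem is off by default.` would prevent that misreading.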
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..1154447b2bdc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From 96ef89b38dbce637e7b0ded3129ab33b8d88408f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/113] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 21f0b6926cf3..4f5827e10be3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1866,7 +1866,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..e219b70131ce
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From 0b06f0f326d0a56eaaac9f1f445e2ea031ffde62 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/113] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 69fe7133c765..8b5c346d5dd8 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -752,7 +752,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -786,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.30.0
+
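Review bot: The new `default ARCH_MMAP_RND_BITS_MAX` line sits after `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT`, and Kconfig takes the first `default` whose condition holds, so on any architecture that defines ARCH_MMAP_RND_BITS_DEFAULT this patch changes nothing; the COMPAT_BITS hunk below has the same ordering. If the intent is maximum entropy on every architecture, the `_MAX` line must come first (move `default ARCH_MMAP_RND_BITS_MAX` above the `_DEFAULT` line, and likewise `default ARCH_MMAP_RND_COMPAT_BITS_MAX`); if the arch-provided default is meant to win, the subject and description should say the maximum is used only where no arch default exists. The `range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX` line above keeps the value bounded either way, so a reordering is safe from that side.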
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..04a7a717e516
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From 92bc8866137bf07fb5369f597ef421f9d1070257 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/113] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index d4a6dd772303..59ff3ce21026 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.30.0
+
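Review bot: Only the symlink and hardlink sysctls are raised to 1; the context lines `int sysctl_protected_fifos __read_mostly;` and `int sysctl_protected_regular __read_mostly;` remain zero-initialised, so O_CREAT opens of FIFOs and regular files in world-writable sticky directories stay unrestricted at boot unless a later patch in this 113-patch series (not visible here) or a sysctl.d drop-in sets them. If leaving those two at 0 is deliberate, say so in the description, e.g. `protected_fifos/protected_regular are intentionally left at 0 here.`, so the next reader does not assume the whole protected_* family is covered by this patch.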
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..84eb89802496
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From b2e6b25954d0f7d8b2fc0252e6f1889374686423 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/113] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..54cb4841cd13
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From 3b19a3be274e63c9a6df2ae0ea097e88e6838ce2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/113] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..be5249c8a6bc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From 34f81843f6e7724028600e15b2727dc0904ce3f3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/113] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..0447318afd1c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From 1db113153e2290ebefa23ec4f9a5ad5c389ecb27 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/113] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4f5827e10be3..9b75a4921575 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -419,6 +419,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..2d2ff66f09a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 8215b5158dedfeba32b1c001e89d804d6c7e4edb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/113] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..bbcd9785ca39
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From 66aa044db10b59b51b34d4c32c10e0bb52d30200 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/113] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..3640996230ce
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From d4035e768f18cbfe969e0e7636e16afd39a2ee84 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 040/113] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..1e279f6d7633 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.30.0
+
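Review bot: `default yes` on the added line is not valid Kconfig: the only constant tristate symbols are `y`, `m` and `n`, so `yes` is read as a reference to an undefined symbol, which Kconfig treats as n, and INIT_ON_ALLOC_DEFAULT_ON is not actually enabled by default as the subject claims. The line should read `default y`. The same typo is in 0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch, so the heap zeroing on allocation and on free that this part of the series advertises is silently missing until both are fixed. A quick check after the fix is to generate a config without touching these options and confirm CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y and CONFIG_INIT_ON_FREE_DEFAULT_ON=y are present.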
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..d4f6ccb60a57
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 7e2c7c1e7e5b878f5869bc2714e2b350d975bb8f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 041/113] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 1e279f6d7633..2fa447823405 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..05ca7264784b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From 7c62f6b37a2b88aaf767c612da9e66c4b27ca87f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 042/113] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index a46f21a56125..4a1a32a059f4 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -488,7 +488,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..5902e0c978c4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 316b1e519794909b9c9d531e76abeb02a36ef12b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:35:53 +0100
+Subject: [PATCH 043/113] stop hiding SYSFS_SYSCALL behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 9b75a4921575..006d4d41e3af 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1434,7 +1434,7 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
++ bool "Sysfs syscall support"
+ default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..930fea4542e9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch
@@ -0,0 +1,31 @@
+From 290b03b22bc6aec5b7c95de210899819bd1393cf Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:36:54 +0100
+Subject: [PATCH 044/113] disable SYSFS_SYSCALL by default
+
+---
+ init/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 006d4d41e3af..3d6b1b23e2db 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1435,13 +1435,12 @@ config SGETMASK_SYSCALL
+
+ config SYSFS_SYSCALL
+ bool "Sysfs syscall support"
+- default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config FHANDLE
+ bool "open by fhandle syscalls" if EXPERT
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch
new file mode 100644
index 000000000000..1676b8c9f77e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From ba61903d340b3deb287170c9350d087d82cb1d79 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:40:09 +0100
+Subject: [PATCH 045/113] stop hiding UID16 behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 3d6b1b23e2db..2b6d0492def5 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1403,7 +1403,7 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+ default y
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0046-disable-UID16-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0046-disable-UID16-by-default.patch
new file mode 100644
index 000000000000..44866bdfb8b5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0046-disable-UID16-by-default.patch
@@ -0,0 +1,24 @@
+From eb52c72ccc3483369f82944fa2e59843d5f880c9 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:41:32 +0100
+Subject: [PATCH 046/113] disable UID16 by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 2b6d0492def5..58df4930995f 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1405,7 +1405,6 @@ menuconfig EXPERT
+ config UID16
+ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..4b375e47b695
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From 2e65fff3449da55120c897d1c6aec927abc7bed3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 047/113] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index d742c57eaee5..f0222c070458 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __section(".data..ro_after_init")
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.30.0
+
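Review bot: The new `#define __read_only __ro_after_init` is unconditional, while the `__ro_after_init` definition it is placed after sits inside an `#ifndef`/`#endif` guard; should any other header in the tree or an out-of-tree module already define `__read_only`, this produces a redefinition warning or error. Wrapping it the same way, `#ifndef __read_only` / `#define __read_only __ro_after_init` / `#endif`, keeps the two aliases consistent. A short comment such as `/* alias for __ro_after_init, kept for patches extracted from PaX KERNEXEC */` would also tell readers why two names exist for the same section.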
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0048-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0048-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..e49e71757b23
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0048-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 924f2fc6b91d86ce7668c379cf32c25c96e896fa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 048/113] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..049a5c47a5c0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From 9f5564dd1b1f4cd6b849793b0b1fa0a26ea8987b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 049/113] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..63a0f8097d0a 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.30.0
+
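Review bot: This patch is reverted in full by the next file, 0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch, so applying 0049 and 0050 in sequence leaves arch/x86/mm/init_32.c and init_64.c exactly as upstream while still costing two patch applications and two chances for a reject on every build. If the ebuild applies every file in the hardened-patches directory, both files can simply be dropped from the overlay; if it applies an explicit list, the pair should be removed from that list. The revert's message is the only place recording why `kernel_set_to_readonly` must stay `__read_mostly` (the CPA conflict issue it cites), so that reason is worth carrying into the overlay's own notes for the hardened series if the files go.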
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..7f3cc56a7d7d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From 6a11398510ed1f260f271309c0a03c6fa4694ebf Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 050/113] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..7c055259de3a 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 63a0f8097d0a..b5a3fa4033d3 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..deae68fbf100
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From 3cbdb1e349a673c9e01c4bc221561038bdc3a765 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 051/113] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3f4303f4b657..7a8d4d37cffb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3363,9 +3363,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4883,7 +4883,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..cf39451e2615
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From a5b2d97f72be8ff592665945d3aa93a1f742d908 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 052/113] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..6717538b8509
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From 3d169c264161cad3fe7b605362e568a2f95d63e6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 053/113] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..9369e03ad41f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From e264584889a2fe7d7b30d79d708de6dda6061c63 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 054/113] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..c3d771ffc178 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..bef38a55b7dd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From 69b849e95f98e879a7977930daf6f19b5c131e3a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 055/113] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..354dfbcaed5a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From 7d0f862fe1df00467d31a9039b2f6d9179cb660f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 056/113] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index ee8299eb1f52..f03b78ae5f0a 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 09229ad82209..0595a8248c4a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..c72627ae4b00
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From 14ae333d23f836b0d63d447a036bbc49f61566f1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 057/113] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 2a1eff60c797..75a0077ea1a9 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f03b78ae5f0a..4381b79f76cf 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 593df7edfe97..3285d81d8a26 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2722,7 +2722,7 @@ static __latent_entropy void rcu_core(void)
+ queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index ae7ceba8fd4f..d118be5f18b8 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10628,7 +10628,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0595a8248c4a..3a21b22227c1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -532,8 +532,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -573,14 +572,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 387b4bef7dd1..8fe28c28a906 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1587,7 +1587,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..217bc49a3856 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1753,7 +1753,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 38412e70f761..c3cd49e04b7b 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4856,7 +4856,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_any_context);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6803,7 +6803,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..2a7732b132aa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From e02891b75ae9d0a510085da1a06c94f50d74524d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 058/113] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 3a21b22227c1..6a02d63b135a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.30.0
+
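Review bot: Replacing `__cacheline_aligned_in_smp` with `__aligned(PAGE_SIZE)` on `softirq_vec` is stronger than the stated conflict requires, and the message does not explain why page alignment was chosen. `__cacheline_aligned_in_smp` is a section placement plus an alignment, so `__ro_after_init __aligned(SMP_CACHE_BYTES)` would keep the original cache-line intent without the section conflict, whereas `PAGE_SIZE` alignment pads the small array up to a page. If the page alignment is deliberate, that reasoning should be stated in the commit message or on the declaration, e.g. `/* page-aligned on purpose: see commit message */`; which one is intended cannot be told from the hunk.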
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..4960505df33f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From 45fafbe082626e7c5680741f8058cf26ab4dce4c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 059/113] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index f9977d6613d6..5adb48bb2e68 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -435,9 +435,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.30.0
+
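Review bot: The `#ifdef CONFIG_BUG_ON_DATA_CORRUPTION` branch drops the diagnostic the `WARN_ONCE` branch keeps, so a crash from `BUG_ON(!PageSlab(page))` reports only a file and line rather than the function name and the "not a Slab page" reason. The kernel already has `CHECK_DATA_CORRUPTION(cond, fmt, ...)` in include/linux/bug.h, which selects `BUG()` or `WARN()` from the same config option and keeps the message in both modes, so `if (CHECK_DATA_CORRUPTION(!PageSlab(page), "%s: Object is not a Slab page!\n", __func__)) return NULL;` would replace the whole ifdef block; note it warns on every hit rather than once, a small behavioural change on the non-BUG path. The same pattern is open-coded again in 0060 (`cache_from_obj`, where `print_tracking` becomes unreachable in BUG mode) and 0061 (`__ksize`), and would benefit from the same helper.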
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..34c7b8c77e92
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From 314454ad4d7a0c587e1083e450e73686b042e72c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 060/113] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 5adb48bb2e68..9fef4285514a 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -471,10 +471,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
++#endif
+ print_tracking(cachep, x);
++ }
+ return cachep;
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..9a0644e03fc2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From 326ee6bdd8da5e183a933ed45771aa3e893bca31 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 061/113] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 7a8d4d37cffb..391880ea7445 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4092,7 +4092,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..21cc4797e8b5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 2bfe36bad55c39d0f0219c55e83960d81e978740 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 062/113] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 14b9e83ff9da..84070ae3885e 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2284,6 +2284,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 2fa447823405..83ad70ae6bc3 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -219,6 +219,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
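Review bot: `verify_zero_highpage` is added without a comment and the `PAGE_SANITIZE_VERIFY` help text says nothing about cost, yet with `default y` every allocation on an `init_on_free` kernel now reads `1 << order` full pages in `prep_new_page` before handing them out; the help should state that this scans each allocated page so configurers know what the default buys. A one-line comment on the helper, `/* BUG if a page handed out by the allocator is not fully zeroed; catches write-after-free under init_on_free */`, would document the contract. The `BUG_ON` fires inside the page allocator with no message about which page failed, so following the `CONFIG_BUG_ON_DATA_CORRUPTION` policy used in 0059 (BUG or WARN with a message) would be consistent with the rest of this series.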
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..ccaf70184f4d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 9961001521c46f8787df8586016e98632564fe87 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 063/113] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 391880ea7445..3c2c22488439 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.30.0
+
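Review bot: The comment in the new `else if` branch of `slab_free_freelist_hook` says ctor caches have `s->offset != NULL` with an unbalanced `))`; `s->offset` is an integer offset, so the line should read `* ones, which have s->offset != 0) causes a GPF,` or, clearer, `* ones, whose freepointer lives outside the object) causes a GPF,`. Separately, calling `s->ctor(object)` on the free path means the constructor now runs in whatever context `slab_free` is reached from, including with interrupts disabled, whereas before it appears to have run only from the slab allocation path; if every constructor in this tree is non-sleeping that is fine, but the commit message should say so. The enclosing `slab_free_freelist_hook` begins and ends outside the hunk.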
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..9228a64b85d7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From 80497b1658f8887c0cba4123dd07125bf949d4eb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 064/113] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3c2c22488439..d5427ead7d74 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2897,7 +2903,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3337,7 +3352,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 83ad70ae6bc3..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -226,6 +226,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
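Review bot: `SLAB_SANITIZE_VERIFY` is implemented only in mm/slub.c but the Kconfig entry has no `depends on SLUB`, so with `CONFIG_SLAB` the option is still offered, defaults to y and does nothing; add `depends on SLUB` next to `depends on !KASAN`. The `!KASAN` dependency is also unexplained while the code still carries `kasan_unpoison_object_data`/`kasan_poison_object_data` calls with comments about KASAN ordering, which are dead under that constraint; either the dependency or those calls should go, and the help text should state the reason (presumably the `memchr_inv` scan conflicts with KASAN poisoning or quarantine, but the hunk does not say). Finally, the two `BUG_ON(memchr_inv(...))` sites report nothing about which cache failed; preceding them with `pr_err("%s: unsanitized object in %s\n", __func__, s->name);` or following the `CONFIG_BUG_ON_DATA_CORRUPTION` policy used in 0059 would make a hit diagnosable.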
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..0a85ed62e5be
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From 90b4b67f61076de2befe1e5e3e308d0c1d4a8a7b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 065/113] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 58df4930995f..2af6689d9e71 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1943,6 +1943,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0fcd97a4eb6f..105dba485a7e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -504,7 +504,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index d5427ead7d74..a06d34be763a 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2915,6 +2958,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3302,7 +3350,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3372,6 +3420,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3573,6 +3626,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3753,6 +3807,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3826,6 +3883,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4099,6 +4160,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.30.0
+
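Review bot: `get_canary_value` in the mm/slub.c hunk masks with `CANARY_MASK`, but nothing in this patch defines that macro and the diffstat lists only slub_def.h, init/Kconfig, mm/slab.h and mm/slub.c, so it presumably comes from an earlier patch in this series; a comment such as `/* CANARY_MASK is provided by an earlier hardened patch; 0065 does not build standalone */` would help anyone cherry-picking this one alone. The `int i, k;` loop added to `kmem_cache_alloc_bulk` still runs when CONFIG_SLAB_CANARY is off, because `set_canary`/`check_canary` expand to nothing; wrapping it in `if (IS_ENABLED(CONFIG_SLAB_CANARY))` would make the intent explicit and match the other `IS_ENABLED` guards in this patch. Every mismatch in `check_canary` is a `BUG_ON`, which is a defensible choice for a heap-integrity check, but the Kconfig help should say so, e.g. `A canary mismatch is fatal (BUG), since the heap is already known to be corrupted at that point.`, so that the alloc-path, free-path and usercopy checks are understood as fail-stop rather than warnings.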
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..570a2f1cf763
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From 208465d841bac791f8a057c1082741638557f8c9 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 066/113] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 96450f6fb1de..d020c26b612a 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1312,6 +1312,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c3ba29d058b7..6efbf92763b1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -407,8 +407,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11638,7 +11643,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.30.0
+
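Review bot: The commit description says level 3 denies users without `CAP_SYS_ADMIN`, but `perf_allow_open` in the perf_event.h hunk tests `perfmon_capable()` and both documentation hunks say `CAP_PERFMON`; the `[thibaut.sautereau@ssi.gouv.fr: Adapt ...]` trailer explains the adaptation, so it is the description that is stale rather than the code. As defined upstream, `perfmon_capable()` accepts either CAP_PERFMON or CAP_SYS_ADMIN, which the kernel.rst line could state as `>=3 Disallow use of any event by users without CAP_PERFMON (CAP_SYS_ADMIN also suffices).`. The new capability check is placed before the `security_perf_event_open` LSM hook, consistent with the existing `perf_allow_kernel` shown in the hunk context, which is worth a one-line comment since it means an LSM never sees opens refused at this level.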
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..b986bc0a607e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From 749b43ce650a48c6c057cb39c00ddcdbb5fb455c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 067/113] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..4d0cbece3348
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From 658f843664d528fbdd4063c1d4555d5e1e71f1de Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 068/113] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index c675fdbd3dce..cba344194fba 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1863,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2928,6 +2933,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..29a30cff5e60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.30.0
+
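Review bot: The `unprivileged_userns_clone` entry in the kernel/sysctl.c hunk uses `proc_dointvec` with no `.extra1`/`.extra2`, so any integer is accepted although both call sites only test the value for non-zero; `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE` would make it a proper boolean. In the `copy_process` hunk the guard is two nested unbraced `if`s while the `ksys_unshare` hunk writes the same test as one braced block; `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN)) return ERR_PTR(-EPERM);` is equivalent and keeps the two sites consistent. The `#else` branch of user_namespace.h defines `unprivileged_userns_clone` as 0, so on a kernel without CONFIG_USER_NS the new check is always armed and an unprivileged `CLONE_NEWUSER` is refused with -EPERM here rather than by the namespace code further down; presumably intended, but a comment on that define would say so.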
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..819259469cdb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From 93fee580f468ad7d67243efa0ff9eaa324991c93 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 069/113] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 2af6689d9e71..a7b5a4cb7939 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+
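Review bot: The prompt `Allow unprivileged users to create namespaces` is broader than what the option controls: the sysctl it defaults, per patch 0068, only gates `CLONE_NEWUSER`, so `bool "Allow unprivileged users to create user namespaces"` is more accurate, and the first help sentence should likewise read `will not be able to create new user namespaces`. `default n` is already Kconfig's default; keeping it is fine as documentation of the hardening choice, but then a short comment such as `# deliberately off: see unprivileged_userns_clone in kernel/user_namespace.c` makes the intent clear. The `paranoid^Wsecurity-conscious` phrasing is informal for help text and `security-conscious` alone reads better.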
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..67eec5e57852
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 09a279df267b747d67799568a092c0381e55aa6d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 070/113] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index dd6897f62010..78f99835b91b 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -386,7 +386,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -410,7 +410,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -535,7 +535,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -557,7 +557,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.30.0
+
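Review bot: The `krealloc` declaration spells the attribute `__attribute((alloc_size(2)))` while every other annotation in this patch and in 0071–0074 uses `__attribute__((alloc_size(...)))`; GCC accepts both, but the short form is inconsistent and should be `__attribute__((alloc_size(2)))`. The non-NUMA `__kmalloc_node` inline whose signature closes the last hunk is left unannotated although the NUMA prototype just above gets `alloc_size(1)`, so non-NUMA builds lose the bound on that path unless the compiler recovers it from the inlined `__kmalloc` call; `static __always_inline __attribute__((alloc_size(1))) void *__kmalloc_node(size_t size, gfp_t flags, int node)` would match the inline `kmalloc`/`kmalloc_node` below (its body is outside the hunk). The same gap recurs in 0071, where `__vmalloc_node` at the end of the vmalloc.h hunk is skipped while `__vmalloc_node_range` is annotated, and in 0072, where only the `kvmalloc_node` prototype is annotated and the inline `kvmalloc` wrapper that starts at the hunk's end is not; annotating those two the same way would make the series consistent. The commit message's caveat about ksize users is the one thing a reader enabling object-size-based checks needs to know, and deserves a comment next to the `krealloc` line rather than only in the log.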
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..23464ff78441
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From f9ab06bcef024b65f75f37327e5441ba080244b3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 071/113] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 938eaf9517e2..7c069063c20d 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -102,18 +102,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..8b137854ae2e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From abd920f4e9ed3b86273754c88c633a4798a7e9af Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 072/113] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index cd5c313729ea..746f6d05bd81 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -759,7 +759,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0073-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0073-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..fc5afeec8c8f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0073-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 13af5be17273ec77e380c6550b723d114a2b84d3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 073/113] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..1d58e9a34c26
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From 13251448838b240a885a01c53615ecdd05446c08 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 074/113] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index c603237e006c..893378b0262e 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -568,9 +568,9 @@ static inline struct page *alloc_pages(gfp_t gfp_mask, unsigned int order)
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.30.0
+
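Review bot: The raw `__attribute__((alloc_size(1)))` on `alloc_pages_exact` and `alloc_size(2)` on `alloc_pages_exact_nid` bypass the kernel's convention of routing compiler attributes through `include/linux/compiler_attributes.h`, so there is no single place to disable or adjust them for a compiler that mishandles `alloc_size`; the three percpu prototypes in 0073 have the same shape. A small wrapper along the lines of `#define __alloc_size(x, ...) __attribute__((alloc_size(x, ## __VA_ARGS__)))` in compiler_attributes.h (upstream later added one under that name) would keep both patches consistent and let the prototype read `void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __alloc_size(1);`. The parameter indices themselves are right: `size` is argument 1 of alloc_pages_exact and argument 2 of alloc_pages_exact_nid.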
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..2245f1f4f288
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From 359d288ed8eec975bab9f11ec36fafde808e9879 Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 075/113] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f6a1513dfb76..f399208c873a 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3566,6 +3566,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 84070ae3885e..ded9e8536285 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -136,6 +137,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1549,6 +1559,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.30.0
+
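Review bot: The `page_to_pfn(page) < 0x100000` bound in `__free_pages_core` only matches the "first 4GB" promised in the kernel-parameters entry and the Kconfig help on architectures with 4K pages; with 16K or 64K pages it scans 16GB or 64GB and the boot-time cost grows with it. Writing the limit in page units, `page_to_pfn(page) < (SZ_4G >> PAGE_SHIFT)`, keeps code and documentation in agreement. The mixing step `hash ^= hash + data[index];` is deliberately weak, and the help text's warning that the result is not cryptographically secure is the right framing, since `add_device_randomness()` does not credit the input as entropy. The kernel-parameters.txt text still refers to the "bootmem allocator", which no longer exists in this tree; "memblock" is the current name.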
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..1ba0c9228b9f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From a815e88d7f0ea41387781fb5c745298a883bd3b2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 076/113] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 61c762961ca8..02a83039c25b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.30.0
+
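Review bot: Promoting `WARN_ON_ONCE(qc == NULL)` to `BUG_ON(qc == NULL)` in `ata_qc_free` and `__ata_qc_complete` changes little at runtime, because `ap = qc->ap;` on the following line already faults on a NULL `qc`; what changes is that the failure is now a deliberate BUG rather than an incidental oops. The comment carried over from the WARN version, `/* ata_qc_from_tag _might_ return NULL */`, now reads as though NULL were tolerated; rewording it to `/* ata_qc_from_tag _might_ return NULL; treat that as a fatal bug */` records the new intent. Both functions continue outside the hunk.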
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..1fc45c43bf02
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From 76fa55a0f956fc0a3395e24ce01e61932681cf6e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 077/113] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 74019c8ebf6b..c480b4e7ffef 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -778,6 +778,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.30.0
+
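Review bot: `BUG_ON(minlen < 0)` in `nla_memcpy` fires only after `min_t(int, count, nla_len(src))` has folded the two lengths together, so the report cannot say whether the caller passed a negative `count` or the attribute length was shorter than `NLA_HDRLEN`. Checking the operands instead, `BUG_ON(count < 0 || nla_len(src) < 0);`, gives the same protection (either operand negative makes `minlen` negative) with a more useful diagnosis. Since this helper sits under netlink handlers reachable from userspace, the commit message should also state that the check targets kernel-side callers with a bad `count`, not malformed attributes, which attribute parsing is expected to reject earlier.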
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0078-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0078-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..7985076a537f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0078-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From 21518eb9081e1bc4db5d12f98beb650e430a174b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 078/113] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 746f6d05bd81..a463ffe84eb4 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -894,10 +894,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index 47a47681c86b..762095d95092 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.30.0
+
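Review bot: The `#ifdef CONFIG_TRANSPARENT_HUGEPAGE` placed inside the argument list of `BUG_ON(...)` in `__put_compound_page` is a preprocessor directive inside macro arguments, which the C standard leaves undefined (C99 6.10.3p11); GCC accepts it, but it is fragile and hard to read. Evaluating the allowed-destructor test into a local first, as below, avoids the directive-in-argument form and lets the two `if (!PageHuge(page))` tests be merged; the destructor index is read before `__page_cache_release()`, which as far as I can see does not modify it. The hugetlb side stays unchecked; if `free_huge_page` is visible in mm/swap.c, `else BUG_ON(dtor != free_huge_page);` would close that gap, but confirm the include first.
```c
	dtor = get_compound_page_dtor(page);
	if (!PageHuge(page)) {
		bool dtor_ok = dtor == free_compound_page;
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
		dtor_ok |= dtor == free_transhuge_page;
#endif
		BUG_ON(!dtor_ok);
		__page_cache_release(page);
	}
	(*dtor)(page);
```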
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..17b373816afc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From fdad349dbd31e9a4e65002727118cc2116d3a33f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 079/113] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 35ad8480c464..edaeeab9df4b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -399,6 +399,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 145a7ac0c19a..058941e9ae40 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 569ac1d57f55..044d88da4aee 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1066,6 +1066,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.30.0
+
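Review bot: The three `BUG_ON(cr4 != __read_cr4());` insertions carry no comment, so a reader of `cr4_update_irqsoff`, `cr4_toggle_bits_irqsoff` or `native_flush_tlb_global` has to work out that they assert the per-CPU shadow in `cpu_tlbstate.cr4` still matches the hardware register. A one-line comment at the first site, `/* the shadow copy must track hardware; a mismatch means CR4 was written behind cpu_tlbstate's back */`, with the other two referring to it, would make the intent clear. Two of the sites can be hot (`cr4_toggle_bits_irqsoff` may run during context switch, `native_flush_tlb_global` during global TLB flushes), and on paravirtualized guests `__read_cr4()` presumably goes through pv_ops, so the cost of the extra CR4 read deserves a sentence in the commit message. The enclosing functions continue outside the hunk.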
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0080-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0080-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..23cc971a7709
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0080-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From a1208773e71435e46e70270672fca9192d587602 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 080/113] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index f882ce0d9327..50e9baefc4e7 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.30.0
+
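Review bot: The `#if 0` block in the new `case DATA_TO_TEXT:` of `report_sec_mismatch` leaves the per-instance report dead, so the only output is the final `warn("modpost: Found %d writable function pointer(s).\n", ...)` in `main`, which tells a developer how many writable function pointers exist but not which symbol or section holds them. Either drop the dead block or gate it on an explicit verbosity flag, and add a comment saying why the per-site report is off by default (presumably the volume of hits on non-const ops structures). Two smaller points: `DATA_TO_TEXT` is added to `enum mismatch` without a trailing comma, so the next addition must touch this line again, and if `warn()` in this tree already prefixes its output with `modpost: `, the literal `modpost:` in the message doubles up.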
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..f3811a17f177
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From 7f61114d285a1c4250c6989ab16c3e73b1914251 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 081/113] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..2059c66f7c9b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1693,6 +1693,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.30.0
+
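Review bot: The new `else if (!audit_ever_enabled) audit_initialized = AUDIT_UNINITIALIZED;` in `audit_enable` arrives with no commit message body, no Signed-off-by and no comment, so the reader must infer that it undoes the `AUDIT_DISABLED` state set by an earlier `audit=0` so that a later `audit=1` on the same command line wins. A comment such as `/* a later audit=1 overrides an earlier audit=0 unless audit was already initialized */` above the branch, and a sentence to the same effect in the commit message, would record that. The `audit_ever_enabled` guard presumably exists so the reset cannot happen after audit_init() has run; confirm that this early_param handler is never re-entered after that point. The function continues outside the hunk.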
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..3cf1fc9bb713
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From 1bdee955a2bbcc3a9e118c0818c4c824ad1bd466 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 082/113] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.30.0
+
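Review bot: The Kconfig prompt `bool "Harden common functions against buffer overflows"` for `FORTIFY_SOURCE_STRICT_STRING` is nearly identical to the prompt of the `FORTIFY_SOURCE` option it depends on, so the two are hard to tell apart in menuconfig; a prompt naming the difference, e.g. `bool "Stricter intra-object overflow checks for string functions"`, plus a help sentence saying that this switches the fortified str* helpers from `__builtin_object_size(p, 0)` to mode 1, would make the option self-explanatory. The `__string_size()` macro in include/linux/string.h sits outside the `#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)` guard and has no comment; a line such as `/* mode 1 bounds the enclosing member rather than the whole object, catching intra-object overflows */` beside it would help. The mem* helpers and `kmemdup` intentionally remain on mode 0, as the commit message explains, so the macro should not be extended to them.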
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..5e1fa1d40086
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From 68e3d8c66111e6c2871a3ef5a0d2f843494e012c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 083/113] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.30.0
+
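Review bot: The revert fixes `ELF_ET_DYN_BASE` on arm64 and x86_64 at `0x100000000UL` but records only the hash it reverts, not why the concerns that led upstream to move away from the 4GB base do not apply to this tree, and the commit carries no Signed-off-by. A short rationale in the commit message, and a comment above each define along the lines of `/* fixed 4GB base; per-exec randomization presumably comes from the load_bias binfmt_elf adds for PIE */`, would let a future rebase judge whether to keep it. On arm64 the change also drops the `CONFIG_ARM64_FORCE_52BIT` / `DEFAULT_MAP_WINDOW_64` distinction; 4GB lies inside every supported VA window, so that appears safe, but it is worth stating.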
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..7ade63287ffe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From dc6ca4933ccf050ea765f06bb054c933f47a454e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 084/113] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.30.0
+
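Review bot: With `vdso_addr()` and `align_vdso_addr()` removed, `map_vdso_randomized` reduces to `return map_vdso(image, 0);` and performs no randomization of its own; the entropy now comes from the mmap base chosen by `get_unmapped_area`, so the function name and the absence of a comment mislead. A comment such as `/* addr 0: let get_unmapped_area() place the vdso in the mmap region, sharing its randomized base */` makes the intent explicit. The deleted `align_vdso_addr()` also applied the `va_align` performance alignment; a special mapping created without a file presumably does not receive that alignment in `arch_get_unmapped_area_topdown`, so if the alignment still matters for the affected CPU families it has to be reintroduced on this path, and if it is intentionally dropped the commit message should say so.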
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..4af3e64efa96
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From e4875147c376094ecd41d7f1338475ad84aada0d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 085/113] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.30.0
+
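Review bot: The context comment `/* 1GB for 64bit, 8MB for 32bit */` that now sits directly above the new `__STACK_RND_MASK` definition is stale, because the range is derived from `mmap_rnd_bits`/`mmap_rnd_compat_bits` instead of fixed constants; replace it with something like `/* Stack range follows the mmap entropy configuration: 2^mmap_rnd_bits pages (mmap_rnd_compat_bits for 32-bit tasks), tunable through the mmap_rnd_bits sysctl entries. */`. The macros now expand to runtime reads of those two sysctl-backed variables, and nothing in this hunk declares them, so every user of STACK_RND_MASK silently depends on having `linux/mm.h` in scope; a short note or a forward declaration in this header would make that dependency explicit. As the commit message itself admits, builds that keep the default ARCH_MMAP_RND_BITS_MIN lose stack-base entropy on 32-bit and for compat tasks (11 bits down to 8); if no regression is the goal, raising the compat minimum belongs in the same series rather than being left as a suggestion.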
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..509f114e1355
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From 43f10f95a1e7489273ebc4d92582b9b6ed0c738b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 086/113] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.30.0
+
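Review bot: The `>> (PAGE_SHIFT - 12)` scaling kept from the old fixed masks looks suspicious once the mask is built from `mmap_rnd_bits`: the old `0x3ffff` was a 4K-page count that had to be rescaled for larger pages, but as far as I recall arm64's ARCH_MMAP_RND_BITS_MIN/MAX defaults are already chosen per page size (fewer bits with 16K/64K pages), so the shift would apply the page-size reduction twice and shrink the stack range on 16K/64K-page kernels; please confirm against arch/arm64/Kconfig and, if so, use `((1UL << mmap_rnd_bits) - 1)` without the shift (and likewise for the compat mask). With 4K pages the shift is zero, which is why the commit message's "18 to 24 bits on 64-bit (with 4k pages ...)" does not expose the problem. The `/* 1GB of VA */` comment above the macro is stale either way and should describe the new derivation, e.g. `/* Stack range follows mmap entropy (mmap_rnd_bits, or mmap_rnd_compat_bits for 32-bit tasks). */`.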
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..13a4242f2e9d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,47 @@
+From 29f3c78257ea25a5452d9272ff85b4f764f16aef Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 087/113] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[levente@leventepolyak.net: do not randomize with ADDR_NO_RANDOMIZE personality]
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/exec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ca89e0e3ef10..d2a03d32e195 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -34,6 +34,7 @@
+ #include <linux/swap.h>
+ #include <linux/string.h>
+ #include <linux/init.h>
++#include <linux/sched.h>
+ #include <linux/sched/mm.h>
+ #include <linux/sched/coredump.h>
+ #include <linux/sched/signal.h>
+@@ -64,6 +65,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -280,6 +282,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.30.0
+
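Review bot: The new XOR in `__bprm_mm_init` carries no comment saying that `bprm->p` is deliberately left with arbitrary low bits (not even 16-byte aligned, unlike PaX RANDUSTACK as the message notes), so a later reader may well "fix" the alignment; add `/* Randomize the low bits of the argument block within its top page (after PaX RANDUSTACK, but without keeping 16-byte alignment). */` above the check. One ordering subtlety worth a sentence in the comment or commit message: this reads `current->personality` before exec applies `bprm->per_clear`, which I believe strips ADDR_NO_RANDOMIZE for set-id executables, so a parent running with ADDR_NO_RANDOMIZE that executes a set-id binary would get a randomized image except for the argument block; probably acceptable, but it should be a documented choice rather than an accident. The remainder of the function (the `err:` path) lies outside the hunk.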
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..d6063edcf8c7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From d42815baa6da0237eca7b7bf5081aa20133a6651 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 088/113] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 058941e9ae40..61460d55dd72 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -906,7 +908,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.30.0
+
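Review bot: The two new `randomize_page()` ranges in `arch_randomize_brk` are unexplained constants; a one-line comment tying them to the generic implementation would help, e.g. `/* 32 MiB for 32-bit tasks, 1 GiB for 64-bit: the same ranges as the generic arch_randomize_brk() in mm/util.c */`. The commit message is only a subject line; a sentence on why widening the 64-bit range from 32 MiB to 1 GiB is safe (as I understand it, brk is just a start address and no mapping is created until the first brk() call) would save reviewers from re-deriving it.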
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..f940f6004c8f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From 31b13780cc8f90b776b73eb21ce8cbde294091d7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 089/113] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 5c8b4485860d..0e26c225bb53 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.30.0
+
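Review bot: The comment `/* properly handle unaligned min_brk as an empty heap */` does not say why `min_brk` can be unaligned or what the adjustment achieves, and the rest of `brk()` before and after this hunk relies on it; expand it to explain that with lower-bit brk randomization `mm->start_brk` may sit mid-page, that `PAGE_ALIGN()` would then treat the partially used first page as already present, and that treating `brk == min_brk` as an empty heap makes the page containing `min_brk` get mapped on first growth and released on a full shrink (assuming the later grow/shrink paths use `oldbrk`/`newbrk` as in mainline). Note also that the adjustment only fires for `brk == min_brk` exactly; a request for any value strictly inside that first page leaves `newbrk` at the next boundary, which is the intended one-page heap, but a short remark that this asymmetry is deliberate would avoid questions. The enclosing `SYSCALL_DEFINE1(brk, ...)` starts and ends outside the hunk.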
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..12d865fc8a8c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 69139d46b7fad98a633e00e3e74bd16e5e608b72 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 090/113] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ddb6e186dd5..4ca72f952329 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
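Review bot: The generic `arch_randomize_brk` in mm/util.c now returns an address that is no longer page aligned, and nothing at the call site says this only works together with a brk() syscall that treats an unaligned `start_brk` as an empty heap; add `/* Deliberately not page aligned: brk() treats an unaligned start_brk as an empty heap, so the low bits add entropy without mapping anything yet. */`. `get_random_long() % SZ_32M` is unbiased only because the range is a power of two; `& (SZ_32M - 1)` (and `& (SZ_1G - 1)`) states that requirement in the code and cannot silently turn into a division if someone later picks a non-power-of-two range. As I recall `randomize_page()` also guarded against `start + range` overflowing, and the plain addition drops that guard; harmless for realistic brk values, but worth a word in the commit message.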
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..0550dfb0c14d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 0e2271ce7f0368c822a456eb6004b6639543ab2a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 091/113] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 61460d55dd72..0d4c3887229d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.30.0
+
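Review bot: The x86 `arch_randomize_brk` now has the same body as the generic one in mm/util.c apart from using `mmap_is_ia32()` instead of `is_compat_task()`; a comment stating that the two are meant to stay in sync, and why x86 needs its own bitness test (I believe `mmap_is_ia32()` follows the task's address-space flag whereas `is_compat_task()` follows the syscall ABI), would stop them drifting: `/* Mirrors the generic arch_randomize_brk() in mm/util.c; x86 keys on the task's address-space width rather than the syscall ABI. */`. The returned value is intentionally unaligned and depends on the matching brk() change, which the function should say. `& (SZ_32M - 1)` / `& (SZ_1G - 1)` would make the power-of-two requirement of the range explicit instead of relying on `%`.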
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..33dd866a42ee
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From eeffd80dcf3e8080b127a7302dc593e923ad3f06 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 092/113] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ca72f952329..62ed34dfceb7 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
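Review bot: The `+ PAGE_SIZE` added to both returns is the whole point of the patch but appears as a bare constant; `/* + PAGE_SIZE: keep at least one unmapped guard page between the end of bss and the lowest possible heap page (assumes mm->brk is page aligned on entry) */` on the first return would document the invariant. The shift does not add entropy, the range is still SZ_32M / SZ_1G, so the subject "guarantee brk gap" is accurate; just make sure the brk() rlimit and collision checks, which are outside this hunk, still account for the extra page.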
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..f4f5c975a263
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 29a451d810d0bb9010e26914d158c769deaa46b9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 093/113] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 0d4c3887229d..161e25d02fd5 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.30.0
+
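Review bot: Same guard-page constant as the generic mm/util.c version, again uncommented; since this x86 body now differs from the generic one only in the `mmap_is_ia32()` test, `/* +PAGE_SIZE guarantees a guard page between bss and the heap; keep in sync with arch_randomize_brk() in mm/util.c */` would both document the constant and flag the duplication. If the two stay identical apart from the bitness predicate, a small shared helper taking the predicate result would ensure a future change to one cannot be forgotten in the other.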
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..8418f6754a2c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From 7ae6e0397f670f8b78a89f045eba1837bf097157 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 094/113] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.30.0
+
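Review bot: With `*begin = get_mmap_base(1)` and `*end = get_mmap_base(0)`, the bottom-up window in `find_start_end` becomes empty whenever the legacy layout is in effect, because as far as I recall arch_pick_mmap_base() in arch/x86/mm/mmap.c (not part of this patch) sets `mm->mmap_base` equal to `mm->mmap_legacy_base` in that case; `begin == end` would make every hint-less mmap in a process running with ADDR_COMPAT_LAYOUT or an unlimited stack rlimit fail with -ENOMEM. If the rest of the series disables the legacy layout this is fine, but `find_start_end` should then say so: `/* The legacy (bottom-up) layout is never selected in this tree, so [legacy_base, mmap_base) is always a non-empty window. */`; otherwise `*end` needs to fall back to the old task_size_* value when `begin == end`. Dropping the `task_size_64bit(addr > DEFAULT_MAP_WINDOW)` case also means a hint above the 47-bit window no longer widens the bottom-up search; probably intended, but the patch has no commit message body at all to say so.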
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0095-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0095-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..8846d886764d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0095-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From 39267a9ae592c16d377d370cde8fd501a80046b7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 095/113] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 5eea9912a0b9..f86f383a3e1d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index dacecdda2e79..14173d0f777d 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 8bde32cf9711..83d50b0a2a18 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3475,4 +3475,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index de7eac903a2a..5602178f3d21 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
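Review bot: The `fsnotify_file` change drops FS_ACCESS/FS_MODIFY events for matching devices unconditionally, whereas both stat paths exempt tasks with `capable_noaudit(CAP_MKNOD)`; the asymmetry is defensible (the event would reach every watcher, and only the accessor's capabilities are available here) but undocumented, so add at the hook `/* Drop access/modify notifications for world-accessible device nodes: an unprivileged watcher could otherwise time other users' device I/O. No capability exemption, since the event would be visible to every watcher. */`. `is_sidechannel_device()` only covers nodes with `S_IROTH|S_IWOTH`, so devices reachable through group membership (tty, input, audio groups) are not covered; state that limitation in the helper's comment, because the sysctl name suggests broader coverage. In `vfs_getattr_nosec` the override runs after the filesystem's own `->getattr`, so a filesystem that reports something other than the inode's ctime in `stat->ctime` propagates that into atime/mtime; probably fine, but it diverges from the `generic_fillattr` branch, which uses `inode->i_ctime`. The new `kernel.device_sidechannel_restrict` knob has no Documentation/admin-guide/sysctl entry in this patch.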
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..4770b2b68d6c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From abeeef2dec218fd3fbe78c3a546eb56d0935b3d6 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 096/113] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -890,8 +890,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -899,7 +918,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1585,6 +1603,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3436,6 +3460,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.30.0
+
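Review bot: The kernel-doc added for `proc_dointvec_minmax_sysadmin` says "Writing is only allowed when root has CAP_SYS_ADMIN", but the check is `capable(CAP_SYS_ADMIN)`, i.e. any task holding CAP_SYS_ADMIN in the initial user namespace, and root inside a child user namespace does not qualify; suggest ` * Writing is only allowed to callers with CAP_SYS_ADMIN in the initial user namespace (root in a child user namespace is rejected).` The function is exported with `EXPORT_SYMBOL` while `proc_douintvec_minmax` immediately above it uses `EXPORT_SYMBOL_GPL`; pick one deliberately and say why in the commit message.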
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..93c844189efe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From bc3dd8ff72c76761406cd591fc54b5a738802c8d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 097/113] usb: add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 17202b2ee063..9385c745d55e 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,6 +5054,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5114,6 +5117,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7d72c4e0713c..8e7549e3012a 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,6 +2035,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..f867606fbd80 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2305,6 +2308,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
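Review bot: The denial in `hub_port_connect` is logged with `dev_err()` and without rate limiting, yet it is a deliberate policy decision triggered by whoever controls the physical port, so a hostile device that keeps re-connecting can fill the log at error severity; `dev_warn_ratelimited(&port_dev->dev, "denied insert of USB device on port %d\n", port1);` reads the same and bounds the cost. The check appears to be placed before enumeration begins, which is the right spot, but a comment would make the intent survive future reordering: `/* Policy check must precede enumeration: nothing from a denied device is parsed. */`. The `kernel.deny_new_usb` knob also lacks a Documentation/admin-guide/sysctl/kernel.rst entry stating that it affects only newly connected devices, not ones already enumerated.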
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..ae573337bf00
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,195 @@
+From 6c3dd5ee3ce4196ce77f6b13d1e6073cfba54bad Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 098/113] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 14 -------------
+ 6 files changed, 63 insertions(+), 18 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 9385c745d55e..b62b3da81ac4 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,9 +5054,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 9b4ac4415f1a..93b4b798bdcc 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -978,6 +981,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1012,6 +1018,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1035,6 +1043,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 8e7549e3012a..653265115e56 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,8 +2035,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index f867606fbd80..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,9 +106,6 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
+-#if IS_ENABLED(CONFIG_USB)
+-#include <linux/usb.h>
+-#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2308,17 +2305,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..194deb488d14
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From 8cb651297cb52059f95e79120b22651db91ee737 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 099/113] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f399208c873a..282777d18d19 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c46312710e73..541c65650c5e 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4bde570d56a2..cc5caffc07fa 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ length = count;
+ out:
+ kfree(page);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..2d8c2c788490
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From ecc6e9be317b1eadf3cf8437b0ece8cf060db68d Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 100/113] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 56ade99ef99f..557356504a81 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3014,6 +3015,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index eb33d948788c..a205640b4c61 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -342,6 +343,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..9a62d2982d62
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From cccacc18996616ae32ecb04811135443515b7d90 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 101/113] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 557356504a81..5670bd7442df 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2182,11 +2182,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a205640b4c61..116138eb394c 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -353,6 +353,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..8fd007fbec4c 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2295,6 +2298,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..a168fcb61f37
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 5abc285586b918ef702a68b17e7cfe2cbee074f0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 102/113] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..a7049e8547fa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From cb00a2b154aff901d66ee6683510db6062c0b7c0 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 103/113] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b..a54c05624647 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..4ce822e2276b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 7142360a87ad2caeac10e89be2dcd89b4b8f704c Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 104/113] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 55454d2278b1..de02792dc2fc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -524,7 +524,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..44ff5f0f3b86
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From 2e1e802084ce8b28da406c565800f8013834f690 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 105/113] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 59ff3ce21026..72f912c68975 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..b68e7a29bd92
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From 91b0599d34c5dd2f0cca4ef35a3d292510d03d61 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 106/113] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 4a1a32a059f4..5fce84adc315 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -374,6 +374,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 50e9baefc4e7..2cbc4e8a6295 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..d60949d64658
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,103 @@
+From 3f29827dd2c6423c43d0e8e73c2e13685c7e7a4b Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 107/113] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index ded9e8536285..8730ae4244b9 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1539,6 +1539,25 @@ static void __free_pages_ok(struct page *page, unsigned int order,
+ local_irq_restore(flags);
+ }
+
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
++{
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++}
++
+ void __free_pages_core(struct page *page, unsigned int order)
+ {
+ unsigned int nr_pages = 1 << order;
+@@ -1558,22 +1577,6 @@ void __free_pages_core(struct page *page, unsigned int order)
+ }
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+-
+- if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+- unsigned long hash = 0;
+- size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+- const unsigned long *data = lowmem_page_address(page);
+-
+- for (index = 0; index < end; index++)
+- hash ^= hash + data[index];
+-#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+- latent_entropy ^= hash;
+- add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+-#else
+- add_device_randomness((const void *)&hash, sizeof(hash));
+-#endif
+- }
+-
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+@@ -1632,6 +1635,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1723,6 +1727,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1730,6 +1735,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.30.0
+
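Review bot: The entropy sampling is now gated on the three `__init` call sites (memblock_free_pages and both paths of deferred_free_range), so any other caller of `__free_pages_core()` — none is visible in this hunk — silently stops contributing, which is a behaviour change the commit message hedges on but the code does not document. The new helper also keeps the bare `page_to_pfn(page) < 0x100000` bound and the `PageHighMem` check on the first page only, with nothing stating why; I would head `__gather_extra_latent_entropy()` with `/* Mix the contents of the pages about to be released into the entropy pool. Only lowmem pages below pfn 0x100000 (4 GiB with 4 KiB pages) are sampled, and only the first page's highmem status is checked. Must be called before __free_pages_core(), as the __init call sites do. */`. Whether hashing bootmem-managed pages is safe is the author's own open question and cannot be settled from this hunk.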
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..4f58ab27569d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From 7c982f0a57fbef3b984b32a0ed289fbfbaa9cbe2 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 108/113] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 000b457ad087..06d35ecdcbc8 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index a7b5a4cb7939..2feea719cc25 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1745,6 +1745,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.30.0
+
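Review bot: The `#ifdef`/`#else` pair around the `sysctl_unprivileged_userfaultfd` definition in fs/userfaultfd.c duplicates the declaration just to pick an initial value; the tree's own later patch (0110, net/ipv4/tcp_input.c) does the same job in one line with `IS_ENABLED()`. For consistency and one fewer declaration to keep in sync I would write `int sysctl_unprivileged_userfaultfd __read_mostly = IS_ENABLED(CONFIG_USERFAULTFD_UNPRIVILEGED);`. In init/Kconfig, `default n` is already the implicit default for a bool and can be dropped, though it does no harm.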
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..95258b1a358b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From c6c3515b7cdc69aa4de7b901a75a97500085f35b Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 109/113] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 105dba485a7e..2138deacf719 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -630,8 +630,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index a06d34be763a..32cc008ee278 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2955,8 +2956,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3416,8 +3423,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.30.0
+
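Review bot: The "memset, unpoison, run ctor, re-poison" sequence is now written out twice, in slab_alloc_node and in the kmem_cache_alloc_bulk loop, and the two copies have to stay in lock-step with the `#ifndef CONFIG_SLUB` exclusion added to slab_want_init_on_alloc in mm/slab.h (SLAB and SLOB still skip ctor caches entirely). I would fold the sequence into one static inline helper and call it from both sites, so a future change to the KASAN bracketing cannot be made in only one place; the name below is mine. Both enclosing functions start and end outside the hunk.
```c
/* Zero a freshly allocated object and, when the cache has a constructor,
 * re-run it so the object is back in its constructed state; KASAN
 * poisoning is lifted only for the duration of the constructor call. */
static inline void slab_init_on_alloc(struct kmem_cache *s, void *object)
{
	memset(object, 0, s->object_size);
	if (s->ctor) {
		kasan_unpoison_object_data(s, object);
		s->ctor(object);
		kasan_poison_object_data(s, object);
	}
}

/* … unchanged: slab_alloc_node up to the init_on_alloc branch … */
	} else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
		slab_init_on_alloc(s, object);
	}

/* … unchanged: kmem_cache_alloc_bulk; its loop becomes `slab_init_on_alloc(s, p[j]);` … */
```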
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..1b028e5d143e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From bd9056a84c976082445ada0013c5c43f077dd73d Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 110/113] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+
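Review bot: `sysctl_tcp_simult_connect` is read in the softirq receive path at `if (th->syn && sysctl_tcp_simult_connect)` while being written through a 0644 sysctl, and the read is a plain load rather than `READ_ONCE()`; for a toggle this is benign in practice, but the kernel's sysctl-read convention is `if (th->syn && READ_ONCE(sysctl_tcp_simult_connect)) {`, and it keeps KCSAN quiet. The hunk does not show what a crossed SYN falls through to when the toggle is off — tcp_rcv_synsent_state_process continues outside the hunk — so it is worth confirming that the segment is discarded rather than handled by a later branch, and a comment at the condition saying so would help (`/* crossed SYN is dropped when simultaneous connect is disabled */`). The table entry is added to the global `ipv4_table` next to `tcp_max_orphans`, so the knob appears to be system-wide rather than per network namespace; if that is intended, the ip-sysctl.rst text could say so, since most tcp_* entries there are per-netns.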
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..9ef06de6ec76
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From 2722c589aefa351b107d792a91b852434d4a1445 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 111/113] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.30.0
+
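Review bot: Both timer callbacks now dereference `dp->dccps_hc_tx_ccid` through `ccid_priv()` with only the `inet_sk_state_load(sk) == DCCP_CLOSED` guard in front of it, and the companion patch 0112 sets `dp->dccps_hc_tx_ccid = NULL` in dccp_disconnect; if a timer can still fire while the socket is not in DCCP_CLOSED at that point (not visible here), the callback would take a NULL pointer, so I would add `if (!dp->dccps_hc_tx_ccid) goto out;` right after the state check in both ccid2_hc_tx_rto_expire and ccid3_hc_tx_no_feedback_timer, or document why the state check is sufficient. Note also that 0111 and 0112 are one fix for CVE-2020-16119 and only work together, so the overlay should keep them adjacent and in this order. The new struct member comment `@dccps_ccid_timer - used by the CCIDs` omits the reason for the move; something like `@dccps_ccid_timer - TX CCID timer, owned by the socket rather than the CCID private data so it can be stopped after dccps_hc_tx_ccid is freed` would capture the point of the patch.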
diff --git a/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..d9092b635eea
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.10/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From fa0e568133b2060aa26a2d7546e10b1614cc0018 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 112/113] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/export_kernel_fpu_functions.patch b/sys-kernel/cairn-sources/files/5.10.4/export_kernel_fpu_functions.patch
new file mode 100644
index 000000000000..883841c34309
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/export_kernel_fpu_functions.patch
@@ -0,0 +1,43 @@
+From 1e010beda2896bdf3082fb37a3e49f8ce20e04d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Thu, 2 May 2019 05:28:08 +0100
+Subject: [PATCH] x86/fpu: Export kernel_fpu_{begin,end}() with
+ EXPORT_SYMBOL_GPL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need these symbols in zfs as the fpu implementation breaks userspace:
+
+https://github.com/zfsonlinux/zfs/issues/9346
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ arch/x86/kernel/fpu/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index 12c70840980e..352538b3bb5d 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -102,7 +102,7 @@ void kernel_fpu_begin(void)
+ }
+ __cpu_invalidate_fpregs_state();
+ }
+-EXPORT_SYMBOL_GPL(kernel_fpu_begin);
++EXPORT_SYMBOL(kernel_fpu_begin);
+
+ void kernel_fpu_end(void)
+ {
+@@ -111,7 +111,7 @@ void kernel_fpu_end(void)
+ this_cpu_write(in_kernel_fpu, false);
+ preempt_enable();
+ }
+-EXPORT_SYMBOL_GPL(kernel_fpu_end);
++EXPORT_SYMBOL(kernel_fpu_end);
+
+ /*
+ * Save the FPU state (mark it for reload if necessary):
+--
+2.23.0
+
+
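Review bot: Switching `kernel_fpu_begin`/`kernel_fpu_end` from `EXPORT_SYMBOL_GPL` to `EXPORT_SYMBOL` makes these entry points available to every out-of-tree module, not only to the ZFS module the message names, which sits oddly next to the hardening patches elsewhere in this tree. The patch header should state that this is a deliberate trade-off, which ZFS versions need it, and what condition would let it be dropped, so the next kernel bump does not carry it forward by inertia; the linked zfs issue gives the rationale but not that lifetime. The export lines themselves are the whole change and need no further edit.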
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..2512fefebf8c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,66 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
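Review bot: The `if (size > 8) return -EINVAL;` check in shmem_xattr_handler_set carries a bare literal whose meaning lives only in the patch's prose ("its value cannot exceed a size of 8 bytes"); a one-line comment at the check, `/* PaX flags value is at most 8 bytes */`, keeps the limit self-describing. The `user.` prefix is otherwise rejected outright with `-EOPNOTSUPP` unless the name is exactly `XATTR_NAME_PAX_FLAGS`, which is the intended tight allow-list, so the `.get` path needs no matching filter because nothing else under `user.` can ever be stored. shmem_xattr_handler_set starts before the hunk.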
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..29c1b48fa669
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,19 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
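Review bot: The hunk flips only sysctl_protected_symlinks and sysctl_protected_hardlinks to 1; the two neighbouring knobs in its context, sysctl_protected_fifos and sysctl_protected_regular, keep their zero default. Since the overlay ships this next to a hardened series, the patch header should say whether leaving fifos/regular at 0 is deliberate; both stay runtime-tunable through fs.protected_fifos and fs.protected_regular, so an administrator can enable them without a rebuild. A line such as `# Gentoo: build-time default fs.protected_{sym,hard}links=1; protected_fifos/regular intentionally left at 0` above the `---` header would record that.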
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..731ca12eb038
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1 \ No newline at end of file
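Review bot: The early `return 1;` added before the HCI_CONN_ENCRYPT test means hci_conn_check_link_mode now reports a non-SSP link as acceptable without checking either encryption or the minimum key size that the `Fixes:` commit introduced. The commit message frames this as restoring legacy Bluetooth 2.0 peripherals, but for this overlay it is a deliberate relaxation of a key-size mitigation, and that tradeoff is not recorded anywhere on the Gentoo side. I would add a one-line rationale to the patch header, e.g. `# Gentoo: relaxes min-key-size enforcement for non-SSP (pre-2.1) peers; accepted for legacy HID compatibility`, so whoever later audits the hardened profile sees it was intentional. The rest of hci_conn_check_link_mode, including the key-size check itself, lies outside the hunk.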
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..fa2fe7c38e75
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,29 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..45ab548dfd23
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7 \ No newline at end of file
diff --git a/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..64b10c5c959e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,169 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-09-24 03:06:47.590000000 -0400
++++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
+@@ -0,0 +1,158 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++ select USER_NS
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu \ No newline at end of file
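Review bot: `select ANON_INODES` and `select DEVPTS_MULTIPLE_INSTANCES` under GENTOO_LINUX_INIT_SYSTEMD name symbols that, as far as I recall, no longer exist in a 5.10 tree (ANON_INODES went away around 5.2, DEVPTS_MULTIPLE_INSTANCES around 4.7), and Kconfig silently ignores a select of an undefined symbol, so those lines are dead weight in the overlay's copy; please confirm against the 5.10 Kconfig before pruning. Separately, the same option selects USER_NS, BPF_SYSCALL and CHECKPOINT_RESTORE, which widen the syscall surface reachable by unprivileged processes on a kernel that otherwise carries a hardened series. The option is `default n`, but a comment next to those selects such as `# required by systemd, not a hardening choice; review USER_NS/BPF_SYSCALL exposure for your threat model` would help anyone tuning the profile.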
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..e2375fbae851
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From 6071064b9c3853b5031f926848861ac58fca3035 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/112] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 390165ffbb0f..3b24c9e3535e 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.30.0
+
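Review bot: Raising DEFAULT_MMAP_MIN_ADDR to 65536 (32768 for ARM and ARM64-compat) is a sound low-address mitigation, but the patch description is empty and the hunk does not touch the help text, so nothing tells a user why the default moved or what may break. Programs that legitimately map the first 64 KiB will start failing; the value remains adjustable at runtime via the vm.mmap_min_addr sysctl, so a description line like `Default raised to match LSM_MMAP_MIN_ADDR; lower vm.mmap_min_addr at runtime if a legacy workload needs low mappings.` would save support questions. The subject asserts the new values match LSM_MMAP_MIN_ADDR, but that symbol's default is not part of this patch, so it is worth checking the two agree in this tree.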
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..807761750a31
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From c3a8d00dba999e71145be50dea27227f597a5a39 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/112] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..1038927b6863
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From f2c14b01a34aa4ff40eeae58eb6220bc7459acb0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/112] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.30.0
+
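Review bot: Dropping `default y` from HARDENED_USERCOPY_FALLBACK means a usercopy whitelist violation is no longer the WARN()-and-proceed case the help text describes; as far as I recall it becomes a usercopy abort (a BUG) instead, which is the right fail-closed default for a hardened tree but changes the failure mode for any out-of-tree or vendor module that lacks whitelist annotations. Unlike 0002, this patch carries no description at all, so the consequence is undocumented; I would add `Without the fallback, copies touching un-whitelisted slab objects abort instead of warning; out-of-tree modules must carry proper usercopy whitelists.` The remainder of the help text is outside the hunk.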
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..5c6a7f62df75
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From d7977eb17e229e22d838af3571c44c5be583aaea Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/112] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..ede801611f8a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From 3b34c97b042debf3ded8ed723634c0c4804f911b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/112] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 14c9a6af1b23..2501f75bd74d 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.30.0
+
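Review bot: Initialising kptr_restrict to 2 governs only the `%pK` format; plain `%p` output is already hashed by the ptr_to_id path visible just above the change, regardless of this value. At 2, `%pK` prints zeros even for readers with CAP_SYSLOG, so interfaces such as /proc/kallsyms become useless to root as well — the intended hardening, but it also removes data defenders rely on for crash triage and symbol-based detection tooling. The patch description is empty; a line such as `kptr_restrict=2 zeroes %pK even for privileged readers; set kernel.kptr_restrict=1 at runtime if root needs symbol addresses` would record the tradeoff, and the sysctl remains available to override it. 0004 (SECURITY_DMESG_RESTRICT) has the same runtime-override property via kernel.dmesg_restrict and could be documented the same way.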
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..3e272c406ce7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From 0edff510a05741b27772133d0c71278c4f9a567a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/112] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index c789b39ed527..89c9d6aebf77 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1471,6 +1471,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..355c9f0de85a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From 3e7ec6ddb85d1a5b568a17fc8515efb27aedbec3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/112] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 89c9d6aebf77..11068e77d146 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1511,6 +1511,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..bf081ea7c2d3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From db0e9b42c3fe7bef3db58319185c21da64dab63b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/112] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a6b5b7ef40ae..a145245ec5e7 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1199,6 +1199,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..ef4f16bf08e4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From 566e37c80b321a4ebdfd26de3e955e2b1f86b9c7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/112] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a145245ec5e7..21088a6532d8 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1790,6 +1790,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.30.0
+
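Review bot: `default y` on arm64 RANDOMIZE_BASE only makes the kernel image relocatable; whether the load address is actually randomised depends on the firmware providing a seed (the /chosen/kaslr-seed device-tree property or the EFI RNG protocol), and without one the kernel boots at its fixed address. Because this series is meant to ship hardened defaults, the empty patch description should say so, e.g. `Has effect only when firmware supplies a KASLR seed (kaslr-seed / EFI RNG); verify the KASLR status line in dmesg on target boards.` The `select RELOCATABLE` and `select ARM64_MODULE_PLTS if MODULES` lines are existing context, not part of this change.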
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..d51551e01f7c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From efb80bd6e5195858518ea62df4fbab273b2ad78a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/112] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..dcbcb4243316 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1929,6 +1929,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..86e3f23f04f7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From e1c71cfbc04c65c80fd6ff572ddef3aa3a60a35f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/112] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index dcbcb4243316..667d1c6c021b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1938,6 +1938,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..8af329d9c55e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From d26af5449b86fdb2acedb946b02539dcb3f05bb5 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/112] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 667d1c6c021b..859ab5ae66ff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1914,7 +1914,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.30.0
+
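Review bot: Removing `default y` from SLAB_MERGE_DEFAULT keeps caches separate so that the per-cache freelist randomisation and hardening enabled by 0010 and 0011 is not undone by unrelated objects sharing one cache, but the patch description is empty and the fragmentation cost mentioned in the help text is the only hint at a tradeoff. The runtime equivalent is the `slab_nomerge` boot parameter, which the description should cite so an administrator can compare both routes, e.g. `Equivalent to booting with slab_nomerge; costs some memory through reduced cache merging.`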
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..be36a59dc753
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From 907e74582076a249f44b9109f347212fd5d6cfb9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/112] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..744551cbbfeb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From d3ac7805246b7383840108bb3bc0a0f4fd907837 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/112] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 11068e77d146..45b169177fb9 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -894,6 +894,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -903,7 +904,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.30.0
+
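Review bot: Enabling PANIC_ON_OOPS by default changes the failure model of the whole series: together with 0007's BUG_ON_DATA_CORRUPTION (and the usercopy abort that follows from 0003), any detected corruption now becomes an immediate panic rather than a logged oops, which fails closed for integrity but converts any reachable kernel bug into an availability loss. The description gives no rationale and nothing in the series sets a reboot policy; a sentence such as `Panic on oops to fail closed; pair with kernel.panic=<seconds> (or panic= on the command line) so headless systems reboot rather than hang.` would make the operational consequence explicit. PANIC_ON_OOPS_VALUE, whose header closes the second hunk, is presumably what feeds the runtime default; its body is outside the hunk.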
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..eccf17b2e5a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From 6facad7283d590979723662dc899e63370a0b872 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/112] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 859ab5ae66ff..74680a15ceb4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1843,7 +1843,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..9634cf7b682c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From c7c498f95d9bdd028a5318d72e063b3804908288 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/112] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index fbf26e0f7a6a..ac5c142ce1e7 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1193,7 +1193,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..c40cf84e0a00
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From 0e42fda13af897bbc5ebc9f229c6510d99e127d0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/112] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ac5c142ce1e7..f01a75a8d6b1 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1194,7 +1194,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..321aa6df68b3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 230ecbb07d09255cb5e3a17628ba2117f2a37dc0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/112] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index f01a75a8d6b1..cdc900ab77e6 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2391,7 +2391,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..3249805eb5d7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From 26b8eba72df076ad1013fc624f55084a8f6dfdff Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/112] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index cdc900ab77e6..7ec2050fd39c 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2392,7 +2392,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..dc50e4061a9b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From 8bc119efb1c53924175a36f30ad1e685cf34b021 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/112] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 7ec2050fd39c..ab11aeb0a807 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2295,7 +2295,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..67035814f139
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 79003d7f9d8a44ccd3d54e6aa9fa4a0f2f1742b5 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/112] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74680a15ceb4..8605f3e78e47 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1591,7 +1591,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..f5138d761da7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From 192f0e1440b449ef825d87080d031b8aac3954ad Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/112] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 8605f3e78e47..21f0b6926cf3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1592,7 +1592,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..523c6a470bb1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From 377c9b71f067fe28b84148d940c7538c4c57d1eb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/112] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 5cfe3cf6f2ac..f25871361bdc 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..b7c693844e49
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From 43dee048aa75fea6055e2dcf02ce39a50e8cb7d5 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/112] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index d229a2d0c017..68178c3a25de 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -391,7 +391,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..e82778091b49
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From f6be4ec41404d6527ba725c53cdfeed263e0d24d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/112] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..488e05455afd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From 216d34822432f6333ba84fa573bd002be91a6c6f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/112] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index e2a488d403a6..ce54c1c693a8 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..94f634d3764b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From 3cc0c6615576e0335b7e3736c26a0684cfdf7f33 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/112] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..49c90743d35f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From f5a8105810c5bf58d36e70a9ed3e72637070fbf9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/112] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..30cb8f73acd8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 33f42d98e301e0f5e64b2d3d1c4a8ae1a9ab30c9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/112] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 68178c3a25de..2fd45f01e7a2 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -327,7 +327,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..8791b5410efc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From b4f59a01b9bdcede85636c53a25b73418dea510c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/112] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 45b169177fb9..a46f21a56125 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1668,6 +1668,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..3bf01acb2f29
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From d0e0b92a236614141a9f63510c5f52c898678169 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/112] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 21f0b6926cf3..4f5827e10be3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1866,7 +1866,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..c16f1f3fedb8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From f3d8c682767414e125c3220e9bce12e005023919 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/112] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index ddd4641446bd..8e8f31cafe43 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -752,7 +752,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -786,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.30.0
+
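Review bot: The new `default ARCH_MMAP_RND_BITS_MAX` line is only consulted when the `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT` line just above it does not fire, because Kconfig takes the first `default` whose condition holds. On any architecture that defines `ARCH_MMAP_RND_BITS_DEFAULT` (arm64 does, as far as I recall) this patch therefore changes nothing, and the subject's "maximum supported" entropy is not actually selected. If the intent is maximum entropy everywhere, the `_DEFAULT` lines need to be removed or moved below the new `_MAX` default, i.e. drop `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT` and its `ARCH_MMAP_RND_COMPAT_BITS_DEFAULT` counterpart in the second hunk; otherwise the description should say the change only affects arches without a `_DEFAULT`.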
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..e19b80c97765
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From fbce44590e786ce764a4e5086e65afa262b7ddf1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/112] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index d4a6dd772303..59ff3ce21026 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.30.0
+
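Review bot: The two `sysctl_protected_symlinks`/`sysctl_protected_hardlinks` initialisers this patch rewrites in fs/namei.c are the same two lines that Gentoo's genpatches "fs-enable-link-security-restrictions-by-default" patch also flips to `1`; if the 5.10.4 ebuild applies both the Gentoo and the hardened series (which I cannot see from this hunk), whichever is applied second will fail because its `-` lines expect `= 0`. Either omit this patch when the Gentoo one is present or make the series order explicit. The description should also say whether leaving `sysctl_protected_fifos` and `sysctl_protected_regular` (unchanged context lines here) at their zero default is intentional, since the subject only covers the first two.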
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..42812d37b532
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From 5c6adf5cb67d9d6e368292313f1380c673492b0f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/112] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..c1abc350c796
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From 388adae0ac75a6656579bcc3e50c5a40b3ff52af Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/112] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..5e132033b52a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From 72be1dde0be1006075181de2f50eeee8040642e6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/112] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..36c363d7fb29
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From fb9d678057ca63444cb377fd9ae754235cc5411b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/112] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4f5827e10be3..9b75a4921575 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -419,6 +419,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..35b6a34c368a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 3aff5de744db9439826a0fa1982bf8391d26b686 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/112] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..4af2067b79b7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From c19804976bb2fe0719a6cb934ccb7b0717b70d1c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/112] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..26ca84a20af9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From 862ff7234431f87678634b8b3931f36dc9c6a18f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 040/112] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index d742c57eaee5..f0222c070458 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __section(".data..ro_after_init")
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.30.0
+
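Review bot: The new `__read_only` macro in include/linux/cache.h has no comment, so a reader cannot tell it is a pure alias of `__ro_after_init` rather than a distinct section or attribute. A one-line comment above it, e.g. `/* Alias of __ro_after_init; name retained from the PaX/KERNEXEC-derived patches that use it */`, would make that explicit and explain why a second spelling exists. Placing it right after the `#endif` that closes the `__ro_after_init` definition block is correct, since it then resolves whichever definition that block produced.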
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..48e39a20c760
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0041-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 1c835635f9bd5b5bfa0fb5773fbbe99169561b26 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 041/112] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
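Review bot: This hunk compiles only if `__read_only` is already defined, which comes from the preceding 0040 patch, so the two cannot be reordered or cherry-picked independently; that dependency deserves a sentence in the description. The safety argument — that these min/max objects are presumably only reached through sysctl table bound pointers and never written after boot — is not stated anywhere; extending the existing header comment to `/* Constants used for minimum and maximum; write-protected after init via __read_only */` would record it. `cap_last_cap` is already `const` and is correctly left untouched.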
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..58c35a4af04a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From ff486f8ee21b61313c59d58950a65be5c1e53e59 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 042/112] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..63a0f8097d0a 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.30.0
+
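Review bot: Both hunks move `kernel_set_to_readonly = 1;` ahead of the `set_pages_ro`/`set_memory_ro` call without saying why; presumably the reason is that the flag now lives in `.data..ro_after_init`, which in init_32.c falls inside the `_text`..`__end_rodata` range being write-protected, so a store after that call would fault. That ordering constraint should be recorded at the assignment, e.g. `/* must precede set_pages_ro(): the flag is __ro_after_init and lies in this range */`, and the description should mention the reorder rather than only the PaX origin. Both `mark_rodata_ro` bodies continue outside the hunk, so I cannot confirm from here that nothing later in either function writes the flag again.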
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..dbcf564e88e0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From b29c30667cea95995dd28864b11293ad5ec9499a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 043/112] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 34dcc09e2ec9..3ef79a1878ed 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3363,9 +3363,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4883,7 +4883,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.30.0
+
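Review bot: `slub_debug_string` is a `char *`, so `__ro_after_init` on it write-protects the pointer only, not the command-line text it points at; the parsed debug spec itself stays in ordinary writable memory, and a one-line comment such as `/* protects the pointer only; the string lives in the boot command line */` would stop a reader from assuming otherwise. The annotation is also only effective on configs with CONFIG_STRICT_KERNEL_RWX; without it the section is plain writable data. The hunk shows only the declarations, so the claim that no non-`__init` writer remains (sysfs store handlers, later tuning paths) cannot be checked here and is best confirmed with a boot test on a hardened config with `slub_debug=` set.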
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..cb14eb1204fd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From 5ae710a87dabce8cfd6e125049a4ae63ca1dd202 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 044/112] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..db08c4152ef4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From 29d5811956498b59955d588923d8fd0daaf8a339 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 045/112] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..3b6a7f5a7752
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From e275addda6a7105a06dc0511c4f924e289ea36d6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 046/112] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..bda9596d7a9f 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 63a0f8097d0a..f9eb66b3f152 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.30.0
+
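Review bot: Both masks remain exported at the `EXPORT_SYMBOL_GPL`/`EXPORT_SYMBOL` lines right below the changed declarations, so this is a silent contract change for any module that writes them: reads keep working, a write now faults once `mark_rodata_ro()` has run. In-tree writers I can think of (`x86_configure_nx()`, PTI and Xen setup) execute at boot, but if I recall correctly `x86_configure_nx()` itself is not `__init` in 5.10, so the safety rests on its callers staying boot-time. A comment at the declaration, `/* __ro_after_init: only boot-time code may modify these masks */`, would document that contract for both in-tree and out-of-tree users.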
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..13f7d994e63b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From 47d7a9ff7b292d134268103b0992e548902efbe7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 047/112] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.30.0
+
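Review bot: The prototype change in kobject_ns.h turns a public registration API into an init-only one without saying why; a caller added later from a non-`__init` path would only be caught by modpost's section-mismatch warning, or by a fault once `kobj_ns_ops_tbl` is read-only. Add a comment on the declaration such as `/* __init only: kobj_ns_ops_tbl is __ro_after_init, so namespace types must be registered during boot */`. Separately, the lookup helpers still take `kobj_ns_type_lock` although the table can no longer change after init; harmless, but worth noting for a follow-up.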
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..febb91a297a1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From 737ed8108a59dac8483bb2246dec33c051769f21 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 048/112] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index ee8299eb1f52..f03b78ae5f0a 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 09229ad82209..0595a8248c4a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..39b1818169f6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From e29e135551f6e4506d154896e644948b5e765a53 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 049/112] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 55bcee5dc032..507336218518 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f03b78ae5f0a..4381b79f76cf 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 593df7edfe97..3285d81d8a26 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2722,7 +2722,7 @@ static __latent_entropy void rcu_core(void)
+ queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index ae7ceba8fd4f..d118be5f18b8 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10628,7 +10628,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0595a8248c4a..3a21b22227c1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -532,8 +532,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -573,14 +572,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 387b4bef7dd1..8fe28c28a906 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1587,7 +1587,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..217bc49a3856 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1753,7 +1753,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 38412e70f761..c3cd49e04b7b 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4856,7 +4856,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_any_context);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6803,7 +6803,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.30.0
+
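Review bot: With the parameter gone, `rcu_core_si()` in kernel/rcu/tree.c is now a one-line wrapper with the same `void (*)(void)` signature as `rcu_core()`, so the `open_softirq(RCU_SOFTIRQ, ...)` registration (outside this hunk) could pass `rcu_core` directly and the wrapper be dropped, keeping the `__latent_entropy` annotation on the handler actually registered. The remaining conversions look mechanical and each handler keeps its annotations. Since any softirq handler not in the diffstat now fails to compile rather than misbehave, that is at least a loud failure mode for out-of-tree code.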
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..b60e2f655d18
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From 62ea8c96deb35b01b105e4f7b96e1c054664763e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 050/112] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 3a21b22227c1..6a02d63b135a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.30.0
+
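Review bot: `__aligned(PAGE_SIZE)` on `softirq_vec` is a much stronger alignment than the `__cacheline_aligned_in_smp` it replaces and pads an array of NR_SOFTIRQS pointers out to a page boundary inside `.data..ro_after_init`. If the intent was only to keep the old cacheline alignment, the conflict the commit message mentions comes from the section attribute, not the alignment, so `static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init ____cacheline_aligned_in_smp;` preserves the original layout intent without the section. If page alignment is deliberate, a comment saying why would keep the next reader from "fixing" it.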
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..66d3872d8f9a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From f102cd8faebd9d10b1dd1cb9f436c4b8733e1c0d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 051/112] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index f9977d6613d6..5adb48bb2e68 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -435,9 +435,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.30.0
+
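Review bot: The `BUG_ON` arm drops the diagnostic the `WARN_ONCE` arm prints, so on a hardened build the oops names only the line, not `__func__` or the fact that the object was not on a slab page. `CHECK_DATA_CORRUPTION()` from linux/bug.h already encodes this CONFIG_BUG_ON_DATA_CORRUPTION policy (pr_err then BUG, otherwise WARN) and returns the condition, so the `#ifdef` collapses to `if (CHECK_DATA_CORRUPTION(!PageSlab(page), "%s: Object is not a Slab page!\n", __func__)) return NULL;`. The one behavioural difference is WARN versus WARN_ONCE on non-hardened builds, which may or may not be acceptable here.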
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..6c23deacad9e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From 20bcda8714dddd8a06b6d0c4f299f12b48cf43b2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 052/112] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 5adb48bb2e68..9fef4285514a 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -471,10 +471,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
++#endif
+ print_tracking(cachep, x);
++ }
+ return cachep;
+ }
+
+--
+2.30.0
+
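Review bot: `print_tracking(cachep, x)` is unreachable in the CONFIG_BUG_ON_DATA_CORRUPTION arm because `BUG()` precedes it, and the two cache names from the WARN message are not printed either, so the hardened build loses exactly the allocation/free tracking an incident responder wants from a wrong-cache free. Reorder so `print_tracking(cachep, x);` runs first, then in the `#ifdef` arm `pr_err("%s: Wrong slab cache. %s but object is from %s\n", __func__, s->name, cachep->name); BUG();` (or use `CHECK_DATA_CORRUPTION()` from linux/bug.h, which prints before it BUGs). As far as I recall `print_tracking` only emits for caches with SLAB_STORE_USER, which makes the message itself matter even more on production configs.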
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..7b2db83e525a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From 209e0b3ccc1b28e6a6f1b86507bae1a28e70c818 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 053/112] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3ef79a1878ed..e5564f339095 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4092,7 +4092,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.30.0
+
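Review bot: A bare `BUG_ON(!PageCompound(page))` gives no hint about which call site or object tripped it, unlike the neighbouring slab.h checks in this series that at least print `__func__`. `CHECK_DATA_CORRUPTION(!PageCompound(page), "%s: object is neither a slab nor a compound page\n", __func__)` would give the same BUG-or-WARN policy without the `#ifdef` and with a message in both arms. Note that the non-BUG path still falls through to `return page_size(page);` for a page that is neither, which is pre-existing behaviour; `__ksize` continues outside the hunk.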
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..fc70192187b1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 2ca9f9e5846686c98f8b48f5ffa5594dd2f41d7c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 054/112] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 32f783ddb5c3..7f663eea14a0 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2282,6 +2282,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..3d2f1d2c3d80 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -217,6 +217,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
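Review bot: The new Kconfig help gives no cost figure although the option is `default y` and, as the added loop in `prep_new_page` shows, it does a `memchr_inv` over every page of every allocation whenever `want_init_on_free()` holds; the INIT_ON_FREE_DEFAULT_ON help just above quotes its measured impact and this entry should state its own, e.g. append `This reads back every allocated page and is intended for hardened or debug builds; disable it on throughput-sensitive systems.` The `BUG_ON` in `verify_zero_highpage` is also unconditional, unlike the preceding slab checks that key off CONFIG_BUG_ON_DATA_CORRUPTION, so a one-line comment there stating that a non-zero page is always treated as fatal write-after-free corruption would make that choice explicit. `prep_new_page` continues outside the hunk.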
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..ce031732cb39
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 1ba84061aeadaef10680925bb3299b435fa59ff8 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 055/112] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index e5564f339095..cf24f74e01de 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.30.0
+
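Review bot: Invoking `s->ctor(object)` from `slab_free_freelist_hook` means constructors now run in the free path, potentially from interrupt or irq-disabled context, whereas the existing call site in `setup_object()` runs during slab allocation; in-tree ctors appear to be simple field initialisers, but nothing in the hunk records that assumption, so a comment above the call such as `/* init_on_free: re-run the ctor so the freed object is back in its constructed state; ctors must be cheap and context-agnostic */` would document it. The KASAN comment's `(... s->offset != NULL))` also has an unbalanced parenthesis. `slab_free_freelist_hook` starts and ends outside the hunk.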
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..d557a0d9e060
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From 493409e8de0b4a473addd41265fdeb9141b728dc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 056/112] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index cf24f74e01de..d42d2709526a 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2897,7 +2903,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3337,7 +3352,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 3d2f1d2c3d80..a718487ad717 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -224,6 +224,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
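Review bot: The verification added to slab_alloc_node and kmem_cache_alloc_bulk scans only `s->object_size` bytes (`BUG_ON(memchr_inv(object, 0, s->object_size))`), while the free path in slab_free_freelist_hook also zeroes the tail from `s->inuse` onward, so a write-after-free that lands in that trailing metadata region is not caught by this check. That is probably deliberate, since the freepointer can legitimately live past `s->inuse` for ctor caches and cannot be expected to be zero, but a one-line comment above the BUG_ON saying why the scan stops at object_size would spare the next reader the question. Separately, the new Kconfig entry has `depends on !KASAN`, so the two "KASAN hasn't unpoisoned the object yet" comments describe kasan_unpoison_object_data/kasan_poison_object_data calls that are always compiled out when this option can be enabled; either the dependency is stale or the comment should say the calls are kept only for symmetry with the surrounding code. The enclosing functions slab_alloc_node and kmem_cache_alloc_bulk start and end outside the inner hunks shown here.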
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..1c38e4733107
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From 551722a13257966781dad52618ad54ba9cc6427c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 057/112] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 9b75a4921575..f15109e7b111 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1945,6 +1945,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0fcd97a4eb6f..105dba485a7e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -504,7 +504,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index d42d2709526a..c949d918dc7f 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2915,6 +2958,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3302,7 +3350,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3372,6 +3420,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3573,6 +3626,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3753,6 +3807,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3826,6 +3883,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4099,6 +4160,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.30.0
+
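Review bot: check_canary reports a mismatch only through `BUG_ON(*canary != get_canary_value(canary, value))`, so a triggered canary leaves the crash log without the cache name or any indication of which cache's objects were corrupted, which makes triage of a detected overflow or double free harder than the rest of SLUB's debug reporting. Something as small as `if (unlikely(*canary != get_canary_value(canary, value))) { pr_err("slub: canary mismatch in cache %s\n", s->name); BUG(); }` keeps the fail-hard behaviour while recording what was hit. Also, CANARY_MASK used in get_canary_value is not defined anywhere in this patch; it presumably comes from an earlier patch in the series, and a short comment on get_canary_value stating which byte the mask clears (the commit message promises a guaranteed zero byte on 64-bit) would make that contract visible at the point of use. The hunks in slab_free_freelist_hook, slab_alloc_node and kmem_cache_alloc_bulk are excerpts of functions that start and end outside this patch.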
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..0824a3e8f361
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From ba45ab6d3688ed1fdbeb443faf160b391b6dcfea Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 058/112] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 96450f6fb1de..d020c26b612a 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1312,6 +1312,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index dc568ca295bd..d97501029990 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -407,8 +407,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11638,7 +11643,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.30.0
+
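Review bot: The commit description says access is disallowed for users "without CAP_SYS_ADMIN", but the new perf_allow_open gates on `perfmon_capable()`, which on this kernel is also satisfied by CAP_PERFMON — the adaptation trailer says so, and the sysctl documentation line added to kernel.rst correctly names CAP_PERFMON. The Kconfig help text for SECURITY_PERF_EVENTS_RESTRICT should state the real boundary so an administrator auditing capability grants knows that CAP_PERFMON alone is enough to pass level 3; appending `Processes holding CAP_PERFMON (or CAP_SYS_ADMIN) remain allowed.` to the help text would do. From what is visible, perf_allow_open is only called from the perf_event_open syscall, so in-kernel counter creation is not affected, which is consistent with how perf_allow_kernel is used.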
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..b6a96dab7880
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From d975062fd7f60f1c91f1ef03bef4776fccd9ce4f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 059/112] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..042442c266ad
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From 6b4e452113fa2b1dbad5751d991b500ca38c2610 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 060/112] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index dc55f68a6ee3..31932fe83510 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1863,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2928,6 +2933,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..29a30cff5e60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.30.0
+
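Review bot: The new kern_table entry for unprivileged_userns_clone uses `proc_dointvec` with no bounds, so any integer (including negative values) is accepted even though every consumer only tests `!unprivileged_userns_clone`; boolean sysctls elsewhere in the kernel typically use `proc_dointvec_minmax` clamped to 0/1. Suggest `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` so the stored value is always what readers and compliance tooling comparing against 0/1 expect. The two new checks in copy_process and ksys_unshare use `capable(CAP_SYS_ADMIN)`, i.e. the capability in the initial user namespace rather than `ns_capable()`, which is the intended semantic for a knob that restricts unprivileged namespace creation; a one-line comment at the copy_process check saying the check is deliberately against init_user_ns would keep someone from "fixing" it later. copy_process and ksys_unshare start and end outside the inner hunks shown.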
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..f6b1ddc96a74
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 2e11dd4e2e4037e0080591a4f4a099262746b780 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 061/112] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index dd6897f62010..78f99835b91b 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -386,7 +386,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -410,7 +410,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -535,7 +535,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -557,7 +557,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.30.0
+
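Review bot: The krealloc declaration uses `__attribute((alloc_size(2)))` while every other line in this patch writes `__attribute__((alloc_size(...)))`; GCC accepts both spellings, but the bare form is inconsistent and easy to misread as a typo, so `void * __must_check krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));` keeps it uniform. The caveat in the commit message is the real behavioural consequence of this change: with alloc_size on kmalloc/krealloc, `__builtin_object_size` (and so FORTIFY_SOURCE checks built on it) can treat the requested size as the hard limit, turning in-tree ksize() consumers that write into the allocation slack into detected violations rather than silently allowed writes. That is a property a maintainer needs to know when such a report appears, so it would be worth a short comment next to the kmalloc prototype rather than only in the commit log.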
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..5e559e92adc3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From d0bd943e0930596a73950bc1a9d0c128e7e1fecd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 062/112] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 938eaf9517e2..7c069063c20d 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -102,18 +102,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.30.0
+
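Review bot: `__vmalloc_node` on the last lines of the hunk is left without the attribute while its neighbour `__vmalloc_node_range` gets `alloc_size(1)`; both take `size` as their first parameter and are the lowest-level entry points behind the annotated wrappers, so the omission looks accidental rather than deliberate. Adding `__attribute__((alloc_size(1)))` after the `int node, const void *caller)` parameter list of `__vmalloc_node` keeps coverage of the vmalloc family uniform.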
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..c205f9649c89
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From 4dcffb97cbb85eb38a18c7ec9f80a84e9c8abbe0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 063/112] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index db6ae4d3fb4e..0bc79d6871bb 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -759,7 +759,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.30.0
+
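Review bot: Only the out-of-line kvmalloc_node gets alloc_size(1); the static inline kvmalloc wrapper directly beneath it (and presumably the other kv* inline wrappers in this header, which are outside the hunk) is not annotated, so a caller's `__builtin_object_size` on a kvmalloc() result only benefits when the wrapper is actually inlined. Patch 0061 in this same series annotates the inline kmalloc/kmalloc_node wrappers themselves; doing the same here with `static inline __attribute__((alloc_size(1))) void *kvmalloc(size_t size, gfp_t flags)` keeps the two headers consistent.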
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0064-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..fb7a099c9e40
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 801b46fdf70c52f5125eb405123800b27590fbbc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 064/112] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..d70449303cc0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From da3fce5feb13460be67969633b27c23429fb2ff1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 065/112] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index c603237e006c..893378b0262e 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -568,9 +568,9 @@ static inline struct page *alloc_pages(gfp_t gfp_mask, unsigned int order)
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.30.0
+
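Review bot: `alloc_size(1)` on `alloc_pages_exact` tells the compiler the returned object is exactly `size` bytes, whereas the allocation itself is, as far as I recall, rounded up to whole pages, so a caller that deliberately used the page-rounded slack would now trip a compile-time or FORTIFY runtime overflow check. That is arguably the desired strictness, but it is a behaviour change worth a sentence in the commit message and a comment on the prototype such as `/* callers may rely on size bytes only, not on the page-rounded allocation */`. The `alloc_size(2)` on `alloc_pages_exact_nid` correctly accounts for `nid` being the first parameter.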
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..d0f7fccce768
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From 85f4841e32ccc2662f1e09788843e6ef9b51303b Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 066/112] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f6a1513dfb76..f399208c873a 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3566,6 +3566,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 7f663eea14a0..8db6908c8124 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -136,6 +137,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1547,6 +1557,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.30.0
+
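Review bot: The bound `page_to_pfn(page) < 0x100000` in `__free_pages_core` encodes "first 4GB" in 4K-page units, so on configurations with a larger PAGE_SIZE (e.g. 64K pages) the hashing would cover many times that much memory and the text added to kernel-parameters.txt and Kconfig would be wrong; `page_to_pfn(page) < (1UL << (32 - PAGE_SHIFT))` expresses the intended limit independently of page size. Separately, `extra_latent_entropy` is `__meminitdata` but is read from `__free_pages_core`, which also serves the memory-hotplug online path; if that function is not itself `__meminit` in this tree, modpost should report a section mismatch and on a non-hotplug kernel the flag lives in memory discarded after init — worth confirming. The mixing step `hash ^= hash + data[index]` is weak, which is acceptable only because the result is fed through `add_device_randomness()` and never credited, a point the Kconfig help already makes.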
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..bcbed2152063
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From a0814c976b3a3362a8817a021ca616403dfa1e15 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 067/112] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 61c762961ca8..02a83039c25b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.30.0
+
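Review bot: The retained comment `/* ata_qc_from_tag _might_ return NULL */` no longer explains the new behaviour, since after the change a NULL `qc` is fatal rather than a warning; the rationale — that the unconditional `ap = qc->ap` on the next line would dereference NULL anyway, and that `BUG_ON` turns that into a deterministic, reported failure — should be stated, e.g. `/* qc is dereferenced unconditionally below; fail loudly rather than fault on NULL */`. The same applies to the second hunk in `__ata_qc_complete`.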
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..1649829ad37e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From 6fe723d4cdac71d44d6862925044e08ea135e92e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 068/112] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 74019c8ebf6b..c480b4e7ffef 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -778,6 +778,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.30.0
+
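Review bot: `BUG_ON(minlen < 0)` in `nla_memcpy` guards the `memcpy`/`memset` below against a negative length being converted to a huge `size_t`, which is the right thing to catch, but nothing on the line records why `minlen` can be negative: `nla_len()` returns `int` and yields a negative value for an attribute whose header claims fewer than `NLA_HDRLEN` bytes, and a negative `count` from the caller is folded in by `min_t(int, ...)` as well. A comment such as `/* nla_len() and count are int; a negative value would wrap to a huge memcpy size */` would make the check self-explanatory. Since netlink input can reach this path, choosing `BUG_ON` over a `WARN_ON` plus early return is a deliberate fail-closed trade-off and deserves a sentence in the commit message.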
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0069-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0069-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..4beb68ee963d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0069-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From 37c0e7a7e065a9cd28ef708d8d6d53c93adc9214 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 069/112] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 0bc79d6871bb..3519e61b07fa 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -894,10 +894,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index 47a47681c86b..762095d95092 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.30.0
+
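Review bot: `PageHuge(page)` is evaluated twice in `__put_compound_page`, once for the `__page_cache_release` guard and again for the new `BUG_ON`; on a CONFIG_HUGETLB_PAGE build it is an out-of-line call, so capturing it once with `bool huge = PageHuge(page);` and testing `if (!huge)` in both places reads better and makes clear the two checks are meant to agree. A comment on the `BUG_ON` would help too, e.g. `/* a non-hugetlb compound page must carry one of the known destructors; anything else is corrupted page metadata */`. The `VM_BUG_ON_PAGE` range check in `get_compound_page_dtor` is only active with CONFIG_DEBUG_VM, so the unconditional `BUG_ON` here is the one that matters on production kernels.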
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..b1a00bec707b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From 65dfb760e4c38e4eff5f604128fc3521ac894ec7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 070/112] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 35ad8480c464..edaeeab9df4b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -399,6 +399,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 145a7ac0c19a..058941e9ae40 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 569ac1d57f55..044d88da4aee 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1066,6 +1066,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.30.0
+
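Review bot: `BUG_ON(cr4 != __read_cr4())` assumes the `cpu_tlbstate.cr4` shadow always equals the hardware register, which is not guaranteed under paravirt: a backend whose `write_cr4` masks bits before writing (Xen PV historically drops PGE/PSE/PCE, if I recall correctly) would make the shadow and `__read_cr4()` legitimately differ and this check would fire at the first `cr4_update_irqsoff()`. Please confirm against the paravirt code in this tree, or restrict the check to the native path. The three insertions in common.c, process.c and tlb.c share this concern; a short comment at each, such as `/* the shadow must track hardware exactly; divergence means CR4 was written behind our back */`, would document the intent.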
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0071-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0071-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..e115fb3ed9cb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0071-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From 68aedeb766c477219aab48b552788c53c89890b1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 071/112] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index f882ce0d9327..50e9baefc4e7 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.30.0
+
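Review bot: The per-instance report for `DATA_TO_TEXT` in `report_sec_mismatch` is compiled out with `#if 0`, so the only output is the final `warn()` count with no module, section or symbol, which leaves a developer nothing to act on; either drop the `#if 0`/`#endif` pair or add a command-line option that enables the detailed line. The message passed to `warn()` also starts with a literal `modpost: `, which duplicates the prefix `warn()` already emits in this modpost version, if I read the tree correctly. Finally, `writable_fptr_count` never affects `err`, so the finding is informational only — fine, but worth stating in the commit message since the handler-less `sectioncheck` entry otherwise looks like a fatal mismatch rule.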
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..165daf466674
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From 1fcab99a22de4d36a5b457207892d9e0c4dd959f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 072/112] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..2059c66f7c9b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1693,6 +1693,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.30.0
+
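Review bot: This patch carries no description and no Signed-off-by trailer, unlike the other patches in the series, and the added branch in `audit_enable` is not self-explanatory: as I read it, a later `audit=1` on the command line must undo the `AUDIT_DISABLED` state set by an earlier `audit=0`, which the `!audit_ever_enabled` test implements. A comment such as `/* a later audit=1 overrides an earlier audit=0: reset the disabled state */` on the `else if` line, plus the same sentence in the commit message, would make the intent reviewable.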
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..874ea5f655ac
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From d0b515f2c36b12d037d9bf3d063e04a3c1cf50e8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 073/112] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.30.0
+
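Review bot: The Kconfig prompt `bool "Harden common functions against buffer overflows"` for `FORTIFY_SOURCE_STRICT_STRING` is almost indistinguishable in menuconfig from the existing FORTIFY_SOURCE prompt it sits next to; a prompt that names the difference, e.g. `bool "Strict intra-object bounds checking for string functions (experimental)"`, would avoid users enabling it by mistake given the help text's own warning that it is for bug finding only. On the string.h side, `__string_size()` is defined outside the `#if !defined(__NO_FORTIFY) ...` guard, which is harmless for a macro, but a one-line comment above it explaining that mode 1 of `__builtin_object_size` stops at the enclosing struct member would help readers unfamiliar with the distinction.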
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..2fb86298c35b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From 248717cf2e3917da7d4ddbf6dbfc9015b00fbfc1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 074/112] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.30.0
+
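Review bot: The commit message only names the upstream commit being reverted and gives no reason for preferring a fixed `0x100000000UL` base over the 2/3-of-map-window value upstream moved to, nor does it address that the arm64 hunk also discards the `CONFIG_ARM64_FORCE_52BIT`/`DEFAULT_MAP_WINDOW_64` handling that did not exist when the reverted change was made. A sentence explaining the intended layout and what happens on 52-bit-VA arm64 configurations would make this reviewable; as it stands a reader cannot tell whether the 52-bit case was considered or simply lost in the revert.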
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..5e149a8c95e8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From ee13f3b984b979b264152d9ee1643d3f1ccf3fc9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 075/112] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.30.0
+
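Review bot: Removing `align_vdso_addr()` and calling `map_vdso(image, 0)` drops the `va_align` handling for the vdso, and since the special-mapping path used by `map_vdso()` has no file pointer, `arch_get_unmapped_area()` will as far as I can tell not apply `get_align_mask()`/`get_align_bits()` for it either, so the `control_va_addr_alignment` workaround no longer covers the vdso. That is a performance rather than a security concern, but the commit message should say so explicitly, since it currently reads as though only the randomization placement changes. A one-line comment in `map_vdso_randomized`, e.g. `/* addr 0: let the mmap allocator pick a randomized base like any other mapping */`, would also help.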
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..1b1d4359ceaa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From 9ace1e919fb8a41cef6756cb44730de713466199 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 076/112] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.30.0
+
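Review bot: The context comment `/* 1GB for 64bit, 8MB for 32bit */` directly above the rewritten `__STACK_RND_MASK` still describes the old fixed 0x3fffff/0x7ff masks, and the same is true of `/* 1GB of VA */` above the arm64 `STACK_RND_MASK` in 0077 (ending at L19593); both should now say that the mask follows the mmap entropy configuration, e.g. `/* stack entropy follows mmap_rnd_bits / mmap_rnd_compat_bits (vm.mmap_rnd_bits sysctls) */`. The macros now expand to a runtime `int` declared in linux/mm.h rather than to a constant, so any translation unit that includes asm/elf.h and uses STACK_RND_MASK without also seeing that declaration would stop compiling; presumably the existing users already include it, but that is worth confirming for the 32-bit and COMPAT configurations, where `mmap_rnd_compat_bits` is only declared when the arch selects HAVE_ARCH_MMAP_RND_COMPAT_BITS.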
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..81c144e43ff3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From cbb5a57af02598f29673f8f829076eebf83fce55 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 077/112] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..f0f37c9260d7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,37 @@
+From d8be19888d6dc29bd81a8267b41b73c4cb93f12c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 078/112] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ fs/exec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 547a2390baf5..5f8758368f15 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -64,6 +64,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -280,6 +281,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.30.0
+
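Review bot: The new gate `if (randomize_va_space)` in `__bprm_mm_init` ignores the personality bit that the rest of the stack randomization honours: `randomize_stack_top` only adds entropy when `PF_RANDOMIZE` is set, and `load_elf_binary` sets that flag only when `randomize_va_space` is on and `ADDR_NO_RANDOMIZE` is clear. `PF_RANDOMIZE` is not yet set for the new image at this point, but `current->personality` is, so the check should be `if (randomize_va_space && !(current->personality & ADDR_NO_RANDOMIZE))` so that processes that opted out of randomization (e.g. for reproducible debugging) also get a deterministic argument block. A short comment noting that XORing only the sub-page bits keeps `bprm->p` inside the page below `vma->vm_end` would make the intent clear; `__bprm_mm_init` continues outside the hunk.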
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..e225cad26c6a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From 361e279f6f64a3210bd7c468995422b30afd0dc4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 079/112] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 058941e9ae40..61460d55dd72 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -906,7 +908,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.30.0
+
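Review bot: `#include <linux/sizes.h>` is added after the `asm/` includes; kernel convention keeps `linux/` headers ahead of `asm/` ones, so it belongs with the `linux/` group at the top of arch/x86/kernel/process.c, outside this hunk. The `else` after `return randomize_page(mm->brk, SZ_32M);` is redundant and checkpatch flags it; `return mmap_is_ia32() ? randomize_page(mm->brk, SZ_32M) : randomize_page(mm->brk, SZ_1G);` or simply dropping the `else` reads cleaner, and the same shape is carried into 0082 and 0084. A one-line comment stating that SZ_1G deliberately matches the arm64 brk range would save the next reader a trip to the commit subject.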
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..ca2db77cfc27
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From a2139f4786430c524fb1b589909c0aeaf420ce12 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 080/112] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 5c8b4485860d..0e26c225bb53 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.30.0
+
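Review bot: The new block assumes an unaligned `min_brk` can only come from a randomized `arch_randomize_brk`, but if I read the CONFIG_COMPAT_BRK branch of `SYSCALL_DEFINE1(brk)` correctly, `min_brk` is `mm->end_data` for a task without `brk_randomized`, which can be unaligned for reasons unrelated to randomization; in that case the `brk == min_brk` / `mm->brk == min_brk` special case moves the window one page lower, into the page holding the end of the data segment. Restricting the block to the randomized case, e.g. guarding it with `current->brk_randomized` where CONFIG_COMPAT_BRK is set, or confirming that this is intended, would close that question. The comment `/* properly handle unaligned min_brk as an empty heap */` should also state the invariant it relies on, e.g. `/* min_brk may be unaligned (see arch_randomize_brk); while brk == min_brk no heap page is mapped, so the page holding min_brk must not be counted by PAGE_ALIGN() */`. The `brk < min_brk` guard this depends on sits earlier in the function, outside the hunk.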
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..e6e542a0c115
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From e5c65144ec28a78c67b2f654b2701bdd71ce7903 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 081/112] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ddb6e186dd5..4ca72f952329 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
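Review bot: `get_random_long() % SZ_32M` and `% SZ_1G` are unbiased only because both sizes are powers of two (the modulo is a mask, not a division); a comment stating that, and that the result is deliberately left unaligned so the heap start gets sub-page entropy, would keep someone from "fixing" it back to `randomize_page()`, e.g. `/* power-of-two range: % is a cheap unbiased mask; intentionally not page-aligned */`. Replacing `randomize_page()` also drops its `start + range` overflow clamp; that is presumably harmless for a brk far below the address-space limit, but it is now an implicit assumption worth noting. The same applies to the x86 copy in 0082 (ending at L19802).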
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..99edadbce8c2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 33bf76b71bf373fe40d82349edb3bd7843358392 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 082/112] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 61460d55dd72..0d4c3887229d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..aca450f1b50e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 1da4225bb3e25dad5ce4ac65445dab78a604a711 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 083/112] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ca72f952329..62ed34dfceb7 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
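Review bot: The `+ PAGE_SIZE` appended to both return values carries its purpose only in the subject line; in the code it reads like an off-by-one, so a comment such as `/* keep at least one unmapped page between the end of the data segment and the heap */` should accompany it here and in the x86 twin in 0084 (ending at L19876). Since 0081 through 0084 each rewrite the same two lines of `arch_randomize_brk`, squashing them into one patch per arch would also make the series easier to review and bisect.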
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..aa2b4149b443
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From e83175047808bf28d508a55c2dcbc4f9087e78bd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 084/112] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 0d4c3887229d..161e25d02fd5 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..412648da7e13
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From c7443c2fd25f64a4370111b268b3b520014924f7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 085/112] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.30.0
+
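Review bot: With `*end = get_mmap_base(0)` the bottom-up window in `find_start_end` collapses to zero for a process using the legacy layout, because `arch_pick_mmap_base()` sets `mm->mmap_base` to `mm->mmap_legacy_base` whenever `mmap_is_legacy()` is true (ADDR_COMPAT_LAYOUT personality or `vm.legacy_va_layout`), so `*begin == *end` and every hint-less mmap in such a process fails with ENOMEM — unless another patch in this series removes the legacy layout, which I cannot see from here. A guard such as `if (*end <= *begin)` that falls back to the previous `task_size_32bit()` / `task_size_64bit(addr > DEFAULT_MAP_WINDOW)` end would keep legacy-layout processes working. The rewrite also means a hint above `mmap_base` (the opt-in for the 5-level-paging high half that `task_size_64bit(addr > DEFAULT_MAP_WINDOW)` used to allow) can no longer be honoured by the bottom-up path; if that is intended it deserves a sentence in the commit message, which currently has no body and no Signed-off-by.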
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0086-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0086-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..f5f07d28bd89
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0086-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From f7235492328e27638d669622cfb6428025e5618a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 086/112] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 5eea9912a0b9..f86f383a3e1d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index dacecdda2e79..14173d0f777d 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 8bde32cf9711..83d50b0a2a18 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3475,4 +3475,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index de7eac903a2a..5602178f3d21 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
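Review bot: The `kern_table` entry added at the end of this patch uses `proc_dointvec_minmax_sysadmin`, which at this point in the series is still `static` and wrapped in `#ifdef CONFIG_PRINTK` (the context lines of 0087 show exactly that), so a CONFIG_PRINTK=n build is broken between 0086 and 0087; moving 0087 ahead of this patch, or folding the two, keeps the series bisectable. In `fsnotify_file`, `mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode)` relies on `&` binding tighter than `&&`; it is correct, but kernel style is explicit parentheses, `if ((mask & (FS_ACCESS | FS_MODIFY)) && is_sidechannel_device(inode))`. The new `kernel.device_sidechannel_restrict` sysctl (and `kernel.deny_new_usb` in 0088, ending at L20298) has no Documentation/admin-guide/sysctl/kernel.rst entry in the diffstat; administrators need to know that, when set, world-accessible char/block devices report ctime in place of atime/mtime to callers without CAP_MKNOD and generate no FS_ACCESS/FS_MODIFY fsnotify events.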
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..c3b2536556f9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From b3e61892d172016a68892712e96fa3abf95e6f1d Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 087/112] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -890,8 +890,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -899,7 +918,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1585,6 +1603,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3436,6 +3460,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.30.0
+
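Review bot: The kerneldoc line `Writing is only allowed when root has CAP_SYS_ADMIN.` misstates the check: `capable(CAP_SYS_ADMIN)` resolves through `ns_capable(&init_user_ns, cap)` (visible in 0086's kernel/capability.c context), so uid 0 is neither necessary nor sufficient — what matters is holding CAP_SYS_ADMIN in the initial user namespace. Suggest `* Writing requires CAP_SYS_ADMIN in the initial user namespace; reads are unrestricted.` Now that the helper is exported for arbitrary subsystem tables, it is worth one more sentence saying that this check is in addition to the entry's file mode, since a 0644 mode already stops unprivileged users and the capability check is what keeps a root-in-container writer out.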
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..ffd259facecc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From 3e36ae22c409a74e07654838395988792043acd7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 088/112] usb: add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 17202b2ee063..9385c745d55e 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,6 +5054,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5114,6 +5117,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7d72c4e0713c..8e7549e3012a 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,6 +2035,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..f867606fbd80 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2305,6 +2308,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
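Review bot: `dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1)` fires on every connect attempt while the knob is set, so a flapping port or a device re-plugged in a loop can flood the kernel log; `dev_warn_ratelimited()` or `dev_info_ratelimited()` fits an administrator-chosen policy decision better than an unthrottled error-level message. `port_dev` and the `done:` label are both outside the hunk, so confirm that `port_dev` is initialised before this point and that the `done` path actually leaves the port disabled, since that is what the message implies. The kernel/sysctl.c and include/linux/usb.h hunks are undone by the very next patch, 0089 (its diffstat removes 14 lines from kernel/sysctl.c), so squashing 0088 with 0089 would avoid adding a `#include <linux/usb.h>` to kernel/sysctl.c only to remove it again.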
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..14cf80bd662c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,195 @@
+From bc0eae0ad1c9a6d433bc7a551b894e550ef46f74 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 089/112] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 14 -------------
+ 6 files changed, 63 insertions(+), 18 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 9385c745d55e..b62b3da81ac4 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,9 +5054,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 9b4ac4415f1a..93b4b798bdcc 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -978,6 +981,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1012,6 +1018,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1035,6 +1043,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 8e7549e3012a..653265115e56 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,8 +2035,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index f867606fbd80..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,9 +106,6 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
+-#if IS_ENABLED(CONFIG_USB)
+-#include <linux/usb.h>
+-#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2308,17 +2305,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
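Review bot: The new `drivers/usb/core/sysctl.c` opens directly with `#include <linux/errno.h>` and has no SPDX line, and the now-exported `deny_new_usb` in usb.c carries no comment saying what it gates. Kernel convention is a `// SPDX-License-Identifier: GPL-2.0` first line, and the variable wants a why-comment such as `/* kernel.deny_new_usb: when set, hub_port_connect() refuses newly connected USB devices */` so a reader of usb.c does not have to locate the check in hub.c. Note also that `usb_init()` now aborts entirely when `register_sysctl_table()` fails (`goto sysctl_init_failed`); that is a fail-closed choice defensible for a hardening knob, but the old kern_table entry had no such failure mode, so the commit description should say so.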
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..ca32df1e209d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From 8d35f6ce4ec7f27e9574b3d93539d8b2df79e45f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 090/112] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f399208c873a..282777d18d19 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c46312710e73..541c65650c5e 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4bde570d56a2..cc5caffc07fa 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ length = count;
+ out:
+ kfree(page);
+--
+2.30.0
+
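Review bot: Dropping the `checkreqprot=` `__setup` handler means a stale `checkreqprot=1` on the command line is no longer reported anywhere, and a write of `1` to `/sys/fs/selinux/checkreqprot` now returns `-EINVAL` without the former `pr_warn_once`, so an administrator gets no hint why the setting is rejected. I would keep a stub boot-parameter handler that only logs the attempt (below) and add a one-line `pr_warn_once("SELinux: checkreqprot is hard-wired to 0\n");` before the `goto out` that the new `|| new_value` condition reaches. `sel_write_checkreqprot` begins before the hunk.
```c
static const unsigned int selinux_checkreqprot_boot;

/* The option is hard-wired to 0; only report attempts to enable it. */
static int __init checkreqprot_setup(char *str)
{
	unsigned long checkreqprot;

	if (!kstrtoul(str, 0, &checkreqprot) && checkreqprot)
		pr_warn("SELinux: checkreqprot=1 given on the command line but it is hard-wired to 0 in this kernel\n");
	return 1;
}
__setup("checkreqprot=", checkreqprot_setup);
```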
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..dd74d969d803
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From 2573a259acd9e20175b0495a8de249535e994851 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 091/112] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 56ade99ef99f..557356504a81 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3014,6 +3015,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index eb33d948788c..a205640b4c61 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -342,6 +343,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.30.0
+
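Review bot: The new `owner_user_ns` member of `struct tty_struct` has no comment, and its semantics are the subtle part: it records the user namespace of the task that ran `alloc_tty_struct()`, not of whoever later holds the tty, and the reference taken with `get_user_ns()` is released in `free_tty_struct()`. I would document that at the field: `/* user ns of the task that allocated this tty; ref dropped in free_tty_struct() */`. Since the assignment is the last statement of `alloc_tty_struct()`, a struct freed through `free_tty_struct()` before that point would carry a NULL `owner_user_ns`; `put_user_ns()` tolerates NULL as far as I recall, but that is worth confirming rather than assuming. Both touched functions begin before their hunks.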
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..0f01701a058a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From 2bdf30506465290f7d73bdf3a20170b50ef4026d Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 092/112] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 557356504a81..5670bd7442df 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2182,11 +2182,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a205640b4c61..116138eb394c 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -353,6 +353,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..8fd007fbec4c 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2295,6 +2298,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.30.0
+
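Review bot: The denial message in `tiocsti()` names neither the calling process nor the tty, which makes the log line of little use for triage; the series already uses `current->comm`/`pid` elsewhere, so `dev_warn_ratelimited(tty->dev, "Denied TIOCSTI ioctl for non-privileged process %s (%d)\n", current->comm, task_pid_nr(current));` would carry what a defender needs. `tiocsti_restrict` is also the only sysctl-backed flag in this series declared without `__read_mostly` (compare `deny_new_usb` in 0089), and the `kernel/sysctl.c` hunk writes `#if defined CONFIG_TTY` where the surrounding file uses `#ifdef`/`IS_ENABLED()`. The remainder of `tiocsti()`, including the existing same-session check, continues past the shown lines.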
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..7a4fba86d67d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 31adcadc6a8343d2b0d4cd9cdb39a7804531acca Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 093/112] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.30.0
+
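Review bot: The help text introduced in 0092 still ends with "If you are unsure how to answer this question, answer N." and says "If this option is not selected, no restrictions will be enforced", which now contradicts `default y`. The text should be updated in the same change, e.g. `If you are unsure how to answer this question, answer Y.`, so the prompt and the default agree.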
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..51c1fd7467a2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From e965c49871c87034aab17b4cb163f38d6001222a Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 094/112] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b..a54c05624647 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.30.0
+
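Review bot: The new default of 1 is undocumented and, as far as I recall, the `unprivileged_bpf_disabled` sysctl handler in this kernel series refuses the 1→0 transition, so with this default unprivileged BPF cannot be re-enabled at runtime at all; confirm against the handler in `kernel/sysctl.c` and state it in the (currently empty) commit description. A comment on the line would also help: `int sysctl_unprivileged_bpf_disabled __read_mostly = 1; /* default-deny; the sysctl latches once set */`.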
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..ff451498400b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 331879b6d07cca5c402941f1f37ddc235ede8ee5 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 095/112] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 55454d2278b1..de02792dc2fc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -524,7 +524,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.30.0
+
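Review bot: The value `2` is a magic number here; `bpf_jit_harden` distinguishes 1 (constant blinding for unprivileged programs only) from 2 (for all programs, privileged included), and the line gives no hint which is intended: `int bpf_jit_harden __read_mostly = 2; /* 2: blind constants for privileged and unprivileged programs */`. The commit has no description; a sentence noting the cost of blinding privileged programs would help whoever tunes `net.core.bpf_jit_harden` later.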
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..e3965a930109
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From 4593a4a6491ec45ae30a3944030295483bf5ab48 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 096/112] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 59ff3ce21026..72f912c68975 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.30.0
+
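Review bot: Same magic-number point for these two lines — `sysctl_protected_fifos`/`sysctl_protected_regular` accept 0, 1 or 2, where 2 extends the restriction from world-writable to group-writable sticky directories, and nothing in the patch says which is meant. A trailing comment such as `/* 2: also covers group-writable sticky directories */` on each line, or a sentence in the empty commit description, would make the intent reviewable.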
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..3a84b02ba4a6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From e0c8608f455cb91b35f8f6c22697f5842f440825 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 097/112] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index bda9596d7a9f..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index f9eb66b3f152..c3d771ffc178 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.30.0
+
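Review bot: The two revert hunks disagree on the annotation: `init_32.c` keeps `kernel_set_to_readonly __read_mostly` while `init_64.c` drops the attribute entirely; pick one (`__read_mostly` on both matches the rest of the series). Moving `kernel_set_to_readonly = 1` after `set_pages_ro()`/`set_memory_ro()` also deserves an in-code why-comment, since the commit message only points at an issue link: `/* Set only after the pages are read-only; flipping it first conflicts with CPA (linux-hardened issue #4). */`. The description body in this patch is indented, so its `Signed-off-by:` line may not be parsed as a trailer.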
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..5efbdcb4f05b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From a1f9e84fd74b9b2c065a83abfd3d7e026d9cacfd Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 098/112] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index a46f21a56125..6f5011b629a3 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -374,6 +374,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 50e9baefc4e7..2cbc4e8a6295 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.30.0
+
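Review bot: The new `DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE` symbol added to lib/Kconfig.debug has no `help` block, so someone toggling it in menuconfig cannot tell that it only changes modpost's build-time reporting and has no runtime effect. I would add a help text along the lines of `Print every DATA_TO_TEXT section mismatch ("writable function pointer") that modpost finds instead of only the summary count. This only affects build output.` The summary message added at the end of main() tells users to run `make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y`; that works here because the symbol is consumed only by scripts/Makefile.modpost, but it is worth saying it can equally be set in .config, since command-line CONFIG overrides are unusual. Note also that in verbose mode `report_sec_mismatch` prints each reference but no total is printed at exit, so the count appears only on the non-verbose path.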
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..021e81d5abe1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,103 @@
+From bbeab61f1ed1d54d37947bc110cf8d81675831fe Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 099/112] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 8db6908c8124..3a7e9c279c35 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1537,6 +1537,25 @@ static void __free_pages_ok(struct page *page, unsigned int order,
+ local_irq_restore(flags);
+ }
+
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
++{
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++}
++
+ void __free_pages_core(struct page *page, unsigned int order)
+ {
+ unsigned int nr_pages = 1 << order;
+@@ -1556,22 +1575,6 @@ void __free_pages_core(struct page *page, unsigned int order)
+ }
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+-
+- if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+- unsigned long hash = 0;
+- size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+- const unsigned long *data = lowmem_page_address(page);
+-
+- for (index = 0; index < end; index++)
+- hash ^= hash + data[index];
+-#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+- latent_entropy ^= hash;
+- add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+-#else
+- add_device_randomness((const void *)&hash, sizeof(hash));
+-#endif
+- }
+-
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+@@ -1630,6 +1633,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1721,6 +1725,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1728,6 +1733,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.30.0
+
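Review bot: `__gather_extra_latent_entropy` is now called from `deferred_free_range`, which is presumably run from the deferred page-init thread(s), so the `latent_entropy ^= hash` read-modify-write on a global is unsynchronised; that is carried over from the removed code in `__free_pages_core` and is harmless for a value that `add_device_randomness` mixes without crediting, but it deserves a comment so nobody later adds entropy credit here, e.g. above the `#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY`: `/* Racy RMW is acceptable: the hash is only mixed in, never credited as entropy. */`. The commit message should also state the intended behaviour change: pages freed through `__free_pages_core` from callers other than the two `__init` paths patched here (memory-hotplug onlining, for instance) no longer contribute, which is what makes the `__init` annotation on the new helper valid. The helper's own comment should say that it reads `PAGE_SIZE * nr_pages` bytes of every low-memory page freed at boot, so the cost is a one-time boot-time pass over RAM contents.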
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..0cea2ed57cfe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From fbd6fc095f4430b68ef24e35fd196d3a20c7d382 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 100/112] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index f15109e7b111..94918210ee72 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+
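Review bot: The two-way `#ifdef CONFIG_USER_NS_UNPRIVILEGED` in kernel/user_namespace.c can be one definition, `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);`, which is the form the tcp_simult_connect patch later in this series uses and avoids declaring the same variable twice. The help text says unprivileged users "will not be able to create new namespaces", but only user-namespace creation is gated by this variable (its name says as much), so `new user namespaces` is the accurate wording in both the help block and the commit message. `default n` on a bool is a no-op and can be dropped. The code that actually consults `unprivileged_userns_clone`, and the sysctl registration, are not in this patch, so enforcement depends on an earlier patch in the series.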
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..d4d6c1316247
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From acc86df6faf816a0650a6c0bb5f6f87f7a95b54c Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 101/112] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index a718487ad717..7e3fe39ed6a4 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.30.0
+
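Review bot: `default yes` is not a Kconfig value: as far as the Kconfig grammar goes only `y`, `m` and `n` are recognised, and an unrecognised word is parsed as an undefined symbol that evaluates to `n`, so as written INIT_ON_ALLOC_DEFAULT_ON still defaults to off unless the .config sets it explicitly. The line should read `default y`. This is easy to confirm with `make olddefconfig` on a config that does not mention the symbol. The same spelling appears in the INIT_ON_FREE_DEFAULT_ON patch that follows.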
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..2d0a4d0c134b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From df28e0ac22621f05f80e3272f8305a571df6499d Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 102/112] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 7e3fe39ed6a4..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.30.0
+
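Review bot: `default yes` should be `default y` here too; Kconfig only knows `y`, `m` and `n`, and an unrecognised word becomes an undefined symbol that evaluates to `n`, so this patch most likely does not change the default at all. Since the commit has no body, it would also help to record the trade-off being made: init_on_free adds a memset on every free, which is the known cost of the hardening default this patch intends to set.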
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..b8fdb483bbb3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From 8462e374c0d6da92262e9b24f52531660d7185e0 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 103/112] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 000b457ad087..06d35ecdcbc8 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 94918210ee72..970066ca7388 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1747,6 +1747,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.30.0
+
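Review bot: The two-way `#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED` in fs/userfaultfd.c can collapse to `int sysctl_unprivileged_userfaultfd __read_mostly = IS_ENABLED(CONFIG_USERFAULTFD_UNPRIVILEGED);`, matching the style the tcp_simult_connect patch in this series uses for its default. In the help text `Userfaultfd provide attackers` should be `Userfaultfd provides attackers`, and `default n` on a bool is redundant. Because the help block repeats the commit message verbatim, it would be more useful to say what an unprivileged caller observes when the knob is off; the existing check on `sysctl_unprivileged_userfaultfd` lives outside this patch, so the exact error (presumably `-EPERM`) should be confirmed before documenting it.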
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..b820dcd99e87
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From 44156606b8df578b56308737065e4ec8fc0251b9 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 104/112] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 105dba485a7e..2138deacf719 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -630,8 +630,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index c949d918dc7f..cb8abacabfdb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2955,8 +2956,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3416,8 +3423,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.30.0
+
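Review bot: Running `s->ctor` again on every allocation after the `memset` in `slab_alloc_node` and `kmem_cache_alloc_bulk` changes the slab constructor contract, under which the constructor runs once when a slab is populated and objects are returned to the constructed state on free; it is necessary once the object has been zeroed, but the `if (s->ctor)` should carry a comment saying so, e.g. `/* init_on_alloc wiped the ctor-initialised state; rebuild it before handing the object out. */`. Removing the `c->ctor` bail-out that preceded the `SLAB_TYPESAFE_BY_RCU` check in `slab_want_init_on_alloc` also means a SLUB cache with both a constructor and that flag now takes the memset-plus-ctor path when `__GFP_ZERO` is passed, where it previously returned `false`; that is arguably more correct, but it is a behaviour change the commit message does not mention, and lockless readers of such a cache can observe an object being zeroed and reconstructed under them, so it should be called out. The `#ifndef CONFIG_SLUB` in mm/slab.h deserves a one-line comment stating that only the SLUB allocation paths re-run constructors, so a SLAB/SLOB reader understands why the allocators diverge.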
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..d273d401d380
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From c8aba05329578e22e591e62c6bddecb70a94d12a Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 105/112] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+
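Review bot: The Kconfig and ip-sysctl text claim simultaneous connect "has no legitimate use in practice" while the next paragraph admits it breaks TCP STUNT, and the code comment at the modified `if` in `tcp_rcv_synsent_state_process` notes the same path handles connect-to-self, which disabling the knob also drops; as far as I can tell from the surrounding function the crossed SYN is then discarded like any other non-SYN, non-RST segment, so the caller sees a hang until the connect timeout rather than an error. I would replace the STUNT sentence with `Disabling this breaks TCP simultaneous open (crossed SYNs), including a socket connecting to its own address, which some NAT-traversal techniques such as TCP STUNT and some test suites rely on; such connects time out instead of failing immediately.` The sysctl is registered in the init-net-only `ipv4_table` rather than the per-netns table, so it cannot be relaxed inside a container; that is a defensible choice for a hardening knob but deserves a sentence in the documentation. The enclosing function starts and ends outside the hunk, and the `Reviewd-by` trailers are misspelled.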
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..41dab8806618
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From 30c2a0699d76414277623e6955b1213c341c0ecc Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 106/112] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 6f5011b629a3..5fce84adc315 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -491,7 +491,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.30.0
+
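Review bot: The subject says "select DEBUG_FS_ALLOW_NONE" but the change is the `default` of the "Debugfs default access" choice, not a `select`, and since the commit message is the only documentation this patch carries it should describe what users will see: debugfs stays compiled in with access denied by default, and, as the help text immediately below the changed line says, the restriction can be overridden from the kernel command line. For a hardened configuration that override is the important caveat, so I would add a sentence noting that the new default only holds where the command line itself is protected (bootloader lockdown or the lockdown LSM).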
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..78e8dd6bc770
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 030c024c5d410e2f95f3c6496275336c1c7bec7f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:35:53 +0100
+Subject: [PATCH 107/112] stop hiding SYSFS_SYSCALL behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 970066ca7388..000d1c837e61 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1450,7 +1450,7 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
++ bool "Sysfs syscall support"
+ default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..fba86b57c17c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
@@ -0,0 +1,31 @@
+From 6d3ebe6f572f01ece9fb4bc6619b079c355b388a Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:36:54 +0100
+Subject: [PATCH 108/112] disable SYSFS_SYSCALL by default
+
+---
+ init/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 000d1c837e61..9d2db9918396 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1451,13 +1451,12 @@ config SGETMASK_SYSCALL
+
+ config SYSFS_SYSCALL
+ bool "Sysfs syscall support"
+- default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config FHANDLE
+ bool "open by fhandle syscalls" if EXPERT
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
new file mode 100644
index 000000000000..c44224c93b53
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 3bd630d110817ee55c101d6327304948cde11a54 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:40:09 +0100
+Subject: [PATCH 109/112] stop hiding UID16 behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 9d2db9918396..eecd7915db04 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1419,7 +1419,7 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+ default y
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0110-disable-UID16-by-default.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0110-disable-UID16-by-default.patch
new file mode 100644
index 000000000000..5dd21e19b797
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0110-disable-UID16-by-default.patch
@@ -0,0 +1,24 @@
+From ad6d97cc824eb4c5332a07816733b20d61384fb4 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:41:32 +0100
+Subject: [PATCH 110/112] disable UID16 by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index eecd7915db04..2feea719cc25 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1421,7 +1421,6 @@ menuconfig EXPERT
+ config UID16
+ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+--
+2.30.0
+
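Review bot: With `default y` removed, UID16 is now off unless explicitly selected, but the help text still consists of the single sentence `This enables the legacy 16-bit UID syscall wrappers.` and says nothing about the compatibility risk, unlike the SYSFS_SYSCALL help in this same series, which warns that disabling is more secure but may break some systems. I would append `Disabling this is more secure but breaks old userspace (presumably old static binaries on 32-bit x86) that still uses the 16-bit uid/gid syscalls; say N only if all of your binaries use the 32-bit variants.` followed by `If unsure, say N.` so the prompt matches the new default. The commit message is empty, so at present the rationale for the hardened default is recorded nowhere.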
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..4b6e6abbe994
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From 3c3369b8c4916b8bff2b4da41cd9dee0b9029b8b Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 111/112] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.30.0
+
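Review bot: In the rewritten `ccid2_hc_tx_rto_expire()` the tx CCID is dereferenced before the owned-by-user check — `hc = ccid_priv(dp->dccps_hc_tx_ccid);` and `sender_was_blocked = ccid2_cwnd_network_limited(hc);` run ahead of `if (sock_owned_by_user(sk))`, so a timer that fires while user context holds the socket lock (e.g. `dccp_disconnect()` freeing the tx CCID under lock_sock, as patch 0112 in this series makes it do) still reads `hc`. The ccid3 callback in the same patch does it the safe way round — it bails on `sock_owned_by_user()` first and only then does `hc = ccid_priv(dp->dccps_hc_tx_ccid);` — and I would make ccid2 match by moving those two lines below the owned-by-user block; nothing in that block uses `hc`, and `sender_was_blocked` is first consumed further down. The original code had the same ordering, so this is a pre-existing window rather than a regression, but as the CVE-2020-16119 fix this patch is the natural place to close it. The DCCP_CLOSED check is an acquire load (`inet_sk_state_load()`) that only orders against a release store on the closing side, which is outside this hunk; worth confirming that `dccp_set_state()` provides one, or adding a comment saying what the check relies on.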
diff --git a/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..47513d1fbe66
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.4/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From fa0b6a5c799c77e556de2eb085f590b5d40330a0 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 112/112] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.30.0
+
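Review bot: The revert re-adds `ccid_hc_tx_delete()` and `dp->dccps_hc_tx_ccid = NULL` to `dccp_disconnect()`, which is only safe together with patch 0111 in this series: once the CCID timers live in `struct dccp_sock` and bail on DCCP_CLOSED, freeing the tx CCID here no longer leaves a live timer pointing at freed memory, which is what 2677d2067731 originally worked around. That dependency exists only in the file numbering; I would record it in the commit body, e.g. `Depends on "dccp: ccid: move timers to struct dccp_sock"; applied without it this revert reintroduces the original use-after-free.` The safety argument also assumes the socket state has already been stored as DCCP_CLOSED before these two lines run; that store is at the top of `dccp_disconnect()`, outside the hunk, and its ordering against the timer callback's acquire load should be confirmed rather than assumed.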
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..245dcc29fa56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..f0ed144fb17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
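Review bot: The patch flips `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` to 1 but leaves `sysctl_protected_fifos` and `sysctl_protected_regular` — visible as context, implicitly zero — untouched, so O_CREAT opens of FIFOs and regular files owned by others in world-writable sticky directories stay unrestricted by default on this hardened kernel. If the point of carrying this patch is secure defaults that do not depend on a userspace sysctl.d, I would set both here too, `int sysctl_protected_fifos __read_mostly = 2;` and `int sysctl_protected_regular __read_mostly = 2;`, and note in the patch header that level 2 also covers group-writable sticky directories and can break setups that share such directories on purpose. Since this is a Debian patch from 2012 that predates those two knobs, that would be an extension of the original rather than a straight backport and should be labelled as such.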
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..394ad48fc20c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1
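Review bot: With the new early `if (!hci_conn_ssp_enabled(conn)) return 1;` the function returns success for any legacy (non-SSP) link before reaching the minimum-key-size enforcement that the context line below the hunk refers to, whereas the old code only skipped the `HCI_CONN_ENCRYPT` test for such links and still applied the key-size check to them. That is the documented compatibility trade-off for Bluetooth 2.0 peripherals, but it means a peer that negotiates legacy pairing is exempt from the check this function exists for, so the comment should say so rather than only explaining the encryption part: `/* Legacy peers are therefore exempt from the minimum key size check below; this is a deliberate compatibility trade-off for pre-2.1 devices. */`. `hci_conn_check_link_mode()` begins and ends outside the hunk, so I cannot see what the remaining branches enforce for the SSP case.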
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..433568579cab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..e6ec017d46c8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
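Review bot: The new condition only takes the CMS path on LibreSSL when `LIBRESSL_VERSION_NUMBER >= 0x3010000fL` and otherwise defines `USE_PKCS7`, which per the context comment above means module signatures are limited to SHA1. On an older LibreSSL the build therefore silently produces SHA1-signed modules whatever hash was configured; I would make that visible in the fallback branch, e.g. `#warning "PKCS#7 fallback in use: module signatures limited to SHA1"`, or at least state it in the patch header. Whether 3.1.0 is exactly the LibreSSL release that exposes the CMS API the other branch needs is not something the hunk shows — a one-line justification for the constant would help the next person who bumps it. The `#ifndef USE_PKCS7` block that follows is outside the hunk.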
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..e754a3e6e459
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,169 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-09-24 03:06:47.590000000 -0400
++++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
+@@ -0,0 +1,158 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++ select USER_NS
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
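Review bot: `GENTOO_LINUX_INIT_SYSTEMD` uses `select` for `USER_NS`, `BPF_SYSCALL`, `CHECKPOINT_RESTORE` and `SECCOMP_FILTER`, and `select` forces a symbol on with no way for the hardened profile's own defaults or the user to turn it back off; unprivileged user namespaces in particular are a common hardening target, so in a hardened tree this list deserves a comment separating the hard requirements for systemd to boot from the "suggested optional settings" the help text mentions, so a user can make an informed choice. It is `default n`, so nothing is enabled unless picked, but once picked there is no fine-tuning. Some of the selected symbols (`ANON_INODES`, `DEVPTS_MULTIPLE_INSTANCES`) appear to no longer exist in this kernel series; Kconfig silently ignores a select of an undefined symbol, so they are harmless but stale and I would drop or annotate them. The `GENTOO_LINUX_PORTAGE` help list also omits `UTS_NS`, which the option selects.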
diff --git a/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
new file mode 100644
index 000000000000..665fc660b0de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
@@ -0,0 +1,2203 @@
+--- /dev/null 2021-01-08 13:33:13.190303432 -0500
++++ b/fs/shiftfs.c 2021-01-08 19:02:40.000000000 -0500
+@@ -0,0 +1,2157 @@
++#include <linux/btrfs.h>
++#include <linux/capability.h>
++#include <linux/cred.h>
++#include <linux/mount.h>
++#include <linux/fdtable.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/namei.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/magic.h>
++#include <linux/parser.h>
++#include <linux/security.h>
++#include <linux/seq_file.h>
++#include <linux/statfs.h>
++#include <linux/slab.h>
++#include <linux/user_namespace.h>
++#include <linux/uidgid.h>
++#include <linux/xattr.h>
++#include <linux/posix_acl.h>
++#include <linux/posix_acl_xattr.h>
++#include <linux/uio.h>
++#include <linux/fiemap.h>
++
++struct shiftfs_super_info {
++ struct vfsmount *mnt;
++ struct user_namespace *userns;
++ /* creds of process who created the super block */
++ const struct cred *creator_cred;
++ bool mark;
++ unsigned int passthrough;
++ unsigned int passthrough_mark;
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry);
++
++#define SHIFTFS_PASSTHROUGH_NONE 0
++#define SHIFTFS_PASSTHROUGH_STAT 1
++#define SHIFTFS_PASSTHROUGH_IOCTL 2
++#define SHIFTFS_PASSTHROUGH_ALL \
++ (SHIFTFS_PASSTHROUGH_STAT | SHIFTFS_PASSTHROUGH_IOCTL)
++
++static inline bool shiftfs_passthrough_ioctls(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_IOCTL))
++ return false;
++
++ return true;
++}
++
++static inline bool shiftfs_passthrough_statfs(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_STAT))
++ return false;
++
++ return true;
++}
++
++enum {
++ OPT_MARK,
++ OPT_PASSTHROUGH,
++ OPT_LAST,
++};
++
++/* global filesystem options */
++static const match_table_t tokens = {
++ { OPT_MARK, "mark" },
++ { OPT_PASSTHROUGH, "passthrough=%u" },
++ { OPT_LAST, NULL }
++};
++
++static const struct cred *shiftfs_override_creds(const struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ return override_creds(sbinfo->creator_cred);
++}
++
++static inline void shiftfs_revert_object_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ revert_creds(oldcred);
++ put_cred(newcred);
++}
++
++static kuid_t shift_kuid(struct user_namespace *from, struct user_namespace *to,
++ kuid_t kuid)
++{
++ uid_t uid = from_kuid(from, kuid);
++ return make_kuid(to, uid);
++}
++
++static kgid_t shift_kgid(struct user_namespace *from, struct user_namespace *to,
++ kgid_t kgid)
++{
++ gid_t gid = from_kgid(from, kgid);
++ return make_kgid(to, gid);
++}
++
++static int shiftfs_override_object_creds(const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred,
++ struct dentry *dentry, umode_t mode,
++ bool hardlink)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ if (!hardlink) {
++ int err = security_dentry_create_files_as(dentry, mode,
++ &dentry->d_name,
++ *oldcred, *newcred);
++ if (err) {
++ shiftfs_revert_object_creds(*oldcred, *newcred);
++ return err;
++ }
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static void shiftfs_copyattr(struct inode *from, struct inode *to)
++{
++ struct user_namespace *from_ns = from->i_sb->s_user_ns;
++ struct user_namespace *to_ns = to->i_sb->s_user_ns;
++
++ to->i_uid = shift_kuid(from_ns, to_ns, from->i_uid);
++ to->i_gid = shift_kgid(from_ns, to_ns, from->i_gid);
++ to->i_mode = from->i_mode;
++ to->i_atime = from->i_atime;
++ to->i_mtime = from->i_mtime;
++ to->i_ctime = from->i_ctime;
++ i_size_write(to, i_size_read(from));
++}
++
++static void shiftfs_copyflags(struct inode *from, struct inode *to)
++{
++ unsigned int mask = S_SYNC | S_IMMUTABLE | S_APPEND | S_NOATIME;
++
++ inode_set_flags(to, from->i_flags & mask, mask);
++}
++
++static void shiftfs_file_accessed(struct file *file)
++{
++ struct inode *upperi, *loweri;
++
++ if (file->f_flags & O_NOATIME)
++ return;
++
++ upperi = file_inode(file);
++ loweri = upperi->i_private;
++
++ if (!loweri)
++ return;
++
++ upperi->i_mtime = loweri->i_mtime;
++ upperi->i_ctime = loweri->i_ctime;
++
++ touch_atime(&file->f_path);
++}
++
++static int shiftfs_parse_mount_options(struct shiftfs_super_info *sbinfo,
++ char *options)
++{
++ char *p;
++ substring_t args[MAX_OPT_ARGS];
++
++ sbinfo->mark = false;
++ sbinfo->passthrough = 0;
++
++ while ((p = strsep(&options, ",")) != NULL) {
++ int err, intarg, token;
++
++ if (!*p)
++ continue;
++
++ token = match_token(p, tokens, args);
++ switch (token) {
++ case OPT_MARK:
++ sbinfo->mark = true;
++ break;
++ case OPT_PASSTHROUGH:
++ err = match_int(&args[0], &intarg);
++ if (err)
++ return err;
++
++ if (intarg & ~SHIFTFS_PASSTHROUGH_ALL)
++ return -EINVAL;
++
++ sbinfo->passthrough = intarg;
++ break;
++ default:
++ return -EINVAL;
++ }
++ }
++
++ return 0;
++}
++
++static void shiftfs_d_release(struct dentry *dentry)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (lowerd)
++ dput(lowerd);
++}
++
++static struct dentry *shiftfs_d_real(struct dentry *dentry,
++ const struct inode *inode)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (inode && d_inode(dentry) == inode)
++ return dentry;
++
++ lowerd = d_real(lowerd, inode);
++ if (lowerd && (!inode || inode == d_inode(lowerd)))
++ return lowerd;
++
++ WARN(1, "shiftfs_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
++ inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
++ return dentry;
++}
++
++static int shiftfs_d_weak_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_is_negative(lowerd) != d_is_negative(dentry))
++ return 0;
++
++ if ((lowerd->d_flags & DCACHE_OP_WEAK_REVALIDATE))
++ err = lowerd->d_op->d_weak_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static int shiftfs_d_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_unhashed(lowerd) ||
++ ((d_is_negative(lowerd) != d_is_negative(dentry))))
++ return 0;
++
++ if (flags & LOOKUP_RCU)
++ return -ECHILD;
++
++ if ((lowerd->d_flags & DCACHE_OP_REVALIDATE))
++ err = lowerd->d_op->d_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static const struct dentry_operations shiftfs_dentry_ops = {
++ .d_release = shiftfs_d_release,
++ .d_real = shiftfs_d_real,
++ .d_revalidate = shiftfs_d_revalidate,
++ .d_weak_revalidate = shiftfs_d_weak_revalidate,
++};
++
++static const char *shiftfs_get_link(struct dentry *dentry, struct inode *inode,
++ struct delayed_call *done)
++{
++ const char *p;
++ const struct cred *oldcred;
++ struct dentry *lowerd;
++
++ /* RCU lookup not supported */
++ if (!dentry)
++ return ERR_PTR(-ECHILD);
++
++ lowerd = dentry->d_fsdata;
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ p = vfs_get_link(lowerd, done);
++ revert_creds(oldcred);
++
++ return p;
++}
++
++static int shiftfs_setxattr(struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_setxattr(lowerd, name, value, size, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(lowerd->d_inode, inode);
++
++ return err;
++}
++
++static int shiftfs_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *value, size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_getxattr(lowerd, name, value, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static ssize_t shiftfs_listxattr(struct dentry *dentry, char *list,
++ size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_listxattr(lowerd, list, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_removexattr(struct dentry *dentry, const char *name)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_removexattr(lowerd, name);
++ revert_creds(oldcred);
++
++ /* update c/mtime */
++ shiftfs_copyattr(lowerd->d_inode, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value, size_t size,
++ int flags)
++{
++ if (!value)
++ return shiftfs_removexattr(dentry, name);
++ return shiftfs_setxattr(dentry, inode, name, value, size, flags);
++}
++
++static int shiftfs_inode_test(struct inode *inode, void *data)
++{
++ return inode->i_private == data;
++}
++
++static int shiftfs_inode_set(struct inode *inode, void *data)
++{
++ inode->i_private = data;
++ return 0;
++}
++
++static int shiftfs_create_object(struct inode *diri, struct dentry *dentry,
++ umode_t mode, const char *symlink,
++ struct dentry *hardlink, bool excl)
++{
++ int err;
++ const struct cred *oldcred;
++ struct cred *newcred;
++ void *loweri_iop_ptr = NULL;
++ umode_t modei = mode;
++ struct super_block *dir_sb = diri->i_sb;
++ struct dentry *lowerd_new = dentry->d_fsdata;
++ struct inode *inode = NULL, *loweri_dir = diri->i_private;
++ const struct inode_operations *loweri_dir_iop = loweri_dir->i_op;
++ struct dentry *lowerd_link = NULL;
++
++ if (hardlink) {
++ loweri_iop_ptr = loweri_dir_iop->link;
++ } else {
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ loweri_iop_ptr = loweri_dir_iop->mkdir;
++ break;
++ case S_IFREG:
++ loweri_iop_ptr = loweri_dir_iop->create;
++ break;
++ case S_IFLNK:
++ loweri_iop_ptr = loweri_dir_iop->symlink;
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ loweri_iop_ptr = loweri_dir_iop->mknod;
++ break;
++ }
++ }
++ if (!loweri_iop_ptr) {
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ inode_lock_nested(loweri_dir, I_MUTEX_PARENT);
++
++ if (!hardlink) {
++ inode = new_inode(dir_sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_iput;
++ }
++
++ /*
++ * new_inode() will have added the new inode to the super
++ * block's list of inodes. Further below we will call
++ * inode_insert5() Which would perform the same operation again
++ * thereby corrupting the list. To avoid this raise I_CREATING
++ * in i_state which will cause inode_insert5() to skip this
++ * step. I_CREATING will be cleared by d_instantiate_new()
++ * below.
++ */
++ spin_lock(&inode->i_lock);
++ inode->i_state |= I_CREATING;
++ spin_unlock(&inode->i_lock);
++
++ inode_init_owner(inode, diri, mode);
++ modei = inode->i_mode;
++ }
++
++ err = shiftfs_override_object_creds(dentry->d_sb, &oldcred, &newcred,
++ dentry, modei, hardlink != NULL);
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ lowerd_link = hardlink->d_fsdata;
++ err = vfs_link(lowerd_link, loweri_dir, lowerd_new, NULL);
++ } else {
++ switch (modei & S_IFMT) {
++ case S_IFDIR:
++ err = vfs_mkdir(loweri_dir, lowerd_new, modei);
++ break;
++ case S_IFREG:
++ err = vfs_create(loweri_dir, lowerd_new, modei, excl);
++ break;
++ case S_IFLNK:
++ err = vfs_symlink(loweri_dir, lowerd_new, symlink);
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ err = vfs_mknod(loweri_dir, lowerd_new, modei, 0);
++ break;
++ default:
++ err = -EINVAL;
++ break;
++ }
++ }
++
++ shiftfs_revert_object_creds(oldcred, newcred);
++
++ if (!err && WARN_ON(!lowerd_new->d_inode))
++ err = -EIO;
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ inode = d_inode(hardlink);
++ ihold(inode);
++
++ /* copy up times from lower inode */
++ shiftfs_copyattr(d_inode(lowerd_link), inode);
++ set_nlink(d_inode(hardlink), d_inode(lowerd_link)->i_nlink);
++ d_instantiate(dentry, inode);
++ } else {
++ struct inode *inode_tmp;
++ struct inode *loweri_new = d_inode(lowerd_new);
++
++ inode_tmp = inode_insert5(inode, (unsigned long)loweri_new,
++ shiftfs_inode_test, shiftfs_inode_set,
++ loweri_new);
++ if (unlikely(inode_tmp != inode)) {
++ pr_err_ratelimited("shiftfs: newly created inode found in cache\n");
++ iput(inode_tmp);
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ ihold(loweri_new);
++ shiftfs_fill_inode(inode, loweri_new->i_ino, loweri_new->i_mode,
++ 0, lowerd_new);
++ d_instantiate_new(dentry, inode);
++ }
++
++ shiftfs_copyattr(loweri_dir, diri);
++ if (loweri_iop_ptr == loweri_dir_iop->mkdir)
++ set_nlink(diri, loweri_dir->i_nlink);
++
++ inode = NULL;
++
++out_iput:
++ iput(inode);
++ inode_unlock(loweri_dir);
++
++ return err;
++}
++
++static int shiftfs_create(struct inode *dir, struct dentry *dentry,
++ umode_t mode, bool excl)
++{
++ mode |= S_IFREG;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, excl);
++}
++
++static int shiftfs_mkdir(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ mode |= S_IFDIR;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_link(struct dentry *hardlink, struct inode *dir,
++ struct dentry *dentry)
++{
++ return shiftfs_create_object(dir, dentry, 0, NULL, hardlink, false);
++}
++
++static int shiftfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
++ dev_t rdev)
++{
++ if (!S_ISFIFO(mode) && !S_ISSOCK(mode))
++ return -EPERM;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_symlink(struct inode *dir, struct dentry *dentry,
++ const char *symlink)
++{
++ return shiftfs_create_object(dir, dentry, S_IFLNK, symlink, NULL, false);
++}
++
++static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++ struct inode *inode = d_inode(dentry);
++ int err;
++ const struct cred *oldcred;
++
++ dget(lowerd);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ inode_lock_nested(loweri, I_MUTEX_PARENT);
++ if (rmdir)
++ err = vfs_rmdir(loweri, lowerd);
++ else
++ err = vfs_unlink(loweri, lowerd, NULL);
++ revert_creds(oldcred);
++
++ if (!err) {
++ d_drop(dentry);
++
++ if (rmdir)
++ clear_nlink(inode);
++ else
++ drop_nlink(inode);
++ }
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, dir);
++ dput(lowerd);
++
++ return err;
++}
++
++static int shiftfs_unlink(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, false);
++}
++
++static int shiftfs_rmdir(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, true);
++}
++
++static int shiftfs_rename(struct inode *olddir, struct dentry *old,
++ struct inode *newdir, struct dentry *new,
++ unsigned int flags)
++{
++ struct dentry *lowerd_dir_old = old->d_parent->d_fsdata,
++ *lowerd_dir_new = new->d_parent->d_fsdata,
++ *lowerd_old = old->d_fsdata, *lowerd_new = new->d_fsdata,
++ *trapd;
++ struct inode *loweri_dir_old = lowerd_dir_old->d_inode,
++ *loweri_dir_new = lowerd_dir_new->d_inode;
++ int err = -EINVAL;
++ const struct cred *oldcred;
++
++ trapd = lock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ if (trapd == lowerd_old || trapd == lowerd_new)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(old->d_sb);
++ err = vfs_rename(loweri_dir_old, lowerd_old, loweri_dir_new, lowerd_new,
++ NULL, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(loweri_dir_old, olddir);
++ shiftfs_copyattr(loweri_dir_new, newdir);
++
++out_unlock:
++ unlock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ return err;
++}
++
++static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry *dentry,
++ unsigned int flags)
++{
++ struct dentry *new;
++ struct inode *newi;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_parent->d_fsdata;
++ struct inode *inode = NULL, *loweri = lowerd->d_inode;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ new = lookup_one_len(dentry->d_name.name, lowerd, dentry->d_name.len);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ if (IS_ERR(new))
++ return new;
++
++ dentry->d_fsdata = new;
++
++ newi = new->d_inode;
++ if (!newi)
++ goto out;
++
++ inode = iget5_locked(dentry->d_sb, (unsigned long)newi,
++ shiftfs_inode_test, shiftfs_inode_set, newi);
++ if (!inode) {
++ dput(new);
++ return ERR_PTR(-ENOMEM);
++ }
++ if (inode->i_state & I_NEW) {
++ /*
++ * inode->i_private set by shiftfs_inode_set(), but we still
++ * need to take a reference
++ */
++ ihold(newi);
++ shiftfs_fill_inode(inode, newi->i_ino, newi->i_mode, 0, new);
++ unlock_new_inode(inode);
++ }
++
++out:
++ return d_splice_alias(inode, dentry);
++}
++
++static int shiftfs_permission(struct inode *inode, int mask)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri) {
++ WARN_ON(!(mask & MAY_NOT_BLOCK));
++ return -ECHILD;
++ }
++
++ err = generic_permission(inode, mask);
++ if (err)
++ return err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = inode_permission(loweri, mask);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_fiemap(struct inode *inode,
++ struct fiemap_extent_info *fieinfo, u64 start,
++ u64 len)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri->i_op->fiemap)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ if (fieinfo->fi_flags & FIEMAP_FLAG_SYNC)
++ filemap_write_and_wait(loweri->i_mapping);
++ err = loweri->i_op->fiemap(loweri, fieinfo, start, len);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_tmpfile(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ int err;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++
++ if (!loweri->i_op->tmpfile)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(dir->i_sb);
++ err = loweri->i_op->tmpfile(loweri, lowerd, mode);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_setattr(struct dentry *dentry, struct iattr *attr)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct iattr newattr;
++ const struct cred *oldcred;
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ int err;
++
++ err = setattr_prepare(dentry, attr);
++ if (err)
++ return err;
++
++ newattr = *attr;
++ newattr.ia_uid = shift_kuid(sb->s_user_ns, sbinfo->userns, attr->ia_uid);
++ newattr.ia_gid = shift_kgid(sb->s_user_ns, sbinfo->userns, attr->ia_gid);
++
++ /*
++ * mode change is for clearing setuid/setgid bits. Allow lower fs
++ * to interpret this in its own way.
++ */
++ if (newattr.ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
++ newattr.ia_valid &= ~ATTR_MODE;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = notify_change(lowerd, &newattr, NULL);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_getattr(const struct path *path, struct kstat *stat,
++ u32 request_mask, unsigned int query_flags)
++{
++ struct inode *inode = path->dentry->d_inode;
++ struct dentry *lowerd = path->dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct shiftfs_super_info *info = path->dentry->d_sb->s_fs_info;
++ struct path newpath = { .mnt = info->mnt, .dentry = lowerd };
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ const struct cred *oldcred;
++ int err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = vfs_getattr(&newpath, stat, request_mask, query_flags);
++ revert_creds(oldcred);
++
++ if (err)
++ return err;
++
++ /* transform the underlying id */
++ stat->uid = shift_kuid(from_ns, to_ns, stat->uid);
++ stat->gid = shift_kgid(from_ns, to_ns, stat->gid);
++ return 0;
++}
++
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++
++static int
++shift_acl_ids(struct user_namespace *from, struct user_namespace *to,
++ struct posix_acl *acl)
++{
++ int i;
++
++ for (i = 0; i < acl->a_count; i++) {
++ struct posix_acl_entry *e = &acl->a_entries[i];
++ switch(e->e_tag) {
++ case ACL_USER:
++ e->e_uid = shift_kuid(from, to, e->e_uid);
++ if (!uid_valid(e->e_uid))
++ return -EOVERFLOW;
++ break;
++ case ACL_GROUP:
++ e->e_gid = shift_kgid(from, to, e->e_gid);
++ if (!gid_valid(e->e_gid))
++ return -EOVERFLOW;
++ break;
++ }
++ }
++ return 0;
++}
++
++static void
++shift_acl_xattr_ids(struct user_namespace *from, struct user_namespace *to,
++ void *value, size_t size)
++{
++ struct posix_acl_xattr_header *header = value;
++ struct posix_acl_xattr_entry *entry = (void *)(header + 1), *end;
++ int count;
++ kuid_t kuid;
++ kgid_t kgid;
++
++ if (!value)
++ return;
++ if (size < sizeof(struct posix_acl_xattr_header))
++ return;
++ if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
++ return;
++
++ count = posix_acl_xattr_count(size);
++ if (count < 0)
++ return;
++ if (count == 0)
++ return;
++
++ for (end = entry + count; entry != end; entry++) {
++ switch(le16_to_cpu(entry->e_tag)) {
++ case ACL_USER:
++ kuid = make_kuid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kuid = shift_kuid(from, to, kuid);
++ entry->e_id = cpu_to_le32(from_kuid(&init_user_ns, kuid));
++ break;
++ case ACL_GROUP:
++ kgid = make_kgid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kgid = shift_kgid(from, to, kgid);
++ entry->e_id = cpu_to_le32(from_kgid(&init_user_ns, kgid));
++ break;
++ default:
++ break;
++ }
++ }
++}
++
++static struct posix_acl *shiftfs_get_acl(struct inode *inode, int type)
++{
++ struct inode *loweri = inode->i_private;
++ const struct cred *oldcred;
++ struct posix_acl *lower_acl, *acl = NULL;
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ int size;
++ int err;
++
++ if (!IS_POSIXACL(loweri))
++ return NULL;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ lower_acl = get_acl(loweri, type);
++ revert_creds(oldcred);
++
++ if (lower_acl && !IS_ERR(lower_acl)) {
++ /* XXX: export posix_acl_clone? */
++ size = sizeof(struct posix_acl) +
++ lower_acl->a_count * sizeof(struct posix_acl_entry);
++ acl = kmemdup(lower_acl, size, GFP_KERNEL);
++ posix_acl_release(lower_acl);
++
++ if (!acl)
++ return ERR_PTR(-ENOMEM);
++
++ refcount_set(&acl->a_refcount, 1);
++
++ err = shift_acl_ids(from_ns, to_ns, acl);
++ if (err) {
++ kfree(acl);
++ return ERR_PTR(err);
++ }
++ }
++
++ return acl;
++}
++
++static int
++shiftfs_posix_acl_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *buffer, size_t size)
++{
++ struct inode *loweri = inode->i_private;
++ int ret;
++
++ ret = shiftfs_xattr_get(NULL, dentry, inode, handler->name,
++ buffer, size);
++ if (ret < 0)
++ return ret;
++
++ inode_lock(loweri);
++ shift_acl_xattr_ids(loweri->i_sb->s_user_ns, inode->i_sb->s_user_ns,
++ buffer, size);
++ inode_unlock(loweri);
++ return ret;
++}
++
++static int
++shiftfs_posix_acl_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct inode *loweri = inode->i_private;
++ int err;
++
++ if (!IS_POSIXACL(loweri) || !loweri->i_op->set_acl)
++ return -EOPNOTSUPP;
++ if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
++ return value ? -EACCES : 0;
++ if (!inode_owner_or_capable(inode))
++ return -EPERM;
++
++ if (value) {
++ shift_acl_xattr_ids(inode->i_sb->s_user_ns,
++ loweri->i_sb->s_user_ns,
++ (void *)value, size);
++ err = shiftfs_setxattr(dentry, inode, handler->name, value,
++ size, flags);
++ } else {
++ err = shiftfs_removexattr(dentry, handler->name);
++ }
++
++ if (!err)
++ shiftfs_copyattr(loweri, inode);
++
++ return err;
++}
++
++static const struct xattr_handler
++shiftfs_posix_acl_access_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_ACCESS,
++ .flags = ACL_TYPE_ACCESS,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++static const struct xattr_handler
++shiftfs_posix_acl_default_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_DEFAULT,
++ .flags = ACL_TYPE_DEFAULT,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++#else /* !CONFIG_SHIFT_FS_POSIX_ACL */
++
++#define shiftfs_get_acl NULL
++
++#endif /* CONFIG_SHIFT_FS_POSIX_ACL */
++
++static const struct inode_operations shiftfs_dir_inode_operations = {
++ .lookup = shiftfs_lookup,
++ .mkdir = shiftfs_mkdir,
++ .symlink = shiftfs_symlink,
++ .unlink = shiftfs_unlink,
++ .rmdir = shiftfs_rmdir,
++ .rename = shiftfs_rename,
++ .link = shiftfs_link,
++ .setattr = shiftfs_setattr,
++ .create = shiftfs_create,
++ .mknod = shiftfs_mknod,
++ .permission = shiftfs_permission,
++ .getattr = shiftfs_getattr,
++ .listxattr = shiftfs_listxattr,
++ .get_acl = shiftfs_get_acl,
++};
++
++static const struct inode_operations shiftfs_file_inode_operations = {
++ .fiemap = shiftfs_fiemap,
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++ .tmpfile = shiftfs_tmpfile,
++};
++
++static const struct inode_operations shiftfs_special_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++};
++
++static const struct inode_operations shiftfs_symlink_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_link = shiftfs_get_link,
++ .listxattr = shiftfs_listxattr,
++ .setattr = shiftfs_setattr,
++};
++
++static struct file *shiftfs_open_realfile(const struct file *file,
++ struct inode *realinode)
++{
++ struct file *realfile;
++ const struct cred *old_cred;
++ struct inode *inode = file_inode(file);
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ old_cred = shiftfs_override_creds(inode->i_sb);
++ realfile = open_with_fake_path(&realpath, file->f_flags, realinode,
++ info->creator_cred);
++ revert_creds(old_cred);
++
++ return realfile;
++}
++
++#define SHIFTFS_SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT)
++
++static int shiftfs_change_flags(struct file *file, unsigned int flags)
++{
++ struct inode *inode = file_inode(file);
++ int err;
++
++ /* if some flag changed that cannot be changed then something's amiss */
++ if (WARN_ON((file->f_flags ^ flags) & ~SHIFTFS_SETFL_MASK))
++ return -EIO;
++
++ flags &= SHIFTFS_SETFL_MASK;
++
++ if (((flags ^ file->f_flags) & O_APPEND) && IS_APPEND(inode))
++ return -EPERM;
++
++ if (flags & O_DIRECT) {
++ if (!file->f_mapping->a_ops ||
++ !file->f_mapping->a_ops->direct_IO)
++ return -EINVAL;
++ }
++
++ if (file->f_op->check_flags) {
++ err = file->f_op->check_flags(flags);
++ if (err)
++ return err;
++ }
++
++ spin_lock(&file->f_lock);
++ file->f_flags = (file->f_flags & ~SHIFTFS_SETFL_MASK) | flags;
++ spin_unlock(&file->f_lock);
++
++ return 0;
++}
++
++static int shiftfs_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++
++ realfile = shiftfs_open_realfile(file, inode->i_private);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO. */
++ file->f_mapping = realfile->f_mapping;
++
++ return 0;
++}
++
++static int shiftfs_dir_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++ const struct cred *oldcred;
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ realfile = dentry_open(&realpath, file->f_flags | O_NOATIME,
++ info->creator_cred);
++ revert_creds(oldcred);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++
++ return 0;
++}
++
++static int shiftfs_release(struct inode *inode, struct file *file)
++{
++ struct file *realfile = file->private_data;
++
++ if (realfile)
++ fput(realfile);
++
++ return 0;
++}
++
++static int shiftfs_dir_release(struct inode *inode, struct file *file)
++{
++ return shiftfs_release(inode, file);
++}
++
++static loff_t shiftfs_dir_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct file *realfile = file->private_data;
++
++ return vfs_llseek(realfile, offset, whence);
++}
++
++static loff_t shiftfs_file_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct inode *realinode = file_inode(file)->i_private;
++
++ return generic_file_llseek_size(file, offset, whence,
++ realinode->i_sb->s_maxbytes,
++ i_size_read(realinode));
++}
++
++/* XXX: Need to figure out what to to about atime updates, maybe other
++ * timestamps too ... ref. ovl_file_accessed() */
++
++static rwf_t shiftfs_iocb_to_rwf(struct kiocb *iocb)
++{
++ int ifl = iocb->ki_flags;
++ rwf_t flags = 0;
++
++ if (ifl & IOCB_NOWAIT)
++ flags |= RWF_NOWAIT;
++ if (ifl & IOCB_HIPRI)
++ flags |= RWF_HIPRI;
++ if (ifl & IOCB_DSYNC)
++ flags |= RWF_DSYNC;
++ if (ifl & IOCB_SYNC)
++ flags |= RWF_SYNC;
++
++ return flags;
++}
++
++static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
++{
++ struct file *realfile;
++
++ if (file->f_op->open != shiftfs_open &&
++ file->f_op->open != shiftfs_dir_open)
++ return -EINVAL;
++
++ realfile = file->private_data;
++ lowerfd->flags = 0;
++ lowerfd->file = realfile;
++
++ /* Did the flags change since open? */
++ if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
++ return shiftfs_change_flags(lowerfd->file, file->f_flags);
++
++ return 0;
++}
++
++static ssize_t shiftfs_read_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_iter_read(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static ssize_t shiftfs_write_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct inode *inode = file_inode(file);
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ inode_lock(inode);
++ /* Update mode */
++ shiftfs_copyattr(inode->i_private, inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ file_start_write(lowerfd.file);
++ ret = vfs_iter_write(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ file_end_write(lowerfd.file);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(inode->i_private, inode);
++
++ fdput(lowerfd);
++
++out_unlock:
++ inode_unlock(inode);
++ return ret;
++}
++
++static int shiftfs_fsync(struct file *file, loff_t start, loff_t end,
++ int datasync)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fsync_range(lowerfd.file, start, end, datasync);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *realfile = file->private_data;
++ const struct cred *oldcred;
++ int ret;
++
++ if (!realfile->f_op->mmap)
++ return -ENODEV;
++
++ if (WARN_ON(file != vma->vm_file))
++ return -EIO;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ vma->vm_file = get_file(realfile);
++ ret = call_mmap(vma->vm_file, vma);
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ if (ret) {
++ /*
++ * Drop refcount from new vm_file value and restore original
++ * vm_file value
++ */
++ vma->vm_file = file;
++ fput(realfile);
++ } else {
++ /* Drop refcount from previous vm_file value */
++ fput(file);
++ }
++
++ return ret;
++}
++
++static long shiftfs_fallocate(struct file *file, int mode, loff_t offset,
++ loff_t len)
++{
++ struct inode *inode = file_inode(file);
++ struct inode *loweri = inode->i_private;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fallocate(lowerfd.file, mode, offset, len);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_fadvise(struct file *file, loff_t offset, loff_t len,
++ int advice)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fadvise(lowerfd.file, offset, len, advice);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_override_ioctl_creds(int cmd, const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ /* clear all caps to prevent bypassing capable() checks */
++ cap_clear((*newcred)->cap_bset);
++ cap_clear((*newcred)->cap_effective);
++ cap_clear((*newcred)->cap_inheritable);
++ cap_clear((*newcred)->cap_permitted);
++
++ if (cmd == BTRFS_IOC_SNAP_DESTROY) {
++ kuid_t kuid_root = make_kuid(sb->s_user_ns, 0);
++ /*
++ * Allow the root user in the container to remove subvolumes
++ * from other users.
++ */
++ if (uid_valid(kuid_root) && uid_eq(fsuid, kuid_root))
++ cap_raise((*newcred)->cap_effective, CAP_DAC_OVERRIDE);
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static inline void shiftfs_revert_ioctl_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ return shiftfs_revert_object_creds(oldcred, newcred);
++}
++
++static inline bool is_btrfs_snap_ioctl(int cmd)
++{
++ if ((cmd == BTRFS_IOC_SNAP_CREATE) || (cmd == BTRFS_IOC_SNAP_CREATE_V2))
++ return true;
++
++ return false;
++}
++
++static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
++ struct btrfs_ioctl_vol_args *v1,
++ struct btrfs_ioctl_vol_args_v2 *v2)
++{
++ int ret;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE)
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ else
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++
++ __close_fd(current->files, fd);
++ kfree(v1);
++ kfree(v2);
++
++ return ret;
++}
++
++static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
++ struct btrfs_ioctl_vol_args **b1,
++ struct btrfs_ioctl_vol_args_v2 **b2,
++ int *newfd)
++{
++ int oldfd, ret;
++ struct fd src;
++ struct fd lfd = {};
++ struct btrfs_ioctl_vol_args *v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *v2 = NULL;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1 = memdup_user(arg, sizeof(*v1));
++ if (IS_ERR(v1))
++ return PTR_ERR(v1);
++ oldfd = v1->fd;
++ *b1 = v1;
++ } else {
++ v2 = memdup_user(arg, sizeof(*v2));
++ if (IS_ERR(v2))
++ return PTR_ERR(v2);
++ oldfd = v2->fd;
++ *b2 = v2;
++ }
++
++ src = fdget(oldfd);
++ if (!src.file)
++ return -EINVAL;
++
++ ret = shiftfs_real_fdget(src.file, &lfd);
++ if (ret) {
++ fdput(src);
++ return ret;
++ }
++
++ /*
++ * shiftfs_real_fdget() does not take a reference to lfd.file, so
++ * take a reference here to offset the one which will be put by
++ * __close_fd(), and make sure that reference is put on fdput(lfd).
++ */
++ get_file(lfd.file);
++ lfd.flags |= FDPUT_FPUT;
++ fdput(src);
++
++ *newfd = get_unused_fd_flags(lfd.file->f_flags);
++ if (*newfd < 0) {
++ fdput(lfd);
++ return *newfd;
++ }
++
++ fd_install(*newfd, lfd.file);
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1->fd = *newfd;
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ v1->fd = oldfd;
++ } else {
++ v2->fd = *newfd;
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++ v2->fd = oldfd;
++ }
++
++ if (ret)
++ shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
++
++ return ret;
++}
++
++static long shiftfs_real_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct fd lowerfd;
++ struct cred *newcred;
++ const struct cred *oldcred;
++ int newfd = -EBADF;
++ long err = 0, ret = 0;
++ void __user *argp = (void __user *)arg;
++ struct super_block *sb = file->f_path.dentry->d_sb;
++ struct btrfs_ioctl_vol_args *btrfs_v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *btrfs_v2 = NULL;
++
++ ret = shiftfs_btrfs_ioctl_fd_replace(cmd, argp, &btrfs_v1, &btrfs_v2,
++ &newfd);
++ if (ret < 0)
++ return ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_restore;
++
++ ret = shiftfs_override_ioctl_creds(cmd, sb, &oldcred, &newcred);
++ if (ret)
++ goto out_fdput;
++
++ ret = vfs_ioctl(lowerfd.file, cmd, arg);
++
++ shiftfs_revert_ioctl_creds(oldcred, newcred);
++
++ shiftfs_copyattr(file_inode(lowerfd.file), file_inode(file));
++ shiftfs_copyflags(file_inode(lowerfd.file), file_inode(file));
++
++out_fdput:
++ fdput(lowerfd);
++
++out_restore:
++ err = shiftfs_btrfs_ioctl_fd_restore(cmd, newfd, argp,
++ btrfs_v1, btrfs_v2);
++ if (!ret)
++ ret = err;
++
++ return ret;
++}
++
++static bool in_ioctl_whitelist(int flag, unsigned long arg)
++{
++ void __user *argp = (void __user *)arg;
++ u64 flags = 0;
++
++ switch (flag) {
++ case BTRFS_IOC_FS_INFO:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_GETFLAGS:
++ return true;
++ case BTRFS_IOC_SUBVOL_SETFLAGS:
++ if (copy_from_user(&flags, argp, sizeof(flags)))
++ return false;
++
++ if (flags & ~BTRFS_SUBVOL_RDONLY)
++ return false;
++
++ return true;
++ case BTRFS_IOC_SNAP_DESTROY:
++ return true;
++ }
++
++ return false;
++}
++
++static long shiftfs_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC_GETVERSION:
++ /* fall through */
++ case FS_IOC_GETFLAGS:
++ /* fall through */
++ case FS_IOC_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOTTY;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++static long shiftfs_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC32_GETVERSION:
++ /* fall through */
++ case FS_IOC32_GETFLAGS:
++ /* fall through */
++ case FS_IOC32_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOIOCTLCMD;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++enum shiftfs_copyop {
++ SHIFTFS_COPY,
++ SHIFTFS_CLONE,
++ SHIFTFS_DEDUPE,
++};
++
++static ssize_t shiftfs_copyfile(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out, u64 len,
++ unsigned int flags, enum shiftfs_copyop op)
++{
++ ssize_t ret;
++ struct fd real_in, real_out;
++ const struct cred *oldcred;
++ struct inode *inode_out = file_inode(file_out);
++ struct inode *loweri = inode_out->i_private;
++
++ ret = shiftfs_real_fdget(file_out, &real_out);
++ if (ret)
++ return ret;
++
++ ret = shiftfs_real_fdget(file_in, &real_in);
++ if (ret) {
++ fdput(real_out);
++ return ret;
++ }
++
++ oldcred = shiftfs_override_creds(inode_out->i_sb);
++ switch (op) {
++ case SHIFTFS_COPY:
++ ret = vfs_copy_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_CLONE:
++ ret = vfs_clone_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_DEDUPE:
++ ret = vfs_dedupe_file_range_one(real_in.file, pos_in,
++ real_out.file, pos_out, len,
++ flags);
++ break;
++ }
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode_out);
++
++ fdput(real_in);
++ fdput(real_out);
++
++ return ret;
++}
++
++static ssize_t shiftfs_copy_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ size_t len, unsigned int flags)
++{
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len, flags,
++ SHIFTFS_COPY);
++}
++
++static loff_t shiftfs_remap_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ loff_t len, unsigned int remap_flags)
++{
++ enum shiftfs_copyop op;
++
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
++ return -EINVAL;
++
++ if (remap_flags & REMAP_FILE_DEDUP)
++ op = SHIFTFS_DEDUPE;
++ else
++ op = SHIFTFS_CLONE;
++
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len,
++ remap_flags, op);
++}
++
++static int shiftfs_iterate_shared(struct file *file, struct dir_context *ctx)
++{
++ const struct cred *oldcred;
++ int err = -ENOTDIR;
++ struct file *realfile = file->private_data;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ err = iterate_dir(realfile, ctx);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++const struct file_operations shiftfs_file_operations = {
++ .open = shiftfs_open,
++ .release = shiftfs_release,
++ .llseek = shiftfs_file_llseek,
++ .read_iter = shiftfs_read_iter,
++ .write_iter = shiftfs_write_iter,
++ .fsync = shiftfs_fsync,
++ .mmap = shiftfs_mmap,
++ .fallocate = shiftfs_fallocate,
++ .fadvise = shiftfs_fadvise,
++ .unlocked_ioctl = shiftfs_ioctl,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .copy_file_range = shiftfs_copy_file_range,
++ .remap_file_range = shiftfs_remap_file_range,
++};
++
++const struct file_operations shiftfs_dir_operations = {
++ .open = shiftfs_dir_open,
++ .release = shiftfs_dir_release,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .fsync = shiftfs_fsync,
++ .iterate_shared = shiftfs_iterate_shared,
++ .llseek = shiftfs_dir_llseek,
++ .read = generic_read_dir,
++ .unlocked_ioctl = shiftfs_ioctl,
++};
++
++static const struct address_space_operations shiftfs_aops = {
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
++ .direct_IO = noop_direct_IO,
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry)
++{
++ struct inode *loweri;
++
++ inode->i_ino = ino;
++ inode->i_flags |= S_NOCMTIME;
++
++ mode &= S_IFMT;
++ inode->i_mode = mode;
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ inode->i_op = &shiftfs_dir_inode_operations;
++ inode->i_fop = &shiftfs_dir_operations;
++ break;
++ case S_IFLNK:
++ inode->i_op = &shiftfs_symlink_inode_operations;
++ break;
++ case S_IFREG:
++ inode->i_op = &shiftfs_file_inode_operations;
++ inode->i_fop = &shiftfs_file_operations;
++ inode->i_mapping->a_ops = &shiftfs_aops;
++ break;
++ default:
++ inode->i_op = &shiftfs_special_inode_operations;
++ init_special_inode(inode, mode, dev);
++ break;
++ }
++
++ if (!dentry)
++ return;
++
++ loweri = dentry->d_inode;
++ if (!loweri->i_op->get_link)
++ inode->i_opflags |= IOP_NOFOLLOW;
++
++ shiftfs_copyattr(loweri, inode);
++ shiftfs_copyflags(loweri, inode);
++ set_nlink(inode, loweri->i_nlink);
++}
++
++static int shiftfs_show_options(struct seq_file *m, struct dentry *dentry)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo->mark)
++ seq_show_option(m, "mark", NULL);
++
++ if (sbinfo->passthrough)
++ seq_printf(m, ",passthrough=%u", sbinfo->passthrough);
++
++ return 0;
++}
++
++static int shiftfs_statfs(struct dentry *dentry, struct kstatfs *buf)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ struct dentry *root = sb->s_root;
++ struct dentry *realroot = root->d_fsdata;
++ struct path realpath = { .mnt = sbinfo->mnt, .dentry = realroot };
++ int err;
++
++ err = vfs_statfs(&realpath, buf);
++ if (err)
++ return err;
++
++ if (!shiftfs_passthrough_statfs(sbinfo))
++ buf->f_type = sb->s_magic;
++
++ return 0;
++}
++
++static void shiftfs_evict_inode(struct inode *inode)
++{
++ struct inode *loweri = inode->i_private;
++
++ clear_inode(inode);
++
++ if (loweri)
++ iput(loweri);
++}
++
++static void shiftfs_put_super(struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo) {
++ mntput(sbinfo->mnt);
++ put_cred(sbinfo->creator_cred);
++ kfree(sbinfo);
++ }
++}
++
++static const struct xattr_handler shiftfs_xattr_handler = {
++ .prefix = "",
++ .get = shiftfs_xattr_get,
++ .set = shiftfs_xattr_set,
++};
++
++const struct xattr_handler *shiftfs_xattr_handlers[] = {
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++ &shiftfs_posix_acl_access_xattr_handler,
++ &shiftfs_posix_acl_default_xattr_handler,
++#endif
++ &shiftfs_xattr_handler,
++ NULL
++};
++
++static inline bool passthrough_is_subset(int old_flags, int new_flags)
++{
++ if ((new_flags & old_flags) != new_flags)
++ return false;
++
++ return true;
++}
++
++static int shiftfs_super_check_flags(unsigned long old_flags,
++ unsigned long new_flags)
++{
++ if ((old_flags & SB_RDONLY) && !(new_flags & SB_RDONLY))
++ return -EPERM;
++
++ if ((old_flags & SB_NOSUID) && !(new_flags & SB_NOSUID))
++ return -EPERM;
++
++ if ((old_flags & SB_NODEV) && !(new_flags & SB_NODEV))
++ return -EPERM;
++
++ if ((old_flags & SB_NOEXEC) && !(new_flags & SB_NOEXEC))
++ return -EPERM;
++
++ if ((old_flags & SB_NOATIME) && !(new_flags & SB_NOATIME))
++ return -EPERM;
++
++ if ((old_flags & SB_NODIRATIME) && !(new_flags & SB_NODIRATIME))
++ return -EPERM;
++
++ if (!(old_flags & SB_POSIXACL) && (new_flags & SB_POSIXACL))
++ return -EPERM;
++
++ return 0;
++}
++
++static int shiftfs_remount(struct super_block *sb, int *flags, char *data)
++{
++ int err;
++ struct shiftfs_super_info new = {};
++ struct shiftfs_super_info *info = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(&new, data);
++ if (err)
++ return err;
++
++ err = shiftfs_super_check_flags(sb->s_flags, *flags);
++ if (err)
++ return err;
++
++ /* Mark mount option cannot be changed. */
++ if (info->mark || (info->mark != new.mark))
++ return -EPERM;
++
++ if (info->passthrough != new.passthrough) {
++ /* Don't allow exceeding passthrough options of mark mount. */
++ if (!passthrough_is_subset(info->passthrough_mark,
++ info->passthrough))
++ return -EPERM;
++
++ info->passthrough = new.passthrough;
++ }
++
++ return 0;
++}
++
++static const struct super_operations shiftfs_super_ops = {
++ .put_super = shiftfs_put_super,
++ .show_options = shiftfs_show_options,
++ .statfs = shiftfs_statfs,
++ .remount_fs = shiftfs_remount,
++ .evict_inode = shiftfs_evict_inode,
++};
++
++struct shiftfs_data {
++ void *data;
++ const char *path;
++};
++
++static void shiftfs_super_force_flags(struct super_block *sb,
++ unsigned long lower_flags)
++{
++ sb->s_flags |= lower_flags & (SB_RDONLY | SB_NOSUID | SB_NODEV |
++ SB_NOEXEC | SB_NOATIME | SB_NODIRATIME);
++
++ if (!(lower_flags & SB_POSIXACL))
++ sb->s_flags &= ~SB_POSIXACL;
++}
++
++static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
++ int silent)
++{
++ int err;
++ struct path path = {};
++ struct shiftfs_super_info *sbinfo_mp;
++ char *name = NULL;
++ struct inode *inode = NULL;
++ struct dentry *dentry = NULL;
++ struct shiftfs_data *data = raw_data;
++ struct shiftfs_super_info *sbinfo = NULL;
++
++ if (!data->path)
++ return -EINVAL;
++
++ sb->s_fs_info = kzalloc(sizeof(*sbinfo), GFP_KERNEL);
++ if (!sb->s_fs_info)
++ return -ENOMEM;
++ sbinfo = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(sbinfo, data->data);
++ if (err)
++ return err;
++
++ /* to mount a mark, must be userns admin */
++ if (!sbinfo->mark && !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
++ return -EPERM;
++
++ name = kstrdup(data->path, GFP_KERNEL);
++ if (!name)
++ return -ENOMEM;
++
++ err = kern_path(name, LOOKUP_FOLLOW, &path);
++ if (err)
++ goto out_free_name;
++
++ if (!S_ISDIR(path.dentry->d_inode->i_mode)) {
++ err = -ENOTDIR;
++ goto out_put_path;
++ }
++
++ sb->s_flags |= SB_POSIXACL;
++
++ if (sbinfo->mark) {
++ struct cred *cred_tmp;
++ struct super_block *lower_sb = path.mnt->mnt_sb;
++
++ /* to mark a mount point, must root wrt lower s_user_ns */
++ if (!ns_capable(lower_sb->s_user_ns, CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ /*
++ * this part is visible unshifted, so make sure no
++ * executables that could be used to give suid
++ * privileges
++ */
++ sb->s_iflags = SB_I_NOEXEC;
++
++ shiftfs_super_force_flags(sb, lower_sb->s_flags);
++
++ /*
++ * Handle nesting of shiftfs mounts by referring this mark
++ * mount back to the original mark mount. This is more
++ * efficient and alleviates concerns about stack depth.
++ */
++ if (lower_sb->s_magic == SHIFTFS_MAGIC) {
++ sbinfo_mp = lower_sb->s_fs_info;
++
++ /* Doesn't make sense to mark a mark mount */
++ if (sbinfo_mp->mark) {
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up the passthrough mount options from the
++ * parent mark mountpoint.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough_mark;
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ } else {
++ sbinfo->mnt = mntget(path.mnt);
++ dentry = dget(path.dentry);
++ /*
++ * For a new mark passthrough_mark and passthrough
++ * are identical.
++ */
++ sbinfo->passthrough_mark = sbinfo->passthrough;
++
++ cred_tmp = prepare_creds();
++ if (!cred_tmp) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ /* Don't override disk quota limits or use reserved space. */
++ cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
++ sbinfo->creator_cred = cred_tmp;
++ }
++ } else {
++ /*
++ * This leg executes if we're admin capable in the namespace,
++ * so be very careful.
++ */
++ err = -EPERM;
++ if (path.dentry->d_sb->s_magic != SHIFTFS_MAGIC)
++ goto out_put_path;
++
++ sbinfo_mp = path.dentry->d_sb->s_fs_info;
++ if (!sbinfo_mp->mark)
++ goto out_put_path;
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough))
++ goto out_put_path;
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up passthrough settings from mark mountpoint so we can
++ * verify when the overlay wants to remount with different
++ * passthrough settings.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough;
++ shiftfs_super_force_flags(sb, path.mnt->mnt_sb->s_flags);
++ }
++
++ sb->s_stack_depth = dentry->d_sb->s_stack_depth + 1;
++ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++ printk(KERN_ERR "shiftfs: maximum stacking depth exceeded\n");
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ inode = new_inode(sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ shiftfs_fill_inode(inode, dentry->d_inode->i_ino, S_IFDIR, 0, dentry);
++
++ ihold(dentry->d_inode);
++ inode->i_private = dentry->d_inode;
++
++ sb->s_magic = SHIFTFS_MAGIC;
++ sb->s_maxbytes = MAX_LFS_FILESIZE;
++ sb->s_op = &shiftfs_super_ops;
++ sb->s_xattr = shiftfs_xattr_handlers;
++ sb->s_d_op = &shiftfs_dentry_ops;
++ sb->s_root = d_make_root(inode);
++ if (!sb->s_root) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++
++ sb->s_root->d_fsdata = dentry;
++ sbinfo->userns = get_user_ns(dentry->d_sb->s_user_ns);
++ shiftfs_copyattr(dentry->d_inode, sb->s_root->d_inode);
++
++ dentry = NULL;
++ err = 0;
++
++out_put_path:
++ path_put(&path);
++
++out_free_name:
++ kfree(name);
++
++ dput(dentry);
++
++ return err;
++}
++
++static struct dentry *shiftfs_mount(struct file_system_type *fs_type,
++ int flags, const char *dev_name, void *data)
++{
++ struct shiftfs_data d = { data, dev_name };
++
++ return mount_nodev(fs_type, flags, &d, shiftfs_fill_super);
++}
++
++static struct file_system_type shiftfs_type = {
++ .owner = THIS_MODULE,
++ .name = "shiftfs",
++ .mount = shiftfs_mount,
++ .kill_sb = kill_anon_super,
++ .fs_flags = FS_USERNS_MOUNT,
++};
++
++static int __init shiftfs_init(void)
++{
++ return register_filesystem(&shiftfs_type);
++}
++
++static void __exit shiftfs_exit(void)
++{
++ unregister_filesystem(&shiftfs_type);
++}
++
++MODULE_ALIAS_FS("shiftfs");
++MODULE_AUTHOR("James Bottomley");
++MODULE_AUTHOR("Seth Forshee <seth.forshee@canonical.com>");
++MODULE_AUTHOR("Christian Brauner <christian.brauner@ubuntu.com>");
++MODULE_DESCRIPTION("id shifting filesystem");
++MODULE_LICENSE("GPL v2");
++module_init(shiftfs_init)
++module_exit(shiftfs_exit)
+--- a/include/uapi/linux/magic.h 2021-01-06 19:08:45.234777659 -0500
++++ b/include/uapi/linux/magic.h 2021-01-06 19:09:53.900375394 -0500
+@@ -96,4 +96,6 @@
+ #define DEVMEM_MAGIC 0x454d444d /* "DMEM" */
+ #define Z3FOLD_MAGIC 0x33
+
++#define SHIFTFS_MAGIC 0x6a656a62
++
+ #endif /* __LINUX_MAGIC_H__ */
+--- a/fs/Makefile 2021-01-08 18:08:28.187064015 -0500
++++ b/fs/Makefile 2021-01-08 18:09:00.788217579 -0500
+@@ -136,3 +136,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/
+ obj-$(CONFIG_EROFS_FS) += erofs/
+ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
+ obj-$(CONFIG_ZONEFS_FS) += zonefs/
++obj-$(CONFIG_SHIFT_FS) += shiftfs.o
+--- a/fs/Kconfig 2021-01-06 19:14:17.709697891 -0500
++++ b/fs/Kconfig 2021-01-06 19:15:23.413281282 -0500
+@@ -122,6 +122,24 @@ source "fs/autofs/Kconfig"
+ source "fs/fuse/Kconfig"
+ source "fs/overlayfs/Kconfig"
+
++config SHIFT_FS
++ tristate "UID/GID shifting overlay filesystem for containers"
++ help
++ This filesystem can overlay any mounted filesystem and shift
++ the uid/gid the files appear at. The idea is that
++ unprivileged containers can use this to mount root volumes
++ using this technique.
++
++config SHIFT_FS_POSIX_ACL
++ bool "shiftfs POSIX Access Control Lists"
++ depends on SHIFT_FS
++ select FS_POSIX_ACL
++ help
++ POSIX Access Control Lists (ACLs) support permissions for users and
++ groups beyond the owner/group/world scheme.
++
++ If you don't know what Access Control Lists are, say N.
++
+ menu "Caches"
+
+ source "fs/fscache/Kconfig"
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..c70349e46fd5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From 6efb255b9b903003442911d84eac6d6695f2f023 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/113] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 390165ffbb0f..3b24c9e3535e 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.30.0
+
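Review bot: The raised DEFAULT_MMAP_MIN_ADDR (65536, or 32768 on ARM and ARM64-compat) is only the boot-time default of the vm.mmap_min_addr tunable, and the help text the hunk leaves untouched continues past the hunk without saying what changes for users. Programs that legitimately map the lowest 64 KiB (vm86-style emulators are the usual case) will now fail at mmap unless they hold CAP_SYS_RAWIO or the sysctl is lowered, so the overlay should surface this where a kernel user looks, e.g. a line in 0000_README or the ebuild's post-install messages. The chosen values do match what LSM_MMAP_MIN_ADDR already defaults to, so the DAC and LSM floors are now consistent, which is the stated intent.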
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..93fa96283fce
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From 95126d7f6fd3658f367db638065ce9a508ca0465 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/113] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..e88f89765ec3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From 8c3bc1cb3f6d6da67ed3d440508476c587279f05 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/113] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.30.0
+
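Review bot: Dropping `default y` on HARDENED_USERCOPY_FALLBACK means a copy_to_user/copy_from_user that lands in a slab object without a matching usercopy whitelist is rejected through usercopy_abort() (a BUG) instead of the WARN-and-fallback the help text describes, yet this patch has neither a description nor a Signed-off-by, unlike 0001, 0002 and 0004 in the same set. Sibling patch 0014 also makes PANIC_ON_OOPS default to y, so a driver with an incomplete whitelist now takes the host down rather than logging, and that interaction is exactly what the patch preamble should state. A one-line body such as `Fail closed on missing usercopy whitelists; together with PANIC_ON_OOPS this is fatal rather than a logged WARN.` would cover it. The help text continues outside the hunk.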
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..581bccf8edf2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From e257a73cbc9f313a0964aab7278f9bf6c0f01e5c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/113] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..2e3ec134cfbc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From a82bef25fd7f9cc6639db34befcf508fcccaad4a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/113] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 14c9a6af1b23..2501f75bd74d 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..58112f2b4f69
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From 7e1fc00d8e9e9b46df55546748145e06905cbee3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/113] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index c789b39ed527..89c9d6aebf77 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1471,6 +1471,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..ae085f55e0aa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From 7e09df73adf80d43aa097a0d6d0b64564c8b0305 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/113] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 89c9d6aebf77..11068e77d146 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1511,6 +1511,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..528b6b0b9d86
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From e0fb583098c5a012a6b2cb2d5d6cb7569a004067 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/113] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a6b5b7ef40ae..a145245ec5e7 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1199,6 +1199,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..1a5cc975ddcd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From 470ca663633b925b2eec51a015a9b9bb0876d02f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/113] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a145245ec5e7..21088a6532d8 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1790,6 +1790,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..3071ebbfecd2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From fcf495f2d06a415d88d4b93a20d77c957de89dfb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/113] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..dcbcb4243316 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1929,6 +1929,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..5a6890d6f0b0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From 48c7e5608741bd9270a64a5df2cd064042fdbad4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/113] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index dcbcb4243316..667d1c6c021b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1938,6 +1938,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..005e94fabd41
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From dd3871d5736ec368352e9dc9819bfa91075582b4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/113] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 667d1c6c021b..859ab5ae66ff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1914,7 +1914,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..c4ce56616875
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From 59bc2588da2f3567bdb24656cef798a8f6a9d6d1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/113] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..1b705178424a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From 25b4b12b70440befdec8f6dff2b5959f7e05e304 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/113] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 11068e77d146..45b169177fb9 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -894,6 +894,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -903,7 +904,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.30.0
+
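Review bot: Defaulting PANIC_ON_OOPS to y turns every kernel oops into a full halt, which removes the window in which an attacker continues after a partially failed exploit but also converts any oops reachable from unprivileged userspace into a denial of service; the commit message should state that this trade-off is intended. Nothing in the hunk configures recovery, so an unattended machine stays wedged unless `panic=` or CONFIG_PANIC_TIMEOUT is set to reboot; pair this default with a timeout and a documented crash-capture path. I would keep the upstream `Say N if unsure.` wording and put the hardened rationale in the commit message rather than rewriting upstream guidance in the help text.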
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..7d58548f2f05
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From 0aa4d30775d9f2530cef8c6d1b861a288a387daa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/113] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 859ab5ae66ff..74680a15ceb4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1843,7 +1843,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.30.0
+
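Review bot: The commit message says disabling SLUB_DEBUG reduces attack surface, but as far as I recall the symbol also gates the `slub_debug=` boot parameter and CONFIG_SLUB_DEBUG_ON, i.e. the redzoning, poisoning and sanity checks that hardened deployments commonly rely on, so turning it off loses those checks and the message should say so. Dropping `if EXPERT` from the prompt while keeping `default y` is fine. Suggested message: `It can make sense to disable this to reduce attack surface / complexity, at the cost of losing the slub_debug= runtime checks.` The patch also lacks the Signed-off-by trailer that 0013 and 0014 carry.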
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..ab42416421ae
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From c50211af817341e35f251bd5d0a71f4cbac90fa6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/113] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index fbf26e0f7a6a..ac5c142ce1e7 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1193,7 +1193,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..d0607ba68630
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From cb7630c8338e4190a69c95ee06d55d573a29387c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/113] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ac5c142ce1e7..f01a75a8d6b1 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1194,7 +1194,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.30.0
+
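Review bot: Dropping `default y` here is largely redundant with patch 0019 in the same series, since X86_16BIT `depends on MODIFY_LDT_SYSCALL` (kept in the hunk) and that symbol is defaulted off two patches later; that is acceptable, but the commit message is empty and should say the option remains selectable for the Wine/DOSEMU users the help text mentions. A one-line rationale such as `16-bit segments need espfix handling and are only used by Wine/DOSEMU; default off to shrink attack surface` would make the intent reviewable.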
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..efac58660708
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 26dc246285099383fe0f56a2de90b7e55b8dd888 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/113] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index f01a75a8d6b1..cdc900ab77e6 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2391,7 +2391,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..0b3d57bc1d72
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From 650c6b45291ce1df4f5f33488006c97d88dadaa2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/113] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index cdc900ab77e6..7ec2050fd39c 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2392,7 +2392,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.30.0
+
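Review bot: Defaulting MODIFY_LDT_SYSCALL off makes modify_ldt(2) fail with ENOSYS, which breaks 32-bit Wine, DOSEMU and older thread libraries; that is a defensible hardened default, but the commit message is empty and should list the known consumers so packagers can warn users. It also makes patch 0017 moot for default configs, because X86_16BIT depends on this symbol. Suggested message: `modify_ldt() exposes a historically bug-prone interface needed only by Wine/DOSEMU; leave it off by default.`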
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..6b945172fcf1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From f13e321df904d590871bf2ec16c73bc0f20736a6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/113] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 7ec2050fd39c..ab11aeb0a807 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2295,7 +2295,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.30.0
+
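Review bot: Moving the default from `LEGACY_VSYSCALL_XONLY` to `LEGACY_VSYSCALL_NONE` removes the fixed-address vsyscall page entirely instead of keeping it execute-only, which breaks statically linked binaries built against very old glibc; the commit message is empty and should state the compatibility cost and the boot-time fallback (`vsyscall=xonly` or `vsyscall=emulate`, assuming the upstream command-line override is still present in this tree). The gain over XONLY is small, since XONLY already denies reads of the page and so keeps it from serving as a gadget source, so the extra breakage needs an explicit justification.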
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..adbbac5768f3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From cbda8d7870878ab241fab196006e7cdee9b27218 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/113] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74680a15ceb4..8605f3e78e47 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1591,7 +1591,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..b205f51035e9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From a985d937b086b14b56a4790a18db5faac99e022b Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/113] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 8605f3e78e47..21f0b6926cf3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1592,7 +1592,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.30.0
+
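Review bot: With AIO defaulted off, io_setup(2)/io_submit(2) return ENOSYS, which affects libaio consumers such as database engines and QEMU with `aio=native`; the empty commit message should name this so users know to re-enable it. If the rationale is attack surface, note that CONFIG_IO_URING is a separate symbol that no visible patch in this series touches, and it exposes a considerably larger interface than legacy AIO, so the series is inconsistent unless that is handled elsewhere. Suggested message: `Legacy POSIX AIO is rarely used and has a long bug history; default off, re-enable for libaio users.`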
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..464f80eca3d6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From 8d92b44f5fbced5d988a701809f88ee00a7c3816 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/113] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 5cfe3cf6f2ac..f25871361bdc 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.30.0
+
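Review bot: This patch edits only the arm64 and x86_64 defconfig files rather than the Kconfig default, unlike every other patch in the series, so it has no effect on users who start from `make olddefconfig`, `allmodconfig` or a distribution config; if a hardened default is intended, the change belongs on `config SYSVIPC` in init/Kconfig for consistency. The commit message is empty and should say what breaks: anything using shmget/semget/msgget (older database and X11 MIT-SHM paths) will fail. CONFIG_POSIX_MQUEUE stays enabled, so POSIX IPC remains available.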
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..6224cf40c38c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From 3dd8ce0637d4f32659c5b60d8d5f071d860c6d61 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/113] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index d229a2d0c017..68178c3a25de 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -391,7 +391,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.30.0
+
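Review bot: Disabling /dev/port only partially closes raw I/O-port access from userspace: a process holding CAP_SYS_RAWIO can still reach ports through iopl(2)/ioperm(2), which no visible patch in this series touches, so the commit message should say so and point to kernel lockdown as the complementary control. It should also record that hardware-probing tools which read `/dev/port` directly will need ioperm instead. Suggested message: `/dev/port grants root arbitrary I/O port access; default off, ioperm/iopl remain available to CAP_SYS_RAWIO.`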
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..e9b56376aba8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From 538cdbbf1df902988ec8cac228fd129a56d93845 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/113] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.30.0
+
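Review bot: PROC_VMCORE is what the kdump capture kernel uses to export the crashed kernel's memory (the help text in the hunk), so defaulting it off breaks crash-dump collection whenever the same kernel build serves as both production and capture kernel, which is the common single-kernel kdump setup; combined with 0014 making every oops a panic, the series produces more panics and less ability to analyse them. The existing `depends on PROC_FS && CRASH_DUMP` already keeps the option off for kernels without kdump, so removing `default y` only penalises people who deliberately enabled CRASH_DUMP. I would drop this patch or state in the message that kdump users must re-enable it.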
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..510738e5f3d4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From 3c7f23ae28689eb3b6c9c07b23ce05f635eeafbb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/113] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index e2a488d403a6..ce54c1c693a8 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.30.0
+
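Review bot: NFS_DEBUG has no prompt string (bare `bool` on the first context line), so once `default y` is removed there is no way to turn it on from menuconfig; the only remaining path is a `select` from another symbol, which makes this effectively "remove NFS_DEBUG" rather than "disable by default". If that is intended, the subject and a commit message should say so; otherwise give it a prompt such as `bool "NFS debugging support"` so the option stays selectable. The `select CRC32` line is unchanged, so nothing else is affected.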
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..9013011b21b7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From 8eba3bd16962be9ccaa266f759cd9bda7800c689 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/113] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.30.0
+
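Review bot: DEBUG_WX only reports W+X mappings (`Generate a warning if any W+X mappings are found at boot` in the hunk); it is a detection aid, not an enforcement, so the series should not count it as a mitigation by itself and the message should say it exists to catch regressions in STRICT_KERNEL_RWX/STRICT_MODULE_RWX. It also carries `select PTDUMP_CORE`, so enabling it by default pulls page-table dumping code into every kernel, which is worth stating. Suggested message: `DEBUG_WX is a boot-time check that W^X holds for kernel mappings; make it the default to catch regressions.`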
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..f1d6817e8549
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From 20df56b210698fc6cbe35f3901f2be5fa1e87ea8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/113] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..a0611b3a9648
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From f799175551c3d2059bf6094fb86a32828e5292fb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/113] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 68178c3a25de..2fd45f01e7a2 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -327,7 +327,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.30.0
+
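Review bot: Defaulting DEVMEM off removes /dev/mem entirely, which is stronger than the STRICT_DEVMEM/IO_STRICT_DEVMEM filtering that patch 0030 then defaults on, so the two patches overlap and 0030 only matters for users who re-enable DEVMEM; both commit messages are empty and should say that. The message should also name what loses access: legacy X video drivers, some firmware-flashing and DMI tools, and anything mapping physical addresses through `/dev/mem`. Suggested message: `/dev/mem gives root raw physical memory access; default off, STRICT_DEVMEM still applies if re-enabled.`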
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..bf0c02a7f6a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 43221ec984da19c49ccdc7fff9ad54a3e02782da Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/113] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 45b169177fb9..a46f21a56125 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1668,6 +1668,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.30.0
+
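Review bot: The added `default y` sits under `depends on STRICT_DEVMEM`, and the hunk does not show STRICT_DEVMEM being defaulted on; on architectures where upstream does not default STRICT_DEVMEM to y this line is a no-op, so either add the same default to STRICT_DEVMEM in this patch or say in the message that it relies on the arch default. Because patch 0029 defaults DEVMEM off, this only affects users who re-enable /dev/mem; state that so the two patches read as a deliberate defence-in-depth pair. IO_STRICT_DEVMEM also blocks root from mapping I/O memory claimed by a driver, which some userspace graphics and PCI tools rely on.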
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..91302783b68e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From c64d496a1a963569e384211b00970a79b30f8e62 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/113] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 21f0b6926cf3..4f5827e10be3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1866,7 +1866,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.30.0
+
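Review bot: The prompt is inverted (`Disable heap randomization`), so removing `default y` turns brk randomization on, which is the intent, but the commit message is empty and a reader skimming "disable COMPAT_BRK" could take it for the removal of a hardening; spell it out. Heap-base randomization additionally needs the runtime sysctl `kernel.randomize_va_space=2`, which is the kernel's built-in default but is often lowered by tuning scripts, so the rationale should mention it. Suggested message: `COMPAT_BRK=y disables brk randomization for libc5-era binaries; nothing modern needs that, so stop defaulting it on.`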
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..76cf3f1192fb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From 541cb224dbcf863b643bacc2ef10e014861bc1e2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/113] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index ddd4641446bd..8e8f31cafe43 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -752,7 +752,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -786,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.30.0
+
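Review bot: Selecting `ARCH_MMAP_RND_BITS_MAX` as the default is the right hardening, but it is known to break older LLVM/GCC sanitizer runtimes (ASan/TSan/MSan) whose shadow layout assumes fewer mmap randomization bits, and it raises fragmentation for programs that reserve very large virtual ranges; the commit message should mention that and point to the runtime fallback `sysctl vm.mmap_rnd_bits=28` and `vm.mmap_rnd_compat_bits`. Since both prompts stay `if EXPERT`, non-EXPERT users cannot lower the value in menuconfig, so the sysctl note is the only practical escape hatch. The second hunk applies the same change to the compat value; document the two together.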
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..52cc2e5a031c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From f779f3ddc69fc5ba21806b50c8d0accf0a1e4d02 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/113] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index d4a6dd772303..59ff3ce21026 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.30.0
+
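Review bot: Hard-coding the initial values in fs/namei.c is fine, but the hunk leaves `sysctl_protected_fifos` and `sysctl_protected_regular` (the next two lines) at zero; those guard O_CREAT opens of FIFOs and regular files in world-writable sticky directories and are the natural companion of symlink/hardlink protection, so either initialise them as well (`int sysctl_protected_fifos __read_mostly = 2;` / `int sysctl_protected_regular __read_mostly = 2;`) or explain in the message why they stay off. Also check the rest of the patch stack for another patch flipping the same two initializers (distribution kernels commonly carry their own link-restriction patch); the second one to be applied will fail with a reject, so the ebuild should apply only one of them.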
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..e9adfe709090
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From f1e1cdfbaff676ff7833a5da9c6c77fe14292462 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/113] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..18944538b518
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From 9e88a946632035425fce189305ec30ebce8cfe6b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/113] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.30.0
+
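Review bot: Building Yama in only has an effect if `yama` is kept in the CONFIG_LSM initialization order and not removed via `lsm=` on the command line; the empty commit message should say that the hardening it provides is the default `kernel.yama.ptrace_scope=1`, which blocks non-ancestor ptrace and will break debuggers attaching to unrelated processes and some crash reporters unless they use PR_SET_PTRACER. The `default n` to `default y` change itself is correct; just document the runtime behaviour users will notice.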
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..6c9a4fc33a26
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From 359b65c1069304fb0b90cb71dc7724d2758d83ba Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/113] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..15f3c32e3880
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From 7a9d71864a993fa027098222ea64ae0abe023362 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/113] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4f5827e10be3..9b75a4921575 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -419,6 +419,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.30.0
+
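Review bot: Enabling AUDIT by default is a prerequisite for patch 0038 (SECURITY_SELINUX depends on AUDIT) rather than a hardening on its own, and the empty commit message should say so; on systems without auditd and without rules it mostly adds a code path with no consumer. Worth noting that `audit=0` on the command line disables it at runtime for users who do not want the cost. Suggested message: `AUDIT is required by SELinux and gives a kernel-side record of security events; default on.`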
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..255ea4de1be5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 42c2b8e16016c2f3f563274177e2922f52f000d9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/113] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.30.0
+
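Review bot: Defaulting SECURITY_SELINUX to y can change which major LSM is active: in this kernel generation the major LSMs are exclusive and chosen by the CONFIG_LSM order, so a user running AppArmor who does not adjust CONFIG_LSM may end up with SELinux initialised and AppArmor skipped; the empty commit message should say that and that a policy plus a labeled filesystem are still required (the help text in the hunk). Without a loaded policy SELinux enforces nothing, so this is an enabler rather than a hardening by itself. The `depends on SECURITY_NETWORK && AUDIT && NET && INET` line is what patches 0036 and 0037 exist to satisfy; say so in the message.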
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..beb8706d0471
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From 94b57911f24cf3f7baad3802e8b8a40972356327 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/113] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.30.0
+
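Review bot: Building in SYN_COOKIES is an enabler: whether cookies are actually sent is decided at runtime by `net.ipv4.tcp_syncookies`, so the commit message should say what the runtime default is in this tree and that no ebuild-level sysctl is needed if the kernel already defaults it to 1. Also worth recording that syncookies drop TCP options on connections established from a cookie once the listen queue overflows, which is the accepted trade-off against SYN flooding described in the help text.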
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..09a23d502e9f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From 07a443bc999c5a4bdf60389ccd552078aa8cf812 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 040/113] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index d742c57eaee5..f0222c070458 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __section(".data..ro_after_init")
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.30.0
+
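Review bot: `__read_only` is defined as a bare alias for `__ro_after_init` with no guard, so any other patch or out-of-tree module that already defines `__read_only` (the PaX name this series borrows) will hit a redefinition warning or error; wrap it as `#ifndef __read_only` / `#define __read_only __ro_after_init` / `#endif` in the same style as the surrounding `__ro_after_init` block. The name also promises more than the section delivers: as far as I can tell `.data..ro_after_init` is only write-protected when STRICT_KERNEL_RWX is in effect, otherwise variables tagged this way remain writable, so a comment above the define such as `/* write-once data; actually read-only after init only with STRICT_KERNEL_RWX */` would keep later users (0041 applies it to sysctl bounds) honest.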
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0041-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0041-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..ce695d5629b3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0041-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 91f55a5ea8c95406947cc729ca8ec67bdc152f6e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 041/113] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
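Review bot: The kernel/sysctl.c hunk at line 108 removes and re-adds lines that do not change — the `#endif` and blank line right after `sixty` (`-#endif` / `+#endif`) — so the diff is noisier than it needs to be and will conflict more readily when this patch is rebased onto the next 5.10.x point release; emitting only the declaration lines as changed keeps it minimal. Separately, `__read_only` is the alias for `__ro_after_init` introduced by patch 0040, which means these constants are only actually write-protected once mark_rodata_ro() has run on an architecture with STRICT_KERNEL_RWX; nothing in the file says so. A one-line comment above the block, `/* __read_only: written only during init; any later write through .extra1/.extra2 faults once rodata is sealed */`, would warn the next person adding a sysctl handler that stores into one of these.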
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..076515602c72
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From e8c96f8e7b637e8741a219b450b7f44bdb53df5c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 042/113] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..63a0f8097d0a 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.30.0
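Review bot: Moving `kernel_set_to_readonly = 1;` ahead of set_pages_ro()/set_memory_ro() in both mark_rodata_ro() bodies is load-bearing but uncommented: once the variable lives in .data..ro_after_init, which the generic linker script places inside the rodata range those calls write-protect, an assignment after the call would fault at boot. A future rebase that restores upstream's order (assignment after the call, as the removed lines show) would compile cleanly and only fail at runtime. Suggest a comment on the moved line in both files, e.g. `/* Must be written before the rodata range (incl. .data..ro_after_init) goes read-only. */`. Both mark_rodata_ro() bodies continue outside the hunk.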
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..4f158c72374c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From 87865fa7bed88054ec22e88ac0101b9f63fe65ed Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 043/113] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 34dcc09e2ec9..3ef79a1878ed 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3363,9 +3363,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4883,7 +4883,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..54f3d009355c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From 6ed0eddefa4e3518feb3b9cb85f397a5d3881f5c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 044/113] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..0cb81da8891e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From 2dc8977aaf7a27f13e37888930351ce7c54284e0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 045/113] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..610276428056
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From 036f1b7444aba4b5f9f5ea0cf378a3c5be2ddcb1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 046/113] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..bda9596d7a9f 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 63a0f8097d0a..f9eb66b3f152 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..2f498956c890
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From 0cfef934c3b0af6689e646d9b60a1f529f6b4d33 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 047/113] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..bc34ffd47539
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From 5a2705cf1169b287b13bdce6289e5ba4e67bcf6a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 048/113] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index ee8299eb1f52..f03b78ae5f0a 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 09229ad82209..0595a8248c4a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..810cbbfb94b8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From fe70043e3fab81cee69adec5d6204429554c8f20 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 049/113] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 2a1eff60c797..75a0077ea1a9 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f03b78ae5f0a..4381b79f76cf 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 593df7edfe97..3285d81d8a26 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2722,7 +2722,7 @@ static __latent_entropy void rcu_core(void)
+ queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index ae7ceba8fd4f..d118be5f18b8 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10628,7 +10628,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0595a8248c4a..3a21b22227c1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -532,8 +532,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -573,14 +572,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 387b4bef7dd1..8fe28c28a906 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1587,7 +1587,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..217bc49a3856 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1753,7 +1753,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 38412e70f761..c3cd49e04b7b 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4856,7 +4856,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_any_context);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6803,7 +6803,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..cc9e01334264
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From 4523b403021bf8b7bc243e43f61e0369ef723fe0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 050/113] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 3a21b22227c1..6a02d63b135a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.30.0
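Review bot: `__aligned(PAGE_SIZE)` on `softirq_vec` swaps cache-line alignment for page alignment, padding an NR_SOFTIRQS-entry array of function pointers out to a page of .data..ro_after_init, and neither the commit message nor a comment says why page alignment is wanted. If the only goal is to keep the SMP cache-line alignment while dropping the section attribute that conflicts with `__ro_after_init`, `__aligned(SMP_CACHE_BYTES)` — the expansion of `____cacheline_aligned` in include/linux/cache.h visible in patch 0040's context — achieves that without the padding. If page alignment is intentional, a comment such as `/* __cacheline_aligned_in_smp conflicts with __ro_after_init on x86; page-align explicitly */` next to the declaration would record the reason where a reader will find it.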
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..02bc451c2e91
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From 736002b6543d15b2241aa05971f329937dbc5248 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 051/113] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index f9977d6613d6..5adb48bb2e68 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -435,9 +435,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.30.0
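Review bot: The `#ifdef CONFIG_BUG_ON_DATA_CORRUPTION` branch in virt_to_cache() drops the `"%s: Object is not a Slab page!\n"` text, so a BUG triggered here reports only file and line while the WARN_ONCE branch keeps the message. include/linux/bug.h already provides `CHECK_DATA_CORRUPTION(cond, fmt, ...)`, which BUGs with the message when that option is set and WARNs otherwise, so the added block collapses to `if (CHECK_DATA_CORRUPTION(!PageSlab(page), "%s: Object is not a Slab page!\n", __func__)) return NULL;` with no `#ifdef` (the WARN path would then fire on every hit rather than once, which is probably acceptable for a corruption check). The same `#ifdef` pattern is repeated in cache_from_obj() in patch 0052 and in `__ksize()` in patch 0053.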
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..336be9284291
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From 68ba540e07c2e0f857be61adbfac5d100c459806 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 052/113] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 5adb48bb2e68..9fef4285514a 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -471,10 +471,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
++#endif
+ print_tracking(cachep, x);
++ }
+ return cachep;
+ }
+
+--
+2.30.0
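Review bot: In a `CONFIG_BUG_ON_DATA_CORRUPTION` build the `print_tracking(cachep, x);` after the `#endif` is never reached, because `BUG()` does not return, so the slab tracking output that makes a wrong-cache free diagnosable is lost precisely in the configuration that aborts. Moving `print_tracking(cachep, x);` above the `#ifdef` keeps it on both paths; in the WARN path only the order of the two messages changes. cache_from_obj() starts before this hunk.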
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..3ae019b81af7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From eb979a8e81cf07b0d7eb56cfabd5986c7adbcf52 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 053/113] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3ef79a1878ed..e5564f339095 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4092,7 +4092,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..844e6b935597
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 5a94a66be8ae9ae668463f4aaad6c1976e1a43e2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 054/113] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 14b9e83ff9da..84070ae3885e 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2284,6 +2284,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..3d2f1d2c3d80 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -217,6 +217,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
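Review bot: `PAGE_SANITIZE_VERIFY` defaults to y, but its help text in security/Kconfig.hardening says nothing about cost or failure mode: when init_on_free is active, every page allocation now scans all `1 << order` pages with `memchr_inv()` inside `prep_new_page()`, and a single non-zero byte is a `BUG_ON()` in `verify_zero_highpage()` — an oops (a panic with panic_on_oops), not a warning. The neighbouring `INIT_ON_FREE_DEFAULT_ON` help quotes its overhead, so this option should too, and it should state that a detection is fatal. Suggest appending to the help: `This adds a full scan of every page on allocation on top of the init_on_free cost, and a non-zero byte is treated as memory corruption: the kernel BUG()s rather than warning.` It is also worth saying explicitly that the option is inert unless init_on_free is enabled at boot, since the check is gated on `want_init_on_free()` at run time.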
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..4a11816e2e90
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 42644a58ceb63406236d3b0222ba009339e41424 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 055/113] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index e5564f339095..cf24f74e01de 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.30.0
+
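Review bot: The new `s->ctor(object)` call in `slab_free_freelist_hook()` runs the cache constructor on every free, from whatever context the free happens in, whereas upstream only runs a ctor once from `setup_object()` when a slab is created. Every SLUB constructor in the tree therefore has to be idempotent and safe to call from the free path; nothing in the hunk or the description states that assumption, and a ctor that takes a lock or allocates would become a latent bug that only shows up with init_on_free. Suggest a comment above the call: `/* init_on_free just wiped the ctor-initialised state; re-run the ctor so the object is valid when it is next handed out. Ctors must be idempotent and callable from any context that frees. */`. The enclosing function starts and ends outside the hunk.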
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..88a26f6c5358
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From 0df4718423ec96eb9397a9eef554c4cabf2ecc09 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 056/113] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index cf24f74e01de..d42d2709526a 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2897,7 +2903,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3337,7 +3352,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 3d2f1d2c3d80..a718487ad717 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -224,6 +224,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
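Review bot: `SLAB_SANITIZE_VERIFY` gains `depends on !KASAN` in security/Kconfig.hardening, yet both verify sites in `slab_alloc_node()` and `kmem_cache_alloc_bulk()` wrap the `memchr_inv()` check in `kasan_unpoison_object_data()`/`kasan_poison_object_data()` with a comment explaining the KASAN ordering. With KASAN excluded those calls compile to no-ops and the comment describes a situation that cannot occur, so a reader cannot tell whether the dependency or the poisoning dance is the stale half. Either drop `depends on !KASAN` if the unpoison/poison pair really makes the check KASAN-safe, or drop the calls and replace the comment with `/* KASAN is excluded by Kconfig; the object is read here before the post-alloc hook would unpoison it. */`. Either way the Kconfig and the code should agree.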
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..e546e5d0ad83
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From 12ed4263da48371e07495b01a856f4e2d1d862e2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 057/113] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 9b75a4921575..f15109e7b111 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1945,6 +1945,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0fcd97a4eb6f..105dba485a7e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -504,7 +504,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index d42d2709526a..c949d918dc7f 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2915,6 +2958,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3302,7 +3350,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3372,6 +3420,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3573,6 +3626,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3753,6 +3807,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3826,6 +3883,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4099,6 +4160,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.30.0
+
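Review bot: `get_canary_value()` masks with `CANARY_MASK`, which this patch does not define (its diffstat touches only slub_def.h, init/Kconfig, one line of mm/slab.h and mm/slub.c), so it only builds if an earlier patch in the series provides the macro, and the description's "guaranteed zero byte on 64-bit" claim rests entirely on that mask's value — the description should say where it comes from. Separately, `s->random_active`/`s->random_inactive` are drawn with `get_random_long()` in `kmem_cache_open()`; for the boot-time caches (`kmem_cache_node`, `kmem_cache`, the kmalloc caches) this presumably runs before the CRNG is fully seeded, so those canaries are weaker than the option text implies, the same caveat that applies to the adjacent `SLAB_FREELIST_HARDENED` `s->random`. Suggest a comment at the assignment: `/* Drawn once per cache; caches created during early boot get this before the CRNG is fully seeded, so their canaries are only as unpredictable as the early entropy. */`.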
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..9a51963de49e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From f337b4eb8c11e3dbe4cd4e134073ab0cc0d7c392 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 058/113] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 96450f6fb1de..d020c26b612a 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1312,6 +1312,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c3ba29d058b7..6efbf92763b1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -407,8 +407,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11638,7 +11643,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.30.0
+
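Review bot: The commit description says level 3 denies perf events to users without `CAP_SYS_ADMIN`, but `perf_allow_open()` checks `perfmon_capable()`, which per the CAP_PERFMON adaptation noted in the trailer also accepts `CAP_PERFMON`; the sysctl documentation line gets this right, while the new Kconfig help mentions neither capability and the core.c comment says only "unpriv". An administrator enabling `SECURITY_PERF_EVENTS_RESTRICT` needs to know that a profiling service can be granted the narrower `CAP_PERFMON` instead of full `CAP_SYS_ADMIN`. Suggest extending the help with `Processes with CAP_PERFMON (or CAP_SYS_ADMIN) are exempt; the sysctl remains writable at run time.` and changing the core.c comment to `* 3 - disallow all perf event use without CAP_PERFMON`.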
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..5fa2737cf7d4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From 09b7ec8649b49d2a70417d7623a06f9987ddb14d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 059/113] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..b56cf48d8cb8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From 34e019465d031f82fb3a887d6edc05e0d11d642a Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 060/113] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index c675fdbd3dce..cba344194fba 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1863,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2928,6 +2933,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..29a30cff5e60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.30.0
+
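Review bot: The new `unprivileged_userns_clone` sysctl entry uses `proc_dointvec` with no bounds, so any integer is accepted although both consumers (`copy_process()` and `ksys_unshare()`) treat it as a boolean; keep the knob to 0/1 with `.proc_handler = proc_dointvec_minmax,` `.extra1 = SYSCTL_ZERO,` `.extra2 = SYSCTL_ONE,`. Also, both checks call `capable(CAP_SYS_ADMIN)`, which tests against the initial user namespace, so with the default of 0 a process holding CAP_SYS_ADMIN only inside a child namespace cannot create a nested user namespace either; that is a defensible hardening choice but worth recording at the declaration, e.g. `/* 0 (default): CLONE_NEWUSER needs CAP_SYS_ADMIN in init_user_ns, so nested unprivileged namespaces are denied too. */`. Both enclosing functions extend beyond the hunk.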
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..baa310a21bff
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 684af23ebf12a437804e6d2d35ed2315e88b8386 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 061/113] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index dd6897f62010..78f99835b91b 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -386,7 +386,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -410,7 +410,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -535,7 +535,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -557,7 +557,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.30.0
+
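Review bot: The `krealloc` prototype spells the attribute `__attribute((alloc_size(2)))` while every other line in the hunk uses `__attribute__((alloc_size(N)))`; GCC accepts both spellings, but the odd one out reads as a typo and defeats a grep for the usual form, so use `void * __must_check krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));`. The description's caveat about ksize() users also belongs in the header, since with these attributes FORTIFY_SOURCE's `__builtin_object_size` checks can now see the requested size and code that relies on ksize() slack becomes a fortify report; suggest a comment above `__kmalloc`: `/* alloc_size lets the compiler bound accesses to the requested size; callers that use ksize() slack beyond it will be flagged by FORTIFY_SOURCE. */`.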
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..834c081f92a2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From 71a235611a8fcc22ffb6d418a5f95563ad61c9bb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 062/113] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 938eaf9517e2..7c069063c20d 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -102,18 +102,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.30.0
+
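Review bot: `__vmalloc_node` at the bottom of the hunk is the one size-taking declaration in this block that is left without `__attribute__((alloc_size(1)))`, while its sibling `__vmalloc_node_range` gets it; since the patch predates `__vmalloc_node` becoming a public declaration in vmalloc.h, this looks like a forward-porting gap rather than a deliberate exclusion. Callers that go through `__vmalloc_node` directly (the non-NUMA and node-specific paths) therefore get no FORTIFY/object-size coverage from this series. The fix is the same one-line change as the others: `int node, const void *caller) __attribute__((alloc_size(1)));`.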
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..34f9c9b97dac
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From 437f21d776813bb21acc416150f9cb789d19a5ba Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 063/113] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index cd5c313729ea..746f6d05bd81 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -759,7 +759,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.30.0
+
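Review bot: Only the `extern` `kvmalloc_node` declaration gets `alloc_size(1)`; the `static inline` `kvmalloc` wrapper visible right below it is left unannotated, which is inconsistent with the preceding kmalloc patch in this series, where the `static inline` `kmalloc`/`kmalloc_node` wrappers were annotated explicitly. Whether the compiler propagates the callee's attribute through the inlined wrapper for `__builtin_object_size` purposes is not guaranteed, so the explicit form is safer: `static inline __attribute__((alloc_size(1))) void *kvmalloc(size_t size, gfp_t flags)`. The other kvmalloc-family wrappers in mm.h are outside this hunk and presumably have the same gap.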
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0064-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..b496ae1de753
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 1b6ebc32518e82f0045d249f4e8190421ea653be Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 064/113] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..5dad05b4d403
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From 1963b072515387ae23343da8e54dbed8aa8d0e30 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 065/113] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index c603237e006c..893378b0262e 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -568,9 +568,9 @@ static inline struct page *alloc_pages(gfp_t gfp_mask, unsigned int order)
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..8535a976366e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From 6de129c2e7916b50357474e5dfffd9dc2747be8b Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 066/113] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f6a1513dfb76..f399208c873a 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3566,6 +3566,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 84070ae3885e..ded9e8536285 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -136,6 +137,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1549,6 +1559,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.30.0
+
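Review bot: The "first 4GB" bound in `__free_pages_core` is written as a raw pfn constant, `page_to_pfn(page) < 0x100000`, which equals 4GB only when `PAGE_SIZE` is 4KiB; on configurations with 16KiB or 64KiB pages the loop covers 16GB or 64GB of RAM, contradicting both the kernel-parameters entry and the Kconfig help text added in the same patch. Expressing it in terms of the page shift keeps the documented bound true everywhere: `page_to_pfn(page) < (1UL << (32 - PAGE_SHIFT))`. A short comment on the condition, e.g. `/* only hash the low 4GB: cheap, and enough for the "extra" entropy this provides */`, would also explain the magic number. `__free_pages_core` starts outside this hunk.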
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..3d048741ea8f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From 761f0317dbda0042b1ce2921bcd1dc0720ab78c6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 067/113] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 61c762961ca8..02a83039c25b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..488b36060bd6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From 52aa917a4fe6058074dac75fbdf6b707351959ae Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 068/113] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 74019c8ebf6b..c480b4e7ffef 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -778,6 +778,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0069-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0069-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..74239fc26f85
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0069-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From dfed5d99c16f909a58d2d31d32fb61de026d4550 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 069/113] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 746f6d05bd81..a463ffe84eb4 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -894,10 +894,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index 47a47681c86b..762095d95092 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.30.0
+
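Review bot: `__put_compound_page` now tests `!PageHuge(page)` twice in a row — once to call `__page_cache_release` and again to guard the `BUG_ON` — which reads as if the two conditions were meant to differ; folding the destructor check into the existing `if (!PageHuge(page)) { ... }` block makes it obvious they are the same path. Note also that hugetlb pages are exempted from the check entirely rather than being validated against their own destructor, so the sanity check does not cover that case; if that exemption is intentional, a one-line comment such as `/* hugetlb pages are released via their own dtor and are not validated here */` would document it. The `Reviewd-by:` trailer in the patch header is a typo for `Reviewed-by:`.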
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..4deb53ba5af3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From 2ae63f35b32dd32c6e8a4781eec8b89437c11b84 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 070/113] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 35ad8480c464..edaeeab9df4b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -399,6 +399,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 145a7ac0c19a..058941e9ae40 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 569ac1d57f55..044d88da4aee 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1066,6 +1066,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0071-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0071-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..43ef5e823ec6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0071-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From 9a1d2b910c1a5cb78e1eb00ea06901c1b4c3f160 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 071/113] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index f882ce0d9327..50e9baefc4e7 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.30.0
+
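Review bot: The `DATA_TO_TEXT` case in `report_sec_mismatch` is wrapped in `#if 0`, so the only output for a writable function pointer is the aggregate `warn("modpost: Found %d writable function pointer(s).\n", ...)` in `main` — the developer is told something is wrong but never which symbol or section, which makes the detection hard to act on. Either drop the `#if 0` and print the per-reference line, or guard it with the existing verbosity/mismatch controls rather than leaving dead code in the switch. Stylistically, the new `sectioncheck` entry ends `.mismatch = DATA_TO_TEXT` without the trailing comma the neighbouring initializers use, and the new enumerator `DATA_TO_TEXT` likewise lacks one. `report_sec_mismatch` and `main` both start outside this hunk.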
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..2a1481b3845b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From 095f0c6d5ef74c56c650d694d67a75f882d1c946 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 072/113] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..2059c66f7c9b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1693,6 +1693,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.30.0
+
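Review bot: The new `else if (!audit_ever_enabled) audit_initialized = AUDIT_UNINITIALIZED;` branch in `audit_enable` has no explanation in the code and the patch carries no commit body or Signed-off-by, so the intended semantics (why a command-line `audit=` value that is not `off` should move the state back to uninitialized, and what a later `audit_set_enabled` then does with it) are undocumented. A short comment above the branch, stating the case it handles and the state transition it expects, is the minimum needed for a future rebase of this series. `audit_enable` starts outside this hunk.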
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..1690f65619b6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From d844b2636c289d468ca4f2ed1881b7e33dc5b2c3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 073/113] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.30.0
+
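Review bot: The new `FORTIFY_SOURCE_STRICT_STRING` option uses the prompt `"Harden common functions against buffer overflows"`, which appears to be the same prompt as its parent `FORTIFY_SOURCE` (whose prompt is just above this hunk, not visible here); two identically titled entries in menuconfig are hard to tell apart. A prompt that names what the option adds is clearer, e.g. `bool "Perform stricter intra-object overflow checks in string functions"`. The help text could also state the concrete difference that the code makes — `__builtin_object_size(p, 1)` instead of mode 0 for the string family only, as the `__string_size` macro shows — and that `mem*` functions are deliberately left at inter-object checking, matching the commit message.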
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..e3d1a15a5863
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From 27ebc8d10c75d120b92eddb501c723a276a41e58 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 074/113] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.30.0
+
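Review bot: The commit body is only "This reverts commit aab425db…" and carries no Signed-off-by, so the rationale for re-applying a change that upstream explicitly backed out is missing — a reader rebasing this series cannot tell whether the upstream reason for the revert was judged inapplicable or simply accepted as a trade-off. A sentence stating why the fixed `0x100000000UL` base is preferred here, and how the arm64 `CONFIG_ARM64_FORCE_52BIT` branch that is dropped in the hunk is accounted for, would make that decision reviewable. The updated comment "raised to 4GB" in both headers is consistent with the new constant, so no code change is proposed.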
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..364b6883184d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From b825d492a65b1a95ca631a5701ae5ad56564798c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 075/113] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.30.0
+
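Review bot: `map_vdso_randomized` now passes a fixed hint of 0 to `map_vdso` without saying what that means, and the deleted block comment was the only explanation of how the vdso address is chosen. Presumably a 0 hint lets the mmap allocator pick a randomized address in the mmap region alongside the other shared objects, as the commit message describes, but that should be stated at the call site, e.g. `/* hint 0: let get_unmapped_area() place the vdso in the randomized mmap region like any other shared object */`. The removal of the now-unused `align_vdso_addr` in the other two hunks is consistent with this; whether the generic mmap path still honours `va_align` for the vdso is not visible here and is worth confirming.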
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..a8445b66d843
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From c0d3220bdc48946ed08c481b847e29908701a369 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 076/113] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.30.0
+
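Review bot: The context comment `/* 1GB for 64bit, 8MB for 32bit */` above the 64-bit `__STACK_RND_MASK` is now stale, since the mask is derived from `mmap_rnd_bits`/`mmap_rnd_compat_bits` and varies with kernel configuration and the sysctls. Replace it with something like `/* stack mapping entropy follows the mmap entropy configuration (mmap_rnd_bits, mmap_rnd_compat_bits for 32-bit tasks) */`. The hunk does not add a declaration of `mmap_rnd_bits` to `asm/elf.h`; whether it is already visible through an existing include is not shown here and should be confirmed, for the `CONFIG_X86_32` branch as well.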
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..afef8b3ffe17
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From e7a232a31a1181e0a1b8fc7d479dbf9d98768b7d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 077/113] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.30.0
+
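Review bot: The context comment `/* 1GB of VA */` above `STACK_RND_MASK` is now stale for the same reason as in 0076: the mask follows `mmap_rnd_bits`, so the range is configuration dependent. The new definition keeps the `>> (PAGE_SHIFT - 12)` correction from the old fixed constants; if `mmap_rnd_bits` on arm64 is already expressed in pages (its Kconfig minimum is page-size dependent), that correction would reduce the entropy a second time on 16K/64K-page kernels — this is inferred from code outside the hunk and should be checked, and the commit message only quantifies the 4K case. A one-line comment stating the unit of `mmap_rnd_bits` at this site would settle it either way.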
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..94ce46954bcc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,37 @@
+From 25d553ddcae357cc136bbce5e776300ada1cd260 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 078/113] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ fs/exec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ca89e0e3ef10..4875ded97db5 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -64,6 +64,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -280,6 +281,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.30.0
+
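Review bot: The new gate in `__bprm_mm_init` checks only the global `randomize_va_space` sysctl, not the per-process `PF_RANDOMIZE` flag that the rest of the ASLR code honours (it is derived from the `ADDR_NO_RANDOMIZE` personality later in exec, outside this hunk). If that is deliberate because the personality is not yet settled at this point, a comment should say so, e.g. `/* PF_RANDOMIZE is not settled yet here; honour only the global sysctl */`. It is also worth documenting that XORing the low bits leaves `bprm->p` with no alignment at all, which presumably relies on `arch_align_stack()` in the binfmt loader to realign the final stack pointer; the commit message notes PaX keeps 16-byte alignment, and the reason for departing from that belongs in the code.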
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..889b96f49ecf
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From 68ed5028e80c61ab7924930bd6e63e495f582f84 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 079/113] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 058941e9ae40..61460d55dd72 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -906,7 +908,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.30.0
+
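Review bot: The added `#include <linux/sizes.h>` is placed after the `asm/` includes in `process.c`, while the kernel convention (and 0078's placement of `linux/random.h`) groups `linux/` headers before `asm/` ones; the `linux/` group is presumably earlier in the file, outside this hunk. Moving it there keeps the include block consistent. The `asm/elf.h` include is presumably needed for `mmap_is_ia32()`, which nothing in the hunk states; `/* for mmap_is_ia32() */` would make that explicit.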
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..acd51542c7c6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From e256dd216c922cd280d1e325b98c79bcb4c06ec2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 080/113] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 5c8b4485860d..0e26c225bb53 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.30.0
+
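Review bot: The new block adjusts `newbrk`/`oldbrk` whenever `min_brk` is unaligned, but `min_brk` is assigned above the hunk and may be `mm->end_data` rather than the randomized `mm->start_brk` (the non-randomized `CONFIG_COMPAT_BRK` path, if that code is unchanged). In that case an unaligned `end_data` with `brk == min_brk` would compute `newbrk` one page below the original value, and the shrink path further down would unmap the page holding the end of the data segment — this is inferred from code outside the hunk, so please verify. Conditioning the adjustment on `min_brk == mm->start_brk`, or a comment stating the invariant that only a randomized `start_brk` can be unaligned, would close that off. The comment could also say why `min_brk` is unaligned: `/* start_brk may be randomized below page granularity; treat brk == min_brk as an empty heap */`.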
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..8b1478542ce7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 799c68244ba130c6c6ba059b85f4c5e66e10d649 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 081/113] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ddb6e186dd5..4ca72f952329 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
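Review bot: The open-coded `mm->brk + get_random_long() % SZ_32M` drops the range clamping that `randomize_page()` performed when `start` is near the end of the address space (its body is outside this hunk), and the same replacement appears in 0082 for x86. That is probably harmless because `brk` sits just above the data segment, far from `TASK_SIZE`, but the reasoning should be stated, e.g. `/* randomize all bits, not just pages; brk is far below TASK_SIZE so no overflow clamp is needed */`. Since the modulus is a power of two the compiler will reduce it to a mask, so there is no cost concern. After 0082 the x86 `arch_randomize_brk` differs from this generic one only in its 32-bit test, so it is worth checking whether x86 can use the generic implementation instead of carrying a copy.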
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..734b0d77088e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From c2b8a985e4a1425f9b94518e4a87e7537dea5769 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 082/113] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 61460d55dd72..0d4c3887229d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..78f33fc9b648
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 075a2b2a04300b6c14be41a18908cdc2907a8326 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 083/113] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ca72f952329..62ed34dfceb7 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
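Review bot: The `+ PAGE_SIZE` added to both return values has no comment explaining that it compensates for the unaligned `start_brk` introduced in 0081: once the page containing `start_brk` can be mapped by the first `brk()` call, a random offset smaller than a page would leave no unmapped page between the data segment and the heap, and the extra page guarantees at least one. The same change is made for x86 in 0084. A comment on the generic version, `/* +PAGE_SIZE: with an unaligned start_brk the heap's first page may sit right above the data segment, so guarantee at least one page of gap */`, would make the intent clear in both places.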
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..d95406a9ab68
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 6812678113af4361bacf3eb00ff493408891775f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 084/113] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 0d4c3887229d..161e25d02fd5 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..e00ac21dd15f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From 0710536c56bd56b12e5c9fa52085830606056465 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 085/113] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.30.0
+
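Review bot: The commit has no description and no Signed-off-by (the header goes straight from Subject to `---`), yet it changes two allocation bounds: `find_start_end` now ends the bottom-up search at `get_mmap_base(0)` instead of the task size, which silently drops the `addr > DEFAULT_MAP_WINDOW` case that let a 64-bit process opt into addresses above the 47-bit window, and the top-down path's `low_limit` rises from `PAGE_SIZE` to `get_mmap_base(1)`. After this change `addr` appears to be unused inside `find_start_end` (its head is outside the hunk), so either drop the parameter or explain why it stays. A short body stating that mappings are intentionally confined between the legacy and modern bases, and what happens to hints above `DEFAULT_MAP_WINDOW`, would cover both.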
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0086-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0086-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..93fde598a48c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0086-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From 1ca98de67f5f0d918d97528a80150cde5f4d951c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 086/113] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 5eea9912a0b9..f86f383a3e1d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index dacecdda2e79..14173d0f777d 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 8bde32cf9711..83d50b0a2a18 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3475,4 +3475,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index de7eac903a2a..5602178f3d21 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
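Review bot: The `kern_table` entry at the end of the hunk uses `proc_dointvec_minmax_sysadmin` as its handler, but at this point in the series that function is still `static` and compiled only under `#ifdef CONFIG_PRINTK` (the guard is removed by the following patch 0087), so this commit on its own does not build with `CONFIG_PRINTK=n`; reordering 0087 before it keeps the series bisectable. The new `kernel.device_sidechannel_restrict` sysctl has no entry in the diffstat for `Documentation/admin-guide/sysctl/kernel.rst`; it should document that, when set, atime/mtime of world-accessible character and block devices are reported as ctime to callers without `CAP_MKNOD`, and that FS_ACCESS/FS_MODIFY fsnotify events on them are suppressed. In `fsnotify_file`, `mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode)` is correct by precedence but reads better with the bitwise test parenthesised. The exported `capable_noaudit()` is added under `CONFIG_MULTIUSER` with a `!CONFIG_MULTIUSER` stub, which is consistent with `capable()`.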
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..041cac6e40c2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From 8035116abf91610036c170818c3fc0b6b63adee4 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 087/113] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -890,8 +890,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -899,7 +918,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1585,6 +1603,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3436,6 +3460,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.30.0
+
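Review bot: The new kernel-doc says `Writing is only allowed when root has CAP_SYS_ADMIN.`, but the check is `capable(CAP_SYS_ADMIN)`, which tests the capability in the initial user namespace rather than uid 0; reword to `Writing is only allowed when the caller has CAP_SYS_ADMIN in the initial user namespace.`. The export at the end of the hunk is `EXPORT_SYMBOL`, while the neighbouring `proc_douintvec_minmax` uses `EXPORT_SYMBOL_GPL`; for a helper whose purpose is a privilege check it is worth matching the GPL-only export. The `-ENOSYS` stub added in the `!CONFIG_PROC_SYSCTL` branch matches the surrounding stubs.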
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..0b9ac46e6be3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From ef2373cc70cc4fc111ce3775fa02b3cd3c28ed2e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 088/113] usb: add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 17202b2ee063..9385c745d55e 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,6 +5054,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5114,6 +5117,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7d72c4e0713c..8e7549e3012a 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,6 +2035,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..f867606fbd80 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2305,6 +2308,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
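Review bot: The denial in hub_port_connect logs unconditionally (`dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);`), so with deny_new_usb=1 every connect event on every port produces a kernel log line, and a device that keeps cycling its connection can fill the log. `dev_warn_ratelimited(&port_dev->dev, "denied insert of USB device on port %d\n", port1);` keeps the audit trail while bounding the volume, and matches the ratelimited denial used by the TIOCSTI patch later in this series. Note also that kernel/sysctl.c now references `deny_new_usb`, which this patch defines in hub.c inside usbcore, so a CONFIG_USB=m build would have a built-in table pointing at a module symbol; the next patch appears to rework this, so it only matters if this one is applied alone. hub_port_connect's body continues outside the hunk.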
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..2d39fdb455f0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,195 @@
+From 79f6c4002c4c87104b9832fec170f9df0b6c377b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 089/113] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 14 -------------
+ 6 files changed, 63 insertions(+), 18 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 9385c745d55e..b62b3da81ac4 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,9 +5054,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 9b4ac4415f1a..93b4b798bdcc 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -978,6 +981,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1012,6 +1018,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1035,6 +1043,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 8e7549e3012a..653265115e56 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,8 +2035,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index f867606fbd80..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,9 +106,6 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
+-#if IS_ENABLED(CONFIG_USB)
+-#include <linux/usb.h>
+-#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2308,17 +2305,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
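Review bot: usb_root_table in the new drivers/usb/core/sysctl.c registers usb_table under the "kernel" directory, so the knob keeps its existing /proc/sys/kernel/deny_new_usb path even though the description speaks of moving it to a dedicated USB table; a comment above the table, `/* Parent is "kernel" so the knob stays at /proc/sys/kernel/deny_new_usb. */`, would stop a reader from looking for it under a new path. Two smaller points: the include/linux/usb.h hunk leaves two consecutive blank lines before `#endif /* __KERNEL__ */`, and `EXPORT_SYMBOL(deny_new_usb)` in usb.c exports a variable that, as far as this patch shows, is only read inside usbcore (hub.c and sysctl.c), so the export may be unnecessary unless something outside usbcore is expected to read it.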
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..28455285e7de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From 32995bfd4cdd1e4d44fa4618da7714aabee0c61f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 090/113] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f399208c873a..282777d18d19 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c46312710e73..541c65650c5e 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4bde570d56a2..cc5caffc07fa 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ length = count;
+ out:
+ kfree(page);
+--
+2.30.0
+
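Review bot: sel_write_checkreqprot now rejects any non-zero value with -EINVAL (`if (sscanf(page, "%u", &new_value) != 1 || new_value)`), so a write of "1" that previously succeeded with a deprecation warning now fails, which is a behaviour change the description's "userspace API is left intact" understates; the description should say that only "0" is accepted. Since the stored value can no longer change, a comment at that line would explain why the write path still parses input but never stores it: `/* checkreqprot is hard-wired to 0: accept only a write of 0, reject anything else. */`. sel_write_checkreqprot's body continues outside the hunks.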
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..848cfa8d6009
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From 19447fd0508920fe83921c257da55ff686056d85 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 091/113] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 56ade99ef99f..557356504a81 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3014,6 +3015,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index eb33d948788c..a205640b4c61 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -342,6 +343,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.30.0
+
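Review bot: include/linux/tty.h pulls in all of <linux/user_namespace.h> only to declare a pointer field, and tty.h is included very widely; a forward declaration `struct user_namespace;` in the header, with the `#include <linux/user_namespace.h>` moved to drivers/tty/tty_io.c where get_user_ns()/put_user_ns() are actually called, would avoid the new header dependency. The new field has no comment; something like `/* user namespace that allocated the tty; capability checks on tty ioctls are done against it */` at the struct member would record the intent the description gives. The put_user_ns() added to free_tty_struct is reached for any tty freed through that path, so it relies on owner_user_ns being NULL or valid for ttys that never reached the end of alloc_tty_struct, which is outside the hunk and worth confirming.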
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..ea6f1680a69c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From 44bb73bc8c9b371cc3057c946aa987b9cbda401d Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 092/113] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 557356504a81..5670bd7442df 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2182,11 +2182,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a205640b4c61..116138eb394c 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -353,6 +353,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..8fd007fbec4c 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2295,6 +2298,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.30.0
+
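Review bot: The denial message in tiocsti() does not identify the calling process, which is the detail needed to correlate a blocked injection attempt with a session: `dev_warn_ratelimited(tty->dev, "Denied TIOCSTI ioctl for non-privileged process %s (pid %d)\n", current->comm, task_pid_nr(current));` keeps the rate limit and adds the attribution. A style point in the kernel/sysctl.c hunk: `#if defined CONFIG_TTY` (used twice) is unusual next to the `#ifdef CONFIG_USER_NS` it follows, and `#ifdef CONFIG_TTY` is the form the rest of the file uses. tiocsti()'s body continues outside the hunk.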
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..25a014a279ca
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 68c6443661c85e8f27e9eb36c5d374cd75548e6b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 093/113] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..8030349651c0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From 58818be47b1fa792496a0d1ca0541a16063cd5df Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 094/113] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b..a54c05624647 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.30.0
+
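Review bot: The commit has no description (the same is true of the following two default-change patches), and the semantics of this default deserve one: if I recall the sysctl handler correctly, this kernel series does not allow unprivileged_bpf_disabled to be lowered back to 0 once it is 1, so booting with this initialiser disables unprivileged bpf() for the life of the system and cannot be undone at runtime. Administrators who need unprivileged BPF would then have to rebuild rather than flip a sysctl, which is worth stating. A comment on the changed line, `/* linux-hardened: default off; the sysctl is one-way and cannot be re-enabled at runtime */`, would capture that next to the value.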
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..ffaf6e3b3e05
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 625387e0d966fbb3d0f9515e6e7e0e768f8ec361 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 095/113] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 55454d2278b1..de02792dc2fc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -524,7 +524,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.30.0
+
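Review bot: The value chosen matters and is not explained: `bpf_jit_harden = 2` enables constant blinding for all BPF programs, including those loaded by privileged users, whereas `1` would cover unprivileged loaders only, and blinding carries a JIT code-size and performance cost. The subject's "(if available)" is not reflected in the code — the initialiser is unconditional and is simply without effect when the JIT is not built or not enabled — so a comment on the line would help: `/* 2 = constant blinding for all users (1 would cover unprivileged programs only) */`.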
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..c7f0e5c16cc3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From bc11b1e3e75b79577fe8e90989d57791ed6d16e3 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 096/113] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 59ff3ce21026..72f912c68975 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.30.0
+
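Review bot: The value `2` for protected_fifos and protected_regular extends the restriction from world-writable sticky directories (value 1) to group-writable sticky directories as well, which is the stricter of the two documented settings and the one most likely to surprise setups that rely on shared-group directories. A one-line comment on the two changed lines, or a sentence in the description, saying that 2 was chosen over 1 for that reason would make the trade-off visible to anyone tuning the default later.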
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..da13a2e92404
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From cd5e90032091cf3e4287f3a4808d682a65a43240 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 097/113] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index bda9596d7a9f..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index f9eb66b3f152..c3d771ffc178 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.30.0
+
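Review bot: The two definitions end up inconsistent: arch/x86/mm/init_32.c gets `int kernel_set_to_readonly __read_mostly;` while arch/x86/mm/init_64.c gets a plain `int kernel_set_to_readonly;`; the same attribute should be used in both, and `__read_mostly` looks like the better choice for a flag that is read far more often than written (hedged, since its readers are outside the hunk). The substantive part, moving `kernel_set_to_readonly = 1;` to after set_pages_ro()/set_memory_ro(), has no in-code explanation; a comment at each moved assignment, `/* Set only after the pages are RO; doing it earlier caused CPA conflicts (linux-hardened issue #4). */`, would tie the ordering to the linked issue. mark_rodata_ro()'s body continues outside the hunk in both files.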
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..6cffecf4961e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From fa0a13527c2f804d6d0a8241f5529205faf9956f Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 098/113] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index a46f21a56125..6f5011b629a3 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -374,6 +374,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 50e9baefc4e7..2cbc4e8a6295 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.30.0
+
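Review bot: The new `config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE` entry in lib/Kconfig.debug has no help text, so anyone toggling it in menuconfig gets no explanation of what a "writable function pointer" report is or why it is off by default. I would add under the prompt: `help` / `Print a detailed modpost report for every reference from a writable data section to a text section (a writable function pointer). Without this only a summary count is printed.` One behavioural nit in modpost.c: the final `if (writable_fptr_count && !writable_fptr_verbose)` suppresses the summary entirely in verbose mode, so the total count is lost; printing the count unconditionally and gating only the `'make CONFIG_…=y'` hint on `!writable_fptr_verbose` keeps both.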
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..c6c1320cbb47
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,103 @@
+From 450df74b366012d501f9924e2960bfbbd90ef22b Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 099/113] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index ded9e8536285..8730ae4244b9 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1539,6 +1539,25 @@ static void __free_pages_ok(struct page *page, unsigned int order,
+ local_irq_restore(flags);
+ }
+
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
++{
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++}
++
+ void __free_pages_core(struct page *page, unsigned int order)
+ {
+ unsigned int nr_pages = 1 << order;
+@@ -1558,22 +1577,6 @@ void __free_pages_core(struct page *page, unsigned int order)
+ }
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+-
+- if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+- unsigned long hash = 0;
+- size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+- const unsigned long *data = lowmem_page_address(page);
+-
+- for (index = 0; index < end; index++)
+- hash ^= hash + data[index];
+-#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+- latent_entropy ^= hash;
+- add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+-#else
+- add_device_randomness((const void *)&hash, sizeof(hash));
+-#endif
+- }
+-
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+@@ -1632,6 +1635,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1723,6 +1727,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1730,6 +1735,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.30.0
+
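Review bot: The new `__gather_extra_latent_entropy()` in mm/page_alloc.c hard-codes `page_to_pfn(page) < 0x100000` with no explanation, and the commit message itself is unsure whether reading pages still owned by the boot allocator is safe, so the helper needs a header comment recording both. I would add above it: `/* Mix the contents of low boot-time pages (pfn < 0x100000, i.e. below 4 GiB with 4 KiB pages) into the RNG before they reach the buddy allocator. Reads bootmem-owned memory — TODO confirm safe. Not credited as entropy. */` The "not credited" part matters: add_device_randomness() only mixes input, and the `hash ^= hash + data[index]` loop is a fold, not an entropy estimate, so a reader should not take this as raising the crng's entropy count. The `#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY` branch does a plain read-modify-write of the global `latent_entropy`; if `deferred_free_range()` runs on several nodes concurrently this could race, though the pre-existing inline code had the same pattern, so this is worth confirming rather than a regression.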
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..caceb994b8f2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From c731d3e58d447eb72d300f130b66a48775b8b4d0 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 100/113] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index f15109e7b111..94918210ee72 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+
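Review bot: The help text for `USER_NS_UNPRIVILEGED` in init/Kconfig will age badly and contains a joke in a place administrators rely on: "several recent local privilege escalation exploits" dates itself, and `paranoid^Wsecurity-conscious` does not belong in Kconfig help. I would rewrite the first paragraph as: `When disabled, unprivileged users cannot create user namespaces. Unprivileged user namespaces have been a recurring ingredient of local privilege escalation exploits, so disable this unless you need them.` The help should also state what breaks when it is off — sandboxing tools that rely on unprivileged user namespaces (container runtimes, browser sandboxes and similar, the exact set depending on the distribution) will fail or fall back to privileged helpers — so the choice is informed rather than surprising. The `default n` line is redundant for a bool but harmless.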
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..8656db00aa59
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From e442bc545ceeeb015be44da758f3229902fc6012 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 101/113] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index a718487ad717..7e3fe39ed6a4 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.30.0
+
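Review bot: `default yes` under `config INIT_ON_ALLOC_DEFAULT_ON` in security/Kconfig.hardening is, as far as I can tell, not a Kconfig constant: the tristate constants are `y`, `m` and `n`, and any other word is looked up as an ordinary symbol, so `yes` resolves to an undefined symbol that evaluates to n and the hardening default silently does not apply. Use `default y`. Since the whole patch is this one default, verify with `make olddefconfig` on a fresh config that `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` actually comes out.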
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..54a907c10c08
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 95e5b9d50f068f234e6ce27fc1bbe7ada7f7ddcb Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 102/113] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 7e3fe39ed6a4..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.30.0
+
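Review bot: `default yes` under `config INIT_ON_FREE_DEFAULT_ON` in security/Kconfig.hardening has the same problem as the companion init_on_alloc patch: as far as I can tell Kconfig only recognises `y`, `m` and `n` as constants, and `yes` is treated as an undefined symbol evaluating to n, so the intended default is not applied. Use `default y`. It is also worth a sentence in the commit message that init_on_free has a measurable cost on every free path, since the patch turns it on for everyone who does not explicitly opt out.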
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..5f6753597eaf
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From e2bfb6622d72c02bc4a497ac713fc0fdf3daa926 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 103/113] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 000b457ad087..06d35ecdcbc8 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 94918210ee72..970066ca7388 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1747,6 +1747,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.30.0
+
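Review bot: The help text for `USERFAULTFD_UNPRIVILEGED` in init/Kconfig has a grammar slip that will be copied into derived documentation: `Userfaultfd provide attackers` should read `Userfaultfd provides attackers`; the same sentence appears in the commit message. The help should also say what remains allowed when the option is off — the patch only changes the initial value of `sysctl_unprivileged_userfaultfd`, and the privilege check that consults it is outside this hunk (upstream 5.10 lets capable callers through, which should be confirmed against fs/userfaultfd.c) — so a line such as `Privileged users retain access to the syscall.` is warranted. The `default n` is redundant for a bool.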
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..419962f522f7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From f59d230fbf354ad25f53576dcb07f6f6e07428e3 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 104/113] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 105dba485a7e..2138deacf719 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -630,8 +630,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index c949d918dc7f..cb8abacabfdb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2955,8 +2956,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3416,8 +3423,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.30.0
+
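Review bot: The `#ifndef CONFIG_SLUB` that removes the ctor bail-out in `slab_want_init_on_alloc()` (mm/slab.h) has no comment, and the reason it is safe — SLUB now re-runs `s->ctor` after the memset in `slab_alloc_node()` and `kmem_cache_alloc_bulk()` — lives in another file, so a reader of slab.h will assume zeroing a constructed object corrupts it. I would add above the `#ifndef`: `/* SLUB re-runs s->ctor after zeroing (see slab_alloc_node), so constructed caches can be zeroed too; SLAB/SLOB still skip them. */` With the ctor check gone, the following `SLAB_TYPESAFE_BY_RCU | SLAB_POISON` line can return true for an RCU cache that has a constructor when `__GFP_ZERO` is passed, and the object would then be memset and re-constructed while an RCU reader may still be looking at it — confirm no such caller exists, or keep the ctor check for `SLAB_TYPESAFE_BY_RCU`. The commit message is empty; one sentence on why constructors no longer block init_on_alloc would help future bisects.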
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..7c62dcaf21a7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From 8bad6133d22f0c4a01e2c133bd3aa7cebbdfb889 Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 105/113] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+
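Review bot: The documentation added to ip-sysctl.rst and net/ipv4/Kconfig never says what happens to a crossed SYN once `tcp_simult_connect` is 0, and it does not name the feature by its RFC term, which is how operators will search for it. I would add to both texts: `This is the RFC 793 "simultaneous open" handshake. When disabled, a SYN received in SYN_SENT state is ignored, so a crossed connect will time out instead of completing.` — the drop path is in `tcp_rcv_synsent_state_process()` outside the hunk, so verify the wording against it. The sysctl is registered in the global `ipv4_table[]` rather than the per-namespace table, so it is init_net-only and cannot be tuned per container; that is a defensible hardening choice but should be stated in the docs. "Linux's strict implementation of TCP" in the help text is confusing given the sentence describes a permissive behaviour; "Linux's implementation of TCP" is enough.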
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..5d07d0007f01
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From 9a68def74efc52b4ffb88f58d69adf10baebcfa3 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 106/113] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 6f5011b629a3..5fce84adc315 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -491,7 +491,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..b00e4aef9100
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From aec70576169547d96c355cf178eedcc3df05c5ad Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:35:53 +0100
+Subject: [PATCH 107/113] stop hiding SYSFS_SYSCALL behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 970066ca7388..000d1c837e61 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1450,7 +1450,7 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
++ bool "Sysfs syscall support"
+ default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..a44ae5cd603c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
@@ -0,0 +1,31 @@
+From d6cdd8b412d47ae0a2d304ac8a72dd1a1612848e Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:36:54 +0100
+Subject: [PATCH 108/113] disable SYSFS_SYSCALL by default
+
+---
+ init/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 000d1c837e61..9d2db9918396 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1451,13 +1451,12 @@ config SGETMASK_SYSCALL
+
+ config SYSFS_SYSCALL
+ bool "Sysfs syscall support"
+- default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config FHANDLE
+ bool "open by fhandle syscalls" if EXPERT
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
new file mode 100644
index 000000000000..6d9c80265d7b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 4ba88d7fca4212c2fa9434053340ff2307e7f244 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:40:09 +0100
+Subject: [PATCH 109/113] stop hiding UID16 behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 9d2db9918396..eecd7915db04 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1419,7 +1419,7 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+ default y
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0110-disable-UID16-by-default.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0110-disable-UID16-by-default.patch
new file mode 100644
index 000000000000..34fce335a5db
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0110-disable-UID16-by-default.patch
@@ -0,0 +1,24 @@
+From e7b3be3e2b158742fc09297e3dcc20a2fcbbdddd Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:41:32 +0100
+Subject: [PATCH 110/113] disable UID16 by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index eecd7915db04..2feea719cc25 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1421,7 +1421,6 @@ menuconfig EXPERT
+ config UID16
+ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+--
+2.30.0
+
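Review bot: Dropping `default y` from `config UID16` in init/Kconfig changes the outcome on every arch with HAVE_UID16 (32-bit x86 and ARM among them), but the help text — of which only `This enables the legacy 16-bit UID syscall wrappers.` is visible here — says nothing about the consequence or gives a recommendation, unlike the companion SYSFS_SYSCALL patch which updates its `If unsure` line. I would append to the help: `Old or statically linked 32-bit binaries that still use the 16-bit UID syscalls will get ENOSYS when this is disabled. If unsure, say N.` The rest of the help block is outside the hunk.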
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..10663f7b8b43
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From 17422507f9bf2b9281a186753f9a9699e5979f25 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 111/113] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.30.0
+
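Review bot: In both timer callbacks the only guard in front of `hc = ccid_priv(dp->dccps_hc_tx_ccid)` is the `inet_sk_state_load(sk) == DCCP_CLOSED` test, so a socket whose TX CCID has already been deleted (the companion revert makes dccp_disconnect set `dccps_hc_tx_ccid` to NULL) and that later leaves CLOSED again would be dereferenced through a NULL-based pointer by a late callback; the ordering inside dccp_disconnect may make that window unreachable, but a cheap `if (!dp->dccps_hc_tx_ccid) goto out;` after the state check would make the callbacks robust regardless. The new field comment `@dccps_ccid_timer - used by the CCIDs` should also say that this is the single timer shared by whichever TX CCID is active (ccid2 RTO, ccid3 no-feedback), that the CCID's tx_exit hook must stop it before the CCID memory is freed, and that callbacks must check the socket state before touching dccps_hc_tx_ccid because the CCID may already be gone. In ccid3 the `sock_owned_by_user` reschedule runs before `hc` is assigned, which is fine since `restart_timer` only touches `dp->dccps_ccid_timer`.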
diff --git a/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..ba089cd6f28f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.7/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From 6da0a92685012a4c1809009b79ad3b0f62cae3db Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 112/113] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.30.0
+
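Review bot: Freeing the TX CCID in dccp_disconnect is only safe because the preceding patch moved the CCID timers out of the ccid private struct into dccp_sock; applied on its own, this revert would reinstate the problem the reverted commit originally worked around (a timer firing into freed `ccid2_hc_tx_sock` memory), so the series ordering is load-bearing. A one-line comment at the new call, `/* safe to free here: the CCID timer now lives in dccp_sock (dccps_ccid_timer) */`, would record that dependency for anyone rebasing. This also presumes `ccid_hc_tx_delete` tolerates a NULL ccid on a repeated disconnect the way the rx call above it evidently must; worth confirming. dccp_disconnect continues outside the hunk.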
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..245dcc29fa56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
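Review bot: The new `user.*` branch in shmem_xattr_handler_set carries no comment, yet it is the only thing keeping unprivileged tmpfs users from storing arbitrary user xattrs in kernel memory: it admits exactly `user.pax.flags` and caps the value at 8 bytes. I'd add `/* tmpfs accepts a single user.* attribute, user.pax.flags, and bounds its value so unprivileged writers cannot grow kernel memory through xattrs */` above the strncmp. The get side reuses `shmem_xattr_handler_get` unchanged, so any `user.*` name can be queried even though only one can ever be set; harmless, but worth a sentence in the same comment so nobody "fixes" the asymmetry by loosening the set path.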
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..f0ed144fb17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
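Review bot: The patch flips `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` to 1 but leaves `sysctl_protected_fifos` and `sysctl_protected_regular` on the lines right below at their zero default, so O_CREAT opens of FIFOs and regular files in world-writable sticky directories stay unrestricted by default on this hardened tree. If that is deliberate, a comment beside them saying so would stop the next reader from assuming an oversight; otherwise `int sysctl_protected_fifos __read_mostly = 1;` and `int sysctl_protected_regular __read_mostly = 1;` would match the intent of the link restrictions, with the caveat that protected_regular can break workloads that hand files around in /tmp and should be tested before shipping.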
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..394ad48fc20c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1
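Review bot: The early `return 1` when SSP is off means a peer that negotiates a legacy (non-SSP) link now bypasses not only the encryption-flag check but also the minimum encryption key size enforcement that follows later in the function, so the key-size floor referenced by the Fixes line applies only to SSP links after this patch. That is the intended trade-off for legacy mice and similar devices, but the added comment should say so explicitly, e.g. `/* ... no encryption or key sizes can be enforced; a legacy peer therefore also skips the minimum key size check below. */`, so nobody later reads it as "legacy links are still key-size checked". hci_conn_check_link_mode begins and ends outside the hunk.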
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..433568579cab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..e6ec017d46c8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
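Review bot: `0x3010000fL` is a bare magic number gating whether LibreSSL gets the CMS path; a comment naming the release it stands for, `/* LibreSSL 3.1.0 is the first release with CMS support */`, would make the intent checkable at the next LibreSSL bump — I am reading 3.1.0 off the constant's layout, so confirm against the LibreSSL changelog. Per the comment directly above the condition, builds that still land in the PKCS#7 branch are limited to SHA-1 module signatures, so the same comment should note that older LibreSSL keeps that weaker signing default rather than failing the build.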
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..e754a3e6e459
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,169 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-09-24 03:06:47.590000000 -0400
++++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
+@@ -0,0 +1,158 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++ select USER_NS
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
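Review bot: `GENTOO_LINUX_INIT_SYSTEMD` selects `DEVPTS_MULTIPLE_INSTANCES` and `ANON_INODES`, which as far as I know no longer exist as Kconfig symbols in a 5.10 tree (the former went away when devpts became per-mount, the latter when anon inodes became unconditional), so those two lines are presumably dead; verify with menuconfig and drop them if so. More important for a hardened profile, the same option selects `USER_NS` and `BPF_SYSCALL`, both of which widen the unprivileged kernel attack surface, yet the help text only says it enables "suggested optional settings"; the help should name those two so anyone turning on systemd support knows what else they are enabling, or they should move to a separate option that can be declined.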
diff --git a/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
new file mode 100644
index 000000000000..665fc660b0de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
@@ -0,0 +1,2203 @@
+--- /dev/null 2021-01-08 13:33:13.190303432 -0500
++++ b/fs/shiftfs.c 2021-01-08 19:02:40.000000000 -0500
+@@ -0,0 +1,2157 @@
++#include <linux/btrfs.h>
++#include <linux/capability.h>
++#include <linux/cred.h>
++#include <linux/mount.h>
++#include <linux/fdtable.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/namei.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/magic.h>
++#include <linux/parser.h>
++#include <linux/security.h>
++#include <linux/seq_file.h>
++#include <linux/statfs.h>
++#include <linux/slab.h>
++#include <linux/user_namespace.h>
++#include <linux/uidgid.h>
++#include <linux/xattr.h>
++#include <linux/posix_acl.h>
++#include <linux/posix_acl_xattr.h>
++#include <linux/uio.h>
++#include <linux/fiemap.h>
++
++struct shiftfs_super_info {
++ struct vfsmount *mnt;
++ struct user_namespace *userns;
++ /* creds of process who created the super block */
++ const struct cred *creator_cred;
++ bool mark;
++ unsigned int passthrough;
++ unsigned int passthrough_mark;
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry);
++
++#define SHIFTFS_PASSTHROUGH_NONE 0
++#define SHIFTFS_PASSTHROUGH_STAT 1
++#define SHIFTFS_PASSTHROUGH_IOCTL 2
++#define SHIFTFS_PASSTHROUGH_ALL \
++ (SHIFTFS_PASSTHROUGH_STAT | SHIFTFS_PASSTHROUGH_IOCTL)
++
++static inline bool shiftfs_passthrough_ioctls(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_IOCTL))
++ return false;
++
++ return true;
++}
++
++static inline bool shiftfs_passthrough_statfs(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_STAT))
++ return false;
++
++ return true;
++}
++
++enum {
++ OPT_MARK,
++ OPT_PASSTHROUGH,
++ OPT_LAST,
++};
++
++/* global filesystem options */
++static const match_table_t tokens = {
++ { OPT_MARK, "mark" },
++ { OPT_PASSTHROUGH, "passthrough=%u" },
++ { OPT_LAST, NULL }
++};
++
++static const struct cred *shiftfs_override_creds(const struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ return override_creds(sbinfo->creator_cred);
++}
++
++static inline void shiftfs_revert_object_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ revert_creds(oldcred);
++ put_cred(newcred);
++}
++
++static kuid_t shift_kuid(struct user_namespace *from, struct user_namespace *to,
++ kuid_t kuid)
++{
++ uid_t uid = from_kuid(from, kuid);
++ return make_kuid(to, uid);
++}
++
++static kgid_t shift_kgid(struct user_namespace *from, struct user_namespace *to,
++ kgid_t kgid)
++{
++ gid_t gid = from_kgid(from, kgid);
++ return make_kgid(to, gid);
++}
++
++static int shiftfs_override_object_creds(const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred,
++ struct dentry *dentry, umode_t mode,
++ bool hardlink)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ if (!hardlink) {
++ int err = security_dentry_create_files_as(dentry, mode,
++ &dentry->d_name,
++ *oldcred, *newcred);
++ if (err) {
++ shiftfs_revert_object_creds(*oldcred, *newcred);
++ return err;
++ }
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static void shiftfs_copyattr(struct inode *from, struct inode *to)
++{
++ struct user_namespace *from_ns = from->i_sb->s_user_ns;
++ struct user_namespace *to_ns = to->i_sb->s_user_ns;
++
++ to->i_uid = shift_kuid(from_ns, to_ns, from->i_uid);
++ to->i_gid = shift_kgid(from_ns, to_ns, from->i_gid);
++ to->i_mode = from->i_mode;
++ to->i_atime = from->i_atime;
++ to->i_mtime = from->i_mtime;
++ to->i_ctime = from->i_ctime;
++ i_size_write(to, i_size_read(from));
++}
++
++static void shiftfs_copyflags(struct inode *from, struct inode *to)
++{
++ unsigned int mask = S_SYNC | S_IMMUTABLE | S_APPEND | S_NOATIME;
++
++ inode_set_flags(to, from->i_flags & mask, mask);
++}
++
++static void shiftfs_file_accessed(struct file *file)
++{
++ struct inode *upperi, *loweri;
++
++ if (file->f_flags & O_NOATIME)
++ return;
++
++ upperi = file_inode(file);
++ loweri = upperi->i_private;
++
++ if (!loweri)
++ return;
++
++ upperi->i_mtime = loweri->i_mtime;
++ upperi->i_ctime = loweri->i_ctime;
++
++ touch_atime(&file->f_path);
++}
++
++static int shiftfs_parse_mount_options(struct shiftfs_super_info *sbinfo,
++ char *options)
++{
++ char *p;
++ substring_t args[MAX_OPT_ARGS];
++
++ sbinfo->mark = false;
++ sbinfo->passthrough = 0;
++
++ while ((p = strsep(&options, ",")) != NULL) {
++ int err, intarg, token;
++
++ if (!*p)
++ continue;
++
++ token = match_token(p, tokens, args);
++ switch (token) {
++ case OPT_MARK:
++ sbinfo->mark = true;
++ break;
++ case OPT_PASSTHROUGH:
++ err = match_int(&args[0], &intarg);
++ if (err)
++ return err;
++
++ if (intarg & ~SHIFTFS_PASSTHROUGH_ALL)
++ return -EINVAL;
++
++ sbinfo->passthrough = intarg;
++ break;
++ default:
++ return -EINVAL;
++ }
++ }
++
++ return 0;
++}
++
++static void shiftfs_d_release(struct dentry *dentry)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (lowerd)
++ dput(lowerd);
++}
++
++static struct dentry *shiftfs_d_real(struct dentry *dentry,
++ const struct inode *inode)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (inode && d_inode(dentry) == inode)
++ return dentry;
++
++ lowerd = d_real(lowerd, inode);
++ if (lowerd && (!inode || inode == d_inode(lowerd)))
++ return lowerd;
++
++ WARN(1, "shiftfs_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
++ inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
++ return dentry;
++}
++
++static int shiftfs_d_weak_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_is_negative(lowerd) != d_is_negative(dentry))
++ return 0;
++
++ if ((lowerd->d_flags & DCACHE_OP_WEAK_REVALIDATE))
++ err = lowerd->d_op->d_weak_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static int shiftfs_d_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_unhashed(lowerd) ||
++ ((d_is_negative(lowerd) != d_is_negative(dentry))))
++ return 0;
++
++ if (flags & LOOKUP_RCU)
++ return -ECHILD;
++
++ if ((lowerd->d_flags & DCACHE_OP_REVALIDATE))
++ err = lowerd->d_op->d_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static const struct dentry_operations shiftfs_dentry_ops = {
++ .d_release = shiftfs_d_release,
++ .d_real = shiftfs_d_real,
++ .d_revalidate = shiftfs_d_revalidate,
++ .d_weak_revalidate = shiftfs_d_weak_revalidate,
++};
++
++static const char *shiftfs_get_link(struct dentry *dentry, struct inode *inode,
++ struct delayed_call *done)
++{
++ const char *p;
++ const struct cred *oldcred;
++ struct dentry *lowerd;
++
++ /* RCU lookup not supported */
++ if (!dentry)
++ return ERR_PTR(-ECHILD);
++
++ lowerd = dentry->d_fsdata;
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ p = vfs_get_link(lowerd, done);
++ revert_creds(oldcred);
++
++ return p;
++}
++
++static int shiftfs_setxattr(struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_setxattr(lowerd, name, value, size, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(lowerd->d_inode, inode);
++
++ return err;
++}
++
++static int shiftfs_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *value, size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_getxattr(lowerd, name, value, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static ssize_t shiftfs_listxattr(struct dentry *dentry, char *list,
++ size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_listxattr(lowerd, list, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_removexattr(struct dentry *dentry, const char *name)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_removexattr(lowerd, name);
++ revert_creds(oldcred);
++
++ /* update c/mtime */
++ shiftfs_copyattr(lowerd->d_inode, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value, size_t size,
++ int flags)
++{
++ if (!value)
++ return shiftfs_removexattr(dentry, name);
++ return shiftfs_setxattr(dentry, inode, name, value, size, flags);
++}
++
++static int shiftfs_inode_test(struct inode *inode, void *data)
++{
++ return inode->i_private == data;
++}
++
++static int shiftfs_inode_set(struct inode *inode, void *data)
++{
++ inode->i_private = data;
++ return 0;
++}
++
++static int shiftfs_create_object(struct inode *diri, struct dentry *dentry,
++ umode_t mode, const char *symlink,
++ struct dentry *hardlink, bool excl)
++{
++ int err;
++ const struct cred *oldcred;
++ struct cred *newcred;
++ void *loweri_iop_ptr = NULL;
++ umode_t modei = mode;
++ struct super_block *dir_sb = diri->i_sb;
++ struct dentry *lowerd_new = dentry->d_fsdata;
++ struct inode *inode = NULL, *loweri_dir = diri->i_private;
++ const struct inode_operations *loweri_dir_iop = loweri_dir->i_op;
++ struct dentry *lowerd_link = NULL;
++
++ if (hardlink) {
++ loweri_iop_ptr = loweri_dir_iop->link;
++ } else {
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ loweri_iop_ptr = loweri_dir_iop->mkdir;
++ break;
++ case S_IFREG:
++ loweri_iop_ptr = loweri_dir_iop->create;
++ break;
++ case S_IFLNK:
++ loweri_iop_ptr = loweri_dir_iop->symlink;
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ loweri_iop_ptr = loweri_dir_iop->mknod;
++ break;
++ }
++ }
++ if (!loweri_iop_ptr) {
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ inode_lock_nested(loweri_dir, I_MUTEX_PARENT);
++
++ if (!hardlink) {
++ inode = new_inode(dir_sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_iput;
++ }
++
++ /*
++ * new_inode() will have added the new inode to the super
++ * block's list of inodes. Further below we will call
++ * inode_insert5() Which would perform the same operation again
++ * thereby corrupting the list. To avoid this raise I_CREATING
++ * in i_state which will cause inode_insert5() to skip this
++ * step. I_CREATING will be cleared by d_instantiate_new()
++ * below.
++ */
++ spin_lock(&inode->i_lock);
++ inode->i_state |= I_CREATING;
++ spin_unlock(&inode->i_lock);
++
++ inode_init_owner(inode, diri, mode);
++ modei = inode->i_mode;
++ }
++
++ err = shiftfs_override_object_creds(dentry->d_sb, &oldcred, &newcred,
++ dentry, modei, hardlink != NULL);
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ lowerd_link = hardlink->d_fsdata;
++ err = vfs_link(lowerd_link, loweri_dir, lowerd_new, NULL);
++ } else {
++ switch (modei & S_IFMT) {
++ case S_IFDIR:
++ err = vfs_mkdir(loweri_dir, lowerd_new, modei);
++ break;
++ case S_IFREG:
++ err = vfs_create(loweri_dir, lowerd_new, modei, excl);
++ break;
++ case S_IFLNK:
++ err = vfs_symlink(loweri_dir, lowerd_new, symlink);
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ err = vfs_mknod(loweri_dir, lowerd_new, modei, 0);
++ break;
++ default:
++ err = -EINVAL;
++ break;
++ }
++ }
++
++ shiftfs_revert_object_creds(oldcred, newcred);
++
++ if (!err && WARN_ON(!lowerd_new->d_inode))
++ err = -EIO;
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ inode = d_inode(hardlink);
++ ihold(inode);
++
++ /* copy up times from lower inode */
++ shiftfs_copyattr(d_inode(lowerd_link), inode);
++ set_nlink(d_inode(hardlink), d_inode(lowerd_link)->i_nlink);
++ d_instantiate(dentry, inode);
++ } else {
++ struct inode *inode_tmp;
++ struct inode *loweri_new = d_inode(lowerd_new);
++
++ inode_tmp = inode_insert5(inode, (unsigned long)loweri_new,
++ shiftfs_inode_test, shiftfs_inode_set,
++ loweri_new);
++ if (unlikely(inode_tmp != inode)) {
++ pr_err_ratelimited("shiftfs: newly created inode found in cache\n");
++ iput(inode_tmp);
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ ihold(loweri_new);
++ shiftfs_fill_inode(inode, loweri_new->i_ino, loweri_new->i_mode,
++ 0, lowerd_new);
++ d_instantiate_new(dentry, inode);
++ }
++
++ shiftfs_copyattr(loweri_dir, diri);
++ if (loweri_iop_ptr == loweri_dir_iop->mkdir)
++ set_nlink(diri, loweri_dir->i_nlink);
++
++ inode = NULL;
++
++out_iput:
++ iput(inode);
++ inode_unlock(loweri_dir);
++
++ return err;
++}
++
++static int shiftfs_create(struct inode *dir, struct dentry *dentry,
++ umode_t mode, bool excl)
++{
++ mode |= S_IFREG;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, excl);
++}
++
++static int shiftfs_mkdir(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ mode |= S_IFDIR;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_link(struct dentry *hardlink, struct inode *dir,
++ struct dentry *dentry)
++{
++ return shiftfs_create_object(dir, dentry, 0, NULL, hardlink, false);
++}
++
++static int shiftfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
++ dev_t rdev)
++{
++ if (!S_ISFIFO(mode) && !S_ISSOCK(mode))
++ return -EPERM;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_symlink(struct inode *dir, struct dentry *dentry,
++ const char *symlink)
++{
++ return shiftfs_create_object(dir, dentry, S_IFLNK, symlink, NULL, false);
++}
++
++static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++ struct inode *inode = d_inode(dentry);
++ int err;
++ const struct cred *oldcred;
++
++ dget(lowerd);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ inode_lock_nested(loweri, I_MUTEX_PARENT);
++ if (rmdir)
++ err = vfs_rmdir(loweri, lowerd);
++ else
++ err = vfs_unlink(loweri, lowerd, NULL);
++ revert_creds(oldcred);
++
++ if (!err) {
++ d_drop(dentry);
++
++ if (rmdir)
++ clear_nlink(inode);
++ else
++ drop_nlink(inode);
++ }
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, dir);
++ dput(lowerd);
++
++ return err;
++}
++
++static int shiftfs_unlink(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, false);
++}
++
++static int shiftfs_rmdir(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, true);
++}
++
++static int shiftfs_rename(struct inode *olddir, struct dentry *old,
++ struct inode *newdir, struct dentry *new,
++ unsigned int flags)
++{
++ struct dentry *lowerd_dir_old = old->d_parent->d_fsdata,
++ *lowerd_dir_new = new->d_parent->d_fsdata,
++ *lowerd_old = old->d_fsdata, *lowerd_new = new->d_fsdata,
++ *trapd;
++ struct inode *loweri_dir_old = lowerd_dir_old->d_inode,
++ *loweri_dir_new = lowerd_dir_new->d_inode;
++ int err = -EINVAL;
++ const struct cred *oldcred;
++
++ trapd = lock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ if (trapd == lowerd_old || trapd == lowerd_new)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(old->d_sb);
++ err = vfs_rename(loweri_dir_old, lowerd_old, loweri_dir_new, lowerd_new,
++ NULL, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(loweri_dir_old, olddir);
++ shiftfs_copyattr(loweri_dir_new, newdir);
++
++out_unlock:
++ unlock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ return err;
++}
++
++static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry *dentry,
++ unsigned int flags)
++{
++ struct dentry *new;
++ struct inode *newi;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_parent->d_fsdata;
++ struct inode *inode = NULL, *loweri = lowerd->d_inode;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ new = lookup_one_len(dentry->d_name.name, lowerd, dentry->d_name.len);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ if (IS_ERR(new))
++ return new;
++
++ dentry->d_fsdata = new;
++
++ newi = new->d_inode;
++ if (!newi)
++ goto out;
++
++ inode = iget5_locked(dentry->d_sb, (unsigned long)newi,
++ shiftfs_inode_test, shiftfs_inode_set, newi);
++ if (!inode) {
++ dput(new);
++ return ERR_PTR(-ENOMEM);
++ }
++ if (inode->i_state & I_NEW) {
++ /*
++ * inode->i_private set by shiftfs_inode_set(), but we still
++ * need to take a reference
++ */
++ ihold(newi);
++ shiftfs_fill_inode(inode, newi->i_ino, newi->i_mode, 0, new);
++ unlock_new_inode(inode);
++ }
++
++out:
++ return d_splice_alias(inode, dentry);
++}
++
++static int shiftfs_permission(struct inode *inode, int mask)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri) {
++ WARN_ON(!(mask & MAY_NOT_BLOCK));
++ return -ECHILD;
++ }
++
++ err = generic_permission(inode, mask);
++ if (err)
++ return err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = inode_permission(loweri, mask);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_fiemap(struct inode *inode,
++ struct fiemap_extent_info *fieinfo, u64 start,
++ u64 len)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri->i_op->fiemap)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ if (fieinfo->fi_flags & FIEMAP_FLAG_SYNC)
++ filemap_write_and_wait(loweri->i_mapping);
++ err = loweri->i_op->fiemap(loweri, fieinfo, start, len);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_tmpfile(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ int err;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++
++ if (!loweri->i_op->tmpfile)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(dir->i_sb);
++ err = loweri->i_op->tmpfile(loweri, lowerd, mode);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_setattr(struct dentry *dentry, struct iattr *attr)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct iattr newattr;
++ const struct cred *oldcred;
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ int err;
++
++ err = setattr_prepare(dentry, attr);
++ if (err)
++ return err;
++
++ newattr = *attr;
++ newattr.ia_uid = shift_kuid(sb->s_user_ns, sbinfo->userns, attr->ia_uid);
++ newattr.ia_gid = shift_kgid(sb->s_user_ns, sbinfo->userns, attr->ia_gid);
++
++ /*
++ * mode change is for clearing setuid/setgid bits. Allow lower fs
++ * to interpret this in its own way.
++ */
++ if (newattr.ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
++ newattr.ia_valid &= ~ATTR_MODE;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = notify_change(lowerd, &newattr, NULL);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_getattr(const struct path *path, struct kstat *stat,
++ u32 request_mask, unsigned int query_flags)
++{
++ struct inode *inode = path->dentry->d_inode;
++ struct dentry *lowerd = path->dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct shiftfs_super_info *info = path->dentry->d_sb->s_fs_info;
++ struct path newpath = { .mnt = info->mnt, .dentry = lowerd };
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ const struct cred *oldcred;
++ int err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = vfs_getattr(&newpath, stat, request_mask, query_flags);
++ revert_creds(oldcred);
++
++ if (err)
++ return err;
++
++ /* transform the underlying id */
++ stat->uid = shift_kuid(from_ns, to_ns, stat->uid);
++ stat->gid = shift_kgid(from_ns, to_ns, stat->gid);
++ return 0;
++}
++
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++
++static int
++shift_acl_ids(struct user_namespace *from, struct user_namespace *to,
++ struct posix_acl *acl)
++{
++ int i;
++
++ for (i = 0; i < acl->a_count; i++) {
++ struct posix_acl_entry *e = &acl->a_entries[i];
++ switch(e->e_tag) {
++ case ACL_USER:
++ e->e_uid = shift_kuid(from, to, e->e_uid);
++ if (!uid_valid(e->e_uid))
++ return -EOVERFLOW;
++ break;
++ case ACL_GROUP:
++ e->e_gid = shift_kgid(from, to, e->e_gid);
++ if (!gid_valid(e->e_gid))
++ return -EOVERFLOW;
++ break;
++ }
++ }
++ return 0;
++}
++
++static void
++shift_acl_xattr_ids(struct user_namespace *from, struct user_namespace *to,
++ void *value, size_t size)
++{
++ struct posix_acl_xattr_header *header = value;
++ struct posix_acl_xattr_entry *entry = (void *)(header + 1), *end;
++ int count;
++ kuid_t kuid;
++ kgid_t kgid;
++
++ if (!value)
++ return;
++ if (size < sizeof(struct posix_acl_xattr_header))
++ return;
++ if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
++ return;
++
++ count = posix_acl_xattr_count(size);
++ if (count < 0)
++ return;
++ if (count == 0)
++ return;
++
++ for (end = entry + count; entry != end; entry++) {
++ switch(le16_to_cpu(entry->e_tag)) {
++ case ACL_USER:
++ kuid = make_kuid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kuid = shift_kuid(from, to, kuid);
++ entry->e_id = cpu_to_le32(from_kuid(&init_user_ns, kuid));
++ break;
++ case ACL_GROUP:
++ kgid = make_kgid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kgid = shift_kgid(from, to, kgid);
++ entry->e_id = cpu_to_le32(from_kgid(&init_user_ns, kgid));
++ break;
++ default:
++ break;
++ }
++ }
++}
++
++static struct posix_acl *shiftfs_get_acl(struct inode *inode, int type)
++{
++ struct inode *loweri = inode->i_private;
++ const struct cred *oldcred;
++ struct posix_acl *lower_acl, *acl = NULL;
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ int size;
++ int err;
++
++ if (!IS_POSIXACL(loweri))
++ return NULL;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ lower_acl = get_acl(loweri, type);
++ revert_creds(oldcred);
++
++ if (lower_acl && !IS_ERR(lower_acl)) {
++ /* XXX: export posix_acl_clone? */
++ size = sizeof(struct posix_acl) +
++ lower_acl->a_count * sizeof(struct posix_acl_entry);
++ acl = kmemdup(lower_acl, size, GFP_KERNEL);
++ posix_acl_release(lower_acl);
++
++ if (!acl)
++ return ERR_PTR(-ENOMEM);
++
++ refcount_set(&acl->a_refcount, 1);
++
++ err = shift_acl_ids(from_ns, to_ns, acl);
++ if (err) {
++ kfree(acl);
++ return ERR_PTR(err);
++ }
++ }
++
++ return acl;
++}
++
++static int
++shiftfs_posix_acl_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *buffer, size_t size)
++{
++ struct inode *loweri = inode->i_private;
++ int ret;
++
++ ret = shiftfs_xattr_get(NULL, dentry, inode, handler->name,
++ buffer, size);
++ if (ret < 0)
++ return ret;
++
++ inode_lock(loweri);
++ shift_acl_xattr_ids(loweri->i_sb->s_user_ns, inode->i_sb->s_user_ns,
++ buffer, size);
++ inode_unlock(loweri);
++ return ret;
++}
++
++static int
++shiftfs_posix_acl_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct inode *loweri = inode->i_private;
++ int err;
++
++ if (!IS_POSIXACL(loweri) || !loweri->i_op->set_acl)
++ return -EOPNOTSUPP;
++ if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
++ return value ? -EACCES : 0;
++ if (!inode_owner_or_capable(inode))
++ return -EPERM;
++
++ if (value) {
++ shift_acl_xattr_ids(inode->i_sb->s_user_ns,
++ loweri->i_sb->s_user_ns,
++ (void *)value, size);
++ err = shiftfs_setxattr(dentry, inode, handler->name, value,
++ size, flags);
++ } else {
++ err = shiftfs_removexattr(dentry, handler->name);
++ }
++
++ if (!err)
++ shiftfs_copyattr(loweri, inode);
++
++ return err;
++}
++
++static const struct xattr_handler
++shiftfs_posix_acl_access_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_ACCESS,
++ .flags = ACL_TYPE_ACCESS,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++static const struct xattr_handler
++shiftfs_posix_acl_default_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_DEFAULT,
++ .flags = ACL_TYPE_DEFAULT,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++#else /* !CONFIG_SHIFT_FS_POSIX_ACL */
++
++#define shiftfs_get_acl NULL
++
++#endif /* CONFIG_SHIFT_FS_POSIX_ACL */
++
++static const struct inode_operations shiftfs_dir_inode_operations = {
++ .lookup = shiftfs_lookup,
++ .mkdir = shiftfs_mkdir,
++ .symlink = shiftfs_symlink,
++ .unlink = shiftfs_unlink,
++ .rmdir = shiftfs_rmdir,
++ .rename = shiftfs_rename,
++ .link = shiftfs_link,
++ .setattr = shiftfs_setattr,
++ .create = shiftfs_create,
++ .mknod = shiftfs_mknod,
++ .permission = shiftfs_permission,
++ .getattr = shiftfs_getattr,
++ .listxattr = shiftfs_listxattr,
++ .get_acl = shiftfs_get_acl,
++};
++
++static const struct inode_operations shiftfs_file_inode_operations = {
++ .fiemap = shiftfs_fiemap,
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++ .tmpfile = shiftfs_tmpfile,
++};
++
++static const struct inode_operations shiftfs_special_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++};
++
++static const struct inode_operations shiftfs_symlink_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_link = shiftfs_get_link,
++ .listxattr = shiftfs_listxattr,
++ .setattr = shiftfs_setattr,
++};
++
++static struct file *shiftfs_open_realfile(const struct file *file,
++ struct inode *realinode)
++{
++ struct file *realfile;
++ const struct cred *old_cred;
++ struct inode *inode = file_inode(file);
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ old_cred = shiftfs_override_creds(inode->i_sb);
++ realfile = open_with_fake_path(&realpath, file->f_flags, realinode,
++ info->creator_cred);
++ revert_creds(old_cred);
++
++ return realfile;
++}
++
++#define SHIFTFS_SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT)
++
++static int shiftfs_change_flags(struct file *file, unsigned int flags)
++{
++ struct inode *inode = file_inode(file);
++ int err;
++
++ /* if some flag changed that cannot be changed then something's amiss */
++ if (WARN_ON((file->f_flags ^ flags) & ~SHIFTFS_SETFL_MASK))
++ return -EIO;
++
++ flags &= SHIFTFS_SETFL_MASK;
++
++ if (((flags ^ file->f_flags) & O_APPEND) && IS_APPEND(inode))
++ return -EPERM;
++
++ if (flags & O_DIRECT) {
++ if (!file->f_mapping->a_ops ||
++ !file->f_mapping->a_ops->direct_IO)
++ return -EINVAL;
++ }
++
++ if (file->f_op->check_flags) {
++ err = file->f_op->check_flags(flags);
++ if (err)
++ return err;
++ }
++
++ spin_lock(&file->f_lock);
++ file->f_flags = (file->f_flags & ~SHIFTFS_SETFL_MASK) | flags;
++ spin_unlock(&file->f_lock);
++
++ return 0;
++}
++
++static int shiftfs_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++
++ realfile = shiftfs_open_realfile(file, inode->i_private);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO. */
++ file->f_mapping = realfile->f_mapping;
++
++ return 0;
++}
++
++static int shiftfs_dir_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++ const struct cred *oldcred;
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ realfile = dentry_open(&realpath, file->f_flags | O_NOATIME,
++ info->creator_cred);
++ revert_creds(oldcred);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++
++ return 0;
++}
++
++static int shiftfs_release(struct inode *inode, struct file *file)
++{
++ struct file *realfile = file->private_data;
++
++ if (realfile)
++ fput(realfile);
++
++ return 0;
++}
++
++static int shiftfs_dir_release(struct inode *inode, struct file *file)
++{
++ return shiftfs_release(inode, file);
++}
++
++static loff_t shiftfs_dir_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct file *realfile = file->private_data;
++
++ return vfs_llseek(realfile, offset, whence);
++}
++
++static loff_t shiftfs_file_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct inode *realinode = file_inode(file)->i_private;
++
++ return generic_file_llseek_size(file, offset, whence,
++ realinode->i_sb->s_maxbytes,
++ i_size_read(realinode));
++}
++
++/* XXX: Need to figure out what to to about atime updates, maybe other
++ * timestamps too ... ref. ovl_file_accessed() */
++
++static rwf_t shiftfs_iocb_to_rwf(struct kiocb *iocb)
++{
++ int ifl = iocb->ki_flags;
++ rwf_t flags = 0;
++
++ if (ifl & IOCB_NOWAIT)
++ flags |= RWF_NOWAIT;
++ if (ifl & IOCB_HIPRI)
++ flags |= RWF_HIPRI;
++ if (ifl & IOCB_DSYNC)
++ flags |= RWF_DSYNC;
++ if (ifl & IOCB_SYNC)
++ flags |= RWF_SYNC;
++
++ return flags;
++}
++
++static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
++{
++ struct file *realfile;
++
++ if (file->f_op->open != shiftfs_open &&
++ file->f_op->open != shiftfs_dir_open)
++ return -EINVAL;
++
++ realfile = file->private_data;
++ lowerfd->flags = 0;
++ lowerfd->file = realfile;
++
++ /* Did the flags change since open? */
++ if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
++ return shiftfs_change_flags(lowerfd->file, file->f_flags);
++
++ return 0;
++}
++
++static ssize_t shiftfs_read_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_iter_read(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static ssize_t shiftfs_write_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct inode *inode = file_inode(file);
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ inode_lock(inode);
++ /* Update mode */
++ shiftfs_copyattr(inode->i_private, inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ file_start_write(lowerfd.file);
++ ret = vfs_iter_write(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ file_end_write(lowerfd.file);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(inode->i_private, inode);
++
++ fdput(lowerfd);
++
++out_unlock:
++ inode_unlock(inode);
++ return ret;
++}
++
++static int shiftfs_fsync(struct file *file, loff_t start, loff_t end,
++ int datasync)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fsync_range(lowerfd.file, start, end, datasync);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *realfile = file->private_data;
++ const struct cred *oldcred;
++ int ret;
++
++ if (!realfile->f_op->mmap)
++ return -ENODEV;
++
++ if (WARN_ON(file != vma->vm_file))
++ return -EIO;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ vma->vm_file = get_file(realfile);
++ ret = call_mmap(vma->vm_file, vma);
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ if (ret) {
++ /*
++ * Drop refcount from new vm_file value and restore original
++ * vm_file value
++ */
++ vma->vm_file = file;
++ fput(realfile);
++ } else {
++ /* Drop refcount from previous vm_file value */
++ fput(file);
++ }
++
++ return ret;
++}
++
++static long shiftfs_fallocate(struct file *file, int mode, loff_t offset,
++ loff_t len)
++{
++ struct inode *inode = file_inode(file);
++ struct inode *loweri = inode->i_private;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fallocate(lowerfd.file, mode, offset, len);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_fadvise(struct file *file, loff_t offset, loff_t len,
++ int advice)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fadvise(lowerfd.file, offset, len, advice);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_override_ioctl_creds(int cmd, const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ /* clear all caps to prevent bypassing capable() checks */
++ cap_clear((*newcred)->cap_bset);
++ cap_clear((*newcred)->cap_effective);
++ cap_clear((*newcred)->cap_inheritable);
++ cap_clear((*newcred)->cap_permitted);
++
++ if (cmd == BTRFS_IOC_SNAP_DESTROY) {
++ kuid_t kuid_root = make_kuid(sb->s_user_ns, 0);
++ /*
++ * Allow the root user in the container to remove subvolumes
++ * from other users.
++ */
++ if (uid_valid(kuid_root) && uid_eq(fsuid, kuid_root))
++ cap_raise((*newcred)->cap_effective, CAP_DAC_OVERRIDE);
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static inline void shiftfs_revert_ioctl_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ return shiftfs_revert_object_creds(oldcred, newcred);
++}
++
++static inline bool is_btrfs_snap_ioctl(int cmd)
++{
++ if ((cmd == BTRFS_IOC_SNAP_CREATE) || (cmd == BTRFS_IOC_SNAP_CREATE_V2))
++ return true;
++
++ return false;
++}
++
++static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
++ struct btrfs_ioctl_vol_args *v1,
++ struct btrfs_ioctl_vol_args_v2 *v2)
++{
++ int ret;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE)
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ else
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++
++ __close_fd(current->files, fd);
++ kfree(v1);
++ kfree(v2);
++
++ return ret;
++}
++
++static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
++ struct btrfs_ioctl_vol_args **b1,
++ struct btrfs_ioctl_vol_args_v2 **b2,
++ int *newfd)
++{
++ int oldfd, ret;
++ struct fd src;
++ struct fd lfd = {};
++ struct btrfs_ioctl_vol_args *v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *v2 = NULL;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1 = memdup_user(arg, sizeof(*v1));
++ if (IS_ERR(v1))
++ return PTR_ERR(v1);
++ oldfd = v1->fd;
++ *b1 = v1;
++ } else {
++ v2 = memdup_user(arg, sizeof(*v2));
++ if (IS_ERR(v2))
++ return PTR_ERR(v2);
++ oldfd = v2->fd;
++ *b2 = v2;
++ }
++
++ src = fdget(oldfd);
++ if (!src.file)
++ return -EINVAL;
++
++ ret = shiftfs_real_fdget(src.file, &lfd);
++ if (ret) {
++ fdput(src);
++ return ret;
++ }
++
++ /*
++ * shiftfs_real_fdget() does not take a reference to lfd.file, so
++ * take a reference here to offset the one which will be put by
++ * __close_fd(), and make sure that reference is put on fdput(lfd).
++ */
++ get_file(lfd.file);
++ lfd.flags |= FDPUT_FPUT;
++ fdput(src);
++
++ *newfd = get_unused_fd_flags(lfd.file->f_flags);
++ if (*newfd < 0) {
++ fdput(lfd);
++ return *newfd;
++ }
++
++ fd_install(*newfd, lfd.file);
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1->fd = *newfd;
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ v1->fd = oldfd;
++ } else {
++ v2->fd = *newfd;
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++ v2->fd = oldfd;
++ }
++
++ if (ret)
++ shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
++
++ return ret;
++}
++
++static long shiftfs_real_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct fd lowerfd;
++ struct cred *newcred;
++ const struct cred *oldcred;
++ int newfd = -EBADF;
++ long err = 0, ret = 0;
++ void __user *argp = (void __user *)arg;
++ struct super_block *sb = file->f_path.dentry->d_sb;
++ struct btrfs_ioctl_vol_args *btrfs_v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *btrfs_v2 = NULL;
++
++ ret = shiftfs_btrfs_ioctl_fd_replace(cmd, argp, &btrfs_v1, &btrfs_v2,
++ &newfd);
++ if (ret < 0)
++ return ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_restore;
++
++ ret = shiftfs_override_ioctl_creds(cmd, sb, &oldcred, &newcred);
++ if (ret)
++ goto out_fdput;
++
++ ret = vfs_ioctl(lowerfd.file, cmd, arg);
++
++ shiftfs_revert_ioctl_creds(oldcred, newcred);
++
++ shiftfs_copyattr(file_inode(lowerfd.file), file_inode(file));
++ shiftfs_copyflags(file_inode(lowerfd.file), file_inode(file));
++
++out_fdput:
++ fdput(lowerfd);
++
++out_restore:
++ err = shiftfs_btrfs_ioctl_fd_restore(cmd, newfd, argp,
++ btrfs_v1, btrfs_v2);
++ if (!ret)
++ ret = err;
++
++ return ret;
++}
++
++static bool in_ioctl_whitelist(int flag, unsigned long arg)
++{
++ void __user *argp = (void __user *)arg;
++ u64 flags = 0;
++
++ switch (flag) {
++ case BTRFS_IOC_FS_INFO:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_GETFLAGS:
++ return true;
++ case BTRFS_IOC_SUBVOL_SETFLAGS:
++ if (copy_from_user(&flags, argp, sizeof(flags)))
++ return false;
++
++ if (flags & ~BTRFS_SUBVOL_RDONLY)
++ return false;
++
++ return true;
++ case BTRFS_IOC_SNAP_DESTROY:
++ return true;
++ }
++
++ return false;
++}
++
++static long shiftfs_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC_GETVERSION:
++ /* fall through */
++ case FS_IOC_GETFLAGS:
++ /* fall through */
++ case FS_IOC_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOTTY;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++static long shiftfs_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC32_GETVERSION:
++ /* fall through */
++ case FS_IOC32_GETFLAGS:
++ /* fall through */
++ case FS_IOC32_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOIOCTLCMD;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++enum shiftfs_copyop {
++ SHIFTFS_COPY,
++ SHIFTFS_CLONE,
++ SHIFTFS_DEDUPE,
++};
++
++static ssize_t shiftfs_copyfile(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out, u64 len,
++ unsigned int flags, enum shiftfs_copyop op)
++{
++ ssize_t ret;
++ struct fd real_in, real_out;
++ const struct cred *oldcred;
++ struct inode *inode_out = file_inode(file_out);
++ struct inode *loweri = inode_out->i_private;
++
++ ret = shiftfs_real_fdget(file_out, &real_out);
++ if (ret)
++ return ret;
++
++ ret = shiftfs_real_fdget(file_in, &real_in);
++ if (ret) {
++ fdput(real_out);
++ return ret;
++ }
++
++ oldcred = shiftfs_override_creds(inode_out->i_sb);
++ switch (op) {
++ case SHIFTFS_COPY:
++ ret = vfs_copy_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_CLONE:
++ ret = vfs_clone_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_DEDUPE:
++ ret = vfs_dedupe_file_range_one(real_in.file, pos_in,
++ real_out.file, pos_out, len,
++ flags);
++ break;
++ }
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode_out);
++
++ fdput(real_in);
++ fdput(real_out);
++
++ return ret;
++}
++
++static ssize_t shiftfs_copy_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ size_t len, unsigned int flags)
++{
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len, flags,
++ SHIFTFS_COPY);
++}
++
++static loff_t shiftfs_remap_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ loff_t len, unsigned int remap_flags)
++{
++ enum shiftfs_copyop op;
++
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
++ return -EINVAL;
++
++ if (remap_flags & REMAP_FILE_DEDUP)
++ op = SHIFTFS_DEDUPE;
++ else
++ op = SHIFTFS_CLONE;
++
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len,
++ remap_flags, op);
++}
++
++static int shiftfs_iterate_shared(struct file *file, struct dir_context *ctx)
++{
++ const struct cred *oldcred;
++ int err = -ENOTDIR;
++ struct file *realfile = file->private_data;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ err = iterate_dir(realfile, ctx);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++const struct file_operations shiftfs_file_operations = {
++ .open = shiftfs_open,
++ .release = shiftfs_release,
++ .llseek = shiftfs_file_llseek,
++ .read_iter = shiftfs_read_iter,
++ .write_iter = shiftfs_write_iter,
++ .fsync = shiftfs_fsync,
++ .mmap = shiftfs_mmap,
++ .fallocate = shiftfs_fallocate,
++ .fadvise = shiftfs_fadvise,
++ .unlocked_ioctl = shiftfs_ioctl,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .copy_file_range = shiftfs_copy_file_range,
++ .remap_file_range = shiftfs_remap_file_range,
++};
++
++const struct file_operations shiftfs_dir_operations = {
++ .open = shiftfs_dir_open,
++ .release = shiftfs_dir_release,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .fsync = shiftfs_fsync,
++ .iterate_shared = shiftfs_iterate_shared,
++ .llseek = shiftfs_dir_llseek,
++ .read = generic_read_dir,
++ .unlocked_ioctl = shiftfs_ioctl,
++};
++
++static const struct address_space_operations shiftfs_aops = {
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
++ .direct_IO = noop_direct_IO,
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry)
++{
++ struct inode *loweri;
++
++ inode->i_ino = ino;
++ inode->i_flags |= S_NOCMTIME;
++
++ mode &= S_IFMT;
++ inode->i_mode = mode;
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ inode->i_op = &shiftfs_dir_inode_operations;
++ inode->i_fop = &shiftfs_dir_operations;
++ break;
++ case S_IFLNK:
++ inode->i_op = &shiftfs_symlink_inode_operations;
++ break;
++ case S_IFREG:
++ inode->i_op = &shiftfs_file_inode_operations;
++ inode->i_fop = &shiftfs_file_operations;
++ inode->i_mapping->a_ops = &shiftfs_aops;
++ break;
++ default:
++ inode->i_op = &shiftfs_special_inode_operations;
++ init_special_inode(inode, mode, dev);
++ break;
++ }
++
++ if (!dentry)
++ return;
++
++ loweri = dentry->d_inode;
++ if (!loweri->i_op->get_link)
++ inode->i_opflags |= IOP_NOFOLLOW;
++
++ shiftfs_copyattr(loweri, inode);
++ shiftfs_copyflags(loweri, inode);
++ set_nlink(inode, loweri->i_nlink);
++}
++
++static int shiftfs_show_options(struct seq_file *m, struct dentry *dentry)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo->mark)
++ seq_show_option(m, "mark", NULL);
++
++ if (sbinfo->passthrough)
++ seq_printf(m, ",passthrough=%u", sbinfo->passthrough);
++
++ return 0;
++}
++
++static int shiftfs_statfs(struct dentry *dentry, struct kstatfs *buf)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ struct dentry *root = sb->s_root;
++ struct dentry *realroot = root->d_fsdata;
++ struct path realpath = { .mnt = sbinfo->mnt, .dentry = realroot };
++ int err;
++
++ err = vfs_statfs(&realpath, buf);
++ if (err)
++ return err;
++
++ if (!shiftfs_passthrough_statfs(sbinfo))
++ buf->f_type = sb->s_magic;
++
++ return 0;
++}
++
++static void shiftfs_evict_inode(struct inode *inode)
++{
++ struct inode *loweri = inode->i_private;
++
++ clear_inode(inode);
++
++ if (loweri)
++ iput(loweri);
++}
++
++static void shiftfs_put_super(struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo) {
++ mntput(sbinfo->mnt);
++ put_cred(sbinfo->creator_cred);
++ kfree(sbinfo);
++ }
++}
++
++static const struct xattr_handler shiftfs_xattr_handler = {
++ .prefix = "",
++ .get = shiftfs_xattr_get,
++ .set = shiftfs_xattr_set,
++};
++
++const struct xattr_handler *shiftfs_xattr_handlers[] = {
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++ &shiftfs_posix_acl_access_xattr_handler,
++ &shiftfs_posix_acl_default_xattr_handler,
++#endif
++ &shiftfs_xattr_handler,
++ NULL
++};
++
++static inline bool passthrough_is_subset(int old_flags, int new_flags)
++{
++ if ((new_flags & old_flags) != new_flags)
++ return false;
++
++ return true;
++}
++
++static int shiftfs_super_check_flags(unsigned long old_flags,
++ unsigned long new_flags)
++{
++ if ((old_flags & SB_RDONLY) && !(new_flags & SB_RDONLY))
++ return -EPERM;
++
++ if ((old_flags & SB_NOSUID) && !(new_flags & SB_NOSUID))
++ return -EPERM;
++
++ if ((old_flags & SB_NODEV) && !(new_flags & SB_NODEV))
++ return -EPERM;
++
++ if ((old_flags & SB_NOEXEC) && !(new_flags & SB_NOEXEC))
++ return -EPERM;
++
++ if ((old_flags & SB_NOATIME) && !(new_flags & SB_NOATIME))
++ return -EPERM;
++
++ if ((old_flags & SB_NODIRATIME) && !(new_flags & SB_NODIRATIME))
++ return -EPERM;
++
++ if (!(old_flags & SB_POSIXACL) && (new_flags & SB_POSIXACL))
++ return -EPERM;
++
++ return 0;
++}
++
++static int shiftfs_remount(struct super_block *sb, int *flags, char *data)
++{
++ int err;
++ struct shiftfs_super_info new = {};
++ struct shiftfs_super_info *info = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(&new, data);
++ if (err)
++ return err;
++
++ err = shiftfs_super_check_flags(sb->s_flags, *flags);
++ if (err)
++ return err;
++
++ /* Mark mount option cannot be changed. */
++ if (info->mark || (info->mark != new.mark))
++ return -EPERM;
++
++ if (info->passthrough != new.passthrough) {
++ /* Don't allow exceeding passthrough options of mark mount. */
++ if (!passthrough_is_subset(info->passthrough_mark,
++ info->passthrough))
++ return -EPERM;
++
++ info->passthrough = new.passthrough;
++ }
++
++ return 0;
++}
++
++static const struct super_operations shiftfs_super_ops = {
++ .put_super = shiftfs_put_super,
++ .show_options = shiftfs_show_options,
++ .statfs = shiftfs_statfs,
++ .remount_fs = shiftfs_remount,
++ .evict_inode = shiftfs_evict_inode,
++};
++
++struct shiftfs_data {
++ void *data;
++ const char *path;
++};
++
++static void shiftfs_super_force_flags(struct super_block *sb,
++ unsigned long lower_flags)
++{
++ sb->s_flags |= lower_flags & (SB_RDONLY | SB_NOSUID | SB_NODEV |
++ SB_NOEXEC | SB_NOATIME | SB_NODIRATIME);
++
++ if (!(lower_flags & SB_POSIXACL))
++ sb->s_flags &= ~SB_POSIXACL;
++}
++
++static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
++ int silent)
++{
++ int err;
++ struct path path = {};
++ struct shiftfs_super_info *sbinfo_mp;
++ char *name = NULL;
++ struct inode *inode = NULL;
++ struct dentry *dentry = NULL;
++ struct shiftfs_data *data = raw_data;
++ struct shiftfs_super_info *sbinfo = NULL;
++
++ if (!data->path)
++ return -EINVAL;
++
++ sb->s_fs_info = kzalloc(sizeof(*sbinfo), GFP_KERNEL);
++ if (!sb->s_fs_info)
++ return -ENOMEM;
++ sbinfo = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(sbinfo, data->data);
++ if (err)
++ return err;
++
++ /* to mount a mark, must be userns admin */
++ if (!sbinfo->mark && !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
++ return -EPERM;
++
++ name = kstrdup(data->path, GFP_KERNEL);
++ if (!name)
++ return -ENOMEM;
++
++ err = kern_path(name, LOOKUP_FOLLOW, &path);
++ if (err)
++ goto out_free_name;
++
++ if (!S_ISDIR(path.dentry->d_inode->i_mode)) {
++ err = -ENOTDIR;
++ goto out_put_path;
++ }
++
++ sb->s_flags |= SB_POSIXACL;
++
++ if (sbinfo->mark) {
++ struct cred *cred_tmp;
++ struct super_block *lower_sb = path.mnt->mnt_sb;
++
++ /* to mark a mount point, must root wrt lower s_user_ns */
++ if (!ns_capable(lower_sb->s_user_ns, CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ /*
++ * this part is visible unshifted, so make sure no
++ * executables that could be used to give suid
++ * privileges
++ */
++ sb->s_iflags = SB_I_NOEXEC;
++
++ shiftfs_super_force_flags(sb, lower_sb->s_flags);
++
++ /*
++ * Handle nesting of shiftfs mounts by referring this mark
++ * mount back to the original mark mount. This is more
++ * efficient and alleviates concerns about stack depth.
++ */
++ if (lower_sb->s_magic == SHIFTFS_MAGIC) {
++ sbinfo_mp = lower_sb->s_fs_info;
++
++ /* Doesn't make sense to mark a mark mount */
++ if (sbinfo_mp->mark) {
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up the passthrough mount options from the
++ * parent mark mountpoint.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough_mark;
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ } else {
++ sbinfo->mnt = mntget(path.mnt);
++ dentry = dget(path.dentry);
++ /*
++ * For a new mark passthrough_mark and passthrough
++ * are identical.
++ */
++ sbinfo->passthrough_mark = sbinfo->passthrough;
++
++ cred_tmp = prepare_creds();
++ if (!cred_tmp) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ /* Don't override disk quota limits or use reserved space. */
++ cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
++ sbinfo->creator_cred = cred_tmp;
++ }
++ } else {
++ /*
++ * This leg executes if we're admin capable in the namespace,
++ * so be very careful.
++ */
++ err = -EPERM;
++ if (path.dentry->d_sb->s_magic != SHIFTFS_MAGIC)
++ goto out_put_path;
++
++ sbinfo_mp = path.dentry->d_sb->s_fs_info;
++ if (!sbinfo_mp->mark)
++ goto out_put_path;
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough))
++ goto out_put_path;
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up passthrough settings from mark mountpoint so we can
++ * verify when the overlay wants to remount with different
++ * passthrough settings.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough;
++ shiftfs_super_force_flags(sb, path.mnt->mnt_sb->s_flags);
++ }
++
++ sb->s_stack_depth = dentry->d_sb->s_stack_depth + 1;
++ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++ printk(KERN_ERR "shiftfs: maximum stacking depth exceeded\n");
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ inode = new_inode(sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ shiftfs_fill_inode(inode, dentry->d_inode->i_ino, S_IFDIR, 0, dentry);
++
++ ihold(dentry->d_inode);
++ inode->i_private = dentry->d_inode;
++
++ sb->s_magic = SHIFTFS_MAGIC;
++ sb->s_maxbytes = MAX_LFS_FILESIZE;
++ sb->s_op = &shiftfs_super_ops;
++ sb->s_xattr = shiftfs_xattr_handlers;
++ sb->s_d_op = &shiftfs_dentry_ops;
++ sb->s_root = d_make_root(inode);
++ if (!sb->s_root) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++
++ sb->s_root->d_fsdata = dentry;
++ sbinfo->userns = get_user_ns(dentry->d_sb->s_user_ns);
++ shiftfs_copyattr(dentry->d_inode, sb->s_root->d_inode);
++
++ dentry = NULL;
++ err = 0;
++
++out_put_path:
++ path_put(&path);
++
++out_free_name:
++ kfree(name);
++
++ dput(dentry);
++
++ return err;
++}
++
++static struct dentry *shiftfs_mount(struct file_system_type *fs_type,
++ int flags, const char *dev_name, void *data)
++{
++ struct shiftfs_data d = { data, dev_name };
++
++ return mount_nodev(fs_type, flags, &d, shiftfs_fill_super);
++}
++
++static struct file_system_type shiftfs_type = {
++ .owner = THIS_MODULE,
++ .name = "shiftfs",
++ .mount = shiftfs_mount,
++ .kill_sb = kill_anon_super,
++ .fs_flags = FS_USERNS_MOUNT,
++};
++
++static int __init shiftfs_init(void)
++{
++ return register_filesystem(&shiftfs_type);
++}
++
++static void __exit shiftfs_exit(void)
++{
++ unregister_filesystem(&shiftfs_type);
++}
++
++MODULE_ALIAS_FS("shiftfs");
++MODULE_AUTHOR("James Bottomley");
++MODULE_AUTHOR("Seth Forshee <seth.forshee@canonical.com>");
++MODULE_AUTHOR("Christian Brauner <christian.brauner@ubuntu.com>");
++MODULE_DESCRIPTION("id shifting filesystem");
++MODULE_LICENSE("GPL v2");
++module_init(shiftfs_init)
++module_exit(shiftfs_exit)
+--- a/include/uapi/linux/magic.h 2021-01-06 19:08:45.234777659 -0500
++++ b/include/uapi/linux/magic.h 2021-01-06 19:09:53.900375394 -0500
+@@ -96,4 +96,6 @@
+ #define DEVMEM_MAGIC 0x454d444d /* "DMEM" */
+ #define Z3FOLD_MAGIC 0x33
+
++#define SHIFTFS_MAGIC 0x6a656a62
++
+ #endif /* __LINUX_MAGIC_H__ */
+--- a/fs/Makefile 2021-01-08 18:08:28.187064015 -0500
++++ b/fs/Makefile 2021-01-08 18:09:00.788217579 -0500
+@@ -136,3 +136,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/
+ obj-$(CONFIG_EROFS_FS) += erofs/
+ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
+ obj-$(CONFIG_ZONEFS_FS) += zonefs/
++obj-$(CONFIG_SHIFT_FS) += shiftfs.o
+--- a/fs/Kconfig 2021-01-06 19:14:17.709697891 -0500
++++ b/fs/Kconfig 2021-01-06 19:15:23.413281282 -0500
+@@ -122,6 +122,24 @@ source "fs/autofs/Kconfig"
+ source "fs/fuse/Kconfig"
+ source "fs/overlayfs/Kconfig"
+
++config SHIFT_FS
++ tristate "UID/GID shifting overlay filesystem for containers"
++ help
++ This filesystem can overlay any mounted filesystem and shift
++ the uid/gid the files appear at. The idea is that
++ unprivileged containers can use this to mount root volumes
++ using this technique.
++
++config SHIFT_FS_POSIX_ACL
++ bool "shiftfs POSIX Access Control Lists"
++ depends on SHIFT_FS
++ select FS_POSIX_ACL
++ help
++ POSIX Access Control Lists (ACLs) support permissions for users and
++ groups beyond the owner/group/world scheme.
++
++ If you don't know what Access Control Lists are, say N.
++
+ menu "Caches"
+
+ source "fs/fscache/Kconfig"
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..057aa891ea31
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From 974286e968fc8af0c146b87c052a475dfc8b40e3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/113] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 390165ffbb0f..3b24c9e3535e 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..77d987309489
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From c18e9f05755c83478207385d1803a0f1f248c3a7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/113] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..0f0d48e1c4ee
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From b724844617ce60088b629364d6473657de350d86 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/113] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..5e79fc61f7b4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 4b06cc11573bee59d5a036eeafd0844393a757a2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/113] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..0c80d179674e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From 908b1099e40b0dc93f9ad5760b69798e720eaa51 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/113] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 14c9a6af1b23..2501f75bd74d 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..8f3f72bd82fd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From d0577f4883eda6d1e0143a8662f6eb289d2bfc89 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/113] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index c789b39ed527..89c9d6aebf77 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1471,6 +1471,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..f94973d41070
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From 841bee392cb410d8eb99ccdd34c95c4219b73940 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/113] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 89c9d6aebf77..11068e77d146 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1511,6 +1511,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..250709b4610d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From 4605d3ad238f1aba0cbf9b58ab0c91093045db1b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/113] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a6b5b7ef40ae..a145245ec5e7 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1199,6 +1199,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..3a33157ba2a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From c33057d586c3c9f6f0ae90c32a79739e2d16ee3a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/113] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a145245ec5e7..21088a6532d8 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1790,6 +1790,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..6a981cdb016e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From dcadc43c8133502bb278f4202bf35a6f19fb0651 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/113] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..dcbcb4243316 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1929,6 +1929,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..1d3fed15167c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From ffce7ce8f2b09e34208e45e266eb6b08de1afbc0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/113] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index dcbcb4243316..667d1c6c021b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1938,6 +1938,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..ddeb4c54e115
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From 84af438b20024e19817dad3fdd971b2adae7cb22 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/113] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 667d1c6c021b..859ab5ae66ff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1914,7 +1914,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..7ad0b157f5bc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From 2379bfe2ee9e10dd53f8f492a1f424bdd5164960 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/113] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..9b7e9af34966
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From 92e46037904779bbc8e9f8a4e727ad54c3f98afc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/113] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 11068e77d146..45b169177fb9 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -894,6 +894,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -903,7 +904,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.30.0
+
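Review bot: The `+ default y` line makes every oops, including one reachable from an unprivileged process, a full halt of the machine, and the patch's commit message gives no rationale for accepting that availability cost; the help text hunk below it only flips `Say N if unsure` to `Say Y if unsure`. Suggest one sentence in the description such as `A kernel that keeps running after an oops may be in a corrupted state; the trade-off is that a reproducible oops becomes a reboot loop unless kernel.panic_on_oops is reset to 0 at runtime.` Both PANIC_ON_OOPS hunks are inside the same Kconfig entry, whose remaining lines are outside this hunk.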
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..d657e82330b1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From db601eef38d720704b516d3750e05d54fb4b2bde Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/113] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 859ab5ae66ff..74680a15ceb4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1843,7 +1843,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..8e9511e7a524
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 7d9f59288c36f20141a829832f4df437cded8d95 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/113] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 3a5ecb1039bf..d2d5e0cbf85c 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1194,7 +1194,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..5286c94641cb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From a46c46f8cfaaed4681165997bf58013552100b55 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/113] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index d2d5e0cbf85c..ab6e7e2d3cf0 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1195,7 +1195,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..503589ae41ef
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From b2ce3c2729882fc65adeb1af97265d47540b140c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/113] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ab6e7e2d3cf0..7b9df510469b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2392,7 +2392,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..e110d6c06dc8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From 262123dbcca9d8f9216a41e385d933627384d426 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/113] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 7b9df510469b..63e1e9fc18dd 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2393,7 +2393,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..5d13f6b0f1ce
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From a1eb33a6554f3fcbc6138384b0e7a001c7343add Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/113] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 63e1e9fc18dd..4fd082de7420 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2296,7 +2296,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..139f6925e8c5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 0260bb56f4ee9a34cf29fcbb657553005d4f78b4 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/113] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74680a15ceb4..8605f3e78e47 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1591,7 +1591,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..5574f0b1a3ce
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From 42e5ed9e9ceca1014c91ba9f0ff6450d229c1421 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/113] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 8605f3e78e47..21f0b6926cf3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1592,7 +1592,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..acb26edc1c6d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From 11b32f6a332d61bfa858311bcb37d934f6d7f7de Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/113] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 5cfe3cf6f2ac..f25871361bdc 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..90c3d6156b78
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From a96b01e00822404618c4060faf9421ab63544cd6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/113] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index d229a2d0c017..68178c3a25de 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -391,7 +391,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..77b1474a98e8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From 74fb24dc00aebee8ddc59574ef8342ce54b2d019 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/113] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..6e28781c27b4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From 4b97ae89a581103b5a5a26a0034e493d2b64eb73 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/113] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index e2a488d403a6..ce54c1c693a8 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.30.0
+
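Review bot: NFS_DEBUG has no prompt string (the bare `bool` at the top of the hunk), so dropping `default y` does not make the option opt-in: with no prompt and no visible `select`, the symbol can no longer be turned on from the configurator at all, which is stronger than the subject "disable by default" suggests. If an opt-in is intended the patch should also add a prompt, e.g. `bool "NFS debugging support"`; if the option is meant to be unreachable, the commit message (currently empty) should say so. The Kconfig entry begins outside the hunk, so a `select` elsewhere cannot be ruled out from here.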
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..5fc049745ff8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From 9315a943b0b0fd40d94b76eda476cbd4f7693493 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/113] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..9a2de1b0030e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From 19b439e7b96fe26b5aa345df908a6e02d1b77ee9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/113] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..0e045a7034ad
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 8d49fee4a6a9b084d2d3aedf6238a8be32971508 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/113] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 68178c3a25de..2fd45f01e7a2 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -327,7 +327,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..ae2f82894517
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From fe79dac56bb7709ac16d9db6b94db638f46871fd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/113] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 45b169177fb9..a46f21a56125 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1668,6 +1668,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.30.0
+
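Review bot: The added `default y` sits under `depends on STRICT_DEVMEM` two lines above, so it has no effect on any config where STRICT_DEVMEM is off, and none of the patches visible in this series sets a default for STRICT_DEVMEM itself. If the series relies on upstream's own STRICT_DEVMEM default for the targeted architectures, a sentence saying so in the empty commit message would spare the next maintainer the lookup; otherwise a companion default for STRICT_DEVMEM is needed for this filter to be reliably active. Checking the built config for both `CONFIG_STRICT_DEVMEM=y` and `CONFIG_IO_STRICT_DEVMEM=y` is the cheap verification.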
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..86c39680d00f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From 8e5c86e3aebb3e63cad2c209b5522f4ce9fa837e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/113] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 21f0b6926cf3..4f5827e10be3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1866,7 +1866,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..bebc2fa93ef3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From d8fd9562afd1ed608c61861bcc8d38ff71989b9b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/113] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 69fe7133c765..8b5c346d5dd8 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -752,7 +752,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -786,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.30.0
+
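Review bot: The subject promises the maximum supported entropy, but in both hunks the retained line `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT` precedes the changed one, and Kconfig takes the first default whose condition holds, so architectures that define a *_DEFAULT symbol keep their own value and only the fallback moves from MIN to MAX. That is probably intended, but the commit message should state it, e.g. `Applies only to architectures without an ARCH_MMAP_RND_{,COMPAT_}BITS_DEFAULT`, so the effective ASLR width on a given target is not over-estimated. Comparing `CONFIG_ARCH_MMAP_RND_BITS` in the built config against the arch's MAX is the cheap check.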
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..2422db1cf440
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From b9f6696f7f544c426d0301455bd2893b235d74bf Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/113] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index d4a6dd772303..59ff3ce21026 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.30.0
+
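Review bot: The two changed initialisers in fs/namei.c overlap with what the gentoo-patches set shipped in the same package delivers in 1510_fs-enable-link-security-restrictions-by-default.patch, which by its name flips the same sysctl_protected_symlinks/hardlinks defaults; if the ebuild applies both patch sets to one tree, whichever runs second will not find its `= 0` context lines and will fail or apply with fuzz. Confirm that the ebuild skips one of the two, or that their contexts genuinely differ. The put_link() shown in the hunk header is only surrounding context; the variables changed here are file-scope.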
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..3943afaa209f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From 4bb7efb0383cd723e479eed08662b6d9250962fa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/113] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..3d410173bc66
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From e8b7b90260d01aeaac3a084d2a634927a457d93b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/113] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..1fa8bb0066ee
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From f005b8d8b1e067caa741c62deb432bff9c11914c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/113] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..af1ecf3fde52
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From 361c8a6666553e88e9446241fa75962184aab482 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/113] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4f5827e10be3..9b75a4921575 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -419,6 +419,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..bf2dc445a333
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 8fef0408446396f19753e2d264ba0d3ff08794bd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/113] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..e466cd459ab4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From b1d534abcf1df8d5bf9d3223df1b083d1a6db3f2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/113] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..c5cf4885caf2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From 38fadb548be0bd82498f0e1527f5e9cc6f2c33d2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 040/113] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index d742c57eaee5..f0222c070458 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __section(".data..ro_after_init")
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.30.0
+
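Review bot: The new `+#define __read_only __ro_after_init` carries no comment, and the name promises more than the alias delivers: data is write-protected after init only on architectures that actually remap `.data..ro_after_init` read-only, and the `#endif` directly above suggests a fallback definition of `__ro_after_init` exists for the others, where this is ordinary writable data. Suggest a comment above the define: `/* Alias for data written only during init; enforcement depends on the arch honouring .data..ro_after_init. */`. A one-line rationale in the empty commit message would also help, since the name coincides with the older PaX annotation that the later sysctl patch in this series refers to.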
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0041-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0041-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..b650ffe06297
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0041-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 49537988bb2c173387945fe255fcce9f88093e2f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 041/113] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..dfffc75a3802
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From a85fc16a815a4fb004b16c10d0bb27e5812c937d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 042/113] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..63a0f8097d0a 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.30.0
+
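Review bot: Moving `kernel_set_to_readonly = 1;` ahead of `set_pages_ro(...)` in init_32.c and ahead of `set_memory_ro(...)` in init_64.c is what makes the `__ro_after_init` annotation on the variable safe, but nothing in the code says so; the next person who reorders these statements will get a write fault on a now read-only page. This presumably relies on `.data..ro_after_init` lying inside the range those calls protect, which the hunk does not show. A comment on the moved line, e.g. `/* kernel_set_to_readonly is __ro_after_init: must be written before the rodata region is write-protected below */`, would pin the ordering. Both `mark_rodata_ro` bodies continue outside the hunks, so later writes in the same function cannot be checked from here.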
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..c28f3ed7a896
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From 732f4c3f1f0c80bbd82e81be30f3625850e6ced3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 043/113] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 34dcc09e2ec9..3ef79a1878ed 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3363,9 +3363,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4883,7 +4883,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..0c94bb739ffd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From e704f1996111b261ea74a578a8e2e5ccf08b12fa Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 044/113] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..a765ba77f115
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From 9a24bd23c32fcac56d97d36303d1e0a1f1f58191 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 045/113] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..aa947f766ddd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From 83fb3d0b7f32db39f4ebfdf9b3b2e7eb4dfacdc7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 046/113] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..bda9596d7a9f 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 63a0f8097d0a..f9eb66b3f152 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..8eaf9f2a5ed6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From b9d42d6337abbeff1ba2adba2f710fa73491cede Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 047/113] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..c7cf5d8f6683
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From b1858f0aafb217f14fbc3d13706816cf62016618 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 048/113] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index ee8299eb1f52..f03b78ae5f0a 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 09229ad82209..0595a8248c4a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..1e7383f1e12c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From 19d107515faffc19a6be8192a0d26c1cecb44a53 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 049/113] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 2a1eff60c797..75a0077ea1a9 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f03b78ae5f0a..4381b79f76cf 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 593df7edfe97..3285d81d8a26 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2722,7 +2722,7 @@ static __latent_entropy void rcu_core(void)
+ queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index ae7ceba8fd4f..d118be5f18b8 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10628,7 +10628,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0595a8248c4a..3a21b22227c1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -532,8 +532,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -573,14 +572,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 387b4bef7dd1..8fe28c28a906 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1587,7 +1587,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..217bc49a3856 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1753,7 +1753,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 38412e70f761..c3cd49e04b7b 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4856,7 +4856,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_any_context);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6803,7 +6803,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..f46699bafe08
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From 950c3a32afc68f47e43dca8a290f2b567cce9996 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 050/113] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 3a21b22227c1..6a02d63b135a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.30.0
+
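Review bot: Replacing `__cacheline_aligned_in_smp` with `__aligned(PAGE_SIZE)` pads `.data..ro_after_init` to a page boundary for an array of `NR_SOFTIRQS` function pointers, which is more than the original cache-line intent. The context in patch 0040 shows `____cacheline_aligned` defined as a bare `__attribute__((__aligned__(SMP_CACHE_BYTES)))` with no section, so if the conflict noted in the message is only the section placement of the `_in_smp` variant, `static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init ____cacheline_aligned;` would keep the original alignment without the extra padding. If page alignment is deliberate (the commit says it was carried over from PaX), a comment saying why would stop a later cleanup from reverting it.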
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..5ea770a014cf
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From b67459458ab708acb88246bd47e99d14d168f433 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 051/113] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index f9977d6613d6..5adb48bb2e68 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -435,9 +435,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.30.0
+
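Review bot: The new `BUG_ON(!PageSlab(page))` branch drops the `"%s: Object is not a Slab page!\n"` message that the `WARN_ONCE` path prints, so a crash under `CONFIG_BUG_ON_DATA_CORRUPTION` carries less context for post-mortem analysis than the warning it replaces. Printing before halting keeps the diagnostic: `if (!PageSlab(page)) { pr_err("%s: Object is not a Slab page!\n", __func__); BUG(); }`. The same applies to patch 0052, where `print_tracking(cachep, x);` sits after the `#ifdef`/`#endif` and is therefore never reached once `BUG()` has fired; moving that call above the `#ifdef` preserves the tracking output in both configurations. `virt_to_cache` and `cache_from_obj` both begin outside their hunks.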
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..4bc5c7b23149
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From 2a0cbd6078c2f728eb635e614123fea3e3c56c89 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 052/113] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 5adb48bb2e68..9fef4285514a 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -471,10 +471,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
++#endif
+ print_tracking(cachep, x);
++ }
+ return cachep;
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..6f6042b0ae25
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From 42c49b214cfd9f4d8ff017da88d5ca091d697cc1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 053/113] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3ef79a1878ed..e5564f339095 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4092,7 +4092,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..c93e9dd84fd9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 53dee269e78531422d96942d6430698bb56f9cf8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 054/113] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 14b9e83ff9da..84070ae3885e 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2284,6 +2284,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..3d2f1d2c3d80 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -217,6 +217,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
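Review bot: `verify_zero_highpage()` BUG()s on any non-zero byte whenever `want_init_on_free()` is set, but init_on_free is not the only writer of a freed page: with page poisoning enabled and a non-zero poison pattern the page is re-poisoned after being zeroed on free (see free_pages_prepare() in mm/page_alloc.c), so on such a configuration this check would seemingly trip on the very first allocation — worth confirming. Unless an earlier patch in the series excludes that combination, PAGE_SANITIZE_VERIFY wants either a Kconfig `depends on !PAGE_POISONING` or a runtime `!page_poisoning_enabled()` term in the new `if` in prep_new_page(). The Kconfig help also omits the cost, a full memchr_inv() scan of every allocated page; a sentence such as `This scans every newly allocated page and has a noticeable performance cost.` would put it on par with the INIT_ON_FREE_DEFAULT_ON text just above it.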
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..900382bedd42
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 316d547bf0a079e694dadd5a5afe45d7ce0009e7 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 055/113] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index e5564f339095..cf24f74e01de 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.30.0
+
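Review bot: The comment added in the KASAN-quarantine branch says ctor caches "have s->offset != NULL))" — `s->offset` is an integer offset, not a pointer, and the doubled closing parenthesis is a typo; if the invariant meant is that ctor caches keep the free pointer outside the object, `(not just ctor ones, whose free pointer lives past the object)` says so without the misleading NULL. The same block opens with the net-style `/* Objects ...` first line, whereas mm/slub.c comments start with a bare `/*` line. `slab_free_freelist_hook` starts and ends outside both inner hunks.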
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..91b4c8fa5d11
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From 7f3be659ada7de51848d753bd19426e16e437c01 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 056/113] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index cf24f74e01de..d42d2709526a 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2897,7 +2903,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3337,7 +3352,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 3d2f1d2c3d80..a718487ad717 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -224,6 +224,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
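Review bot: SLAB_SANITIZE_VERIFY is declared `depends on !KASAN`, yet both new alloc-side blocks (slab_alloc_node and kmem_cache_alloc_bulk) add `kasan_unpoison_object_data()`/`kasan_poison_object_data()` pairs with comments explaining KASAN poisoning; under that dependency these compile to no-ops, so either the dependency is stale or the calls and their comments are dead and should say which. The setup_object change skips the ctor at slab creation and therefore relies on the slab's backing pages already being zero, otherwise the `BUG_ON(memchr_inv(object, 0, s->object_size))` fires on first use; a one-line comment there, e.g. `/* Object must already be zero here (pages come zeroed via init_on_free); the ctor runs at allocation time instead. */`, would record that assumption — worth confirming against allocate_slab(). For consistency with setup_object, the free-path test `!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor` could read `!has_sanitize_verify(s) && s->ctor`, which is equivalent inside the slab_want_init_on_free() branch.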
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..aeace7f91463
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From de380b2dd1139fce72b2af1e51bb575e0ef95db2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 057/113] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 9b75a4921575..f15109e7b111 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1945,6 +1945,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0fcd97a4eb6f..105dba485a7e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -504,7 +504,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index d42d2709526a..c949d918dc7f 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2915,6 +2958,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3302,7 +3350,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3372,6 +3420,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3573,6 +3626,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3753,6 +3807,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3826,6 +3883,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4099,6 +4160,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.30.0
+
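Review bot: `get_canary_value()` masks with `CANARY_MASK`, which this patch does not define (its diffstat covers only slub_def.h, init/Kconfig, mm/slab.h and mm/slub.c), so it presumably comes from an earlier patch in the series; since that mask is what supplies the "guaranteed zero byte" promised in the Kconfig help, a comment at its use such as `/* CANARY_MASK keeps one byte zero so the canary also terminates an overflowing C string */` would tie the code to that claim. `check_canary()` reports corruption with a bare `BUG_ON`, which says nothing about which cache was hit; a `pr_err("%s: slab canary corrupted in cache %s\n", __func__, s->name);` before an explicit `BUG()` would make the oops actionable. Like the existing SLAB_FREELIST_HARDENED `s->random`, `random_active`/`random_inactive` for boot-time caches are drawn in kmem_cache_open() before the CRNG is seeded, an inherited limitation that deserves a comment next to the two `get_random_long()` calls.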
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..e8dcece43d80
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From c3b0b9114701fbdb800a9e6786f56d9b0a6706b8 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 058/113] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 96450f6fb1de..d020c26b612a 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1312,6 +1312,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c3ba29d058b7..6efbf92763b1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -407,8 +407,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11638,7 +11643,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.30.0
+
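Review bot: The commit message still says access is denied to users "without CAP_SYS_ADMIN", while `perf_allow_open()` tests `perfmon_capable()` (CAP_PERFMON or CAP_SYS_ADMIN), as the bracketed adaptation note and the kernel.rst row both say; the body text should be updated so the three do not diverge. `perf_allow_open()` returns -EACCES before `security_perf_event_open()` is consulted, which matches `perf_allow_kernel()` below it, but a one-line comment `/* paranoid >= 3: no unprivileged perf_event_open(2) at all, regardless of LSM */` would mark the ordering as intentional. The caller hunk in kernel/events/core.c sits inside SYSCALL_DEFINE5(perf_event_open), which extends outside the hunk.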
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..1283f65a4bb6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From 3703b803da0c1839c37c84a7e2c4bcfabeefc16d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 059/113] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..92affc5e9440
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From c1221a7247f915c6060d0931962c3a105f2169f9 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 060/113] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index c675fdbd3dce..cba344194fba 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1863,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2928,6 +2933,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..29a30cff5e60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.30.0
+
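Review bot: The new `unprivileged_userns_clone` sysctl entry uses `proc_dointvec` with no range, so any integer is accepted and stored even though only 0 and 1 are meaningful; switching to `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,` as boolean knobs elsewhere in kern_table do would reject nonsense values. In copy_process() the nested `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) if (!capable(CAP_SYS_ADMIN))` is two unbraced ifs where a single combined condition reads better and mirrors the ksys_unshare() form. The `/* sysctl */` comment on the definition in kernel/user_namespace.c says nothing about semantics; `/* 0 (default): CLONE_NEWUSER requires CAP_SYS_ADMIN in the initial user ns; kernel.unprivileged_userns_clone=1 re-enables unprivileged use */` would. copy_process() and ksys_unshare() both extend outside their hunks.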
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..19cc2e61a9f1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 2202675d1611a261e7bc437dcfd0310fad16380a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 061/113] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index dd6897f62010..78f99835b91b 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -386,7 +386,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -410,7 +410,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -535,7 +535,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -557,7 +557,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.30.0
+
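Review bot: The krealloc() prototype is annotated with `__attribute((alloc_size(2)))` while every other declaration in the hunk uses `__attribute__((...))`; GCC accepts both spellings, but the mismatch reads as a typo and the kernel convention is `__attribute__`. The header has no macro for this attribute, so a small `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))` placed alongside `__malloc` in include/linux/compiler_attributes.h would keep the five sites uniform and shorten the vmalloc patch that follows. The caveat in the commit message about ksize() users writing past the requested size applies to every annotated function and belongs in a comment near the krealloc() declaration rather than only in the log.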
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..b48016491327
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From b22ff1dce22f5de367783acad348054380deab09 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 062/113] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 938eaf9517e2..7c069063c20d 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -102,18 +102,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.30.0
+
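Review bot: `__vmalloc_node` at the end of the hunk is the one vmalloc entry point left without `alloc_size(1)`, while its sibling `__vmalloc_node_range` directly above it gets the attribute; any caller that uses `__vmalloc_node` directly therefore loses the compile-time size information this series is adding. The declaration should read `void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask, int node, const void *caller) __attribute__((alloc_size(1)));`. The same omission presumably exists in the copies of this patch under the other kernel-version directories of this commit.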
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..3c39f84a8e7e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From 965e4086296d0dabe7f7bc2d3bb2c8a2c7ae224d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 063/113] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index cd5c313729ea..746f6d05bd81 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -759,7 +759,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.30.0
+
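Review bot: `kvmalloc()` directly below the changed declaration is a `static inline` wrapper that only forwards to `kvmalloc_node()`, and the attribute on the callee is not inherited by the wrapper's own declaration, so size information reaches callers of the common entry point only when the wrapper happens to be inlined. Patch 0061 of the same series annotates the inline `kmalloc()`/`kmalloc_node()` wrappers for this reason, so for consistency the line should be `static inline __attribute__((alloc_size(1))) void *kvmalloc(size_t size, gfp_t flags)`. The other `kv*` wrappers in this header are outside the hunk and would presumably need the same treatment.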
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0064-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..65e23f4fb196
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 781b646576bc8b918ce8ea2600b265e185076214 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 064/113] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..2ef36eeecfeb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From 86aa62f74961c996e9456cd9b440bea1f15fa46e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 065/113] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index c603237e006c..893378b0262e 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -568,9 +568,9 @@ static inline struct page *alloc_pages(gfp_t gfp_mask, unsigned int order)
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..3db90e27a1b0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From 2a5625aa2d7cb0a33d9b22150d2eb698abd87733 Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 066/113] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f6a1513dfb76..f399208c873a 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3566,6 +3566,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 84070ae3885e..ded9e8536285 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -136,6 +137,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1549,6 +1559,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.30.0
+
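Review bot: The bound `page_to_pfn(page) < 0x100000` in `__free_pages_core` equals the documented "first 4GB" only when `PAGE_SIZE` is 4K; on 16K or 64K page configurations it covers 16 or 64 GB and the boot-time cost grows accordingly, while the kernel-parameters text and the Kconfig help still promise 4GB. Expressing the limit in pages, e.g. `page_to_pfn(page) < (SZ_4G >> PAGE_SHIFT)`, keeps code and documentation in agreement. The new kernel-parameters.txt entry is also inserted between what appears to be the `pause_on_oops=` text and `pcbit=` rather than in alphabetical position among the e-entries, and it omits the "not cryptographically secure" caveat the Kconfig help carries. `__free_pages_core` starts and ends outside the hunk.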
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..86dfd49e25b8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From 4d57f11c9d6279f6d4e221e6e082b7c923f9e9ac Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 067/113] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 61c762961ca8..02a83039c25b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.30.0
+
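Review bot: The retained comment `/* ata_qc_from_tag _might_ return NULL */` now sits next to a `BUG_ON`, which reads as contradictory — a condition described as possible is treated as fatal without saying why. Rewording it at both sites, e.g. `/* ata_qc_from_tag _might_ return NULL; treat that as a fatal driver bug rather than dereferencing it below */`, records the intent of the change. Both `ata_qc_free` and `__ata_qc_complete` continue beyond their hunks.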
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..557c46098f89
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From 6b8bf6e5b343b553cb8caa6dffa2aad3572c8aec Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 068/113] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 74019c8ebf6b..c480b4e7ffef 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -778,6 +778,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0069-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0069-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..6afa1a885583
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0069-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From dfbb7797b36dfd522518a6acb5fb71e87f1d16e8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 069/113] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 746f6d05bd81..a463ffe84eb4 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -894,10 +894,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index 47a47681c86b..762095d95092 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.30.0
+
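Review bot: The new `BUG_ON` in `__put_compound_page` runs only after `get_compound_page_dtor()` has already indexed `compound_page_dtors[]` with `page[1].compound_dtor`, and the bound check guarding that index is `VM_BUG_ON_PAGE`, which compiles away without CONFIG_DEBUG_VM; a corrupted index therefore still produces an out-of-bounds table read before the destructor comparison rejects the result. If this is meant as a production sanity check, the bound should be enforced unconditionally in `get_compound_page_dtor`, e.g. `BUG_ON(page[1].compound_dtor >= NR_COMPOUND_DTORS);`, or the comparison should precede the lookup. `PageHuge(page)` is also evaluated twice in the new code; a local would read more clearly. The trailer `Reviewd-by:` is misspelled, which tooling that parses trailers may not recognise.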
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..4cfe16b2cab4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From 0add19785f4154b0564b71ac5eaec4fd30b1dc4e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 070/113] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 35ad8480c464..edaeeab9df4b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -399,6 +399,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 145a7ac0c19a..058941e9ae40 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 569ac1d57f55..044d88da4aee 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1066,6 +1066,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.30.0
+
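Review bot: The three new `BUG_ON(cr4 != __read_cr4())` lines carry no comment and the commit message gives no rationale, so a reader cannot tell what invariant is asserted or why a mismatch warrants a panic rather than a warning. A short comment at the first site, e.g. `/* cpu_tlbstate.cr4 is the software shadow of CR4; a mismatch means CR4 changed behind the kernel's back */` (presumably the intent, given the subject), would document it, with the other two sites referring back. In `cr4_update_irqsoff` the new check also precedes `lockdep_assert_irqs_disabled()`, so a mismatch hit on a path with interrupts enabled panics before the more specific lockdep diagnostic fires; placing the assert first preserves that diagnostic. All three enclosing functions continue outside their hunks.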
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0071-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0071-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..a68cbc7dbf8b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0071-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From 14710aff4d3b96836084e35758db7c6d71dc00af Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 071/113] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index f882ce0d9327..50e9baefc4e7 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.30.0
+
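Review bot: The `DATA_TO_TEXT` case in `report_sec_mismatch` is wrapped in `#if 0`, leaving dead code in the tree; the per-reference diagnostic should either be enabled or the case reduced to a bare `break;` with a comment stating that only the aggregate count printed from `main()` is intended. The final `warn("modpost: Found %d writable function pointer(s).\n", ...)` will print a doubled prefix if this tree's `warn()` already emits `modpost: ` — worth checking the logging helper before merging. Style: the new enumerator `DATA_TO_TEXT` and the new `sectioncheck` entry's `.mismatch = DATA_TO_TEXT` both lack the trailing comma the preceding entries use. `find_elf_symbol`, `report_sec_mismatch` and `main` all extend beyond the hunk.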
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..21bedcdead97
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From 99eb3c3238a237591a86fd5ee77433b4b3651451 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 072/113] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..2059c66f7c9b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1693,6 +1693,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.30.0
+
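Review bot: The new `else if (!audit_ever_enabled) audit_initialized = AUDIT_UNINITIALIZED;` branch has no comment, and the commit carries neither a description nor a Signed-off-by trailer, unlike the rest of the series, so the reason for resetting the state when a later `audit=` value is parsed is recorded nowhere. A one-line comment would suffice, e.g. `/* A later audit=1 on the command line re-arms initialization after an earlier audit=0 */`, assuming that is the override the subject refers to. `audit_enable` continues beyond the hunk.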
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..2f19ca605301
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From 1484bad409bb3a11522f9666a764829d9b7ef055 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 073/113] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.30.0
+
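Review bot: The Kconfig prompt `bool "Harden common functions against buffer overflows"` closely mirrors the parent `FORTIFY_SOURCE` prompt, so in menuconfig the two options are hard to tell apart; something like `bool "Detect intra-object overflows in common string functions"` names what actually changes. The `__string_size()` macro is defined outside the `!defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)` guard, so it is visible even where fortification is disabled — harmless, but placing it inside the guard keeps the header's surface consistent. The commit message warns that the option can panic on benign intra-object accesses, yet the help text says only "not yet intended for production use"; carrying that warning into the help would tell a configurator what to expect.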
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..70c67d199609
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From ca890869270402dca9eb05e9205755676371a09f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 074/113] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.30.0
+
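Review bot: The reinstated `#define ELF_ET_DYN_BASE 0x100000000UL` is a fixed base independent of the task's address-space size, and the commit message says only "This reverts commit …" without recording why the regression that motivated the upstream revert is acceptable in this tree, so a maintainer rebasing the series has nothing to re-evaluate against. A sentence in the message naming the trade-off being accepted, plus a comment on the define such as `/* Fixed 4GB base, intentionally independent of TASK_SIZE */`, would make the patch self-explaining. The comment text `this is raised to 4GB` is also restored verbatim from the reverted commit and should be checked against the arm64 `COMPAT` handling, which this hunk does not touch.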
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..0f1289e629df
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From 165087d3c98a3c066f5d043aaf2300a3723a3fdd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 075/113] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.30.0
+
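Review bot: Deleting `vdso_addr()` also deletes the `align_vdso_addr()` step, whose removed comment (`Forcibly align the final address in case we have a hardware issue...`) says it exists to satisfy a `va_align` performance workaround; the commit message does not say whether the plain mmap placement that `map_vdso(image, 0)` now relies on applies that same alignment to a special mapping, so this loss should be confirmed harmless or documented. The surviving one-line `map_vdso_randomized` also deserves a comment saying where its randomization now comes from, e.g. `/* addr 0: let the mmap allocator place the vdso with the regular mmap base randomization */`, assuming that is what `map_vdso` does with a zero hint. The `#ifdef CONFIG_X86_64` wrapper is visible, but `map_vdso` itself starts outside the hunk.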
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..6ccda18aedf6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From 5fa929857752e67bcbe4f02086d6d5f91b9c2741 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 076/113] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.30.0
+
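Review bot: The retained comment `/* 1GB for 64bit, 8MB for 32bit */` above the `#else` branch now describes the old hard-coded masks and is stale once the value is `(1UL << mmap_rnd_bits) - 1`; it should say something like `/* stack entropy follows mmap_rnd_bits / mmap_rnd_compat_bits (sysctl-adjustable) */`. The same stale comment, `/* 1GB of VA */`, survives in the arm64 hunk of 0077. Both headers now reference `mmap_rnd_bits` and `mmap_rnd_compat_bits`, which I believe are declared in linux/mm.h; if elf.h does not already pull that in, every user of `STACK_RND_MASK` becomes include-order dependent, so that is worth checking. The `CONFIG_COMPAT` line on x86 is also well over 80 columns and would read better split across lines the way the arm64 version is.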
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..8214060975ea
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From bf2c4d62c85d47cb10535e47e3a57480899c2351 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 077/113] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..429f17beb4f0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,37 @@
+From b90b353977b3dd9bcc4a8cc03d871d4f80c5899c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 078/113] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ fs/exec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ca89e0e3ef10..4875ded97db5 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -64,6 +64,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -280,6 +281,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.30.0
+
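Review bot: The new gate checks only `randomize_va_space`, so a task that opted out of ASLR via `personality(ADDR_NO_RANDOMIZE)` still gets its argument block shuffled, whereas `arch_align_stack()` on x86 tests both conditions as far as I recall, so the two knobs disagree here. Suggest `if (randomize_va_space && !(current->personality & ADDR_NO_RANDOMIZE))`. A short comment would also help, since the XOR form is not obviously bounded at a glance: `/* only sub-PAGE_MASK bits are flipped, so bprm->p stays inside its page */`. `__bprm_mm_init` starts outside the hunk.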
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..d2facc6bf7f5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From 2453cc9bc446d1189997e53353e2eb65b2c7f514 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 079/113] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 058941e9ae40..61460d55dd72 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -906,7 +908,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.30.0
+
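Review bot: The two new includes are appended below the `<asm/...>` block, so `<linux/sizes.h>` lands after `<asm/frame.h>`; kernel style groups `linux/` headers ahead of `asm/` ones, and `<asm/elf.h>` is pulled in only for `mmap_is_ia32()`, which a trailing comment could say. The 64-bit range also jumps from 32MB to 1GB with nothing in the code explaining the asymmetry against the 32-bit branch; a one-liner such as `/* SZ_1G matches arm64's arch_randomize_brk */` would stop someone later "fixing" it back. `arch_randomize_brk` is shown whole, but its caller lies outside the hunk.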
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..09302393e363
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From 5412ee6e62b5169a3a37c8765270865195027dd8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 080/113] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 5c8b4485860d..0e26c225bb53 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.30.0
+
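Review bot: The comment `/* properly handle unaligned min_brk as an empty heap */` states what the block does but not why: the reader needs to know that with sub-page brk randomization `mm->brk == min_brk` means no heap page has been mapped yet, so `PAGE_ALIGN()` would otherwise count the partial page containing `min_brk` as already allocated. Suggest `/* an unaligned min_brk is not page-backed yet: treat brk == min_brk as zero pages so PAGE_ALIGN() does not claim the page containing it */`. It is also asymmetric that a request for `min_brk + 1` maps the very page that a request for `min_brk` treats as empty; that looks intended but deserves a sentence. The `brk` syscall body continues outside the hunk in both directions.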
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..59357a9c9d78
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From f0d7534cbaf120f62f41334f7f3b01e529b3c684 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 081/113] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ddb6e186dd5..4ca72f952329 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
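Review bot: Replacing `randomize_page(mm->brk, SZ_1G)` with `mm->brk + get_random_long() % SZ_1G` drops the overflow clamp that `randomize_page()` performs (it limits the range so the sum cannot wrap past ULONG_MAX, as I recall from mm/util.c), so the open-coded form silently relies on `mm->brk` sitting far below the top of the address space. That invariant should at least be written down, e.g. `/* brk starts just above the image, so brk + SZ_1G cannot wrap */`. The same applies to the x86 hunk in 0082 and to the `+ PAGE_SIZE` variants in 0083 and 0084. The divisors are powers of two, so there is no modulo bias to worry about.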
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..1ed8e1a47e42
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From eee2a605c76a13aea6710187cb09fbe6d0def6db Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 082/113] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 61460d55dd72..0d4c3887229d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..977777cdebfe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 61f5be19830195a204b0c2d911283634c0f202fd Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 083/113] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ca72f952329..62ed34dfceb7 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
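Review bot: The added `+ PAGE_SIZE` is the whole point of the patch but carries no comment in the code; the subject line is the only explanation of why the random offset is padded. Suggest `/* + PAGE_SIZE: always leave at least one unmapped page below the heap start */` on the 64-bit return, and the same in the x86 hunk of 0084. `arch_randomize_brk` is shown whole; `arch_mmap_rnd` below it starts outside the hunk.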
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..efad5465cdb7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 26ba83af4fefd05081dcd44a4e26638f1f79290f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 084/113] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 0d4c3887229d..161e25d02fd5 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..4de27b1cacdb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From 86b86a4fc1038ca4cc9f9eb60b978fbbbed02419 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 085/113] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.30.0
+
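Review bot: This patch has no description and no Signed-off-by trailer, unlike every other patch in the series, so the rationale for bounding bottom-up searches by `get_mmap_base(0)` is undocumented. The replaced `task_size_64bit(addr > DEFAULT_MAP_WINDOW)` was the way a caller opted into addresses above the default window via a high hint; with `*end = get_mmap_base(0)` that opt-in no longer reaches `find_start_end`, which looks deliberate but should be stated, e.g. `/* bottom-up searches stay inside [legacy base, top-down base); hints above DEFAULT_MAP_WINDOW are intentionally not honoured */` (I am inferring the effect from the names, so please confirm). `find_start_end` starts outside the hunk.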
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0086-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0086-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..f3b6f8cf0b9f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0086-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From 08e282a4b822839c382fd0b2005adfa63f8c72ae Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 086/113] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 5eea9912a0b9..f86f383a3e1d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index dacecdda2e79..14173d0f777d 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 8bde32cf9711..83d50b0a2a18 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3475,4 +3475,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index de7eac903a2a..5602178f3d21 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
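Review bot: The sysctl entry uses `.proc_handler = proc_dointvec_minmax_sysadmin`, but at this point in the series that function is still `static` and wrapped in `#ifdef CONFIG_PRINTK` (0087 removes both, see its `-#ifdef CONFIG_PRINTK` line), so a `CONFIG_PRINTK=n` build, or a bisect landing on 0086, fails to build; the two patches should be reordered or squashed. In `fsnotify_file`, `mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode)` depends on `&` binding tighter than `&&`; it is correct but reads better as `(mask & (FS_ACCESS | FS_MODIFY)) && is_sidechannel_device(inode)`. `is_sidechannel_device` would also benefit from a one-line comment stating that it only covers world-readable or world-writable char and block devices and that the stat callers exempt CAP_MKNOD holders, so the policy is visible in one place.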
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..da1cf4020902
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0087-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From 522650d52ffee85a9ae40453c1f66619227a5a7b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 087/113] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -890,8 +890,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -899,7 +918,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1585,6 +1603,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3436,6 +3460,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.30.0
+
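Review bot: The kernel-doc line `Writing is only allowed when root has CAP_SYS_ADMIN.` is imprecise: `capable()` resolves to `ns_capable(&init_user_ns, cap)`, so it checks the calling task against the initial user namespace rather than uid 0, refusing root inside a user namespace and accepting a non-root task that carries the capability. Suggest `Writing is only allowed when the caller has CAP_SYS_ADMIN in the initial user namespace.`. The `!CONFIG_PROC_SYSCTL` stub returning `-ENOSYS` matches its neighbours.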
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..149b911caadd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0088-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From a7afd6b6c5b38b5816265180932d2eea9f16ac27 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 088/113] usb: add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 17202b2ee063..9385c745d55e 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,6 +5054,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5114,6 +5117,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7d72c4e0713c..8e7549e3012a 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,6 +2035,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..f867606fbd80 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2305,6 +2308,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
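Review bot: The denial path added to hub_port_connect logs with a plain dev_err, so a device that repeatedly toggles its connection state on the port can flood the kernel log while deny_new_usb=1; use `dev_err_ratelimited(&port_dev->dev, "denied insert of USB device on port %d\n", port1);` and keep the `goto done` unchanged. The check only runs in hub_port_connect, i.e. at new-device enumeration, so devices enumerated before the toggle was set keep working and, as far as visible here, a re-enumeration that goes through the descriptors_changed path is not affected either — say so in a comment above the check (`/* refuses enumeration of newly connected devices only; does not revoke existing ones */`) so operators do not assume it revokes existing devices. The knob also gets no entry in Documentation/admin-guide/sysctl/kernel.rst in this patch. hub_port_connect's body continues outside the hunk.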
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..bb5bf03af05d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0089-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,195 @@
+From 36eb0fc6ebe37574ff531f6b0a0010975521e7b8 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 089/113] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 14 -------------
+ 6 files changed, 63 insertions(+), 18 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 9385c745d55e..b62b3da81ac4 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,9 +5054,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 9b4ac4415f1a..93b4b798bdcc 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -978,6 +981,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1012,6 +1018,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1035,6 +1043,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 8e7549e3012a..653265115e56 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,8 +2035,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index f867606fbd80..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,9 +106,6 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
+-#if IS_ENABLED(CONFIG_USB)
+-#include <linux/usb.h>
+-#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2308,17 +2305,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
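Review bot: The new drivers/usb/core/sysctl.c has no SPDX-License-Identifier line, unlike the rest of the tree, and the knob it registers remains undocumented in Documentation/admin-guide/sysctl/kernel.rst (compare the tiocsti_restrict section added by patch 0092); add `// SPDX-License-Identifier: GPL-2.0` at the top and a kernel.rst section stating that deny_new_usb=1 makes hub_port_connect refuse enumeration of newly connected devices and that writes require CAP_SYS_ADMIN. The `usb_root_table` wrapper with `.child = usb_table` can presumably be dropped by registering with `register_sysctl("kernel", usb_table)`, which returns the same ctl_table_header, if that API is present in this tree. usb_table_header is not cleared after unregister_sysctl_table, which is harmless here because usb_exit_sysctl runs once per init/exit cycle, but a `usb_table_header = NULL;` after the call would make a double exit obvious rather than a use-after-free.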
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..6b2102a5f66b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0090-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From 1f7d9dc07314e48156b5c3e6c25512e642d20628 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 090/113] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f399208c873a..282777d18d19 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c46312710e73..541c65650c5e 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4bde570d56a2..cc5caffc07fa 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ length = count;
+ out:
+ kfree(page);
+--
+2.30.0
+
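Review bot: With the `|| new_value` added to sel_write_checkreqprot, a write of "1" to /sys/fs/selinux/checkreqprot now fails with -EINVAL instead of being accepted, so the commit message's claim that the userspace API is left intact should be qualified: the node still exists and writes of "0" succeed, but a tool that sets 1 gets an error where it previously got a deprecation warning. Because the pr_warn_once that named the writer was removed in the same hunk, a rejected write leaves no trace; keep a one-liner for the `new_value != 0` case before `goto out`, e.g. `pr_warn_once("SELinux: %s (%d) attempted to set checkreqprot to 1; value is hard-wired to 0\n", current->comm, current->pid);` (the removed code copied current->comm into a local first, which is the safer form). The `file` parameter is presumably still consumed by the permission check above the hunk, so dropping `fsi` is fine. The function's head and the permission check are outside the hunk.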
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..517e09e41bf9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0091-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From 33b35283b75eb2d44bcbdabfe9c2aa0d6ce81247 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 091/113] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 56ade99ef99f..557356504a81 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3014,6 +3015,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index eb33d948788c..a205640b4c61 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -342,6 +343,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.30.0
+
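Review bot: The new owner_user_ns field in tty_struct has no comment saying what it captures, and the value is subtle: alloc_tty_struct stores current_user_ns() of the task that allocates the tty, which for a tty allocated on first open is whoever opened it first, not necessarily the later session leader. Document that at the field: `/* user namespace of the task that allocated this tty (current_user_ns() at alloc time); capability checks for TTY ioctls are done against it; reference dropped in free_tty_struct() */`. Pulling user_namespace.h into tty.h is a heavy include for one pointer; a forward declaration `struct user_namespace;` in tty.h, with the include in tty_io.c, would keep the header lighter. alloc_tty_struct's earlier lines are outside the hunk, so whether any early return between the allocation and this assignment exists cannot be checked here.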
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..4b33abaaae9f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0092-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From 6d5b6f8da6b34973dfb163ff3d85075431d65964 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 092/113] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 557356504a81..5670bd7442df 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2182,11 +2182,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a205640b4c61..116138eb394c 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -353,6 +353,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..8fd007fbec4c 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2295,6 +2298,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.30.0
+
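Review bot: The denial message in tiocsti() identifies only the tty, not the caller, so a detection pipeline watching for TIOCSTI abuse after a container-escape attempt cannot tell which process was refused; include the task, e.g. `dev_warn_ratelimited(tty->dev, "Denied TIOCSTI ioctl for non-privileged process %s (pid %d)\n", current->comm, task_pid_nr(current));`. tty->dev is presumably NULL for pty slaves (tty_get_device has no registered device to find for dynamically created pts nodes), in which case dev_warn_ratelimited still prints but with a "(NULL device *)" prefix — confirm in this tree, or use pr_warn_ratelimited with tty->name instead. The new check runs before the existing same-session check, so with tiocsti_restrict=1 a caller lacking CAP_SYS_ADMIN in owner_user_ns is refused even on its own tty, which matches what the Kconfig text and the new kernel.rst section promise.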
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..43506fddb151
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0093-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 7fda889c37015dab78d3c8665c70c5f946d5aba3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 093/113] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..902f66e879fd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0094-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From 749e2f8490ff5d562a84e84b20bb52969d7952fe Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 094/113] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b..a54c05624647 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.30.0
+
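Review bot: Initialising sysctl_unprivileged_bpf_disabled to 1 changes the runtime knob in a way the one-line commit message does not mention: in the stock 5.10 kern_table the unprivileged_bpf_disabled entry is a one-way latch (extra1 and extra2 are both SYSCTL_ONE), so with this default there is no supported way to re-enable unprivileged BPF at runtime, assuming that entry is unchanged elsewhere in this series. Add a sentence to the commit message noting the latch, and a comment at the definition: `/* hardened: default to disabled; the sysctl only permits a 0->1 transition */`. Tools that load BPF without CAP_SYS_ADMIN (or CAP_BPF where the program type allows it) will now get -EPERM, which is worth stating for operators. The patch also carries no Signed-off-by trailer.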
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..0a6ddac7a0a9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0095-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 64a2e5fe17e8d58b47cab7d7f9b9f5e9b84b6525 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 095/113] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 55454d2278b1..de02792dc2fc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -524,7 +524,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..5ec7c63c841f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0096-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From 9aa6c21341add65232ebe418f611fd754ed3e0fb Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 096/113] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 59ff3ce21026..72f912c68975 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.30.0
+
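Review bot: Setting both protected_fifos and protected_regular to 2 is stricter than 1 — per Documentation/admin-guide/sysctl/fs.rst, value 2 also applies the restriction to group-writable sticky directories, not only world-writable ones — and the empty commit message does not say so; a comment at the definitions, e.g. `/* hardened: 2 also covers group-writable sticky dirs (see sysctl/fs.rst) */`, would make the choice reviewable. Programs that O_CREAT-open regular files or FIFOs they do not own in such shared directories will get -EACCES under this default, so the patch should state that this is a deliberate break. No Signed-off-by trailer here either.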
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..145ccdcdde82
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0097-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From fd17dc980942589f789ef4a83927662e0bf530ce Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 097/113] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index bda9596d7a9f..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index f9eb66b3f152..c3d771ffc178 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.30.0
+
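Review bot: The two architectures end up with different storage classes after the revert: init_32.c declares `int kernel_set_to_readonly __read_mostly;` while init_64.c drops to a bare `int kernel_set_to_readonly;`; use `__read_mostly` on both so a later fix-up does not have to re-spot the inconsistency. The revert also moves the flag out of the read-only section with nothing in the file recording why; add a comment above each definition, e.g. `/* not __ro_after_init: mark_rodata_ro() must write this after set_memory_ro(), see linux-hardened issue #4 */`, so the next person to re-apply the upstream annotation knows about the CPA conflict. The assignment is moved from before to after set_memory_ro()/set_pages_ro(); if static_protections() in the x86 set_memory code consults the flag, as it does upstream (confirm here), that ordering change is part of the fix and should be stated in the commit body rather than only in an external issue link.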
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..3a77cc33f32f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0098-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From 9ab5b7febcd0cff6d78da4aea73da77defcf098b Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 098/113] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index a46f21a56125..6f5011b629a3 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -374,6 +374,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 50e9baefc4e7..2cbc4e8a6295 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.30.0
+
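Review bot: The new `config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE` entry in the lib/Kconfig.debug hunk has a prompt but no `help` block, so someone in menuconfig cannot tell what the option reports or that it only changes modpost's build output. Suggested help text: `Make modpost report every writable function pointer it finds (each data-to-text section reference) instead of printing only a summary count at the end of the build. This passes -f to scripts/mod/modpost and has no effect on the built kernel.` The summary warning added at the end of modpost's `main()` points users at `make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y`, which works as a command-line override of the make variable but does not persist in .config; the help text is the place to say the option can also simply be enabled in the kernel configuration.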
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..252c654ea8f3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0099-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,103 @@
+From 8919bc71742af5a856e3ca87a14432e787635f80 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 099/113] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index ded9e8536285..8730ae4244b9 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1539,6 +1539,25 @@ static void __free_pages_ok(struct page *page, unsigned int order,
+ local_irq_restore(flags);
+ }
+
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
++{
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++}
++
+ void __free_pages_core(struct page *page, unsigned int order)
+ {
+ unsigned int nr_pages = 1 << order;
+@@ -1558,22 +1577,6 @@ void __free_pages_core(struct page *page, unsigned int order)
+ }
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+-
+- if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+- unsigned long hash = 0;
+- size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+- const unsigned long *data = lowmem_page_address(page);
+-
+- for (index = 0; index < end; index++)
+- hash ^= hash + data[index];
+-#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+- latent_entropy ^= hash;
+- add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+-#else
+- add_device_randomness((const void *)&hash, sizeof(hash));
+-#endif
+- }
+-
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+@@ -1632,6 +1635,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1723,6 +1727,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1730,6 +1735,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.30.0
+
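Review bot: The condition `page_to_pfn(page) < 0x100000` in the new `__gather_extra_latent_entropy()` helper carries a magic constant with no comment, and the helper does not record the caveat the commit message itself raises (the pages are read while still owned by the bootmem allocator). With 4 KiB pages that pfn bound is the first 4 GiB, which presumably caps how much early memory is hashed at boot — confirm against the original linux-hardened commit. Suggest a header comment on the helper: `/* Mix the contents of pages about to be released to the buddy allocator into the latent-entropy pool. Limited to lowmem below pfn 0x100000 (first 4 GiB with 4 KiB pages) to bound boot-time cost; the pages are still bootmem-owned at every call site. */`. Since the helper is `__init` and all three new callers (`memblock_free_pages`, both loops of `deferred_free_range`) are `__init`, the section mismatch quoted in the message is addressed, but a one-line comment saying that the helper must stay `__init` for that reason would keep the next edit from reintroducing it.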
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..a898efac9f2a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0100-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From 3ff869aea1c77c1c9a09f9407828ae3e9a063e6d Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 100/113] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index f15109e7b111..94918210ee72 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+
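Review bot: The `#ifdef CONFIG_USER_NS_UNPRIVILEGED` / `#else` / `#endif` block around the `unprivileged_userns_clone` initialiser in kernel/user_namespace.c can be the single line `int unprivileged_userns_clone = IS_ENABLED(CONFIG_USER_NS_UNPRIVILEGED);`, which is the form the later 0105 patch in this same commit uses for `sysctl_tcp_simult_connect`; the same applies to the `sysctl_unprivileged_userfaultfd` block in the fs/userfaultfd.c hunk of 0103. In the init/Kconfig hunk, `default n` is already the implicit default and can be dropped, and the editor joke `paranoid^Wsecurity-conscious` copied from the commit message should read `security-conscious` in user-facing help text. The help text refers to the `kernel.unprivileged_userns_clone` sysctl, which this patch does not add; it presumably comes from an earlier patch in the series, so the ebuild must apply them in numeric order.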
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..7db5ebc6d47d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0101-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 1df38669747417519926d9f6f5d83f949ec2a320 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 101/113] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index a718487ad717..7e3fe39ed6a4 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.30.0
+
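Review bot: `default yes` in the `INIT_ON_ALLOC_DEFAULT_ON` hunk is not the Kconfig constant `y`; `yes` is looked up as an ordinary, undefined symbol, and as far as I can tell an undefined symbol in a bool default evaluates to n, so the intended default does not take effect. The line should be `default y`. The 0102 patch that follows (`INIT_ON_FREE_DEFAULT_ON`) has the same problem. If the ebuild's kernel config sets both options explicitly the defect is masked, which is presumably why it went unnoticed, but anyone building from these sources with a different config will not get the hardening this patch claims to enable.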
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..71693e7a2f90
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0102-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 881f05dcdc890fc10993afddef83037007b99da2 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 102/113] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 7e3fe39ed6a4..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..989f2f31580b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0103-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From 344b7f74cb36e55f356fe5db6b63979775e6454f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 103/113] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 000b457ad087..06d35ecdcbc8 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 94918210ee72..970066ca7388 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1747,6 +1747,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..f745cdaa0430
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0104-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From 5de18ec2e1472b6342922f2547ec38abcbe83e95 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 104/113] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 105dba485a7e..2138deacf719 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -630,8 +630,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index c949d918dc7f..cb8abacabfdb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2955,8 +2956,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3416,8 +3423,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.30.0
+
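Review bot: The unpoison/constructor/re-poison sequence added after the `memset()` in `slab_alloc_node()` is duplicated verbatim in `kmem_cache_alloc_bulk()`, and, if that part of mm/slub.c is untouched by earlier patches in the series, already exists a third time in `setup_object()`; a small static inline helper keeps the sites in step. The zero-then-construct ordering is the invariant that matters here — running the constructor before the memset would wipe what it set up — and the helper is the natural place to say so, since neither hunk explains why `slab_want_init_on_alloc()` now returns true for ctor caches under SLUB only. Both enclosing functions start and end outside the hunks.
```c
/*
 * Re-run the cache constructor on an object that init_on_alloc has just
 * zeroed.  Bracketed with KASAN unpoison/poison like the existing ctor
 * paths in this file.  Must be called after the memset(), never before:
 * with CONFIG_SLUB slab_want_init_on_alloc() no longer excludes ctor
 * caches, so the zeroing would otherwise undo the constructor's work.
 */
static inline void slab_rerun_ctor(struct kmem_cache *s, void *object)
{
	if (s->ctor) {
		kasan_unpoison_object_data(s, object);
		s->ctor(object);
		kasan_poison_object_data(s, object);
	}
}

/* … unchanged: slab_alloc_node() up to the init_on_alloc branch … */
	} else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
		memset(object, 0, s->object_size);
		slab_rerun_ctor(s, object);
	}

/* … unchanged: kmem_cache_alloc_bulk() up to the init_on_alloc branch … */
		for (j = 0; j < i; j++) {
			memset(p[j], 0, s->object_size);
			slab_rerun_ctor(s, p[j]);
		}
```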
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..98adb638d21b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0105-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From b9a9d9cd514de1675d69c1154fe6f42a2be8a853 Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 105/113] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+
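Review bot: The new check `if (th->syn && sysctl_tcp_simult_connect)` in `tcp_rcv_synsent_state_process()` reads a sysctl that `proc_dointvec_minmax` can change concurrently from process context without a `READ_ONCE()`; upstream annotates such reads, so `if (th->syn && READ_ONCE(sysctl_tcp_simult_connect))` is the form to use. Also, `sysctl_tcp_simult_connect` is a single global registered in `ipv4_table` rather than a per-netns knob, so a container with its own network namespace inherits the init namespace's setting and cannot change it locally; that matches `sysctl_tcp_max_orphans` next to it, but the ip-sysctl.rst entry should state that the setting is global so operators do not look for it under a namespaced /proc/sys. The enclosing function starts and ends outside the hunk.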
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..e73d84265714
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0106-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From 5f1a1382b69e88e270bbfd50cbe079d96232e71f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 106/113] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 6f5011b629a3..5fce84adc315 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -491,7 +491,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..05b8f321727a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0107-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 3cb503306cc7b9c13f69662af8bd69393a21b976 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:35:53 +0100
+Subject: [PATCH 107/113] stop hiding SYSFS_SYSCALL behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 970066ca7388..000d1c837e61 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1450,7 +1450,7 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
++ bool "Sysfs syscall support"
+ default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..9e525a9550c2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0108-disable-SYSFS_SYSCALL-by-default.patch
@@ -0,0 +1,31 @@
+From bc2c458dc4f11deebd2f25eb506fdac45c947371 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:36:54 +0100
+Subject: [PATCH 108/113] disable SYSFS_SYSCALL by default
+
+---
+ init/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 000d1c837e61..9d2db9918396 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1451,13 +1451,12 @@ config SGETMASK_SYSCALL
+
+ config SYSFS_SYSCALL
+ bool "Sysfs syscall support"
+- default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config FHANDLE
+ bool "open by fhandle syscalls" if EXPERT
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
new file mode 100644
index 000000000000..2d4f47f841bd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0109-stop-hiding-UID16-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From f6a6bcc0c3213ef7273f84a789fcf0366fe5d047 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:40:09 +0100
+Subject: [PATCH 109/113] stop hiding UID16 behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 9d2db9918396..eecd7915db04 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1419,7 +1419,7 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+ default y
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0110-disable-UID16-by-default.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0110-disable-UID16-by-default.patch
new file mode 100644
index 000000000000..e9cccabc6f60
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0110-disable-UID16-by-default.patch
@@ -0,0 +1,24 @@
+From c511ad98f7d5a51bd6a8a860e657cec62ef72177 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:41:32 +0100
+Subject: [PATCH 110/113] disable UID16 by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index eecd7915db04..2feea719cc25 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1421,7 +1421,6 @@ menuconfig EXPERT
+ config UID16
+ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..60c5432e557d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From cb8123e30a020b484018e0eadb0c6c472e9a0d14 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 111/113] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..1fc6524380b2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.8/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From 106d080c901d514eced85e8202dc59aed32ea3c1 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 112/113] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/0000_README b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/0000_README
new file mode 100644
index 000000000000..e4c8baca988b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/0000_README
@@ -0,0 +1,112 @@
+README
+--------------------------------------------------------------------------
+This patchset is to be the series of patches for gentoo-sources.
+It is designed for cross-compatibility, fixes and stability, with performance
+and additional features/driver support being a second.
+
+Unless otherwise stated and marked as such, this kernel should be suitable for
+all environments.
+
+
+Patchset Numbering Scheme
+--------------------------------------------------------------------------
+
+FIXES
+1000-1400 linux-stable
+1400-1500 linux-stable queue
+1500-1700 security
+1700-1800 architecture-related
+1800-1900 mm/scheduling/misc
+1900-2000 filesystems
+2000-2100 networking core
+2100-2200 storage core
+2200-2300 power management (ACPI, APM)
+2300-2400 bus (USB, IEEE1394, PCI, PCMCIA, ...)
+2400-2500 network drivers
+2500-2600 storage drivers
+2600-2700 input
+2700-2900 media (graphics, sound, tv)
+2900-3000 other
+3000-4000 reserved
+
+FEATURES
+4000-4100 network
+4100-4200 storage
+4200-4300 graphics
+4300-4400 filesystem
+4400-4500 security enhancement
+4500-4600 other
+
+EXPERIMENTAL
+5000-5100 experimental patches (BFQ, ...)
+
+Individual Patch Descriptions:
+--------------------------------------------------------------------------
+
+Patch: 1000_linux-5.10.1.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.1
+
+Patch: 1001_linux-5.10.2.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.2
+
+Patch: 1002_linux-5.10.3.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.3
+
+Patch: 1003_linux-5.10.4.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.4
+
+Patch: 1004_linux-5.10.5.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.5
+
+Patch: 1005_linux-5.10.6.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.6
+
+Patch: 1006_linux-5.10.7.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.7
+
+Patch: 1007_linux-5.10.8.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.8
+
+Patch: 1008_linux-5.10.9.patch
+From: http://www.kernel.org
+Desc: Linux 5.10.9
+
+Patch: 1500_XATTR_USER_PREFIX.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=470644
+Desc: Support for namespace user.pax.* on tmpfs.
+
+Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
+From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
+Desc: Enable link security restrictions by default.
+
+Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/raw
+Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
+
+Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+From: https://bugs.gentoo.org/710790
+Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino
+
+Patch: 2920_sign-file-patch-for-libressl.patch
+From: https://bugs.gentoo.org/717166
+Desc: sign-file: full functionality with modern LibreSSL
+
+Patch: 4567_distro-Gentoo-Kconfig.patch
+From: Tom Wijsman <TomWij@gentoo.org>
+Desc: Add Gentoo Linux support config settings and defaults.
+
+Patch: 5000_shifts-ubuntu-20.04.patch
+From: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal
+Desc: UID/GID shifting overlay filesystem for containers
+
+Patch: 5013_enable-cpu-optimizations-for-gcc10.patch
+From: https://github.com/graysky2/kernel_gcc_patch/
+Desc: Kernel patch enables gcc = v10.1+ optimizations for additional CPUs.
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..245dcc29fa56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..f0ed144fb17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..394ad48fc20c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..433568579cab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..e6ec017d46c8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..e754a3e6e459
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,169 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-09-24 03:06:47.590000000 -0400
++++ b/distro/Kconfig 2020-09-24 11:31:29.403150624 -0400
+@@ -0,0 +1,158 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++ select USER_NS
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
diff --git a/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
new file mode 100644
index 000000000000..665fc660b0de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/gentoo-patches/5000_shiftfs-ubuntu-20.04.patch
@@ -0,0 +1,2203 @@
+--- /dev/null 2021-01-08 13:33:13.190303432 -0500
++++ b/fs/shiftfs.c 2021-01-08 19:02:40.000000000 -0500
+@@ -0,0 +1,2157 @@
++#include <linux/btrfs.h>
++#include <linux/capability.h>
++#include <linux/cred.h>
++#include <linux/mount.h>
++#include <linux/fdtable.h>
++#include <linux/file.h>
++#include <linux/fs.h>
++#include <linux/namei.h>
++#include <linux/module.h>
++#include <linux/kernel.h>
++#include <linux/magic.h>
++#include <linux/parser.h>
++#include <linux/security.h>
++#include <linux/seq_file.h>
++#include <linux/statfs.h>
++#include <linux/slab.h>
++#include <linux/user_namespace.h>
++#include <linux/uidgid.h>
++#include <linux/xattr.h>
++#include <linux/posix_acl.h>
++#include <linux/posix_acl_xattr.h>
++#include <linux/uio.h>
++#include <linux/fiemap.h>
++
++struct shiftfs_super_info {
++ struct vfsmount *mnt;
++ struct user_namespace *userns;
++ /* creds of process who created the super block */
++ const struct cred *creator_cred;
++ bool mark;
++ unsigned int passthrough;
++ unsigned int passthrough_mark;
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry);
++
++#define SHIFTFS_PASSTHROUGH_NONE 0
++#define SHIFTFS_PASSTHROUGH_STAT 1
++#define SHIFTFS_PASSTHROUGH_IOCTL 2
++#define SHIFTFS_PASSTHROUGH_ALL \
++ (SHIFTFS_PASSTHROUGH_STAT | SHIFTFS_PASSTHROUGH_IOCTL)
++
++static inline bool shiftfs_passthrough_ioctls(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_IOCTL))
++ return false;
++
++ return true;
++}
++
++static inline bool shiftfs_passthrough_statfs(struct shiftfs_super_info *info)
++{
++ if (!(info->passthrough & SHIFTFS_PASSTHROUGH_STAT))
++ return false;
++
++ return true;
++}
++
++enum {
++ OPT_MARK,
++ OPT_PASSTHROUGH,
++ OPT_LAST,
++};
++
++/* global filesystem options */
++static const match_table_t tokens = {
++ { OPT_MARK, "mark" },
++ { OPT_PASSTHROUGH, "passthrough=%u" },
++ { OPT_LAST, NULL }
++};
++
++static const struct cred *shiftfs_override_creds(const struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ return override_creds(sbinfo->creator_cred);
++}
++
++static inline void shiftfs_revert_object_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ revert_creds(oldcred);
++ put_cred(newcred);
++}
++
++static kuid_t shift_kuid(struct user_namespace *from, struct user_namespace *to,
++ kuid_t kuid)
++{
++ uid_t uid = from_kuid(from, kuid);
++ return make_kuid(to, uid);
++}
++
++static kgid_t shift_kgid(struct user_namespace *from, struct user_namespace *to,
++ kgid_t kgid)
++{
++ gid_t gid = from_kgid(from, kgid);
++ return make_kgid(to, gid);
++}
++
++static int shiftfs_override_object_creds(const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred,
++ struct dentry *dentry, umode_t mode,
++ bool hardlink)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ if (!hardlink) {
++ int err = security_dentry_create_files_as(dentry, mode,
++ &dentry->d_name,
++ *oldcred, *newcred);
++ if (err) {
++ shiftfs_revert_object_creds(*oldcred, *newcred);
++ return err;
++ }
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static void shiftfs_copyattr(struct inode *from, struct inode *to)
++{
++ struct user_namespace *from_ns = from->i_sb->s_user_ns;
++ struct user_namespace *to_ns = to->i_sb->s_user_ns;
++
++ to->i_uid = shift_kuid(from_ns, to_ns, from->i_uid);
++ to->i_gid = shift_kgid(from_ns, to_ns, from->i_gid);
++ to->i_mode = from->i_mode;
++ to->i_atime = from->i_atime;
++ to->i_mtime = from->i_mtime;
++ to->i_ctime = from->i_ctime;
++ i_size_write(to, i_size_read(from));
++}
++
++static void shiftfs_copyflags(struct inode *from, struct inode *to)
++{
++ unsigned int mask = S_SYNC | S_IMMUTABLE | S_APPEND | S_NOATIME;
++
++ inode_set_flags(to, from->i_flags & mask, mask);
++}
++
++static void shiftfs_file_accessed(struct file *file)
++{
++ struct inode *upperi, *loweri;
++
++ if (file->f_flags & O_NOATIME)
++ return;
++
++ upperi = file_inode(file);
++ loweri = upperi->i_private;
++
++ if (!loweri)
++ return;
++
++ upperi->i_mtime = loweri->i_mtime;
++ upperi->i_ctime = loweri->i_ctime;
++
++ touch_atime(&file->f_path);
++}
++
++static int shiftfs_parse_mount_options(struct shiftfs_super_info *sbinfo,
++ char *options)
++{
++ char *p;
++ substring_t args[MAX_OPT_ARGS];
++
++ sbinfo->mark = false;
++ sbinfo->passthrough = 0;
++
++ while ((p = strsep(&options, ",")) != NULL) {
++ int err, intarg, token;
++
++ if (!*p)
++ continue;
++
++ token = match_token(p, tokens, args);
++ switch (token) {
++ case OPT_MARK:
++ sbinfo->mark = true;
++ break;
++ case OPT_PASSTHROUGH:
++ err = match_int(&args[0], &intarg);
++ if (err)
++ return err;
++
++ if (intarg & ~SHIFTFS_PASSTHROUGH_ALL)
++ return -EINVAL;
++
++ sbinfo->passthrough = intarg;
++ break;
++ default:
++ return -EINVAL;
++ }
++ }
++
++ return 0;
++}
++
++static void shiftfs_d_release(struct dentry *dentry)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (lowerd)
++ dput(lowerd);
++}
++
++static struct dentry *shiftfs_d_real(struct dentry *dentry,
++ const struct inode *inode)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (inode && d_inode(dentry) == inode)
++ return dentry;
++
++ lowerd = d_real(lowerd, inode);
++ if (lowerd && (!inode || inode == d_inode(lowerd)))
++ return lowerd;
++
++ WARN(1, "shiftfs_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
++ inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
++ return dentry;
++}
++
++static int shiftfs_d_weak_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_is_negative(lowerd) != d_is_negative(dentry))
++ return 0;
++
++ if ((lowerd->d_flags & DCACHE_OP_WEAK_REVALIDATE))
++ err = lowerd->d_op->d_weak_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static int shiftfs_d_revalidate(struct dentry *dentry, unsigned int flags)
++{
++ int err = 1;
++ struct dentry *lowerd = dentry->d_fsdata;
++
++ if (d_unhashed(lowerd) ||
++ ((d_is_negative(lowerd) != d_is_negative(dentry))))
++ return 0;
++
++ if (flags & LOOKUP_RCU)
++ return -ECHILD;
++
++ if ((lowerd->d_flags & DCACHE_OP_REVALIDATE))
++ err = lowerd->d_op->d_revalidate(lowerd, flags);
++
++ if (d_really_is_positive(dentry)) {
++ struct inode *inode = d_inode(dentry);
++ struct inode *loweri = d_inode(lowerd);
++
++ shiftfs_copyattr(loweri, inode);
++ }
++
++ return err;
++}
++
++static const struct dentry_operations shiftfs_dentry_ops = {
++ .d_release = shiftfs_d_release,
++ .d_real = shiftfs_d_real,
++ .d_revalidate = shiftfs_d_revalidate,
++ .d_weak_revalidate = shiftfs_d_weak_revalidate,
++};
++
++static const char *shiftfs_get_link(struct dentry *dentry, struct inode *inode,
++ struct delayed_call *done)
++{
++ const char *p;
++ const struct cred *oldcred;
++ struct dentry *lowerd;
++
++ /* RCU lookup not supported */
++ if (!dentry)
++ return ERR_PTR(-ECHILD);
++
++ lowerd = dentry->d_fsdata;
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ p = vfs_get_link(lowerd, done);
++ revert_creds(oldcred);
++
++ return p;
++}
++
++static int shiftfs_setxattr(struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_setxattr(lowerd, name, value, size, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(lowerd->d_inode, inode);
++
++ return err;
++}
++
++static int shiftfs_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *value, size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_getxattr(lowerd, name, value, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static ssize_t shiftfs_listxattr(struct dentry *dentry, char *list,
++ size_t size)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_listxattr(lowerd, list, size);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_removexattr(struct dentry *dentry, const char *name)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ int err;
++ const struct cred *oldcred;
++
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = vfs_removexattr(lowerd, name);
++ revert_creds(oldcred);
++
++ /* update c/mtime */
++ shiftfs_copyattr(lowerd->d_inode, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value, size_t size,
++ int flags)
++{
++ if (!value)
++ return shiftfs_removexattr(dentry, name);
++ return shiftfs_setxattr(dentry, inode, name, value, size, flags);
++}
++
++static int shiftfs_inode_test(struct inode *inode, void *data)
++{
++ return inode->i_private == data;
++}
++
++static int shiftfs_inode_set(struct inode *inode, void *data)
++{
++ inode->i_private = data;
++ return 0;
++}
++
++static int shiftfs_create_object(struct inode *diri, struct dentry *dentry,
++ umode_t mode, const char *symlink,
++ struct dentry *hardlink, bool excl)
++{
++ int err;
++ const struct cred *oldcred;
++ struct cred *newcred;
++ void *loweri_iop_ptr = NULL;
++ umode_t modei = mode;
++ struct super_block *dir_sb = diri->i_sb;
++ struct dentry *lowerd_new = dentry->d_fsdata;
++ struct inode *inode = NULL, *loweri_dir = diri->i_private;
++ const struct inode_operations *loweri_dir_iop = loweri_dir->i_op;
++ struct dentry *lowerd_link = NULL;
++
++ if (hardlink) {
++ loweri_iop_ptr = loweri_dir_iop->link;
++ } else {
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ loweri_iop_ptr = loweri_dir_iop->mkdir;
++ break;
++ case S_IFREG:
++ loweri_iop_ptr = loweri_dir_iop->create;
++ break;
++ case S_IFLNK:
++ loweri_iop_ptr = loweri_dir_iop->symlink;
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ loweri_iop_ptr = loweri_dir_iop->mknod;
++ break;
++ }
++ }
++ if (!loweri_iop_ptr) {
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ inode_lock_nested(loweri_dir, I_MUTEX_PARENT);
++
++ if (!hardlink) {
++ inode = new_inode(dir_sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_iput;
++ }
++
++ /*
++ * new_inode() will have added the new inode to the super
++ * block's list of inodes. Further below we will call
++ * inode_insert5() Which would perform the same operation again
++ * thereby corrupting the list. To avoid this raise I_CREATING
++ * in i_state which will cause inode_insert5() to skip this
++ * step. I_CREATING will be cleared by d_instantiate_new()
++ * below.
++ */
++ spin_lock(&inode->i_lock);
++ inode->i_state |= I_CREATING;
++ spin_unlock(&inode->i_lock);
++
++ inode_init_owner(inode, diri, mode);
++ modei = inode->i_mode;
++ }
++
++ err = shiftfs_override_object_creds(dentry->d_sb, &oldcred, &newcred,
++ dentry, modei, hardlink != NULL);
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ lowerd_link = hardlink->d_fsdata;
++ err = vfs_link(lowerd_link, loweri_dir, lowerd_new, NULL);
++ } else {
++ switch (modei & S_IFMT) {
++ case S_IFDIR:
++ err = vfs_mkdir(loweri_dir, lowerd_new, modei);
++ break;
++ case S_IFREG:
++ err = vfs_create(loweri_dir, lowerd_new, modei, excl);
++ break;
++ case S_IFLNK:
++ err = vfs_symlink(loweri_dir, lowerd_new, symlink);
++ break;
++ case S_IFSOCK:
++ /* fall through */
++ case S_IFIFO:
++ err = vfs_mknod(loweri_dir, lowerd_new, modei, 0);
++ break;
++ default:
++ err = -EINVAL;
++ break;
++ }
++ }
++
++ shiftfs_revert_object_creds(oldcred, newcred);
++
++ if (!err && WARN_ON(!lowerd_new->d_inode))
++ err = -EIO;
++ if (err)
++ goto out_iput;
++
++ if (hardlink) {
++ inode = d_inode(hardlink);
++ ihold(inode);
++
++ /* copy up times from lower inode */
++ shiftfs_copyattr(d_inode(lowerd_link), inode);
++ set_nlink(d_inode(hardlink), d_inode(lowerd_link)->i_nlink);
++ d_instantiate(dentry, inode);
++ } else {
++ struct inode *inode_tmp;
++ struct inode *loweri_new = d_inode(lowerd_new);
++
++ inode_tmp = inode_insert5(inode, (unsigned long)loweri_new,
++ shiftfs_inode_test, shiftfs_inode_set,
++ loweri_new);
++ if (unlikely(inode_tmp != inode)) {
++ pr_err_ratelimited("shiftfs: newly created inode found in cache\n");
++ iput(inode_tmp);
++ err = -EINVAL;
++ goto out_iput;
++ }
++
++ ihold(loweri_new);
++ shiftfs_fill_inode(inode, loweri_new->i_ino, loweri_new->i_mode,
++ 0, lowerd_new);
++ d_instantiate_new(dentry, inode);
++ }
++
++ shiftfs_copyattr(loweri_dir, diri);
++ if (loweri_iop_ptr == loweri_dir_iop->mkdir)
++ set_nlink(diri, loweri_dir->i_nlink);
++
++ inode = NULL;
++
++out_iput:
++ iput(inode);
++ inode_unlock(loweri_dir);
++
++ return err;
++}
++
++static int shiftfs_create(struct inode *dir, struct dentry *dentry,
++ umode_t mode, bool excl)
++{
++ mode |= S_IFREG;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, excl);
++}
++
++static int shiftfs_mkdir(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ mode |= S_IFDIR;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_link(struct dentry *hardlink, struct inode *dir,
++ struct dentry *dentry)
++{
++ return shiftfs_create_object(dir, dentry, 0, NULL, hardlink, false);
++}
++
++static int shiftfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
++ dev_t rdev)
++{
++ if (!S_ISFIFO(mode) && !S_ISSOCK(mode))
++ return -EPERM;
++
++ return shiftfs_create_object(dir, dentry, mode, NULL, NULL, false);
++}
++
++static int shiftfs_symlink(struct inode *dir, struct dentry *dentry,
++ const char *symlink)
++{
++ return shiftfs_create_object(dir, dentry, S_IFLNK, symlink, NULL, false);
++}
++
++static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++ struct inode *inode = d_inode(dentry);
++ int err;
++ const struct cred *oldcred;
++
++ dget(lowerd);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ inode_lock_nested(loweri, I_MUTEX_PARENT);
++ if (rmdir)
++ err = vfs_rmdir(loweri, lowerd);
++ else
++ err = vfs_unlink(loweri, lowerd, NULL);
++ revert_creds(oldcred);
++
++ if (!err) {
++ d_drop(dentry);
++
++ if (rmdir)
++ clear_nlink(inode);
++ else
++ drop_nlink(inode);
++ }
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, dir);
++ dput(lowerd);
++
++ return err;
++}
++
++static int shiftfs_unlink(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, false);
++}
++
++static int shiftfs_rmdir(struct inode *dir, struct dentry *dentry)
++{
++ return shiftfs_rm(dir, dentry, true);
++}
++
++static int shiftfs_rename(struct inode *olddir, struct dentry *old,
++ struct inode *newdir, struct dentry *new,
++ unsigned int flags)
++{
++ struct dentry *lowerd_dir_old = old->d_parent->d_fsdata,
++ *lowerd_dir_new = new->d_parent->d_fsdata,
++ *lowerd_old = old->d_fsdata, *lowerd_new = new->d_fsdata,
++ *trapd;
++ struct inode *loweri_dir_old = lowerd_dir_old->d_inode,
++ *loweri_dir_new = lowerd_dir_new->d_inode;
++ int err = -EINVAL;
++ const struct cred *oldcred;
++
++ trapd = lock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ if (trapd == lowerd_old || trapd == lowerd_new)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(old->d_sb);
++ err = vfs_rename(loweri_dir_old, lowerd_old, loweri_dir_new, lowerd_new,
++ NULL, flags);
++ revert_creds(oldcred);
++
++ shiftfs_copyattr(loweri_dir_old, olddir);
++ shiftfs_copyattr(loweri_dir_new, newdir);
++
++out_unlock:
++ unlock_rename(lowerd_dir_new, lowerd_dir_old);
++
++ return err;
++}
++
++static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry *dentry,
++ unsigned int flags)
++{
++ struct dentry *new;
++ struct inode *newi;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_parent->d_fsdata;
++ struct inode *inode = NULL, *loweri = lowerd->d_inode;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ new = lookup_one_len(dentry->d_name.name, lowerd, dentry->d_name.len);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ if (IS_ERR(new))
++ return new;
++
++ dentry->d_fsdata = new;
++
++ newi = new->d_inode;
++ if (!newi)
++ goto out;
++
++ inode = iget5_locked(dentry->d_sb, (unsigned long)newi,
++ shiftfs_inode_test, shiftfs_inode_set, newi);
++ if (!inode) {
++ dput(new);
++ return ERR_PTR(-ENOMEM);
++ }
++ if (inode->i_state & I_NEW) {
++ /*
++ * inode->i_private set by shiftfs_inode_set(), but we still
++ * need to take a reference
++ */
++ ihold(newi);
++ shiftfs_fill_inode(inode, newi->i_ino, newi->i_mode, 0, new);
++ unlock_new_inode(inode);
++ }
++
++out:
++ return d_splice_alias(inode, dentry);
++}
++
++static int shiftfs_permission(struct inode *inode, int mask)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri) {
++ WARN_ON(!(mask & MAY_NOT_BLOCK));
++ return -ECHILD;
++ }
++
++ err = generic_permission(inode, mask);
++ if (err)
++ return err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = inode_permission(loweri, mask);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_fiemap(struct inode *inode,
++ struct fiemap_extent_info *fieinfo, u64 start,
++ u64 len)
++{
++ int err;
++ const struct cred *oldcred;
++ struct inode *loweri = inode->i_private;
++
++ if (!loweri->i_op->fiemap)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ if (fieinfo->fi_flags & FIEMAP_FLAG_SYNC)
++ filemap_write_and_wait(loweri->i_mapping);
++ err = loweri->i_op->fiemap(loweri, fieinfo, start, len);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_tmpfile(struct inode *dir, struct dentry *dentry,
++ umode_t mode)
++{
++ int err;
++ const struct cred *oldcred;
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = dir->i_private;
++
++ if (!loweri->i_op->tmpfile)
++ return -EOPNOTSUPP;
++
++ oldcred = shiftfs_override_creds(dir->i_sb);
++ err = loweri->i_op->tmpfile(loweri, lowerd, mode);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++static int shiftfs_setattr(struct dentry *dentry, struct iattr *attr)
++{
++ struct dentry *lowerd = dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct iattr newattr;
++ const struct cred *oldcred;
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ int err;
++
++ err = setattr_prepare(dentry, attr);
++ if (err)
++ return err;
++
++ newattr = *attr;
++ newattr.ia_uid = shift_kuid(sb->s_user_ns, sbinfo->userns, attr->ia_uid);
++ newattr.ia_gid = shift_kgid(sb->s_user_ns, sbinfo->userns, attr->ia_gid);
++
++ /*
++ * mode change is for clearing setuid/setgid bits. Allow lower fs
++ * to interpret this in its own way.
++ */
++ if (newattr.ia_valid & (ATTR_KILL_SUID|ATTR_KILL_SGID))
++ newattr.ia_valid &= ~ATTR_MODE;
++
++ inode_lock(loweri);
++ oldcred = shiftfs_override_creds(dentry->d_sb);
++ err = notify_change(lowerd, &newattr, NULL);
++ revert_creds(oldcred);
++ inode_unlock(loweri);
++
++ shiftfs_copyattr(loweri, d_inode(dentry));
++
++ return err;
++}
++
++static int shiftfs_getattr(const struct path *path, struct kstat *stat,
++ u32 request_mask, unsigned int query_flags)
++{
++ struct inode *inode = path->dentry->d_inode;
++ struct dentry *lowerd = path->dentry->d_fsdata;
++ struct inode *loweri = lowerd->d_inode;
++ struct shiftfs_super_info *info = path->dentry->d_sb->s_fs_info;
++ struct path newpath = { .mnt = info->mnt, .dentry = lowerd };
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ const struct cred *oldcred;
++ int err;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ err = vfs_getattr(&newpath, stat, request_mask, query_flags);
++ revert_creds(oldcred);
++
++ if (err)
++ return err;
++
++ /* transform the underlying id */
++ stat->uid = shift_kuid(from_ns, to_ns, stat->uid);
++ stat->gid = shift_kgid(from_ns, to_ns, stat->gid);
++ return 0;
++}
++
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++
++static int
++shift_acl_ids(struct user_namespace *from, struct user_namespace *to,
++ struct posix_acl *acl)
++{
++ int i;
++
++ for (i = 0; i < acl->a_count; i++) {
++ struct posix_acl_entry *e = &acl->a_entries[i];
++ switch(e->e_tag) {
++ case ACL_USER:
++ e->e_uid = shift_kuid(from, to, e->e_uid);
++ if (!uid_valid(e->e_uid))
++ return -EOVERFLOW;
++ break;
++ case ACL_GROUP:
++ e->e_gid = shift_kgid(from, to, e->e_gid);
++ if (!gid_valid(e->e_gid))
++ return -EOVERFLOW;
++ break;
++ }
++ }
++ return 0;
++}
++
++static void
++shift_acl_xattr_ids(struct user_namespace *from, struct user_namespace *to,
++ void *value, size_t size)
++{
++ struct posix_acl_xattr_header *header = value;
++ struct posix_acl_xattr_entry *entry = (void *)(header + 1), *end;
++ int count;
++ kuid_t kuid;
++ kgid_t kgid;
++
++ if (!value)
++ return;
++ if (size < sizeof(struct posix_acl_xattr_header))
++ return;
++ if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
++ return;
++
++ count = posix_acl_xattr_count(size);
++ if (count < 0)
++ return;
++ if (count == 0)
++ return;
++
++ for (end = entry + count; entry != end; entry++) {
++ switch(le16_to_cpu(entry->e_tag)) {
++ case ACL_USER:
++ kuid = make_kuid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kuid = shift_kuid(from, to, kuid);
++ entry->e_id = cpu_to_le32(from_kuid(&init_user_ns, kuid));
++ break;
++ case ACL_GROUP:
++ kgid = make_kgid(&init_user_ns, le32_to_cpu(entry->e_id));
++ kgid = shift_kgid(from, to, kgid);
++ entry->e_id = cpu_to_le32(from_kgid(&init_user_ns, kgid));
++ break;
++ default:
++ break;
++ }
++ }
++}
++
++static struct posix_acl *shiftfs_get_acl(struct inode *inode, int type)
++{
++ struct inode *loweri = inode->i_private;
++ const struct cred *oldcred;
++ struct posix_acl *lower_acl, *acl = NULL;
++ struct user_namespace *from_ns = loweri->i_sb->s_user_ns;
++ struct user_namespace *to_ns = inode->i_sb->s_user_ns;
++ int size;
++ int err;
++
++ if (!IS_POSIXACL(loweri))
++ return NULL;
++
++ oldcred = shiftfs_override_creds(inode->i_sb);
++ lower_acl = get_acl(loweri, type);
++ revert_creds(oldcred);
++
++ if (lower_acl && !IS_ERR(lower_acl)) {
++ /* XXX: export posix_acl_clone? */
++ size = sizeof(struct posix_acl) +
++ lower_acl->a_count * sizeof(struct posix_acl_entry);
++ acl = kmemdup(lower_acl, size, GFP_KERNEL);
++ posix_acl_release(lower_acl);
++
++ if (!acl)
++ return ERR_PTR(-ENOMEM);
++
++ refcount_set(&acl->a_refcount, 1);
++
++ err = shift_acl_ids(from_ns, to_ns, acl);
++ if (err) {
++ kfree(acl);
++ return ERR_PTR(err);
++ }
++ }
++
++ return acl;
++}
++
++static int
++shiftfs_posix_acl_xattr_get(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, void *buffer, size_t size)
++{
++ struct inode *loweri = inode->i_private;
++ int ret;
++
++ ret = shiftfs_xattr_get(NULL, dentry, inode, handler->name,
++ buffer, size);
++ if (ret < 0)
++ return ret;
++
++ inode_lock(loweri);
++ shift_acl_xattr_ids(loweri->i_sb->s_user_ns, inode->i_sb->s_user_ns,
++ buffer, size);
++ inode_unlock(loweri);
++ return ret;
++}
++
++static int
++shiftfs_posix_acl_xattr_set(const struct xattr_handler *handler,
++ struct dentry *dentry, struct inode *inode,
++ const char *name, const void *value,
++ size_t size, int flags)
++{
++ struct inode *loweri = inode->i_private;
++ int err;
++
++ if (!IS_POSIXACL(loweri) || !loweri->i_op->set_acl)
++ return -EOPNOTSUPP;
++ if (handler->flags == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
++ return value ? -EACCES : 0;
++ if (!inode_owner_or_capable(inode))
++ return -EPERM;
++
++ if (value) {
++ shift_acl_xattr_ids(inode->i_sb->s_user_ns,
++ loweri->i_sb->s_user_ns,
++ (void *)value, size);
++ err = shiftfs_setxattr(dentry, inode, handler->name, value,
++ size, flags);
++ } else {
++ err = shiftfs_removexattr(dentry, handler->name);
++ }
++
++ if (!err)
++ shiftfs_copyattr(loweri, inode);
++
++ return err;
++}
++
++static const struct xattr_handler
++shiftfs_posix_acl_access_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_ACCESS,
++ .flags = ACL_TYPE_ACCESS,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++static const struct xattr_handler
++shiftfs_posix_acl_default_xattr_handler = {
++ .name = XATTR_NAME_POSIX_ACL_DEFAULT,
++ .flags = ACL_TYPE_DEFAULT,
++ .get = shiftfs_posix_acl_xattr_get,
++ .set = shiftfs_posix_acl_xattr_set,
++};
++
++#else /* !CONFIG_SHIFT_FS_POSIX_ACL */
++
++#define shiftfs_get_acl NULL
++
++#endif /* CONFIG_SHIFT_FS_POSIX_ACL */
++
++static const struct inode_operations shiftfs_dir_inode_operations = {
++ .lookup = shiftfs_lookup,
++ .mkdir = shiftfs_mkdir,
++ .symlink = shiftfs_symlink,
++ .unlink = shiftfs_unlink,
++ .rmdir = shiftfs_rmdir,
++ .rename = shiftfs_rename,
++ .link = shiftfs_link,
++ .setattr = shiftfs_setattr,
++ .create = shiftfs_create,
++ .mknod = shiftfs_mknod,
++ .permission = shiftfs_permission,
++ .getattr = shiftfs_getattr,
++ .listxattr = shiftfs_listxattr,
++ .get_acl = shiftfs_get_acl,
++};
++
++static const struct inode_operations shiftfs_file_inode_operations = {
++ .fiemap = shiftfs_fiemap,
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++ .tmpfile = shiftfs_tmpfile,
++};
++
++static const struct inode_operations shiftfs_special_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_acl = shiftfs_get_acl,
++ .listxattr = shiftfs_listxattr,
++ .permission = shiftfs_permission,
++ .setattr = shiftfs_setattr,
++};
++
++static const struct inode_operations shiftfs_symlink_inode_operations = {
++ .getattr = shiftfs_getattr,
++ .get_link = shiftfs_get_link,
++ .listxattr = shiftfs_listxattr,
++ .setattr = shiftfs_setattr,
++};
++
++static struct file *shiftfs_open_realfile(const struct file *file,
++ struct inode *realinode)
++{
++ struct file *realfile;
++ const struct cred *old_cred;
++ struct inode *inode = file_inode(file);
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ old_cred = shiftfs_override_creds(inode->i_sb);
++ realfile = open_with_fake_path(&realpath, file->f_flags, realinode,
++ info->creator_cred);
++ revert_creds(old_cred);
++
++ return realfile;
++}
++
++#define SHIFTFS_SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT)
++
++static int shiftfs_change_flags(struct file *file, unsigned int flags)
++{
++ struct inode *inode = file_inode(file);
++ int err;
++
++ /* if some flag changed that cannot be changed then something's amiss */
++ if (WARN_ON((file->f_flags ^ flags) & ~SHIFTFS_SETFL_MASK))
++ return -EIO;
++
++ flags &= SHIFTFS_SETFL_MASK;
++
++ if (((flags ^ file->f_flags) & O_APPEND) && IS_APPEND(inode))
++ return -EPERM;
++
++ if (flags & O_DIRECT) {
++ if (!file->f_mapping->a_ops ||
++ !file->f_mapping->a_ops->direct_IO)
++ return -EINVAL;
++ }
++
++ if (file->f_op->check_flags) {
++ err = file->f_op->check_flags(flags);
++ if (err)
++ return err;
++ }
++
++ spin_lock(&file->f_lock);
++ file->f_flags = (file->f_flags & ~SHIFTFS_SETFL_MASK) | flags;
++ spin_unlock(&file->f_lock);
++
++ return 0;
++}
++
++static int shiftfs_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++
++ realfile = shiftfs_open_realfile(file, inode->i_private);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO. */
++ file->f_mapping = realfile->f_mapping;
++
++ return 0;
++}
++
++static int shiftfs_dir_open(struct inode *inode, struct file *file)
++{
++ struct file *realfile;
++ const struct cred *oldcred;
++ struct dentry *lowerd = file->f_path.dentry->d_fsdata;
++ struct shiftfs_super_info *info = inode->i_sb->s_fs_info;
++ struct path realpath = { .mnt = info->mnt, .dentry = lowerd };
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ realfile = dentry_open(&realpath, file->f_flags | O_NOATIME,
++ info->creator_cred);
++ revert_creds(oldcred);
++ if (IS_ERR(realfile))
++ return PTR_ERR(realfile);
++
++ file->private_data = realfile;
++
++ return 0;
++}
++
++static int shiftfs_release(struct inode *inode, struct file *file)
++{
++ struct file *realfile = file->private_data;
++
++ if (realfile)
++ fput(realfile);
++
++ return 0;
++}
++
++static int shiftfs_dir_release(struct inode *inode, struct file *file)
++{
++ return shiftfs_release(inode, file);
++}
++
++static loff_t shiftfs_dir_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct file *realfile = file->private_data;
++
++ return vfs_llseek(realfile, offset, whence);
++}
++
++static loff_t shiftfs_file_llseek(struct file *file, loff_t offset, int whence)
++{
++ struct inode *realinode = file_inode(file)->i_private;
++
++ return generic_file_llseek_size(file, offset, whence,
++ realinode->i_sb->s_maxbytes,
++ i_size_read(realinode));
++}
++
++/* XXX: Need to figure out what to to about atime updates, maybe other
++ * timestamps too ... ref. ovl_file_accessed() */
++
++static rwf_t shiftfs_iocb_to_rwf(struct kiocb *iocb)
++{
++ int ifl = iocb->ki_flags;
++ rwf_t flags = 0;
++
++ if (ifl & IOCB_NOWAIT)
++ flags |= RWF_NOWAIT;
++ if (ifl & IOCB_HIPRI)
++ flags |= RWF_HIPRI;
++ if (ifl & IOCB_DSYNC)
++ flags |= RWF_DSYNC;
++ if (ifl & IOCB_SYNC)
++ flags |= RWF_SYNC;
++
++ return flags;
++}
++
++static int shiftfs_real_fdget(const struct file *file, struct fd *lowerfd)
++{
++ struct file *realfile;
++
++ if (file->f_op->open != shiftfs_open &&
++ file->f_op->open != shiftfs_dir_open)
++ return -EINVAL;
++
++ realfile = file->private_data;
++ lowerfd->flags = 0;
++ lowerfd->file = realfile;
++
++ /* Did the flags change since open? */
++ if (unlikely(file->f_flags & ~lowerfd->file->f_flags))
++ return shiftfs_change_flags(lowerfd->file, file->f_flags);
++
++ return 0;
++}
++
++static ssize_t shiftfs_read_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_iter_read(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static ssize_t shiftfs_write_iter(struct kiocb *iocb, struct iov_iter *iter)
++{
++ struct file *file = iocb->ki_filp;
++ struct inode *inode = file_inode(file);
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ ssize_t ret;
++
++ if (!iov_iter_count(iter))
++ return 0;
++
++ inode_lock(inode);
++ /* Update mode */
++ shiftfs_copyattr(inode->i_private, inode);
++ ret = file_remove_privs(file);
++ if (ret)
++ goto out_unlock;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_unlock;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ file_start_write(lowerfd.file);
++ ret = vfs_iter_write(lowerfd.file, iter, &iocb->ki_pos,
++ shiftfs_iocb_to_rwf(iocb));
++ file_end_write(lowerfd.file);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(inode->i_private, inode);
++
++ fdput(lowerfd);
++
++out_unlock:
++ inode_unlock(inode);
++ return ret;
++}
++
++static int shiftfs_fsync(struct file *file, loff_t start, loff_t end,
++ int datasync)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fsync_range(lowerfd.file, start, end, datasync);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_mmap(struct file *file, struct vm_area_struct *vma)
++{
++ struct file *realfile = file->private_data;
++ const struct cred *oldcred;
++ int ret;
++
++ if (!realfile->f_op->mmap)
++ return -ENODEV;
++
++ if (WARN_ON(file != vma->vm_file))
++ return -EIO;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ vma->vm_file = get_file(realfile);
++ ret = call_mmap(vma->vm_file, vma);
++ revert_creds(oldcred);
++
++ shiftfs_file_accessed(file);
++
++ if (ret) {
++ /*
++ * Drop refcount from new vm_file value and restore original
++ * vm_file value
++ */
++ vma->vm_file = file;
++ fput(realfile);
++ } else {
++ /* Drop refcount from previous vm_file value */
++ fput(file);
++ }
++
++ return ret;
++}
++
++static long shiftfs_fallocate(struct file *file, int mode, loff_t offset,
++ loff_t len)
++{
++ struct inode *inode = file_inode(file);
++ struct inode *loweri = inode->i_private;
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fallocate(lowerfd.file, mode, offset, len);
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_fadvise(struct file *file, loff_t offset, loff_t len,
++ int advice)
++{
++ struct fd lowerfd;
++ const struct cred *oldcred;
++ int ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ return ret;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ ret = vfs_fadvise(lowerfd.file, offset, len, advice);
++ revert_creds(oldcred);
++
++ fdput(lowerfd);
++ return ret;
++}
++
++static int shiftfs_override_ioctl_creds(int cmd, const struct super_block *sb,
++ const struct cred **oldcred,
++ struct cred **newcred)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ kuid_t fsuid = current_fsuid();
++ kgid_t fsgid = current_fsgid();
++
++ *oldcred = shiftfs_override_creds(sb);
++
++ *newcred = prepare_creds();
++ if (!*newcred) {
++ revert_creds(*oldcred);
++ return -ENOMEM;
++ }
++
++ (*newcred)->fsuid = shift_kuid(sb->s_user_ns, sbinfo->userns, fsuid);
++ (*newcred)->fsgid = shift_kgid(sb->s_user_ns, sbinfo->userns, fsgid);
++
++ /* clear all caps to prevent bypassing capable() checks */
++ cap_clear((*newcred)->cap_bset);
++ cap_clear((*newcred)->cap_effective);
++ cap_clear((*newcred)->cap_inheritable);
++ cap_clear((*newcred)->cap_permitted);
++
++ if (cmd == BTRFS_IOC_SNAP_DESTROY) {
++ kuid_t kuid_root = make_kuid(sb->s_user_ns, 0);
++ /*
++ * Allow the root user in the container to remove subvolumes
++ * from other users.
++ */
++ if (uid_valid(kuid_root) && uid_eq(fsuid, kuid_root))
++ cap_raise((*newcred)->cap_effective, CAP_DAC_OVERRIDE);
++ }
++
++ put_cred(override_creds(*newcred));
++ return 0;
++}
++
++static inline void shiftfs_revert_ioctl_creds(const struct cred *oldcred,
++ struct cred *newcred)
++{
++ return shiftfs_revert_object_creds(oldcred, newcred);
++}
++
++static inline bool is_btrfs_snap_ioctl(int cmd)
++{
++ if ((cmd == BTRFS_IOC_SNAP_CREATE) || (cmd == BTRFS_IOC_SNAP_CREATE_V2))
++ return true;
++
++ return false;
++}
++
++static int shiftfs_btrfs_ioctl_fd_restore(int cmd, int fd, void __user *arg,
++ struct btrfs_ioctl_vol_args *v1,
++ struct btrfs_ioctl_vol_args_v2 *v2)
++{
++ int ret;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE)
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ else
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++
++ __close_fd(current->files, fd);
++ kfree(v1);
++ kfree(v2);
++
++ return ret;
++}
++
++static int shiftfs_btrfs_ioctl_fd_replace(int cmd, void __user *arg,
++ struct btrfs_ioctl_vol_args **b1,
++ struct btrfs_ioctl_vol_args_v2 **b2,
++ int *newfd)
++{
++ int oldfd, ret;
++ struct fd src;
++ struct fd lfd = {};
++ struct btrfs_ioctl_vol_args *v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *v2 = NULL;
++
++ if (!is_btrfs_snap_ioctl(cmd))
++ return 0;
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1 = memdup_user(arg, sizeof(*v1));
++ if (IS_ERR(v1))
++ return PTR_ERR(v1);
++ oldfd = v1->fd;
++ *b1 = v1;
++ } else {
++ v2 = memdup_user(arg, sizeof(*v2));
++ if (IS_ERR(v2))
++ return PTR_ERR(v2);
++ oldfd = v2->fd;
++ *b2 = v2;
++ }
++
++ src = fdget(oldfd);
++ if (!src.file)
++ return -EINVAL;
++
++ ret = shiftfs_real_fdget(src.file, &lfd);
++ if (ret) {
++ fdput(src);
++ return ret;
++ }
++
++ /*
++ * shiftfs_real_fdget() does not take a reference to lfd.file, so
++ * take a reference here to offset the one which will be put by
++ * __close_fd(), and make sure that reference is put on fdput(lfd).
++ */
++ get_file(lfd.file);
++ lfd.flags |= FDPUT_FPUT;
++ fdput(src);
++
++ *newfd = get_unused_fd_flags(lfd.file->f_flags);
++ if (*newfd < 0) {
++ fdput(lfd);
++ return *newfd;
++ }
++
++ fd_install(*newfd, lfd.file);
++
++ if (cmd == BTRFS_IOC_SNAP_CREATE) {
++ v1->fd = *newfd;
++ ret = copy_to_user(arg, v1, sizeof(*v1));
++ v1->fd = oldfd;
++ } else {
++ v2->fd = *newfd;
++ ret = copy_to_user(arg, v2, sizeof(*v2));
++ v2->fd = oldfd;
++ }
++
++ if (ret)
++ shiftfs_btrfs_ioctl_fd_restore(cmd, *newfd, arg, v1, v2);
++
++ return ret;
++}
++
++static long shiftfs_real_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ struct fd lowerfd;
++ struct cred *newcred;
++ const struct cred *oldcred;
++ int newfd = -EBADF;
++ long err = 0, ret = 0;
++ void __user *argp = (void __user *)arg;
++ struct super_block *sb = file->f_path.dentry->d_sb;
++ struct btrfs_ioctl_vol_args *btrfs_v1 = NULL;
++ struct btrfs_ioctl_vol_args_v2 *btrfs_v2 = NULL;
++
++ ret = shiftfs_btrfs_ioctl_fd_replace(cmd, argp, &btrfs_v1, &btrfs_v2,
++ &newfd);
++ if (ret < 0)
++ return ret;
++
++ ret = shiftfs_real_fdget(file, &lowerfd);
++ if (ret)
++ goto out_restore;
++
++ ret = shiftfs_override_ioctl_creds(cmd, sb, &oldcred, &newcred);
++ if (ret)
++ goto out_fdput;
++
++ ret = vfs_ioctl(lowerfd.file, cmd, arg);
++
++ shiftfs_revert_ioctl_creds(oldcred, newcred);
++
++ shiftfs_copyattr(file_inode(lowerfd.file), file_inode(file));
++ shiftfs_copyflags(file_inode(lowerfd.file), file_inode(file));
++
++out_fdput:
++ fdput(lowerfd);
++
++out_restore:
++ err = shiftfs_btrfs_ioctl_fd_restore(cmd, newfd, argp,
++ btrfs_v1, btrfs_v2);
++ if (!ret)
++ ret = err;
++
++ return ret;
++}
++
++static bool in_ioctl_whitelist(int flag, unsigned long arg)
++{
++ void __user *argp = (void __user *)arg;
++ u64 flags = 0;
++
++ switch (flag) {
++ case BTRFS_IOC_FS_INFO:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE:
++ return true;
++ case BTRFS_IOC_SNAP_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE:
++ return true;
++ case BTRFS_IOC_SUBVOL_CREATE_V2:
++ return true;
++ case BTRFS_IOC_SUBVOL_GETFLAGS:
++ return true;
++ case BTRFS_IOC_SUBVOL_SETFLAGS:
++ if (copy_from_user(&flags, argp, sizeof(flags)))
++ return false;
++
++ if (flags & ~BTRFS_SUBVOL_RDONLY)
++ return false;
++
++ return true;
++ case BTRFS_IOC_SNAP_DESTROY:
++ return true;
++ }
++
++ return false;
++}
++
++static long shiftfs_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC_GETVERSION:
++ /* fall through */
++ case FS_IOC_GETFLAGS:
++ /* fall through */
++ case FS_IOC_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOTTY;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++static long shiftfs_compat_ioctl(struct file *file, unsigned int cmd,
++ unsigned long arg)
++{
++ switch (cmd) {
++ case FS_IOC32_GETVERSION:
++ /* fall through */
++ case FS_IOC32_GETFLAGS:
++ /* fall through */
++ case FS_IOC32_SETFLAGS:
++ break;
++ default:
++ if (!in_ioctl_whitelist(cmd, arg) ||
++ !shiftfs_passthrough_ioctls(file->f_path.dentry->d_sb->s_fs_info))
++ return -ENOIOCTLCMD;
++ }
++
++ return shiftfs_real_ioctl(file, cmd, arg);
++}
++
++enum shiftfs_copyop {
++ SHIFTFS_COPY,
++ SHIFTFS_CLONE,
++ SHIFTFS_DEDUPE,
++};
++
++static ssize_t shiftfs_copyfile(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out, u64 len,
++ unsigned int flags, enum shiftfs_copyop op)
++{
++ ssize_t ret;
++ struct fd real_in, real_out;
++ const struct cred *oldcred;
++ struct inode *inode_out = file_inode(file_out);
++ struct inode *loweri = inode_out->i_private;
++
++ ret = shiftfs_real_fdget(file_out, &real_out);
++ if (ret)
++ return ret;
++
++ ret = shiftfs_real_fdget(file_in, &real_in);
++ if (ret) {
++ fdput(real_out);
++ return ret;
++ }
++
++ oldcred = shiftfs_override_creds(inode_out->i_sb);
++ switch (op) {
++ case SHIFTFS_COPY:
++ ret = vfs_copy_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_CLONE:
++ ret = vfs_clone_file_range(real_in.file, pos_in, real_out.file,
++ pos_out, len, flags);
++ break;
++
++ case SHIFTFS_DEDUPE:
++ ret = vfs_dedupe_file_range_one(real_in.file, pos_in,
++ real_out.file, pos_out, len,
++ flags);
++ break;
++ }
++ revert_creds(oldcred);
++
++ /* Update size */
++ shiftfs_copyattr(loweri, inode_out);
++
++ fdput(real_in);
++ fdput(real_out);
++
++ return ret;
++}
++
++static ssize_t shiftfs_copy_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ size_t len, unsigned int flags)
++{
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len, flags,
++ SHIFTFS_COPY);
++}
++
++static loff_t shiftfs_remap_file_range(struct file *file_in, loff_t pos_in,
++ struct file *file_out, loff_t pos_out,
++ loff_t len, unsigned int remap_flags)
++{
++ enum shiftfs_copyop op;
++
++ if (remap_flags & ~(REMAP_FILE_DEDUP | REMAP_FILE_ADVISORY))
++ return -EINVAL;
++
++ if (remap_flags & REMAP_FILE_DEDUP)
++ op = SHIFTFS_DEDUPE;
++ else
++ op = SHIFTFS_CLONE;
++
++ return shiftfs_copyfile(file_in, pos_in, file_out, pos_out, len,
++ remap_flags, op);
++}
++
++static int shiftfs_iterate_shared(struct file *file, struct dir_context *ctx)
++{
++ const struct cred *oldcred;
++ int err = -ENOTDIR;
++ struct file *realfile = file->private_data;
++
++ oldcred = shiftfs_override_creds(file->f_path.dentry->d_sb);
++ err = iterate_dir(realfile, ctx);
++ revert_creds(oldcred);
++
++ return err;
++}
++
++const struct file_operations shiftfs_file_operations = {
++ .open = shiftfs_open,
++ .release = shiftfs_release,
++ .llseek = shiftfs_file_llseek,
++ .read_iter = shiftfs_read_iter,
++ .write_iter = shiftfs_write_iter,
++ .fsync = shiftfs_fsync,
++ .mmap = shiftfs_mmap,
++ .fallocate = shiftfs_fallocate,
++ .fadvise = shiftfs_fadvise,
++ .unlocked_ioctl = shiftfs_ioctl,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .copy_file_range = shiftfs_copy_file_range,
++ .remap_file_range = shiftfs_remap_file_range,
++};
++
++const struct file_operations shiftfs_dir_operations = {
++ .open = shiftfs_dir_open,
++ .release = shiftfs_dir_release,
++ .compat_ioctl = shiftfs_compat_ioctl,
++ .fsync = shiftfs_fsync,
++ .iterate_shared = shiftfs_iterate_shared,
++ .llseek = shiftfs_dir_llseek,
++ .read = generic_read_dir,
++ .unlocked_ioctl = shiftfs_ioctl,
++};
++
++static const struct address_space_operations shiftfs_aops = {
++ /* For O_DIRECT dentry_open() checks f_mapping->a_ops->direct_IO */
++ .direct_IO = noop_direct_IO,
++};
++
++static void shiftfs_fill_inode(struct inode *inode, unsigned long ino,
++ umode_t mode, dev_t dev, struct dentry *dentry)
++{
++ struct inode *loweri;
++
++ inode->i_ino = ino;
++ inode->i_flags |= S_NOCMTIME;
++
++ mode &= S_IFMT;
++ inode->i_mode = mode;
++ switch (mode & S_IFMT) {
++ case S_IFDIR:
++ inode->i_op = &shiftfs_dir_inode_operations;
++ inode->i_fop = &shiftfs_dir_operations;
++ break;
++ case S_IFLNK:
++ inode->i_op = &shiftfs_symlink_inode_operations;
++ break;
++ case S_IFREG:
++ inode->i_op = &shiftfs_file_inode_operations;
++ inode->i_fop = &shiftfs_file_operations;
++ inode->i_mapping->a_ops = &shiftfs_aops;
++ break;
++ default:
++ inode->i_op = &shiftfs_special_inode_operations;
++ init_special_inode(inode, mode, dev);
++ break;
++ }
++
++ if (!dentry)
++ return;
++
++ loweri = dentry->d_inode;
++ if (!loweri->i_op->get_link)
++ inode->i_opflags |= IOP_NOFOLLOW;
++
++ shiftfs_copyattr(loweri, inode);
++ shiftfs_copyflags(loweri, inode);
++ set_nlink(inode, loweri->i_nlink);
++}
++
++static int shiftfs_show_options(struct seq_file *m, struct dentry *dentry)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo->mark)
++ seq_show_option(m, "mark", NULL);
++
++ if (sbinfo->passthrough)
++ seq_printf(m, ",passthrough=%u", sbinfo->passthrough);
++
++ return 0;
++}
++
++static int shiftfs_statfs(struct dentry *dentry, struct kstatfs *buf)
++{
++ struct super_block *sb = dentry->d_sb;
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++ struct dentry *root = sb->s_root;
++ struct dentry *realroot = root->d_fsdata;
++ struct path realpath = { .mnt = sbinfo->mnt, .dentry = realroot };
++ int err;
++
++ err = vfs_statfs(&realpath, buf);
++ if (err)
++ return err;
++
++ if (!shiftfs_passthrough_statfs(sbinfo))
++ buf->f_type = sb->s_magic;
++
++ return 0;
++}
++
++static void shiftfs_evict_inode(struct inode *inode)
++{
++ struct inode *loweri = inode->i_private;
++
++ clear_inode(inode);
++
++ if (loweri)
++ iput(loweri);
++}
++
++static void shiftfs_put_super(struct super_block *sb)
++{
++ struct shiftfs_super_info *sbinfo = sb->s_fs_info;
++
++ if (sbinfo) {
++ mntput(sbinfo->mnt);
++ put_cred(sbinfo->creator_cred);
++ kfree(sbinfo);
++ }
++}
++
++static const struct xattr_handler shiftfs_xattr_handler = {
++ .prefix = "",
++ .get = shiftfs_xattr_get,
++ .set = shiftfs_xattr_set,
++};
++
++const struct xattr_handler *shiftfs_xattr_handlers[] = {
++#ifdef CONFIG_SHIFT_FS_POSIX_ACL
++ &shiftfs_posix_acl_access_xattr_handler,
++ &shiftfs_posix_acl_default_xattr_handler,
++#endif
++ &shiftfs_xattr_handler,
++ NULL
++};
++
++static inline bool passthrough_is_subset(int old_flags, int new_flags)
++{
++ if ((new_flags & old_flags) != new_flags)
++ return false;
++
++ return true;
++}
++
++static int shiftfs_super_check_flags(unsigned long old_flags,
++ unsigned long new_flags)
++{
++ if ((old_flags & SB_RDONLY) && !(new_flags & SB_RDONLY))
++ return -EPERM;
++
++ if ((old_flags & SB_NOSUID) && !(new_flags & SB_NOSUID))
++ return -EPERM;
++
++ if ((old_flags & SB_NODEV) && !(new_flags & SB_NODEV))
++ return -EPERM;
++
++ if ((old_flags & SB_NOEXEC) && !(new_flags & SB_NOEXEC))
++ return -EPERM;
++
++ if ((old_flags & SB_NOATIME) && !(new_flags & SB_NOATIME))
++ return -EPERM;
++
++ if ((old_flags & SB_NODIRATIME) && !(new_flags & SB_NODIRATIME))
++ return -EPERM;
++
++ if (!(old_flags & SB_POSIXACL) && (new_flags & SB_POSIXACL))
++ return -EPERM;
++
++ return 0;
++}
++
++static int shiftfs_remount(struct super_block *sb, int *flags, char *data)
++{
++ int err;
++ struct shiftfs_super_info new = {};
++ struct shiftfs_super_info *info = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(&new, data);
++ if (err)
++ return err;
++
++ err = shiftfs_super_check_flags(sb->s_flags, *flags);
++ if (err)
++ return err;
++
++ /* Mark mount option cannot be changed. */
++ if (info->mark || (info->mark != new.mark))
++ return -EPERM;
++
++ if (info->passthrough != new.passthrough) {
++ /* Don't allow exceeding passthrough options of mark mount. */
++ if (!passthrough_is_subset(info->passthrough_mark,
++ info->passthrough))
++ return -EPERM;
++
++ info->passthrough = new.passthrough;
++ }
++
++ return 0;
++}
++
++static const struct super_operations shiftfs_super_ops = {
++ .put_super = shiftfs_put_super,
++ .show_options = shiftfs_show_options,
++ .statfs = shiftfs_statfs,
++ .remount_fs = shiftfs_remount,
++ .evict_inode = shiftfs_evict_inode,
++};
++
++struct shiftfs_data {
++ void *data;
++ const char *path;
++};
++
++static void shiftfs_super_force_flags(struct super_block *sb,
++ unsigned long lower_flags)
++{
++ sb->s_flags |= lower_flags & (SB_RDONLY | SB_NOSUID | SB_NODEV |
++ SB_NOEXEC | SB_NOATIME | SB_NODIRATIME);
++
++ if (!(lower_flags & SB_POSIXACL))
++ sb->s_flags &= ~SB_POSIXACL;
++}
++
++static int shiftfs_fill_super(struct super_block *sb, void *raw_data,
++ int silent)
++{
++ int err;
++ struct path path = {};
++ struct shiftfs_super_info *sbinfo_mp;
++ char *name = NULL;
++ struct inode *inode = NULL;
++ struct dentry *dentry = NULL;
++ struct shiftfs_data *data = raw_data;
++ struct shiftfs_super_info *sbinfo = NULL;
++
++ if (!data->path)
++ return -EINVAL;
++
++ sb->s_fs_info = kzalloc(sizeof(*sbinfo), GFP_KERNEL);
++ if (!sb->s_fs_info)
++ return -ENOMEM;
++ sbinfo = sb->s_fs_info;
++
++ err = shiftfs_parse_mount_options(sbinfo, data->data);
++ if (err)
++ return err;
++
++ /* to mount a mark, must be userns admin */
++ if (!sbinfo->mark && !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
++ return -EPERM;
++
++ name = kstrdup(data->path, GFP_KERNEL);
++ if (!name)
++ return -ENOMEM;
++
++ err = kern_path(name, LOOKUP_FOLLOW, &path);
++ if (err)
++ goto out_free_name;
++
++ if (!S_ISDIR(path.dentry->d_inode->i_mode)) {
++ err = -ENOTDIR;
++ goto out_put_path;
++ }
++
++ sb->s_flags |= SB_POSIXACL;
++
++ if (sbinfo->mark) {
++ struct cred *cred_tmp;
++ struct super_block *lower_sb = path.mnt->mnt_sb;
++
++ /* to mark a mount point, must root wrt lower s_user_ns */
++ if (!ns_capable(lower_sb->s_user_ns, CAP_SYS_ADMIN)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ /*
++ * this part is visible unshifted, so make sure no
++ * executables that could be used to give suid
++ * privileges
++ */
++ sb->s_iflags = SB_I_NOEXEC;
++
++ shiftfs_super_force_flags(sb, lower_sb->s_flags);
++
++ /*
++ * Handle nesting of shiftfs mounts by referring this mark
++ * mount back to the original mark mount. This is more
++ * efficient and alleviates concerns about stack depth.
++ */
++ if (lower_sb->s_magic == SHIFTFS_MAGIC) {
++ sbinfo_mp = lower_sb->s_fs_info;
++
++ /* Doesn't make sense to mark a mark mount */
++ if (sbinfo_mp->mark) {
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough)) {
++ err = -EPERM;
++ goto out_put_path;
++ }
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up the passthrough mount options from the
++ * parent mark mountpoint.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough_mark;
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ } else {
++ sbinfo->mnt = mntget(path.mnt);
++ dentry = dget(path.dentry);
++ /*
++ * For a new mark passthrough_mark and passthrough
++ * are identical.
++ */
++ sbinfo->passthrough_mark = sbinfo->passthrough;
++
++ cred_tmp = prepare_creds();
++ if (!cred_tmp) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ /* Don't override disk quota limits or use reserved space. */
++ cap_lower(cred_tmp->cap_effective, CAP_SYS_RESOURCE);
++ sbinfo->creator_cred = cred_tmp;
++ }
++ } else {
++ /*
++ * This leg executes if we're admin capable in the namespace,
++ * so be very careful.
++ */
++ err = -EPERM;
++ if (path.dentry->d_sb->s_magic != SHIFTFS_MAGIC)
++ goto out_put_path;
++
++ sbinfo_mp = path.dentry->d_sb->s_fs_info;
++ if (!sbinfo_mp->mark)
++ goto out_put_path;
++
++ if (!passthrough_is_subset(sbinfo_mp->passthrough,
++ sbinfo->passthrough))
++ goto out_put_path;
++
++ sbinfo->mnt = mntget(sbinfo_mp->mnt);
++ sbinfo->creator_cred = get_cred(sbinfo_mp->creator_cred);
++ dentry = dget(path.dentry->d_fsdata);
++ /*
++ * Copy up passthrough settings from mark mountpoint so we can
++ * verify when the overlay wants to remount with different
++ * passthrough settings.
++ */
++ sbinfo->passthrough_mark = sbinfo_mp->passthrough;
++ shiftfs_super_force_flags(sb, path.mnt->mnt_sb->s_flags);
++ }
++
++ sb->s_stack_depth = dentry->d_sb->s_stack_depth + 1;
++ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
++ printk(KERN_ERR "shiftfs: maximum stacking depth exceeded\n");
++ err = -EINVAL;
++ goto out_put_path;
++ }
++
++ inode = new_inode(sb);
++ if (!inode) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++ shiftfs_fill_inode(inode, dentry->d_inode->i_ino, S_IFDIR, 0, dentry);
++
++ ihold(dentry->d_inode);
++ inode->i_private = dentry->d_inode;
++
++ sb->s_magic = SHIFTFS_MAGIC;
++ sb->s_maxbytes = MAX_LFS_FILESIZE;
++ sb->s_op = &shiftfs_super_ops;
++ sb->s_xattr = shiftfs_xattr_handlers;
++ sb->s_d_op = &shiftfs_dentry_ops;
++ sb->s_root = d_make_root(inode);
++ if (!sb->s_root) {
++ err = -ENOMEM;
++ goto out_put_path;
++ }
++
++ sb->s_root->d_fsdata = dentry;
++ sbinfo->userns = get_user_ns(dentry->d_sb->s_user_ns);
++ shiftfs_copyattr(dentry->d_inode, sb->s_root->d_inode);
++
++ dentry = NULL;
++ err = 0;
++
++out_put_path:
++ path_put(&path);
++
++out_free_name:
++ kfree(name);
++
++ dput(dentry);
++
++ return err;
++}
++
++static struct dentry *shiftfs_mount(struct file_system_type *fs_type,
++ int flags, const char *dev_name, void *data)
++{
++ struct shiftfs_data d = { data, dev_name };
++
++ return mount_nodev(fs_type, flags, &d, shiftfs_fill_super);
++}
++
++static struct file_system_type shiftfs_type = {
++ .owner = THIS_MODULE,
++ .name = "shiftfs",
++ .mount = shiftfs_mount,
++ .kill_sb = kill_anon_super,
++ .fs_flags = FS_USERNS_MOUNT,
++};
++
++static int __init shiftfs_init(void)
++{
++ return register_filesystem(&shiftfs_type);
++}
++
++static void __exit shiftfs_exit(void)
++{
++ unregister_filesystem(&shiftfs_type);
++}
++
++MODULE_ALIAS_FS("shiftfs");
++MODULE_AUTHOR("James Bottomley");
++MODULE_AUTHOR("Seth Forshee <seth.forshee@canonical.com>");
++MODULE_AUTHOR("Christian Brauner <christian.brauner@ubuntu.com>");
++MODULE_DESCRIPTION("id shifting filesystem");
++MODULE_LICENSE("GPL v2");
++module_init(shiftfs_init)
++module_exit(shiftfs_exit)
+--- a/include/uapi/linux/magic.h 2021-01-06 19:08:45.234777659 -0500
++++ b/include/uapi/linux/magic.h 2021-01-06 19:09:53.900375394 -0500
+@@ -96,4 +96,6 @@
+ #define DEVMEM_MAGIC 0x454d444d /* "DMEM" */
+ #define Z3FOLD_MAGIC 0x33
+
++#define SHIFTFS_MAGIC 0x6a656a62
++
+ #endif /* __LINUX_MAGIC_H__ */
+--- a/fs/Makefile 2021-01-08 18:08:28.187064015 -0500
++++ b/fs/Makefile 2021-01-08 18:09:00.788217579 -0500
+@@ -136,3 +136,4 @@ obj-$(CONFIG_EFIVAR_FS) += efivarfs/
+ obj-$(CONFIG_EROFS_FS) += erofs/
+ obj-$(CONFIG_VBOXSF_FS) += vboxsf/
+ obj-$(CONFIG_ZONEFS_FS) += zonefs/
++obj-$(CONFIG_SHIFT_FS) += shiftfs.o
+--- a/fs/Kconfig 2021-01-06 19:14:17.709697891 -0500
++++ b/fs/Kconfig 2021-01-06 19:15:23.413281282 -0500
+@@ -122,6 +122,24 @@ source "fs/autofs/Kconfig"
+ source "fs/fuse/Kconfig"
+ source "fs/overlayfs/Kconfig"
+
++config SHIFT_FS
++ tristate "UID/GID shifting overlay filesystem for containers"
++ help
++ This filesystem can overlay any mounted filesystem and shift
++ the uid/gid the files appear at. The idea is that
++ unprivileged containers can use this to mount root volumes
++ using this technique.
++
++config SHIFT_FS_POSIX_ACL
++ bool "shiftfs POSIX Access Control Lists"
++ depends on SHIFT_FS
++ select FS_POSIX_ACL
++ help
++ POSIX Access Control Lists (ACLs) support permissions for users and
++ groups beyond the owner/group/world scheme.
++
++ If you don't know what Access Control Lists are, say N.
++
+ menu "Caches"
+
+ source "fs/fscache/Kconfig"
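Review bot: The SHIFT_FS help text says unprivileged containers can use this but never states what privilege a mount actually needs, which is the detail an integrator deciding whether to enable it wants: the file_system_type earlier in this patch is registered with FS_USERNS_MOUNT, and in shiftfs_fill_super a non-mark mount requires only CAP_SYS_ADMIN in the caller's own user namespace plus a target that is already a shiftfs mark mount, whereas creating the mark itself requires CAP_SYS_ADMIN over the lower filesystem's s_user_ns. Once a mark carries the `passthrough` option, the whitelisted btrfs ioctls become reachable from an unprivileged user namespace through shiftfs_ioctl, so enabling this option widens the ioctl surface exposed to unprivileged code. I would add to the help text: `Any user-namespace admin can mount a shifted view of a directory that a privileged user has first marked (mark option); build this only if that exposure is intended.`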
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..6d51081a6c82
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From c08148e63cf99a834bdcc61af247e6b6ad40951b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/113] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 390165ffbb0f..3b24c9e3535e 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.30.0
+
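Review bot: The new 65536/32768 default is only the initial value of the vm.mmap_min_addr sysctl, not an enforced floor, and the patch body should say so along with the compatibility cost, since software that maps the first 64 KiB (vm86/DOSEMU-style users, 16-bit Wine, as I recall from this entry's own help text further down) will fail until an administrator lowers the sysctl. Only three lines of the help text are visible here, so I cannot tell whether its description of the default was updated to match; if it still describes 4096 it should be refreshed in the same patch. A suggested body line: `This raises the default vm.mmap_min_addr to the LSM value; programs needing low mappings must lower it via sysctl.`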
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..5e7e86682928
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From b895b1b6a104ad8f4c2c05d8c85040b4b787732a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/113] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..5ea45ca688fa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From 467fa2ec364a40ccb9a7618fa211104bc79c3a7b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/113] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.30.0
+
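Review bot: This patch carries no Signed-off-by trailer and no body explaining the consequence of dropping `default y`, unlike its neighbours in the series. The retained help text says the fallback exists so that missing usercopy whitelists are merely reported with WARN(); with it off, a copy to or from a slab object whose cache has no usercopy region is, as I read hardened usercopy, treated as a violation and aborted, so out-of-tree modules and drivers with incomplete whitelists need to be audited before this kernel ships. Suggest a body along the lines of `Whitelist misses now fail hard instead of warning; audit out-of-tree modules for caches reached by copy_{to,from}_user` plus a Signed-off-by line.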
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..402c5a6cd5b0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 593daac6352ec4fceff83c152ba3632ea64d85a8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/113] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..c64e04c8bb19
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From 967e396861b82f8d0daff25b5a9b2bb008076aec Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/113] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 14c9a6af1b23..2501f75bd74d 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.30.0
+
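Review bot: Initialising kptr_restrict to 2 hides %pK pointers from everyone, including tasks with CAP_SYSLOG, so root-run tooling that resolves kernel addresses (perf, crash, anything reading /proc/kallsyms, which I believe follows the same setting) sees zeroed addresses until `kernel.kptr_restrict` is lowered at runtime; the patch body should record that and name the sysctl as the escape hatch. The bare initializer also deserves a comment for anyone grepping vsprintf.c: `/* 2: never expose %pK values, even to CAP_SYSLOG; overridable via kernel.kptr_restrict */`. Note for the series README that this is a default, not an enforced value.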
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..208bb4f287c7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From 0febc4111e3e908623ab2489e5cba9446e9213e9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/113] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index c789b39ed527..89c9d6aebf77 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1471,6 +1471,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..df35827929f9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From f5fa582231e90e6bb094e05a8604cc10bb0a793e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/113] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 89c9d6aebf77..11068e77d146 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1511,6 +1511,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..cd7aef62607d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From 935268b79a412174ac7343954e2adfc10902459e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/113] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a6b5b7ef40ae..a145245ec5e7 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1199,6 +1199,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..b547e6ec6e22
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From f99493c13116246e9ba06383824cce6e856d4e5d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/113] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index a145245ec5e7..21088a6532d8 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1790,6 +1790,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..da841868f26d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From ff368e2ff05808d37dec571568c0f50287e4d77c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/113] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 0872a5a2e759..dcbcb4243316 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1929,6 +1929,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..7d55ca97f37e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From b59aebba3ceef4122584686d3a2f82b7e7e34176 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/113] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index dcbcb4243316..667d1c6c021b 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1938,6 +1938,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..b42f315b54de
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From 97af255a10ce384d48a18cdb397bedf852dbe749 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/113] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 667d1c6c021b..859ab5ae66ff 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1914,7 +1914,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..d50416cabd0e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From 90dc8c5eb2ff066f12771c539f71c2b9cf87b273 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/113] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..7a26f3e4bcaf
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From 9e0cedb9a03ca4f234554676ae91a47dc2148e09 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/113] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 11068e77d146..45b169177fb9 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -894,6 +894,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -903,7 +904,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.30.0
+
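Review bot: The `default y` on PANIC_ON_OOPS together with the `Say Y if unsure.` help change in the second hunk means any oops, including one raised by a buggy out-of-tree module, now takes the whole machine down, and since 0007 in the same series also defaults BUG_ON_DATA_CORRUPTION to y, a detected list corruption becomes a halt rather than a logged warning. Unless CONFIG_PANIC_TIMEOUT is set, a panicked kernel sits at the panic screen indefinitely, so unattended hosts need `panic=N` on the command line or `kernel.panic` via sysctl to come back up; nothing in this patch series says so. These are vendored linux-hardened patches, so the caveat belongs in the ebuild's post-install message or a README next to the hardened-patches directory rather than in the patch itself.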
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..841b15deb76f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From e355335e289287e665b996c16df84c007636df2e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/113] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 859ab5ae66ff..74680a15ceb4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1843,7 +1843,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..ab3cc0ae988d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From da8913e5cd8444478e81fc0199eea97667bd2070 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/113] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 3a5ecb1039bf..d2d5e0cbf85c 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1194,7 +1194,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..d1ff728f0d80
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From 04b55cd1dcace045623c8a6f9b8895c88ef84fc9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/113] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index d2d5e0cbf85c..ab6e7e2d3cf0 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1195,7 +1195,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..1922a8338bf4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 9aad5f717e78e14e27f51daef922f86bb8ff3008 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/113] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ab6e7e2d3cf0..7b9df510469b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2392,7 +2392,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..7f1d4061b693
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From 62ab31d8233198ce7f059ef4aa7ad33b36b0bbe7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/113] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 7b9df510469b..63e1e9fc18dd 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2393,7 +2393,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..b36fe7105d80
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From ac50dc84da87a3894df39d03be2747b57c749fad Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/113] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 63e1e9fc18dd..4fd082de7420 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2296,7 +2296,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..fbfc43d136ba
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From c918ded1d65dce93c974c5b06a96664a9f88221e Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/113] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 74680a15ceb4..8605f3e78e47 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1591,7 +1591,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..05c3bee7b5ba
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From 756ecd7b6e3c0fb46d8bf89a2013327b27da668d Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/113] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 8605f3e78e47..21f0b6926cf3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1592,7 +1592,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..fe358e24e5bb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From 97969c017205cbf4060c1786c521724a833f95f2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/113] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 5cfe3cf6f2ac..f25871361bdc 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..892cc5d4a63f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From 0b9b844d33431c8cc5ee572342fa783a144e2f9f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/113] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index d229a2d0c017..68178c3a25de 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -391,7 +391,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..79c6cb420f0f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From 333c60e37e16b27149c5af06b91eddba8eae3e40 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/113] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..dbf48be81e75
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From 957e4171bbb0432c97b10872c51e84fa121997ce Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/113] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index e2a488d403a6..ce54c1c693a8 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..bc4c4099f7dd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From caea72027aca57069470dc5218ace236188b8f0b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/113] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..38e02cb2f77e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From c7a6d86985eda3812758d07f7c2ffc54b076478f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/113] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..29e9479fc76b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From bffed3709c1980aab2e55b2d8397e948b4a29762 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/113] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 68178c3a25de..2fd45f01e7a2 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -327,7 +327,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..476697f069c6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 8b568dd1513a5b69cd9d378868291c358c4a0b71 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/113] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 45b169177fb9..a46f21a56125 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1668,6 +1668,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..52e28d4db2b7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From 48c45c757acdd747ab5b1c47100b0476b9b9869e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/113] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 21f0b6926cf3..4f5827e10be3 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1866,7 +1866,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..f931f28343e3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From ff5211c87bb6c691cedcec47acbca66339d8e113 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/113] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 69fe7133c765..8b5c346d5dd8 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -752,7 +752,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -786,7 +786,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..cdd2322e5d6a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From 81e0ac7582c94a0a3e95ca71dae0a3a832b54aa1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/113] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index d4a6dd772303..59ff3ce21026 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.30.0
+
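Review bot: This patch edits the same two `sysctl_protected_symlinks`/`sysctl_protected_hardlinks` lines in fs/namei.c that Gentoo's genpatches `1510_fs-enable-link-security-restrictions-by-default.patch` flips from 0 to 1, so if the ebuild applies both the gentoo-patches and the hardened-patches series to one tree, whichever runs second will see a rejected hunk because its `-` context no longer matches. Worth confirming that the ebuild excludes one of the two for this package; the ebuild is outside this hunk. The adjacent `sysctl_protected_fifos` and `sysctl_protected_regular` are left at the upstream default of 0 here, which is consistent with the patch's stated scope but means those two protections still have to be enabled at runtime via sysctl on hardened hosts.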
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..9198fcc8b9d0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From 4fee8ec7986f701856c13fc257b6a73ecf1adc1b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/113] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..dfe54cd72d5a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From c9064201bf14d83ccbd5e6fb674b106dc45117c7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/113] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..20cb373b0412
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From c1bffc520a3493d1457463be0be28fca3c9d995b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/113] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..fb630a62b55d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From 50995ff90f3b4c0646cf088cfa5bc32b7bea7554 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/113] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 4f5827e10be3..9b75a4921575 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -419,6 +419,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..c45be54530b6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 3ba7070144172d142f4126950485ca597c6939a3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/113] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..672a1ec5a491
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From 0a5d70a559e9754652239f57ca2aadb5b6585bfe Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/113] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..df9832e31583
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0040-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 18f719b5161dddc75f318861005ff1e4a4ef2db7 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 040/113] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..1e279f6d7633 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.30.0
+
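Review bot: `default yes` at the `INIT_ON_ALLOC_DEFAULT_ON` hunk is not a Kconfig tristate literal; `yes` is parsed as a reference to a symbol that is never defined, and an undefined symbol evaluates to n, so the option is not actually enabled by default and the patch is a no-op. The same line appears in 0041 for `INIT_ON_FREE_DEFAULT_ON`. Both should read `default y`, and a defconfig or `olddefconfig` check that the symbols come out as y would catch this kind of silent failure in the hardened series.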
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..4e982d9b4435
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0041-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 4f0609d264254471d8f2e8127d8b78bdca19624b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 041/113] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 1e279f6d7633..2fa447823405 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..5417d9c2c1ec
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0042-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From b700b765dd26ebe26b35b301399942a244a921d3 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 042/113] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index a46f21a56125..4a1a32a059f4 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -488,7 +488,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..0516071630e9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0043-stop-hiding-SYSFS_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 6a7dfafae70e0305fc3d75f579386934276df8c8 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:35:53 +0100
+Subject: [PATCH 043/113] stop hiding SYSFS_SYSCALL behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 9b75a4921575..006d4d41e3af 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1434,7 +1434,7 @@ config SGETMASK_SYSCALL
+ If unsure, leave the default option here.
+
+ config SYSFS_SYSCALL
+- bool "Sysfs syscall support" if EXPERT
++ bool "Sysfs syscall support"
+ default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..fc26dc353954
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0044-disable-SYSFS_SYSCALL-by-default.patch
@@ -0,0 +1,31 @@
+From 96339bb02ae66fd7ed944364d2d2d60937fdc16a Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:36:54 +0100
+Subject: [PATCH 044/113] disable SYSFS_SYSCALL by default
+
+---
+ init/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 006d4d41e3af..3d6b1b23e2db 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1435,13 +1435,12 @@ config SGETMASK_SYSCALL
+
+ config SYSFS_SYSCALL
+ bool "Sysfs syscall support"
+- default y
+ help
+ sys_sysfs is an obsolete system call no longer supported in libc.
+ Note that disabling this option is more secure but might break
+ compatibility with some systems.
+
+- If unsure say Y here.
++ If unsure say N here.
+
+ config FHANDLE
+ bool "open by fhandle syscalls" if EXPERT
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch
new file mode 100644
index 000000000000..72da549d2c6e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0045-stop-hiding-UID16-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 784df6727e4ffa2e0eac2fa16cb35564abe3ffec Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:40:09 +0100
+Subject: [PATCH 045/113] stop hiding UID16 behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 3d6b1b23e2db..2b6d0492def5 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1403,7 +1403,7 @@ menuconfig EXPERT
+ Only use this if you really know what you are doing.
+
+ config UID16
+- bool "Enable 16-bit UID system calls" if EXPERT
++ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+ default y
+ help
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0046-disable-UID16-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0046-disable-UID16-by-default.patch
new file mode 100644
index 000000000000..aac19b55adb0
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0046-disable-UID16-by-default.patch
@@ -0,0 +1,24 @@
+From 9a68e972e38347a1927e8fbb22611c222a4cbb75 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Tue, 22 Dec 2020 23:41:32 +0100
+Subject: [PATCH 046/113] disable UID16 by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 2b6d0492def5..58df4930995f 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1405,7 +1405,6 @@ menuconfig EXPERT
+ config UID16
+ bool "Enable 16-bit UID system calls"
+ depends on HAVE_UID16 && MULTIUSER
+- default y
+ help
+ This enables the legacy 16-bit UID syscall wrappers.
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..4a9800a8e873
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0047-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From c5c4ff5a56e02bd16c034d568f9c60b876822ae4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 047/113] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index d742c57eaee5..f0222c070458 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __section(".data..ro_after_init")
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0048-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0048-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..b02bff45353b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0048-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From 2a61c23a99cf6547dab8335378dadfe41e7418cb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 048/113] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..0254ae87e99c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0049-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From 754920c103a3ab1c579a3241f16f0e74221cd94f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 049/113] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..63a0f8097d0a 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.30.0
+
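Review bot: Patch 0049 is immediately undone by 0050, whose body says the `__ro_after_init` marking on `kernel_set_to_readonly` causes CPA conflicts, so the pair contributes nothing to the final tree and only adds two apply steps that can fail on a rebase. Dropping both files from the series (and from whatever list the ebuild applies, which is outside this chunk) gives the same result with less to maintain. If they are kept for provenance, a line in 0050's description saying that the net effect is zero would save the next reviewer from re-checking the reordering of `set_memory_ro`/`set_pages_ro` and the assignment.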
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..ab744a1e00d8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0050-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From 2405e1d6c15fc42cea726aad766b543ea50e6241 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 050/113] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..7c055259de3a 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 63a0f8097d0a..b5a3fa4033d3 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..8714f3f736ed
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0051-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From 959e911bb724b2b0fae06af0f70d87562347ac6e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 051/113] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3f4303f4b657..7a8d4d37cffb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3363,9 +3363,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4883,7 +4883,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.30.0
+
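Review bot: The patch body is empty, and marking `slub_debug`, `slub_debug_string`, `disable_higher_order_debug`, the `slub_*_order`/`slub_min_objects` knobs and `memcg_sysfs_enabled` as `__ro_after_init` is only safe if every writer runs before `mark_rodata_ro`; presumably they are all `__setup`/`__init` handlers in this tree, but the description should state that invariant so a future runtime-writable sysfs attribute for any of them is caught in review rather than as a write-protection fault at runtime. A one-line commit body such as `All writers are __init setup handlers; a later runtime write would fault.` would do.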
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..e511665a8393
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0052-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From 2ce9b3abeee44fe91a0d1a4b437d6b82b3ec5807 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 052/113] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..e68384a3eded
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0053-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From f2da4d4a6b9a51404dbdedc96a31afc679aa4c76 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 053/113] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..7c638945b1e7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0054-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From 2ac41cc0030d5f7d390784265ae75f373d2f2b7b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 054/113] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5a3fa4033d3..c3d771ffc178 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.30.0
+
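Review bot: Both masks remain exported (`EXPORT_SYMBOL_GPL(__supported_pte_mask);` and `EXPORT_SYMBOL(__default_kernel_pte_mask);` in the init_32.c and init_64.c hunks), so module code can still take their address, and after this change any post-init store through it faults on the read-only mapping instead of silently widening the kernel PTE mask. That is the intended hardening effect, but the description only says the change was extracted from PaX KERNEXEC. It should record the assumption being relied on, e.g. `All in-tree writers run during early boot before .data..ro_after_init is sealed; late or module writers are no longer supported.` As far as I know the remaining writers are NX and PTI setup, but that should be re-checked against the 5.10 tree rather than taken from this note.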
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..330bc26f13fa
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0055-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From d53e0cfc0aefc1a7d0897c5724c61437b8ab01f6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 055/113] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.30.0
+
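Review bot: `int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);` in include/linux/kobject_ns.h turns a publicly declared function into one whose text is freed with the init sections; a caller that runs after free_initmem() (a module, or a later-added late initcall) would jump into released memory, and the header gives no hint of that. The description only says this lets kobj_ns_ops_tbl become __ro_after_init; it should also state the call-site assumption, e.g. `The only caller is the netdev sysfs initialisation, which is itself __init; any new caller must be __init too.` 0056 makes the same change to open_softirq in include/linux/interrupt.h with no note on its callers. If the 5.10 callers have not been audited for this tree, that audit should precede carrying both patches.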
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..ed508d5f5d73
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0056-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From ff1b1e591088960b026c1dbba863260fd1bf5bcc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 056/113] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index ee8299eb1f52..f03b78ae5f0a 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 09229ad82209..0595a8248c4a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..ca059d7d7591
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0057-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From 02a23dd9c7a518ccee1067f4fd7be7246075ddf3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 057/113] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 2a1eff60c797..75a0077ea1a9 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f03b78ae5f0a..4381b79f76cf 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 593df7edfe97..3285d81d8a26 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2722,7 +2722,7 @@ static __latent_entropy void rcu_core(void)
+ queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work);
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index ae7ceba8fd4f..d118be5f18b8 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10628,7 +10628,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0595a8248c4a..3a21b22227c1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -486,7 +486,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -532,8 +532,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -573,14 +572,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 387b4bef7dd1..8fe28c28a906 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1587,7 +1587,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..217bc49a3856 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1753,7 +1753,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 38412e70f761..c3cd49e04b7b 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4856,7 +4856,7 @@ int netif_rx_any_context(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_any_context);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6803,7 +6803,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..d7521ab21f83
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0058-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From 5897eb27d1526693a60422b1fc35f227bab3f6de Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 058/113] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 3a21b22227c1..6a02d63b135a 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.30.0
+
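Review bot: The new declaration `static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);` pads an array of NR_SOFTIRQS function pointers to a page boundary, and the description explains only why __cacheline_aligned_in_smp had to go (it carries its own section attribute, which conflicts with the __ro_after_init section), not why PAGE_SIZE alignment was chosen instead. Read-only data has no false-sharing problem, so the natural replacement would be plain `__ro_after_init` or `__ro_after_init ____cacheline_aligned`. If the page alignment is deliberate — for instance to keep the softirq table in its own read-only page — the commit message should say so, e.g. extend the note to `__cacheline_aligned_in_smp selects .data..cacheline_aligned, which conflicts with __ro_after_init; __aligned(PAGE_SIZE) keeps the table in its own read-only page.`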
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..a8566bf164b1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0059-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From 28200a5f9b0475dff1ae77082b8c93a0d54dd8b0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 059/113] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index f9977d6613d6..5adb48bb2e68 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -435,9 +435,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.30.0
+
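Review bot: The `#ifdef CONFIG_BUG_ON_DATA_CORRUPTION` / `BUG_ON(!PageSlab(page));` / `#else` … `#endif` block added to virt_to_cache() open-codes what include/linux/bug.h already provides as `CHECK_DATA_CORRUPTION(condition, fmt, ...)`, which BUG()s under that option and WARN()s otherwise; 0060 (cache_from_obj) and 0061 (__ksize) repeat the same hand-rolled pattern. Using the helper here would read `if (CHECK_DATA_CORRUPTION(!PageSlab(page), "%s: Object is not a Slab page!\n", __func__))` followed by `return NULL;`, and keeps the corruption policy in one place. One nuance: the helper uses WARN rather than WARN_ONCE, so the non-BUG configuration would log on every hit instead of once; if that matters here, keep WARN_ONCE and say why in a comment.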
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..620f5cad9ede
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0060-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From c2b5b02ca3a38a17b536a74e4b1530fbdd669164 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 060/113] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 5adb48bb2e68..9fef4285514a 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -471,10 +471,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
++#endif
+ print_tracking(cachep, x);
++ }
+ return cachep;
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..0a3cc38b1c4c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0061-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From 4088d6038cb1378f391dd956e2e5431c95334781 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 061/113] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 7a8d4d37cffb..391880ea7445 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4092,7 +4092,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..807950b20955
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0062-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 1e25cf9c966b3d9ad2045d8b24fff3626c4466c8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 062/113] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 14b9e83ff9da..84070ae3885e 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2284,6 +2284,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 2fa447823405..83ad70ae6bc3 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -219,6 +219,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
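Review bot: The help text for `config PAGE_SANITIZE_VERIFY` says the option detects write-after-free bugs but not what detection does: verify_zero_highpage() is `BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));`, so a single dirty page halts the kernel, and prep_new_page() now maps and scans all `1 << order` pages of every allocation whenever init_on_free is active. Both facts belong in the help text of a `default y` option, e.g. append `A non-zero page triggers BUG(). Every newly allocated page is scanned, which has a measurable allocation-path cost.` The check is gated on `want_init_on_free()`, so with init_on_free disabled the option is a no-op; that is worth stating too.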
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..b8d33136a582
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0063-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 985d592a0130e9256059ffab878e5b4048b60e9a Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 063/113] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 9fef4285514a..0fcd97a4eb6f 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -641,9 +641,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 391880ea7445..3c2c22488439 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.30.0
+
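Review bot: The comment added in slab_free_freelist_hook() contains `ones, which have s->offset != NULL))` — an unbalanced parenthesis and a comparison of an offset against NULL; `offset` in struct kmem_cache is an integer byte offset, so the intended statement is presumably a non-zero offset. I'd rewrite that line as `* ones, which have a non-zero s->offset) causes a GPF,`. Separately, the hunk now calls `s->ctor(object);` on the free path right after the wipe, so constructors run once per free in addition to once at slab setup; that is sound only if SLUB constructors are pure initialisers, and the description should say that ctor caches are now sanitized and that their ctors must be idempotent and side-effect free.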
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..3cc95809cde1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0064-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From f362f6adb22cf03806adfd3994da8a21ddcbc597 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 064/113] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 3c2c22488439..d5427ead7d74 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2897,7 +2903,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3337,7 +3352,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 83ad70ae6bc3..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -226,6 +226,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.30.0
+
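Review bot: `config SLAB_SANITIZE_VERIFY` has `depends on !KASAN` but no `depends on SLUB`, while every consumer this patch adds (`has_sanitize_verify()` and the checks in slab_alloc_node and kmem_cache_alloc_bulk) lives in mm/slub.c, so on a CONFIG_SLAB or CONFIG_SLOB kernel the option would appear enabled yet verify nothing; add `depends on SLUB` alongside the existing dependency, as 0065's SLAB_CANARY does. The `kasan_unpoison_object_data()` / `kasan_poison_object_data()` pairs around the `BUG_ON(memchr_inv(...))` checks are dead code under `!KASAN`; either the dependency can be dropped if the pairing is sufficient, or the comments should say the calls are kept for a future KASAN-compatible mode. The free-path condition `!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor` bypasses has_sanitize_verify(); that is equivalent only if the enclosing branch already sits under slab_want_init_on_free(s), which begins outside this hunk.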
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..14a729677948
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0065-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From e14734f36f6835f5371fab894bfb445056bfa670 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 065/113] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 58df4930995f..2af6689d9e71 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1943,6 +1943,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0fcd97a4eb6f..105dba485a7e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -504,7 +504,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index d5427ead7d74..a06d34be763a 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2915,6 +2958,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3302,7 +3350,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3372,6 +3420,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3573,6 +3626,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3753,6 +3807,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3826,6 +3883,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4099,6 +4160,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.30.0
+
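Review bot: The per-cache secrets added in kmem_cache_open (`s->random_active = get_random_long();`, `s->random_inactive = get_random_long();`) are fixed at cache creation, so caches set up during early boot — kmem_cache_node via early_kmem_cache_node_alloc, kmem_cache itself and the kmalloc caches — get their canary values from whatever entropy get_random_long() has before the CRNG is seeded, the same caveat that already applies to SLAB_FREELIST_HARDENED's `s->random` on the line above. This is inherent to the design rather than a bug, but neither the commit message nor the SLAB_CANARY help text says so; a comment at the assignment, `/* Canary secrets are fixed at cache creation; boot-time caches get whatever entropy is available then (same caveat as s->random above). */`, would keep the next reader from assuming a stronger guarantee. Separately, `get_canary_value` relies on CANARY_MASK, which this patch neither defines nor lists in its diffstat — presumably an earlier patch in the series introduces it, and the commit message could say which. It is also worth stating in the help text that a mismatch is reported through `BUG_ON`, i.e. the offending context is killed rather than logged, since that fail-stop trade-off is what an administrator enabling this option accepts.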
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..b21bf0ca48b9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0066-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From 4448c1ad8e8ba581e5cde9343479c9140c370f40 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 066/113] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 96450f6fb1de..d020c26b612a 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1312,6 +1312,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index c3ba29d058b7..6efbf92763b1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -407,8 +407,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11638,7 +11643,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.30.0
+
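Review bot: The new SECURITY_PERF_EVENTS_RESTRICT help text (`no unprivileged use of the perf_event_open syscall will be permitted`) does not say which privilege lifts the restriction, while `perf_allow_open` gates on `perfmon_capable()`, i.e. CAP_PERFMON or CAP_SYS_ADMIN; the sysctl row added to kernel.rst does name CAP_PERFMON, so the Kconfig text should match it, e.g. `... unless the caller has CAP_PERFMON (or CAP_SYS_ADMIN) or the sysctl is lowered.`. The commit message still says `users without CAP_SYS_ADMIN`, which predates the CAP_PERFMON adaptation recorded in the trailer and is now narrower than what the code enforces. The check itself follows perf_allow_kernel's `-EACCES` convention on the neighbouring lines, which is the right shape.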
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..dd345e6b4081
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0067-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From 7fe66b1e27064b49bcc1e4c0e96ab13698346f73 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 067/113] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..e7710605ba1a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0068-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From bbe1a03db5c12911149ce15253f622196fc95612 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 068/113] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index c675fdbd3dce..cba344194fba 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1863,6 +1864,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2928,6 +2933,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index e703d5d9cbe8..29a30cff5e60 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.30.0
+
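Review bot: The unprivileged_userns_clone entry added to kern_table uses `proc_dointvec` with no bounds, so any integer is accepted even though the copy_process and ksys_unshare checks only test the value for zero/non-zero; clamping it to 0/1 with `.proc_handler = proc_dointvec_minmax,` `.extra1 = SYSCTL_ZERO,` `.extra2 = SYSCTL_ONE,` makes the interface unambiguous. The new sysctl is also not described in Documentation/admin-guide/sysctl/kernel.rst (the diffstat touches no documentation), so administrators have no reference for it; a short entry stating that it defaults to 0 and that, when 0, CLONE_NEWUSER in the clone-family calls and unshare requires CAP_SYS_ADMIN as checked by `capable()` would close that gap. Both the copy_process and ksys_unshare checks sit inside functions that extend beyond the quoted context.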
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..bb7d710106cb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0069-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From e22af80c2327bdb0558e73c0e456904f2da1b95a Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 069/113] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 2af6689d9e71..a7b5a4cb7939 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1174,6 +1174,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 29a30cff5e60..5758274feaee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.30.0
+
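Review bot: The USER_NS_UNPRIVILEGED help text says unprivileged users "will not be able to create new namespaces", which is broader than what the option gates: it controls CLONE_NEWUSER through unprivileged_userns_clone, and other namespace types are reachable by unprivileged users only by first creating a user namespace, so naming it explicitly is more accurate, e.g. `When disabled, unprivileged users will not be able to create new user namespaces.`. Since this defaults to n, a sentence noting that software relying on unprivileged user namespaces (unprivileged container runtimes, browser sandboxes) will receive EPERM unless the kernel.unprivileged_userns_clone sysctl is raised at runtime would help someone choosing the value. The same wording is repeated in the commit message, so both places would want the fix.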
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..b2c09bb68f1c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0070-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 8e9daa30852f8a399d6a1c6de2d5bb6902a0b6f6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 070/113] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index dd6897f62010..78f99835b91b 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -386,7 +386,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -410,7 +410,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -535,7 +535,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -557,7 +557,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.30.0
+
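Review bot: The krealloc declaration uses `__attribute((alloc_size(2)))` while every other annotation in this patch and in patches 071–074 spells it `__attribute__((alloc_size(...)))`; GCC accepts both spellings, but the odd one out reads like a typo and will not match a grep for the attribute. Suggest `void * __must_check krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));`. The commit message's caveat about ksize users reading past the requested size is worth repeating as a comment near the kmalloc definition, since that is where a future reader will wonder why the declared bound is the requested size rather than the rounded-up slab size.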
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..4f0f9ed7d94d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0071-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From 95fa24be751c5fc7febc66ee3d36d67e5c0515db Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 071/113] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 938eaf9517e2..7c069063c20d 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -102,18 +102,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.30.0
+
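Review bot: `__vmalloc_node` on the last context lines of the hunk takes `size` as its first argument like every declaration the patch annotates, yet it is left without `alloc_size(1)`; unless that is deliberate, `void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask, int node, const void *caller) __attribute__((alloc_size(1)));` keeps the header consistent with the rest of the block. A one-line comment above the group saying what the attribute is for (letting compile-time object-size tracking such as `__builtin_object_size` bound accesses through the returned pointer) would also help readers unfamiliar with the GCC attribute.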
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..d157ea4b3bc5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0072-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From f550e63d8cc9eec15dca68c8499df45ebacf4bcb Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 072/113] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index cd5c313729ea..746f6d05bd81 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -759,7 +759,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.30.0
+
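Review bot: Only `kvmalloc_node` receives `alloc_size(1)`; the `kvmalloc` inline wrapper on the next line, which most callers use, is not annotated, so object-size tracking through it depends on the compiler seeing through the inline call rather than on a declared contract. Annotating the wrapper the way the kmalloc wrappers are in patch 070, `static inline __attribute__((alloc_size(1))) void *kvmalloc(size_t size, gfp_t flags)`, makes the guarantee explicit; the other kvmalloc-family wrappers in mm.h (outside the hunk) would want the same treatment.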
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0073-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0073-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..6612f8f70a48
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0073-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 8dae82a90632982a88a5e745858f2e10a1862319 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 073/113] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.30.0
+
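Review bot: The annotated percpu allocators return a `__percpu` cookie that callers dereference only after `per_cpu_ptr()`/`this_cpu_ptr()` arithmetic, so it is unclear whether `alloc_size` on `__alloc_percpu`, `__alloc_percpu_gfp` and `__alloc_reserved_percpu` gives the compiler anything it can actually check. The attribute is harmless, but a one-line comment explaining what it is expected to catch — or noting that it is added for uniformity with the other allocators in this series — would save the next reviewer the same question.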
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..10f484ee0ad4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0074-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From 2a79cb5f248d05bd79f440343a7b4e95c2a079b2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 074/113] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index c603237e006c..893378b0262e 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -568,9 +568,9 @@ static inline struct page *alloc_pages(gfp_t gfp_mask, unsigned int order)
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..c8dc717493ed
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0075-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From c4f1400051880e1e85db4753894a5eaa37919a79 Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 075/113] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f6a1513dfb76..f399208c873a 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3566,6 +3566,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 84070ae3885e..ded9e8536285 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -136,6 +137,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1549,6 +1559,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.30.0
+
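Review bot: The read-modify-write `latent_entropy ^= hash;` added to `__free_pages_core` runs with no locking, and if deferred struct-page init is enabled this function can presumably execute on several CPUs at once during boot, so concurrent updates may drop each other's contribution; harmless for a seed that is never credited as entropy, but it should be stated. The `hash ^= hash + data[index]` mixer is deliberately trivial and `add_device_randomness()` credits nothing for it, which the Kconfig text says but the call site does not. Suggested comment above the `if (extra_latent_entropy && ...)` line: `/* cheap, uncredited seed from early RAM contents; lossy under concurrent init, never a CSPRNG input */`. `__free_pages_core` begins and ends outside the hunk.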
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..5d6d8b671d38
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0076-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From 76d2e699fca89323e7f8318d3b84928c81e6ddd3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 076/113] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 61c762961ca8..02a83039c25b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.30.0
+
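Review bot: The comment kept on both changed lines, `/* ata_qc_from_tag _might_ return NULL */`, now describes a WARN that no longer exists and does not say why the check was made fatal. Both functions dereference `qc` on the very next line (`ap = qc->ap;`), so a NULL here would already oops; `BUG_ON` just makes the failure explicit instead of a fault at a small offset from the NULL page, which matters most on configurations where that page is mappable. Suggested replacement: `BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL; fatal on purpose, qc is dereferenced next */`. Both functions continue past the hunk.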
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..e0651a45c162
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0077-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From a1e40a045158cacd7edd2c5a1affbd5a32ee17ca Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 077/113] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 74019c8ebf6b..c480b4e7ffef 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -778,6 +778,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.30.0
+
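Review bot: `BUG_ON(minlen < 0)` in `nla_memcpy` turns a negative `count` from a caller into a panic, while the surrounding code only needs to avoid handing a sign-extended length to `memcpy`; a negative `nla_len(src)` cannot come from a validated attribute, so in practice this fires only on in-kernel caller bugs. If a panic on such a bug is the intended hardened behaviour, the reason should be recorded at the check, e.g. `/* a negative count or corrupted nlattr would make memcpy copy ~4GB; die rather than copy */`. A softer alternative that keeps the function's return contract is `if (WARN_ON_ONCE(minlen < 0)) return 0;`. The rest of `nla_memcpy` is outside the hunk.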
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0078-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0078-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..585d2db063c2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0078-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From 58595d383421defffcae5c0c1b75bfa05555db44 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 078/113] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 746f6d05bd81..a463ffe84eb4 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -894,10 +894,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index 47a47681c86b..762095d95092 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.30.0
+
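Review bot: The bounds check in the new `get_compound_page_dtor()` is `VM_BUG_ON_PAGE`, which is compiled out unless CONFIG_DEBUG_VM, so in a production build an out-of-range `page[1].compound_dtor` still indexes past `compound_page_dtors[]` before the whitelist `BUG_ON` in `__put_compound_page` ever runs. Since this patch exists to catch exactly that kind of corruption, the index check should be unconditional in the hardened variant: `BUG_ON(page[1].compound_dtor >= NR_COMPOUND_DTORS);`. The whitelist also only covers the `!PageHuge(page)` path, so hugetlb pages presumably reach their destructor unchecked; a one-line comment saying that is deliberate would stop the next reader from "fixing" it.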
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..1139bfcdee94
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0079-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From a1f711d5c9c22a3ecb704269ab0053fb87f20b6b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 079/113] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 35ad8480c464..edaeeab9df4b 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -399,6 +399,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 145a7ac0c19a..058941e9ae40 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 569ac1d57f55..044d88da4aee 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1066,6 +1066,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.30.0
+
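Review bot: The three new `BUG_ON(cr4 != __read_cr4());` lines add a real CR4 read on every call, which under paravirt goes through the pv ops and may trap to the hypervisor; for `native_flush_tlb_global` that is cheap relative to the flush, but `cr4_update_irqsoff` and `cr4_toggle_bits_irqsoff` are presumably reached from context-switch paths, so the accepted cost deserves a comment. Nothing in the hunk says what a mismatch means; suggested comment at each site: `/* shadow copy must match hardware: a mismatch means CR4 was written behind the kernel's back (e.g. SMEP/SMAP cleared by an exploit) */`. Recent kernels already re-assert pinned CR4 bits in `native_write_cr4()`, so this check is presumably complementary rather than redundant — confirm. In `cr4_update_irqsoff` the check is placed before `lockdep_assert_irqs_disabled()`; putting it after keeps the lock assertion first.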
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0080-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0080-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..2e32f8a36092
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0080-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From af9386b3db772d9d09972ca34530fd1a9d3d9ab1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 080/113] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index f882ce0d9327..50e9baefc4e7 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.30.0
+
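Review bot: The `DATA_TO_TEXT` case in `report_sec_mismatch` is wrapped in `#if 0`, so the per-reference explanation is dead code and the only message specific to this check is the closing `warn("modpost: Found %d writable function pointer(s).\n")`, which gives no guidance; either drop the dead block or enable it, and make the summary actionable, e.g. `"modpost: Found %d writable function pointer(s); consider marking the containing structures const\n"`. Because these go into `writable_fptr_count` rather than `sec_mismatch_count`, they never become fatal under CONFIG_SECTION_MISMATCH_WARN_ONLY=n, which is presumably intended (most trees have many) but is undocumented. The per-reference `warn()` earlier in `report_sec_mismatch`, outside the hunk, will presumably still label each hit as a "Section mismatch", which is misleading for this category — worth confirming.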
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..be8c63e3b291
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0081-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From e69f0ae05bcdffc733a1ae6857ccfcdd3405bcf8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 081/113] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 68cee3bc8cfe..2059c66f7c9b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1693,6 +1693,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.30.0
+
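Review bot: The new `else if (!audit_ever_enabled) audit_initialized = AUDIT_UNINITIALIZED;` has no explanation in the hunk or in the empty commit description, so a reader cannot tell what it overrides; presumably an earlier patch in this series builds with auditing disabled by default and this lets `audit=1` on the command line re-enable it before `audit_set_enabled()` runs — confirm against that patch. Suggested comment above the line: `/* allow audit=1 to undo a build-time AUDIT_OFF default: reset to uninitialized so audit_set_enabled() can proceed */`. `audit_enable()` starts before the hunk.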
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..8417f43c08da
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0082-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From cd183c69bbc5c9815e04e78a1c9ab8de0985e706 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 082/113] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.30.0
+
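Review bot: The new `config FORTIFY_SOURCE_STRICT_STRING` uses the prompt `"Harden common functions against buffer overflows"`, which, if the parent `config FORTIFY_SOURCE` keeps its upstream prompt, is the same string as the option it depends on, so in menuconfig the two are indistinguishable; suggest `bool "Strict intra-object overflow checks for string functions"`. Switching `__string_size` to `__builtin_object_size(p, 1)` also tightens the source-side `q_size` checks in `strlcpy`, `strncat` and `strcpy`, which the commit message covers but the header does not; a comment on the `#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING` block such as `/* mode 1: size of the enclosing member, not the whole object, so intra-struct overflows trip too */` would help. The help text's "not yet intended for production use" should say what a hit costs: `fortify_panic()`, i.e. a kernel panic on a possibly benign intra-object access.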
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..25b46addd6cd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0083-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From 076b37f37b0ff591c58f0d73ef6da6e79a3b3d1f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 083/113] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.30.0
+
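Review bot: Pinning `ELF_ET_DYN_BASE` to `0x100000000UL` on x86_64 and arm64 re-introduces the layout upstream deliberately backed out: the commit being reverted (aab425db) was, as far as I recall, a fix for AddressSanitizer, whose runtime assumes the PIE executable sits near the default 2/3-of-TASK_SIZE base, so userspace ASan builds are expected to fail under this kernel — confirm against that commit's message. If the trade-off (a larger PIE-to-stack gap against Stack-Clash-style collisions versus sanitizer compatibility) is intended, the header comment should say so; suggested wording next to each define: `/* fixed 4GB PIE base: maximises distance to the stack/mmap area; breaks userspace ASan, which hardcodes the upstream layout */`. The restored comment text `raised to 4GB` is also stale relative to the current default, which is above 4GB.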
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..e42daa3bc863
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0084-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From 02274e27e971f3bfd099ee7b938d0531dc7a1fca Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 084/113] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.30.0
+
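Review bot: `map_vdso(image, 0)` now places the vdso with the ordinary mmap allocator, so its distance to ld.so/libc becomes a fixed, load-order-dependent delta; a vdso address leak (the address is handed to every process via `AT_SYSINFO_EHDR` on the initial stack) therefore also derandomises the mmap base, where previously it only correlated with the stack. The commit message argues that trade is acceptable, and the call site should say so, e.g. `/* vdso shares the mmap region and its random base with other shared objects (PaX RANDMMAP) */`. The removed `align_vdso_addr()` also applied the `va_align` (AMD I-cache aliasing) bits, which `arch_get_unmapped_area` presumably applies only to file-backed mappings, so the vdso loses that performance alignment — negligible for security, but worth a note. `map_vdso_randomized` no longer randomises anything itself; renaming or commenting it would avoid confusion.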
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..510c352ac943
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0085-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From ad88f96ed3ec9394614f2a43a184158e838bbd2b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 085/113] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.30.0
+
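Review bot: The compat/32-bit mask now follows `mmap_rnd_compat_bits`, which the commit message itself concedes drops default 32-bit stack entropy from 11 to 8 bits; nothing in this hunk raises ARCH_MMAP_RND_COMPAT_BITS_MIN, so the regression is real unless the kernel config shipped with this ebuild (not visible here) sets CONFIG_ARCH_MMAP_RND_COMPAT_BITS above its minimum. A short comment above the `#ifdef CONFIG_COMPAT` block recording that dependency would save the next maintainer from rediscovering it, e.g. `/* stack entropy now tracks vm.mmap_rnd_bits / mmap_rnd_compat_bits; the Kconfig defaults are the minimums, raise them for 32-bit */`. The macros also now read a runtime sysctl variable instead of a constant, so `STACK_RND_MASK` is no longer compile-time stable; that is presumably intended, but the `1UL << mmap_rnd_bits` form depends on `mmap_rnd_bits` being declared in every translation unit that includes asm/elf.h — worth confirming nothing pulls this header in without linux/mm.h.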
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..664cbb9d96dc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0086-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From b755a10376071bb32f3b0707c2c72aad777da3c9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 086/113] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.30.0
+
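Review bot: The `>> (PAGE_SHIFT - 12)` scaling is kept from the old constants but now applied to a different kind of operand: `0x3ffff` and `0x7ff` were 4K-page counts that needed converting to the actual page size, whereas `mmap_rnd_bits` / `mmap_rnd_compat_bits` are presumably already page-granular on arm64 (their Kconfig min/max are lower on 16K/64K-page builds — not visible here, please confirm). If so, 16K/64K-page kernels lose 2-4 bits of stack randomization relative to the pre-patch mask, which contradicts the intent of the series; the commit message's parenthetical only considers 4K pages. The expressions should then be `((1UL << mmap_rnd_bits) - 1)` and `((1UL << mmap_rnd_compat_bits) - 1)` with no shift, and the message should say which page sizes were checked.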
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..f6674fee0909
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0087-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,47 @@
+From 45445659726dba25e10f19f31ee9d4fdaca6ba69 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 087/113] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[levente@leventepolyak.net: do not randomize with ADDR_NO_RANDOMIZE personality]
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/exec.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ca89e0e3ef10..d2a03d32e195 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -34,6 +34,7 @@
+ #include <linux/swap.h>
+ #include <linux/string.h>
+ #include <linux/init.h>
++#include <linux/sched.h>
+ #include <linux/sched/mm.h>
+ #include <linux/sched/coredump.h>
+ #include <linux/sched/signal.h>
+@@ -64,6 +65,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -280,6 +282,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.30.0
+
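Review bot: The `ADDR_NO_RANDOMIZE` test in `__bprm_mm_init()` evaluates the caller's personality before exec has finalised it, so it does not match what later gates `PF_RANDOMIZE` in `setup_new_exec()`: set-id execs clear `ADDR_NO_RANDOMIZE` there (via PER_CLEAR_ON_SETID, outside this hunk, as far as I can tell) and stay randomized in mainline, whereas here a `setarch -R` parent exec'ing a setuid binary leaves the argument block unrandomized. The argument block is a minor ASLR component, but if parity with the other randomizations is intended, apply the offset where `bprm->p` is finalised after `PF_RANDOMIZE` is known, or at least carry a comment explaining the re-derived condition, e.g. `/* PF_RANDOMIZE is not set this early in exec; mirror its condition on the caller's personality */`. Note also that the XOR can place `p` anywhere in the page, including `vm_end - 1`, which relies on `copy_strings()` tolerating arbitrary in-page offsets — true in 5.10 as far as I can tell, but worth stating next to the line.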
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..34aaa04326f5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0088-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From 10bc4e5a26427743e381be6ced0732f5403e933a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 088/113] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 058941e9ae40..61460d55dd72 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -906,7 +908,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.30.0
+
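Review bot: The new `#include <linux/sizes.h>` is placed after the `<asm/...>` block, whereas kernel convention (and the visible asm group in this file) keeps `<linux/...>` headers before `<asm/...>`; move it up with the other `linux/` includes and keep `#include <asm/elf.h>` with the asm group. Functionally the 1GB range for 64-bit and 32MB for ia32 mirror the generic `arch_randomize_brk()` in mm/util.c, so the header ordering is the only thing to raise here; a one-line body in the commit message saying that mirror is the goal would also help, since the subject is all there is.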
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..ddcaf2565baf
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0089-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From faaa4cd5a2c92491cbb7c437b1d6e132e2aa0764 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 089/113] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 5c8b4485860d..0e26c225bb53 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.30.0
+
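Review bot: The unaligned-`min_brk` special case assumes `min_brk` is the randomized `mm->start_brk`, but with CONFIG_COMPAT_BRK and `current->brk_randomized == 0` the code above the hunk (not visible here) sets `min_brk = mm->end_data`, which is normally unaligned for reasons unrelated to brk randomization. In that configuration a legacy `brk(end_data)` call now computes `newbrk` one page below `PAGE_ALIGN(end_data)`, and the shrink path's `__do_munmap(mm, newbrk, oldbrk - newbrk)` would unmap the file-backed page holding the end of the data segment rather than just the bss/heap pages mainline unmaps. Guarding the adjustment to the randomized case, e.g. `if (min_brk == mm->start_brk && (min_brk & ~PAGE_MASK))`, keeps the empty-heap convention to start_brk values that actually carry random low bits. The syscall body continues outside the hunk on both sides.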
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..317899e25acc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0090-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 6d2ebb7e809172288d8e45412edf5424f38fc4a8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 090/113] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ddb6e186dd5..4ca72f952329 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..15e58b0ce70a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0091-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 6db87dd4450d75558fee95d84c6c7cef7481ef41 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 091/113] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 61460d55dd72..0d4c3887229d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..f43463bd9ce3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0092-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 48afdc21481c65eaa8b56238e0e983f0c2635e65 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 092/113] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 4ca72f952329..62ed34dfceb7 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -336,9 +336,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.30.0
+
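Review bot: `mm->brk + rand % SZ_1G + PAGE_SIZE` guarantees a page of address distance, not an unmapped guard page: whenever `(mm->brk & ~PAGE_MASK) + rand < PAGE_SIZE` the returned start_brk lands in the page immediately after the bss page, and with the unaligned-min_brk handling from the earlier patch the heap's first page is then directly adjacent to bss. If the subject line means a real gap page, compute from the aligned end instead, e.g. `PAGE_ALIGN(mm->brk) + PAGE_SIZE + get_random_long() % SZ_32M` (and likewise for the 1G branch), so at least one full page stays unmapped between bss and heap; the x86 counterpart in the next patch has the same shape. If only address distance was intended, a comment saying so above the return would stop this being read as guard-page semantics.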
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..6e2712a21c54
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0093-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 7a7856e97e9e0a8ca341107a8a9d593787687cd4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 093/113] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 0d4c3887229d..161e25d02fd5 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -909,9 +909,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..0c4b52905e2f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0094-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From c30867dd77734d7b2b894878719358c026ee0d05 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 094/113] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.30.0
+
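Review bot: This patch carries no description and no Signed-off-by, unlike the rest of the series, and it changes two things that each deserve a sentence. In `find_start_end()` the bottom-up `*end` used to be `task_size_64bit(addr > DEFAULT_MAP_WINDOW)`, so an explicit hint above the 47-bit window could opt into the larger 5-level-paging address space; with `*end = get_mmap_base(0)` that hint now fails the caller's `end - len >= addr` check (outside the hunk, as far as I can tell) and the bottom-up layout silently loses high-address support, while the top-down path below keeps its DEFAULT_MAP_WINDOW handling. Raising `info.low_limit` from `PAGE_SIZE` to `get_mmap_base(1)` also means top-down allocations return ENOMEM once the window between the two bases is full even though address space below the legacy base exists; if that isolation of brk/executable from mmap is intended, say so in a comment above the assignment, e.g. `/* keep mmap between the legacy and top-down bases so it can never reach the heap/exe region */`.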
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0095-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0095-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..1de38f564c76
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0095-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From 92277813dcd237bafd1ccf1eec8d4ed67d7144b8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 095/113] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 5eea9912a0b9..f86f383a3e1d 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index dacecdda2e79..14173d0f777d 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 8bde32cf9711..83d50b0a2a18 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3475,4 +3475,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index de7eac903a2a..5602178f3d21 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
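Review bot: `device_sidechannel_restrict` is wired to `proc_dointvec_minmax_sysadmin`, which at this point in the series is still a `static` helper inside `#ifdef CONFIG_PRINTK` (the following patch is what lifts it out), so this patch on its own fails to build with CONFIG_PRINTK=n; reordering the two patches, or squashing the sysctl entry into the next one, keeps the series bisectable. In `fsnotify_file()`, `mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode)` is correct but relies on `&` binding tighter than `&&`; write it as `(mask & (FS_ACCESS | FS_MODIFY)) && is_sidechannel_device(inode)`. `is_sidechannel_device()` also deserves a comment: it only covers world-readable/-writable nodes (`S_IROTH | S_IWOTH`), so a group-accessible 0660 device still exposes atime/mtime and fsnotify events to members of that group — presumably intentional, mirroring grsecurity, but the limitation should be stated where the check lives.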
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..6b5657c5ab6c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0096-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From d3e518ec4d7ab8115d77a2305b5d50abba3a6808 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 096/113] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -890,8 +890,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -899,7 +918,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1585,6 +1603,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3436,6 +3460,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.30.0
+
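Review bot: The kernel-doc line `Writing is only allowed when root has CAP_SYS_ADMIN.` is inaccurate: `capable(CAP_SYS_ADMIN)` checks the calling task's capability in the initial user namespace, so a non-root task holding that capability passes and a root task in a child user namespace does not; suggest `Writing requires CAP_SYS_ADMIN in the initial user namespace.`. It is also worth saying in the doc that `capable()` emits an audit record on denial (unlike the `_noaudit` helpers), which is presumably the behaviour wanted for security knobs that other subsystems will now attach to this handler.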
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..dd7c0b3ee84d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0097-usb-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From 8c4c088f58564e86db268b29dadcff06bc744e60 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 097/113] usb: add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 17202b2ee063..9385c745d55e 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,6 +5054,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5114,6 +5117,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 7d72c4e0713c..8e7549e3012a 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,6 +2035,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..f867606fbd80 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2305,6 +2308,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
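Review bot: The sysctl entry is compiled under `IS_ENABLED(CONFIG_USB)`, which is also true for `CONFIG_USB=m`, but `deny_new_usb` is defined in hub.c and therefore lives in usbcore.ko in that configuration, so the built-in kernel/sysctl.c references an unresolved symbol and the link fails; `#if IS_BUILTIN(CONFIG_USB)` would be correct for this patch, and the next patch's move of the table into the driver is the better fix. Two smaller points: the `dev_err()` on every denied insertion is the only audit trail of a blocked device and is not rate limited, which is probably right for a security event but should be a conscious choice noted in a comment; and since the knob is a plain 0/1 toggle, any CAP_SYS_ADMIN holder can flip it back, so if the threat model is a locked-down host consider a one-way latch as `kexec_load_disabled` uses.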
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..a65ede25d17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0098-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,195 @@
+From 9a1b998f367a932a484bc9e14e027ceb6e3db4eb Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 098/113] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 14 -------------
+ 6 files changed, 63 insertions(+), 18 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 9385c745d55e..b62b3da81ac4 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5054,9 +5054,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 9b4ac4415f1a..93b4b798bdcc 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -978,6 +981,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1012,6 +1018,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1035,6 +1043,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 8e7549e3012a..653265115e56 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2035,8 +2035,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index f867606fbd80..13b619e46ade 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,9 +106,6 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
+-#if IS_ENABLED(CONFIG_USB)
+-#include <linux/usb.h>
+-#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2308,17 +2305,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.30.0
+
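Review bot: drivers/usb/core/sysctl.c is added without the `// SPDX-License-Identifier: GPL-2.0` first line that the other files in drivers/usb/core carry, so checkpatch will flag the new file, and it goes straight into `#include <linux/errno.h>` with no header comment saying what the file owns. `usb_init_sysctl()` could call `register_sysctl("kernel", usb_table)` instead of building the intermediate `usb_root_table` with a `.child` pointer, which drops eight lines and is the form newer subsystem tables use. The knob itself still has no entry in Documentation/admin-guide/sysctl/kernel.rst — the diffstat touches no documentation file — so unless patch 0097 added one, `kernel.deny_new_usb` should get a short section saying that 1 makes hub_port_connect() refuse newly connected devices with a dev_err message and that only a CAP_SYS_ADMIN writer can change it (proc_dointvec_minmax_sysadmin).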
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..d7725a26281d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0099-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From f2c881fc8b403d49a7b47a02c0252a2e030dc115 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 099/113] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index f399208c873a..282777d18d19 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c46312710e73..541c65650c5e 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4bde570d56a2..cc5caffc07fa 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -725,7 +725,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -749,18 +748,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+ length = count;
+ out:
+ kfree(page);
+--
+2.30.0
+
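Review bot: The description says the userspace API is left intact, but dropping `__setup("checkreqprot=", checkreqprot_setup)` in hooks.c removes the boot parameter as well, so `checkreqprot=1` on the command line is now ignored without any message; a stub setup handler that keeps the name and only emits `pr_warn("SELinux: checkreqprot is hard-wired to 0 in this kernel, parameter ignored\n")` would make the change visible to administrators who still pass it. `static const unsigned int selinux_checkreqprot_boot;` depends on the implicit zero initialisation of a const static; `= 0` spelled out documents the intent, and a one-line comment that the value is fixed at 0 by this series would help a reader looking for the former Kconfig default. In selinuxfs.c the combined condition `if (sscanf(page, "%u", &new_value) != 1 || new_value)` turns any write of 1 into -EINVAL, which is the intended behaviour, but a comment saying that writes of 0 are still accepted only for compatibility with userspace that resets the flag would spare the next maintainer a trip through git history.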
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..6ebf0b4afe2a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0100-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From 0ace17837639e0479c20df2db8c990fdd644de43 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 100/113] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 56ade99ef99f..557356504a81 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3014,6 +3015,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index eb33d948788c..a205640b4c61 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -342,6 +343,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.30.0
+
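Review bot: include/linux/tty.h now includes the whole of <linux/user_namespace.h> only to declare the `struct user_namespace *owner_user_ns` pointer; a forward declaration `struct user_namespace;` in the header is enough for the field, and tty_io.c, the only place here calling get_user_ns()/put_user_ns(), can include the header itself (it may already receive it through sched.h — worth confirming). The new field is the only one in that part of struct tty_struct without a comment; `/* user namespace of the task that allocated this tty; capability checks for tty ioctls are done against it */` would document the contract the commit message describes. The release in free_tty_struct() looks right, since the field is assigned just before the `return tty` in alloc_tty_struct().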
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..3fab49a7515d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0101-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From 0125da50069de51a0c6baa3744057928bdc98377 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 101/113] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 557356504a81..5670bd7442df 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2182,11 +2182,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a205640b4c61..116138eb394c 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -353,6 +353,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 13b619e46ade..8fd007fbec4c 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2295,6 +2298,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.30.0
+
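Review bot: The denial in tiocsti() is logged with `dev_warn_ratelimited(tty->dev, ...)`, but tty->dev is NULL for ttys whose driver has no class device, which as far as I can tell includes pty slaves — the very case the container scenario in the description is about — so the line would carry a `(NULL device *)` prefix and no identifier. Logging via the tty name and the refused task, e.g. `pr_warn_ratelimited("tty %s: denied TIOCSTI for %s (pid %d), tiocsti_restrict is set\n", tty_name(tty), current->comm, task_pid_nr(current));`, gives an operator what they need to tell a broken legacy program (the description names agetty, csh and tcsh) from something that warrants attention. `int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);` lacks the `__read_mostly` the other knobs in this series carry, and placing it between the "FIXME: may race normal receive processing" block comment and tiocsti() separates that comment from the function it describes; defining the variable above the comment block would avoid that. In kernel/sysctl.c, `#if defined CONFIG_TTY` would read more conventionally as `#ifdef CONFIG_TTY`.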
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..7bfcbfd3563e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0102-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From e8fa982737b4cf6b314c4b6d7fb3a51d58842af6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 102/113] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..dbef18e9e1d9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0103-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From e3d2bd0527f2e3a9aca7dedd4eb8d5728cbb090f Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 103/113] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b..a54c05624647 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -50,7 +50,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.30.0
+
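Review bot: With `sysctl_unprivileged_bpf_disabled` initialised to 1, the one-way semantics of the `unprivileged_bpf_disabled` sysctl matter: as far as I recall, its handler in kernel/sysctl.c refuses any write other than 1 once the value is 1, so on this kernel unprivileged bpf() cannot be re-enabled at runtime and there is no boot parameter that does it either — an administrator who needs it has to rebuild. The patch has no commit body; a sentence stating that consequence, or a comment on the initialiser such as `/* default off; the sysctl is one-way and cannot re-enable it */`, would document the trade-off for the next person reading this default. If re-enabling is a requirement, a Kconfig-controlled default or a distinct "disabled but re-enablable" value would be the place to address it.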
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..d196940dd48b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0104-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 53ca7668ae8d442d56c04eebf3f7ae7640d89d1e Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 104/113] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 55454d2278b1..de02792dc2fc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -524,7 +524,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..b2e06a406db3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0105-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From 645992427421dd1db5ed4d4b93eddb0a8fcf4dd2 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 105/113] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 59ff3ce21026..72f912c68975 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..9d713d00c161
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0106-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From e08ac98884b625a79ad558c0763db8674550a700 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 106/113] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 4a1a32a059f4..5fce84adc315 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -374,6 +374,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 50e9baefc4e7..2cbc4e8a6295 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.30.0
+
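Review bot: The summary at the end of main() is now printed only when `!writable_fptr_verbose`, so a verbose build prints each writable function pointer but no total; keeping the count unconditional and gating only the build hint — `if (writable_fptr_count) warn("modpost: Found %d writable function pointer%s.\n", writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));` followed by the existing "To see full details" text under `if (writable_fptr_count && !writable_fptr_verbose)` — gives both. The new `DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE` entry in lib/Kconfig.debug has no help text, unlike its neighbours; a few lines saying that it makes modpost print the source and target of every reference from writable data to text (a writable function pointer) instead of only a count, and that it affects build output only, would fit. In report_sec_mismatch() the early return for DATA_TO_TEXT is correct but unexplained; `/* writable fptrs are only counted unless -f (CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE) asks for each one */` above it would tie the flag, the variable and the Kconfig option together.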
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..02142e2a38bc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0107-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,103 @@
+From c1e92a012a13de1fba54928d6b1a116cb92fb7e2 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 107/113] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index ded9e8536285..8730ae4244b9 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1539,6 +1539,25 @@ static void __free_pages_ok(struct page *page, unsigned int order,
+ local_irq_restore(flags);
+ }
+
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
++{
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++}
++
+ void __free_pages_core(struct page *page, unsigned int order)
+ {
+ unsigned int nr_pages = 1 << order;
+@@ -1558,22 +1577,6 @@ void __free_pages_core(struct page *page, unsigned int order)
+ }
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+-
+- if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+- unsigned long hash = 0;
+- size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+- const unsigned long *data = lowmem_page_address(page);
+-
+- for (index = 0; index < end; index++)
+- hash ^= hash + data[index];
+-#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+- latent_entropy ^= hash;
+- add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
+-#else
+- add_device_randomness((const void *)&hash, sizeof(hash));
+-#endif
+- }
+-
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+
+ /*
+@@ -1632,6 +1635,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1723,6 +1727,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1730,6 +1735,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.30.0
+
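Review bot: The new helper `__gather_extra_latent_entropy` has no comment explaining the `!PageHighMem(page) && page_to_pfn(page) < 0x100000` bound, and the uncertainty the author states in the description (the pages read here may still be managed by the bootmem allocator) is recorded nowhere in the code where the next rebase will see it. I would put above the function: `/* Fold the contents of soon-to-be-freed lowmem pages (pfn < 0x100000) into the entropy pool; __init-only, called right before __free_pages_core() hands the pages to the buddy allocator. */`, plus a `TODO` line stating that reading bootmem-managed pages is assumed but not confirmed to be safe. All three call sites add the call immediately before `__free_pages_core`, so the hash is now taken before `__ClearPageReserved`/`set_page_count` rather than after; a one-line note that this ordering is intentional would save the next reader a comparison with the removed block.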
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..135dd02aed87
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0108-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From 1069527de358d6210f21da324a9584c2b20b23e2 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 108/113] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 000b457ad087..06d35ecdcbc8 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index a7b5a4cb7939..2feea719cc25 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1745,6 +1745,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.30.0
+
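Review bot: The `#ifdef`/`#else` pair around `sysctl_unprivileged_userfaultfd` in fs/userfaultfd.c can be one initializer, `int sysctl_unprivileged_userfaultfd __read_mostly = IS_ENABLED(CONFIG_USERFAULTFD_UNPRIVILEGED);`, which is the form a later patch in this series uses for `sysctl_tcp_simult_connect` and does not rely on the implicit zero of the `#else` branch. In the Kconfig hunk `default n` is redundant for a bool option, and `depends on USERFAULTFD` already hides the option when the syscall is compiled out. The help text mirrors the commit message, so "Userfaultfd provide attackers" should read "provides" in both.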
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..c1ef650f0d39
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0109-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From bc963dada9a10f9d859f5585b9561fb7a5bfc26b Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 109/113] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 105dba485a7e..2138deacf719 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -630,8 +630,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index a06d34be763a..32cc008ee278 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2955,8 +2956,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3416,8 +3423,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.30.0
+
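Review bot: The memset-then-constructor sequence with the KASAN unpoison/poison pair is now written out twice, in `slab_alloc_node` and again in the `kmem_cache_alloc_bulk` loop, and a third near-copy of the ctor handling sits a few lines above the first hunk; a small helper would keep the three in step the next time the KASAN calls change. The `#ifndef CONFIG_SLUB` in slab.h is the only thing tying the relaxed `slab_want_init_on_alloc` to the allocator that implements the re-run, and deserves a comment such as `/* SLUB re-runs the constructor after zeroing (see slab_alloc_node); SLAB/SLOB do not, so keep the ctor bypass for them */`. Both enclosing functions extend beyond their hunks.

```c
/* Zero a freshly allocated object and, for caches with a constructor,
 * re-run the constructor so the object is in its expected initial state
 * (mirrors the ctor handling a few lines above in slab_alloc_node()). */
static __always_inline void slab_init_object(struct kmem_cache *s, void *object)
{
	memset(object, 0, s->object_size);
	if (s->ctor) {
		kasan_unpoison_object_data(s, object);
		s->ctor(object);
		kasan_poison_object_data(s, object);
	}
}
/* … unchanged: slab_alloc_node() up to the init_on_alloc branch … */
	} else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
		slab_init_object(s, object);
/* … unchanged: kmem_cache_alloc_bulk() up to the init_on_alloc branch … */
		for (j = 0; j < i; j++)
			slab_init_object(s, p[j]);
```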
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..c0ed4454afd3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0110-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From f461686078d2f472572e083400419a6af0938ad8 Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 110/113] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d4ef5bf94168..34d0d5438108 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 3e5f4f2e705e..791329c77dea 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index ef4bdb038a4b..86967b09a8e2 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6195,7 +6196,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.30.0
+
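Review bot: `sysctl_tcp_simult_connect` is read in `tcp_rcv_synsent_state_process` without `READ_ONCE()` while it is written at runtime through `proc_dointvec_minmax`, so the receive-path read should be `if (th->syn && READ_ONCE(sysctl_tcp_simult_connect)) {` (the enclosing function extends beyond the hunk). The knob is a plain global in `ipv4_table` rather than a per-netns field, so one setting covers every network namespace; if that is intended, the Kconfig help and ip-sysctl.rst entry should say so, since the NAT-traversal caveat they give cannot be handled per container. The two `Reviewd-by:` trailers are misspelled.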
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..afef30230712
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0111-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From 0149a4586f7ab88cd4feaeed1a6c2be46efaf47c Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 111/113] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.30.0
+
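Review bot: The timer members the CCIDs no longer use are not removed: the diffstat lists only include/linux/dccp.h, ccid2.c and ccid3.c, so `tx_rtotimer` in `struct ccid2_hc_tx_sock` and `tx_no_feedback_timer` in `struct ccid3_hc_tx_sock` (declared in headers this patch does not touch, if they live where the old `from_timer()` calls imply) presumably remain as dead fields that a later change could re-arm by mistake. I would drop them in the same patch, or at least annotate each with `/* unused: this timer now lives in dccp_sock.dccps_ccid_timer */`. Both rewritten callbacks also take `ccid_priv(dp->dccps_hc_tx_ccid)` after the `DCCP_CLOSED` check with no NULL guard; a short comment stating that a socket not in `DCCP_CLOSED` always carries a TX CCID would make explicit the invariant the fix depends on.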
diff --git a/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..59521fc6cd29
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.10.9/hardened-patches/0112-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From 81951627594eb1463fbc6b7da8f20410a068e88a Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 112/113] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.30.0
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/export_kernel_fpu_functions.patch b/sys-kernel/cairn-sources/files/5.9.6/export_kernel_fpu_functions.patch
new file mode 100644
index 000000000000..af71d043e612
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/export_kernel_fpu_functions.patch
@@ -0,0 +1,43 @@
+From 1e010beda2896bdf3082fb37a3e49f8ce20e04d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Thu, 2 May 2019 05:28:08 +0100
+Subject: [PATCH] x86/fpu: Export kernel_fpu_{begin,end}() with
+ EXPORT_SYMBOL_GPL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need these symbols in zfs as the fpu implementation breaks userspace:
+
+https://github.com/zfsonlinux/zfs/issues/9346
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ arch/x86/kernel/fpu/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index 12c70840980e..352538b3bb5d 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -102,7 +102,7 @@ void kernel_fpu_begin(void)
+ }
+ __cpu_invalidate_fpregs_state();
+ }
+-EXPORT_SYMBOL_GPL(kernel_fpu_begin);
++EXPORT_SYMBOL(kernel_fpu_begin);
+
+ void kernel_fpu_end(void)
+ {
+@@ -111,7 +111,7 @@ void kernel_fpu_end(void)
+ this_cpu_write(in_kernel_fpu, false);
+ preempt_enable();
+ }
+-EXPORT_SYMBOL_GPL(kernel_fpu_end);
++EXPORT_SYMBOL(kernel_fpu_end);
+
+ /*
+ * Save the FPU state (mark it for reload if necessary):
+--
+2.23.0
+
+
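Review bot: Switching `kernel_fpu_begin`/`kernel_fpu_end` from `EXPORT_SYMBOL_GPL` to `EXPORT_SYMBOL` widens who may drive FPU state from GPL-compatible modules to any out-of-tree module, and that consequence is recorded only in the commit description, not at the export site, so a rebase onto a newer kernel can silently reintroduce the `_GPL` variant. I would add above each export `/* non-GPL export kept for out-of-tree zfs (zfsonlinux/zfs issue 9346); intentional deviation from upstream */`. The description's justification is about zfs's FPU use rather than a kernel defect, so the decision to relax the licence boundary is distribution policy and is worth naming in the ebuild or README as well.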
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/0000_README b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/0000_README
new file mode 100644
index 000000000000..85e9d90b8053
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/0000_README
@@ -0,0 +1,92 @@
+README
+--------------------------------------------------------------------------
+This patchset is to be the series of patches for gentoo-sources.
+It is designed for cross-compatibility, fixes and stability, with performance
+and additional features/driver support being a second.
+
+Unless otherwise stated and marked as such, this kernel should be suitable for
+all environments.
+
+
+Patchset Numbering Scheme
+--------------------------------------------------------------------------
+
+FIXES
+1000-1400 linux-stable
+1400-1500 linux-stable queue
+1500-1700 security
+1700-1800 architecture-related
+1800-1900 mm/scheduling/misc
+1900-2000 filesystems
+2000-2100 networking core
+2100-2200 storage core
+2200-2300 power management (ACPI, APM)
+2300-2400 bus (USB, IEEE1394, PCI, PCMCIA, ...)
+2400-2500 network drivers
+2500-2600 storage drivers
+2600-2700 input
+2700-2900 media (graphics, sound, tv)
+2900-3000 other
+3000-4000 reserved
+
+FEATURES
+4000-4100 network
+4100-4200 storage
+4200-4300 graphics
+4300-4400 filesystem
+4400-4500 security enhancement
+4500-4600 other
+
+EXPERIMENTAL
+5000-5100 experimental patches (BFQ, ...)
+
+Individual Patch Descriptions:
+--------------------------------------------------------------------------
+
+Patch: 1000_linux-5.9.1.patch
+From: http://www.kernel.org
+Desc: Linux 5.9.1
+
+Patch: 1001_linux-5.9.2.patch
+From: http://www.kernel.org
+Desc: Linux 5.9.2
+
+Patch: 1002_linux-5.9.3.patch
+From: http://www.kernel.org
+Desc: Linux 5.9.3
+
+Patch: 1003_linux-5.9.4.patch
+From: http://www.kernel.org
+Desc: Linux 5.9.4
+
+Patch: 1500_XATTR_USER_PREFIX.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=470644
+Desc: Support for namespace user.pax.* on tmpfs.
+
+Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
+From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
+Desc: Enable link security restrictions by default.
+
+Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
+From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/raw
+Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
+
+Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
+From: https://bugs.gentoo.org/710790
+Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino
+
+Patch: 2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch
+From: https://bugs.gentoo.org/721096
+Desc: VIDEO_TVP5150 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #721096. Thanks to Max Steel
+
+Patch: 2920_sign-file-patch-for-libressl.patch
+From: https://bugs.gentoo.org/717166
+Desc: sign-file: full functionality with modern LibreSSL
+
+Patch: 4567_distro-Gentoo-Kconfig.patch
+From: Tom Wijsman <TomWij@gentoo.org>
+Desc: Add Gentoo Linux support config settings and defaults.
+
+Patch: 5013_enable-cpu-optimizations-for-gcc10.patch
+From: https://github.com/graysky2/kernel_gcc_patch/
+Desc: Kernel patch enables gcc = v10.1+ optimizations for additional CPUs.
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1500_XATTR_USER_PREFIX.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1500_XATTR_USER_PREFIX.patch
new file mode 100644
index 000000000000..245dcc29fa56
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,67 @@
+From: Anthony G. Basile <blueness@gentoo.org>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index 1590c49..5eab462 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -73,5 +73,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+--- a/mm/shmem.c 2020-05-04 15:30:27.042035334 -0400
++++ b/mm/shmem.c 2020-05-04 15:34:57.013881725 -0400
+@@ -3238,6 +3238,14 @@ static int shmem_xattr_handler_set(const
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags, NULL);
+ }
+
+@@ -3253,6 +3261,12 @@ static const struct xattr_handler shmem_
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3260,6 +3274,7 @@ static const struct xattr_handler *shmem
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
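Review bot: The patch description says the accepted namespace is `user.pax.*`, but the check added to shmem_xattr_handler_set accepts exactly one name, `XATTR_NAME_PAX_FLAGS` (user.pax.flags), and answers every other `user.*` name with -EOPNOTSUPP, so the description and the `/* User namespace */` comment in xattr.h both undersell the restriction. Suggest making the header comment match the code: `/* User namespace: tmpfs accepts only user.pax.flags, at most 8 bytes (see shmem_xattr_handler_set) */`. The `size > 8` bound is the only thing that keeps unprivileged writers from growing per-inode xattr storage through this handler, so it is worth a why-comment next to it, e.g. `/* PaX flags are a short string; cap the allocation an unprivileged user can trigger */`. The patch is also copied verbatim under each kernel version directory, so any later fix has to be applied to every copy.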
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000000..f0ed144fb17a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/1510_fs-enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,20 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+--- a/fs/namei.c 2018-09-28 07:56:07.770005006 -0400
++++ b/fs/namei.c 2018-09-28 07:56:43.370349204 -0400
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
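Review bot: Only `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` are flipped to 1; the adjacent `sysctl_protected_fifos` and `sysctl_protected_regular` shown as context keep their zero default, so the sticky-directory FIFO and regular-file protections stay off unless userspace sets the sysctls at boot. If that is intentional (parity with the 2012 Debian patch this reproduces), the 0000_README entry for 1510 should say so; otherwise `int sysctl_protected_fifos __read_mostly = 1;` and `int sysctl_protected_regular __read_mostly = 1;` would bring the compiled-in defaults in line with the sysctls most distributions now enable (the documented stricter value 2 also covers group-writable sticky directories).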
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
new file mode 100644
index 000000000000..394ad48fc20c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
@@ -0,0 +1,37 @@
+The encryption is only mandatory to be enforced when both sides are using
+Secure Simple Pairing and this means the key size check makes only sense
+in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 3cf0764d5793..7516cdde3373 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ /* The minimum encryption key size needs to be enforced by the
+--
+2.20.1
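Review bot: The early `return 1;` added when `hci_conn_ssp_enabled(conn)` is false bypasses not just the HCI_CONN_ENCRYPT test but also the minimum encryption key size enforcement that follows it in hci_conn_check_link_mode (the function continues past the end of the hunk), so legacy non-SSP links are accepted with whatever key size was negotiated. That is the upstream author's deliberate compatibility trade-off for BT 2.0 peripherals, but in an overlay that otherwise tightens defaults it deserves an explicit statement, and the 0000_README line `Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled.` reads as a pure bug fix. A clearer Desc would be `Desc: Bluetooth: skip encryption and key-size enforcement for legacy (non-SSP) connections so BT 2.0 devices keep working; enforcement is relaxed for those links.`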
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
new file mode 100644
index 000000000000..433568579cab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch
@@ -0,0 +1,30 @@
+From dc328d75a6f37f4ff11a81ae16b1ec88c3197640 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Mon, 23 Mar 2020 08:20:06 -0400
+Subject: [PATCH 1/1] This driver requires REGMAP_I2C to build. Select it by
+ default in Kconfig. Reported at gentoo bugzilla:
+ https://bugs.gentoo.org/710790
+Cc: mpagano@gentoo.org
+
+Reported-by: Phil Stracchino <phils@caerllewys.net>
+
+Signed-off-by: Mike Pagano <mpagano@gentoo.org>
+---
+ drivers/hwmon/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
+index 47ac20aee06f..530b4f29ba85 100644
+--- a/drivers/hwmon/Kconfig
++++ b/drivers/hwmon/Kconfig
+@@ -1769,6 +1769,7 @@ config SENSORS_TMP421
+ config SENSORS_TMP513
+ tristate "Texas Instruments TMP513 and compatibles"
+ depends on I2C
++ select REGMAP_I2C
+ help
+ If you say yes here you get support for Texas Instruments TMP512,
+ and TMP513 temperature and power supply sensor chips.
+--
+2.24.1
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch
new file mode 100644
index 000000000000..1bc058eea45a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2910_TVP5150-Fix-build-issue-by-selecting-REGMAP-I2C.patch
@@ -0,0 +1,10 @@
+--- a/drivers/media/i2c/Kconfig 2020-05-13 12:38:05.102903309 -0400
++++ b/drivers/media/i2c/Kconfig 2020-05-13 12:38:51.283171977 -0400
+@@ -378,6 +378,7 @@ config VIDEO_TVP514X
+ config VIDEO_TVP5150
+ tristate "Texas Instruments TVP5150 video decoder"
+ depends on VIDEO_V4L2 && I2C
++ select REGMAP_I2C
+ select V4L2_FWNODE
+ help
+ Support for the Texas Instruments TVP5150 video decoder.
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2920_sign-file-patch-for-libressl.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2920_sign-file-patch-for-libressl.patch
new file mode 100644
index 000000000000..e6ec017d46c8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/2920_sign-file-patch-for-libressl.patch
@@ -0,0 +1,16 @@
+--- a/scripts/sign-file.c 2020-05-20 18:47:21.282820662 -0400
++++ b/scripts/sign-file.c 2020-05-20 18:48:37.991081899 -0400
+@@ -41,9 +41,10 @@
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+-#if defined(LIBRESSL_VERSION_NUMBER) || \
+- OPENSSL_VERSION_NUMBER < 0x10000000L || \
+- defined(OPENSSL_NO_CMS)
++#if defined(OPENSSL_NO_CMS) || \
++ ( defined(LIBRESSL_VERSION_NUMBER) \
++ && (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
++ OPENSSL_VERSION_NUMBER < 0x10000000L
+ #define USE_PKCS7
+ #endif
+ #ifndef USE_PKCS7
diff --git a/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/4567_distro-Gentoo-Kconfig.patch b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
new file mode 100644
index 000000000000..cb2eaa635734
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/gentoo-patches/4567_distro-Gentoo-Kconfig.patch
@@ -0,0 +1,168 @@
+--- a/Kconfig 2020-04-15 11:05:30.202413863 -0400
++++ b/Kconfig 2020-04-15 10:37:45.683952949 -0400
+@@ -32,3 +32,5 @@ source "lib/Kconfig"
+ source "lib/Kconfig.debug"
+
+ source "Documentation/Kconfig"
++
++source "distro/Kconfig"
+--- /dev/null 2020-05-13 03:13:57.920193259 -0400
++++ b/distro/Kconfig 2020-05-13 07:51:36.841663359 -0400
+@@ -0,0 +1,157 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++ select UTS_NS
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++ select CGROUPS
++ select EPOLL
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select SIGNALFD
++ select TIMERFD
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select BPF_SYSCALL
++ select CGROUP_BPF
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select FILE_LOCKING
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
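Review bot: Several help texts in the new distro/Kconfig no longer describe what the symbol actually forces: GENTOO_LINUX_UDEV says it "only selects TMPFS, DEVTMPFS and their dependencies" while its select list also contains UNIX, MMU and SHMEM, and GENTOO_LINUX_PORTAGE lists five symbols in its help but additionally selects NAMESPACES and UTS_NS. Because `select` overrides a target's `depends on`, the help text is the only place a user sees what is being forced on, so it should list every selected symbol. Two of the GENTOO_LINUX_INIT_SYSTEMD targets, `DEVPTS_MULTIPLE_INSTANCES` and `ANON_INODES`, appear to have been removed from the kernel before 5.9; Kconfig silently ignores a select of an undefined symbol, so they are inert, but they should be verified against the 5.9.6 tree and dropped if absent rather than carried forward on each bump.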
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
new file mode 100644
index 000000000000..28424e31b65d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0001-make-DEFAULT_MMAP_MIN_ADDR-match-LSM_MMAP_MIN_ADDR.patch
@@ -0,0 +1,27 @@
+From 2f3ec79118b024c28cc5a3560ad6f1a973eacc7a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:22:12 -0400
+Subject: [PATCH 001/108] make DEFAULT_MMAP_MIN_ADDR match LSM_MMAP_MIN_ADDR
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/Kconfig b/mm/Kconfig
+index 6c974888f86f..6800aa460b73 100644
+--- a/mm/Kconfig
++++ b/mm/Kconfig
+@@ -321,7 +321,8 @@ config KSM
+ config DEFAULT_MMAP_MIN_ADDR
+ int "Low address space to protect from user allocation"
+ depends on MMU
+- default 4096
++ default 32768 if ARM || (ARM64 && COMPAT)
++ default 65536
+ help
+ This is the portion of low virtual memory which should be protected
+ from userspace allocation. Keeping a user from writing to low pages
+--
+2.29.2
+
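Review bot: The hardened-patches series keeps the upstream numbering (`[PATCH 001/108]`, presumably a linux-hardened export) but nothing in this chunk records the repository tag or commit the 108 patches were taken from, whereas the gentoo-patches 0000_README carries a `From:` source per patch. A small README in files/<version>/hardened-patches, or a comment in the ebuild, naming the upstream revision would let a reviewer diff the imported set against upstream on every kernel bump and notice a dropped or locally altered patch; something like `# hardened-patches: imported unmodified from <UPSTREAM-REPO> at <UPSTREAM-TAG> (placeholder)` is enough. For this hunk specifically, raising DEFAULT_MMAP_MIN_ADDR to 65536 is a user-visible change for software that maps low pages, and a one-line note that the runtime value can still be lowered through vm.mmap_min_addr would help users who hit it.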
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
new file mode 100644
index 000000000000..59df388bf481
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0002-enable-HARDENED_USERCOPY-by-default.patch
@@ -0,0 +1,25 @@
+From 4e0e554ae2ff18c0720f206b6f68b8db09e50ad5 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:41 -0400
+Subject: [PATCH 002/108] enable HARDENED_USERCOPY by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 7561f6f99f1d..9446ddf40974 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
+ bool "Harden memory copies between kernel and userspace"
+ depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ imply STRICT_DEVMEM
++ default y
+ help
+ This option checks for obviously wrong memory regions when
+ copying memory to/from the kernel (via copy_to_user() and
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
new file mode 100644
index 000000000000..d16e8f4482cb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0003-disable-HARDENED_USERCOPY_FALLBACK-by-default.patch
@@ -0,0 +1,24 @@
+From d66eaa57b84e8bfed3a789724484d6c0355010a9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 26 Apr 2018 02:01:26 -0400
+Subject: [PATCH 003/108] disable HARDENED_USERCOPY_FALLBACK by default
+
+---
+ security/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 9446ddf40974..5c388f7fe09d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -167,7 +167,6 @@ config HARDENED_USERCOPY
+ config HARDENED_USERCOPY_FALLBACK
+ bool "Allow usercopy whitelist violations to fallback to object size"
+ depends on HARDENED_USERCOPY
+- default y
+ help
+ This is a temporary option that allows missing usercopy whitelists
+ to be discovered via a WARN() to the kernel log, instead of
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..a408fff3f787
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0004-enable-SECURITY_DMESG_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 577be47db10937dc6ea20b462ea6d360facfe7d3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:05:15 -0400
+Subject: [PATCH 004/108] enable SECURITY_DMESG_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 5c388f7fe09d..428ad7622370 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -9,7 +9,7 @@ source "security/keys/Kconfig"
+
+ config SECURITY_DMESG_RESTRICT
+ bool "Restrict unprivileged access to the kernel syslog"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users reading the kernel
+ syslog via dmesg(8).
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0005-set-kptr_restrict-2-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
new file mode 100644
index 000000000000..ff8c75048308
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0005-set-kptr_restrict-2-by-default.patch
@@ -0,0 +1,26 @@
+From a3c80c3482ceb21a99a3e212b627ce835f134570 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:06:14 -0400
+Subject: [PATCH 005/108] set kptr_restrict=2 by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/vsprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index afb9521ddf91..fefa444e88db 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -821,7 +821,7 @@ static char *ptr_to_id(char *buf, char *end, const void *ptr,
+ return pointer_string(buf, end, (const void *)hashval, spec);
+ }
+
+-int kptr_restrict __read_mostly;
++int kptr_restrict __read_mostly = 2;
+
+ static noinline_for_stack
+ char *restricted_pointer(char *buf, char *end, const void *ptr,
+--
+2.29.2
+
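Review bot: Changing the initializer to `int kptr_restrict __read_mostly = 2;` alters the boot-time default but leaves the sysctl documentation in Documentation/admin-guide/sysctl/kernel.rst untouched, and that file describes 0 as the default, so in-tree docs now disagree with the shipped kernel; the same applies to the dmesg_restrict default flipped in the 0004 hunk, which is documented in the same file. Either a follow-up hunk updating the rst text or a list in the hardened patch set's README of sysctl defaults that differ from upstream (kptr_restrict=2, dmesg_restrict=1, protected_symlinks/hardlinks=1) would close the gap for people tuning the system from the documentation.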
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
new file mode 100644
index 000000000000..cff16bcfcb80
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0006-enable-DEBUG_LIST-by-default.patch
@@ -0,0 +1,25 @@
+From 2f4b0eec7cf84f132d0dd9ffad22d6d71cbb282b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:10:57 -0400
+Subject: [PATCH 006/108] enable DEBUG_LIST by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 491789a793ae..808fe4f2739b 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1452,6 +1452,7 @@ menu "Debug kernel data structures"
+ config DEBUG_LIST
+ bool "Debug linked list manipulation"
+ depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION
++ default y
+ help
+ Enable this to turn on extended checks in the linked-list
+ walking routines.
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
new file mode 100644
index 000000000000..27e2bf5496e6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0007-enable-BUG_ON_DATA_CORRUPTION-by-default.patch
@@ -0,0 +1,25 @@
+From 60323460e5ec1bb2f20a66af9930b2eacedeb0f1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:21:21 -0400
+Subject: [PATCH 007/108] enable BUG_ON_DATA_CORRUPTION by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 808fe4f2739b..f20d324de27e 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1492,6 +1492,7 @@ config DEBUG_NOTIFIERS
+ config BUG_ON_DATA_CORRUPTION
+ bool "Trigger a BUG when data corruption is detected"
+ select DEBUG_LIST
++ default y
+ help
+ Select this option if the kernel should BUG when it encounters
+ data corruption in kernel memory structures when they get checked
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
new file mode 100644
index 000000000000..e7c1f98778a5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0008-enable-ARM64_SW_TTBR0_PAN-by-default.patch
@@ -0,0 +1,24 @@
+From 7960bb447ffa6416525da790eb351cbb3360747b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:39:32 -0500
+Subject: [PATCH 008/108] enable ARM64_SW_TTBR0_PAN by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 6d232837cbee..c0e93b93f593 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1207,6 +1207,7 @@ config RODATA_FULL_DEFAULT_ENABLED
+
+ config ARM64_SW_TTBR0_PAN
+ bool "Emulate Privileged Access Never using TTBR0_EL1 switching"
++ default y
+ help
+ Enabling this option prevents the kernel from accessing
+ user-space memory directly by pointing TTBR0_EL1 to a reserved
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
new file mode 100644
index 000000000000..3b0461b68f1e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0009-arm64-enable-RANDOMIZE_BASE-by-default.patch
@@ -0,0 +1,24 @@
+From f33875502d7834f5d504407b631c9d3a148aa080 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 01:33:48 -0500
+Subject: [PATCH 009/108] arm64: enable RANDOMIZE_BASE by default
+
+---
+ arch/arm64/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index c0e93b93f593..09069bdba117 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -1767,6 +1767,7 @@ config RANDOMIZE_BASE
+ bool "Randomize the address of the kernel image"
+ select ARM64_MODULE_PLTS if MODULES
+ select RELOCATABLE
++ default y
+ help
+ Randomizes the virtual address at which the kernel image is
+ loaded, as a security feature that deters exploit attempts
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
new file mode 100644
index 000000000000..7ea5eec3c699
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0010-enable-SLAB_FREELIST_RANDOM-by-default.patch
@@ -0,0 +1,25 @@
+From 1dd0914022c820004ab17392036622424743e08d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 19:43:38 -0400
+Subject: [PATCH 010/108] enable SLAB_FREELIST_RANDOM by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 2a5df1cf838c..32e37bdb8019 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1916,6 +1916,7 @@ config SLAB_MERGE_DEFAULT
+ config SLAB_FREELIST_RANDOM
+ bool "Randomize slab freelist"
+ depends on SLAB || SLUB
++ default y
+ help
+ Randomizes the freelist order used on creating new pages. This
+ security feature reduces the predictability of the kernel slab
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
new file mode 100644
index 000000000000..bb26aa4fffff
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0011-enable-SLAB_FREELIST_HARDENED-by-default.patch
@@ -0,0 +1,24 @@
+From ddf4aa12e75d56f33bc225d55c42749e92c96a24 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 20 Aug 2017 15:39:25 -0400
+Subject: [PATCH 011/108] enable SLAB_FREELIST_HARDENED by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 32e37bdb8019..10f6ab320171 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1925,6 +1925,7 @@ config SLAB_FREELIST_RANDOM
+ config SLAB_FREELIST_HARDENED
+ bool "Harden slab freelist metadata"
+ depends on SLAB || SLUB
++ default y
+ help
+ Many kernel heap attacks try to target slab cache metadata and
+ other infrastructure. This options makes minor performance
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
new file mode 100644
index 000000000000..7de7045ac683
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0012-disable-SLAB_MERGE_DEFAULT-by-default.patch
@@ -0,0 +1,24 @@
+From e3758e04c921162b801b5bc8e375d0ab4cf6b0a6 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 8 Jul 2017 02:38:54 -0400
+Subject: [PATCH 012/108] disable SLAB_MERGE_DEFAULT by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 10f6ab320171..c6f1bd228ad4 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1901,7 +1901,6 @@ endchoice
+
+ config SLAB_MERGE_DEFAULT
+ bool "Allow slab caches to be merged"
+- default y
+ help
+ For reduced kernel memory fragmentation, slab caches can be
+ merged when they share the same size and other characteristics.
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
new file mode 100644
index 000000000000..a2da1f224778
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0013-enable-FORTIFY_SOURCE-by-default.patch
@@ -0,0 +1,25 @@
+From 7cd00f7cc8bd6c32440fc42d7f68840f3b52e883 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 8 May 2017 12:51:54 -0400
+Subject: [PATCH 013/108] enable FORTIFY_SOURCE by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 428ad7622370..3a2c68c7b50f 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -191,6 +191,7 @@ config HARDENED_USERCOPY_PAGESPAN
+ config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
++ default y
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
new file mode 100644
index 000000000000..3515dc9b661c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0014-enable-PANIC_ON_OOPS-by-default.patch
@@ -0,0 +1,34 @@
+From a630fb0048fb9d1a7cfda7555e41aa4725eaae34 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:09:17 -0400
+Subject: [PATCH 014/108] enable PANIC_ON_OOPS by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/Kconfig.debug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index f20d324de27e..d28b7dcebc1c 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -896,6 +896,7 @@ menu "Debug Oops, Lockups and Hangs"
+
+ config PANIC_ON_OOPS
+ bool "Panic on Oops"
++ default y
+ help
+ Say Y here to enable the kernel to panic when it oopses. This
+ has the same effect as setting oops=panic on the kernel command
+@@ -905,7 +906,7 @@ config PANIC_ON_OOPS
+ anything erroneous after an oops which could result in data
+ corruption or other issues.
+
+- Say N if unsure.
++ Say Y if unsure.
+
+ config PANIC_ON_OOPS_VALUE
+ int
+--
+2.29.2
+
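Review bot: Turning on PANIC_ON_OOPS by default converts a recoverable oops into a panic, and this hunk does not touch `PANIC_TIMEOUT`, whose upstream default of 0 means the machine waits forever after the panic; on a headless host that is a hang until someone power-cycles it. The flipped "Say Y if unsure" text should mention this, e.g. `Say Y if unsure; set PANIC_TIMEOUT or panic= on the command line so an unattended machine reboots instead of hanging.` A companion patch giving PANIC_TIMEOUT a non-zero default would be the consistent choice for a set whose purpose is to stop a corrupted kernel from continuing.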
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
new file mode 100644
index 000000000000..8136f50a646d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0015-stop-hiding-SLUB_DEBUG-behind-EXPERT.patch
@@ -0,0 +1,26 @@
+From 3c0d4b017b63522cd9b69cf7a20e96ed17f25dfc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 22:39:34 -0400
+Subject: [PATCH 015/108] stop hiding SLUB_DEBUG behind EXPERT
+
+It can make sense to disable this to reduce attack surface / complexity.
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index c6f1bd228ad4..a8960efee8ce 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1830,7 +1830,7 @@ config VM_EVENT_COUNTERS
+
+ config SLUB_DEBUG
+ default y
+- bool "Enable SLUB debugging support" if EXPERT
++ bool "Enable SLUB debugging support"
+ depends on SLUB && SYSFS
+ help
+ SLUB has extensive debug support features. Disabling these can
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
new file mode 100644
index 000000000000..ed91d3283774
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0016-stop-hiding-X86_16BIT-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 7213aef8a1466dc2f500dda16a1962b37361b264 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:31 -0400
+Subject: [PATCH 016/108] stop hiding X86_16BIT behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index e876b3a087f9..29e424f5f81b 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1190,7 +1190,7 @@ config VM86
+ default X86_LEGACY_VM86
+
+ config X86_16BIT
+- bool "Enable support for 16-bit segments" if EXPERT
++ bool "Enable support for 16-bit segments"
+ default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0017-disable-X86_16BIT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0017-disable-X86_16BIT-by-default.patch
new file mode 100644
index 000000000000..978bd08a4eee
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0017-disable-X86_16BIT-by-default.patch
@@ -0,0 +1,25 @@
+From 123aeacc0816a2b7d77861f130b12e6c06e60136 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:11:52 -0400
+Subject: [PATCH 017/108] disable X86_16BIT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 29e424f5f81b..1498825fe296 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -1191,7 +1191,6 @@ config VM86
+
+ config X86_16BIT
+ bool "Enable support for 16-bit segments"
+- default y
+ depends on MODIFY_LDT_SYSCALL
+ help
+ This option is required by programs like Wine to run 16-bit
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
new file mode 100644
index 000000000000..c8061e5688d6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0018-stop-hiding-MODIFY_LDT_SYSCALL-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 41fd3f51974b4d1d9ab685ef0ebbcfe9b81662b0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:15:52 -0400
+Subject: [PATCH 018/108] stop hiding MODIFY_LDT_SYSCALL behind EXPERT
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 1498825fe296..8a998a971f13 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2403,7 +2403,7 @@ config CMDLINE_OVERRIDE
+ be set to 'N' under normal conditions.
+
+ config MODIFY_LDT_SYSCALL
+- bool "Enable the LDT (local descriptor table)" if EXPERT
++ bool "Enable the LDT (local descriptor table)"
+ default y
+ help
+ Linux can allow user programs to install a per-process x86
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
new file mode 100644
index 000000000000..67f9e7727e05
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0019-disable-MODIFY_LDT_SYSCALL-by-default.patch
@@ -0,0 +1,26 @@
+From 14ea6bd3bc95d344447d869b9814e997e22c2590 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 18:16:16 -0400
+Subject: [PATCH 019/108] disable MODIFY_LDT_SYSCALL by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 8a998a971f13..ece83c20586d 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2404,7 +2404,6 @@ config CMDLINE_OVERRIDE
+
+ config MODIFY_LDT_SYSCALL
+ bool "Enable the LDT (local descriptor table)"
+- default y
+ help
+ Linux can allow user programs to install a per-process x86
+ Local Descriptor Table (LDT) using the modify_ldt(2) system
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
new file mode 100644
index 000000000000..4f8ff4bf09a2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0020-set-LEGACY_VSYSCALL_NONE-by-default.patch
@@ -0,0 +1,25 @@
+From d41ee4748702e2e46127b54d7344e22de81e2ac1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 07:08:42 -0400
+Subject: [PATCH 020/108] set LEGACY_VSYSCALL_NONE by default
+
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ece83c20586d..1c44734759ea 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2307,7 +2307,7 @@ config COMPAT_VDSO
+ choice
+ prompt "vsyscall table for legacy applications"
+ depends on X86_64
+- default LEGACY_VSYSCALL_XONLY
++ default LEGACY_VSYSCALL_NONE
+ help
+ Legacy user code that does not know how to find the vDSO expects
+ to be able to issue three syscalls by calling fixed addresses in
+--
+2.29.2
+
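Review bot: Switching the choice default to `default LEGACY_VSYSCALL_NONE` makes calls to the three fixed addresses the help text describes fault (SIGSEGV) instead of being serviced, so statically linked binaries that predate vDSO lookup will crash, and the commit carries no body explaining that compatibility trade-off. Suggest adding one, e.g. `Legacy static binaries that call the fixed vsyscall page now SIGSEGV; the upstream default can be restored per boot with the vsyscall= parameter.` The boot-parameter override exists as far as I recall; confirm the accepted values against the kernel-parameters documentation before quoting them.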
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
new file mode 100644
index 000000000000..bf9aface052c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0021-stop-hiding-AIO-behind-EXPERT.patch
@@ -0,0 +1,25 @@
+From 919990302400c1c7a53ef0fac581e062b362482b Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:21:50 +0000
+Subject: [PATCH 021/108] stop hiding AIO behind EXPERT
+
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index a8960efee8ce..d5291532fd74 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1581,7 +1581,7 @@ config SHMEM
+ which may be appropriate on small systems without swap.
+
+ config AIO
+- bool "Enable AIO support" if EXPERT
++ bool "Enable AIO support"
+ default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0022-disable-AIO-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0022-disable-AIO-by-default.patch
new file mode 100644
index 000000000000..ce248022098f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0022-disable-AIO-by-default.patch
@@ -0,0 +1,24 @@
+From f01dac0d3b471751b761a46dce33d552b3a82021 Mon Sep 17 00:00:00 2001
+From: Bernhard40 <32568352+Bernhard40@users.noreply.github.com>
+Date: Fri, 6 Oct 2017 10:24:10 +0000
+Subject: [PATCH 022/108] disable AIO by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index d5291532fd74..37c7d69a8071 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1582,7 +1582,6 @@ config SHMEM
+
+ config AIO
+ bool "Enable AIO support"
+- default y
+ help
+ This option enables POSIX asynchronous I/O which may by used
+ by some high performance threaded applications. Disabling
+--
+2.29.2
+
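Review bot: The subject line is the only description of the `config AIO` default change, while the help text directly below says high-performance threaded applications rely on this interface, so the user-visible effect should be spelled out. With the option off the io_setup/io_submit syscall family is not built at all, which as far as I recall surfaces to callers as ENOSYS rather than a slower fallback path, and io_uring is a separate option that this hunk leaves untouched. A body such as `Disables the legacy io_*() syscalls by default (callers see ENOSYS); io_uring is unaffected and CONFIG_AIO can still be enabled per build.` would make that clear.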
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
new file mode 100644
index 000000000000..9a4e7afa9962
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0023-remove-SYSVIPC-from-arm64-x86_64-defconfigs.patch
@@ -0,0 +1,32 @@
+From e0fe670cede4937cf9d2a4a01beec81c954cf199 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:08:49 -0500
+Subject: [PATCH 023/108] remove SYSVIPC from arm64/x86_64 defconfigs
+
+---
+ arch/arm64/configs/defconfig | 1 -
+ arch/x86/configs/x86_64_defconfig | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 6d04b9577b0b..b4455f33b854 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1,4 +1,3 @@
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ_IDLE=y
+diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
+index 9936528e1939..981ee8c0e330 100644
+--- a/arch/x86/configs/x86_64_defconfig
++++ b/arch/x86/configs/x86_64_defconfig
+@@ -1,5 +1,4 @@
+ # CONFIG_LOCALVERSION_AUTO is not set
+-CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0024-disable-DEVPORT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0024-disable-DEVPORT-by-default.patch
new file mode 100644
index 000000000000..ab5adfec8635
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0024-disable-DEVPORT-by-default.patch
@@ -0,0 +1,24 @@
+From 6333a9382dde221e4cfb3c70c0fcd6f14feba8f9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:28:10 -0400
+Subject: [PATCH 024/108] disable DEVPORT by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index b1bd336761b1..245004d074df 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -390,7 +390,6 @@ config MAX_RAW_DEVS
+ config DEVPORT
+ bool "/dev/port character device"
+ depends on ISA || PCI
+- default y
+ help
+ Say Y here if you want to support the /dev/port device. The /dev/port
+ device is similar to /dev/mem, but for I/O ports.
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
new file mode 100644
index 000000000000..8dbd12757312
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0025-disable-PROC_VMCORE-by-default.patch
@@ -0,0 +1,24 @@
+From f738c8e90836c3b8e8b4b13957aae7fa4f24b306 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 27 May 2017 07:29:45 -0400
+Subject: [PATCH 025/108] disable PROC_VMCORE by default
+
+---
+ fs/proc/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
+index c930001056f9..6a0a51b3f593 100644
+--- a/fs/proc/Kconfig
++++ b/fs/proc/Kconfig
+@@ -41,7 +41,6 @@ config PROC_KCORE
+ config PROC_VMCORE
+ bool "/proc/vmcore support"
+ depends on PROC_FS && CRASH_DUMP
+- default y
+ help
+ Exports the dump image of crashed kernel in ELF format.
+
+--
+2.29.2
+
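Review bot: Dropping `default y` from PROC_VMCORE breaks kdump for anyone who enables CRASH_DUMP, because the capture kernel's tooling reads the crashed kernel's image through /proc/vmcore — the help text itself says the option "Exports the dump image of crashed kernel". The option already `depends on PROC_FS && CRASH_DUMP`, so it is only reachable by users who deliberately opted into crash dumps, which makes the attack-surface argument weak here, and the commit body is empty. Either justify it with a body such as `CRASH_DUMP users must now enable PROC_VMCORE explicitly; the capture kernel needs it to read the dump.` or leave the default in place.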
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
new file mode 100644
index 000000000000..0897b857bbdd
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0026-disable-NFS_DEBUG-by-default.patch
@@ -0,0 +1,24 @@
+From e0b6a67a6511cda48e8445bc54666b34de93ccab Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 03:03:46 -0400
+Subject: [PATCH 026/108] disable NFS_DEBUG by default
+
+---
+ fs/nfs/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig
+index 88e1763e02f3..71820a515c91 100644
+--- a/fs/nfs/Kconfig
++++ b/fs/nfs/Kconfig
+@@ -195,7 +195,6 @@ config NFS_DEBUG
+ bool
+ depends on NFS_FS && SUNRPC_DEBUG
+ select CRC32
+- default y
+
+ config NFS_DISABLE_UDP_SUPPORT
+ bool "NFS: Disable NFS UDP protocol support"
+--
+2.29.2
+
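Review bot: `config NFS_DEBUG` is a promptless `bool` (the bare `bool` line), so removing its only `default y` leaves no way to turn it on from any config tool; unless something `select`s it — nothing in this hunk does — the real effect is "NFS_DEBUG can never be enabled", not "disabled by default" as the subject says. If the intent is to keep it available for people debugging NFS, give it a prompt, e.g. `bool "NFS: debugging support"` above the existing `depends on NFS_FS && SUNRPC_DEBUG`; if the intent is to remove it, say so in the subject and body.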
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0027-enable-DEBUG_WX-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
new file mode 100644
index 000000000000..1574f99897b4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0027-enable-DEBUG_WX-by-default.patch
@@ -0,0 +1,25 @@
+From b606ccfeb17599f835d5e33e54c296702bf9161d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 12:11:11 -0400
+Subject: [PATCH 027/108] enable DEBUG_WX by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
+index 864f129f1937..929d585bd267 100644
+--- a/mm/Kconfig.debug
++++ b/mm/Kconfig.debug
+@@ -126,6 +126,7 @@ config DEBUG_WX
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
++ default y
+ help
+ Generate a warning if any W+X mappings are found at boot.
+
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
new file mode 100644
index 000000000000..9f88bffbb8e1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0028-disable-LEGACY_PTYS-by-default.patch
@@ -0,0 +1,24 @@
+From 9debee5dd21e4b74998ed79652dd1a8b3655f8e4 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 13:21:16 -0500
+Subject: [PATCH 028/108] disable LEGACY_PTYS by default
+
+---
+ drivers/tty/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
+index 93fd984eb2f5..d9086484d2de 100644
+--- a/drivers/tty/Kconfig
++++ b/drivers/tty/Kconfig
+@@ -122,7 +122,6 @@ config UNIX98_PTYS
+
+ config LEGACY_PTYS
+ bool "Legacy (BSD) PTY support"
+- default y
+ help
+ A pseudo terminal (PTY) is a software device consisting of two
+ halves: a master and a slave. The slave device behaves identical to
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0029-disable-DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0029-disable-DEVMEM-by-default.patch
new file mode 100644
index 000000000000..c63440cfd64e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0029-disable-DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From 7a65b2ce09ba97cb70c16055befa9803923c9a23 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:41:42 -0500
+Subject: [PATCH 029/108] disable DEVMEM by default
+
+---
+ drivers/char/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
+index 245004d074df..12378eea923d 100644
+--- a/drivers/char/Kconfig
++++ b/drivers/char/Kconfig
+@@ -326,7 +326,6 @@ config NSC_GPIO
+
+ config DEVMEM
+ bool "/dev/mem virtual device support"
+- default y
+ help
+ Say Y here if you want to support the /dev/mem device.
+ The /dev/mem device is used to access areas of physical
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
new file mode 100644
index 000000000000..c78ba7f20c0a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0030-enable-IO_STRICT_DEVMEM-by-default.patch
@@ -0,0 +1,24 @@
+From d272d426c46ebb7f4f8013418e4168866bab6012 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 5 Jan 2018 12:43:49 -0500
+Subject: [PATCH 030/108] enable IO_STRICT_DEVMEM by default
+
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index d28b7dcebc1c..fcc0e42f676f 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1649,6 +1649,7 @@ config STRICT_DEVMEM
+ config IO_STRICT_DEVMEM
+ bool "Filter I/O access to /dev/mem"
+ depends on STRICT_DEVMEM
++ default y
+ help
+ If this option is disabled, you allow userspace (root) access to all
+ io-memory regardless of whether a driver is actively using that
+--
+2.29.2
+
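Review bot: The new `default y` sits under `depends on STRICT_DEVMEM`, so it only takes effect when STRICT_DEVMEM itself is enabled, and nothing visible in this series changes STRICT_DEVMEM; together with patch 0029 dropping DEVMEM's default, the common hardened configuration has no /dev/mem at all and this line is inert there. That is acceptable as a belt-and-braces default for builds that re-enable DEVMEM, but the commit body is empty and should say so, e.g. `Only effective when DEVMEM and STRICT_DEVMEM are enabled; restricts /dev/mem to I/O regions not claimed by a driver.` Please confirm STRICT_DEVMEM's own default on the target architectures before relying on this line alone.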
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
new file mode 100644
index 000000000000..d8614894e0ae
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0031-disable-COMPAT_BRK-by-default.patch
@@ -0,0 +1,24 @@
+From b5738a36f247c9371dd5271e2d1997d313ef9e90 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 18:28:33 -0400
+Subject: [PATCH 031/108] disable COMPAT_BRK by default
+
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 37c7d69a8071..5885c02eacfa 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1853,7 +1853,6 @@ config SLUB_MEMCG_SYSFS_ON
+
+ config COMPAT_BRK
+ bool "Disable heap randomization"
+- default y
+ help
+ Randomizing heap placement makes heap exploits harder, but it
+ also breaks ancient binaries (including anything libc5 based).
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
new file mode 100644
index 000000000000..f73b597a2e2f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0032-use-maximum-supported-mmap-rnd-entropy-by-default.patch
@@ -0,0 +1,35 @@
+From ee81aa8ee30a4045d6a435e840558ba30ca3cab3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 16:16:39 -0400
+Subject: [PATCH 032/108] use maximum supported mmap rnd entropy by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/Kconfig b/arch/Kconfig
+index 94821e3f94d1..48217118cfa3 100644
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -697,7 +697,7 @@ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MIN
++ default ARCH_MMAP_RND_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+ This value can be used to select the number of bits to use to
+@@ -731,7 +731,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MIN
++ default ARCH_MMAP_RND_COMPAT_BITS_MAX
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
+ This value can be used to select the number of bits to use to
+--
+2.29.2
+
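Review bot: Kconfig takes the first `default` whose condition holds, so the unchanged line `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT` still wins on any architecture that defines a DEFAULT value, and the new `default ARCH_MMAP_RND_BITS_MAX` (and its COMPAT twin) only applies where MIN/MAX exist but no DEFAULT does. If the intent is "always maximum entropy", the `... if ARCH_MMAP_RND_BITS_DEFAULT` lines need to go as well; otherwise the commit body should state which architectures are actually affected. It would also help to note that the value stays bounded by the `range` line and, as far as I recall, can still be lowered at runtime through the vm.mmap_rnd_bits sysctl.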
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
new file mode 100644
index 000000000000..9f9d053c47ac
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0033-enable-protected_-symlinks-hardlinks-by-default.patch
@@ -0,0 +1,27 @@
+From ac9127b90ba1fb053fb1f5a8f0640277536614e1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 10:47:23 -0400
+Subject: [PATCH 033/108] enable protected_{symlinks,hardlinks} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index e99e2a9da0f7..85334a0092b0 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -932,8 +932,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
+--
+2.29.2
+
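Review bot: Only `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` receive a non-zero initializer; `sysctl_protected_fifos` and `sysctl_protected_regular` two lines below stay at 0, and the commit does not say whether that was a deliberate compatibility choice. These are the same family of world-writable-directory hardening knobs, so either raise them too (e.g. `int sysctl_protected_fifos __read_mostly = 2;` and `int sysctl_protected_regular __read_mostly = 2;`) or add a body line such as `protected_fifos/protected_regular deliberately left at 0; enable via sysctl if wanted.` These are file-scope variables, so no function boundary is cut by the hunk.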
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0034-enable-SECURITY-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0034-enable-SECURITY-by-default.patch
new file mode 100644
index 000000000000..1fb7ad5ae484
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0034-enable-SECURITY-by-default.patch
@@ -0,0 +1,24 @@
+From 03088c0c95a532a86003b7fad2dd6b0c5973a839 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:13:48 -0500
+Subject: [PATCH 034/108] enable SECURITY by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 3a2c68c7b50f..fa037a250821 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -23,6 +23,7 @@ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+ depends on MULTIUSER
++ default y
+ help
+ This allows you to choose different security modules to be
+ configured into your kernel.
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
new file mode 100644
index 000000000000..718a8581940a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0035-enable-SECURITY_YAMA-by-default.patch
@@ -0,0 +1,25 @@
+From f9c687024c99276600f7f9bba5b000d14b01a74b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 29 May 2017 06:17:59 -0400
+Subject: [PATCH 035/108] enable SECURITY_YAMA by default
+
+---
+ security/yama/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/yama/Kconfig b/security/yama/Kconfig
+index a810304123ca..b809050b25d2 100644
+--- a/security/yama/Kconfig
++++ b/security/yama/Kconfig
+@@ -2,7 +2,7 @@
+ config SECURITY_YAMA
+ bool "Yama support"
+ depends on SECURITY
+- default n
++ default y
+ help
+ This selects Yama, which extends DAC support with additional
+ system-wide security settings beyond regular Linux discretionary
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
new file mode 100644
index 000000000000..40330373a053
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0036-enable-SECURITY_NETWORK-by-default.patch
@@ -0,0 +1,24 @@
+From 70a22c04a5baafde1b3af6fda0747f9539a36824 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:14:02 -0500
+Subject: [PATCH 036/108] enable SECURITY_NETWORK by default
+
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index fa037a250821..81d0a08736aa 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -49,6 +49,7 @@ config SECURITYFS
+ config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY
++ default y
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0037-enable-AUDIT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0037-enable-AUDIT-by-default.patch
new file mode 100644
index 000000000000..b5b51ee4d4a8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0037-enable-AUDIT-by-default.patch
@@ -0,0 +1,24 @@
+From 5c51dd04c292b12cccf451e95a3bab8a0bb023e2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:15:24 -0500
+Subject: [PATCH 037/108] enable AUDIT by default
+
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 5885c02eacfa..28f20aeebc4d 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -415,6 +415,7 @@ config USELIB
+ config AUDIT
+ bool "Auditing support"
+ depends on NET
++ default y
+ help
+ Enable auditing infrastructure that can be used with another
+ kernel subsystem, such as SELinux (which requires this for
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
new file mode 100644
index 000000000000..6f57b0e4e52f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0038-enable-SECURITY_SELINUX-by-default.patch
@@ -0,0 +1,25 @@
+From 93d4454409aa9b7a15028aca7fbde1e47dd09bfc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 02:16:49 -0500
+Subject: [PATCH 038/108] enable SECURITY_SELINUX by default
+
+---
+ security/selinux/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 9e921fc72538..76d7ed11513c 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -3,7 +3,7 @@ config SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ depends on SECURITY_NETWORK && AUDIT && NET && INET
+ select NETWORK_SECMARK
+- default n
++ default y
+ help
+ This selects NSA Security-Enhanced Linux (SELinux).
+ You will also need a policy configuration and a labeled filesystem.
+--
+2.29.2
+
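Review bot: `default y` on SECURITY_SELINUX with an empty commit body leaves the reader guessing what this buys, since the help text two lines down says a policy configuration and a labeled filesystem are also required, and as far as I recall the LSM initialization order (CONFIG_LSM / the `lsm=` parameter) rather than this option decides whether SELinux actually becomes active. Without a loaded policy the hooks do nothing, so on distributions that ship no policy the practical effect is extra built-in code and the AUDIT/NETWORK_SECMARK dependencies, not enforcement. A body such as `Builds SELinux in by default; it stays inactive until a policy is loaded and is subject to CONFIG_LSM ordering.` would make the intent explicit.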
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
new file mode 100644
index 000000000000..1a6cb6e6c618
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0039-enable-SYN_COOKIES-by-default.patch
@@ -0,0 +1,24 @@
+From 0d6a48596e735852bb38d9e48982c50d53155fa2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 6 Jan 2018 13:41:11 -0500
+Subject: [PATCH 039/108] enable SYN_COOKIES by default
+
+---
+ net/ipv4/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 87983e70f03f..989e005bf698 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -267,6 +267,7 @@ config IP_PIMSM_V2
+
+ config SYN_COOKIES
+ bool "IP: TCP syncookie support"
++ default y
+ help
+ Normal TCP/IP networking is open to an attack known as "SYN
+ flooding". This denial-of-service attack prevents legitimate remote
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
new file mode 100644
index 000000000000..c9d407084c16
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0040-add-__read_only-for-non-init-related-usage.patch
@@ -0,0 +1,25 @@
+From 40e7dbdf09c1f298db398b429ee08c17e44f3b3e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:28:23 -0400
+Subject: [PATCH 040/108] add __read_only for non-init related usage
+
+---
+ include/linux/cache.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/cache.h b/include/linux/cache.h
+index 1aa8009f6d06..0d9e2ca40534 100644
+--- a/include/linux/cache.h
++++ b/include/linux/cache.h
+@@ -37,6 +37,8 @@
+ #define __ro_after_init __attribute__((__section__(".data..ro_after_init")))
+ #endif
+
++#define __read_only __ro_after_init
++
+ #ifndef ____cacheline_aligned
+ #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
+ #endif
+--
+2.29.2
+
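Review bot: The new `#define __read_only __ro_after_init` is unconditional, whereas every neighbouring definition in this header is guarded (the `#endif` just above it and `#ifndef ____cacheline_aligned` just below), so a tree or arch header that already defines `__read_only` would hit a redefinition warning or error here. Wrap it the same way: `#ifndef __read_only` / `#define __read_only __ro_after_init` / `#endif`. A one-line comment saying the alias is PaX-derived and, despite the name, remains writable until mark_rodata_ro() runs would also help readers of the later patches in this series that use it.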
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0041-make-sysctl-constants-read-only.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0041-make-sysctl-constants-read-only.patch
new file mode 100644
index 000000000000..e21f3bc49471
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0041-make-sysctl-constants-read-only.patch
@@ -0,0 +1,108 @@
+From e87dd868a07ac390bc4f7a828df4b20290571ac9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 7 May 2017 00:43:03 -0400
+Subject: [PATCH 041/108] make sysctl constants read-only
+
+Most of this is extracted from the last publicly available version of
+the PaX patches where it's part of KERNEXEC as __read_only. It has been
+extended to a few more of these constants.
+---
+ kernel/sysctl.c | 54 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index afad085960b8..b2cd3dbbb17a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -108,33 +108,33 @@
+
+ /* Constants used for minimum and maximum */
+ #ifdef CONFIG_LOCKUP_DETECTOR
+-static int sixty = 60;
+-#endif
+-
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+-static unsigned long zero_ul;
+-static unsigned long one_ul = 1;
+-static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
++static int sixty __read_only = 60;
++#endif
++
++static int __maybe_unused neg_one __read_only = -1;
++static int __maybe_unused two __read_only = 2;
++static int __maybe_unused four __read_only = 4;
++static unsigned long zero_ul __read_only;
++static unsigned long one_ul __read_only = 1;
++static unsigned long long_max __read_only = LONG_MAX;
++static int one_hundred __read_only = 100;
++static int two_hundred __read_only = 200;
++static int one_thousand __read_only = 1000;
+ #ifdef CONFIG_PRINTK
+-static int ten_thousand = 10000;
++static int ten_thousand __read_only = 10000;
+ #endif
+ #ifdef CONFIG_PERF_EVENTS
+-static int six_hundred_forty_kb = 640 * 1024;
++static int six_hundred_forty_kb __read_only = 640 * 1024;
+ #endif
+
+ /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
+-static unsigned long dirty_bytes_min = 2 * PAGE_SIZE;
++static unsigned long dirty_bytes_min __read_only = 2 * PAGE_SIZE;
+
+ /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
+-static int maxolduid = 65535;
+-static int minolduid;
++static int maxolduid __read_only = 65535;
++static int minolduid __read_only;
+
+-static int ngroups_max = NGROUPS_MAX;
++static int ngroups_max __read_only = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
+
+ /*
+@@ -142,7 +142,7 @@ static const int cap_last_cap = CAP_LAST_CAP;
+ * and hung_task_check_interval_secs
+ */
+ #ifdef CONFIG_DETECT_HUNG_TASK
+-static unsigned long hung_task_timeout_max = (LONG_MAX/HZ);
++static unsigned long hung_task_timeout_max __read_only = (LONG_MAX/HZ);
+ #endif
+
+ #ifdef CONFIG_INOTIFY_USER
+@@ -185,19 +185,19 @@ int sysctl_legacy_va_layout;
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-static int min_sched_granularity_ns = 100000; /* 100 usecs */
+-static int max_sched_granularity_ns = NSEC_PER_SEC; /* 1 second */
+-static int min_wakeup_granularity_ns; /* 0 usecs */
+-static int max_wakeup_granularity_ns = NSEC_PER_SEC; /* 1 second */
++static int min_sched_granularity_ns __read_only = 100000; /* 100 usecs */
++static int max_sched_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
++static int min_wakeup_granularity_ns __read_only; /* 0 usecs */
++static int max_wakeup_granularity_ns __read_only = NSEC_PER_SEC; /* 1 second */
+ #ifdef CONFIG_SMP
+-static int min_sched_tunable_scaling = SCHED_TUNABLESCALING_NONE;
+-static int max_sched_tunable_scaling = SCHED_TUNABLESCALING_END-1;
++static int min_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_NONE;
++static int max_sched_tunable_scaling __read_only = SCHED_TUNABLESCALING_END-1;
+ #endif /* CONFIG_SMP */
+ #endif /* CONFIG_SCHED_DEBUG */
+
+ #ifdef CONFIG_COMPACTION
+-static int min_extfrag_threshold;
+-static int max_extfrag_threshold = 1000;
++static int min_extfrag_threshold __read_only;
++static int max_extfrag_threshold __read_only = 1000;
+ #endif
+
+ #endif /* CONFIG_SYSCTL */
+--
+2.29.2
+
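Review bot: These constants are annotated with `__read_only`, an alias that exists only because an earlier patch in this series adds it to include/linux/cache.h, so this hunk does not build when cherry-picked on its own, while the very next patch (0042) marks `kernel_set_to_readonly` with `__ro_after_init` directly. Pick one spelling for the series; using `__ro_after_init` here, e.g. `static int sixty __ro_after_init = 60;`, keeps the patch self-contained and matches the mainline name. The change itself looks sound as far as visible: as far as I recall these values are only reached through `.extra1`/`.extra2` pointers in the sysctl tables, which are read-only uses, and the zero-initialised ones (`zero_ul`, `minolduid`, `min_wakeup_granularity_ns`) merely move from .bss into .data..ro_after_init.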
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
new file mode 100644
index 000000000000..d4749980f8ab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0042-mark-kernel_set_to_readonly-as-__ro_after_init.patch
@@ -0,0 +1,67 @@
+From 52c57d609db39585c51f1f7445b71d1a7960ff5e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 03:22:00 -0400
+Subject: [PATCH 042/108] mark kernel_set_to_readonly as __ro_after_init
+
+This change was extracted from PaX where it's part of KERNEXEC.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 5 ++---
+ arch/x86/mm/init_64.c | 5 ++---
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 7c055259de3a..77192cbc1dd7 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __read_mostly;
++int kernel_set_to_readonly __ro_after_init;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,12 +852,11 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
++ kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
+- kernel_set_to_readonly = 1;
+-
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index a4ac13cc3fdc..9277ed678ac4 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly;
++int kernel_set_to_readonly __ro_after_init;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,8 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+-
+ kernel_set_to_readonly = 1;
++ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+--
+2.29.2
+
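Review bot: Moving `kernel_set_to_readonly = 1;` ahead of `set_pages_ro()` in init_32.c and ahead of `set_memory_ro()` in init_64.c is load-bearing rather than cosmetic, and nothing in the hunk or the commit message says so: once the variable is `__ro_after_init`, the store has to land before the kernel write-protects the range that presumably contains the ro_after_init section, otherwise the assignment would fault. A one-line comment at each moved assignment, e.g. `/* must be stored before the range below is made RO: this variable is __ro_after_init */`, would keep a later cleanup from moving the store back next to the pr_info where it used to be. Both `mark_rodata_ro()` bodies continue outside the hunk.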
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
new file mode 100644
index 000000000000..d0b6d9d97fd7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0043-mark-slub-runtime-configuration-as-__ro_after_init.patch
@@ -0,0 +1,57 @@
+From 17b0e4a577ec6904c55cdbbf22b6339dca7aecb9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 19:01:58 -0400
+Subject: [PATCH 043/108] mark slub runtime configuration as __ro_after_init
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 0cbe67f13946..ae1bd65203cb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -486,13 +486,13 @@ static inline void *restore_red_left(struct kmem_cache *s, void *p)
+ * Debug settings:
+ */
+ #if defined(CONFIG_SLUB_DEBUG_ON)
+-static slab_flags_t slub_debug = DEBUG_DEFAULT_FLAGS;
++static slab_flags_t slub_debug __ro_after_init = DEBUG_DEFAULT_FLAGS;
+ #else
+-static slab_flags_t slub_debug;
++static slab_flags_t slub_debug __ro_after_init;
+ #endif
+
+-static char *slub_debug_string;
+-static int disable_higher_order_debug;
++static char *slub_debug_string __ro_after_init;
++static int disable_higher_order_debug __ro_after_init;
+
+ /*
+ * slub is about to manipulate internal object metadata. This memory lies
+@@ -3359,9 +3359,9 @@ EXPORT_SYMBOL(kmem_cache_alloc_bulk);
+ * and increases the number of allocations possible without having to
+ * take the list_lock.
+ */
+-static unsigned int slub_min_order;
+-static unsigned int slub_max_order = PAGE_ALLOC_COSTLY_ORDER;
+-static unsigned int slub_min_objects;
++static unsigned int slub_min_order __ro_after_init;
++static unsigned int slub_max_order __ro_after_init = PAGE_ALLOC_COSTLY_ORDER;
++static unsigned int slub_min_objects __ro_after_init;
+
+ /*
+ * Calculate the order of allocation given an slab object size.
+@@ -4879,7 +4879,7 @@ enum slab_stat_type {
+ #define SO_TOTAL (1 << SL_TOTAL)
+
+ #ifdef CONFIG_MEMCG
+-static bool memcg_sysfs_enabled = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
++static bool memcg_sysfs_enabled __ro_after_init = IS_ENABLED(CONFIG_SLUB_MEMCG_SYSFS_ON);
+
+ static int __init setup_slub_memcg_sysfs(char *str)
+ {
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
new file mode 100644
index 000000000000..b533d32f8f69
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0044-add-__ro_after_init-to-slab_nomerge-and-slab_state.patch
@@ -0,0 +1,38 @@
+From 1040c8d4c19f2dd3046a1ce87b12806edd5acf98 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:35:35 -0400
+Subject: [PATCH 044/108] add __ro_after_init to slab_nomerge and slab_state
+
+This was extracted from the PaX patch where it's part of the KERNEXEC
+feature as __read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slab_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index f9ccd5dc13f3..bff04048559f 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -30,7 +30,7 @@
+
+ #include "slab.h"
+
+-enum slab_state slab_state;
++enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+ struct kmem_cache *kmem_cache;
+@@ -61,7 +61,7 @@ static DECLARE_WORK(slab_caches_to_rcu_destroy_work,
+ /*
+ * Merge control. If this is set then no merging of slab caches will occur.
+ */
+-static bool slab_nomerge = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
++static bool slab_nomerge __ro_after_init = !IS_ENABLED(CONFIG_SLAB_MERGE_DEFAULT);
+
+ static int __init setup_slab_nomerge(char *str)
+ {
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
new file mode 100644
index 000000000000..208566968384
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0045-mark-kmem_cache-as-__ro_after_init.patch
@@ -0,0 +1,25 @@
+From dd0fcc29aa25bb56eab0067346a2eacc55054ef9 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 28 May 2017 18:51:30 -0400
+Subject: [PATCH 045/108] mark kmem_cache as __ro_after_init
+
+---
+ mm/slab_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/slab_common.c b/mm/slab_common.c
+index bff04048559f..2b73c12d8fce 100644
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -33,7 +33,7 @@
+ enum slab_state slab_state __ro_after_init;
+ LIST_HEAD(slab_caches);
+ DEFINE_MUTEX(slab_mutex);
+-struct kmem_cache *kmem_cache;
++struct kmem_cache *kmem_cache __ro_after_init;
+
+ #ifdef CONFIG_HARDENED_USERCOPY
+ bool usercopy_fallback __ro_after_init =
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
new file mode 100644
index 000000000000..ab35d57bfe76
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0046-mark-__supported_pte_mask-as-__ro_after_init.patch
@@ -0,0 +1,49 @@
+From 871936342c067ac17969d961bcacc13b353152fe Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Fri, 12 May 2017 00:06:16 -0400
+Subject: [PATCH 046/108] mark __supported_pte_mask as __ro_after_init
+
+These changes were extracted from PaX where it was part of KERNEXEC as
+__read_only.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/mm/init_32.c | 4 ++--
+ arch/x86/mm/init_64.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index 77192cbc1dd7..bda9596d7a9f 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -546,9 +546,9 @@ static void __init pagetable_init(void)
+
+ #define DEFAULT_PTE_MASK ~(_PAGE_NX | _PAGE_GLOBAL)
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __supported_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = DEFAULT_PTE_MASK;
++pteval_t __default_kernel_pte_mask __ro_after_init = DEFAULT_PTE_MASK;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index 9277ed678ac4..b5c5923d355d 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -97,9 +97,9 @@ DEFINE_ENTRY(pte, pte, init)
+ */
+
+ /* Bits supported by the hardware: */
+-pteval_t __supported_pte_mask __read_mostly = ~0;
++pteval_t __supported_pte_mask __ro_after_init = ~0;
+ /* Bits allowed in normal kernel mappings: */
+-pteval_t __default_kernel_pte_mask __read_mostly = ~0;
++pteval_t __default_kernel_pte_mask __ro_after_init = ~0;
+ EXPORT_SYMBOL_GPL(__supported_pte_mask);
+ /* Used in PAGE_KERNEL_* macros which are reasonably used out-of-tree: */
+ EXPORT_SYMBOL(__default_kernel_pte_mask);
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
new file mode 100644
index 000000000000..52edc1491e12
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0047-mark-kobj_ns_type_register-as-only-used-for-init.patch
@@ -0,0 +1,45 @@
+From 29be4bd4d459ecbc6be38068249e42aeffb6d9df Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:24:28 -0400
+Subject: [PATCH 047/108] mark kobj_ns_type_register as only used for init
+
+This allows kobj_ns_ops_tbl to be __ro_after_init.
+
+Extracted from PaX.
+---
+ include/linux/kobject_ns.h | 2 +-
+ lib/kobject.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
+index 2b5b64256cf4..8cdce21dce0f 100644
+--- a/include/linux/kobject_ns.h
++++ b/include/linux/kobject_ns.h
+@@ -45,7 +45,7 @@ struct kobj_ns_type_operations {
+ void (*drop_ns)(void *);
+ };
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
+ int kobj_ns_type_registered(enum kobj_ns_type type);
+ const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent);
+ const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj);
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..5343bbeea5f8 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -1023,9 +1023,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
+
+
+ static DEFINE_SPINLOCK(kobj_ns_type_lock);
+-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
++static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __ro_after_init;
+
+-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
++int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
+ {
+ enum kobj_ns_type type = ops->type;
+ int error;
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
new file mode 100644
index 000000000000..a5fb985be9a1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0048-mark-open_softirq-as-only-used-for-init.patch
@@ -0,0 +1,39 @@
+From 8a3bdb595b8e74047d2ba2f46d9bf517bf418c7b Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:32:30 -0400
+Subject: [PATCH 048/108] mark open_softirq as only used for init
+
+---
+ include/linux/interrupt.h | 2 +-
+ kernel/softirq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index f9aee3538461..48eebe511a83 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index bf88d7f62433..0d47b25ce9d1 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -485,7 +485,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(struct softirq_action *))
+ {
+ softirq_vec[nr].action = action;
+ }
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
new file mode 100644
index 000000000000..2e8a0d78b7dc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0049-remove-unused-softirq_action-callback-parameter.patch
@@ -0,0 +1,208 @@
+From a62197f4142f0d2159af81b2d8b94a57aacce663 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:41:11 -0400
+Subject: [PATCH 049/108] remove unused softirq_action callback parameter
+
+Extracted from PaX.
+---
+ block/blk-mq.c | 2 +-
+ include/linux/interrupt.h | 4 ++--
+ kernel/rcu/tiny.c | 2 +-
+ kernel/rcu/tree.c | 2 +-
+ kernel/sched/fair.c | 2 +-
+ kernel/softirq.c | 15 +++++++--------
+ kernel/time/hrtimer.c | 2 +-
+ kernel/time/timer.c | 2 +-
+ lib/irq_poll.c | 2 +-
+ net/core/dev.c | 4 ++--
+ 10 files changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index ca2fdb58e7af..4fe503a1fa70 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -569,7 +569,7 @@ EXPORT_SYMBOL(blk_mq_end_request);
+ * Softirq action handler - move entries to local list and loop over them
+ * while passing them to the queue registered handler.
+ */
+-static __latent_entropy void blk_done_softirq(struct softirq_action *h)
++static __latent_entropy void blk_done_softirq(void)
+ {
+ struct list_head *cpu_list, local_list;
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index 48eebe511a83..c18c0cebc595 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -554,7 +554,7 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
+
+ struct softirq_action
+ {
+- void (*action)(struct softirq_action *);
++ void (*action)(void);
+ };
+
+ asmlinkage void do_softirq(void);
+@@ -569,7 +569,7 @@ static inline void do_softirq_own_stack(void)
+ }
+ #endif
+
+-extern void __init open_softirq(int nr, void (*action)(struct softirq_action *));
++extern void __init open_softirq(int nr, void (*action)(void));
+ extern void softirq_init(void);
+ extern void __raise_softirq_irqoff(unsigned int nr);
+
+diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
+index aa897c3f2e92..d8976886fd68 100644
+--- a/kernel/rcu/tiny.c
++++ b/kernel/rcu/tiny.c
+@@ -101,7 +101,7 @@ static inline bool rcu_reclaim_tiny(struct rcu_head *head)
+ }
+
+ /* Invoke the RCU callbacks whose grace period has elapsed. */
+-static __latent_entropy void rcu_process_callbacks(struct softirq_action *unused)
++static __latent_entropy void rcu_process_callbacks(void)
+ {
+ struct rcu_head *next, *list;
+ unsigned long flags;
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index c8f62e2d0276..26af274dacef 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2662,7 +2662,7 @@ static __latent_entropy void rcu_core(void)
+ trace_rcu_utilization(TPS("End RCU core"));
+ }
+
+-static void rcu_core_si(struct softirq_action *h)
++static void rcu_core_si(void)
+ {
+ rcu_core();
+ }
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 48a6d442b444..bee4d43cf7c4 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10588,7 +10588,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+ * run_rebalance_domains is triggered when needed from the scheduler tick.
+ * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
+ */
+-static __latent_entropy void run_rebalance_domains(struct softirq_action *h)
++static __latent_entropy void run_rebalance_domains(void)
+ {
+ struct rq *this_rq = this_rq();
+ enum cpu_idle_type idle = this_rq->idle_balance ?
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 0d47b25ce9d1..438d26d6c67b 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -295,7 +295,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
+ kstat_incr_softirqs_this_cpu(vec_nr);
+
+ trace_softirq_entry(vec_nr);
+- h->action(h);
++ h->action();
+ trace_softirq_exit(vec_nr);
+ if (unlikely(prev_count != preempt_count())) {
+ pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
+@@ -485,7 +485,7 @@ void __raise_softirq_irqoff(unsigned int nr)
+ or_softirq_pending(1UL << nr);
+ }
+
+-void __init open_softirq(int nr, void (*action)(struct softirq_action *))
++void __init open_softirq(int nr, void (*action)(void))
+ {
+ softirq_vec[nr].action = action;
+ }
+@@ -531,8 +531,7 @@ void __tasklet_hi_schedule(struct tasklet_struct *t)
+ }
+ EXPORT_SYMBOL(__tasklet_hi_schedule);
+
+-static void tasklet_action_common(struct softirq_action *a,
+- struct tasklet_head *tl_head,
++static void tasklet_action_common(struct tasklet_head *tl_head,
+ unsigned int softirq_nr)
+ {
+ struct tasklet_struct *list;
+@@ -572,14 +571,14 @@ static void tasklet_action_common(struct softirq_action *a,
+ }
+ }
+
+-static __latent_entropy void tasklet_action(struct softirq_action *a)
++static __latent_entropy void tasklet_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_vec), TASKLET_SOFTIRQ);
+ }
+
+-static __latent_entropy void tasklet_hi_action(struct softirq_action *a)
++static __latent_entropy void tasklet_hi_action(void)
+ {
+- tasklet_action_common(a, this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
++ tasklet_action_common(this_cpu_ptr(&tasklet_hi_vec), HI_SOFTIRQ);
+ }
+
+ void tasklet_setup(struct tasklet_struct *t,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 95b6a708b040..271b5b006393 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1592,7 +1592,7 @@ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now,
+ }
+ }
+
+-static __latent_entropy void hrtimer_run_softirq(struct softirq_action *h)
++static __latent_entropy void hrtimer_run_softirq(void)
+ {
+ struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+ unsigned long flags;
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index 401fcb9d7388..816dc36d37b2 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1754,7 +1754,7 @@ static inline void __run_timers(struct timer_base *base)
+ /*
+ * This function runs timers and the timer-tq in bottom half context.
+ */
+-static __latent_entropy void run_timer_softirq(struct softirq_action *h)
++static __latent_entropy void run_timer_softirq(void)
+ {
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+
+diff --git a/lib/irq_poll.c b/lib/irq_poll.c
+index 2f17b488d58e..b6e7996a0058 100644
+--- a/lib/irq_poll.c
++++ b/lib/irq_poll.c
+@@ -75,7 +75,7 @@ void irq_poll_complete(struct irq_poll *iop)
+ }
+ EXPORT_SYMBOL(irq_poll_complete);
+
+-static void __latent_entropy irq_poll_softirq(struct softirq_action *h)
++static void __latent_entropy irq_poll_softirq(void)
+ {
+ struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
+ int rearm = 0, budget = irq_poll_budget;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 4906b44af850..8f73c2da81cf 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4840,7 +4840,7 @@ int netif_rx_ni(struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(netif_rx_ni);
+
+-static __latent_entropy void net_tx_action(struct softirq_action *h)
++static __latent_entropy void net_tx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+
+@@ -6732,7 +6732,7 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ return work;
+ }
+
+-static __latent_entropy void net_rx_action(struct softirq_action *h)
++static __latent_entropy void net_rx_action(void)
+ {
+ struct softnet_data *sd = this_cpu_ptr(&softnet_data);
+ unsigned long time_limit = jiffies +
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
new file mode 100644
index 000000000000..8fd6e51f34df
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0050-mark-softirq_vec-as-__ro_after_init.patch
@@ -0,0 +1,28 @@
+From 1b385b76b29720a9645798e3a486193a5048cb61 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 01:42:33 -0400
+Subject: [PATCH 050/108] mark softirq_vec as __ro_after_init
+
+Note: __cacheline_aligned_in_smp conflicts with __ro_after_init on x86.
+
+Extracted from PaX.
+---
+ kernel/softirq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/softirq.c b/kernel/softirq.c
+index 438d26d6c67b..f6e763451fcd 100644
+--- a/kernel/softirq.c
++++ b/kernel/softirq.c
+@@ -52,7 +52,7 @@ DEFINE_PER_CPU_ALIGNED(irq_cpustat_t, irq_stat);
+ EXPORT_PER_CPU_SYMBOL(irq_stat);
+ #endif
+
+-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
++static struct softirq_action softirq_vec[NR_SOFTIRQS] __ro_after_init __aligned(PAGE_SIZE);
+
+ DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
+
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
new file mode 100644
index 000000000000..b7ee0abe728e
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0051-mm-slab-trigger-BUG-if-requested-object-is-not-a-sla.patch
@@ -0,0 +1,34 @@
+From 87acb859af25d0925afb0510edf3b1239d0dee3f Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 17 Sep 2019 18:00:54 +0200
+Subject: [PATCH 051/108] mm: slab: trigger BUG if requested object is not a
+ slab page
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 6dd4b702888a..3016434f640e 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -429,9 +429,13 @@ static inline struct kmem_cache *virt_to_cache(const void *obj)
+ struct page *page;
+
+ page = virt_to_head_page(obj);
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageSlab(page));
++#else
+ if (WARN_ONCE(!PageSlab(page), "%s: Object is not a Slab page!\n",
+ __func__))
+ return NULL;
++#endif
+ return page->slab_cache;
+ }
+
+--
+2.29.2
+
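Review bot: The `#ifdef CONFIG_BUG_ON_DATA_CORRUPTION` / `BUG_ON()` / `#else` / `WARN_ONCE()` block added to `virt_to_cache()` open-codes what `CHECK_DATA_CORRUPTION()` from include/linux/bug.h already provides (BUG under that option, WARN otherwise, and it returns whether the condition fired); the same pattern is repeated in the `cache_from_obj()` hunk of 0052 and the `__ksize()` hunk of 0053. Here it would read `if (CHECK_DATA_CORRUPTION(!PageSlab(page), "%s: Object is not a Slab page!\n", __func__)) return NULL;`, which keeps a single preprocessor-free path and leaves the `return NULL` reachable in the non-BUG build. The one behavioural difference is that the helper uses `WARN` rather than `WARN_ONCE`, which is worth a sentence in the commit message if it is adopted. `virt_to_cache()` begins outside the hunk.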
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
new file mode 100644
index 000000000000..d11d75623de4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0052-bug-on-kmem_cache_free-with-the-wrong-cache.patch
@@ -0,0 +1,40 @@
+From 79ee25c0ea90a90dec03a36d11140f234ab8f3cc Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:50:53 -0400
+Subject: [PATCH 052/108] bug on kmem_cache_free with the wrong cache
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 3016434f640e..1567964fdaaa 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -465,10 +465,15 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
+ return s;
+
+ cachep = virt_to_cache(x);
+- if (WARN(cachep && cachep != s,
+- "%s: Wrong slab cache. %s but object is from %s\n",
+- __func__, s->name, cachep->name))
++ if (cachep && cachep != s) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG();
++#else
++ WARN(1, "%s: Wrong slab cache. %s but object is from %s\n",
++ __func__, s->name, cachep->name);
+ print_tracking(cachep, x);
++#endif
++ }
+ return cachep;
+ }
+
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
new file mode 100644
index 000000000000..5aca8a8bc0ab
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0053-bug-on-PageSlab-PageCompound-in-ksize.patch
@@ -0,0 +1,31 @@
+From 9894a1fddac08a8a1f117575e6a0dfd6aa0d6d8e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 11:57:35 -0400
+Subject: [PATCH 053/108] bug on !PageSlab && !PageCompound in ksize
+
+At least when CONFIG_BUG_ON_DATA_CORRUPTION is enabled.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/slub.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index ae1bd65203cb..f17eaae312e5 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -4088,7 +4088,11 @@ size_t __ksize(const void *object)
+ page = virt_to_head_page(object);
+
+ if (unlikely(!PageSlab(page))) {
++#ifdef CONFIG_BUG_ON_DATA_CORRUPTION
++ BUG_ON(!PageCompound(page));
++#else
+ WARN_ON(!PageCompound(page));
++#endif
+ return page_size(page);
+ }
+
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
new file mode 100644
index 000000000000..982134bc06a7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0054-mm-add-support-for-verifying-page-sanitization.patch
@@ -0,0 +1,70 @@
+From 87cf7b76d836526d0f9e1a70be1c7ad080f13569 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 21:54:56 -0400
+Subject: [PATCH 054/108] mm: add support for verifying page sanitization
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/highmem.h | 7 +++++++
+ mm/page_alloc.c | 6 ++++++
+ security/Kconfig.hardening | 7 +++++++
+ 3 files changed, 20 insertions(+)
+
+diff --git a/include/linux/highmem.h b/include/linux/highmem.h
+index 14e6202ce47f..4348ad7f5c50 100644
+--- a/include/linux/highmem.h
++++ b/include/linux/highmem.h
+@@ -284,6 +284,13 @@ static inline void clear_highpage(struct page *page)
+ kunmap_atomic(kaddr);
+ }
+
++static inline void verify_zero_highpage(struct page *page)
++{
++ void *kaddr = kmap_atomic(page);
++ BUG_ON(memchr_inv(kaddr, 0, PAGE_SIZE));
++ kunmap_atomic(kaddr);
++}
++
+ static inline void zero_user_segments(struct page *page,
+ unsigned start1, unsigned end1,
+ unsigned start2, unsigned end2)
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 3fb35fe6a9e4..c6c0ad37bf59 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -2225,6 +2225,12 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags
+ {
+ post_alloc_hook(page, order, gfp_flags);
+
++ if (IS_ENABLED(CONFIG_PAGE_SANITIZE_VERIFY) && want_init_on_free()) {
++ int i;
++ for (i = 0; i < (1 << order); i++)
++ verify_zero_highpage(page + i);
++ }
++
+ if (!free_pages_prezeroed() && want_init_on_alloc(gfp_flags))
+ kernel_init_free_pages(page, 1 << order);
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 269967c4fc1b..3d2f1d2c3d80 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -217,6 +217,13 @@ config INIT_ON_FREE_DEFAULT_ON
+ touching "cold" memory areas. Most cases see 3-5% impact. Some
+ synthetic workloads have measured as high as 8%.
+
++config PAGE_SANITIZE_VERIFY
++ bool "Verify sanitized pages"
++ default y
++ help
++ When init_on_free is enabled, verify that newly allocated pages
++ are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.29.2
+
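Review bot: `verify_zero_highpage()` reports a detected write-after-free with a bare `BUG_ON(memchr_inv(...))`, which gives whoever reads the oops nothing to pin the corruption to, not even which page failed. Splitting it into `if (memchr_inv(kaddr, 0, PAGE_SIZE)) { pr_err("page sanitization check failed for pfn %lx\n", page_to_pfn(page)); BUG(); }` costs nothing on the hot path and makes the crash actionable for triage. The `PAGE_SANITIZE_VERIFY` help text should also state what the option costs — a full-page `memchr_inv()` on every page handed out by `prep_new_page()` whenever `init_on_free` is on — since it defaults to `y` and activates silently once that boot option is set. `prep_new_page()` continues outside the hunk.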
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
new file mode 100644
index 000000000000..fef94b4b2f2a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0055-slub-Extend-init_on_free-to-slab-caches-with-constru.patch
@@ -0,0 +1,75 @@
+From 55d43ef0ebc59efb446024b207174b4cdd9029a0 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 20 Sep 2019 14:02:42 +0200
+Subject: [PATCH 055/108] slub: Extend init_on_free to slab caches with
+ constructors
+
+This is the remaining non-upstream part of SLAB_SANITIZE, which was a
+partial port, from Daniel Micay, of the feature from PaX without the
+default fast mode based on passing SLAB_NO_SANITIZE in
+performance-critical cases that are not particularly security sensitive.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/slab.h | 12 +++++++++---
+ mm/slub.c | 14 +++++++++++++-
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index 1567964fdaaa..0f8f83971fc1 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -637,9 +637,15 @@ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+
+ static inline bool slab_want_init_on_free(struct kmem_cache *c)
+ {
+- if (static_branch_unlikely(&init_on_free))
+- return !(c->ctor ||
+- (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON)));
++ if (static_branch_unlikely(&init_on_free)) {
++#ifndef CONFIG_SLUB
++ if (c->ctor)
++ return false;
++#endif
++ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
++ return false;
++ return true;
++ }
+ return false;
+ }
+
+diff --git a/mm/slub.c b/mm/slub.c
+index f17eaae312e5..fe8c235d7b89 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1571,7 +1571,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+-
++ if (s->ctor)
++ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+@@ -1580,6 +1581,17 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ *head = object;
+ if (!*tail)
+ *tail = object;
++ } else if (slab_want_init_on_free(s) && s->ctor) {
++ /* Objects that are put into quarantine by KASAN will
++ * still undergo free_consistency_checks() and thus
++ * need to show a valid freepointer to check_object().
++ *
++ * Note that doing this for all caches (not just ctor
++ * ones, which have s->offset != NULL)) causes a GPF,
++ * due to KASAN poisoning and the way set_freepointer()
++ * eventually dereferences the freepointer.
++ */
++ set_freepointer(s, object, NULL);
+ }
+ } while (object != old_tail);
+
+--
+2.29.2
+
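Review bot: The `#ifndef CONFIG_SLUB` guard added to `slab_want_init_on_free()` in mm/slab.h encodes an invariant that only the mm/slub.c half of this patch satisfies — SLUB now re-runs `s->ctor()` after zeroing in `slab_free_freelist_hook()`, so a constructed object goes back on the freelist in constructed state, while the other allocators (untouched by this patch, per the diffstat) get no such step and must keep skipping ctor caches — and the guard says none of this. A comment such as `/* Only SLUB re-runs the constructor after zeroing on free (slab_free_freelist_hook); other allocators must still skip ctor caches. */` would stop someone "fixing" the asymmetry later. The new comment in the KASAN branch also has an unbalanced parenthesis in `s->offset != NULL))` and compares an offset to `NULL`, which reads as a typo for `!= 0`. Both functions begin outside the hunk.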
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
new file mode 100644
index 000000000000..702da9c1a675
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0056-slub-Add-support-for-verifying-slab-sanitization.patch
@@ -0,0 +1,116 @@
+From 77035001a38bc282f475e340b1a8ef767bcbfdc2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 15:58:57 -0400
+Subject: [PATCH 056/108] slub: Add support for verifying slab sanitization
+
+This is an extension to the sanitization feature in PaX for when
+sacricifing more performance for security is acceptable.
+
+The initial version from Daniel Micay was relying on PAGE_SANITIZE. It
+now relies on upstream's init_on_free.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slub.c | 36 ++++++++++++++++++++++++++++++++----
+ security/Kconfig.hardening | 8 ++++++++
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index fe8c235d7b89..3b56a69f58cb 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -127,6 +127,12 @@ static inline bool kmem_cache_debug(struct kmem_cache *s)
+ return kmem_cache_debug_flags(s, SLAB_DEBUG_FLAGS);
+ }
+
++static inline bool has_sanitize_verify(struct kmem_cache *s)
++{
++ return IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) &&
++ slab_want_init_on_free(s);
++}
++
+ void *fixup_red_left(struct kmem_cache *s, void *p)
+ {
+ if (kmem_cache_debug_flags(s, SLAB_RED_ZONE))
+@@ -1571,7 +1577,7 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ : 0;
+ memset((char *)object + s->inuse, 0,
+ s->size - s->inuse - rsize);
+- if (s->ctor)
++ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
+ /* If object's reuse doesn't have to be delayed */
+@@ -1606,7 +1612,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ {
+ setup_object_debug(s, page, object);
+ object = kasan_init_slab_obj(s, object);
+- if (unlikely(s->ctor)) {
++ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+@@ -2894,7 +2900,16 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+
+ maybe_wipe_obj_freeptr(s, object);
+
+- if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ if (has_sanitize_verify(s) && object) {
++ /* KASAN hasn't unpoisoned the object yet (this is done in the
++ * post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, object);
++ BUG_ON(memchr_inv(object, 0, s->object_size));
++ if (s->ctor)
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+@@ -3333,7 +3348,20 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ local_irq_enable();
+
+ /* Clear memory outside IRQ disabled fastpath loop */
+- if (unlikely(slab_want_init_on_alloc(flags, s))) {
++ if (has_sanitize_verify(s)) {
++ int j;
++
++ for (j = 0; j < i; j++) {
++ /* KASAN hasn't unpoisoned the object yet (this is done
++ * in the post-alloc hook), so let's do it temporarily.
++ */
++ kasan_unpoison_object_data(s, p[j]);
++ BUG_ON(memchr_inv(p[j], 0, s->object_size));
++ if (s->ctor)
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+ for (j = 0; j < i; j++)
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 3d2f1d2c3d80..a718487ad717 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -224,6 +224,14 @@ config PAGE_SANITIZE_VERIFY
+ When init_on_free is enabled, verify that newly allocated pages
+ are zeroed to detect write-after-free bugs.
+
++config SLAB_SANITIZE_VERIFY
++ bool "Verify sanitized SLAB allocations"
++ default y
++ depends on !KASAN
++ help
++ When init_on_free is enabled, verify that newly allocated slab
++ objects are zeroed to detect write-after-free bugs.
++
+ endmenu
+
+ endmenu
+--
+2.29.2
+
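Review bot: The verification failure in both slab_alloc_node and kmem_cache_alloc_bulk is a bare `BUG_ON(memchr_inv(object, 0, s->object_size))`, which panics with only a file:line and says nothing about which cache or which offset held the stale write, so a write-after-free caught on a deployed machine is hard to triage. Keeping the pointer memchr_inv returns and reporting it before dying costs nothing on the fast path, e.g. `void *bad = memchr_inv(object, 0, s->object_size); if (unlikely(bad)) { pr_emerg("slab %s: non-zero byte at offset %zu after free\n", s->name, (size_t)(bad - object)); BUG(); }` in both places. Separately, the Kconfig entry says `depends on !KASAN` while both new blocks carry kasan_unpoison/poison calls and comments about the post-alloc hook, so either the dependency or those comments is stale; a one-line comment on the option stating why KASAN is excluded would settle it. slab_alloc_node and kmem_cache_alloc_bulk both start and end outside their inner hunks.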
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
new file mode 100644
index 000000000000..7c33605e7a1f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0057-slub-add-multi-purpose-random-canaries.patch
@@ -0,0 +1,264 @@
+From 566c24b99229d4036ea95d461831761556f8ce4a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 16:16:58 -0400
+Subject: [PATCH 057/108] slub: add multi-purpose random canaries
+
+From the configuration option:
+
+ Place canaries at the end of kernel slab allocations, sacrificing
+ some performance and memory usage for security.
+
+ Canaries can detect some forms of heap corruption when allocations
+ are freed and as part of the HARDENED_USERCOPY feature. It provides
+ basic use-after-free detection for HARDENED_USERCOPY.
+
+ Canaries absorb small overflows (rendering them harmless), mitigate
+ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
+ byte and provide basic double-free detection.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slub_def.h | 5 +++
+ init/Kconfig | 17 ++++++++++
+ mm/slab.h | 2 +-
+ mm/slub.c | 69 ++++++++++++++++++++++++++++++++++++++--
+ 4 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
+index 1be0ed5befa1..c71cf30b5987 100644
+--- a/include/linux/slub_def.h
++++ b/include/linux/slub_def.h
+@@ -113,6 +113,11 @@ struct kmem_cache {
+ unsigned long random;
+ #endif
+
++#ifdef CONFIG_SLAB_CANARY
++ unsigned long random_active;
++ unsigned long random_inactive;
++#endif
++
+ #ifdef CONFIG_NUMA
+ /*
+ * Defragmentation by allocating from a remote node.
+diff --git a/init/Kconfig b/init/Kconfig
+index 28f20aeebc4d..7902a8106ddf 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1932,6 +1932,23 @@ config SLAB_FREELIST_HARDENED
+ sanity-checking than others. This option is most effective with
+ CONFIG_SLUB.
+
++config SLAB_CANARY
++ depends on SLUB
++ depends on !SLAB_MERGE_DEFAULT
++ bool "SLAB canaries"
++ default y
++ help
++ Place canaries at the end of kernel slab allocations, sacrificing
++ some performance and memory usage for security.
++
++ Canaries can detect some forms of heap corruption when allocations
++ are freed and as part of the HARDENED_USERCOPY feature. It provides
++ basic use-after-free detection for HARDENED_USERCOPY.
++
++ Canaries absorb small overflows (rendering them harmless), mitigate
++ non-NUL terminated C string overflows on 64-bit via a guaranteed zero
++ byte and provide basic double-free detection.
++
+ config SHUFFLE_PAGE_ALLOCATOR
+ bool "Page allocator randomization"
+ default SLAB_FREELIST_RANDOM && ACPI_NUMA
+diff --git a/mm/slab.h b/mm/slab.h
+index 0f8f83971fc1..af30573d6ce6 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -498,7 +498,7 @@ static inline size_t slab_ksize(const struct kmem_cache *s)
+ * back there or track user information then we can
+ * only use the space before that information.
+ */
+- if (s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER))
++ if ((s->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_STORE_USER)) || IS_ENABLED(CONFIG_SLAB_CANARY))
+ return s->inuse;
+ /*
+ * Else we can use all the padding etc for the allocation
+diff --git a/mm/slub.c b/mm/slub.c
+index 3b56a69f58cb..c6c6685b6f81 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -569,6 +569,33 @@ static inline unsigned int get_info_end(struct kmem_cache *s)
+ return s->inuse;
+ }
+
++#ifdef CONFIG_SLAB_CANARY
++static inline unsigned long *get_canary(struct kmem_cache *s, void *object)
++{
++ return object + get_info_end(s);
++}
++
++static inline unsigned long get_canary_value(const void *canary, unsigned long value)
++{
++ return (value ^ (unsigned long)canary) & CANARY_MASK;
++}
++
++static inline void set_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ *canary = get_canary_value(canary, value);
++}
++
++static inline void check_canary(struct kmem_cache *s, void *object, unsigned long value)
++{
++ unsigned long *canary = get_canary(s, object);
++ BUG_ON(*canary != get_canary_value(canary, value));
++}
++#else
++#define set_canary(s, object, value)
++#define check_canary(s, object, value)
++#endif
++
+ static struct track *get_track(struct kmem_cache *s, void *object,
+ enum track_item alloc)
+ {
+@@ -576,6 +603,9 @@ static struct track *get_track(struct kmem_cache *s, void *object,
+
+ p = object + get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ p = (void *)p + sizeof(void *);
++
+ return p + alloc;
+ }
+
+@@ -717,6 +747,9 @@ static void print_trailer(struct kmem_cache *s, struct page *page, u8 *p)
+
+ off = get_info_end(s);
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ off += 2 * sizeof(struct track);
+
+@@ -825,8 +858,9 @@ static int check_bytes_and_report(struct kmem_cache *s, struct page *page,
+ * Meta data starts here.
+ *
+ * A. Free pointer (if we cannot overwrite object on free)
+- * B. Tracking data for SLAB_STORE_USER
+- * C. Padding to reach required alignment boundary or at mininum
++ * B. Canary for SLAB_CANARY
++ * C. Tracking data for SLAB_STORE_USER
++ * D. Padding to reach required alignment boundary or at mininum
+ * one word if debugging is on to be able to detect writes
+ * before the word boundary.
+ *
+@@ -844,6 +878,9 @@ static int check_pad_bytes(struct kmem_cache *s, struct page *page, u8 *p)
+ {
+ unsigned long off = get_info_end(s); /* The end of info */
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ off += sizeof(void *);
++
+ if (s->flags & SLAB_STORE_USER)
+ /* We also have user information there */
+ off += 2 * sizeof(struct track);
+@@ -1567,6 +1604,8 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ object = next;
+ next = get_freepointer(s, object);
+
++ check_canary(s, object, s->random_active);
++
+ if (slab_want_init_on_free(s)) {
+ /*
+ * Clear the object and the metadata, but don't touch
+@@ -1580,6 +1619,9 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ if (!IS_ENABLED(CONFIG_SLAB_SANITIZE_VERIFY) && s->ctor)
+ s->ctor(object);
+ }
++
++ set_canary(s, object, s->random_inactive);
++
+ /* If object's reuse doesn't have to be delayed */
+ if (!slab_free_hook(s, object)) {
+ /* Move object to the new freelist */
+@@ -1611,6 +1653,7 @@ static void *setup_object(struct kmem_cache *s, struct page *page,
+ void *object)
+ {
+ setup_object_debug(s, page, object);
++ set_canary(s, object, s->random_inactive);
+ object = kasan_init_slab_obj(s, object);
+ if (unlikely(s->ctor) && !has_sanitize_verify(s)) {
+ kasan_unpoison_object_data(s, object);
+@@ -2912,6 +2955,11 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+
++ if (object) {
++ check_canary(s, object, s->random_inactive);
++ set_canary(s, object, s->random_active);
++ }
++
+ slab_post_alloc_hook(s, objcg, gfpflags, 1, &object);
+
+ return object;
+@@ -3298,7 +3346,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ void **p)
+ {
+ struct kmem_cache_cpu *c;
+- int i;
++ int i, k;
+ struct obj_cgroup *objcg = NULL;
+
+ /* memcg and kmem_cache debug support */
+@@ -3368,6 +3416,11 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ memset(p[j], 0, s->object_size);
+ }
+
++ for (k = 0; k < i; k++) {
++ check_canary(s, p[k], s->random_inactive);
++ set_canary(s, p[k], s->random_active);
++ }
++
+ /* memcg and kmem_cache debug support */
+ slab_post_alloc_hook(s, objcg, flags, size, p);
+ return i;
+@@ -3569,6 +3622,7 @@ static void early_kmem_cache_node_alloc(int node)
+ init_object(kmem_cache_node, n, SLUB_RED_ACTIVE);
+ init_tracking(kmem_cache_node, n);
+ #endif
++ set_canary(kmem_cache_node, n, kmem_cache_node->random_active);
+ n = kasan_kmalloc(kmem_cache_node, n, sizeof(struct kmem_cache_node),
+ GFP_KERNEL);
+ page->freelist = get_freepointer(kmem_cache_node, n);
+@@ -3749,6 +3803,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
+ s->offset = ALIGN(freepointer_area / 2, sizeof(void *));
+ }
+
++ if (IS_ENABLED(CONFIG_SLAB_CANARY))
++ size += sizeof(void *);
++
+ #ifdef CONFIG_SLUB_DEBUG
+ if (flags & SLAB_STORE_USER)
+ /*
+@@ -3822,6 +3879,10 @@ static int kmem_cache_open(struct kmem_cache *s, slab_flags_t flags)
+ #ifdef CONFIG_SLAB_FREELIST_HARDENED
+ s->random = get_random_long();
+ #endif
++#ifdef CONFIG_SLAB_CANARY
++ s->random_active = get_random_long();
++ s->random_inactive = get_random_long();
++#endif
+
+ if (!calculate_sizes(s, -1))
+ goto error;
+@@ -4095,6 +4156,8 @@ void __check_heap_object(const void *ptr, unsigned long n, struct page *page,
+ offset -= s->red_left_pad;
+ }
+
++ check_canary(s, (void *)ptr - offset, s->random_active);
++
+ /* Allow address range falling entirely within usercopy region. */
+ if (offset >= s->useroffset &&
+ offset - s->useroffset <= s->usersize &&
+--
+2.29.2
+
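Review bot: check_canary reports a mismatch with a bare `BUG_ON(*canary != get_canary_value(canary, value))`, so an overflow caught on the free path, a double free caught on the alloc path and a use-after-free caught in __check_heap_object are indistinguishable in the oops and none names the cache; reporting first, e.g. `if (unlikely(*canary != get_canary_value(canary, value))) { pr_emerg("%s: slab canary mismatch\n", s->name); BUG(); }`, makes the reports actionable, and a short comment in slab_free_freelist_hook saying that the active/inactive alternation is what provides the double-free detection promised in the help text would help readers. CANARY_MASK is used by get_canary_value but not defined in this patch, so it presumably comes from an earlier patch in the series; the help text's "guaranteed zero byte" claim only holds if that mask clears a whole byte on every architecture the option can be built for, which is worth stating next to its definition. Note also that random_active and random_inactive are drawn with get_random_long() in kmem_cache_open, so for caches created during early boot, before the CRNG is seeded, the canary secret is presumably less unpredictable than for later caches, the same caveat that applies to s->random under SLAB_FREELIST_HARDENED on the line just above. All touched functions start and end outside their inner hunks.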
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
new file mode 100644
index 000000000000..d0462be9573b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0058-security-perf-Allow-further-restriction-of-perf_even.patch
@@ -0,0 +1,122 @@
+From dd174e7ef6aa443b37313e1607563cdce1ea4f19 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 11 Jan 2016 15:23:55 +0000
+Subject: [PATCH 058/108] security,perf: Allow further restriction of
+ perf_event_open
+
+When kernel.perf_event_open is set to 3 (or greater), disallow all
+access to performance events by users without CAP_SYS_ADMIN.
+Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
+makes this value the default.
+
+This is based on a similar feature in grsecurity
+(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
+the variable read-only. It also allows enabling further restriction
+at run-time regardless of whether the default is changed.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to work with the new CAP_PERFMON capability]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 2 ++
+ include/linux/perf_event.h | 8 ++++++++
+ kernel/events/core.c | 7 ++++++-
+ security/Kconfig | 9 +++++++++
+ tools/perf/Documentation/security.txt | 1 +
+ 5 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index d4b32cc32bb7..4c20e6ded0af 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -860,6 +860,8 @@ with respect to CAP_PERFMON use cases.
+ >=1 Disallow CPU event access by users without ``CAP_PERFMON``.
+
+ >=2 Disallow kernel profiling by users without ``CAP_PERFMON``.
++
++>=3 Disallow use of any event by users without ``CAP_PERFMON``.
+ === ==================================================================
+
+
+diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
+index 04a49ccc7beb..0a5808d411fc 100644
+--- a/include/linux/perf_event.h
++++ b/include/linux/perf_event.h
+@@ -1306,6 +1306,14 @@ static inline int perf_is_paranoid(void)
+ return sysctl_perf_event_paranoid > -1;
+ }
+
++static inline int perf_allow_open(struct perf_event_attr *attr)
++{
++ if (sysctl_perf_event_paranoid > 2 && !perfmon_capable())
++ return -EACCES;
++
++ return security_perf_event_open(attr, PERF_SECURITY_OPEN);
++}
++
+ static inline int perf_allow_kernel(struct perf_event_attr *attr)
+ {
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 6a1ae6a62d48..a94b124f046c 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -408,8 +408,13 @@ static cpumask_var_t perf_online_mask;
+ * 0 - disallow raw tracepoint access for unpriv
+ * 1 - disallow cpu events for unpriv
+ * 2 - disallow kernel profiling for unpriv
++ * 3 - disallow all unpriv perf event use
+ */
++#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
++int sysctl_perf_event_paranoid __read_mostly = 3;
++#else
+ int sysctl_perf_event_paranoid __read_mostly = 2;
++#endif
+
+ /* Minimum for 512 kiB + 1 user control page */
+ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
+@@ -11620,7 +11625,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ return -EINVAL;
+
+ /* Do we allow access to perf_event_open(2) ? */
+- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
++ err = perf_allow_open(&attr);
+ if (err)
+ return err;
+
+diff --git a/security/Kconfig b/security/Kconfig
+index 81d0a08736aa..c797326308f1 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -19,6 +19,15 @@ config SECURITY_DMESG_RESTRICT
+
+ If you are unsure how to answer this question, answer N.
+
++config SECURITY_PERF_EVENTS_RESTRICT
++ bool "Restrict unprivileged use of performance events"
++ depends on PERF_EVENTS
++ help
++ If you say Y here, the kernel.perf_event_paranoid sysctl
++ will be set to 3 by default, and no unprivileged use of the
++ perf_event_open syscall will be permitted unless it is
++ changed.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+diff --git a/tools/perf/Documentation/security.txt b/tools/perf/Documentation/security.txt
+index 4fe3b8b1958f..a7d88cc23a70 100644
+--- a/tools/perf/Documentation/security.txt
++++ b/tools/perf/Documentation/security.txt
+@@ -148,6 +148,7 @@ Perf tool provides a message similar to the one below:
+ >= 0: Disallow raw and ftrace function tracepoint access
+ >= 1: Disallow CPU event access
+ >= 2: Disallow kernel profiling
++ >= 3: Disallow use of any event
+ To make the adjusted perf_event_paranoid setting permanent preserve it
+ in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)
+
+--
+2.29.2
+
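Review bot: The commit text says access is denied to users without CAP_SYS_ADMIN, but the adapted check in perf_allow_open is `!perfmon_capable()`, which CAP_PERFMON alone satisfies, and the Kconfig help only says "unprivileged"; an administrator provisioning a perf-capable service account would be misled. Suggest the help text read `... will be set to 3 by default, so perf_event_open(2) is refused to callers lacking CAP_PERFMON (or CAP_SYS_ADMIN) unless the sysctl is lowered at runtime.`, matching the CAP_PERFMON wording the kernel.rst table already uses. It is also worth saying there that the new check runs before the security_perf_event_open() LSM hook, so at level 3 an LSM can only further restrict, never re-allow. perf_allow_open is complete in the hunk, but SYSCALL_DEFINE5(perf_event_open) continues outside it.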
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..c1289813c778
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0059-enable-SECURITY_PERF_EVENTS_RESTRICT-by-default.patch
@@ -0,0 +1,25 @@
+From 3c78f2a5b850ebdf963f38aebf44169605ce3bde Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 4 May 2017 14:45:59 -0400
+Subject: [PATCH 059/108] enable SECURITY_PERF_EVENTS_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c797326308f1..2348ff7d4e1d 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -22,6 +22,7 @@ config SECURITY_DMESG_RESTRICT
+ config SECURITY_PERF_EVENTS_RESTRICT
+ bool "Restrict unprivileged use of performance events"
+ depends on PERF_EVENTS
++ default y
+ help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
new file mode 100644
index 000000000000..2d3ba559f850
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0060-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
@@ -0,0 +1,124 @@
+From 65e13692f792d1b7110319171e32bbb32ffd3773 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0100
+Subject: [PATCH 060/108] add sysctl to disallow unprivileged CLONE_NEWUSER by
+ default
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/user_namespace.h | 4 ++++
+ kernel/fork.c | 11 +++++++++++
+ kernel/sysctl.c | 12 ++++++++++++
+ kernel/user_namespace.c | 3 +++
+ 4 files changed, 30 insertions(+)
+
+diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
+index 6ef1c7109fc4..2140091b0b8d 100644
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -106,6 +106,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+
+ #ifdef CONFIG_USER_NS
+
++extern int unprivileged_userns_clone;
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ if (ns)
+@@ -139,6 +141,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
+ struct ns_common *ns_get_owner(struct ns_common *ns);
+ #else
+
++#define unprivileged_userns_clone 0
++
+ static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
+ {
+ return &init_user_ns;
+diff --git a/kernel/fork.c b/kernel/fork.c
+index 8934886d1654..748e372165c2 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -82,6 +82,7 @@
+ #include <linux/perf_event.h>
+ #include <linux/posix-timers.h>
+ #include <linux/user-return-notifier.h>
++#include <linux/user_namespace.h>
+ #include <linux/oom.h>
+ #include <linux/khugepaged.h>
+ #include <linux/signalfd.h>
+@@ -1862,6 +1863,10 @@ static __latent_entropy struct task_struct *copy_process(
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2927,6 +2932,12 @@ int ksys_unshare(unsigned long unshare_flags)
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index b2cd3dbbb17a..fccf24a08c8a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -103,6 +103,9 @@
+ #ifdef CONFIG_LOCKUP_DETECTOR
+ #include <linux/nmi.h>
+ #endif
++#ifdef CONFIG_USER_NS
++#include <linux/user_namespace.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -1902,6 +1905,15 @@ static struct ctl_table kern_table[] = {
+ .proc_handler = proc_dointvec,
+ },
+ #endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
++#endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+ .procname = "tainted",
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 87804e0371fe..2fd16493231b 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -21,6 +21,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
+--
+2.29.2
+
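Review bot: The new unprivileged_userns_clone sysctl is an on/off knob but is registered with `.proc_handler = proc_dointvec` and no bounds, so any integer, including negative values, is accepted and every non-zero value re-enables unprivileged user namespaces; the kernel convention for boolean sysctls is `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE`. The patch also adds no entry to Documentation/admin-guide/sysctl/kernel.rst, unlike the perf restriction patch before it; a short paragraph stating that the default is 0, that the check is `capable(CAP_SYS_ADMIN)` against the initial user namespace (so a process that is root inside an existing user namespace is refused as well), and that container runtimes, browsers and bubblewrap-style sandboxes need the sysctl set to 1, is what an administrator will look for. copy_process and ksys_unshare both start and end outside their hunks.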
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..e6b7b48e1248
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0061-add-kmalloc-krealloc-alloc_size-attributes.patch
@@ -0,0 +1,65 @@
+From 72c23039fe70b52b494550922f2022baf94cf381 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:02:56 -0400
+Subject: [PATCH 061/108] add kmalloc/krealloc alloc_size attributes
+
+Note that this is overly strict when combined with ksize users accessing
+beyond the requested data size.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/slab.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/slab.h b/include/linux/slab.h
+index 24df2393ec03..a87e721d7abf 100644
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
+ /*
+ * Common kmalloc functions provided by all allocators
+ */
+-void * __must_check krealloc(const void *, size_t, gfp_t);
++void * __must_check krealloc(const void *, size_t, gfp_t) __attribute((alloc_size(2)));
+ void kfree(const void *);
+ void kfree_sensitive(const void *);
+ size_t __ksize(const void *);
+@@ -388,7 +388,7 @@ static __always_inline unsigned int kmalloc_index(size_t size)
+ }
+ #endif /* !CONFIG_SLOB */
+
+-void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc;
++void *__kmalloc(size_t size, gfp_t flags) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags) __assume_slab_alignment __malloc;
+ void kmem_cache_free(struct kmem_cache *, void *);
+
+@@ -412,7 +412,7 @@ static __always_inline void kfree_bulk(size_t size, void **p)
+ }
+
+ #ifdef CONFIG_NUMA
+-void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc;
++void *__kmalloc_node(size_t size, gfp_t flags, int node) __assume_kmalloc_alignment __malloc __attribute__((alloc_size(1)));
+ void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node) __assume_slab_alignment __malloc;
+ #else
+ static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
+@@ -537,7 +537,7 @@ static __always_inline void *kmalloc_large(size_t size, gfp_t flags)
+ * Try really hard to succeed the allocation but fail
+ * eventually.
+ */
+-static __always_inline void *kmalloc(size_t size, gfp_t flags)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc(size_t size, gfp_t flags)
+ {
+ if (__builtin_constant_p(size)) {
+ #ifndef CONFIG_SLOB
+@@ -559,7 +559,7 @@ static __always_inline void *kmalloc(size_t size, gfp_t flags)
+ return __kmalloc(size, flags);
+ }
+
+-static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
++static __always_inline __attribute__((alloc_size(1))) void *kmalloc_node(size_t size, gfp_t flags, int node)
+ {
+ #ifndef CONFIG_SLOB
+ if (__builtin_constant_p(size) &&
+--
+2.29.2
+
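Review bot: The krealloc declaration uses `__attribute((alloc_size(2)))` while every other line in the patch uses `__attribute__((alloc_size(...)))`; both spellings compile with GCC and clang, but the odd one out reads like a typo and will be missed by a grep for the attribute, so make it `void * __must_check krealloc(const void *, size_t, gfp_t) __attribute__((alloc_size(2)));`. The commit message's caveat about ksize() users is the one that matters to anyone enabling FORTIFY_SOURCE on top of this tree and deserves a comment next to the kmalloc attribute rather than only in the log, e.g. `/* alloc_size bounds accesses to the requested size; callers that legitimately write up to ksize() bytes will be flagged */`. The kmalloc and kmalloc_node bodies continue outside their hunks.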
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
new file mode 100644
index 000000000000..9b49597853a6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0062-add-vmalloc-alloc_size-attributes.patch
@@ -0,0 +1,47 @@
+From 18cc573f3b168fbc81cc849c87deb2e0dd45ec60 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 12:04:03 -0400
+Subject: [PATCH 062/108] add vmalloc alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/vmalloc.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
+index 0221f852a7e1..997313c9068f 100644
+--- a/include/linux/vmalloc.h
++++ b/include/linux/vmalloc.h
+@@ -101,18 +101,18 @@ static inline void vmalloc_init(void)
+ static inline unsigned long vmalloc_nr_pages(void) { return 0; }
+ #endif
+
+-extern void *vmalloc(unsigned long size);
+-extern void *vzalloc(unsigned long size);
+-extern void *vmalloc_user(unsigned long size);
+-extern void *vmalloc_node(unsigned long size, int node);
+-extern void *vzalloc_node(unsigned long size, int node);
+-extern void *vmalloc_32(unsigned long size);
+-extern void *vmalloc_32_user(unsigned long size);
+-extern void *__vmalloc(unsigned long size, gfp_t gfp_mask);
++extern void *vmalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vzalloc(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vzalloc_node(unsigned long size, int node) __attribute__((alloc_size(1)));
++extern void *vmalloc_32(unsigned long size) __attribute__((alloc_size(1)));
++extern void *vmalloc_32_user(unsigned long size) __attribute__((alloc_size(1)));
++extern void *__vmalloc(unsigned long size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ extern void *__vmalloc_node_range(unsigned long size, unsigned long align,
+ unsigned long start, unsigned long end, gfp_t gfp_mask,
+ pgprot_t prot, unsigned long vm_flags, int node,
+- const void *caller);
++ const void *caller) __attribute__((alloc_size(1)));
+ void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask,
+ int node, const void *caller);
+
+--
+2.29.2
+
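Review bot: `__vmalloc_node` on the last context line keeps its declaration without `alloc_size(1)` even though it takes a size and the `__vmalloc_node_range` declaration right above it got the attribute, so its callers lose the bound the rest of the patch provides. Suggest `void *__vmalloc_node(unsigned long size, unsigned long align, gfp_t gfp_mask, int node, const void *caller) __attribute__((alloc_size(1)));`. The declaration list continues outside the hunk, so any further size-taking vmalloc variants below it should be checked the same way.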
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
new file mode 100644
index 000000000000..363e07b0e5dc
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0063-add-kvmalloc-alloc_size-attribute.patch
@@ -0,0 +1,26 @@
+From 1111207702f214b9ffb47ea66fd638bc6dc649f1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 00:51:33 -0400
+Subject: [PATCH 063/108] add kvmalloc alloc_size attribute
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/mm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 16b799a0522c..53f283912755 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -751,7 +751,7 @@ static inline int is_vmalloc_or_module_addr(const void *x)
+ }
+ #endif
+
+-extern void *kvmalloc_node(size_t size, gfp_t flags, int node);
++extern void *kvmalloc_node(size_t size, gfp_t flags, int node) __attribute__((alloc_size(1)));
+ static inline void *kvmalloc(size_t size, gfp_t flags)
+ {
+ return kvmalloc_node(size, flags, NUMA_NO_NODE);
+--
+2.29.2
+
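Review bot: Only `kvmalloc_node` receives `alloc_size(1)`; the static inline `kvmalloc` wrapper directly below it, which is the entry point most callers use, does not, whereas patch 0061 deliberately annotates the inline kmalloc and kmalloc_node wrappers. The wrapper's own declaration carries no bound, so whether a kvmalloc caller benefits depends on inlining; for consistency make it `static inline __attribute__((alloc_size(1))) void *kvmalloc(size_t size, gfp_t flags)`, and kvzalloc and the other kv* wrappers outside the hunk presumably need the same treatment. kvmalloc's body is cut off at the end of the hunk.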
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0064-add-percpu-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
new file mode 100644
index 000000000000..794b21c51feb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0064-add-percpu-alloc_size-attributes.patch
@@ -0,0 +1,37 @@
+From 97d4d355ddbc2b629000a4f7cc66af7e138242c7 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:39:36 -0400
+Subject: [PATCH 064/108] add percpu alloc_size attributes
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/percpu.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/percpu.h b/include/linux/percpu.h
+index 5e76af742c80..9a6c682ec127 100644
+--- a/include/linux/percpu.h
++++ b/include/linux/percpu.h
+@@ -123,7 +123,7 @@ extern int __init pcpu_page_first_chunk(size_t reserved_size,
+ pcpu_fc_populate_pte_fn_t populate_pte_fn);
+ #endif
+
+-extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_reserved_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern bool __is_kernel_percpu_address(unsigned long addr, unsigned long *can_addr);
+ extern bool is_kernel_percpu_address(unsigned long addr);
+
+@@ -131,8 +131,8 @@ extern bool is_kernel_percpu_address(unsigned long addr);
+ extern void __init setup_per_cpu_areas(void);
+ #endif
+
+-extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp);
+-extern void __percpu *__alloc_percpu(size_t size, size_t align);
++extern void __percpu *__alloc_percpu_gfp(size_t size, size_t align, gfp_t gfp) __attribute__((alloc_size(1)));
++extern void __percpu *__alloc_percpu(size_t size, size_t align) __attribute__((alloc_size(1)));
+ extern void free_percpu(void __percpu *__pdata);
+ extern phys_addr_t per_cpu_ptr_to_phys(void *addr);
+
+--
+2.29.2
+
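Review bot: The three `__percpu` allocators return an address-space-annotated pointer that callers never dereference directly; every access goes through `per_cpu_ptr()`/`this_cpu_*`, whose offset arithmetic is, as I recall, hidden from the optimizer (RELOC_HIDE / inline asm), so `__builtin_object_size` on the resulting per-CPU address is unlikely to see the `alloc_size(1)` information. The attribute is correct and harmless (index 1 is `size` in all three signatures), but the practical gain is probably confined to diagnostics on the raw return value, and the commit message should say so rather than implying parity with the kmalloc/vmalloc patches in this series. A sentence such as `per_cpu_ptr() arithmetic hides the base from the compiler, so this mainly benefits checks on the returned pointer itself` would set expectations.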
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
new file mode 100644
index 000000000000..52e19e4d747b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0065-add-alloc_pages_exact-alloc_size-attributes.patch
@@ -0,0 +1,30 @@
+From e2b0aac803893c9ae631c9039c3cada7b0b5d423 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 14 May 2017 16:53:59 -0400
+Subject: [PATCH 065/108] add alloc_pages_exact alloc_size attributes
+
+Edited-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/gfp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/gfp.h b/include/linux/gfp.h
+index 67a0774e080b..4a1269a33856 100644
+--- a/include/linux/gfp.h
++++ b/include/linux/gfp.h
+@@ -566,9 +566,9 @@ extern struct page *alloc_pages_vma(gfp_t gfp_mask, int order,
+ extern unsigned long __get_free_pages(gfp_t gfp_mask, unsigned int order);
+ extern unsigned long get_zeroed_page(gfp_t gfp_mask);
+
+-void *alloc_pages_exact(size_t size, gfp_t gfp_mask);
++void *alloc_pages_exact(size_t size, gfp_t gfp_mask) __attribute__((alloc_size(1)));
+ void free_pages_exact(void *virt, size_t size);
+-void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask);
++void * __meminit alloc_pages_exact_nid(int nid, size_t size, gfp_t gfp_mask) __attribute__((alloc_size(2)));
+
+ #define __get_free_page(gfp_mask) \
+ __get_free_pages((gfp_mask), 0)
+--
+2.29.2
+
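Review bot: `alloc_size(1)` on `alloc_pages_exact` and `alloc_size(2)` on `alloc_pages_exact_nid` advertise exactly `size` bytes, while both functions round the allocation up to whole pages, so a caller that deliberately uses the tail slack of the last page will now trip FORTIFY/`__builtin_object_size` checks that were previously silent. That is the intended tightening, but it is a behavioural change for such callers and deserves a sentence in the commit message, e.g. `Callers may not rely on the page-rounding slack; the declared object size is the requested size.` The indices are right for both declarations (`size` is the first parameter of `alloc_pages_exact` and the second of `alloc_pages_exact_nid`).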
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
new file mode 100644
index 000000000000..48aa4e42bc44
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0066-Add-the-extra_latent_entropy-kernel-parameter.patch
@@ -0,0 +1,104 @@
+From 9bfb96a01f707c9489a519967513151be88839fa Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese@gmail.com>
+Date: Tue, 31 May 2016 01:34:02 +0200
+Subject: [PATCH 066/108] Add the extra_latent_entropy kernel parameter
+
+When extra_latent_entropy is passed on the kernel command line,
+entropy will be extracted from up to the first 4GB of RAM while the
+runtime memory allocator is being initialized.
+
+Based on work created by the PaX Team.
+
+Signed-off-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ .../admin-guide/kernel-parameters.txt | 5 ++++
+ mm/page_alloc.c | 25 +++++++++++++++++++
+ scripts/gcc-plugins/Kconfig | 5 ++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index dca917ac21d9..166cf32f1fc1 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3530,6 +3530,11 @@
+ the specified number of seconds. This is to be used if
+ your oopses keep scrolling off the screen.
+
++ extra_latent_entropy
++ Enable a very simple form of latent entropy extraction
++ from the first 4GB of memory as the bootmem allocator
++ passes the memory pages to the buddy allocator.
++
+ pcbit= [HW,ISDN]
+
+ pcd. [PARIDE]
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index c6c0ad37bf59..c7edc1cf5d09 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -70,6 +70,7 @@
+ #include <linux/psi.h>
+ #include <linux/padata.h>
+ #include <linux/khugepaged.h>
++#include <linux/random.h>
+
+ #include <asm/sections.h>
+ #include <asm/tlbflush.h>
+@@ -108,6 +109,15 @@ struct pcpu_drain {
+ static DEFINE_MUTEX(pcpu_drain_mutex);
+ static DEFINE_PER_CPU(struct pcpu_drain, pcpu_drain);
+
++bool __meminitdata extra_latent_entropy;
++
++static int __init setup_extra_latent_entropy(char *str)
++{
++ extra_latent_entropy = true;
++ return 0;
++}
++early_param("extra_latent_entropy", setup_extra_latent_entropy);
++
+ #ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
+ volatile unsigned long latent_entropy __latent_entropy;
+ EXPORT_SYMBOL(latent_entropy);
+@@ -1494,6 +1504,21 @@ void __free_pages_core(struct page *page, unsigned int order)
+ __ClearPageReserved(p);
+ set_page_count(p, 0);
+
++ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
++ unsigned long hash = 0;
++ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
++ const unsigned long *data = lowmem_page_address(page);
++
++ for (index = 0; index < end; index++)
++ hash ^= hash + data[index];
++#ifdef CONFIG_GCC_PLUGIN_LATENT_ENTROPY
++ latent_entropy ^= hash;
++ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
++#else
++ add_device_randomness((const void *)&hash, sizeof(hash));
++#endif
++ }
++
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+ set_page_refcounted(page);
+ __free_pages(page, order);
+diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
+index ae19fb0243b9..ad78375ece5e 100644
+--- a/scripts/gcc-plugins/Kconfig
++++ b/scripts/gcc-plugins/Kconfig
+@@ -53,6 +53,11 @@ config GCC_PLUGIN_LATENT_ENTROPY
+ is some slowdown of the boot process (about 0.5%) and fork and
+ irq processing.
+
++ When extra_latent_entropy is passed on the kernel command line,
++ entropy will be extracted from up to the first 4GB of RAM while the
++ runtime memory allocator is being initialized. This costs even more
++ slowdown of the boot process.
++
+ Note that entropy extracted this way is not cryptographically
+ secure!
+
+--
+2.29.2
+
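Review bot: The `page_to_pfn(page) < 0x100000` bound in `__free_pages_core` only equals the "first 4GB" promised by the documentation and Kconfig text when `PAGE_SHIFT` is 12; with 16K or 64K pages (common arm64 configs) it covers 16GB or 64GB and the boot-time cost grows accordingly, so I would express it in terms of the page size, `page_to_pfn(page) < (0x100000000ULL >> PAGE_SHIFT)`, or document the 4K assumption next to the constant. Two smaller notes: `hash ^= hash + data[index]` is a very weak mixer, which is acceptable only because the result goes through `add_device_randomness()` without an entropy credit, and a one-line comment saying so would stop someone from "crediting" it later; and the new `extra_latent_entropy` entry lands between what looks like the `pause_on_oops` text and `pcbit=` in kernel-parameters.txt, which is kept alphabetical. The enclosing `__free_pages_core()` begins and ends outside this hunk.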
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
new file mode 100644
index 000000000000..76f5b7864cea
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0067-ata-avoid-null-pointer-dereference-on-bug.patch
@@ -0,0 +1,37 @@
+From 8a6250eb475e79440704490401235884414a7151 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:45:34 -0400
+Subject: [PATCH 067/108] ata: avoid null pointer dereference on bug
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index f546a5761c4f..612233e7d387 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4540,7 +4540,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ unsigned int tag;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ ap = qc->ap;
+
+ qc->flags = 0;
+@@ -4557,7 +4557,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
+ struct ata_port *ap;
+ struct ata_link *link;
+
+- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
++ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
+ WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
+ ap = qc->ap;
+ link = qc->dev->link;
+--
+2.29.2
+
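Review bot: In both `ata_qc_free()` and `__ata_qc_complete()` the line after the check dereferences `qc` (`ap = qc->ap;`), so the old `WARN_ON_ONCE` was always followed by a NULL dereference anyway; `BUG_ON` makes that a deterministic fail-stop and reports every occurrence rather than only the first. The retained comment `/* ata_qc_from_tag _might_ return NULL */` now reads as though NULL were tolerated; I would make the intent explicit, e.g. `/* ata_qc_from_tag _might_ return NULL; qc is dereferenced below, so stop here */`. Note that `__ata_qc_complete()` still only `WARN_ON_ONCE`s a qc without `ATA_QCFLAG_ACTIVE` and proceeds, which the commit message ("Extracted from PaX") leaves unexplained. Both functions continue past their hunks.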
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
new file mode 100644
index 000000000000..5a7602701131
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0068-sanity-check-for-negative-length-in-nla_memcpy.patch
@@ -0,0 +1,28 @@
+From ca76ac3805c5832106137d57a1ef875146426095 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:51:12 -0400
+Subject: [PATCH 068/108] sanity check for negative length in nla_memcpy
+
+Extracted from PaX.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ lib/nlattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index bc5b5cf608c4..5cc8edbbfb5c 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -723,6 +723,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
+ {
+ int minlen = min_t(int, count, nla_len(src));
+
++ BUG_ON(minlen < 0);
++
+ memcpy(dest, nla_data(src), minlen);
+ if (count > minlen)
+ memset(dest + minlen, 0, count - minlen);
+--
+2.29.2
+
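Review bot: The new `BUG_ON(minlen < 0)` in `nla_memcpy()` is a sound guard, but nothing says why a negative value is reachable: both `count` and `nla_len()` are signed `int`, so a malformed attribute header (`nla_len < NLA_HDRLEN`, if validation was skipped) or a negative `count` from a caller would otherwise be converted to a huge `size_t` in the `memcpy` below. I would add a comment above the check, `/* count and nla_len() are signed; a negative minlen would become a huge memcpy length */`, so the next reader does not downgrade it to a WARN. The function body continues past the hunk.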
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0069-add-page-destructor-sanity-check.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0069-add-page-destructor-sanity-check.patch
new file mode 100644
index 000000000000..b9085da1e7b9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0069-add-page-destructor-sanity-check.patch
@@ -0,0 +1,71 @@
+From 96c91c2e86ead48f819a90a05d3e14d39008db8c Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 15 May 2017 23:59:18 -0400
+Subject: [PATCH 069/108] add page destructor sanity check
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+[thibaut.sautereau@ssi.gouv.fr: Restore get_compound_page_dtor()]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/mm.h | 9 +++++++--
+ mm/swap.c | 12 +++++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 53f283912755..c767ada5d877 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -886,10 +886,15 @@ static inline void set_compound_page_dtor(struct page *page,
+ page[1].compound_dtor = compound_dtor;
+ }
+
+-static inline void destroy_compound_page(struct page *page)
++static inline compound_page_dtor *get_compound_page_dtor(struct page *page)
+ {
+ VM_BUG_ON_PAGE(page[1].compound_dtor >= NR_COMPOUND_DTORS, page);
+- compound_page_dtors[page[1].compound_dtor](page);
++ return compound_page_dtors[page[1].compound_dtor];
++}
++
++static inline void destroy_compound_page(struct page *page)
++{
++ (*get_compound_page_dtor(page))(page);
+ }
+
+ static inline unsigned int compound_order(struct page *page)
+diff --git a/mm/swap.c b/mm/swap.c
+index e7bdf094f76a..19eb67a1cef6 100644
+--- a/mm/swap.c
++++ b/mm/swap.c
+@@ -102,6 +102,8 @@ static void __put_single_page(struct page *page)
+
+ static void __put_compound_page(struct page *page)
+ {
++ compound_page_dtor *dtor;
++
+ /*
+ * __page_cache_release() is supposed to be called for thp, not for
+ * hugetlb. This is because hugetlb page does never have PageLRU set
+@@ -110,7 +112,15 @@ static void __put_compound_page(struct page *page)
+ */
+ if (!PageHuge(page))
+ __page_cache_release(page);
+- destroy_compound_page(page);
++ dtor = get_compound_page_dtor(page);
++ if (!PageHuge(page))
++ BUG_ON(dtor != free_compound_page
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ && dtor != free_transhuge_page
++#endif
++ );
++
++ (*dtor)(page);
+ }
+
+ void __put_page(struct page *page)
+--
+2.29.2
+
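Review bot: In `__put_compound_page()` the destructor is fetched and validated only after `__page_cache_release(page)` has already run, so for a page whose `compound_dtor` index was corrupted the freeing side effects begin before the `BUG_ON` fires; moving `dtor = get_compound_page_dtor(page);` and the `BUG_ON` above the `if (!PageHuge(page)) __page_cache_release(page);` would fail before anything is torn down. Note also that the range check in the new `get_compound_page_dtor()` is `VM_BUG_ON_PAGE`, i.e. only active under `CONFIG_DEBUG_VM`, so on production builds an out-of-range index still reads `compound_page_dtors[]` out of bounds before the comparison rejects the result; an unconditional `BUG_ON(page[1].compound_dtor >= NR_COMPOUND_DTORS)` in the getter would be cheap and consistent with the intent of this patch.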
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
new file mode 100644
index 000000000000..57a7bf529998
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0070-PaX-shadow-cr4-sanity-check-essentially-a-revert.patch
@@ -0,0 +1,52 @@
+From 2818868424574dcd492804ea23391c12b127f050 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 00:59:48 -0400
+Subject: [PATCH 070/108] PaX shadow cr4 sanity check (essentially a revert)
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ arch/x86/kernel/cpu/common.c | 1 +
+ arch/x86/kernel/process.c | 1 +
+ arch/x86/mm/tlb.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 178499f90366..281a779e6b85 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -398,6 +398,7 @@ EXPORT_SYMBOL_GPL(native_write_cr4);
+ void cr4_update_irqsoff(unsigned long set, unsigned long clear)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ lockdep_assert_irqs_disabled();
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index ba4593a913fa..46cbfc6d2659 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -596,6 +596,7 @@ void speculation_ctrl_update_current(void)
+ static inline void cr4_toggle_bits_irqsoff(unsigned long mask)
+ {
+ unsigned long newval, cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+
+ newval = cr4 ^ mask;
+ if (newval != cr4) {
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 0951b47e64c1..04c91500e21d 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -1084,6 +1084,7 @@ STATIC_NOPV void native_flush_tlb_global(void)
+ raw_local_irq_save(flags);
+
+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
++ BUG_ON(cr4 != __read_cr4());
+ /* toggle PGE */
+ native_write_cr4(cr4 ^ X86_CR4_PGE);
+ /* write old PGE again and flush TLBs */
+--
+2.29.2
+
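Review bot: The three `BUG_ON(cr4 != __read_cr4())` checks sit on hot paths — `native_flush_tlb_global()` runs on every global TLB flush and `cr4_toggle_bits_irqsoff()` on context switches that change speculation-control bits — and each adds a `mov %cr4` read; that is cheap on bare metal but CR4 accesses can be intercepted by some hypervisors, so I would at least mention the cost and consider a Kconfig knob rather than an unconditional `BUG_ON`. In `cr4_update_irqsoff()` the check is wedged between the declaration and `lockdep_assert_irqs_disabled()`; placing it after the lockdep assert keeps the declaration block clean and checks preconditions in order. The commit message says only "essentially a revert" without naming what is reverted or the invariant being enforced; a sentence such as `cpu_tlbstate.cr4 must mirror the hardware CR4; a mismatch means the shadow was bypassed` would help. All three functions continue past their hunks.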
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0071-add-writable-function-pointer-detection.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0071-add-writable-function-pointer-detection.patch
new file mode 100644
index 000000000000..20ec7b754cf7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0071-add-writable-function-pointer-detection.patch
@@ -0,0 +1,98 @@
+From 5fd9c2071f91476ff265b886f21929af6432b231 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:53:23 -0400
+Subject: [PATCH 071/108] add writable function pointer detection
+
+Taken from the public PaX patches.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ scripts/mod/modpost.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 69341b36f271..452f1078a333 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,6 +34,7 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
++static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+@@ -1007,6 +1008,7 @@ enum mismatch {
+ ANY_EXIT_TO_ANY_INIT,
+ EXPORT_TO_INIT_EXIT,
+ EXTABLE_TO_NON_TEXT,
++ DATA_TO_TEXT
+ };
+
+ /**
+@@ -1133,6 +1135,12 @@ static const struct sectioncheck sectioncheck[] = {
+ .good_tosec = {ALL_TEXT_SECTIONS , NULL},
+ .mismatch = EXTABLE_TO_NON_TEXT,
+ .handler = extable_mismatch_handler,
++},
++/* Do not reference code from writable data */
++{
++ .fromsec = { DATA_SECTIONS, NULL },
++ .bad_tosec = { ALL_TEXT_SECTIONS, NULL },
++ .mismatch = DATA_TO_TEXT
+ }
+ };
+
+@@ -1320,10 +1328,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr,
+ continue;
+ if (!is_valid_name(elf, sym))
+ continue;
+- if (sym->st_value == addr)
+- return sym;
+ /* Find a symbol nearby - addr are maybe negative */
+ d = sym->st_value - addr;
++ if (d == 0)
++ return sym;
+ if (d < 0)
+ d = addr - sym->st_value;
+ if (d < distance) {
+@@ -1458,7 +1466,10 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- sec_mismatch_count++;
++ if (mismatch->mismatch == DATA_TO_TEXT)
++ writable_fptr_count++;
++ else
++ sec_mismatch_count++;
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1580,6 +1591,14 @@ static void report_sec_mismatch(const char *modname,
+ fatal("There's a special handler for this mismatch type, "
+ "we should never get here.");
+ break;
++ case DATA_TO_TEXT:
++#if 0
++ fprintf(stderr,
++ "The %s %s:%s references\n"
++ "the %s %s:%s%s\n",
++ from, fromsec, fromsym, to, tosec, tosym, to_p);
++#endif
++ break;
+ }
+ fprintf(stderr, "\n");
+ }
+@@ -2670,6 +2689,9 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
++ if (writable_fptr_count)
++ warn("modpost: Found %d writable function pointer(s).\n",
++ writable_fptr_count);
+
+ return err;
+ }
+--
+2.29.2
+
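Review bot: The new `DATA_TO_TEXT` report in `report_sec_mismatch()` is compiled out (`#if 0`), so the only output is the final `modpost: Found %d writable function pointer(s).` with no section or symbol names — the warning is unactionable as written, and unlike the other mismatches it never becomes fatal. I would either print the per-reference line under a verbose switch or state in the commit message why it is suppressed (presumably noise from legitimate `.data` ops tables). Separately, in `find_elf_symbol()` the exact match moved from `sym->st_value == addr` to `d == 0` computed after `d = sym->st_value - addr`; if `d` is still declared `Elf64_Sword` as upstream, that is a 32-bit truncation of a 64-bit difference and not an equivalent test, so I would keep the original comparison. Minor style: the new `DATA_TO_TEXT` enum member and the `.mismatch = DATA_TO_TEXT` initializer lack the trailing comma the neighbouring entries use.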
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
new file mode 100644
index 000000000000..95868859d9eb
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0072-support-overriding-early-audit-kernel-cmdline.patch
@@ -0,0 +1,26 @@
+From f255b53d56bf790dae21cbfcf380de474c79dcb0 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 9 Jul 2017 17:20:29 -0400
+Subject: [PATCH 072/108] support overriding early audit kernel cmdline
+
+---
+ kernel/audit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/audit.c b/kernel/audit.c
+index 7efaece534a9..eae22dac400b 100644
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1694,6 +1694,9 @@ static int __init audit_enable(char *str)
+
+ if (audit_default == AUDIT_OFF)
+ audit_initialized = AUDIT_DISABLED;
++ else if (!audit_ever_enabled)
++ audit_initialized = AUDIT_UNINITIALIZED;
++
+ if (audit_set_enabled(audit_default))
+ pr_err("audit: error setting audit state (%d)\n",
+ audit_default);
+--
+2.29.2
+
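Review bot: The new `else if (!audit_ever_enabled) audit_initialized = AUDIT_UNINITIALIZED;` in `audit_enable()` carries no explanation (the commit has no body and no Signed-off-by), and its correctness depends on an earlier patch in this series that presumably sets `audit_initialized = AUDIT_DISABLED` by default; since `audit_enable()` is a `__setup` handler that runs before initcalls, it is not obvious when `audit_ever_enabled` could already be true here, so the guard may be dead or may protect a case I cannot see from this hunk. I would add a comment such as `/* audit= on the command line overrides a compile-time default of disabled */` and a commit message sentence naming the patch it complements. `audit_enable()` continues past the hunk.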
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
new file mode 100644
index 000000000000..6fa24d2fb3b5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0073-FORTIFY_SOURCE-intra-object-overflow-checking.patch
@@ -0,0 +1,135 @@
+From defd33eb6976aeca988ff7747e8d587c9641c8b5 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 3 Jun 2017 17:34:13 -0400
+Subject: [PATCH 073/108] FORTIFY_SOURCE intra-object overflow checking
+
+This adds supporting for detecting buffer overflows from inner objects
+for the fortified string family functions. It's comparable to the
+_FORTIFY_SOURCE=2 feature in glibc with the additional coverage of
+intra-object read overflows for supported functions.
+
+The mem* family functions are left with only the inter-object overflow
+checks as is the case with glibc _FORTIFY_SOURCE=2.
+
+This feature is currently hidden behind CONFIG_EXPERT because it's a lot
+more likely to uncover benign / intended issues and will need a lot of
+runtime testing. It's already useful for finding bugs but it may not yet
+be a good idea to use it for hardening unless panics for benign issues
+are seen as a lesser evil than the vulnerabilities it can catch.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ include/linux/string.h | 26 ++++++++++++++++----------
+ security/Kconfig | 10 ++++++++++
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index b1f3894a0a3e..4c5564a6ad80 100644
+--- a/include/linux/string.h
++++ b/include/linux/string.h
+@@ -264,6 +264,12 @@ void __read_overflow2(void) __compiletime_error("detected read beyond size of ob
+ void __read_overflow3(void) __compiletime_error("detected read beyond size of object passed as 3rd parameter");
+ void __write_overflow(void) __compiletime_error("detected write beyond size of object passed as 1st parameter");
+
++#ifdef CONFIG_FORTIFY_SOURCE_STRICT_STRING
++#define __string_size(p) __builtin_object_size(p, 1)
++#else
++#define __string_size(p) __builtin_object_size(p, 0)
++#endif
++
+ #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)
+
+ #ifdef CONFIG_KASAN
+@@ -292,7 +298,7 @@ extern char *__underlying_strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (__builtin_constant_p(size) && p_size < size)
+ __write_overflow();
+ if (p_size < size)
+@@ -302,7 +308,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size)
+
+ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ if (p_size == (size_t)-1)
+ return __underlying_strcat(p, q);
+ if (strlcat(p, q, p_size) >= p_size)
+@@ -313,7 +319,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q)
+ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ {
+ __kernel_size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+
+ /* Work around gcc excess stack consumption issue */
+ if (p_size == (size_t)-1 ||
+@@ -328,7 +334,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p)
+ extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen);
+ __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
++ size_t p_size = __string_size(p);
+ __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size);
+ if (p_size <= ret && maxlen != ret)
+ fortify_panic(__func__);
+@@ -340,8 +346,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy);
+ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ {
+ size_t ret;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __real_strlcpy(p, q, size);
+ ret = strlen(q);
+@@ -361,8 +367,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size)
+ __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count)
+ {
+ size_t p_len, copy_len;
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strncat(p, q, count);
+ p_len = strlen(p);
+@@ -475,8 +481,8 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp)
+ /* defined after fortified strlen and memcpy to reuse them */
+ __FORTIFY_INLINE char *strcpy(char *p, const char *q)
+ {
+- size_t p_size = __builtin_object_size(p, 0);
+- size_t q_size = __builtin_object_size(q, 0);
++ size_t p_size = __string_size(p);
++ size_t q_size = __string_size(q);
+ if (p_size == (size_t)-1 && q_size == (size_t)-1)
+ return __underlying_strcpy(p, q);
+ memcpy(p, q, strlen(q) + 1);
+diff --git a/security/Kconfig b/security/Kconfig
+index 2348ff7d4e1d..f3c995bd79cf 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -208,6 +208,16 @@ config FORTIFY_SOURCE
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
++config FORTIFY_SOURCE_STRICT_STRING
++ bool "Harden common functions against buffer overflows"
++ depends on FORTIFY_SOURCE
++ depends on EXPERT
++ help
++ Perform stricter overflow checks catching overflows within objects
++ for common C string functions rather than only between objects.
++
++ This is not yet intended for production use, only bug finding.
++
+ config STATIC_USERMODEHELPER
+ bool "Force all usermode helper calls through a single binary"
+ help
+--
+2.29.2
+
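Review bot: The new Kconfig prompt `Harden common functions against buffer overflows` is nearly word-for-word the prompt of `FORTIFY_SOURCE` that it depends on, so the two are indistinguishable in menuconfig; I would rename it to something like `Strict intra-object FORTIFY_SOURCE checks for string functions` and fold the commit message's warning about panics on benign issues into the help text rather than only `This is not yet intended for production use, only bug finding.` In `include/linux/string.h` the `__string_size()` macro is defined outside the `#if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE)` guard, which is harmless but exposes a fortify-only helper to every includer; moving it inside the guard scopes it with the functions that use it. The substitution itself looks consistent — every string-function `__builtin_object_size(p, 0)` in the hunks became `__string_size(p)` and the mem* family is untouched, as the message says.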
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
new file mode 100644
index 000000000000..52165fa005c3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0074-Revert-mm-revert-x86_64-and-arm64-ELF_ET_DYN_BASE-ba.patch
@@ -0,0 +1,54 @@
+From 5794c44fe7f902d68eeb47dd848bf64cd10659c8 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sat, 26 Aug 2017 20:16:03 -0400
+Subject: [PATCH 074/108] Revert "mm: revert x86_64 and arm64 ELF_ET_DYN_BASE
+ base changes"
+
+This reverts commit aab425db4279aeb83b7911693f0cccbd3644c9fd.
+---
+ arch/arm64/include/asm/elf.h | 8 ++------
+ arch/x86/include/asm/elf.h | 4 ++--
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 8d1c8dcb87fd..26d27c7a2c2e 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -124,14 +124,10 @@
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+-#ifdef CONFIG_ARM64_FORCE_52BIT
+-#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3)
+-#else
+-#define ELF_ET_DYN_BASE (2 * DEFAULT_MAP_WINDOW_64 / 3)
+-#endif /* CONFIG_ARM64_FORCE_52BIT */
++#define ELF_ET_DYN_BASE 0x100000000UL
+
+ #ifndef __ASSEMBLY__
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b9a5d488f1a5..b55054566ece 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -246,11 +246,11 @@ extern int force_personality32;
+
+ /*
+ * This is the base location for PIE (ET_DYN with INTERP) loads. On
+- * 64-bit, this is above 4GB to leave the entire 32-bit address
++ * 64-bit, this is raised to 4GB to leave the entire 32-bit address
+ * space open for things that want to use the area for 32-bit pointers.
+ */
+ #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \
+- (DEFAULT_MAP_WINDOW / 3 * 2))
++ 0x100000000UL)
+
+ /* This yields a mask that user programs can use to figure out what
+ instruction set this CPU supports. This could be done in user space,
+--
+2.29.2
+
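Review bot: This re-applies a 4GB `ELF_ET_DYN_BASE` on x86_64 and arm64 without stating why upstream reverted it; as I recall, the upstream revert being undone here cited AddressSanitizer's fixed shadow-memory layout colliding with PIE binaries loaded at 0x100000000, so a hardened kernel shipping this should say in the commit message that ASan-instrumented userspace is expected to break, or how that is meant to be handled. The hardening rationale — keeping the PIE image far from the mmap/library region so that leaking one base does not reveal the other — is also absent and belongs in the message. On arm64 the `CONFIG_ARM64_FORCE_52BIT` / `DEFAULT_MAP_WINDOW_64` distinction is dropped along with the revert, which is fine for a fixed 4GB base but appears to post-date the original change and deserves a line.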
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
new file mode 100644
index 000000000000..059aab5d7294
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0075-x86_64-move-vdso-to-mmap-region-from-stack-region.patch
@@ -0,0 +1,118 @@
+From f4c459e06860057693bc6e32b7c72e350d6c7271 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:52:00 -0400
+Subject: [PATCH 075/108] x86_64: move vdso to mmap region from stack region
+
+This removes the only executable code from the stack region and gives
+the vdso the same randomized base as other mmap mappings including the
+linker and other shared objects. It results in a sane amount of entropy
+being provided and there's little to no advantage in separating this
+from the existing executable code there.
+
+It's sensible for userspace to reserve the initial mmap base as a region
+for executable code with a random gap for other mmap allocations, along
+with providing randomization within that region. However, there isn't
+much the kernel can do to help due to how dynamic linkers load the
+shared objects.
+
+This was extracted from the PaX RANDMMAP feature.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/entry/vdso/vma.c | 48 +-----------------------------------
+ arch/x86/include/asm/elf.h | 1 -
+ arch/x86/kernel/sys_x86_64.c | 7 ------
+ 3 files changed, 1 insertion(+), 55 deletions(-)
+
+diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
+index 9185cb1d13b9..543912071557 100644
+--- a/arch/x86/entry/vdso/vma.c
++++ b/arch/x86/entry/vdso/vma.c
+@@ -315,55 +315,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr)
+ }
+
+ #ifdef CONFIG_X86_64
+-/*
+- * Put the vdso above the (randomized) stack with another randomized
+- * offset. This way there is no hole in the middle of address space.
+- * To save memory make sure it is still in the same PTE as the stack
+- * top. This doesn't give that many random bits.
+- *
+- * Note that this algorithm is imperfect: the distribution of the vdso
+- * start address within a PMD is biased toward the end.
+- *
+- * Only used for the 64-bit and x32 vdsos.
+- */
+-static unsigned long vdso_addr(unsigned long start, unsigned len)
+-{
+- unsigned long addr, end;
+- unsigned offset;
+-
+- /*
+- * Round up the start address. It can start out unaligned as a result
+- * of stack start randomization.
+- */
+- start = PAGE_ALIGN(start);
+-
+- /* Round the lowest possible end address up to a PMD boundary. */
+- end = (start + len + PMD_SIZE - 1) & PMD_MASK;
+- if (end >= TASK_SIZE_MAX)
+- end = TASK_SIZE_MAX;
+- end -= len;
+-
+- if (end > start) {
+- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1);
+- addr = start + (offset << PAGE_SHIFT);
+- } else {
+- addr = start;
+- }
+-
+- /*
+- * Forcibly align the final address in case we have a hardware
+- * issue that requires alignment for performance reasons.
+- */
+- addr = align_vdso_addr(addr);
+-
+- return addr;
+-}
+-
+ static int map_vdso_randomized(const struct vdso_image *image)
+ {
+- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start);
+-
+- return map_vdso(image, addr);
++ return map_vdso(image, 0);
+ }
+ #endif
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index b55054566ece..58292600112d 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -398,5 +398,4 @@ struct va_alignment {
+ } ____cacheline_aligned;
+
+ extern struct va_alignment va_align;
+-extern unsigned long align_vdso_addr(unsigned long);
+ #endif /* _ASM_X86_ELF_H */
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index 504fa5425bce..c4e35a3b3733 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -52,13 +52,6 @@ static unsigned long get_align_bits(void)
+ return va_align.bits & get_align_mask();
+ }
+
+-unsigned long align_vdso_addr(unsigned long addr)
+-{
+- unsigned long align_mask = get_align_mask();
+- addr = (addr + align_mask) & ~align_mask;
+- return addr | get_align_bits();
+-}
+-
+ static int __init control_va_addr_alignment(char *str)
+ {
+ /* guard against enabling this on other CPU families */
+--
+2.29.2
+
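Review bot: `map_vdso(image, 0)` drops the `align_vdso_addr()` step together with the stack-relative placement, and the removed comment said explicitly that this alignment existed for CPUs with a hardware issue that requires alignment for performance (`va_align`); nothing in the hunk re-applies `get_align_mask()`/`get_align_bits()` to the vdso, so on those CPU families it may now land at a less favourable alignment. If `get_unmapped_area()` applies `va_align` only to file-backed mappings, which I believe is the case, the loss is real and the commit message should either accept it explicitly or the vdso should be placed through the same alignment helper the mmap path uses. The trade-off the message only implies — the vdso now shares its randomized base with every other mmap mapping, so a leak of any library address also reveals the vdso — deserves a plain sentence. `map_vdso_randomized()` is shown in full; `map_vdso()` itself lies outside the hunk.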
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..7d9d58517419
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0076-x86-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,60 @@
+From ae271b87203df1164ee0f851134ec6127d14395d Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 21 May 2017 20:30:44 -0400
+Subject: [PATCH 076/108] x86: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 22 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 28 to 32 bits on 64-bit depending on
+kernel configuration and overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/include/asm/elf.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
+index 58292600112d..608cca19cf8c 100644
+--- a/arch/x86/include/asm/elf.h
++++ b/arch/x86/include/asm/elf.h
+@@ -330,8 +330,8 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+
+ #ifdef CONFIG_X86_32
+
+-#define __STACK_RND_MASK(is32bit) (0x7ff)
+-#define STACK_RND_MASK (0x7ff)
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1)
+
+ #define ARCH_DLINFO ARCH_DLINFO_IA32
+
+@@ -340,7 +340,11 @@ extern bool mmap_address_hint_valid(unsigned long addr, unsigned long len);
+ #else /* CONFIG_X86_32 */
+
+ /* 1GB for 64bit, 8MB for 32bit */
+-#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff)
++#ifdef CONFIG_COMPAT
++#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1)
++#else
++#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1)
++#endif
+ #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32())
+
+ #define ARCH_DLINFO \
+--
+2.29.2
+
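Review bot: The context comment `/* 1GB for 64bit, 8MB for 32bit */` directly above the rewritten `__STACK_RND_MASK` is now stale, because the mask is derived from `mmap_rnd_bits` / `mmap_rnd_compat_bits`, which the description says come from kernel configuration and can be changed through the sysctl entries. Replace it with something like `/* stack randomization range follows the mmap entropy (vm.mmap_rnd_bits / vm.mmap_rnd_compat_bits) */`; the arm64 patch 0077 below carries the same stale `/* 1GB of VA */` comment and needs the same fix. The description also concedes that 32-bit builds using the default configuration drop from 11 to 8 bits of stack entropy, and nothing in this hunk raises those defaults, so that trade-off should be recorded next to the macro for anyone hardening a 32-bit or compat system. The header now depends on the declaration of `mmap_rnd_bits` being visible to asm/elf.h; no include is added here, so presumably it arrives through an existing one — worth confirming.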
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
new file mode 100644
index 000000000000..038e49a00c3b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0077-arm64-determine-stack-entropy-based-on-mmap-entropy.patch
@@ -0,0 +1,51 @@
+From bd8e7f374a6bc54127d2f46206c2d984b24b32c3 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Mon, 22 May 2017 05:06:20 -0400
+Subject: [PATCH 077/108] arm64: determine stack entropy based on mmap entropy
+
+Stack mapping entropy is currently hard-wired to 11 bits of entropy on
+32-bit and 18 bits of entropy on 64-bit. The stack itself gains an extra
+8 bits of entropy from lower bit randomization within 16 byte alignment
+constraints. The argument block could have all lower bits randomized but
+it currently only gets the mapping randomization.
+
+Rather than hard-wiring values this switches to using the mmap entropy
+configuration like the mmap base and executable base, resulting in a
+range of 8 to 16 bits on 32-bit and 18 to 24 bits on 64-bit (with 4k
+pages and 3 level page tables) depending on kernel configuration and
+overridable via the sysctl entries.
+
+It's worth noting that since these kernel configuration options default
+to the minimum supported entropy value, the entropy on 32-bit will drop
+from 11 to 8 bits for builds using the defaults. However, following the
+configuration seems like the right thing to do regardless. At the very
+least, changing the defaults for COMPAT (32-bit processes on 64-bit)
+should be considered due to the larger address space compared to real
+32-bit.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/arm64/include/asm/elf.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h
+index 26d27c7a2c2e..32c1609a1158 100644
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -185,10 +185,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm,
+ /* 1GB of VA */
+ #ifdef CONFIG_COMPAT
+ #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \
+- 0x7ff >> (PAGE_SHIFT - 12) : \
+- 0x3ffff >> (PAGE_SHIFT - 12))
++ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \
++ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #else
+-#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12))
++#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12))
+ #endif
+
+ #ifdef __AARCH64EB__
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
new file mode 100644
index 000000000000..feabe69904ee
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0078-randomize-lower-bits-of-the-argument-block.patch
@@ -0,0 +1,37 @@
+From 71dc5addf2903b4952f9ab13e7a1a17f8e8eaa50 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 11 May 2017 16:02:49 -0400
+Subject: [PATCH 078/108] randomize lower bits of the argument block
+
+This was based on the PaX RANDUSTACK feature in grsecurity, where all of
+the lower bits are randomized. PaX keeps 16-byte alignment.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ fs/exec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 529c3bcefb65..329b7547e35c 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -63,6 +63,7 @@
+ #include <linux/compat.h>
+ #include <linux/vmalloc.h>
+ #include <linux/io_uring.h>
++#include <linux/random.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/mmu_context.h>
+@@ -279,6 +280,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
+ mm->stack_vm = mm->total_vm = 1;
+ mmap_write_unlock(mm);
+ bprm->p = vma->vm_end - sizeof(void *);
++ if (randomize_va_space)
++ bprm->p ^= get_random_int() & ~PAGE_MASK;
+ return 0;
+ err:
+ mmap_write_unlock(mm);
+--
+2.29.2
+
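Review bot: The new gate `if (randomize_va_space)` consults only the global sysctl, whereas the kernel's existing stack-top randomization also honours the process personality flag ADDR_NO_RANDOMIZE; as written, the argument-block randomization appears to apply even to processes that asked for a deterministic layout (e.g. under a debugger), unless that flag is checked elsewhere — confirm whether that is intended. A why-comment on the XOR would also help: `bprm->p ^= get_random_int() & ~PAGE_MASK` keeps `p` inside the initial stack page, but its low bits no longer guarantee `sizeof(void *)` of headroom below `vma->vm_end`, so the line relies on later code only writing below `p`. Suggested: `/* randomize the sub-page offset of the argument block; p stays within the top stack page */`. `__bprm_mm_init` starts outside the hunk.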
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
new file mode 100644
index 000000000000..e459f7c03bf2
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0079-x86_64-match-arm64-brk-randomization-entropy.patch
@@ -0,0 +1,38 @@
+From f83590680353ca7c06bd3aec5ab9305b9c25a937 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 07:19:48 -0400
+Subject: [PATCH 079/108] x86_64: match arm64 brk randomization entropy
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 46cbfc6d2659..1fd336173293 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -43,6 +43,8 @@
+ #include <asm/io_bitmap.h>
+ #include <asm/proto.h>
+ #include <asm/frame.h>
++#include <asm/elf.h>
++#include <linux/sizes.h>
+
+ #include "process.h"
+
+@@ -904,7 +906,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++ else
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.29.2
+
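Review bot: Style: the `else` after `return` in the rewritten `arch_randomize_brk` is redundant under kernel style; `if (mmap_is_ia32()) return randomize_page(mm->brk, SZ_32M);` followed by an unconditional `return randomize_page(mm->brk, SZ_1G);` reads like the arm64 version the subject line says it is matching. The added `#include <linux/sizes.h>` lands after the `<asm/...>` block, while the file's `linux/` includes conventionally precede the `asm/` ones. A one-line comment noting that the 64-bit range grows from 32 MiB (the old `0x02000000`) to 1 GiB to match arm64 would make the constant's origin clear at the call site.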
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..8811da5865db
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0080-support-randomizing-the-lower-bits-of-brk.patch
@@ -0,0 +1,42 @@
+From 0ff0b10e1b5e80e2e41524b562f4d7563ff53406 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 30 May 2017 18:03:30 -0400
+Subject: [PATCH 080/108] support randomizing the lower bits of brk
+
+This adds support for arch_randomize_brk implementations not performing
+page alignment in order to randomize the lower bits of the brk heap.
+
+This idea is taken from PaX but the approach is different. This reuses
+the existing code and avoids forcing early creation of the heap mapping,
+avoiding mapping it if it's not used which is the case with many modern
+allocators based solely on mmap.
+
+The malloc implementation can be relied upon to align this as needed to
+the requirements it has, so using 16 byte alignment here is unnecessary.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/mmap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 7a8987aa6996..6416ffd17091 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -231,6 +231,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
+
+ newbrk = PAGE_ALIGN(brk);
+ oldbrk = PAGE_ALIGN(mm->brk);
++ /* properly handle unaligned min_brk as an empty heap */
++ if (min_brk & ~PAGE_MASK) {
++ if (brk == min_brk)
++ newbrk -= PAGE_SIZE;
++ if (mm->brk == min_brk)
++ oldbrk -= PAGE_SIZE;
++ }
+ if (oldbrk == newbrk) {
+ mm->brk = brk;
+ goto success;
+--
+2.29.2
+
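Review bot: The comment `/* properly handle unaligned min_brk as an empty heap */` does not say why the adjustment is needed, although the correctness of the following `oldbrk == newbrk` test depends on it: with an unaligned `min_brk`, `PAGE_ALIGN()` rounds both bounds up to the page above the one holding the heap start, so without the decrement a first brk() request that stays inside that page would compare equal and "succeed" without mapping anything. I'd expand it to, e.g., `/* min_brk may be unaligned (randomized low bits): a heap at exactly min_brk has no pages mapped yet, so back the bound(s) down one page so the page containing min_brk is mapped on first growth. */`. The `brk` syscall body starts and ends outside the hunk, so the interaction with the function's later range checks is not visible here and should be confirmed.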
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..2915b9866dca
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0081-mm-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From fba199bea2f3e454d3bfe5a3fa45efabe95f0d1a Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:22:38 -0400
+Subject: [PATCH 081/108] mm: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index 5ef378a2a038..b2f28f1b4531 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -335,9 +335,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.29.2
+
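Review bot: Replacing `randomize_page()` with `mm->brk + get_random_long() % SZ_32M` drops the overflow clamp that randomize_page() applies before adding its offset (not visible here), and it deliberately returns a brk that is no longer page aligned, which only works together with the brk() syscall change in patch 0080 (the `min_brk & ~PAGE_MASK` handling); neither dependency is recorded at the call site. A comment such as `/* intentionally not page aligned: the low bits are randomized too; brk() copes with an unaligned start_brk */` would capture both. The modulus is unbiased only because SZ_32M and SZ_1G are powers of two, which is worth stating so a future range change does not introduce bias. Patch 0082 makes the identical change for x86 and needs the same comment.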
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
new file mode 100644
index 000000000000..cfa65c381492
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0082-x86-randomize-lower-bits-of-brk.patch
@@ -0,0 +1,31 @@
+From 0a8981041f1dfde34aa9989aa1a0fbdc01128be2 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:06 -0400
+Subject: [PATCH 082/108] x86: randomize lower bits of brk
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 1fd336173293..585dc05ea52d 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -907,9 +907,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return randomize_page(mm->brk, SZ_32M);
++ return mm->brk + get_random_long() % SZ_32M;
+ else
+- return randomize_page(mm->brk, SZ_1G);
++ return mm->brk + get_random_long() % SZ_1G;
+ }
+
+ /*
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..15c87b715355
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0083-mm-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From 7573a1320f3ea43d92124b38009718b40a2742fe Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:39 -0400
+Subject: [PATCH 083/108] mm: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mm/util.c b/mm/util.c
+index b2f28f1b4531..282e29f9514a 100644
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -335,9 +335,9 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ /* Is the current task 32bit ? */
+ if (!IS_ENABLED(CONFIG_64BIT) || is_compat_task())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ unsigned long arch_mmap_rnd(void)
+--
+2.29.2
+
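Review bot: The appended `+ PAGE_SIZE` is uncommented and its purpose is not obvious from the expression: when the random offset is smaller than PAGE_SIZE the page holding the new unaligned brk would be the page immediately after the bss, and the brk() change in patch 0080 appears to map exactly that page on first growth, so the extra page is what actually keeps the heap off the data segment. Suggested comment above the returns: `/* + PAGE_SIZE: keep at least one unmapped page between the end of bss and the first heap page */`. The identical change in patch 0084 (x86) needs the same comment.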
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
new file mode 100644
index 000000000000..240f59ce0ce8
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0084-x86-guarantee-brk-gap-is-at-least-one-page.patch
@@ -0,0 +1,31 @@
+From b620710372524d39ac6f006a35d15eef901bb4d1 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Thu, 1 Jun 2017 03:23:48 -0400
+Subject: [PATCH 084/108] x86: guarantee brk gap is at least one page
+
+Per PaX, but for this alternate brk randomization approach.
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ arch/x86/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 585dc05ea52d..2550d99ca683 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -907,9 +907,9 @@ unsigned long arch_align_stack(unsigned long sp)
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+ if (mmap_is_ia32())
+- return mm->brk + get_random_long() % SZ_32M;
++ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE;
+ else
+- return mm->brk + get_random_long() % SZ_1G;
++ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE;
+ }
+
+ /*
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
new file mode 100644
index 000000000000..cdc579c7c065
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0085-x86_64-bound-mmap-between-legacy-modern-bases.patch
@@ -0,0 +1,37 @@
+From 740a78f2200cac29bef0331e63cec86f4c5844ad Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 4 Jul 2017 14:50:54 -0400
+Subject: [PATCH 085/108] x86_64: bound mmap between legacy/modern bases
+
+---
+ arch/x86/kernel/sys_x86_64.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
+index c4e35a3b3733..e30ec4c750d1 100644
+--- a/arch/x86/kernel/sys_x86_64.c
++++ b/arch/x86/kernel/sys_x86_64.c
+@@ -113,10 +113,7 @@ static void find_start_end(unsigned long addr, unsigned long flags,
+ }
+
+ *begin = get_mmap_base(1);
+- if (in_32bit_syscall())
+- *end = task_size_32bit();
+- else
+- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW);
++ *end = get_mmap_base(0);
+ }
+
+ unsigned long
+@@ -193,7 +190,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
+
+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
+ info.length = len;
+- info.low_limit = PAGE_SIZE;
++ info.low_limit = get_mmap_base(1);
+ info.high_limit = get_mmap_base(0);
+
+ /*
+--
+2.29.2
+
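Review bot: The rewritten `find_start_end` replaces `task_size_64bit(addr > DEFAULT_MAP_WINDOW)` with `get_mmap_base(0)`, which removes the path that let a 64-bit process place a hinted mapping above the 47-bit DEFAULT_MAP_WINDOW on 5-level-paging hardware; if bounding mmap between the legacy and modern bases is meant to also forbid such high hinted mappings, say so in a comment, otherwise that hint handling is presumably lost unintentionally. The bottom-up `*end` and the top-down `info.low_limit = get_mmap_base(1)` now stop once the window between the two bases is exhausted, where the previous `PAGE_SIZE` floor would have kept allocating, so large or fragmented address spaces may see ENOMEM earlier — that behaviour change deserves a sentence in the description, which is also missing a Signed-off-by line. Both enclosing functions start and end outside the hunk.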
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0086-restrict-device-timing-side-channels.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0086-restrict-device-timing-side-channels.patch
new file mode 100644
index 000000000000..aa702463ca38
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0086-restrict-device-timing-side-channels.patch
@@ -0,0 +1,174 @@
+From 72936fca48566b887c0a5014d924f37084ccf045 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 18:26:10 -0400
+Subject: [PATCH 086/108] restrict device timing side channels
+
+Based on the public grsecurity patches.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/inode.c | 4 ++++
+ fs/stat.c | 20 +++++++++++++++-----
+ include/linux/capability.h | 5 +++++
+ include/linux/fs.h | 11 +++++++++++
+ include/linux/fsnotify.h | 4 ++++
+ kernel/capability.c | 6 ++++++
+ kernel/sysctl.c | 9 +++++++++
+ 7 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/fs/inode.c b/fs/inode.c
+index 72c4c347afb7..f777be3dce1a 100644
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -116,6 +116,10 @@ int proc_nr_inodes(struct ctl_table *table, int write,
+ }
+ #endif
+
++/* sysctl */
++int device_sidechannel_restrict __read_mostly = 1;
++EXPORT_SYMBOL(device_sidechannel_restrict);
++
+ static int no_open(struct inode *inode, struct file *file)
+ {
+ return -ENXIO;
+diff --git a/fs/stat.c b/fs/stat.c
+index 44f8ad346db4..0fd7c369c6b3 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -43,8 +43,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
+ stat->gid = inode->i_gid;
+ stat->rdev = inode->i_rdev;
+ stat->size = i_size_read(inode);
+- stat->atime = inode->i_atime;
+- stat->mtime = inode->i_mtime;
++ if (is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = inode->i_ctime;
++ stat->mtime = inode->i_ctime;
++ } else {
++ stat->atime = inode->i_atime;
++ stat->mtime = inode->i_mtime;
++ }
+ stat->ctime = inode->i_ctime;
+ stat->blksize = i_blocksize(inode);
+ stat->blocks = inode->i_blocks;
+@@ -83,9 +88,14 @@ int vfs_getattr_nosec(const struct path *path, struct kstat *stat,
+ if (IS_DAX(inode))
+ stat->attributes |= STATX_ATTR_DAX;
+
+- if (inode->i_op->getattr)
+- return inode->i_op->getattr(path, stat, request_mask,
+- query_flags);
++ if (inode->i_op->getattr) {
++ int retval = inode->i_op->getattr(path, stat, request_mask, query_flags);
++ if (!retval && is_sidechannel_device(inode) && !capable_noaudit(CAP_MKNOD)) {
++ stat->atime = stat->ctime;
++ stat->mtime = stat->ctime;
++ }
++ return retval;
++ }
+
+ generic_fillattr(inode, stat);
+ return 0;
+diff --git a/include/linux/capability.h b/include/linux/capability.h
+index 1e7fe311cabe..a5b6d4c9acf5 100644
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -208,6 +208,7 @@ extern bool has_capability_noaudit(struct task_struct *t, int cap);
+ extern bool has_ns_capability_noaudit(struct task_struct *t,
+ struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
++extern bool capable_noaudit(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
+ extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ extern bool ns_capable_setid(struct user_namespace *ns, int cap);
+@@ -234,6 +235,10 @@ static inline bool capable(int cap)
+ {
+ return true;
+ }
++static inline bool capable_noaudit(int cap)
++{
++ return true;
++}
+ static inline bool ns_capable(struct user_namespace *ns, int cap)
+ {
+ return true;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index dbbeb52ce5f3..21e1052afd04 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3544,4 +3544,15 @@ static inline int inode_drain_writes(struct inode *inode)
+ return filemap_write_and_wait(inode->i_mapping);
+ }
+
++extern int device_sidechannel_restrict;
++
++static inline bool is_sidechannel_device(const struct inode *inode)
++{
++ umode_t mode;
++ if (!device_sidechannel_restrict)
++ return false;
++ mode = inode->i_mode;
++ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
++}
++
+ #endif /* _LINUX_FS_H */
+diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
+index f8acddcf54fb..7b109980327f 100644
+--- a/include/linux/fsnotify.h
++++ b/include/linux/fsnotify.h
+@@ -83,10 +83,14 @@ static inline void fsnotify_dentry(struct dentry *dentry, __u32 mask)
+ static inline int fsnotify_file(struct file *file, __u32 mask)
+ {
+ const struct path *path = &file->f_path;
++ struct inode *inode = file_inode(file);
+
+ if (file->f_mode & FMODE_NONOTIFY)
+ return 0;
+
++ if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))
++ return 0;
++
+ return fsnotify_parent(path->dentry, mask, path, FSNOTIFY_EVENT_PATH);
+ }
+
+diff --git a/kernel/capability.c b/kernel/capability.c
+index 7c59b096c98a..92525be26bce 100644
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -449,6 +449,12 @@ bool capable(int cap)
+ return ns_capable(&init_user_ns, cap);
+ }
+ EXPORT_SYMBOL(capable);
++
++bool capable_noaudit(int cap)
++{
++ return ns_capable_noaudit(&init_user_ns, cap);
++}
++EXPORT_SYMBOL(capable_noaudit);
+ #endif /* CONFIG_MULTIUSER */
+
+ /**
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index fccf24a08c8a..7fda9f61ea1a 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2272,6 +2272,15 @@ static struct ctl_table kern_table[] = {
+ .extra2 = &two,
+ },
+ #endif
++ {
++ .procname = "device_sidechannel_restrict",
++ .data = &device_sidechannel_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.29.2
+
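Review bot: The `fsnotify_file` suppression at `if (mask & (FS_ACCESS | FS_MODIFY) && is_sidechannel_device(inode))` has no `capable_noaudit(CAP_MKNOD)` exemption, unlike the two stat paths in the same patch, so a privileged monitor (inotify/fanotify run by root for auditing) also loses access/modify events on world-accessible device nodes; that asymmetry is probably deliberate, since a capability check here would run in the accessing task's context rather than the watcher's, but it deserves a comment saying so, e.g. `/* no CAP_MKNOD exemption: the watcher, not the accessor, is the party we cannot vet here */`. Kernel style also prefers parentheses around the bitwise test inside `&&`: `if ((mask & (FS_ACCESS | FS_MODIFY)) && is_sidechannel_device(inode))`. The new `kernel.device_sidechannel_restrict` sysctl is added without an entry in Documentation/admin-guide/sysctl/kernel.rst; a short description of what counts as a side-channel device (world-readable or world-writable char/block nodes, per `is_sidechannel_device`) would help administrators decide whether to keep the default of 1.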
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0087-add-toggle-for-disabling-newly-added-USB-devices.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0087-add-toggle-for-disabling-newly-added-USB-devices.patch
new file mode 100644
index 000000000000..33e849d0cfca
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0087-add-toggle-for-disabling-newly-added-USB-devices.patch
@@ -0,0 +1,92 @@
+From 848a75b6de753c0f52298fe868fc45e0dbd5a846 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Tue, 16 May 2017 17:51:48 -0400
+Subject: [PATCH 087/108] add toggle for disabling newly added USB devices
+
+Based on the public grsecurity patches.
+
+[thibaut.sautereau@ssi.gouv.fr: Adapt to sysctl code refactoring]
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ include/linux/usb.h | 3 +++
+ kernel/sysctl.c | 14 ++++++++++++++
+ 3 files changed, 26 insertions(+)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 5b768b80d1ee..3eaf85d1c6aa 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5040,6 +5040,9 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
++/* sysctl */
++int deny_new_usb __read_mostly = 0;
++
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+@@ -5100,6 +5103,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ goto done;
+ return;
+ }
++
++ if (deny_new_usb) {
++ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1);
++ goto done;
++ }
++
+ if (hub_is_superspeed(hub->hdev))
+ unit_load = 150;
+ else
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 20c555db4621..6a8de00d4293 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2026,6 +2026,9 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
++/* sysctl */
++extern int deny_new_usb;
++
+ #endif /* __KERNEL__ */
+
+ #endif
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 7fda9f61ea1a..9a7e590b8b28 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -106,6 +106,9 @@
+ #ifdef CONFIG_USER_NS
+ #include <linux/user_namespace.h>
+ #endif
++#if IS_ENABLED(CONFIG_USB)
++#include <linux/usb.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2281,6 +2284,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
++#if IS_ENABLED(CONFIG_USB)
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.29.2
+
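Review bot: `.data = &deny_new_usb` in the always-built-in kernel/sysctl.c takes the address of a variable defined in drivers/usb/core/hub.c, and the surrounding guard `#if IS_ENABLED(CONFIG_USB)` is also true for `CONFIG_USB=m`; when usbcore is built as a module that reference presumably cannot be resolved at vmlinux link time, unless something outside this hunk provides it. Either define the flag in built-in code (next to the sysctl) and have hub.c read it through the `extern`, or restrict the sysctl to built-in USB only. The denial path `dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1); goto done;` runs before enumeration, so only the port is known and the message is the sole trace an administrator gets; a comment stating that, and a rate-limited variant so a flapping port cannot flood the log, would be worth considering. `hub_port_connect` continues outside the hunk, so whether `done:` fully disables the port is not visible here.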
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0088-hard-wire-legacy-checkreqprot-option-to-0.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0088-hard-wire-legacy-checkreqprot-option-to-0.patch
new file mode 100644
index 000000000000..44a4fc595cbe
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0088-hard-wire-legacy-checkreqprot-option-to-0.patch
@@ -0,0 +1,133 @@
+From 9293420636638eaf971220a9ded74c7924f45e83 Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Sun, 25 Feb 2018 03:26:45 -0500
+Subject: [PATCH 088/108] hard-wire legacy checkreqprot option to 0
+
+The userspace API is left intact for compatibility.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ .../admin-guide/kernel-parameters.txt | 11 ---------
+ security/selinux/Kconfig | 23 -------------------
+ security/selinux/hooks.c | 16 +------------
+ security/selinux/selinuxfs.c | 12 +---------
+ 4 files changed, 2 insertions(+), 60 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 166cf32f1fc1..f4d76fadadca 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -518,17 +518,6 @@
+ nosocket -- Disable socket memory accounting.
+ nokmem -- Disable kernel memory accounting.
+
+- checkreqprot [SELINUX] Set initial checkreqprot flag value.
+- Format: { "0" | "1" }
+- See security/selinux/Kconfig help text.
+- 0 -- check protection applied by kernel (includes
+- any implied execute protection).
+- 1 -- check protection requested by application.
+- Default value is set via a kernel config option.
+- Value can be changed at runtime via
+- /sys/fs/selinux/checkreqprot.
+- Setting checkreqprot to 1 is deprecated.
+-
+ cio_ignore= [S390]
+ See Documentation/s390/common_io.rst for details.
+ clk_ignore_unused
+diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
+index 76d7ed11513c..ae851a826c26 100644
+--- a/security/selinux/Kconfig
++++ b/security/selinux/Kconfig
+@@ -70,29 +70,6 @@ config SECURITY_SELINUX_AVC_STATS
+ /sys/fs/selinux/avc/cache_stats, which may be monitored via
+ tools such as avcstat.
+
+-config SECURITY_SELINUX_CHECKREQPROT_VALUE
+- int "NSA SELinux checkreqprot default value"
+- depends on SECURITY_SELINUX
+- range 0 1
+- default 0
+- help
+- This option sets the default value for the 'checkreqprot' flag
+- that determines whether SELinux checks the protection requested
+- by the application or the protection that will be applied by the
+- kernel (including any implied execute for read-implies-exec) for
+- mmap and mprotect calls. If this option is set to 0 (zero),
+- SELinux will default to checking the protection that will be applied
+- by the kernel. If this option is set to 1 (one), SELinux will
+- default to checking the protection requested by the application.
+- The checkreqprot flag may be changed from the default via the
+- 'checkreqprot=' boot parameter. It may also be changed at runtime
+- via /sys/fs/selinux/checkreqprot if authorized by policy.
+-
+- WARNING: this option is deprecated and will be removed in a future
+- kernel release.
+-
+- If you are unsure how to answer this question, answer 0.
+-
+ config SECURITY_SELINUX_SIDTAB_HASH_BITS
+ int "NSA SELinux sidtab hashtable size"
+ depends on SECURITY_SELINUX
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index a340986aa92e..8a38f7bf5f9c 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -135,21 +135,7 @@ static int __init selinux_enabled_setup(char *str)
+ __setup("selinux=", selinux_enabled_setup);
+ #endif
+
+-static unsigned int selinux_checkreqprot_boot =
+- CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+-
+-static int __init checkreqprot_setup(char *str)
+-{
+- unsigned long checkreqprot;
+-
+- if (!kstrtoul(str, 0, &checkreqprot)) {
+- selinux_checkreqprot_boot = checkreqprot ? 1 : 0;
+- if (checkreqprot)
+- pr_warn("SELinux: checkreqprot set to 1 via kernel parameter. This is deprecated and will be rejected in a future kernel release.\n");
+- }
+- return 1;
+-}
+-__setup("checkreqprot=", checkreqprot_setup);
++static const unsigned int selinux_checkreqprot_boot;
+
+ /**
+ * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4781314c2510..7f068515d799 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -641,7 +641,6 @@ static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
+ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- struct selinux_fs_info *fsi = file_inode(file)->i_sb->s_fs_info;
+ char *page;
+ ssize_t length;
+ unsigned int new_value;
+@@ -665,18 +664,9 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
+ return PTR_ERR(page);
+
+ length = -EINVAL;
+- if (sscanf(page, "%u", &new_value) != 1)
++ if (sscanf(page, "%u", &new_value) != 1 || new_value)
+ goto out;
+
+- if (new_value) {
+- char comm[sizeof(current->comm)];
+-
+- memcpy(comm, current->comm, sizeof(comm));
+- pr_warn_once("SELinux: %s (%d) set checkreqprot to 1. This is deprecated and will be rejected in a future kernel release.\n",
+- comm, current->pid);
+- }
+-
+- fsi->state->checkreqprot = new_value ? 1 : 0;
+ length = count;
+ out:
+ kfree(page);
+--
+2.29.2
+
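Review bot: With `if (sscanf(page, "%u", &new_value) != 1 || new_value) goto out;` a write of "1" to /sys/fs/selinux/checkreqprot now fails with -EINVAL and without any log line, whereas the description says the userspace API is left intact; callers that previously succeeded (with a deprecation warning) will now see an error, which deserves a comment at that line, e.g. `/* checkreqprot is hard-wired to 0: only writes of 0 are accepted */`, and a sentence in the description. `sel_read_checkreqprot` (outside the hunk) presumably still reports `state->checkreqprot`, which the new `static const unsigned int selinux_checkreqprot_boot;` keeps at 0 — confirm there is no remaining writer. The kernel-parameters.txt and Kconfig removals drop every mention of the knob; a short note in the SELinux Kconfig help that checkreqprot is fixed at 0 would stop users searching for the removed option.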
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch
new file mode 100644
index 000000000000..1849bcbac874
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0089-security-tty-Add-owner-user-namespace-to-tty_struct.patch
@@ -0,0 +1,70 @@
+From d92de92dc47b20773b07a9494ed07d6ba79e1100 Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:37:59 -0400
+Subject: [PATCH 089/108] security: tty: Add owner user namespace to tty_struct
+
+This patch adds struct user_namespace *owner_user_ns to the tty_struct.
+Then it is set to current_user_ns() in the alloc_tty_struct function.
+
+This is done to facilitate capability checks against the original user
+namespace that allocated the tty.
+
+E.g. ns_capable(tty->owner_user_ns,CAP_SYS_ADMIN)
+
+This combined with the use of user namespace's will allow hardening
+protections to be built to mitigate container escapes that utilize TTY
+ioctls such as TIOCSTI.
+
+See: https://bugzilla.redhat.com/show_bug.cgi?id=1411256
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+---
+ drivers/tty/tty_io.c | 2 ++
+ include/linux/tty.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index ceed72c9a88f..0cefcc365f2c 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -174,6 +174,7 @@ static void free_tty_struct(struct tty_struct *tty)
+ put_device(tty->dev);
+ kfree(tty->write_buf);
+ tty->magic = 0xDEADDEAD;
++ put_user_ns(tty->owner_user_ns);
+ kfree(tty);
+ }
+
+@@ -3009,6 +3010,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx)
+ tty->index = idx;
+ tty_line_name(driver, idx, tty->name);
+ tty->dev = tty_get_device(tty);
++ tty->owner_user_ns = get_user_ns(current_user_ns());
+
+ return tty;
+ }
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a99e9b8e4e31..a880c38f7bbf 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -14,6 +14,7 @@
+ #include <uapi/linux/tty.h>
+ #include <linux/rwsem.h>
+ #include <linux/llist.h>
++#include <linux/user_namespace.h>
+
+
+ /*
+@@ -338,6 +339,7 @@ struct tty_struct {
+ /* If the tty has a pending do_SAK, queue it here - akpm */
+ struct work_struct SAK_work;
+ struct tty_port *port;
++ struct user_namespace *owner_user_ns;
+ } __randomize_layout;
+
+ /* Each of a tty's open files has private_data pointing to tty_file_private */
+--
+2.29.2
+
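Review bot: The `#include <linux/user_namespace.h>` added to include/linux/tty.h is heavier than the header needs: tty_struct only stores a pointer, and the get_user_ns()/put_user_ns() calls live in drivers/tty/tty_io.c. A forward declaration `struct user_namespace;` in tty.h, with the include placed in tty_io.c next to its users, would avoid pulling the namespace headers into a very widely included header. Separately, the reference taken in alloc_tty_struct is the namespace of the task that allocated the struct, which the following TIOCSTI patch describes as the namespace that "opened" the tty; a one-line comment on the new field, `/* user ns of the task that allocated this tty; target of ns_capable() checks */`, would pin that down for future readers.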
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
new file mode 100644
index 000000000000..52c0e4b938ff
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0090-security-tty-make-TIOCSTI-ioctl-require-CAP_SYS_ADMI.patch
@@ -0,0 +1,197 @@
+From e88d46849a39bacfdd3488a687d392c543bac7af Mon Sep 17 00:00:00 2001
+From: Matt Brown <matt@nmatt.com>
+Date: Mon, 29 May 2017 17:38:00 -0400
+Subject: [PATCH 090/108] security: tty: make TIOCSTI ioctl require
+ CAP_SYS_ADMIN
+
+This introduces the tiocsti_restrict sysctl, whose default is controlled
+via CONFIG_SECURITY_TIOCSTI_RESTRICT. When activated, this control
+restricts all TIOCSTI ioctl calls from non CAP_SYS_ADMIN users.
+
+This patch depends on patch 1/2
+
+This patch was inspired from GRKERNSEC_HARDEN_TTY.
+
+This patch would have prevented
+https://bugzilla.redhat.com/show_bug.cgi?id=1411256 under the following
+conditions:
+* non-privileged container
+* container run inside new user namespace
+
+Possible effects on userland:
+
+There could be a few user programs that would be effected by this
+change.
+See: <https://codesearch.debian.net/search?q=ioctl%5C%28.*TIOCSTI>
+notable programs are: agetty, csh, xemacs and tcsh
+
+However, I still believe that this change is worth it given that the
+Kconfig defaults to n. This will be a feature that is turned on for the
+same reason that people activate it when using grsecurity. Users of this
+opt-in feature will realize that they are choosing security over some OS
+features like unprivileged TIOCSTI ioctls, as should be clear in the
+Kconfig help message.
+
+Threat Model/Patch Rational:
+
+>From grsecurity's config for GRKERNSEC_HARDEN_TTY.
+
+ | There are very few legitimate uses for this functionality and it
+ | has made vulnerabilities in several 'su'-like programs possible in
+ | the past. Even without these vulnerabilities, it provides an
+ | attacker with an easy mechanism to move laterally among other
+ | processes within the same user's compromised session.
+
+So if one process within a tty session becomes compromised it can follow
+that additional processes, that are thought to be in different security
+boundaries, can be compromised as a result. When using a program like su
+or sudo, these additional processes could be in a tty session where TTY
+file descriptors are indeed shared over privilege boundaries.
+
+This is also an excellent writeup about the issue:
+<http://www.halfdog.net/Security/2012/TtyPushbackPrivilegeEscalation/>
+
+When user namespaces are in use, the check for the capability
+CAP_SYS_ADMIN is done against the user namespace that originally opened
+the tty.
+
+Acked-by: Serge Hallyn <serge@hallyn.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Matt Brown <matt@nmatt.com>
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/admin-guide/sysctl/kernel.rst | 20 ++++++++++++++++++++
+ drivers/tty/tty_io.c | 8 ++++++++
+ include/linux/tty.h | 2 ++
+ kernel/sysctl.c | 14 ++++++++++++++
+ security/Kconfig | 13 +++++++++++++
+ 5 files changed, 57 insertions(+)
+
+diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
+index 4c20e6ded0af..3cd263f8ac46 100644
+--- a/Documentation/admin-guide/sysctl/kernel.rst
++++ b/Documentation/admin-guide/sysctl/kernel.rst
+@@ -1385,6 +1385,26 @@ If a value outside of this range is written to ``threads-max`` an
+ ``EINVAL`` error occurs.
+
+
++tiocsti_restrict
++================
++
++This toggle indicates whether unprivileged users are prevented from using the
++``TIOCSTI`` ioctl to inject commands into other processes which share a tty
++session.
++
++= ============================================================================
++0 No restriction, except the default one of only being able to inject commands
++ into one's own tty.
++1 Users must have ``CAP_SYS_ADMIN`` to use the ``TIOCSTI`` ioctl.
++= ============================================================================
++
++When user namespaces are in use, the check for ``CAP_SYS_ADMIN`` is done
++against the user namespace that originally opened the tty.
++
++The kernel config option ``CONFIG_SECURITY_TIOCSTI_RESTRICT`` sets the default
++value of ``tiocsti_restrict``.
++
++
+ traceoff_on_warning
+ ===================
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 0cefcc365f2c..e0803cc56190 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2180,11 +2180,19 @@ static int tty_fasync(int fd, struct file *filp, int on)
+ * FIXME: may race normal receive processing
+ */
+
++int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT);
++
+ static int tiocsti(struct tty_struct *tty, char __user *p)
+ {
+ char ch, mbz = 0;
+ struct tty_ldisc *ld;
+
++ if (tiocsti_restrict &&
++ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) {
++ dev_warn_ratelimited(tty->dev,
++ "Denied TIOCSTI ioctl for non-privileged process\n");
++ return -EPERM;
++ }
+ if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ if (get_user(ch, p))
+diff --git a/include/linux/tty.h b/include/linux/tty.h
+index a880c38f7bbf..ee272abea5f9 100644
+--- a/include/linux/tty.h
++++ b/include/linux/tty.h
+@@ -349,6 +349,8 @@ struct tty_file_private {
+ struct list_head list;
+ };
+
++extern int tiocsti_restrict;
++
+ /* tty magic number */
+ #define TTY_MAGIC 0x5401
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 9a7e590b8b28..890322b0f82e 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -109,6 +109,9 @@
+ #if IS_ENABLED(CONFIG_USB)
+ #include <linux/usb.h>
+ #endif
++#if defined CONFIG_TTY
++#include <linux/tty.h>
++#endif
+
+ #if defined(CONFIG_SYSCTL)
+
+@@ -2274,6 +2277,17 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &two,
+ },
++#endif
++#if defined CONFIG_TTY
++ {
++ .procname = "tiocsti_restrict",
++ .data = &tiocsti_restrict,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ #endif
+ {
+ .procname = "device_sidechannel_restrict",
+diff --git a/security/Kconfig b/security/Kconfig
+index f3c995bd79cf..c8ea5a6ecce0 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -29,6 +29,19 @@ config SECURITY_PERF_EVENTS_RESTRICT
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
++config SECURITY_TIOCSTI_RESTRICT
++ bool "Restrict unprivileged use of tiocsti command injection"
++ default n
++ help
++ This enforces restrictions on unprivileged users injecting commands
++ into other processes which share a tty session using the TIOCSTI
++ ioctl. This option makes TIOCSTI use require CAP_SYS_ADMIN.
++
++ If this option is not selected, no restrictions will be enforced
++ unless the tiocsti_restrict sysctl is explicitly set to (1).
++
++ If you are unsure how to answer this question, answer N.
++
+ config SECURITY
+ bool "Enable different security models"
+ depends on SYSFS
+--
+2.29.2
+
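Review bot: The denial message added in tiocsti() gives an operator no way to tell which process was refused, and since the description itself lists legitimate programs that will trip this check (agetty, csh, tcsh), identifying the caller is what makes the event triageable rather than noise. Suggest `dev_warn_ratelimited(tty->dev, "Denied TIOCSTI ioctl for non-privileged process %s (%d)\n", current->comm, task_pid_nr(current));`. I have not confirmed that every tty type reaches this point with a non-NULL tty->dev; if any can lack one, pr_warn_ratelimited() with tty->name is the safer form.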
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
new file mode 100644
index 000000000000..2a38bd3fe71d
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0091-enable-SECURITY_TIOCSTI_RESTRICT-by-default.patch
@@ -0,0 +1,26 @@
+From 902a1b93aef1ae82a5048dfcb771b04b7f8c144e Mon Sep 17 00:00:00 2001
+From: Daniel Micay <danielmicay@gmail.com>
+Date: Wed, 3 May 2017 23:36:14 -0400
+Subject: [PATCH 091/108] enable SECURITY_TIOCSTI_RESTRICT by default
+
+Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+---
+ security/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig b/security/Kconfig
+index c8ea5a6ecce0..615205c0113b 100644
+--- a/security/Kconfig
++++ b/security/Kconfig
+@@ -31,7 +31,7 @@ config SECURITY_PERF_EVENTS_RESTRICT
+
+ config SECURITY_TIOCSTI_RESTRICT
+ bool "Restrict unprivileged use of tiocsti command injection"
+- default n
++ default y
+ help
+ This enforces restrictions on unprivileged users injecting commands
+ into other processes which share a tty session using the TIOCSTI
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0092-disable-unprivileged-eBPF-access-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0092-disable-unprivileged-eBPF-access-by-default.patch
new file mode 100644
index 000000000000..18e0a224bce9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0092-disable-unprivileged-eBPF-access-by-default.patch
@@ -0,0 +1,25 @@
+From 743f3fd14d89b0aa346cf398b8fce3ffb06b5890 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:07 +0200
+Subject: [PATCH 092/108] disable unprivileged eBPF access by default
+
+---
+ kernel/bpf/syscall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index b999e7ff2583..b56f552a0054 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -48,7 +48,7 @@ static DEFINE_SPINLOCK(map_idr_lock);
+ static DEFINE_IDR(link_idr);
+ static DEFINE_SPINLOCK(link_idr_lock);
+
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
+
+ static const struct bpf_map_ops * const bpf_map_types[] = {
+ #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
+--
+2.29.2
+
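Review bot: The patch carries no description, and its one-line change is the one most likely to surprise operators: in mainline the unprivileged_bpf_disabled sysctl is handled by bpf_unpriv_handler, which refuses to clear the value once set, so a built-in default of 1 cannot be undone at runtime and unprivileged users of the bpf(2) syscall (classic socket filters and seccomp are not affected) need a rebuilt kernel to get it back. A body stating that consequence and the intended way to opt out would help whoever carries this series forward; patches 0093, 0094, 0099 and 0100 also have empty descriptions. I have not verified the handler's one-way behaviour in this tree, so confirm it before wording the body that strongly.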
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0093-enable-BPF-JIT-hardening-by-default-if-available.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0093-enable-BPF-JIT-hardening-by-default-if-available.patch
new file mode 100644
index 000000000000..33a1045ae6c3
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0093-enable-BPF-JIT-hardening-by-default-if-available.patch
@@ -0,0 +1,25 @@
+From 7daa2f624dd7155b5df16e40b2a6440459d868ad Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 7 May 2018 20:37:55 +0200
+Subject: [PATCH 093/108] enable BPF JIT hardening by default (if available)
+
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index ed0b3578867c..d4a980962b95 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -520,7 +520,7 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
+ /* All BPF JIT sysctl knobs here. */
+ int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+ int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
+-int bpf_jit_harden __read_mostly;
++int bpf_jit_harden __read_mostly = 2;
+ long bpf_jit_limit __read_mostly;
+
+ static void
+--
+2.29.2
+
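Review bot: Setting bpf_jit_harden to 2 has a side effect the hunk does not mention: in mainline, bpf_jit_kallsyms_enabled() returns false whenever bpf_jit_harden is non-zero, so the `bpf_jit_kallsyms` default left in the context line above becomes moot and JIT-compiled programs no longer appear in /proc/kallsyms or perf output. That is a defensible trade for a hardened kernel, but it belongs in the (currently empty) commit body, together with the fact that 2 blinds constants for privileged loaders as well, not only unprivileged ones. Confirm against this tree's bpf_jit_kallsyms_enabled() before stating it.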
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0094-enable-protected_-fifos-regular-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0094-enable-protected_-fifos-regular-by-default.patch
new file mode 100644
index 000000000000..72520a5055c9
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0094-enable-protected_-fifos-regular-by-default.patch
@@ -0,0 +1,27 @@
+From c64a60adb1702290276e6beb95fda9d93de5f87d Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 4 Nov 2018 18:48:53 +0100
+Subject: [PATCH 094/108] enable protected_{fifos,regular} by default
+
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 85334a0092b0..9e75da665dc8 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -934,8 +934,8 @@ static inline void put_link(struct nameidata *nd)
+
+ int sysctl_protected_symlinks __read_mostly = 1;
+ int sysctl_protected_hardlinks __read_mostly = 1;
+-int sysctl_protected_fifos __read_mostly;
+-int sysctl_protected_regular __read_mostly;
++int sysctl_protected_fifos __read_mostly = 2;
++int sysctl_protected_regular __read_mostly = 2;
+
+ /**
+ * may_follow_link - Check symlink following for unsafe situations
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
new file mode 100644
index 000000000000..1c3824e7da1f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0095-Revert-mark-kernel_set_to_readonly-as-__ro_after_ini.patch
@@ -0,0 +1,70 @@
+From 81d0403431ab472b01ef42a4fcaea75ce5423b92 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 13 Jan 2019 21:42:45 +0100
+Subject: [PATCH 095/108] Revert "mark kernel_set_to_readonly as
+ __ro_after_init"
+
+ This commit causes CPA conflicts, cf.
+ https://github.com/anthraxx/linux-hardened/issues/4.
+
+ Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ arch/x86/mm/init_32.c | 5 +++--
+ arch/x86/mm/init_64.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
+index bda9596d7a9f..291b7b4476a9 100644
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -828,7 +828,7 @@ void arch_remove_memory(int nid, u64 start, u64 size,
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly __read_mostly;
+
+ static void mark_nxdata_nx(void)
+ {
+@@ -852,11 +852,12 @@ void mark_rodata_ro(void)
+ unsigned long start = PFN_ALIGN(_text);
+ unsigned long size = (unsigned long)__end_rodata - start;
+
+- kernel_set_to_readonly = 1;
+ set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
+ pr_info("Write protecting kernel text and read-only data: %luk\n",
+ size >> 10);
+
++ kernel_set_to_readonly = 1;
++
+ #ifdef CONFIG_CPA_DEBUG
+ pr_info("Testing CPA: Reverting %lx-%lx\n", start, start + size);
+ set_pages_rw(virt_to_page(start), size >> PAGE_SHIFT);
+diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
+index b5c5923d355d..59c7863e8317 100644
+--- a/arch/x86/mm/init_64.c
++++ b/arch/x86/mm/init_64.c
+@@ -1322,7 +1322,7 @@ int __init deferred_page_init_max_threads(const struct cpumask *node_cpumask)
+ }
+ #endif
+
+-int kernel_set_to_readonly __ro_after_init;
++int kernel_set_to_readonly;
+
+ void mark_rodata_ro(void)
+ {
+@@ -1335,9 +1335,10 @@ void mark_rodata_ro(void)
+
+ printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n",
+ (end - start) >> 10);
+- kernel_set_to_readonly = 1;
+ set_memory_ro(start, (end - start) >> PAGE_SHIFT);
+
++ kernel_set_to_readonly = 1;
++
+ /*
+ * The rodata/data/bss/brk section (but not the kernel text!)
+ * should also be not-executable.
+--
+2.29.2
+
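Review bot: The two reverted declarations end up inconsistent: arch/x86/mm/init_32.c now reads `int kernel_set_to_readonly __read_mostly;` while arch/x86/mm/init_64.c reads the bare `int kernel_set_to_readonly;`. A revert of one commit should restore both files to the same form; pick one and use it in both. Also, the commit body and the Signed-off-by line are indented by one space, so tooling that parses trailers will not recognise the sign-off; the lines from "This commit causes" through "Signed-off-by" should start at column 0.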
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
new file mode 100644
index 000000000000..7401884fe8b6
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0096-modpost-Add-CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_.patch
@@ -0,0 +1,129 @@
+From d64a9db7443f035f7e478f11d4cf0815ed2aac9f Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Mon, 6 May 2019 17:07:11 +0200
+Subject: [PATCH 096/108] modpost: Add
+ CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
+
+With 46c7dd56d541 ("modpost: always show verbose warning for section
+mismatch"), sec_mismatch_verbose was removed which would have printed
+errors for all writable function pointers during compilation if it
+hadn't been "#if 0"ed out for quite some time now.
+
+Let's introduce a new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE Kconfig
+option to cleanly control this linux-hardened functionality.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 3 +++
+ scripts/Makefile.modpost | 1 +
+ scripts/mod/modpost.c | 25 ++++++++++++++++---------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index fcc0e42f676f..e2f55be14737 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -376,6 +376,9 @@ config DEBUG_FORCE_FUNCTION_ALIGN_32B
+
+ It is mainly for debug and performance tuning use.
+
++config DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE
++ bool "Enable verbose reporting of writable function pointers"
++
+ #
+ # Select this config option from the architecture Kconfig, if it
+ # is preferred to always offer frame pointers as a config
+diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost
+index f54b6ac37ac2..e53b3057d4cb 100644
+--- a/scripts/Makefile.modpost
++++ b/scripts/Makefile.modpost
+@@ -47,6 +47,7 @@ MODPOST = scripts/mod/modpost \
+ $(if $(CONFIG_MODVERSIONS),-m) \
+ $(if $(CONFIG_MODULE_SRCVERSION_ALL),-a) \
+ $(if $(CONFIG_SECTION_MISMATCH_WARN_ONLY),,-E) \
++ $(if $(CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE),-f) \
+ $(if $(KBUILD_MODPOST_WARN),-w) \
+ -o $@
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 452f1078a333..ec9b3d8574ec 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -34,8 +34,9 @@ static int external_module = 0;
+ static int warn_unresolved = 0;
+ /* How a symbol is exported */
+ static int sec_mismatch_count = 0;
+-static int writable_fptr_count = 0;
+ static int sec_mismatch_fatal = 0;
++static int writable_fptr_count = 0;
++static int writable_fptr_verbose = 0;
+ /* ignore missing files */
+ static int ignore_missing_files;
+ /* If set to 1, only warn (instead of error) about missing ns imports */
+@@ -1466,10 +1467,13 @@ static void report_sec_mismatch(const char *modname,
+ char *prl_from;
+ char *prl_to;
+
+- if (mismatch->mismatch == DATA_TO_TEXT)
++ if (mismatch->mismatch == DATA_TO_TEXT) {
+ writable_fptr_count++;
+- else
++ if (!writable_fptr_verbose)
++ return;
++ } else {
+ sec_mismatch_count++;
++ }
+
+ get_pretty_name(from_is_func, &from, &from_p);
+ get_pretty_name(to_is_func, &to, &to_p);
+@@ -1592,12 +1596,10 @@ static void report_sec_mismatch(const char *modname,
+ "we should never get here.");
+ break;
+ case DATA_TO_TEXT:
+-#if 0
+ fprintf(stderr,
+ "The %s %s:%s references\n"
+ "the %s %s:%s%s\n",
+ from, fromsec, fromsym, to, tosec, tosym, to_p);
+-#endif
+ break;
+ }
+ fprintf(stderr, "\n");
+@@ -2578,7 +2580,7 @@ int main(int argc, char **argv)
+ struct dump_list *dump_read_start = NULL;
+ struct dump_list **dump_read_iter = &dump_read_start;
+
+- while ((opt = getopt(argc, argv, "ei:mnT:o:awENd:")) != -1) {
++ while ((opt = getopt(argc, argv, "ei:fmnT:o:awENd:")) != -1) {
+ switch (opt) {
+ case 'e':
+ external_module = 1;
+@@ -2589,6 +2591,9 @@ int main(int argc, char **argv)
+ (*dump_read_iter)->file = optarg;
+ dump_read_iter = &(*dump_read_iter)->next;
+ break;
++ case 'f':
++ writable_fptr_verbose = 1;
++ break;
+ case 'm':
+ modversions = 1;
+ break;
+@@ -2689,9 +2694,11 @@ int main(int argc, char **argv)
+ }
+
+ free(buf.p);
+- if (writable_fptr_count)
+- warn("modpost: Found %d writable function pointer(s).\n",
+- writable_fptr_count);
++ if (writable_fptr_count && !writable_fptr_verbose)
++ warn("modpost: Found %d writable function pointer%s.\n"
++ "To see full details build your kernel with:\n"
++ "'make CONFIG_DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE=y'\n",
++ writable_fptr_count, (writable_fptr_count == 1 ? "" : "s"));
+
+ return err;
+ }
+--
+2.29.2
+
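Review bot: The new DEBUG_WRITABLE_FUNCTION_POINTERS_VERBOSE entry in lib/Kconfig.debug has no `help` block, so a user who follows the hint printed by modpost into menuconfig learns nothing about what a "writable function pointer" report is. A short help text such as `help` / `Report each data-to-text reference modpost finds (a function pointer stored in a writable section) instead of printing only a count.` would close that loop. Note also that the summary in main() is now skipped entirely when verbose is on, so a verbose build gets the individual reports but no total; keeping the condition as `if (writable_fptr_count)` and leaving the hint in place costs nothing when verbose is already set.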
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0097-mm-Fix-extra_latent_entropy.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0097-mm-Fix-extra_latent_entropy.patch
new file mode 100644
index 000000000000..2025be17f7ed
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0097-mm-Fix-extra_latent_entropy.patch
@@ -0,0 +1,101 @@
+From ae9f5fd6e7211192d1151a8ee395ac08deb8fde6 Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Tue, 7 May 2019 11:46:21 +0200
+Subject: [PATCH 097/108] mm: Fix extra_latent_entropy
+
+Commit a9cd410a3d29 ("mm/page_alloc.c: memory hotplug: free pages as
+higher order") changed `static void __init __free_pages_boot_core()`
+into `void __free_pages_core()`, causing the following section mismatch
+warning at compile time:
+
+ WARNING: vmlinux.o(.text+0x180fe4): Section mismatch in reference from the function __free_pages_core() to the variable .meminit.data:extra_latent_entropy
+ The function __free_pages_core() references the variable __meminitdata extra_latent_entropy.
+ This is often because __free_pages_core lacks a __meminitdata annotation or the annotation of extra_latent_entropy is wrong.
+
+This commit is an attempt at fixing this issue. I'm not sure it's OK as
+we are accessing pages that are still managed by the bootmem allocator.
+The prefetching part is not an issue as it only affects struct pages.
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+---
+ mm/page_alloc.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index c7edc1cf5d09..5dfcf80fe597 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -1489,21 +1489,9 @@ static void __free_pages_ok(struct page *page, unsigned int order)
+ local_irq_restore(flags);
+ }
+
+-void __free_pages_core(struct page *page, unsigned int order)
++static void __init __gather_extra_latent_entropy(struct page *page,
++ unsigned int nr_pages)
+ {
+- unsigned int nr_pages = 1 << order;
+- struct page *p = page;
+- unsigned int loop;
+-
+- prefetchw(p);
+- for (loop = 0; loop < (nr_pages - 1); loop++, p++) {
+- prefetchw(p + 1);
+- __ClearPageReserved(p);
+- set_page_count(p, 0);
+- }
+- __ClearPageReserved(p);
+- set_page_count(p, 0);
+-
+ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
+ unsigned long hash = 0;
+ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
+@@ -1518,7 +1506,22 @@ void __free_pages_core(struct page *page, unsigned int order)
+ add_device_randomness((const void *)&hash, sizeof(hash));
+ #endif
+ }
++}
+
++void __free_pages_core(struct page *page, unsigned int order)
++{
++ unsigned int nr_pages = 1 << order;
++ struct page *p = page;
++ unsigned int loop;
++
++ prefetchw(p);
++ for (loop = 0; loop < (nr_pages - 1); loop++, p++) {
++ prefetchw(p + 1);
++ __ClearPageReserved(p);
++ set_page_count(p, 0);
++ }
++ __ClearPageReserved(p);
++ set_page_count(p, 0);
+ atomic_long_add(nr_pages, &page_zone(page)->managed_pages);
+ set_page_refcounted(page);
+ __free_pages(page, order);
+@@ -1573,6 +1576,7 @@ void __init memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ if (early_page_uninitialised(pfn))
+ return;
++ __gather_extra_latent_entropy(page, 1 << order);
+ __free_pages_core(page, order);
+ }
+
+@@ -1664,6 +1668,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ if (nr_pages == pageblock_nr_pages &&
+ (pfn & (pageblock_nr_pages - 1)) == 0) {
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1 << pageblock_order);
+ __free_pages_core(page, pageblock_order);
+ return;
+ }
+@@ -1671,6 +1676,7 @@ static void __init deferred_free_range(unsigned long pfn,
+ for (i = 0; i < nr_pages; i++, page++, pfn++) {
+ if ((pfn & (pageblock_nr_pages - 1)) == 0)
+ set_pageblock_migratetype(page, MIGRATE_MOVABLE);
++ __gather_extra_latent_entropy(page, 1);
+ __free_pages_core(page, 0);
+ }
+ }
+--
+2.29.2
+
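Review bot: The split leaves three call sites in mm/page_alloc.c (memblock_free_pages and both loops in deferred_free_range) that must each remember to call __gather_extra_latent_entropy() immediately before __free_pages_core() with a matching page count; a later boot-time caller that forgets the pair will silently stop contributing entropy. A small __init wrapper that binds the two together makes the invariant structural rather than conventional, and the doubt voiced in the commit body about reading pages still owned by the bootmem allocator deserves a comment on the helper rather than only in the log. The `page_to_pfn(page) < 0x100000` bound is now an unexplained constant inside a new function; a comment stating its intent would help.

```c
/*
 * Mix the contents of the pages into the entropy pool, then hand them to the
 * buddy allocator.  Boot-time callers should use this rather than calling
 * __free_pages_core() directly, otherwise the pages are not sampled.
 */
static void __init __free_pages_core_with_entropy(struct page *page,
						    unsigned int order)
{
	__gather_extra_latent_entropy(page, 1 << order);
	__free_pages_core(page, order);
}

/* … unchanged: memblock_free_pages / deferred_free_range, with each adjacent
 * gather + __free_pages_core pair replaced by __free_pages_core_with_entropy() … */
```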
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0098-add-CONFIG-for-unprivileged_userns_clone.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0098-add-CONFIG-for-unprivileged_userns_clone.patch
new file mode 100644
index 000000000000..1cd1d2ce26e4
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0098-add-CONFIG-for-unprivileged_userns_clone.patch
@@ -0,0 +1,66 @@
+From 91a0f99337b611279f2aebfb8bb63aeefe26a2c6 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 31 Jul 2019 20:50:48 +0100
+Subject: [PATCH 098/108] add CONFIG for unprivileged_userns_clone
+
+When disabled, unprivileged users will not be able to create
+new namespaces. Allowing users to create their own namespaces
+has been part of several recent local privilege escalation
+exploits, so if you need user namespaces but are
+paranoid^Wsecurity-conscious you want to disable this.
+
+By default unprivileged user namespaces are disabled.
+
+Authored-by: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+Edited-by: Levente Polyak (anthraxx) <levente@leventepolyak.net>
+---
+ init/Kconfig | 16 ++++++++++++++++
+ kernel/user_namespace.c | 4 ++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 7902a8106ddf..1e078c249ad5 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1170,6 +1170,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ depends on USER_NS
++ default n
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say N.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 2fd16493231b..66b5afb0d0ee 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -22,7 +22,11 @@
+ #include <linux/sort.h>
+
+ /* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+ int unprivileged_userns_clone;
++#endif
+
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+--
+2.29.2
+
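Review bot: The Kconfig help text for USER_NS_UNPRIVILEGED explains the threat but not the cost: with the option at n (the default) any software that relies on unprivileged user namespaces for sandboxing fails until the kernel.unprivileged_userns_clone sysctl is raised, and the help text is where an administrator building this kernel will look for that. Suggest a sentence after the sysctl reference: `Note that unprivileged sandboxing tools and rootless container runtimes depend on this; disable it only where the sysctl will be set for the hosts that need them.` The `paranoid^Wsecurity-conscious` aside reads fine in a commit log but is out of place in help text shown to users; plain `security-conscious` would do. Whether the sysctl named here exists in this tree depends on an earlier patch in the series that is not visible.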
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..ffdeb06e6e6f
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0099-enable-INIT_ON_ALLOC_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From d7a0ef3c0fc78b35f83a5f3313d37f2df829c55b Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:02:23 +0200
+Subject: [PATCH 099/108] enable INIT_ON_ALLOC_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index a718487ad717..7e3fe39ed6a4 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -190,6 +190,7 @@ config STACKLEAK_RUNTIME_DISABLE
+
+ config INIT_ON_ALLOC_DEFAULT_ON
+ bool "Enable heap memory zeroing on allocation by default"
++ default yes
+ help
+ This has the effect of setting "init_on_alloc=1" on the kernel
+ command line. This can be disabled with "init_on_alloc=0".
+--
+2.29.2
+
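Review bot: `default yes` in the INIT_ON_ALLOC_DEFAULT_ON entry is, as far as I can tell, not a valid Kconfig default: the literals Kconfig understands are `y`, `m` and `n`, and an unquoted `yes` is parsed as a reference to a (nonexistent) symbol named yes, which evaluates to n. The option would then stay off in a fresh defconfig despite the subject line; the line should read `default y`. Patch 0100 (INIT_ON_FREE_DEFAULT_ON) has the same line. Worth confirming with `make olddefconfig` on this tree that the option actually comes out enabled before trusting the default.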
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
new file mode 100644
index 000000000000..1102fd92b16b
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0100-enable-INIT_ON_FREE_DEFAULT_ON-by-default.patch
@@ -0,0 +1,24 @@
+From 392418f3836e3c62d77c73e6f440dffd8a6011fe Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Thu, 19 Sep 2019 19:03:01 +0200
+Subject: [PATCH 100/108] enable INIT_ON_FREE_DEFAULT_ON by default
+
+---
+ security/Kconfig.hardening | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 7e3fe39ed6a4..7dede18f1074 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -203,6 +203,7 @@ config INIT_ON_ALLOC_DEFAULT_ON
+
+ config INIT_ON_FREE_DEFAULT_ON
+ bool "Enable heap memory zeroing on free by default"
++ default yes
+ help
+ This has the effect of setting "init_on_free=1" on the kernel
+ command line. This can be disabled with "init_on_free=0".
+--
+2.29.2
+
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0101-add-CONFIG-for-unprivileged_userfaultfd.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0101-add-CONFIG-for-unprivileged_userfaultfd.patch
new file mode 100644
index 000000000000..007c4f8b0177
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0101-add-CONFIG-for-unprivileged_userfaultfd.patch
@@ -0,0 +1,68 @@
+From ec9bd0d03ac6c5d7e7c8350abedd9ab86f69f0eb Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Wed, 2 Oct 2019 01:22:17 +0200
+Subject: [PATCH 101/108] add CONFIG for unprivileged_userfaultfd
+
+When disabled, unprivileged users will not be able to use the userfaultfd
+syscall. Userfaultfd provide attackers with a way to stall a kernel
+thread in the middle of memory accesses from userspace by initiating an
+access on an unmapped page. To avoid various heap grooming and heap
+spraying techniques for exploiting use-after-free flaws this should be
+disabled by default.
+
+This setting can be overridden at runtime via the
+vm.unprivileged_userfaultfd sysctl.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ fs/userfaultfd.c | 4 ++++
+ init/Kconfig | 17 +++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 0e4a3837da52..a06229d1f8bd 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -28,7 +28,11 @@
+ #include <linux/security.h>
+ #include <linux/hugetlb.h>
+
++#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
+ int sysctl_unprivileged_userfaultfd __read_mostly = 1;
++#else
++int sysctl_unprivileged_userfaultfd __read_mostly;
++#endif
+
+ static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 1e078c249ad5..d48785ebe7ad 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1734,6 +1734,23 @@ config USERFAULTFD
+ Enable the userfaultfd() system call that allows to intercept and
+ handle page faults in userland.
+
++config USERFAULTFD_UNPRIVILEGED
++ bool "Allow unprivileged users to use the userfaultfd syscall"
++ depends on USERFAULTFD
++ default n
++ help
++ When disabled, unprivileged users will not be able to use the userfaultfd
++ syscall. Userfaultfd provide attackers with a way to stall a kernel
++ thread in the middle of memory accesses from userspace by initiating an
++ access on an unmapped page. To avoid various heap grooming and heap
++ spraying techniques for exploiting use-after-free flaws this should be
++ disabled by default.
++
++ This setting can be overridden at runtime via the
++ vm.unprivileged_userfaultfd sysctl.
++
++ If unsure, say N.
++
+ config ARCH_HAS_MEMBARRIER_CALLBACKS
+ bool
+
+--
+2.29.2
+
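Review bot: The Kconfig help and commit message say unprivileged users lose the syscall when this is off, but neither names what privilege is then required (presumably the existing CAP_SYS_PTRACE check in fs/userfaultfd.c, not visible in this hunk) nor which common workloads are affected; CRIU and QEMU post-copy live migration use userfaultfd from unprivileged processes and will fail with the default `n`. I would add to the help text: `Known unprivileged users of userfaultfd include CRIU and QEMU post-copy migration; hosts running those need vm.unprivileged_userfaultfd=1 or the relevant capability.` Separately, `Userfaultfd provide attackers` should be `Userfaultfd provides attackers` in both the help text and the commit message.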
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
new file mode 100644
index 000000000000..ea98270d4446
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0102-slub-Extend-init_on_alloc-to-slab-caches-with-constr.patch
@@ -0,0 +1,81 @@
+From aa0cb5df59fed2710917522a7504af526812f11f Mon Sep 17 00:00:00 2001
+From: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Date: Fri, 29 Nov 2019 16:27:14 +0100
+Subject: [PATCH 102/108] slub: Extend init_on_alloc to slab caches with
+ constructors
+
+Signed-off-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ mm/slab.h | 2 ++
+ mm/slub.c | 23 ++++++++++++++++++-----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/mm/slab.h b/mm/slab.h
+index af30573d6ce6..91f6312e6ca1 100644
+--- a/mm/slab.h
++++ b/mm/slab.h
+@@ -626,8 +626,10 @@ static inline void cache_random_seq_destroy(struct kmem_cache *cachep) { }
+ static inline bool slab_want_init_on_alloc(gfp_t flags, struct kmem_cache *c)
+ {
+ if (static_branch_unlikely(&init_on_alloc)) {
++#ifndef CONFIG_SLUB
+ if (c->ctor)
+ return false;
++#endif
+ if (c->flags & (SLAB_TYPESAFE_BY_RCU | SLAB_POISON))
+ return flags & __GFP_ZERO;
+ return true;
+diff --git a/mm/slub.c b/mm/slub.c
+index c6c6685b6f81..3d9e980794a2 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1635,9 +1635,10 @@ static inline bool slab_free_freelist_hook(struct kmem_cache *s,
+ * need to show a valid freepointer to check_object().
+ *
+ * Note that doing this for all caches (not just ctor
+- * ones, which have s->offset != NULL)) causes a GPF,
+- * due to KASAN poisoning and the way set_freepointer()
+- * eventually dereferences the freepointer.
++ * ones, which have s->offset >= object_size)) causes a
++ * GPF, due to KASAN poisoning and the way
++ * set_freepointer() eventually dereferences the
++ * freepointer.
+ */
+ set_freepointer(s, object, NULL);
+ }
+@@ -2952,8 +2953,14 @@ static __always_inline void *slab_alloc_node(struct kmem_cache *s,
+ if (s->ctor)
+ s->ctor(object);
+ kasan_poison_object_data(s, object);
+- } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
++ } else if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object) {
+ memset(object, 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, object);
++ s->ctor(object);
++ kasan_poison_object_data(s, object);
++ }
++ }
+
+ if (object) {
+ check_canary(s, object, s->random_inactive);
+@@ -3412,8 +3419,14 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ } else if (unlikely(slab_want_init_on_alloc(flags, s))) {
+ int j;
+
+- for (j = 0; j < i; j++)
++ for (j = 0; j < i; j++) {
+ memset(p[j], 0, s->object_size);
++ if (s->ctor) {
++ kasan_unpoison_object_data(s, p[j]);
++ s->ctor(p[j]);
++ kasan_poison_object_data(s, p[j]);
++ }
++ }
+ }
+
+ for (k = 0; k < i; k++) {
+--
+2.29.2
+
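Review bot: The `#ifndef CONFIG_SLUB` guard added to `slab_want_init_on_alloc()` carries the whole safety argument of this change yet has no comment, and the commit message is empty; the only justification visible is the updated mm/slub.c comment that ctor caches have `s->offset >= object_size`, i.e. the freelist pointer lies outside the zeroed range, while SLAB and SLOB keep the old ctor exclusion. I would put above the guard: `/* SLUB places the freelist pointer past object_size for ctor caches, so an object can be zeroed and re-constructed on allocation; SLAB/SLOB are not adapted and still skip ctor caches. */` It is also worth stating in the commit message that, as I read it, ctor caches now pay a memset plus a constructor run on every init_on_alloc allocation rather than only at slab creation.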
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
new file mode 100644
index 000000000000..079f14d7a2a1
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0103-net-tcp-add-option-to-disable-TCP-simultaneous-conne.patch
@@ -0,0 +1,151 @@
+From 027c88ebd6396f5832e4a6efb1d354007835963f Mon Sep 17 00:00:00 2001
+From: madaidan <50278627+madaidan@users.noreply.github.com>
+Date: Sun, 9 Feb 2020 00:03:41 +0000
+Subject: [PATCH 103/108] net: tcp: add option to disable TCP simultaneous
+ connect
+
+This is modified from Brad Spengler/PaX Team's code in the last public
+patch of grsecurity/PaX based on my understanding of the code. Changes
+or omissions from the original code are mine and don't reflect the
+original grsecurity/PaX code.
+
+TCP simultaneous connect adds a weakness in Linux's implementation of
+TCP that allows two clients to connect to each other without either
+entering a listening state. The weakness allows an attacker to easily
+prevent a client from connecting to a known server provided the source
+port for the connection is guessed correctly.
+
+As the weakness could be used to prevent an antivirus or IPS from
+fetching updates, or prevent an SSL gateway from fetching a CRL, it
+should be eliminated.
+
+This creates a net.ipv4.tcp_simult_connect sysctl that when disabled,
+disables TCP simultaneous connect.
+
+Reviewd-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>
+Reviewd-by: Levente Polyak <levente@leventepolyak.net>
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ Documentation/networking/ip-sysctl.rst | 18 ++++++++++++++++++
+ include/net/tcp.h | 1 +
+ net/ipv4/Kconfig | 23 +++++++++++++++++++++++
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ net/ipv4/tcp_input.c | 3 ++-
+ 5 files changed, 53 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 25e6673a085a..76f1892d65ed 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -665,6 +665,24 @@ tcp_comp_sack_nr - INTEGER
+
+ Default : 44
+
++tcp_simult_connect - BOOLEAN
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an attacker
++ to easily prevent a client from connecting to a known server provided the
++ source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from fetching
++ updates, or prevent an SSL gateway from fetching a CRL, it should be
++ eliminated by disabling this option. Though Linux is one of few operating
++ systems supporting simultaneous connect, it has no legitimate use in
++ practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications for
++ NAT traversal.
++
++ Default: Value of CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON
++
+ tcp_slow_start_after_idle - BOOLEAN
+ If set, provide RFC2861 behavior and time out the congestion
+ window after an idle period. An idle period is defined at
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index eab6c7510b5b..d54517819eed 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -245,6 +245,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ /* sysctl variables for tcp */
+ extern int sysctl_tcp_max_orphans;
+ extern long sysctl_tcp_mem[3];
++extern int sysctl_tcp_simult_connect;
+
+ #define TCP_RACK_LOSS_DETECTION 0x1 /* Use RACK to detect losses */
+ #define TCP_RACK_STATIC_REO_WND 0x2 /* Use static RACK reo wnd */
+diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
+index 989e005bf698..d1584b4b39f9 100644
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -743,3 +743,26 @@ config TCP_MD5SIG
+ on the Internet.
+
+ If unsure, say N.
++
++config TCP_SIMULT_CONNECT_DEFAULT_ON
++ bool "Enable TCP simultaneous connect"
++ help
++ Enable TCP simultaneous connect that adds a weakness in Linux's strict
++ implementation of TCP that allows two clients to connect to each other
++ without either entering a listening state. The weakness allows an
++ attacker to easily prevent a client from connecting to a known server
++ provided the source port for the connection is guessed correctly.
++
++ As the weakness could be used to prevent an antivirus or IPS from
++ fetching updates, or prevent an SSL gateway from fetching a CRL, it
++ should be eliminated by disabling this option. Though Linux is one of
++ few operating systems supporting simultaneous connect, it has no
++ legitimate use in practice and is rarely supported by firewalls.
++
++ Disabling this may break TCP STUNT which is used by some applications
++ for NAT traversal.
++
++ This setting can be overridden at runtime via the
++ net.ipv4.tcp_simult_connect sysctl.
++
++ If unsure, say N.
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 54023a46db04..e2fdd15b23f2 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -588,6 +588,15 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_do_static_key,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
+ { }
+ };
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 9e14bf4fa38f..f14a3ac7f76e 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -82,6 +82,7 @@
+ #include <net/mptcp.h>
+
+ int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
++int sysctl_tcp_simult_connect __read_mostly = IS_ENABLED(CONFIG_TCP_SIMULT_CONNECT_DEFAULT_ON);
+
+ #define FLAG_DATA 0x01 /* Incoming frame contained data. */
+ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
+@@ -6131,7 +6132,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
+--
+2.29.2
+
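Review bot: `sysctl_tcp_simult_connect` is a single global read from `tcp_rcv_synsent_state_process()` and registered in `ipv4_table`, so, as I read it, the knob is system-wide and only visible in the initial network namespace, unlike the tcp_* sysctls that live in `struct netns_ipv4`; a container cannot opt back in for NAT traversal on its own, and a host-wide `0` silently discards crossed SYNs in every namespace. That is a defensible hardening choice, but it should be stated in both the Kconfig help and ip-sysctl.rst, e.g. `This sysctl is global and applies to all network namespaces.` If per-namespace control is wanted, the field belongs in `struct netns_ipv4` with the entry in `ipv4_net_table`, which is a larger change than this patch.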
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
new file mode 100644
index 000000000000..f046fb628389
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0104-kconfig-select-DEBUG_FS_ALLOW_NONE-by-default-if-DEB.patch
@@ -0,0 +1,27 @@
+From 4fd1d74b382fcaf37baa979d2dde7bb6710c22e9 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 27 Sep 2020 00:43:48 +0200
+Subject: [PATCH 104/108] kconfig: select DEBUG_FS_ALLOW_NONE by default if
+ DEBUG_FS is enabled
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ lib/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index e2f55be14737..c52b9ad0ef59 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -493,7 +493,7 @@ config DEBUG_FS
+ choice
+ prompt "Debugfs default access"
+ depends on DEBUG_FS
+- default DEBUG_FS_ALLOW_ALL
++ default DEBUG_FS_ALLOW_NONE
+ help
+ This selects the default access restrictions for debugfs.
+ It can be overridden with kernel command line option
+--
+2.29.2
+
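Review bot: Flipping the choice default to `DEBUG_FS_ALLOW_NONE` means a kernel built with `CONFIG_DEBUG_FS=y` from a config refreshed via olddefconfig will no longer permit debugfs access unless the `debugfs=` command-line override the help text goes on to name is used, which breaks tooling that still expects /sys/kernel/debug to be mountable (some perf, bpf and driver-debugging workflows). The one-line commit message should say so and point at the override, e.g. `Tools that need debugfs must boot with debugfs=on or select DEBUG_FS_ALLOW_ALL.`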
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch
new file mode 100644
index 000000000000..8b5cb4d2cd9c
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0105-dccp-ccid-move-timers-to-struct-dccp_sock.patch
@@ -0,0 +1,238 @@
+From 846f85cc271bfd0d6aaa94b5d27a0f74bfb66c3c Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:48 +0200
+Subject: [PATCH 105/108] dccp: ccid: move timers to struct dccp_sock
+
+When dccps_hc_tx_ccid is freed, ccid timers may still trigger. The reason
+del_timer_sync can't be used is because this relies on keeping a reference
+to struct sock. But as we keep a pointer to dccps_hc_tx_ccid and free that
+during disconnect, the timer should really belong to struct dccp_sock.
+
+This addresses CVE-2020-16119.
+
+Fixes: 839a6094140a (net: dccp: Convert timers to use timer_setup())
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ include/linux/dccp.h | 2 ++
+ net/dccp/ccids/ccid2.c | 32 +++++++++++++++++++-------------
+ net/dccp/ccids/ccid3.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/dccp.h b/include/linux/dccp.h
+index 07e547c02fd8..504afa1a4be6 100644
+--- a/include/linux/dccp.h
++++ b/include/linux/dccp.h
+@@ -259,6 +259,7 @@ struct dccp_ackvec;
+ * @dccps_sync_scheduled - flag which signals "send out-of-band message soon"
+ * @dccps_xmitlet - tasklet scheduled by the TX CCID to dequeue data packets
+ * @dccps_xmit_timer - used by the TX CCID to delay sending (rate-based pacing)
++ * @dccps_ccid_timer - used by the CCIDs
+ * @dccps_syn_rtt - RTT sample from Request/Response exchange (in usecs)
+ */
+ struct dccp_sock {
+@@ -303,6 +304,7 @@ struct dccp_sock {
+ __u8 dccps_sync_scheduled:1;
+ struct tasklet_struct dccps_xmitlet;
+ struct timer_list dccps_xmit_timer;
++ struct timer_list dccps_ccid_timer;
+ };
+
+ static inline struct dccp_sock *dccp_sk(const struct sock *sk)
+diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
+index 3da1f77bd039..dbca1f1e2449 100644
+--- a/net/dccp/ccids/ccid2.c
++++ b/net/dccp/ccids/ccid2.c
+@@ -126,21 +126,26 @@ static void dccp_tasklet_schedule(struct sock *sk)
+
+ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ {
+- struct ccid2_hc_tx_sock *hc = from_timer(hc, t, tx_rtotimer);
+- struct sock *sk = hc->sk;
+- const bool sender_was_blocked = ccid2_cwnd_network_limited(hc);
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct sock *sk = (struct sock *)dp;
++ struct ccid2_hc_tx_sock *hc;
++ bool sender_was_blocked;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++ sender_was_blocked = ccid2_cwnd_network_limited(hc);
++
+ if (sock_owned_by_user(sk)) {
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + HZ / 5);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + HZ / 5);
+ goto out;
+ }
+
+ ccid2_pr_debug("RTO_EXPIRE\n");
+
+- if (sk->sk_state == DCCP_CLOSED)
+- goto out;
+-
+ /* back-off timer */
+ hc->tx_rto <<= 1;
+ if (hc->tx_rto > DCCP_RTO_MAX)
+@@ -166,7 +171,7 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t)
+ if (sender_was_blocked)
+ dccp_tasklet_schedule(sk);
+ /* restart backed-off timer */
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -330,7 +335,7 @@ static void ccid2_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ }
+ #endif
+
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+
+ #ifdef CONFIG_IP_DCCP_CCID2_DEBUG
+ do {
+@@ -700,9 +705,9 @@ static void ccid2_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+
+ /* restart RTO timer if not all outstanding data has been acked */
+ if (hc->tx_pipe == 0)
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ else
+- sk_reset_timer(sk, &hc->tx_rtotimer, jiffies + hc->tx_rto);
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, jiffies + hc->tx_rto);
+ done:
+ /* check if incoming Acks allow pending packets to be sent */
+ if (sender_was_blocked && !ccid2_cwnd_network_limited(hc))
+@@ -737,17 +742,18 @@ static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ hc->tx_last_cong = hc->tx_lsndtime = hc->tx_cwnd_stamp = ccid2_jiffies32;
+ hc->tx_cwnd_used = 0;
+ hc->sk = sk;
+- timer_setup(&hc->tx_rtotimer, ccid2_hc_tx_rto_expire, 0);
++ timer_setup(&dp->dccps_ccid_timer, ccid2_hc_tx_rto_expire, 0);
+ INIT_LIST_HEAD(&hc->tx_av_chunks);
+ return 0;
+ }
+
+ static void ccid2_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid2_hc_tx_sock *hc = ccid2_hc_tx_sk(sk);
+ int i;
+
+- sk_stop_timer(sk, &hc->tx_rtotimer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ for (i = 0; i < hc->tx_seqbufc; i++)
+ kfree(hc->tx_seqbuf[i]);
+diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
+index b9ee1a4a8955..685f4d046c0d 100644
+--- a/net/dccp/ccids/ccid3.c
++++ b/net/dccp/ccids/ccid3.c
+@@ -184,17 +184,24 @@ static inline void ccid3_hc_tx_update_win_count(struct ccid3_hc_tx_sock *hc,
+
+ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ {
+- struct ccid3_hc_tx_sock *hc = from_timer(hc, t, tx_no_feedback_timer);
+- struct sock *sk = hc->sk;
++ struct dccp_sock *dp = from_timer(dp, t, dccps_ccid_timer);
++ struct ccid3_hc_tx_sock *hc;
++ struct sock *sk = (struct sock *)dp;
+ unsigned long t_nfb = USEC_PER_SEC / 5;
+
+ bh_lock_sock(sk);
++
++ if (inet_sk_state_load(sk) == DCCP_CLOSED)
++ goto out;
++
+ if (sock_owned_by_user(sk)) {
+ /* Try again later. */
+ /* XXX: set some sensible MIB */
+ goto restart_timer;
+ }
+
++ hc = ccid_priv(dp->dccps_hc_tx_ccid);
++
+ ccid3_pr_debug("%s(%p, state=%s) - entry\n", dccp_role(sk), sk,
+ ccid3_tx_state_name(hc->tx_state));
+
+@@ -250,8 +257,8 @@ static void ccid3_hc_tx_no_feedback_timer(struct timer_list *t)
+ t_nfb = max(hc->tx_t_rto, 2 * hc->tx_t_ipi);
+
+ restart_timer:
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+@@ -280,7 +287,7 @@ static int ccid3_hc_tx_send_packet(struct sock *sk, struct sk_buff *skb)
+ return -EBADMSG;
+
+ if (hc->tx_state == TFRC_SSTATE_NO_SENT) {
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer, (jiffies +
++ sk_reset_timer(sk, &dp->dccps_ccid_timer, (jiffies +
+ usecs_to_jiffies(TFRC_INITIAL_TIMEOUT)));
+ hc->tx_last_win_count = 0;
+ hc->tx_t_last_win_count = now;
+@@ -354,6 +361,7 @@ static void ccid3_hc_tx_packet_sent(struct sock *sk, unsigned int len)
+ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ {
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct tfrc_tx_hist_entry *acked;
+ ktime_t now;
+ unsigned long t_nfb;
+@@ -420,7 +428,7 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ (unsigned int)(hc->tx_x >> 6));
+
+ /* unschedule no feedback timer */
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+
+ /*
+ * As we have calculated new ipi, delta, t_nom it is possible
+@@ -445,8 +453,8 @@ static void ccid3_hc_tx_packet_recv(struct sock *sk, struct sk_buff *skb)
+ "expire in %lu jiffies (%luus)\n",
+ dccp_role(sk), sk, usecs_to_jiffies(t_nfb), t_nfb);
+
+- sk_reset_timer(sk, &hc->tx_no_feedback_timer,
+- jiffies + usecs_to_jiffies(t_nfb));
++ sk_reset_timer(sk, &dp->dccps_ccid_timer,
++ jiffies + usecs_to_jiffies(t_nfb));
+ }
+
+ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+@@ -488,21 +496,23 @@ static int ccid3_hc_tx_parse_options(struct sock *sk, u8 packet_type,
+
+ static int ccid3_hc_tx_init(struct ccid *ccid, struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid_priv(ccid);
+
+ hc->tx_state = TFRC_SSTATE_NO_SENT;
+ hc->tx_hist = NULL;
+ hc->sk = sk;
+- timer_setup(&hc->tx_no_feedback_timer,
++ timer_setup(&dp->dccps_ccid_timer,
+ ccid3_hc_tx_no_feedback_timer, 0);
+ return 0;
+ }
+
+ static void ccid3_hc_tx_exit(struct sock *sk)
+ {
++ struct dccp_sock *dp = dccp_sk(sk);
+ struct ccid3_hc_tx_sock *hc = ccid3_hc_tx_sk(sk);
+
+- sk_stop_timer(sk, &hc->tx_no_feedback_timer);
++ sk_stop_timer(sk, &dp->dccps_ccid_timer);
+ tfrc_tx_hist_purge(&hc->tx_hist);
+ }
+
+--
+2.29.2
+
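Review bot: The new `inet_sk_state_load(sk) == DCCP_CLOSED` check in `ccid2_hc_tx_rto_expire()` and `ccid3_hc_tx_no_feedback_timer()` is the only thing standing between the timer callback and a NULL or freed `dp->dccps_hc_tx_ccid` once disconnect frees the TX CCID (the companion revert), yet it carries no comment, so a later cleanup that moves it back below the `ccid_priv()` lookup would silently reintroduce the use-after-free. I would add above each check: `/* Must precede the dccps_hc_tx_ccid lookup: disconnect marks the socket DCCP_CLOSED under the socket lock before the TX CCID is freed. */` — assuming dccp_disconnect() does set DCCP_CLOSED before `ccid_hc_tx_delete()`, which is outside this hunk. As far as I recall `sk_stop_timer()` is `del_timer()`, not `del_timer_sync()`, so this check is also what covers a callback already spinning on `bh_lock_sock()` when the `*_hc_tx_exit()` paths run; that reasoning belongs in the commit message.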
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
new file mode 100644
index 000000000000..11f7672bda7a
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0106-Revert-dccp-don-t-free-ccid2_hc_tx_sock-struct-in-dc.patch
@@ -0,0 +1,40 @@
+From edf23432f334176011f33d339a7bb973c55a2f4c Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Oct 2020 19:18:49 +0200
+Subject: [PATCH 106/108] Revert "dccp: don't free ccid2_hc_tx_sock struct in
+ dccp_disconnect()"
+
+This reverts commit 2677d20677314101293e6da0094ede7b5526d2b1.
+
+This fixes an issue that after disconnect, dccps_hc_tx_ccid will still be
+kept, allowing the socket to be reused as a listener socket, and the cloned
+socket will free its dccps_hc_tx_ccid, leading to a later use after free,
+when the listener socket is closed.
+
+This addresses CVE-2020-16119.
+
+Fixes: 2677d2067731 (dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect())
+Reported-by: Hadar Manor
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
+---
+ net/dccp/proto.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/dccp/proto.c b/net/dccp/proto.c
+index 6d705d90c614..359e848dba6c 100644
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -279,7 +279,9 @@ int dccp_disconnect(struct sock *sk, int flags)
+
+ dccp_clear_xmit_timers(sk);
+ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
+--
+2.29.2
+
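Review bot: The revert reintroduces exactly what the reverted commit removed — freeing the TX CCID in `dccp_disconnect()` — and per that commit's subject it was removed because a CCID timer could still fire into the freed `ccid2_hc_tx_sock`; it is only safe here because the preceding patch moved the timers into `struct dccp_sock` and made the callbacks bail on `DCCP_CLOSED`. The message should state that hard dependency, e.g. `Depends on "dccp: ccid: move timers to struct dccp_sock"`, since a backporter cherry-picking the revert alone for CVE-2020-16119 would reopen the older use-after-free. The hunk also relies on `ccid_hc_tx_delete()` reaching the `*_hc_tx_exit()` paths that stop `dccps_ccid_timer`, which is provided by the previous patch rather than by anything visible here.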
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
new file mode 100644
index 000000000000..13c5a44329b5
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0107-sysctl-expose-proc_dointvec_minmax_sysadmin-as-API-f.patch
@@ -0,0 +1,95 @@
+From e74eb005cfeffc8375ef955650997da3e25b116c Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 20:28:32 +0200
+Subject: [PATCH 107/108] sysctl: expose proc_dointvec_minmax_sysadmin as API
+ function
+
+Orthogonal to the other sysctl proc functions expose the variant that is
+checking CAP_SYS_ADMIN on write for consumption in external subsystem's
+sysctl tables.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ include/linux/sysctl.h | 2 ++
+ kernel/sysctl.c | 31 ++++++++++++++++++++++++++++---
+ 2 files changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 51298a4f4623..b835c57330f2 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -53,6 +53,8 @@ int proc_douintvec(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_minmax(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_douintvec_minmax(struct ctl_table *table, int write, void *buffer,
+ size_t *lenp, loff_t *ppos);
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos);
+ int proc_dointvec_jiffies(struct ctl_table *, int, void *, size_t *, loff_t *);
+ int proc_dointvec_userhz_jiffies(struct ctl_table *, int, void *, size_t *,
+ loff_t *);
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 890322b0f82e..0435bd5c8ba7 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -896,8 +896,27 @@ static int proc_taint(struct ctl_table *table, int write,
+ return err;
+ }
+
+-#ifdef CONFIG_PRINTK
+-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++/**
++ * proc_dointvec_minmax_sysadmin - read a vector of integers with min/max values
++ * checking CAP_SYS_ADMIN on write
++ * @table: the sysctl table
++ * @write: %TRUE if this is a write to the sysctl file
++ * @buffer: the user buffer
++ * @lenp: the size of the user buffer
++ * @ppos: file position
++ *
++ * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
++ * values from/to the user buffer, treated as an ASCII string.
++ *
++ * This routine will ensure the values are within the range specified by
++ * table->extra1 (min) and table->extra2 (max).
++ *
++ * Writing is only allowed when root has CAP_SYS_ADMIN.
++ *
++ * Returns 0 on success, -EPERM on permission failure or -EINVAL on write
++ * when the range check fails.
++ */
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+ if (write && !capable(CAP_SYS_ADMIN))
+@@ -905,7 +924,6 @@ static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
+
+ return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ }
+-#endif
+
+ /**
+ * struct do_proc_dointvec_minmax_conv_param - proc_dointvec_minmax() range checking structure
+@@ -1591,6 +1609,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
+ return -ENOSYS;
+ }
+
++int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
++ void *buffer, size_t *lenp, loff_t *ppos)
++{
++ return -ENOSYS;
++}
++
+ int proc_dointvec_jiffies(struct ctl_table *table, int write,
+ void *buffer, size_t *lenp, loff_t *ppos)
+ {
+@@ -3464,6 +3488,7 @@ EXPORT_SYMBOL(proc_douintvec);
+ EXPORT_SYMBOL(proc_dointvec_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_minmax);
+ EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
++EXPORT_SYMBOL(proc_dointvec_minmax_sysadmin);
+ EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
+ EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
+ EXPORT_SYMBOL(proc_dostring);
+--
+2.29.2
+
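Review bot: The new kernel-doc line `Writing is only allowed when root has CAP_SYS_ADMIN.` misdescribes the check: `capable(CAP_SYS_ADMIN)` tests the writing task's effective capabilities against the initial user namespace regardless of UID, so a root task stripped of the capability (e.g. in a capability-bounded container) is refused and a non-root task holding it is allowed. I would write `* Writing is only allowed to callers holding CAP_SYS_ADMIN in the initial user namespace (capable()), independent of UID.` Also, the helper is exported with `EXPORT_SYMBOL` while the neighbouring `proc_douintvec_minmax` uses `EXPORT_SYMBOL_GPL`; for a new export that gates privileged writes I would use `EXPORT_SYMBOL_GPL(proc_dointvec_minmax_sysadmin);` for consistency.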
diff --git a/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0108-usb-implement-dedicated-subsystem-sysctl-tables.patch b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0108-usb-implement-dedicated-subsystem-sysctl-tables.patch
new file mode 100644
index 000000000000..08540d8c36d7
--- /dev/null
+++ b/sys-kernel/cairn-sources/files/5.9.6/hardened-patches/0108-usb-implement-dedicated-subsystem-sysctl-tables.patch
@@ -0,0 +1,185 @@
+From f86102e71f88961555dae4fb9191f99ec1f7d3ac Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sun, 6 Sep 2020 21:08:16 +0200
+Subject: [PATCH 108/108] usb: implement dedicated subsystem sysctl tables
+
+This moves the usb related sysctl knobs to an own usb local sysctl table
+in order to clean up the global sysctl as well as allow the knob to be
+exported and referenced appropriately when building the usb components
+as dedicated modules.
+
+Signed-off-by: Levente Polyak <levente@leventepolyak.net>
+---
+ drivers/usb/core/Makefile | 1 +
+ drivers/usb/core/hub.c | 3 ---
+ drivers/usb/core/sysctl.c | 44 +++++++++++++++++++++++++++++++++++++++
+ drivers/usb/core/usb.c | 9 ++++++++
+ include/linux/usb.h | 10 ++++++++-
+ kernel/sysctl.c | 11 ----------
+ 6 files changed, 63 insertions(+), 15 deletions(-)
+ create mode 100644 drivers/usb/core/sysctl.c
+
+diff --git a/drivers/usb/core/Makefile b/drivers/usb/core/Makefile
+index 18e874b0441e..fc7a3a9aa72a 100644
+--- a/drivers/usb/core/Makefile
++++ b/drivers/usb/core/Makefile
+@@ -11,6 +11,7 @@ usbcore-y += phy.o port.o
+ usbcore-$(CONFIG_OF) += of.o
+ usbcore-$(CONFIG_USB_PCI) += hcd-pci.o
+ usbcore-$(CONFIG_ACPI) += usb-acpi.o
++usbcore-$(CONFIG_SYSCTL) += sysctl.o
+
+ obj-$(CONFIG_USB) += usbcore.o
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 3eaf85d1c6aa..88911aaef776 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5040,9 +5040,6 @@ static int descriptors_changed(struct usb_device *udev,
+ return changed;
+ }
+
+-/* sysctl */
+-int deny_new_usb __read_mostly = 0;
+-
+ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
+ u16 portchange)
+ {
+diff --git a/drivers/usb/core/sysctl.c b/drivers/usb/core/sysctl.c
+new file mode 100644
+index 000000000000..3fa188ac8f67
+--- /dev/null
++++ b/drivers/usb/core/sysctl.c
+@@ -0,0 +1,44 @@
++#include <linux/errno.h>
++#include <linux/init.h>
++#include <linux/kmemleak.h>
++#include <linux/sysctl.h>
++#include <linux/usb.h>
++
++static struct ctl_table usb_table[] = {
++ {
++ .procname = "deny_new_usb",
++ .data = &deny_new_usb,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec_minmax_sysadmin,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE,
++ },
++ { }
++};
++
++static struct ctl_table usb_root_table[] = {
++ { .procname = "kernel",
++ .mode = 0555,
++ .child = usb_table },
++ { }
++};
++
++static struct ctl_table_header *usb_table_header;
++
++int __init usb_init_sysctl(void)
++{
++ usb_table_header = register_sysctl_table(usb_root_table);
++ if (!usb_table_header) {
++ pr_warn("usb: sysctl registration failed\n");
++ return -ENOMEM;
++ }
++
++ kmemleak_not_leak(usb_table_header);
++ return 0;
++}
++
++void usb_exit_sysctl(void)
++{
++ unregister_sysctl_table(usb_table_header);
++}
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index bafc113f2b3e..3ef0735c4349 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -72,6 +72,9 @@ MODULE_PARM_DESC(autosuspend, "default autosuspend delay");
+ #define usb_autosuspend_delay 0
+ #endif
+
++int deny_new_usb __read_mostly = 0;
++EXPORT_SYMBOL(deny_new_usb);
++
+ static bool match_endpoint(struct usb_endpoint_descriptor *epd,
+ struct usb_endpoint_descriptor **bulk_in,
+ struct usb_endpoint_descriptor **bulk_out,
+@@ -990,6 +993,9 @@ static int __init usb_init(void)
+ usb_debugfs_init();
+
+ usb_acpi_register();
++ retval = usb_init_sysctl();
++ if (retval)
++ goto sysctl_init_failed;
+ retval = bus_register(&usb_bus_type);
+ if (retval)
+ goto bus_register_failed;
+@@ -1024,6 +1030,8 @@ static int __init usb_init(void)
+ bus_notifier_failed:
+ bus_unregister(&usb_bus_type);
+ bus_register_failed:
++ usb_exit_sysctl();
++sysctl_init_failed:
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ out:
+@@ -1047,6 +1055,7 @@ static void __exit usb_exit(void)
+ usb_hub_cleanup();
+ bus_unregister_notifier(&usb_bus_type, &usb_bus_nb);
+ bus_unregister(&usb_bus_type);
++ usb_exit_sysctl();
+ usb_acpi_unregister();
+ usb_debugfs_cleanup();
+ idr_destroy(&usb_bus_idr);
+diff --git a/include/linux/usb.h b/include/linux/usb.h
+index 6a8de00d4293..29f86aa1e7ea 100644
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -2026,8 +2026,16 @@ extern void usb_led_activity(enum usb_led_event ev);
+ static inline void usb_led_activity(enum usb_led_event ev) {}
+ #endif
+
+-/* sysctl */
++/* sysctl.c */
+ extern int deny_new_usb;
++#ifdef CONFIG_SYSCTL
++extern int usb_init_sysctl(void);
++extern void usb_exit_sysctl(void);
++#else
++static inline int usb_init_sysctl(void) { return 0; }
++static inline void usb_exit_sysctl(void) { }
++#endif /* CONFIG_SYSCTL */
++
+
+ #endif /* __KERNEL__ */
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 0435bd5c8ba7..2d8b19cbb771 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2322,17 +2322,6 @@ static struct ctl_table kern_table[] = {
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
+-#if IS_ENABLED(CONFIG_USB)
+- {
+- .procname = "deny_new_usb",
+- .data = &deny_new_usb,
+- .maxlen = sizeof(int),
+- .mode = 0644,
+- .proc_handler = proc_dointvec_minmax_sysadmin,
+- .extra1 = SYSCTL_ZERO,
+- .extra2 = SYSCTL_ONE,
+- },
+-#endif
+ {
+ .procname = "ngroups_max",
+ .data = &ngroups_max,
+--
+2.29.2
+
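Review bot: The new file drivers/usb/core/sysctl.c has no SPDX header; its first line should be `// SPDX-License-Identifier: GPL-2.0`, which checkpatch will otherwise flag. The `usb_root_table` wrapper with `.child` is the legacy registration form; in this kernel `register_sysctl()` takes the path directly, so `usb_table_header = register_sysctl("kernel", usb_table);` does the same and the root table can be dropped. Note too that `usb_init()` now aborts USB core initialisation when sysctl registration fails, which is fail-closed for a deny knob and defensible, but the commit message should say that this is intended rather than leave a reader to infer it from the error-path labels.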
diff --git a/sys-kernel/calculate-sources/Manifest b/sys-kernel/calculate-sources/Manifest
index 9d32cb7276c1..f0f5b93d09d3 100644
--- a/sys-kernel/calculate-sources/Manifest
+++ b/sys-kernel/calculate-sources/Manifest
@@ -2,6 +2,7 @@ DIST linux-4.19.tar.xz 103117552 BLAKE2B 1dbf16cf410867412d17568fe42bc1e90c03418
DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a9362d2adacdadd8d96251f61f7230878ea297a269a7f3b3c56830f0b177e068691e1d7f88501a05653b0a13274d1 SHA512 95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e
DIST linux-5.4.tar.xz 109441440 BLAKE2B 193bc4a3147e147d5529956164ec4912fad5d5c6fb07f909ff1056e57235834173194afc686993ccd785c1ff15804de0961b625f3008cca0e27493efc8f27b13 SHA512 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f
DIST patch-4.19.145.xz 3398080 BLAKE2B 20ae916cdf9a8d2d7642af0316a7fe07b0598f1109c26270e9da9f02b1d8d13cc4aba6cc340a755260f7e417fa33d9d5622b9b11b9e75fb78536dffa221fa474 SHA512 eedf90d3ba9510a091a7d28fe4945535a7f773a75375fe09c15845752ebca37ef27c699ec3a9993f1f01b4820d741da10892a5b76751da8dd0d0e00c6eb65a7b
-DIST patch-4.19.167.xz 3731708 BLAKE2B a5bba38bbc355672d7e31016892197b3a518e6bc4f679e3514f8f5a9b34c8e0ee1fdb699152e78b2b86075e51cc856f88a9606a87f5ae62b0c453a6a994b6853 SHA512 639fbf255e0fdb5428fe2b01e306d9021a86082a3d5c99393b28e4505209ac8433e14822f5ba60d7461ee4543311432cea5c2679b8ba421d0f5d6cd9b1ce6497
-DIST patch-5.10.7.xz 272248 BLAKE2B 0b54a1047e97951ff624316c0e0296619ab3d7f8b1f1e3ca8192593661fcb4f6fb35d9d89878e5fed0b2af6027a968fd7af209cb47abf5e5f9ef24aa04510efd SHA512 2f82b0065c2751c5e9dfcf50d6e1d7f1aaf933aba63aede310c6f847114cac2c65d98f1f9dab9481b8a03ded8f95a3e565c279b9b8b935ce810db2349db701cb
-DIST patch-5.4.89.xz 2526936 BLAKE2B af7933dd076ec86fcba733adb746ed60af220d3b0a6067f909482f8827ec0bb0dd4e4bfe56debd1a6f2131ff04d7d51c91b192946cf7e16eb25dc6cf5073b9c1 SHA512 5427e114efd8436aac32a003b54ac5529b67b7cc469212e22c0b95e90928420e78d66e179cb831f40aec6b1c11e1e7d2bf7dbac8453ca2e7c736e70319b5b78d
+DIST patch-4.19.170.xz 3745272 BLAKE2B 17f9888874cc6765f88b8862f84e85835d2be96e021d5e0d9ed6a252ef8c8f264c7c8ce0fb63a7e94025e1b0e232877817caadb108bea27c96a6547abbac1a84 SHA512 942e0a1acd22c30a716e5aa13eaea6e7bcecdb01cb2706d4062702e4b296fc07442d5cb6c49d65df3231dc4093411f162260b1674201531a119496aa198ff7e2
+DIST patch-5.10.10.xz 345784 BLAKE2B 244fba14b6b6e6832aa705dfbaf082eed6aa798011e5cb482e5eda7516470153116e721a4589fe57a52f1121fb1a32b45976c9c4fb5d7445ccd129e16af3b95d SHA512 94e381026751a8fd0d38a7cb6816327df8bdf0448716f9e170737a4415a89dad9596e3007a90d3cbb2bf39c7ebb7d6c2157a8c1117623fbebfab01736265cf14
+DIST patch-5.10.9.xz 335044 BLAKE2B f0052ce809cbccc32c1681fbc9ff9607a04d2dd735a364231a481841b7c8dac1231f944acc6e0720f9e9953f33945a1b0ab936f2795b534e210437e06df82fae SHA512 d1580e3a1863f3ce69237e35b3fb130fcb9a97a2d306abce51761821ff3db0e6308b5393dc3e0dc1cc4da5f3a4ce79ce2d159c2653084177f66bfcbd982fe04d
+DIST patch-5.4.92.xz 2553144 BLAKE2B de3b6c5bb534e3caf71f4e53cbbd64108b97ccbb61e312c7f0e9f946cd9caac62e6733d4c0fcbc619beb2a49ef421d3a560cd4865813587d880de0e2754b412b SHA512 d49e16299e5ad02dc50d5c3d5f56d7989ee670c74376d8f2f02daf579e436272de2398697b0e816193b48ea42575004c2abfd5e2af88b027072c5011a9dae302
diff --git a/sys-kernel/calculate-sources/calculate-sources-4.19.167.ebuild b/sys-kernel/calculate-sources/calculate-sources-4.19.170.ebuild
index afdeeb3a5821..afdeeb3a5821 100644
--- a/sys-kernel/calculate-sources/calculate-sources-4.19.167.ebuild
+++ b/sys-kernel/calculate-sources/calculate-sources-4.19.170.ebuild
diff --git a/sys-kernel/calculate-sources/calculate-sources-5.10.10.ebuild b/sys-kernel/calculate-sources/calculate-sources-5.10.10.ebuild
new file mode 100644
index 000000000000..8909ffe7831d
--- /dev/null
+++ b/sys-kernel/calculate-sources/calculate-sources-5.10.10.ebuild
@@ -0,0 +1,24 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+ETYPE="sources"
+
+inherit calculate-kernel-8 eutils
+
+DESCRIPTION="Calculate Linux kernel image"
+KEYWORDS="~amd64"
+HOMEPAGE="https://www.calculate-linux.org"
+
+SRC_URI="${KERNEL_URI} ${ARCH_URI}"
+
+IUSE="fsync uksm"
+
+src_unpack() {
+ calculate-kernel-8_src_unpack
+}
+
+pkg_postinst() {
+ calculate-kernel-8_pkg_postinst
+}
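Review bot: The header of this newly added ebuild is stale: `# Copyright 1999-2015 Gentoo Foundation` and the CVS-era `# $Header: $` marker are carried over into a file created in 2021, and `EAPI=5` is used for a brand-new ebuild even though the other new ebuild in this commit (dummy-sources-9999) already uses EAPI 7. If the calculate-kernel-8 eclass supports a newer EAPI, a freshly created file is the natural place to move to it; if it does not, the header should at least read `# Copyright 1999-2021 Gentoo Authors` with the `$Header: $` line dropped so that the file does not look like an unreviewed copy. The hash in the `index` line differs from the 5.10.7→5.10.9 rename in the same package, so this file is not a byte-identical copy of its sibling; a one-line comment noting what was changed relative to 5.10.9 would help the next bump.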
diff --git a/sys-kernel/calculate-sources/calculate-sources-5.10.7.ebuild b/sys-kernel/calculate-sources/calculate-sources-5.10.9.ebuild
index 070972830bfd..070972830bfd 100644
--- a/sys-kernel/calculate-sources/calculate-sources-5.10.7.ebuild
+++ b/sys-kernel/calculate-sources/calculate-sources-5.10.9.ebuild
diff --git a/sys-kernel/calculate-sources/calculate-sources-5.4.89.ebuild b/sys-kernel/calculate-sources/calculate-sources-5.4.92.ebuild
index eafe098926aa..eafe098926aa 100644
--- a/sys-kernel/calculate-sources/calculate-sources-5.4.89.ebuild
+++ b/sys-kernel/calculate-sources/calculate-sources-5.4.92.ebuild
diff --git a/sys-kernel/debian-sources/Manifest b/sys-kernel/debian-sources/Manifest
index 67e139b3dc18..bd142a101600 100644
--- a/sys-kernel/debian-sources/Manifest
+++ b/sys-kernel/debian-sources/Manifest
@@ -1,4 +1,4 @@
DIST linux_4.19.160-2.debian.tar.xz 2844076 BLAKE2B da9ff565fc9261762321d08306114a01b3994ebef4ca1d01e38814dd7d3acd5072236b95e168f879feabc2690571bd35a4738763eacbd0f5e9d9cc1aee93558b SHA512 a4068b0ed7fb1f50aa33d31e4a42cb2a3419899f9d58a2236b1df2e4ef9865339db872008e8acd0a1790f2a43e2b2ff23765f5b55ee422c521d29bbe94ab3295
DIST linux_4.19.160.orig.tar.xz 107559120 BLAKE2B 32271fb4f086d23cb52f61e9631930ee94b4849509bf0697307f09627dc8f19acd53c25c0f8f5bf0ae488405eb9e0b7d89be4f1fe690e8f80318c14f0a9b8ac5 SHA512 8ef8e69a0d2195fe1bc7bd69870361a40d61269fb28f4838462b4dd9b3df6c6ef0705cb0ace10d530bab6fb8037b87459cee58dfe0d8766b844bad2e83b7768e
-DIST linux_5.10.4-1.debian.tar.xz 1292196 BLAKE2B cdfd21063264d24f2e09e60aeb4c8426434b52efd8c96393d6c293ce1df29c8df74d07f56da4f1afc3a549b24bcf6726b9e611bcd5461b2ba0c8dc4c56d70ab3 SHA512 2557d0e7630c1087e5aa7cf2ed93d945511aaaa23b78998a62efc29e241076a4aefbcd478428b39a8f7921a9b3a4083d4c67cf251099d3d4c05574760c11a5f8
-DIST linux_5.10.4.orig.tar.xz 121437192 BLAKE2B eecfd16943f563378ffab61d16a300e4982717b5871472f1a22670bfd45f37c5a2eba6e6eec21aec31cb40ab233d003058e1b86205a207931061194d93fdfc6e SHA512 e88ec745f19cb57a01b99a59205d82e8ef3b267b3fbeb5ec9c0f640f38e926d5e12bdc7ab7bda2c67b8c0317407fe102e2c2f5d2ba592fd367d193ebe336a82f \ No newline at end of file
+DIST linux_5.10.9-1.debian.tar.xz 1300900 BLAKE2B b45d7bc8b26a73b1671931bacdada44395f8eaaad3021cfa84e4fc4915d7ef28204c677347fc99c18484ceefc91ec863de722100d4e4f810590f3754ee64faf2 SHA512 a0d96542017655e93159d0f871ff341ee63146c3069ead5af7a2f76147c2a289590b306e701b9160a2b84f627283e60be2e6aafe424fec68318cf242a5a6fd7b
+DIST linux_5.10.9.orig.tar.xz 121452732 BLAKE2B 3c1cb5d1c4d9ff8367d16e39bd2687327ddaffdba418d1874e8a883326fbd75b69c218c70517cc3cd648e0f43314cc338dfd8069f1bcfd5ee06cf848be041653 SHA512 b69754d1543864c2154ec6952a7628f1c093ca6720b9ad6cadce96ff94f53d7f291bbe05564f67ad1e53a9808d6f33335cdf605f8d26b37b2c3090d37b16b4b9
diff --git a/sys-kernel/debian-sources/debian-sources-5.10.4_p1.ebuild b/sys-kernel/debian-sources/debian-sources-5.10.9_p1.ebuild
index 7aa5e9993096..7aa5e9993096 100644
--- a/sys-kernel/debian-sources/debian-sources-5.10.4_p1.ebuild
+++ b/sys-kernel/debian-sources/debian-sources-5.10.9_p1.ebuild
diff --git a/sys-kernel/dummy-sources/Manifest b/sys-kernel/dummy-sources/Manifest
new file mode 100644
index 000000000000..4810babedaad
--- /dev/null
+++ b/sys-kernel/dummy-sources/Manifest
@@ -0,0 +1 @@
+EBUILD dummy-sources-9999.ebuild 375 BLAKE2B 57a4c2d8c4ec84c389f0bc6c7491df799d0f2bdcc5cd14fa84cf24e5c59191fd652d4036a4bf5d9c9b5f6d12f75072510045d438d654cc56bd5fe9bdaac5b061 SHA512 687318588551e246851ae89c84881c09ed91332f7ca07f7f83320f89cd817856b0d2d101ebc302e75d1408a8837a460174e3dd7c621d2fec49e57fcaf12baadb
diff --git a/sys-kernel/dummy-sources/dummy-sources-9999.ebuild b/sys-kernel/dummy-sources/dummy-sources-9999.ebuild
new file mode 100644
index 000000000000..9725e4fd3067
--- /dev/null
+++ b/sys-kernel/dummy-sources/dummy-sources-9999.ebuild
@@ -0,0 +1,25 @@
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="A dummy package for linux kernel sources"
+HOMEPAGE="https://kernel.org"
+
+LICENSE="GPL-2"
+KEYWORDS="*"
+
+SRC_URI=""
+
+SLOT="0"
+
+IUSE="debug firmware"
+
+BDEPEND="
+ sys-devel/bc
+ debug? ( dev-util/dwarves )
+ virtual/libelf
+"
+
+DEPEND="
+ firmware? ( sys-kernel/linux-firmware )
+"
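Review bot: The tooling this package pulls in (`sys-devel/bc`, `dev-util/dwarves`, `virtual/libelf`) is declared in `BDEPEND`, which only has to be satisfied while this package itself is being built; since the ebuild has no `SRC_URI` and no phases, nothing is built here, and a package manager is free to treat those dependencies as no longer needed once the merge completes. If the intent, as the name "dummy package for linux kernel sources" suggests, is to keep kernel-build tooling present on the installed system, those atoms belong in `RDEPEND` (or the file needs a comment explaining why build-time scope is sufficient). A short header comment stating what the package is for and why it carries no sources would make the purpose explicit, e.g. `# Meta-package: satisfies sys-kernel/* dependencies on systems that manage kernel sources outside portage` (wording to be confirmed by the author). Also, the `DEPEND` on `sys-kernel/linux-firmware` behind `firmware?` is likewise a build-time scope for something only useful at runtime.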
diff --git a/sys-kernel/gentoo-kernel-bin/Manifest b/sys-kernel/gentoo-kernel-bin/Manifest
index 08a8027c66e9..d27673d43555 100644
--- a/sys-kernel/gentoo-kernel-bin/Manifest
+++ b/sys-kernel/gentoo-kernel-bin/Manifest
@@ -1,39 +1,24 @@
-DIST gentoo-kernel-5.10.3-1.amd64.xpak 64335555 BLAKE2B d7925d0704dc583e02323dcc67f26663d86d7b0c320de9899df499c4c2a5c117691254a9a705b3851f8cd6ea88e055b4f89274eff280416f271c0dbe129c62e4 SHA512 64dce3f93b21a5b230c77542f394147e48b7c88685df39748e629a069dd2d0a5b7c97117a21ebe0df5a1da6665d9635d5eeeedf6662aea79a31fce181789e2a1
-DIST gentoo-kernel-5.10.3-1.arm64.xpak 59757824 BLAKE2B 1ff8538926e8fee29932fb54a75d15f62580548d71a0d74fa380373aafbd8315bc1a94563affe593414a4dd68d7134254ed6180eb73145e7fce55cc01e6090f3 SHA512 5d25f5ad456972f1773b46583df6ede6ed3e254b6e2c39e317f874c16cc8174de3940c6645ed8593719b3e0a59bd66cd5943539956c0c68971bdb1f5a81b19bc
-DIST gentoo-kernel-5.10.3-1.x86.xpak 57278106 BLAKE2B 88a350e8cc7debb6c9c680a202c7b3838feb99f1c9e082c4afb55fcf36a0f7e9983e16f68523c9a5776887571ccd8030f0b407f9aae6eee9cab7043f1c31b368 SHA512 e1e2636490779fac904fef53d9d9152a53877290337fef09b3ba5c6dd77f3443ac4f18b8c30dcbb1dd4adbee8c7ae1da75c5385f2c40b53dd41e695f876bf858
-DIST gentoo-kernel-5.10.4-1.amd64.xpak 64309178 BLAKE2B 29e71d663361078b696011681188e35c1a6445628e6021a44da86794a577aa0f53b3c8f6969a5c67a8e125b83d973a1d5c4b258f46e0bf674c4f29ebab48043b SHA512 03fce3f33af23ff0bf5804abe1d8e85d9e0cd63621552c6696105cdfaf1da1fb97ef67d65fd5a04e7c3f1184a7156b6c0951a860bd7d59839f44460f0d16e5dd
-DIST gentoo-kernel-5.10.4-1.arm64.xpak 59692739 BLAKE2B dc35cbeca42a2e80680d5c90f21b549856f55cd6cd4b50e41c483e4171332681c9b93b66c7fb6e5aa6a9aaf06764064b4507b71e0ff0a3a5b80dfee3c850bc4b SHA512 f79be2122b261353cdd8648b1324c215bb3beaea246b402d93cb0b6e9acd6ae080e85fba8f0da2ef7f0889a52b105eb86e6178cf2154918b29ff536665cbb325
-DIST gentoo-kernel-5.10.4-1.x86.xpak 57279783 BLAKE2B f654c7d1b12cbd555fdc28a501a6475d493d9c67c95db14d875a849f593f52587886c5ca44b19fb106679051c56aa0b71036c75f0c20ab36b6ac80ad0193d1eb SHA512 f0225ceef55123ea3d71470c83488793ddc755b3b63d521499731fb12c0c219458565bda44592662412646b2c92729927d97d4dfdc91a6a93a79842826ddd755
-DIST gentoo-kernel-5.10.5-1.amd64.xpak 64334230 BLAKE2B 109f28779275d0f7c6a6d484df7b9bb6fc469778c8e5dd982d699f8c24782a2dc6164f792e862a23e8bf16a21b79c26c0ed2d844b428ceffd1a8c78929927816 SHA512 7d2f2b7621663e0f3e00de4806fd024af905db0310dbe77d672ac4a0952148215272b7528bcc2be067f72a459cb85f3ee1844e45a62a3174296c8a132a614ea9
-DIST gentoo-kernel-5.10.5-1.arm64.xpak 59705377 BLAKE2B 992d171206fb71764e7080c43d67bb8ac6ae82ac68f79f3d1ae0b9ac7ba794889d6dc65f54017fff1d913d5bc158d82dcc60fdd698a51d8de1c97554e54f64cc SHA512 bc7f6d18b98a0549b77d1bd62816d07a72d4e5376e4bc6f746bff00767b76a2c3193368db159a97ef7b16ffd2396d0808856dd6832c17b55ef329c40f76f521a
-DIST gentoo-kernel-5.10.5-1.x86.xpak 57311572 BLAKE2B 9dafca35b9f537dfdab64e0ba3bb157f55d5869b1455a8445cef1789507bc719c3b83559f485c14b5d5bc15f0db1034f7e33c7abc4bf17ed05ae100dfe21a2ae SHA512 c8a7feec1adb7428d02badcdfdbb74d31c6f6a373b452eee772a305d933c598a6f4340f71d24cb4a642b90d740e7de3ecc0320d74dbddf1e42773aa78e104912
-DIST gentoo-kernel-5.10.6-1.amd64.xpak 64325745 BLAKE2B 5edba6f4a76ac49cc9e7fb92509df26520541dcf08b4f0fdcec7b1774d1eb755da7a67635c75360025f31b8e01492d1380d9ff4367f56ee83fd736d7793b6b52 SHA512 f64ba6b248a060c49b91c4ed3499fc4358f43eae639a2ed217fe031903d886ee455a90eac359794eb87acb1f5de5f0eb812e9c049594d30b583dfb20731b2294
-DIST gentoo-kernel-5.10.6-1.arm64.xpak 59697158 BLAKE2B d75d604fdd35f6052ff518fa3902ca5e36241adfd95881619f9f4175916d66a9399690d2ca6cd6db883d0c30b9ca5ebd4580f7dbf6c78c38063fb26312897b03 SHA512 2e6b7434d7da9af66a5cfb3602881fe454368e97927f730bb51d2291b604e375f82e757515a88042bf9c180996c7f0f6099b40cca0d88377d7f379ba20b79de6
-DIST gentoo-kernel-5.10.6-1.x86.xpak 57273410 BLAKE2B 1853ffb277f195e371438717370265de4056c3b5d11e9bb30e9b4e04b476392dc797b11f4b57f6da8bcbf27d6b02d15798f1b484bdd64c667328ba7cd8ca272e SHA512 04e75d6986519948d19418aa1343b6c453c162021c1545a4d84c03b1090265c3ed1f00a58133a499701d516b0b436cfe8abb5f07f14b06236522d34213618861
-DIST gentoo-kernel-5.10.7-1.amd64.xpak 64335956 BLAKE2B c0f22c44fc7adf6e013cb52f5aa92c444f5fcde27eb47eb9ed900e04a91beaeab1524d15b42ec3ecafbf3d2db82ff8aca8a3016ae602e5f83882dc42380b7179 SHA512 b5969f1c6fed830dc8e61fc027549c427dd880dfd780477625697aa0f3efdeb3d0723e086abc6a71cc93144993230c1aecc1c29f343aadf7180c3a211fa2094a
-DIST gentoo-kernel-5.10.7-1.arm64.xpak 59756733 BLAKE2B d9b6c4e2efc029f4ceafca616fe8f726029e6596188527a1f82a578dbbde4b53008667fadd1d24fe392d341659b64de626868e751ec0aa0e7c815ee9044533fd SHA512 653ec9a703a70e3b93890ffeccc3ca9f25da473e05d0ceb63854eadc386c19822fd66b8637b92d114c22a328c4e5e7dd8eb542f7b3c98128d963e319d9a4204e
-DIST gentoo-kernel-5.10.7-1.x86.xpak 57282477 BLAKE2B 743d2bb10de76025510a307f938de4cd6f08849ffd0c6e2d8b1b148d63cb718efd3cceb2e72ceb32a4a940050637683bdb49ec63caee9018d7aaaf4b99a18d81 SHA512 b30a17fbd6852a107a98501b6229b9c62221b2d4aaacc67afb88ab992130c9247b14a538b2f222db6816cbf05be42dc7ae4023b24558d1ae5a4ce15d042f2fba
-DIST gentoo-kernel-5.10.8-1.amd64.xpak 64351138 BLAKE2B 7518aea3df5555f97debfd4ce1d3670c4d388b0ee66c865144c87b7d68bc735f0c6861980316357d76b9981169c082bb7fa443bd8c652fabe85ff69280d5455b SHA512 0c9b7790f7fee0f70dc7553bc5a1d279021769be6e975e936942ca468828a3215e75986ec7d05f573f4bb1c90697c52d36ade5c8b2f3f7586c64dc38b4e3e51f
-DIST gentoo-kernel-5.10.8-1.x86.xpak 57271496 BLAKE2B f141f9eac74d497327e39456fd346a810334b05e5f3b19ae1cf3b8e27297a412038165ec93a0bea42c46b712ec91bf9b3d51d3c452e7f34dcad0d338fda647a4 SHA512 ec84d1bc50def3bcad74a2f0f8555e120a91f8fd8c2df334faa73f7ef3e00f9ff34815124a124481751609b94e844c4e7946eeb6199abf729058f5c7b4ee0943
+DIST gentoo-kernel-5.10.10-1.amd64.xpak 64334952 BLAKE2B 6dbfc8d8dffdd7d2b9cc7fa1bb60868c87a89a910d46323966cac9cc61e9cb387c29453042eb3f8d3e6f7113c0e72b31a02e1657678bc87f195a658591a85681 SHA512 f2593710e4727c730ddb8dac708ba12c9d8bad88cb8b65f6746ae14b522fc47638ffe019ace5a3c578bd52869bed2e2e6d993912690e96204a26b93c12a19d90
+DIST gentoo-kernel-5.10.10-1.arm64.xpak 59568061 BLAKE2B 4cfc3645d31ab062d9cf69cac9ca76a56ee7f57d4895d455c68e3cf24d7eeb01e120a98257ffca3ff000419497ef5fe3f0da1ef6f31c3ba32c77f8d280a50f53 SHA512 c9cfd6c20471413dd6430437b9a6cbfa7b57259ce822016388dd07c566e042f56155de22d8d06c177e73c16c21d04e247eff663df95aa533b089d05055bb1d3a
+DIST gentoo-kernel-5.10.10-1.x86.xpak 57274976 BLAKE2B c606a4df7cb2df25a5d1d2668860791788878c2353e4bafd08f22de105f985aa78c9e494e77d041396bcb88cfdc72f0b6a1bb3d0b1e670e00b17eac163bd001e SHA512 13d3dc2fbfa1526e4f365a9f454ceffd7424004bf98f5d3116877758067bb13991ea107371f63ea46520f909b536460343a2b8f024f73b7b01b228fbfd22733e
+DIST gentoo-kernel-5.10.11-1.amd64.xpak 64361874 BLAKE2B 81f33a992539d7cc8f7e35de50515d2bd71268cb4d9bf53236d6abcd49cf5e235032d58cdbaa1d1c670ab63b0af150895ccaf1e830df610179392ed114ab7f98 SHA512 639cd26a0bdb4bdcc6dc6ef36702f8aa37cd0747e93e3b2053e0e66139a3d538f019b795bd0bed48a8236ec3f5c768551a105e4f8396824c614b406cc450722d
+DIST gentoo-kernel-5.10.11-1.x86.xpak 57287495 BLAKE2B a23fc6067de63dc97c89e3de9310bca4705c21c407601874b9e8f0c68608eb0752fb1add9f351453882a24e1e89f4ab38635161aa177fb0f8f25bbd8d5ca00e8 SHA512 f522d97ef335dbcd3df0444f101add87e530f141d146f65f1c3e4b5776bb9f701557416263122c505d17510b66060f6f4e5d3c4fbd408f8c90c89f76c844c4e8
+DIST gentoo-kernel-5.10.9-1.amd64.xpak 64344838 BLAKE2B a43bee38c3d4ce1be11d99ee73489cf2d93c794fa06405f7597a7a2fa29c9ef3e64a0f9f34a20467fb730d25682062cba0ad73eb824b34918c5854010bc6cfc7 SHA512 b6c09eac07a3ada4e8ab6573d877ac62ac67858f4b5ad70364e7414fd4d269df88a57dd4fe2bd31a76537fd464b234fac513e898f07969f5d5c6857c8f0fbe65
+DIST gentoo-kernel-5.10.9-1.arm64.xpak 59837992 BLAKE2B 815b3f655ba9f8e8f7f0e000f41575fb752bc50cad2a61af71e83b824ac19f391feb28ae22da0233520629229aed3543ffd3a9f94794c741a8583aaad64d7d4e SHA512 bb1ecbcae01c1cd87bee0a07edb3daf20a9644b89fd3e588180d52e43e6eccc74511e9f74de56b0d729f304683b8ee30ceb1841ad944f9b83222682b2d977e94
+DIST gentoo-kernel-5.10.9-1.x86.xpak 57275255 BLAKE2B b577fbfbf9a470a4383f6d3cf91a26ecb8e41da62807595fded551d52b4629d2f532604e986900c9b8818a48dfbfc87b98deafbffa0c2a96bba8a252446e7675 SHA512 ce5d7bbe47d0c2ec31611580da10af7e4d0ef8979ca14a86c172b75658ef536c25b6336e57aad023de890f806e6e93658d9cf809d3a4f08bb5b2c22b002ae2c8
DIST gentoo-kernel-5.4.80-r1-1.amd64.xpak 61053571 BLAKE2B 24eebf676e1824b01aa6b75963ff8afe25e797afe90440016f4675e8385e1d6b1a04aa662d7c92217af97d56d79f9631a84c2a271b005b5ea7ad71bb8637d941 SHA512 ea99729ee68a44f6b5081e0d81dd7d5abbb50482eda8c4e435d6ee997572362de09d7c813da2ecf1aac4ed299feb73205bcff7d4d359793889690ce07cfb057f
DIST gentoo-kernel-5.4.80-r1-1.x86.xpak 52880910 BLAKE2B f94a7bbdcdbd383e919f2542251d2552e50e34264ab495a43d75e28dab881162f2549b48383b32a3b2a813a192b7d9f602eaa8210085733ac123e2246e6a285b SHA512 3b5dd91103461306f4a4ea4554792d4cdabedba6165de119523b927abb2009adc7d554f23110ddeac1a1add69b2d1674b7b87b93b1e1b186a2594174808dd9d2
DIST gentoo-kernel-5.4.83-1.amd64.xpak 61015400 BLAKE2B 73527460e0c430a23c8221f8a736416ef6c3ff0ab93d017096456e72bd6c2c88e2a631bd18b2f995bc929f918e9b5a59aa033119a534a985ae1e33d39ff48790 SHA512 53dbb9fe6d940bd93eeb35c93bb869931f8f423f6c3997433030bede0b0c11dde478e391ff372ff252771a1bb32207cefbfb478f79715ba2ee3910016087bd87
DIST gentoo-kernel-5.4.83-1.arm64.xpak 56245318 BLAKE2B 53e8e3e3bae66539622bf56c175fe2055905c8a39eb89ea084d0622fab366c0b0614a209d2063e7b44005d438c00759b2a5aca0147b83e9bc17b2a321f693d14 SHA512 657118b04169d9b2bf32fc11138573e0ecf16b27155b6f299e477b211885805bb6c9beab22a19d2d9f93c9a57f0d21759e6ff9b3747c9c7dd76a39867b04b1bc
DIST gentoo-kernel-5.4.83-1.x86.xpak 52886754 BLAKE2B 2594b014c703f9f960d180bb6b2973027d238a2232ff8c358faf76a78d8ec8835e423fed19ad8afd30225c11e884a93411636407ca5a034c8abaa32635c21089 SHA512 70776892d7cd38d3bcd4cd797a14fb25f72bf0f29c2abd14a21b2361fac062c037b139588554b47727929ae60d331e6bd6ceec0c2f8e8f830adea4ed92279ba7
-DIST gentoo-kernel-5.4.85-1.amd64.xpak 61068176 BLAKE2B c9e321b7f97ee87339409185a675dede6c56cfa5a165cea2d8a4694703e7c204ba0cde1fd68b244aa7a7f23c51b40c2da441854f4051c21fbaf2d5d51778c78d SHA512 de4d6298cc060b81aa883bcbbc211e9ed719d0ac5ea68d96270a088bd1eccaf6b144199b3fa89599a193734272589d7ef03584eb66f439aab8884c3b35681d56
-DIST gentoo-kernel-5.4.85-1.arm64.xpak 56362700 BLAKE2B b3c6050890b71ea42ab17cd8af8d3d6fccf234dc0497f9aec3f61485848b4e16ec50c4c035fb7069a25392d95e51fe61721d732e26a87793360ad4fdbb4b1c3f SHA512 2d83f1e37c2cd2a1ccb9eef447291b129345f55e31a4fb5a1a44c67f554a4dd340df899aa5873e8193e3e95cc8197dd409f782ccbf5b838dfd1b9f2343073fd0
-DIST gentoo-kernel-5.4.85-1.x86.xpak 52887129 BLAKE2B d9944829ed74f043485aa6b790e4c1436db22ef4076a6f2043f887ded980d9c077490c32efaba5511aeb90b5460a959ab5a9d5ac74cbaf626882615237ef85d0 SHA512 f84cef6ccf6f08295265855e4554daca4b736cc7528513fda3f3800e09991cb7d89b1ae3bfc5aee4667bab50ec3d87c5053e4817d00fca162485fb4746c6c6bf
-DIST gentoo-kernel-5.4.86-1.amd64.xpak 61047329 BLAKE2B c1f925bf850399ca24068a5ec01b32b48f8f082438a4d349be11489332ad962e015f9dc3c00663cff0a744a8fe776d0ee594c0ef75273efc8b5daface67776d1 SHA512 2b2e6454b964f989175816cc3abe0f4f914ee633f407a189c84de9dc9b67026c876811c2c71ccb8d69f40b0f449505ca2e1001739ba5131c48af64a72670ad50
-DIST gentoo-kernel-5.4.86-1.arm64.xpak 56303650 BLAKE2B c5dceaa814583ff3c2b2ce34353470f6a785a24d9231f1f5e09d63999b5d6ef61c5e21937ffee0a1774a579c8979f7f3d1e81667ad52ca30e4c20a22e6621eb3 SHA512 ddbc5b71286a96a57554e57f8c2a8ab2b71528c999360b00d0aa30d54da17d8327787ffeff6c07febe7126a7a1c30383d871a70539db9d811a58a7f1eb681bb2
-DIST gentoo-kernel-5.4.86-1.x86.xpak 52879557 BLAKE2B 41952050ea87e37ed49629d9282e53213d947a0b3b2fd75413de07de774e0b88eb111b530b06473257bd0a82508463f67291bc6efb4c56c5ab83ae285975b5c5 SHA512 ea8f73b494276ac1cfe8161c60e9117e93a953a3c90296763a065c02994616c1738d560c8dc3afeec4c307b3541968b1e406209f1cac4f7e0b410f2d44fd85da
-DIST gentoo-kernel-5.4.87-1.amd64.xpak 61056295 BLAKE2B 070c40817cae858400ad9bca46fa3cf89294b99c4a548105bfdc49b215dfd918d134177ab945a6f4d54a7955ef30f6724c77c972c8675479bf50624ab1952073 SHA512 7efad150bfafb150b3c833fbfe09e3157338279bfa198fcd9844dc6f0dc4285aca1d9ce7f03784ebeca2ed9848e1eea54f9d3c257b515a6b0dbcafc533221f22
-DIST gentoo-kernel-5.4.87-1.arm64.xpak 56293392 BLAKE2B adfaf9562c7aa16fc42181295acdaf5f1125b3c765dc45f4e774971ae8b3a972e0ed3186d81aa895f411635e05888d312e9e9d7cf4183808c2a530b644116508 SHA512 eaa98cc25243f04a3340eab28eb27be7d450bf7347d6a163fd500ca4b376d0f685a40f104cba9a835b287a26745975eb548b52046073bfce451ed3227def41da
-DIST gentoo-kernel-5.4.87-1.x86.xpak 52916423 BLAKE2B eae897255a6c9dff88430fb05e0cb656d663ab243b54ae2228548509e0ee11238e8d8f7579514ae5c69107c79d2b31f9561f4aac4e79fc34154215f14b1a8b1e SHA512 456bf680e96dcd0c0c30783a47ba2ff0f7b3543fef7666ce0651d3903945b7a750f7b034940c96cf0d8fcc0b251d1c40b311f77d52ff9596b92141fd691cd152
DIST gentoo-kernel-5.4.88-1.amd64.xpak 61056095 BLAKE2B 67532c81c4c3ae036bcebb30bf08c5371d47ee94adb6d56afd31e3548a82a6e69e2fbf7cf5c4caee42a8a277d1faa609427e9962eba823e49ee82f926fc48f67 SHA512 444ec47f98e0d9344d8ee2083256ea1d83d78f319facee7959564da2d5132a0c26588a1575ac6ccddb15b68f066ebaceda5088c2fba716e6fca29d9e04bf0781
DIST gentoo-kernel-5.4.88-1.arm64.xpak 56317914 BLAKE2B 3bf2420216a8a4f562d03c45010f3592399b2246dafb3dfd15ccea4327650fdd029284406ad6e49894ae3360a2d7ff0661b2be3d7915aac4e17263ae7e816fed SHA512 ddbfde061506388f8224459eb4f73d61dd43692b456556a5fdaf06b4ddb4dcfafb1fac097015ccc7c25640d1e3488a66a30312b26aa4dfaf565e885dd4f679bd
DIST gentoo-kernel-5.4.88-1.x86.xpak 52893703 BLAKE2B dec54ce2650c69ef3a558b6ab63c622d4e7051fab003923b7f838fa54e247d712fd8c85dc9d00b3430ed02170f99e29b812777ccbf0b62bacca66f0b4e358e30 SHA512 0267b4bffc0c7f76e9fa72fab6d2d55a5e65e228f7eff7a11cf9dd8b731adba41e36ffc8b0efd33306767f5bd645a690fef40750dfa0b83bf427d3e250eba1e5
-DIST gentoo-kernel-5.4.89-1.amd64.xpak 61058877 BLAKE2B 212ddf9eaa4dcc2633536fec9671fb7931225763a82f2c7eaff109745e6ec3eb7fb82a35604e23d66a881b8b8510ed81458f46aa45535fff2b5c889e435d4b7d SHA512 aabdb8c8541adef9b8c3da26213d5256a6846a5cf375945489bcd3b2c46bba4d6649f2c912deb2cfa8a2495f7cb233ee5b02702c6953d42d6a04fbf93b1814ca
-DIST gentoo-kernel-5.4.89-1.arm64.xpak 56269701 BLAKE2B 966bfcdb6fda5680e6e11f85ec04f52b82d9a51822dcd19639e862727846a63e15f7a99fe4d681fc4030a044a525fca06c76e9ba1bf637e04f271e72eb5316f0 SHA512 aab0e8af373b495fd1dd941be8861159d8ee734d7e94d4cad4c06444ec042451324e35e8b1351a401b9fc8dfdad9ee3f108e663259ce054d868ac0918a0f705e
-DIST gentoo-kernel-5.4.89-1.x86.xpak 52893729 BLAKE2B 10ab4e0b343cfc5803a72a0328854cb566dbceb44f5b4af3e20d082850ed819ff9e2c44e4cc5e814a55172185466842197553506bc78c89692ca8cabfae26e42 SHA512 a2906c0f4958a8c1baca27da81ec04d10161a92e8c95692fe91bf08572d899221ec07a13d6dd908e984abe9b639f76fb77a5b76382bcaa74f7942f6cf007f573
-DIST gentoo-kernel-5.4.90-1.amd64.xpak 61093793 BLAKE2B 3230b63cfd81a4b9ab3721f3288fe92d87578fed12ee0b9e9ffa677a1373a3c4d62003d47bc08d6e3ca27d8bd121cf904bc59de2267f684ff36e976cb75d3c68 SHA512 430153300290d9900b9418518452b4a0d35fd8ab91c74b48fff52ea35ef0d8fa70212752d3666ac9e3faae8880b0849f7839633858b91656f2541b10ead63861
-DIST gentoo-kernel-5.4.90-1.x86.xpak 52894045 BLAKE2B 53e8bf765625298041c5f2e2d47ac7f9c5f34e40acae62b43a895aaf2285c3a9bc2bdc841ecc9b0da731522fb9fe32e6ff4461ba9ad57a8ea040ff45c96501a1 SHA512 89f51dd4e420dd75063c0b7ea15dec896dfe25cc64dea3bcaf8fd9362b34a6ef57c5155a248f59cc89162c66d81383bcc2194ccd2a23c6bbde457e61ea8b7298
+DIST gentoo-kernel-5.4.91-1.amd64.xpak 61048020 BLAKE2B f2155b5e4cdf3f142eaa1b81bcef529840dd50c0eb7d6cc225216ce5965bd53f00fc7c6334c6c7e6332feac3a3432dcdbc35622d9015cf750fcbb08202bb9c40 SHA512 fecb178c72e37b12d940e924a320802e4bf1a27338a7f07c0f0cca9c45f65b72b9e03eb120da399aad4e9aebf2ca806134de4350b9b8c936665a2845fae88de6
+DIST gentoo-kernel-5.4.91-1.arm64.xpak 56311101 BLAKE2B 3c84a83b22f6449d9e83f81dfd325de0796d1ce7078fa0b61ac11e0d9e3d5e0535719bf4285f4283cd133e4165d3e3b2bd282a21eda881f4857548769124f65e SHA512 b41342608d65e94bc333e388c6b623df00ca6378d50b95d6b27b50be1374ed90196cf4ac6a118b37f3aacfaf0c0aef16399b3c6e6a25871a80d218dd187e404c
+DIST gentoo-kernel-5.4.91-1.x86.xpak 52889220 BLAKE2B d58145b5a092981f90f7699d1455a6f8e21bb5b8c15d4dba100aa0512782248d0017adb19edc7fb7a5348649aa76ea285e4f288c1f748d9de18453db505daa54 SHA512 5b1e5563181c1d5fa6593a5547f22670504edea0f9553e0b4e7d43d8a621f46ff4ebe369c95e1d7239c483ee31d99b9395384cb02e49c2eefecac26d475e9ede
+DIST gentoo-kernel-5.4.92-1.amd64.xpak 61046219 BLAKE2B 0e4b4db5eb4e15eb66739a7b756a11f194e420020c47eb89c73c7856865e09cda7d065d2b7a6f32cea925e29cc25b07b5cd0447ee17d41a47656d48f49d8828b SHA512 ec22ea8fa8e1de284f5d3408deb152e5de48ac85e197f29738998bb97aa556c910ba133c154e39ac4f50a7d64195b2b093864b3a171418bfabc2509c2c550665
+DIST gentoo-kernel-5.4.92-1.arm64.xpak 56356094 BLAKE2B 0472855af98713a38e1fed96eb64b72c74ba9b29c7713648c25f91fdab3f5a4f28322b1a37090f357417656af82173e3992a34ec1c5ebfc68c0401ab231c5fea SHA512 295808b8c9c00f803a3519a5ce9eaf6ec99979a58b276d988b9fcbf1f2433c5d45b1d223670b4977a921ee4da7176c2a29cc860e129d7b2e7a4b937b5365d98a
+DIST gentoo-kernel-5.4.92-1.x86.xpak 52893632 BLAKE2B 74187e0602932a720faa468c68fc215b8ed347b0364bc532dfcb9f34acc6e072a19b9ee2d82e61aaef2d3a67417c582038f967572b5fa264651e542c6ab00af7 SHA512 31606acd96f4b844ecd476f719ea0153d6b187a23c35a593ce9b70c2c9970b0be2a3a0c0eb57ae341d07231e7577a939ddae87d45dce79eb998fe90a13257d0c
+DIST gentoo-kernel-5.4.93-1.amd64.xpak 61051190 BLAKE2B 80cb1938d7ef498796df7008f1bb2a8d30d5d69b75d0b0fcb0c7af45867b5aae87860decd4eb41947ed4a7678cbd94f4f7f480a4d38a8050d4751d0c3058490b SHA512 0100f8d88d9ee798fcc9813b1b086c3551feadffa0ef06a08070614a52f5d4ef146e622017e590a5534c1d1c9d502a9f2c72d450724a60c3f77fcb925eb1d93a
+DIST gentoo-kernel-5.4.93-1.x86.xpak 52895797 BLAKE2B 069b8e797b479562033dffb19e0772787ee383a22dd4ee5ba2f8d464cba7ee07073198fd2d3b9ecbcfca1ee72900550ee03b2ae52c11eea4b9bec38c5ca5f2e8 SHA512 dd81aa89c9473cb555bca44965e01e39018a06ee6e7de3512b0ee721cf8a462abeb3503b61017b110e6a39167ceacc76e15f61112055ee7dc4645a29d43953a6
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10-r1.ebuild
index fa7357082db9..fa7357082db9 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10-r1.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10.ebuild
index 31b6fee9f812..31b6fee9f812 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.4.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.10.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.11.ebuild
index 31b6fee9f812..31b6fee9f812 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.11.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3-r1.ebuild
deleted file mode 100644
index 03567d5adc28..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3-r1.ebuild
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- arm64? (
- https://dev.gentoo.org/~sam/binpkg/arm64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.arm64.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~arm64"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3.ebuild
deleted file mode 100644
index 33d3968c45a9..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.3.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~x86"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6-r1.ebuild
deleted file mode 100644
index fa7357082db9..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6-r1.ebuild
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- arm64? (
- https://dev.gentoo.org/~sam/binpkg/arm64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.arm64.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~arm64"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7-r1.ebuild
deleted file mode 100644
index fa7357082db9..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7-r1.ebuild
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- arm64? (
- https://dev.gentoo.org/~sam/binpkg/arm64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.arm64.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~arm64"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7.ebuild
deleted file mode 100644
index 31b6fee9f812..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.7.ebuild
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~x86"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.8.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.8.ebuild
deleted file mode 100644
index 31b6fee9f812..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.8.ebuild
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~x86"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9-r1.ebuild
index fa7357082db9..fa7357082db9 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.5-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9-r1.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9.ebuild
index 31b6fee9f812..31b6fee9f812 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.6.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.10.9.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85-r1.ebuild
deleted file mode 100644
index 34f4ca186da9..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85-r1.ebuild
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- arm64? (
- https://dev.gentoo.org/~sam/binpkg/arm64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.arm64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~arm64"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-
-QA_PREBUILT='*'
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85.ebuild
deleted file mode 100644
index f89e59e7db2b..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.85.ebuild
+++ /dev/null
@@ -1,53 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~x86"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-
-QA_PREBUILT='*'
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.88-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.88-r1.ebuild
index 8ec8fdea9936..1a05b19758a8 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.88-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.88-r1.ebuild
@@ -24,7 +24,7 @@ SRC_URI+="
S=${WORKDIR}
LICENSE="GPL-2"
-KEYWORDS="~arm64"
+KEYWORDS="arm64"
RDEPEND="
!sys-kernel/gentoo-kernel:${SLOT}
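Review bot: The only change here is the keyword stabilization (`KEYWORDS="arm64"`), which promotes a pre-built kernel binary whose integrity rests solely on the Manifest digests; nothing in the ebuild itself verifies a signature on the artifact. The pre-image blob `8ec8fdea9936` matches the content of the 5.4.89-r1 file deleted further down this diff, where SRC_URI fetches the arm64 xpak from a developer's personal space (`https://dev.gentoo.org/~sam/binpkg/...`) and `src_unpack` does a bare `tar -x` followed by `mv * "${ED}"`, so this stable keyword now covers that fetch path (inferred from the identical blob hash, not visible in this hunk). If that is intended, a one-line comment above SRC_URI recording the provenance expectation would help future reviewers, e.g. `# Pre-built xpak fetched from a developer mirror; integrity is enforced only through Manifest digests.`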
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89-r1.ebuild
deleted file mode 100644
index 8ec8fdea9936..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89-r1.ebuild
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- arm64? (
- https://dev.gentoo.org/~sam/binpkg/arm64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.arm64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~arm64"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.90.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.90.ebuild
deleted file mode 100644
index b8eb2c63573a..000000000000
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.90.ebuild
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-install
-
-MY_P=${P/-bin/}-1
-DESCRIPTION="Pre-built Linux kernel with genpatches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+="
- amd64? (
- https://dev.gentoo.org/~mgorny/binpkg/amd64/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.amd64.xpak
- )
- x86? (
- https://dev.gentoo.org/~mgorny/binpkg/x86/kernel/sys-kernel/gentoo-kernel/${MY_P}.xpak
- -> ${MY_P}.x86.xpak
- )"
-S=${WORKDIR}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~x86"
-
-RDEPEND="
- !sys-kernel/gentoo-kernel:${SLOT}
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-QA_PREBUILT='*'
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- ebegin "Unpacking ${MY_P}.${ARCH}.xpak"
- tar -x < <(xz -c -d --single-stream "${DISTDIR}/${MY_P}.${ARCH}.xpak")
- eend ${?} || die "Unpacking ${MY_P} failed"
-}
-
-src_test() {
- kernel-install_test "${PV}" \
- "${WORKDIR}/usr/src/linux-${PV}/$(dist-kernel_get_image_path)" \
- "lib/modules/${PV}"
-}
-
-src_install() {
- mv * "${ED}" || die
-}
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91-r1.ebuild
index 8ec8fdea9936..8ec8fdea9936 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91-r1.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91.ebuild
index b8eb2c63573a..b8eb2c63573a 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.86.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.91.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87-r1.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92-r1.ebuild
index 8ec8fdea9936..8ec8fdea9936 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92-r1.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92.ebuild
index b8eb2c63573a..b8eb2c63573a 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.87.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.92.ebuild
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89.ebuild b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.93.ebuild
index b8eb2c63573a..b8eb2c63573a 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.89.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-5.4.93.ebuild
diff --git a/sys-kernel/gentoo-kernel/Manifest b/sys-kernel/gentoo-kernel/Manifest
index 23b8100c4d71..05c2ec143bdf 100644
--- a/sys-kernel/gentoo-kernel/Manifest
+++ b/sys-kernel/gentoo-kernel/Manifest
@@ -1,47 +1,32 @@
-DIST genpatches-5.10-10.base.tar.xz 303380 BLAKE2B 61d1378cbde5f4df5ee41d2a3391705279e647410125350a2329c6448357617cc93e1acb7f8af4cb43869ff11b6759caa3652242b52feeb8ce2aa2c36c26260a SHA512 9d9bd200682a6cd92e067024e42bdb80347e7083a698d2aa135de34998a80454130ac82ab49018e538197d35f48fdfb0e60827a219e2d6844e221450b86b9ada
-DIST genpatches-5.10-10.extras.tar.xz 1768 BLAKE2B cabeb1ebfbd545382a8bd7fe89ca78d58665848b86a5b25519c2d018720d04253847824d4059308b80edfe137383d26c89491c15be8efe86b95dcc184d3f35e0 SHA512 1e7c37441d3324c961d8d55eda3e43afed64cdbb45f2080673ab888b65b3b93c5f74495d8a3a53197b17f9d07f01cfc84a0b1719e5f3cd93652a512b9be536e4
-DIST genpatches-5.10-5.base.tar.xz 19928 BLAKE2B 6fe55e2d7b32871600fc8d97b644e22797dac42450512c9d35f9d7f1eb72671bdc4e71ae22dbc178d1fed479ce2c8d908e77087da9c9eff90ce0b9536e89d0cf SHA512 dc9f536c40259a584041a72e8aebd6c38e94645ba2a25d05da76c254be0d1d959a45245e9645c876fb44a00887e8730c94c14bd7bb81cc194260f0688fecd3ac
-DIST genpatches-5.10-5.extras.tar.xz 1772 BLAKE2B 1c475a58e71f1d029676d627e31859d93970b59d300106dfb24839bec1545dc5f9185ae802c325f5f0f76bdfa9bec27514d8aa9c61388b5ff76b2ada1d742edd SHA512 96aad42f563cb5eab9944b660d51639c2ac30e9c4a5f4742796c5084d22dacf2789226cb7df804aad5b9450f5715945632bae1df6f22183eb6ab38494e16527c
-DIST genpatches-5.10-6.base.tar.xz 203736 BLAKE2B 9bc25d288cf6f0b7c8b93518484a3bdb4324627813ad4b03c4a8189637776b6a142bc1168ff34d0e50c539887a17d4ae26647cb508dee64de010407567b9107a SHA512 0314a323a35cd98d736010753dea6a267fefee0d648ca66f5cabafbbd760a6e2424ec86785c1a1d3da7b933afba01a09f13d9af73e2cd1b8303e9912e81cc28e
-DIST genpatches-5.10-6.extras.tar.xz 1772 BLAKE2B 955bd5eb78f0f523c1f15855b06e39347287b2135e1d779cf8580fe24614cc3770ba1269d25819025df04e51fababfa7cb8bc1351bbcd3b57e0713b8c5d25f2d SHA512 870baf5a1199ddf38d562d8fd1e018afb8ad3bdcbb73c2ada3f7be01e784379daefd48f757ed25500baa0b54a8ad96fc2f40a96bff00ce439a649003f3e24688
-DIST genpatches-5.10-7.base.tar.xz 227732 BLAKE2B 7986a80960a746e753c551bda8de8803e4a0914873126641e5968e96de075ab36814f004b9adbd54f3ac5bae4b50ac0bcbe26371c2f986b99558ae31cb0e1b09 SHA512 4baf8220a5e95146a3c239a636ca1da3ddc7b0c684e611ab2cb3b762c733b2c4d7d5ae75e741dfd58e5eeb03fb78cb91690f2e021cbff1dd5613baa93bb91351
-DIST genpatches-5.10-7.extras.tar.xz 1768 BLAKE2B 38cadd69b3f773df3b6e8b153922dfbc66c2f5f73b8191eb62c8dd0704fea4e235a0d7fe70b71a70d8642e6a7f90386cdc89b7489d240a4fa32dd3efb6661423 SHA512 8173e42df0bd203ce1d5ba104d8a96458998090763a39b04efef084765da352eccea71275bf80e3bdf9f4a625e2673a4f216b0401612a9f7bf5531a52dddd447
-DIST genpatches-5.10-8.base.tar.xz 239004 BLAKE2B f8786d7a9ed8caa0f28c4324ede0b9c9f43882716e37e2458e015def677877d1f1af508c3bf7377acd0b8d6d3f3892d5ddd252118ea72b0c6ebc967ce0c1a22b SHA512 2664007d4a3d17be2685fa60e6107e4e0721905437234b3d8b3836891d47783ea57af7d6c473370aaa1c4a456ede1ace59a8fc4b506b57f4ec004a8da0a78545
-DIST genpatches-5.10-8.extras.tar.xz 1772 BLAKE2B 9ca607fed14a5bbbb233c1ce60371ad1974c5c9cdf35df031ee2915aef1b573076b9906e926fbfa2eefadf92aeb03da8cf7c1535402c6ed7d3e2ce177eeb100d SHA512 5177810dda3b1529405fe88e74cb1ecb5ebb76823fe5f6a13b87060ea2e6e6698dce7c1de13da5a9bfa5fbe6a57cc7f4bc1450f4e5c9f98f83e4d67a49596514
-DIST genpatches-5.10-9.base.tar.xz 278048 BLAKE2B 4e94ff0fd45befef8629e22676ec54268f35ae6b1436e851fd27013a4a4394709a147ddb6b9ef6b84dc0f7093eecfc72f22757a3dc369447ab30ed0254c3b5ce SHA512 797db3bb4dad59f3c121ce24eb9323a20267933cf93c8a1cc1640da11f779b1d9d85de3631b6ac3e8a0b018be29df703daf5c9afbdbc5a1c6df77331a8aff0bd
-DIST genpatches-5.10-9.extras.tar.xz 1772 BLAKE2B c2457ce78f503b2be4e67602674014c9bd6b953817ea5203bcde3e08b9f9c9e13e7243faf9b0a85e45680cd0e2cfe09edf41d91966c6f79c9bdee2c63c274b6d SHA512 c2be9f259bde0e52119f2a1ebc4d225a88abe0498d26d89d9eb8eaa52b4c5c35de79de6d4637fd75fd660e5f6d7fe05d4d7d7ee1af85129f91248b94dc470dcd
+DIST genpatches-5.10-11.base.tar.xz 343372 BLAKE2B d844a4ce292477da26bc02743916143cd6851b2ba85229ed37361213580b47b5386f260bde7cb77eb5842f3fd1022b6af64d47dcc3fcf2161be8157380e082bd SHA512 069efa3d348d8a7601c6bf37ec92e3efa692abe4a7ca5dc4bfe30fb76f1b7fe8daf1a0f237d60dcf66a0815e909ac77cb1cc189d46f6fb4884a260f30a4af48b
+DIST genpatches-5.10-11.extras.tar.xz 1772 BLAKE2B 8d4c4b94e9bd7c585f56038900256b3ec1ae721b4ed7adb326f393094e5c8960575efdbe2cc14cd219ae0a69cdde5c626d6983741e3f13a39bed3e85f3eb7060 SHA512 90ce771ad84ffbeaeaff6a2827577fc9c9113930dc4fd394300e1a971cc205a1f4805404e1b356dc36b373bfcd9daa95de7a364144f0fbeb0f923209946635fe
+DIST genpatches-5.10-12.base.tar.xz 354672 BLAKE2B 4c92a3c4d144e7abb130371a5d12e839d280789b2c44e97fced3a35d25fcc9b084c3e3e8832fc7670a4811da7026963a1c498a0cb2c44cd325ab13aa62a3d142 SHA512 7ee954e44305b4276717aa4a1198ea036fdd1f18e17c95fb0c5e8070acf390c1644dd0499d42ed1464fa7d9cef8d90abbeb6d0e0448c2fefd5a655834a5afa5b
+DIST genpatches-5.10-12.extras.tar.xz 1772 BLAKE2B c219ce68835104664a93e78e57c5bce67a3d654666504ae38fc5058d6f8df67c9e37941f549d047b446061f54928230a384d813b4bde2508323facef6502bc16 SHA512 3b2b6ba233226f9c0d54d1dbcbd36133429dba1e0bc7a355fb0794389fd729e8ebcfd1789c4b79529ca4bf48dc50d7b07c1e167ff19d837d67296f36705e7db3
+DIST genpatches-5.10-13.base.tar.xz 407940 BLAKE2B 21566164ea821e5ee95e4b4583395625384347d0e8440b29fa71f4b63365c5481dbb683c84818a5379242a25a59fa85c3caf420be3e6cb8553a43834dcdbfb94 SHA512 0f4e5aa39cc8dd6f2cd62fe5293de1d9fa5a0f6e0dd6da9af52ad68ee8318f995d9095df65b93d6e15994227feb87b5bbcf0403ebe774141045b05bf239dab86
+DIST genpatches-5.10-13.extras.tar.xz 1772 BLAKE2B 29357a93bb6b4e34937e6655bb8cecc4f57edea8a7e7a903dd8196c6f075b27e2b1176a56a998777c850994c5131a2a57266a7fc579a25fc43db9c9aac4dd80b SHA512 e9ed41cc3b81ae7e76fce6bd6df271eb354110252da85e7e90c4d08816babd1262c5c8fbb62fe56dff1fde712abc35ee40c67f9f04e3541920eee78b32074928
DIST genpatches-5.4-81.base.tar.xz 2591356 BLAKE2B 63c0ef166e2691c6747a2b2a8317aeac286ddac1454ae1eba7a34035abeba67ea2627257d17f266fde57da0684f83cb102b465252a3b95075c1442123c2473e4 SHA512 88d4deb9002cfe6aa8a8045770cf5c7ffde8cf9bad324a72296b1a5202c94386807fad53460147420363b3c73613be424bb54000e5cade7baa4df254ef2c61ab
DIST genpatches-5.4-81.extras.tar.xz 1772 BLAKE2B 93bedfbb023ab9d3913751cd242a4221b204685751f57d0ac31494fa8f8caf8e5faeb3ae10eed5332016f9a40b20670a6af6c4198eeae1136b14a3b28174beb7 SHA512 8776735a73aad4672d4b857d750f985ff6681f8e565a906106e2cfcd4d7839fa518d8fa19b39a0ac948736a3384656be44aad239ce2516786c797303f492ce01
DIST genpatches-5.4-82.base.tar.xz 2792480 BLAKE2B 39960646116f5f85ee657a29557d8fd9e809ae9bc60aac349c91e7680f2a0565800ba37a478573098dbad41b686336a058985d2925e5046fa68eeaea8df25477 SHA512 6a76eebd7178e2ccc522477f53c36f74e6fd691f87c547dffa2602a516ad9a6a01f05c953e12bbe6ba9aa2ce34b176a6a081a22da40c7d86855e5dfc34098059
DIST genpatches-5.4-82.extras.tar.xz 1772 BLAKE2B 8eff7ca01490badd5dad15497f77bf43c268ccb494db9eb4c18f4f59219f1a5d79ef2a6f35caee87e3c423b0fff1ef94a6d6477e5074397f78e4bd23b9c40d95 SHA512 bdcc7eb08c1cdb599e69b254f55685f7beec83f256518d42c31d0df9a4e1c6376c184145ce47d28e0b688d2166e139445ef5f9f284e817ba9f37eaf812852a88
DIST genpatches-5.4-85.base.tar.xz 2833404 BLAKE2B 56a8a49c1c61693ea344d26fedbb85c2682a16d55dfda57b5bbc5df65d2311c5d92b2d464c6b951b9ef58b04879038ee134e179c1dc4d692308b2eeb3eeb517d SHA512 fa277427a7e5c3c44a681e08ff1570587173a1471de8425013afde212a9aef6e6d68f8e707f52b21d76672a4cd0e6cfdb33c32b78d02908eaa55264517d3d4c1
DIST genpatches-5.4-85.extras.tar.xz 1768 BLAKE2B 5a5e25a02014fd06b8742a2e505f9998d766c6c95d1a515f0c5a6f3b433163c97c1b8ec758be9bff0c017c947fe4c9c1210fd5fb9d1d838f8571ccd9178d251b SHA512 9ca5271fda3619765363f8fdc5e837b0c6bd218de7d956795e9ef01e9000c85d85f0b49479b8d20a33227008ecbb268d9353c622b37f81619329f358b2fcdff7
-DIST genpatches-5.4-87.base.tar.xz 2852988 BLAKE2B a8282ba7fde85ec400b85f1cc2263f7abdf5b518c451fd63c4e878a203c81cc26974cc5c9d324ed289b78d2059ab97a68b8b10a6cfc212db760aa8fbea57cf27 SHA512 1a989b50f901ea09abfa884efa353c102c5b7c143d224f0360b6460d4f8faccb4e1cccc9a6cdce54ff7ddc5cc9f6be725e8e5714d60ab23acb59435859f17ae5
-DIST genpatches-5.4-87.extras.tar.xz 1772 BLAKE2B c7a99559c06cbf8e2cf217655b5003bdab13127d4e7e93d5b67e3d83c31dce3ae6cc1ab6de7adb62c51ff6a91c2d2c4efff1377f7bb516ebac552f398e22df6e SHA512 c57ae9f86e050eeb929358fe1919213410b089d774c521ca2657fad7a6d8da221ba303fb404bdc303526ad6a0a9434c08ff7691454736fddcae2fd978cf506d9
-DIST genpatches-5.4-88.base.tar.xz 2936760 BLAKE2B ef7a26374e0602b3f2e9fff948829dbd756b8edc1ad833cafa49cec3af5cd771dc52777af079ef7ae4f7362453953828c1a7565823cdda0c9d0b4b0d74a57f94 SHA512 4f2bf7e63820df6c616a6122c8dd6812e056fc85d023f708f5f9a0f856ccbbcd4e3aeb3c1247d8ee2650e2d96b0c86c99de5b7d53e8117351d4378198a4ea52f
-DIST genpatches-5.4-88.extras.tar.xz 1772 BLAKE2B dd72b20e1fe7f1b5f566c3d588d24cdad04e40d0270c9be60dd14c07c6a4ec9760dc57dc709d78bfb8d91017b6a4d6bf4c45a65dc019e9eaf02e02a56133f145 SHA512 f4e449986ee4c90ac79234d14e0e336d2c8cb74589ad6371067669f94041ee3b848848d2498d27da57ec71b050079f5338a87111af6f8edb3127698d0a39b478
-DIST genpatches-5.4-89.base.tar.xz 2951348 BLAKE2B addc79a7135166b1f210820ccf6ccdc87c6177b71b15a0e0c9338be28cecb45fce0062c3b8d9e704410f1140ab6984d65c8aa9b49008008264d6cb6c7b0b2ba7 SHA512 13755cd0ed2132538272d0fb22d358be078c9838984ec8e5c8e2f45d06b0b09d7e8cf744cbbba25071923dd43e6d6eb6afa0598cadf3a24f231a6b9dc5b8ca43
-DIST genpatches-5.4-89.extras.tar.xz 1772 BLAKE2B ef78f0322ecd34026b6b3a4849032edfb10673613b9ff69ee62b05cd175779d19873712942a728100a28a5bd73b0bd601b94101dccad9d4c7f80b2b044f8e3a0 SHA512 5f1165b201ffdb5bb78e84be19f81adfaf5784adb152f2110a24bc199c933e6de81a3e9a27341a61820245130c7b9f109817580d6a1459b5f22328e8cfbc2ed4
DIST genpatches-5.4-90.base.tar.xz 2956112 BLAKE2B e0ba7a4fed329f452cb754ee4fcd2578a544dbcd7fed57a66cd6a825c4dafcd70d23c4d9571a7ac8de14794ba505816226e5a2b06b8df5d220d4243926edd800 SHA512 bd7fff0edf1635b2de08893a3e1ca5147a86574d87c33c3869c506e232b8c53add688357f7ef2a790185c2df73366610ee5ddd46fe1d88db16c3fb9f43c0a6ca
DIST genpatches-5.4-90.extras.tar.xz 1772 BLAKE2B 557c305f86b0b6d5a93c1ca2da7751362f55d385cb4f57df12f15258d5cdcb1a0ad2c99c9ce53ba89b6c27abe761d5033ce54fa97ca6eaacbd845244d6b20d8b SHA512 eb2fc3f76099bd504f8e0cdf3c0aca60aa083b5c055e06fa2560e895278aa7d32f518ab2e671f9d0182e713ec6807552843448a38d633a4051b926ae4fd2adc4
-DIST genpatches-5.4-91.base.tar.xz 2975372 BLAKE2B 6385731a166348210c96f8ad6a8134e5548eb482fcc3a0b40b4421c88c1109bd302f678adf5bc0e5effc574a8574f40e90012bbf31e5087cd0db4f0e8183fd0b SHA512 77b00ca6b7956801b78687c356d4c07320ea5d291c3534c4dad5de2bf9e14ad948050c51191ba0943fdaefa66594acbd6af96ac87f101d205568a5071efaed55
-DIST genpatches-5.4-91.extras.tar.xz 1772 BLAKE2B d7440a80cd6d994cc853f54f5f4c4708f203fd625b99c9b9431cbecc2206dd335f0710dc6364b658e246eaa8e758a65bdb6daa45cd795f06a6f963853a7be04d SHA512 63317305324b862fdd70bb2955504795d4764f9e90fb74953d40ecd8c0201114b1bfe11fea96a97471011b35d72f16234de7c0540f466e8e510a69e7047e3ffd
-DIST genpatches-5.4-92.base.tar.xz 2987648 BLAKE2B ffdccfc93b1b759494cd3adf2496e2074e847c46ec1c9dfdab32d3a7dfaf5a334df0391ba7ccb35250c562a529df8ae2784656628e110887b593536ac6b0d3ea SHA512 d2c08ecebcabaeb658407626c71c98201f86cf6510c4906b37f45d0f9fd6677b709fbdd9a1ce16622632c9a2e72a11d93463bdae62c5d8d0655c999223909e51
-DIST genpatches-5.4-92.extras.tar.xz 1768 BLAKE2B 41cca01e9893db97ab1c7bc920d3240b3aec6207ff6516b346a87f24b47811077d7bbbdca49ed267238af4f5eeb2e8e0de03c946fb6f3784a08bdde348a5a64b SHA512 bb88a3c13a4335b93eb1ded903696e63ffa87b0a1dc587f464335fe077623abc36831fe514f33737960328ec765c5c0bf5489e84dff3fc6ae37ab2e1cd61d94e
+DIST genpatches-5.4-93.base.tar.xz 3001024 BLAKE2B d5f3020aae1a920a076457cf28ae640e8ab7387652a61db3d631a3494c5cb0e8706d92debb6356768fea992679aefd4bda6d212a9918a714740439811dd3ef6d SHA512 420512b65e20f00fcabf4d122cf5fd166a6cc196a77451f8a06b333ca2cdc189c38654333e565cc555b1f3e9745e9c4b188b98648cd57ccb395ca1259675e4d2
+DIST genpatches-5.4-93.extras.tar.xz 1772 BLAKE2B 0ad1eff5f82120235a1f326176beeaefcf7aa547eecc94ad103a5be1701dd922ae0309431a10233c0df5bf63c5ba970bdec32e6ca782965e369be2fa5a4577dc SHA512 b5415fe59ba41d60a46e0c123abcee0bb72b5a7d7358789947627ae086c7391c09f116a16c32b2475c278ea14d7275932046d686aa4a849942cbf64440506c92
+DIST genpatches-5.4-94.base.tar.xz 3006280 BLAKE2B a8130e4be0b40fd0c82d9da6c3f42d3e45dc0119b7a981a62b0577e16cb73ae7edb76b407ecdaaf0bd53a118164208529d9bde3958c9592cedb3ef04815e64e9 SHA512 bf4b59da586a4f5f4a03b40273cbb6d5e9e49273c9c15fa2d3dd7eb002c0c24db895fa3987c93268c1dbfb1402197192f2f2c42b22f443a50089ce26d0f721a2
+DIST genpatches-5.4-94.extras.tar.xz 1772 BLAKE2B d7f9cbdd2739ff180d7fa1de7ae24f9d0beeed259b00b0a67e6a3e9dfeb7a2e7136c0682af7e50491fa9010ea3e3e03a37cb8eac96047a4d4e58177d64caf72d SHA512 eee973e296444e301a6d9f59e82e39b2d2b1aa6605fe62c54a3710f300bad9e3b3a13c14f16f357a6c8775c50b47d390f537f15030c4fb08a6d81e5ba4008f1d
+DIST genpatches-5.4-95.base.tar.xz 3022876 BLAKE2B e935ec5e2cacf478fd8ac2f343d0e582cceddf811ea4d87d5518b946b8b0501e7aff29d406407d3f0d276ea32a616f022789ee1318b282c6fd77b3aaf0d64631 SHA512 4e87014b78683372d525d6409c5c038429423371a1369f2c3b1455e53f5360290dd323ccc24aaeeb4a9e66452e9c87dba439c75192b77e4fc7bc888bc1c4cdac
+DIST genpatches-5.4-95.extras.tar.xz 1772 BLAKE2B 29c822d815b565e99441f122bb978db211288f69ec3e3795e2555aa58cc3d2911debaeddcf202ce7be335771310589548a9de82d0500982894b621d0f773d7a3 SHA512 860978d98d7715b1359e0f3e47a0369ee6ef9e1cc4fd4201ad879dcab0aac644f6a951875643ccb70d31b6dad8b23d0b4ca7b32e50739bd87499760829949749
DIST gentoo-kernel-config-5.10.7.tar.gz 1146 BLAKE2B f755581e9f3be3122e5f6e6fc133d3e5c3116d4580b53f95ff5b2cee5150233fe82be5cd45637a9792ae4612be5d2cb4dd954506f97fe82c9e96cb8b772cb342 SHA512 8c64768e83d2552e69a29c6c3f958ef6a1e5a767acd04b3bfcd0cd49453ab5d0aa54fcfee76a8c9d07f72abdbf70380b070e3d1584e7b7d05a6daa3399892f51
DIST gentoo-kernel-config-5.4.77-r1.tar.gz 1289 BLAKE2B 6612741cfbf458f4bd8915b476aac3aa6934e8bbab344da877fa4ad52b6133e01f5d44bf0e5d048e79e56c1a351774135ee55f1aa839b230e2418db7c5d9b123 SHA512 2a09dd85af37447b278847aeaad114ef47470726cec015ed5ee1b54b3080f4b2c48de8b2f7b817eeb4e27c753579cf0820053e22caa762cb1552116d8d69eba0
DIST gentoo-kernel-config-5.4.89.tar.gz 1240 BLAKE2B 50bd2e64eb1a62d2f0d67e02b78da56cb507fd7a5993d663b880c94ecd535898285ed01e00d5d07fc1ba0d044657e776456736d8fdcacecf7ca464979a8a1d06 SHA512 ad31f9895b9dd45edd7f8715516edfc303c23600f243f3ca122c7c554c9fdbe3c3aa62970a24ef7291d7937e04c63c0258f6348e796686902a011c055c1bed01
-DIST gentoo-kernel-config-5.9.8-r1.tar.gz 1198 BLAKE2B 8fc6d432e9d7e1f7f2be75c5741ab18be399066e9837a52023bebfbffe6299eabfa7e8e94822ef205bd443f6d75a75530cf0c3989dc0414a7c3e4ff06d4743bc SHA512 bc554f46ffb8a4422269e5d9b8e9e0c0f1ecd29fd008719f7ab027e87f4b4bb284d7854d1af2e1e5af0784043db79de058b38fd1ff0bf50d3086e8adc6254e1f
-DIST kernel-aarch64-fedora.config.5.10.2 223109 BLAKE2B 705c331b559994b437954e4a0d0405d1f084b0689460b79f89a938ac66fdddbfa617b78b2bfb07bf5a085e1d4e8cfe735554031bc1e2b2ceeb6ef680c50b26bd SHA512 e57e6efe8dbd935d9b7438019fd2b8b7e558deac5471816fac6a6228ca95badf74c99a4d479cc3820f62176626c4a2526f9c16523d1e445634168358c2d24232
DIST kernel-aarch64-fedora.config.5.10.7 223162 BLAKE2B 23d78fadc509edd2219ba263266e4a865f98d6aef87ee2e299b81ba86ac36eff580e5c7bdccb0d4a8593afad07136e06171c79e0dd0e072c892a523e6e352933 SHA512 9791c26368173da444ca5ed281effdd5e20f3968f0a65eb607c2741f114443db2bf260d033a28a7f826963b59a8893a1311befcb3eb3609f9b85472e95234bcd
DIST kernel-aarch64.config.5.4.21 199104 BLAKE2B 578ad451a76204df2a9bbbe34b5cb27051d2ac5e2c33967f562b01338c43f35da6dc33a4c2cc67ea6c3b32b155729360d3748ec28dcaa750f18449245b2e8a09 SHA512 66e9a437beb350fdc59512c17b8f72c5b5bfacf2b35070d810d77e66f49cf7929026cc28ad44b04a016d61e65d9fb4a10af6996ba09b604bf97e9c467d08f8ff
-DIST kernel-i686-fedora.config.5.10.2 205372 BLAKE2B 68a85a8063f6e667b0f7a6923193d86b4ca5a670698aa80f16cae1a06c1cfc9d07343f7bce1c784f9d9a63a3c30e08cc2c948daa7c45f0dadab7dab8779a98e0 SHA512 2aeb490f8797a269abfc485d06a4c8a7f2ac54fc0d0bca4c876369991ff223a43744077281cad5af35235b5db59511cb9e95c83ea634785efe496ceb0f5837bb
DIST kernel-i686-fedora.config.5.10.7 205390 BLAKE2B 103131caa856ae9b062b39cb88ad8616a8ebd7aa53b7562399d72ba998a4049a22ab251927bf43a4936127246455c2cdeeee3b7e349e12bb94af8f6dc242d8ea SHA512 58279d0076f7551569e48db45909263c5c494c4349afaff4087682d7dd0ecadc22dde56482b521ce2eec39b1e6110f5c370206e0c8f7045d4419bb164da7e2ec
DIST kernel-i686.config.5.4.21 183910 BLAKE2B 185126ffb85718bb73761d01683def80b6f002d7a7a6eddd8e858a30d8eadc863fb378d83a1cd2ed82b3540337fa66ae44475e31fb41ebc46d77005b6f54e5c0 SHA512 6307afc2295902e44fe65b1cccaa7a0260b295a5f21f1d67ec66197bd972bd3f5675b624f08d9da8b224cb3ec987d5c21cbd743599aeab9ac6214bc651f43476
-DIST kernel-ppc64le-fedora.config.5.10.2 192065 BLAKE2B 88c035de25b9a32df1c110177840a2f7171fae7ac7ccd2aaf12720bc8030c3fb073c73b087f57745e531c59502214b1aa79db9f0aea7ef3db60e69f5e83e5a8b SHA512 5579785cadbf99adcee29b16ffd3fa1acafd18ddd37ad1612de19f7c918a472a1dd5cf5ace9ef46bbbbe17b0b091d26617e2f63f2039de90aa521ce0b02a5bc0
DIST kernel-ppc64le-fedora.config.5.10.7 192083 BLAKE2B 71c97c04629a05ac8cb4f4cf1740c60e8a25c71a5c9184cf53f13088073b04b269887ee6e57ff83c8caff61ccbfd6845809e6e3057f1fdfc13d9b913b032c653 SHA512 732f4e93b3074180e86bed865e0b6d487857d5eefcb2436e7c24706be0e41c813b27b2292e6995df2d63e9a9f7721c2d566a50ba06675bfa862ca1fc91dc2af5
DIST kernel-ppc64le.config.5.4.21 172003 BLAKE2B b53887cb44f7c378cb3866780f8e556e19fdb02130d3b0df01d97698d2a91f7d90a200012559f288e962935742c3fdb67dfb6711876fad37862fe55cdca5b5f6 SHA512 82df8d0be47e9eb20bd7db570539bb061d0b6e2101dc78a54596cf4d0b4e0c536041449304ff9240b051ee09b342ea336c5645e9a3b66a5dfb96d7778ff86008
-DIST kernel-x86_64-fedora.config.5.10.2 206317 BLAKE2B 5511c920e1807acf2511db2269064b9d844669d7e7cd7675e9c57c9a3205fb8794926a8305a49733a450768b312b8009734c7c66e8a486b3d870bafaa79f11bb SHA512 eb1c6a5b5fa0fb97155ec909774b6954af3ef375ac18b27d99dbb0037c3c29df06780c1d1abe8c5f4bb7e05d5134b21e50015d5c883d79e820ea046e5e728569
DIST kernel-x86_64-fedora.config.5.10.7 206335 BLAKE2B 1133bf0f58f8073578d048c5905cc4a539f63a01b57fceb225046c4678172861de20419d8cbf42b0f4655c27a6366ddee41343458d577a2685f3d96b2fd444c6 SHA512 8c5d0de931526d3315793e0a1af4c9c2493c09573c4f2233aaa85f0413a912190c14fa8427593fc3956fff61d89c795f7c9b0509bb30936cc8b9976deafeda66
DIST kernel-x86_64.config.5.4.21 184907 BLAKE2B 0eb2b07c14cea7545350fcdf3a94f2a531f0137c502ebda9299cacf44da5385686e2049b480b28bc153c9d413d453cfe682b9655eefe70428cb720f57c7bd200 SHA512 f3b3ee6841555ac3a9cc11536a7d44e1a5a8df2bab14ba341fda7df1ceb0de45cf1c799a1d54a64f2858fd1272d348bb52cf269ffa396878c5402baf2730237f
DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a9362d2adacdadd8d96251f61f7230878ea297a269a7f3b3c56830f0b177e068691e1d7f88501a05653b0a13274d1 SHA512 95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.7.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.10.ebuild
index 57b838f8aba7..57b838f8aba7 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.7.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.10.ebuild
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.8.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.11.ebuild
index 57b838f8aba7..57b838f8aba7 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.8.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.11.ebuild
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.3.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.3.ebuild
deleted file mode 100644
index 5ec7b92ee625..000000000000
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.3.ebuild
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright 2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )"
-
-src_prepare() {
- local PATCHES=(
- # meh, genpatches have no directory
- "${WORKDIR}"/*.patch
- )
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.4.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.4.ebuild
deleted file mode 100644
index 4ce45ac9ba10..000000000000
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.4.ebuild
+++ /dev/null
@@ -1,89 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-src_prepare() {
- local PATCHES=(
- # meh, genpatches have no directory
- "${WORKDIR}"/*.patch
- )
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.6.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.6.ebuild
deleted file mode 100644
index 4ce45ac9ba10..000000000000
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.6.ebuild
+++ /dev/null
@@ -1,89 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-src_prepare() {
- local PATCHES=(
- # meh, genpatches have no directory
- "${WORKDIR}"/*.patch
- )
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.5.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.9.ebuild
index 4ce45ac9ba10..57b838f8aba7 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.5.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.10.9.ebuild
@@ -8,9 +8,9 @@ inherit kernel-build
MY_P=linux-${PV%.*}
GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
+CONFIG_VER=5.10.7
+CONFIG_HASH=b238267df7cd80dc3aa6b5b654cbe145367383df
+GENTOO_CONFIG_VER=5.10.7
DESCRIPTION="Linux kernel built with Gentoo patches"
HOMEPAGE="https://www.kernel.org/"
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.85.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.85.ebuild
deleted file mode 100644
index 0c806189a34d..000000000000
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.85.ebuild
+++ /dev/null
@@ -1,94 +0,0 @@
-# Copyright 2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.4.21
-CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64.config
- -> kernel-x86_64.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64.config
- -> kernel-aarch64.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le.config
- -> kernel-ppc64le.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686.config
- -> kernel-i686.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )"
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_prepare() {
- local PATCHES=(
- # meh, genpatches have no directory
- "${WORKDIR}"/*.patch
- )
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64.config.${CONFIG_VER}" .config || die
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- [[ ${ARCH} == x86 ]] && merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/32-bit.config
- )
-
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.87.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.87.ebuild
deleted file mode 100644
index 8b2996c9a517..000000000000
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.87.ebuild
+++ /dev/null
@@ -1,96 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build
-
-MY_P=linux-${PV%.*}
-GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.4.21
-CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
-
-DESCRIPTION="Linux kernel built with Gentoo patches"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.base.tar.xz
- https://dev.gentoo.org/~mpagano/dist/genpatches/${GENPATCHES_P}.extras.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64.config
- -> kernel-x86_64.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64.config
- -> kernel-aarch64.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le.config
- -> kernel-ppc64le.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686.config
- -> kernel-i686.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel:${SLOT}
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_prepare() {
- local PATCHES=(
- # meh, genpatches have no directory
- "${WORKDIR}"/*.patch
- )
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64.config.${CONFIG_VER}" .config || die
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- [[ ${ARCH} == x86 ]] && merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/32-bit.config
- )
-
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.88.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.88.ebuild
index 8b2996c9a517..dcb89358ca85 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.88.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.88.ebuild
@@ -38,7 +38,7 @@ SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.x
S=${WORKDIR}/${MY_P}
LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+KEYWORDS="~amd64 arm64 ~ppc64 ~x86"
IUSE="debug"
RDEPEND="
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.89.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.91.ebuild
index e8748c9098fd..e8748c9098fd 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.89.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.91.ebuild
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.90.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.92.ebuild
index e8748c9098fd..e8748c9098fd 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.90.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.92.ebuild
diff --git a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.86.ebuild b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.93.ebuild
index 8b2996c9a517..e8748c9098fd 100644
--- a/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.86.ebuild
+++ b/sys-kernel/gentoo-kernel/gentoo-kernel-5.4.93.ebuild
@@ -10,7 +10,7 @@ GENPATCHES_P=genpatches-${PV%.*}-$(( ${PV##*.} + 2 ))
# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
CONFIG_VER=5.4.21
CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
+GENTOO_CONFIG_VER=5.4.89
DESCRIPTION="Linux kernel built with Gentoo patches"
HOMEPAGE="https://www.kernel.org/"
diff --git a/sys-kernel/gentoo-sources/Manifest b/sys-kernel/gentoo-sources/Manifest
index 2030902a388e..78145e85aaf1 100644
--- a/sys-kernel/gentoo-sources/Manifest
+++ b/sys-kernel/gentoo-sources/Manifest
@@ -1,135 +1,81 @@
DIST genpatches-4.14-219.base.tar.xz 4733352 BLAKE2B 3a2c41bcdee77395ae2b19ee4a9e53771795d2b21a9a31c821d20853521f911ceb6f49219fd9c2e65fe0088251aa6cdee2a139e5d3f23f5cd665001e48154822 SHA512 a0837de333740e20a870324638b81708133420e7c9152bb194ef5623f29a38df6b8211686fb13f9b6f3785be8071c1dc3cbc989cae8cecda79db97aaf85d1868
DIST genpatches-4.14-219.experimental.tar.xz 6092 BLAKE2B 7df1ac766e4bda252718f06751aae3181af7bbf68e609562db059577c8d123e816fde728a049a9d1ea3baa4148d9433c5c698c79e61097ec2de2389ea781216f SHA512 1dbee51c8021a3103c64e79684ed810de436d88f3f1883c4d53b1898a55274600da07f452910eece720b0cee1f6a6d32af68760a468a42759bd9b0b15e28eea4
DIST genpatches-4.14-219.extras.tar.xz 3340 BLAKE2B 2a7077ff685b93d393f8c1ef3e7d02fcc3aa69ec209d88cc19339e4a5bf64e29e456f88cd1d49826e4a81537622365cd390884d6a621e358525179c0f97f343e SHA512 e2e32ebb01afdeb67c4556982c9a9abaa26f0fb46d251c07513e191b03429d9c238193345fb4c6b08de315e67d89b28f675da4ef942c30ec4d9ba31d8466a913
-DIST genpatches-4.14-221.base.tar.xz 4750680 BLAKE2B aeb5571c47653ede67e1d67ed9e1ff7c0b17fea0f441bf8e629f54433efe846ad5974b47fddf63ae811a0741544e80de28eaf834a652b59eddbdfa116bb589cf SHA512 be47d6254f62558ac6809b207d2608bc9cb1da26a85d0c029edd92b8fe8e185d4095ff3bd405ae9e1f778fb445b72297e92ec003fffb93b6376efd906a976abe
-DIST genpatches-4.14-221.experimental.tar.xz 6088 BLAKE2B 99e0b83c166a1ec9aea2b95f3a5436598b8208b394f82a59a1f7bacf4266425669f5d409831a8c56a229572450f71a41b4dd9648fc5d8c09449b1c1e36f7f8e5 SHA512 da0125d15a8a51f66ff81d996cc06bb2a9c302d2c2558379ce34a1705b2eb691706e475da22ce98b22fc8022182a265015fe8e99c281d8954a228c7682bfde3d
-DIST genpatches-4.14-221.extras.tar.xz 3340 BLAKE2B 79c2c05b9c4076c50206e6b518599ddb74ebdbfa9dbdf23d63c255745a2d399129a5501e72012f3b8d6982db55a91ddfc14e590d5e9c5feb95a113f6df46881a SHA512 a969f85e6a6fc7b55f426138738759805cb19a8df3e27c0d1c5b1e6235c61fe3ccff95cd98dbfa2aeca94008673a83be4bd3c1acb693ae3802560b87b1e47d6b
-DIST genpatches-4.14-222.base.tar.xz 4757988 BLAKE2B 4f222a5e9f0048ffc23920d45368b8b313506296f103f357207255486884fdff4ca4f239dae1b569e2c99de2531032303ad09c6b9e413b06211db49dc62ac557 SHA512 10f9ea678f63598004e438723c3ad7056efa9ebf3f9053910f4c26c8317bfb143778ff3531ed621d2605badf992daa21cf4decd0aea1b4f5f7e337ead2fc313c
-DIST genpatches-4.14-222.experimental.tar.xz 6092 BLAKE2B fc3ac7308e7c9a2d9798a60d896f58a41f49b7590d6b70adcb1ccc09d2c42fc966f1b5f5bdafcdcdc696f273edd71965fe72fda35f400c500de7cc360d8afad6 SHA512 1d28aa070d70803c9c62b8dc6379dfb864a7da126925530975d4dda8526c93910fa78eb496773ab9b21f456e4cb33f9448abdc41f2c1d35e99bd37dc00a797a6
-DIST genpatches-4.14-222.extras.tar.xz 3340 BLAKE2B 8d09a01af12fc314c3979c394dd457e134d5b9248ff6a0f4332f36b6009270fe739ce457530887435f93bdab5a87f8431947c3141c2097e5a9a563b53fdb0e40 SHA512 912b7dd0f5e8060b27532f94b8e3d683ebc240dbf81f83af24cdc198753bc97e571fe5e83a6d028227e86e436bf5afaab7f9ba7ce7cb449e17bd473d9d135bd1
-DIST genpatches-4.14-223.base.tar.xz 4799884 BLAKE2B 174135baa56bb11921b3fab18bcbb60a47b3fedfcd2f07afaebc446fd36b0435a0ee67cb602e8df1e617acb17a4b013420910b11d9df1779be6b84dbc2d7d97a SHA512 68733fa59b7b61386ab7e6706670259b11680a0ab166487b437bc256c030eba9eabdebe89aaa882b03b392cb2b34be7c5f3122064f77bbd056247a73c946f924
-DIST genpatches-4.14-223.experimental.tar.xz 6092 BLAKE2B c499af10532b4d8b5f7e5e2fd1d282fb3e95dbf0411420481e30c5c75d0cadd0f1a5e5fbb27a9656ccf34bcfb225930890f61c0d30ae445a614fb3b00694d1dc SHA512 23249cd3bdc88abb5334c3ce2f3a7c70fb0a040135e03f8217e7f8470ffbb8ff2e0584697bb447401f58c9bc12ac5f7eea0407b9db42cd27fb33bb91d54a0ea7
-DIST genpatches-4.14-223.extras.tar.xz 3340 BLAKE2B 55e87f963c2a316851c1adf9a2aa41adc3326929fae112fa017ab47aeed1e25540012e65bcdb141c04a4cab033010e2f45c0277f522ec87338ffbd3fc76050da SHA512 00c8fab0da8414f5cb0a4ff9a362ac2037801aaff9faa1a64530a530b4fa1a43bf9ec1daaf3e19e85e8c96109498009bc9e1cd411d759d07f4398368d1402f28
-DIST genpatches-4.14-224.base.tar.xz 4809120 BLAKE2B 1c34648829045a079c08a6f80c173ac6690298456d2fd66d9120c26999b01ab842f819792845ec3fa90abf9ef5ff90199e61b7b119a3e2d0fa5f7a15d5131d99 SHA512 3f6599919fc78e3cd69400ad9a21f66861c4f50522a8009c65efc02f3895b527c3fdef2c6c206945fe69d721b31f053f67e3a05117c82fe65e0c7e3c584c1b6c
-DIST genpatches-4.14-224.experimental.tar.xz 6088 BLAKE2B 25dc70ded04a67fff849ffde0ad49a4d17701615c7400a58518d49797a9b1550e1d0efcf8b94aaf1e87d56f1673f94b4f72fcf73f3485e7c9712924ad0bb0504 SHA512 30a61f915058ec0be57e8c11626fdeea9f78a005ea92e3de7577a6d9930c97cf942ee6d479bf5923429d2a5597f713c10763358d62a046f24d7ac57ca619fcca
-DIST genpatches-4.14-224.extras.tar.xz 3340 BLAKE2B c9eb8f57fb5fb1c596e2c1162249588ca86cf4421c5f7cc3a33102ba694ec849a9afe511756620dbd1560c41786a3f0411d378799ef400561ae2e8e7fa41c85f SHA512 729b30481c78b0519d129989bd3f24b8c9d3bbdd30342b12dc663e1f054326d6a975b10896fcd0f6dfd0080f90352501d48ab657f41d6a64185c7c0d99117c27
DIST genpatches-4.14-225.base.tar.xz 4819872 BLAKE2B f5bf3d4870b155bd88ca80e0b2fa58d85d5b29abbf35ed7d9c9f5032c3c023f0fb50a398896a7159d0c7b2c6a1a2f4305d08f684a64bef9d6c4d5ffaf9805ee7 SHA512 3a96311f51ed2958174b369f549d7e2f705ba5d01fccc28211e4ee915fdbf44c9aac2136ce5ac44cf01be342dadcdc32438d9be3eef53b31c77eba2c64a01938
DIST genpatches-4.14-225.experimental.tar.xz 6084 BLAKE2B 7367e447e62008580611d138e88175965b19bdb698a68c7320d49357e95e15cd2ee031a37085455c7cd544d7b60ea25c712bdf4bf3428b8b3231631a7c897de2 SHA512 4212233753d8dae8124536f0710acd3250975be78bcbd697bf42aea2623f00359201767da334ddfbabb554ad26eafdbafca65cb3f326e5ef8162084104208290
DIST genpatches-4.14-225.extras.tar.xz 3336 BLAKE2B 3f151cbd04ed1b4767e648433997750dc9e1a511736418abad915c48922af37f80907aa968ab2566ad7a307f332e6dee5619d29173a70e6acf2ffaf59c40b73c SHA512 cd05474af1809daeb4e2198fa2415e29f336fb61c8e2b65c93c520dcd47f225b26daf577529c4673efe6aba17070e626a80ce5d0e298e896888ef16a56aa59be
DIST genpatches-4.14-226.base.tar.xz 4824692 BLAKE2B 06e014464e4e9b394cf2122f25cfffae949d97698f211e25c029826efe36f696d134f3c0cba0f80d2599fb1dab675f5f004b737785f98a654802b7e28856a5fd SHA512 e10fde32e50f151543ab4739a3e19aa168193fccbd1d91c02946ecf56abfe45e99a442ee060cd16ea7f11e65c1181441c5f61a9c38a633589c754e32d10f4994
DIST genpatches-4.14-226.experimental.tar.xz 6088 BLAKE2B 85ee64c4fba94e2e3a5633af8abc931ee0969de8ab414194b58f80c509847ec6e8b836a193512e73deabdbcef4da0e034b32760b907ea41d7c5fc06154969815 SHA512 fb1e7b6bc51729c987bf346f968354d6a7155a2322a989a3f9ab411f53e5408918e6dd02c4b0a3b6ee18089f4e19f548a3b23faebe65fb063175edd824133399
DIST genpatches-4.14-226.extras.tar.xz 3340 BLAKE2B c427ad8d18fb57bb6c0d47a920bd903f26f5ac0b6c8358640e07d00ef33f54a45523087eed8cd6ef474f2907be9d5ed74e6c0f46994678daeccc2495696432a5 SHA512 311ee330b643ffc3832e45f20f0e762b157645747f85105034a15d4c775e8ba7f67b985d49da55d04f7046f70e0f923957703efcc0aaabe9c658c6debb5f2c4f
+DIST genpatches-4.14-227.base.tar.xz 4831676 BLAKE2B 052c6f13209c589fa53a9c57fe39e1b8b6a12070ad075a4d2fee99b22becab8e8642466c1d01f17e5d5492e1a25b804910c77de78e57ec99deba43af13151c3a SHA512 38a5dfb3e870a52821a99e7bc11f10cf549c86fce2d80767e21e5e7f470d3f4fde8ec8dba107224cef351ad0095520c50d640e6741cc81b96b77d3fc4e418fa8
+DIST genpatches-4.14-227.experimental.tar.xz 6084 BLAKE2B abb57683a3f22bdde5e8c4b6cbd9ae239a10ef59d099c5e2ad6006b9bc7139e7b9f8ebfa892b8675cf7a62cc4dc879cf4b9f21a51bebbd32b30ac7989826d24a SHA512 87503496543f94d5b79f71da4c73deba7e771b47af813e4b9023e120b6f356b15655e84e3ab30be06a694245f12dae33e80a8b67da35f784fd6909dbce8f219b
+DIST genpatches-4.14-227.extras.tar.xz 3340 BLAKE2B 7921c02980b16c19b19807f776f5f0513619f24621580240065fc119008c92fe16ec4eb7e2b08991e5390559a0ac9a0c2c7a22f77ebaeed362ad6f2b06fbe2c8 SHA512 a02fe59fac681b177fed6a28b9bf1e5d4ba5c7401ec4d783ffc5169037f23fb8d2a5fdc439e3d4eb2c0d8807080c69b470027bbbe1eecb671608d512c83f5364
DIST genpatches-4.19-159.base.tar.xz 4174792 BLAKE2B 1381a2531b6297e1f76af70107c08a3b7b304177b14a1407ffc41a5851a4249ec4adf5ed00539542c97a0c8dc0cffdb20c3681b9da17409cd9d4ac711b353dd8 SHA512 e75991fde39f093c77b4e7f16aca7b24be47e1e438df7a60a97e0db7aa14ae6c0ed868685da0979c10ce9064839adca84c76a6ec87c1fbe41eed7a20788ca776
DIST genpatches-4.19-159.experimental.tar.xz 6980 BLAKE2B 62605b1fe8ad86233bdfb183df2019dc4d6c74243678f5aad08167ae67b8e0dc45be7a33cae59a9c30678c986c9066722dd32ff18ee572d9ee5f7f2f51caae20 SHA512 240ecdaecca79bf417b080f6ea3dd2cad113694d2f49ae7a9910e26250f381721dcac0804b3e983272a5ea66cc1455cf94c668442e98ce5938868fea1913050e
DIST genpatches-4.19-159.extras.tar.xz 3312 BLAKE2B 480dfb15464c46ff0cad7447476ec66535c6b32ea9ca822ef7f8911b4db7d389c6bb1d1b80811107afb77e290fd4c887ac1786a95729c58673180324246d655e SHA512 8d55a3f9e1516e32e95719a5c9d5c1018bbcdd8f2412b138a46da1419252d9e088d2f1071a5c44dea969bbf4d93461c58edd17ca1b9ef835addb9bd065eda259
-DIST genpatches-4.19-161.base.tar.xz 4197272 BLAKE2B 4302320718b7c1f64afbd03cd6c234217c50c56f19047a5822fa3d7ed0462dd65f83768cb933a4034308eb16573bf406ba8bc5742e0cfc5dbc1e6a2f0aed3c3b SHA512 cfb81ffd4bdfe26aa8f49ea627f99427b0ef49a121d2f657c40012a75b1ddda164e5e551609eb4b032ad950eb670515fa6373ba997bf030ff727cb353dda9da9
-DIST genpatches-4.19-161.experimental.tar.xz 6976 BLAKE2B a9bc282f1a37effce76f5abd110c933d4bbdea27792f32b9bcd73d4bc43b3348b8b993574b500622819d681df59f0b3539bae1a981ab49bae09f1e4202d6b062 SHA512 c032968d4db4eb6efd522a4f67f5917ad457a99ebfde9c8eee5f47ffbabd7be6d9b391c9581ee73808b6c1965b3011c87085d2f5c221289ab025ebbcce390a43
-DIST genpatches-4.19-161.extras.tar.xz 3316 BLAKE2B d59666d9996383eb96958aa4ab299583196023a61d97071e86ad1b51a428b349b610d07845e2d8ce6563981d8d512dfe726d2f183ec1bcad47e9995a1ce9e599 SHA512 6d2bc20cde1896fa4c8bf9c276f58f9981d84b79baf1729c1a32fd7afb2a6a30b0b64f88fe17c87cd6de29ce891028245b6d388c0ebe95bf6f8f46ce64ce3ee3
-DIST genpatches-4.19-162.base.tar.xz 4205180 BLAKE2B 8a5d9c01b7e361acd9c6b5bff466959db50823bc3aab4f794b3b6d25618e8cd170a1919274ba0e73f55022f55a2560538490e3ed244a60ebebd3a1e7b9c00633 SHA512 e5c7489f54eb4afc0d86d3bc59fadcfc43f1fafd7c0d6d8ea53213d3dddf4170508c8ccc2c88498fa9489431f302de085343866a68397c9e52a4df4ab8875f7d
-DIST genpatches-4.19-162.experimental.tar.xz 6972 BLAKE2B 4a1cf973c9e85b642d94a81202d3a0f7725cb51aa8f16078e0e5a2291ea77fe149607177630d6ee0b0d4f8b14abdf30b54ef051c290f2544f5ea40cd97562f5d SHA512 42d9a73c661230462ef127ef01ba90848df181ea05fefee43172d65e3e39a9166919f38492f58fafa68efb39653ff816bd33a6c89e68f642ad081f4fca5cec6e
-DIST genpatches-4.19-162.extras.tar.xz 3316 BLAKE2B e5322821a492848aceb2ea926d5814604c811111d84b0c89023dfc5bfefe96d59c807be089df60e74ed48f539cbfab5c435d9da13352a622d2fd978b60d9bead SHA512 d9a844d613f8a22a311b6e55ec9af0929a3bcf93e33c4c5715c699f388b7d0fb909f93e347561f2a45d36687072a141b862225deaa5ab0372dca75b50cef8608
-DIST genpatches-4.19-163.base.tar.xz 4270052 BLAKE2B 4d23c4cef36503dac39b2bc3469dcf85039da78f6d6a4be128ae90e14438f3b7464fcca6b20e448b7287fd786c4992faad4ccd22cd9070370a746b7522deb8ca SHA512 e7d4405c90d26d54891b2b61aadd3a419afaec411358063a230e1880f1e0a19bd6847ad14d6de1a69b04f9f3d6f7f4198ee6052fb619c57c26b34af1797a136d
-DIST genpatches-4.19-163.experimental.tar.xz 6984 BLAKE2B 3c13b9518e78b17f0607b8dc61aef22e0638da0f84c04d800eade34a1499972431c27ac4443a91d1ef1a95169b27deada46ab4a809442c5543aa51679a13ab1f SHA512 165f35073b607cd1e7043e4835213c9cf6eec9e5dd00f2176956c2c7abdcbf959130d25c931b2d5ce7dbc4b769710525c4e22ac4c8d0076c7a4911ba69754356
-DIST genpatches-4.19-163.extras.tar.xz 3316 BLAKE2B 2114b7466f4ae8f6dc7e9db660ecf66717729da4c0c84059d0156625b2fa756e3a44aa9213a0c23bcf1b3e85761eb9e71425bf01f3a86f98e7c3c5f32a3496fc SHA512 ea158f8041c781d265b8006e806e55a654707ef1db382ef40296a1517bd88be14931251e5add184159fe700407c0330a75a3faedfe47d1967532b5790cce9a6e
-DIST genpatches-4.19-164.base.tar.xz 4277076 BLAKE2B 6e164aa0a486d6c18999b6a879e6b3dffd48ce47226eb45266a99457881ae3647ef2a441e3e12bf0f6d09845ffe1d2441a9ff5f44f84ab53b01beae90763079c SHA512 b826925a911f680ddf5434399c9d3bbea681b72ca195df1e0ac31b992cb03e038e5b9eca9e2d8d0181e25ec02c099d9583b9854525e9f3a0052b89c1bded0384
-DIST genpatches-4.19-164.experimental.tar.xz 6972 BLAKE2B 412936945e0f8227da3912256e659067e978995646b53408c60bafc28c4505f9b187a1439d1cc1771525c4af154b44915a95cc5754043ce426a8bb28aabc77bd SHA512 be02282f4ab5e06bf36f7b653464e02ebeea2e1ba8a9a25af88a12b5ed657bd7c9f623700f71dcc2590e1e3e9b536cf6c66d0b902d555c23bc70b80214ae93de
-DIST genpatches-4.19-164.extras.tar.xz 3316 BLAKE2B a31f4245b44d6b29d31a849844335d96974686e1cfe1a6d57529a9138b3faec03be2c6aab73985ec900285bd01faa327c4d327dc0c94731c5740b92d39011ae4 SHA512 aa1a2e36cd14b3a06f1475c4ae2b705006d2ffaf45cb8683f726a35bd7382e9d5981be12862e8797004356f34edbf75235b8236740a9734fd070164f9d97ef18
-DIST genpatches-4.19-165.base.tar.xz 4277856 BLAKE2B ac3310502b5bf72a9177bd5653ff6efad297dd3ca915800f998d4fd0a93b5372715223ba72463d4d008f2f532532bcd09d1204d63120b1db43519a94281de2dc SHA512 873bb28e2aa86b50bfc061ee687c9dd67f16d653e8be647e11c78974328e96442738067175f0b3397ba1413b0f9938a7bded02a9f554d1c6aa823f95357ae6a1
-DIST genpatches-4.19-165.experimental.tar.xz 6972 BLAKE2B 6b03f19a7d4f02103f68a6acf973b0a50934e1728b0223b73396e4283fba12ff04e9f74fa9d85c3adcf581081ecdc1cd7d97a2f75155f719856c38460f4ba8fc SHA512 195bde65614307a90e92425bcb0e6e9a1f069f140e44730f5d613f9de6384882cedd1a4face7011e1cd0cfba3f86c90592f1b6f6435cf4a8abc7b1b819ebe698
-DIST genpatches-4.19-165.extras.tar.xz 3316 BLAKE2B 9ef527f21f6b1000897e1f56968b0932c640892ebc067b89cc52d10cf7b82d83000b96a8a6ce6f1b461407d0cdb26a129905ab8682a47b48444a2149585c46c2 SHA512 0222f1743e631bac1a2b31014b4e905ef2f0a771cef158082c207b79a0579c34c16911fb0a47620d388ea739be39843c9e0278a8369859a3ab68ab59b0e52a56
-DIST genpatches-4.19-166.base.tar.xz 4295056 BLAKE2B e6291c80346bf00482ad22f4a140ce3b719ada10df83fa60546de08e23256fe99456c74292e852e89e1068960f540113d24f1b13baa63344b6da8cf95570547d SHA512 04fea592ef9ccfc6a320ae6ac26d60441afd2ffa322fdf4564ffb44853fa3a1ad5bc6d458926b292eb7b1cd16eaed804408eb58edaa484e4a7688c8db088375a
-DIST genpatches-4.19-166.experimental.tar.xz 6976 BLAKE2B ee3c7b45d4e4c15225bb535ec808930b29bcbf5a3a7a3191a703777a558db5b9e944422c18d1187e6ff54d667c837dc8a4c568511372b5ce3b1ec1b6ab635688 SHA512 153f949b28e03eddf5c536caa82a3663235564a2f355cf60617f2589332ff3fe870ae0763d7f93e049ec975770f78cc7eed08f5b4653218f24c67dff76f24fff
-DIST genpatches-4.19-166.extras.tar.xz 3316 BLAKE2B 8d2b5d282c31e2d66d56994e0f5ea29975128244c04c12041eaae2da924d1f15317ef9ec4705694a230868b90946df1bfcf924fedd79e7332ae7bf3cef148090 SHA512 c362ce04be34269c1b79aed2dc92aff05d7f8dc2740df3129a7f34bfd8b8c48c1c22ff0a204c1aed61f02eaab9f5f6e098a66d3b6ef81276c1a985a5ac65ce03
DIST genpatches-4.19-167.base.tar.xz 4302532 BLAKE2B f43c9e993395762203cff0846b91bf475e5d9c72dbede62a6cc6c545f5ecef8369788f0813e3eb052fe66d9adeaa62c9e7f9666e4140bc9aa54c4a364c5a18d5 SHA512 6d9dd2b1d10c2c81f495f8c3ceb3dd365b1649cc63200fa9bf407ac1afbdf8895dad0855d050384fd427132c1827c3be10697c401824460189a6ae2bb0a937cb
DIST genpatches-4.19-167.experimental.tar.xz 6972 BLAKE2B 4e70a4784b6c485517cfe2b75418ccf7df3f3d40e501ce11edd978b6c1593426b39a7a2241f50c4a7ae63158e7d939f62da57b4c18197675ae05ead5a379d87b SHA512 258bd39888c4156dab864539e7438c7abf7b4ae8113815d1b115a76d13821c3d761c5632f23f8a317bf67cd13e0ee8bb888ee94f98a7799a16484424c2c034db
DIST genpatches-4.19-167.extras.tar.xz 3316 BLAKE2B bed1495c2beb33aed0814d93a739663b35c3d7012c185ed81c0af44e2e4a8024923b4ad47228a59103e1bff397314695ed975e740f85afbd8304549234cc7de7 SHA512 53e245d970b92c01cf74f72918e386cabd1214b9531734a7656709e50ee7c900b5b428ced4085306fdae72d56eebe162b945da3e4094cd41ef2eb7daca3ed157
+DIST genpatches-4.19-168.base.tar.xz 4309240 BLAKE2B 5940bc82e8139091bf61c8062d110700a394cf3bcd212de7235e17767db47e7f6665498477c956e59c91d67160ba15d1cf5ff1a2e23c5aecb4374e1872522eb2 SHA512 4e60c57d7fb9f5e2a0396d7818521c914e8d5d24cf796f0f10e3e0bc9ab33712780d05a1c86f1e538cc08d67164ac9c5041d000108442bd22ea737dcdf8898ce
+DIST genpatches-4.19-168.experimental.tar.xz 6980 BLAKE2B 47e764768bdbcfd53f6eeb0c33b50a2f2d5d83ecbb32e2ab9fc0e941bcc9dceb4dfe682d5027f83d79ba0cede9c9dcfddc3f2e763241fd8aac1ad129cd6d12fa SHA512 aa0d945be8881d2808a64077bccb4386a6945418f41375bed11bfe0bf37d7de7a67c45eaaabf957b2025bd0a10cf0680c58c745fa511e73e6e3b954ee9aa570c
+DIST genpatches-4.19-168.extras.tar.xz 3316 BLAKE2B 015a2122b25ee086b371dfe7d5e5c7846c52cb2778491c79ec9b556dea0dbe317dcddc2b614c3cab92fd341e77c994fbe9ce61adaa1f4c416d44e8f09c2c1e5d SHA512 693dddac91c2300f0f27da0a686997b30350b3ddee590c2be2e9cb92e6fe14cdbf3428bdd421df84838c26f714c9a05888b097ba5380a8b8fd3f334a28d12199
+DIST genpatches-4.19-169.base.tar.xz 4312680 BLAKE2B 3f93e38654ac3afe57e8ca74e66e7f8b9730bdaf4b668c4f38a117a3dfed84fe537755f108c4e23762683a5e64b5fe8fc96a647100c9b7b6ce9909dc11b73580 SHA512 e8dc17c522d36109da6fe647965616f7c75dc964afd4f0d0be38630bd95f43dcb388ac22cf499c48a16feb755d4e9bee9bfeb9424b85b65eba10fb2fbf64cb37
+DIST genpatches-4.19-169.experimental.tar.xz 6980 BLAKE2B fd8b3a34a804ce8c1619422a347d1c8fc9118701b7e03066cbe58062da6b4dfee37067fe1f9094e77724eec2efc7cf99d08f0f327d4306fe9f387274918aeb9f SHA512 400563053492ef87e6301b771636162611285a8b44174dc84a5c988c797cf6bc4615ce5348f75487139f4c03b189bf3a8f2c0327ea81dac904bfe406b119bf61
+DIST genpatches-4.19-169.extras.tar.xz 3316 BLAKE2B 79436bc140d54d68128d2f356fcd26e136127d8e985ef4922c39834cebe1faf270342df8cb466f2af21582afa989e2ee1ca17894e6c81c233722557009ca9a9a SHA512 3444295b661f66745a9d994b17df20d14c01b7c00b9e00afbf5f7e97569ebfa5103998265426bfb3b0af815eb107beb6fa36e5726d36a65447082e20a1d5e919
+DIST genpatches-4.19-170.base.tar.xz 4322008 BLAKE2B f4502ea57b9beab77b856a94d0221d8fa8100d1b5abced54a192d78b50acee203631ee6906b07d42b615bd278055851ced8056ff8ce6b4e5afedabfcd0361c16 SHA512 3c9147279be62e673337e8767f58bba40a452f7b00e9985f061f29bc5207a712504625b54758882c30f23325f7d8100bcf18a931bd046e4fcb23dd2ded87a502
+DIST genpatches-4.19-170.experimental.tar.xz 6972 BLAKE2B 7ee5acfd2c193e5d7fd251790862fb0f9e331a90f37117f55d11c10e0eb82023581be067196ca6a3246977261edbd064210e5f486acc8cde423c011e9b4dd8d3 SHA512 8e4da47d10a58e86dd592310d420015471ab345727e2ade9bc37bf5f16a648ff0b6a58dd3aacadb2d55fc559b912eba1f94dd72f8604b888588e77ec3f502d73
+DIST genpatches-4.19-170.extras.tar.xz 3316 BLAKE2B 9710f67fbca0ad2561a40a6f3ba9b3f650c5e05e2763cc50c3ef60b5893e76901b9386e01209e25b76099accdc510c6d23cd908f59e5c9f4550cdfebbe0589d8 SHA512 907eca914fe2b381d800f1f45b342084c7277d9f5051134117971ff6d7a4ac40a054079f163bf83a1e330b4cca33fec73665beccf70303c20fc6a3c6065d5eca
DIST genpatches-4.4-248.base.tar.xz 3950896 BLAKE2B 86c1c74e41d3b450079492d26ffb773e9c78bd69e128869ad90938adb35e00efdc55f6ae2eaf5d163fbfbc592f6556d4cabcfdb83b7c874203fa02698986632f SHA512 266467cd2a82e51ba8d388540b260e86c058de48761c083e6a6c3dd37f7e2c6b2d4a3901b030e69d0eb7a5b13b323e141764ea79a9d5637d7a3568c6672218b6
DIST genpatches-4.4-248.experimental.tar.xz 83320 BLAKE2B 1f30185954ad3247e5cded8074f4a28350116d3ce1006b717de63842d9cd5cbef8241ce29e3ec52aaeb0fcd08082502a722ad2b618a26778d2553d9999530c72 SHA512 e5b5401e6a47c34a5eb495f317f4db9aac2c43676e07798d385b947db179e41e6e462fa0ef577100ed21a8a7491e7387df77a8c1e7250ce45e887e65a9d1bcf0
DIST genpatches-4.4-248.extras.tar.xz 1788 BLAKE2B 3526b5cc83cb4c9fef68c4613d23c44acdfe84e89b46a3d50df90b91536077ce76973993eb6469947150faa2302ac1739ee9824264903a80edf8c24f763b7553 SHA512 e7e63456442b7fc51b3f3c1aec0512e0598d6e85cf5e0a2ca2c2046e86f754932900dd59b4f5510cec2a782f4c806c5b979cea8b13ae2fe455604efb478ac985
-DIST genpatches-4.4-249.base.tar.xz 3956436 BLAKE2B 3856750716046101dd6ff4096bc6c9c42b64f2dd0e8ac27d48da990ab4d143ff8f1065ea57de0f9345e01f654021cd416cb765421c5bbf799062baf65fbc6e1b SHA512 9b482260c043a176becec6469a7ba383a50de11b29a42ed33417258e8a95ee1bcef1836d2e3d8206a4da3a1bf7107f2e5e187b0859fcd674b7167e2c75ec5de8
-DIST genpatches-4.4-249.experimental.tar.xz 83284 BLAKE2B 0f77215e35d4a2e2e50d75f6b7e2f39ba18e4a5eb3e36fffd35ebfd306c91b74a2abf75f1b035dac9d34c2e7c5c66051dd25b05d5d9a70c3631f651efea7b7a8 SHA512 6faf18e1d7f82243ca14c0083d9c5b4aaa8057672562c1f49de528c7c6c89a66b5178186cebe7c23c17ba85fd5cd37b50087acc8c9336d5b69f878c3570a45b8
-DIST genpatches-4.4-249.extras.tar.xz 1788 BLAKE2B 5f5492ab8614466053b5d09f7445a9b051775136620f1c12d423ae6d4c0052f92d456320ceb4eac1253bcb0d759e3c50e19cb67ce3ef6560a20edcddab5ee2cc SHA512 577c5f842d33774b522a40b810dfead1eb484e109a2b1cbb3fab84a080b566a565dbca86d481e0250688b9317abeae4e84c9bcbbbec9821c9696f77c21eba06a
-DIST genpatches-4.4-250.base.tar.xz 3965008 BLAKE2B 820bbaa5c8b3bde5bdb8a665e0d1a300e5a23ec5962bb1ca175fa9565ff7f819fe911d778975a4f81fe20e8fe3ea306075e3e556c7a0113217a5ecc76f897e9a SHA512 eab25daa5b7ee22344981760fbadb39cd878c777a27be3b621e015066762c8313f8265612e23899b5b0e416a125fc8c102d2fb9be556fa8ac34f0eaa154d64c9
-DIST genpatches-4.4-250.experimental.tar.xz 83300 BLAKE2B a536b3e7a2ae9390d89631ee35082fd27b46400ebc766929211db8ec9d105968dee1c100b68bbd26f857f77079e7880a3f6ad67626204c0ed9b345463302c10f SHA512 c3121d2a644f5e5a12e371db3f9a7512a7e073a99bbb5f6162fbf91e25089c2908203b5861c79e3b786b0649d0cc915d16613ce494cee5d383a4be7501d5fea3
-DIST genpatches-4.4-250.extras.tar.xz 1792 BLAKE2B 092abb9a6802de32aa3b6e0e5b136817931886c2eee23c1972d79680110372bee8f7387bd783b02e2837cfe6c02ae2ee6c16640130f061a0bf4557799c80e58b SHA512 660ed03c99099d18d9a238f6d14778079dcb2cda0a7ae86886167e8f8e23876f5122608ab564afa764b03e5234d6395f67379ebae6391285b12475e5d142ca7a
-DIST genpatches-4.4-251.base.tar.xz 3985628 BLAKE2B db6c9f14c1b78490371d98330d435386515d6434268fb3a749a1c38c51505eb15770b13653dd06f0aaadba3da07af49070f0c1022824c45a03aa020cbfe92837 SHA512 1de09682e67afa4fc356d4dd69c3ad10bdfa3f5361c3415ffa61dd8f0579e7f7fc53d0d08b8da853b18f23e5071756ba5cf6f856e39ababe6602f865eaf56ecb
-DIST genpatches-4.4-251.experimental.tar.xz 83296 BLAKE2B ccd1bf4f50a7a11e328a6427364b3a66f1074a6b93ec3e97042fe26e2363804602a4e665be994cdab8ce0ba9cf0aa88eb53056fb095aa0656860f70df4d7e062 SHA512 0ce96235aaab497b519105e53e64d5c7fef6313ad3425b4f53c7a03471bd07ee513fa7504e74c7889219aa3a966d5c4578b436abbb6981c74d120f2f5edf1299
-DIST genpatches-4.4-251.extras.tar.xz 1788 BLAKE2B e49647e9e790af454dfa0aea7f518770419335188d127185835f78cea55d1d634314a1a5acba0b1182a2d9d3b49f29592c0ea09fecd2d81e26696a621746f450 SHA512 dde27a1529bdfd762b8a48dc0e6888e590f4f25d56e2bf900c290c620d184d55257f22d775a1956b9add5148fc913c159251d6a6d65a8b07e12d13e0e58baf5b
-DIST genpatches-4.4-252.base.tar.xz 3989956 BLAKE2B 728008360f1d32ffb9fccd7630b02f71e52441110735af22678aff59cec5a7fb4b81140f8c6bfcf5ae82bbb341ce2f6c2cfd24ffc415f517fe753b8e3ec32b3e SHA512 9d8665559eb6ce57a20b574d2a8b022c7480d3505af56d18d7d10c4558f3e2494d9ce340a49681999a8bf7fcab603407476fb16b0fdaa0cd2b775246c8bf7260
-DIST genpatches-4.4-252.experimental.tar.xz 83300 BLAKE2B 15ec80fa0ae2d860eeff6e0568897b9da9e80f050c597b69599b61b1ad6d875a48970c5cfe6299011655518915cf50a0e9611c06e382388a6c3b4642a2b19f7c SHA512 840acc98b7a3a2ab6a054b49e484f6ae6d987fd7c3744a2defbf7c9b1c48a50b2bd662ae1b3b4ae2e08b97c73396b6e5fc80bf7140604fde37e525cb6bc28ede
-DIST genpatches-4.4-252.extras.tar.xz 1788 BLAKE2B ba01cc4f032cffbaa374db8db440f78536a7b82002ef11d61e6afd52f743a3c46b0e0067e475124320ede56d9318e375762d28fbac935e097e27fabfe404c73f SHA512 e0ace645180c39958b1d994230b4a0b9c2da1e355905b4b344d69aa9d7679faea9d53b820b198352261c47bfaa240e794010a229ce3248bfb75650d1bd1109ca
DIST genpatches-4.4-253.base.tar.xz 3995836 BLAKE2B 018bb03a58335d66b28d1405d25c17e83a624e7a192560016ca799c616e031031464f5a58d1beb874ef54e4993814ca316b1f3cce747baad92c605906cc1cc47 SHA512 0b3f164ae34618dd3b7f800dd3ec1258de20ce2705294f86f34d2af49d3329f1d095fb027918e2530ccd06f14c0d08011afc56104db9837e65122a23d4397c21
DIST genpatches-4.4-253.experimental.tar.xz 83260 BLAKE2B b5a198ce4b5a4803a64beba8e76227da1b11fe9b3eb289e132171c5b70eb78a845f3c915ec09f4feac66fcf7059dbf2d94f5fe6d3c91ab3d1292b5897ee15167 SHA512 367205bd834081fc5869dc38a607fc63b804c9a8d80093099753a6987ffcf0cdde16826560cc06841d4f23e03279cd1559d76a619f38b4dfbcdf4e7fc077f62f
DIST genpatches-4.4-253.extras.tar.xz 1792 BLAKE2B 38044d9cee57fa820ee618e96f99ffe6e66addc43b795e582e05a168c51fde20057930889fb317c7571b79d3a2f50de63e1169969723572707e056568848888c SHA512 7ddfa7cf2f498c9128d22c1dbd71e65e36d41738a395c83bc310e2efe547e537934b25e70609e4a119904adea09828b5b721faecaef69210e4bba09f89dc38b8
DIST genpatches-4.4-254.base.tar.xz 4000472 BLAKE2B 544bb06a81bfea361f55aafe8d94c02724e09ba248197249a0dee8415cc60bd12ee43ea88a9d17b00dca66523af56aef8ec473631fb8c4e38f6d3d3c615c7f90 SHA512 911c851bf913dd2e35b29bd2454b8653fdc7ce20b859fb76d78d7e1b25946c5945091a52c208653982e19650c8fe58c24a62bcde64d1a6b1a4491eb1f3ad34bd
DIST genpatches-4.4-254.experimental.tar.xz 83284 BLAKE2B 7df0f3fff7bcde301f456ef547a9bb2c306c1a17ca90f700a1f4f9da490ca708a981eae8c0ed8825905eaacfda8366c423d72ee33989fe51ec288f8b6d407bd0 SHA512 81aa1792931e3fbff146f8e089721ad01e4a2696ecbcd6b8e0788607f1ff273767b25494635ac79b4d5dc8a2f4edd1103315c79526fd545e4c4f8a0585488b04
DIST genpatches-4.4-254.extras.tar.xz 1792 BLAKE2B 981fb3ea47b9f5642552688a61efe7533453ad61d88e239e64d117850c91d4f5d6a30fd9d29db163010bac34abdfd80e457765db6c1034f85d8f5c2a202a1ff1 SHA512 9d20cb140ab7fde7410b4e908289053f88988f626c8a5a70b59d1a66b95849d07b80da9d6a5e08e5a8819a394ea61a7369a57ec3b2b382044481858f7a4e7d54
+DIST genpatches-4.4-255.base.tar.xz 4005524 BLAKE2B 9c938bf3c93fc4261723717f866a46d2ae6db068642ad510c5a3dfa3d4800b307b50586e8301bef53fe2b41b248a6ab3b6f7c72490c5ce8de05a8d7b43001135 SHA512 3b2474c3fa5a017fc68ddc32e8540b1b8d39cee68919d4d9e603ee804e8f0a4e35d22822c156fab7470fe5b0ca7367840cc4869fcdf1c400db46789187803c3a
+DIST genpatches-4.4-255.experimental.tar.xz 83296 BLAKE2B 41a4d270b0a97849c792e48b6fb00e53504d42ed783fdf82e031c3dc012a3f6717a308dece8e1d8e0707ea6aa75141065c5fe2dc14cc823e8d345c69299984f8 SHA512 0ea4ac981a70e1f56eb8b59e5496e13f218a4d471a407572da50e4f015ddb7358a015c8106a9685b511da6245f70ead4be29a2aa1d339c6ff62bce9b2cbce31d
+DIST genpatches-4.4-255.extras.tar.xz 1788 BLAKE2B 4bef240656562de76e2b22a5975dd3ed27dc57168eba30f78e34191ef06351cd6406a5c849b0a4f534577183d7b3945eec4dbdce3ad5a496ef7d783d1a3eb369 SHA512 56fb66fae36ac32efca12a7c28b9dbb24afc37f2ae389f4c64f107e962c005c8c8a5f7413fa87743d7a2bbaf98c0d6ab055b8038f8a4823441fa116cb40c1bd5
DIST genpatches-4.9-250.base.tar.xz 4423652 BLAKE2B 028223b668bc00d1bfbd4bcdd5dd201f9fab0c9a4ce68f5e107c1de83320c88865826eca0f38b5aaf25c96e2d66a76f0d305b73bd659197898818515275d48f5 SHA512 f10dc4626b1863177d1dbc5e1283c8848b84e6ab10b3208291a0679a3023c5f7d34cfbcc6091f7fcdb71e34f02afba3e7685e24b1f38730c88197c621e41fe08
DIST genpatches-4.9-250.experimental.tar.xz 106372 BLAKE2B 409a0fdfc2246e57f461abfea86f76694ee835215e0ed816e1c445c2e5bb3439ccd47414315f81e9cc791f7206b12ce45c9f46892e9152341194e15d0a44a090 SHA512 63f8d3e6dd777fbb8ed0dad1b67e0405926fdb0c1e40d3c9bae63494de87a3cdba37e41f20cbd7ed109eba6a933125bc6354814f5539c20c377be449cfac3b48
DIST genpatches-4.9-250.extras.tar.xz 3340 BLAKE2B 14cb6c6993c772cc8fd2a4a63f7fce94d850a926c74ac954aebf66e3bbb5db1c20001c264056a8f49561d21e754048963464226d56a0c10eb03cb59384420487 SHA512 a1eac658ade3bc0ecd6c98d1e0fc82f006e75ad4147ba0f2facc58e647bef731098527ff77d1d817f7605c0acdf3dd3f536464953fa2af27c32eba2863065db5
-DIST genpatches-4.9-251.base.tar.xz 4434572 BLAKE2B 0c9f5fc9f1b4ab2ade7a56815f1ba59a2a345578e10d5abe47259638063f7fbebf412c921a53df81bb16705ff904d5a568bdf2172236db027ac65a2cf5c22cc0 SHA512 f597d8b1f5c210bb20535305905659f413d4cee679fa26e8532e8f381773de72dcaaaa99a27fcbdbb704a6c503c93223b06f84e1b75d2b4449c06b08e58159b4
-DIST genpatches-4.9-251.experimental.tar.xz 106444 BLAKE2B dcc9f7ae1534498de0d1c0d33dd0c0ddca071d16a720001609272b6698c92ba74015eee01d1429e46118c467c1772e2db77d1700a5d68896ec637dab1dfda0cd SHA512 0b50fea309d5f1b6c0c80ae153ce3247a0e0837c5bc7872b0a7403a6142dc522e17fa0b3ccc0d34e911dc0a6cf6de57e4d311dd90d4c8199d08ac0ff95aef843
-DIST genpatches-4.9-251.extras.tar.xz 3340 BLAKE2B 3c539c1e45ab2f01cd74883fc997c7d38a32312ea4643f53b429f93251f3f8d531fb72ea6f8c2bdb99b7ffd742e020e5b4d1ad7b9f4dfc3636b9b5bd291411e2 SHA512 83be80e466a3936eb8f99a654b4d5ae1fb057a8805ade3a81a199f27b57dab13b46268c432fba07012d451829cc63d04f04d6a908b49ea7ab2878c192e071f81
-DIST genpatches-4.9-252.base.tar.xz 4445040 BLAKE2B 71c1cd51d02b47c8484b7d394471bfe25ed94406d5894a20f8190cbeaa4575931f8262ec773b80e469aed2758dd40dab18dcd7c55bc48789c8adaa2496bef28a SHA512 d5473bc19e3ee0b19d4fac84fe0d18744aa80b8898e128b757ec69202d0272c77769b2381a96d66d251f49ee067fbbe04685d2a26f155a13b06ab292babf7d73
-DIST genpatches-4.9-252.experimental.tar.xz 106372 BLAKE2B 9cb2511bf248e447d65e32f5d4887f54912fef8094969dbe23b2a549273587b0d78d2422611e677b63f20fc316e1fcbb06325b93fe105ccacdf9dfaa91508620 SHA512 c889f8ecb1629b7f9c8e214696d17405b403332565553cfb8b0009a39c87a40fc9de3e8519e29b1adb20c7cf82ea387fc9b94bea02bfe535e1306091b4310390
-DIST genpatches-4.9-252.extras.tar.xz 3340 BLAKE2B b95706a8fa234bac2c42aa71f820adb68c8f805f6e0c9ada6724a78b27918683c700ce30f21ef3510379870d039dc69879f8454399938525a0571f46bf611f3a SHA512 be5a3ef3bf9adeca5d5cbb2f53e20d24006630b0bc545176d2a06cc40714f74c62a1d443842ddd003d3214aa743b83acc21d138ca2228820311646f66aa105aa
-DIST genpatches-4.9-253.base.tar.xz 4470972 BLAKE2B 0b4c68a7137de55b82bb6bb8ca3b296011d28a42f8b60ff144e64bbb3b7c034eb248ccfff7f645780efd2ded941f35163c6ed438bb78c5630d1b04d24027ad9f SHA512 f7986fe77b06bd9db6eded25b5d366b433c3f2790b093ddadd96fa65ddb4a35f89ba17875082a3b882ca866c65e1e2fa3b378482e5d25f68f0f606ce9e0fc936
-DIST genpatches-4.9-253.experimental.tar.xz 106384 BLAKE2B 1f62c0f9e8bf1fef8a21776593b10894762347ff8e39c890411389d3b032d482a85475becfb32a0aa6b5c3a06742ee2ae30fe022ac9c36e2d3e9fc3b0d1577bd SHA512 062e62aae4bde7f2f61c0b813dbcf1a53436bc96e31ffbda34c7eca5f4e0a73f672ff5ee04e85b6865368ab4616611a953c879e4c279f56cf9246e6841b941e9
-DIST genpatches-4.9-253.extras.tar.xz 3340 BLAKE2B 50f8fb3721e768a56d673249da6cd93c1e5e119e3fd501652469df8194dcbf8edd132119aec22fde8f15d5ab9d13d41f293c38d4edc48ca11d2071e8ce7ef0c6 SHA512 3299dc0523afaf56491e1bcc5d3116ca7e376292ab8a83f38887f9d6a734177098b201451d6150087bceeffb2577f33d6e893a6c7e51f3ef2bd99ce587c3cf8b
-DIST genpatches-4.9-254.base.tar.xz 4479060 BLAKE2B e9e51d7bc524d733b685f75a3d9aaefd89a1eb7edbe7a318323caa16e3ff6913f7644b812ad3f548ca23758b72cef78df6d7e0a14e597b4bc3de6aa65c414744 SHA512 ffb27d3c79b0a80dc8df86a5f7d097e196ff8b3c97a556924dd038907fb2235e557085a3f9dca01096366072ebb5e77b3d497c5c7941a691bae1e561fdf4a46a
-DIST genpatches-4.9-254.experimental.tar.xz 106392 BLAKE2B af7b1ddf98ee98592692841a744faf2057010bd592ece51e47225448fc590335ce3ace8e1aeb323046ffe06eb68ed78176235cd758a75ee32f6501b11ac6a5e5 SHA512 c95579d0ffce9fc1c857e7e5f2d13bde512abcab99f43d39bc11b5a7d7ee757fa44e10f074b3ce4c938d2c77f2f8219c22ea08275b129fd927f5b22fb886f7df
-DIST genpatches-4.9-254.extras.tar.xz 3340 BLAKE2B 2a2684aa4e8d33b3846f42d89515d88d3ce3d8d196943382c187eaeccbc76b6bdc55032f43753696a77893823a85b2611b1a43172eccd1959d336f74ebbe2f29 SHA512 9efb9de94487e03a58b9e62b880ee7379a2c140efb966e0ae54a16d4f5d2415dc796ad72d96b8376073dfd04dbd702860e7c732045df9adde4814c36990b4ab4
DIST genpatches-4.9-255.base.tar.xz 4486212 BLAKE2B 78f14a525a2bafa11408ae34fd30af4c93459875e41905070133d413377247a2405f5c83c04fdbe18f5044a6f2b450a8cfbecc0dfd9496bd26f2b8b350cb4d38 SHA512 a235dedd73c6102dbe6fcd2c6dd1737647de991eed2c92a385c3b79bc6719e0078219ed04403b09d36d3152058210e2a1209f9c1f856599aa616f0e846ea99fa
DIST genpatches-4.9-255.experimental.tar.xz 106392 BLAKE2B 96ea1a34e5edf9866c47cb9dd190442062ce94cd2cd0723e37a746b10aff6143d88e6a8afb4b8f458f92a03f20f94ce98f4fdd2557dce76c5a1af5b0da9c3e99 SHA512 86f1b6960489e3d7977f79d8c826441a81587d21f3534383d0e6cabe6e1ec8fd6ed0449dc9b58f60e74b427179bc139983699be4b3df7deb7dc44c1adcb18de6
DIST genpatches-4.9-255.extras.tar.xz 3336 BLAKE2B 896f9f51ba73a601c6d2b7c16398c9c475147b03712429223d4998f36dddcc24f06cd6903f1a469ed9092b99cc1dc00a5b5ca611931816b838aa33f913a7cbe6 SHA512 dd99c9e2e5d9f6c4b17d395223d395da1688e62afa021f7c5ce0959011dbbc7bb71a8ca5f3c8766568da73fd5a82371554ab92277d79baa0454b1d069ad50c7d
DIST genpatches-4.9-256.base.tar.xz 4492036 BLAKE2B 651238a0ab334f295e5bbc80b306529b4d0e90294e673376a52ad3ee6d0ea391440c4d22d71935c6d19a861e7d7b1792a6e4a96a0f906ae4eda566d8765fc9d2 SHA512 acbc6bdf424514821a695118492bd9a5fa2accae7ef387acf50363d56763f1e14cd4ab3427450bed804ad86a15b3412f6615a7f215410cdcd67bcd00beb91719
DIST genpatches-4.9-256.experimental.tar.xz 106372 BLAKE2B e0de68aa4f0e98f2ac59b4cb379e737eaa8c6055673dfcc1f197b2ca30fbda257b035adfe27cddac5d8c57b0f42c46a9166b4c4eb8c0305b86212d253ee0d223 SHA512 c76f7c490a8f97c312d09a480adebe049c8553fa43b26ae1508bb1c491d507cd2741b7a590c90a6f11f1536523719c8a6c0a7c2d4fc60d647779a64d3db54542
DIST genpatches-4.9-256.extras.tar.xz 3336 BLAKE2B d760dd5d8b5985fb0d26b4ebc3b7f98f16e876ec1bee39fe207d5dc4ca6d8750a9d6e5626c3f0ed9305955b16c5b78c610ea2120d5b742a73b9849196b64090c SHA512 c96add4e4b9285844fe3b7a8cd4cd9b59f07326699e84a5d3c9df19e023f0bc3cd156d8448d233743f57f851a7a1bde4855e8cc275df41131e402baf22903f4b
+DIST genpatches-4.9-257.base.tar.xz 4497684 BLAKE2B c18c0545a739235dbc4e31714b820b6131ebc1bf2db05956d41210af724799f1d0ee8daa4e3acfe5a3378f9ebea017403e33ae86521243f54abee054bf01b75e SHA512 76b34da6c80be68bc3626800126797b09d6ae2272abe2687f8f30c87d9fc83e7739e8b664cd2304f89f8bc4d18fb72fb4db5a79b38ec75613fdd367f6ebab2e8
+DIST genpatches-4.9-257.experimental.tar.xz 106376 BLAKE2B a2ea68bb783a4e8b63faa6cc4e5c67179748202a680e28c47287e80a9476db4b3094dea772a3252ab5939a3168687ac782a84a8d57840758fc58b75ed206c256 SHA512 542a0a8d62e26c8852a56b32c6e949c38b25a93ddb7f968f4ee79c5e4abd28d6ecbcab0341da89d988657dce8f9f526710063daac0306abff8eebdee9a8806ee
+DIST genpatches-4.9-257.extras.tar.xz 3340 BLAKE2B 81e5d485d49dec56444164cecdc5fd2b2449e140366871a488bc944c216eae5aac720a311609a63c91bd7f861515acb468bafd74e217269221bf403e01260e3c SHA512 3941a439ddb67ed6e824fa60da0cf4568b8d01511ec3fa3d12e80fb9be5c33e1087d0b3ba0a8e39cf92e512dbee6b1f5d51e402a86f826b0956d8acf0c0b6b48
DIST genpatches-5.10-10.base.tar.xz 303380 BLAKE2B 61d1378cbde5f4df5ee41d2a3391705279e647410125350a2329c6448357617cc93e1acb7f8af4cb43869ff11b6759caa3652242b52feeb8ce2aa2c36c26260a SHA512 9d9bd200682a6cd92e067024e42bdb80347e7083a698d2aa135de34998a80454130ac82ab49018e538197d35f48fdfb0e60827a219e2d6844e221450b86b9ada
DIST genpatches-5.10-10.experimental.tar.xz 17524 BLAKE2B e0d44619d202267e4d999b0066e1475661534ca0e0a4b50bab7f3cfc7959210b6830b13e03b534553be1f80adb4e5f53c0bc7bfe181839982821670be8827176 SHA512 61114072025d7a3af31a07f7000b125c410c3431f88cf43f92244dd9af4d33d090bcce7a675df220a3215b6e68e219ed8a186f49b4e9caf49717cdf67c100cc8
DIST genpatches-5.10-10.extras.tar.xz 1768 BLAKE2B cabeb1ebfbd545382a8bd7fe89ca78d58665848b86a5b25519c2d018720d04253847824d4059308b80edfe137383d26c89491c15be8efe86b95dcc184d3f35e0 SHA512 1e7c37441d3324c961d8d55eda3e43afed64cdbb45f2080673ab888b65b3b93c5f74495d8a3a53197b17f9d07f01cfc84a0b1719e5f3cd93652a512b9be536e4
-DIST genpatches-5.10-4.base.tar.xz 9592 BLAKE2B de49027b8581bf08527c53a952c5bcbb39433ff6f0c5f8d435d10e0db3d616c788d353afe9821861887188aadecb2bcef7786406545430ea5b5221cc0f124afd SHA512 a4ebeb7906358e79d6e9a661cded6f891280ba41aa85eba443f641cb77da22b0466d5f9084c1eaeb7d38d160d21ef608f96582aecfdd7bd3eb84be02eaca4004
-DIST genpatches-5.10-4.experimental.tar.xz 6092 BLAKE2B de802501c7d03a9a15ddab0369342a4acc4057f8d6bc05b0a2a5bb47172ceb9753edbbd52eb87ec7a00f3673da860b78f84eda74ae0f6ad36e8bdff5a52920c0 SHA512 7e5780be2fc188d71f69b1467ae3a090e4eac75decdb2dcbd088565634a77c76c52e22ca57f5464489fc6daf239b25f1de0adf8519364b7e8443cdcf27e0bf52
-DIST genpatches-5.10-4.extras.tar.xz 1772 BLAKE2B 7eb441df822692ec63edb58d6553b5f3c8e540b3ea8612d10f02c7004888f56a84c6223ff069304916bc6d70d7f7e4f6bed41c60c866498e515ce527baf543e7 SHA512 b0e9e111b09ab159de2a2cd5f960e2f947d5a9fb0d47244fa684f63af6ba009a66cd3cd4d83c9b48e6582537ad6ff649bf3528891d8599cd28672a2c3852f7f9
-DIST genpatches-5.10-5.base.tar.xz 19928 BLAKE2B 6fe55e2d7b32871600fc8d97b644e22797dac42450512c9d35f9d7f1eb72671bdc4e71ae22dbc178d1fed479ce2c8d908e77087da9c9eff90ce0b9536e89d0cf SHA512 dc9f536c40259a584041a72e8aebd6c38e94645ba2a25d05da76c254be0d1d959a45245e9645c876fb44a00887e8730c94c14bd7bb81cc194260f0688fecd3ac
-DIST genpatches-5.10-5.experimental.tar.xz 6088 BLAKE2B 55f6c0227174cf65f87b67608b77ef2ca10cb217f0b5e9f48ca703d52c5bdd4fd6db117b037628ec04bef6f201f20b5b385527c1bb2e202265f08d7977c8bc38 SHA512 dde441df469ed0f9df75e72699c6a73238b6f24593799a8a0c82c597d94f779980cb04f6fe6ae7b7e91b8f406c05e60af1a26118537f2ece3cbcda9863ee0b55
-DIST genpatches-5.10-5.extras.tar.xz 1772 BLAKE2B 1c475a58e71f1d029676d627e31859d93970b59d300106dfb24839bec1545dc5f9185ae802c325f5f0f76bdfa9bec27514d8aa9c61388b5ff76b2ada1d742edd SHA512 96aad42f563cb5eab9944b660d51639c2ac30e9c4a5f4742796c5084d22dacf2789226cb7df804aad5b9450f5715945632bae1df6f22183eb6ab38494e16527c
-DIST genpatches-5.10-6.base.tar.xz 203736 BLAKE2B 9bc25d288cf6f0b7c8b93518484a3bdb4324627813ad4b03c4a8189637776b6a142bc1168ff34d0e50c539887a17d4ae26647cb508dee64de010407567b9107a SHA512 0314a323a35cd98d736010753dea6a267fefee0d648ca66f5cabafbbd760a6e2424ec86785c1a1d3da7b933afba01a09f13d9af73e2cd1b8303e9912e81cc28e
-DIST genpatches-5.10-6.experimental.tar.xz 6092 BLAKE2B a2249c36866f2419dbab785d8ad6afe578373bb70526fa3919e067f68bf69183b1ae3694ff561474eaff6e4547378adf60dc8001dd595720cfcb2e5c461794e7 SHA512 44e25603b0912b8cfc39cd856e36ae3368a9f9c26da7b918816d10a9a784b96af45e70f922e91dc19f0ddcc4f0bfce0e7d65f59d2e2e76792d4c2ff881dfb3f8
-DIST genpatches-5.10-6.extras.tar.xz 1772 BLAKE2B 955bd5eb78f0f523c1f15855b06e39347287b2135e1d779cf8580fe24614cc3770ba1269d25819025df04e51fababfa7cb8bc1351bbcd3b57e0713b8c5d25f2d SHA512 870baf5a1199ddf38d562d8fd1e018afb8ad3bdcbb73c2ada3f7be01e784379daefd48f757ed25500baa0b54a8ad96fc2f40a96bff00ce439a649003f3e24688
-DIST genpatches-5.10-7.base.tar.xz 227732 BLAKE2B 7986a80960a746e753c551bda8de8803e4a0914873126641e5968e96de075ab36814f004b9adbd54f3ac5bae4b50ac0bcbe26371c2f986b99558ae31cb0e1b09 SHA512 4baf8220a5e95146a3c239a636ca1da3ddc7b0c684e611ab2cb3b762c733b2c4d7d5ae75e741dfd58e5eeb03fb78cb91690f2e021cbff1dd5613baa93bb91351
-DIST genpatches-5.10-7.experimental.tar.xz 6084 BLAKE2B bca6ab1a3232687813156718167d6af4c49df67163dbd9eed12a300af7e9828921d752fada4b07d4a593965c5175232e5a0f0faccd6fed5b00b49b9c64d736b9 SHA512 a51179b1fa50663ca94ed3a8ac0be066b110a83952583d9f43b42f6d28eb542db0369f777446e8425a5a85508dac0c4650c17046274af58b754eaaae811a0d26
-DIST genpatches-5.10-7.extras.tar.xz 1768 BLAKE2B 38cadd69b3f773df3b6e8b153922dfbc66c2f5f73b8191eb62c8dd0704fea4e235a0d7fe70b71a70d8642e6a7f90386cdc89b7489d240a4fa32dd3efb6661423 SHA512 8173e42df0bd203ce1d5ba104d8a96458998090763a39b04efef084765da352eccea71275bf80e3bdf9f4a625e2673a4f216b0401612a9f7bf5531a52dddd447
-DIST genpatches-5.10-8.base.tar.xz 239004 BLAKE2B f8786d7a9ed8caa0f28c4324ede0b9c9f43882716e37e2458e015def677877d1f1af508c3bf7377acd0b8d6d3f3892d5ddd252118ea72b0c6ebc967ce0c1a22b SHA512 2664007d4a3d17be2685fa60e6107e4e0721905437234b3d8b3836891d47783ea57af7d6c473370aaa1c4a456ede1ace59a8fc4b506b57f4ec004a8da0a78545
-DIST genpatches-5.10-8.experimental.tar.xz 17528 BLAKE2B 06003d75d3f6ff6ee42a6e2c2e2c042782f72648c021c91d4ab84189335959b9256fd3e03f4efe9009fd70f4e20ea4203f83d167f2d9ad3047348e7e6f7bf291 SHA512 50d095fcc8563ffa4796cc6c654ec796c2f6a0b1385ac2ab6817412109b109d5100c3e500e14ed39813977edacebe79ca4d19656d17c40d28419a7191dd9b7a8
-DIST genpatches-5.10-8.extras.tar.xz 1772 BLAKE2B 9ca607fed14a5bbbb233c1ce60371ad1974c5c9cdf35df031ee2915aef1b573076b9906e926fbfa2eefadf92aeb03da8cf7c1535402c6ed7d3e2ce177eeb100d SHA512 5177810dda3b1529405fe88e74cb1ecb5ebb76823fe5f6a13b87060ea2e6e6698dce7c1de13da5a9bfa5fbe6a57cc7f4bc1450f4e5c9f98f83e4d67a49596514
-DIST genpatches-5.10-9.base.tar.xz 278048 BLAKE2B 4e94ff0fd45befef8629e22676ec54268f35ae6b1436e851fd27013a4a4394709a147ddb6b9ef6b84dc0f7093eecfc72f22757a3dc369447ab30ed0254c3b5ce SHA512 797db3bb4dad59f3c121ce24eb9323a20267933cf93c8a1cc1640da11f779b1d9d85de3631b6ac3e8a0b018be29df703daf5c9afbdbc5a1c6df77331a8aff0bd
-DIST genpatches-5.10-9.experimental.tar.xz 17520 BLAKE2B 9d0ac6b94fc72d90ac05a6fe17c895598e32efa17615849eed6b1c971946cc41f6ae64035c9b824cd39e2672a7b7664c92ed9429d1ba592194a5a1bb33ad5e2c SHA512 9db8c11a7cdce8d436ce0269893317f1e15ece71ed227f9442b1a4ce02b691bbca225efb4694faec555adf228d99d705f4684986cc8f99572f82d6d0347c5b24
-DIST genpatches-5.10-9.extras.tar.xz 1772 BLAKE2B c2457ce78f503b2be4e67602674014c9bd6b953817ea5203bcde3e08b9f9c9e13e7243faf9b0a85e45680cd0e2cfe09edf41d91966c6f79c9bdee2c63c274b6d SHA512 c2be9f259bde0e52119f2a1ebc4d225a88abe0498d26d89d9eb8eaa52b4c5c35de79de6d4637fd75fd660e5f6d7fe05d4d7d7ee1af85129f91248b94dc470dcd
+DIST genpatches-5.10-11.base.tar.xz 343372 BLAKE2B d844a4ce292477da26bc02743916143cd6851b2ba85229ed37361213580b47b5386f260bde7cb77eb5842f3fd1022b6af64d47dcc3fcf2161be8157380e082bd SHA512 069efa3d348d8a7601c6bf37ec92e3efa692abe4a7ca5dc4bfe30fb76f1b7fe8daf1a0f237d60dcf66a0815e909ac77cb1cc189d46f6fb4884a260f30a4af48b
+DIST genpatches-5.10-11.experimental.tar.xz 17520 BLAKE2B 657af869b0c897695834caf87dd99ff4b95358a081b08dba7b3c4c7dcd61f6d1f7fb9038e4ff093bfa26373dfbc81cfb69a674752d067acc043dea05d3d8b820 SHA512 57ac770e33f1f56f66daa1a6c1d2b8fb6104642d3ab21abacfca8bdb92c945d2aea64a3d383d72a19813621ea086e6c0f1b3aae4b918a9d9f1d21581a4fcc7e2
+DIST genpatches-5.10-11.extras.tar.xz 1772 BLAKE2B 8d4c4b94e9bd7c585f56038900256b3ec1ae721b4ed7adb326f393094e5c8960575efdbe2cc14cd219ae0a69cdde5c626d6983741e3f13a39bed3e85f3eb7060 SHA512 90ce771ad84ffbeaeaff6a2827577fc9c9113930dc4fd394300e1a971cc205a1f4805404e1b356dc36b373bfcd9daa95de7a364144f0fbeb0f923209946635fe
+DIST genpatches-5.10-12.base.tar.xz 354672 BLAKE2B 4c92a3c4d144e7abb130371a5d12e839d280789b2c44e97fced3a35d25fcc9b084c3e3e8832fc7670a4811da7026963a1c498a0cb2c44cd325ab13aa62a3d142 SHA512 7ee954e44305b4276717aa4a1198ea036fdd1f18e17c95fb0c5e8070acf390c1644dd0499d42ed1464fa7d9cef8d90abbeb6d0e0448c2fefd5a655834a5afa5b
+DIST genpatches-5.10-12.experimental.tar.xz 17520 BLAKE2B a67d4e2049278f677004813fc1cc144e4e84ae58e6a52bc41534a7794a2a52bbffcaefd91665a6c91cdf47c445971e756063833792c0fcaaf6516c61c3f1b93b SHA512 8b79c3056dc5015bb7219d7eefc13ebdea1a70f8d970f16a5eaa3b32d63ac25575fdadc9da627be92f457f23824e0a2be8560a8dd1bb69cca692c4f69be10d84
+DIST genpatches-5.10-12.extras.tar.xz 1772 BLAKE2B c219ce68835104664a93e78e57c5bce67a3d654666504ae38fc5058d6f8df67c9e37941f549d047b446061f54928230a384d813b4bde2508323facef6502bc16 SHA512 3b2b6ba233226f9c0d54d1dbcbd36133429dba1e0bc7a355fb0794389fd729e8ebcfd1789c4b79529ca4bf48dc50d7b07c1e167ff19d837d67296f36705e7db3
+DIST genpatches-5.10-13.base.tar.xz 407940 BLAKE2B 21566164ea821e5ee95e4b4583395625384347d0e8440b29fa71f4b63365c5481dbb683c84818a5379242a25a59fa85c3caf420be3e6cb8553a43834dcdbfb94 SHA512 0f4e5aa39cc8dd6f2cd62fe5293de1d9fa5a0f6e0dd6da9af52ad68ee8318f995d9095df65b93d6e15994227feb87b5bbcf0403ebe774141045b05bf239dab86
+DIST genpatches-5.10-13.experimental.tar.xz 17520 BLAKE2B 0f3241b311dd4c58e707f313395b56030a1c4f5b5912daef903de47172757167c53dad2236cbc69598d9549fc369d6575508e7a0553d1ed3d9581b5ddd020007 SHA512 383cbe2fad5a4453ff603e41f10fd7ba4b68b7529e92eebb7977888d9d822133815f1bcba7ae5902f7ff70cdc2997e3a1a023f07847fe6604ee386ef0b09602f
+DIST genpatches-5.10-13.extras.tar.xz 1772 BLAKE2B 29357a93bb6b4e34937e6655bb8cecc4f57edea8a7e7a903dd8196c6f075b27e2b1176a56a998777c850994c5131a2a57266a7fc579a25fc43db9c9aac4dd80b SHA512 e9ed41cc3b81ae7e76fce6bd6df271eb354110252da85e7e90c4d08816babd1262c5c8fbb62fe56dff1fde712abc35ee40c67f9f04e3541920eee78b32074928
DIST genpatches-5.4-82.base.tar.xz 2792480 BLAKE2B 39960646116f5f85ee657a29557d8fd9e809ae9bc60aac349c91e7680f2a0565800ba37a478573098dbad41b686336a058985d2925e5046fa68eeaea8df25477 SHA512 6a76eebd7178e2ccc522477f53c36f74e6fd691f87c547dffa2602a516ad9a6a01f05c953e12bbe6ba9aa2ce34b176a6a081a22da40c7d86855e5dfc34098059
DIST genpatches-5.4-82.experimental.tar.xz 6704 BLAKE2B 4dcaa6977e25a2d9327d043a15115eba34a802bfa80d532ff2ae3c1495a861d4a4a85ad102e69558d247ae9a0effbf4628e8963f435b949eeffd35f735ea49bc SHA512 4fba72e9efc3dd11fe934be4820703f2f8268c5479dcdae1183104a6b1c2c22715b4529d6e8a4f65d8e46d52b12ab47e3d2eee8dda038af5cac7b799263e84d2
DIST genpatches-5.4-82.extras.tar.xz 1772 BLAKE2B 8eff7ca01490badd5dad15497f77bf43c268ccb494db9eb4c18f4f59219f1a5d79ef2a6f35caee87e3c423b0fff1ef94a6d6477e5074397f78e4bd23b9c40d95 SHA512 bdcc7eb08c1cdb599e69b254f55685f7beec83f256518d42c31d0df9a4e1c6376c184145ce47d28e0b688d2166e139445ef5f9f284e817ba9f37eaf812852a88
-DIST genpatches-5.4-86.base.tar.xz 2842360 BLAKE2B a5056a63d5c63621f0b728fbe7249b63097006a62892d4f347202327d17c1cd8e5efe5f7f134be2f01e2020e1628fcff37f9639b2fbf84f451c2b814c65c9257 SHA512 509110cf81bdf0e28dbd7affeac89d516059b50e368c4b75b70596c279b972f66cdcec430b577bfc22fa0251f2502c03b01a4dd325901654d921d908b2066f0a
-DIST genpatches-5.4-86.experimental.tar.xz 6704 BLAKE2B d5f14f25c7459927b95e6fa3b0d9a2214ed7f467ffa98b4c0ab9fd4aa1ecaae21b0c090ac9a5542fbe59ab65f53a55b33dc91dbfa3fc976d5b74bcd783c740bf SHA512 d324085eb4385afdf58252f9919461e85cfcd45464957f012d0a6a798656fddc6a738b755b4d0d9e427f06e76d07050b31010ff416e15a248af186088477d69e
-DIST genpatches-5.4-86.extras.tar.xz 1772 BLAKE2B a5efc07916c932bdb150744f7675d4ab255c62563a2b88798cc3c9b7aaab21a06fe4d94fdd0ee49de48a2f41460fec8610613ea460fd5df5df50578b12d060cf SHA512 39a4effcda32cc194daeb3d9429bd857cbbb803079d40f0968a0741ca3f753f22b27084eaad052d8c9cfb8aba3c01e37b91930e33dae08e2a8e9f74cd7697cbe
-DIST genpatches-5.4-87.base.tar.xz 2852988 BLAKE2B a8282ba7fde85ec400b85f1cc2263f7abdf5b518c451fd63c4e878a203c81cc26974cc5c9d324ed289b78d2059ab97a68b8b10a6cfc212db760aa8fbea57cf27 SHA512 1a989b50f901ea09abfa884efa353c102c5b7c143d224f0360b6460d4f8faccb4e1cccc9a6cdce54ff7ddc5cc9f6be725e8e5714d60ab23acb59435859f17ae5
-DIST genpatches-5.4-87.experimental.tar.xz 6696 BLAKE2B 0719a6fd2cc4918789a5894e4a943b472bc41473a6f323b9e225725447684a6753fa6ed3fe659222ead5131c6479d5bb9543b6c9d6b7e39c189cb0b37d644a54 SHA512 05373823fcc9e1db0e6e54386c34d6fe728c08413af0e6fe842b6fb4b2b4491ff898320f2294e7641b17c4afb9b5ef82ba3b9d2710bebf5bd8adb413beb347e9
-DIST genpatches-5.4-87.extras.tar.xz 1772 BLAKE2B c7a99559c06cbf8e2cf217655b5003bdab13127d4e7e93d5b67e3d83c31dce3ae6cc1ab6de7adb62c51ff6a91c2d2c4efff1377f7bb516ebac552f398e22df6e SHA512 c57ae9f86e050eeb929358fe1919213410b089d774c521ca2657fad7a6d8da221ba303fb404bdc303526ad6a0a9434c08ff7691454736fddcae2fd978cf506d9
-DIST genpatches-5.4-88.base.tar.xz 2936760 BLAKE2B ef7a26374e0602b3f2e9fff948829dbd756b8edc1ad833cafa49cec3af5cd771dc52777af079ef7ae4f7362453953828c1a7565823cdda0c9d0b4b0d74a57f94 SHA512 4f2bf7e63820df6c616a6122c8dd6812e056fc85d023f708f5f9a0f856ccbbcd4e3aeb3c1247d8ee2650e2d96b0c86c99de5b7d53e8117351d4378198a4ea52f
-DIST genpatches-5.4-88.experimental.tar.xz 6700 BLAKE2B e115b8ed51a63aad7c1a090e3b7dc427abae1d4bb636d2118c75b28a20e3a7eb4ef28ef1017ceaa86f4b0c22b560a51d27f29e5a70c7ef6b50dcadea3a1ba076 SHA512 887c99f106c64645184b6841155ece11a21a6ab24d43e6c118fd6d08d25c58888d5d59bd637630d5c5beb84fda5272f15e9e2188b95efa746af5811c87756948
-DIST genpatches-5.4-88.extras.tar.xz 1772 BLAKE2B dd72b20e1fe7f1b5f566c3d588d24cdad04e40d0270c9be60dd14c07c6a4ec9760dc57dc709d78bfb8d91017b6a4d6bf4c45a65dc019e9eaf02e02a56133f145 SHA512 f4e449986ee4c90ac79234d14e0e336d2c8cb74589ad6371067669f94041ee3b848848d2498d27da57ec71b050079f5338a87111af6f8edb3127698d0a39b478
-DIST genpatches-5.4-89.base.tar.xz 2951348 BLAKE2B addc79a7135166b1f210820ccf6ccdc87c6177b71b15a0e0c9338be28cecb45fce0062c3b8d9e704410f1140ab6984d65c8aa9b49008008264d6cb6c7b0b2ba7 SHA512 13755cd0ed2132538272d0fb22d358be078c9838984ec8e5c8e2f45d06b0b09d7e8cf744cbbba25071923dd43e6d6eb6afa0598cadf3a24f231a6b9dc5b8ca43
-DIST genpatches-5.4-89.experimental.tar.xz 6700 BLAKE2B cbf33b95013bef60590a59b08e93a68e834ff32ffef4738a933937b69a5b4bba1d7275d66c5350e40bc1e5b3345bd487ec96d92f198cf023064cbb07f91ba42a SHA512 f0cb4c20ef27a928629002f205319f783625ac19a688f26569750daa5b69d5f0ed73d821ca59c884d9d37ec6d1c433324a08e96193d60a2cc8d9f9f520ddb869
-DIST genpatches-5.4-89.extras.tar.xz 1772 BLAKE2B ef78f0322ecd34026b6b3a4849032edfb10673613b9ff69ee62b05cd175779d19873712942a728100a28a5bd73b0bd601b94101dccad9d4c7f80b2b044f8e3a0 SHA512 5f1165b201ffdb5bb78e84be19f81adfaf5784adb152f2110a24bc199c933e6de81a3e9a27341a61820245130c7b9f109817580d6a1459b5f22328e8cfbc2ed4
-DIST genpatches-5.4-90.base.tar.xz 2956112 BLAKE2B e0ba7a4fed329f452cb754ee4fcd2578a544dbcd7fed57a66cd6a825c4dafcd70d23c4d9571a7ac8de14794ba505816226e5a2b06b8df5d220d4243926edd800 SHA512 bd7fff0edf1635b2de08893a3e1ca5147a86574d87c33c3869c506e232b8c53add688357f7ef2a790185c2df73366610ee5ddd46fe1d88db16c3fb9f43c0a6ca
-DIST genpatches-5.4-90.experimental.tar.xz 18084 BLAKE2B e69f9623435aeb845f1f23609dc80c70f7ecc87857334aac38ff55fc5e484296ca1b3d3ac61c28f5d418ac3411b965c7be0a74b8f625dbf388c959be8330eaf9 SHA512 79eebfc4248724b76f85e13e795388bc4d336df94e7dabc1175331e71c053603e81bdfb207251599a9f99ca24398fb8ebf2f57871ef8519085715f031202b20a
-DIST genpatches-5.4-90.extras.tar.xz 1772 BLAKE2B 557c305f86b0b6d5a93c1ca2da7751362f55d385cb4f57df12f15258d5cdcb1a0ad2c99c9ce53ba89b6c27abe761d5033ce54fa97ca6eaacbd845244d6b20d8b SHA512 eb2fc3f76099bd504f8e0cdf3c0aca60aa083b5c055e06fa2560e895278aa7d32f518ab2e671f9d0182e713ec6807552843448a38d633a4051b926ae4fd2adc4
-DIST genpatches-5.4-91.base.tar.xz 2975372 BLAKE2B 6385731a166348210c96f8ad6a8134e5548eb482fcc3a0b40b4421c88c1109bd302f678adf5bc0e5effc574a8574f40e90012bbf31e5087cd0db4f0e8183fd0b SHA512 77b00ca6b7956801b78687c356d4c07320ea5d291c3534c4dad5de2bf9e14ad948050c51191ba0943fdaefa66594acbd6af96ac87f101d205568a5071efaed55
-DIST genpatches-5.4-91.experimental.tar.xz 18092 BLAKE2B 22093a71ff96573de34bbbb53609723c544b110dd501878828b046252926e89c1cf57a1701c4790ec0f38d4e82561e723fd0a33ee7078ae570bcd1e9aa9cca91 SHA512 488e6ecaf7b87ec7b1d0b6b652355afef6e7abd425798421066a69816b8fdd5f5f990769c892dc56132c8a5d3f7ebb80e7c16eaf9fc85a4e8933361dbe113a9d
-DIST genpatches-5.4-91.extras.tar.xz 1772 BLAKE2B d7440a80cd6d994cc853f54f5f4c4708f203fd625b99c9b9431cbecc2206dd335f0710dc6364b658e246eaa8e758a65bdb6daa45cd795f06a6f963853a7be04d SHA512 63317305324b862fdd70bb2955504795d4764f9e90fb74953d40ecd8c0201114b1bfe11fea96a97471011b35d72f16234de7c0540f466e8e510a69e7047e3ffd
DIST genpatches-5.4-92.base.tar.xz 2987648 BLAKE2B ffdccfc93b1b759494cd3adf2496e2074e847c46ec1c9dfdab32d3a7dfaf5a334df0391ba7ccb35250c562a529df8ae2784656628e110887b593536ac6b0d3ea SHA512 d2c08ecebcabaeb658407626c71c98201f86cf6510c4906b37f45d0f9fd6677b709fbdd9a1ce16622632c9a2e72a11d93463bdae62c5d8d0655c999223909e51
DIST genpatches-5.4-92.experimental.tar.xz 18084 BLAKE2B 8341edc51d259311407055d080b7759b5895c7899724ac19f49ef18115a6eaf0192606fc8b63edb37770e8daed75e3d69d9b0395238a1ae3b1da391af2f6c39d SHA512 4d77cf39d5bc8dba49c1a430b4f0e5570db24e7f91fe3bdaf9661be98432c5b8bc492f3ecc24e4495c880601fa563af2dc538684ce3c31daabd31fb55a253ec2
DIST genpatches-5.4-92.extras.tar.xz 1768 BLAKE2B 41cca01e9893db97ab1c7bc920d3240b3aec6207ff6516b346a87f24b47811077d7bbbdca49ed267238af4f5eeb2e8e0de03c946fb6f3784a08bdde348a5a64b SHA512 bb88a3c13a4335b93eb1ded903696e63ffa87b0a1dc587f464335fe077623abc36831fe514f33737960328ec765c5c0bf5489e84dff3fc6ae37ab2e1cd61d94e
+DIST genpatches-5.4-93.base.tar.xz 3001024 BLAKE2B d5f3020aae1a920a076457cf28ae640e8ab7387652a61db3d631a3494c5cb0e8706d92debb6356768fea992679aefd4bda6d212a9918a714740439811dd3ef6d SHA512 420512b65e20f00fcabf4d122cf5fd166a6cc196a77451f8a06b333ca2cdc189c38654333e565cc555b1f3e9745e9c4b188b98648cd57ccb395ca1259675e4d2
+DIST genpatches-5.4-93.experimental.tar.xz 18084 BLAKE2B be9a54735db9f489daf3d739edf8ea52d28212400f70635c480debe46a47b029c2e364a83be897c28a013539ed4340cf1730daa1b2aea862a11bc3435b3e7cfc SHA512 cd61fd88df270a49fdce6cb4362ec4aa73b101fb26a83a5a0361133775702a59c9c19abc5ed201dd697054bca66d233f0289d0174abf663de8f18a92baaff301
+DIST genpatches-5.4-93.extras.tar.xz 1772 BLAKE2B 0ad1eff5f82120235a1f326176beeaefcf7aa547eecc94ad103a5be1701dd922ae0309431a10233c0df5bf63c5ba970bdec32e6ca782965e369be2fa5a4577dc SHA512 b5415fe59ba41d60a46e0c123abcee0bb72b5a7d7358789947627ae086c7391c09f116a16c32b2475c278ea14d7275932046d686aa4a849942cbf64440506c92
+DIST genpatches-5.4-94.base.tar.xz 3006280 BLAKE2B a8130e4be0b40fd0c82d9da6c3f42d3e45dc0119b7a981a62b0577e16cb73ae7edb76b407ecdaaf0bd53a118164208529d9bde3958c9592cedb3ef04815e64e9 SHA512 bf4b59da586a4f5f4a03b40273cbb6d5e9e49273c9c15fa2d3dd7eb002c0c24db895fa3987c93268c1dbfb1402197192f2f2c42b22f443a50089ce26d0f721a2
+DIST genpatches-5.4-94.experimental.tar.xz 18092 BLAKE2B 9f404c2ec62147ad30cd50c3d47727f254fdf3fb6c291a4c97ffc4ca260f979cde0d907ddc27fccd013dea871016fbec70a8cd21da86ba1422d9bcfcfe28b9fe SHA512 2496144bd1b7210290837c88c63b5ee648fb935deae76354101097f30ed2e50a02ae666ba9451aa8c658999ac72fd52c0bf3091348301093aa7ebf74a271ab7b
+DIST genpatches-5.4-94.extras.tar.xz 1772 BLAKE2B d7f9cbdd2739ff180d7fa1de7ae24f9d0beeed259b00b0a67e6a3e9dfeb7a2e7136c0682af7e50491fa9010ea3e3e03a37cb8eac96047a4d4e58177d64caf72d SHA512 eee973e296444e301a6d9f59e82e39b2d2b1aa6605fe62c54a3710f300bad9e3b3a13c14f16f357a6c8775c50b47d390f537f15030c4fb08a6d81e5ba4008f1d
+DIST genpatches-5.4-95.base.tar.xz 3022876 BLAKE2B e935ec5e2cacf478fd8ac2f343d0e582cceddf811ea4d87d5518b946b8b0501e7aff29d406407d3f0d276ea32a616f022789ee1318b282c6fd77b3aaf0d64631 SHA512 4e87014b78683372d525d6409c5c038429423371a1369f2c3b1455e53f5360290dd323ccc24aaeeb4a9e66452e9c87dba439c75192b77e4fc7bc888bc1c4cdac
+DIST genpatches-5.4-95.experimental.tar.xz 18096 BLAKE2B 5e37e20fc56f19d06ca044028507115a61d322e0cc4b31919824052243a23a1516077c0744d1f8377fc4d44b091fc0901714ec34f469a5a93f3364d1994943ed SHA512 3bae5d5b4844c2cf9085cd060c217ed249ce1476a1220c531bf1ffec3f88612bdc34027946fe9739ae8a6ea06677c75cdd5d491dc0475b41f0c18f5c085c024a
+DIST genpatches-5.4-95.extras.tar.xz 1772 BLAKE2B 29c822d815b565e99441f122bb978db211288f69ec3e3795e2555aa58cc3d2911debaeddcf202ce7be335771310589548a9de82d0500982894b621d0f773d7a3 SHA512 860978d98d7715b1359e0f3e47a0369ee6ef9e1cc4fd4201ad879dcab0aac644f6a951875643ccb70d31b6dad8b23d0b4ca7b32e50739bd87499760829949749
DIST linux-4.14.tar.xz 100770500 BLAKE2B 85dc4aa953fe65e273a24473d8de98e4f204f97c43be9fc87cf5be01f796f94cfde5c8f9c84619751f1cac51f83ce0b4681fb19c5f2965a72d4a94fe5577846a SHA512 77e43a02d766c3d73b7e25c4aafb2e931d6b16e870510c22cef0cdb05c3acb7952b8908ebad12b10ef982c6efbe286364b1544586e715cf38390e483927904d8
DIST linux-4.19.tar.xz 103117552 BLAKE2B 1dbf16cf410867412d17568fe42bc1e90c034183b654d270b650621ff7664a321950943d0639205bc1ee7ef6210be170c1f2c785a042ed8a4ec5e3a486d890e0 SHA512 ab67cc746b375a8b135e8b23e35e1d6787930d19b3c26b2679787d62951cbdbc3bb66f8ededeb9b890e5008b2459397f9018f1a6772fdef67780b06a4cb9f6f4
DIST linux-4.4.tar.xz 87295988 BLAKE2B f260f1858994f5d481fd078c86e51bddbc958f7c5d1586f60dced772e1b1107ecf3aae0558c3e6f39c36f7d3aa1e6cd1e5c64ec9d6f2218f47b98413da6466fb SHA512 13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.14.211.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.14.211.ebuild
deleted file mode 100644
index 661b8d4c3137..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.14.211.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="221"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.14.212.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.14.212.ebuild
deleted file mode 100644
index 6d51c99dbe84..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.14.212.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="222"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.14.213.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.14.213.ebuild
deleted file mode 100644
index 7cc2cf7430e1..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.14.213.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="223"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.14.214.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.14.217.ebuild
index a0f1ee60b41b..879fc627bddc 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.14.214.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.14.217.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="224"
+K_GENPATCHES_VER="227"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.162.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.162.ebuild
deleted file mode 100644
index 0e20d16a8654..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.162.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="161"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.163.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.163.ebuild
deleted file mode 100644
index 65a8a46399b2..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.163.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="162"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.164.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.164.ebuild
deleted file mode 100644
index 08bb01a52cee..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.164.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="163"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.165.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.169.ebuild
index c54395454d6e..f10f4e927f86 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.165.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.19.169.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="164"
+K_GENPATCHES_VER="168"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.166.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.170.ebuild
index e9f62dccadd9..2ebe02a94adb 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.166.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.19.170.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="165"
+K_GENPATCHES_VER="169"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.19.167.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.19.171.ebuild
index dc0c2991108f..8bc4bab20978 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.19.167.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.19.171.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="166"
+K_GENPATCHES_VER="170"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.4.247.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.4.247.ebuild
deleted file mode 100644
index 635f5610488d..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.4.247.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="249"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.4.248.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.4.248.ebuild
deleted file mode 100644
index ebaabbdfda1d..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.4.248.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="250"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.4.249.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.4.249.ebuild
deleted file mode 100644
index ddf941762081..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.4.249.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="251"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.4.250.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.4.250.ebuild
deleted file mode 100644
index 2cb7c6bad0f5..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.4.250.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="252"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.4.253.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.4.253.ebuild
new file mode 100644
index 000000000000..4856aa05c1d6
--- /dev/null
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.4.253.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+K_WANT_GENPATCHES="base extras experimental"
+K_GENPATCHES_VER="255"
+
+inherit kernel-2
+detect_version
+detect_arch
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
+IUSE="experimental"
+
+DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
+SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ einfo "For more info on this patchset, and how to report problems, see:"
+ einfo "${HOMEPAGE}"
+}
+
+pkg_postrm() {
+ kernel-2_pkg_postrm
+}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.9.247.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.9.247.ebuild
deleted file mode 100644
index ddf941762081..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.9.247.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="251"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.9.248.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.9.248.ebuild
deleted file mode 100644
index f3f529cdadc1..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.9.248.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="252"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.9.249.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.9.249.ebuild
deleted file mode 100644
index cd43e3fd18c8..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.9.249.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="253"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.9.250.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.9.250.ebuild
deleted file mode 100644
index 909eda897d23..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-4.9.250.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="254"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-4.9.253.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-4.9.253.ebuild
new file mode 100644
index 000000000000..ae2e976eace7
--- /dev/null
+++ b/sys-kernel/gentoo-sources/gentoo-sources-4.9.253.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+K_WANT_GENPATCHES="base extras experimental"
+K_GENPATCHES_VER="257"
+
+inherit kernel-2
+detect_version
+detect_arch
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
+IUSE="experimental"
+
+DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
+SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ einfo "For more info on this patchset, and how to report problems, see:"
+ einfo "${HOMEPAGE}"
+}
+
+pkg_postrm() {
+ kernel-2_pkg_postrm
+}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.5.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.10.ebuild
index a63072715cde..56efe9fc96f9 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.5.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.10.10.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="7"
+K_GENPATCHES_VER="12"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.6.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.11.ebuild
index 36a2286e05e0..e9b97bd5aeb5 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.6.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.10.11.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="8"
+K_GENPATCHES_VER="13"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.2.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.2.ebuild
deleted file mode 100644
index ed268766401f..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.2.ebuild
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="4"
-K_NODRYRUN="1"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.3.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.3.ebuild
deleted file mode 100644
index 395a65af17c2..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.3.ebuild
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="5"
-K_NODRYRUN="1"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.4.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.4.ebuild
deleted file mode 100644
index 5ecc00b5ad78..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.4.ebuild
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="6"
-K_NODRYRUN="1"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.10.7.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.10.9.ebuild
index a041391eb57b..b3115878befc 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.10.7.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.10.9.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="9"
+K_GENPATCHES_VER="11"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.84.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.84.ebuild
deleted file mode 100644
index 5cf3edb685f2..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.84.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="86"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.85.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.85.ebuild
deleted file mode 100644
index 56c231afbc8e..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.85.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="87"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.86.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.86.ebuild
deleted file mode 100644
index 682b6bc6bf26..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.86.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="88"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.88.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.88.ebuild
deleted file mode 100644
index 9c3c84e84233..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.88.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="90"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.89.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.89.ebuild
deleted file mode 100644
index 4eb39c8817bd..000000000000
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.89.ebuild
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-ETYPE="sources"
-K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="91"
-
-inherit kernel-2
-detect_version
-detect_arch
-
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
-HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
-IUSE="experimental"
-
-DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
-SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
-
-pkg_postinst() {
- kernel-2_pkg_postinst
- einfo "For more info on this patchset, and how to report problems, see:"
- einfo "${HOMEPAGE}"
-}
-
-pkg_postrm() {
- kernel-2_pkg_postrm
-}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.87.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.91.ebuild
index 2cd780b3b776..46d0bbb4d5d7 100644
--- a/sys-kernel/gentoo-sources/gentoo-sources-5.4.87.ebuild
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.4.91.ebuild
@@ -4,7 +4,7 @@
EAPI="6"
ETYPE="sources"
K_WANT_GENPATCHES="base extras experimental"
-K_GENPATCHES_VER="89"
+K_GENPATCHES_VER="93"
inherit kernel-2
detect_version
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.92.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.92.ebuild
new file mode 100644
index 000000000000..5e1e5cc45049
--- /dev/null
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.4.92.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+K_WANT_GENPATCHES="base extras experimental"
+K_GENPATCHES_VER="94"
+
+inherit kernel-2
+detect_version
+detect_arch
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
+IUSE="experimental"
+
+DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
+SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ einfo "For more info on this patchset, and how to report problems, see:"
+ einfo "${HOMEPAGE}"
+}
+
+pkg_postrm() {
+ kernel-2_pkg_postrm
+}
diff --git a/sys-kernel/gentoo-sources/gentoo-sources-5.4.93.ebuild b/sys-kernel/gentoo-sources/gentoo-sources-5.4.93.ebuild
new file mode 100644
index 000000000000..f77c5f2a22d7
--- /dev/null
+++ b/sys-kernel/gentoo-sources/gentoo-sources-5.4.93.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+K_WANT_GENPATCHES="base extras experimental"
+K_GENPATCHES_VER="95"
+
+inherit kernel-2
+detect_version
+detect_arch
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+HOMEPAGE="https://dev.gentoo.org/~mpagano/genpatches"
+IUSE="experimental"
+
+DESCRIPTION="Full sources including the Gentoo patchset for the ${KV_MAJOR}.${KV_MINOR} kernel tree"
+SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI}"
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ einfo "For more info on this patchset, and how to report problems, see:"
+ einfo "${HOMEPAGE}"
+}
+
+pkg_postrm() {
+ kernel-2_pkg_postrm
+}
diff --git a/sys-kernel/git-sources/Manifest b/sys-kernel/git-sources/Manifest
index 25a0d245a18a..0ccba9bc20f7 100644
--- a/sys-kernel/git-sources/Manifest
+++ b/sys-kernel/git-sources/Manifest
@@ -2,3 +2,5 @@ DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a936
DIST patch-5.11-rc1.patch 74495974 BLAKE2B a8a7cae289cb1421597f9c69f07624259a828374de469c120e6c0c3b6857b3242012150fd70d982a994c99d04265ee0f3cf4a2e1c53e00e88b8a4c3a8c77b005 SHA512 4d582b28903a6b529a59b45f18d8b426090d876f90829a4560b07afd72cca9f3160413882d6168f9bcad3273a478b09b9a8dfe746ec9d4ab8cf42f4a7563c2fd
DIST patch-5.11-rc2.patch 74560270 BLAKE2B 1e4ac4ce26e20aa6b48c88af114f6303c6d89ce28b64eb98085ac24a2c7747e706ec988cc5dcaf2fa46f9589a66d721d7808ed39e52da3fffa6f24e2fa01df86 SHA512 a4b0145be9066e9602efe8fc7b6f57f71832b31d4dda9ae4368d0ff95aaf9fec7a238d6c2b1e91c31a4b88feabf41118513891384181043b91cda1211a40fad8
DIST patch-5.11-rc3.patch 75045235 BLAKE2B d159e9e4bedcf6838e0b81462b53445955e59edd266e25cd001d163af36ad56de06dae5496e14663db860805825402959189ce15a80bdb561134d78ff5616b5d SHA512 5fd19e81144ebf489d5a6833b95a21f94c8b0f8d66e85d1c94acdeba008f8705367e03c411c80a61c4c0df30ddfbadcb65ba835014dad6e79c130b756fe518df
+DIST patch-5.11-rc4.patch 75392493 BLAKE2B efc6b837641883d1ed7e165d5ba08a36ec85c3bfce49f4f8a0ed09d39df6ecf5844908c13a0bd2792c3dd2a57073dae211934f681482d3a04c0a3589a0776f68 SHA512 072cca3d9bc343b791278258102186646fb46f4808680c71cbe55ba3574448711aaa85b34e8f664a354d69d1665759c196ed37e23f1c0285851b0d2538ff173d
+DIST patch-5.11-rc5.patch 75678864 BLAKE2B 8f8afe6935e2d9616981a87c753cc517772f9b0e29d027518fda903f2bd068b0c376ccd668bab489b155875589962211a430880d44945d1faa6d53bd06b5deb2 SHA512 7665e1bd8c58567af774a85065c28a8ded29520eaca4b6ff367ab99a6ce26091e1097949baf23455b5d20e04b9214410dea3d3812b81e91701f6eb40a6d52df8
diff --git a/sys-kernel/git-sources/git-sources-5.11_rc4.ebuild b/sys-kernel/git-sources/git-sources-5.11_rc4.ebuild
new file mode 100644
index 000000000000..d3797acbcee8
--- /dev/null
+++ b/sys-kernel/git-sources/git-sources-5.11_rc4.ebuild
@@ -0,0 +1,40 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+UNIPATCH_STRICTORDER="yes"
+K_NOUSENAME="yes"
+K_NOSETEXTRAVERSION="yes"
+K_NOUSEPR="yes"
+K_SECURITY_UNSUPPORTED="1"
+K_BASE_VER="5.10"
+K_EXP_GENPATCHES_NOUSE="1"
+K_FROM_GIT="yes"
+ETYPE="sources"
+CKV="${PVR/-r/-git}"
+
+# only use this if it's not an _rc/_pre release
+[ "${PV/_pre}" == "${PV}" ] && [ "${PV/_rc}" == "${PV}" ] && OKV="${PV}"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="The very latest -git version of the Linux kernel"
+HOMEPAGE="https://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE=""
+
+K_EXTRAEINFO="This kernel is not supported by Gentoo due to its unstable and
+experimental nature. If you have any issues, try a matching vanilla-sources
+ebuild -- if the problem is not there, please contact the upstream kernel
+developers at https://bugzilla.kernel.org and on the linux-kernel mailing list to
+report the problem so it can be fixed in time for the next kernel release."
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ >=sys-devel/patch-2.7.5"
+
+pkg_postinst() {
+ postinst_sources
+}
diff --git a/sys-kernel/git-sources/git-sources-5.11_rc5.ebuild b/sys-kernel/git-sources/git-sources-5.11_rc5.ebuild
new file mode 100644
index 000000000000..d3797acbcee8
--- /dev/null
+++ b/sys-kernel/git-sources/git-sources-5.11_rc5.ebuild
@@ -0,0 +1,40 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+UNIPATCH_STRICTORDER="yes"
+K_NOUSENAME="yes"
+K_NOSETEXTRAVERSION="yes"
+K_NOUSEPR="yes"
+K_SECURITY_UNSUPPORTED="1"
+K_BASE_VER="5.10"
+K_EXP_GENPATCHES_NOUSE="1"
+K_FROM_GIT="yes"
+ETYPE="sources"
+CKV="${PVR/-r/-git}"
+
+# only use this if it's not an _rc/_pre release
+[ "${PV/_pre}" == "${PV}" ] && [ "${PV/_rc}" == "${PV}" ] && OKV="${PV}"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="The very latest -git version of the Linux kernel"
+HOMEPAGE="https://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE=""
+
+K_EXTRAEINFO="This kernel is not supported by Gentoo due to its unstable and
+experimental nature. If you have any issues, try a matching vanilla-sources
+ebuild -- if the problem is not there, please contact the upstream kernel
+developers at https://bugzilla.kernel.org and on the linux-kernel mailing list to
+report the problem so it can be fixed in time for the next kernel release."
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ >=sys-devel/patch-2.7.5"
+
+pkg_postinst() {
+ postinst_sources
+}
diff --git a/sys-kernel/pf-sources/Manifest b/sys-kernel/pf-sources/Manifest
index 110f81dbc330..0ee39f39c156 100644
--- a/sys-kernel/pf-sources/Manifest
+++ b/sys-kernel/pf-sources/Manifest
@@ -13,4 +13,5 @@ DIST pf-sources-5.10_p5.patch 3767157 BLAKE2B 7ea53839532d97225bbb95cd0e56c5e81d
DIST pf-sources-5.10_p6.patch 3863592 BLAKE2B 5ce92850e459f9ea9bdd19d4375f13a7554adbdcd3ed2b2c77c1e138c6cb508554ab8701398f77485f9551ad6422fd14e4f7ba708d607d9a107ccd818c42f560 SHA512 44398b4bcef521267ed4b9dc56281cff2587680498f68130361bab8de8bf164601bc95642493dcbb08eaf43ffca3b333ab2a12db825e7f52eb0171bb191bbaea
DIST pf-sources-5.10_p7.patch 4104263 BLAKE2B a53f381c255aa242955d7401496b5b21fba743c2a4d3d0c31a06d67c15806e1672c8910f165140ddc1aff6958e93d2871c50e64b81afeff50f1982bd854c9c19 SHA512 583f48a8fba4cc62b60a17a0274ada2f17bd8a75b16b0e9e27fa9536e743bfbba57c561a544a7c8b7a87e65059aa01e92259c9c55dc46544445d5026b06fcd82
DIST pf-sources-5.10_p8.patch 4232466 BLAKE2B efe977028da96031c2834af65fc7da943ad0d7d0155a54e614a61ae825672b147dca31491487c8bb500aac9db869e303d3ced6a30bdd9f6fdf4bf0a0d93dc9c3 SHA512 bf64e4a12627f5c0b39dba44f815d7a42758a9e0a79fb341c535ed2b64e99068c8fdc1b8e3ae6656e815280337715b2b19d084fb589a5c60a1e5ab8e2153e27a
+DIST pf-sources-5.10_p9.patch 4509136 BLAKE2B a0bd46d0e6f833849736da492e89fbc3885bf3b96db0f1cbd03525e5d60a2a8f224851f92c73f51224565ba27517ab3310af8b853fa03fedc55d8f035bda0389 SHA512 45ad1097dc270a347be598c053bc19d0a830f86e124e317c5bdf3682ed41c523ed80d277ae94ca6ecee247792254b8f16b9c9ad5c90288dec9ab6d4cb5f0d272
DIST pf-sources-5.9_p7.patch 3027972 BLAKE2B 9247ea63b30f9d42d79303b73a900d468a71e703333932f7f15ae697cdba52c46358297023e037226c219fad5df912fb5d21e6f4b7190556ca799fa84924480e SHA512 c69e14f59bf98944b3329c65b7e2c271d74a756bc8c890130bf3cc68b4b96d31f1c33c4edb128580fcaefeb6e42dd04b1eb3d7f071b2d58bc764d26322bda8cd
diff --git a/sys-kernel/pf-sources/pf-sources-5.10_p9.ebuild b/sys-kernel/pf-sources/pf-sources-5.10_p9.ebuild
new file mode 100644
index 000000000000..223e79a03a51
--- /dev/null
+++ b/sys-kernel/pf-sources/pf-sources-5.10_p9.ebuild
@@ -0,0 +1,66 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+# Define what default functions to run
+ETYPE="sources"
+
+# No 'experimental' USE flag provided, but we still want to use genpatches
+K_EXP_GENPATCHES_NOUSE="1"
+
+# Just get basic genpatches, -pf patch set already includes vanilla-linux updates
+K_GENPATCHES_VER="1"
+
+# -pf already sets EXTRAVERSION to kernel Makefile
+K_NOSETEXTRAVERSION="1"
+
+# Not supported by the Gentoo security team
+K_SECURITY_UNSUPPORTED="1"
+
+# We want the very basic patches from gentoo-sources, experimental patch is
+# already included in pf-sources
+K_WANT_GENPATCHES="base extras"
+
+inherit kernel-2 optfeature
+detect_version
+
+DESCRIPTION="Linux kernel fork that includes the pf-kernel patchset and Gentoo's genpatches"
+HOMEPAGE="https://gitlab.com/post-factum/pf-kernel/-/wikis/README
+ https://dev.gentoo.org/~mpagano/genpatches/"
+SRC_URI="${KERNEL_URI}
+ https://github.com/pfactum/pf-kernel/compare/v${PV/_p*/}...v${PV/_p*/}-pf${PV/*_p/}.diff -> ${P}.patch
+ https://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-${PV/_p*/}-${K_GENPATCHES_VER}.base.tar.xz
+ https://dev.gentoo.org/~mpagano/genpatches/tarballs/genpatches-${PV/_p*/}-${K_GENPATCHES_VER}.extras.tar.xz"
+
+KEYWORDS="~amd64 ~ppc ~ppc64 ~x86"
+
+S="${WORKDIR}/linux-${PVR}-pf"
+
+PATCHES=( "${DISTDIR}/${P}.patch" )
+
+K_EXTRAEINFO="For more info on pf-sources and details on how to report problems,
+ see: ${HOMEPAGE}."
+
+pkg_setup() {
+ ewarn ""
+ ewarn "${PN} is *not* supported by the Gentoo Kernel Project in any way."
+ ewarn "If you need support, please contact the pf developers directly."
+ ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
+ ewarn "the ebuilds. Thank you."
+ ewarn ""
+
+ kernel-2_pkg_setup
+}
+
+src_prepare() {
+ # kernel-2_src_prepare doesn't apply PATCHES().
+ default
+}
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+
+ elog "Optional features:"
+ optfeature "Userspace KSM helper" sys-process/uksmd
+}
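Review bot: SRC_URI fetches the pf patch as a GitHub tag-to-tag compare URL (`https://github.com/pfactum/pf-kernel/compare/v${PV/_p*/}...v${PV/_p*/}-pf${PV/*_p/}.diff -> ${P}.patch`) rather than a released artifact, and nothing in the new ebuild records that this is deliberate or what protects it. A compare diff is regenerated on request, so its bytes depend on both tags staying immutable and on GitHub's diff output staying stable; the BLAKE2B/SHA512 entry this commit adds to the pf-sources Manifest is the only integrity check, meaning an upstream tag move surfaces as a digest mismatch rather than a silent substitution. HOMEPAGE points at gitlab.com/post-factum while SRC_URI pulls from github.com/pfactum, presumably the same upstream under two hosts, which deserves a line so the next maintainer does not assume one is a stray mirror. Suggest adding above SRC_URI: `# The pf patch is a GitHub compare diff between two tags, not a release artifact; the Manifest digest is the sole integrity check, so re-verify it if either tag is moved.`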
diff --git a/sys-kernel/rt-sources/Manifest b/sys-kernel/rt-sources/Manifest
index 7a86a17da507..e938f560ef1f 100644
--- a/sys-kernel/rt-sources/Manifest
+++ b/sys-kernel/rt-sources/Manifest
@@ -20,20 +20,28 @@ DIST patch-4.14.206-rt99.patch.xz 239588 BLAKE2B bb1147d18a5e3aaddb6f00acca00cc7
DIST patch-4.14.206.xz 3995304 BLAKE2B 28b9577ee7bb1f0e935482023ea660f788f0aabbe0e3be743075cdfa4fe263c1d1c50e99a7f7a27fd670820756c5a8c60667a1687666a4b29df790dc37360481 SHA512 5382e138db14e9c6e053ac76ae3d3ce6114ebaf4d0b0588a297bcd358be8c60df35535cf97ac0ae62e9f58673a3ad3fd07de5c2ffb6f0a638624f05cea209bc6
DIST patch-4.14.209-rt101.patch.xz 239648 BLAKE2B bcf031dda4567960c1070a5510a77a8012aba378424101dd692709bca72d55d148b1ccdafd786fa5782335b47eae56b2f487d2cbc88ea20cb8ffa5a04ecec38a SHA512 3caa061e7228b270ed388c6e6c94714ce5c972ec584a6a97691458f9bbd01521bd1fc5207c41f0ad73b4587113d59a347439e1fea3b64fc1fafd8ca89e2578d9
DIST patch-4.14.209.xz 4032252 BLAKE2B 56b26eaa2a6d657a539e22816cafba817de6acde4b691114e86e3ac86dbfd5b43f4965733f86b47b6c5eaf627f6c3e521aa5ff586c472273259816c8365d3522 SHA512 1dee831b07a07db7b28d85018b4d31be2c98f606c8c56ce5ec5fe21bb5422b6d06325de4370bc5b2150662f2d78d631578e6e7d3c206743dbfbc270577adb663
+DIST patch-4.14.214-rt104.patch.xz 239668 BLAKE2B 15ae88e1ea0cd4744a691cedf8b6e013f5368fb200661480033fe1b7dacd414b2de79867bb65e0e0ef309ad537b7196830c5c20904ca144e2814067ffa493024 SHA512 2d082c55d0432d703a61c170b83cc85ccce992f97e231a270b3b27482b80623ac13989f077c645d678775b38bdbf9076ef97daf5f820b1a129c0ad30fc913031
+DIST patch-4.14.214.xz 4091072 BLAKE2B 988dba7a74b48e50f344021ae091f1a9f6b31db3766a1f2e912c29a8fe3d772f798bf313537d9c28fe946d2f8e092fffc13c86d8d7c2e3bbcf78628465fbaaff SHA512 8ea4cc08bbca884871140908a764153bbc48c1e8226b6a8991516554f6ef81c776eb234571fdb28f316306d412d5531cce8617948a3995853c8f914eb909f497
DIST patch-4.19.148-rt64.patch.xz 166984 BLAKE2B 9697dd9c551c71a5727b9b6d8fcff6d8dd828f8c385e9d5f0e6254ac20132677787e9ab111e25be679e1b73f345683f5c4d78b99c24b8f92ffa3bb8176195131 SHA512 e73b346f0b89aa0c9ffcf7e525cd7505bbe4e139760e7ac9b0f85aab82e39ec7ae3191bf81642587b338b6f325f91701f0136f03d62262ba839effe6371f2ec3
DIST patch-4.19.148.xz 3434156 BLAKE2B 8737101044c2dc5400b64c61f9589a10b0af3eb862cd439098eeb6d2cd0645676f93093549494584789e38786dc19d1843fc5136187797abe6b3bd6713aae721 SHA512 a8790ae1925d1622f469e975e5da3baaca6204d324f5c981159d19011f77df51a600ea76e1d6da6f2bac6e9c1c2cf1b64f0df5e7e288800ca7451195be6146a7
DIST patch-4.19.160-rt69.patch.xz 167252 BLAKE2B 6de67d2a8de6ad7151c82831f143046b7b9f1602f83c1db13a063ca92aaee224b6e3601e54542fa88275f8f860027d613950f2e63969ccb1e6868f4c1f724f8f SHA512 5405b41f78d8d38513ce5608fbc16f5e93e3028554cfb103312806eb84dc60f9cf56c415f7b07720abc6dd36a4e05e975039b5a57c1bfd2bac97f679fcd02b09
DIST patch-4.19.160.xz 3638736 BLAKE2B 8a31b8f6b4edcd42d1947e7f04dc8da0447b0568e9beae767c446b0aa5c0bd1f335a5feabc31de5ac659560a61aba91e77e6a243bea037bf83f5b4c25aeb52c4 SHA512 beb8fcc81a595c50bf2168624aed651c2d7b30c7ada6ddfc8585db1e5d477c336e7c5334e137350405f2aa1e3d4e21950d0e47de4fc58ee5542eae942c7ffb55
+DIST patch-4.19.165-rt70.patch.xz 167252 BLAKE2B 3bd01ae7eaf3a3ae5927b3707ebb8955fec6617b67c4385a8c4f9275febf95995bbffc93c64ce46b3bf63d4ac08b0ffa7939020ab79aa5cd220cf10dc5eddc7e SHA512 0e377013088227516b04152fa8c616c91742d8e7f8e390dc2809f87db3dc5dc2a5b30a92c170d4fdd54fe1e351153acb309745246d440474ed52cae6fe483b9a
+DIST patch-4.19.165.xz 3718612 BLAKE2B 3fc93a4ff91ecb802e1f9e40858701a1bbb80a08a5c49efc90c6f867872c970504dec6fd4f32b9dc7e9bdbac23b42e579b1d7b4651928b0348faafa245b45b26 SHA512 0de845f4768fabbc796b97223d79b3be25c8c3dcffcf1948450afe11c4070ac16aecdcbf6c17020dff5f88ff5d198c956f8357198ee27eccf994f81ee4a08260
DIST patch-4.4.240-rt209.patch.xz 195156 BLAKE2B e05926078feb42e2ffe399322f5af983c65cde172b125e9d48fe6c48fada9d3574306b82e584a74adc2375cc666a45e0aa820c94b6d88489a3926538335fb301 SHA512 1396b23ac6e354d9b98edf75aea6c8000b059c4249ee391829179e88852152780c23087b814b550c184940cbcd236dc2e4b43ff13c02e8c1aa04a1ea124556cb
DIST patch-4.4.240.xz 3341984 BLAKE2B f4f2cb343e399236a93bbfdc5b9bd033bcb5fac99aaaa3f23bedf2b9e5f00e21d82b741dc4005dbb088da1980dbd4e671c5627bdf87c6c61b9981f442d1d83d9 SHA512 b45fe43ac354f2bb70db06948b3ddc8555f28bcacfdd86534482ae379654f91008fbb03c65ee3850d117b2d7b2f655d93352f08b7c289c0142e5fd584b7aad06
DIST patch-4.4.245-rt211.patch.xz 195108 BLAKE2B 223b00f7560a0ec71bae3a2f271818a3a8f26461d224b32e037c385a7c78dc5c2aa2b4444d78b1d8cdd2dc6fe39fc1a0bb282ae8857b22258fc6cfbe25170aec SHA512 7c4843cf2863c38fba5b039c3d55b709984911e0b768ffa65cca85a7becc3b1d2ea72b0c6282003b27aea506a86209defff42eef2780aadfad4110bba8fe6f4f
DIST patch-4.4.245.xz 3395688 BLAKE2B fe64d7e839cc5e2113322b2084d289f3f1ff64833e05e7053285817b056c7303445939952299ebdb27a7b7c1c8417f474cca5201b75134fb90da1ab55d808a77 SHA512 85bc54f20b59cca9bb8549e00a58c065f9f990ea2ab0ebc78f10c5c3accc37473aa26cf69239aee282e9c8e84df4d6d13888ae8b228e81a32cb2227a49f984ef
+DIST patch-4.4.249-rt212.patch.xz 195172 BLAKE2B a2c8dc6946f232068030c5e4d58dde55610a797b971cf4d7a60552d83a60861d3329c86d59673fcbea15aeecf8d2e479278588981db63bc2846ce36756a28169 SHA512 52e2b2b79882e4667957a323df4010fc35e69142baa9f1c84480a3beafd7c9eb6ce927887d2d825dbd360ef8d35ed9d6150ffb4cb863b794c637b7df53d713a2
+DIST patch-4.4.249.xz 3426840 BLAKE2B 80230e488bea4899d489ca1710b487e59c13668d46850ef7418b85c8bad3adea382a07672449d7ecc2b16e23dbffd6a25fd2616faab0b30965216551b75ae42c SHA512 5fb31aeb0792105aeb98d6313879fc211c3053234a13cfccd20a36e3bfa485a584f01f3bf068f1bf0529f8adc34e10296b5144dfe48472fc0998571ae41626dd
DIST patch-4.9.240-rt155.patch.xz 175372 BLAKE2B 807205cf1b22c5da138fac0772c881e1c162ff66f6872fe497b643105573db5bc48c98947f65e6e945b46ffb865c4abe9c2ce9aacb093d7a4ccdd686e6573e04 SHA512 b50feb8ee9aa7dd8af1fd01dc0beda4a0a71305229145a6b21797bd63e3683085c2893c4ccdd67ac451c66c44c758303b2792516413b69f844441956280df4ae
DIST patch-4.9.240.xz 3707752 BLAKE2B 58cf04060dc286f38895bea9339d124983a37878f687b71d38c28aa1123a3e0889f46d4e96605d3ae69257a8d7ec824b85a835e463214445c363065c4be5ae8e SHA512 b18824b1cc70020ef0f4000b4c152297a7424b31075aa001274319a0b8e3d6b6407193a903b3af56bfe8b0dc12be68673188de90aaa14ba13670c0669a8e7557
DIST patch-4.9.247-rt162.patch.xz 175304 BLAKE2B 5c481b074b9ca70bb3b978f079190d161951dea48d71c537b6d1c32ce5fc9fbffff2c8a339931dd7084b1a0445d557c1ab666bb0e8ca6d5c846b408e3c71f870 SHA512 91da91e4540883464bdcfbd764d8531dafcc49fcebb748fa91c158f218f26b8d5424d4723e3b6ba8e5f9c81246e5ffa3addd652a6ec013c7131deb7d9cc673f5
DIST patch-4.9.247.xz 3788468 BLAKE2B a866ac523f2612b384794cf07a18ed1a414c8d34c501fb02a7e40792e73bdc576c65e7ec77fab3f04cee4dbd4534f45811c729a6bc17f044ed2196a0fe6877a8 SHA512 4af0e2c93e70af1119f28ea68f3ed1a56226fc0e00d0ec8d12e42498623afe74cfbcd44db3087bfb7748b7148deb3836c7924369e6e6102809a40084bf242a1d
DIST patch-5.10.1-rt20.patch.xz 166124 BLAKE2B 323d7764bc65e97d8a764f04db15481c8799147a6e8a6a23c8cde20a67ae15421c81ada328f71bcca01ce99a02c53e35daec6a7f3b5b682b40ce6a756c44a38b SHA512 20545a16adf746690930a67dab11fba15f225f07c0c018296b01b0acb7d9f4e12862fc53668992c318d671f506513436f8f9e1d174f761ee31e75bbc3d27514e
DIST patch-5.10.1.xz 940 BLAKE2B 3f3feb8c2ce909bcceda525bd7c8aed0949b53cebd2094d0a4af2342bfe7d1f78ab341d64fb91c89a2cd3a78f5fcf8bade4b75ca22e18c4a42c5e1cfcfe66cd5 SHA512 4fa17c2525cf67f71bcdd232cd98f1a00cf9596987e73909ef9638b9e74886c4d752375ba1b9b8020f544b2d6fac23630fc090111a4e79b880dbb81629bd1503
+DIST patch-5.10.4-rt22.patch.xz 164244 BLAKE2B e28485e4fb87a7237fafa0853da05c8c7a92d4e1de0a53387837897abb2204f63b9cf9b6a2c1798f09b32a72fac65fcdbcbf97775d38ef85ed61020484a47a21 SHA512 d925b83b257b68001dc284bb9bb690e5a1b0643b464d3e4fcf2c00ec3b23e12584a0f5186a877226fa5c8126db9e2f45abf3957dea020c28cee20780a8ba03a0
+DIST patch-5.10.4.xz 199992 BLAKE2B b79c50e4f52dfef44ddf137e1f69c47b0172771543afe6598cbcc263330634414d992e32e2be33e7682bc4c2f229a6f7a08a5ff02ebbda682a11cb70dbc01b56 SHA512 893733c9b9290f7a91bfb31ca9baa762a6460665b59efad6ee194b67807ae3990cf44464a32ea4a7e9620b58d7810ff15a30a7d92f0bf1b14cff3b5730fce49c
DIST patch-5.4.70-rt40.patch.xz 182032 BLAKE2B 0f911652bedb74d40bfd42a2ef0e0b7309c31152f6d94a8cb6c91e0a16e8f5af007de6f3e41145b8c1248aba34f3ee90e024b40558de073419bb70e4d12749d9 SHA512 9a325cbeaa783ddfc3e0ceafecebcf55caf65245d3beeac652db9793af064a0ab49608b2c39371ea33b058ae90fc427aeb6a300e27a716482f31a1c2226b6439
DIST patch-5.4.70.xz 2131576 BLAKE2B 6d9dab0ec5dc84f1487d179355cf497ad9e16b7a22b69a931dab206e8617cfe52fd09a88ec8fe9070f9735c9f5cbb825c61aa6501d3851c8d2925f849146629a SHA512 a87fffe500b7f0355fe49077b4d80359b31e0721d824ba95135ba851d1b1b747ea9dfd0bc15e6133bc93132df60c4ca9ee99830acb0309866f02f9c88b7784f9
DIST patch-5.4.84-rt47.patch.xz 182616 BLAKE2B d37a562eb0dc9d0f60277e9e76479165d67187e6194f8f81bd45e7b176cbb0de2920ae5d34302c335eb16579a79b471eb52d9e78472ebdbb12979aa9602b9c9e SHA512 9135aeb5184790a41022fad6e0676fc7ee12a38aa67b87c839bc2da6ce1ccff2a46f757ad8ff22d8071dd98c9321841b8e908c549d995f0298f478814be7e6e9
diff --git a/sys-kernel/rt-sources/rt-sources-4.14.214_p104.ebuild b/sys-kernel/rt-sources/rt-sources-4.14.214_p104.ebuild
new file mode 100644
index 000000000000..806c4452612e
--- /dev/null
+++ b/sys-kernel/rt-sources/rt-sources-4.14.214_p104.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+KEYWORDS="~amd64 ~arm64"
+
+HOMEPAGE="https://www.kernel.org/pub/linux/kernel/projects/rt/"
+
+inherit eapi7-ver
+
+CKV="$(ver_cut 1-3)"
+K_SECURITY_UNSUPPORTED="1"
+K_DEBLOB_AVAILABLE="1"
+RT_PATCHSET="${PV/*_p}"
+
+inherit kernel-2
+detect_version
+
+K_BRANCH_ID="${KV_MAJOR}.${KV_MINOR}"
+RT_FILE="patch-${K_BRANCH_ID}.${KV_PATCH}-rt${RT_PATCHSET}.patch.xz"
+RT_URI="https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/${RT_FILE} \
+ https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/older/${RT_FILE}"
+
+DESCRIPTION="Full Linux ${K_BRANCH_ID} kernel sources with the CONFIG_PREEMPT_RT patch"
+SRC_URI="${KERNEL_URI} ${RT_URI}"
+
+KV_FULL="${PVR/_p/-rt}"
+S="${WORKDIR}/linux-${KV_FULL}"
+
+UNIPATCH_LIST="${DISTDIR}/${RT_FILE}"
+UNIPATCH_STRICTORDER="yes"
+
+src_prepare() {
+ default
+
+ # 627796
+ sed \
+ "s/default PREEMPT_NONE/default PREEMPT_RT_FULL/g" \
+ -i "${S}/kernel/Kconfig.preempt" || die "sed failed"
+}
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ ewarn
+ ewarn "${PN} are *not* supported by the Gentoo Kernel Project in any way."
+ ewarn "If you need support, please contact the RT project developers directly."
+ ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
+ ewarn "the ebuilds."
+ ewarn
+}
+
+K_EXTRAEINFO="For more info on rt-sources and details on how to report problems, see: \
+${HOMEPAGE}."
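Review bot: The `|| die "sed failed"` in src_prepare only catches a sed execution error, not an unmatched pattern — GNU sed exits 0 when `default PREEMPT_NONE` is absent, so a change to kernel/Kconfig.preempt in a future patch level would silently leave PREEMPT_NONE as the default with no build failure. Checking the result after the substitution closes that gap: `grep -q "default PREEMPT_RT_FULL" "${S}/kernel/Kconfig.preempt" || die "PREEMPT_RT_FULL default not applied to Kconfig.preempt"`. The same src_prepare appears in rt-sources-4.19.165_p70, rt-sources-4.4.249_p212 and rt-sources-5.10.4_p22 (where the expected string is `default PREEMPT_RT`), so the check belongs in all four. The bare `# 627796` comment above the sed would also read better as `# Gentoo bug #627796: make the RT preemption model the Kconfig default`, so the next maintainer knows why the edit exists without looking the bug up.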
diff --git a/sys-kernel/rt-sources/rt-sources-4.19.165_p70.ebuild b/sys-kernel/rt-sources/rt-sources-4.19.165_p70.ebuild
new file mode 100644
index 000000000000..806c4452612e
--- /dev/null
+++ b/sys-kernel/rt-sources/rt-sources-4.19.165_p70.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+KEYWORDS="~amd64 ~arm64"
+
+HOMEPAGE="https://www.kernel.org/pub/linux/kernel/projects/rt/"
+
+inherit eapi7-ver
+
+CKV="$(ver_cut 1-3)"
+K_SECURITY_UNSUPPORTED="1"
+K_DEBLOB_AVAILABLE="1"
+RT_PATCHSET="${PV/*_p}"
+
+inherit kernel-2
+detect_version
+
+K_BRANCH_ID="${KV_MAJOR}.${KV_MINOR}"
+RT_FILE="patch-${K_BRANCH_ID}.${KV_PATCH}-rt${RT_PATCHSET}.patch.xz"
+RT_URI="https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/${RT_FILE} \
+ https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/older/${RT_FILE}"
+
+DESCRIPTION="Full Linux ${K_BRANCH_ID} kernel sources with the CONFIG_PREEMPT_RT patch"
+SRC_URI="${KERNEL_URI} ${RT_URI}"
+
+KV_FULL="${PVR/_p/-rt}"
+S="${WORKDIR}/linux-${KV_FULL}"
+
+UNIPATCH_LIST="${DISTDIR}/${RT_FILE}"
+UNIPATCH_STRICTORDER="yes"
+
+src_prepare() {
+ default
+
+ # 627796
+ sed \
+ "s/default PREEMPT_NONE/default PREEMPT_RT_FULL/g" \
+ -i "${S}/kernel/Kconfig.preempt" || die "sed failed"
+}
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ ewarn
+ ewarn "${PN} are *not* supported by the Gentoo Kernel Project in any way."
+ ewarn "If you need support, please contact the RT project developers directly."
+ ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
+ ewarn "the ebuilds."
+ ewarn
+}
+
+K_EXTRAEINFO="For more info on rt-sources and details on how to report problems, see: \
+${HOMEPAGE}."
diff --git a/sys-kernel/rt-sources/rt-sources-4.4.249_p212.ebuild b/sys-kernel/rt-sources/rt-sources-4.4.249_p212.ebuild
new file mode 100644
index 000000000000..806c4452612e
--- /dev/null
+++ b/sys-kernel/rt-sources/rt-sources-4.4.249_p212.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+KEYWORDS="~amd64 ~arm64"
+
+HOMEPAGE="https://www.kernel.org/pub/linux/kernel/projects/rt/"
+
+inherit eapi7-ver
+
+CKV="$(ver_cut 1-3)"
+K_SECURITY_UNSUPPORTED="1"
+K_DEBLOB_AVAILABLE="1"
+RT_PATCHSET="${PV/*_p}"
+
+inherit kernel-2
+detect_version
+
+K_BRANCH_ID="${KV_MAJOR}.${KV_MINOR}"
+RT_FILE="patch-${K_BRANCH_ID}.${KV_PATCH}-rt${RT_PATCHSET}.patch.xz"
+RT_URI="https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/${RT_FILE} \
+ https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/older/${RT_FILE}"
+
+DESCRIPTION="Full Linux ${K_BRANCH_ID} kernel sources with the CONFIG_PREEMPT_RT patch"
+SRC_URI="${KERNEL_URI} ${RT_URI}"
+
+KV_FULL="${PVR/_p/-rt}"
+S="${WORKDIR}/linux-${KV_FULL}"
+
+UNIPATCH_LIST="${DISTDIR}/${RT_FILE}"
+UNIPATCH_STRICTORDER="yes"
+
+src_prepare() {
+ default
+
+ # 627796
+ sed \
+ "s/default PREEMPT_NONE/default PREEMPT_RT_FULL/g" \
+ -i "${S}/kernel/Kconfig.preempt" || die "sed failed"
+}
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ ewarn
+ ewarn "${PN} are *not* supported by the Gentoo Kernel Project in any way."
+ ewarn "If you need support, please contact the RT project developers directly."
+ ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
+ ewarn "the ebuilds."
+ ewarn
+}
+
+K_EXTRAEINFO="For more info on rt-sources and details on how to report problems, see: \
+${HOMEPAGE}."
diff --git a/sys-kernel/rt-sources/rt-sources-5.10.4_p22.ebuild b/sys-kernel/rt-sources/rt-sources-5.10.4_p22.ebuild
new file mode 100644
index 000000000000..bc5ac5cc1941
--- /dev/null
+++ b/sys-kernel/rt-sources/rt-sources-5.10.4_p22.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+ETYPE="sources"
+KEYWORDS="~amd64 ~arm64"
+
+HOMEPAGE="https://www.kernel.org/pub/linux/kernel/projects/rt/"
+
+inherit eapi7-ver
+
+CKV="$(ver_cut 1-3)"
+K_SECURITY_UNSUPPORTED="1"
+K_DEBLOB_AVAILABLE="1"
+RT_PATCHSET="${PV/*_p}"
+
+inherit kernel-2
+detect_version
+
+K_BRANCH_ID="${KV_MAJOR}.${KV_MINOR}"
+RT_FILE="patch-${K_BRANCH_ID}.${KV_PATCH}-rt${RT_PATCHSET}.patch.xz"
+RT_URI="https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/${RT_FILE} \
+ https://www.kernel.org/pub/linux/kernel/projects/rt/${K_BRANCH_ID}/older/${RT_FILE}"
+
+DESCRIPTION="Full Linux ${K_BRANCH_ID} kernel sources with the CONFIG_PREEMPT_RT patch"
+SRC_URI="${KERNEL_URI} ${RT_URI}"
+
+KV_FULL="${PVR/_p/-rt}"
+S="${WORKDIR}/linux-${KV_FULL}"
+
+UNIPATCH_LIST="${DISTDIR}/${RT_FILE}"
+UNIPATCH_STRICTORDER="yes"
+
+src_prepare() {
+ default
+
+ # 627796
+ sed \
+ "s/default PREEMPT_NONE/default PREEMPT_RT/g" \
+ -i "${S}/kernel/Kconfig.preempt" || die "sed failed"
+}
+
+pkg_postinst() {
+ kernel-2_pkg_postinst
+ ewarn
+ ewarn "${PN} are *not* supported by the Gentoo Kernel Project in any way."
+ ewarn "If you need support, please contact the RT project developers directly."
+ ewarn "Do *not* open bugs in Gentoo's bugzilla unless you have issues with"
+ ewarn "the ebuilds."
+ ewarn
+}
+
+K_EXTRAEINFO="For more info on rt-sources and details on how to report problems, see: \
+${HOMEPAGE}."
diff --git a/sys-kernel/vanilla-kernel/Manifest b/sys-kernel/vanilla-kernel/Manifest
index 62d7c5932488..a971367729db 100644
--- a/sys-kernel/vanilla-kernel/Manifest
+++ b/sys-kernel/vanilla-kernel/Manifest
@@ -1,44 +1,29 @@
DIST gentoo-kernel-config-5.10.7.tar.gz 1146 BLAKE2B f755581e9f3be3122e5f6e6fc133d3e5c3116d4580b53f95ff5b2cee5150233fe82be5cd45637a9792ae4612be5d2cb4dd954506f97fe82c9e96cb8b772cb342 SHA512 8c64768e83d2552e69a29c6c3f958ef6a1e5a767acd04b3bfcd0cd49453ab5d0aa54fcfee76a8c9d07f72abdbf70380b070e3d1584e7b7d05a6daa3399892f51
DIST gentoo-kernel-config-5.4.77-r1.tar.gz 1289 BLAKE2B 6612741cfbf458f4bd8915b476aac3aa6934e8bbab344da877fa4ad52b6133e01f5d44bf0e5d048e79e56c1a351774135ee55f1aa839b230e2418db7c5d9b123 SHA512 2a09dd85af37447b278847aeaad114ef47470726cec015ed5ee1b54b3080f4b2c48de8b2f7b817eeb4e27c753579cf0820053e22caa762cb1552116d8d69eba0
DIST gentoo-kernel-config-5.4.89.tar.gz 1240 BLAKE2B 50bd2e64eb1a62d2f0d67e02b78da56cb507fd7a5993d663b880c94ecd535898285ed01e00d5d07fc1ba0d044657e776456736d8fdcacecf7ca464979a8a1d06 SHA512 ad31f9895b9dd45edd7f8715516edfc303c23600f243f3ca122c7c554c9fdbe3c3aa62970a24ef7291d7937e04c63c0258f6348e796686902a011c055c1bed01
-DIST gentoo-kernel-config-5.9.8-r1.tar.gz 1198 BLAKE2B 8fc6d432e9d7e1f7f2be75c5741ab18be399066e9837a52023bebfbffe6299eabfa7e8e94822ef205bd443f6d75a75530cf0c3989dc0414a7c3e4ff06d4743bc SHA512 bc554f46ffb8a4422269e5d9b8e9e0c0f1ecd29fd008719f7ab027e87f4b4bb284d7854d1af2e1e5af0784043db79de058b38fd1ff0bf50d3086e8adc6254e1f
-DIST kernel-aarch64-fedora.config.5.10.2 223109 BLAKE2B 705c331b559994b437954e4a0d0405d1f084b0689460b79f89a938ac66fdddbfa617b78b2bfb07bf5a085e1d4e8cfe735554031bc1e2b2ceeb6ef680c50b26bd SHA512 e57e6efe8dbd935d9b7438019fd2b8b7e558deac5471816fac6a6228ca95badf74c99a4d479cc3820f62176626c4a2526f9c16523d1e445634168358c2d24232
DIST kernel-aarch64-fedora.config.5.10.7 223162 BLAKE2B 23d78fadc509edd2219ba263266e4a865f98d6aef87ee2e299b81ba86ac36eff580e5c7bdccb0d4a8593afad07136e06171c79e0dd0e072c892a523e6e352933 SHA512 9791c26368173da444ca5ed281effdd5e20f3968f0a65eb607c2741f114443db2bf260d033a28a7f826963b59a8893a1311befcb3eb3609f9b85472e95234bcd
DIST kernel-aarch64.config.5.4.21 199104 BLAKE2B 578ad451a76204df2a9bbbe34b5cb27051d2ac5e2c33967f562b01338c43f35da6dc33a4c2cc67ea6c3b32b155729360d3748ec28dcaa750f18449245b2e8a09 SHA512 66e9a437beb350fdc59512c17b8f72c5b5bfacf2b35070d810d77e66f49cf7929026cc28ad44b04a016d61e65d9fb4a10af6996ba09b604bf97e9c467d08f8ff
-DIST kernel-i686-fedora.config.5.10.2 205372 BLAKE2B 68a85a8063f6e667b0f7a6923193d86b4ca5a670698aa80f16cae1a06c1cfc9d07343f7bce1c784f9d9a63a3c30e08cc2c948daa7c45f0dadab7dab8779a98e0 SHA512 2aeb490f8797a269abfc485d06a4c8a7f2ac54fc0d0bca4c876369991ff223a43744077281cad5af35235b5db59511cb9e95c83ea634785efe496ceb0f5837bb
DIST kernel-i686-fedora.config.5.10.7 205390 BLAKE2B 103131caa856ae9b062b39cb88ad8616a8ebd7aa53b7562399d72ba998a4049a22ab251927bf43a4936127246455c2cdeeee3b7e349e12bb94af8f6dc242d8ea SHA512 58279d0076f7551569e48db45909263c5c494c4349afaff4087682d7dd0ecadc22dde56482b521ce2eec39b1e6110f5c370206e0c8f7045d4419bb164da7e2ec
DIST kernel-i686.config.5.4.21 183910 BLAKE2B 185126ffb85718bb73761d01683def80b6f002d7a7a6eddd8e858a30d8eadc863fb378d83a1cd2ed82b3540337fa66ae44475e31fb41ebc46d77005b6f54e5c0 SHA512 6307afc2295902e44fe65b1cccaa7a0260b295a5f21f1d67ec66197bd972bd3f5675b624f08d9da8b224cb3ec987d5c21cbd743599aeab9ac6214bc651f43476
-DIST kernel-ppc64le-fedora.config.5.10.2 192065 BLAKE2B 88c035de25b9a32df1c110177840a2f7171fae7ac7ccd2aaf12720bc8030c3fb073c73b087f57745e531c59502214b1aa79db9f0aea7ef3db60e69f5e83e5a8b SHA512 5579785cadbf99adcee29b16ffd3fa1acafd18ddd37ad1612de19f7c918a472a1dd5cf5ace9ef46bbbbe17b0b091d26617e2f63f2039de90aa521ce0b02a5bc0
DIST kernel-ppc64le-fedora.config.5.10.7 192083 BLAKE2B 71c97c04629a05ac8cb4f4cf1740c60e8a25c71a5c9184cf53f13088073b04b269887ee6e57ff83c8caff61ccbfd6845809e6e3057f1fdfc13d9b913b032c653 SHA512 732f4e93b3074180e86bed865e0b6d487857d5eefcb2436e7c24706be0e41c813b27b2292e6995df2d63e9a9f7721c2d566a50ba06675bfa862ca1fc91dc2af5
DIST kernel-ppc64le.config.5.4.21 172003 BLAKE2B b53887cb44f7c378cb3866780f8e556e19fdb02130d3b0df01d97698d2a91f7d90a200012559f288e962935742c3fdb67dfb6711876fad37862fe55cdca5b5f6 SHA512 82df8d0be47e9eb20bd7db570539bb061d0b6e2101dc78a54596cf4d0b4e0c536041449304ff9240b051ee09b342ea336c5645e9a3b66a5dfb96d7778ff86008
-DIST kernel-x86_64-fedora.config.5.10.2 206317 BLAKE2B 5511c920e1807acf2511db2269064b9d844669d7e7cd7675e9c57c9a3205fb8794926a8305a49733a450768b312b8009734c7c66e8a486b3d870bafaa79f11bb SHA512 eb1c6a5b5fa0fb97155ec909774b6954af3ef375ac18b27d99dbb0037c3c29df06780c1d1abe8c5f4bb7e05d5134b21e50015d5c883d79e820ea046e5e728569
DIST kernel-x86_64-fedora.config.5.10.7 206335 BLAKE2B 1133bf0f58f8073578d048c5905cc4a539f63a01b57fceb225046c4678172861de20419d8cbf42b0f4655c27a6366ddee41343458d577a2685f3d96b2fd444c6 SHA512 8c5d0de931526d3315793e0a1af4c9c2493c09573c4f2233aaa85f0413a912190c14fa8427593fc3956fff61d89c795f7c9b0509bb30936cc8b9976deafeda66
DIST kernel-x86_64.config.5.4.21 184907 BLAKE2B 0eb2b07c14cea7545350fcdf3a94f2a531f0137c502ebda9299cacf44da5385686e2049b480b28bc153c9d413d453cfe682b9655eefe70428cb720f57c7bd200 SHA512 f3b3ee6841555ac3a9cc11536a7d44e1a5a8df2bab14ba341fda7df1ceb0de45cf1c799a1d54a64f2858fd1272d348bb52cf269ffa396878c5402baf2730237f
-DIST linux-5.10.3.tar.sign 989 BLAKE2B 24cb9883b4006c91e4fce03e5a35db072b95622a9bfa3730e04684f4bd80e7c76f34b40d6cddfd996371cc9fd1d11a8b61acca8959e31d17de16d9a94e058186 SHA512 d0b79d11a1007fddbf455098139624290275d4b9fd490e53b82b3f22f1ab564c9a36ebb9705f95107f40d6d91ba7a49ed233531e0e112072dc62c7ad5f824ba4
-DIST linux-5.10.3.tar.xz 116591740 BLAKE2B 0a8603991e9de4b50c2a0c9b7f96d2d169a41567f81bfc8bfd3d41edd45a948d2a672236c9651d701f16f0cb619c39996c9cc883647bacb2cefb33100e072d98 SHA512 3b1fb09f5ffd53e36eaceda6aa97c976d7fd2ffda4e13ce05ecf625c32bbdc0643eee7bc4e43230482dcd328a57669d6d6c7551fa4592d5f3c1a8924bb5a012b
-DIST linux-5.10.4.tar.sign 989 BLAKE2B d29e97723b686c4ef8fcb4b087908cba5ff73b42c08a78d8e042c18e3b44edf926b05385b90d586cc00a6b8913854e4e06c362c9e63ad4fd2563f072c3faf179 SHA512 c4c93f6ed2052180669760516427378aa361dd32f06e94a8735b298bb1abb7f7101efc15b6203a0f1a0e71a7ffbf949ccd21d00a32b3f02cc0b1ea3eefdf6a68
-DIST linux-5.10.4.tar.xz 116612908 BLAKE2B 57f6d719451aacfd298452703ae02e6188885500e8cdf18fffa6b9967b0934a23cd378ab4c49b76ccb2f7a9012d6aa7ff1349d488cb31e40924be2f27b244cec SHA512 aab782786cc06b5f1872bbb88c4f55a73d222f8ecf1ab8f5b7d96de2160b11b4407e02a44b206d2c00e395ba0662aa5a038b8e10d185621a0b33c576b523b490
-DIST linux-5.10.5.tar.sign 989 BLAKE2B 376175dc06bdef26ba4d6ad1503d983cd2b49e4b49a5d575fda0f492ff7ad57a05b8485bea452804f13263f0e6d50e63021d7d67fc0cc18429b6b09942965bc7 SHA512 f917e71683247f8c04045c41ea50dc6b49aa17434d12d82c698b1153e9c625c7e6cf7aadd0d9a7f83bf743d26bd879228c8fdc101bc46838a6f075e7e646021c
-DIST linux-5.10.5.tar.xz 116604852 BLAKE2B 25b71eb091ea6526a7ebfef5bc201b76d612e5138b6b3caa708f90e76196c30d1865c223e2084a118a3883a9620d47c9576b1ab7db2c8d9c0f204dda7c640eab SHA512 f3462c8ee26c34a8ee344fa146f6f3aeceab03ef1cff83f3b831251f52aa70823d67085030a37b7fea21b305e20bcd7616d16557a7b5bd757b8f84d9805413da
-DIST linux-5.10.6.tar.sign 989 BLAKE2B 3ae45a240fd1072e177c4638b8da2147b7a76e1908d0b60bc3998bbaea387a32fa05520189c050d7ea1c8abbc5d46fe8dfc5621dbaf35278cd859f662b1585dc SHA512 99e3963b9b26828a9c4bfdad8a52722253e183d2aacabb537868819f9896b4e1666825d48ca6690fd356cf8c410a3e6c9309f5f52e5bf14369ca448323f2b7f7
-DIST linux-5.10.6.tar.xz 116617788 BLAKE2B 2da9e47f6524ecb50db9f515b9f281f08fbcb323f6e4ddb225c2b2f6379787c37efee25589e49286e13ff663c414a422b680912739400afab89f0ebaf741d33b SHA512 fbf4442b9acda111de40de59a5809a6609edc12896a2067f1a7c8cabee7458e6705ad40d3f6734ac39f2c71cfe6db3161a79c830236470632b743a384f721384
-DIST linux-5.10.7.tar.sign 989 BLAKE2B b6c0f9ede022691159e3b8d85f1ac96435485e05b68420e84050970eea94570c04ebbe4e1a6bc5b67944aa693271e4fbe19a95c85e61fedd6b0e1dbe59ea0aed SHA512 37808aaffc5f249368704bf5df1e12c42ca77041dc2ca2baf0eb52fe7128c999570ba78aa1c326939d189e33b24b8997b16888f5f2869b6fdf915b70cb58c5d9
-DIST linux-5.10.7.tar.xz 116616036 BLAKE2B c3a222cf56350a3778bd825ba8434d27266412ffe921429be189d51fa97ec66b6aaf336bfd67c20d44828e4b150afade9659b341e9c499f63d6dc01fc2a4fb03 SHA512 d639ee7ddd8071b1b54354e68034508bd32a3d2b8eb50ab4aa0f64f3beac9d4ce4f7940ba1848f9903ee827f7cad1a2625185eb4071b0f348bc4639af6f41d9a
-DIST linux-5.10.8.tar.sign 989 BLAKE2B 5f4194a7199daac1bb9d967b81cf6e9107d7064065cd2df4ea9ca195195c2924e8f314ca0a0c33a0c373cc59ae7d64536faef5a2193e18102d4e89c5694c474f SHA512 cc4da89a8e12aff5a933d92642146789bea700ec2cffd5e32b555bb0dc700819f59df5cc807cd2acad3b54ff13a6080a5c0874b8fa3e6dab049c87aa43712e65
-DIST linux-5.10.8.tar.xz 116625448 BLAKE2B 1bea3293bb036639d5dd72aba9ca078e1cf94c3752d48abd6462c65038ca5808ee976919623ccb64356756b2cc766a014e57483e8e1418a089236522a0e0a56e SHA512 13ea7cf81db43059466c1558bd80175a6c2090496786fe9220c165958d19781d5501104f41f8207e0239a101611a1faa38b203dd1e8890964494ef8518f5f21e
+DIST linux-5.10.10.tar.sign 991 BLAKE2B 7b9aa801aeb243c0434172d29fc7e79bc8965c19cef0c7e51d9f00c51f7d8aa2bbcbddcba54d924c0d7538d1dbb638ac3b45043ed212df0e3e92471ea0067f08 SHA512 3045e4c78aeb224c3b320b1104f1429bb742d79b8fab4d4b7b1e3711bcc1dbbe1219b81371857207121300cb99606a1695b6c9f707bf755bb7a4b4630c6486d9
+DIST linux-5.10.10.tar.xz 116625516 BLAKE2B 180f0dd063eab9542fd799c54dd335c4f310bea739048800ab3222526cb1ea7cc4ef43d2a2c27ed0e37a776f5c77540c33795aa63297704d9e215735a1a98606 SHA512 05a3f91470e1402510f10d9ad8b04350be7aa1232fec5083e5bb59e16cae8168b1f117b15508fc0dd345d7f8d20a43029a48ebcf54278596b778c37d2f966ca7
+DIST linux-5.10.11.tar.sign 991 BLAKE2B 8ac1b11f90ddde889d6b76e37048804efcf0357dd8cca975b2f2c1df811c69d8108d6c51a92023dda503ce50f4d9b9e5f633e3f22ca62c9b475901fb35a3cd18 SHA512 252f7fb5397d8766a07bd98f05a6a53ca5b606ff2172b3604ecb9f9c6d240ba2b7aec8956d85967bf6de67117a595100be81153376b62fab0fdb0edccd9833be
+DIST linux-5.10.11.tar.xz 116619904 BLAKE2B f2ffb77efeab44e5ac74f275f1c728618a0893c752018946a3908a34dca2797982efb6646df1350f31c9cab2b780aca871dff82b63e2ec59e3bfcdafa0457581 SHA512 251cdb885190769551c7c51476113e53ca11ea32f0234491ece3cfffe9f1c15e517dbba1c8f3c0d1a41351e2c14ccfff94aa00301a0c8a4a86b2569b1dd70ca5
+DIST linux-5.10.9.tar.sign 989 BLAKE2B 4573f4a502d7b86924051da635af393a0d61628fb88f01d14ec5a8b454974b707f547c60bcf965f73af92e850f496c659847142058e61951065db4e2e40cf8e6 SHA512 0a1700731809dd615a8d692a9be195564d6f0edbf722e72d8fd36cecbe4c3dbbcc26e3a194ab08945445a883d5ef3f491f5358d715537240a430bd750179f5f9
+DIST linux-5.10.9.tar.xz 116619508 BLAKE2B faedb4032fd709d3f0089d706232ec0dcfdf3817223aa910112e6cd58bffea20a3127fee407a465fa3b4db1a54050fabd839809c404492820216fadae70885b9 SHA512 63271212f300a58a5c2826052928aa980994fff6af553f801b0d2a1ae05e3b55788cc46fa26c97f330bab74068a93df58ce768f21fc5edd1481c841b975e56cf
DIST linux-5.4.80.tar.sign 989 BLAKE2B 7d0fa889c353c83eeb38d4868de3736baf6dd668db2b6660472b85dd6f9fffa83350954da80bd8e6441b54aa15324d68734ca863b0b1980b92a7b3a58073037e SHA512 54b7a124065020a69702fbc4ec82359c728ba32e8cafb7ba083d12974914c8309cc6b33b85769d87f91cbb2583b7c0a20d019d1b3808f32f07dda0ec795e8906
DIST linux-5.4.80.tar.xz 109626784 BLAKE2B b395b0326162ca6d9b9a59966e641eb1df63dbd402c8287b276c915478819132e201ae68fcbab2fbae353591ff4f38951a643b6a2e1283a551ab8464c21a2abc SHA512 ba400e61ce4e55a8bf391b45df15bb71f43f42de1f2cf2c19468f503b102ec1269589908fa186bfff946baf031ae1531f30ab420605a078439508898e5fdfb37
DIST linux-5.4.83.tar.sign 989 BLAKE2B 0c1c9737b51eb02747146498475436682fec4d0e97c6e90e840682878eff34aeffa6970eac0ce117ce18bb8ca2e15fc1a9b0bfb83e021b710fa10dd713437c32 SHA512 be2564571dc109611e802d5dfe1d69339d375bb01259d46888c18ef03979401d9943721131c10609a8a07f14cfe0b990e558e15c7d89a2eccc71e86d620cf4c0
DIST linux-5.4.83.tar.xz 109638356 BLAKE2B 0287ca87cc09702a3ce9c83494a3f49712aab4f805cab560fdee29cecb18f9ef132c9f8352793705b371f0faf60fd24f357448a8323ba1c1a2d0ab832b5bac8d SHA512 0b40ffb66fc5b3f35a0c187ffeea0df3dd90644490298fe78ad1fef210f1c72e4b0c33aafc6b1d0959c915a6a0d3ec57ae8a36f8b28486965a8ef158674b1ec3
-DIST linux-5.4.85.tar.sign 989 BLAKE2B 90ecac8f32d7c22af508b3233768065cc4626b6702d745fcc29f7063402dd5132c6c25e986c6465a4e4d0ddf27013d08736b2b51d2cce975aa919c745865d466 SHA512 a02d4ad9987c40436cda720e781f8bd0a41341564fe907e6618b8ed5149e9d2fa026f2b99cbee24d3d5862452ef140f3eba8f63f316900392726ac14d552ee29
-DIST linux-5.4.85.tar.xz 109636476 BLAKE2B adc66aa3a2a901ed4d7450cc46efe4cef48536e03d19519b9f3f7015930489a9499b60ab8b66624bb54cf5c25aee0d3c39023c979615c0adf3edb5c89f5d595b SHA512 a1b188952ba81d9c4a19442035f9595292b443632fc17b1d976d2de11626287bdb75db1f50858c6224cff8665e3501619799c199c19b32283e7b6ea5683fd1a5
-DIST linux-5.4.86.tar.sign 989 BLAKE2B 03cd85aecb55488abcd7c09ce0f2d4a83e99267fe9ee1e36aaf66e4ea947275e373ac1f3e95f11049da58f760cc38ec240ee777aadc825f75aabce3645f00022 SHA512 b65b4a2ea90c2e907b247254dd73529e4098158ed29d9b31dba9c1d4a0e14f2e9b36c9e4870e764e0bc7bd0c884c40e9f420fbf43aedd75f21794cfca04b705e
-DIST linux-5.4.86.tar.xz 109648392 BLAKE2B 6c46810bce8902794849dfbab686b9c63ceea726d0a58351901d67c50370ed75d325095c0f426706c664f81a315621adae2f7080752e40e5a29b67ea67626005 SHA512 3cb6d81434ed7c340f67530f1bc9cadff81a916ecccc421833e3c70de0c72d1b3790c0ccae228a0ead591b2ccf1abf7fec0299565590e7f08889b509af141952
-DIST linux-5.4.87.tar.sign 989 BLAKE2B e3cc133ad3edc6d9cc8e0f5aa8d1405c5fd7d37d3b34bac28404d9a75a6fa0d4d8d06c4914fa6606f5d80a0ef742a02422a45cb727fb9d9824a37ad002459337 SHA512 4c2a83b8aba30199b11e5ee1f7546aa0572b7121867d23ae8635868bec8ba86ea0473908fdf08246a589e353e4088c9065d28c6210a29be8e0dab9888b02e430
-DIST linux-5.4.87.tar.xz 109641324 BLAKE2B 0618c30298460d1d2de3062542782e8c3bf842fb36a0341391eb0e3bd9217b8478bef7474b9bb7dd4f6eaf360d215905b558326e9fabf887fb6a335a3c1ca4ab SHA512 6041678c79ec3568462a329b8ba0c1bd7f59bda594a621d597917a84838a394804da547b3b772416fbebcd59f5274761a40a52d22abb9820ea190d37bcb30b40
DIST linux-5.4.88.tar.sign 989 BLAKE2B a3757a095bb72f810847a45e0dcb7401ba264317cbe6ca4a6cad5503ae5836d77795ac26f00c3ceb9166e188904dd074fcaab0080c42413115f9849222c0b8ee SHA512 f91fe3552b889a0aabf0678876221bb5cc0632485e279d75fa25008a9f409711db63ffdd782653302e522ff04f4ed2e0b34d0e5d2dd7d8c2265f370740269165
DIST linux-5.4.88.tar.xz 109644692 BLAKE2B 002e09b5a4571a6967979cc7907cbd7f064ef8bb38045cabd73de09735157798db058ac0150cd53b83fdcf69740ec0a2034868626d028aab24d01b86bb8577c6 SHA512 85cfc22c93c40dce1032a909c7af4f7f26e0b9506469a401f8d9b569de6e3f6fe177dbfe7044fd8a786358fae4b4a1df10a08b3cef3a3e0d541ce4f750511346
-DIST linux-5.4.89.tar.sign 989 BLAKE2B 6a18738bf3d05b8eec8937604680d2d836b75df6df80c6ab3fc950ea32a366ff05a8f5401c856d4e01a4dcafb7f9a865a23415acdec4aae89a8820f9c7a2646a SHA512 51e8cbd7c3add6b91029a963b79c14c80cdc968d4795cb0f4e805fc8e511e0dc05e1d07c7b78addaf982ae8e7f7864aeaa926110c77ea20a00bd42c55f39017c
-DIST linux-5.4.89.tar.xz 109646912 BLAKE2B 598c524ea324dfa77abeaf0117ed9587c9e1d4d9c7b2db60d46c3e374b31e72374df095aa08e66372a62aba9bf5ebfd489c335557fa0e837ff4b0ab198228cb2 SHA512 b69793a9ad0807db409593bee12dd4998b21bdf43a4b07d212818f7f6b916cfadd4a599007f1989fc49425367cd5ba5094fc35e075bb796b2efb7502813e657e
-DIST linux-5.4.90.tar.sign 989 BLAKE2B 5ccde60f966806468ea1a839cbab030dbdeff530a5ef76e64ba1d9d861ae3b5dba3c773d5f56c14e103662e57ec3c4984d21935a27ecc01451d3837d77548a3c SHA512 f4b71ee6298f2d54f5f51b0b6fca6d5adf41c7139cac1ffd16b8ebc516b12ae9b0be123f0edeae777f46f7820bd4ab2118a5d6a847d70b054409e49c66da30f8
-DIST linux-5.4.90.tar.xz 109650236 BLAKE2B d40a447bea1b77eb9ebac798c1d35e4ce63a2babb54675da5ebff3d954f8ce6c40dc367b019e2280463e7d7813035374461d0cb4dbd80c9574cc752486e86f6f SHA512 4be07d786b74958ce27d6aaf196dd9b920f1e25dc93dd18edaace0fb86f7d0570bd7b594afb27c0502b23533fee22ae825200c37bcbfd10aa54140bea1dfc5e4
+DIST linux-5.4.91.tar.sign 989 BLAKE2B 9eb7b9e7201ce69e6779a501e6f6e4a862cec1606150a55961a238d6031ed4b4f5d75b7b16dc2ddf9c4be0984fee53ad264d4b6f2bee2ef8e4a4740f23ca5846 SHA512 d2fbbff77bfd2f927d62f14a47587894b0de479de25c01aafcb74d3a52928992303600a8435ccc7025f33731e9dfd437842b707603e30a2192f6eff5f043478a
+DIST linux-5.4.91.tar.xz 109653720 BLAKE2B 5b017547953aded31e54a69c2609dfae6e516b50b10d58fe1aeedbbd93652de33aac737a688b284889bf6d0ee2d5d6551eae73a693ddbf45d9d9fdd0663268d1 SHA512 81d02edc9b4ea416e630064904187e981bd607ac9ae795e19935f53bd91a48d0371ba2786693f6c0f26245752113eb8009bcdf7d04664982eb6343584732c22b
+DIST linux-5.4.92.tar.sign 989 BLAKE2B 6140d9b3511b2736d1984390997ac4de59d5b4d760283e52b7024e5d6f243499699b08ee2b6a0297bed052ddb5ad77780dc5c4aa1cca03b8fc6c97f610a5bae3 SHA512 e90ca0faf9e7bd6b76187a2bb0f9edee2aa14fb26c0508cd9e55d90ddd973ae1535a39a143f7d5cd4a8081428de874b09b0fda4c2dfac9e639ede0854fb6d3df
+DIST linux-5.4.92.tar.xz 109644104 BLAKE2B 9808a44f886bb4d3d48a2e622ca6cdd53e8756d2d85135a46abafde9e37fca2448411080b8b1dcb3c0df85fcf40cf409dddf2dcf9140b186cd8b43d1a21a18b4 SHA512 ad61b167001b3119056c316261d76ae1d7ce16562f3c47599da460a0d2860f1f38a581dbdb72fd0f941bc8a0245522b6856893a3be7d7d5b03775521e168b0b9
+DIST linux-5.4.93.tar.sign 989 BLAKE2B 0c689529e483c971526bb20bab3d5a63e63c18a48d773c30c8d7131606d97b5ee5be0df8e83d34b41230e9239ab108d175912585bf482252352074b7cf9e8354 SHA512 5b273851ccf9bab4ae3a840348fa91e817cb46ed2fa6159bf6289c8eb03a3075c3b06cb31da4a8d2ef6a6d3a9048d4738c4bd73c9c35b3c44b4ecbf09868b6d6
+DIST linux-5.4.93.tar.xz 109661584 BLAKE2B 78f0369835ba737fadb4145fab290408c163c74293fbb29d6e7e28eb7a4f505f90786394509ad955d76d68b8ace919cb2d297fa765efece13aaf9c3e4c056db7 SHA512 b60839ae4efe4563396897723e5cf644e9f15f058efc72b7eb3b91ac42a6190863fa9f7023bbff4f1339a6d542555af34fffe7fb278ca7efb0922585ad27922e
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.7.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.10.ebuild
index 51afd5f766b8..51afd5f766b8 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.7.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.10.ebuild
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.8.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.11.ebuild
index 51afd5f766b8..51afd5f766b8 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.8.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.11.ebuild
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.3.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.3.ebuild
deleted file mode 100644
index cc953811ce28..000000000000
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.3.ebuild
+++ /dev/null
@@ -1,98 +0,0 @@
-# Copyright 2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build verify-sig
-
-MY_P=linux-${PV}
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built from vanilla upstream sources"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- verify-sig? (
- https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.sign
- )
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="
- arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )
- verify-sig? ( app-crypt/openpgp-keys-kernel )"
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/kernel.org.asc
-
-src_unpack() {
- if use verify-sig; then
- einfo "Unpacking linux-${PV}.tar.xz ..."
- verify-sig_verify_detached - "${DISTDIR}"/linux-${PV}.tar.sign \
- < <(xz -cd "${DISTDIR}"/linux-${PV}.tar.xz | tee >(tar -x))
- assert "Unpack failed"
- unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
- else
- default
- fi
-}
-
-src_prepare() {
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.5.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.5.ebuild
deleted file mode 100644
index e7583aa0f3ea..000000000000
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.5.ebuild
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build verify-sig
-
-MY_P=linux-${PV}
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built from vanilla upstream sources"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- verify-sig? (
- https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.sign
- )
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="
- arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )
- verify-sig? ( app-crypt/openpgp-keys-kernel )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/kernel.org.asc
-
-src_unpack() {
- if use verify-sig; then
- einfo "Unpacking linux-${PV}.tar.xz ..."
- verify-sig_verify_detached - "${DISTDIR}"/linux-${PV}.tar.sign \
- < <(xz -cd "${DISTDIR}"/linux-${PV}.tar.xz | tee >(tar -x))
- assert "Unpack failed"
- unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
- else
- default
- fi
-}
-
-src_prepare() {
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.6.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.6.ebuild
deleted file mode 100644
index e7583aa0f3ea..000000000000
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.6.ebuild
+++ /dev/null
@@ -1,100 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build verify-sig
-
-MY_P=linux-${PV}
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
-
-DESCRIPTION="Linux kernel built from vanilla upstream sources"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- verify-sig? (
- https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.sign
- )
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64-fedora.config
- -> kernel-x86_64-fedora.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64-fedora.config
- -> kernel-aarch64-fedora.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le-fedora.config
- -> kernel-ppc64le-fedora.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686-fedora.config
- -> kernel-i686-fedora.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~x86"
-IUSE="debug"
-REQUIRED_USE="
- arm? ( savedconfig )"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )
- verify-sig? ( app-crypt/openpgp-keys-kernel )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/kernel.org.asc
-
-src_unpack() {
- if use verify-sig; then
- einfo "Unpacking linux-${PV}.tar.xz ..."
- verify-sig_verify_detached - "${DISTDIR}"/linux-${PV}.tar.sign \
- < <(xz -cd "${DISTDIR}"/linux-${PV}.tar.xz | tee >(tar -x))
- assert "Unpack failed"
- unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
- else
- default
- fi
-}
-
-src_prepare() {
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- arm)
- return
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64-fedora.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le-fedora.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686-fedora.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.4.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.9.ebuild
index e7583aa0f3ea..51afd5f766b8 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.4.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.10.9.ebuild
@@ -7,9 +7,9 @@ inherit kernel-build verify-sig
MY_P=linux-${PV}
# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.10.2
-CONFIG_HASH=b40ee468dab9a27cca8b91fef64d1d43ce0ed1b2
-GENTOO_CONFIG_VER=5.9.8-r1
+CONFIG_VER=5.10.7
+CONFIG_HASH=b238267df7cd80dc3aa6b5b654cbe145367383df
+GENTOO_CONFIG_VER=5.10.7
DESCRIPTION="Linux kernel built from vanilla upstream sources"
HOMEPAGE="https://www.kernel.org/"
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.85.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.85.ebuild
deleted file mode 100644
index 7f4ea0861252..000000000000
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.85.ebuild
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build verify-sig
-
-MY_P=linux-${PV}
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.4.21
-CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
-
-DESCRIPTION="Linux kernel built from vanilla upstream sources"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- verify-sig? (
- https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.sign
- )
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64.config
- -> kernel-x86_64.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64.config
- -> kernel-aarch64.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le.config
- -> kernel-ppc64le.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686.config
- -> kernel-i686.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm64 ~x86"
-IUSE="debug"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )
- verify-sig? ( app-crypt/openpgp-keys-kernel )"
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/kernel.org.asc
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- if use verify-sig; then
- einfo "Unpacking linux-${PV}.tar.xz ..."
- verify-sig_verify_detached - "${DISTDIR}"/linux-${PV}.tar.sign \
- < <(xz -cd "${DISTDIR}"/linux-${PV}.tar.xz | tee >(tar -x))
- assert "Unpack failed"
- unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
- else
- default
- fi
-}
-
-src_prepare() {
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64.config.${CONFIG_VER}" .config || die
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- [[ ${ARCH} == x86 ]] && merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/32-bit.config
- )
-
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.87.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.87.ebuild
deleted file mode 100644
index 70f1e31be56d..000000000000
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.87.ebuild
+++ /dev/null
@@ -1,106 +0,0 @@
-# Copyright 2020-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit kernel-build verify-sig
-
-MY_P=linux-${PV}
-# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
-CONFIG_VER=5.4.21
-CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
-
-DESCRIPTION="Linux kernel built from vanilla upstream sources"
-HOMEPAGE="https://www.kernel.org/"
-SRC_URI+=" https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.xz
- https://github.com/mgorny/gentoo-kernel-config/archive/v${GENTOO_CONFIG_VER}.tar.gz
- -> gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz
- verify-sig? (
- https://cdn.kernel.org/pub/linux/kernel/v$(ver_cut 1).x/${MY_P}.tar.sign
- )
- amd64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-x86_64.config
- -> kernel-x86_64.config.${CONFIG_VER}
- )
- arm64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-aarch64.config
- -> kernel-aarch64.config.${CONFIG_VER}
- )
- ppc64? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-ppc64le.config
- -> kernel-ppc64le.config.${CONFIG_VER}
- )
- x86? (
- https://src.fedoraproject.org/rpms/kernel/raw/${CONFIG_HASH}/f/kernel-i686.config
- -> kernel-i686.config.${CONFIG_VER}
- )"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="GPL-2"
-KEYWORDS="~amd64 ~arm64 ~x86"
-IUSE="debug"
-
-RDEPEND="
- !sys-kernel/vanilla-kernel-bin:${SLOT}"
-BDEPEND="
- debug? ( dev-util/dwarves )
- verify-sig? ( app-crypt/openpgp-keys-kernel )"
-PDEPEND="
- >=virtual/dist-kernel-${PV}"
-
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/kernel.org.asc
-
-pkg_pretend() {
- ewarn "Starting with 5.4.52, Distribution Kernels are switching from Arch"
- ewarn "Linux configs to Fedora. Please keep a backup kernel just in case."
-
- kernel-install_pkg_pretend
-}
-
-src_unpack() {
- if use verify-sig; then
- einfo "Unpacking linux-${PV}.tar.xz ..."
- verify-sig_verify_detached - "${DISTDIR}"/linux-${PV}.tar.sign \
- < <(xz -cd "${DISTDIR}"/linux-${PV}.tar.xz | tee >(tar -x))
- assert "Unpack failed"
- unpack "gentoo-kernel-config-${GENTOO_CONFIG_VER}.tar.gz"
- else
- default
- fi
-}
-
-src_prepare() {
- default
-
- # prepare the default config
- case ${ARCH} in
- amd64)
- cp "${DISTDIR}/kernel-x86_64.config.${CONFIG_VER}" .config || die
- ;;
- arm64)
- cp "${DISTDIR}/kernel-aarch64.config.${CONFIG_VER}" .config || die
- ;;
- ppc64)
- cp "${DISTDIR}/kernel-ppc64le.config.${CONFIG_VER}" .config || die
- ;;
- x86)
- cp "${DISTDIR}/kernel-i686.config.${CONFIG_VER}" .config || die
- ;;
- *)
- die "Unsupported arch ${ARCH}"
- ;;
- esac
-
- local merge_configs=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/base.config
- )
- use debug || merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/no-debug.config
- )
- [[ ${ARCH} == x86 ]] && merge_configs+=(
- "${WORKDIR}/gentoo-kernel-config-${GENTOO_CONFIG_VER}"/32-bit.config
- )
-
- kernel-build_merge_configs "${merge_configs[@]}"
-}
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.89.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.91.ebuild
index f8ec23f5913a..f8ec23f5913a 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.89.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.91.ebuild
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.90.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.92.ebuild
index f8ec23f5913a..f8ec23f5913a 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.90.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.92.ebuild
diff --git a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.86.ebuild b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.93.ebuild
index 70f1e31be56d..f8ec23f5913a 100644
--- a/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.86.ebuild
+++ b/sys-kernel/vanilla-kernel/vanilla-kernel-5.4.93.ebuild
@@ -9,7 +9,7 @@ MY_P=linux-${PV}
# https://koji.fedoraproject.org/koji/packageinfo?packageID=8
CONFIG_VER=5.4.21
CONFIG_HASH=2809b7faa6a8cb232cd825096c146b7bdc1e08ea
-GENTOO_CONFIG_VER=5.4.77-r1
+GENTOO_CONFIG_VER=5.4.89
DESCRIPTION="Linux kernel built from vanilla upstream sources"
HOMEPAGE="https://www.kernel.org/"
diff --git a/sys-kernel/vanilla-sources/Manifest b/sys-kernel/vanilla-sources/Manifest
index 00e49336751a..8484210a1da3 100644
--- a/sys-kernel/vanilla-sources/Manifest
+++ b/sys-kernel/vanilla-sources/Manifest
@@ -4,9 +4,9 @@ DIST linux-4.4.tar.xz 87295988 BLAKE2B f260f1858994f5d481fd078c86e51bddbc958f7c5
DIST linux-4.9.tar.xz 93192404 BLAKE2B 83ae310b17d47f1f18d6d28537c31e10f3e60458c5954c4611158ca99e71cc0da2e051272eabf27d5887df4a7cb4a5dd66ff993077c11d2221e92d300a0b48d7 SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a9362d2adacdadd8d96251f61f7230878ea297a269a7f3b3c56830f0b177e068691e1d7f88501a05653b0a13274d1 SHA512 95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e
DIST linux-5.4.tar.xz 109441440 BLAKE2B 193bc4a3147e147d5529956164ec4912fad5d5c6fb07f909ff1056e57235834173194afc686993ccd785c1ff15804de0961b625f3008cca0e27493efc8f27b13 SHA512 9f60f77e8ab972b9438ac648bed17551c8491d6585a5e85f694b2eaa4c623fbc61eb18419b2656b6795eac5deec0edaa04547fc6723fbda52256bd7f3486898f
-DIST patch-4.14.216.xz 4101572 BLAKE2B 614b2653087bc1535e31071403c98a53bc7bd56bb1cac971a52e5f940d389568e0dd571af05814992a4ed1d25eb693fe19d0f241bb500e3f1ec6bc92cbf15b65 SHA512 e16cd2aa38a4c8e7522079e2acf43cd4f666fec6fdff3d2e888107b7c1df0ade19b9ecb0fcd0cf9c8e14508e75c95d207dfa0fd3089e1bb3e3240b0b6be03466
-DIST patch-4.19.168.xz 3738200 BLAKE2B 9fde60b5163c5246b116069626f125d9c81e6b84ec660c8eb83e6ef9e282d73231af6f28cdee3dc119f48157c39bfac01c60e5111e1d4bcefcee0b07af681ed9 SHA512 bcda20f0b340498d85d4f35b271eef9974dfd166514e1617ceabfba96a229ff3cccff66445a61ed9f4cf25eb4a1daa838a830f9d919aa78f26b7da5b8fc4664f
-DIST patch-4.4.252.xz 3437184 BLAKE2B 8208f5b6e2534bbc5edfe10ec6181e06c8c38f0d1cb3e5a1691060d045c4f1019112cde5d5d7ea39845a3a980ee99e5e7e791dadb6d4276f383f312d3ce81eba SHA512 087077c709038cd450dc70dd52ea5e44c91e9300f13b21cd7fb83b42f00a6bad94ed3c6145ab677e295055469401881ac4edadd22c5092b8764db47d6e913286
-DIST patch-4.9.252.xz 3831008 BLAKE2B 6607586b237008a4f0b3dfbacc10f8694be748e610fe2894e8a6ef88a684e2372f6cfff1644e8b2e3b15d5b9ec013ac8a63c05b8e156789515efdfce5f593723 SHA512 a16fb676060a2cf11c5ccfb16c990a7b8dd83356f81a8bdd56af5d841720905456742d8ea885be9bf205be71f907a258806a1fc4b2282b5f1989eb1a9eceec4e
-DIST patch-5.10.8.xz 296188 BLAKE2B a670d287a48be8c2f347fe38953cce0634f1ad621460ba296d35649e5e50b3d5f5fe92b058228c5221418d90b0198d8068b756f080bd551e0ee3899c8548afa2 SHA512 1680ae6f248d29bef2e9a37a40bda40ff17757a02d469b1d9c097ec5898cd4c5c4c46f8e7c9e5be0df9b56422e97364f675774a5c921f9dc05719cfc5d76735a
-DIST patch-5.4.90.xz 2537360 BLAKE2B 26b20652cebc901e347ee837c47d3adb47cf3e20d8503eed802375c8162109accb25f0e4557af70d183d05b5ccea670d2ab787874d3d3928d8c3704db512e86a SHA512 1850ea73f37f56265564d43eba053d95ca557dfe77ed7f0656afa8153c7649d34037433cd549f67c08c538f8f5dfd62190e63f93e650eb0eeb537cf533f161b5
+DIST patch-4.14.217.xz 4106940 BLAKE2B 930de71fe545f3dc2af80edaa494342fcf89e26ebf97ff84edba378a933cc3e2cfb2ad80f05447ac5b7ca6ee24b58755e6197cb4b94ffff0520abbc49712de5a SHA512 24487e5e314605c1ab951915973738743968e16d2a995862a1e8351ccb61426c8f224ace0d5fd0365e6a0f1b3b89a4ed16d49b3dae63b92cb92dfd772d233f13
+DIST patch-4.19.171.xz 3751372 BLAKE2B 26198342b647c8a181d6d630d4e7f3aee3cfdb0ef86eb951f856f2e962974de9b65188b7028d3e2ad11689a5dff652f32ca4452be2e86cfb8bbd5a1b883c1a3c SHA512 ed95b5715cffa4cd7f6aeed6cf87de54a033fc9cafc966c8431bf2bbd604fcd53c0b6a16d9125d54dde691162b92ff075704ed0409f6f85b81e2160b70db09ea
+DIST patch-4.4.253.xz 3440768 BLAKE2B ce0019b49d1aa2c28344e9ac2cb34eea99abb6ed7addb8b8f6a250a0c0db6049308a5d0b535107045772b4a6db35eea521f397e74cb0d68c309a2fcf4724d0a0 SHA512 afd751bac58ff27fa95e8cc89c2583bae9705f28b385d5cf9c2bcc15969c9aceb43101fb132b713d315e9d4e28f3d8fd48c0b505d723f2839d6eeffb5b12e855
+DIST patch-4.9.253.xz 3835280 BLAKE2B 0959e853dce563f20e97b2480e024179427a11a0cc84362ee41fa7e96941ecd18876067c01362744b91afedcfbe1f07f01ea0906c2dd6253927c16bcfa2e75b7 SHA512 b3c063803cd6d16c457c54bd9388c2a48bbff8f2fc37d2cf7687fdf433e3e0578d90a71199661efb514e409a78b865335b74bcecde3c5730f90568f86427abf7
+DIST patch-5.10.11.xz 397188 BLAKE2B 1d3b2e263a5baa3a575f3892851ab74daf1617121cb81d3cbdc678a594d4c49c3cb6b1d9b929af93266a2a2facbcbb8e41721fbfaf935360cab7a2885271de47 SHA512 313696af4792f9a314e7acedabd7f2c08e9605b274d94e4c92f36e69c42ecb506c35463f8224879d4a94536c973b8488b799d5f7e450cb792a04381eb88c8e66
+DIST patch-5.4.93.xz 2566968 BLAKE2B bd2d25c2155395392ed422b66b00901528929ffff97fb72eb145b242655c5e4b60018997755cef0f4ab8b85c4e988e4459959e80311b1601ed08d5544888c59c SHA512 68219675a0c5b3cb709fdfc366120a4a847a533d531b5ad578ee8c9ca91159663177461efd0c8a0b0d2690dd44e08f6c37a17f3bbf7d474f94bfbce0b317a012
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-4.14.216.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-4.14.217.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-4.14.216.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-4.14.217.ebuild
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-4.19.168.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-4.19.171.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-4.19.168.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-4.19.171.ebuild
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-4.4.252.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-4.4.253.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-4.4.252.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-4.4.253.ebuild
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-4.9.252.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-4.9.253.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-4.9.252.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-4.9.253.ebuild
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-5.10.8.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-5.10.11.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-5.10.8.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-5.10.11.ebuild
diff --git a/sys-kernel/vanilla-sources/vanilla-sources-5.4.90.ebuild b/sys-kernel/vanilla-sources/vanilla-sources-5.4.93.ebuild
index 7083facc514b..7083facc514b 100644
--- a/sys-kernel/vanilla-sources/vanilla-sources-5.4.90.ebuild
+++ b/sys-kernel/vanilla-sources/vanilla-sources-5.4.93.ebuild
diff --git a/sys-kernel/zen-sources/Manifest b/sys-kernel/zen-sources/Manifest
index 6befbb6338c2..a99496add2bf 100644
--- a/sys-kernel/zen-sources/Manifest
+++ b/sys-kernel/zen-sources/Manifest
@@ -1,5 +1,5 @@
-DIST genpatches-5.9-1.base.tar.xz 4004 BLAKE2B 8a4577d42262fa901186acc60d28221d00e5c9140886705f018d9989f818d96ee4d9a6586b292e7b1d945bea9e2408e3161a73e0999defe1b7f99d0a339eb7be SHA512 d6ba1051f9561aa30d7b196336c34930285d613e8119b152f1d6cc447cb22db5ac07c25f89d4ceddf58c9370c42699d0250a31449be2da3c591896b0c87d8718
-DIST genpatches-5.9-1.extras.tar.xz 1764 BLAKE2B 32d29f0448aef113ba9c9591c5d3b671d00d07abde9f35f365b48168887913bb2da95a8a52b852453307cabb111115a26178be4cbcc016e53a26a31f783a9df7 SHA512 df007dc98c1acdd31773f7dcf8aeb22812aa55e5593e8509b6a8762f2dcf06c95d69ad7cdce992e7a5fe730754bef26242acdc4e4da51ee29206fabb86c9cb0e
-DIST linux-5.9.tar.xz 115507140 BLAKE2B e8d11472d63a9f8409ca12a2e8c97c6963a3d4516b5a398b627d6ece565584526f9b5a1377a2fa4bd184c09c7db94c987428bc5d52df0c788464a67e9e8d6dcb SHA512 d3d92ce4246bad74c9a784212f160d98449b1e8793970c2c308276568d852b8effe0528686bdb87d55d691f09a826abf7938d69bdd4759ce65ddd5c05ffe4eca
-DIST v5.9.11-zen2.patch.xz 745552 BLAKE2B de7f45152bdf7c5d53705f71e1e37728d9af75be33b6a4d646e0ab1a080a66aed99ab6d6c771ad8f7b0f56e031d3f6e0b37ce082efdb1ab45b1943963c477f78 SHA512 032c83130e4f0f5ceb4e9dddcb375f066c784482e91e7860b2e8a48971c232839c1e92b470f00b56ccc9eea854a129fa12d409bade045d6e5c1bc2499a7eeafe
-DIST v5.9.13-zen1.patch.xz 806084 BLAKE2B 93706195979daad6037fdb3be9c1dbad516fb4db2c59076e0e80f43092c25e950b53e8e315cd748a4c235968a4aa6653f182ecce86fb38193666a4cc2484e086 SHA512 6b78e36f222cd756a42f66017999d128c0b5fc9ebce929548d5812f0dd0284ec2f097d53f680e24ec81cfdd437361a894955851e037c32f415f0578afc2b401c
+DIST genpatches-5.10-1.base.tar.xz 3840 BLAKE2B 08ac1f83dc9a1cfc1d4cf0a3a5ab4c9d4686a80348247ec7cd1da6e49db92d6932a1864113f2631d5528a4ba732945b2afe73d03061bd3c532b3d1e4d9571999 SHA512 04356093c4df6a7ee0876b89be5b90f8bc90c920628e5fe69b5787ce82e003be05eaac142310f10f32d0549a6676af846734ae4ac188c2b96c2eca2cb0a6f4b0
+DIST genpatches-5.10-1.extras.tar.xz 1768 BLAKE2B e99d5d2137d5752845ba8284a0dd57620851c3620603e871973af5841b54e9bfdde92ea2408ddedb55355f2c954c80641b06098060043916d2483e10cfb8293a SHA512 0034e5ab57cccb2e969a3b9e1f674614ca853779c552c37be9c5afb0a37112bf8f2c30e1b21832d56320c70c1d622081b60369c6a86fa737a23c3ed953267453
+DIST linux-5.10.tar.xz 116606704 BLAKE2B b923d7b66309224f42f35f8a5fa219421b0a9362d2adacdadd8d96251f61f7230878ea297a269a7f3b3c56830f0b177e068691e1d7f88501a05653b0a13274d1 SHA512 95bc137d0cf9148da6a9d1f1a878698dc27b40f68e22c597544010a6c591ce1b256f083489d3ff45ff77753289b535135590194d88ef9f007d0ddab3d74de70e
+DIST v5.10.10-zen1.patch.xz 538040 BLAKE2B 2c0ceaebd78107adf1f062a866a6ecb7cc7defcf7eb00ac9287974a6417da2431100c5bc3b23ee4ad47a2478c31c5843de32b73b64ab7928c8df019aec2fb77f SHA512 ee719511e43fa0c799a8b342254125f10cf88fd32999d63d8eb904e76b45d53af22722dd14fd3c36556713a39569266d69551278939b752580360c52ea6a3750
+DIST v5.10.6-zen1.patch.xz 387460 BLAKE2B 0e42109335d0c8d7344b8afc3addbe20c92952eea536df4db0152607dcc97d7de142124f9cb0c22c52af01bd6c117cdc69c51f36725c0f2ab2d51165a2390a28 SHA512 3ba03f703521083e629911ebf980545daa34d73aba30aed8e7355eb315d89728f322df0a3791663fa5fbe398bbd1d10951518d81126e077cf50c9fa1d34563dd
diff --git a/sys-kernel/zen-sources/zen-sources-5.9.13.ebuild b/sys-kernel/zen-sources/zen-sources-5.10.10.ebuild
index c3dce435487e..ef149d6a6a93 100644
--- a/sys-kernel/zen-sources/zen-sources-5.9.13.ebuild
+++ b/sys-kernel/zen-sources/zen-sources-5.10.10.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
diff --git a/sys-kernel/zen-sources/zen-sources-5.9.11.ebuild b/sys-kernel/zen-sources/zen-sources-5.10.6.ebuild
index 8649fd3feb1e..ef149d6a6a93 100644
--- a/sys-kernel/zen-sources/zen-sources-5.9.11.ebuild
+++ b/sys-kernel/zen-sources/zen-sources-5.10.6.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
@@ -18,10 +18,10 @@ IUSE=""
DESCRIPTION="The Zen Kernel Live Sources"
-ZEN_URI="https://github.com/zen-kernel/zen-kernel/releases/download/v${PV}-zen2/v${PV}-zen2.patch.xz"
+ZEN_URI="https://github.com/zen-kernel/zen-kernel/releases/download/v${PV}-zen1/v${PV}-zen1.patch.xz"
SRC_URI="${KERNEL_URI} ${GENPATCHES_URI} ${ARCH_URI} ${ZEN_URI}"
-UNIPATCH_LIST="${DISTDIR}/v${PV}-zen2.patch.xz"
+UNIPATCH_LIST="${DISTDIR}/v${PV}-zen1.patch.xz"
UNIPATCH_STRICTORDER="yes"
K_EXTRAEINFO="For more info on zen-sources, and for how to report problems, see: \