[arch-commits] Commit in linux-grsec/trunk (4 files)

Daniel Micay thestinger at archlinux.org
Mon Aug 11 09:27:22 UTC 2014


    Date: Monday, August 11, 2014 @ 11:27:22
  Author: thestinger
Revision: 117133

upgpkg: linux-grsec 3.15.9.201408110025-1

* rely on grsecurity to disable unprivileged user namespaces

Modified:
  linux-grsec/trunk/PKGBUILD
  linux-grsec/trunk/config
  linux-grsec/trunk/config.x86_64
Deleted:
  linux-grsec/trunk/Revert-userns-Allow-unprivileged-users-to-create-use.patch

------------------------------------------------------------+
 PKGBUILD                                                   |   21 ++---
 Revert-userns-Allow-unprivileged-users-to-create-use.patch |   41 -----------
 config                                                     |    4 -
 config.x86_64                                              |    4 -
 4 files changed, 14 insertions(+), 56 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-08-11 09:10:22 UTC (rev 117132)
+++ PKGBUILD	2014-08-11 09:27:22 UTC (rev 117133)
@@ -7,12 +7,12 @@
 
 pkgbase=linux-grsec
 _srcname=linux-3.15
-_pkgver=3.15.8
+_pkgver=3.15.9
 _grsecver=3.0
-_timestamp=201408040708
+_timestamp=201408110025
 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch"
 pkgver=$_pkgver.$_timestamp
-pkgrel=2
+pkgrel=1
 arch=('i686' 'x86_64')
 url=https://grsecurity.net/
 license=('GPL2')
@@ -27,17 +27,15 @@
         # standard config files for mkinitcpio ramdisk
         'linux.preset'
         'change-default-console-loglevel.patch'
-        Revert-userns-Allow-unprivileged-users-to-create-use.patch
         )
 sha256sums=('c3927e87be4040fa8aca1b58663dc0776aaf00485604ff88a623be2f3fb07794'
-            'e25557b19dfebc91e42939aa9a62f7a4d4e36ea2cc659368cded51fb2c703456'
-            'f85023b7d061365a08139743e68082e3f61b178173528a0d9e39c07ddeef0ad6'
+            '31c0bde90d23355540062438aa485418d19b15a7563a1297ff49247954f62417'
+            'ebe1eeefe65dfe12e64941e0727c3cc9c37d2547d3eb8c01031d449be00c1e5f'
             'SKIP'
-            'e7464de4d248176dc6e2dede11acdfa4cb77bed1fbacaf2b8c66ab94164fe383'
-            'aaeea9587701bd8e1a23dfa9e5c32dcda454ce26497175a9ad9f2bd3c260f6ea'
+            '26b9e9cca6aa6984e5375da589588a3a5d00d7e99718c8cf6bf2b9f92920bd5f'
+            'd5e63ad33d42abc9ba054b196fdcfed74389eb30aaa01bcf01917496cc9387fc'
             'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
-            'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
-            '1b3651558fcd497c72af3d483febb21fff98cbb9fbcb456da19b24304c40c754')
+            'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182')
 
 _kernelname=${pkgbase#linux}
 
@@ -55,9 +53,6 @@
   # (relevant patch sent upstream: https://lkml.org/lkml/2011/7/26/227)
   patch -p1 -i "${srcdir}/change-default-console-loglevel.patch"
 
-  # Forbid unprivileged user namespaces
-  patch -p1 -i "$srcdir/Revert-userns-Allow-unprivileged-users-to-create-use.patch"
-
   # Add grsecurity patches
   patch -Np1 -i "$srcdir/$_grsec_patch"
   rm localversion-grsec
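Review bot: Nothing on the new side records that the user-namespace restriction is now expected to come from the grsecurity patch applied at `patch -Np1 -i "$srcdir/$_grsec_patch"`. With the `# Forbid unprivileged user namespaces` step removed here, and its source entry and checksum dropped in the -27,17 hunk, the PKGBUILD no longer states that control anywhere. The removed revert made do_fork return -EPERM for CLONE_NEWUSER unless the caller held CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID; that the grsecurity patch at this timestamp enforces an equivalent check is stated only in the commit message, is not visible in this diff, and neither config hunk touches a related option. I would extend the remaining comment to `# Add grsecurity patches (these also restrict CLONE_NEWUSER to privileged callers, replacing the old userns revert)` so that a later grsecurity bump prompts someone to re-verify it. The enclosing function starts and ends outside the hunk.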

Deleted: Revert-userns-Allow-unprivileged-users-to-create-use.patch
===================================================================
--- Revert-userns-Allow-unprivileged-users-to-create-use.patch	2014-08-11 09:10:22 UTC (rev 117132)
+++ Revert-userns-Allow-unprivileged-users-to-create-use.patch	2014-08-11 09:27:22 UTC (rev 117133)
@@ -1,41 +0,0 @@
-From e3da68be55914bfeedb8866f191cc0958579611d Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer at fedoraproject.org>
-Date: Wed, 13 Nov 2013 10:21:18 -0500
-Subject: [PATCH] Revert "userns: Allow unprivileged users to create user
- namespaces."
-
-This reverts commit 5eaf563e53294d6696e651466697eb9d491f3946.
-
-Conflicts:
-	kernel/fork.c
----
- kernel/fork.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index f6d11fc..e04c9a7 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -1573,6 +1573,19 @@ long do_fork(unsigned long clone_flags,
- 	long nr;
- 
- 	/*
-+	 * Do some preliminary argument and permissions checking before we
-+	 * actually start allocating stuff
-+	 */
-+	if (clone_flags & CLONE_NEWUSER) {
-+		/* hopefully this check will go away when userns support is
-+		 * complete
-+		 */
-+		if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
-+				!capable(CAP_SETGID))
-+			return -EPERM;
-+	}
-+
-+	/*
- 	 * Determine whether and which event to report to ptracer.  When
- 	 * called from kernel_thread or CLONE_UNTRACED is explicitly
- 	 * requested, no event is reported; otherwise, report if the event
--- 
-1.8.3.1
-

Modified: config
===================================================================
--- config	2014-08-11 09:10:22 UTC (rev 117132)
+++ config	2014-08-11 09:27:22 UTC (rev 117133)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.8.201408010648-1 Kernel Configuration
+# Linux/x86 3.15.9.201408110025-1 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -414,6 +414,8 @@
 # CONFIG_X86_MCE_INJECT is not set
 CONFIG_X86_THERMAL_VECTOR=y
 CONFIG_VM86=y
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX32=y
 CONFIG_TOSHIBA=m
 CONFIG_I8K=m
 CONFIG_X86_REBOOTFIXUPS=y
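Review bot: `CONFIG_X86_16BIT=y` appears to be taken at its default in this hunk and in the matching config.x86_64 hunk (-405,6), and the commit message does not mention it. As far as I know the option keeps 16-bit protected-mode segments available to user space, mainly for legacy code under Wine or similar, and the ESPFIX option is the mitigation that accompanies it, so a hardened kernel should decide explicitly whether that surface is wanted. If no supported use case needs it and the option is selectable in this configuration, `# CONFIG_X86_16BIT is not set` should also make the ESPFIX line disappear. Otherwise a line in the commit message saying it was kept deliberately would be enough.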

Modified: config.x86_64
===================================================================
--- config.x86_64	2014-08-11 09:10:22 UTC (rev 117132)
+++ config.x86_64	2014-08-11 09:27:22 UTC (rev 117133)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.8.201408010648-1 Kernel Configuration
+# Linux/x86 3.15.9.201408110025-1 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -405,6 +405,8 @@
 CONFIG_X86_MCE_THRESHOLD=y
 # CONFIG_X86_MCE_INJECT is not set
 CONFIG_X86_THERMAL_VECTOR=y
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
 CONFIG_I8K=m
 CONFIG_MICROCODE=m
 CONFIG_MICROCODE_INTEL=y



