[arch-commits] Commit in linux-grsec/trunk (4 files)

Daniel Micay thestinger at archlinux.org
Sun Jul 27 07:35:11 UTC 2014


    Date: Sunday, July 27, 2014 @ 09:35:11
  Author: thestinger
Revision: 116408

upgpkg: linux-grsec 3.15.6.201407232200-2

* increase CONFIG_PAX_KERNEXEC_MODULE_TEXT to 12M for the i686 kernel
* enable CONFIG_PAX_MEMORY_UDEREF for the x86_64 kernel + add warning

Modified:
  linux-grsec/trunk/PKGBUILD
  linux-grsec/trunk/config
  linux-grsec/trunk/config.x86_64
  linux-grsec/trunk/linux-grsec.install

---------------------+
 PKGBUILD            |    6 ++---
 config              |    4 +--
 config.x86_64       |   53 ++++++--------------------------------------------
 linux-grsec.install |   16 +++++++++++++++
 4 files changed, 28 insertions(+), 51 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-07-27 03:41:52 UTC (rev 116407)
+++ PKGBUILD	2014-07-27 07:35:11 UTC (rev 116408)
@@ -11,7 +11,7 @@
 _timestamp=201407232200
 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch"
 pkgver=$_pkgver.$_timestamp
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url=https://grsecurity.net/
 license=('GPL2')
@@ -33,8 +33,8 @@
             'f2a15b142cd332c57e71ca06097c1fd159fa0d0709389b9fc10b7f78c48f741b'
             '90c7a7d4666ae4807eb45b766f73e649e4fcf9fdcb983b710fe33e3f80f7b546'
             'SKIP'
-            '4df3ada4372716916ef6007fb87dd086ef26cc5d5fb6f6194576735a6b0235d8'
-            '7738242314babeed7b633d6115bab438701c84bd336bf2aee1486c852998c1c2'
+            'e453e2c7f5d3f52032b310a5475932378aea378e9291f84fe0258d64da2a1a1b'
+            'f77adc49d47a754fbe0fcf9384642f436e569d59aa26c1cfbb85cce0bb8361ae'
             'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
             'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
             '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c'

Modified: config
===================================================================
--- config	2014-07-27 03:41:52 UTC (rev 116407)
+++ config	2014-07-27 07:35:11 UTC (rev 116408)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -6509,7 +6509,7 @@
 # CONFIG_PAX_ELFRELOCS is not set
 CONFIG_PAX_KERNEXEC=y
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
-CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
+CONFIG_PAX_KERNEXEC_MODULE_TEXT=12
 
 #
 # Address Space Layout Randomization

Modified: config.x86_64
===================================================================
--- config.x86_64	2014-07-27 03:41:52 UTC (rev 116407)
+++ config.x86_64	2014-07-27 07:35:11 UTC (rev 116408)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -357,13 +357,7 @@
 CONFIG_PARAVIRT=y
 # CONFIG_PARAVIRT_DEBUG is not set
 # CONFIG_PARAVIRT_SPINLOCKS is not set
-CONFIG_XEN=y
-CONFIG_XEN_DOM0=y
-CONFIG_XEN_PVHVM=y
-CONFIG_XEN_MAX_DOMAIN_MEMORY=500
-CONFIG_XEN_SAVE_RESTORE=y
-# CONFIG_XEN_DEBUG_FS is not set
-CONFIG_XEN_PVH=y
+# CONFIG_XEN is not set
 CONFIG_KVM_GUEST=y
 # CONFIG_KVM_DEBUG_FS is not set
 CONFIG_PARAVIRT_TIME_ACCOUNTING=y
@@ -521,7 +515,6 @@
 #
 CONFIG_SUSPEND=y
 CONFIG_SUSPEND_FREEZER=y
-CONFIG_HIBERNATE_CALLBACKS=y
 CONFIG_PM_SLEEP=y
 CONFIG_PM_SLEEP_SMP=y
 CONFIG_PM_AUTOSLEEP=y
@@ -632,7 +625,6 @@
 CONFIG_PCI=y
 CONFIG_PCI_DIRECT=y
 CONFIG_PCI_MMCONFIG=y
-CONFIG_PCI_XEN=y
 CONFIG_PCI_DOMAINS=y
 CONFIG_PCIEPORTBUS=y
 CONFIG_HOTPLUG_PCI_PCIE=y
@@ -649,7 +641,6 @@
 # CONFIG_PCI_DEBUG is not set
 CONFIG_PCI_REALLOC_ENABLE_AUTO=y
 CONFIG_PCI_STUB=m
-CONFIG_XEN_PCIDEV_FRONTEND=m
 CONFIG_HT_IRQ=y
 CONFIG_PCI_ATS=y
 CONFIG_PCI_IOV=y
@@ -1475,7 +1466,7 @@
 CONFIG_FW_LOADER_USER_HELPER=y
 # CONFIG_DEBUG_DRIVER is not set
 # CONFIG_DEBUG_DEVRES is not set
-CONFIG_SYS_HYPERVISOR=y
+# CONFIG_SYS_HYPERVISOR is not set
 # CONFIG_GENERIC_CPU_DEVICES is not set
 CONFIG_GENERIC_CPU_AUTOPROBE=y
 CONFIG_REGMAP=y
@@ -1662,8 +1653,6 @@
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_BLK_DEV_HD is not set
 CONFIG_BLK_DEV_RBD=m
@@ -2673,8 +2662,6 @@
 CONFIG_IEEE802154_FAKELB=m
 CONFIG_IEEE802154_AT86RF230=m
 # CONFIG_IEEE802154_MRF24J40 is not set
-CONFIG_XEN_NETDEV_FRONTEND=m
-CONFIG_XEN_NETDEV_BACKEND=m
 CONFIG_VMXNET3=m
 CONFIG_HYPERV_NET=m
 CONFIG_ISDN=y
@@ -3110,9 +3097,6 @@
 # CONFIG_LP_CONSOLE is not set
 CONFIG_PPDEV=m
 CONFIG_HVC_DRIVER=y
-CONFIG_HVC_IRQ=y
-CONFIG_HVC_XEN=y
-CONFIG_HVC_XEN_FRONTEND=y
 CONFIG_VIRTIO_CONSOLE=m
 CONFIG_IPMI_HANDLER=m
 # CONFIG_IPMI_PANIC_EVENT is not set
@@ -3157,7 +3141,6 @@
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_ST33_I2C=m
-CONFIG_TCG_XEN=m
 CONFIG_TELCLOCK=m
 CONFIG_I2C=m
 CONFIG_I2C_BOARDINFO=y
@@ -3604,7 +3587,6 @@
 CONFIG_MACHZ_WDT=m
 CONFIG_SBC_EPX_C3_WATCHDOG=m
 CONFIG_MEN_A21_WDT=m
-CONFIG_XEN_WDT=m
 
 #
 # PCI-based Watchdog Cards
@@ -4435,7 +4417,6 @@
 CONFIG_FB_UDL=m
 # CONFIG_FB_GOLDFISH is not set
 CONFIG_FB_VIRTUAL=m
-CONFIG_XEN_FBDEV_FRONTEND=m
 # CONFIG_FB_METRONOME is not set
 # CONFIG_FB_MB862XX is not set
 # CONFIG_FB_BROADSHEET is not set
@@ -5333,29 +5314,6 @@
 CONFIG_HYPERV=m
 CONFIG_HYPERV_UTILS=m
 CONFIG_HYPERV_BALLOON=m
-
-#
-# Xen driver support
-#
-CONFIG_XEN_BALLOON=y
-# CONFIG_XEN_SELFBALLOONING is not set
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_SCRUB_PAGES=y
-CONFIG_XEN_DEV_EVTCHN=m
-CONFIG_XEN_BACKEND=y
-CONFIG_XENFS=m
-CONFIG_XEN_COMPAT_XENFS=y
-CONFIG_XEN_SYS_HYPERVISOR=y
-CONFIG_XEN_XENBUS_FRONTEND=y
-CONFIG_XEN_GNTDEV=m
-CONFIG_XEN_GRANT_DEV_ALLOC=m
-CONFIG_SWIOTLB_XEN=y
-CONFIG_XEN_TMEM=m
-CONFIG_XEN_PCIDEV_BACKEND=m
-CONFIG_XEN_PRIVCMD=m
-CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_MCE_LOG is not set
-CONFIG_XEN_HAVE_PVMMU=y
 CONFIG_STAGING=y
 CONFIG_ET131X=m
 CONFIG_SLICOSS=m
@@ -6241,7 +6199,8 @@
 #
 # Grsecurity
 #
-CONFIG_TASK_SIZE_MAX_SHIFT=47
+CONFIG_PAX_PER_CPU_PGD=y
+CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_PAX_USERCOPY_SLABS=y
 CONFIG_GRKERNSEC=y
 # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
@@ -6278,6 +6237,7 @@
 CONFIG_PAX_MPROTECT=y
 # CONFIG_PAX_MPROTECT_COMPAT is not set
 # CONFIG_PAX_ELFRELOCS is not set
+# CONFIG_PAX_KERNEXEC is not set
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
 
 #
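Review bot: `# CONFIG_PAX_KERNEXEC is not set` leaves KERNEXEC off for the x86_64 kernel, while the i686 `config` in this same commit keeps `CONFIG_PAX_KERNEXEC=y`, and the commit message does not say why. The option appears to have become selectable here only once Xen was turned off, which is an inference from the other hunks rather than something the diff states. If leaving it off is deliberate, a line in the commit message would record the reason for the next maintainer. Otherwise `CONFIG_PAX_KERNEXEC=y` would bring the two architectures in line.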
@@ -6294,6 +6254,7 @@
 CONFIG_PAX_MEMORY_SANITIZE=y
 CONFIG_PAX_MEMORY_STACKLEAK=y
 CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
 CONFIG_PAX_REFCOUNT=y
 CONFIG_PAX_USERCOPY=y
 # CONFIG_PAX_USERCOPY_DEBUG is not set

Modified: linux-grsec.install
===================================================================
--- linux-grsec.install	2014-07-27 03:41:52 UTC (rev 116407)
+++ linux-grsec.install	2014-07-27 07:35:11 UTC (rev 116408)
@@ -4,6 +4,17 @@
 KERNEL_NAME=-grsec
 KERNEL_VERSION=3.13.10-1-grsec
 
+_uderef_warning() {
+  if [[ $(uname -m) = x86_64 ]]; then
+    cat <<EOF
+CONFIG_PAX_MEMORY_UDEREF is now enabled on x86_64 and can be disabled by
+passing \`pax_nouderef\` on the kernel line. UDEREF's PCID support on Sandy
+Bridge and later is known to have issues with recent kernel versions and can be
+disabled by passing \`nopcid\` to use the legacy implementation.
+EOF
+  fi
+}
+
 _add_groups() {
   if getent group tpe-trusted >/dev/null; then
     groupmod -g 200 -n tpe tpe-trusted
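Review bot: The text printed by `_uderef_warning` mentions only UDEREF, but the config.x86_64 part of this commit also sets `# CONFIG_XEN is not set` and removes the Xen front-end and back-end drivers, so anyone running this kernel as a Xen guest or dom0 gets no notice before rebooting into it. I would add a line to the heredoc such as `Xen guest and dom0 support is no longer built into the x86_64 kernel.` Separately, `uname -m` reports the running kernel's machine type rather than the package's architecture, so the i686 package installed in a 32-bit chroot on a 64-bit host would presumably print the warning too; that is worth confirming. `_add_groups` continues past the end of this hunk.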
@@ -52,6 +63,7 @@
   mkinitcpio -p linux${KERNEL_NAME}
 
   _add_groups
+  _uderef_warning
 }
 
 post_upgrade() {
@@ -76,6 +88,10 @@
   fi
 
   _add_groups
+
+  if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
+    _uderef_warning
+  fi
 }
 
 post_remove() {
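Review bot: `$2` is expanded unquoted inside the command substitution, so an empty or unexpected old-version argument changes how many arguments `vercmp` receives, and the `-lt` test then quietly evaluates false. Quoting it keeps the comparison well-formed: `if [[ $(vercmp "$2" 3.15.6.201407232200-2) -lt 0 ]]; then`. The threshold is a hard-coded copy of this release's version, so a short comment such as `# first release with UDEREF enabled on x86_64` would tell later editors not to bump it with each upgrade. `post_upgrade` begins before this hunk, so the rest of its body is not visible here.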



