-rw-r--r--.SRCINFO22
-rw-r--r--0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch (renamed from 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch)69
-rw-r--r--0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch57
-rw-r--r--PKGBUILD64
-rw-r--r--config9
5 files changed, 94 insertions, 127 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 04e77c6..8460d9d 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
pkgbase = linux-rt-lts
- pkgver = 4.19.72.26
+ pkgver = 4.19.82.30
pkgrel = 1
url = https://wiki.linuxfoundation.org/realtime/start
arch = x86_64
@@ -15,26 +15,24 @@ pkgbase = linux-rt-lts
makedepends = python-sphinx_rtd_theme
makedepends = xmlto
options = !strip
- source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.xz
- source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.72.tar.sign
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.xz
- source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.72-rt26.patch.sign
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.xz
+ source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.19.82.tar.sign
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.xz
+ source = https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-4.19.82-rt30.patch.sign
source = config
- source = 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- source = 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+ source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
validpgpkeys = 8218F88849AAC522E94CF470A5E9288C4FA415FA
validpgpkeys = 64254695FFF0AA4466CC19E67B96E8162A8CF5D1
validpgpkeys = 5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73
validpgpkeys = E644E2F1D45FA0B2EAA02F33109F098506FF0B14
- sha256sums = f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d
+ sha256sums = 58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d
sha256sums = SKIP
- sha256sums = 7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6
+ sha256sums = c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a
sha256sums = SKIP
- sha256sums = e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600
- sha256sums = 75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc
- sha256sums = 67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d
+ sha256sums = ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81
+ sha256sums = a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2
pkgname = linux-rt-lts
pkgdesc = The Linux-rt-lts kernel and modules
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
index e57df3b..f93022e 100644
--- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
+++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch
@@ -1,22 +1,49 @@
-From 1a47eb71988a919e811ce558f6f58855155c6218 Mon Sep 17 00:00:00 2001
-From: Serge Hallyn <serge.hallyn@canonical.com>
-Date: Fri, 31 May 2013 19:12:12 +0100
-Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
+From 6136ffb3d88e9f044260f8288d2d0a1edd64379e Mon Sep 17 00:00:00 2001
+From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
+Date: Mon, 16 Sep 2019 04:53:20 +0200
+Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
+ CLONE_NEWUSER
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-[bwh: Remove unneeded binary sysctl bits]
-Signed-off-by: Daniel Micay <danielmicay@gmail.com>
+Our default behavior continues to match the vanilla kernel.
---
+ init/Kconfig | 16 ++++++++++++++++
kernel/fork.c | 15 +++++++++++++++
kernel/sysctl.c | 12 ++++++++++++
- kernel/user_namespace.c | 3 +++
- 3 files changed, 30 insertions(+)
+ kernel/user_namespace.c | 7 +++++++
+ 4 files changed, 50 insertions(+)
+diff --git a/init/Kconfig b/init/Kconfig
+index bd7d650d4a99..658f9c052151 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1091,6 +1091,22 @@ config USER_NS
+
+ If unsure, say N.
+
++config USER_NS_UNPRIVILEGED
++ bool "Allow unprivileged users to create namespaces"
++ default y
++ depends on USER_NS
++ help
++ When disabled, unprivileged users will not be able to create
++ new namespaces. Allowing users to create their own namespaces
++ has been part of several recent local privilege escalation
++ exploits, so if you need user namespaces but are
++ paranoid^Wsecurity-conscious you want to disable this.
++
++ This setting can be overridden at runtime via the
++ kernel.unprivileged_userns_clone sysctl.
++
++ If unsure, say Y.
++
+ config PID_NS
+ bool "PID Namespaces"
+ default y
diff --git a/kernel/fork.c b/kernel/fork.c
-index 8ed48ca2cc43..e02823819ab7 100644
+index 541fd805fb88..ffd57c812153 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
-@@ -103,6 +103,11 @@
+@@ -106,6 +106,11 @@
#define CREATE_TRACE_POINTS
#include <trace/events/task.h>
@@ -28,7 +55,7 @@ index 8ed48ca2cc43..e02823819ab7 100644
/*
* Minimum number of threads to boot the kernel
-@@ -1625,6 +1630,10 @@ static __latent_entropy struct task_struct *copy_process(
+@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
@@ -39,7 +66,7 @@ index 8ed48ca2cc43..e02823819ab7 100644
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
-@@ -2421,6 +2430,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
@@ -53,10 +80,10 @@ index 8ed48ca2cc43..e02823819ab7 100644
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index 2d9837c0aff4..eb5236c069fc 100644
+index 078950d9605b..baead3605bbe 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
-@@ -105,6 +105,9 @@ extern int core_uses_pid;
+@@ -110,6 +110,9 @@ extern int core_uses_pid;
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
@@ -66,7 +93,7 @@ index 2d9837c0aff4..eb5236c069fc 100644
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
-@@ -519,6 +522,15 @@ static struct ctl_table kern_table[] = {
+@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
@@ -83,19 +110,23 @@ index 2d9837c0aff4..eb5236c069fc 100644
{
.procname = "tainted",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index e5222b5fb4fe..c941a66e51d1 100644
+index 8eadadc478f9..c36ecd19562c 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
-@@ -26,6 +26,9 @@
+@@ -21,6 +21,13 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
++#ifdef CONFIG_USER_NS_UNPRIVILEGED
++int unprivileged_userns_clone = 1;
++#else
+int unprivileged_userns_clone;
++#endif
+
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
--
-2.19.0
+2.23.0
diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
deleted file mode 100644
index 7fa619f..0000000
--- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 1f89ffcbd1b6b6639eb49c521ac0d308a723cd3c Mon Sep 17 00:00:00 2001
-From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
-Date: Thu, 7 Dec 2017 13:50:48 +0100
-Subject: [PATCH 2/2] ZEN: Add CONFIG for unprivileged_userns_clone
-
-This way our default behavior continues to match the vanilla kernel.
----
- init/Kconfig | 16 ++++++++++++++++
- kernel/user_namespace.c | 4 ++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/init/Kconfig b/init/Kconfig
-index 4592bf7997c0..f3df02990aff 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1004,6 +1004,22 @@ config USER_NS
-
- If unsure, say N.
-
-+config USER_NS_UNPRIVILEGED
-+ bool "Allow unprivileged users to create namespaces"
-+ default y
-+ depends on USER_NS
-+ help
-+ When disabled, unprivileged users will not be able to create
-+ new namespaces. Allowing users to create their own namespaces
-+ has been part of several recent local privilege escalation
-+ exploits, so if you need user namespaces but are
-+ paranoid^Wsecurity-conscious you want to disable this.
-+
-+ This setting can be overridden at runtime via the
-+ kernel.unprivileged_userns_clone sysctl.
-+
-+ If unsure, say Y.
-+
- config PID_NS
- bool "PID Namespaces"
- default y
-diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index 6b9dbc257e34..107b17f0d528 100644
---- a/kernel/user_namespace.c
-+++ b/kernel/user_namespace.c
-@@ -27,7 +27,11 @@
- #include <linux/sort.h>
-
- /* sysctl */
-+#ifdef CONFIG_USER_NS_UNPRIVILEGED
-+int unprivileged_userns_clone = 1;
-+#else
- int unprivileged_userns_clone;
-+#endif
-
- static struct kmem_cache *user_ns_cachep __read_mostly;
- static DEFINE_MUTEX(userns_state_mutex);
---
-2.22.0
-
diff --git a/PKGBUILD b/PKGBUILD
index 1838683..2ba767e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,13 +1,13 @@
# Maintainer: Joakim Hernberg <jbh@alchemy.lu>
-# Contributor: David Runge <dave@sleepmap.de>
+# Contributor: David Runge <dvzrv@archlinux.org>
# Contributor: Ray Rashif <schiv@archlinux.org>
# Contributor: timbosa <tinny_tim@dodo.com.au>
# Contributor: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
# Contributor: Tobias Powalowski <tpowa@archlinux.org>
# Contributor: Thomas Baechler <thomas@archlinux.org>
-_pkgver=4.19.72
-_rtpatchver=26
+_pkgver=4.19.82
+_rtpatchver=30
pkgbase=linux-rt-lts
pkgver=${_pkgver}.${_rtpatchver}
pkgrel=1
@@ -23,9 +23,8 @@ source=(
"https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_pkgver}.tar.sign"
"https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.xz"
"https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patch-${_pkgver}-rt${_rtpatchver}.patch.sign"
- config # the main kernel config file
- 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch
- 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch
+ 'config'
+ '0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch'
)
validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
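Review bot: The `# the main kernel config file` comment on the config entry was dropped together with the quoting change, leaving the only non-URL, non-patch source without an explanation; keeping it costs nothing, `'config' # the main kernel config file`. The six remaining entries (tarball, its signature, rt patch, its signature, config, the single ZEN patch) line up with the six-entry sha256sums array changed further down, so the count is consistent after removing the 0002 patch. The source array starts before this hunk.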
@@ -35,13 +34,12 @@ validpgpkeys=(
'5ED9A48FC54C0A22D1D0804CEBC26CDB5A56DE73' # Steven Rostedt
'E644E2F1D45FA0B2EAA02F33109F098506FF0B14' # Thomas Gleixner
)
-sha256sums=('f9fcb6b3bd29115ac55fc154e300c3dce2044502732f6842ad6c25e6f9f51f6d'
+sha256sums=('58d96d6c2c5ee8288fe9714891e4037a18f457b008e369e33fc744afc2cb595d'
'SKIP'
- '7e360014f510daf6ab886f272531f98d9ae5cb5a55973a9b636346ac45f841f6'
+ 'c299a487a4a0446019b15241e132f6d570910eb18a968309f57b9bc8e44fc23a'
'SKIP'
- 'e5a6ac3346c359353b3a7491bb77637870328a4bf3f3d57bf434a29b72632600'
- '75aa8dd708ca5a0137fbf7cddc9cafefe6aac6b8e0638c06c156d412d05af4bc'
- '67aed9742e4281df6f0bd18dc936ae79319fee3763737f158c0e87a6948d100d')
+ 'ab71979485ff9771d264c692a1215b5657455e844a16e00656cba0c810a99a81'
+ 'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2')
export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
@@ -54,7 +52,7 @@ prepare() {
msg "applying patch-${_pkgver}-rt${_rtpatchver}.patch"
patch -Np1 -i "../patch-${_pkgver}-rt${_rtpatchver}.patch"
- msg2 "Setting version..."
+ echo "Setting version..."
scripts/setlocalversion --save-scmversion
echo "-$pkgrel" > localversion.10-pkgrel
echo "${pkgbase#linux}" > localversion.20-pkgname
@@ -64,17 +62,17 @@ prepare() {
src="${src%%::*}"
src="${src##*/}"
[[ $src = *.patch ]] || continue
- msg2 "Applying patch $src..."
+ echo "Applying patch $src..."
patch -Np1 < "../$src"
done
- msg2 "Setting config..."
+ echo "Setting config..."
cp ../config .config
make olddefconfig
# make menuconfig # CLI menu for configuration
make -s kernelrelease > version
- msg2 "Prepared %s version %s" "$pkgbase" "$(<version)"
+ echo "Prepared %s version %s" "$pkgbase" "$(<version)"
}
build() {
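Review bot: The last replaced line, `echo "Prepared %s version %s" "$pkgbase" "$(<version)"`, no longer formats its arguments: `msg2` was a printf-style wrapper, but `echo` prints the two `%s` placeholders literally and then appends the package name and version as extra words. Use `printf 'Prepared %s version %s\n' "$pkgbase" "$(<version)"` or `echo "Prepared $pkgbase version $(<version)"`. The other `msg2` to `echo` swaps in this hunk and in the _package hunks below pass a single plain string, so they are unaffected. prepare() starts before this hunk.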
@@ -92,7 +90,7 @@ _package() {
local kernver="$(<version)"
local modulesdir="$pkgdir/usr/lib/modules/$kernver"
- msg2 "Installing boot image..."
+ echo "Installing boot image..."
# systemd expects to find the kernel here to allow hibernation
# https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
@@ -100,13 +98,13 @@ _package() {
# Used by mkinitcpio to name the kernel
echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
- msg2 "Installing modules..."
+ echo "Installing modules..."
make INSTALL_MOD_PATH="$pkgdir/usr" modules_install
# remove build and source links
rm "$modulesdir"/{source,build}
- msg2 "Fixing permissions..."
+ echo "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
@@ -116,7 +114,7 @@ _package-headers() {
cd $_srcname
local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
- msg2 "Installing build files..."
+ echo "Installing build files..."
install -Dt "$builddir" -m644 .config Makefile Module.symvers System.map \
localversion.* version vmlinux
install -Dt "$builddir/kernel" -m644 kernel/Makefile
@@ -132,7 +130,7 @@ _package-headers() {
# this is gone in v5.3
mkdir "$builddir/.tmp_versions"
- msg2 "Installing headers..."
+ echo "Installing headers..."
cp -t "$builddir" -a include
cp -t "$builddir/arch/x86" -a arch/x86/include
install -Dt "$builddir/arch/x86/kernel" -m644 arch/x86/kernel/asm-offsets.s
@@ -148,10 +146,10 @@ _package-headers() {
install -Dt "$builddir/drivers/media/dvb-frontends" -m644 drivers/media/dvb-frontends/*.h
install -Dt "$builddir/drivers/media/tuners" -m644 drivers/media/tuners/*.h
- msg2 "Installing KConfig files..."
+ echo "Installing KConfig files..."
find . -name 'Kconfig*' -exec install -Dm644 {} "$builddir/{}" \;
- msg2 "Removing unneeded architectures..."
+ echo "Removing unneeded architectures..."
local arch
for arch in "$builddir"/arch/*/; do
[[ $arch = */x86/ ]] && continue
@@ -159,16 +157,16 @@ _package-headers() {
rm -r "$arch"
done
- msg2 "Removing documentation..."
+ echo "Removing documentation..."
rm -r "$builddir/Documentation"
- msg2 "Removing broken symlinks..."
+ echo "Removing broken symlinks..."
find -L "$builddir" -type l -printf 'Removing %P\n' -delete
- msg2 "Removing loose objects..."
+ echo "Removing loose objects..."
find "$builddir" -type f -name '*.o' -printf 'Removing %P\n' -delete
- msg2 "Stripping build tools..."
+ echo "Stripping build tools..."
local file
while read -rd '' file; do
case "$(file -bi "$file")" in
@@ -183,11 +181,11 @@ _package-headers() {
esac
done < <(find "$builddir" -type f -perm -u+x ! -name vmlinux -print0)
- msg2 "Adding symlink..."
+ echo "Adding symlink..."
mkdir -p "$pkgdir/usr/src"
ln -sr "$builddir" "$pkgdir/usr/src/$pkgbase"
- msg2 "Fixing permissions..."
+ echo "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
@@ -197,14 +195,14 @@ _package-docs() {
cd $_srcname
local builddir="$pkgdir/usr/lib/modules/$(<version)/build"
- msg2 "Installing documentation..."
+ echo "Installing documentation..."
mkdir -p "$builddir"
cp -t "$builddir" -a Documentation
- msg2 "Removing doctrees..."
+ echo "Removing doctrees..."
rm -r "$builddir/Documentation/output/.doctrees"
- msg2 "Moving HTML docs..."
+ echo "Moving HTML docs..."
local src dst
while read -rd '' src; do
dst="$builddir/Documentation/${src#$builddir/Documentation/output/}"
@@ -213,11 +211,11 @@ _package-docs() {
rmdir -p --ignore-fail-on-non-empty "${src%/*}"
done < <(find "$builddir/Documentation/output" -type f -print0)
- msg2 "Adding symlink..."
+ echo "Adding symlink..."
mkdir -p "$pkgdir/usr/share/doc"
ln -sr "$builddir/Documentation" "$pkgdir/usr/share/doc/$pkgbase"
- msg2 "Fixing permissions..."
+ echo "Fixing permissions..."
chmod -Rc u=rwX,go=rX "$pkgdir"
}
diff --git a/config b/config
index 4ee3536..febec2b 100644
--- a/config
+++ b/config
@@ -1,13 +1,13 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.19.72 Kernel Configuration
+# Linux/x86 4.19.82 Kernel Configuration
#
#
-# Compiler: gcc (GCC) 9.1.0
+# Compiler: gcc (GCC) 9.2.0
#
CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=90100
+CONFIG_GCC_VERSION=90200
CONFIG_CLANG_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
@@ -2061,7 +2061,6 @@ CONFIG_REGMAP_SPMI=m
CONFIG_REGMAP_W1=m
CONFIG_REGMAP_MMIO=y
CONFIG_REGMAP_IRQ=y
-CONFIG_REGMAP_SOUNDWIRE=m
CONFIG_DMA_SHARED_BUFFER=y
# CONFIG_DMA_FENCE_TRACE is not set
@@ -7021,7 +7020,6 @@ CONFIG_USB_EMI62=m
CONFIG_USB_EMI26=m
CONFIG_USB_ADUTUX=m
CONFIG_USB_SEVSEG=m
-CONFIG_USB_RIO500=m
CONFIG_USB_LEGOTOWER=m
CONFIG_USB_LCD=m
CONFIG_USB_CYPRESS_CY7C63=m
@@ -8097,7 +8095,6 @@ CONFIG_SOUNDWIRE=y
#
# SoundWire Devices
#
-CONFIG_SOUNDWIRE_BUS=m
CONFIG_SOUNDWIRE_CADENCE=m
CONFIG_SOUNDWIRE_INTEL=m