From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.2.33/, 2.6.32/, 3.6.6/
Date: Wed, 14 Nov 2012 02:19:55 +0000 (UTC)	[thread overview]
Message-ID: <1352859552.dad447bb6b1815cc9ed8f12cda3c1d37d59c9e70.blueness@gentoo> (raw)

commit:     dad447bb6b1815cc9ed8f12cda3c1d37d59c9e70
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Nov 14 02:19:12 2012 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Nov 14 02:19:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=dad447bb

Grsec/PaX: 2.9.1-{2.6.32.60,3.2.33,3.6.6}-201211122213

---
 2.6.32/0000_README                                 |    2 +-
 ..._grsecurity-2.9.1-2.6.32.60-201211122212.patch} |   49 ++++++++++++--------
 3.2.33/0000_README                                 |    6 ++-
 ...420_grsecurity-2.9.1-3.2.33-201211122213.patch} |   49 ++++++++++++--------
 3.2.33/4425-tmpfs-user-namespace.patch             |   28 +++++++++++
 3.6.6/0000_README                                  |    6 ++-
 ...4420_grsecurity-2.9.1-3.6.6-201211122213.patch} |   49 ++++++++++++--------
 3.6.6/4425-tmpfs-user-namespace.patch              |   28 +++++++++++
 8 files changed, 157 insertions(+), 60 deletions(-)

diff --git a/2.6.32/0000_README b/2.6.32/0000_README
index 8bd0698..ac627bb 100644
--- a/2.6.32/0000_README
+++ b/2.6.32/0000_README
@@ -34,7 +34,7 @@ Patch:	1059_linux-2.6.32.60.patch
 From:	http://www.kernel.org
 Desc:	Linux 2.6.32.59
 
-Patch:	4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
+Patch:	4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
similarity index 99%
rename from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
rename to 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
index 82352cf..4b4bbbc 100644
--- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch
+++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch
@@ -84681,10 +84681,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..b50e14d
+index 0000000..42c1316
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4187 @@
+@@ -0,0 +1,4198 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -85747,7 +85747,7 @@ index 0000000..b50e14d
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
 +
 +static int
 +copy_user_glob(struct acl_object_label *obj)
@@ -85833,13 +85833,18 @@ index 0000000..b50e14d
 +			return ret;
 +
 +		if (o_tmp->nested) {
-+			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++			int already_copied;
++
++			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
 +			if (IS_ERR(o_tmp->nested))
 +				return PTR_ERR(o_tmp->nested);
 +
-+			/* insert into nested subject list */
-+			o_tmp->nested->next = role->hash->first;
-+			role->hash->first = o_tmp->nested;
++			/* insert into nested subject list if we haven't copied this one yet
++			   to prevent duplicate entries */
++			if (!already_copied) {
++				o_tmp->nested->next = role->hash->first;
++				role->hash->first = o_tmp->nested;
++			}
 +		}
 +	}
 +
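Review bot: `int already_copied;` on the new side is declared without an initializer and is only well-defined because do_copy_user_subj stores 0 through the pointer before any of its own returns; an early return added ahead of that store in a later revision would leave the `if (!already_copied)` test reading an indeterminate value. Writing `int already_copied = 0;` at the declaration removes that coupling at no cost. The enclosing function starts and ends outside the hunk. The 3.2.33 and 3.6.6 copies of this grsecurity patch in the same commit carry the identical hunk.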
@@ -85958,7 +85963,7 @@ index 0000000..b50e14d
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
 +{
 +	struct acl_subject_label *s_tmp = NULL, *s_tmp2;
 +	unsigned int len;
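Review bot: The new `already_copied` out-parameter of do_copy_user_subj is documented nowhere, neither at the forward declaration nor at the definition, and the two call sites that pass `NULL` give a reader no hint that it is optional. A comment above the definition would settle it: `/* already_copied: optional (may be NULL); set to 1 when userp was already copied into the kernel and the existing label is returned, 0 when a fresh copy is made */`. The body of do_copy_user_subj continues in the following hunks, where the two stores that give the flag its meaning live. The 3.2.33 and 3.6.6 copies of this patch have the same definition and would take the same comment.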
@@ -85970,13 +85975,19 @@ index 0000000..b50e14d
 +	unsigned int i_num;
 +	int err;
 +
++	if (already_copied != NULL)
++		*already_copied = 0;
++
 +	s_tmp = lookup_subject_map(userp);
 +
 +	/* we've already copied this subject into the kernel, just return
 +	   the reference to it, and don't copy it over again
 +	*/
-+	if (s_tmp)
++	if (s_tmp) {
++		if (already_copied != NULL)
++			*already_copied = 1;
 +		return(s_tmp);
++	}
 +
 +	if ((s_tmp = (struct acl_subject_label *)
 +	    acl_alloc(sizeof (struct acl_subject_label))) == NULL)
@@ -86062,7 +86073,7 @@ index 0000000..b50e14d
 +
 +	/* set pointer for parent subject */
 +	if (s_tmp->parent_subject) {
-+		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
 +
 +		if (IS_ERR(s_tmp2))
 +			return s_tmp2;
@@ -86146,7 +86157,7 @@ index 0000000..b50e14d
 +			continue;
 +		}
 +
-+		ret = do_copy_user_subj(userp, role);
++		ret = do_copy_user_subj(userp, role, NULL);
 +
 +		err = PTR_ERR(ret);
 +		if (IS_ERR(ret))
@@ -102648,7 +102659,7 @@ index d4aba4f..0bb4763 100644
  		seq_printf(m, "%40s %14lu %29s %s\n", name,
  				stats->contending_point[i],
 diff --git a/kernel/module.c b/kernel/module.c
-index 4b270e6..5e2eb1b 100644
+index 4b270e6..ca3d254 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -55,6 +55,7 @@
@@ -102742,7 +102753,7 @@ index 4b270e6..5e2eb1b 100644
 +	p = strstr(mod->args, "grsec_modharden_fs");
 +
 +	if (p) {
-+		char *endptr = p + strlen("grsec_modharden_fs");
++		char *endptr = p + sizeof("grsec_modharden_fs") - 1;
 +		/* copy \0 as well */
 +		memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
 +		is_fs_load = 1;
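Review bot: The marker literal `"grsec_modharden_fs"` is now spelled twice in this hunk, once in the strstr() call and once inside `sizeof("grsec_modharden_fs") - 1`, so the two copies can drift apart without a compiler complaint; a single `#define GRSEC_MODHARDEN_FS "grsec_modharden_fs"` used in both places (and likewise for `"grsec_modharden_normal"` in the later hunk of kernel/module.c) keeps the computed length tied to the string actually matched. Separately, the marker is located by plain substring search in mod->args, so the strip-and-flag path also fires when the marker occurs inside another argument's value; if the kernel always emits it as a standalone token, anchoring the match at the start of the string or after a separator would be a cheap tightening, but that depends on code outside the hunk. The enclosing function starts and ends outside the hunk; the 3.2.33 and 3.6.6 copies of this patch contain the same change.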
@@ -103140,7 +103151,7 @@ index 4b270e6..5e2eb1b 100644
 +			err = -EPERM;
 +			goto cleanup;
 +		} else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+			p += strlen("grsec_modharden_normal");
++			p += sizeof("grsec_modharden_normal") - 1;
 +			p2 = strstr(p, "_");
 +			if (p2) {
 +				*p2 = '\0';
@@ -113604,7 +113615,7 @@ index f900dc3..5e45346 100644
  		struct nlattr *nla;
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
-index 0000000..b1bac76
+index 0000000..725bece
 --- /dev/null
 +++ b/net/netfilter/xt_gradm.c
 @@ -0,0 +1,51 @@
@@ -113643,13 +113654,13 @@ index 0000000..b1bac76
 +};
 +
 +static int __init gradm_mt_init(void)
-+{       
-+	        return xt_register_match(&gradm_mt_reg);
++{
++	return xt_register_match(&gradm_mt_reg);
 +}
 +
 +static void __exit gradm_mt_exit(void)
-+{       
-+	        xt_unregister_match(&gradm_mt_reg);
++{
++	xt_unregister_match(&gradm_mt_reg);
 +}
 +
 +module_init(gradm_mt_init);

diff --git a/3.2.33/0000_README b/3.2.33/0000_README
index 4f37d3a..c03c7c6 100644
--- a/3.2.33/0000_README
+++ b/3.2.33/0000_README
@@ -50,10 +50,14 @@ Patch:	1032_linux-3.2.33.patch
 From:	http://www.kernel.org
 Desc:	Linux 3.2.33
 
-Patch:	4420_grsecurity-2.9.1-3.2.33-201211072000.patch
+Patch:	4420_grsecurity-2.9.1-3.2.33-201211122213.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
+Patch:	4425-tmpfs-user-namespace.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Enable XATTR_USER_PREFIX namespace on tmpfs
+
 Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file

diff --git a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
similarity index 99%
rename from 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
rename to 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
index 3d86532..7a220ce 100644
--- a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch
+++ b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch
@@ -52333,10 +52333,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..ddf281c
+index 0000000..7feb2c5
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4202 @@
+@@ -0,0 +1,4213 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -53397,7 +53397,7 @@ index 0000000..ddf281c
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
 +
 +static int
 +copy_user_glob(struct acl_object_label *obj)
@@ -53483,13 +53483,18 @@ index 0000000..ddf281c
 +			return ret;
 +
 +		if (o_tmp->nested) {
-+			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++			int already_copied;
++
++			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
 +			if (IS_ERR(o_tmp->nested))
 +				return PTR_ERR(o_tmp->nested);
 +
-+			/* insert into nested subject list */
-+			o_tmp->nested->next = role->hash->first;
-+			role->hash->first = o_tmp->nested;
++			/* insert into nested subject list if we haven't copied this one yet
++			   to prevent duplicate entries */
++			if (!already_copied) {
++				o_tmp->nested->next = role->hash->first;
++				role->hash->first = o_tmp->nested;
++			}
 +		}
 +	}
 +
@@ -53608,7 +53613,7 @@ index 0000000..ddf281c
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
 +{
 +	struct acl_subject_label *s_tmp = NULL, *s_tmp2;
 +	unsigned int len;
@@ -53620,13 +53625,19 @@ index 0000000..ddf281c
 +	unsigned int i_num;
 +	int err;
 +
++	if (already_copied != NULL)
++		*already_copied = 0;
++
 +	s_tmp = lookup_subject_map(userp);
 +
 +	/* we've already copied this subject into the kernel, just return
 +	   the reference to it, and don't copy it over again
 +	*/
-+	if (s_tmp)
++	if (s_tmp) {
++		if (already_copied != NULL)
++			*already_copied = 1;
 +		return(s_tmp);
++	}
 +
 +	if ((s_tmp = (struct acl_subject_label *)
 +	    acl_alloc(sizeof (struct acl_subject_label))) == NULL)
@@ -53712,7 +53723,7 @@ index 0000000..ddf281c
 +
 +	/* set pointer for parent subject */
 +	if (s_tmp->parent_subject) {
-+		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
 +
 +		if (IS_ERR(s_tmp2))
 +			return s_tmp2;
@@ -53796,7 +53807,7 @@ index 0000000..ddf281c
 +			continue;
 +		}
 +
-+		ret = do_copy_user_subj(userp, role);
++		ret = do_copy_user_subj(userp, role, NULL);
 +
 +		err = PTR_ERR(ret);
 +		if (IS_ERR(ret))
@@ -69087,7 +69098,7 @@ index 91c32a0..7b88d63 100644
  		seq_printf(m, "%40s %14lu %29s %pS\n",
  			   name, stats->contending_point[i],
 diff --git a/kernel/module.c b/kernel/module.c
-index 6c8fa34..0ab39b6 100644
+index 6c8fa34..b289138 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -58,6 +58,7 @@
@@ -69250,7 +69261,7 @@ index 6c8fa34..0ab39b6 100644
 +
 +	p = strstr(mod->args, "grsec_modharden_fs");
 +	if (p) {
-+		char *endptr = p + strlen("grsec_modharden_fs");
++		char *endptr = p + sizeof("grsec_modharden_fs") - 1;
 +		/* copy \0 as well */
 +		memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
 +		is_fs_load = 1;
@@ -69660,7 +69671,7 @@ index 6c8fa34..0ab39b6 100644
 +			err = -EPERM;
 +			goto free_modinfo;
 +		} else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+			p += strlen("grsec_modharden_normal");
++			p += sizeof("grsec_modharden_normal") - 1;
 +			p2 = strstr(p, "_");
 +			if (p2) {
 +				*p2 = '\0';
@@ -80157,7 +80168,7 @@ index 66b2c54..c7884e3 100644
  		struct nlattr *nla;
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
-index 0000000..6905327
+index 0000000..c566332
 --- /dev/null
 +++ b/net/netfilter/xt_gradm.c
 @@ -0,0 +1,51 @@
@@ -80196,13 +80207,13 @@ index 0000000..6905327
 +};
 +
 +static int __init gradm_mt_init(void)
-+{       
-+	        return xt_register_match(&gradm_mt_reg);
++{
++	return xt_register_match(&gradm_mt_reg);
 +}
 +
 +static void __exit gradm_mt_exit(void)
-+{       
-+	        xt_unregister_match(&gradm_mt_reg);
++{
++	xt_unregister_match(&gradm_mt_reg);
 +}
 +
 +module_init(gradm_mt_init);

diff --git a/3.2.33/4425-tmpfs-user-namespace.patch b/3.2.33/4425-tmpfs-user-namespace.patch
new file mode 100644
index 0000000..a7d2649
--- /dev/null
+++ b/3.2.33/4425-tmpfs-user-namespace.patch
@@ -0,0 +1,28 @@
+Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs
+
+For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we
+need to accept XATTR_USER_PREFIX extended attribute namespace
+as valid.  In Gentoo and other distros that make use of tmpfs
+for their packaging systems, this makes it possible to pax mark
+executables built in tmpfs before being tarred or otherwised
+packaged.
+
+X-Gentoo-Bug: 432434
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 67afba5..697a181 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1804,7 +1804,8 @@ static int shmem_xattr_validate(const char *name)
+ {
+ 	struct { const char *prefix; size_t len; } arr[] = {
+ 		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
+-		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
++		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
++		{ XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }
+ 	};
+ 	int i;
+ 
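Review bot: Adding `{ XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }` makes shmem_xattr_validate accept the whole user.* namespace on every tmpfs inode, not only the XATTR_PAX_FLAGS attribute the description motivates, and the new entry is reachable by any process with write access to a file on tmpfs. If, as in the shmem.c versions I know, tmpfs keeps xattrs in kmalloc'd memory rather than in pages charged to the mount's size limit, the number and total size of user.* attributes an unprivileged user can attach is not bounded by that limit; confirm in the rest of mm/shmem.c whether anything accounts for them, or consider restricting the extra entry to the specific PaX attribute name instead of the full prefix. The description's `otherwised` should read `otherwise`. The 3.6.6/4425-tmpfs-user-namespace.patch added in this commit is identical apart from the hunk offset and would take the same review.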

diff --git a/3.6.6/0000_README b/3.6.6/0000_README
index b78c8e4..306bcfd 100644
--- a/3.6.6/0000_README
+++ b/3.6.6/0000_README
@@ -2,10 +2,14 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-2.9.1-3.6.6-201211072001.patch
+Patch:	4420_grsecurity-2.9.1-3.6.6-201211122213.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 
+Patch:	4425-tmpfs-user-namespace.patch
+From:	Anthony G. Basile <blueness@gentoo.org>
+Desc:	Enable XATTR_USER_PREFIX namespace on tmpfs
+
 Patch:	4430_grsec-remove-localversion-grsec.patch
 From:	Kerin Millar <kerframil@gmail.com>
 Desc:	Removes grsecurity's localversion-grsec file

diff --git a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
similarity index 99%
rename from 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
rename to 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
index e6e5d8f..164e8e9 100644
--- a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch
+++ b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch
@@ -51741,10 +51741,10 @@ index 0000000..1b9afa9
 +endif
 diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
 new file mode 100644
-index 0000000..3d58260
+index 0000000..b736032
 --- /dev/null
 +++ b/grsecurity/gracl.c
-@@ -0,0 +1,4029 @@
+@@ -0,0 +1,4040 @@
 +#include <linux/kernel.h>
 +#include <linux/module.h>
 +#include <linux/sched.h>
@@ -52809,7 +52809,7 @@ index 0000000..3d58260
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
 +
 +static int
 +copy_user_glob(struct acl_object_label *obj)
@@ -52895,13 +52895,18 @@ index 0000000..3d58260
 +			return ret;
 +
 +		if (o_tmp->nested) {
-+			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
++			int already_copied;
++
++			o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
 +			if (IS_ERR(o_tmp->nested))
 +				return PTR_ERR(o_tmp->nested);
 +
-+			/* insert into nested subject list */
-+			o_tmp->nested->next = role->hash->first;
-+			role->hash->first = o_tmp->nested;
++			/* insert into nested subject list if we haven't copied this one yet
++			   to prevent duplicate entries */
++			if (!already_copied) {
++				o_tmp->nested->next = role->hash->first;
++				role->hash->first = o_tmp->nested;
++			}
 +		}
 +	}
 +
@@ -53020,7 +53025,7 @@ index 0000000..3d58260
 +}
 +
 +static struct acl_subject_label *
-+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
 +{
 +	struct acl_subject_label *s_tmp = NULL, *s_tmp2;
 +	unsigned int len;
@@ -53032,13 +53037,19 @@ index 0000000..3d58260
 +	unsigned int i_num;
 +	int err;
 +
++	if (already_copied != NULL)
++		*already_copied = 0;
++
 +	s_tmp = lookup_subject_map(userp);
 +
 +	/* we've already copied this subject into the kernel, just return
 +	   the reference to it, and don't copy it over again
 +	*/
-+	if (s_tmp)
++	if (s_tmp) {
++		if (already_copied != NULL)
++			*already_copied = 1;
 +		return(s_tmp);
++	}
 +
 +	if ((s_tmp = (struct acl_subject_label *)
 +	    acl_alloc(sizeof (struct acl_subject_label))) == NULL)
@@ -53124,7 +53135,7 @@ index 0000000..3d58260
 +
 +	/* set pointer for parent subject */
 +	if (s_tmp->parent_subject) {
-+		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
++		s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
 +
 +		if (IS_ERR(s_tmp2))
 +			return s_tmp2;
@@ -53208,7 +53219,7 @@ index 0000000..3d58260
 +			continue;
 +		}
 +
-+		ret = do_copy_user_subj(userp, role);
++		ret = do_copy_user_subj(userp, role, NULL);
 +
 +		err = PTR_ERR(ret);
 +		if (IS_ERR(ret))
@@ -68212,7 +68223,7 @@ index 91c32a0..7b88d63 100644
  		seq_printf(m, "%40s %14lu %29s %pS\n",
  			   name, stats->contending_point[i],
 diff --git a/kernel/module.c b/kernel/module.c
-index 9ad9ee9..de7a157 100644
+index 9ad9ee9..f6e05c2 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -58,6 +58,7 @@
@@ -68393,7 +68404,7 @@ index 9ad9ee9..de7a157 100644
 +
 +	p = strstr(mod->args, "grsec_modharden_fs");
 +	if (p) {
-+		char *endptr = p + strlen("grsec_modharden_fs");
++		char *endptr = p + sizeof("grsec_modharden_fs") - 1;
 +		/* copy \0 as well */
 +		memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
 +		is_fs_load = 1;
@@ -68803,7 +68814,7 @@ index 9ad9ee9..de7a157 100644
 +			err = -EPERM;
 +			goto free_modinfo;
 +		} else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
-+			p += strlen("grsec_modharden_normal");
++			p += sizeof("grsec_modharden_normal") - 1;
 +			p2 = strstr(p, "_");
 +			if (p2) {
 +				*p2 = '\0';
@@ -78672,7 +78683,7 @@ index 5cfb5be..217c6d8 100644
  	if (data_len) {
 diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
 new file mode 100644
-index 0000000..6905327
+index 0000000..c566332
 --- /dev/null
 +++ b/net/netfilter/xt_gradm.c
 @@ -0,0 +1,51 @@
@@ -78711,13 +78722,13 @@ index 0000000..6905327
 +};
 +
 +static int __init gradm_mt_init(void)
-+{       
-+	        return xt_register_match(&gradm_mt_reg);
++{
++	return xt_register_match(&gradm_mt_reg);
 +}
 +
 +static void __exit gradm_mt_exit(void)
-+{       
-+	        xt_unregister_match(&gradm_mt_reg);
++{
++	xt_unregister_match(&gradm_mt_reg);
 +}
 +
 +module_init(gradm_mt_init);

diff --git a/3.6.6/4425-tmpfs-user-namespace.patch b/3.6.6/4425-tmpfs-user-namespace.patch
new file mode 100644
index 0000000..b48d735
--- /dev/null
+++ b/3.6.6/4425-tmpfs-user-namespace.patch
@@ -0,0 +1,28 @@
+Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs
+
+For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we
+need to accept XATTR_USER_PREFIX extended attribute namespace
+as valid.  In Gentoo and other distros that make use of tmpfs
+for their packaging systems, this makes it possible to pax mark
+executables built in tmpfs before being tarred or otherwised
+packaged.
+
+X-Gentoo-Bug: 432434
+X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434
+Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
+---
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 67afba5..697a181 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2208,7 +2208,8 @@ static int shmem_xattr_validate(const char *name)
+ {
+ 	struct { const char *prefix; size_t len; } arr[] = {
+ 		{ XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
+-		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
++		{ XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN },
++		{ XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }
+ 	};
+ 	int i;
+ 

