diff options
author | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2019-09-16 20:04:00 -0700 |
---|---|---|
committer | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2019-09-16 20:04:00 -0700 |
commit | 6a63e990d87f549e676e4a5288aa724ed5819b13 (patch) | |
tree | 9ca35806bbcf0e16663c57c28e0f442745ed8841 | |
parent | pkgrel (diff) | |
download | linux-ck-6a63e990d87f549e676e4a5288aa724ed5819b13.tar.xz |
Updated to 5.2.15
-rw-r--r-- | 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch (renamed from 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch) | 70 | ||||
-rw-r--r-- | 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch | 57 | ||||
-rw-r--r-- | 0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch | 145 | ||||
-rw-r--r-- | PKGBUILD | 35 | ||||
-rw-r--r-- | ck_remove-excess-extraversion.patch | 16 | ||||
-rw-r--r-- | config.x86_64 | 2 |
6 files changed, 67 insertions, 258 deletions
diff --git a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch index e7432e3..276bac8 100644 --- a/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch +++ b/0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch @@ -1,23 +1,48 @@ -From e71668257d1353a7bd428ec90f0871b038db813b Mon Sep 17 00:00:00 2001 -From: Serge Hallyn <serge.hallyn@canonical.com> -Date: Fri, 31 May 2013 19:12:12 +0100 -Subject: [PATCH 1/3] add sysctl to disallow unprivileged CLONE_NEWUSER by - default +From 4548790064d9d658127c85c8e318f0f397c63889 Mon Sep 17 00:00:00 2001 +From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> +Date: Mon, 16 Sep 2019 04:53:20 +0200 +Subject: ZEN: Add sysctl and CONFIG to disallow unprivileged CLONE_NEWUSER -Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> -[bwh: Remove unneeded binary sysctl bits] -Signed-off-by: Daniel Micay <danielmicay@gmail.com> +Our default behavior continues to match the vanilla kernel. --- + init/Kconfig | 16 ++++++++++++++++ kernel/fork.c | 15 +++++++++++++++ kernel/sysctl.c | 12 ++++++++++++ - kernel/user_namespace.c | 3 +++ - 3 files changed, 30 insertions(+) + kernel/user_namespace.c | 7 +++++++ + 4 files changed, 50 insertions(+) +diff --git a/init/Kconfig b/init/Kconfig +index bd7d650d4a99..658f9c052151 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1091,6 +1091,22 @@ config USER_NS + + If unsure, say N. + ++config USER_NS_UNPRIVILEGED ++ bool "Allow unprivileged users to create namespaces" ++ default y ++ depends on USER_NS ++ help ++ When disabled, unprivileged users will not be able to create ++ new namespaces. Allowing users to create their own namespaces ++ has been part of several recent local privilege escalation ++ exploits, so if you need user namespaces but are ++ paranoid^Wsecurity-conscious you want to disable this. ++ ++ This setting can be overridden at runtime via the ++ kernel.unprivileged_userns_clone sysctl. ++ ++ If unsure, say Y. ++ + config PID_NS + bool "PID Namespaces" + default y diff --git a/kernel/fork.c b/kernel/fork.c -index b69248e6f0e0..3b1cd11dc6dc 100644 +index 541fd805fb88..ffd57c812153 100644 --- a/kernel/fork.c +++ b/kernel/fork.c -@@ -104,6 +104,11 @@ +@@ -106,6 +106,11 @@ #define CREATE_TRACE_POINTS #include <trace/events/task.h> @@ -29,7 +54,7 @@ index b69248e6f0e0..3b1cd11dc6dc 100644 /* * Minimum number of threads to boot the kernel -@@ -1695,6 +1700,10 @@ static __latent_entropy struct task_struct *copy_process( +@@ -1788,6 +1793,10 @@ static __latent_entropy struct task_struct *copy_process( if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) return ERR_PTR(-EINVAL); @@ -40,7 +65,7 @@ index b69248e6f0e0..3b1cd11dc6dc 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -2528,6 +2537,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -2819,6 +2828,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -54,10 +79,10 @@ index b69248e6f0e0..3b1cd11dc6dc 100644 if (err) goto bad_unshare_out; diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index ba4d9e85feb8..e88b93a850df 100644 +index 078950d9605b..baead3605bbe 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c -@@ -106,6 +106,9 @@ extern int core_uses_pid; +@@ -110,6 +110,9 @@ extern int core_uses_pid; extern char core_pattern[]; extern unsigned int core_pipe_limit; #endif @@ -67,7 +92,7 @@ index ba4d9e85feb8..e88b93a850df 100644 extern int pid_max; extern int pid_max_min, pid_max_max; extern int percpu_pagelist_fraction; -@@ -515,6 +518,15 @@ static struct ctl_table kern_table[] = { +@@ -545,6 +548,15 @@ static struct ctl_table kern_table[] = { .proc_handler = proc_dointvec, }, #endif @@ -84,19 +109,22 @@ index ba4d9e85feb8..e88b93a850df 100644 { .procname = "tainted", diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 923414a246e9..6b9dbc257e34 100644 +index 8eadadc478f9..c36ecd19562c 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c -@@ -26,6 +26,9 @@ +@@ -21,6 +21,13 @@ #include <linux/bsearch.h> #include <linux/sort.h> +/* sysctl */ ++#ifdef CONFIG_USER_NS_UNPRIVILEGED ++int unprivileged_userns_clone = 1; ++#else +int unprivileged_userns_clone; ++#endif + static struct kmem_cache *user_ns_cachep __read_mostly; static DEFINE_MUTEX(userns_state_mutex); -- -2.21.0 - +cgit v1.2.1-1-g437b diff --git a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch b/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch deleted file mode 100644 index dfa89cc..0000000 --- a/0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b30ec6648774140adcbfc9b0e813ecfd0785f79d Mon Sep 17 00:00:00 2001 -From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com> -Date: Thu, 7 Dec 2017 13:50:48 +0100 -Subject: [PATCH 2/3] ZEN: Add CONFIG for unprivileged_userns_clone - -This way our default behavior continues to match the vanilla kernel. ---- - init/Kconfig | 16 ++++++++++++++++ - kernel/user_namespace.c | 4 ++++ - 2 files changed, 20 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index 4592bf7997c0..f3df02990aff 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1004,6 +1004,22 @@ config USER_NS - - If unsure, say N. - -+config USER_NS_UNPRIVILEGED -+ bool "Allow unprivileged users to create namespaces" -+ default y -+ depends on USER_NS -+ help -+ When disabled, unprivileged users will not be able to create -+ new namespaces. Allowing users to create their own namespaces -+ has been part of several recent local privilege escalation -+ exploits, so if you need user namespaces but are -+ paranoid^Wsecurity-conscious you want to disable this. -+ -+ This setting can be overridden at runtime via the -+ kernel.unprivileged_userns_clone sysctl. -+ -+ If unsure, say Y. -+ - config PID_NS - bool "PID Namespaces" - default y -diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c -index 6b9dbc257e34..107b17f0d528 100644 ---- a/kernel/user_namespace.c -+++ b/kernel/user_namespace.c -@@ -27,7 +27,11 @@ - #include <linux/sort.h> - - /* sysctl */ -+#ifdef CONFIG_USER_NS_UNPRIVILEGED -+int unprivileged_userns_clone = 1; -+#else - int unprivileged_userns_clone; -+#endif - - static struct kmem_cache *user_ns_cachep __read_mostly; - static DEFINE_MUTEX(userns_state_mutex); --- -2.22.0 - diff --git a/0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch b/0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch deleted file mode 100644 index b6d19c3..0000000 --- a/0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch +++ /dev/null @@ -1,145 +0,0 @@ -From 45fc8773f47b7cbe56caab0e14abf26d1e044e63 Mon Sep 17 00:00:00 2001 -From: Filipe Manana <fdmanana@suse.com> -Date: Wed, 11 Sep 2019 17:42:00 +0100 -Subject: Btrfs: fix unwritten extent buffers and hangs on future writeback - attempts - -The lock_extent_buffer_io() returns 1 to the caller to tell it everything -went fine and the callers needs to start writeback for the extent buffer -(submit a bio, etc), 0 to tell the caller everything went fine but it does -not need to start writeback for the extent buffer, and a negative value if -some error happened. - -When it's about to return 1 it tries to lock all pages, and if a try lock -on a page fails, and we didn't flush any existing bio in our "epd", it -calls flush_write_bio(epd) and overwrites the return value of 1 to 0 or -an error. The page might have been locked elsewhere, not with the goal -of starting writeback of the extent buffer, and even by some code other -than btrfs, like page migration for example, so it does not mean the -writeback of the extent buffer was already started by some other task, -so returning a 0 tells the caller (btree_write_cache_pages()) to not -start writeback for the extent buffer. Note that epd might currently have -either no bio, so flush_write_bio() returns 0 (success) or it might have -a bio for another extent buffer with a lower index (logical address). - -Since we return 0 with the EXTENT_BUFFER_WRITEBACK bit set on the -extent buffer and writeback is never started for the extent buffer, -future attempts to writeback the extent buffer will hang forever waiting -on that bit to be cleared, since it can only be cleared after writeback -completes. Such hang is reported with a trace like the following: - - [49887.347053] INFO: task btrfs-transacti:1752 blocked for more than 122 seconds. - [49887.347059] Not tainted 5.2.13-gentoo #2 - [49887.347060] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. - [49887.347062] btrfs-transacti D 0 1752 2 0x80004000 - [49887.347064] Call Trace: - [49887.347069] ? __schedule+0x265/0x830 - [49887.347071] ? bit_wait+0x50/0x50 - [49887.347072] ? bit_wait+0x50/0x50 - [49887.347074] schedule+0x24/0x90 - [49887.347075] io_schedule+0x3c/0x60 - [49887.347077] bit_wait_io+0x8/0x50 - [49887.347079] __wait_on_bit+0x6c/0x80 - [49887.347081] ? __lock_release.isra.29+0x155/0x2d0 - [49887.347083] out_of_line_wait_on_bit+0x7b/0x80 - [49887.347084] ? var_wake_function+0x20/0x20 - [49887.347087] lock_extent_buffer_for_io+0x28c/0x390 - [49887.347089] btree_write_cache_pages+0x18e/0x340 - [49887.347091] do_writepages+0x29/0xb0 - [49887.347093] ? kmem_cache_free+0x132/0x160 - [49887.347095] ? convert_extent_bit+0x544/0x680 - [49887.347097] filemap_fdatawrite_range+0x70/0x90 - [49887.347099] btrfs_write_marked_extents+0x53/0x120 - [49887.347100] btrfs_write_and_wait_transaction.isra.4+0x38/0xa0 - [49887.347102] btrfs_commit_transaction+0x6bb/0x990 - [49887.347103] ? start_transaction+0x33e/0x500 - [49887.347105] transaction_kthread+0x139/0x15c - -So fix this by not overwriting the return value (ret) with the result -from flush_write_bio(). We also need to clear the EXTENT_BUFFER_WRITEBACK -bit in case flush_write_bio() returns an error, otherwise it will hang -any future attempts to writeback the extent buffer, and undo all work -done before (set back EXTENT_BUFFER_DIRTY, etc). - -This is a regression introduced in the 5.2 kernel. - -Fixes: 2e3c25136adfb ("btrfs: extent_io: add proper error handling to lock_extent_buffer_for_io()") -Fixes: f4340622e0226 ("btrfs: extent_io: Move the BUG_ON() in flush_write_bio() one level up") -Reported-by: Zdenek Sojka <zsojka@seznam.cz> -Link: https://lore.kernel.org/linux-btrfs/GpO.2yos.3WGDOLpx6t%7D.1TUDYM@seznam.cz/T/#u -Reported-by: Stefan Priebe - Profihost AG <s.priebe@profihost.ag> -Link: https://lore.kernel.org/linux-btrfs/5c4688ac-10a7-fb07-70e8-c5d31a3fbb38@profihost.ag/T/#t -Reported-by: Drazen Kacar <drazen.kacar@oradian.com> -Link: https://lore.kernel.org/linux-btrfs/DB8PR03MB562876ECE2319B3E579590F799C80@DB8PR03MB5628.eurprd03.prod.outlook.com/ -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204377 -Signed-off-by: Filipe Manana <fdmanana@suse.com> ---- - fs/btrfs/extent_io.c | 35 ++++++++++++++++++++++++++--------- - 1 file changed, 26 insertions(+), 9 deletions(-) - -diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c -index db337e53aab3..93900ff87df7 100644 ---- a/fs/btrfs/extent_io.c -+++ b/fs/btrfs/extent_io.c -@@ -3591,6 +3591,13 @@ void wait_on_extent_buffer_writeback(struct extent_buffer *eb) - TASK_UNINTERRUPTIBLE); - } - -+static void end_extent_buffer_writeback(struct extent_buffer *eb) -+{ -+ clear_bit(EXTENT_BUFFER_WRITEBACK, &eb->bflags); -+ smp_mb__after_atomic(); -+ wake_up_bit(&eb->bflags, EXTENT_BUFFER_WRITEBACK); -+} -+ - /* - * Lock eb pages and flush the bio if we can't the locks - * -@@ -3662,8 +3669,11 @@ static noinline_for_stack int lock_extent_buffer_for_io(struct extent_buffer *eb - - if (!trylock_page(p)) { - if (!flush) { -- ret = flush_write_bio(epd); -- if (ret < 0) { -+ int err; -+ -+ err = flush_write_bio(epd); -+ if (err < 0) { -+ ret = err; - failed_page_nr = i; - goto err_unlock; - } -@@ -3678,16 +3688,23 @@ err_unlock: - /* Unlock already locked pages */ - for (i = 0; i < failed_page_nr; i++) - unlock_page(eb->pages[i]); -+ /* -+ * Clear EXTENT_BUFFER_WRITEBACK and wake up anyone waiting on it. -+ * Also set back EXTENT_BUFFER_DIRTY so future attempts to this eb can -+ * be made and undo everything done before. -+ */ -+ btrfs_tree_lock(eb); -+ spin_lock(&eb->refs_lock); -+ set_bit(EXTENT_BUFFER_DIRTY, &eb->bflags); -+ end_extent_buffer_writeback(eb); -+ spin_unlock(&eb->refs_lock); -+ percpu_counter_add_batch(&fs_info->dirty_metadata_bytes, eb->len, -+ fs_info->dirty_metadata_batch); -+ btrfs_clear_header_flag(eb, BTRFS_HEADER_FLAG_WRITTEN); -+ btrfs_tree_unlock(eb); - return ret; - } - --static void end_extent_buffer_writeback(struct extent_buffer *eb) --{ -- clear_bit(EXTENT_BUFFER_WRITEBACK, &eb->bflags); -- smp_mb__after_atomic(); -- wake_up_bit(&eb->bflags, EXTENT_BUFFER_WRITEBACK); --} -- - static void set_btree_ioerr(struct page *page) - { - struct extent_buffer *eb = (struct extent_buffer *)page->private; --- -cgit v1.2.1-1-g437b - @@ -18,7 +18,7 @@ pkgbase=linux-ck _majver=5.2 -_minver=14 +_minver=15 if [ "$_minver" == "0" ]; then pkgver=${_majver} else @@ -28,7 +28,7 @@ _ckpatchversion=ck1 _ckpatch="patch-${_majver}-${_ckpatchversion}" _gccpatchver='20190822' _srcname=linux-${pkgver} -pkgrel=2 +pkgrel=1 url='https://kernel.org' #url='http://ck.kolivas.org/patches/' arch=('x86_64') @@ -40,10 +40,7 @@ conflicts=('linux-libre') options=('!strip') source=( https://www.kernel.org/pub/linux/kernel/v5.x/linux-$pkgver.tar.{xz,sign} - 0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - 0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch - 0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch - ck_remove-excess-extraversion.patch + 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch linux-ck-patch-${_majver}-${_ckpatchversion}.xz::http://ck.kolivas.org/patches/5.0/${_majver}/${_majver}-${_ckpatchversion}/${_ckpatch}.xz graysky_bdver2-hotfix.patch kernel_gcc_patch-${_gccpatchver}.tar.gz::https://github.com/graysky2/kernel_gcc_patch/archive/${_gccpatchver}.tar.gz @@ -54,18 +51,15 @@ source=( 90-linux.hook # pacman hook for initramfs regeneration linux.preset # standard config files for mkinitcpio ramdisk ) -sha256sums=('c64d36477fee6a864a734ec417407768e60040a13f144c33208fa9622fd0ce8c' +sha256sums=('eb561009da8106b463b1e1a16ab0f75cdef564784f49177148f5f92c32380c4a' 'SKIP' - '91fafa76bf9cb32159ac7f22191b3589278b91e65bc4505cf2fc6013b8037bf3' - '63e4378e69e2f23ed87af32a4951477a6d82d4ac0de2295db46502c8120da9d9' - '940719452e133a7350dd5efea974190af07eb365a6a60d117b76efca4ca53e7a' - '152c551bd03e92d6458b0d9f352c97eb058014ab019fa213167a6f8178bd6d71' + 'e862ecd2cb0b20e1859ec3e47616457a9a3acb111cd5a86094f9ed1dbd7f42ac' 'f1abc13a8d859fbf6350040e45d7f04ad551a6d39f113ba96fbbd820118c0e36' 'c5405139aa0a90a6f68f6a13e066a2bd0600c970f9f525cd3aa114b044a7f73b' '8c11086809864b5cef7d079f930bd40da8d0869c091965fa62e95de9a0fe13b5' 'e7ebf050c22bcec0028c0b3c79fd6d3913b0370ecc6a23dfe78ce475630cf503' '0f81d6e4158b7beeb0eb514f1b9401f7e23699cb0f7b0d513e25dae1815daaeb' - '8f2974e3c204c6a7c0a64e1048ec56cb8aebb65d6383453008dfe8e3049e177e' + 'eb5aa60f85a2fbf62cff64215bc819913e160e48b39d0a03f72542db5d4d33ad' 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21' '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919' 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65') @@ -85,16 +79,14 @@ prepare() { # patch -Np1 < ../patch-${_majver}-${_pkgver} # fi + # Hotfixes msg2 "Applying hotfixes" - patch -p1 -i ../0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch - patch -p1 -i ../0002-ZEN-Add-CONFIG-for-unprivileged_userns_clone.patch - patch -p1 -i ../0003-Btrfs-fix-unwritten-extent-buffers-and-hangs-on-future-writeback-attempts.patch + patch -p1 -i ../0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-CLONE_NEWUSER.patch - # ck hotfixes - msg2 "Applying ck patch hotfixes" - patch -p1 -i ../ck_remove-excess-extraversion.patch "$srcdir/linux-ck-patch-5.2-ck1" + # fix naming schema in EXTRAVERSION of ck patch set + sed -i -re "s/^(.EXTRAVERSION).*$/\1 = /" "../linux-ck-patch-${_majver}-${_ckpatchversion}" # ck patch msg2 "Applying ck patch" @@ -133,6 +125,13 @@ prepare() { cp ../config.x86_64 .config fi + # https://bbs.archlinux.org/viewtopic.php?pid=1824594#p1824594 + sed -i -e 's/# CONFIG_PSI_DEFAULT_DISABLED is not set/CONFIG_PSI_DEFAULT_DISABLED=y/' ./.config + + # https://bbs.archlinux.org/viewtopic.php?pid=1863567#p1863567 + sed -i -e 's/CONFIG_LATENCYTOP=y/# CONFIG_LATENCYTOP is not set/' \ + -i -e 's/CONFIG_SCHED_DEBUG=y/# CONFIG_SCHED_DEBUG is not set/' ./.config + make olddefconfig make menuconfig diff --git a/ck_remove-excess-extraversion.patch b/ck_remove-excess-extraversion.patch deleted file mode 100644 index a923f71..0000000 --- a/ck_remove-excess-extraversion.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/linux-ck-patch-5.2-ck1 -+++ b/linux-ck-patch-5.2-ck1 -@@ -833,13 +833,0 @@ ----- a/Makefile --+++ b/Makefile --@@ -15,6 +15,10 @@ NAME = Bobtail Squid -- PHONY := _all -- _all: -- --+CKVERSION = -ck1 --+CKNAME = MuQSS Powered --+EXTRAVERSION := $(EXTRAVERSION)$(CKVERSION) --+ -- # We are using a recursive build, so we need to do a little thinking -- # to get the ordering right. -- # diff --git a/config.x86_64 b/config.x86_64 index abec627..0f36f7d 100644 --- a/config.x86_64 +++ b/config.x86_64 @@ -114,7 +114,7 @@ CONFIG_TASK_DELAY_ACCT=y CONFIG_TASK_XACCT=y CONFIG_TASK_IO_ACCOUNTING=y CONFIG_PSI=y -CONFIG_PSI_DEFAULT_DISABLED=y +# CONFIG_PSI_DEFAULT_DISABLED is not set # end of CPU/Task time and stats accounting CONFIG_CPU_ISOLATION=y |