author | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2018-02-06 18:15:42 -0800 |
committer | jc_gargma <jc_gargma@iserlohn-fortress.net> | 2018-02-06 18:15:42 -0800 |
commit | 4c1f1ed13b794b7826421933cb5a933368e35736 (patch) | |
tree | 278ba823b64a1876efdd8fc0177553a71355705a | |
parent | Updated to 4.14.15 (diff) | |
Updated to 4.14.17.a
-rw-r--r-- | CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch | 78 | ||||
-rw-r--r-- | CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch | 60 | ||||
-rw-r--r-- | PKGBUILD | 16 | ||||
-rw-r--r-- | config.x86_64 | 2 |
4 files changed, 7 insertions, 149 deletions
diff --git a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch b/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
deleted file mode 100644
index 60ead71..0000000
--- a/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Sun, 3 Dec 2017 12:12:45 -0800
-Subject: [PATCH] netfilter: nfnetlink_cthelper: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, nfnl_cthelper_list is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- $ nfct helper list
- nfct v1.4.4: netlink error: Operation not permitted
- $ vpnns -- nfct helper list
- {
- .name = ftp,
- .queuenum = 0,
- .l3protonum = 2,
- .l4protonum = 6,
- .priv_data_len = 24,
- .status = enabled,
- };
-
-Add capable() checks in nfnetlink_cthelper, as this is cleaner than
-trying to generalize the solution.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
-index 41628b393673..d33ce6d5ebce 100644
---- a/net/netfilter/nfnetlink_cthelper.c
-+++ b/net/netfilter/nfnetlink_cthelper.c
-@@ -17,6 +17,7 @@
- #include <linux/types.h>
- #include <linux/list.h>
- #include <linux/errno.h>
-+#include <linux/capability.h>
- #include <net/netlink.h>
- #include <net/sock.h>
-
-@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- int ret = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
- return -EINVAL;
-
-@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth;
- bool tuple_set = false;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (nlh->nlmsg_flags & NLM_F_DUMP) {
- struct netlink_dump_control c = {
- .dump = nfnl_cthelper_dump_table,
-@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
- struct nfnl_cthelper *nlcth, *n;
- int j = 0, ret;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (tb[NFCTH_NAME])
- helper_name = nla_data(tb[NFCTH_NAME]);
-
---
-2.15.1
-
diff --git a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch b/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
deleted file mode 100644
index 992c336..0000000
--- a/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@chromium.org>
-Date: Tue, 5 Dec 2017 15:42:41 -0800
-Subject: [PATCH] netfilter: xt_osf: Add missing permission checks
-
-The capability check in nfnetlink_rcv() verifies that the caller
-has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
-However, xt_osf_fingers is shared by all net namespaces on the
-system. An unprivileged user can create user and net namespaces
-in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
-check:
-
- vpnns -- nfnl_osf -f /tmp/pf.os
-
- vpnns -- nfnl_osf -f /tmp/pf.os -d
-
-These non-root operations successfully modify the systemwide OS
-fingerprint list. Add new capable() checks so that they can't.
-
-Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
----
- net/netfilter/xt_osf.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
-index 36e14b1f061d..a34f314a8c23 100644
---- a/net/netfilter/xt_osf.c
-+++ b/net/netfilter/xt_osf.c
-@@ -19,6 +19,7 @@
- #include <linux/module.h>
- #include <linux/kernel.h>
-
-+#include <linux/capability.h>
- #include <linux/if.h>
- #include <linux/inetdevice.h>
- #include <linux/ip.h>
-@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *kf = NULL, *sf;
- int err = 0;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
-@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
- struct xt_osf_finger *sf;
- int err = -ENOENT;
-
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
- if (!osf_attrs[OSF_ATTR_FINGER])
- return -EINVAL;
-
---
-2.15.1
-
@@ -5,7 +5,7 @@ pkgbase=linux-libre-hardened
 _majver=4.14
-_minver=15
+_minver=17
 _fullver=${_majver}.${_minver}
 _basever=${_majver}-gnu
 _pkgver=${_fullver}-gnu
@@ -32,24 +32,20 @@ source=(https://linux-libre.fsfla.org/pub/linux-libre/releases/${_basever}/linux
 drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch
 CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch
- CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch
- CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch
 )
 sha256sums=('70f0098d823472402619a053211532423d15bfef628de7f49616014c81658278'
 'SKIP'
- '49fe7fff699ec3301b346eedf36fb7cb7999103a2a71e7e18992718a2243958b'
+ 'a7569d770004cefbcf98d6d70ce3c9012463d13491dd8678391bdb97faafb790'
 'SKIP'
- 'a9058fbc7ece8cc1920bc3659201c69ecd078de7b87e19a9977e66d9acd007ee'
+ '77b6c3188a029d3a03164b2ca75bcd9781ea8a32b1e021114667e4a39c1b4bd1'
 'SKIP'
- '4ed436afcc0f707c1c827f720f5ed90f609593fb1a73f8d7fae2413020cc43e1'
+ '50184a1ffa47bf180952175968d22c0153ba2e916f55563858c2614e1f249213'
 'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
 '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
 'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
 '294c928b8252112d621df1d13fbfeade13f28ddea034d44e89db41b66d2b7d45'
 'c08d12c699398ef88b764be1837b9ee11f2efd3188bd1bf4e8f85dfbeee58148'
- '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9'
- 'b833ad4354fcd2cc6ee60c971088f77aa5b06a58fce346c40268c0b05b1e8cb5'
- '72efa781c8ee1175a8865e6a12568aaf3bac4b76d4285819c6a75a3e5fe41435')
+ '6be803c62b7ce41f1b4de6c867715398812b1c1a3e68a0078512f2872e2a3fa9')
 validpgpkeys=(
 '474402C8C582DAFBE389C427BCB7CF877E7D47A7' # Alexandre Oliva
 '65EEFE022108E2B708CBFCF7F9E712E59AF5F22A' # Daniel Micay
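Review bot: Dropping the CVE-2017-17448 and CVE-2017-17450 patches from `source=()` and `sha256sums=()` here (and from `prepare()` in the next hunk) is only safe if the 4.14.17 tarball already carries the upstream `capable(CAP_NET_ADMIN)` checks, and neither this hunk nor the commit message "Updated to 4.14.17.a" records that. A line in the commit message naming the upstream commits that supersede them (`4b380c42f7d0` and `916a27901de0`, both visible in the headers of the deleted patch files) would make the removal auditable for anyone later asking whether this package ever shipped without the fix. Before dropping them it is also worth confirming in the unpacked source that the checks are present, e.g. `grep -n 'capable(CAP_NET_ADMIN)' net/netfilter/nfnetlink_cthelper.c net/netfilter/xt_osf.c`. The `diff --git a/PKGBUILD` file header for these hunks is not shown on this page, so the file attribution is inferred from the hunk content.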
@@ -67,8 +63,6 @@ prepare() {
 # Hotfixes
 patch -p1 -i "${srcdir}/CVE-2017-8824-dccp-use-after-free-in-DCCP-code.patch"
- patch -p1 -i "${srcdir}/CVE-2017-17448-netfilter-nfnetlink_cthelper-Add-missing-permission-checks.patch"
- patch -p1 -i "${srcdir}/CVE-2017-17450-netfilter-xt_osf-Add-missing-permission-checks.patch"
 patch -p1 -i "${srcdir}/drm-i915-edp-Only-use-the-alternate-fixed-mode-if-its-asked-for.patch"
 patch -p1 -i "${srcdir}/xfrm-Fix-stack-out-of-bounds-read-on-socket-policy-lookup.patch"
diff --git a/config.x86_64 b/config.x86_64
index 8b3eb9b..cf98540 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -197,6 +197,7 @@ CONFIG_RD_LZO=y
 CONFIG_RD_LZ4=y
 CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
+# CONFIG_LOCAL_SANITIZE is not set
 CONFIG_SYSCTL=y
 CONFIG_ANON_INODES=y
 CONFIG_HAVE_UID16=y
@@ -227,6 +228,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y |
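Review bot: `CONFIG_BPF_JIT_ALWAYS_ON=y` in the second config.x86_64 hunk depends on `CONFIG_BPF_JIT=y` in Kconfig, and the hunk shows only `CONFIG_BPF_SYSCALL=y` around it; if `BPF_JIT` is not enabled elsewhere in config.x86_64, the kernel's config step silently drops the new symbol and the BPF interpreter this option is meant to remove stays compiled in, so the hardening the line appears to add is not actually applied. Worth verifying the generated `.config` after the build, e.g. `grep -E '^CONFIG_BPF_JIT(_ALWAYS_ON)?=' .config`, rather than trusting the checked-in file. The new `# CONFIG_LOCAL_SANITIZE is not set` line in the first hunk is presumably a symbol from the hardened patch set rather than mainline; a sentence in the commit message on why it is left disabled would help later readers, since the config file itself is rewritten by kconfig. The `prepare()` hunk at the top of this line shares the point raised on the preceding PKGBUILD hunks.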