Date: Sunday, July 27, 2014 @ 09:35:11 Author: thestinger Revision: 116408
upgpkg: linux-grsec 3.15.6.201407232200-2 * increase CONFIG_PAX_KERNEXEC_MODULE_TEXT to 12M for the i686 kernel * enable CONFIG_PAX_MEMORY_UDEREF for the x86_64 kernel + add warning Modified: linux-grsec/trunk/PKGBUILD linux-grsec/trunk/config linux-grsec/trunk/config.x86_64 linux-grsec/trunk/linux-grsec.install ---------------------+ PKGBUILD | 6 ++--- config | 4 +-- config.x86_64 | 53 ++++++-------------------------------------------- linux-grsec.install | 16 +++++++++++++++ 4 files changed, 28 insertions(+), 51 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-07-27 03:41:52 UTC (rev 116407)
+++ PKGBUILD 2014-07-27 07:35:11 UTC (rev 116408)
@@ -11,7 +11,7 @@
 _timestamp=201407232200
 _grsec_patch="grsecurity-$_grsecver-$_pkgver-$_timestamp.patch"
 pkgver=$_pkgver.$_timestamp
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url=https://grsecurity.net/
 license=('GPL2')
@@ -33,8 +33,8 @@
 'f2a15b142cd332c57e71ca06097c1fd159fa0d0709389b9fc10b7f78c48f741b'
 '90c7a7d4666ae4807eb45b766f73e649e4fcf9fdcb983b710fe33e3f80f7b546'
 'SKIP'
-'4df3ada4372716916ef6007fb87dd086ef26cc5d5fb6f6194576735a6b0235d8'
-'7738242314babeed7b633d6115bab438701c84bd336bf2aee1486c852998c1c2'
+'e453e2c7f5d3f52032b310a5475932378aea378e9291f84fe0258d64da2a1a1b'
+'f77adc49d47a754fbe0fcf9384642f436e569d59aa26c1cfbb85cce0bb8361ae'
 'ca7e718375b3790888756cc0a64a7500cd57dddb9bf7e10a0df22c860d91f74d'
 'faced4eb4c47c4eb1a9ee8a5bf8a7c4b49d6b4d78efbe426e410730e6267d182'
 '937dc895b4f5948381775a75bd198ed2f157a9f356da0ab5a5006f9f1dacde5c'
Modified: config
===================================================================
--- config 2014-07-27 03:41:52 UTC (rev 116407)
+++ config 2014-07-27 07:35:11 UTC (rev 116408)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -6509,7 +6509,7 @@
 # CONFIG_PAX_ELFRELOCS is not set
 CONFIG_PAX_KERNEXEC=y
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
-CONFIG_PAX_KERNEXEC_MODULE_TEXT=4
+CONFIG_PAX_KERNEXEC_MODULE_TEXT=12
 
 #
 # Address Space Layout Randomization
Modified: config.x86_64
===================================================================
--- config.x86_64 2014-07-27 03:41:52 UTC (rev 116407)
+++ config.x86_64 2014-07-27 07:35:11 UTC (rev 116408)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 3.15.5.201407170639-2 Kernel Configuration
+# Linux/x86 3.15.6.201407232200-2 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -357,13 +357,7 @@
 CONFIG_PARAVIRT=y
 # CONFIG_PARAVIRT_DEBUG is not set
 # CONFIG_PARAVIRT_SPINLOCKS is not set
-CONFIG_XEN=y
-CONFIG_XEN_DOM0=y
-CONFIG_XEN_PVHVM=y
-CONFIG_XEN_MAX_DOMAIN_MEMORY=500
-CONFIG_XEN_SAVE_RESTORE=y
-# CONFIG_XEN_DEBUG_FS is not set
-CONFIG_XEN_PVH=y
+# CONFIG_XEN is not set
 CONFIG_KVM_GUEST=y
 # CONFIG_KVM_DEBUG_FS is not set
 CONFIG_PARAVIRT_TIME_ACCOUNTING=y
@@ -521,7 +515,6 @@
 #
 CONFIG_SUSPEND=y
 CONFIG_SUSPEND_FREEZER=y
-CONFIG_HIBERNATE_CALLBACKS=y
 CONFIG_PM_SLEEP=y
 CONFIG_PM_SLEEP_SMP=y
 CONFIG_PM_AUTOSLEEP=y
@@ -632,7 +625,6 @@
 CONFIG_PCI=y
 CONFIG_PCI_DIRECT=y
 CONFIG_PCI_MMCONFIG=y
-CONFIG_PCI_XEN=y
 CONFIG_PCI_DOMAINS=y
 CONFIG_PCIEPORTBUS=y
 CONFIG_HOTPLUG_PCI_PCIE=y
@@ -649,7 +641,6 @@
 # CONFIG_PCI_DEBUG is not set
 CONFIG_PCI_REALLOC_ENABLE_AUTO=y
 CONFIG_PCI_STUB=m
-CONFIG_XEN_PCIDEV_FRONTEND=m
 CONFIG_HT_IRQ=y
 CONFIG_PCI_ATS=y
 CONFIG_PCI_IOV=y
@@ -1475,7 +1466,7 @@
 CONFIG_FW_LOADER_USER_HELPER=y
 # CONFIG_DEBUG_DRIVER is not set
 # CONFIG_DEBUG_DEVRES is not set
-CONFIG_SYS_HYPERVISOR=y
+# CONFIG_SYS_HYPERVISOR is not set
 # CONFIG_GENERIC_CPU_DEVICES is not set
 CONFIG_GENERIC_CPU_AUTOPROBE=y
 CONFIG_REGMAP=y
@@ -1662,8 +1653,6 @@
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_BLK_DEV_HD is not set
 CONFIG_BLK_DEV_RBD=m
@@ -2673,8 +2662,6 @@
 CONFIG_IEEE802154_FAKELB=m
 CONFIG_IEEE802154_AT86RF230=m
 # CONFIG_IEEE802154_MRF24J40 is not set
-CONFIG_XEN_NETDEV_FRONTEND=m
-CONFIG_XEN_NETDEV_BACKEND=m
 CONFIG_VMXNET3=m
 CONFIG_HYPERV_NET=m
 CONFIG_ISDN=y
@@ -3110,9 +3097,6 @@
 # CONFIG_LP_CONSOLE is not set
 CONFIG_PPDEV=m
 CONFIG_HVC_DRIVER=y
-CONFIG_HVC_IRQ=y
-CONFIG_HVC_XEN=y
-CONFIG_HVC_XEN_FRONTEND=y
 CONFIG_VIRTIO_CONSOLE=m
 CONFIG_IPMI_HANDLER=m
 # CONFIG_IPMI_PANIC_EVENT is not set
@@ -3157,7 +3141,6 @@
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_ST33_I2C=m
-CONFIG_TCG_XEN=m
 CONFIG_TELCLOCK=m
 CONFIG_I2C=m
 CONFIG_I2C_BOARDINFO=y
@@ -3604,7 +3587,6 @@
 CONFIG_MACHZ_WDT=m
 CONFIG_SBC_EPX_C3_WATCHDOG=m
 CONFIG_MEN_A21_WDT=m
-CONFIG_XEN_WDT=m
 
 #
 # PCI-based Watchdog Cards
@@ -4435,7 +4417,6 @@
 CONFIG_FB_UDL=m
 # CONFIG_FB_GOLDFISH is not set
 CONFIG_FB_VIRTUAL=m
-CONFIG_XEN_FBDEV_FRONTEND=m
 # CONFIG_FB_METRONOME is not set
 # CONFIG_FB_MB862XX is not set
 # CONFIG_FB_BROADSHEET is not set
@@ -5333,29 +5314,6 @@
 CONFIG_HYPERV=m
 CONFIG_HYPERV_UTILS=m
 CONFIG_HYPERV_BALLOON=m
-
-#
-# Xen driver support
-#
-CONFIG_XEN_BALLOON=y
-# CONFIG_XEN_SELFBALLOONING is not set
-CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y
-CONFIG_XEN_SCRUB_PAGES=y
-CONFIG_XEN_DEV_EVTCHN=m
-CONFIG_XEN_BACKEND=y
-CONFIG_XENFS=m
-CONFIG_XEN_COMPAT_XENFS=y
-CONFIG_XEN_SYS_HYPERVISOR=y
-CONFIG_XEN_XENBUS_FRONTEND=y
-CONFIG_XEN_GNTDEV=m
-CONFIG_XEN_GRANT_DEV_ALLOC=m
-CONFIG_SWIOTLB_XEN=y
-CONFIG_XEN_TMEM=m
-CONFIG_XEN_PCIDEV_BACKEND=m
-CONFIG_XEN_PRIVCMD=m
-CONFIG_XEN_ACPI_PROCESSOR=m
-# CONFIG_XEN_MCE_LOG is not set
-CONFIG_XEN_HAVE_PVMMU=y
 CONFIG_STAGING=y
 CONFIG_ET131X=m
 CONFIG_SLICOSS=m
@@ -6241,7 +6199,8 @@
 #
 # Grsecurity
 #
-CONFIG_TASK_SIZE_MAX_SHIFT=47
+CONFIG_PAX_PER_CPU_PGD=y
+CONFIG_TASK_SIZE_MAX_SHIFT=42
 CONFIG_PAX_USERCOPY_SLABS=y
 CONFIG_GRKERNSEC=y
 # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
@@ -6278,6 +6237,7 @@
 CONFIG_PAX_MPROTECT=y
 # CONFIG_PAX_MPROTECT_COMPAT is not set
 # CONFIG_PAX_ELFRELOCS is not set
+# CONFIG_PAX_KERNEXEC is not set
 CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
 
 #
@@ -6294,6 +6254,7 @@
 CONFIG_PAX_MEMORY_SANITIZE=y
 CONFIG_PAX_MEMORY_STACKLEAK=y
 CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
 CONFIG_PAX_REFCOUNT=y
 CONFIG_PAX_USERCOPY=y
 # CONFIG_PAX_USERCOPY_DEBUG is not set
Modified: linux-grsec.install
===================================================================
--- linux-grsec.install 2014-07-27 03:41:52 UTC (rev 116407)
+++ linux-grsec.install 2014-07-27 07:35:11 UTC (rev 116408)
@@ -4,6 +4,17 @@
 KERNEL_NAME=-grsec
 KERNEL_VERSION=3.13.10-1-grsec
 
+_uderef_warning() {
+ if [[ $(uname -m) = x86_64 ]]; then
+ cat <<EOF
+CONFIG_PAX_MEMORY_UDEREF is now enabled on x86_64 and can be disabled by
+passing \`pax_nouderef\` on the kernel line. UDEREF's PCID support on Sandy
+Bridge and later is known to have issues with recent kernel versions and can be
+disabled by passing \`nopcid\` to use the legacy implementation.
+EOF
+ fi
+}
+
 _add_groups() {
 if getent group tpe-trusted >/dev/null; then
 groupmod -g 200 -n tpe tpe-trusted
@@ -52,6 +63,7 @@
 mkinitcpio -p linux${KERNEL_NAME}
 
 _add_groups
+ _uderef_warning
 }
 
 post_upgrade() {
@@ -76,6 +88,10 @@
 fi
 
 _add_groups
+
+ if [[ $(vercmp $2 3.15.6.201407232200-2) -lt 0 ]]; then
+ _uderef_warning
+ fi
 }
 
 post_remove() {
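Review bot: The `# CONFIG_PAX_KERNEXEC is not set` line added in the @@ -6278 hunk leaves KERNEXEC disabled on x86_64 at the moment the option appears to have become selectable (it had no line at all in the old config), so the x86_64 kernel ships without the kernel-text/rodata enforcement that the i686 `config` keeps with `CONFIG_PAX_KERNEXEC=y`, while the commit message speaks only of enabling UDEREF. The option presumably surfaced because the same commit drops `CONFIG_XEN` and the entire Xen driver block (the @@ -357 and @@ -5333 hunks plus the frontend/backend lines between them), which the message also does not mention; Xen dom0 and PV-guest users lose that support silently on upgrade. These files carry the `DO NOT EDIT` header, so the fix belongs in the commit message and package notes rather than the hunk: something like `* x86_64: drop Xen support (blocks UDEREF/KERNEXEC); KERNEXEC stays disabled for now` with the actual reason, and a one-line mention in the install warning that Xen is no longer supported by this package's x86_64 kernel. If KERNEXEC on x86_64 is deliberately deferred, stating whether it is planned saves the next maintainer from re-deriving the dependency chain from the generated config.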
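Review bot: `$2` in `vercmp $2 3.15.6.201407232200-2` (the @@ -76 hunk) is unquoted; pacman does pass a version string there, but quoting it as `vercmp "$2" 3.15.6.201407232200-2` keeps the test well-formed if the argument is ever empty, and `post_upgrade` itself begins before this hunk. In `_uderef_warning`, `uname -m` reports the running kernel's machine type rather than the architecture of the package being installed, so an i686 package installed from a 64-bit live system or chroot would presumably print the x86_64 notice and a 64-bit package installed under a 32-bit kernel would stay silent. Since the install script has no package-arch variable to test instead, a comment above the check such as `# uname -m reflects the host kernel, not the package arch; notice may be off in chroots` records the limitation for whoever next touches the notice.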