5.14.8-1 (clr 5.14.8-1078)

This commit is contained in:
Josip Ponjavic 2021-09-29 01:47:47 +02:00
parent 4d8b9e0540
commit d38aabde65
4 changed files with 25 additions and 372 deletions

View file

@ -1,6 +1,6 @@
pkgbase = linux-clear pkgbase = linux-clear
pkgdesc = Clear Linux pkgdesc = Clear Linux
pkgver = 5.13.19 pkgver = 5.14.8
pkgrel = 1 pkgrel = 1
url = https://github.com/clearlinux-pkgs/linux url = https://github.com/clearlinux-pkgs/linux
arch = x86_64 arch = x86_64
@ -12,22 +12,22 @@ pkgbase = linux-clear
makedepends = libelf makedepends = libelf
makedepends = xmlto makedepends = xmlto
options = !strip options = !strip
source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.xz source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.xz
source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.13.tar.sign source = https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.14.tar.sign
source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.13.19.xz source = https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-5.14.8.xz
source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.13.17-1074 source = clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=5.14.8-1078
source = more-uarches-20210818.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210818.tar.gz source = more-uarches-20210914.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/20210914.tar.gz
source = pci-enable-overrides-for-missing-acs-capabilities.patch source = 0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch
source = 0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch source = 0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch
validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886 validpgpkeys = ABAF11C65A2970B130ABE3C479BE3E4300411886
validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E validpgpkeys = 647F28654894E3BD457199BE38DBBDC86092693E
sha256sums = 3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9 sha256sums = 7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2
sha256sums = SKIP sha256sums = SKIP
sha256sums = 6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71 sha256sums = 3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9
sha256sums = SKIP sha256sums = SKIP
sha256sums = d361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf sha256sums = b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611
sha256sums = 2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e sha256sums = 1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd
sha256sums = 34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba sha256sums = ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28
pkgname = linux-clear pkgname = linux-clear
pkgdesc = The Clear Linux kernel and modules pkgdesc = The Clear Linux kernel and modules

View file

@ -1,154 +0,0 @@
From a0a84528e06b99d83046fd16d2fa132c8d20a46c Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <jan.steffens@gmail.com>
Date: Mon, 16 Sep 2019 04:53:20 +0200
Subject: [PATCH] ZEN: Add sysctl and CONFIG to disallow unprivileged
CLONE_NEWUSER
Our default behavior continues to match the vanilla kernel.
---
include/linux/user_namespace.h | 4 ++++
init/Kconfig | 16 ++++++++++++++++
kernel/fork.c | 14 ++++++++++++++
kernel/sysctl.c | 12 ++++++++++++
kernel/user_namespace.c | 7 +++++++
5 files changed, 53 insertions(+)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 1d08dbbcf..180da8f71 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -112,6 +112,8 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
{
if (ns)
@@ -145,6 +147,8 @@ extern bool current_in_userns(const struct user_namespace *target_ns);
struct ns_common *ns_get_owner(struct ns_common *ns);
#else
+#define unprivileged_userns_clone 0
+
static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
{
return &init_user_ns;
diff --git a/init/Kconfig b/init/Kconfig
index a61c92066..6a2920f2e 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1195,6 +1195,22 @@ config USER_NS
If unsure, say N.
+config USER_NS_UNPRIVILEGED
+ bool "Allow unprivileged users to create namespaces"
+ default y
+ depends on USER_NS
+ help
+ When disabled, unprivileged users will not be able to create
+ new namespaces. Allowing users to create their own namespaces
+ has been part of several recent local privilege escalation
+ exploits, so if you need user namespaces but are
+ paranoid^Wsecurity-conscious you want to disable this.
+
+ This setting can be overridden at runtime via the
+ kernel.unprivileged_userns_clone sysctl.
+
+ If unsure, say Y.
+
config PID_NS
bool "PID Namespaces"
default y
diff --git a/kernel/fork.c b/kernel/fork.c
index a070caed5..03baafd70 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -98,6 +98,10 @@
#include <linux/io_uring.h>
#include <linux/bpf.h>
+#ifdef CONFIG_USER_NS
+#include <linux/user_namespace.h>
+#endif
+
#include <asm/pgalloc.h>
#include <linux/uaccess.h>
#include <asm/mmu_context.h>
@@ -1871,6 +1875,10 @@ static __latent_entropy struct task_struct *copy_process(
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -2973,6 +2981,12 @@ int ksys_unshare(unsigned long unshare_flags)
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
+
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index d4a78e08f..0260dfe2d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -103,6 +103,9 @@
#ifdef CONFIG_LOCKUP_DETECTOR
#include <linux/nmi.h>
#endif
+#ifdef CONFIG_USER_NS
+#include <linux/user_namespace.h>
+#endif
#if defined(CONFIG_SYSCTL)
@@ -1896,6 +1899,15 @@ static struct ctl_table kern_table[] = {
.proc_handler = proc_dointvec,
},
#endif
+#ifdef CONFIG_USER_NS
+ {
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
+#endif
#ifdef CONFIG_PROC_SYSCTL
{
.procname = "tainted",
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 8d6286372..5ca391b2b 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -21,6 +21,13 @@
#include <linux/bsearch.h>
#include <linux/sort.h>
+/* sysctl */
+#ifdef CONFIG_USER_NS_UNPRIVILEGED
+int unprivileged_userns_clone = 1;
+#else
+int unprivileged_userns_clone;
+#endif
+
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
--
2.32.0.93.g670b81a890

View file

@ -73,10 +73,10 @@ _use_current=
### IMPORTANT: Do no edit below this line unless you know what you're doing ### IMPORTANT: Do no edit below this line unless you know what you're doing
_major=5.13 _major=5.14
_minor=19 _minor=8
_srcname=linux-${_major} _srcname=linux-${_major}
_clr=${_major}.17-1074 _clr=${_major}.8-1078
pkgbase=linux-clear pkgbase=linux-clear
pkgver=${_major}.${_minor} pkgver=${_major}.${_minor}
pkgrel=1 pkgrel=1
@ -86,15 +86,15 @@ url="https://github.com/clearlinux-pkgs/linux"
license=('GPL2') license=('GPL2')
makedepends=('bc' 'cpio' 'git' 'kmod' 'libelf' 'xmlto') makedepends=('bc' 'cpio' 'git' 'kmod' 'libelf' 'xmlto')
options=('!strip') options=('!strip')
_gcc_more_v='20210818' _gcc_more_v='20210914'
source=( source=(
"https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.xz" "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.xz"
"https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.sign" "https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-${_major}.tar.sign"
"https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-${pkgver}.xz" "https://cdn.kernel.org/pub/linux/kernel/v5.x/patch-${pkgver}.xz"
"clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=${_clr}" "clearlinux::git+https://github.com/clearlinux-pkgs/linux.git#tag=${_clr}"
"more-uarches-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/$_gcc_more_v.tar.gz" "more-uarches-$_gcc_more_v.tar.gz::https://github.com/graysky2/kernel_compiler_patch/archive/$_gcc_more_v.tar.gz"
'pci-enable-overrides-for-missing-acs-capabilities.patch' "0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/pci_acso/0001-pci-Enable-overrides-for-missing-ACS-capabilities.patch"
'0001-ZEN-Add-sysctl-and-CONFIG-to-disallow-unprivileged-C.patch' "0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch::https://raw.githubusercontent.com/xanmod/linux-patches/e2d48df5def86f498766b22e836a9c2f1bcb3809/linux-5.14.y-xanmod/userns/0001-sysctl-add-sysctl-to-disallow-unprivileged-CLONE_NEW.patch"
) )
export KBUILD_BUILD_HOST=archlinux export KBUILD_BUILD_HOST=archlinux
@ -185,7 +185,7 @@ prepare() {
# https://github.com/graysky2/kernel_compiler_patch # https://github.com/graysky2/kernel_compiler_patch
# make sure to apply after olddefconfig to allow the next section # make sure to apply after olddefconfig to allow the next section
echo "Patching to enable GCC optimization for other uarchs..." echo "Patching to enable GCC optimization for other uarchs..."
patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8+.patch" patch -Np1 -i "$srcdir/kernel_compiler_patch-$_gcc_more_v/more-uarches-for-kernel-5.8-5.14.patch"
if [ -n "$_subarch" ]; then if [ -n "$_subarch" ]; then
# user wants a subarch so apply choice defined above interactively via 'yes' # user wants a subarch so apply choice defined above interactively via 'yes'
@ -351,13 +351,13 @@ for _p in "${pkgname[@]}"; do
}" }"
done done
sha256sums=('3f6baa97f37518439f51df2e4f3d65a822ca5ff016aa8e60d2cc53b95a6c89d9' sha256sums=('7e068b5e0d26a62b10e5320b25dce57588cbbc6f781c090442138c9c9c3271b2'
'SKIP' 'SKIP'
'6fadc31348a0c0bbce86b067811d1dadae307bbde5b712c688b3193d73f0fb71' '3ad8bc71d6fe35982e75dd60744f775159bc7f2d89fe1458ffe2f6aed03b6bd9'
'SKIP' 'SKIP'
'd361171032ec9fce11c53bfbd667d0c3f0cb4004a17329ab195d6dcc5aa88caf' 'b70720e7537a0b6455edaeb198d52151fb3b3c3a91631b8f43d2e71b694da611'
'2c98de0814366b041aeee4cbf82b82620c7834bc33752d50f089e8bd7ea5cf5e' '1c7aee7bccb1d848887b0cef273518badb09021788b148db1c6168d4c761f1fd'
'34614e92ed29d11f5f6150ee8ed6c5ffe7f8f3d99a2fed6aebe40e513749c3ba') 'ece72251dacc37d239a5bbf170629c155cee634c05febd8d654b110077d29f28')
validpgpkeys=( validpgpkeys=(
'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds 'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds

View file

@ -1,193 +0,0 @@
From f56f33917f418568141184eb2503ec65309a8255 Mon Sep 17 00:00:00 2001
From: Mark Weiman <mark.weiman@markzz.com>
Date: Thu, 13 Dec 2018 13:15:16 -0500
Subject: [PATCH] pci: Enable overrides for missing ACS capabilities (4.18)
This an updated version of Alex Williamson's patch from:
https://lkml.org/lkml/2013/5/30/513
Original commit message follows:
---
PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that
allows us to control whether transactions are allowed to be redirected
in various subnodes of a PCIe topology. For instance, if two
endpoints are below a root port or downsteam switch port, the
downstream port may optionally redirect transactions between the
devices, bypassing upstream devices. The same can happen internally
on multifunction devices. The transaction may never be visible to the
upstream devices.
One upstream device that we particularly care about is the IOMMU. If
a redirection occurs in the topology below the IOMMU, then the IOMMU
cannot provide isolation between devices. This is why the PCIe spec
encourages topologies to include ACS support. Without it, we have to
assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation.
Unfortunately, far too many topologies do not support ACS to make this
a steadfast requirement. Even the latest chipsets from Intel are only
sporadically supporting ACS. We have trouble getting interconnect
vendors to include the PCIe spec required PCIe capability, let alone
suggested features.
Therefore, we need to add some flexibility. The pcie_acs_override=
boot option lets users opt-in specific devices or sets of devices to
assume ACS support. The "downstream" option assumes full ACS support
on root ports and downstream switch ports. The "multifunction"
option assumes the subset of ACS features available on multifunction
endpoints and upstream switch ports are supported. The "id:nnnn:nnnn"
option enables ACS support on devices matching the provided vendor
and device IDs, allowing more strategic ACS overrides. These options
may be combined in any order. A maximum of 16 id specific overrides
are available. It's suggested to use the most limited set of options
necessary to avoid completely disabling ACS across the topology.
Note to hardware vendors, we have facilities to permanently quirk
specific devices which enforce isolation but not provide an ACS
capability. Please contact me to have your devices added and save
your customers the hassle of this boot option.
---
.../admin-guide/kernel-parameters.txt | 8 ++
drivers/pci/quirks.c | 102 ++++++++++++++++++
2 files changed, 110 insertions(+)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 0c404cda531a..0d45f0014f4a 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3408,6 +3408,14 @@
nomsi [MSI] If the PCI_MSI kernel config parameter is
enabled, this kernel boot option can be used to
disable the use of MSI interrupts system-wide.
+ pci_acs_override [PCIE] Override missing PCIe ACS support for:
+ downstream
+ All downstream ports - full ACS capabilities
+ multifunction
+ Add multifunction devices - multifunction ACS subset
+ id:nnnn:nnnn
+ Specific device - full ACS capabilities
+ Specified as vid:did (vendor/device ID) in hex
noioapicquirk [APIC] Disable all boot interrupt quirks.
Safety option to keep boot IRQs enabled. This
should never be necessary.
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index c0673a717239..695d99b390f7 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -192,6 +192,106 @@ static int __init pci_apply_final_quirks(void)
}
fs_initcall_sync(pci_apply_final_quirks);
+static bool acs_on_downstream;
+static bool acs_on_multifunction;
+
+#define NUM_ACS_IDS 16
+struct acs_on_id {
+ unsigned short vendor;
+ unsigned short device;
+};
+static struct acs_on_id acs_on_ids[NUM_ACS_IDS];
+static u8 max_acs_id;
+
+static __init int pcie_acs_override_setup(char *p)
+{
+ if (!p)
+ return -EINVAL;
+
+ while (*p) {
+ if (!strncmp(p, "downstream", 10))
+ acs_on_downstream = true;
+ if (!strncmp(p, "multifunction", 13))
+ acs_on_multifunction = true;
+ if (!strncmp(p, "id:", 3)) {
+ char opt[5];
+ int ret;
+ long val;
+
+ if (max_acs_id >= NUM_ACS_IDS - 1) {
+ pr_warn("Out of PCIe ACS override slots (%d)\n",
+ NUM_ACS_IDS);
+ goto next;
+ }
+
+ p += 3;
+ snprintf(opt, 5, "%s", p);
+ ret = kstrtol(opt, 16, &val);
+ if (ret) {
+ pr_warn("PCIe ACS ID parse error %d\n", ret);
+ goto next;
+ }
+ acs_on_ids[max_acs_id].vendor = val;
+ p += strcspn(p, ":");
+ if (*p != ':') {
+ pr_warn("PCIe ACS invalid ID\n");
+ goto next;
+ }
+
+ p++;
+ snprintf(opt, 5, "%s", p);
+ ret = kstrtol(opt, 16, &val);
+ if (ret) {
+ pr_warn("PCIe ACS ID parse error %d\n", ret);
+ goto next;
+ }
+ acs_on_ids[max_acs_id].device = val;
+ max_acs_id++;
+ }
+next:
+ p += strcspn(p, ",");
+ if (*p == ',')
+ p++;
+ }
+
+ if (acs_on_downstream || acs_on_multifunction || max_acs_id)
+ pr_warn("Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n");
+
+ return 0;
+}
+early_param("pcie_acs_override", pcie_acs_override_setup);
+
+static int pcie_acs_overrides(struct pci_dev *dev, u16 acs_flags)
+{
+ int i;
+
+ /* Never override ACS for legacy devices or devices with ACS caps */
+ if (!pci_is_pcie(dev) ||
+ pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS))
+ return -ENOTTY;
+
+ for (i = 0; i < max_acs_id; i++)
+ if (acs_on_ids[i].vendor == dev->vendor &&
+ acs_on_ids[i].device == dev->device)
+ return 1;
+
+switch (pci_pcie_type(dev)) {
+ case PCI_EXP_TYPE_DOWNSTREAM:
+ case PCI_EXP_TYPE_ROOT_PORT:
+ if (acs_on_downstream)
+ return 1;
+ break;
+ case PCI_EXP_TYPE_ENDPOINT:
+ case PCI_EXP_TYPE_UPSTREAM:
+ case PCI_EXP_TYPE_LEG_END:
+ case PCI_EXP_TYPE_RC_END:
+ if (acs_on_multifunction && dev->multifunction)
+ return 1;
+ }
+
+ return -ENOTTY;
+}
+
/*
* Decoding should be disabled for a PCI device during BAR sizing to avoid
* conflict. But doing so may cause problems on host bridge and perhaps other
@@ -4674,6 +4674,8 @@ static const struct pci_dev_acs_enabled {
{ PCI_VENDOR_ID_ZHAOXIN, 0x9083, pci_quirk_mf_endpoint_acs },
/* Zhaoxin Root/Downstream Ports */
{ PCI_VENDOR_ID_ZHAOXIN, PCI_ANY_ID, pci_quirk_zhaoxin_pcie_ports_acs },
+ /* allow acs for any */
+ { PCI_ANY_ID, PCI_ANY_ID, pcie_acs_overrides },
{ 0 }
};
--
2.20.0