* [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. 3a3759c625c593e70a7bea479c11834152681565
@ 2013-12-08 15:08 git
0 siblings, 0 replies; only message in thread
From: git @ 2013-12-08 15:08 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 9633 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, fifteen has been updated
via 3a3759c625c593e70a7bea479c11834152681565 (commit)
via 8a2cf24a1f5de1e236d5514863b1f57cdd343f27 (commit)
from 342a91ae257e461d3d0fe3a2da51a724c6f99a20 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3a3759c625c593e70a7bea479c11834152681565
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Dec 8 16:07:35 2013 +0100
mountkernfs: fix mount of /sys and /proc without initrd.
commit 8a2cf24a1f5de1e236d5514863b1f57cdd343f27
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Sun Dec 8 16:03:25 2013 +0100
kernel: enable grsecurity on rpi kernel.
-----------------------------------------------------------------------
Summary of changes:
config/kernel/kernel.config.armv5tel-ipfire-rpi | 165 ++++++++++++++++++++++--
lfs/linux | 8 +-
src/initscripts/init.d/mountkernfs | 4 +-
3 files changed, 162 insertions(+), 15 deletions(-)
Difference in files:
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-rpi b/config/kernel/kernel.config.armv5tel-ipfire-rpi
index d343a9d..3f6c8da 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-rpi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-rpi
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm 3.10.11 Kernel Configuration
+# Linux/arm 3.10.22 Kernel Configuration
#
CONFIG_ARM=y
CONFIG_SYS_SUPPORTS_APM_EMULATION=y
@@ -94,7 +94,6 @@ CONFIG_TINY_RCU=y
# CONFIG_IKCONFIG is not set
CONFIG_LOG_BUF_SHIFT=19
# CONFIG_CGROUPS is not set
-# CONFIG_CHECKPOINT_RESTORE is not set
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
@@ -187,6 +186,7 @@ CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
# CONFIG_MODULE_SIG is not set
+CONFIG_STOP_MACHINE=y
CONFIG_BLOCK=y
CONFIG_LBDAF=y
CONFIG_BLK_DEV_BSG=y
@@ -305,7 +305,6 @@ CONFIG_CPU_TLB_V6=y
CONFIG_CPU_HAS_ASID=y
CONFIG_CPU_CP15=y
CONFIG_CPU_CP15_MMU=y
-CONFIG_CPU_USE_DOMAINS=y
#
# Processor Features
@@ -370,7 +369,6 @@ CONFIG_CLEANCACHE=y
CONFIG_FRONTSWAP=y
CONFIG_FORCE_MAX_ZONEORDER=11
CONFIG_ALIGNMENT_TRAP=y
-# CONFIG_UACCESS_WITH_MEMCPY is not set
CONFIG_SECCOMP=y
CONFIG_CC_STACKPROTECTOR=y
@@ -825,7 +823,6 @@ CONFIG_L2TP_IP=m
CONFIG_L2TP_ETH=m
CONFIG_STP=m
CONFIG_GARP=m
-CONFIG_MRP=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_BRIDGE_VLAN_FILTERING=y
@@ -1012,7 +1009,8 @@ CONFIG_HAVE_BPF_JIT=y
# Generic Driver Options
#
CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
-# CONFIG_DEVTMPFS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
# CONFIG_STANDALONE is not set
# CONFIG_PREVENT_FIRMWARE_BUILD is not set
CONFIG_FW_LOADER=y
@@ -3766,7 +3764,6 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
#
CONFIG_PROC_FS=y
CONFIG_PROC_SYSCTL=y
-CONFIG_PROC_PAGE_MONITOR=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
@@ -3977,7 +3974,6 @@ CONFIG_FRAME_POINTER=y
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
# CONFIG_FAULT_INJECTION is not set
-# CONFIG_LATENCYTOP is not set
# CONFIG_DEBUG_PAGEALLOC is not set
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
@@ -4014,6 +4010,158 @@ CONFIG_EARLY_PRINTK=y
#
# Security options
#
+
+#
+# Grsecurity
+#
+CONFIG_PAX_USERCOPY_SLABS=y
+CONFIG_GRKERNSEC=y
+# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
+CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
+
+#
+# Customize Configuration
+#
+
+#
+# PaX
+#
+CONFIG_PAX=y
+
+#
+# PaX Control
+#
+# CONFIG_PAX_SOFTMODE is not set
+CONFIG_PAX_EI_PAX=y
+CONFIG_PAX_PT_PAX_FLAGS=y
+# CONFIG_PAX_XATTR_PAX_FLAGS is not set
+# CONFIG_PAX_NO_ACL_FLAGS is not set
+CONFIG_PAX_HAVE_ACL_FLAGS=y
+# CONFIG_PAX_HOOK_ACL_FLAGS is not set
+
+#
+# Non-executable pages
+#
+CONFIG_PAX_NOEXEC=y
+CONFIG_PAX_PAGEEXEC=y
+CONFIG_PAX_MPROTECT=y
+# CONFIG_PAX_MPROTECT_COMPAT is not set
+CONFIG_PAX_ELFRELOCS=y
+# CONFIG_PAX_KERNEXEC is not set
+CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
+
+#
+# Address Space Layout Randomization
+#
+CONFIG_PAX_ASLR=y
+CONFIG_PAX_RANDUSTACK=y
+CONFIG_PAX_RANDMMAP=y
+
+#
+# Miscellaneous hardening features
+#
+CONFIG_PAX_MEMORY_SANITIZE=y
+CONFIG_PAX_MEMORY_STRUCTLEAK=y
+CONFIG_PAX_MEMORY_UDEREF=y
+CONFIG_PAX_REFCOUNT=y
+CONFIG_PAX_USERCOPY=y
+# CONFIG_PAX_LATENT_ENTROPY is not set
+
+#
+# Memory Protections
+#
+# CONFIG_GRKERNSEC_KMEM is not set
+CONFIG_GRKERNSEC_JIT_HARDEN=y
+# CONFIG_GRKERNSEC_PERF_HARDEN is not set
+CONFIG_GRKERNSEC_RAND_THREADSTACK=y
+CONFIG_GRKERNSEC_PROC_MEMMAP=y
+CONFIG_GRKERNSEC_BRUTE=y
+CONFIG_GRKERNSEC_MODHARDEN=y
+CONFIG_GRKERNSEC_HIDESYM=y
+CONFIG_GRKERNSEC_KERN_LOCKOUT=y
+
+#
+# Role Based Access Control Options
+#
+CONFIG_GRKERNSEC_NO_RBAC=y
+# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
+CONFIG_GRKERNSEC_ACL_MAXTRIES=3
+CONFIG_GRKERNSEC_ACL_TIMEOUT=30
+
+#
+# Filesystem Protections
+#
+# CONFIG_GRKERNSEC_PROC is not set
+CONFIG_GRKERNSEC_LINK=y
+# CONFIG_GRKERNSEC_SYMLINKOWN is not set
+CONFIG_GRKERNSEC_FIFO=y
+# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+# CONFIG_GRKERNSEC_ROFS is not set
+CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
+CONFIG_GRKERNSEC_CHROOT=y
+# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
+CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y
+CONFIG_GRKERNSEC_CHROOT_CHDIR=y
+# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set
+CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
+# CONFIG_GRKERNSEC_CHROOT_MKNOD is not set
+CONFIG_GRKERNSEC_CHROOT_SHMAT=y
+CONFIG_GRKERNSEC_CHROOT_UNIX=y
+CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
+CONFIG_GRKERNSEC_CHROOT_NICE=y
+CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
+# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
+CONFIG_GRKERNSEC_CHROOT_INITRD=y
+
+#
+# Kernel Auditing
+#
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+CONFIG_GRKERNSEC_RESLOG=y
+# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
+# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+CONFIG_GRKERNSEC_SIGNAL=y
+CONFIG_GRKERNSEC_FORKFAIL=y
+# CONFIG_GRKERNSEC_TIME is not set
+CONFIG_GRKERNSEC_PROC_IPADDR=y
+# CONFIG_GRKERNSEC_RWXMAP_LOG is not set
+
+#
+# Executable Protections
+#
+CONFIG_GRKERNSEC_DMESG=y
+CONFIG_GRKERNSEC_HARDEN_PTRACE=y
+CONFIG_GRKERNSEC_PTRACE_READEXEC=y
+CONFIG_GRKERNSEC_SETXID=y
+# CONFIG_GRKERNSEC_TPE is not set
+
+#
+# Network Protections
+#
+CONFIG_GRKERNSEC_RANDNET=y
+CONFIG_GRKERNSEC_BLACKHOLE=y
+CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
+# CONFIG_GRKERNSEC_SOCKET is not set
+
+#
+# Physical Protections
+#
+# CONFIG_GRKERNSEC_DENYUSB is not set
+
+#
+# Sysctl Support
+#
+# CONFIG_GRKERNSEC_SYSCTL is not set
+
+#
+# Logging Options
+#
+CONFIG_GRKERNSEC_FLOODTIME=10
+CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_KEYS=y
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEYS_DEBUG_PROC_KEYS=y
@@ -4027,7 +4175,6 @@ CONFIG_SECURITY_NETWORK_XFRM=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_YAMA is not set
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
diff --git a/lfs/linux b/lfs/linux
index b35813a..1a9f770 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -26,7 +26,7 @@ include Config
VER = 3.10.22
-RPI_PATCHES = linux-3.10.10-c1af7c6
+RPI_PATCHES = linux-3.10.10-grsec-c1af7c6
GRS_PATCHES = grsecurity-2.9.1-3.10.22-ipfire1.patch.xz
THISAPP = linux-$(VER)
@@ -75,7 +75,7 @@ rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).p
$(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
$(DL_FILE)_MD5 = d2b030e809d0f03d2d6ddfcc5108d641
-rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = ef9274b3ff5d05daaaa4bdbe86ad00fc
+rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = f55981853573236069db5ad9fb7a4bd9
$(GRS_PATCHES)_MD5 = 2fe9cf094b9069918f66b2b1895431eb
install : $(TARGET)
@@ -122,11 +122,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Grsecurity-patches
ifneq "$(KCFG)" "-headers"
-ifneq "$(KCFG)" "-rpi"
+#ifneq "$(KCFG)" "-rpi"
cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
cd $(DIR_APP) && rm localversion-grsec
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
-endif
+#endif
endif
# Disable pcspeaker autoload
diff --git a/src/initscripts/init.d/mountkernfs b/src/initscripts/init.d/mountkernfs
index 1e5be05..9cbceb4 100644
--- a/src/initscripts/init.d/mountkernfs
+++ b/src/initscripts/init.d/mountkernfs
@@ -21,12 +21,12 @@ case "${1}" in
if ! mountpoint /proc &> /dev/null; then
boot_mesg -n " /proc" ${NORMAL}
- mount -n /proc || failed=1
+ mount -n -t proc /proc /proc || failed=1
fi
if ! mountpoint /sys &> /dev/null; then
boot_mesg -n " /sys" ${NORMAL}
- mount -n /sys || failed=1
+ mount -n -t sysfs /sys /sys || failed=1
fi
boot_mesg "" ${NORMAL}
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-12-08 15:08 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-12-08 15:08 [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. 3a3759c625c593e70a7bea479c11834152681565 git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox