This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 505b886d0d8cbe5448a9998ff88c6636b8e50245 (commit) via d5fe33228311d47490536bee370297a7c735f9d6 (commit) via 65ae069c213a7fcd36d7857b15d863804984948d (commit) via fd0a0384f07b399e9cb4cf46b4c5722b809ffe6a (commit) from 3da2a66193ce8e3f92d3c29be95a4076a4fa0274 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 505b886d0d8cbe5448a9998ff88c6636b8e50245 Author: Michael Tremer Date: Sun Sep 9 17:48:14 2018 +0100 core124: Apply changed sysctl.conf Signed-off-by: Michael Tremer commit d5fe33228311d47490536bee370297a7c735f9d6 Author: Peter Müller Date: Thu Aug 16 17:29:58 2018 +0200 do not expose kernel address spaces even to privileged users Change this setting from 1 to 2 so kernel addresses are not displayed even if a user has CAPS_SYSLOG privileges. See also: - https://lwn.net/Articles/420403/ - https://tails.boum.org/contribute/design/kernel_hardening/ Signed-off-by: Peter Müller Signed-off-by: Michael Tremer commit 65ae069c213a7fcd36d7857b15d863804984948d Author: Michael Tremer Date: Sun Sep 9 17:43:53 2018 +0100 core124: Ship updated rng-tools Signed-off-by: Michael Tremer commit fd0a0384f07b399e9cb4cf46b4c5722b809ffe6a Author: Michael Tremer Date: Sun Sep 9 17:42:17 2018 +0100 rng-tools: Update to 6.4 Also add a patch that keeps RDRAND enabled on i586 
Signed-off-by: Michael Tremer Fixes: #11853 ----------------------------------------------------------------------- Summary of changes: config/etc/sysctl.conf | 2 +- config/rootfiles/core/124/filelists/files | 1 + .../{oldcore/121 => core/124}/filelists/rng-tools | 0 config/rootfiles/core/124/update.sh | 4 +++ lfs/rng-tools | 5 ++-- .../rng-tools-6-Enable-RDRAND-for-i586-too.patch | 35 ++++++++++++++++++++++ 6 files changed, 44 insertions(+), 3 deletions(-) copy config/rootfiles/{oldcore/121 => core/124}/filelists/rng-tools (100%) create mode 100644 src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..345f8f52a 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files index 320d2808d..823355f2b 100644 --- a/config/rootfiles/core/124/filelists/files +++ b/config/rootfiles/core/124/filelists/files @@ -4,6 +4,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/init.d/aws etc/rc.d/init.d/localnet etc/rc.d/init.d/partresize +etc/sysctl.conf opt/pakfire/lib/functions.pl opt/pakfire/pakfire srv/web/ipfire/cgi-bin/firewall.cgi diff --git a/config/rootfiles/core/124/filelists/rng-tools b/config/rootfiles/core/124/filelists/rng-tools new file mode 120000 index 000000000..a7853e41b --- /dev/null +++ b/config/rootfiles/core/124/filelists/rng-tools @@ -0,0 +1 @@ +../../../common/rng-tools \ No newline at end of file diff --git a/config/rootfiles/core/124/update.sh b/config/rootfiles/core/124/update.sh index 471667a12..80eca4ceb 100644 
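Review bot: The comment above `kernel.kptr_restrict` in config/etc/sysctl.conf still gives only the general intent and does not say what the new value means, so a later reader cannot tell why 2 was chosen over 1. I would extend it, e.g. `# 2 = print kernel pointers as zeros for every user, including processes with CAP_SYSLOG.` (the capability is spelled `CAP_SYSLOG`; the commit message has `CAPS_SYSLOG`). The comment should also note that tools which resolve symbols through /proc/kallsyms, such as perf, lose kernel addresses even when run as root, so the value has to be lowered temporarily for that kind of debugging.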
--- a/config/rootfiles/core/124/update.sh +++ b/config/rootfiles/core/124/update.sh @@ -48,8 +48,12 @@ ldconfig /usr/local/bin/update-lang-cache # Start services +/etc/init.d/rngd restart /etc/init.d/ntp restart +# Reload sysctl.conf +sysctl -p + # Remove deprecated GRUB configuration option if [ -e "/etc/default/grub" ]; then sed -e "/^GRUB_FONT/d" -i /etc/default/grub diff --git a/lfs/rng-tools b/lfs/rng-tools index c7a358e56..dc87a3406 100644 --- a/lfs/rng-tools +++ b/lfs/rng-tools @@ -24,7 +24,7 @@ include Config -VER = 6.3.1 +VER = 6.4 THISAPP = rng-tools-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = fe2d38e39ff02d0c7b3585407d51dc64 +$(DL_FILE)_MD5 = 52a8243858503f94eecd4ae0983a9818 install : $(TARGET) @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch cd $(DIR_APP) && ./autogen.sh cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) diff --git a/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch b/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch new file mode 100644 index 000000000..7d45bd0b8 --- /dev/null +++ b/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch 
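Review bot: The exit status of the added `sysctl -p` in config/rootfiles/core/124/update.sh is not checked, so if the reload fails the updated system presumably keeps running with `kernel.kptr_restrict = 1` until sysctl.conf is next applied, and nothing records it. The shipped sysctl.conf also carries `net.bridge.*` keys, which presumably exist under /proc/sys only while the bridge netfilter code is loaded, so errors on some systems are plausible. I would make a failure visible, e.g. `sysctl -p || echo "core124: sysctl -p reported errors" >&2`, or set the one changed key explicitly with `sysctl -w kernel.kptr_restrict=2`. The script continues beyond this hunk, so later handling may exist that is not shown here.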
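Review bot: The new rng-tools 6.4 tarball is pinned only by `$(DL_FILE)_MD5` in lfs/rng-tools, and MD5 is no longer collision-resistant. That makes it a weaker integrity guarantee for a downloaded source archive than a SHA-256 or BLAKE2 digest. If the build framework pulled in by `include Config` (not visible here) can verify a stronger digest, I would record one next to the MD5 line. If it cannot, that is a follow-up for the framework rather than a change for this commit.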
@@ -0,0 +1,35 @@
+From 1f023b49959aa58246e6bb7091ba7710116f6915 Mon Sep 17 00:00:00 2001
+From: Michael Tremer
+Date: Sun, 9 Sep 2018 17:29:15 +0100
+Subject: [PATCH] Enable RDRAND for i586, too
+
+IPFire is being compiled for i586 omitting some instructions
+for i686. However, RDRAND is available on some systems and
+can of course be used.
+
+Signed-off-by: Michael Tremer
+
+Pull request sent: https://github.com/nhorman/rng-tools/pull/31
+
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index faba7cc9857e..716175328ff6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -53,8 +53,8 @@ AC_CHECK_TOOLS([AR], [ar gar], :)
+
+ AX_PTHREAD
+
+-AM_CONDITIONAL([RDRAND], [test $target_cpu = x86_64 -o $target_cpu = i686])
+-AS_IF([test $target_cpu = x86_64 -o $target_cpu = i686], [AC_DEFINE([HAVE_RDRAND],1,[Enable RDRAND])],[])
++AM_CONDITIONAL([RDRAND], [test $target_cpu = x86_64 -o $target_cpu = i686 -o $target_cpu = i586])
++AS_IF([test $target_cpu = x86_64 -o $target_cpu = i686 -o $target_cpu = i586], [AC_DEFINE([HAVE_RDRAND],1,[Enable RDRAND])],[])
+
+ AM_CONDITIONAL([DARN], [test $target_cpu = powerpc64le])
+ AS_IF([test $target_cpu = powerpc64le], [AC_DEFINE([HAVE_DARN],1,[Enable DARN])],[])
+--
+2.17.1
+
hooks/post-receive -- IPFire 2.x development tree
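Review bot: With `-o $target_cpu = i586` added to both tests in configure.ac, `HAVE_RDRAND` is now defined for a target where many CPUs do not implement the instruction, so safe operation depends entirely on a runtime CPUID check before the first RDRAND is issued. That check is not part of this hunk and should be confirmed in the rng-tools RDRAND source before shipping, since executing the instruction on a CPU without it raises an illegal-instruction fault. I would also state this in the patch description, e.g. `The build-time test only decides whether the RDRAND source is compiled; availability is still detected at run time.` The same three-way test is now duplicated on two lines, so computing it once into a shell variable would keep `AM_CONDITIONAL` and `AS_IF` from drifting apart.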