From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Müller <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 6d0e3c5a5719ea66a47f1859871808d8b2095fa4
Date: Mon, 03 Oct 2022 21:58:46 +0000
Message-ID: <4MhF8k6YXpz2y1h@people01.haj.ipfire.org>
List-Id: <ipfire-scm.lists.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  6d0e3c5a5719ea66a47f1859871808d8b2095fa4 (commit)
       via  16eb2d5379757076c23b4cdd14a8af595fd9d1bc (commit)
       via  25a3d87645609b3deffdc45a153eb2e2696032f9 (commit)
       via  e79c4372ceb87d3fa91cd440745cb6125c57e23e (commit)
      from  9826ac9bc299360a89c7f3f5bf3df0b9dfc05217 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6d0e3c5a5719ea66a47f1859871808d8b2095fa4
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Oct 3 21:58:25 2022 +0000

    libseccomp: Bump package version

    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 16eb2d5379757076c23b4cdd14a8af595fd9d1bc
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Sep 19 12:35:41 2022 +0000

    linux: Enable seccomp filter on ARM

    Since last time we checked, the kernel's security features on ARM
    have improved notably (see CONFIG_RANDOMIZE_BASE discussion). This
    patch therefore proposes to give the seccomp filter on both 32- and
    64-bit ARM another try, since it provides significant security
    benefit to applications using it.

    Due to operational constraints, rootfile changes have been omitted,
    and will be conducted, should this patch be approved.

    Note to future self: Once this patch is approved, applications using
    seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.

    Fixes: #12366
    Fixes: #12370
    Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 25a3d87645609b3deffdc45a153eb2e2696032f9
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Sun Oct 2 14:47:52 2022 +0000

    linux: Remove user-space probe support

    From the kernel's documentation:

    > Uprobes is the user-space counterpart to kprobes: they
    > enable instrumentation applications (such as 'perf probe')
    > to establish unintrusive probes in user-space binaries and
    > libraries, by executing handler functions when the probes
    > are hit by user-space applications.
    >
    > ( These probes come in the form of single-byte breakpoints,
    > managed by the kernel and kept transparent to the probed
    > application. )

    To the best of the author's understanding, no application on IPFire
    needs this functionality, and given its abuse potential, we should
    probably not enable it.

    As expected, strace functionality is not impaired by this.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org> commit e79c4372ceb87d3fa91cd440745cb6125c57e23e Author: Matthias Fischer <matthias.fischer(a)ipfire.org> Date: Thu Sep 29 22:35:18 2022 +0200 suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt:= enabled: yes =20 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> Acked-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 9 ++++----- config/kernel/kernel.config.armv6l-ipfire | 9 ++++----- config/kernel/kernel.config.x86_64-ipfire | 5 +---- config/suricata/suricata.yaml | 2 +- lfs/libseccomp | 2 +- 5 files changed, 11 insertions(+), 16 deletions(-) Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kerne= l.config.aarch64-ipfire index 836e2b15f..e2ae8da17 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -645,7 +645,6 @@ CONFIG_CRYPTO_AES_ARM64_BS=3Dm # CONFIG_KPROBES is not set CONFIG_JUMP_LABEL=3Dy CONFIG_STATIC_KEYS_SELFTEST=3Dy -CONFIG_UPROBES=3Dy CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=3Dy CONFIG_HAVE_KPROBES=3Dy CONFIG_HAVE_KRETPROBES=3Dy @@ -681,7 +680,9 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=3Dy CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=3Dy CONFIG_HAVE_ARCH_SECCOMP=3Dy CONFIG_HAVE_ARCH_SECCOMP_FILTER=3Dy -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=3Dy +CONFIG_SECCOMP_FILTER=3Dy +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_ARCH_STACKLEAK=3Dy CONFIG_HAVE_STACKPROTECTOR=3Dy CONFIG_STACKPROTECTOR=3Dy 
@@ -8154,9 +8155,7 @@ CONFIG_TRACER_SNAPSHOT=3Dy CONFIG_BRANCH_PROFILE_NONE=3Dy # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=3Dy -CONFIG_DYNAMIC_EVENTS=3Dy -CONFIG_PROBE_EVENTS=3Dy +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=3Dy CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=3Dy # CONFIG_SYNTH_EVENTS is not set diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel= .config.armv6l-ipfire index ae611fc6f..54260aec1 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -738,7 +738,6 @@ CONFIG_AS_VFP_VMRS_FPINST=3Dy # CONFIG_KPROBES is not set CONFIG_JUMP_LABEL=3Dy CONFIG_STATIC_KEYS_SELFTEST=3Dy -CONFIG_UPROBES=3Dy CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=3Dy CONFIG_ARCH_USE_BUILTIN_BSWAP=3Dy CONFIG_HAVE_KPROBES=3Dy @@ -765,7 +764,9 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=3Dy CONFIG_ARCH_WANT_IPC_PARSE_VERSION=3Dy CONFIG_HAVE_ARCH_SECCOMP=3Dy CONFIG_HAVE_ARCH_SECCOMP_FILTER=3Dy -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=3Dy +CONFIG_SECCOMP_FILTER=3Dy +# CONFIG_SECCOMP_CACHE_DEBUG is not set CONFIG_HAVE_STACKPROTECTOR=3Dy CONFIG_STACKPROTECTOR=3Dy CONFIG_STACKPROTECTOR_STRONG=3Dy @@ -8129,9 +8130,7 @@ CONFIG_BRANCH_PROFILE_NONE=3Dy # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_PROFILE_ALL_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=3Dy -CONFIG_DYNAMIC_EVENTS=3Dy -CONFIG_PROBE_EVENTS=3Dy +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=3Dy CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=3Dy # CONFIG_SYNTH_EVENTS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel= .config.x86_64-ipfire index d005f98d4..bb4655a99 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -671,7 +671,6 @@ CONFIG_GENERIC_ENTRY=3Dy CONFIG_JUMP_LABEL=3Dy CONFIG_STATIC_KEYS_SELFTEST=3Dy # CONFIG_STATIC_CALL_SELFTEST is not set -CONFIG_UPROBES=3Dy CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=3Dy CONFIG_ARCH_USE_BUILTIN_BSWAP=3Dy CONFIG_USER_RETURN_NOTIFIER=3Dy @@ -7594,9 +7593,7 @@ CONFIG_TRACER_SNAPSHOT=3Dy CONFIG_BRANCH_PROFILE_NONE=3Dy # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set # CONFIG_BLK_DEV_IO_TRACE is not set -CONFIG_UPROBE_EVENTS=3Dy -CONFIG_DYNAMIC_EVENTS=3Dy -CONFIG_PROBE_EVENTS=3Dy +# CONFIG_UPROBE_EVENTS is not set CONFIG_FTRACE_MCOUNT_RECORD=3Dy CONFIG_FTRACE_MCOUNT_USE_CC=3Dy # CONFIG_SYNTH_EVENTS is not set diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 03a7a83af..fb4f9426b 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -371,7 +371,7 @@ app-layer: dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 # MQTT, disabled by default. mqtt: - # enabled: no + enabled: yes # max-msg-length: 1mb krb5: enabled: yes diff --git a/lfs/libseccomp b/lfs/libseccomp index ada345c2f..c00ca3907 100644 --- a/lfs/libseccomp +++ b/lfs/libseccomp @@ -34,7 +34,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D libseccomp -PAK_VER =3D 8 +PAK_VER =3D 9 =20 DEPS =3D =20 hooks/post-receive -- IPFire 2.x development tree --===============6856602089476438514==--
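Review bot: Dropping `CONFIG_UPROBES=y` at `@@ -645,7 +645,6 @@` in kernel.config.aarch64-ipfire (the armv6l `@@ -738` and x86_64 `@@ -671` hunks make the same change) leaves no kernel probe facility at all, because `# CONFIG_KPROBES is not set` already sits in the context two lines above. The commit message only says strace is unaffected; the kernel text it quotes names `perf probe` as the consumer of uprobes, so the message should state plainly that user-space `perf probe` instrumentation stops working on all three architectures, which is the trade-off a later reader debugging a daemon on an IPFire box needs to know about.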
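Review bot: The seccomp hunk at `@@ -681,7 +680,9 @@` in kernel.config.aarch64-ipfire (mirrored at `@@ -765,7 +764,9 @@` for armv6l) turns on `CONFIG_SECCOMP=y` and `CONFIG_SECCOMP_FILTER=y` while leaving `CONFIG_SECCOMP_CACHE_DEBUG` unset, which is the right production shape. The gap is on the user-space side: the commit message itself records that rootfile changes were omitted and that OpenSSH and Tor "need to be updated/shipped on ARM", so until those packages are rebuilt and shipped, ARM installations get the kernel side of the filter only. Suggest tracking that follow-up against the `Fixes: #12366` / `Fixes: #12370` references so the bugs are not closed before the applications actually apply filters on ARM.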
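Review bot: The three-line removal at `@@ -8154,9 +8155,7 @@` (and the matching armv6l `@@ -8129` and x86_64 `@@ -7594` hunks) takes `CONFIG_DYNAMIC_EVENTS=y` and `CONFIG_PROBE_EVENTS=y` out along with `CONFIG_UPROBE_EVENTS=y`. That is expected rather than an extra feature loss: both are non-visible symbols that are only selected by the kprobe or uprobe event code, and with `CONFIG_KPROBES` unset in the first hunk and `# CONFIG_SYNTH_EVENTS is not set` in the context below, nothing remains to select them. A sentence to that effect in the commit message would save the next reviewer from reading the larger deletion as unintended.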
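Review bot: In config/suricata/suricata.yaml at `@@ -371,7 +371,7 @@`, the comment `# MQTT, disabled by default.` directly above the changed line now contradicts `enabled: yes`; update or drop it. Enabling the parser means MQTT traffic is now dissected and its app-layer keywords become usable in rules, but with `# max-msg-length: 1mb` still commented out the limit in force is Suricata's built-in default rather than a value visible in this file; consider uncommenting it so operators can see and tune the bound on what the parser will buffer.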
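Review bot: The lfs/libseccomp hunk at `@@ -34,7 +34,7 @@` changes only `PAK_VER = 8` to `PAK_VER = 9`, which is a pure rebuild-and-reship trigger and lines up with the "Note to future self" in the seccomp commit about shipping seccomp users on ARM. The commit message "libseccomp: Bump package version" does not say why; one line tying the bump to the newly enabled seccomp filter on ARM would make the history self-explanatory.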