From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <1417090594.5ea4fcf4b5c7892dd72ae3a8c6792b6ed8d68c15.blueness@gentoo>
Subject: [gentoo-commits] proj/hardened-patchset:master commit in: 3.17.4/, 3.2.64/, 3.14.25/
X-VCS-Repository: proj/hardened-patchset
X-VCS-Files: 3.14.25/0000_README 3.14.25/4420_grsecurity-3.0-3.14.25-201411220954.patch 3.14.25/4420_grsecurity-3.0-3.14.25-201411260106.patch 3.17.4/0000_README 3.17.4/4420_grsecurity-3.0-3.17.4-201411220955.patch 3.17.4/4420_grsecurity-3.0-3.17.4-201411260107.patch 3.2.64/0000_README 3.2.64/4420_grsecurity-3.0-3.2.64-201411220952.patch 3.2.64/4420_grsecurity-3.0-3.2.64-201411260105.patch
X-VCS-Directories: 3.17.4/ 3.2.64/ 3.14.25/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: 5ea4fcf4b5c7892dd72ae3a8c6792b6ed8d68c15
X-VCS-Branch: master
Date: Thu, 27 Nov 2014 12:14:12 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 93873ee8-e631-4627-90ff-2204a29d2511
X-Archives-Hash: 1a1986f330dd437d2e13b6ff180ad00d

commit: 5ea4fcf4b5c7892dd72ae3a8c6792b6ed8d68c15
Author: Anthony G. Basile gentoo org>
AuthorDate: Thu Nov 27 12:16:34 2014 +0000
Commit: Anthony G. Basile gentoo org>
CommitDate: Thu Nov 27 12:16:34 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-patchset.git;a=commit;h=5ea4fcf4

Grsec/PaX: 3.0-{3.2.64,3.14.25,3.17.4}-201411260107

---
 3.14.25/0000_README | 2 +-
 ...4420_grsecurity-3.0-3.14.25-201411260106.patch} | 137 ++++++++++++++++-----
 3.17.4/0000_README | 2 +-
 ... 4420_grsecurity-3.0-3.17.4-201411260107.patch} | 137 ++++++++++++++++-----
 3.2.64/0000_README | 2 +-
 ...
4420_grsecurity-3.0-3.2.64-201411260105.patch} | 127 ++++++++++++++----- 6 files changed, 318 insertions(+), 89 deletions(-) diff --git a/3.14.25/0000_README b/3.14.25/0000_README index 2a01a49..ad24f16 100644 --- a/3.14.25/0000_README +++ b/3.14.25/0000_README @@ -6,7 +6,7 @@ Patch: 1024_linux-3.14.25.patch From: http://www.kernel.org Desc: Linux 3.14.25 -Patch: 4420_grsecurity-3.0-3.14.25-201411220954.patch +Patch: 4420_grsecurity-3.0-3.14.25-201411260106.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.14.25/4420_grsecurity-3.0-3.14.25-201411220954.patch b/3.14.25/4420_grsecurity-3.0-3.14.25-201411260106.patch similarity index 99% rename from 3.14.25/4420_grsecurity-3.0-3.14.25-201411220954.patch rename to 3.14.25/4420_grsecurity-3.0-3.14.25-201411260106.patch index 5a48407..31289a1 100644 --- a/3.14.25/4420_grsecurity-3.0-3.14.25-201411220954.patch +++ b/3.14.25/4420_grsecurity-3.0-3.14.25-201411260106.patch @@ -101156,10 +101156,30 @@ index 07bd8ed..c574801 100644 } diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index bdbf68b..deb4759 100644 +index bdbf68b..f0d9c83 100644 --- a/net/ipv4/devinet.c 
+++ b/net/ipv4/devinet.c -@@ -1543,7 +1543,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) +@@ -69,7 +69,8 @@ + + static struct ipv4_devconf ipv4_devconf = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -80,7 +81,8 @@ static struct ipv4_devconf ipv4_devconf = { + + static struct ipv4_devconf ipv4_devconf_dflt = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -1543,7 +1545,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -101168,7 +101188,7 @@ index bdbf68b..deb4759 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -1861,7 +1861,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, +@@ -1861,7 +1863,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -101177,7 +101197,7 @@ index bdbf68b..deb4759 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -2096,7 +2096,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write, +@@ -2096,7 +2098,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write, #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \ DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush) 
@@ -101186,7 +101206,7 @@ index bdbf68b..deb4759 100644 struct ctl_table_header *sysctl_header; struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX]; } devinet_sysctl = { -@@ -2218,7 +2218,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2218,7 +2220,7 @@ static __net_init int devinet_init_net(struct net *net) int err; struct ipv4_devconf *all, *dflt; #ifdef CONFIG_SYSCTL @@ -101195,7 +101215,7 @@ index bdbf68b..deb4759 100644 struct ctl_table_header *forw_hdr; #endif -@@ -2236,7 +2236,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2236,7 +2238,7 @@ static __net_init int devinet_init_net(struct net *net) goto err_alloc_dflt; #ifdef CONFIG_SYSCTL @@ -101204,7 +101224,7 @@ index bdbf68b..deb4759 100644 if (tbl == NULL) goto err_alloc_ctl; -@@ -2256,7 +2256,10 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2256,7 +2258,10 @@ static __net_init int devinet_init_net(struct net *net) goto err_reg_dflt; err = -ENOMEM; @@ -101216,7 +101236,7 @@ index bdbf68b..deb4759 100644 if (forw_hdr == NULL) goto err_reg_ctl; net->ipv4.forw_hdr = forw_hdr; -@@ -2272,8 +2275,7 @@ err_reg_ctl: +@@ -2272,8 +2277,7 @@ err_reg_ctl: err_reg_dflt: __devinet_sysctl_unregister(all); err_reg_all: @@ -101661,7 +101681,7 @@ index 2510c02..cfb34fa 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index e21934b..4e7cb58 100644 +index e21934b..fcd69aa 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { 
@@ -101673,7 +101693,16 @@ index e21934b..4e7cb58 100644 EXPORT_SYMBOL_GPL(pingv6_ops); static u16 ping_port_rover; -@@ -348,7 +348,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, +@@ -217,6 +217,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident) + &ipv6_hdr(skb)->daddr)) + continue; + #endif ++ } else { ++ continue; + } + + if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) +@@ -348,7 +350,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, return -ENODEV; } } @@ -101682,7 +101711,7 @@ index e21934b..4e7cb58 100644 scoped); rcu_read_unlock(); -@@ -556,7 +556,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -556,7 +558,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) } #if IS_ENABLED(CONFIG_IPV6) } else if (skb->protocol == htons(ETH_P_IPV6)) { @@ -101691,7 +101720,7 @@ index e21934b..4e7cb58 100644 #endif } -@@ -574,7 +574,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -574,7 +576,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) info, (u8 *)icmph); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -101700,7 +101729,7 @@ index e21934b..4e7cb58 100644 info, (u8 *)icmph); #endif } -@@ -858,7 +858,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -858,7 +860,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, return ip_recv_error(sk, msg, len, addr_len); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -101709,7 +101738,7 @@ index e21934b..4e7cb58 100644 addr_len); #endif } -@@ -916,10 +916,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -916,10 +918,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, } if (inet6_sk(sk)->rxopt.all) 
@@ -101722,7 +101751,7 @@ index e21934b..4e7cb58 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1111,7 +1111,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1111,7 +1113,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -102375,9 +102404,27 @@ index e1a6393..f634ce5 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3f0ec06..495548c 100644 +index 3f0ec06..5aad945 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c +@@ -170,7 +170,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .force_mld_version = 0, + .mldv1_unsolicited_report_interval = 10 * HZ, +@@ -206,7 +206,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .force_mld_version = 0, + .mldv1_unsolicited_report_interval = 10 * HZ, @@ -598,7 +598,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; 
@@ -106498,6 +106545,19 @@ index 0865b3e..7235dd4 100644 __ksymtab : { *(SORT(___ksymtab+*)) } __ksymtab_gpl : { *(SORT(___ksymtab_gpl+*)) } __ksymtab_unused : { *(SORT(___ksymtab_unused+*)) } +diff --git a/scripts/package/Makefile b/scripts/package/Makefile +index c5d4733..7c43eb4 100644 +--- a/scripts/package/Makefile ++++ b/scripts/package/Makefile +@@ -46,7 +46,7 @@ rpm-pkg rpm: FORCE + ln -sf $(srctree) $(KERNELPATH) + $(CONFIG_SHELL) $(MKSPEC) >$(objtree)/kernel.spec + $(CONFIG_SHELL) $(srctree)/scripts/setlocalversion --save-scmversion +- tar -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(TAR_CONTENT) ++ tar --owner=root --group=root -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(TAR_CONTENT) + rm $(KERNELPATH) + rm -f $(objtree)/.scmversion + $(CONFIG_SHELL) $(srctree)/scripts/mkversion > $(objtree)/.tmp_version diff --git a/scripts/package/builddeb b/scripts/package/builddeb index 152d4d2..791684c 100644 --- a/scripts/package/builddeb @@ -106511,13 +106571,22 @@ index 152d4d2..791684c 100644 mkdir -p "$destdir" (cd $srctree; tar -c -f - -T "$objtree/debian/hdrsrcfiles") | (cd $destdir; tar -xf -) diff --git a/scripts/package/mkspec b/scripts/package/mkspec -index 1395760..e4f4ac4 100755 +index 1395760..6ceef68 100755 --- a/scripts/package/mkspec 
+++ b/scripts/package/mkspec -@@ -82,6 +82,16 @@ echo "" - fi +@@ -121,14 +121,27 @@ echo 'rm -f $RPM_BUILD_ROOT'"/lib/modules/$KERNELRELEASE/{build,source}" + echo "mkdir -p "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE" + echo "EXCLUDES=\"$RCS_TAR_IGNORE --exclude .tmp_versions --exclude=*vmlinux* --exclude=*.o --exclude=*.ko --exclude=*.cmd --exclude=Documentation --exclude=firmware --exclude .config.old --exclude .missing-syscalls.d\"" + echo "tar "'$EXCLUDES'" -cf- . | (cd "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE;tar xvf -)" +-echo 'cd $RPM_BUILD_ROOT'"/lib/modules/$KERNELRELEASE" +-echo "ln -sf /usr/src/kernels/$KERNELRELEASE build" +-echo "ln -sf /usr/src/kernels/$KERNELRELEASE source" - echo "%install" + echo "" + echo "%clean" + echo 'rm -rf $RPM_BUILD_ROOT' + echo "" ++echo "%pre" +echo 'chmod -f 0500 /boot' +echo 'if [ -d /lib/modules ]; then' +echo 'chmod -f 0500 /lib/modules' 
@@ -106528,27 +106597,39 @@ index 1395760..e4f4ac4 100755 +echo 'if [ -d /lib64/modules ]; then' +echo 'chmod -f 0500 /lib64/modules' +echo 'fi' - echo 'KBUILD_IMAGE=$(make image_name)' - echo "%ifarch ia64" - echo 'mkdir -p $RPM_BUILD_ROOT/boot/efi $RPM_BUILD_ROOT/lib/modules' -@@ -139,7 +149,7 @@ echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm ++echo "" ++echo "%post devel" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/build" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/source" ++echo "" + echo "%post" + echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then" + echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm" +@@ -139,11 +152,11 @@ echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm echo "fi" echo "" echo "%files" -echo '%defattr (-, root, root)' +echo '%defattr (400, root, root, 500)' echo "%dir /lib/modules" - echo "/lib/modules/$KERNELRELEASE" +-echo "/lib/modules/$KERNELRELEASE" echo "%exclude /lib/modules/$KERNELRELEASE/build" -@@ -152,7 +162,7 @@ echo '%defattr (-, root, root)' + echo "%exclude /lib/modules/$KERNELRELEASE/source" ++echo "/lib/modules/$KERNELRELEASE" + echo "/lib/firmware/$KERNELRELEASE" + echo "/boot/*" + echo "" +@@ -152,8 +165,7 @@ echo '%defattr (-, root, root)' echo "/usr/include" echo "" echo "%files devel" -echo '%defattr (-, root, root)' +echo '%defattr (400, root, root, 500)' ++echo "%dir /lib/modules/$KERNELRELEASE" echo "/usr/src/kernels/$KERNELRELEASE" - echo "/lib/modules/$KERNELRELEASE/build" - echo "/lib/modules/$KERNELRELEASE/source" +-echo "/lib/modules/$KERNELRELEASE/build" +-echo "/lib/modules/$KERNELRELEASE/source" + echo "" diff --git a/scripts/pnmtologo.c b/scripts/pnmtologo.c index 68bb4ef..2f419e1 100644 --- a/scripts/pnmtologo.c diff --git a/3.17.4/0000_README b/3.17.4/0000_README index 3efa937..3e123ea 100644 
--- a/3.17.4/0000_README +++ b/3.17.4/0000_README @@ -2,7 +2,7 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-3.0-3.17.4-201411220955.patch +Patch: 4420_grsecurity-3.0-3.17.4-201411260107.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.17.4/4420_grsecurity-3.0-3.17.4-201411220955.patch b/3.17.4/4420_grsecurity-3.0-3.17.4-201411260107.patch similarity index 99% rename from 3.17.4/4420_grsecurity-3.0-3.17.4-201411220955.patch rename to 3.17.4/4420_grsecurity-3.0-3.17.4-201411260107.patch index 8d9a284..3dfb83f 100644 --- a/3.17.4/4420_grsecurity-3.0-3.17.4-201411220955.patch +++ b/3.17.4/4420_grsecurity-3.0-3.17.4-201411260107.patch @@ -102058,10 +102058,30 @@ index 32755cb..236d827 100644 return -ENOMEM; } diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index 214882e..f958b50 100644 +index 214882e..ec032f6 100644 --- a/net/ipv4/devinet.c 
+++ b/net/ipv4/devinet.c -@@ -1548,7 +1548,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) +@@ -69,7 +69,8 @@ + + static struct ipv4_devconf ipv4_devconf = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -80,7 +81,8 @@ static struct ipv4_devconf ipv4_devconf = { + + static struct ipv4_devconf ipv4_devconf_dflt = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -1548,7 +1550,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb) idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -102070,7 +102090,7 @@ index 214882e..f958b50 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -1866,7 +1866,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, +@@ -1866,7 +1868,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; rcu_read_lock(); @@ -102079,7 +102099,7 @@ index 214882e..f958b50 100644 net->dev_base_seq; hlist_for_each_entry_rcu(dev, head, index_hlist) { if (idx < s_idx) -@@ -2101,7 +2101,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write, +@@ -2101,7 +2103,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write, #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \ DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush) 
@@ -102088,7 +102108,7 @@ index 214882e..f958b50 100644 struct ctl_table_header *sysctl_header; struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX]; } devinet_sysctl = { -@@ -2233,7 +2233,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2233,7 +2235,7 @@ static __net_init int devinet_init_net(struct net *net) int err; struct ipv4_devconf *all, *dflt; #ifdef CONFIG_SYSCTL @@ -102097,7 +102117,7 @@ index 214882e..f958b50 100644 struct ctl_table_header *forw_hdr; #endif -@@ -2251,7 +2251,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2251,7 +2253,7 @@ static __net_init int devinet_init_net(struct net *net) goto err_alloc_dflt; #ifdef CONFIG_SYSCTL @@ -102106,7 +102126,7 @@ index 214882e..f958b50 100644 if (tbl == NULL) goto err_alloc_ctl; -@@ -2271,7 +2271,10 @@ static __net_init int devinet_init_net(struct net *net) +@@ -2271,7 +2273,10 @@ static __net_init int devinet_init_net(struct net *net) goto err_reg_dflt; err = -ENOMEM; @@ -102118,7 +102138,7 @@ index 214882e..f958b50 100644 if (forw_hdr == NULL) goto err_reg_ctl; net->ipv4.forw_hdr = forw_hdr; -@@ -2287,8 +2290,7 @@ err_reg_ctl: +@@ -2287,8 +2292,7 @@ err_reg_ctl: err_reg_dflt: __devinet_sysctl_unregister(all); err_reg_all: @@ -102563,7 +102583,7 @@ index 2510c02..cfb34fa 100644 pr_err("Unable to proc dir entry\n"); return -ENOMEM; diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index a3c59a0..ec620a50 100644 +index a3c59a0..2e88bfd 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -59,7 +59,7 @@ struct ping_table { 
@@ -102575,7 +102595,16 @@ index a3c59a0..ec620a50 100644 EXPORT_SYMBOL_GPL(pingv6_ops); static u16 ping_port_rover; -@@ -348,7 +348,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, +@@ -217,6 +217,8 @@ static struct sock *ping_lookup(struct net *net, struct sk_buff *skb, u16 ident) + &ipv6_hdr(skb)->daddr)) + continue; + #endif ++ } else { ++ continue; + } + + if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) +@@ -348,7 +350,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk, return -ENODEV; } } @@ -102584,7 +102613,7 @@ index a3c59a0..ec620a50 100644 scoped); rcu_read_unlock(); -@@ -556,7 +556,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -556,7 +558,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) } #if IS_ENABLED(CONFIG_IPV6) } else if (skb->protocol == htons(ETH_P_IPV6)) { @@ -102593,7 +102622,7 @@ index a3c59a0..ec620a50 100644 #endif } -@@ -574,7 +574,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) +@@ -574,7 +576,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info) info, (u8 *)icmph); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -102602,7 +102631,7 @@ index a3c59a0..ec620a50 100644 info, (u8 *)icmph); #endif } -@@ -858,7 +858,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -858,7 +860,7 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, return ip_recv_error(sk, msg, len, addr_len); #if IS_ENABLED(CONFIG_IPV6) } else if (family == AF_INET6) { @@ -102611,7 +102640,7 @@ index a3c59a0..ec620a50 100644 addr_len); #endif } -@@ -916,10 +916,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, +@@ -916,10 +918,10 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, } if (inet6_sk(sk)->rxopt.all) 
@@ -102624,7 +102653,7 @@ index a3c59a0..ec620a50 100644 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags) ip_cmsg_recv(msg, skb); #endif -@@ -1111,7 +1111,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, +@@ -1111,7 +1113,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f, from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)), 0, sock_i_ino(sp), atomic_read(&sp->sk_refcnt), sp, @@ -103242,9 +103271,27 @@ index 6156f68..d6ab46d 100644 return -ENOMEM; } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3e118df..27b16cf 100644 +index 3e118df..288a0d1 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c +@@ -171,7 +171,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .force_mld_version = 0, + .mldv1_unsolicited_report_interval = 10 * HZ, +@@ -208,7 +208,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .force_mld_version = 0, + .mldv1_unsolicited_report_interval = 10 * HZ, @@ -604,7 +604,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb, idx = 0; head = &net->dev_index_head[h]; 
@@ -107471,6 +107518,19 @@ index 0865b3e..7235dd4 100644 __ksymtab : { *(SORT(___ksymtab+*)) } __ksymtab_gpl : { *(SORT(___ksymtab_gpl+*)) } __ksymtab_unused : { *(SORT(___ksymtab_unused+*)) } +diff --git a/scripts/package/Makefile b/scripts/package/Makefile +index 99ca6e7..3a1a1a1 100644 +--- a/scripts/package/Makefile ++++ b/scripts/package/Makefile +@@ -46,7 +46,7 @@ rpm-pkg rpm: FORCE + ln -sf $(srctree) $(KERNELPATH) + $(CONFIG_SHELL) $(MKSPEC) >$(objtree)/kernel.spec + $(CONFIG_SHELL) $(srctree)/scripts/setlocalversion --save-scmversion +- tar -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(TAR_CONTENT) ++ tar --owner=root --group=root -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(TAR_CONTENT) + rm $(KERNELPATH) + rm -f $(objtree)/.scmversion + $(CONFIG_SHELL) $(srctree)/scripts/mkversion > $(objtree)/.tmp_version diff --git a/scripts/package/builddeb b/scripts/package/builddeb index 7c0e6e4..bf2c90e 100644 --- a/scripts/package/builddeb @@ -107484,13 +107544,22 @@ index 7c0e6e4..bf2c90e 100644 mkdir -p "$destdir" (cd $srctree; tar -c -f - -T -) < "$objtree/debian/hdrsrcfiles" | (cd $destdir; tar -xf -) diff --git a/scripts/package/mkspec b/scripts/package/mkspec -index 1395760..e4f4ac4 100755 +index 1395760..6ceef68 100755 --- a/scripts/package/mkspec 
+++ b/scripts/package/mkspec -@@ -82,6 +82,16 @@ echo "" - fi +@@ -121,14 +121,27 @@ echo 'rm -f $RPM_BUILD_ROOT'"/lib/modules/$KERNELRELEASE/{build,source}" + echo "mkdir -p "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE" + echo "EXCLUDES=\"$RCS_TAR_IGNORE --exclude .tmp_versions --exclude=*vmlinux* --exclude=*.o --exclude=*.ko --exclude=*.cmd --exclude=Documentation --exclude=firmware --exclude .config.old --exclude .missing-syscalls.d\"" + echo "tar "'$EXCLUDES'" -cf- . | (cd "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE;tar xvf -)" +-echo 'cd $RPM_BUILD_ROOT'"/lib/modules/$KERNELRELEASE" +-echo "ln -sf /usr/src/kernels/$KERNELRELEASE build" +-echo "ln -sf /usr/src/kernels/$KERNELRELEASE source" - echo "%install" + echo "" + echo "%clean" + echo 'rm -rf $RPM_BUILD_ROOT' + echo "" ++echo "%pre" +echo 'chmod -f 0500 /boot' +echo 'if [ -d /lib/modules ]; then' +echo 'chmod -f 0500 /lib/modules' 
@@ -107501,27 +107570,39 @@ index 1395760..e4f4ac4 100755 +echo 'if [ -d /lib64/modules ]; then' +echo 'chmod -f 0500 /lib64/modules' +echo 'fi' - echo 'KBUILD_IMAGE=$(make image_name)' - echo "%ifarch ia64" - echo 'mkdir -p $RPM_BUILD_ROOT/boot/efi $RPM_BUILD_ROOT/lib/modules' -@@ -139,7 +149,7 @@ echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm ++echo "" ++echo "%post devel" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/build" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/source" ++echo "" + echo "%post" + echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then" + echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm" +@@ -139,11 +152,11 @@ echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm echo "fi" echo "" echo "%files" -echo '%defattr (-, root, root)' +echo '%defattr (400, root, root, 500)' echo "%dir /lib/modules" - echo "/lib/modules/$KERNELRELEASE" +-echo "/lib/modules/$KERNELRELEASE" echo "%exclude /lib/modules/$KERNELRELEASE/build" -@@ -152,7 +162,7 @@ echo '%defattr (-, root, root)' + echo "%exclude /lib/modules/$KERNELRELEASE/source" ++echo "/lib/modules/$KERNELRELEASE" + echo "/lib/firmware/$KERNELRELEASE" + echo "/boot/*" + echo "" +@@ -152,8 +165,7 @@ echo '%defattr (-, root, root)' echo "/usr/include" echo "" echo "%files devel" -echo '%defattr (-, root, root)' +echo '%defattr (400, root, root, 500)' ++echo "%dir /lib/modules/$KERNELRELEASE" echo "/usr/src/kernels/$KERNELRELEASE" - echo "/lib/modules/$KERNELRELEASE/build" - echo "/lib/modules/$KERNELRELEASE/source" +-echo "/lib/modules/$KERNELRELEASE/build" +-echo "/lib/modules/$KERNELRELEASE/source" + echo "" diff --git a/scripts/pnmtologo.c b/scripts/pnmtologo.c index 4718d78..9220d58 100644 --- a/scripts/pnmtologo.c diff --git a/3.2.64/0000_README b/3.2.64/0000_README index c5a1f90..d632471 100644 
--- a/3.2.64/0000_README +++ b/3.2.64/0000_README @@ -174,7 +174,7 @@ Patch: 1063_linux-3.2.64.patch From: http://www.kernel.org Desc: Linux 3.2.64 -Patch: 4420_grsecurity-3.0-3.2.64-201411220952.patch +Patch: 4420_grsecurity-3.0-3.2.64-201411260105.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/3.2.64/4420_grsecurity-3.0-3.2.64-201411220952.patch b/3.2.64/4420_grsecurity-3.0-3.2.64-201411260105.patch similarity index 99% rename from 3.2.64/4420_grsecurity-3.0-3.2.64-201411220952.patch rename to 3.2.64/4420_grsecurity-3.0-3.2.64-201411260105.patch index d9f5bed..206ef20 100644 --- a/3.2.64/4420_grsecurity-3.0-3.2.64-201411220952.patch +++ b/3.2.64/4420_grsecurity-3.0-3.2.64-201411260105.patch @@ -1727,6 +1727,20 @@ index e51b1e8..32a3113 100644 KM_TYPE_NR }; +diff --git a/arch/arm/include/asm/memory.h b/arch/arm/include/asm/memory.h +index a8997d7..f0a29154 100644 +--- a/arch/arm/include/asm/memory.h ++++ b/arch/arm/include/asm/memory.h +@@ -268,7 +268,8 @@ static inline __deprecated void *bus_to_virt(unsigned long x) + #define ARCH_PFN_OFFSET PHYS_PFN_OFFSET + + #define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT) +-#define virt_addr_valid(kaddr) ((unsigned long)(kaddr) >= PAGE_OFFSET && (unsigned long)(kaddr) < (unsigned long)high_memory) ++#define virt_addr_valid(kaddr) (((unsigned long)(kaddr) >= PAGE_OFFSET && (unsigned long)(kaddr) < (unsigned long)high_memory) \ ++ && pfn_valid(__pa(kaddr) >> PAGE_SHIFT) ) + + /* + * Optional coherency support. Currently used only by selected diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h index 53426c6..c7baff3 100644 --- a/arch/arm/include/asm/outercache.h @@ -103176,10 +103190,30 @@ index 59a7041..060976d 100644 return NF_HOOK(NFPROTO_ARP, NF_ARP_IN, skb, dev, NULL, arp_process); diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c -index e41c40f..fbed7a7 100644 +index e41c40f..f476dfd6 100644 
--- a/net/ipv4/devinet.c +++ b/net/ipv4/devinet.c -@@ -827,9 +827,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) +@@ -68,7 +68,8 @@ + + static struct ipv4_devconf ipv4_devconf = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -77,7 +78,8 @@ static struct ipv4_devconf ipv4_devconf = { + + static struct ipv4_devconf ipv4_devconf_dflt = { + .data = { +- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1, ++ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0, ++ [IPV4_DEVCONF_RP_FILTER - 1] = 1, + [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1, + [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1, +@@ -827,9 +829,9 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg) if (!ifa) { ret = -ENOBUFS; ifa = inet_alloc_ifa(); @@ -103191,7 +103225,7 @@ index e41c40f..fbed7a7 100644 if (colon) memcpy(ifa->ifa_label, ifr.ifr_name, IFNAMSIZ); else -@@ -1584,7 +1584,7 @@ static int ipv4_doint_and_flush(ctl_table *ctl, int write, +@@ -1584,7 +1586,7 @@ static int ipv4_doint_and_flush(ctl_table *ctl, int write, #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \ DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush) @@ -103200,7 +103234,7 @@ index e41c40f..fbed7a7 100644 struct ctl_table_header *sysctl_header; struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX]; char *dev_name; -@@ -1729,7 +1729,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -1729,7 +1731,7 @@ static __net_init int devinet_init_net(struct net *net) int err; struct ipv4_devconf *all, *dflt; #ifdef CONFIG_SYSCTL 
@@ -103209,7 +103243,7 @@ index e41c40f..fbed7a7 100644 struct ctl_table_header *forw_hdr; #endif -@@ -1747,7 +1747,7 @@ static __net_init int devinet_init_net(struct net *net) +@@ -1747,7 +1749,7 @@ static __net_init int devinet_init_net(struct net *net) goto err_alloc_dflt; #ifdef CONFIG_SYSCTL @@ -103218,7 +103252,7 @@ index e41c40f..fbed7a7 100644 if (tbl == NULL) goto err_alloc_ctl; -@@ -1767,7 +1767,10 @@ static __net_init int devinet_init_net(struct net *net) +@@ -1767,7 +1769,10 @@ static __net_init int devinet_init_net(struct net *net) goto err_reg_dflt; err = -ENOMEM; @@ -103230,7 +103264,7 @@ index e41c40f..fbed7a7 100644 if (forw_hdr == NULL) goto err_reg_ctl; net->ipv4.forw_hdr = forw_hdr; -@@ -1783,8 +1786,7 @@ err_reg_ctl: +@@ -1783,8 +1788,7 @@ err_reg_ctl: err_reg_dflt: __devinet_sysctl_unregister(all); err_reg_all: @@ -103240,7 +103274,7 @@ index e41c40f..fbed7a7 100644 err_alloc_ctl: #endif if (dflt != &ipv4_devconf_dflt) -@@ -1811,7 +1813,7 @@ static __net_exit void devinet_exit_net(struct net *net) +@@ -1811,7 +1815,7 @@ static __net_exit void devinet_exit_net(struct net *net) kfree(net->ipv4.devconf_all); } @@ -104614,9 +104648,27 @@ index a0b4c5d..a5818a1 100644 } diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 3afdd78..cf4a70f 100644 +index 3afdd78..2f630fb 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c +@@ -169,7 +169,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .force_mld_version = 0, + .dad_transmits = 1, +@@ -204,7 +204,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { + .hop_limit = IPV6_DEFAULT_HOPLIMIT, + .mtu6 = IPV6_MIN_MTU, + .accept_ra = 1, +- .accept_redirects = 1, ++ .accept_redirects = 0, + .autoconf = 1, + .dad_transmits = 1, + .rtr_solicits = MAX_RTR_SOLICITATIONS, 
@@ -2160,7 +2160,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg) p.iph.ihl = 5; p.iph.protocol = IPPROTO_IPV6; @@ -109662,6 +109714,19 @@ index 0865b3e..7235dd4 100644 __ksymtab : { *(SORT(___ksymtab+*)) } __ksymtab_gpl : { *(SORT(___ksymtab_gpl+*)) } __ksymtab_unused : { *(SORT(___ksymtab_unused+*)) } +diff --git a/scripts/package/Makefile b/scripts/package/Makefile +index bc6aa00..51086c8 100644 +--- a/scripts/package/Makefile ++++ b/scripts/package/Makefile +@@ -45,7 +45,7 @@ rpm-pkg rpm: $(objtree)/kernel.spec FORCE + $(MAKE) clean + $(PREV) ln -sf $(srctree) $(KERNELPATH) + $(CONFIG_SHELL) $(srctree)/scripts/setlocalversion --save-scmversion +- $(PREV) tar -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(KERNELPATH)/. ++ $(PREV) tar --owner=root --group=root -cz $(RCS_TAR_IGNORE) -f $(KERNELPATH).tar.gz $(KERNELPATH)/. + $(PREV) rm $(KERNELPATH) + rm -f $(objtree)/.scmversion + set -e; \ diff --git a/scripts/package/builddeb b/scripts/package/builddeb index bee55f6..4108c4b 100644 --- a/scripts/package/builddeb @@ -109675,7 +109740,7 @@ index bee55f6..4108c4b 100644 mkdir -p "$destdir" (cd $srctree; tar -c -f - -T "$objtree/debian/hdrsrcfiles") | (cd $destdir; tar -xf -) diff --git a/scripts/package/mkspec b/scripts/package/mkspec -index 4bf17dd..e4f4ac4 100755 +index 4bf17dd..6ceef68 100755 --- a/scripts/package/mkspec +++ b/scripts/package/mkspec @@ -1,7 +1,7 @@ 
@@ -109703,20 +109768,10 @@ index 4bf17dd..e4f4ac4 100755 if ! $PREBUILT; then echo "%prep" -@@ -74,15 +82,27 @@ echo "" +@@ -74,15 +82,17 @@ echo "" fi echo "%install" -+echo 'chmod -f 0500 /boot' -+echo 'if [ -d /lib/modules ]; then' -+echo 'chmod -f 0500 /lib/modules' -+echo 'fi' -+echo 'if [ -d /lib32/modules ]; then' -+echo 'chmod -f 0500 /lib32/modules' -+echo 'fi' -+echo 'if [ -d /lib64/modules ]; then' -+echo 'chmod -f 0500 /lib64/modules' -+echo 'fi' +echo 'KBUILD_IMAGE=$(make image_name)' echo "%ifarch ia64" echo 'mkdir -p $RPM_BUILD_ROOT/boot/efi $RPM_BUILD_ROOT/lib/modules' @@ -109734,7 +109789,7 @@ index 4bf17dd..e4f4ac4 100755 echo "%ifarch ia64" echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE" echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/" -@@ -95,7 +115,7 @@ echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/vmlinuz-$KERNELRELEASE" +@@ -95,7 +105,7 @@ echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/vmlinuz-$KERNELRELEASE" echo "%endif" echo "%endif" @@ -109743,7 +109798,7 @@ index 4bf17dd..e4f4ac4 100755 echo 'cp System.map $RPM_BUILD_ROOT'"/boot/System.map-$KERNELRELEASE" echo 'cp .config $RPM_BUILD_ROOT'"/boot/config-$KERNELRELEASE" -@@ -107,18 +127,43 @@ echo 'mv vmlinux.bz2 $RPM_BUILD_ROOT'"/boot/vmlinux-$KERNELRELEASE.bz2" +@@ -107,18 +117,55 @@ echo 'mv vmlinux.bz2 $RPM_BUILD_ROOT'"/boot/vmlinux-$KERNELRELEASE.bz2" echo 'mv vmlinux.orig vmlinux' echo "%endif" 
@@ -109751,14 +109806,27 @@ index 4bf17dd..e4f4ac4 100755 +echo "mkdir -p "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE" +echo "EXCLUDES=\"$RCS_TAR_IGNORE --exclude .tmp_versions --exclude=*vmlinux* --exclude=*.o --exclude=*.ko --exclude=*.cmd --exclude=Documentation --exclude=firmware --exclude .config.old --exclude .missing-syscalls.d\"" +echo "tar "'$EXCLUDES'" -cf- . | (cd "'$RPM_BUILD_ROOT'"/usr/src/kernels/$KERNELRELEASE;tar xvf -)" -+echo 'cd $RPM_BUILD_ROOT'"/lib/modules/$KERNELRELEASE" -+echo "ln -sf /usr/src/kernels/$KERNELRELEASE build" -+echo "ln -sf /usr/src/kernels/$KERNELRELEASE source" + echo "" echo "%clean" echo 'rm -rf $RPM_BUILD_ROOT' echo "" ++echo "%pre" ++echo 'chmod -f 0500 /boot' ++echo 'if [ -d /lib/modules ]; then' ++echo 'chmod -f 0500 /lib/modules' ++echo 'fi' ++echo 'if [ -d /lib32/modules ]; then' ++echo 'chmod -f 0500 /lib32/modules' ++echo 'fi' ++echo 'if [ -d /lib64/modules ]; then' ++echo 'chmod -f 0500 /lib64/modules' ++echo 'fi' ++echo "" ++echo "%post devel" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/build" ++echo "ln -sf /usr/src/kernels/$KERNELRELEASE /lib/modules/$KERNELRELEASE/source" ++echo "" +echo "%post" +echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then" +echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm" @@ -109772,10 +109840,10 @@ index 4bf17dd..e4f4ac4 100755 -echo '%defattr (-, root, root)' +echo '%defattr (400, root, root, 500)' echo "%dir /lib/modules" - echo "/lib/modules/$KERNELRELEASE" --echo "/lib/firmware" +echo "%exclude /lib/modules/$KERNELRELEASE/build" +echo "%exclude /lib/modules/$KERNELRELEASE/source" + echo "/lib/modules/$KERNELRELEASE" +-echo "/lib/firmware" +echo "/lib/firmware/$KERNELRELEASE" echo "/boot/*" echo "" 
@@ -109785,9 +109853,8 @@ index 4bf17dd..e4f4ac4 100755 echo "" +echo "%files devel" +echo '%defattr (400, root, root, 500)' ++echo "%dir /lib/modules/$KERNELRELEASE" +echo "/usr/src/kernels/$KERNELRELEASE" -+echo "/lib/modules/$KERNELRELEASE/build" -+echo "/lib/modules/$KERNELRELEASE/source" +echo "" diff --git a/scripts/pnmtologo.c b/scripts/pnmtologo.c index 5c11312..72742b5 100644
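Review bot: In net/ipv4/devinet.c, the new initializers in both ipv4_devconf and ipv4_devconf_dflt set `[IPV4_DEVCONF_RP_FILTER - 1] = 1` and flip `ACCEPT_REDIRECTS` to 0 without a comment, and the commit subject only names the patch version. rp_filter=1 is strict reverse-path filtering, so hosts with asymmetric routing or several uplinks will start dropping traffic after the upgrade. The kernel applies the higher of the conf/all and per-interface rp_filter values, so with 1 in ipv4_devconf as well, lowering one interface to 0 has no effect until conf/all is lowered too. Suggest a comment beside the two initializers and a changelog line naming net.ipv4.conf.{all,default}.rp_filter and accept_redirects so admins can find and override the new defaults. SEND_REDIRECTS stays at 1 in the same structs; if that is deliberate, say so.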
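Review bot: In net/ipv6/addrconf.c, the two hunks at ipv6_devconf and ipv6_devconf_dflt turn `.accept_redirects` off but leave `.accept_ra = 1` and `.autoconf = 1` in the context lines directly above and below, so an on-link node can still influence routing through router advertisements. If the intent is only to match the IPv4 redirect change, state that in the changelog. If the intent is to stop neighbours from altering routes by default, the accept_ra default needs a decision here too. Either way the changed default deserves a comment, since it differs from the upstream value that administrators expect.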
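Review bot: In scripts/package/mkspec, the relocated `%pre` block runs `chmod -f 0500 /boot` unguarded while the three modules directories are each wrapped in `if [ -d ... ]`; give /boot the same guard for consistency. Moving these lines out of `%install` is right, since there they ran against the build host's real /boot and /lib/modules during rpmbuild. The /lib/modules chmod now duplicates what `%dir /lib/modules` under `%defattr (400, root, root, 500)` already sets, so it can be dropped or given a comment explaining why both are needed. The scriptlet also changes modes on directories shared with other packages and nothing documents or reverts that; a short comment in the generated spec would help whoever audits the installed system.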
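Review bot: In scripts/package/mkspec, the new `%post devel` scriptlet creates the build and source links with `ln -sf`, and the `%files devel` hunk drops both paths from the package, so the links become unowned files: rpm will not verify them and will not remove them when the devel package is erased, leaving dangling links under /lib/modules/$KERNELRELEASE. Add a matching `%postun devel` that removes them. Also use `ln -sfn`: if build or source already exists as a symlink to a directory (a reinstall of the devel package, or the link left by modules_install), plain `ln -sf` follows it and drops a new link inside /usr/src/kernels/$KERNELRELEASE instead of replacing the existing one.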