diff options
author | Tim Steinbach <tim@nequissimus.com> | 2018-09-03 11:18:11 -0400 |
---|---|---|
committer | Tim Steinbach <tim@nequissimus.com> | 2018-09-03 11:18:11 -0400 |
commit | 5fccac2b8d77a660a968809519710a5bb7838e63 (patch) | |
tree | 1ce25dd58632f6c5a35dfc610ce747a30e4ddc19 | |
parent | eac06ed0702638b7e9a058e5412940474ff872ca (diff) |
kernel: Remove Copperhead
The patches are unmaintained and suggest a false sense of security
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/kernel-copperhead.nix | 19 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/copperhead-4-14.patch | 2864 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/copperhead-4-16.patch | 2571 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-copperhead-lts.nix | 30 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 10 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 10 |
7 files changed, 0 insertions, 5505 deletions
diff --git a/nixos/release.nix b/nixos/release.nix index 1013053b5b3b..17f51d977c98 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -327,7 +327,6 @@ in rec { tests.keymap = callSubTests tests/keymap.nix {}; tests.initrdNetwork = callTest tests/initrd-network.nix {}; tests.kafka = callSubTests tests/kafka.nix {}; - tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {}; tests.kernel-latest = callTest tests/kernel-latest.nix {}; tests.kernel-lts = callTest tests/kernel-lts.nix {}; tests.kubernetes.dns = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/dns.nix {}; diff --git a/nixos/tests/kernel-copperhead.nix b/nixos/tests/kernel-copperhead.nix deleted file mode 100644 index 652fbf055373..000000000000 --- a/nixos/tests/kernel-copperhead.nix +++ /dev/null @@ -1,19 +0,0 @@ -import ./make-test.nix ({ pkgs, ...} : { - name = "kernel-copperhead"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ nequissimus ]; - }; - - machine = { pkgs, ... }: - { - boot.kernelPackages = pkgs.linuxPackages_copperhead_lts; - }; - - testScript = - '' - $machine->succeed("uname -a"); - $machine->succeed("uname -s | grep 'Linux'"); - $machine->succeed("uname -a | grep '${pkgs.linuxPackages_copperhead_lts.kernel.modDirVersion}'"); - $machine->succeed("uname -a | grep 'hardened'"); - ''; -}) diff --git a/pkgs/os-specific/linux/kernel/copperhead-4-14.patch b/pkgs/os-specific/linux/kernel/copperhead-4-14.patch deleted file mode 100644 index 78112d164f06..000000000000 --- a/pkgs/os-specific/linux/kernel/copperhead-4-14.patch +++ /dev/null @@ -1,2864 +0,0 @@ -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 0380a45ecf4b..39956a3ef645 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -490,16 +490,6 @@ - nosocket -- Disable socket memory accounting. - nokmem -- Disable kernel memory accounting. - -- checkreqprot [SELINUX] Set initial checkreqprot flag value. -- Format: { "0" | "1" } -- See security/selinux/Kconfig help text. -- 0 -- check protection applied by kernel (includes -- any implied execute protection). -- 1 -- check protection requested by application. -- Default value is set via a kernel config option. -- Value can be changed at runtime via -- /selinux/checkreqprot. -- - cio_ignore= [S390] - See Documentation/s390/CommonIO for details. - clk_ignore_unused -@@ -2899,6 +2889,11 @@ - the specified number of seconds. This is to be used if - your oopses keep scrolling off the screen. - -+ extra_latent_entropy -+ Enable a very simple form of latent entropy extraction -+ from the first 4GB of memory as the bootmem allocator -+ passes the memory pages to the buddy allocator. -+ - pcbit= [HW,ISDN] - - pcd. [PARIDE] -diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt -index 694968c7523c..002d86416ef8 100644 ---- a/Documentation/sysctl/kernel.txt -+++ b/Documentation/sysctl/kernel.txt -@@ -91,6 +91,7 @@ show up in /proc/sys/kernel: - - sysctl_writes_strict - - tainted - - threads-max -+- tiocsti_restrict - - unknown_nmi_panic - - watchdog - - watchdog_thresh -@@ -999,6 +1000,26 @@ available RAM pages threads-max is reduced accordingly. - - ============================================================== - -+tiocsti_restrict: -+ -+This toggle indicates whether unprivileged users are prevented -+from using the TIOCSTI ioctl to inject commands into other processes -+which share a tty session. -+ -+When tiocsti_restrict is set to (0) there are no restrictions(accept -+the default restriction of only being able to injection commands into -+one's own tty). When tiocsti_restrict is set to (1), users must -+have CAP_SYS_ADMIN to use the TIOCSTI ioctl. -+ -+When user namespaces are in use, the check for the capability -+CAP_SYS_ADMIN is done against the user namespace that originally -+opened the tty. -+ -+The kernel config option CONFIG_SECURITY_TIOCSTI_RESTRICT sets the -+default value of tiocsti_restrict. -+ -+============================================================== -+ - unknown_nmi_panic: - - The value in this file affects behavior of handling NMI. When the -diff --git a/Makefile b/Makefile -index 787cf6605209..e4fda5330730 100644 ---- a/Makefile -+++ b/Makefile -@@ -710,6 +710,9 @@ endif - KBUILD_CFLAGS += $(stackp-flag) - - ifeq ($(cc-name),clang) -+ifdef CONFIG_LOCAL_INIT -+KBUILD_CFLAGS += -fsanitize=local-init -+endif - KBUILD_CPPFLAGS += $(call cc-option,-Qunused-arguments,) - KBUILD_CFLAGS += $(call cc-disable-warning, unused-variable) - KBUILD_CFLAGS += $(call cc-disable-warning, format-invalid-specifier) -diff --git a/arch/Kconfig b/arch/Kconfig -index 400b9e1b2f27..4637096f7902 100644 ---- a/arch/Kconfig -+++ b/arch/Kconfig -@@ -440,6 +440,11 @@ config GCC_PLUGIN_LATENT_ENTROPY - is some slowdown of the boot process (about 0.5%) and fork and - irq processing. - -+ When extra_latent_entropy is passed on the kernel command line, -+ entropy will be extracted from up to the first 4GB of RAM while the -+ runtime memory allocator is being initialized. This costs even more -+ slowdown of the boot process. -+ - Note that entropy extracted this way is not cryptographically - secure! - -@@ -533,7 +538,7 @@ config CC_STACKPROTECTOR - choice - prompt "Stack Protector buffer overflow detection" - depends on HAVE_CC_STACKPROTECTOR -- default CC_STACKPROTECTOR_NONE -+ default CC_STACKPROTECTOR_STRONG - help - This option turns on the "stack-protector" GCC feature. This - feature puts, at the beginning of functions, a canary value on -@@ -735,7 +740,7 @@ config ARCH_MMAP_RND_BITS - int "Number of bits to use for ASLR of mmap base address" if EXPERT - range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX - default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT -- default ARCH_MMAP_RND_BITS_MIN -+ default ARCH_MMAP_RND_BITS_MAX - depends on HAVE_ARCH_MMAP_RND_BITS - help - This value can be used to select the number of bits to use to -@@ -769,7 +774,7 @@ config ARCH_MMAP_RND_COMPAT_BITS - int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT - range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX - default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT -- default ARCH_MMAP_RND_COMPAT_BITS_MIN -+ default ARCH_MMAP_RND_COMPAT_BITS_MAX - depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS - help - This value can be used to select the number of bits to use to -@@ -952,6 +957,7 @@ config ARCH_HAS_REFCOUNT - - config REFCOUNT_FULL - bool "Perform full reference count validation at the expense of speed" -+ default y - help - Enabling this switches the refcounting infrastructure from a fast - unchecked atomic_t implementation to a fully state checked -diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig -index 2d5f7aca156d..aa4839a74c6a 100644 ---- a/arch/arm64/Kconfig -+++ b/arch/arm64/Kconfig -@@ -918,6 +918,7 @@ endif - - config ARM64_SW_TTBR0_PAN - bool "Emulate Privileged Access Never using TTBR0_EL1 switching" -+ default y - help - Enabling this option prevents the kernel from accessing - user-space memory directly by pointing TTBR0_EL1 to a reserved -@@ -1044,6 +1045,7 @@ config RANDOMIZE_BASE - bool "Randomize the address of the kernel image" - select ARM64_MODULE_PLTS if MODULES - select RELOCATABLE -+ default y - help - Randomizes the virtual address at which the kernel image is - loaded, as a security feature that deters exploit attempts -diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug -index cc6bd559af85..01d5442d4722 100644 ---- a/arch/arm64/Kconfig.debug -+++ b/arch/arm64/Kconfig.debug -@@ -45,6 +45,7 @@ config ARM64_RANDOMIZE_TEXT_OFFSET - config DEBUG_WX - bool "Warn on W+X mappings at boot" - select ARM64_PTDUMP_CORE -+ default y - ---help--- - Generate a warning if any W+X mappings are found at boot. - -diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig -index 34480e9af2e7..26304242250c 100644 ---- a/arch/arm64/configs/defconfig -+++ b/arch/arm64/configs/defconfig -@@ -1,4 +1,3 @@ --CONFIG_SYSVIPC=y - CONFIG_POSIX_MQUEUE=y - CONFIG_AUDIT=y - CONFIG_NO_HZ_IDLE=y -diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h -index 33be513ef24c..6f0c0e3ef0dd 100644 ---- a/arch/arm64/include/asm/elf.h -+++ b/arch/arm64/include/asm/elf.h -@@ -114,10 +114,10 @@ - - /* - * This is the base location for PIE (ET_DYN with INTERP) loads. On -- * 64-bit, this is above 4GB to leave the entire 32-bit address -+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address - * space open for things that want to use the area for 32-bit pointers. - */ --#define ELF_ET_DYN_BASE (2 * TASK_SIZE_64 / 3) -+#define ELF_ET_DYN_BASE 0x100000000UL - - #ifndef __ASSEMBLY__ - -@@ -158,10 +158,10 @@ extern int arch_setup_additional_pages(struct linux_binprm *bprm, - /* 1GB of VA */ - #ifdef CONFIG_COMPAT - #define STACK_RND_MASK (test_thread_flag(TIF_32BIT) ? \ -- 0x7ff >> (PAGE_SHIFT - 12) : \ -- 0x3ffff >> (PAGE_SHIFT - 12)) -+ ((1UL << mmap_rnd_compat_bits) - 1) >> (PAGE_SHIFT - 12) : \ -+ ((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) - #else --#define STACK_RND_MASK (0x3ffff >> (PAGE_SHIFT - 12)) -+#define STACK_RND_MASK (((1UL << mmap_rnd_bits) - 1) >> (PAGE_SHIFT - 12)) - #endif - - #ifdef __AARCH64EB__ -diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c -index 9e773732520c..91359f45b5fc 100644 ---- a/arch/arm64/kernel/process.c -+++ b/arch/arm64/kernel/process.c -@@ -419,9 +419,9 @@ unsigned long arch_align_stack(unsigned long sp) - unsigned long arch_randomize_brk(struct mm_struct *mm) - { - if (is_compat_task()) -- return randomize_page(mm->brk, SZ_32M); -+ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE; - else -- return randomize_page(mm->brk, SZ_1G); -+ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE; - } - - /* -diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 7483cd514c32..835a86c45fb0 100644 ---- a/arch/x86/Kconfig -+++ b/arch/x86/Kconfig -@@ -1153,8 +1153,7 @@ config VM86 - default X86_LEGACY_VM86 - - config X86_16BIT -- bool "Enable support for 16-bit segments" if EXPERT -- default y -+ bool "Enable support for 16-bit segments" - depends on MODIFY_LDT_SYSCALL - ---help--- - This option is required by programs like Wine to run 16-bit -@@ -2228,7 +2227,7 @@ config COMPAT_VDSO - choice - prompt "vsyscall table for legacy applications" - depends on X86_64 -- default LEGACY_VSYSCALL_EMULATE -+ default LEGACY_VSYSCALL_NONE - help - Legacy user code that does not know how to find the vDSO expects - to be able to issue three syscalls by calling fixed addresses in -@@ -2318,8 +2317,7 @@ config CMDLINE_OVERRIDE - be set to 'N' under normal conditions. - - config MODIFY_LDT_SYSCALL -- bool "Enable the LDT (local descriptor table)" if EXPERT -- default y -+ bool "Enable the LDT (local descriptor table)" - ---help--- - Linux can allow user programs to install a per-process x86 - Local Descriptor Table (LDT) using the modify_ldt(2) system -diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug -index 6293a8768a91..add82e0f1df3 100644 ---- a/arch/x86/Kconfig.debug -+++ b/arch/x86/Kconfig.debug -@@ -101,6 +101,7 @@ config EFI_PGT_DUMP - config DEBUG_WX - bool "Warn on W+X mappings at boot" - select X86_PTDUMP_CORE -+ default y - ---help--- - Generate a warning if any W+X mappings are found at boot. - -diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig -index e32fc1f274d8..d08acc76502a 100644 ---- a/arch/x86/configs/x86_64_defconfig -+++ b/arch/x86/configs/x86_64_defconfig -@@ -1,5 +1,4 @@ - # CONFIG_LOCALVERSION_AUTO is not set --CONFIG_SYSVIPC=y - CONFIG_POSIX_MQUEUE=y - CONFIG_BSD_PROCESS_ACCT=y - CONFIG_TASKSTATS=y -diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c -index 1911310959f8..bba8dbbc07a8 100644 ---- a/arch/x86/entry/vdso/vma.c -+++ b/arch/x86/entry/vdso/vma.c -@@ -203,55 +203,9 @@ static int map_vdso(const struct vdso_image *image, unsigned long addr) - } - - #ifdef CONFIG_X86_64 --/* -- * Put the vdso above the (randomized) stack with another randomized -- * offset. This way there is no hole in the middle of address space. -- * To save memory make sure it is still in the same PTE as the stack -- * top. This doesn't give that many random bits. -- * -- * Note that this algorithm is imperfect: the distribution of the vdso -- * start address within a PMD is biased toward the end. -- * -- * Only used for the 64-bit and x32 vdsos. -- */ --static unsigned long vdso_addr(unsigned long start, unsigned len) --{ -- unsigned long addr, end; -- unsigned offset; -- -- /* -- * Round up the start address. It can start out unaligned as a result -- * of stack start randomization. -- */ -- start = PAGE_ALIGN(start); -- -- /* Round the lowest possible end address up to a PMD boundary. */ -- end = (start + len + PMD_SIZE - 1) & PMD_MASK; -- if (end >= TASK_SIZE_MAX) -- end = TASK_SIZE_MAX; -- end -= len; -- -- if (end > start) { -- offset = get_random_int() % (((end - start) >> PAGE_SHIFT) + 1); -- addr = start + (offset << PAGE_SHIFT); -- } else { -- addr = start; -- } -- -- /* -- * Forcibly align the final address in case we have a hardware -- * issue that requires alignment for performance reasons. -- */ -- addr = align_vdso_addr(addr); -- -- return addr; --} -- - static int map_vdso_randomized(const struct vdso_image *image) - { -- unsigned long addr = vdso_addr(current->mm->start_stack, image->size-image->sym_vvar_start); -- -- return map_vdso(image, addr); -+ return map_vdso(image, 0); - } - #endif - -diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h -index 3a091cea36c5..0931c05a3348 100644 ---- a/arch/x86/include/asm/elf.h -+++ b/arch/x86/include/asm/elf.h -@@ -249,11 +249,11 @@ extern int force_personality32; - - /* - * This is the base location for PIE (ET_DYN with INTERP) loads. On -- * 64-bit, this is above 4GB to leave the entire 32-bit address -+ * 64-bit, this is raised to 4GB to leave the entire 32-bit address - * space open for things that want to use the area for 32-bit pointers. - */ - #define ELF_ET_DYN_BASE (mmap_is_ia32() ? 0x000400000UL : \ -- (DEFAULT_MAP_WINDOW / 3 * 2)) -+ 0x100000000UL) - - /* This yields a mask that user programs can use to figure out what - instruction set this CPU supports. This could be done in user space, -@@ -312,8 +312,8 @@ extern unsigned long get_mmap_base(int is_legacy); - - #ifdef CONFIG_X86_32 - --#define __STACK_RND_MASK(is32bit) (0x7ff) --#define STACK_RND_MASK (0x7ff) -+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) -+#define STACK_RND_MASK ((1UL << mmap_rnd_bits) - 1) - - #define ARCH_DLINFO ARCH_DLINFO_IA32 - -@@ -322,7 +322,11 @@ extern unsigned long get_mmap_base(int is_legacy); - #else /* CONFIG_X86_32 */ - - /* 1GB for 64bit, 8MB for 32bit */ --#define __STACK_RND_MASK(is32bit) ((is32bit) ? 0x7ff : 0x3fffff) -+#ifdef CONFIG_COMPAT -+#define __STACK_RND_MASK(is32bit) ((is32bit) ? (1UL << mmap_rnd_compat_bits) - 1 : (1UL << mmap_rnd_bits) - 1) -+#else -+#define __STACK_RND_MASK(is32bit) ((1UL << mmap_rnd_bits) - 1) -+#endif - #define STACK_RND_MASK __STACK_RND_MASK(mmap_is_ia32()) - - #define ARCH_DLINFO \ -@@ -380,5 +384,4 @@ struct va_alignment { - } ____cacheline_aligned; - - extern struct va_alignment va_align; --extern unsigned long align_vdso_addr(unsigned long); - #endif /* _ASM_X86_ELF_H */ -diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h -index 704f31315dde..bb82b6344a7b 100644 ---- a/arch/x86/include/asm/tlbflush.h -+++ b/arch/x86/include/asm/tlbflush.h -@@ -253,6 +253,7 @@ static inline void cr4_set_bits(unsigned long mask) - unsigned long cr4; - - cr4 = this_cpu_read(cpu_tlbstate.cr4); -+ BUG_ON(cr4 != __read_cr4()); - if ((cr4 | mask) != cr4) { - cr4 |= mask; - this_cpu_write(cpu_tlbstate.cr4, cr4); -@@ -266,6 +267,7 @@ static inline void cr4_clear_bits(unsigned long mask) - unsigned long cr4; - - cr4 = this_cpu_read(cpu_tlbstate.cr4); -+ BUG_ON(cr4 != __read_cr4()); - if ((cr4 & ~mask) != cr4) { - cr4 &= ~mask; - this_cpu_write(cpu_tlbstate.cr4, cr4); -@@ -278,6 +280,7 @@ static inline void cr4_toggle_bits(unsigned long mask) - unsigned long cr4; - - cr4 = this_cpu_read(cpu_tlbstate.cr4); -+ BUG_ON(cr4 != __read_cr4()); - cr4 ^= mask; - this_cpu_write(cpu_tlbstate.cr4, cr4); - __write_cr4(cr4); -@@ -386,6 +389,7 @@ static inline void __native_flush_tlb_global(void) - raw_local_irq_save(flags); - - cr4 = this_cpu_read(cpu_tlbstate.cr4); -+ BUG_ON(cr4 != __read_cr4()); - /* toggle PGE */ - native_write_cr4(cr4 ^ X86_CR4_PGE); - /* write old PGE again and flush TLBs */ -diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c -index 48e98964ecad..a94dc690612f 100644 ---- a/arch/x86/kernel/cpu/common.c -+++ b/arch/x86/kernel/cpu/common.c -@@ -1637,7 +1637,6 @@ void cpu_init(void) - wrmsrl(MSR_KERNEL_GS_BASE, 0); - barrier(); - -- x86_configure_nx(); - x2apic_setup(); - - /* -diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c -index 988a98f34c66..dc36d2d9078a 100644 ---- a/arch/x86/kernel/process.c -+++ b/arch/x86/kernel/process.c -@@ -40,6 +40,8 @@ - #include <asm/desc.h> - #include <asm/prctl.h> - #include <asm/spec-ctrl.h> -+#include <asm/elf.h> -+#include <linux/sizes.h> - - /* - * per-CPU TSS segments. Threads are completely 'soft' on Linux, -@@ -719,7 +721,10 @@ unsigned long arch_align_stack(unsigned long sp) - - unsigned long arch_randomize_brk(struct mm_struct *mm) - { -- return randomize_page(mm->brk, 0x02000000); -+ if (mmap_is_ia32()) -+ return mm->brk + get_random_long() % SZ_32M + PAGE_SIZE; -+ else -+ return mm->brk + get_random_long() % SZ_1G + PAGE_SIZE; - } - - /* -diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c -index a63fe77b3217..e1085e76043e 100644 ---- a/arch/x86/kernel/sys_x86_64.c -+++ b/arch/x86/kernel/sys_x86_64.c -@@ -54,13 +54,6 @@ static unsigned long get_align_bits(void) - return va_align.bits & get_align_mask(); - } - --unsigned long align_vdso_addr(unsigned long addr) --{ -- unsigned long align_mask = get_align_mask(); -- addr = (addr + align_mask) & ~align_mask; -- return addr | get_align_bits(); --} -- - static int __init control_va_addr_alignment(char *str) - { - /* guard against enabling this on other CPU families */ -@@ -122,10 +115,7 @@ static void find_start_end(unsigned long addr, unsigned long flags, - } - - *begin = get_mmap_base(1); -- if (in_compat_syscall()) -- *end = task_size_32bit(); -- else -- *end = task_size_64bit(addr > DEFAULT_MAP_WINDOW); -+ *end = get_mmap_base(0); - } - - unsigned long -@@ -206,7 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0, - - info.flags = VM_UNMAPPED_AREA_TOPDOWN; - info.length = len; -- info.low_limit = PAGE_SIZE; -+ info.low_limit = get_mmap_base(1); - info.high_limit = get_mmap_base(0); - - /* -diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c -index 3141e67ec24c..e93173193f60 100644 ---- a/arch/x86/mm/init_32.c -+++ b/arch/x86/mm/init_32.c -@@ -558,7 +558,7 @@ static void __init pagetable_init(void) - permanent_kmaps_init(pgd_base); - } - --pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL); -+pteval_t __supported_pte_mask __ro_after_init = ~(_PAGE_NX | _PAGE_GLOBAL); - EXPORT_SYMBOL_GPL(__supported_pte_mask); - - /* user-defined highmem size */ -@@ -865,7 +865,7 @@ int arch_remove_memory(u64 start, u64 size) - #endif - #endif - --int kernel_set_to_readonly __read_mostly; -+int kernel_set_to_readonly __ro_after_init; - - void set_kernel_text_rw(void) - { -@@ -917,12 +917,11 @@ void mark_rodata_ro(void) - unsigned long start = PFN_ALIGN(_text); - unsigned long size = PFN_ALIGN(_etext) - start; - -+ kernel_set_to_readonly = 1; - set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT); - printk(KERN_INFO "Write protecting the kernel text: %luk\n", - size >> 10); - -- kernel_set_to_readonly = 1; -- - #ifdef CONFIG_CPA_DEBUG - printk(KERN_INFO "Testing CPA: Reverting %lx-%lx\n", - start, start+size); -diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c -index 642357aff216..8bbf93ce3cd2 100644 ---- a/arch/x86/mm/init_64.c -+++ b/arch/x86/mm/init_64.c -@@ -65,7 +65,7 @@ - * around without checking the pgd every time. - */ - --pteval_t __supported_pte_mask __read_mostly = ~0; -+pteval_t __supported_pte_mask __ro_after_init = ~0; - EXPORT_SYMBOL_GPL(__supported_pte_mask); - - int force_personality32; -@@ -1185,7 +1185,7 @@ void __init mem_init(void) - mem_init_print_info(NULL); - } - --int kernel_set_to_readonly; -+int kernel_set_to_readonly __ro_after_init; - - void set_kernel_text_rw(void) - { -@@ -1234,9 +1234,8 @@ void mark_rodata_ro(void) - - printk(KERN_INFO "Write protecting the kernel read-only data: %luk\n", - (end - start) >> 10); -- set_memory_ro(start, (end - start) >> PAGE_SHIFT); -- - kernel_set_to_readonly = 1; -+ set_memory_ro(start, (end - start) >> PAGE_SHIFT); - - /* - * The rodata/data/bss/brk section (but not the kernel text!) -diff --git a/block/blk-softirq.c b/block/blk-softirq.c -index 01e2b353a2b9..9aeddca4a29f 100644 ---- a/block/blk-softirq.c -+++ b/block/blk-softirq.c -@@ -20,7 +20,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done); - * Softirq action handler - move entries to local list and loop over them - * while passing them to the queue registered handler. - */ --static __latent_entropy void blk_done_softirq(struct softirq_action *h) -+static __latent_entropy void blk_done_softirq(void) - { - struct list_head *cpu_list, local_list; - -diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 473f150d6b22..65a65f9824ed 100644 ---- a/drivers/ata/libata-core.c -+++ b/drivers/ata/libata-core.c -@@ -5141,7 +5141,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) - struct ata_port *ap; - unsigned int tag; - -- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ -+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ - ap = qc->ap; - - qc->flags = 0; -@@ -5158,7 +5158,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) - struct ata_port *ap; - struct ata_link *link; - -- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ -+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */ - WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE)); - ap = qc->ap; - link = qc->dev->link; -diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig -index c28dca0c613d..d4813f0d25ca 100644 ---- a/drivers/char/Kconfig -+++ b/drivers/char/Kconfig -@@ -9,7 +9,6 @@ source "drivers/tty/Kconfig" - - config DEVMEM - bool "/dev/mem virtual device support" -- default y - help - Say Y here if you want to support the /dev/mem device. - The /dev/mem device is used to access areas of physical -@@ -568,7 +567,6 @@ config TELCLOCK - config DEVPORT - bool "/dev/port character device" - depends on ISA || PCI -- default y - help - Say Y here if you want to support the /dev/port device. The /dev/port - device is similar to /dev/mem, but for I/O ports. -diff --git a/drivers/media/dvb-frontends/cx24116.c b/drivers/media/dvb-frontends/cx24116.c -index e105532bfba8..e07d52bb9b62 100644 ---- a/drivers/media/dvb-frontends/cx24116.c -+++ b/drivers/media/dvb-frontends/cx24116.c -@@ -1462,7 +1462,7 @@ static int cx24116_tune(struct dvb_frontend *fe, bool re_tune, - return cx24116_read_status(fe, status); - } - --static int cx24116_get_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo cx24116_get_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/dvb-frontends/cx24117.c b/drivers/media/dvb-frontends/cx24117.c -index d37cb7762bd6..97e0feff0ede 100644 ---- a/drivers/media/dvb-frontends/cx24117.c -+++ b/drivers/media/dvb-frontends/cx24117.c -@@ -1555,7 +1555,7 @@ static int cx24117_tune(struct dvb_frontend *fe, bool re_tune, - return cx24117_read_status(fe, status); - } - --static int cx24117_get_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo cx24117_get_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/dvb-frontends/cx24120.c b/drivers/media/dvb-frontends/cx24120.c -index 7f11dcc94d85..01da670760ba 100644 ---- a/drivers/media/dvb-frontends/cx24120.c -+++ b/drivers/media/dvb-frontends/cx24120.c -@@ -1491,7 +1491,7 @@ static int cx24120_tune(struct dvb_frontend *fe, bool re_tune, - return cx24120_read_status(fe, status); - } - --static int cx24120_get_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo cx24120_get_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/dvb-frontends/cx24123.c b/drivers/media/dvb-frontends/cx24123.c -index 1d59d1d3bd82..41cd0e9ea199 100644 ---- a/drivers/media/dvb-frontends/cx24123.c -+++ b/drivers/media/dvb-frontends/cx24123.c -@@ -1005,7 +1005,7 @@ static int cx24123_tune(struct dvb_frontend *fe, - return retval; - } - --static int cx24123_get_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo cx24123_get_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/dvb-frontends/cxd2820r_core.c b/drivers/media/dvb-frontends/cxd2820r_core.c -index f6ebbb47b9b2..3e0d8cbd76da 100644 ---- a/drivers/media/dvb-frontends/cxd2820r_core.c -+++ b/drivers/media/dvb-frontends/cxd2820r_core.c -@@ -403,7 +403,7 @@ static enum dvbfe_search cxd2820r_search(struct dvb_frontend *fe) - return DVBFE_ALGO_SEARCH_ERROR; - } - --static int cxd2820r_get_frontend_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo cxd2820r_get_frontend_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_CUSTOM; - } -diff --git a/drivers/media/dvb-frontends/mb86a20s.c b/drivers/media/dvb-frontends/mb86a20s.c -index e8ac8c3e2ec0..e0f4ba8302d1 100644 ---- a/drivers/media/dvb-frontends/mb86a20s.c -+++ b/drivers/media/dvb-frontends/mb86a20s.c -@@ -2055,7 +2055,7 @@ static void mb86a20s_release(struct dvb_frontend *fe) - kfree(state); - } - --static int mb86a20s_get_frontend_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo mb86a20s_get_frontend_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/dvb-frontends/s921.c b/drivers/media/dvb-frontends/s921.c -index 274544a3ae0e..9ef9b9bc1bd2 100644 ---- a/drivers/media/dvb-frontends/s921.c -+++ b/drivers/media/dvb-frontends/s921.c -@@ -464,7 +464,7 @@ static int s921_tune(struct dvb_frontend *fe, - return rc; - } - --static int s921_get_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo s921_get_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/pci/bt8xx/dst.c b/drivers/media/pci/bt8xx/dst.c -index 7166d2279465..fa682f9fdc4b 100644 ---- a/drivers/media/pci/bt8xx/dst.c -+++ b/drivers/media/pci/bt8xx/dst.c -@@ -1657,7 +1657,7 @@ static int dst_tune_frontend(struct dvb_frontend* fe, - return 0; - } - --static int dst_get_tuning_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo dst_get_tuning_algo(struct dvb_frontend *fe) - { - return dst_algo ? DVBFE_ALGO_HW : DVBFE_ALGO_SW; - } -diff --git a/drivers/media/pci/pt1/va1j5jf8007s.c b/drivers/media/pci/pt1/va1j5jf8007s.c -index f75f69556be7..d913a6050e8c 100644 ---- a/drivers/media/pci/pt1/va1j5jf8007s.c -+++ b/drivers/media/pci/pt1/va1j5jf8007s.c -@@ -98,7 +98,7 @@ static int va1j5jf8007s_read_snr(struct dvb_frontend *fe, u16 *snr) - return 0; - } - --static int va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo va1j5jf8007s_get_frontend_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/media/pci/pt1/va1j5jf8007t.c b/drivers/media/pci/pt1/va1j5jf8007t.c -index 63fda79a75c0..4115c3ccd4a8 100644 ---- a/drivers/media/pci/pt1/va1j5jf8007t.c -+++ b/drivers/media/pci/pt1/va1j5jf8007t.c -@@ -88,7 +88,7 @@ static int va1j5jf8007t_read_snr(struct dvb_frontend *fe, u16 *snr) - return 0; - } - --static int va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe) -+static enum dvbfe_algo va1j5jf8007t_get_frontend_algo(struct dvb_frontend *fe) - { - return DVBFE_ALGO_HW; - } -diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c -index 981b3ef71e47..9883da1da383 100644 ---- a/drivers/misc/lkdtm_core.c -+++ b/drivers/misc/lkdtm_core.c -@@ -78,7 +78,7 @@ static irqreturn_t jp_handle_irq_event(unsigned int irq, - return 0; - } - --static void jp_tasklet_action(struct softirq_action *a) -+static void jp_tasklet_action(void) - { - lkdtm_handler(); - jprobe_return(); -diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig -index b811442c5ce6..4f62a63cbcb1 100644 ---- a/drivers/tty/Kconfig -+++ b/drivers/tty/Kconfig -@@ -122,7 +122,6 @@ config UNIX98_PTYS - - config LEGACY_PTYS - bool "Legacy (BSD) PTY support" -- default y - ---help--- - A pseudo terminal (PTY) is a software device consisting of two - halves: a master and a slave. The slave device behaves identical to -diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c -index 562d31073f9a..2184b9b5485f 100644 ---- a/drivers/tty/tty_io.c -+++ b/drivers/tty/tty_io.c -@@ -171,6 +171,7 @@ static void free_tty_struct(struct tty_struct *tty) - put_device(tty->dev); - kfree(tty->write_buf); - tty->magic = 0xDEADDEAD; -+ put_user_ns(tty->owner_user_ns); - kfree(tty); - } - -@@ -2154,11 +2155,19 @@ static int tty_fasync(int fd, struct file *filp, int on) - * FIXME: may race normal receive processing - */ - -+int tiocsti_restrict = IS_ENABLED(CONFIG_SECURITY_TIOCSTI_RESTRICT); -+ - static int tiocsti(struct tty_struct *tty, char __user *p) - { - char ch, mbz = 0; - struct tty_ldisc *ld; - -+ if (tiocsti_restrict && -+ !ns_capable(tty->owner_user_ns, CAP_SYS_ADMIN)) { -+ dev_warn_ratelimited(tty->dev, -+ "Denied TIOCSTI ioctl for non-privileged process\n"); -+ return -EPERM; -+ } - if ((current->signal->tty != tty) && !capable(CAP_SYS_ADMIN)) - return -EPERM; - if (get_user(ch, p)) -@@ -2841,6 +2850,7 @@ struct tty_struct *alloc_tty_struct(struct tty_driver *driver, int idx) - tty->index = idx; - tty_line_name(driver, idx, tty->name); - tty->dev = tty_get_device(tty); -+ tty->owner_user_ns = get_user_ns(current_user_ns()); - - return tty; - } -diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 442be7f312f6..788557d5c454 100644 ---- a/drivers/usb/core/hub.c -+++ b/drivers/usb/core/hub.c -@@ -38,6 +38,8 @@ - #define USB_VENDOR_GENESYS_LOGIC 0x05e3 - #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND 0x01 - -+extern int deny_new_usb; -+ - /* Protect struct usb_device->state and ->children members - * Note: Both are also protected by ->dev.sem, except that ->state can - * change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */ -@@ -4806,6 +4808,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, - goto done; - return; - } -+ -+ if (deny_new_usb) { -+ dev_err(&port_dev->dev, "denied insert of USB device on port %d\n", port1); -+ goto done; -+ } -+ - if (hub_is_superspeed(hub->hdev)) - unit_load = 150; - else -diff --git a/fs/exec.c b/fs/exec.c -index 0da4d748b4e6..69fcee853363 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -62,6 +62,7 @@ - #include <linux/oom.h> - #include <linux/compat.h> - #include <linux/vmalloc.h> -+#include <linux/random.h> - - #include <linux/uaccess.h> - #include <asm/mmu_context.h> -@@ -321,6 +322,8 @@ static int __bprm_mm_init(struct linux_binprm *bprm) - arch_bprm_mm_init(mm, vma); - up_write(&mm->mmap_sem); - bprm->p = vma->vm_end - sizeof(void *); -+ if (randomize_va_space) -+ bprm->p ^= get_random_int() & ~PAGE_MASK; - return 0; - err: - up_write(&mm->mmap_sem); -diff --git a/fs/namei.c b/fs/namei.c -index 0b46b858cd42..3ae8e72341da 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -902,8 +902,8 @@ static inline void put_link(struct nameidata *nd) - path_put(&last->link); - } - --int sysctl_protected_symlinks __read_mostly = 0; --int sysctl_protected_hardlinks __read_mostly = 0; -+int sysctl_protected_symlinks __read_mostly = 1; -+int sysctl_protected_hardlinks __read_mostly = 1; - - /** - * may_follow_link - Check symlink following for unsafe situations -diff --git a/fs/nfs/Kconfig b/fs/nfs/Kconfig -index 5f93cfacb3d1..cea0d7d3b23e 100644 ---- a/fs/nfs/Kconfig -+++ b/fs/nfs/Kconfig -@@ -195,4 +195,3 @@ config NFS_DEBUG - bool - depends on NFS_FS && SUNRPC_DEBUG - select CRC32 -- default y -diff --git a/fs/pipe.c b/fs/pipe.c -index 8ef7d7bef775..b82f305ec13d 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ |