Merge branch 'next' into temp-c170-development

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2026-04-20 16:02:59 +02:00 · 2022-06-27 13:29:18 +00:00
parent 53eb573f27 f5117ab51d
commit 5503a18d71
10 changed files with 121 additions and 13 deletions
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1810,6 +1810,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -1817,6 +1817,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -1417,6 +1417,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1822,6 +1822,7 @@ CONFIG_UEVENT_HELPER=y
 CONFIG_UEVENT_HELPER_PATH=""
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_DEVTMPFS_SAFE=y
 CONFIG_STANDALONE=y
 CONFIG_PREVENT_FIRMWARE_BUILD=y

@@ -7298,6 +7299,7 @@ CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
 CONFIG_CRYPTO_LIB_SHA256=y
 # end of Crypto library routines

+CONFIG_LIB_MEMNEQ=y
 CONFIG_CRC_CCITT=y
 CONFIG_CRC16=y
 CONFIG_CRC_T10DIF=y
--- a/config/rootfiles/oldcore/169/filelists/aarch64/u-boot
+++ b/config/rootfiles/oldcore/169/filelists/aarch64/u-boot
@@ -1 +0,0 @@
-../../../../common/aarch64/u-boot
--- a/config/rootfiles/oldcore/169/filelists/armv6l/u-boot
+++ b/config/rootfiles/oldcore/169/filelists/armv6l/u-boot
@@ -1 +0,0 @@
-../../../../common/armv6l/u-boot
--- a/config/rootfiles/packages/armv6l/python3-msgpack
+++ b/config/rootfiles/packages/armv6l/python3-msgpack
@@ -0,0 +1,12 @@
+usr/lib/python3.10/site-packages/msgpack
+#usr/lib/python3.10/site-packages/msgpack-1.0.3-py3.10.egg-info
+#usr/lib/python3.10/site-packages/msgpack-1.0.3-py3.10.egg-info/PKG-INFO
+#usr/lib/python3.10/site-packages/msgpack-1.0.3-py3.10.egg-info/SOURCES.txt
+#usr/lib/python3.10/site-packages/msgpack-1.0.3-py3.10.egg-info/dependency_links.txt
+#usr/lib/python3.10/site-packages/msgpack-1.0.3-py3.10.egg-info/top_level.txt
+usr/lib/python3.10/site-packages/msgpack/__init__.py
+usr/lib/python3.10/site-packages/msgpack/_cmsgpack.cpython-310-arm-linux-gnueabi.so
+usr/lib/python3.10/site-packages/msgpack/_version.py
+usr/lib/python3.10/site-packages/msgpack/exceptions.py
+usr/lib/python3.10/site-packages/msgpack/ext.py
+usr/lib/python3.10/site-packages/msgpack/fallback.py
--- a/lfs/linux
+++ b/lfs/linux
@@ -143,6 +143,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch

+	# https://bugzilla.ipfire.org/show_bug.cgi?id=12889
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+
 ifeq "$(BUILD_ARCH)" "armv6l"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
--- a/lfs/u-boot
+++ b/lfs/u-boot
@@ -24,7 +24,7 @@

 include Config

-VER        = 2022.04
+VER        = 2021.07

 THISAPP    = u-boot-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -35,24 +35,21 @@ SUP_ARCH   = armv6l aarch64

 CFLAGS    := $(patsubst -fstack-protector-strong,,$(CFLAGS))

-ATF_VER    = 2.7
+ATF_VER    = 2.6

 ###############################################################################
 # Top-level Rules
 ###############################################################################

-objects = $(DL_FILE) arm-trusted-firmware-$(ATF_VER).tar.gz arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.gz
+objects = $(DL_FILE) arm-trusted-firmware-$(ATF_VER).tar.gz arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.xz

 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 arm-trusted-firmware-$(ATF_VER).tar.gz = $(DL_FROM)/arm-trusted-firmware-$(ATF_VER).tar.gz
-arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.gz = $(DL_FROM)/arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.gz
+arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.xz = $(DL_FROM)/arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.xz

-# Downloaded from https://ftp.denx.de/pub/u-boot/
-$(DL_FILE)_BLAKE2 = 5d2035130c0631f8f1b7f7963bedf71578a66994e3950eb103a404a08e85686cd971ba51e8172093ccb75d975101024bf2a94d4064763ad57ad8950c11092319
-# Downloaded from https://github.com/ARM-software/arm-trusted-firmware/tags
-arm-trusted-firmware-$(ATF_VER).tar.gz_BLAKE2 = 4fc4d5646e272200d40081902e17f0be32956f451622f011a0d568c8cf26e15ab165fe16a69cf222241f7ba1d443add562d6d382277eb4fb2b49c3918cabdbad
-# Downloaded from https://github.com/skiffos/rk3399-firmware-blobs/tags
-arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.gz_BLAKE2 = d6441f38f5795b1c7d4e15fe9b2fec3632490283d1e8f0a0ce53b7456413e9f455c78f4071f73f664c16813dba97897941d40ef3037a9f60302de158b7f3cd41
+$(DL_FILE)_BLAKE2 = 1a209a604e0f30264781a14ca855bbb777e8f1c031de60d28de397084fc9bfc4a3771ad00ec22f5cdcfa721f22707a533b9b59004ac0b107df927f23dc5ab0a6
+arm-trusted-firmware-$(ATF_VER).tar.gz_BLAKE2 = 1d0caff9ea6d97276d1377483e3f81901c935f9af784b7a735636c75b00106935a7e301c21ecec7b9fd9a97dcf873ac1b12169bf7211dae3d975b78d379eba74
+arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.xz_BLAKE2 = bc5245c1af911eb8ce8def743339102bb46d6aa854fbe916584775479dc97c9a9176c1d1615afc7ede496c7ca9da78db52d9c2eaf1290a4d06e53dbb1933e658

 install : $(TARGET)

@@ -223,7 +220,7 @@ else

 	# Nanopi R4S
 	# arm trusted firmware for rk3399 cannot build without cortex m0 gcc crosscompiler
-	cd $(DIR_APP) && tar axf $(DIR_DL)/arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.gz
+	cd $(DIR_APP) && tar axf $(DIR_DL)/arm-trusted-firmware-$(ATF_VER)-rk3399-binary.tar.xz
 	-mkdir -pv /usr/share/u-boot/nanopi_r4s
 	cd $(DIR_APP) && make CROSS_COMPILE="" nanopi-r4s-rk3399_config
 	cd $(DIR_APP) && sed -i -e 's!^CONFIG_IDENT_STRING=.*!CONFIG_IDENT_STRING=" Nanopi R4S - IPFire.org"!' .config
--- a/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
+++ b/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
@@ -0,0 +1,93 @@
+From 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 22 Dec 2021 17:50:20 +0500
+Subject: devtmpfs: mount with noexec and nosuid
+
+devtmpfs is writable. Add the noexec and nosuid as default mount flags
+to prevent code execution from /dev. The systems who don't use systemd
+and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
+this patch. Other systems are fine with the udev solution.
+
+No sane program should be relying on executing from /dev. So this patch
+reduces the attack surface. It doesn't prevent any specific attack, but
+it reduces the possibility that someone can use /dev as a place to put
+executable code. Chrome OS has been carrying this patch for several
+years. It seems trivial and simple solution to improve the protection of
+/dev when CONFIG_DEVTMPFS_MOUNT=y.
+
+Original patch:
+https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/
+
+Cc: ellyjones@chromium.org
+Cc: Kay Sievers <kay@vrfy.org>
+Cc: Roland Eggner <edvx1@systemanalysen.net>
+Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/Kconfig    | 11 +++++++++++
+ drivers/base/devtmpfs.c | 10 ++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig
+index ffcbe2bc460eb..6f04b831a5c04 100644
+--- a/drivers/base/Kconfig
+++ b/drivers/base/Kconfig
+@@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT
+ 	  rescue mode with init=/bin/sh, even when the /dev directory
+ 	  on the rootfs is completely empty.
+ 
+config DEVTMPFS_SAFE
+	bool "Use nosuid,noexec mount options on devtmpfs"
+	depends on DEVTMPFS
+	help
+	  This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
+	  flags when mounting devtmpfs.
+
+	  Notice: If enabled, things like /dev/mem cannot be mmapped
+	  with the PROT_EXEC flag. This can break, for example, non-KMS
+	  video drivers.
+
+ config STANDALONE
+ 	bool "Select only drivers that don't need compile-time external firmware"
+ 	default y
+diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
+index 8be352ab4ddbf..1e2c2d3882e2c 100644
+--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
+@@ -29,6 +29,12 @@
+ #include <uapi/linux/mount.h>
+ #include "base.h"
+ 
+#ifdef CONFIG_DEVTMPFS_SAFE
+#define DEVTMPFS_MFLAGS       (MS_SILENT | MS_NOEXEC | MS_NOSUID)
+#else
+#define DEVTMPFS_MFLAGS       (MS_SILENT)
+#endif
+
+ static struct task_struct *thread;
+ 
+ static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT);
+@@ -363,7 +369,7 @@ int __init devtmpfs_mount(void)
+ 	if (!thread)
+ 		return 0;
+ 
+-	err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
+ 	else
+@@ -412,7 +418,7 @@ static noinline int __init devtmpfs_setup(void *p)
+ 	err = ksys_unshare(CLONE_NEWNS);
+ 	if (err)
+ 		goto out;
+-	err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL);
+	err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL);
+ 	if (err)
+ 		goto out;
+ 	init_chdir("/.."); /* will traverse into overmounted root */
+-- 
+cgit 
+