163 Commits

Author SHA1 Message Date
Arne Fitzenreiter
8c43d1481a kernel: update to 6.6.15
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-02-02 07:52:09 +00:00
Arne Fitzenreiter
0722f42ed2 kernel: update to 6.6.13
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-21 19:10:22 +01:00
Peter Müller
bca096b453 linux: Forbid legacy TIOCSTI usage
To quote from the kernel documentation:

> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.

This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-01-16 15:46:37 +00:00
Arne Fitzenreiter
a93525c0ca kernel: update to 6.6.12
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-16 12:41:08 +01:00
Arne Fitzenreiter
19e66d7e2b kernel: update to 6.6.11
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-11 10:30:13 +01:00
Arne Fitzenreiter
a2af8c7186 kernel: aarch64: enable CONFIG_SHADOW_CALL_STACK
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-10 06:26:25 +00:00
Arne Fitzenreiter
d303f7c154 kernel: update to 6.6.10
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-07 16:08:31 +01:00
Arne Fitzenreiter
3920ba127f kernel: update to 6.6.9
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-02 09:54:10 +01:00
Arne Fitzenreiter
bf92e55968 kernel: update to 6.6.8
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-12-21 13:50:59 +01:00
Arne Fitzenreiter
0108697131 kernel: update to 6.6.6
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-12-12 21:12:37 +01:00
Arne Fitzenreiter
5109f8ee7f kernel: update to 6.6.5
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-12-08 16:12:17 +01:00
Arne Fitzenreiter
a7c9eca495 kernel: update to 6.6.4
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-12-05 17:17:40 +00:00
Arne Fitzenreiter
941190cb3a kernel: update to 6.6.3
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2023-12-05 17:17:35 +00:00
Arne Fitzenreiter
95f9d9350d kernel: update to 6.6.2
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-12-05 17:15:48 +00:00
Arne Fitzenreiter
8a37e7f0e3 kernel: update to 6.1.61
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-11-03 14:27:58 +00:00
Arne Fitzenreiter
cfe911bab5 kernel: update to 6.1.60
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-27 08:43:35 +00:00
Arne Fitzenreiter
cce398bca5 kernel: update to 6.1.59
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-25 11:01:30 +00:00
Arne Fitzenreiter
2b834ef42a kernel: update to 6.1.58
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-25 11:01:30 +00:00
Peter Müller
7f8b75f8ba linux: Set default IOMMU handling to "strict" on 64-bit ARM
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-20 08:44:26 +00:00
Peter Müller
447d0bf51e linux: Disable io_uring
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.

IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.

See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-20 08:44:26 +00:00
Arne Fitzenreiter
554e339b9e kernel: update to 6.1.57
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-13 08:13:12 +00:00
Arne Fitzenreiter
e275a07b67 kernel: update to 6.1.56
this also builds the dtb files on riscv64

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-10-09 08:13:02 +00:00
Arne Fitzenreiter
e5ad33d9ee kernel: update 6.1.53
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-09-28 09:29:29 +00:00
Arne Fitzenreiter
14bd32221e kernel: update to 6.1.52
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-09-28 09:29:23 +00:00
Arne Fitzenreiter
162a068448 kernel: update to 6.1.45
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-08-11 23:25:37 +02:00
Arne Fitzenreiter
50c07b4938 kernel: update to 6.1.41
fix for CVE-2023-20593 (Zenbleed)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-26 16:01:20 +00:00
Arne Fitzenreiter
719864d37e kernel: update to 6.1.40
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-25 10:39:22 +00:00
Arne Fitzenreiter
f2d5cb7c99 kernel: update to 6.1.39
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-21 09:34:12 +00:00
Peter Müller
e08399ddd3 linux: Trigger a BUG() when corruption of kernel data structures is detected
Given that this will merely log such an incident, this can be safely
enabled.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-07-13 14:20:48 +00:00
Arne Fitzenreiter
f7447b1b8e kernel: update to 6.1.38
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-13 14:20:18 +00:00
Arne Fitzenreiter
1a44c7a638 kernel: update to 6.1.37
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-09 14:57:38 +00:00
Arne Fitzenreiter
25aa552258 kernel: update to 6.1.30
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-30 09:21:34 +00:00
Arne Fitzenreiter
c6c78f8e11 kernel: update to 6.1.29
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-19 12:05:52 +00:00
Arne Fitzenreiter
6a005bd9aa kernel: update to 6.1.28
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-16 18:53:01 +00:00
Arne Fitzenreiter
6a0c5ef65a kernel: update to 6.1.27
the layer7 patch is rebased to apply without fuzzing.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-03 05:07:17 +00:00
Adolf Belka
15041d628c kernel.config.aarch64-ipfire: Fix bug#12856 - Add Armada 38X RTC module to be loadable.
Fixes: Bug#12856
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-04-19 09:34:06 +00:00
Peter Müller
6aa0837d24 linux: Update to 6.1.24
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2023-04-19 09:33:38 +00:00
Peter Müller
1296cdc40b linux: Align kernel configurations after merging 6.1 branch
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-01-18 23:09:22 +00:00
Arne Fitzenreiter
3e066f550b kernel: update rootfiles and config
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-01-15 09:19:25 +00:00
Arne Fitzenreiter
6535255270 kernel: update to 6.1.3
the kernel-6.1.x series should be the next LTS series...
2023-01-08 10:08:33 +00:00
Peter Müller
5f2d660967 linux: Align ARM rootfiles and configurations
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-01-05 10:11:01 +00:00
Peter Müller
f46f939827 linux: Update configuration files and x86_64 rootfile
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-01-04 21:26:43 +00:00
Mathew McBride
8399123461 linux: enable options for NXP Layerscape
This change enables support for NXP's QorIQ/Layerscape platforms,
specifically the Traverse Technologies Ten64 (LS1088A).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2022-10-04 14:45:19 +00:00
Peter Müller
16eb2d5379 linux: Enable seccomp filter on ARM
Since last time we checked, the kernel's security features on ARM have
improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
another try, since it provides significant security benefit to
applications using it.

Due to operational constraints, rootfile changes have been omitted, and
will be conducted, should this patch be approved.

Note to future self: Once this patch is approved, applications using
seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.

Fixes: #12366
Fixes: #12370
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-10-03 21:57:47 +00:00
Peter Müller
25a3d87645 linux: Remove user-space probe support
From the kernel's documentation:

> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )

To the best of the author's understanding, no application on IPFire
needs this functionality, and given its abuse potential, we should
probably not enable it.

As expected, strace functionality is not impaired by this.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-10-03 16:52:09 +00:00
Peter Müller
abb185bf5a linux: Align configurations and rootfiles for ARM
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-09-21 13:36:59 +00:00
Peter Müller
d33651d74f linux: Prepare CONFIG_DEBUG_FS disabling on non-x86_64 architectures
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-09-20 14:30:28 +00:00
Peter Müller
fe803a3f89 Revert "linux: Enable randstruct on ARM as well"
This reverts commit f38e8a35c2.

(Thank you, Arne!)
2022-08-09 10:43:05 +00:00
Peter Müller
26a91db187 Revert "Revert "linux: Do not allow slab caches to be merged""
This reverts commit 1695af3862.

https://lists.ipfire.org/pipermail/development/2022-August/014112.html
2022-08-09 09:29:42 +00:00
Peter Müller
4865b7f6b8 Revert "Revert "kernel: update to 5.15.59""
This reverts commit f25f1b55af.
2022-08-08 13:17:30 +00:00