webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
77af89e59ff9e50b961415d282bbdfe0debf7792
bpfire/lfs/linux
Peter Müller 0664b1720d linux: Amend upstream patch to harden mount points of /dev 
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.

The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.

As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.

Fixes: #12889
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-06-25 22:20:48 +00:00

273 lines
11 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 5.15.49
ARM_PATCHES = 5.15-ipfire5
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
CFLAGS =
CXXFLAGS =
HEADERS_ARCH = $(BUILD_PLATFORM)
KERNEL_ARCH = $(BUILD_ARCH)
KERNEL_TARGET = bzImage
ifeq "$(BUILD_ARCH)" "aarch64"
HEADERS_ARCH = arm64
KERNEL_ARCH = arm64
KERNEL_TARGET = Image
endif
ifeq "$(BUILD_ARCH)" "armv6l"
KERNEL_ARCH = arm
KERNEL_TARGET = zImage
endif
ifeq "$(BUILD_ARCH)" "riscv64"
KERNEL_ARCH = riscv
KERNEL_TARGET = Image.gz
endif
VERSUFIX=ipfire$(KCFG)
ifeq "$(TOOLCHAIN)" "1"
TARGET = $(DIR_INFO)/linux-$(VER)-$(VERSUFIX)-tools
HEADERS_PREFIX = $(TOOLS_DIR)
EXTRAMAKE = CROSS_COMPILE=$(CROSSTARGET)-
else
TARGET = $(DIR_INFO)/linux-$(VER)-$(VERSUFIX)
HEADERS_PREFIX = /usr
endif
ifeq "$(KCFG)" ""
LASTKERNEL=1
endif
###############################################################################
# Top-level Rules
###############################################################################
objects =$(DL_FILE) \
arm-multi-patches-$(ARM_PATCHES).patch.xz
$(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
$(DL_FILE)_BLAKE2 = 0f78d980b2d6ec189865a85f3bf65e015365034f797ffda88077a77162d3bc30aec5f44a5257aa2aee0a97ee12e4c38b796bc8fddbe9f6ff6067b0c17ff0207e
arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
b2 : $(subst %,%_BLAKE2,$(objects))
dist:
@$(PAK)
###############################################################################
# Downloading, checking, b2sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_BLAKE2,$(objects)) :
@$(B2SUM)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) $(DIR_SRC)/linux && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
ln -svf linux-$(VER) $(DIR_SRC)/linux
# Layer7-patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.46-layer7.patch
# DVB Patches
cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch
# Wlan Patches
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_ath_user_regd.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8-iwlwifi-noibss_only_on_radar_chan.patch
# Fix igb and e1000e crash
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.1-igb-e1000e_fix_lock_at_update_stats.patch
# cs5535audio spams syslog if no ac97 was present (geos router)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.9.8_cs5535audio_fix_logspam_on_geos.patch
# Fix uevent PHYSDEVDRIVER
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch
# fix Boot with enabled usercopy hardening
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.9-crypto_testmgr_allocate_buffers_with____GFP_COMP.patch
# Patch performance monitoring restrictions to allow further hardening
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-security-perf-allow-further-restriction-of-perf_event_open.patch
# https://bugzilla.ipfire.org/show_bug.cgi?id=12760
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15-NFQUEUE-Hold-RCU-read-lock-while-calling-nf_reinject.patch
# https://bugzilla.ipfire.org/show_bug.cgi?id=12889
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/devtmpfs-mount-with-noexec-and-nosuid.patch
ifeq "$(BUILD_ARCH)" "armv6l"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
endif
ifeq "$(BUILD_ARCH)" "aarch64"
# Apply Arm-multiarch kernel patches.
cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
endif
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-3.14.79-amba-fix.patch
ifeq "$(KCFG)" "-headers"
# Install the header files
cd $(DIR_APP) && make ARCH=$(HEADERS_ARCH) $(EXTRAMAKE) headers
-mkdir -pv $(BUILDROOT)/$(HEADERS_PREFIX)/include
cd $(DIR_APP) && find usr/include -name '.*' -delete
cd $(DIR_APP) && rm usr/include/Makefile
cd $(DIR_APP) && cp -rv usr/include/* $(BUILDROOT)/$(HEADERS_PREFIX)/include
else
# Install ipfire logo
cd $(DIR_APP) && cp -vf $(DIR_SRC)/config/kernel/ipfire_logo.ppm \
drivers/video/logo/logo_linux_clut224.ppm
# Cleanup kernel source
cp $(DIR_SRC)/config/kernel/kernel.config.$(BUILD_ARCH)-$(VERSUFIX) $(DIR_APP)/.config
cd $(DIR_APP) && make oldconfig
cd $(DIR_APP) && make clean
cd $(DIR_APP) && sed -i -e 's/EXTRAVERSION\ =.*/EXTRAVERSION\ =\ -$(VERSUFIX)/' Makefile
# Copy Module signing key configuration
cp -f $(DIR_SRC)/config/kernel/x509.genkey $(DIR_APP)/certs/x509.genkey
# Remove modules folder if exists
rm -rf /lib/modules/$(VER)-$(VERSUFIX)
# Build the kernel
cd $(DIR_APP) && make $(MAKETUNING) $(KERNEL_TARGET) modules
# Install the kernel
cd $(DIR_APP) && cp -v arch/$(KERNEL_ARCH)/boot/$(KERNEL_TARGET) /boot/vmlinuz-$(VER)-$(VERSUFIX)
cd $(DIR_APP) && cp -v System.map /boot/System.map-$(VER)-$(VERSUFIX)
cd $(DIR_APP) && cp -v .config /boot/config-$(VER)-$(VERSUFIX)
cd $(DIR_APP) && make $(MAKETUNING) modules_install
ifeq "$(BUILD_PLATFORM)" "arm"
cd $(DIR_APP) && make $(MAKETUNING) dtbs
mkdir -p /boot/dtb-$(VER)-$(VERSUFIX)
cd $(DIR_APP)/arch/$(KERNEL_ARCH)/boot/dts && for f in $$(find -name "*.dtb"); do \
cp -v --parents $$f /boot/dtb-$(VER)-$(VERSUFIX)/ ; \
chmod 644 /boot/dtb-$(VER)-$(VERSUFIX)/$$f ; \
done
endif
# Recreate source and build links
rm -rf /lib/modules/$(VER)-$(VERSUFIX)/{build,source}
mkdir -p /lib/modules/$(VER)-$(VERSUFIX)/build
ln -sf build /lib/modules/$(VER)-$(VERSUFIX)/source
# Create dirs for extra modules
mkdir -p /lib/modules/$(VER)-$(VERSUFIX)/extra
cd $(DIR_APP) && cp --parents $$(find -type f -name "Makefile*" -o -name "Kconfig*") \
/lib/modules/$(VER)-$(VERSUFIX)/build
cd $(DIR_APP) && cp Module.symvers System.map /lib/modules/$(VER)-$(VERSUFIX)/build
rm -rf /lib/modules/$(VER)-$(VERSUFIX)/build/{Documentation,scripts,include}
cd $(DIR_APP) && cp .config /lib/modules/$(VER)-$(VERSUFIX)/build
cd $(DIR_APP) && cp -a scripts /lib/modules/$(VER)-$(VERSUFIX)/build
find /lib/modules/$(VER)-$(VERSUFIX)/build/scripts -name "*.o" -exec rm -vf {} \;
cd $(DIR_APP) && cp -a --parents arch/$(HEADERS_ARCH)/include /lib/modules/$(VER)-$(VERSUFIX)/build
cd $(DIR_APP) && cp -a include /lib/modules/$(VER)-$(VERSUFIX)/build/include
# Copy module signing key for off tree modules
cd $(DIR_APP) && cp -f certs/signing_key.* /lib/modules/$(VER)-$(VERSUFIX)/build/certs/
# Install objtool
cd $(DIR_APP) && cp -a tools/objtool/objtool \
/lib/modules/$(VER)-$(VERSUFIX)/build/tools/objtool/ || :
cd $(DIR_APP) && cp -a --parents tools/build/{Build,Build.include,fixdep.c} \
tools/scripts/utilities.mak /lib/modules/$(VER)-$(VERSUFIX)/build
# Make sure we can build external modules
touch -r /lib/modules/$(VER)-$(VERSUFIX)/build/Makefile \
/lib/modules/$(VER)-$(VERSUFIX)/build/include/generated/uapi/linux/version.h
touch -r /lib/modules/$(VER)-$(VERSUFIX)/build/.config \
/lib/modules/$(VER)-$(VERSUFIX)/build/autoconf.h
cp /lib/modules/$(VER)-$(VERSUFIX)/build/.config \
/lib/modules/$(VER)-$(VERSUFIX)/build/include/config/auto.conf
# Fix permissions
find /lib/modules/$(VER)-$(VERSUFIX) -name "modules.order" \
-exec chmod 644 {} \;
find /lib/modules/$(VER)-$(VERSUFIX) -name ".*.cmd" -exec rm -f {} \;
ifeq "$(LASTKERNEL)" "1"
# Only do this once
cd $(DIR_APP) && install -m 755 usr/gen_init_cpio /sbin/
# disable drm by install drm to /bin/false because i915 ignore blacklisting
echo install drm /bin/false > /etc/modprobe.d/framebuffer.conf
# Blacklist old framebuffer modules
for f in $$(find /lib/modules/$(VER)-$(VERSUFIX)/kernel/drivers/video/fbdev/ -name *.ko.xz); do \
echo "blacklist $$(basename $$f)" >> /etc/modprobe.d/framebuffer.conf ; \
done
# Blacklist new drm framebuffer modules
for f in $$(find /lib/modules/$(VER)-$(VERSUFIX)/kernel/drivers/gpu/drm -name *.ko.xz); do \
echo "blacklist $$(basename $$f)" >> /etc/modprobe.d/framebuffer.conf ; \
done
sed -i -e "s|.ko.xz||g" /etc/modprobe.d/framebuffer.conf
# Disable ipv6 at runtime
echo "options ipv6 disable_ipv6=1" > /etc/modprobe.d/ipv6.conf
endif
endif
#force new build of external modules and initrd if the kernel was rebuild
-rm -f /usr/src/log/*-kmod-$(VER)-$(VERSUFIX)
-rm -f /usr/src/log/linux-initrd-$(VER)-$(VERSUFIX)
@rm -rf $(DIR_APP) $(DIR_SRC)/linux
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink