| 1 |
Hello! |
| 2 |
|
| 3 |
Sorry for cross-posting, some part is related to dev, some to hardened |
| 4 |
only. |
| 5 |
|
| 6 |
0. I propose using the versions of "original" patches in the name of the |
| 7 |
applied patches (like 001_originalname), so tracking diffs/updates is |
| 8 |
easier. |
| 9 |
Also, if one original patch is applying cleanly (as the ck/eaacl patches), |
| 10 |
then use the original (numbered with xx0_name) and add the changes as |
| 11 |
separate patches (xx1_name-version, xx2_name-version) |
| 12 |
|
| 13 |
I have compared the patches from hardened with the originals. Please |
| 14 |
comment on the described patches for 2.,3., if they are needed, and |
| 15 |
solution for the warning in 4. |
| 16 |
|
| 17 |
1. O1/Lowlatency/Preemptive from ck (200309132043-ck2) diffed to hardened |
| 18 |
(patch OK) |
| 19 |
|
| 20 |
--- linux-2.4.22.orig/kernel/sched.c Wed Nov 5 12:31:13 2003 |
| 21 |
+++ linux-2.4.22/kernel/sched.c Wed Nov 5 12:31:43 2003 |
| 22 |
@@ -1033,7 +1033,7 @@ |
| 23 |
*/ |
| 24 |
|
| 25 |
#define CAN_MIGRATE_TASK(p,rq,this_cpu) \ |
| 26 |
- ((jiffies - (p)->sleep_timestamp > cache_decay_ticks) && \ |
| 27 |
+ ((jiffies - (p)->sleep_avg > cache_decay_ticks) && \ |
| 28 |
!task_running(rq, p) && \ |
| 29 |
((p)->cpus_allowed & (1UL << (this_cpu)))) |
| 30 |
|
| 31 |
So for our case (use 3 characters, to have enough free slots for addons) |
| 32 |
101_patch-2.4.22-1000-ckbase-0309132043.bz2 |
| 33 |
102_<the_diff_above> |
| 34 |
103_<the_diff_below>, consider applying it. |
| 35 |
Patch needed (O1) |
| 36 |
--- kernel/sys.c.mps Tue Sep 2 15:29:26 2003 |
| 37 |
+++ kernel/sys.c Tue Sep 2 15:30:06 2003 |
| 38 |
@@ -520,7 +520,7 @@ |
| 39 |
} |
| 40 |
} |
| 41 |
|
| 42 |
-static int set_user(uid_t new_ruid, int dumpclear) |
| 43 |
+int set_user(uid_t new_ruid, int dumpclear) |
| 44 |
{ |
| 45 |
struct user_struct *new_user, *old_user; |
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
2. EA/ACL |
| 50 |
for our case |
| 51 |
121_ea+acl+nfsacl-2.4.22-0.8.64.diff.gz |
| 52 |
122_<maybe_the_patch_below> |
| 53 |
The diff is to intrusive, so that I can't say, if you've done changes to |
| 54 |
it, but 0.8.64 is newer then the one applied (see attached eaacl.dif, |
| 55 |
you can reverse apply it, or better, take the original), some bugs |
| 56 |
(intermezzo, nfs) solved |
| 57 |
|
| 58 |
I have though found this diff (and I am not sure if it has to be applied |
| 59 |
(could be related to the eaaclnfs update) |
| 60 |
|
| 61 |
diff -urN linux-2.4.22.orig/mm/vmscan.c linux-2.4.22/mm/vmscan.c |
| 62 |
--- linux-2.4.22.orig/mm/vmscan.c Wed Nov 5 22:33:41 2003 |
| 63 |
+++ linux-2.4.22/mm/vmscan.c Wed Nov 5 22:35:32 2003 |
| 64 |
@@ -642,7 +642,7 @@ |
| 65 |
#ifdef CONFIG_QUOTA |
| 66 |
shrink_dqcache_memory(DEF_PRIORITY, gfp_mask); |
| 67 |
#endif |
| 68 |
- shrink_other_caches(DEF_PRIORITY, gfp_mask); |
| 69 |
+ shrink_other_caches(priority, gfp_mask); |
| 70 |
|
| 71 |
return nr_pages; |
| 72 |
} |
| 73 |
|
| 74 |
3. grsecurity |
| 75 |
Due to the fact that it won't apply after O1 and EA/ACL, it has to be |
| 76 |
changed (well, I prefer patching the original patch and apply cleanly, so |
| 77 |
I track all the changes, if some wants to go this way, I can supply the |
| 78 |
needed patches for grsecurity after O1 scheduler, lowlatency, eaacl) |
| 79 |
If you change the original patch, then name it xxx_origname_gentoo (and |
| 80 |
comment the changes done, for example: changed vfs_create/vfs_mkdir in |
| 81 |
fs/namei.c for POSIX_ACL) |
| 82 |
|
| 83 |
I found this diff between my version and yours |
| 84 |
diff -urN linux-2.4.22.orig/mm/mmap.c linux-2.4.22/mm/mmap.c |
| 85 |
--- linux-2.4.22.orig/mm/mmap.c Wed Nov 5 14:08:53 2003 |
| 86 |
+++ linux-2.4.22/mm/mmap.c Wed Nov 5 14:09:42 2003 |
| 87 |
@@ -1045,7 +1045,7 @@ |
| 88 |
atomic_dec(&file->f_dentry->d_inode->i_writecount); |
| 89 |
} |
| 90 |
remove_shared_vm_struct(mpnt); |
| 91 |
- zap_page_range(mm, st, size, ZPR_COND_RESCHED); /* sys_munmap() */ |
| 92 |
+ zap_page_range(mm, st, size, 0); |
| 93 |
|
| 94 |
/* |
| 95 |
* Fix the mapping, and free the old area if it wasn't reused. |
| 96 |
|
| 97 |
Is this diff necessary? (related to the lowlatency patch from ck) |
| 98 |
|
| 99 |
4. Propolice |
| 100 |
The patch attached is a cleanup of lib/propolice.c (include kernel.h, |
| 101 |
typo), one warning remaining regarding unsupported characters in __guard. |
| 102 |
How to solve this one? |
| 103 |
|
| 104 |
|
| 105 |
Thanks, Peter |
| 106 |
|
| 107 |
-- |
| 108 |
Peter S. Mazinger <ps.m@×××.net> ID: 0xA5F059F2 NIC: IXUYHSKQLI |
| 109 |
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2 |
| 110 |
|
| 111 |
____________________________________________________________________ |
| 112 |
Miert fizetsz az internetert? Korlatlan, ingyenes internet hozzaferes a FreeStarttol. |
| 113 |
Probald ki most! http://www.freestart.hu |
Archives