commit: 86d8d1264cf8a1f897ca565d2b5b08c375f67f01 |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Sun Mar 27 19:42:09 2016 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Sun Mar 27 19:42:09 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=86d8d126 |
|
Forward port 1500_XATTR_USER_PREFIX.patch to 4.5 kernels |
|
0000_README | 4 ++++ |
1500_XATTR_USER_PREFIX.patch | 54 ++++++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 58 insertions(+) |
|
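--- a/0000_README
+++ b/0000_README
@@ -43,6 +43,10 @@ EXPERIMENTAL
 Individual Patch Descriptions:
 --------------------------------------------------------------------------
 
+Patch: 1500_XATTR_USER_PREFIX.patch
+From: https://bugs.gentoo.org/show_bug.cgi?id=470644
+Desc: Support for namespace user.pax.* on tmpfs.
+
 Patch: 1510_fs-enable-link-security-restrictions-by-default.patch
 From: http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
 Desc: Enable link security restrictions by default.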
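--- /dev/null
+++ b/1500_XATTR_USER_PREFIX.patch
@@ -0,0 +1,54 @@
+From: Anthony G. Basile <blueness@g.o>
+
+This patch adds support for a restricted user-controlled namespace on
+tmpfs filesystem used to house PaX flags. The namespace must be of the
+form user.pax.* and its value cannot exceed a size of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index e4629b9..6958086 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -63,5 +63,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 1c44af7..f23bb1b 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2201,6 +2201,7 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ static int shmem_xattr_validate(const char *name)
+ {
+ struct { const char *prefix; size_t len; } arr[] = {
++ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN},
+ { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
+ { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
+ };
+@@ -2256,6 +2257,12 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
+ if (err)
+ return err;
+
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
+ return simple_xattr_set(&info->xattrs, name, value, size, flags);
+ }
+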
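Review bot: The value cap in the embedded shmem_setxattr hunk, `if (size > 8)`, is a bare magic number whose meaning is stated only in the patch description ("cannot exceed a size of 8 bytes"); since the same patch already adds XATTR_PAX_PREFIX and XATTR_NAME_PAX_FLAGS to include/uapi/linux/xattr.h, the limit belongs there as a named constant next to XATTR_PAX_FLAGS_SUFFIX (proposed name, e.g. `#define XATTR_PAX_FLAGS_MAX_SIZE 8`) with the check written as `if (size > XATTR_PAX_FLAGS_MAX_SIZE)`. The user-prefix branch also deserves a one-line comment stating the policy it enforces, e.g. `/* user.* is accepted only for the PaX flags attribute, and only up to its fixed maximum length */`, because the first shmem.c hunk makes shmem_xattr_validate accept every user.* name while the "only user.pax.flags" restriction lives solely in this setxattr caller. If shmem_xattr_validate is also used by the get/list/remove paths in 4.5 (not visible in these hunks), those paths now accept arbitrary user.* names, which is harmless only as long as nothing but user.pax.flags can ever be stored; a comment at the validate array recording that dependency would keep a later change from silently widening it. Both shmem_xattr_validate and shmem_setxattr begin and end outside the shown hunks.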