diff --git a/PKGBUILD b/PKGBUILD
index 23ec57b..9dccc4d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -640,7 +640,7 @@ case $_basever in
 'b6003a066e39b013336bc41b15a836c1beb08417849ce563830c125bcba0cc9b'
 'SKIP'
 '24be2e8863e265195a24d7082804cd4328fd9f0a31b88672c884b9fd42469ed8'
- '5786bbcc3f655592958ba7011f9ce361d69211b0478c5b86bd3e600fee3ffd27'
+ 'e885f7b2c68d6d7ec9050a692aa044fecab3c1dda6908175a6d4e13bf8507ceb'
 '1e15fc2ef3fa770217ecc63a220e5df2ddbcf3295eb4a021171e7edd4c6cc898'
 '66a03c246037451a77b4d448565b1d7e9368270c7d02872fbd0b5d024ed0a997'
 'f6383abef027fd9a430fd33415355e0df492cdc3c90e9938bf2d98f4f63b32e6'
@@ -658,7 +658,7 @@ case $_basever in
 '9fad4a40449e09522899955762c8928ae17f4cdaa16e01239fd12592e9d58177'
 '978b197efa56781a1d5651a3649c3d8b926d55748b4b9063788dfe1a861fc1bc'
 'd11edf802031e9335e4236ea1bb56d7fff9f6159dbc5f0afe407256b95d601fc'
- 'c010206dc3278d2652afebaed9fac58e55e65f65deb0565687faa1dec577494b'
+ 'b5e0f50ef64c25069987cf4c4ec3501ed5288bc43106c52e3aefddaa7a649c39'
 '434e4707efc1bc3919597c87d44fa537f7563ae04236479bbf1adb5f410ab69d'
 '1b656ad96004f27e9dc63d7f430b50d5c48510d6d4cd595a81c24b21adb70313'
 'b0319a7dff9c48b2f3e3d3597ee154bf92223149a633a8b7ce4026252db86da6')
diff --git a/linux-tkg-config/5.15/config_hardened.x86_64 b/linux-tkg-config/5.15/config_hardened.x86_64
index 1bff868..3117058 100644
--- a/linux-tkg-config/5.15/config_hardened.x86_64
+++ b/linux-tkg-config/5.15/config_hardened.x86_64
@@ -1,15 +1,15 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.15-hardened1 Kernel Configuration
+# Linux/x86 5.15.25-hardened1 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.1.0"
+CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=110100
+CONFIG_GCC_VERSION=110200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=23601
+CONFIG_AS_VERSION=23800
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=23601
+CONFIG_LD_VERSION=23800
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
@@ -6445,6 +6445,7 @@ CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 CONFIG_FRAMEBUFFER_CONSOLE=y +# CONFIG_FRAMEBUFFER_CONSOLE_LEGACY_ACCELERATION is not set CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y CONFIG_FRAMEBUFFER_CONSOLE_ROTATION=y CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER=y @@ -10478,3 +10479,4 @@ CONFIG_ARCH_USE_MEMTEST=y # CONFIG_HYPERV_TESTING is not set # end of Kernel Testing and Coverage # end of Kernel hacking + diff --git a/linux-tkg-patches/5.15/0012-linux-hardened.patch b/linux-tkg-patches/5.15/0012-linux-hardened.patch index 71f1046..591a0a0 100644 --- a/linux-tkg-patches/5.15/0012-linux-hardened.patch +++ b/linux-tkg-patches/5.15/0012-linux-hardened.patch @@ -102,13 +102,13 @@ index d91ab28718d4..4ead5cd52644 100644 If set, provide RFC2861 behavior and time out the congestion window after an idle period. An idle period is defined at diff --git a/Makefile b/Makefile -index aed26e228dde..fd511db4d97f 100644 +index c50d4ec83be8..a88b0b67c745 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ VERSION = 5 PATCHLEVEL = 15 - SUBLEVEL = 15 + SUBLEVEL = 25 -EXTRAVERSION = +EXTRAVERSION = -hardened1 NAME = Trick or Treat @@ -242,7 +242,7 @@ index 1f96809606ac..5dc5b06d6955 100644 Linux can allow user programs to install a per-process x86 Local Descriptor Table (LDT) using the modify_ldt(2) system diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig -index e8a7a0af2bda..8e8947dceab4 100644 +index d7298b104a45..f65c7ca3602d 100644 --- a/arch/x86/configs/x86_64_defconfig +++ b/arch/x86/configs/x86_64_defconfig @@ -1,5 +1,4 @@ @@ -502,10 +502,10 @@ index 82de39926a9f..7363072fbcb4 100644 blk_complete_reqs(this_cpu_ptr(&blk_cpu_done)); } diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c -index 4d848cfc406f..94427b7ee3b9 100644 +index 24b67d78cb83..bf5189847efe 100644 --- a/drivers/ata/libata-core.c 
+++ b/drivers/ata/libata-core.c -@@ -4599,7 +4599,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) +@@ -4600,7 +4600,7 @@ void ata_qc_free(struct ata_queued_cmd *qc) struct ata_port *ap; unsigned int tag; @@ -514,7 +514,7 @@ index 4d848cfc406f..94427b7ee3b9 100644 ap = qc->ap; qc->flags = 0; -@@ -4616,7 +4616,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) +@@ -4617,7 +4617,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc) struct ata_port *ap; struct ata_link *link; @@ -608,10 +608,10 @@ index 18e874b0441e..fc7a3a9aa72a 100644 obj-$(CONFIG_USB) += usbcore.o diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c -index 3bc4a86c3d0a..16c451593031 100644 +index ac6c5ccfe1cb..dd810d902ea1 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c -@@ -5238,6 +5238,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, +@@ -5241,6 +5241,12 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus, goto done; return; } @@ -751,7 +751,7 @@ index 9abc88d7959c..4dae3fd45fdd 100644 { return -ENXIO; diff --git a/fs/namei.c b/fs/namei.c -index 1946d9667790..d34d594154b6 100644 +index 3bb65f48fe1d..046e797c9663 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1020,10 +1020,10 @@ static inline void put_link(struct nameidata *nd) @@ -926,7 +926,7 @@ index 56eba723477e..bf53bd6efdc6 100644 + #endif /* _LINUX_FS_H */ diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h -index 12d3a7d308ab..c20fb1eb3f25 100644 +index a9477c14fad5..41129acd7507 100644 --- a/include/linux/fsnotify.h +++ b/include/linux/fsnotify.h @@ -96,6 +96,9 @@ static inline int fsnotify_file(struct file *file, __u32 mask) @@ -1007,7 +1007,7 @@ index 2b5b64256cf4..8cdce21dce0f 100644 const struct kobj_ns_type_operations *kobj_child_ns_ops(struct kobject *parent); const struct kobj_ns_type_operations *kobj_ns_ops(struct kobject *kobj); 
diff --git a/include/linux/mm.h b/include/linux/mm.h -index 73a52aba448f..26370aeee4b6 100644 +index 90c2d7f3c7a8..de4d4b976c5e 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -799,7 +799,7 @@ static inline int is_vmalloc_or_module_addr(const void *x) @@ -1062,10 +1062,10 @@ index 5e76af742c80..9a6c682ec127 100644 extern phys_addr_t per_cpu_ptr_to_phys(void *addr); diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h -index 9b60bb89d86a..32116e32809b 100644 +index 6cce33e7e7ac..5eb6522e017f 100644 --- a/include/linux/perf_event.h +++ b/include/linux/perf_event.h -@@ -1320,6 +1320,14 @@ static inline int perf_is_paranoid(void) +@@ -1322,6 +1322,14 @@ static inline int perf_is_paranoid(void) return sysctl_perf_event_paranoid > -1; } @@ -1414,10 +1414,10 @@ index 11f8a845f259..a64ec536890d 100644 bool "Page allocator randomization" default SLAB_FREELIST_RANDOM && ACPI_NUMA diff --git a/kernel/audit.c b/kernel/audit.c -index 4cebadb5f30d..436931ce46a0 100644 +index 94ded5de9131..6b7e12855359 100644 --- a/kernel/audit.c +++ b/kernel/audit.c -@@ -1692,6 +1692,9 @@ static int __init audit_enable(char *str) +@@ -1730,6 +1730,9 @@ static int __init audit_enable(char *str) if (audit_default == AUDIT_OFF) audit_initialized = AUDIT_DISABLED; @@ -1470,7 +1470,7 @@ index 46a361dde042..f0c387f421a0 100644 /** diff --git a/kernel/events/core.c b/kernel/events/core.c -index 2931faf92a76..1638619f1afb 100644 +index b81652fc2cdd..fce3ec1a1e1b 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -414,8 +414,13 @@ static struct kmem_cache *perf_event_cache; @@ -1487,7 +1487,7 @@ index 2931faf92a76..1638619f1afb 100644 /* Minimum for 512 kiB + 1 user control page */ int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */ -@@ -12010,7 +12015,7 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -12094,7 +12099,7 @@ SYSCALL_DEFINE5(perf_event_open, return -EINVAL; /* Do we allow access to perf_event_open(2) ? */ 
@@ -1497,7 +1497,7 @@ index 2931faf92a76..1638619f1afb 100644 return err; diff --git a/kernel/fork.c b/kernel/fork.c -index 10885c649ca4..1c4b4598eb55 100644 +index 28aee1a8875b..475372883e06 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -82,6 +82,7 @@ @@ -1519,7 +1519,7 @@ index 10885c649ca4..1c4b4598eb55 100644 /* * Thread groups must share signals as well, and detached threads * can only be started up within the thread group. -@@ -3056,6 +3061,12 @@ int ksys_unshare(unsigned long unshare_flags) +@@ -3055,6 +3060,12 @@ int ksys_unshare(unsigned long unshare_flags) if (unshare_flags & CLONE_NEWNS) unshare_flags |= CLONE_FS; @@ -1546,10 +1546,10 @@ index 340b3f8b090d..e0ef77dc0564 100644 struct rcu_head *next, *list; unsigned long flags; diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c -index 7ae10fab68b8..c60b242913a0 100644 +index 4ca6d5b199e8..82639c274d65 100644 --- a/kernel/rcu/tree.c +++ b/kernel/rcu/tree.c -@@ -2751,7 +2751,7 @@ static __latent_entropy void rcu_core(void) +@@ -2752,7 +2752,7 @@ static __latent_entropy void rcu_core(void) queue_work_on(rdp->cpu, rcu_gp_wq, &rdp->strict_work); } @@ -1559,10 +1559,10 @@ index 7ae10fab68b8..c60b242913a0 100644 rcu_core(); } diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c -index 6f16dfb74246..a01d70fb5697 100644 +index 6420580f2730..b9fe0e786cc6 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c -@@ -10883,7 +10883,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf) +@@ -10895,7 +10895,7 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf) * run_rebalance_domains is triggered when needed from the scheduler tick. * Also triggered for nohz idle balancing (with nohz_balancing_kick set). */ @@ -2070,7 +2070,7 @@ index 88dcc5c25225..c903d803fe4e 100644 mm->brk = brk; goto success; diff --git a/mm/page_alloc.c b/mm/page_alloc.c -index 23d3339ac4e8..bf38b6559613 100644 +index 7773bae3b6ed..91e67c6e59ce 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c 
@@ -155,6 +155,15 @@ struct pcpu_drain { @@ -2711,7 +2711,7 @@ index bacabe446906..a3bcc8aef4b4 100644 unsigned long arch_mmap_rnd(void) diff --git a/net/core/dev.c b/net/core/dev.c -index e0878a500aa9..e6d9d916aa2c 100644 +index 33dc2a3ff7d7..657f746d78cd 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -4978,7 +4978,7 @@ int netif_rx_any_context(struct sk_buff *skb) @@ -2792,7 +2792,7 @@ index 6f1e64d49232..96a5a252b750 100644 }; diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index f3b623967436..e6dc036f2c5e 100644 +index 509f577869d4..936f1b007861 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -82,6 +82,7 @@ @@ -2803,7 +2803,7 @@ index f3b623967436..e6dc036f2c5e 100644 #define FLAG_DATA 0x01 /* Incoming frame contained data. */ #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */ -@@ -6253,7 +6254,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, +@@ -6255,7 +6256,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb, tcp_paws_reject(&tp->rx_opt, 0)) goto discard_and_undo; @@ -3112,7 +3112,7 @@ index 9e921fc72538..ae851a826c26 100644 int "NSA SELinux sidtab hashtable size" depends on SECURITY_SELINUX diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 9309e62d46ed..87c3cb8babce 100644 +index baa12d1007c7..6378e2be49fa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -136,21 +136,7 @@ static int __init selinux_enabled_setup(char *str) @@ -3188,10 +3188,10 @@ index 4fe3b8b1958f..a7d88cc23a70 100644 in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = ) diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c -index dbfeceb2546c..53ab8d6b473e 100644 +index c87f9974c0c1..1c9afa8f7064 100644 --- a/tools/perf/util/evsel.c 
+++ b/tools/perf/util/evsel.c -@@ -2780,6 +2780,7 @@ int evsel__open_strerror(struct evsel *evsel, struct target *target, +@@ -2789,6 +2789,7 @@ int evsel__open_strerror(struct evsel *evsel, struct target *target, ">= 0: Disallow raw and ftrace function tracepoint access\n" ">= 1: Disallow CPU event access\n" ">= 2: Disallow kernel profiling\n"