Selected Debian patches for address@hidden
From: |
Mark H Weaver |
Subject: |
Selected Debian patches for address@hidden |
Date: |
Wed, 09 Aug 2017 15:57:21 -0400 |
Hello Guix,
I'm not necessarily proposing that we apply this patch to 'master', but
since I mentioned in another thread that I'm using this patch on my own
GuixSD system, I thought I would make it available to you all.
Mark
>From 7ddcef480cc3f2cfa8428af9a98bab144ceae925 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <address@hidden>
Date: Fri, 21 Jul 2017 06:13:02 -0400
Subject: [PATCH] DRAFT: gnu: address@hidden: Add selected patches from
Debian.
* gnu/packages/linux.scm (debian-patches-for-linux-libre-4.9): New variable.
(address@hidden): Add debian-patches-for-linux-libre-4.9 to #:patches.
---
gnu/packages/aux-files/linux-libre/4.9-i686.conf | 11 +-
gnu/packages/aux-files/linux-libre/4.9-x86_64.conf | 14 ++-
gnu/packages/linux.scm | 116 ++++++++++++++++++++-
3 files changed, 132 insertions(+), 9 deletions(-)
diff --git a/gnu/packages/aux-files/linux-libre/4.9-i686.conf
b/gnu/packages/aux-files/linux-libre/4.9-i686.conf
index 4f3a9f927..529cfcef2 100644
--- a/gnu/packages/aux-files/linux-libre/4.9-i686.conf
+++ b/gnu/packages/aux-files/linux-libre/4.9-i686.conf
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.0-gnu Kernel Configuration
+# Linux/x86 4.9.38-gnu Kernel Configuration
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
@@ -593,6 +593,7 @@ CONFIG_X86_SMAP=y
CONFIG_X86_INTEL_MPX=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
CONFIG_SECCOMP=y
# CONFIG_HZ_100 is not set
CONFIG_HZ_250=y
@@ -5775,6 +5776,7 @@ CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_LOGO_LINUX_CLUT224 is not set
+CONFIG_LOGO_LIBRE_CLUT224=y
CONFIG_SOUND=m
CONFIG_SOUND_OSS_CORE=y
# CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
@@ -6038,6 +6040,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m
CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m
CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
@@ -6112,7 +6115,8 @@ CONFIG_SND_SOC_RT5645=m
CONFIG_SND_SOC_RT5651=m
CONFIG_SND_SOC_RT5663=m
CONFIG_SND_SOC_RT5670=m
-# CONFIG_SND_SOC_RT5677_SPI is not set
+CONFIG_SND_SOC_RT5677=m
+CONFIG_SND_SOC_RT5677_SPI=m
CONFIG_SND_SOC_SGTL5000=m
CONFIG_SND_SOC_SI476X=m
CONFIG_SND_SOC_SIGMADSP=m
@@ -8493,7 +8497,6 @@ CONFIG_SCHED_INFO=y
CONFIG_SCHEDSTATS=y
CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
#
# Lock Debugging (spinlocks, mutexes, etc...)
@@ -8675,11 +8678,13 @@ CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_SECURELEVEL=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
diff --git a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
index ca0fcded6..a2ac30e4a 100644
--- a/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
+++ b/gnu/packages/aux-files/linux-libre/4.9-x86_64.conf
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.0-gnu Kernel Configuration
+# Linux/x86 4.9.38-gnu Kernel Configuration
#
CONFIG_64BIT=y
CONFIG_X86_64=y
@@ -596,6 +596,7 @@ CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
CONFIG_EFI=y
CONFIG_EFI_STUB=y
CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
CONFIG_SECCOMP=y
# CONFIG_HZ_100 is not set
CONFIG_HZ_250=y
@@ -868,6 +869,7 @@ CONFIG_COREDUMP=y
CONFIG_IA32_EMULATION=y
# CONFIG_IA32_AOUT is not set
CONFIG_X86_X32=y
+CONFIG_X86_X32_DISABLED=y
CONFIG_COMPAT=y
CONFIG_COMPAT_FOR_U64_ALIGNMENT=y
CONFIG_SYSVIPC_COMPAT=y
@@ -4473,8 +4475,6 @@ CONFIG_USBPCWATCHDOG=m
# Watchdog Pretimeout Governors
#
# CONFIG_WATCHDOG_PRETIMEOUT_GOV is not set
-# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_NOOP is not set
-# CONFIG_WATCHDOG_PRETIMEOUT_DEFAULT_GOV_PANIC is not set
CONFIG_SSB_POSSIBLE=y
#
@@ -5642,6 +5642,7 @@ CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
# CONFIG_LOGO_LINUX_CLUT224 is not set
+CONFIG_LOGO_LIBRE_CLUT224=y
CONFIG_SOUND=m
CONFIG_SOUND_OSS_CORE=y
# CONFIG_SOUND_OSS_CORE_PRECLAIM is not set
@@ -5848,6 +5849,7 @@ CONFIG_SND_SOC_INTEL_HASWELL=m
CONFIG_SND_SOC_INTEL_HASWELL_MACH=m
CONFIG_SND_SOC_INTEL_BXT_DA7219_MAX98357A_MACH=m
CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
+CONFIG_SND_SOC_INTEL_BDW_RT5677_MACH=m
CONFIG_SND_SOC_INTEL_BROADWELL_MACH=m
CONFIG_SND_SOC_INTEL_BYTCR_RT5640_MACH=m
CONFIG_SND_SOC_INTEL_BYTCR_RT5651_MACH=m
@@ -5922,7 +5924,8 @@ CONFIG_SND_SOC_RT5645=m
CONFIG_SND_SOC_RT5651=m
CONFIG_SND_SOC_RT5663=m
CONFIG_SND_SOC_RT5670=m
-# CONFIG_SND_SOC_RT5677_SPI is not set
+CONFIG_SND_SOC_RT5677=m
+CONFIG_SND_SOC_RT5677_SPI=m
CONFIG_SND_SOC_SGTL5000=m
CONFIG_SND_SOC_SI476X=m
CONFIG_SND_SOC_SIGMADSP=m
@@ -8317,7 +8320,6 @@ CONFIG_SCHED_INFO=y
CONFIG_SCHEDSTATS=y
CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
#
# Lock Debugging (spinlocks, mutexes, etc...)
@@ -8501,11 +8503,13 @@ CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
+CONFIG_SECURITY_SECURELEVEL=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0cb925e31..add56628e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -375,11 +375,125 @@ It has been modified to remove all non-free binary
blobs.")
%intel-compatible-systems
#:configuration-file kernel-config))
+(define debian-patches-for-linux-libre-4.9
+ (let ()
+ (define (debian-patch file-name hash)
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://anonscm.debian.org/cgit/kernel/linux.git/"
+ "plain/debian/patches/"
+ file-name
+ "?h=debian/4.9.30-2%2bdeb9u2"))
+ (sha256 (base32 hash))
+ (file-name (basename file-name))))
+ (list
+ ;; Change some defaults for security reasons
+ (debian-patch
"debian/af_802154-Disable-auto-loading-as-mitigation-against.patch"
+ "1vxi81m5rvvnkgr7nnqs45vb7i8p2cm9vyh0cwg1zvqn3ijxi9ld")
+ (debian-patch
"debian/rds-Disable-auto-loading-as-mitigation-against-local.patch"
+ "0qn4dri48wn9mrwxra3n23yn3ihjzc4h87igb8r80ahbla0fnwfi")
+ (debian-patch
"debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch"
+ "10n43hi5j1h1yk2khlhrdbkfbvy1cj70z6mj9xsji5z3klb35lbq")
+ (debian-patch
"debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch"
+ "18xmy9dkip3sfy9iwhmcaa4k1gy72s1aq94xw4l68ki5w191h6kw")
+ (debian-patch
"debian/fs-enable-link-security-restrictions-by-default.patch"
+ "12p3h33k25bl6ny8xm3gchfijb7d9463xwyn9y9lyap6kv4grzqj")
+
+ ;; Set various features runtime-disabled by default
+ (debian-patch "debian/sched-autogroup-disabled.patch"
+ "0yn8zva4kp4lnzdsrwywcpsw60bdlh053ap65lcr81l38jmfyihx")
+ (debian-patch "debian/yama-disable-by-default.patch"
+ "0xqd14yckirjagd3z91gcv11g9zb1p9x4lvgxsa1zgcpdyv5j70z")
+ (debian-patch
"debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch"
+ "1kjl4vp8v4xs9r94g048j9w3s59g0g86mdrj54dnaazp5wi7cxy5")
+ (debian-patch
"features/all/security-perf-allow-further-restriction-of-perf_event_open.patch"
+ "0wz2jm6rnchzy4qbm7bi5qdp1vk3y377lj5b4dkix0bif0rqdzdf")
+
+ ;; Disable autoloading/probing of various drivers by default
+ (debian-patch "debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch"
+ "1zp39dzd7hh0vxpihvr326ndg2vaicrdllwj3ba45vznfg06a74h")
+ (debian-patch "debian/snd-pcsp-disable-autoload.patch"
+ "136b978v92v82z3dcyrjwib4v830gc8nmi19763phfnw3gvglbpr")
+ (debian-patch "debian/fjes-disable-autoload.patch"
+ "14cxxgjis07587g1q01gsp66rzrlnldpxg1078z2hkx51hgyzggm")
+
+ ;; Taint if dangerous features are used
+ (debian-patch
"debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch"
+ "1l8399ma3nlgd5sj8nhyqlcyfqhw2q2kdys59rs78jbawyh66q25")
+ (debian-patch
"debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch"
+ "0xa108vzyrh3ij64aagj17ji4gp1mrjnmdby269vn2q2f5rcficc")
+
+ ;; Arch features
+ (debian-patch "features/x86/x86-memtest-WARN-if-bad-RAM-found.patch"
+ "0xwl7bjrdzh96pmhjc1g1kk8693fbccgn19pdb4rdpng8nv9gzsn")
+ (debian-patch
"features/x86/x86-make-x32-syscall-support-conditional.patch"
+ "1j23x5xvagwf6r591z9p9ac80mjpvhhzh6jnxjjcjcqiqxwf9m3p")
+
+ ;; Securelevel patchset from mjg59
+ (debian-patch
"features/all/securelevel/add-bsd-style-securelevel-support.patch"
+ "15s7m7rakq9v8b6wizc3zngcalfmx68h9vi35g8bnpyjqjdk2xq3")
+ (debian-patch
"features/all/securelevel/enforce-module-signatures-when-securelevel-is-greate.patch"
+ "1v2ad3hjly5k9kg3l53nk6ssxc3danz6ynh9l22wlwhxlw1fq4gf")
+ (debian-patch
"features/all/securelevel/pci-lock-down-bar-access-when-securelevel-is-enabled.patch"
+ "1rqawcv1bykcxklab9iz942xrvpyhxf673xzqzv7lkzdza8j4nzw")
+ (debian-patch
"features/all/securelevel/x86-lock-down-io-port-access-when-securelevel-is-ena.patch"
+ "1padscg703iww4znhqqazh5lxrlr55a1i05kyg906hkhv4vm5yfb")
+ (debian-patch
"features/all/securelevel/restrict-dev-mem-and-dev-kmem-when-securelevel-is-se.patch"
+ "10il8z5cxcdrryihskfm1qwdy1i71bnf2smzy4xq3hcyy7bv484x")
+ (debian-patch
"features/all/securelevel/acpi-limit-access-to-custom_method-if-securelevel-is.patch"
+ "0pdaghyisvwym5b5i0vvcfm0ihwki5207ca27qly7dy76pzajb2i")
+ (debian-patch
"features/all/securelevel/acpi-ignore-acpi_rsdp-kernel-parameter-when-securele.patch"
+ "0dks5bihlag0yylg7qkv8vmhyspjqlh6i6jnkf54b0gx14fs54h9")
+ (debian-patch
"features/all/securelevel/kexec-disable-at-runtime-if-securelevel-has-been-set.patch"
+ "18406qv89pf1riishqsv7yhgg2wbm4mq4x1hgan87m6jk6wh4hkd")
+ (debian-patch
"features/all/securelevel/uswsusp-disable-when-securelevel-is-set.patch"
+ "1hy8l18ppn0zi652656nr5mcz46mq7xi89b5zmc852cm0lvqxazq")
+ (debian-patch
"features/all/securelevel/x86-restrict-msr-access-when-securelevel-is-set.patch"
+ "1s6nvwglb0hyrp64kwk1rxpzc6gfd5926mvmk3b8rq04g7a615pk")
+ (debian-patch
"features/all/securelevel/asus-wmi-restrict-debugfs-interface-when-securelevel.patch"
+ "0fm8hn62d2ik3739x9mi56xrywpmqpyzwp3jfpfp8ha0izaqrm6y")
+ (debian-patch
"features/all/securelevel/add-option-to-automatically-set-securelevel-when-in-.patch"
+ "040862b35nfw5qb4xnz53wrm9kvwim8wijh033ysr490xn6grlvp")
+ (debian-patch
"features/all/securelevel/efi-disable-secure-boot-if-shim-is-in-insecure-mode.patch"
+ "1rc7m5aj92ny3adzm2852x2x4bpd61zamp0sc1na5mhcd96qs724")
+ (debian-patch
"features/all/securelevel/hibernate-disable-when-securelevel-is-set.patch"
+ "0fw42j1g505qmx910cwqynpvs43rb2vkwwx4n8d2vy27272f534b")
+ (debian-patch
"features/all/securelevel/kexec-uefi-copy-secure_boot-flag-in-boot-params-acro.patch"
+ "16p53qsmywcl7p97gx40lc0i8ki9b5m22az2p9g4yzhg75z37w9c")
+ (debian-patch
"features/all/securelevel/acpi-disable-acpi-table-override-if-securelevel-is-s.patch"
+ "1yj9k8lxpm2xjhi3hrgl30777ldcjlfabl8ihaiyq54mzncxc3jl")
+ (debian-patch
"features/all/securelevel/acpi-disable-apei-error-injection-if-securelevel-is-.patch"
+ "0cssqxx8brn0pq8i9brjv014f9j98msq37p7y64aahchhfvkc6xv")
+ (debian-patch
"features/all/securelevel/enable-cold-boot-attack-mitigation.patch"
+ "005ghbfxznybhzcslwf3pl2mxmklm659xfq4i3afaybnf6gs7xjs")
+ (debian-patch
"features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled.patch"
+ "1jy9f2lbw6lzq4241fc22dham4pry95j5kk2m3yg7kjw6ciz4bik")
+ ;; same for arm64
+ (debian-patch
"features/all/securelevel/arm64-efi-disable-secure-boot-if-shim-is-in-insecure.patch"
+ "0vnc0yy4ksqfv22xziy8alycv0173n0y3ldgqbpccmgcxqwlgrsw")
+ (debian-patch
"features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.patch"
+ "15a2y4zy9jifv3d4pwkhzdyz2ki5iqjkx2z0hp6bg02d5m6khps2")
+
+ ;; Security fixes
+ (debian-patch "debian/i386-686-pae-pci-set-pci-nobios-by-default.patch"
+ "0d4gxrqj41vmgf2i5jx79za8rbvr3w5xkwjizz60dbfgjaq58zhr")
+ (debian-patch "debian/time-mark-timer_stats-as-broken.patch"
+ "0m0na1ihxj71h96c128g8pnks85125jlx5pbr6w5585ak4zbnp3y")
+ (debian-patch
"bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch"
+ "0qf8a3ggvvdhph9gvbfbh1645d60xclxwlnhhxpgakih6c60h6dn")
+ (debian-patch "bugfix/all/sunrpc-refactor-svc_set_num_threads.patch"
+ "1fgcpf1cqi4j4br29snlzl48cz62dyg0fyrxihn2v3zapfpf9yhv")
+ (debian-patch "bugfix/all/nfsv4-fix-callback-server-shutdown.patch"
+ "00cwa4kkjjffh813n9j2m3541fg08hrvcnr5d2bz68bc2rijvpn3"))))
+
(define-public linux-libre-4.9
(make-linux-libre "4.9.41"
"1mkx7rvcny8b0yjkzd8zc53d15h1w8y75m0x6jx0dz3r9y3k0nql"
%intel-compatible-systems
- #:configuration-file kernel-config))
+ #:configuration-file kernel-config
+ #:patches
+ (cons %boot-logo-patch
+ debian-patches-for-linux-libre-4.9)))
(define-public linux-libre-4.4
(make-linux-libre "4.4.80"
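Review bot: The `uri` built in `debian-patch` selects each patch by a branch/tag name (`?h=debian/4.9.30-2%2bdeb9u2`) rather than a commit id, so the origin is not an immutable reference; the `sha256` check does make a moved ref fail closed instead of silently fetching different content, but pinning the cgit `id=` of that tag's commit would make the download stable as well as verified. The configuration hunks in this same commit enable `CONFIG_SECURITY_SECURELEVEL`, `CONFIG_EFI_SECURE_BOOT_SECURELEVEL` and `CONFIG_SECURITY_PERF_EVENTS_RESTRICT`, options that only exist once the securelevel and perf patches in this list are applied, and nothing in the code records that coupling; a comment above the `list` such as `;; Keep in sync with aux-files/linux-libre/4.9-*.conf: the SECURELEVEL and PERF_EVENTS_RESTRICT options only exist with these patches applied.` would stop the two from drifting apart unnoticed. The patch set is taken from a 4.9.30-based Debian revision but applied to linux-libre 4.9.41, so some entries under ";; Security fixes" may by then be present in the stable tree and fail to apply; the stable version this list was last verified against is worth recording in the same comment. The `define-public linux-libre-4.4` form begun on the last context line continues outside the hunk.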
--
2.14.0