summaryrefslogtreecommitdiff
path: root/sys-fs
diff options
context:
space:
mode:
authorThomas Sachau <tommy@gentoo.org>2010-06-22 16:58:38 +0000
committerThomas Sachau <tommy@gentoo.org>2010-06-22 16:58:38 +0000
commit4e4e287ea0b09b502bae6685fb8d90c80c092d84 (patch)
tree6fdff40ce42404568f05c6b7c10df9571e831112 /sys-fs
parentMerge svnserve.confd and svnserve.confd2. (diff)
downloadgentoo-2-4e4e287ea0b09b502bae6685fb8d90c80c092d84.tar.gz
gentoo-2-4e4e287ea0b09b502bae6685fb8d90c80c092d84.tar.bz2
gentoo-2-4e4e287ea0b09b502bae6685fb8d90c80c092d84.zip
Fix bug 321653, bug 323029 and a compile error with hardened-sources
(Portage version: 2.2_rc67-r8/cvs/Linux x86_64)
Diffstat (limited to 'sys-fs')
-rw-r--r--sys-fs/aufs2/ChangeLog6
-rw-r--r--sys-fs/aufs2/aufs2-0_p20100524.ebuild9
-rw-r--r--sys-fs/aufs2/files/pax.patch135
3 files changed, 146 insertions, 4 deletions
diff --git a/sys-fs/aufs2/ChangeLog b/sys-fs/aufs2/ChangeLog
index ecc4580a3946..844c3735026a 100644
--- a/sys-fs/aufs2/ChangeLog
+++ b/sys-fs/aufs2/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-fs/aufs2
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-fs/aufs2/ChangeLog,v 1.22 2010/06/05 22:55:07 tommy Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-fs/aufs2/ChangeLog,v 1.23 2010/06/22 16:58:38 tommy Exp $
+
+ 22 Jun 2010; Thomas Sachau (Tommy[D]) <tommy@gentoo.org>
+ aufs2-0_p20100524.ebuild, +files/pax.patch:
+ Fix bug 321653, bug 323029 and a compile error with hardened-sources
05 Jun 2010; Thomas Sachau (Tommy[D]) <tommy@gentoo.org>
aufs2-0_p20100524.ebuild:
diff --git a/sys-fs/aufs2/aufs2-0_p20100524.ebuild b/sys-fs/aufs2/aufs2-0_p20100524.ebuild
index 866165127999..d968ae862c1a 100644
--- a/sys-fs/aufs2/aufs2-0_p20100524.ebuild
+++ b/sys-fs/aufs2/aufs2-0_p20100524.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-fs/aufs2/aufs2-0_p20100524.ebuild,v 1.2 2010/06/05 22:55:07 tommy Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-fs/aufs2/aufs2-0_p20100524.ebuild,v 1.3 2010/06/22 16:58:38 tommy Exp $
EAPI="2"
@@ -13,7 +13,7 @@ SRC_URI="mirror://gentoo/${P}.tar.bz2"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~amd64 ~x86"
-IUSE="debug inotify kernel-patch nfs ramfs"
+IUSE="debug inotify hardened kernel-patch nfs ramfs"
DEPEND="dev-vcs/git"
RDEPEND="!sys-fs/aufs"
@@ -65,6 +65,9 @@ src_prepare() {
if use ramfs; then
sed -i "s:RAMFS =:RAMFS = y:g" config.mk || die
fi
+ if use hardened ; then
+ epatch "${FILESDIR}"/pax.patch
+ fi
cd "${WORKDIR}"/${PN}-util
sed -i "/LDFLAGS += -static -s/d" Makefile || die
@@ -86,7 +89,7 @@ src_install() {
docinto design
dodoc design/*.txt || die
cd "${WORKDIR}"/${PN}-util
- emake DESTDIR="${D}" install || die
+ emake DESTDIR="${D}" KDIR=${KV_DIR} install || die
docinto
newdoc README README-utils || die
}
diff --git a/sys-fs/aufs2/files/pax.patch b/sys-fs/aufs2/files/pax.patch
new file mode 100644
index 000000000000..df53004daddb
--- /dev/null
+++ b/sys-fs/aufs2/files/pax.patch
@@ -0,0 +1,135 @@
+commit 584bf002ec62a333840b87193b93ee5a521063f7
+Author: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Thu May 27 11:28:41 2010 +0900
+
+ aufs: dynop supports grsec/pax patch
+
+ The grsec/pax patches make member of struct brabra_operation 'const.'
+ I don't understand why they need these 'const'. They modifies some of
+ structures, but other structures.
+ What do they want to protect from what?
+
+ The keyword 'const' is essentially a feature of C language and it never
+ modifes the behaviour of software. It just prohibits the assignment (or
+ modification) to a variable which is expected not to be modified.
+ In other word, it is a feature for programmers and doesn't enhance the
+ security level. Actually programmers can bypass 'const' easily by
+ indirect assignment as this patch does.
+
+ Also the grsec/pax patches modifies some assignments to the member
+ of struct brabra_operation in mainline kernel, but they don't make the
+ confirmation fot that. For example, they replaced these assignments by
+ declaring a structure statically.
+
+ - /* inherit and extend fuse_dev_operations */
+ - cuse_channel_fops = fuse_dev_operations;
+ - cuse_channel_fops.owner = THIS_MODULE;
+ - cuse_channel_fops.open = cuse_channel_open;
+ - cuse_channel_fops.release = cuse_channel_release;
+
+ +static const struct file_operations cuse_channel_fops = {
+ + .owner = THIS_MODULE,
+ + .llseek = no_llseek,
+ + .read = do_sync_read,
+ + .aio_read = fuse_dev_read,
+ + .write = do_sync_write,
+ + .aio_write = fuse_dev_write,
+ + .poll = fuse_dev_poll,
+ + .open = cuse_channel_open,
+ + .release = cuse_channel_release,
+ + .fasync = fuse_dev_fasync,
+ +};
+
+ By this modification, there exists major possible future problem I am
+ afraid. _If_ fuse_dev_operations is modified, then this code needs to
+ follow the change. But it is hard to detect such modification since
+ there is no trick to do so. Generally it is recommended to put code such
+ like this.
+
+ ----------------------------------------------------------------------
+ int n;
+ n++;
+ BUG_ON(super.member != derive.member);
+ } while (0);
+
+ n++; /* owner */
+ MakeSure(fuse_dev_operations, cuse_channel_fops, llseek);
+ MakeSure(fuse_dev_operations, cuse_channel_fops, read);
+ :::
+ BUG_ON(n != sizeof(cuse_channel_fops)/sizeof(cuse_channel_fops.owner));
+ ----------------------------------------------------------------------
+
+ This piece of code ensures two things.
+ - cuse_channel_fops correctly inherits fuse_dev_operations, eg. all
+ members are equivalent except the overrided ones.
+ - if some members are added or deleted from struct file_operations, it
+ should be detected by a debugging feature, the variable 'n'.
+
+ Without such trick, I am afraid the simple modification is a regression.
+
+ Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
+
+diff --git a/fs/aufs/dynop.c b/fs/aufs/dynop.c
+index 12ea894..109d3bb 100644
+--- a/fs/aufs/dynop.c
++++ b/fs/aufs/dynop.c
+@@ -146,11 +146,22 @@ void au_dy_put(struct au_dykey *key)
+ #define DyDbgInc(cnt) do {} while (0)
+ #endif
+
++#define AuGrsecPaxPtr(func, dst, src) do { \
++ union { \
++ const void *o; \
++ char **p; \
++ } u; \
++ BUILD_BUG_ON(sizeof(u.o) != sizeof(&dst.func)); \
++ BUILD_BUG_ON(sizeof(*u.p) != sizeof(src.func)); \
++ u.o = (void *)&dst.func; \
++ *u.p = (void *)src.func; \
++} while (0)
++
+ #define DySet(func, dst, src, h_op, h_sb) do { \
+ DyDbgInc(cnt); \
+ if (h_op->func) { \
+ if (src.func) \
+- dst.func = src.func; \
++ AuGrsecPaxPtr(func, dst, src); \
+ else \
+ AuDbg("%s %s\n", au_sbtype(h_sb), #func); \
+ } \
+@@ -159,7 +170,7 @@ void au_dy_put(struct au_dykey *key)
+ #define DySetForce(func, dst, src) do { \
+ AuDebugOn(!src.func); \
+ DyDbgInc(cnt); \
+- dst.func = src.func; \
++ AuGrsecPaxPtr(func, dst, src); \
+ } while (0)
+
+ #define DySetAop(func) \
+@@ -297,14 +308,21 @@ out:
+ */
+ static void dy_adx(struct au_dyaop *dyaop, int do_dx)
+ {
++ union {
++ void *direct_IO, *get_xip_mem;
++ } grsec_pax_dummy = {
++ .get_xip_mem = NULL
++ };
++
+ if (!do_dx) {
+- dyaop->da_op.direct_IO = NULL;
+- dyaop->da_op.get_xip_mem = NULL;
++ AuGrsecPaxPtr(direct_IO, dyaop->da_op, grsec_pax_dummy);
++ AuGrsecPaxPtr(get_xip_mem, dyaop->da_op, grsec_pax_dummy);
+ } else {
+- dyaop->da_op.direct_IO = aufs_aop.direct_IO;
+- dyaop->da_op.get_xip_mem = aufs_aop.get_xip_mem;
++ AuGrsecPaxPtr(direct_IO, dyaop->da_op, aufs_aop);
++ AuGrsecPaxPtr(get_xip_mem, dyaop->da_op, aufs_aop);
+ if (!dyaop->da_get_xip_mem)
+- dyaop->da_op.get_xip_mem = NULL;
++ AuGrsecPaxPtr(get_xip_mem, dyaop->da_op,
++ grsec_pax_dummy);
+ }
+ }
+