The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).
The LSM allows configuring a whitelist policy of permitted from:to uid
transitions. The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
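
An added example, not part of the original commit message or of the kernel's own code: a POSIX shell loader for the from:to policy described above. It assumes securityfs is mounted at /sys/kernel/security, that each write to add_whitelist_policy carries one from:to pair of decimal uids, and that any write to flush_whitelist_policies clears the policy; the function names, the SAFESETID_DIR variable and the refusal of entries targeting uid 0 are choices made for this example.

```sh
#!/bin/sh
# Added example (not kernel or nixpkgs code): validate, then load, a SafeSetID policy.
# Assumptions: securityfs is mounted at /sys/kernel/security; one decimal
# "from:to" pair per write; any write to the flush file clears the policy.
SAFESETID_DIR="${SAFESETID_DIR:-/sys/kernel/security/safesetid}"

# Succeeds if $1 is a well-formed from:to pair whose target is not uid 0.
valid_policy_line() {
    case "$1" in
        *[!0-9:]*|*:*:*|:*|*:) return 1 ;;   # junk, extra field, empty side
        *:*) ;;                              # exactly one colon, digits only
        *) return 1 ;;                       # no colon at all
    esac
    to=${1#*:}
    # Example-specific rule: the LSM is meant for dropping privileges,
    # so an entry that permits a transition to root is refused.
    [ "$to" -ne 0 ]
}

# Usage: load_safesetid_policy FILE   (needs privilege to write securityfs)
# Every entry is checked before the old policy is flushed, so a typo in
# FILE cannot leave the system with an empty or half-loaded policy.
load_safesetid_policy() {
    entries=$(grep -v -e '^[[:space:]]*$' -e '^#' "$1") || return 1
    for e in $entries; do
        valid_policy_line "$e" || { echo "rejected: $e" >&2; return 2; }
    done
    printf 'flush\n' > "$SAFESETID_DIR/flush_whitelist_policies" || return 3
    for e in $entries; do
        printf '%s\n' "$e" > "$SAFESETID_DIR/add_whitelist_policy" || return 3
    done
}
```

Blank lines and lines starting with `#` in the policy file are skipped; return code 2 means an entry was rejected and nothing was written.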
In 5.0 these functions were removed from the public interface; also, zfs needs
them for AVX/AES-NI support. Without this patch, for example, throughput on an
encrypted zfs dataset drops to 200 MB/s from 1.2 GB/s. These functions were
removed as there was no user within the Linux kernel tree itself.
Newer versions of perf in Linux 5.1+ support disassembling and
annotating eBPF programs inside the kernel. In order to do this, it uses
libbfd's support for bpf disassembly. There are two parts: libopcodes
and libbfd.
The 'perf' build system seems to expect libopcodes/libbfd to go "hand in
hand" -- always together, if one or the other is installed. If the build
system detects libbfd is available, then an import of <dis-asm.h> is
performed, but this fails since it wasn't in the buildInput. Fixing this
should be an easy, backwards-compatible change.
Fixes #60891, allowing linuxPackages_testing.perf to build again
(currently kernel version 5.1.0-rc7).
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Fixes https://github.com/NixOS/nixpkgs/issues/58070, and brings NixOS
into line with Ubuntu/Fedora/Arch/etc.
Tested that all kernels in Nixpkgs that build before this change build
after it.
Mailing list announcement:
the Multipath TCP Kernel v0.94.3 has been released, containing important
bug-fixes (thanks to syzkaller) and perf-improvements.
This release is based on Linux v4.14.105.
Everybody should update to the latest kernel.
Multipath TCP Linux Kernel v0.94.3
=====
Benjamin Hesmans <benjamin.hesmans@uclouvain.be> (1):
[3f01458be8cc] mptcp: checksum corner case
Christoph Paasch <cpaasch@apple.com> (21):
[287af08b7193] mptcp: Trigger sending when new subflow gets established
[a284ba1574f5] mptcp: Reinject data when the write-queue gets purged
[9ac97e3324ec] mptcp: Build-Fix for mptcp_push_pending_frames
[68e3b3cc6204] mptcp: Don't allow TCP_REPAIR on MPTCP-sockets
[6d58ca87a125] mptcp: Rework mptcp_disconnect
[1b142d9b94f9] mptcp: Initialize IPv6-fields even more correctly
[247a77e1d4e0] mptcp: Fully disable MD5SIG
[97543fe0b8b8] mptcp: Reset icsk_bind_hash to NULL to avoid use-after-free in inet_put_port
[d307e46cc3f9] mptcp: Initialize meta_tp after potentially failing instructions
[da42a64cf11e] mptcp: Don't free mpcb when mptcp_alloc_mpcb succeeded
[71b3bf995bcd] mptcp: Prevent circular locking dependency on tcp_close()
[444bf8c76806] mptcp: Ensure proper free'ing of master_sk upon failure
[15afe58a959e] mptcp: Handle error-case for MPTCP-Fastopen
[73db90da684c] mptcp: Unify usage of rcu_read_lock_bh,...
[f266d120c091] mptcp: Fix error-cases in TCP_SYNCOOKIES path
[872427427624] mptcp: Support randomized Timestamps on SYN-Cookies
[c3e29b9cace0] mptcp: Do not lock in tcp_get_info for MPTCP_INFO
[1bc2adaf003d] mptcp: Trigger meta-retransmission always when the timer fired
[a947ef46d5e1] mptcp: Don't update meta-RTO from subflows that are retransmitting
[619d44cae638] mptcp: Reevalute and reschedule meta-level RTO for new subflows
[310b6838cab0] mptcp: Stable Release v0.94.3
Matthieu Baerts <matthieu.baerts@tessares.net> (1):
[34154a943635] mptcp: Build-Fix with CONFIG_MEMCG
How to install (if you have our bintray repositories setup)
=====
The config-file of these pre-compiled images has also been updated with more
complete configurations, including also CONFIG_MEMCG (cfr.:
https://github.com/multipath-tcp/mptcp/issues/321).