diff -pruN 2:3.3.17-6/debian/changelog 2:3.3.17-6ubuntu2/debian/changelog
--- 2:3.3.17-6/debian/changelog	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/changelog	2022-02-25 11:57:56.000000000 +0000
@@ -1,3 +1,43 @@
+procps (2:3.3.17-6ubuntu2) jammy; urgency=medium
+
+  * Add basic autopkgtest to validate sysctl-defaults (LP: #1962038)
+
+ -- Lukas Märdian <slyon@ubuntu.com>  Fri, 25 Feb 2022 12:57:56 +0100
+
+procps (2:3.3.17-6ubuntu1) jammy; urgency=low
+
+  * Merge from Debian unstable (LP: #1961805). 
+    Remaining changes:
+      - debian/sysctl.d (Ubuntu-specific):
+        + 10-console-messages.conf: stop low-level kernel messages on console.
+        + 10-kernel-hardening.conf: add the kptr_restrict setting
+        + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+          for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+        + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+          critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+        + 10-network-security.conf: enable rp_filter.
+        + 10-ptrace.conf: describe new PTRACE setting.
+        + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+          for armhf, and arm64.
+        + 10-qemu.conf.s390x for qemu.
+      - debian/rules: Fix cross build
+      - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+        writing, don't error out.  Otherwise package upgrades can fail,
+        especially in containers.
+        - Adjust logic due to rc no longer being propagated (LP: #1903351)
+      - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+        part of /proc is read/only.
+        - Adjust logic due to rc no longer being propagated (LP: #1903351)
+      - debian/procps.maintscript: handle migration of link-protect.conf from
+        /etc to /usr.
+    Dropped changes:
+      - debian/README.sysctl: Debian has added this information.
+      - debian/procps.install: debian/protect-links.conf has been re-named to
+        debian/99-protect-links.conf, so it can be safely installed again
+        (see LP: #1938585 for background).
+
+ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Fri, 18 Feb 2022 16:49:15 -0500
+
 procps (2:3.3.17-6) unstable; urgency=medium
 
   * Add reload option for init script Closes: #991151
@@ -7,6 +47,61 @@ procps (2:3.3.17-6) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Thu, 13 Jan 2022 19:46:59 +1100
 
+procps (2:3.3.17-5ubuntu3) impish; urgency=medium
+
+  * Remove /usr/lib/sysctl.d/protect-links.conf (LP: #1938585)
+
+ -- Dan Streetman <ddstreet@canonical.com>  Fri, 30 Jul 2021 12:17:48 -0400
+
+procps (2:3.3.17-5ubuntu2) impish; urgency=medium
+
+  * Clean up switch statement for ignore_erofs case (LP: #1903351)
+
+ -- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Tue, 01 Jun 2021 14:10:29 -0500
+
+procps (2:3.3.17-5ubuntu1) impish; urgency=low
+
+  * Merge from Debian unstable.
+    Remaining changes:
+      - autopkgtest for LP: #1874824. Submitted to debian as bug 988792
+      - debian/sysctl.d (Ubuntu-specific):
+        + 10-console-messages.conf: stop low-level kernel messages on console.
+        + 10-kernel-hardening.conf: add the kptr_restrict setting
+        + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+          for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+        + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+          critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+        + 10-network-security.conf: enable rp_filter.
+        + 10-ptrace.conf: describe new PTRACE setting.
+        + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+          for armhf, and arm64.
+        + 10-qemu.conf.s390x for qemu.
+        + README: describe how this directory is supposed to work.
+      - debian/rules: Fix cross build
+      - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+        writing, don't error out.  Otherwise package upgrades can fail,
+        especially in containers.
+        - Adjust logic due to rc no longer being propagated (LP: #1903351)
+      - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+        part of /proc is read/only.
+        - Adjust logic due to rc no longer being propagated (LP: #1903351)
+      - debian/procps.maintscript: handle migration of link-protect.conf from
+        /etc to /usr.
+    Justification of dropped patches
+      - missing_potfiles_in: Debian has now added this code in POTFILES.in
+        so the patch is no longer needed
+      - pmap_test: This patch disables some tests that are not causing
+        any problems. These tests are run in Debian so should be run
+        in Ubuntu as well
+      - top_config_file_bwcompat: Debian has applied this code upstream so
+        the patch is no longer needed
+      - tar-version: Debian has applied this code upstream so the patch is
+        no longer needed
+      - stack_limit: Debian has applied this code upstream so the patch is
+        no longer needed
+
+ -- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Wed, 19 May 2021 09:24:31 +0000
+
 procps (2:3.3.17-5) unstable; urgency=medium
 
   * Add break/replace for conflicting manpages-fr-extra Closes: #986276
@@ -47,6 +142,48 @@ procps (2:3.3.17-1) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Tue, 09 Feb 2021 21:50:10 +1100
 
+procps (2:3.3.16-5ubuntu3) hirsute; urgency=medium
+
+  * Address slowness and crashes with large or unlimited stack limits
+    (LP: #1874824)
+
+ -- William 'jawn-smith' Wilson <william.wilson@canonical.com>  Wed, 24 Mar 2021 10:09:08 -0500
+
+procps (2:3.3.16-5ubuntu2) groovy; urgency=medium
+
+  * debian/sysctl.d/10-kernel-hardening.conf:
+    - Add documentation for DMESG_RESTRICT feature, and allow users to
+      disable by uncommenting kernel.dmesg_restrict=0. (LP: #1886112)
+
+ -- Matthew Ruffell <matthew.ruffell@canonical.com>  Thu, 23 Jul 2020 16:59:38 +1200
+
+procps (2:3.3.16-5ubuntu1) groovy; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+    - debian/procps.maintscript: handle migration of link-protect.conf from
+      /etc to /usr.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 09 Jun 2020 13:18:24 -0700
+
 procps (2:3.3.16-5) unstable; urgency=medium
 
   * programs report version correctly Closes: #960810
@@ -54,6 +191,35 @@ procps (2:3.3.16-5) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Sun, 17 May 2020 09:45:41 +1000
 
+procps (2:3.3.16-4ubuntu1) groovy; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+    - debian/procps.maintscript: handle migration of link-protect.conf from
+      /etc to /usr.
+  * 10-link-restrictions.conf: was not correctly dropped in focal, drop it
+    fully now.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 01 May 2020 05:54:27 -0700
+
 procps (2:3.3.16-4) unstable; urgency=medium
 
   * Use correct package version on removing conffile Closes: #951293
@@ -77,6 +243,49 @@ procps (2:3.3.16-2) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Tue, 25 Feb 2020 08:08:40 +1100
 
+procps (2:3.3.16-1ubuntu2) focal; urgency=medium
+
+  * Fix libprocps.so link target to point to the library we actually ship.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 26 Feb 2020 21:52:07 -0800
+
+procps (2:3.3.16-1ubuntu1) focal; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+    - 10-network-security.conf: change the rp_filter default from 1 to 2,
+      the strict mode isn't compatible with the n-m handling of 
+      captive portals
+  * Dropped changes, superseded upstream:
+    - d/p/pgrep-increase-CMDSTRSIZE.patch: Allow long command lines to be
+      searched.
+  * Dropped changes, no longer needed:
+    - 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+    - 10-link-restrictions.conf: this is redundant with link-protect.conf
+      from Debian.
+  * debian/procps.maintscript: handle migration of link-protect.conf from
+    /etc to /usr.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 13 Feb 2020 22:53:02 -0800
+
 procps (2:3.3.16-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
@@ -93,6 +302,51 @@ procps (2:3.3.16-1) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Fri, 07 Feb 2020 19:05:09 +1100
 
+procps (2:3.3.15-2ubuntu3) eoan; urgency=medium
+
+  * d/p/pgrep-increase-CMDSTRSIZE.patch:
+    - Allows long command lines to be searched.
+    eg: Java process with a long classpath. (LP: #1839329)
+
+ -- Eric Desrochers <eric.desrochers@canonical.com>  Thu, 08 Aug 2019 16:46:48 +0000
+
+procps (2:3.3.15-2ubuntu2) disco; urgency=medium
+
+  * 10-network-security.conf: change the rp_filter default from 1 to 2,
+    the strict mode isn't compatible with the n-m handling of 
+    captive portals (lp: #1814262)
+
+ -- Sebastien Bacher <seb128@ubuntu.com>  Thu, 07 Feb 2019 23:46:43 +0100
+
+procps (2:3.3.15-2ubuntu1) cosmic; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-link-restrictions.conf: even though the Ubuntu
+        kernel is built with these defaults in place, we want to make sure
+        that people running stock kernels don't miss out.
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Tue, 05 Jun 2018 11:20:00 -0700
+
 procps (2:3.3.15-2) unstable; urgency=medium
 
   * Fix link in libprocps-dev Closes: 900239
@@ -100,6 +354,38 @@ procps (2:3.3.15-2) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Thu, 31 May 2018 19:42:46 +1000
 
+procps (2:3.3.15-1ubuntu1) cosmic; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-link-restrictions.conf: even though the Ubuntu
+        kernel is built with these defaults in place, we want to make sure
+        that people running stock kernels don't miss out.
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+  * Drop redundant setting of net.ipv4.tcp_syncookies=1, it is now the kernel's default
+    (LP: #1773157)
+  * Update README about new commands for reloading configuration (LP: #1719159)
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Fri, 25 May 2018 12:09:30 +0200
+
 procps (2:3.3.15-1) unstable; urgency=medium
 
   * New upstream release Closes: #899170
@@ -145,6 +431,35 @@ procps (2:3.3.12-4) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Sat, 10 Feb 2018 10:59:11 +1100
 
+procps (2:3.3.12-3ubuntu1) bionic; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-link-restrictions.conf: even though the Ubuntu
+        kernel is built with these defaults in place, we want to make sure
+        that people running stock kernels don't miss out.
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter and SYN-flood protection.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Wed, 17 Jan 2018 23:35:48 +0100
+
 procps (2:3.3.12-3) unstable; urgency=medium
 
   [ Sven Joachim <svenjoac@gmx.de> ]
@@ -167,6 +482,44 @@ procps (2:3.3.12-2) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Wed, 13 Jul 2016 21:20:48 +1000
 
+procps (2:3.3.12-1ubuntu2) yakkety; urgency=medium
+
+  * Remove strtod_nol tests Closes: #830733
+    (Cherry-picked from Debian packaging git).
+  * Only have one installinit override, thanks Sven! Closes: #827423
+    (Cherry-picked from Debian packaging git).
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 12 Jul 2016 08:07:11 +0200
+
+procps (2:3.3.12-1ubuntu1) yakkety; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-link-restrictions.conf: even though the Ubuntu
+        kernel is built with these defaults in place, we want to make sure
+        that people running stock kernels don't miss out.
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter and SYN-flood protection.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 11 Jul 2016 22:30:18 +0200
+
 procps (2:3.3.12-1) unstable; urgency=medium
 
   [ Helmut Grohne <helmut@subdivi.de> ]
@@ -192,6 +545,42 @@ procps (2:3.3.12-1) unstable; urgency=me
 
  -- Craig Small <csmall@debian.org>  Sun, 10 Jul 2016 17:39:28 +1000
 
+procps (2:3.3.11-3ubuntu1) yakkety; urgency=medium
+
+  [ Martin Pitt ]
+  * Merge from Debian unstable.  Remaining changes:
+    - debian/sysctl.d (Ubuntu-specific):
+      + 10-console-messages.conf: stop low-level kernel messages on console.
+      + 10-kernel-hardening.conf: add the kptr_restrict setting
+      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
+      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
+        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
+      + 10-link-restrictions.conf: even though the Ubuntu
+        kernel is built with these defaults in place, we want to make sure
+        that people running stock kernels don't miss out.
+      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
+        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
+      + 10-network-security.conf: enable rp_filter and SYN-flood protection.
+      + 10-ptrace.conf: describe new PTRACE setting.
+      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back.
+        for armhf, and arm64.
+      + 10-qemu.conf.s390x for qemu.
+      + README: describe how this directory is supposed to work.
+    - debian/upstart (Ubuntu-specific): upstart configuration to replace old
+      style sysv init script
+    - debian/rules: Fix cross build
+    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
+      writing, don't error out.  Otherwise package upgrades can fail,
+      especially in containers.
+    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
+      part of /proc is read/only.
+
+   [ Craig Small ]
+   * Dropped initscript dependency Closes: #804966
+     [Taken from Debian packaging git]
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 20 May 2016 18:09:37 +0200
+
 procps (2:3.3.11-3) unstable; urgency=medium
 
   * New upstream source (from experimental)
@@ -1688,3 +2077,4 @@ procps (1.09) experimental; urgency=low
     (i.e. it will  look like this if there is not too much resistance).
 
  -- Helmut Geyer <Helmut.Geyer@iwr.uni-heidelberg.de>  Sat, 5 Oct 1996 14:26:57 +0200
+
diff -pruN 2:3.3.17-6/debian/compat 2:3.3.17-6ubuntu2/debian/compat
--- 2:3.3.17-6/debian/compat	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/compat	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1 @@
+11
diff -pruN 2:3.3.17-6/debian/control 2:3.3.17-6ubuntu2/debian/control
--- 2:3.3.17-6/debian/control	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/control	2022-02-25 11:32:20.000000000 +0000
@@ -1,8 +1,9 @@
 Source: procps
 Section: admin
 Priority: optional
-Maintainer: Craig Small <csmall@debian.org>
-Build-Depends: debhelper-compat (= 13),
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Craig Small <csmall@debian.org>
+Build-Depends: debhelper (>= 11),
     dh-exec (>= 0.3),
     libncurses5-dev, libncursesw5-dev,
     dejagnu,
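Review bot: The `Build-Depends: debhelper (>= 11)` line, together with the new `debian/compat` file containing `11`, moves the package back from Debian's `debhelper-compat (= 13)`. The 2:3.3.17-6ubuntu1 changelog entry in this diff does not list that among its remaining changes. If the downgrade is not intentional, keeping `debhelper-compat (= 13)` and dropping `debian/compat` would shrink the delta. If it is intentional, it deserves a line under "Remaining changes" so the next merger knows why it is carried.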
diff -pruN 2:3.3.17-6/debian/patches/ignore_eaccess.patch 2:3.3.17-6ubuntu2/debian/patches/ignore_eaccess.patch
--- 2:3.3.17-6/debian/patches/ignore_eaccess.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/patches/ignore_eaccess.patch	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,18 @@
+Description: Ignore EACCESS when writing a new setting
+ If we are running in a container, we're not allowed to write to any
+ non-namespaced sysctls.
+Author: Vincent Fazio <vfazio@xes-inc.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1157643
+
+Index: procps-3.3.16/sysctl.c
+===================================================================
+--- procps-3.3.16.orig/sysctl.c
++++ procps-3.3.16/sysctl.c
+@@ -459,6 +459,7 @@ static int WriteSetting(const char *sett
+ 		case EPERM:
+ 		case EROFS:
+ 		case EACCES:
++			ignore_failure = true;
+ 			xwarnx(_("permission denied on key \"%s\"%s"), outname, (ignore_failure?_(", ignoring"):""));
+ 			break;
+ 		default:
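Review bot: The added `ignore_failure = true;` sits under the shared `case EPERM:` / `case EROFS:` / `case EACCES:` labels, so it applies to all three errno values although the Description names only EACCES, and it overwrites whatever value `ignore_failure` held on entry. A denied write then produces only the "permission denied ..., ignoring" warning, and presumably no longer reaches the exit status, so a hardening key from sysctl.d that could not be set looks like success to anything that checks the return code. I would state this in the patch header, e.g. `Write failures with EPERM, EROFS or EACCES are downgraded to a warning; check stderr to see which keys were not applied.` The ternary in the `xwarnx` call is now always true and could be simplified. `WriteSetting` starts and ends outside the hunk.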
diff -pruN 2:3.3.17-6/debian/patches/ignore_erofs.patch 2:3.3.17-6ubuntu2/debian/patches/ignore_erofs.patch
--- 2:3.3.17-6/debian/patches/ignore_erofs.patch	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/patches/ignore_erofs.patch	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,26 @@
+Description: Ignore EROFS when writing a new setting
+ If we are running in a container, we're not allowed to write to any
+ non-namespaced sysctls.
+Author: Vincent Fazio <vfazio@xes-inc.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1419554
+Last-Update: 2020-11-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: procps-3.3.17-5ubuntu1/sysctl.c
+===================================================================
+--- procps-3.3.17-5ubuntu1.orig/sysctl.c
++++ procps-3.3.17-5ubuntu1/sysctl.c
+@@ -457,11 +457,12 @@ static int WriteSetting(const char *sett
+ 			}
+ 			break;
+ 		case EPERM:
+-		case EROFS:
+ 		case EACCES:
+ 			ignore_failure = true;
+ 			xwarnx(_("permission denied on key \"%s\"%s"), outname, (ignore_failure?_(", ignoring"):""));
+ 			break;
++		case EROFS:
++			ignore_failure = true;
+ 		default:
+ 			xwarn(_("setting key \"%s\"%s"), outname, (ignore_failure?_(", ignoring"):""));
+ 			break;
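Review bot: The new `case EROFS:` sets `ignore_failure = true;` and then runs into `default:` with no `break` and no marker, so a reader cannot tell whether sharing the `xwarn` message is intended, and builds with `-Wimplicit-fallthrough` will warn here. If it is intended, add `/* fall through */` after the assignment. The Description is also copied from the EACCES patch; it should say that this covers a read-only /proc, which is the reason the changelog gives. `WriteSetting` continues outside the hunk.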
diff -pruN 2:3.3.17-6/debian/patches/series 2:3.3.17-6ubuntu2/debian/patches/series
--- 2:3.3.17-6/debian/patches/series	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/patches/series	2022-02-25 11:32:20.000000000 +0000
@@ -3,6 +3,8 @@ remove_strtod_tests
 watch_hostname_max_define
 disable_sched_test
 uptime_test
+ignore_eaccess.patch
+ignore_erofs.patch
 ps_checks
 pwait_rename
 test_proc_siginfo
diff -pruN 2:3.3.17-6/debian/procps.install 2:3.3.17-6ubuntu2/debian/procps.install
--- 2:3.3.17-6/debian/procps.install	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/procps.install	2022-02-25 11:32:20.000000000 +0000
@@ -1,6 +1,7 @@
 # Files to install for non-kfreebsd and non-hurd systems
 # I think that just means linux
 debian/sysctl.conf etc
+etc/sysctl.d/*
 debian/99-protect-links.conf usr/lib/sysctl.d
 debian/README.sysctl etc/sysctl.d
 bbin/* bin
diff -pruN 2:3.3.17-6/debian/procps.maintscript 2:3.3.17-6ubuntu2/debian/procps.maintscript
--- 2:3.3.17-6/debian/procps.maintscript	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/procps.maintscript	2022-02-25 11:32:20.000000000 +0000
@@ -1,2 +1,3 @@
-rm_conffile /etc/sysctl.d/protect-links.conf 2:3.3.16-4~ procps
+rm_conffile /etc/sysctl.d/protect-links.conf 2:3.3.16-1ubuntu1~
+rm_conffile /etc/sysctl.d/10-link-restrictions.conf 2:3.3.16-4ubuntu1~
 mv_conffile /usr/lib/sysctl.d/protect-links.conf /usr/lib/sysctl.d/99-protect-links.conf 2:3.3.17-6~ procps
diff -pruN 2:3.3.17-6/debian/rules 2:3.3.17-6ubuntu2/debian/rules
--- 2:3.3.17-6/debian/rules	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/rules	2022-02-25 11:32:20.000000000 +0000
@@ -7,11 +7,17 @@ PACKAGE="procps"
 DEBROOT=$(CURDIR)/debian/tmp
 
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
 DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
 DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
 configure_flags += --host=$(DEB_HOST_GNU_TYPE)
+CROSS = PKG_CONFIG=$(DEB_HOST_GNU_TYPE)-pkg-config \
+	ac_cv_func_malloc_0_nonnull=yes \
+	ac_cv_func_realloc_0_nonnull=yes
+else
+CROSS=
 endif
 
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
@@ -24,7 +30,7 @@ endif
 	dh $@
 
 override_dh_auto_configure:
-	./configure \
+	$(CROSS) ./configure \
 	  $(configure_flags) \
 	  --build=$(DEB_BUILD_GNU_TYPE) \
 	  --disable-silent-rules \
@@ -34,7 +40,9 @@ override_dh_auto_configure:
 	  --disable-modern-top \
 	  --prefix=/usr \
 	  --exec-prefix=/ \
-	  --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)
+	  --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
+	  --build=$(DEB_BUILD_GNU_TYPE) \
+	  --host=$(DEB_HOST_GNU_TYPE) \
 
 
 override_dh_auto_install: $(autogen-files)
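Review bot: The two added options repeat what the command already gets: `--build=$(DEB_BUILD_GNU_TYPE)` is passed a few lines earlier in the same `./configure` call, and `--host=$(DEB_HOST_GNU_TYPE)` is already appended to `configure_flags` for cross builds. The last added line also ends in a backslash, so the recipe line continues onto the blank line after it, which breaks as soon as someone puts text there. I would drop both additions and keep `--libdir=/usr/lib/$(DEB_HOST_MULTIARCH)` as the final argument with no trailing backslash.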
@@ -43,6 +51,23 @@ override_dh_auto_install: $(autogen-file
 	mv $(DEBROOT)/bin/kill $(DEBROOT)/bbin/
 	mv $(DEBROOT)/bin/ps $(DEBROOT)/bbin/
 
+	# Build up sysctl.d
+	install -d $(DEBROOT)/etc/sysctl.d/
+	install --mode 644 -o root -g root debian/sysctl.d/*.conf $(DEBROOT)/etc/sysctl.d/
+ifneq (,$(wildcard debian/sysctl.d/*.conf.$(DEB_HOST_ARCH)))
+	# If a non-arch-specific default exists, install the arch-specific
+	# version of the conf in place of it, otherwise, build up a general
+	# 10-arch-specific.conf file.
+	for archconf in debian/sysctl.d/*.conf.$(DEB_HOST_ARCH); do \
+	    conf=$$(basename $$archconf .$(DEB_HOST_ARCH)); \
+	    if [ -f debian/sysctl.d/$$conf ]; then \
+		install --mode 644 -o root -g root $$archconf $(DEBROOT)/etc/sysctl.d/$$conf; \
+	    else \
+		cat $$archconf >> $(DEBROOT)/etc/sysctl.d/10-arch-specific.conf; \
+	    fi; \
+	done
+endif
+
 ifeq ($(DEB_HOST_ARCH_OS),linux)
 	# Rename pwait to pidwait as pwait is in extrace
 	(cd $(DEBROOT)/bin && mv pwait pidwait )
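Review bot: The `for archconf in ...` loop runs as a single shell command without `set -e`, so a failing `install` or `cat` for any file but the last is ignored and the build still succeeds with an arch-specific sysctl file missing from the package. Start that recipe line with `set -e; \` before the `for`. The `10-arch-specific.conf` built with `cat ... >>` also takes its mode from the build umask rather than the `--mode 644` used for the other files, and it is appended to again if the target is re-run without cleaning `$(DEBROOT)`. An explicit `chmod 644` after the loop and quoting `"$$archconf"` and `"$$conf"` would tidy that up. The `override_dh_auto_install` recipe starts and ends outside the hunk.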
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-console-messages.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-console-messages.conf
--- 2:3.3.17-6/debian/sysctl.d/10-console-messages.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-console-messages.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,3 @@
+
+# the following stops low-level messages on console
+kernel.printk = 4 4 1 7
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-ipv6-privacy.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-ipv6-privacy.conf
--- 2:3.3.17-6/debian/sysctl.d/10-ipv6-privacy.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-ipv6-privacy.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,12 @@
+# IPv6 Privacy Extensions (RFC 4941)
+# ---
+# IPv6 typically uses a device's MAC address when choosing an IPv6 address
+# to use in autoconfiguration. Privacy extensions allow using a randomly
+# generated IPv6 address, which increases privacy.
+#
+# Acceptable values:
+#    0 - don’t use privacy extensions.
+#    1 - generate privacy addresses
+#    2 - prefer privacy addresses and use them over the normal addresses.
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-kernel-hardening.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-kernel-hardening.conf
--- 2:3.3.17-6/debian/sysctl.d/10-kernel-hardening.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-kernel-hardening.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,25 @@
+# These settings are specific to hardening the kernel itself from attack
+# from userspace, rather than protecting userspace from other malicious
+# userspace things.
+#
+#
+# When an attacker is trying to exploit the local kernel, it is often
+# helpful to be able to examine where in memory the kernel, modules,
+# and data structures live. As such, kernel addresses should be treated
+# as sensitive information.
+#
+# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
+# /proc/modules, etc), and this setting can censor the addresses. A value
+# of "0" allows all users to see the kernel addresses. A value of "1"
+# limits visibility to the root user, and "2" blocks even the root user.
+kernel.kptr_restrict = 1
+
+# Access to the kernel log buffer can be especially useful for an attacker
+# attempting to exploit the local kernel, as kernel addresses and detailed
+# call traces are frequently found in kernel oops messages. Setting
+# dmesg_restrict to "0" allows all users to view the kernel log buffer,
+# and setting it to "1" restricts access to those with CAP_SYSLOG.
+#
+# dmesg_restrict defaults to 1 via CONFIG_SECURITY_DMESG_RESTRICT, only
+# uncomment the following line to disable.
+# kernel.dmesg_restrict = 0
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-magic-sysrq.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-magic-sysrq.conf
--- 2:3.3.17-6/debian/sysctl.d/10-magic-sysrq.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-magic-sysrq.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,26 @@
+# The magic SysRq key enables certain keyboard combinations to be
+# interpreted by the kernel to help with debugging. The kernel will respond
+# to these keys regardless of the current running applications.
+#
+# In general, the magic SysRq key is not needed for the average Ubuntu
+# system, and having it enabled by default can lead to security issues on
+# the console such as being able to dump memory or to kill arbitrary
+# processes including the running screen lock.
+#
+# Here is the list of possible values:
+#   0 - disable sysrq completely
+#   1 - enable all functions of sysrq
+#  >1 - enable certain functions by adding up the following values:
+#          2 - enable control of console logging level
+#          4 - enable control of keyboard (SAK, unraw)
+#          8 - enable debugging dumps of processes etc.
+#         16 - enable sync command
+#         32 - enable remount read-only
+#         64 - enable signalling of processes (term, kill, oom-kill)
+#        128 - allow reboot/poweroff
+#        256 - allow nicing of all RT tasks
+#
+#   For example, to enable both control of console logging level and
+#   debugging dumps of processes: kernel.sysrq = 10
+#
+kernel.sysrq = 176
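Review bot: The value on the last line, `kernel.sysrq = 176`, is never explained, so a reader has to decompose the bitmask by hand to learn which functions stay enabled. From the table in the comment it is 128 + 32 + 16, that is reboot/poweroff, remount read-only and sync, with process signalling (64) and debugging dumps (8) left off. I would add directly above the setting: `# 176 = 16 (sync) + 32 (remount read-only) + 128 (reboot/poweroff)`.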
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-network-security.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-network-security.conf
--- 2:3.3.17-6/debian/sysctl.d/10-network-security.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-network-security.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,6 @@
+
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks.
+net.ipv4.conf.default.rp_filter=2
+net.ipv4.conf.all.rp_filter=2
+
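Review bot: The comment above `net.ipv4.conf.default.rp_filter=2` does not say which reverse-path mode is selected. The value 2 is the kernel's loose mode (RFC 3704), which accepts a packet when its source address is reachable through any interface, not only the one it arrived on. That gives weaker spoofing protection than strict mode (1) and is usually chosen so that multihomed or asymmetrically routed hosts keep working. I would state the mode in the comment, e.g. `# 2 = loose mode (RFC 3704): source must be routable via some interface; 1 = strict.`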
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-ptrace.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-ptrace.conf
--- 2:3.3.17-6/debian/sysctl.d/10-ptrace.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-ptrace.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,22 @@
+# The PTRACE system is used for debugging.  With it, a single user process
+# can attach to any other dumpable process owned by the same user.  In the
+# case of malicious software, it is possible to use PTRACE to access
+# credentials that exist in memory (re-using existing SSH connections,
+# extracting GPG agent information, etc).
+#
+# A PTRACE scope of "0" is the more permissive mode.  A scope of "1" limits
+# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
+# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
+# do not).  The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
+# "sudo strace -fp $PID" will work as before.  For more details see:
+# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
+#
+# For applications launching crash handlers that need PTRACE, exceptions can
+# be registered by the debugee by declaring in the segfault handler
+# specifically which process will be using PTRACE on the debugee:
+#   prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
+#
+# In general, PTRACE is not needed for the average running Ubuntu system.
+# To that end, the default is to set the PTRACE scope to "1".  This value
+# may not be appropriate for developers or servers with only admin accounts.
+kernel.yama.ptrace_scope = 1
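Review bot: The comment describes PTRACE scopes "0" and "1" only, while Yama also accepts "2" (attach limited to processes with CAP_SYS_PTRACE) and "3" (no attach at all, and the value cannot be changed again at runtime). As written, the file tells the reader when to relax the setting but not that stricter values exist. I would add after the scope "1" description: `# A scope of "2" allows PTRACE only with CAP_SYS_PTRACE; "3" disables attach` / `# entirely and cannot be lowered until reboot.`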
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-qemu.conf.s390x 2:3.3.17-6ubuntu2/debian/sysctl.d/10-qemu.conf.s390x
--- 2:3.3.17-6/debian/sysctl.d/10-qemu.conf.s390x	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-qemu.conf.s390x	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,2 @@
+# for qemu-system
+vm.allocate_pgste = 1
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf
--- 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,9 @@
+# Protect the zero page of memory from userspace mmap to prevent kernel
+# NULL-dereference attacks against potential future kernel security
+# vulnerabilities.  (Added in kernel 2.6.23.)
+#
+# While this default is built into the Ubuntu kernel, there is no way to
+# restore the kernel default if the value is changed during runtime; for
+# example via package removal (e.g. wine, dosemu).  Therefore, this value
+# is reset to the secure default each time the sysctl values are loaded.
+vm.mmap_min_addr = 65536
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf.arm64 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf.arm64
--- 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf.arm64	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf.arm64	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,11 @@
+# Protect the zero page of memory from userspace mmap to prevent kernel
+# NULL-dereference attacks against potential future kernel security
+# vulnerabilities.  (Added in kernel 2.6.23.)
+#
+# While this default is built into the Ubuntu kernel, there is no way to
+# restore the kernel default if the value is changed during runtime; for
+# example via package removal (e.g. wine, dosemu).  Therefore, this value
+# is reset to the secure default each time the sysctl values are loaded.
+#
+# ARM-specific default:
+vm.mmap_min_addr = 32768
diff -pruN 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf.armhf 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf.armhf
--- 2:3.3.17-6/debian/sysctl.d/10-zeropage.conf.armhf	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/sysctl.d/10-zeropage.conf.armhf	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,11 @@
+# Protect the zero page of memory from userspace mmap to prevent kernel
+# NULL-dereference attacks against potential future kernel security
+# vulnerabilities.  (Added in kernel 2.6.23.)
+#
+# While this default is built into the Ubuntu kernel, there is no way to
+# restore the kernel default if the value is changed during runtime; for
+# example via package removal (e.g. wine, dosemu).  Therefore, this value
+# is reset to the secure default each time the sysctl values are loaded.
+#
+# ARM-specific default:
+vm.mmap_min_addr = 32768
diff -pruN 2:3.3.17-6/debian/tests/control 2:3.3.17-6ubuntu2/debian/tests/control
--- 2:3.3.17-6/debian/tests/control	2022-01-13 08:46:59.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/tests/control	2022-02-25 11:40:40.000000000 +0000
@@ -1,3 +1,4 @@
-Tests: version
+Tests: version, stack-limit
 Restrictions: superficial
 
+Tests: sysctl-defaults
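Review bot: The new `Tests: sysctl-defaults` stanza carries no `Restrictions:` field, yet the test it names reads global kernel sysctls. In a container testbed `kernel.sysrq` is presumably whatever the host kernel has, so the result would reflect the host rather than this package's sysctl.d files. Whether the values are applied at install time or only at boot is not visible from this hunk. Consider adding `Restrictions: isolation-machine` under the stanza so the test only runs where the testbed has its own kernel.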
diff -pruN 2:3.3.17-6/debian/tests/stack-limit 2:3.3.17-6ubuntu2/debian/tests/stack-limit
--- 2:3.3.17-6/debian/tests/stack-limit	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/tests/stack-limit	2022-02-25 11:32:20.000000000 +0000
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+# set the stack size to unlimited and then run pgrep
+ulimit -S -s unlimited
+
+pgrep bash
diff -pruN 2:3.3.17-6/debian/tests/sysctl-defaults 2:3.3.17-6ubuntu2/debian/tests/sysctl-defaults
--- 2:3.3.17-6/debian/tests/sysctl-defaults	1970-01-01 00:00:00.000000000 +0000
+++ 2:3.3.17-6ubuntu2/debian/tests/sysctl-defaults	2022-02-25 11:57:56.000000000 +0000
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# defined in /etc/sysctl.d/10-magic-sysrq.conf
+sysctl kernel.sysrq | grep "= 176" && echo "OK"
+
+# defined in /etc/sysctl.d/10-network-security.conf
+sysctl net.ipv4.conf.all.rp_filter | grep "= 2" && echo "OK"
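Review bot: Both checks are written as `... | grep ... && echo "OK"`, and `set -e` does not abort on a failing command that is not the last one in an `&&` list. A wrong `kernel.sysrq` in the first check is therefore skipped silently, and the script's exit status depends on the `rp_filter` check alone. The grep patterns are also unanchored, so `= 2` would accept a value such as 20. A plain comparison fails the test at the line that is wrong: `[ "$(sysctl -n kernel.sysrq)" = 176 ]` and `[ "$(sysctl -n net.ipv4.conf.all.rp_filter)" = 2 ]`, each on its own line. The other shipped hardening defaults (kptr_restrict, ptrace_scope, mmap_min_addr) are left unchecked by this test.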
