author | Anthony G. Basile <blueness@gentoo.org> | 2012-11-13 21:19:12 -0500 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2012-11-13 21:19:12 -0500 |
commit | dad447bb6b1815cc9ed8f12cda3c1d37d59c9e70 (patch) | |
tree | 34e503cfd75b4cfd4ec7486a62523d989a4e36f6 | |
parent | Grsec/PaX: 2.9.1-{2.6.32.60,3.2.33,3.6.6}-201211072001 (diff) | |
Grsec/PaX: 2.9.1-{2.6.32.60,3.2.33,3.6.6}-201211122213
-rw-r--r-- | 2.6.32/0000_README | 2 | ||||
-rw-r--r-- | 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch (renamed from 2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch) | 49 | ||||
-rw-r--r-- | 3.2.33/0000_README | 6 | ||||
-rw-r--r-- | 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch (renamed from 3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch) | 49 | ||||
-rw-r--r-- | 3.2.33/4425-tmpfs-user-namespace.patch | 28 | ||||
-rw-r--r-- | 3.6.6/0000_README | 6 | ||||
-rw-r--r-- | 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch (renamed from 3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch) | 49 | ||||
-rw-r--r-- | 3.6.6/4425-tmpfs-user-namespace.patch | 28 |
8 files changed, 157 insertions, 60 deletions
diff --git a/2.6.32/0000_README b/2.6.32/0000_README index 8bd0698..ac627bb 100644 --- a/2.6.32/0000_README +++ b/2.6.32/0000_README @@ -34,7 +34,7 @@ Patch: 1059_linux-2.6.32.60.patch From: http://www.kernel.org Desc: Linux 2.6.32.59 -Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch +Patch: 4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity diff --git a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch index 82352cf..4b4bbbc 100644 --- a/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211071959.patch +++ b/2.6.32/4420_grsecurity-2.9.1-2.6.32.60-201211122212.patch @@ -84681,10 +84681,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..b50e14d +index 0000000..42c1316 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4187 @@ +@@ -0,0 +1,4198 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -85747,7 +85747,7 @@ index 0000000..b50e14d +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role); ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied); + +static int +copy_user_glob(struct acl_object_label *obj) 
@@ -85833,13 +85833,18 @@ index 0000000..b50e14d + return ret; + + if (o_tmp->nested) { -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role); ++ int already_copied; ++ ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied); + if (IS_ERR(o_tmp->nested)) + return PTR_ERR(o_tmp->nested); + -+ /* insert into nested subject list */ -+ o_tmp->nested->next = role->hash->first; -+ role->hash->first = o_tmp->nested; ++ /* insert into nested subject list if we haven't copied this one yet ++ to prevent duplicate entries */ ++ if (!already_copied) { ++ o_tmp->nested->next = role->hash->first; ++ role->hash->first = o_tmp->nested; ++ } + } + } + @@ -85958,7 +85963,7 @@ index 0000000..b50e14d +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role) ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied) +{ + struct acl_subject_label *s_tmp = NULL, *s_tmp2; + unsigned int len; @@ -85970,13 +85975,19 @@ index 0000000..b50e14d + unsigned int i_num; + int err; + ++ if (already_copied != NULL) ++ *already_copied = 0; ++ + s_tmp = lookup_subject_map(userp); + + /* we've already copied this subject into the kernel, just return + the reference to it, and don't copy it over again + */ -+ if (s_tmp) ++ if (s_tmp) { ++ if (already_copied != NULL) ++ *already_copied = 1; + return(s_tmp); ++ } + + if ((s_tmp = (struct acl_subject_label *) + acl_alloc(sizeof (struct acl_subject_label))) == NULL) @@ -86062,7 +86073,7 @@ index 0000000..b50e14d + + /* set pointer for parent subject */ + if (s_tmp->parent_subject) { -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role); ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL); + + if (IS_ERR(s_tmp2)) + return s_tmp2; 
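Review bot: In the `if (o_tmp->nested)` branch, `already_copied` is set whenever `lookup_subject_map()` finds the subject, which is not the same as the subject already being linked on `role->hash->first`. The calls that pass `NULL` (the `parent_subject` recursion and the `ret = do_copy_user_subj(userp, role, NULL)` caller) presumably register subjects in the same map, and whether those paths also link them into the list is outside these hunks. A nested subject first reached through one of them may therefore be skipped here, so it is worth confirming that every mapped subject is linked exactly once. Independently, the local depends on the callee writing it before any return; `int already_copied = 0;` keeps the branch safe if an early return is ever added above that assignment. The same hunks recur in the 3.2.33 and 3.6.6 copies of the patch.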
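Review bot: The new `already_copied` out-parameter of `do_copy_user_subj()` is undocumented, and neither the prototype nor the definition says that `NULL` is accepted or what 0 and 1 mean. A comment above the definition would state the contract, for example `/* *already_copied (may be NULL): 1 if userp was found in the subject map and the existing kernel copy is returned, 0 otherwise */`. The function body continues outside the hunk, so confirm that no return path precedes the initial `*already_copied = 0`.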
@@ -86146,7 +86157,7 @@ index 0000000..b50e14d + continue; + } + -+ ret = do_copy_user_subj(userp, role); ++ ret = do_copy_user_subj(userp, role, NULL); + + err = PTR_ERR(ret); + if (IS_ERR(ret)) @@ -102648,7 +102659,7 @@ index d4aba4f..0bb4763 100644 seq_printf(m, "%40s %14lu %29s %s\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 4b270e6..5e2eb1b 100644 +index 4b270e6..ca3d254 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -55,6 +55,7 @@ @@ -102742,7 +102753,7 @@ index 4b270e6..5e2eb1b 100644 + p = strstr(mod->args, "grsec_modharden_fs"); + + if (p) { -+ char *endptr = p + strlen("grsec_modharden_fs"); ++ char *endptr = p + sizeof("grsec_modharden_fs") - 1; + /* copy \0 as well */ + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1); + is_fs_load = 1; @@ -103140,7 +103151,7 @@ index 4b270e6..5e2eb1b 100644 + err = -EPERM; + goto cleanup; + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) { -+ p += strlen("grsec_modharden_normal"); ++ p += sizeof("grsec_modharden_normal") - 1; + p2 = strstr(p, "_"); + if (p2) { + *p2 = '\0'; @@ -113604,7 +113615,7 @@ index f900dc3..5e45346 100644 struct nlattr *nla; diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c new file mode 100644 -index 0000000..b1bac76 +index 0000000..725bece --- /dev/null +++ b/net/netfilter/xt_gradm.c @@ -0,0 +1,51 @@ @@ -113643,13 +113654,13 @@ index 0000000..b1bac76 +}; + +static int __init gradm_mt_init(void) -+{ -+ return xt_register_match(&gradm_mt_reg); ++{ ++ return xt_register_match(&gradm_mt_reg); +} + +static void __exit gradm_mt_exit(void) -+{ -+ xt_unregister_match(&gradm_mt_reg); ++{ ++ xt_unregister_match(&gradm_mt_reg); +} + +module_init(gradm_mt_init); diff --git a/3.2.33/0000_README b/3.2.33/0000_README index 4f37d3a..c03c7c6 100644 --- a/3.2.33/0000_README +++ b/3.2.33/0000_README @@ -50,10 +50,14 @@ Patch: 1032_linux-3.2.33.patch 
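Review bot: In the kernel/module.c hunks each marker is spelled twice on adjacent lines, once in `strstr(mod->args, "grsec_modharden_fs")` and once in `sizeof("grsec_modharden_fs") - 1`, so the skip length is only right while both literals stay identical. One definition used by both, for example `static const char modharden_fs[] = "grsec_modharden_fs";` with `sizeof(modharden_fs) - 1`, removes that coupling; the `grsec_modharden_normal` hunk has the same pattern, as do the 3.2.33 and 3.6.6 copies. Separately, `strstr()` accepts the marker anywhere in `mod->args`, including inside another parameter's value. If the marker is only ever appended by the kernel, checking for it at that fixed position would be stricter, but the code that builds the string is not visible here. Both enclosing functions start and end outside the hunks.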
From: http://www.kernel.org Desc: Linux 3.2.33 -Patch: 4420_grsecurity-2.9.1-3.2.33-201211072000.patch +Patch: 4420_grsecurity-2.9.1-3.2.33-201211122213.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity +Patch: 4425-tmpfs-user-namespace.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Enable XATTR_USER_PREFIX namespace on tmpfs + Patch: 4430_grsec-remove-localversion-grsec.patch From: Kerin Millar <kerframil@gmail.com> Desc: Removes grsecurity's localversion-grsec file diff --git a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch index 3d86532..7a220ce 100644 --- a/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211072000.patch +++ b/3.2.33/4420_grsecurity-2.9.1-3.2.33-201211122213.patch @@ -52333,10 +52333,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..ddf281c +index 0000000..7feb2c5 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4202 @@ +@@ -0,0 +1,4213 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -53397,7 +53397,7 @@ index 0000000..ddf281c +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role); ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied); + +static int +copy_user_glob(struct acl_object_label *obj) 
@@ -53483,13 +53483,18 @@ index 0000000..ddf281c + return ret; + + if (o_tmp->nested) { -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role); ++ int already_copied; ++ ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied); + if (IS_ERR(o_tmp->nested)) + return PTR_ERR(o_tmp->nested); + -+ /* insert into nested subject list */ -+ o_tmp->nested->next = role->hash->first; -+ role->hash->first = o_tmp->nested; ++ /* insert into nested subject list if we haven't copied this one yet ++ to prevent duplicate entries */ ++ if (!already_copied) { ++ o_tmp->nested->next = role->hash->first; ++ role->hash->first = o_tmp->nested; ++ } + } + } + @@ -53608,7 +53613,7 @@ index 0000000..ddf281c +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role) ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied) +{ + struct acl_subject_label *s_tmp = NULL, *s_tmp2; + unsigned int len; @@ -53620,13 +53625,19 @@ index 0000000..ddf281c + unsigned int i_num; + int err; + ++ if (already_copied != NULL) ++ *already_copied = 0; ++ + s_tmp = lookup_subject_map(userp); + + /* we've already copied this subject into the kernel, just return + the reference to it, and don't copy it over again + */ -+ if (s_tmp) ++ if (s_tmp) { ++ if (already_copied != NULL) ++ *already_copied = 1; + return(s_tmp); ++ } + + if ((s_tmp = (struct acl_subject_label *) + acl_alloc(sizeof (struct acl_subject_label))) == NULL) @@ -53712,7 +53723,7 @@ index 0000000..ddf281c + + /* set pointer for parent subject */ + if (s_tmp->parent_subject) { -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role); ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL); + + if (IS_ERR(s_tmp2)) + return s_tmp2; 
@@ -53796,7 +53807,7 @@ index 0000000..ddf281c + continue; + } + -+ ret = do_copy_user_subj(userp, role); ++ ret = do_copy_user_subj(userp, role, NULL); + + err = PTR_ERR(ret); + if (IS_ERR(ret)) @@ -69087,7 +69098,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 6c8fa34..0ab39b6 100644 +index 6c8fa34..b289138 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -58,6 +58,7 @@ @@ -69250,7 +69261,7 @@ index 6c8fa34..0ab39b6 100644 + + p = strstr(mod->args, "grsec_modharden_fs"); + if (p) { -+ char *endptr = p + strlen("grsec_modharden_fs"); ++ char *endptr = p + sizeof("grsec_modharden_fs") - 1; + /* copy \0 as well */ + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1); + is_fs_load = 1; @@ -69660,7 +69671,7 @@ index 6c8fa34..0ab39b6 100644 + err = -EPERM; + goto free_modinfo; + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) { -+ p += strlen("grsec_modharden_normal"); ++ p += sizeof("grsec_modharden_normal") - 1; + p2 = strstr(p, "_"); + if (p2) { + *p2 = '\0'; @@ -80157,7 +80168,7 @@ index 66b2c54..c7884e3 100644 struct nlattr *nla; diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c new file mode 100644 -index 0000000..6905327 +index 0000000..c566332 --- /dev/null +++ b/net/netfilter/xt_gradm.c @@ -0,0 +1,51 @@ @@ -80196,13 +80207,13 @@ index 0000000..6905327 +}; + +static int __init gradm_mt_init(void) -+{ -+ return xt_register_match(&gradm_mt_reg); ++{ ++ return xt_register_match(&gradm_mt_reg); +} + +static void __exit gradm_mt_exit(void) -+{ -+ xt_unregister_match(&gradm_mt_reg); ++{ ++ xt_unregister_match(&gradm_mt_reg); +} + +module_init(gradm_mt_init); diff --git a/3.2.33/4425-tmpfs-user-namespace.patch b/3.2.33/4425-tmpfs-user-namespace.patch new file mode 100644 index 0000000..a7d2649 --- /dev/null +++ b/3.2.33/4425-tmpfs-user-namespace.patch 
@@ -0,0 +1,28 @@ +Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs + +For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we +need to accept XATTR_USER_PREFIX extended attribute namespace +as valid. In Gentoo and other distros that make use of tmpfs +for their packaging systems, this makes it possible to pax mark +executables built in tmpfs before being tarred or otherwised +packaged. + +X-Gentoo-Bug: 432434 +X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434 +Signed-off-by: Anthony G. Basile <blueness@gentoo.org> +--- + +diff --git a/mm/shmem.c b/mm/shmem.c +index 67afba5..697a181 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -1804,7 +1804,8 @@ static int shmem_xattr_validate(const char *name) + { + struct { const char *prefix; size_t len; } arr[] = { + { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, +- { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } ++ { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }, ++ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN } + }; + int i; + diff --git a/3.6.6/0000_README b/3.6.6/0000_README index b78c8e4..306bcfd 100644 --- a/3.6.6/0000_README +++ b/3.6.6/0000_README @@ -2,10 +2,14 @@ README ----------------------------------------------------------------------------- Individual Patch Descriptions: ----------------------------------------------------------------------------- -Patch: 4420_grsecurity-2.9.1-3.6.6-201211072001.patch +Patch: 4420_grsecurity-2.9.1-3.6.6-201211122213.patch From: http://www.grsecurity.net Desc: hardened-sources base patch from upstream grsecurity +Patch: 4425-tmpfs-user-namespace.patch +From: Anthony G. Basile <blueness@gentoo.org> +Desc: Enable XATTR_USER_PREFIX namespace on tmpfs + Patch: 4430_grsec-remove-localversion-grsec.patch From: Kerin Millar <kerframil@gmail.com> Desc: Removes grsecurity's localversion-grsec file 
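Review bot: Adding `{ XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN }` to `arr[]` in `shmem_xattr_validate()` accepts every `user.*` name, although the description only needs the XATTR_PAX_FLAGS marking. To my knowledge tmpfs in these kernels keeps xattr values in kernel memory, and nothing in this hunk bounds their count or size, so any user who can write a file on a tmpfs mount can presumably grow kernel allocations that the mount's size limit does not account for. Matching only the PaX flags attribute name, and capping the value length in the set path, would serve the packaging use case without opening the whole namespace. The 3.6.6 copy of the patch makes the same change, and the function body continues outside the hunk.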
diff --git a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch index e6e5d8f..164e8e9 100644 --- a/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211072001.patch +++ b/3.6.6/4420_grsecurity-2.9.1-3.6.6-201211122213.patch @@ -51741,10 +51741,10 @@ index 0000000..1b9afa9 +endif diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c new file mode 100644 -index 0000000..3d58260 +index 0000000..b736032 --- /dev/null +++ b/grsecurity/gracl.c -@@ -0,0 +1,4029 @@ +@@ -0,0 +1,4040 @@ +#include <linux/kernel.h> +#include <linux/module.h> +#include <linux/sched.h> @@ -52809,7 +52809,7 @@ index 0000000..3d58260 +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role); ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied); + +static int +copy_user_glob(struct acl_object_label *obj) @@ -52895,13 +52895,18 @@ index 0000000..3d58260 + return ret; + + if (o_tmp->nested) { -+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role); ++ int already_copied; ++ ++ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied); + if (IS_ERR(o_tmp->nested)) + return PTR_ERR(o_tmp->nested); + -+ /* insert into nested subject list */ -+ o_tmp->nested->next = role->hash->first; -+ role->hash->first = o_tmp->nested; ++ /* insert into nested subject list if we haven't copied this one yet ++ to prevent duplicate entries */ ++ if (!already_copied) { ++ o_tmp->nested->next = role->hash->first; ++ role->hash->first = o_tmp->nested; ++ } + } + } + @@ -53020,7 +53025,7 @@ index 0000000..3d58260 +} + +static struct acl_subject_label * -+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role) ++do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied) +{ + struct acl_subject_label *s_tmp = NULL, *s_tmp2; + unsigned int len; 
@@ -53032,13 +53037,19 @@ index 0000000..3d58260 + unsigned int i_num; + int err; + ++ if (already_copied != NULL) ++ *already_copied = 0; ++ + s_tmp = lookup_subject_map(userp); + + /* we've already copied this subject into the kernel, just return + the reference to it, and don't copy it over again + */ -+ if (s_tmp) ++ if (s_tmp) { ++ if (already_copied != NULL) ++ *already_copied = 1; + return(s_tmp); ++ } + + if ((s_tmp = (struct acl_subject_label *) + acl_alloc(sizeof (struct acl_subject_label))) == NULL) @@ -53124,7 +53135,7 @@ index 0000000..3d58260 + + /* set pointer for parent subject */ + if (s_tmp->parent_subject) { -+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role); ++ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL); + + if (IS_ERR(s_tmp2)) + return s_tmp2; @@ -53208,7 +53219,7 @@ index 0000000..3d58260 + continue; + } + -+ ret = do_copy_user_subj(userp, role); ++ ret = do_copy_user_subj(userp, role, NULL); + + err = PTR_ERR(ret); + if (IS_ERR(ret)) @@ -68212,7 +68223,7 @@ index 91c32a0..7b88d63 100644 seq_printf(m, "%40s %14lu %29s %pS\n", name, stats->contending_point[i], diff --git a/kernel/module.c b/kernel/module.c -index 9ad9ee9..de7a157 100644 +index 9ad9ee9..f6e05c2 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -58,6 +58,7 @@ @@ -68393,7 +68404,7 @@ index 9ad9ee9..de7a157 100644 + + p = strstr(mod->args, "grsec_modharden_fs"); + if (p) { -+ char *endptr = p + strlen("grsec_modharden_fs"); ++ char *endptr = p + sizeof("grsec_modharden_fs") - 1; + /* copy \0 as well */ + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1); + is_fs_load = 1; @@ -68803,7 +68814,7 @@ index 9ad9ee9..de7a157 100644 + err = -EPERM; + goto free_modinfo; + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) { -+ p += strlen("grsec_modharden_normal"); ++ p += sizeof("grsec_modharden_normal") - 1; + p2 = strstr(p, "_"); + if (p2) { + *p2 = '\0'; 
@@ -78672,7 +78683,7 @@ index 5cfb5be..217c6d8 100644 if (data_len) { diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c new file mode 100644 -index 0000000..6905327 +index 0000000..c566332 --- /dev/null +++ b/net/netfilter/xt_gradm.c @@ -0,0 +1,51 @@ @@ -78711,13 +78722,13 @@ index 0000000..6905327 +}; + +static int __init gradm_mt_init(void) -+{ -+ return xt_register_match(&gradm_mt_reg); ++{ ++ return xt_register_match(&gradm_mt_reg); +} + +static void __exit gradm_mt_exit(void) -+{ -+ xt_unregister_match(&gradm_mt_reg); ++{ ++ xt_unregister_match(&gradm_mt_reg); +} + +module_init(gradm_mt_init); diff --git a/3.6.6/4425-tmpfs-user-namespace.patch b/3.6.6/4425-tmpfs-user-namespace.patch new file mode 100644 index 0000000..b48d735 --- /dev/null +++ b/3.6.6/4425-tmpfs-user-namespace.patch @@ -0,0 +1,28 @@ +Enable XATTR_USER_PREFIX extended attribute namespace for tmpfs + +For XATTR_PAX_FLAGS markings to work on a tmpfs filesystem, we +need to accept XATTR_USER_PREFIX extended attribute namespace +as valid. In Gentoo and other distros that make use of tmpfs +for their packaging systems, this makes it possible to pax mark +executables built in tmpfs before being tarred or otherwised +packaged. + +X-Gentoo-Bug: 432434 +X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=432434 +Signed-off-by: Anthony G. Basile <blueness@gentoo.org> +--- + +diff --git a/mm/shmem.c b/mm/shmem.c +index 67afba5..697a181 100644 +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -2208,7 +2208,8 @@ static int shmem_xattr_validate(const char *name) + { + struct { const char *prefix; size_t len; } arr[] = { + { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN }, +- { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN } ++ { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }, ++ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN } + }; + int i; + |