From 00e6b3ec8b8668e3f20f51cf18052623848bed72 Mon Sep 17 00:00:00 2001 
From: Alex Crawford Date: Tue, 26 Jul 2016 13:12:35 -0700 Subject: [PATCH] sys-kernel/coreos-*: bump to linux 4.7 --- ....6.4.ebuild => coreos-kernel-4.7.0.ebuild} | 0 ...6.4.ebuild => coreos-modules-4.7.0.ebuild} | 0 ...md64_defconfig-4.6 => amd64_defconfig-4.7} | 1 - ...rm64_defconfig-4.6 => arm64_defconfig-4.7} | 2 - .../sys-kernel/coreos-sources/Manifest | 3 +- ...6.4.ebuild => coreos-sources-4.7.0.ebuild} | 0 .../z0001-Add-secure_modules-call.patch | 20 +++++----- ...R-access-when-module-security-is-ena.patch | 8 ++-- ...-port-access-when-module-security-is.patch | 4 +- ...4-ACPI-Limit-access-to-custom_method.patch | 4 +- ...t-debugfs-interface-when-module-load.patch | 12 +++--- ...-and-dev-kmem-when-module-loading-is.patch | 4 +- ..._rsdp-kernel-parameter-when-module-l.patch | 8 ++-- ...-runtime-if-the-kernel-enforces-modu.patch | 8 ++-- ...-access-when-module-loading-is-restr.patch | 4 +- ...tomatically-enforce-module-signature.patch | 39 +++++++++---------- ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 8 ++-- .../z0012-efi-Add-EFI_SECURE_BOOT-bit.patch | 12 +++--- ...able-in-a-signed-modules-environment.patch | 4 +- ...-copy-up-security-hooks-for-unioned-.patch | 22 +++++------ ...Overlayfs-Use-copy-up-security-hooks.patch | 6 +-- ...016-SELinux-Stub-in-copy-up-handling.patch | 10 ++--- ...nux-Handle-opening-of-a-unioned-file.patch | 14 +++---- ...ainst-union-label-for-file-operation.patch | 10 ++--- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 10 ++--- ...te-permissions-on-lower-inodes-on-ov.patch | 16 ++++---- 26 files changed, 112 insertions(+), 117 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.6.4.ebuild => coreos-kernel-4.7.0.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.6.4.ebuild => coreos-modules-4.7.0.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{amd64_defconfig-4.6 
=> amd64_defconfig-4.7} (99%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/{arm64_defconfig-4.6 => arm64_defconfig-4.7} (99%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.6.4.ebuild => coreos-sources-4.7.0.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0001-Add-secure_modules-call.patch (76%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch (95%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch (96%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0004-ACPI-Limit-access-to-custom_method.patch (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch (82%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch (94%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch (85%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch (86%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch (94%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0010-Add-option-to-automatically-enforce-module-signature.patch (86%) rename 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch (84%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch (81%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch (91%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0015-Overlayfs-Use-copy-up-security-hooks.patch (92%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0016-SELinux-Stub-in-copy-up-handling.patch (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0018-SELinux-Check-against-union-label-for-file-operation.patch (85%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch (82%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.6 => 4.7}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch (84%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.6.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.6.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.6.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.6.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.7 similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.6 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.7 index a78c86f546..8c7da9365d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.6 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.7 @@ -687,7 +687,6 @@ CONFIG_MOUSE_PS2=m # CONFIG_MOUSE_PS2_FOCALTECH is not set CONFIG_INPUT_MISC=y # CONFIG_SERIO_SERPORT is not set -CONFIG_DEVPTS_MULTIPLE_INSTANCES=y # CONFIG_LEGACY_PTYS is not set # CONFIG_DEVKMEM is not set CONFIG_SERIAL_8250=y 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.6 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.7 similarity index 99% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.6 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.7 index 4c7770d609..938f1f21e7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.6 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.7 @@ -222,7 +222,6 @@ CONFIG_RTL8192CE=m CONFIG_INPUT_EVDEV=y # CONFIG_SERIO_SERPORT is not set CONFIG_SERIO_AMBAKMI=y -CONFIG_DEVPTS_MULTIPLE_INSTANCES=y CONFIG_LEGACY_PTY_COUNT=16 CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_CONSOLE=y @@ -338,7 +337,6 @@ CONFIG_SCHEDSTATS=y # CONFIG_DEBUG_PREEMPT is not set CONFIG_DEBUG_CREDENTIALS=y # CONFIG_FTRACE is not set -CONFIG_DEBUG_SET_MODULE_RONX=y CONFIG_SECURITY=y CONFIG_CRYPTO_ANSI_CPRNG=y CONFIG_MODULE_SIG_KEY="certs/modules.pem" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 3df0ffdb2d..ed75554153 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
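Review bot: The second hunk of the arm64_defconfig section drops `CONFIG_DEBUG_SET_MODULE_RONX=y` with no replacement line and no mention in the commit message, and the amd64 defconfig has no matching change, so it is not clear from the diff whether the option was removed upstream, folded into the 4.7 default, or lost in a `savedefconfig` round-trip. Despite the DEBUG_ prefix this is a hardening option (read-only module text, non-executable module data), and the module-signature enforcement patches this same commit carries are weaker if loaded module code can be rewritten afterwards. Please confirm in the generated arm64 .config that the equivalent protection is still enabled, and either keep the line explicitly or state the reason for dropping it in the commit message. The `CONFIG_DEVPTS_MULTIPLE_INSTANCES` removal in both defconfigs presumably tracks an upstream removal of that option and does not need the same check.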
@@ -1,2 +1 @@ -DIST linux-4.6.tar.xz 89461728 SHA256 a93771cd5a8ad27798f22e9240538dfea48d3a2bf2a6a6ab415de3f02d25d866 SHA512 df5ee40b0ebd89914a900f63c32a481cb4f405d8f792b2d03ea167ce9c5bdf75154c7bd8ecd7ebac77a8dbf2b077c972cbfe6b95163e27c38c1fefc6ddbdfa0b WHIRLPOOL 50ee28a06930ffb29ade1aa5fb4e3bf165ead92cb660dc6771a265cdbc2240713ebf14fe235fa153d8b6e3ab853852ea06c2525209cd7989aa3d6f6fad5b7edf -DIST patch-4.6.4.xz 111624 SHA256 f500a3b841c41420914938d681e258c712fbbd7ebec5fe70f0abc071a1738e47 SHA512 8288af19d5e81e891049a6450224ce0707dc729dadab4802af93ce57e2fb6d400b64dde601ece482ec4db72176837eaa52bbca7ebd7e53191253ff05a7d4fe91 WHIRLPOOL 90b64398a96803899203e638d00bb0e23be1ab859107104f7b670e9af38af543f053442d3424aeb45e1d1fac6cf8e8d5dd0c93b62f55e545c0a856a18631a455 +DIST linux-4.7.tar.xz 90412100 SHA256 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10 SHA512 e8c02583e17e4fc4214fef694825fcb78c898266f1624deb1cdf56ab5c5fdfa669c5221122a7cf0d502ed6f921ff3797634acd9d294d29e98e3faa8a21920185 WHIRLPOOL e968c89ce714c8d918db6074dabac4b0200c57ff111260313cf5798eeefb8b5b10c1509b64e2ee611a78e81075c588a473b67f9802609b2fef9ebb87ae514d98 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.6.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.0.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.6.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.0.ebuild 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch index 060534b3a2..171fe3c9e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch @@ -1,4 +1,4 @@ -From c35230624d1464523272de88a5085cd808e2eb97 Mon Sep 17 00:00:00 2001 +From 56c7486c654e67683c23e8769351898dc650f890 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/20] Add secure_modules() call @@ -17,19 +17,19 @@ Signed-off-by: Matthew Garrett 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 2bb0c30..ab13009 100644 +index 3daf2b3..15843fc 100644 --- a/include/linux/module.h 
+++ b/include/linux/module.h -@@ -630,6 +630,8 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -643,6 +643,8 @@ static inline bool module_requested_async_probing(struct module *module) return module && module->async_probe_requested; } +extern bool secure_modules(void); + - #else /* !CONFIG_MODULES... */ - - /* Given an address, look for it in the exception tables. */ -@@ -746,6 +748,10 @@ static inline bool module_requested_async_probing(struct module *module) + #ifdef CONFIG_LIVEPATCH + static inline bool is_livepatch_module(struct module *mod) + { +@@ -771,6 +773,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } @@ -41,10 +41,10 @@ index 2bb0c30..ab13009 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 041200c..392ac8c 100644 +index 5f71aa6..3c38496 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4080,3 +4080,13 @@ void module_layout(struct module *mod, +@@ -4199,3 +4199,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 041200c..392ac8c 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 45e822f4d7..6fe45086b3 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,4 +1,4 @@ -From de2acb86b00352b3e58c55aa5474970bd52640a5 Mon Sep 17 00:00:00 2001 +From a092193db748a914f777fc4426322d085f6447ba Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is @@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 342b691..2809631 100644 +index d319a9c..6b1884d 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ @@ -49,7 +49,7 @@ index 342b691..2809631 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1102,6 +1109,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1101,6 +1108,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.8.2 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index 2d70e3ba1e..c25969f7d2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,4 +1,4 @@ -From 9822e9d4cc1c380146f6b7b0984a9f03c2d5ee30 Mon Sep 17 00:00:00 2001 +From 665de4d1fe2819dff85c1ae2bb5de77d2dfaf3d5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/20] x86: Lock down IO port access when module security is @@ -68,5 +68,5 @@ index 71025c2..86e5bfa 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch index 87406e9a9c..3fe2301d5c 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From b2f6e6b53381d5213e128e1266d1a4728bcb1e7f Mon Sep 17 00:00:00 2001 +From ec9e1e7e77567c9a02fe912d77c4ad0b861d35a0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/20] ACPI: Limit access to custom_method @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index d9b233cb4e..3c733d9b7a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From e84e314c9dbc752726045c29a7464a6b6910dd1f Mon Sep 17 00:00:00 2001 +From 25b3c5a56a2f963a6b92be5256eb7d9a118e1ec4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module 
@@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index a96630d..92bf6b1 100644 +index a26dca3..6ec9cab 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c -@@ -1867,6 +1867,9 @@ static int show_dsts(struct seq_file *m, void *data) +@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -29,7 +29,7 @@ index a96630d..92bf6b1 100644 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); if (err < 0) -@@ -1883,6 +1886,9 @@ static int show_devs(struct seq_file *m, void *data) +@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -39,7 +39,7 @@ index a96630d..92bf6b1 100644 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval); -@@ -1907,6 +1913,9 @@ static int show_call(struct seq_file *m, void *data) +@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data) union acpi_object *obj; acpi_status status; @@ -50,5 +50,5 @@ index a96630d..92bf6b1 100644 1, asus->debug.method_id, &input, &output); -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index fc148db719..ce02da6a19 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,4 +1,4 @@ -From 75bf36f24bd1efeadb16130281207f488e38ad51 Mon Sep 17 00:00:00 2001 +From 30af3497cb4e5af8e602674738c2eb8cd79936e9 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is @@ -38,5 +38,5 @@ index 86e5bfa..3264735 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index a5405b03fc..a5907b4b7b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From 301e69031df178a811ddb0745ed910518c36fbbe Mon Sep 17 00:00:00 2001 +From 5fc15323a692410e72e7b7fdafa2a71a7420b8d0 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 814d5f8..84ca0b5 100644 +index b108f13..158de7d 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 814d5f8..84ca0b5 100644 #include #include -@@ -254,7 +255,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -35,5 +35,5 @@ index 814d5f8..84ca0b5 100644 #endif -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 7a09d9bcba..ed0a32a422 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,4 +1,4 @@ -From a92898f1e8f05643870686a48812d2898127cf8e Mon Sep 17 00:00:00 2001 +From bd55d2cfacdd370df7e5a8f03863f59cee591c47 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/kexec.c b/kernel/kexec.c -index ee70aef..755198b 100644 +index 4384672..0876783 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -17,6 +17,7 @@ @@ -25,7 +25,7 @@ index ee70aef..755198b 100644 #include "kexec_internal.h" -@@ -131,7 +132,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -189,7 +190,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, int result; /* We only trust the superuser with rebooting the system. */ @@ -35,5 +35,5 @@ index ee70aef..755198b 100644 /* -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index b0ac6438d0..ae5c30d11a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,4 +1,4 @@ -From b68abccfa5c9dca3e8c921139bcd5e794ae8e67c Mon Sep 17 00:00:00 2001 +From 6a2ebbbc4d82f75d98a2f594db23b853abba2333 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is @@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644 err = -EFAULT; break; -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch index ccecfaf37f..d14fe8548c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,4 +1,4 @@ -From ec3ce7daf05ab4d0456a06235e5f91f09fc57268 Mon Sep 17 00:00:00 2001 +From 23b33d629abc9fa53f5f1c6422bf7b170c322beb Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/20] Add option to automatically enforce module signatures @@ -13,12 +13,12 @@ 
Signed-off-by: Matthew Garrett --- Documentation/x86/zero-page.txt | 2 ++ arch/x86/Kconfig | 10 ++++++++++ - arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ + arch/x86/boot/compressed/eboot.c | 35 +++++++++++++++++++++++++++++++++++ arch/x86/include/uapi/asm/bootparam.h | 3 ++- arch/x86/kernel/setup.c | 6 ++++++ include/linux/module.h | 6 ++++++ kernel/module.c | 7 +++++++ - 7 files changed, 69 insertions(+), 1 deletion(-) + 7 files changed, 68 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt index 95a4d34..b8527c6 100644 @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 2dc18605..a701d09 100644 +index d9a94da..866d0e9 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1785,6 +1785,16 @@ config EFI_MIXED +@@ -1776,6 +1776,16 @@ config EFI_MIXED If unsure, say N. @@ -55,7 +55,7 @@ index 2dc18605..a701d09 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 583d539..ca120ac 100644 +index 52fef60..faa223b 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -66,8 +66,8 @@ index 583d539..ca120ac 100644 #include "../string.h" #include "eboot.h" -@@ -847,6 +848,37 @@ out: - return status; +@@ -571,6 +572,36 @@ free_handle: + efi_call_early(free_pool, pci_handle); } +static int get_secure_boot(void) 
@@ -100,11 +100,10 @@ index 583d539..ca120ac 100644 + return 1; +} + -+ - /* - * See if we have Graphics Output Protocol - */ -@@ -1432,6 +1464,10 @@ struct boot_params *efi_main(struct efi_config *c, + static efi_status_t + setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) + { +@@ -1126,6 +1157,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -116,7 +115,7 @@ index 583d539..ca120ac 100644 setup_efi_pci(boot_params); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 3292543..b61f853 100644 +index c18ce67..2b3e542 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h @@ -134,7 +134,8 @@ struct boot_params { @@ -130,10 +129,10 @@ index 3292543..b61f853 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 2367ae0..1a78bf7 100644 +index c4e7b39..bdb9881 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -147,7 +146,7 @@ index 2367ae0..1a78bf7 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index ab13009..e072b84 100644 +index 15843fc..fe5c49d 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); @@ -164,10 +163,10 @@ index ab13009..e072b84 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 392ac8c..676c578 100644 +index 3c38496..ea484f3 100644 --- a/kernel/module.c 
+++ b/kernel/module.c -@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod, +@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +181,5 @@ index 392ac8c..676c578 100644 { #ifdef CONFIG_MODULE_SIG -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 7be20cff8c..8dfd777d3a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,4 +1,4 @@ -From 6c1648fa6c1e91977c502e2f2a5b3c4f09124ce6 Mon Sep 17 00:00:00 2001 +From d1431fc712f301635f392a11045b1a2fe9df7e25 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 11/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index a701d09..fef4036 100644 +index 866d0e9..5b8b8c3 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1786,7 +1786,8 @@ config EFI_MIXED +@@ -1777,7 +1777,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE 
@@ -26,5 +26,5 @@ index a701d09..fef4036 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch index f8597bb304..6058f2289f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From d1440220844d8a0cca8168526fc2d6a74787283c Mon Sep 17 00:00:00 2001 +From 735f74a5d4919c155481ee8aca9074c5d53f4029 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 12/20] efi: Add EFI_SECURE_BOOT bit @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 1a78bf7..564921b 100644 +index bdb9881..a666b6c 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1148,7 +1148,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -27,10 +27,10 @@ index 1a78bf7..564921b 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 1626474..2bd4516 100644 +index f196dd0..3b3909f 100644 --- a/include/linux/efi.h 
+++ b/include/linux/efi.h -@@ -1009,6 +1009,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ @@ -39,5 +39,5 @@ index 1626474..2bd4516 100644 #ifdef CONFIG_EFI /* -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch index 602366bbf7..cb7cc97c2b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,4 +1,4 @@ -From df84f18e06e61f63e4e7847d455a3601b15a941a Mon Sep 17 00:00:00 2001 +From d0c5883f7885f8b8d1dd617ab6e7f4015bbd0419 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 Subject: [PATCH 13/20] hibernate: Disable in a signed modules environment @@ -35,5 +35,5 @@ index fca9254..ffd8644 100644 /** -- -2.8.2 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index 27590e9878..3a9846ee21 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,4 +1,4 @@ -From 21bb922ca499884980a7a98992bb0b00c05c223a Mon Sep 17 00:00:00 2001 +From cf7c941ac72cf28c9ed256ed6f7e77dd451819ec Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 14/20] Security: Provide copy-up security hooks for unioned @@ -21,7 +21,7 @@ Signed-off-by: David Howells 3 files changed, 54 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index cdee11c..adef596 100644 +index 7ae3976..b585466 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -401,6 +401,24 @@ @@ -49,7 +49,7 @@ index cdee11c..adef596 100644 * * Security hooks for file operations * -@@ -1424,6 +1442,9 @@ union security_list_options { +@@ -1425,6 +1443,9 @@ union security_list_options { int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); void (*inode_getsecid)(struct inode *inode, u32 *secid); 
@@ -59,7 +59,7 @@ index cdee11c..adef596 100644 int (*file_permission)(struct file *file, int mask); int (*file_alloc_security)(struct file *file); -@@ -1695,6 +1716,8 @@ struct security_hook_heads { +@@ -1696,6 +1717,8 @@ struct security_hook_heads { struct list_head inode_setsecurity; struct list_head inode_listsecurity; struct list_head inode_getsecid; @@ -69,10 +69,10 @@ index cdee11c..adef596 100644 struct list_head file_alloc_security; struct list_head file_free_security; diff --git a/include/linux/security.h b/include/linux/security.h -index 157f0cb..449f1b0 100644 +index 14df373..986265b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -276,6 +276,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf +@@ -282,6 +282,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); void security_inode_getsecid(struct inode *inode, u32 *secid); @@ -83,7 +83,7 @@ index 157f0cb..449f1b0 100644 int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); -@@ -744,6 +748,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +@@ -758,6 +762,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) *secid = 0; } @@ -101,10 +101,10 @@ index 157f0cb..449f1b0 100644 { return 0; diff --git a/security/security.c b/security/security.c -index 3644b03..8548340 100644 +index 7095693..77ec85b 100644 --- a/security/security.c +++ b/security/security.c -@@ -726,6 +726,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) +@@ -727,6 +727,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) call_void_hook(inode_getsecid, inode, secid); } 
@@ -124,7 +124,7 @@ index 3644b03..8548340 100644 int security_file_permission(struct file *file, int mask) { int ret; -@@ -1662,6 +1675,10 @@ struct security_hook_heads security_hook_heads = { +@@ -1663,6 +1676,10 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), .inode_getsecid = LIST_HEAD_INIT(security_hook_heads.inode_getsecid), @@ -136,5 +136,5 @@ index 3644b03..8548340 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch index 8e3a91451b..48e3e1a7cd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,4 +1,4 @@ -From 4eac8c9deb0ffddf8d71b6783675087a4ee6b436 Mon Sep 17 00:00:00 2001 +From 08ff141c7c1887f6f2793b03d7575d46375352c6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 15/20] Overlayfs: Use copy-up security hooks @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 12 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index cc514da..a181c7c 100644 +index 80aa6f1..c7ba7b2 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -102,6 +102,14 @@ retry: 
@@ -43,5 +43,5 @@ index cc514da..a181c7c 100644 struct path upperpath; -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch index 5e6db46176..ba269525f6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,4 +1,4 @@ -From f3798692115e472f7d508d725f8952b29250370e Mon Sep 17 00:00:00 2001 +From 5010e474dd5f54f95f54f5ac6d86085084148aca Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 16/20] SELinux: Stub in copy-up handling @@ -13,10 +13,10 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 912deee..b4e3e63 100644 +index a86d537..19719b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3253,6 +3253,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +@@ -3270,6 +3270,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) *secid = isec->sid; } 
@@ -41,7 +41,7 @@ index 912deee..b4e3e63 100644 /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -5996,6 +6014,8 @@ static struct security_hook_list selinux_hooks[] = { +@@ -6056,6 +6074,8 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), @@ -51,5 +51,5 @@ index 912deee..b4e3e63 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch index d8012feafc..caaf7cde5e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,4 +1,4 @@ -From 518b46aa4f4d0198593c2ffd9a3927db686d3c43 Mon Sep 17 00:00:00 2001 +From 9f1a7fa7a1db75f71d653863fd190e160535d9d1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 17/20] SELinux: Handle opening of a unioned file @@ -26,10 +26,10 @@ Signed-off-by: David Howells 2 files changed, 70 insertions(+) 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index b4e3e63..e5d0e2d 100644 +index 19719b7..74e4f4e 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3584,10 +3584,72 @@ static int selinux_file_receive(struct file *file) +@@ -3603,10 +3603,72 @@ static int selinux_file_receive(struct file *file) return file_has_perm(cred, file, file_to_av(file)); } @@ -102,7 +102,7 @@ index b4e3e63..e5d0e2d 100644 fsec = file->f_security; isec = inode_security(file_inode(file)); -@@ -3608,6 +3670,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) +@@ -3627,6 +3689,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) * new inode label or new policy. * This check is not redundant - do not remove. */ @@ -117,10 +117,10 @@ index b4e3e63..e5d0e2d 100644 } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h -index a2ae054..54cce84 100644 +index c21e135..1c23b90 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h -@@ -60,6 +60,7 @@ struct file_security_struct { +@@ -59,6 +59,7 @@ struct file_security_struct { u32 sid; /* SID of open file description */ u32 fown_sid; /* SID of file owner (for SIGIO) */ u32 isid; /* SID of inode at the time of file open */ @@ -129,5 +129,5 @@ index a2ae054..54cce84 100644 }; -- -2.8.2 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch index dbba09fa24..62b43f1d7b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,4 +1,4 @@ -From c847761aacd96fb03f6493ffc800ef9310d34ef7 Mon Sep 17 00:00:00 2001 +From 4d316639da0c1a3cbe34b33cb7d2821b810020bf Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 18/20] SELinux: Check against union label for file operations @@ -16,10 +16,10 @@ Signed-off-by: David Howells 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index e5d0e2d..c3f94dd 100644 +index 74e4f4e..f6dc6b2 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -1745,6 +1745,7 @@ static int file_has_perm(const struct cred *cred, +@@ -1755,6 +1755,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { 
@@ -27,7 +27,7 @@ index e5d0e2d..c3f94dd 100644 struct file_security_struct *fsec = file->f_security; struct inode *inode = file_inode(file); struct common_audit_data ad; -@@ -1765,8 +1766,15 @@ static int file_has_perm(const struct cred *cred, +@@ -1775,8 +1776,15 @@ static int file_has_perm(const struct cred *cred, /* av is zero if only checking access to the descriptor. */ rc = 0; @@ -46,5 +46,5 @@ index e5d0e2d..c3f94dd 100644 out: return rc; -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 4cf82f3c17..67e5cece4c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,4 +1,4 @@ -From 1ef23e9e2c7d6d47ceeaf74d685d951ef109db7a Mon Sep 17 00:00:00 2001 +From 7c61363beb72419f1dca56e156c794d114d5f9f9 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 Subject: [PATCH 19/20] kbuild: derive relative path for KBUILD_SRC from CURDIR @@ -12,13 +12,13 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 0f9cb36..44097a4 100644 +index 66da9a3..4d55d38 100644 --- a/Makefile 
+++ b/Makefile -@@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make +@@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @: - sub-make: FORCE + sub-make: - $(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \ + $(Q)$(MAKE) -C $(KBUILD_OUTPUT) \ + KBUILD_SRC=$(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR)) \ @@ -26,5 +26,5 @@ index 0f9cb36..44097a4 100644 # Leave processing to above invocation of make -- -2.8.2 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index e0e2862f08..83ebf2b8f5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,4 +1,4 @@ -From 6a65a70406567cf4c1264e9baa54b37844c3d5e1 Mon Sep 17 00:00:00 2001 +From 8a81012508249122343f090c989c46cf15c67480 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 Subject: [PATCH 20/20] Don't verify write permissions on lower inodes on @@ -19,10 +19,10 @@ the selinux permissions check if that flag is set. 3 files changed, 13 insertions(+) 
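Review bot: `KBUILD_SRC=$(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR))` on the rebased sub-make line fails silently: if realpath is not GNU coreutils (BSD and busybox variants lack `--relative-to`, as far as I know) or exits non-zero, `$(shell)` expands to nothing and the sub-make runs with an empty KBUILD_SRC, which kbuild treats as an in-tree build instead of erroring. Computing the path once inside the enclosing `ifneq ($(KBUILD_OUTPUT),)` block, after KBUILD_OUTPUT has been resolved, and failing loudly when it is empty avoids that; the only context change in this hunk (`sub-make: FORCE` becoming `sub-make:`) is unaffected. The sub-make recipe continues outside the hunk.
```make
# … unchanged: KBUILD_OUTPUT := $(shell mkdir -p … && pwd) resolution …
KBUILD_SRC_REL := $(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR))
ifeq ($(KBUILD_SRC_REL),)
$(error realpath --relative-to=$(KBUILD_OUTPUT) failed; GNU coreutils realpath is required for O= builds)
endif

sub-make:
	$(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(KBUILD_SRC_REL) \
	# … unchanged: remaining sub-make arguments …
```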
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index a4ff5d0..6ba3443 100644 +index d1cdc60..a5b1498 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c -@@ -163,6 +163,9 @@ int ovl_permission(struct inode *inode, int mask) +@@ -189,6 +189,9 @@ int ovl_permission(struct inode *inode, int mask) goto out_dput; } @@ -33,10 +33,10 @@ index a4ff5d0..6ba3443 100644 out_dput: dput(alias); diff --git a/include/linux/fs.h b/include/linux/fs.h -index 70e61b5..ba1ed95 100644 +index dd28814..5988996 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h -@@ -85,6 +85,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); +@@ -84,6 +84,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, #define MAY_CHDIR 0x00000040 /* called from RCU mode, don't block */ #define MAY_NOT_BLOCK 0x00000080 @@ -45,10 +45,10 @@ index 70e61b5..ba1ed95 100644 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index c3f94dd..37f438c 100644 +index f6dc6b2..10081f7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -2967,6 +2967,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) +@@ -2981,6 +2981,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) u32 audited, denied; from_access = mask & MAY_ACCESS; @@ -65,5 +65,5 @@ index c3f94dd..37f438c 100644 /* No permission to check. Existence test. */ -- -2.8.2 +2.7.3
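Review bot: The flag this patch adds after `#define MAY_NOT_BLOCK 0x00000080`, the nine lines it inserts right after `from_access = mask & MAY_ACCESS;` in selinux_inode_permission(), and the three lines added before `out_dput:` in ovl_permission() only work as a set, yet none of the rebased hunks documents that coupling; a comment on the fs.h define such as `/* Overlayfs-internal: set by ovl_permission() for the lower-inode check; consumed only by the SELinux hook */` — worded to match what the hidden lines actually do — would stop a future bump from carrying one side without the others. The ovl_permission hunk moved from line 163 to 189, so the 4.7 code above the insertion changed; the added lines should be re-read against the 4.7 function to confirm they still fire only on the lower-inode path. Because the diffstat shows only fs.h, overlayfs and security/selinux/hooks.c touched, other LSMs keep checking write permission on lower inodes, which the patch description should say explicitly. All three enclosing definitions start and end outside the hunk.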