From 2035a9daf90e4f59583561b13ebb4f2f90a0596a Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Tue, 18 Oct 2016 18:16:58 -0700 Subject: [PATCH] sys-kernel/coreos-sources: bump to 4.8.2 --- .../sys-kernel/coreos-sources/Manifest | 4 +- .../coreos-sources-4.7.3.ebuild | 45 ----- .../coreos-sources-4.8.2.ebuild | 46 +++++ ...-copy-up-security-hooks-for-unioned-.patch | 140 --------------- ...Overlayfs-Use-copy-up-security-hooks.patch | 47 ------ ...016-SELinux-Stub-in-copy-up-handling.patch | 55 ------ ...nux-Handle-opening-of-a-unioned-file.patch | 133 --------------- ...ainst-union-label-for-file-operation.patch | 50 ------ ...te-permissions-on-lower-inodes-on-ov.patch | 69 -------- ...fs-provide-copy-up-security-hook-for.patch | 148 ++++++++++++++++ ...mplementation-for-inode_copy_up-hook.patch | 62 +++++++ ...fs-Provide-security-hook-for-copy-up.patch | 129 ++++++++++++++ ...ntation-for-inode_copy_up_xattr-hook.patch | 53 ++++++ ...urity-pointer-to-determine_inode_lab.patch | 73 ++++++++ ...fs-Provide-hook-to-correctly-label-n.patch | 159 ++++++++++++++++++ ...mplement-dentry_create_files_as-hook.patch | 60 +++++++ .../z0008-Add-secure_modules-call.patch} | 14 +- ...-access-when-module-security-is-ena.patch} | 16 +- ...port-access-when-module-security-is.patch} | 10 +- ...-ACPI-Limit-access-to-custom_method.patch} | 4 +- ...-debugfs-interface-when-module-load.patch} | 6 +- ...and-dev-kmem-when-module-loading-is.patch} | 10 +- ...rsdp-kernel-parameter-when-module-l.patch} | 6 +- ...runtime-if-the-kernel-enforces-modu.patch} | 8 +- ...access-when-module-loading-is-restr.patch} | 4 +- ...omatically-enforce-module-signature.patch} | 24 +-- ...CURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} | 8 +- .../z0019-efi-Add-EFI_SECURE_BOOT-bit.patch} | 12 +- ...ble-in-a-signed-modules-environment.patch} | 8 +- ...ative-path-for-KBUILD_SRC-from-CURD.patch} | 6 +- 30 files changed, 800 insertions(+), 609 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.3.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.2.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0001-Add-secure_modules-call.patch => 4.8/z0008-Add-secure_modules-call.patch} (79%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch => 4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch} (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch => 4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0004-ACPI-Limit-access-to-custom_method.patch => 4.8/z0011-ACPI-Limit-access-to-custom_method.patch} (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch => 4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch} (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch => 4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch} (78%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch => 4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch} (85%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch => 4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch} (81%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch => 4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch => 4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch => 4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} (78%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch => 4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch} (78%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch => 4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch} (80%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch => 4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch} (84%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 9253cabfe4..b364597593 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ -DIST linux-4.7.tar.xz 90412100 SHA256 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10 SHA512 e8c02583e17e4fc4214fef694825fcb78c898266f1624deb1cdf56ab5c5fdfa669c5221122a7cf0d502ed6f921ff3797634acd9d294d29e98e3faa8a21920185 WHIRLPOOL e968c89ce714c8d918db6074dabac4b0200c57ff111260313cf5798eeefb8b5b10c1509b64e2ee611a78e81075c588a473b67f9802609b2fef9ebb87ae514d98 -DIST patch-4.7.3.xz 109896 SHA256 826b96e794d325abf430e8d6c3279a21e97e3ec321a3962b9dd6966693b14d88 SHA512 f2cc5d72c3d923dffb7f89e8a90bb30f3a202a4c353cac7dd693c65bfdedb81dd9882223ca1fcb613c75fc8176e4f8e7133566455631acd6b0b85a521cf8ee09 WHIRLPOOL aef2029a1145153700445515f87404ec0fb3c326ddcf22d22e5308c3ec6fc6bb25bbc7ac14506158a8f2f0d3e0e4cec048cb30d768a402ff64923288bad0862e +DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5 +DIST patch-4.8.2.xz 18772 SHA256 edb6e8022172df2b020b53e1cfa32bcde070f3119a6618766066098c46008a9b SHA512 378ee4d328169b6e2475177bef31596d9f586b08ba87eb170c1943e3a1d43749d7b101b6f39886d50bbf1abf0ca8720a567f30a6ac9f5c66afe1f657d4899d25 WHIRLPOOL 9e4292da8f1ce629e95e08caa41c128153b3c477a0edd0540794e8f69fcf8c41e9138f3086b8cdf8cbe0155900d3faf324438b4c93c58ec14248df5726df9a0b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.3.ebuild deleted file mode 100644 index acb91de445..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.3.ebuild +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright 2014 CoreOS, Inc. -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" -ETYPE="sources" -inherit kernel-2 -detect_version - -DESCRIPTION="Full sources for the CoreOS Linux kernel" -HOMEPAGE="http://www.kernel.org" -SRC_URI="${KERNEL_URI}" - -KEYWORDS="amd64 arm64" -IUSE="" - -PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" - -# XXX: Note we must prefix the patch filenames with "z" to ensure they are -# applied _after_ a potential patch-${KV}.patch file, present when building a -# patchlevel revision. We mustn't apply our patches first, it fails when the -# local patches overlap with the upstream patch. - -# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' -UNIPATCH_LIST=" - ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \ - ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ - ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \ - ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \ - ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ - ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ - ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ - ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ - ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ - ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \ - ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ - ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \ - ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \ - ${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \ - ${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \ - ${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \ - ${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \ - ${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \ - ${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ - ${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \ -" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.2.ebuild new file mode 100644 index 0000000000..1875665f3f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.2.ebuild @@ -0,0 +1,46 @@ +# Copyright 2014 CoreOS, Inc. +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" +ETYPE="sources" +inherit kernel-2 +detect_version + +DESCRIPTION="Full sources for the CoreOS Linux kernel" +HOMEPAGE="http://www.kernel.org" +SRC_URI="${KERNEL_URI}" + +KEYWORDS="amd64 arm64" +IUSE="" + +PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" + +# XXX: Note we must prefix the patch filenames with "z" to ensure they are +# applied _after_ a potential patch-${KV}.patch file, present when building a +# patchlevel revision. We mustn't apply our patches first, it fails when the +# local patches overlap with the upstream patch. + +# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' +UNIPATCH_LIST=" + ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \ + ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \ + ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \ + ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \ + ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \ + ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \ + ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \ + ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \ + ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ + ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \ + ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \ + ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ + ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ + ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ + ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ + ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ + ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \ + ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ + ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ + ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ + ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ +" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch deleted file mode 100644 index 3a9846ee21..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ /dev/null @@ -1,140 +0,0 @@ -From cf7c941ac72cf28c9ed256ed6f7e77dd451819ec Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 14/20] Security: Provide copy-up security hooks for unioned - files - -Provide two new security hooks for use with security files that are used when -a file is copied up between layers: - - (1) security_inode_copy_up(). This is called so that the security label on - the destination file can be set appropriately. - - (2) security_inode_copy_up_xattr(). This is called so that each xattr being - copied up can be vetted - including modification and discard. - -Signed-off-by: David Howells ---- - include/linux/lsm_hooks.h | 23 +++++++++++++++++++++++ - include/linux/security.h | 14 ++++++++++++++ - security/security.c | 17 +++++++++++++++++ - 3 files changed, 54 insertions(+) - -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 7ae3976..b585466 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -401,6 +401,24 @@ - * @inode contains a pointer to the inode. - * @secid contains a pointer to the location where result will be saved. - * In case of failure, @secid will be set to zero. -+ * @inode_copy_up: -+ * Appropriately label the destination inode when a unioned file is copied -+ * up from a lower layer to the union/overlay layer. -+ * @src indicates the file that is being copied up. -+ * @dst indicates the file that has being created by the copy up. -+ * Returns 0 on success or a negative error code on error. -+ * @inode_copy_up_xattr: -+ * Filter/modify the xattrs being copied up when a unioned file is copied -+ * up from a lower layer to the union/overlay layer. -+ * @src indicates the file that is being copied up. -+ * @dst indicates the file that has being created by the copy up. -+ * @name indicates the name of the xattr. -+ * @value, *@size indicate the payload of the xattr. -+ * Returns 0 to accept the xattr, 1 to discard the xattr or a negative -+ * error code to abort the copy up. The xattr buffer must be at least -+ * XATTR_SIZE_MAX in capacity and the contents may be modified and *@size -+ * changed appropriately. Note that the caller is responsible for reading -+ * and writing the xattrs as this hook is merely a filter. - * - * Security hooks for file operations - * -@@ -1425,6 +1443,9 @@ union security_list_options { - int (*inode_listsecurity)(struct inode *inode, char *buffer, - size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); -+ int (*inode_copy_up) (struct dentry *src, struct dentry *dst); -+ int (*inode_copy_up_xattr) (struct dentry *src, struct dentry *dst, -+ const char *name, void *value, size_t *size); - - int (*file_permission)(struct file *file, int mask); - int (*file_alloc_security)(struct file *file); -@@ -1696,6 +1717,8 @@ struct security_hook_heads { - struct list_head inode_setsecurity; - struct list_head inode_listsecurity; - struct list_head inode_getsecid; -+ struct list_head inode_copy_up; -+ struct list_head inode_copy_up_xattr; - struct list_head file_permission; - struct list_head file_alloc_security; - struct list_head file_free_security; -diff --git a/include/linux/security.h b/include/linux/security.h -index 14df373..986265b 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -282,6 +282,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf - int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); - int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void security_inode_getsecid(struct inode *inode, u32 *secid); -+int security_inode_copy_up(struct dentry *src, struct dentry *dst); -+int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst, -+ const char *name, void *value, size_t *size); -+ - int security_file_permission(struct file *file, int mask); - int security_file_alloc(struct file *file); - void security_file_free(struct file *file); -@@ -758,6 +762,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) - *secid = 0; - } - -+static inline int security_inode_copy_up(struct dentry *src, struct dentry *dst) -+{ -+ return 0; -+} -+static inline int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst, -+ const char *name, const void *value, size_t *size) -+{ -+ return 0; -+} -+ - static inline int security_file_permission(struct file *file, int mask) - { - return 0; -diff --git a/security/security.c b/security/security.c -index 7095693..77ec85b 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -727,6 +727,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) - call_void_hook(inode_getsecid, inode, secid); - } - -+int security_inode_copy_up(struct dentry *src, struct dentry *dst) -+{ -+ return call_int_hook(inode_copy_up, 0, src, dst); -+} -+EXPORT_SYMBOL(security_inode_copy_up); -+ -+int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst, -+ const char *name, void *value, size_t *size) -+{ -+ return call_int_hook(inode_copy_up_xattr, 0, src, dst, name, value, size); -+} -+EXPORT_SYMBOL(security_inode_copy_up_xattr); -+ - int security_file_permission(struct file *file, int mask) - { - int ret; -@@ -1663,6 +1676,10 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), - .inode_getsecid = - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), -+ .inode_copy_up = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up), -+ .inode_copy_up_xattr = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch deleted file mode 100644 index 48e3e1a7cd..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 08ff141c7c1887f6f2793b03d7575d46375352c6 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 15/20] Overlayfs: Use copy-up security hooks - -Use the copy-up security hooks previously provided to allow an LSM to adjust -the security on a newly created copy and to filter the xattrs copied to that -file copy. - -Signed-off-by: David Howells ---- - fs/overlayfs/copy_up.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 80aa6f1..c7ba7b2 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -102,6 +102,14 @@ retry: - value_size = size; - goto retry; - } -+ error = security_inode_copy_up_xattr(old, new, -+ name, value, &size); -+ if (error < 0) -+ break; -+ if (error == 1) { -+ error = 0; -+ continue; /* Discard */ -+ } - - error = vfs_setxattr(new, name, value, size, 0); - if (error) -@@ -265,6 +273,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, - if (err) - goto out2; - -+ err = security_inode_copy_up(lowerpath->dentry, newdentry); -+ if (err < 0) -+ goto out_cleanup; -+ - if (S_ISREG(stat->mode)) { - struct path upperpath; - --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch deleted file mode 100644 index ba269525f6..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 5010e474dd5f54f95f54f5ac6d86085084148aca Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 16/20] SELinux: Stub in copy-up handling - -Provide stubs for union/overlay copy-up handling. The xattr copy up stub -discards lower SELinux xattrs rather than letting them be copied up so that -the security label on the copy doesn't get corrupted. - -Signed-off-by: David Howells ---- - security/selinux/hooks.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index a86d537..19719b7 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3270,6 +3270,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) - *secid = isec->sid; - } - -+static int selinux_inode_copy_up(struct dentry *src, struct dentry *dst) -+{ -+ return 0; -+} -+ -+static int selinux_inode_copy_up_xattr(struct dentry *src, struct dentry *dst, -+ const char *name, void *value, -+ size_t *size) -+{ -+ /* The copy_up hook above sets the initial context on an inode, but we -+ * don't then want to overwrite it by blindly copying all the lower -+ * xattrs up. Instead, we have to filter out SELinux-related xattrs. -+ */ -+ if (strcmp(name, XATTR_NAME_SELINUX) == 0) -+ return 1; /* Discard */ -+ return 0; -+} -+ - /* file security operations */ - - static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -6056,6 +6074,8 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), - LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), -+ LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), -+ LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), - - LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch deleted file mode 100644 index caaf7cde5e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ /dev/null @@ -1,133 +0,0 @@ -From 9f1a7fa7a1db75f71d653863fd190e160535d9d1 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 17/20] SELinux: Handle opening of a unioned file - -Handle the opening of a unioned file by trying to derive the label that would -be attached to the union-layer inode if it doesn't exist. - -If the union-layer inode does exist (as it necessarily does in overlayfs, but -not in unionmount), we assume that it has the right label and use that. -Otherwise we try to get it from the superblock. - -If the superblock has a globally-applied label, we use that, otherwise we try -to transition to an appropriate label. This union label is then stored in the -file_security_struct. - -We then perform an additional check to make sure that the calling task is -granted permission by the union-layer inode label to open the file in addition -to a check to make sure that the task is granted permission to open the lower -file with the lower inode label. - -Signed-off-by: David Howells ---- - security/selinux/hooks.c | 69 +++++++++++++++++++++++++++++++++++++++ - security/selinux/include/objsec.h | 1 + - 2 files changed, 70 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 19719b7..74e4f4e 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3603,10 +3603,72 @@ static int selinux_file_receive(struct file *file) - return file_has_perm(cred, file, file_to_av(file)); - } - -+/* -+ * We have a file opened on a unioned file system that falls through to a file -+ * on a lower layer. If there is a union inode, we try to get the label from -+ * that, otherwise we need to get it from the superblock. -+ * -+ * file->f_path points to the union layer and file->f_inode points to the lower -+ * layer. -+ */ -+static int selinux_file_open_union(struct file *file, -+ struct file_security_struct *fsec, -+ const struct cred *cred) -+{ -+ const struct superblock_security_struct *sbsec; -+ const struct inode_security_struct *isec, *dsec, *fisec; -+ const struct task_security_struct *tsec = current_security(); -+ struct common_audit_data ad; -+ struct dentry *union_dentry = file->f_path.dentry; -+ const struct inode *union_inode = d_inode(union_dentry); -+ const struct inode *lower_inode = file_inode(file); -+ struct dentry *dir; -+ int rc; -+ -+ sbsec = union_dentry->d_sb->s_security; -+ -+ if (union_inode) { -+ isec = union_inode->i_security; -+ fsec->union_isid = isec->sid; -+ } else if ((sbsec->flags & SE_SBINITIALIZED) && -+ (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { -+ fsec->union_isid = sbsec->mntpoint_sid; -+ } else { -+ dir = dget_parent(union_dentry); -+ dsec = d_inode(dir)->i_security; -+ -+ rc = security_transition_sid( -+ tsec->sid, dsec->sid, -+ inode_mode_to_security_class(lower_inode->i_mode), -+ &union_dentry->d_name, -+ &fsec->union_isid); -+ dput(dir); -+ if (rc) { -+ pr_warn("%s: security_transition_sid failed, rc=%d (name=%pD)\n", -+ __func__, -rc, file); -+ return rc; -+ } -+ } -+ -+ /* We need to check that the union file is allowed to be opened as well -+ * as checking that the lower file is allowed to be opened. -+ */ -+ if (unlikely(IS_PRIVATE(lower_inode))) -+ return 0; -+ -+ ad.type = LSM_AUDIT_DATA_PATH; -+ ad.u.path = file->f_path; -+ -+ fisec = lower_inode->i_security; -+ return avc_has_perm(cred_sid(cred), fsec->union_isid, fisec->sclass, -+ open_file_to_av(file), &ad); -+} -+ - static int selinux_file_open(struct file *file, const struct cred *cred) - { - struct file_security_struct *fsec; - struct inode_security_struct *isec; -+ int rc; - - fsec = file->f_security; - isec = inode_security(file_inode(file)); -@@ -3627,6 +3689,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) - * new inode label or new policy. - * This check is not redundant - do not remove. - */ -+ -+ if (d_inode(file->f_path.dentry) != file->f_inode) { -+ rc = selinux_file_open_union(file, fsec, cred); -+ if (rc < 0) -+ return rc; -+ } -+ - return file_path_has_perm(cred, file, open_file_to_av(file)); - } - -diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h -index c21e135..1c23b90 100644 ---- a/security/selinux/include/objsec.h -+++ b/security/selinux/include/objsec.h -@@ -59,6 +59,7 @@ struct file_security_struct { - u32 sid; /* SID of open file description */ - u32 fown_sid; /* SID of file owner (for SIGIO) */ - u32 isid; /* SID of inode at the time of file open */ -+ u32 union_isid; /* SID of would-be inodes in union top (or 0) */ - u32 pseqno; /* Policy seqno at the time of file open */ - }; - --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch deleted file mode 100644 index 62b43f1d7b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 4d316639da0c1a3cbe34b33cb7d2821b810020bf Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 18/20] SELinux: Check against union label for file operations - -File operations (eg. read, write) issued against a file that is attached to -the lower layer of a union file needs to be checked against the union-layer -label not the lower layer label. - -The union label is stored in the file_security_struct rather than being -retrieved from one of the inodes. - -Signed-off-by: David Howells ---- - security/selinux/hooks.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 74e4f4e..f6dc6b2 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1755,6 +1755,7 @@ static int file_has_perm(const struct cred *cred, - struct file *file, - u32 av) - { -+ struct inode_security_struct *isec; - struct file_security_struct *fsec = file->f_security; - struct inode *inode = file_inode(file); - struct common_audit_data ad; -@@ -1775,8 +1776,15 @@ static int file_has_perm(const struct cred *cred, - - /* av is zero if only checking access to the descriptor. */ - rc = 0; -- if (av) -- rc = inode_has_perm(cred, inode, av, &ad); -+ if (av && likely(!IS_PRIVATE(inode))) { -+ if (fsec->union_isid) { -+ isec = inode->i_security; -+ rc = avc_has_perm(sid, fsec->union_isid, isec->sclass, -+ av, &ad); -+ } -+ if (!rc) -+ rc = inode_has_perm(cred, inode, av, &ad); -+ } - - out: - return rc; --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch deleted file mode 100644 index 83ebf2b8f5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 8a81012508249122343f090c989c46cf15c67480 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 20/20] Don't verify write permissions on lower inodes on - overlayfs - -If a user opens a file r/w on overlayfs, and if the underlying inode is -currently still on the lower fs, right now we're verifying whether selinux -policy permits writes to the selinux context on the underlying inode. This -is suboptimal, since we don't want confined processes to be able to write to -these files if they're able to escape from a container and so don't want to -permit this in policy. Have overlayfs pass down an additional flag when -verifying the permission on lower inodes, and mask off the write bits in -the selinux permissions check if that flag is set. ---- - fs/overlayfs/inode.c | 3 +++ - include/linux/fs.h | 1 + - security/selinux/hooks.c | 9 +++++++++ - 3 files changed, 13 insertions(+) - -diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index d1cdc60..a5b1498 100644 ---- a/fs/overlayfs/inode.c -+++ b/fs/overlayfs/inode.c -@@ -189,6 +189,9 @@ int ovl_permission(struct inode *inode, int mask) - goto out_dput; - } - -+ if (!is_upper) -+ mask |= MAY_OPEN_LOWER; -+ - err = __inode_permission(realinode, mask); - out_dput: - dput(alias); -diff --git a/include/linux/fs.h b/include/linux/fs.h -index dd28814..5988996 100644 ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -84,6 +84,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, - #define MAY_CHDIR 0x00000040 - /* called from RCU mode, don't block */ - #define MAY_NOT_BLOCK 0x00000080 -+#define MAY_OPEN_LOWER 0x00000100 - - /* - * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index f6dc6b2..10081f7 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -2981,6 +2981,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) - u32 audited, denied; - - from_access = mask & MAY_ACCESS; -+ -+ /* -+ * If we're trying to open the lower layer of an overlay mount, don't -+ * worry about write or append permissions - these will be verified -+ * against the upper context -+ */ -+ if (mask & MAY_OPEN_LOWER) -+ mask &= ~(MAY_WRITE|MAY_APPEND); -+ - mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); - - /* No permission to check. Existence test. */ --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch new file mode 100644 index 0000000000..a9fab809c6 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch @@ -0,0 +1,148 @@ +From a893dfc0d7ae1ef27d57ba8585d9d6d079a440d9 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:57 -0400 +Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for + unioned files + +Provide a security hook to label new file correctly when a file is copied +up from lower layer to upper layer of a overlay/union mount. + +This hook can prepare a new set of creds which are suitable for new file +creation during copy up. Caller will use new creds to create file and then +revert back to old creds and release new creds. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/copy_up.c | 15 +++++++++++++++ + include/linux/lsm_hooks.h | 11 +++++++++++ + include/linux/security.h | 6 ++++++ + security/security.c | 8 ++++++++ + 4 files changed, 40 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 43fdc27..e15bc8e 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -248,6 +248,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, + struct dentry *upper = NULL; + umode_t mode = stat->mode; + int err; ++ const struct cred *old_creds = NULL; ++ struct cred *new_creds = NULL; + + newdentry = ovl_lookup_temp(workdir, dentry); + err = PTR_ERR(newdentry); +@@ -260,10 +262,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, + if (IS_ERR(upper)) + goto out1; + ++ err = security_inode_copy_up(dentry, &new_creds); ++ if (err < 0) ++ goto out2; ++ ++ if (new_creds) ++ old_creds = override_creds(new_creds); ++ + /* Can't properly set mode on creation because of the umask */ + stat->mode &= S_IFMT; + err = ovl_create_real(wdir, newdentry, stat, link, NULL, true); + stat->mode = mode; ++ ++ if (new_creds) { ++ revert_creds(old_creds); ++ put_cred(new_creds); ++ } ++ + if (err) + goto out2; + +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index 101bf19..ba3c842 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -401,6 +401,15 @@ + * @inode contains a pointer to the inode. + * @secid contains a pointer to the location where result will be saved. + * In case of failure, @secid will be set to zero. ++ * @inode_copy_up: ++ * A file is about to be copied up from lower layer to upper layer of ++ * overlay filesystem. Security module can prepare a set of new creds ++ * and modify as need be and return new creds. Caller will switch to ++ * new creds temporarily to create new file and release newly allocated ++ * creds. ++ * @src indicates the union dentry of file that is being copied up. ++ * @new pointer to pointer to return newly allocated creds. ++ * Returns 0 on success or a negative error code on error. + * + * Security hooks for file operations + * +@@ -1425,6 +1434,7 @@ union security_list_options { + int (*inode_listsecurity)(struct inode *inode, char *buffer, + size_t buffer_size); + void (*inode_getsecid)(struct inode *inode, u32 *secid); ++ int (*inode_copy_up) (struct dentry *src, struct cred **new); + + int (*file_permission)(struct file *file, int mask); + int (*file_alloc_security)(struct file *file); +@@ -1696,6 +1706,7 @@ struct security_hook_heads { + struct list_head inode_setsecurity; + struct list_head inode_listsecurity; + struct list_head inode_getsecid; ++ struct list_head inode_copy_up; + struct list_head file_permission; + struct list_head file_alloc_security; + struct list_head file_free_security; +diff --git a/include/linux/security.h b/include/linux/security.h +index 7831cd5..c5b0ccd 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf + int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); + int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); + void security_inode_getsecid(struct inode *inode, u32 *secid); ++int security_inode_copy_up(struct dentry *src, struct cred **new); + int security_file_permission(struct file *file, int mask); + int security_file_alloc(struct file *file); + void security_file_free(struct file *file); +@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) + *secid = 0; + } + ++static inline int security_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ return 0; ++} ++ + static inline int security_file_permission(struct file *file, int mask) + { + return 0; +diff --git a/security/security.c b/security/security.c +index 4838e7f..f2a7f27 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) + call_void_hook(inode_getsecid, inode, secid); + } + ++int security_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ return call_int_hook(inode_copy_up, 0, src, new); ++} ++EXPORT_SYMBOL(security_inode_copy_up); ++ + int security_file_permission(struct file *file, int mask) + { + int ret; +@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), + .inode_getsecid = + LIST_HEAD_INIT(security_hook_heads.inode_getsecid), ++ .inode_copy_up = ++ LIST_HEAD_INIT(security_hook_heads.inode_copy_up), + .file_permission = + LIST_HEAD_INIT(security_hook_heads.file_permission), + .file_alloc_security = +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch new file mode 100644 index 0000000000..0bc52d31fa --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch @@ -0,0 +1,62 @@ +From a9d38a0fd25b5ce5896d0eee704902fa94264edb Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook + +A file is being copied up for overlay file system. Prepare a new set of +creds and set create_sid appropriately so that new file is created with +appropriate label. + +Overlay inode has right label for both context and non-context mount +cases. In case of non-context mount, overlay inode will have the label +of lower file and in case of context mount, overlay inode will have +the label from context= mount option. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 13185a6..264ee90 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) + *secid = isec->sid; + } + ++static int selinux_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ u32 sid; ++ struct task_security_struct *tsec; ++ struct cred *new_creds = *new; ++ ++ if (new_creds == NULL) { ++ new_creds = prepare_creds(); ++ if (!new_creds) ++ return -ENOMEM; ++ } ++ ++ tsec = new_creds->security; ++ /* Get label from overlay inode and set it in create_sid */ ++ selinux_inode_getsecid(d_inode(src), &sid); ++ tsec->create_sid = sid; ++ *new = new_creds; ++ return 0; ++} ++ + /* file security operations */ + + static int selinux_revalidate_file_permission(struct file *file, int mask) +@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), + LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), + LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), ++ LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), + + LSM_HOOK_INIT(file_permission, selinux_file_permission), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch new file mode 100644 index 0000000000..1f65a260ab --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch @@ -0,0 +1,129 @@ +From 19222362a287b22fa8482a92be9ba749b7497e42 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up + of xattrs for overlay file + +Provide a security hook which is called when xattrs of a file are being +copied up. This hook is called once for each xattr and LSM can return +0 if the security module wants the xattr to be copied up, 1 if the +security module wants the xattr to be discarded on the copy, -EOPNOTSUPP +if the security module does not handle/manage the xattr, or a -errno +upon an error. + +Signed-off-by: David Howells +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/copy_up.c | 7 +++++++ + include/linux/lsm_hooks.h | 10 ++++++++++ + include/linux/security.h | 6 ++++++ + security/security.c | 8 ++++++++ + 4 files changed, 31 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index e15bc8e..db37a0e 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -105,6 +105,13 @@ retry: + goto retry; + } + ++ error = security_inode_copy_up_xattr(name); ++ if (error < 0 && error != -EOPNOTSUPP) ++ break; ++ if (error == 1) { ++ error = 0; ++ continue; /* Discard */ ++ } + error = vfs_setxattr(new, name, value, size, 0); + if (error) + break; +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index ba3c842..336b3fb 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -410,6 +410,14 @@ + * @src indicates the union dentry of file that is being copied up. + * @new pointer to pointer to return newly allocated creds. + * Returns 0 on success or a negative error code on error. ++ * @inode_copy_up_xattr: ++ * Filter the xattrs being copied up when a unioned file is copied ++ * up from a lower layer to the union/overlay layer. ++ * @name indicates the name of the xattr. ++ * Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if ++ * security module does not know about attribute or a negative error code ++ * to abort the copy up. Note that the caller is responsible for reading ++ * and writing the xattrs as this hook is merely a filter. + * + * Security hooks for file operations + * +@@ -1435,6 +1443,7 @@ union security_list_options { + size_t buffer_size); + void (*inode_getsecid)(struct inode *inode, u32 *secid); + int (*inode_copy_up) (struct dentry *src, struct cred **new); ++ int (*inode_copy_up_xattr) (const char *name); + + int (*file_permission)(struct file *file, int mask); + int (*file_alloc_security)(struct file *file); +@@ -1707,6 +1716,7 @@ struct security_hook_heads { + struct list_head inode_listsecurity; + struct list_head inode_getsecid; + struct list_head inode_copy_up; ++ struct list_head inode_copy_up_xattr; + struct list_head file_permission; + struct list_head file_alloc_security; + struct list_head file_free_security; +diff --git a/include/linux/security.h b/include/linux/security.h +index c5b0ccd..536fafd 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void + int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); + void security_inode_getsecid(struct inode *inode, u32 *secid); + int security_inode_copy_up(struct dentry *src, struct cred **new); ++int security_inode_copy_up_xattr(const char *name); + int security_file_permission(struct file *file, int mask); + int security_file_alloc(struct file *file); + void security_file_free(struct file *file); +@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new) + return 0; + } + ++static inline int security_inode_copy_up_xattr(const char *name) ++{ ++ return -EOPNOTSUPP; ++} ++ + static inline int security_file_permission(struct file *file, int mask) + { + return 0; +diff --git a/security/security.c b/security/security.c +index f2a7f27..a9e2bb9 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new) + } + EXPORT_SYMBOL(security_inode_copy_up); + ++int security_inode_copy_up_xattr(const char *name) ++{ ++ return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name); ++} ++EXPORT_SYMBOL(security_inode_copy_up_xattr); ++ + int security_file_permission(struct file *file, int mask) + { + int ret; +@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.inode_getsecid), + .inode_copy_up = + LIST_HEAD_INIT(security_hook_heads.inode_copy_up), ++ .inode_copy_up_xattr = ++ LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), + .file_permission = + LIST_HEAD_INIT(security_hook_heads.file_permission), + .file_alloc_security = +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch new file mode 100644 index 0000000000..2d085086fe --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch @@ -0,0 +1,53 @@ +From 0e7ff4309fbdb793c579336ea16d1b25523476fe Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook + +When a file is copied up in overlay, we have already created file on upper/ +with right label and there is no need to copy up selinux label/xattr from +lower file to upper file. In fact in case of context mount, we don't want +to copy up label as newly created file got its label from context= option. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 264ee90..d30d7b3 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) + return 0; + } + ++static int selinux_inode_copy_up_xattr(const char *name) ++{ ++ /* The copy_up hook above sets the initial context on an inode, but we ++ * don't then want to overwrite it by blindly copying all the lower ++ * xattrs up. Instead, we have to filter out SELinux-related xattrs. ++ */ ++ if (strcmp(name, XATTR_NAME_SELINUX) == 0) ++ return 1; /* Discard */ ++ /* ++ * Any other attribute apart from SELINUX is not claimed, supported ++ * by selinux. ++ */ ++ return -EOPNOTSUPP; ++} ++ + /* file security operations */ + + static int selinux_revalidate_file_permission(struct file *file, int mask) +@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), + LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), ++ LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), + + LSM_HOOK_INIT(file_permission, selinux_file_permission), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch new file mode 100644 index 0000000000..d2522c9032 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch @@ -0,0 +1,73 @@ +From bb44799820540a69a43ebc49dd8691f3f6b19312 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 05/21] selinux: Pass security pointer to + determine_inode_label() + +Right now selinux_determine_inode_label() works on security pointer of +current task. Soon I need this to work on a security pointer retrieved +from a set of creds. So start passing in a pointer and caller can decide +where to fetch security pointer from. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index d30d7b3..2bf0d00 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -1808,13 +1808,13 @@ out: + /* + * Determine the label for an inode that might be unioned. + */ +-static int selinux_determine_inode_label(struct inode *dir, +- const struct qstr *name, +- u16 tclass, +- u32 *_new_isid) ++static int ++selinux_determine_inode_label(const struct task_security_struct *tsec, ++ struct inode *dir, ++ const struct qstr *name, u16 tclass, ++ u32 *_new_isid) + { + const struct superblock_security_struct *sbsec = dir->i_sb->s_security; +- const struct task_security_struct *tsec = current_security(); + + if ((sbsec->flags & SE_SBINITIALIZED) && + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { +@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir, + if (rc) + return rc; + +- rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass, +- &newsid); ++ rc = selinux_determine_inode_label(current_security(), dir, ++ &dentry->d_name, tclass, &newsid); + if (rc) + return rc; + +@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, + u32 newsid; + int rc; + +- rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name, ++ rc = selinux_determine_inode_label(current_security(), ++ d_inode(dentry->d_parent), name, + inode_mode_to_security_class(mode), + &newsid); + if (rc) +@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, + sid = tsec->sid; + newsid = tsec->create_sid; + +- rc = selinux_determine_inode_label( ++ rc = selinux_determine_inode_label(current_security(), + dir, qstr, + inode_mode_to_security_class(inode->i_mode), + &newsid); +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch new file mode 100644 index 0000000000..83f2530949 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch @@ -0,0 +1,159 @@ +From aca722ec1a3ecda00f0317ff467dbdf0e12d5dbe Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label + newly created files + +During a new file creation we need to make sure new file is created with the +right label. New file is created in upper/ so effectively file should get +label as if task had created file in upper/. + +We switched to mounter's creds for actual file creation. Also if there is a +whiteout present, then file will be created in work/ dir first and then +renamed in upper. In none of the cases file will be labeled as we want it to +be. + +This patch introduces a new hook dentry_create_files_as(), which determines +the label/context dentry will get if it had been created by task in upper +and modify passed set of creds appropriately. Caller makes use of these new +creds for file creation. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/dir.c | 10 ++++++++++ + include/linux/lsm_hooks.h | 15 +++++++++++++++ + include/linux/security.h | 12 ++++++++++++ + security/security.c | 11 +++++++++++ + 4 files changed, 48 insertions(+) + +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c +index 1560fdc..b0ffa1d 100644 +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -489,6 +489,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, + if (override_cred) { + override_cred->fsuid = inode->i_uid; + override_cred->fsgid = inode->i_gid; ++ if (!hardlink) { ++ err = security_dentry_create_files_as(dentry, ++ stat->mode, &dentry->d_name, old_cred, ++ override_cred); ++ if (err) { ++ put_cred(override_cred); ++ goto out_revert_creds; ++ } ++ } + put_cred(override_creds(override_cred)); + put_cred(override_cred); + +@@ -499,6 +508,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, + err = ovl_create_over_whiteout(dentry, inode, stat, + link, hardlink); + } ++out_revert_creds: + revert_creds(old_cred); + if (!err) { + struct inode *realinode = d_inode(ovl_dentry_upper(dentry)); +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index 336b3fb..55891c0 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -151,6 +151,16 @@ + * @name name of the last path component used to create file + * @ctx pointer to place the pointer to the resulting context in. + * @ctxlen point to place the length of the resulting context. ++ * @dentry_create_files_as: ++ * Compute a context for a dentry as the inode is not yet available ++ * and set that context in passed in creds so that new files are ++ * created using that context. Context is calculated using the ++ * passed in creds and not the creds of the caller. ++ * @dentry dentry to use in calculating the context. ++ * @mode mode used to determine resource type. ++ * @name name of the last path component used to create file ++ * @old creds which should be used for context calculation ++ * @new creds to modify + * + * + * Security hooks for inode operations. +@@ -1375,6 +1385,10 @@ union security_list_options { + int (*dentry_init_security)(struct dentry *dentry, int mode, + const struct qstr *name, void **ctx, + u32 *ctxlen); ++ int (*dentry_create_files_as)(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new); + + + #ifdef CONFIG_SECURITY_PATH +@@ -1675,6 +1689,7 @@ struct security_hook_heads { + struct list_head sb_clone_mnt_opts; + struct list_head sb_parse_opts_str; + struct list_head dentry_init_security; ++ struct list_head dentry_create_files_as; + #ifdef CONFIG_SECURITY_PATH + struct list_head path_unlink; + struct list_head path_mkdir; +diff --git a/include/linux/security.h b/include/linux/security.h +index 536fafd..a6c6d5d 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); + int security_dentry_init_security(struct dentry *dentry, int mode, + const struct qstr *name, void **ctx, + u32 *ctxlen); ++int security_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new); + + int security_inode_alloc(struct inode *inode); + void security_inode_free(struct inode *inode); +@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry, + return -EOPNOTSUPP; + } + ++static inline int security_dentry_create_files_as(struct dentry *dentry, ++ int mode, struct qstr *name, ++ const struct cred *old, ++ struct cred *new) ++{ ++ return 0; ++} ++ + + static inline int security_inode_init_security(struct inode *inode, + struct inode *dir, +diff --git a/security/security.c b/security/security.c +index a9e2bb9..69614f1 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode, + } + EXPORT_SYMBOL(security_dentry_init_security); + ++int security_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, struct cred *new) ++{ ++ return call_int_hook(dentry_create_files_as, 0, dentry, mode, ++ name, old, new); ++} ++EXPORT_SYMBOL(security_dentry_create_files_as); ++ + int security_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + const initxattrs initxattrs, void *fs_data) +@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str), + .dentry_init_security = + LIST_HEAD_INIT(security_hook_heads.dentry_init_security), ++ .dentry_create_files_as = ++ LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as), + #ifdef CONFIG_SECURITY_PATH + .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink), + .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir), +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch new file mode 100644 index 0000000000..276783ed1d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch @@ -0,0 +1,60 @@ +From e51df9a13fba7a385d97a4cd696dc6e488f617ba Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook + +Calculate what would be the label of newly created file and set that secid +in the passed creds. + +Context of the task which is actually creating file is retrieved from +set of creds passed in. (old->security). + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 2bf0d00..603b600 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, + return security_sid_to_context(newsid, (char **)ctx, ctxlen); + } + ++static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new) ++{ ++ u32 newsid; ++ int rc; ++ struct task_security_struct *tsec; ++ ++ rc = selinux_determine_inode_label(old->security, ++ d_inode(dentry->d_parent), name, ++ inode_mode_to_security_class(mode), ++ &newsid); ++ if (rc) ++ return rc; ++ ++ tsec = new->security; ++ tsec->create_sid = newsid; ++ return 0; ++} ++ + static int selinux_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + const char **name, +@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), + + LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), ++ LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), + + LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), + LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), +-- +2.7.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch index 171fe3c9e9..d6d3a95fc7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0001-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ -From 56c7486c654e67683c23e8769351898dc650f890 Mon Sep 17 00:00:00 2001 +From b47ebff1c49b5d05d1265fc1115c76bc947864b4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/20] Add secure_modules() call +Subject: [PATCH 08/21] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 3daf2b3..15843fc 100644 +index 0c3207d..c8b4ea0 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -643,6 +643,8 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -629,6 +629,8 @@ static inline bool module_requested_async_probing(struct module *module) return module && module->async_probe_requested; } @@ -29,7 +29,7 @@ index 3daf2b3..15843fc 100644 #ifdef CONFIG_LIVEPATCH static inline bool is_livepatch_module(struct module *mod) { -@@ -771,6 +773,10 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -750,6 +752,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } @@ -41,10 +41,10 @@ index 3daf2b3..15843fc 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 5f71aa6..3c38496 100644 +index 529efae..0332fdd 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4199,3 +4199,13 @@ void module_layout(struct module *mod, +@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 6fe45086b3..09374e3cc5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ -From a092193db748a914f777fc4426322d085f6447ba Mon Sep 17 00:00:00 2001 +From e168029a84e7306ea580caace7437fa4da8fbc6f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is +Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index d319a9c..6b1884d 100644 +index bcd10c7..a950301 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ @@ -29,7 +29,7 @@ index d319a9c..6b1884d 100644 #include "pci.h" static int sysfs_initialized; /* = 0 */ -@@ -711,6 +712,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, +@@ -716,6 +717,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; @@ -39,7 +39,7 @@ index d319a9c..6b1884d 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -1002,6 +1006,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -49,7 +49,7 @@ index d319a9c..6b1884d 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1101,6 +1108,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1106,6 +1113,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -60,7 +60,7 @@ index d319a9c..6b1884d 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 3f155e7..4265ea0 100644 +index 2408abe..59f321c 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, @@ -85,7 +85,7 @@ index 3f155e7..4265ea0 100644 ret = pci_domain_nr(dev->bus); @@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; - int i, ret; + int i, ret, write_combine; - if (!capable(CAP_SYS_RAWIO)) + if (!capable(CAP_SYS_RAWIO) || secure_modules()) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch index c25969f7d2..974a11536a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ -From 665de4d1fe2819dff85c1ae2bb5de77d2dfaf3d5 Mon Sep 17 00:00:00 2001 +From ec05aec348c19934baf6f8767b10d7a38cf41764 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/20] x86: Lock down IO port access when module security is +Subject: [PATCH 10/21] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -46,10 +46,10 @@ index 589b319..ab83724 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 71025c2..86e5bfa 100644 +index a33163d..48a2897 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c -@@ -27,6 +27,7 @@ +@@ -28,6 +28,7 @@ #include #include #include @@ -57,7 +57,7 @@ index 71025c2..86e5bfa 100644 #include -@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, +@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, unsigned long i = *ppos; const char __user *tmp = buf; diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch index 3fe2301d5c..88d5242cf8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From ec9e1e7e77567c9a02fe912d77c4ad0b861d35a0 Mon Sep 17 00:00:00 2001 +From ae584135ba044ef69640b22f53fe337a12cbe52f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/20] ACPI: Limit access to custom_method +Subject: [PATCH 11/21] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 3c733d9b7a..c4c67225eb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ -From 25b3c5a56a2f963a6b92be5256eb7d9a118e1ec4 Mon Sep 17 00:00:00 2001 +From 9727ba09f56eb7873736d2cc2ecef42722b098b9 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index a26dca3..6ec9cab 100644 +index 7c093a0..21fd6b8 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index ce02da6a19..a2bfba3c2b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From 30af3497cb4e5af8e602674738c2eb8cd79936e9 Mon Sep 17 00:00:00 2001 +From 0fbd3b71c764f791bed5ad56e4fe3a4c0e557ebe Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 86e5bfa..3264735 100644 +index 48a2897..08a7bff 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c -@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, +@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, if (p != *ppos) return -EFBIG; @@ -27,7 +27,7 @@ index 86e5bfa..3264735 100644 if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, +@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index a5907b4b7b..b1133513cb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From 5fc15323a692410e72e7b7fdafa2a71a7420b8d0 Mon Sep 17 00:00:00 2001 +From a7fc0717f49a6a06e20ea24406eefeb8497b1666 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index b108f13..158de7d 100644 +index 4305ee9..fa1bcf0 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index ed0a32a422..f34bd05cb7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ -From bd55d2cfacdd370df7e5a8f03863f59cee591c47 Mon Sep 17 00:00:00 2001 +From 3819061fb96f6cfe79c5827ccb1350274431a626 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 4384672..0876783 100644 +index 980936a..a0e4cb3 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -17,6 +17,7 @@ @@ -25,7 +25,7 @@ index 4384672..0876783 100644 #include "kexec_internal.h" -@@ -189,7 +190,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -190,7 +191,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, int result; /* We only trust the superuser with rebooting the system. */ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index ae5c30d11a..32a92742e5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ -From 6a2ebbbc4d82f75d98a2f594db23b853abba2333 Mon Sep 17 00:00:00 2001 +From 9e0d3ed7ba55087b28dd1d05d187772a2aca995c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is +Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch index d14fe8548c..4fca348c0a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ -From 23b33d629abc9fa53f5f1c6422bf7b170c322beb Mon Sep 17 00:00:00 2001 +From 1992d30251849cdeda09d423c9d55db6105b02ad Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/20] Add option to automatically enforce module signatures +Subject: [PATCH 17/21] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index d9a94da..866d0e9 100644 +index 2a1f0ce..ba2c734 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1776,6 +1776,16 @@ config EFI_MIXED +@@ -1774,6 +1774,16 @@ config EFI_MIXED If unsure, say N. @@ -55,7 +55,7 @@ index d9a94da..866d0e9 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 52fef60..faa223b 100644 +index 94dd4a3..1959b82 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -103,7 +103,7 @@ index 52fef60..faa223b 100644 static efi_status_t setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) { -@@ -1126,6 +1157,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -129,10 +129,10 @@ index c18ce67..2b3e542 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c4e7b39..bdb9881 100644 +index 98c9cd6..8979719 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -146,10 +146,10 @@ index c4e7b39..bdb9881 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index 15843fc..fe5c49d 100644 +index c8b4ea0..8918ef4 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table \ struct notifier_block; @@ -163,10 +163,10 @@ index 15843fc..fe5c49d 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 3c38496..ea484f3 100644 +index 0332fdd..3f1ea6b 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod, +@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 8dfd777d3a..5bba9f5e61 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From d1431fc712f301635f392a11045b1a2fe9df7e25 Mon Sep 17 00:00:00 2001 +From 1dc121c43321cec056018f3a9b0be1905b4b3a98 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 11/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 866d0e9..5b8b8c3 100644 +index ba2c734..a5d6b58 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1777,7 +1777,8 @@ config EFI_MIXED +@@ -1775,7 +1775,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch index 6058f2289f..bdd57ea0d6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From 735f74a5d4919c155481ee8aca9074c5d53f4029 Mon Sep 17 00:00:00 2001 +From 3bbee9070feb5ecd3c4f4003564a47fc6b321aee Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 12/20] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index bdb9881..a666b6c 100644 +index 8979719..4a49a2a 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -27,10 +27,10 @@ index bdb9881..a666b6c 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index f196dd0..3b3909f 100644 +index 0148a30..4b62b48 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch index cb7cc97c2b..3ed913e26c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From d0c5883f7885f8b8d1dd617ab6e7f4015bbd0419 Mon Sep 17 00:00:00 2001 +From a046628a71b1a9e37252895898630ac176b62ddd Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 13/20] hibernate: Disable in a signed modules environment +Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index fca9254..ffd8644 100644 +index 33c79b6..d1420be 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ @@ -25,7 +25,7 @@ index fca9254..ffd8644 100644 #include #include "power.h" -@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops; +@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops; bool hibernation_available(void) { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 67e5cece4c..fada25747e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From 7c61363beb72419f1dca56e156c794d114d5f9f9 Mon Sep 17 00:00:00 2001 +From a356477aced4eea60222b222509600839835dcbd Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 19/20] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 66da9a3..4d55d38 100644 +index bf6e44a..b4fe56d 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make