sys-kernel/coreos-sources: bump to 4.8.2

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1,2 @@
-DIST linux-4.7.tar.xz 90412100 SHA256 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10 SHA512 e8c02583e17e4fc4214fef694825fcb78c898266f1624deb1cdf56ab5c5fdfa669c5221122a7cf0d502ed6f921ff3797634acd9d294d29e98e3faa8a21920185 WHIRLPOOL e968c89ce714c8d918db6074dabac4b0200c57ff111260313cf5798eeefb8b5b10c1509b64e2ee611a78e81075c588a473b67f9802609b2fef9ebb87ae514d98
+DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5
-DIST patch-4.7.3.xz 109896 SHA256 826b96e794d325abf430e8d6c3279a21e97e3ec321a3962b9dd6966693b14d88 SHA512 f2cc5d72c3d923dffb7f89e8a90bb30f3a202a4c353cac7dd693c65bfdedb81dd9882223ca1fcb613c75fc8176e4f8e7133566455631acd6b0b85a521cf8ee09 WHIRLPOOL aef2029a1145153700445515f87404ec0fb3c326ddcf22d22e5308c3ec6fc6bb25bbc7ac14506158a8f2f0d3e0e4cec048cb30d768a402ff64923288bad0862e
+DIST patch-4.8.2.xz 18772 SHA256 edb6e8022172df2b020b53e1cfa32bcde070f3119a6618766066098c46008a9b SHA512 378ee4d328169b6e2475177bef31596d9f586b08ba87eb170c1943e3a1d43749d7b101b6f39886d50bbf1abf0ca8720a567f30a6ac9f5c66afe1f657d4899d25 WHIRLPOOL 9e4292da8f1ce629e95e08caa41c128153b3c477a0edd0540794e8f69fcf8c41e9138f3086b8cdf8cbe0155900d3faf324438b4c93c58ec14248df5726df9a0b

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.7.3.ebuild

@@ -1,45 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-        ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
-        ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-        ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-        ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
-        ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-        ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-        ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-        ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-        ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-        ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
-        ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-        ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
-        ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
-        ${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
-        ${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
-        ${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
-        ${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
-        ${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
-        ${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-        ${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.2.ebuild

@@ -0,0 +1,46 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+        ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
+        ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
+        ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
+        ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
+        ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
+        ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
+        ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
+        ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
+        ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+        ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+        ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
+        ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+        ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+        ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+        ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+        ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+        ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
+        ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+        ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
+        ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
+        ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch

@@ -1,140 +0,0 @@
-From cf7c941ac72cf28c9ed256ed6f7e77dd451819ec Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 14/20] Security: Provide copy-up security hooks for unioned
- files
-
-Provide two new security hooks for use with security files that are used when
-a file is copied up between layers:
-
- (1) security_inode_copy_up().  This is called so that the security label on
-     the destination file can be set appropriately.
-
- (2) security_inode_copy_up_xattr().  This is called so that each xattr being
-     copied up can be vetted - including modification and discard.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- include/linux/lsm_hooks.h | 23 +++++++++++++++++++++++
- include/linux/security.h  | 14 ++++++++++++++
- security/security.c       | 17 +++++++++++++++++
- 3 files changed, 54 insertions(+)
-
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 7ae3976..b585466 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -401,6 +401,24 @@
-  *	@inode contains a pointer to the inode.
-  *	@secid contains a pointer to the location where result will be saved.
-  *	In case of failure, @secid will be set to zero.
-+ * @inode_copy_up:
-+ *	Appropriately label the destination inode when a unioned file is copied
-+ *	up from a lower layer to the union/overlay layer.
-+ *	@src indicates the file that is being copied up.
-+ *	@dst indicates the file that has being created by the copy up.
-+ *	Returns 0 on success or a negative error code on error.
-+ * @inode_copy_up_xattr:
-+ *	Filter/modify the xattrs being copied up when a unioned file is copied
-+ *	up from a lower layer to the union/overlay layer.
-+ *	@src indicates the file that is being copied up.
-+ *	@dst indicates the file that has being created by the copy up.
-+ *	@name indicates the name of the xattr.
-+ *	@value, *@size indicate the payload of the xattr.
-+ *	Returns 0 to accept the xattr, 1 to discard the xattr or a negative
-+ *	error code to abort the copy up.  The xattr buffer must be at least
-+ *	XATTR_SIZE_MAX in capacity and the contents may be modified and *@size
-+ *	changed appropriately.  Note that the caller is responsible for reading
-+ *	and writing the xattrs as this hook is merely a filter.
-  *
-  * Security hooks for file operations
-  *
-@@ -1425,6 +1443,9 @@ union security_list_options {
- 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
-+	int (*inode_copy_up) (struct dentry *src, struct dentry *dst);
-+	int (*inode_copy_up_xattr) (struct dentry *src, struct dentry *dst,
-+				    const char *name, void *value, size_t *size);
- 
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1696,6 +1717,8 @@ struct security_hook_heads {
- 	struct list_head inode_setsecurity;
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
-+	struct list_head inode_copy_up;
-+	struct list_head inode_copy_up_xattr;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 14df373..986265b 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -282,6 +282,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
- int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
-+int security_inode_copy_up(struct dentry *src, struct dentry *dst);
-+int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
-+				 const char *name, void *value, size_t *size);
-+
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -758,6 +762,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = 0;
- }
- 
-+static inline int security_inode_copy_up(struct dentry *src, struct dentry *dst)
-+{
-+	return 0;
-+}
-+static inline int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
-+					       const char *name, const void *value, size_t *size)
-+{
-+	return 0;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index 7095693..77ec85b 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -727,6 +727,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	call_void_hook(inode_getsecid, inode, secid);
- }
- 
-+int security_inode_copy_up(struct dentry *src, struct dentry *dst)
-+{
-+	return call_int_hook(inode_copy_up, 0, src, dst);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up);
-+
-+int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
-+				 const char *name, void *value, size_t *size)
-+{
-+	return call_int_hook(inode_copy_up_xattr, 0, src, dst, name, value, size);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up_xattr);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1663,6 +1676,10 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- 	.inode_getsecid =
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
-+	.inode_copy_up =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
-+	.inode_copy_up_xattr =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0015-Overlayfs-Use-copy-up-security-hooks.patch

@@ -1,47 +0,0 @@
-From 08ff141c7c1887f6f2793b03d7575d46375352c6 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 15/20] Overlayfs: Use copy-up security hooks
-
-Use the copy-up security hooks previously provided to allow an LSM to adjust
-the security on a newly created copy and to filter the xattrs copied to that
-file copy.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- fs/overlayfs/copy_up.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 80aa6f1..c7ba7b2 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -102,6 +102,14 @@ retry:
- 			value_size = size;
- 			goto retry;
- 		}
-+		error = security_inode_copy_up_xattr(old, new,
-+						     name, value, &size);
-+		if (error < 0)
-+			break;
-+		if (error == 1) {
-+			error = 0;
-+			continue; /* Discard */
-+		}
- 
- 		error = vfs_setxattr(new, name, value, size, 0);
- 		if (error)
-@@ -265,6 +273,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	if (err)
- 		goto out2;
- 
-+	err = security_inode_copy_up(lowerpath->dentry, newdentry);
-+	if (err < 0)
-+		goto out_cleanup;
-+
- 	if (S_ISREG(stat->mode)) {
- 		struct path upperpath;
- 
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0016-SELinux-Stub-in-copy-up-handling.patch

@@ -1,55 +0,0 @@
-From 5010e474dd5f54f95f54f5ac6d86085084148aca Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 16/20] SELinux: Stub in copy-up handling
-
-Provide stubs for union/overlay copy-up handling.  The xattr copy up stub
-discards lower SELinux xattrs rather than letting them be copied up so that
-the security label on the copy doesn't get corrupted.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/selinux/hooks.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index a86d537..19719b7 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3270,6 +3270,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = isec->sid;
- }
- 
-+static int selinux_inode_copy_up(struct dentry *src, struct dentry *dst)
-+{
-+	return 0;
-+}
-+
-+static int selinux_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
-+				       const char *name, void *value,
-+				       size_t *size)
-+{
-+	/* The copy_up hook above sets the initial context on an inode, but we
-+	 * don't then want to overwrite it by blindly copying all the lower
-+	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
-+	 */
-+	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
-+		return 1; /* Discard */
-+	return 0;
-+}
-+
- /* file security operations */
- 
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6056,6 +6074,8 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-+	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-+	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
- 
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0017-SELinux-Handle-opening-of-a-unioned-file.patch

@@ -1,133 +0,0 @@
-From 9f1a7fa7a1db75f71d653863fd190e160535d9d1 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 17/20] SELinux: Handle opening of a unioned file
-
-Handle the opening of a unioned file by trying to derive the label that would
-be attached to the union-layer inode if it doesn't exist.
-
-If the union-layer inode does exist (as it necessarily does in overlayfs, but
-not in unionmount), we assume that it has the right label and use that.
-Otherwise we try to get it from the superblock.
-
-If the superblock has a globally-applied label, we use that, otherwise we try
-to transition to an appropriate label.  This union label is then stored in the
-file_security_struct.
-
-We then perform an additional check to make sure that the calling task is
-granted permission by the union-layer inode label to open the file in addition
-to a check to make sure that the task is granted permission to open the lower
-file with the lower inode label.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/selinux/hooks.c          | 69 +++++++++++++++++++++++++++++++++++++++
- security/selinux/include/objsec.h |  1 +
- 2 files changed, 70 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 19719b7..74e4f4e 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3603,10 +3603,72 @@ static int selinux_file_receive(struct file *file)
- 	return file_has_perm(cred, file, file_to_av(file));
- }
- 
-+/*
-+ * We have a file opened on a unioned file system that falls through to a file
-+ * on a lower layer.  If there is a union inode, we try to get the label from
-+ * that, otherwise we need to get it from the superblock.
-+ *
-+ * file->f_path points to the union layer and file->f_inode points to the lower
-+ * layer.
-+ */
-+static int selinux_file_open_union(struct file *file,
-+				   struct file_security_struct *fsec,
-+				   const struct cred *cred)
-+{
-+	const struct superblock_security_struct *sbsec;
-+	const struct inode_security_struct *isec, *dsec, *fisec;
-+	const struct task_security_struct *tsec = current_security();
-+	struct common_audit_data ad;
-+	struct dentry *union_dentry = file->f_path.dentry;
-+	const struct inode *union_inode = d_inode(union_dentry);
-+	const struct inode *lower_inode = file_inode(file);
-+	struct dentry *dir;
-+	int rc;
-+
-+	sbsec = union_dentry->d_sb->s_security;
-+
-+	if (union_inode) {
-+		isec = union_inode->i_security;
-+		fsec->union_isid = isec->sid;
-+	} else if ((sbsec->flags & SE_SBINITIALIZED) &&
-+		   (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
-+		fsec->union_isid = sbsec->mntpoint_sid;
-+	} else {
-+		dir = dget_parent(union_dentry);
-+		dsec = d_inode(dir)->i_security;
-+
-+		rc = security_transition_sid(
-+			tsec->sid, dsec->sid,
-+			inode_mode_to_security_class(lower_inode->i_mode),
-+			&union_dentry->d_name,
-+			&fsec->union_isid);
-+		dput(dir);
-+		if (rc) {
-+			pr_warn("%s:  security_transition_sid failed, rc=%d (name=%pD)\n",
-+				__func__, -rc, file);
-+			return rc;
-+		}
-+	}
-+
-+	/* We need to check that the union file is allowed to be opened as well
-+	 * as checking that the lower file is allowed to be opened.
-+	 */
-+	if (unlikely(IS_PRIVATE(lower_inode)))
-+		return 0;
-+
-+	ad.type = LSM_AUDIT_DATA_PATH;
-+	ad.u.path = file->f_path;
-+
-+	fisec = lower_inode->i_security;
-+	return avc_has_perm(cred_sid(cred), fsec->union_isid, fisec->sclass,
-+			    open_file_to_av(file), &ad);
-+}
-+
- static int selinux_file_open(struct file *file, const struct cred *cred)
- {
- 	struct file_security_struct *fsec;
- 	struct inode_security_struct *isec;
-+	int rc;
- 
- 	fsec = file->f_security;
- 	isec = inode_security(file_inode(file));
-@@ -3627,6 +3689,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
- 	 * new inode label or new policy.
- 	 * This check is not redundant - do not remove.
- 	 */
-+
-+	if (d_inode(file->f_path.dentry) != file->f_inode) {
-+		rc = selinux_file_open_union(file, fsec, cred);
-+		if (rc < 0)
-+			return rc;
-+	}
-+
- 	return file_path_has_perm(cred, file, open_file_to_av(file));
- }
- 
-diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
-index c21e135..1c23b90 100644
---- a/security/selinux/include/objsec.h
-+++ b/security/selinux/include/objsec.h
-@@ -59,6 +59,7 @@ struct file_security_struct {
- 	u32 sid;		/* SID of open file description */
- 	u32 fown_sid;		/* SID of file owner (for SIGIO) */
- 	u32 isid;		/* SID of inode at the time of file open */
-+	u32 union_isid;		/* SID of would-be inodes in union top (or 0) */
- 	u32 pseqno;		/* Policy seqno at the time of file open */
- };
- 
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0018-SELinux-Check-against-union-label-for-file-operation.patch

@@ -1,50 +0,0 @@
-From 4d316639da0c1a3cbe34b33cb7d2821b810020bf Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 18/20] SELinux: Check against union label for file operations
-
-File operations (eg. read, write) issued against a file that is attached to
-the lower layer of a union file needs to be checked against the union-layer
-label not the lower layer label.
-
-The union label is stored in the file_security_struct rather than being
-retrieved from one of the inodes.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/selinux/hooks.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 74e4f4e..f6dc6b2 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1755,6 +1755,7 @@ static int file_has_perm(const struct cred *cred,
- 			 struct file *file,
- 			 u32 av)
- {
-+	struct inode_security_struct *isec;
- 	struct file_security_struct *fsec = file->f_security;
- 	struct inode *inode = file_inode(file);
- 	struct common_audit_data ad;
-@@ -1775,8 +1776,15 @@ static int file_has_perm(const struct cred *cred,
- 
- 	/* av is zero if only checking access to the descriptor. */
- 	rc = 0;
--	if (av)
--		rc = inode_has_perm(cred, inode, av, &ad);
-+	if (av && likely(!IS_PRIVATE(inode))) {
-+		if (fsec->union_isid) {
-+			isec = inode->i_security;
-+			rc = avc_has_perm(sid, fsec->union_isid, isec->sclass,
-+					  av, &ad);
-+		}
-+		if (!rc)
-+			rc = inode_has_perm(cred, inode, av, &ad);
-+	}
- 
- out:
- 	return rc;
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.7/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch

@@ -1,69 +0,0 @@
-From 8a81012508249122343f090c989c46cf15c67480 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@coreos.com>
-Date: Tue, 22 Dec 2015 07:43:52 +0000
-Subject: [PATCH 20/20] Don't verify write permissions on lower inodes on
- overlayfs
-
-If a user opens a file r/w on overlayfs, and if the underlying inode is
-currently still on the lower fs, right now we're verifying whether selinux
-policy permits writes to the selinux context on the underlying inode. This
-is suboptimal, since we don't want confined processes to be able to write to
-these files if they're able to escape from a container and so don't want to
-permit this in policy. Have overlayfs pass down an additional flag when
-verifying the permission on lower inodes, and mask off the write bits in
-the selinux permissions check if that flag is set.
----
- fs/overlayfs/inode.c     | 3 +++
- include/linux/fs.h       | 1 +
- security/selinux/hooks.c | 9 +++++++++
- 3 files changed, 13 insertions(+)
-
-diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index d1cdc60..a5b1498 100644
---- a/fs/overlayfs/inode.c
-+++ b/fs/overlayfs/inode.c
-@@ -189,6 +189,9 @@ int ovl_permission(struct inode *inode, int mask)
- 			goto out_dput;
- 	}
- 
-+	if (!is_upper)
-+		mask |= MAY_OPEN_LOWER;
-+
- 	err = __inode_permission(realinode, mask);
- out_dput:
- 	dput(alias);
-diff --git a/include/linux/fs.h b/include/linux/fs.h
-index dd28814..5988996 100644
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -84,6 +84,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
- #define MAY_CHDIR		0x00000040
- /* called from RCU mode, don't block */
- #define MAY_NOT_BLOCK		0x00000080
-+#define MAY_OPEN_LOWER		0x00000100
- 
- /*
-  * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index f6dc6b2..10081f7 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -2981,6 +2981,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
- 	u32 audited, denied;
- 
- 	from_access = mask & MAY_ACCESS;
-+
-+	/*
-+	 * If we're trying to open the lower layer of an overlay mount, don't
-+	 * worry about write or append permissions - these will be verified
-+	 * against the upper context
-+	 */
-+	if (mask & MAY_OPEN_LOWER)
-+		mask &= ~(MAY_WRITE|MAY_APPEND);
-+
- 	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
- 
- 	/* No permission to check.  Existence test. */
--- 
-2.7.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch

@@ -0,0 +1,148 @@
+From a893dfc0d7ae1ef27d57ba8585d9d6d079a440d9 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:57 -0400
+Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for
+ unioned files
+
+Provide a security hook to label new file correctly when a file is copied
+up from lower layer to upper layer of a overlay/union mount.
+
+This hook can prepare a new set of creds which are suitable for new file
+creation during copy up. Caller will use new creds to create file and then
+revert back to old creds and release new creds.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/copy_up.c    | 15 +++++++++++++++
+ include/linux/lsm_hooks.h | 11 +++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 40 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 43fdc27..e15bc8e 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -248,6 +248,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	struct dentry *upper = NULL;
+ 	umode_t mode = stat->mode;
+ 	int err;
++	const struct cred *old_creds = NULL;
++	struct cred *new_creds = NULL;
+ 
+ 	newdentry = ovl_lookup_temp(workdir, dentry);
+ 	err = PTR_ERR(newdentry);
+@@ -260,10 +262,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	if (IS_ERR(upper))
+ 		goto out1;
+ 
++	err = security_inode_copy_up(dentry, &new_creds);
++	if (err < 0)
++		goto out2;
++
++	if (new_creds)
++		old_creds = override_creds(new_creds);
++
+ 	/* Can't properly set mode on creation because of the umask */
+ 	stat->mode &= S_IFMT;
+ 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
+ 	stat->mode = mode;
++
++	if (new_creds) {
++		revert_creds(old_creds);
++		put_cred(new_creds);
++	}
++
+ 	if (err)
+ 		goto out2;
+ 
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 101bf19..ba3c842 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -401,6 +401,15 @@
+  *	@inode contains a pointer to the inode.
+  *	@secid contains a pointer to the location where result will be saved.
+  *	In case of failure, @secid will be set to zero.
++ * @inode_copy_up:
++ *	A file is about to be copied up from lower layer to upper layer of
++ *	overlay filesystem. Security module can prepare a set of new creds
++ *	and modify as need be and return new creds. Caller will switch to
++ *	new creds temporarily to create new file and release newly allocated
++ *	creds.
++ *	@src indicates the union dentry of file that is being copied up.
++ *	@new pointer to pointer to return newly allocated creds.
++ *	Returns 0 on success or a negative error code on error.
+  *
+  * Security hooks for file operations
+  *
+@@ -1425,6 +1434,7 @@ union security_list_options {
+ 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
++	int (*inode_copy_up) (struct dentry *src, struct cred **new);
+ 
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1696,6 +1706,7 @@ struct security_hook_heads {
+ 	struct list_head inode_setsecurity;
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
++	struct list_head inode_copy_up;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 7831cd5..c5b0ccd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
+ int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
++int security_inode_copy_up(struct dentry *src, struct cred **new);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = 0;
+ }
+ 
++static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return 0;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index 4838e7f..f2a7f27 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	call_void_hook(inode_getsecid, inode, secid);
+ }
+ 
++int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return call_int_hook(inode_copy_up, 0, src, new);
++}
++EXPORT_SYMBOL(security_inode_copy_up);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
+ 	.inode_getsecid =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
++	.inode_copy_up =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch

@@ -0,0 +1,62 @@
+From a9d38a0fd25b5ce5896d0eee704902fa94264edb Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook
+
+A file is being copied up for overlay file system. Prepare a new set of
+creds and set create_sid appropriately so that new file is created with
+appropriate label.
+
+Overlay inode has right label for both context and non-context mount
+cases. In case of non-context mount, overlay inode will have the label
+of lower file and in case of context mount, overlay inode will have
+the label from context= mount option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 13185a6..264ee90 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = isec->sid;
+ }
+ 
++static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	u32 sid;
++	struct task_security_struct *tsec;
++	struct cred *new_creds = *new;
++
++	if (new_creds == NULL) {
++		new_creds = prepare_creds();
++		if (!new_creds)
++			return -ENOMEM;
++	}
++
++	tsec = new_creds->security;
++	/* Get label from overlay inode and set it in create_sid */
++	selinux_inode_getsecid(d_inode(src), &sid);
++	tsec->create_sid = sid;
++	*new = new_creds;
++	return 0;
++}
++
+ /* file security operations */
+ 
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
++	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
+ 
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch

@@ -0,0 +1,129 @@
+From 19222362a287b22fa8482a92be9ba749b7497e42 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up
+ of xattrs for overlay file
+
+Provide a security hook which is called when xattrs of a file are being
+copied up. This hook is called once for each xattr and LSM can return
+0 if the security module wants the xattr to be copied up, 1 if the
+security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
+if the security module does not handle/manage the xattr, or a -errno
+upon an error.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/copy_up.c    |  7 +++++++
+ include/linux/lsm_hooks.h | 10 ++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 31 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index e15bc8e..db37a0e 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -105,6 +105,13 @@ retry:
+ 			goto retry;
+ 		}
+ 
++		error = security_inode_copy_up_xattr(name);
++		if (error < 0 && error != -EOPNOTSUPP)
++			break;
++		if (error == 1) {
++			error = 0;
++			continue; /* Discard */
++		}
+ 		error = vfs_setxattr(new, name, value, size, 0);
+ 		if (error)
+ 			break;
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index ba3c842..336b3fb 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -410,6 +410,14 @@
+  *	@src indicates the union dentry of file that is being copied up.
+  *	@new pointer to pointer to return newly allocated creds.
+  *	Returns 0 on success or a negative error code on error.
++ * @inode_copy_up_xattr:
++ *	Filter the xattrs being copied up when a unioned file is copied
++ *	up from a lower layer to the union/overlay layer.
++ *	@name indicates the name of the xattr.
++ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
++ *	security module does not know about attribute or a negative error code
++ *	to abort the copy up. Note that the caller is responsible for reading
++ *	and writing the xattrs as this hook is merely a filter.
+  *
+  * Security hooks for file operations
+  *
+@@ -1435,6 +1443,7 @@ union security_list_options {
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
+ 	int (*inode_copy_up) (struct dentry *src, struct cred **new);
++	int (*inode_copy_up_xattr) (const char *name);
+ 
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1707,6 +1716,7 @@ struct security_hook_heads {
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
+ 	struct list_head inode_copy_up;
++	struct list_head inode_copy_up_xattr;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index c5b0ccd..536fafd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
+ int security_inode_copy_up(struct dentry *src, struct cred **new);
++int security_inode_copy_up_xattr(const char *name);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+ 
++static inline int security_inode_copy_up_xattr(const char *name)
++{
++	return -EOPNOTSUPP;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index f2a7f27..a9e2bb9 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
+ }
+ EXPORT_SYMBOL(security_inode_copy_up);
+ 
++int security_inode_copy_up_xattr(const char *name)
++{
++	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
++}
++EXPORT_SYMBOL(security_inode_copy_up_xattr);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+ 	.inode_copy_up =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
++	.inode_copy_up_xattr =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch

@@ -0,0 +1,53 @@
+From 0e7ff4309fbdb793c579336ea16d1b25523476fe Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook
+
+When a file is copied up in overlay, we have already created file on upper/
+with right label and there is no need to copy up selinux label/xattr from
+lower file to upper file. In fact in case of context mount, we don't want
+to copy up label as newly created file got its label from context= option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 264ee90..d30d7b3 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+ 
++static int selinux_inode_copy_up_xattr(const char *name)
++{
++	/* The copy_up hook above sets the initial context on an inode, but we
++	 * don't then want to overwrite it by blindly copying all the lower
++	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
++	 */
++	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
++		return 1; /* Discard */
++	/*
++	 * Any other attribute apart from SELINUX is not claimed, supported
++	 * by selinux.
++	 */
++	return -EOPNOTSUPP;
++}
++
+ /* file security operations */
+ 
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
+ 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
++	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
+ 
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch

@@ -0,0 +1,73 @@
+From bb44799820540a69a43ebc49dd8691f3f6b19312 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 05/21] selinux: Pass security pointer to
+ determine_inode_label()
+
+Right now selinux_determine_inode_label() works on security pointer of
+current task. Soon I need this to work on a security pointer retrieved
+from a set of creds. So start passing in a pointer and caller can decide
+where to fetch security pointer from.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index d30d7b3..2bf0d00 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1808,13 +1808,13 @@ out:
+ /*
+  * Determine the label for an inode that might be unioned.
+  */
+-static int selinux_determine_inode_label(struct inode *dir,
+-					 const struct qstr *name,
+-					 u16 tclass,
+-					 u32 *_new_isid)
++static int
++selinux_determine_inode_label(const struct task_security_struct *tsec,
++				 struct inode *dir,
++				 const struct qstr *name, u16 tclass,
++				 u32 *_new_isid)
+ {
+ 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+-	const struct task_security_struct *tsec = current_security();
+ 
+ 	if ((sbsec->flags & SE_SBINITIALIZED) &&
+ 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
+@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
+ 	if (rc)
+ 		return rc;
+ 
+-	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
+-					   &newsid);
++	rc = selinux_determine_inode_label(current_security(), dir,
++					   &dentry->d_name, tclass, &newsid);
+ 	if (rc)
+ 		return rc;
+ 
+@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	u32 newsid;
+ 	int rc;
+ 
+-	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
++	rc = selinux_determine_inode_label(current_security(),
++					   d_inode(dentry->d_parent), name,
+ 					   inode_mode_to_security_class(mode),
+ 					   &newsid);
+ 	if (rc)
+@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 	sid = tsec->sid;
+ 	newsid = tsec->create_sid;
+ 
+-	rc = selinux_determine_inode_label(
++	rc = selinux_determine_inode_label(current_security(),
+ 		dir, qstr,
+ 		inode_mode_to_security_class(inode->i_mode),
+ 		&newsid);
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch

@@ -0,0 +1,159 @@
+From aca722ec1a3ecda00f0317ff467dbdf0e12d5dbe Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label
+ newly created files
+
+During a new file creation we need to make sure new file is created with the
+right label. New file is created in upper/ so effectively file should get
+label as if task had created file in upper/.
+
+We switched to mounter's creds for actual file creation. Also if there is a
+whiteout present, then file will be created in work/ dir first and then
+renamed in upper. In none of the cases file will be labeled as we want it to
+be.
+
+This patch introduces a new hook dentry_create_files_as(), which determines
+the label/context dentry will get if it had been created by task in upper
+and modify passed set of creds appropriately. Caller makes use of these new
+creds for file creation.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/dir.c        | 10 ++++++++++
+ include/linux/lsm_hooks.h | 15 +++++++++++++++
+ include/linux/security.h  | 12 ++++++++++++
+ security/security.c       | 11 +++++++++++
+ 4 files changed, 48 insertions(+)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 1560fdc..b0ffa1d 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -489,6 +489,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 	if (override_cred) {
+ 		override_cred->fsuid = inode->i_uid;
+ 		override_cred->fsgid = inode->i_gid;
++		if (!hardlink) {
++			err = security_dentry_create_files_as(dentry,
++					stat->mode, &dentry->d_name, old_cred,
++					override_cred);
++			if (err) {
++				put_cred(override_cred);
++				goto out_revert_creds;
++			}
++		}
+ 		put_cred(override_creds(override_cred));
+ 		put_cred(override_cred);
+ 
+@@ -499,6 +508,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 			err = ovl_create_over_whiteout(dentry, inode, stat,
+ 							link, hardlink);
+ 	}
++out_revert_creds:
+ 	revert_creds(old_cred);
+ 	if (!err) {
+ 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 336b3fb..55891c0 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -151,6 +151,16 @@
+  *	@name name of the last path component used to create file
+  *	@ctx pointer to place the pointer to the resulting context in.
+  *	@ctxlen point to place the length of the resulting context.
++ * @dentry_create_files_as:
++ *	Compute a context for a dentry as the inode is not yet available
++ *	and set that context in passed in creds so that new files are
++ *	created using that context. Context is calculated using the
++ *	passed in creds and not the creds of the caller.
++ *	@dentry dentry to use in calculating the context.
++ *	@mode mode used to determine resource type.
++ *	@name name of the last path component used to create file
++ * 	@old creds which should be used for context calculation
++ * 	@new creds to modify
+  *
+  *
+  * Security hooks for inode operations.
+@@ -1375,6 +1385,10 @@ union security_list_options {
+ 	int (*dentry_init_security)(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+ 
+ 
+ #ifdef CONFIG_SECURITY_PATH
+@@ -1675,6 +1689,7 @@ struct security_hook_heads {
+ 	struct list_head sb_clone_mnt_opts;
+ 	struct list_head sb_parse_opts_str;
+ 	struct list_head dentry_init_security;
++	struct list_head dentry_create_files_as;
+ #ifdef CONFIG_SECURITY_PATH
+ 	struct list_head path_unlink;
+ 	struct list_head path_mkdir;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 536fafd..a6c6d5d 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+ int security_dentry_init_security(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+ 
+ int security_inode_alloc(struct inode *inode);
+ void security_inode_free(struct inode *inode);
+@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
+ 	return -EOPNOTSUPP;
+ }
+ 
++static inline int security_dentry_create_files_as(struct dentry *dentry,
++						  int mode, struct qstr *name,
++						  const struct cred *old,
++						  struct cred *new)
++{
++	return 0;
++}
++
+ 
+ static inline int security_inode_init_security(struct inode *inode,
+ 						struct inode *dir,
+diff --git a/security/security.c b/security/security.c
+index a9e2bb9..69614f1 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
+ }
+ EXPORT_SYMBOL(security_dentry_init_security);
+ 
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old, struct cred *new)
++{
++	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
++				name, old, new);
++}
++EXPORT_SYMBOL(security_dentry_create_files_as);
++
+ int security_inode_init_security(struct inode *inode, struct inode *dir,
+ 				 const struct qstr *qstr,
+ 				 const initxattrs initxattrs, void *fs_data)
+@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
+ 	.dentry_init_security =
+ 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
++	.dentry_create_files_as =
++		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
+ #ifdef CONFIG_SECURITY_PATH
+ 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
+ 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch

@@ -0,0 +1,60 @@
+From e51df9a13fba7a385d97a4cd696dc6e488f617ba Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook
+
+Calculate what would be the label of newly created file and set that secid
+in the passed creds.
+
+Context of the task which is actually creating file is retrieved from
+set of creds passed in. (old->security).
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 2bf0d00..603b600 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+ }
+ 
++static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
++					  struct qstr *name,
++					  const struct cred *old,
++					  struct cred *new)
++{
++	u32 newsid;
++	int rc;
++	struct task_security_struct *tsec;
++
++	rc = selinux_determine_inode_label(old->security,
++					   d_inode(dentry->d_parent), name,
++					   inode_mode_to_security_class(mode),
++					   &newsid);
++	if (rc)
++		return rc;
++
++	tsec = new->security;
++	tsec->create_sid = newsid;
++	return 0;
++}
++
+ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 				       const struct qstr *qstr,
+ 				       const char **name,
+@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
+ 
+ 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
++	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
+ 
+ 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
+ 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From 56c7486c654e67683c23e8769351898dc650f890 Mon Sep 17 00:00:00 2001
+From b47ebff1c49b5d05d1265fc1115c76bc947864b4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/20] Add secure_modules() call
+Subject: [PATCH 08/21] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  2 files changed, 16 insertions(+)
 
 diff --git a/include/linux/module.h b/include/linux/module.h
-index 3daf2b3..15843fc 100644
+index 0c3207d..c8b4ea0 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -643,6 +643,8 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -629,6 +629,8 @@ static inline bool module_requested_async_probing(struct module *module)
  	return module && module->async_probe_requested;
  }
  
@@ -29,7 +29,7 @@ index 3daf2b3..15843fc 100644
  #ifdef CONFIG_LIVEPATCH
  static inline bool is_livepatch_module(struct module *mod)
  {
-@@ -771,6 +773,10 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -750,6 +752,10 @@ static inline bool module_requested_async_probing(struct module *module)
  	return false;
  }
  
@@ -41,10 +41,10 @@ index 3daf2b3..15843fc 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 5f71aa6..3c38496 100644
+index 529efae..0332fdd 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4199,3 +4199,13 @@ void module_layout(struct module *mod,
+@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From a092193db748a914f777fc4426322d085f6447ba Mon Sep 17 00:00:00 2001
+From e168029a84e7306ea580caace7437fa4da8fbc6f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
+Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
@@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  3 files changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index d319a9c..6b1884d 100644
+index bcd10c7..a950301 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -30,6 +30,7 @@
@@ -29,7 +29,7 @@ index d319a9c..6b1884d 100644
  #include "pci.h"
  
  static int sysfs_initialized;	/* = 0 */
-@@ -711,6 +712,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+@@ -716,6 +717,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8 *) buf;
  
@@ -39,7 +39,7 @@ index d319a9c..6b1884d 100644
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -1002,6 +1006,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
@@ -49,7 +49,7 @@ index d319a9c..6b1884d 100644
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1101,6 +1108,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1106,6 +1113,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
  				     struct bin_attribute *attr, char *buf,
  				     loff_t off, size_t count)
  {
@@ -60,7 +60,7 @@ index d319a9c..6b1884d 100644
  }
  
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 3f155e7..4265ea0 100644
+index 2408abe..59f321c 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
 @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@@ -85,7 +85,7 @@ index 3f155e7..4265ea0 100644
  		ret = pci_domain_nr(dev->bus);
 @@ -233,7 +239,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma)
  	struct pci_filp_private *fpriv = file->private_data;
- 	int i, ret;
+ 	int i, ret, write_combine;
  
 -	if (!capable(CAP_SYS_RAWIO))
 +	if (!capable(CAP_SYS_RAWIO) || secure_modules())

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From 665de4d1fe2819dff85c1ae2bb5de77d2dfaf3d5 Mon Sep 17 00:00:00 2001
+From ec05aec348c19934baf6f8767b10d7a38cf41764 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
+Subject: [PATCH 10/21] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -46,10 +46,10 @@ index 589b319..ab83724 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 71025c2..86e5bfa 100644
+index a33163d..48a2897 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -27,6 +27,7 @@
+@@ -28,6 +28,7 @@
  #include <linux/export.h>
  #include <linux/io.h>
  #include <linux/uio.h>
@@ -57,7 +57,7 @@ index 71025c2..86e5bfa 100644
  
  #include <linux/uaccess.h>
  
-@@ -577,6 +578,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  	unsigned long i = *ppos;
  	const char __user *tmp = buf;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From ec9e1e7e77567c9a02fe912d77c4ad0b861d35a0 Mon Sep 17 00:00:00 2001
+From ae584135ba044ef69640b22f53fe337a12cbe52f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/20] ACPI: Limit access to custom_method
+Subject: [PATCH 11/21] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From 25b3c5a56a2f963a6b92be5256eb7d9a118e1ec4 Mon Sep 17 00:00:00 2001
+From 9727ba09f56eb7873736d2cc2ecef42722b098b9 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index a26dca3..6ec9cab 100644
+index 7c093a0..21fd6b8 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From 30af3497cb4e5af8e602674738c2eb8cd79936e9 Mon Sep 17 00:00:00 2001
+From 0fbd3b71c764f791bed5ad56e4fe3a4c0e557ebe Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 86e5bfa..3264735 100644
+index 48a2897..08a7bff 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
+@@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
  	if (p != *ppos)
  		return -EFBIG;
  
@@ -27,7 +27,7 @@ index 86e5bfa..3264735 100644
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -513,6 +516,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
  	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
  	int err = 0;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From 5fc15323a692410e72e7b7fdafa2a71a7420b8d0 Mon Sep 17 00:00:00 2001
+From a7fc0717f49a6a06e20ea24406eefeb8497b1666 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index b108f13..158de7d 100644
+index 4305ee9..fa1bcf0 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,7 +1,7 @@
-From bd55d2cfacdd370df7e5a8f03863f59cee591c47 Mon Sep 17 00:00:00 2001
+From 3819061fb96f6cfe79c5827ccb1350274431a626 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 4384672..0876783 100644
+index 980936a..a0e4cb3 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
 @@ -17,6 +17,7 @@
@@ -25,7 +25,7 @@ index 4384672..0876783 100644
  
  #include "kexec_internal.h"
  
-@@ -189,7 +190,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -190,7 +191,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
  	int result;
  
  	/* We only trust the superuser with rebooting the system. */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From 6a2ebbbc4d82f75d98a2f594db23b853abba2333 Mon Sep 17 00:00:00 2001
+From 9e0d3ed7ba55087b28dd1d05d187772a2aca995c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
+Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From 23b33d629abc9fa53f5f1c6422bf7b170c322beb Mon Sep 17 00:00:00 2001
+From 1992d30251849cdeda09d423c9d55db6105b02ad Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/20] Add option to automatically enforce module signatures
+Subject: [PATCH 17/21] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index d9a94da..866d0e9 100644
+index 2a1f0ce..ba2c734 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1776,6 +1776,16 @@ config EFI_MIXED
+@@ -1774,6 +1774,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index d9a94da..866d0e9 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 52fef60..faa223b 100644
+index 94dd4a3..1959b82 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -103,7 +103,7 @@ index 52fef60..faa223b 100644
  static efi_status_t
  setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
  {
-@@ -1126,6 +1157,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -129,10 +129,10 @@ index c18ce67..2b3e542 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c4e7b39..bdb9881 100644
+index 98c9cd6..8979719 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -146,10 +146,10 @@ index c4e7b39..bdb9881 100644
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index 15843fc..fe5c49d 100644
+index c8b4ea0..8918ef4 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+@@ -260,6 +260,12 @@ extern const typeof(name) __mod_##type##__##name##_device_table		\
  
  struct notifier_block;
  
@@ -163,10 +163,10 @@ index 15843fc..fe5c49d 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 3c38496..ea484f3 100644
+index 0332fdd..3f1ea6b 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
+@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From d1431fc712f301635f392a11045b1a2fe9df7e25 Mon Sep 17 00:00:00 2001
+From 1dc121c43321cec056018f3a9b0be1905b4b3a98 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 11/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 866d0e9..5b8b8c3 100644
+index ba2c734..a5d6b58 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1777,7 +1777,8 @@ config EFI_MIXED
+@@ -1775,7 +1775,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From 735f74a5d4919c155481ee8aca9074c5d53f4029 Mon Sep 17 00:00:00 2001
+From 3bbee9070feb5ecd3c4f4003564a47fc6b321aee Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 12/20] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index bdb9881..a666b6c 100644
+index 8979719..4a49a2a 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index bdb9881..a666b6c 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index f196dd0..3b3909f 100644
+index 0148a30..4b62b48 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From d0c5883f7885f8b8d1dd617ab6e7f4015bbd0419 Mon Sep 17 00:00:00 2001
+From a046628a71b1a9e37252895898630ac176b62ddd Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 13/20] hibernate: Disable in a signed modules environment
+Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index fca9254..ffd8644 100644
+index 33c79b6..d1420be 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -25,7 +25,7 @@ index fca9254..ffd8644 100644
  #include <trace/events/power.h>
  
  #include "power.h"
-@@ -66,7 +67,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
+@@ -67,7 +68,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
  
  bool hibernation_available(void)
  {

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 7c61363beb72419f1dca56e156c794d114d5f9f9 Mon Sep 17 00:00:00 2001
+From a356477aced4eea60222b222509600839835dcbd Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 19/20] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 66da9a3..4d55d38 100644
+index bf6e44a..b4fe56d 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make