diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.6.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.6.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.6
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.6
index 9d1bc2aab6..4d88cae2d7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.6
@@ -2,7 +2,6 @@
 CONFIG_SYSVIPC=y
 CONFIG_POSIX_MQUEUE=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
-CONFIG_FHANDLE=y
 CONFIG_AUDIT=y
 CONFIG_NO_HZ=y
 CONFIG_HIGH_RES_TIMERS=y
@@ -171,7 +170,6 @@ CONFIG_INET_IPCOMP=m
 CONFIG_INET_XFRM_MODE_TRANSPORT=m
 CONFIG_INET_XFRM_MODE_TUNNEL=m
 CONFIG_INET_XFRM_MODE_BEET=m
-CONFIG_INET_LRO=m
 CONFIG_INET_DIAG=m
 CONFIG_INET_UDP_DIAG=m
 CONFIG_TCP_CONG_ADVANCED=y
@@ -450,7 +448,6 @@ CONFIG_DCB=y
 CONFIG_OPENVSWITCH=m
 CONFIG_VSOCKETS=m
 CONFIG_VMWARE_VMCI_VSOCKETS=m
-CONFIG_NETLINK_MMAP=y
 CONFIG_NETLINK_DIAG=m
 CONFIG_MPLS_ROUTING=m
 CONFIG_CGROUP_NET_PRIO=y
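Review bot: Each of the three amd64 hunks drops a symbol (`CONFIG_FHANDLE=y`, `CONFIG_INET_LRO=m`, `CONFIG_NETLINK_MMAP=y`) and nothing in the diff says whether the option disappeared upstream, became the default, or is being deliberately switched off, which matters for a config that carries hardening-relevant choices. These files look like `make savedefconfig` output regenerated against 4.6, and in that format a vanished line can mean either "symbol removed or forced" or "value is now the default" — the defconfig alone cannot tell the two apart. The arm64 section shows the same pattern (`CONFIG_FHANDLE`, `CONFIG_INET_LRO`, `CONFIG_DEBUG_RODATA`, the Exynos symbols), so one explanation covers both. I would add a line to the commit message such as `defconfigs regenerated with savedefconfig; a .config diff against the 4.5.4 build shows only symbols that 4.6 removed or made unconditional`, once that .config diff has actually been done.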
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.6
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.6
index 944464074b..bfd9b6bd34 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.6
@@ -1,7 +1,6 @@
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_SYSVIPC=y
 CONFIG_POSIX_MQUEUE=y
-CONFIG_FHANDLE=y
 CONFIG_AUDIT=y
 CONFIG_NO_HZ_IDLE=y
 CONFIG_HIGH_RES_TIMERS=y
@@ -42,7 +41,6 @@ CONFIG_MODULE_SIG=y
 CONFIG_MODULE_SIG_SHA256=y
 CONFIG_BLK_DEV_THROTTLING=y
 # CONFIG_IOSCHED_DEADLINE is not set
-CONFIG_ARCH_EXYNOS7=y
 CONFIG_ARCH_MEDIATEK=y
 CONFIG_ARCH_QCOM=y
 CONFIG_ARCH_SEATTLE=y
@@ -73,7 +71,6 @@ CONFIG_IP_PNP=y
 CONFIG_IP_PNP_DHCP=y
 CONFIG_IP_PNP_BOOTP=y
 CONFIG_SYN_COOKIES=y
-# CONFIG_INET_LRO is not set
 CONFIG_NETFILTER=y
 CONFIG_BRIDGE_NETFILTER=y
 CONFIG_NF_CONNTRACK=y
@@ -263,8 +260,6 @@ CONFIG_MSM_GCC_8916=y
 CONFIG_MAILBOX=y
 # CONFIG_IOMMU_SUPPORT is not set
 CONFIG_ARCH_TEGRA_132_SOC=y
-# CONFIG_PHY_EXYNOS_MIPI_VIDEO is not set
-# CONFIG_PHY_EXYNOS_DP_VIDEO is not set
 CONFIG_PHY_XGENE=y
 CONFIG_EXT2_FS=y
 CONFIG_EXT3_FS=y
@@ -315,7 +310,6 @@ CONFIG_SCHEDSTATS=y
 CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
 CONFIG_DEBUG_SET_MODULE_RONX=y
-CONFIG_DEBUG_RODATA=y
 CONFIG_DEBUG_ALIGN_RODATA=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index acb6519af8..20906d6931 100644
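Review bot: The hunk at `@@ -42,7 +41,6 @@` removes `CONFIG_ARCH_EXYNOS7=y` and nothing takes its place, so if 4.6 folded that platform symbol into `CONFIG_ARCH_EXYNOS` (which I believe it did), Exynos boards silently lose support in the arm64 build instead of being migrated; check `arch/arm64/Kconfig.platforms` in the 4.6 tree and either add `CONFIG_ARCH_EXYNOS=y` or state in the commit message that the platform is intentionally dropped. The two `# CONFIG_PHY_EXYNOS_*_VIDEO is not set` removals in the `@@ -263,8 +260,6 @@` hunk look like a consequence of the same dependency disappearing, which supports that reading. `CONFIG_DEBUG_RODATA=y` going away at `@@ -315,7 +310,6 @@` is also worth a word: it is a hardening option, and if it was dropped because arm64 made it unconditional in 4.6, a one-line note saying so stops the next reader from assuming read-only kernel data was turned off.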
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1 @@
-DIST linux-4.5.tar.xz 88375040 SHA256 a40defb401e01b37d6b8c8ad5c1bbab665be6ac6310cdeed59950c96b31a519c SHA512 cb0d5f30baff37dfea40fbc1119a1482182f95858c883e019ee3f81055c8efbdb9dba7dfc02ebcc4216db38f03ece58688e69efc0fce1dade359af30bd5426de WHIRLPOOL 8faa0b02c5733fc45dbe61f82a7022e9246b9b1665f27541d4afa5d14c310b9dce7a8532dfac8273898edf8c6923654ee2fbcf2cec1ec2a220f4c9f926f2b333
-DIST patch-4.5.4.xz 190944 SHA256 6a9cfe691ac77346c48b7f83375a1880ebb379594de1000acad45da45d711e42 SHA512 56eb7551ba39b087bc0bd8d12e1a2006974ed7640d03751a540ad9f04b7e325efd3488ae3ebbbaddea46dc25dc666ddeccde9969f5ef8fa139088689da7e9147 WHIRLPOOL 19da92049dedeab810b4a3df72f93295ec0288f4d42006310731c74d4f2876b441e2114b84b2937a63d18c9682047a415cb87b36deecc9c4323ce457d9c56ae2
+DIST linux-4.6.tar.xz 89461728 SHA256 a93771cd5a8ad27798f22e9240538dfea48d3a2bf2a6a6ab415de3f02d25d866 SHA512 df5ee40b0ebd89914a900f63c32a481cb4f405d8f792b2d03ea167ce9c5bdf75154c7bd8ecd7ebac77a8dbf2b077c972cbfe6b95163e27c38c1fefc6ddbdfa0b WHIRLPOOL 50ee28a06930ffb29ade1aa5fb4e3bf165ead92cb660dc6771a265cdbc2240713ebf14fe235fa153d8b6e3ab853852ea06c2525209cd7989aa3d6f6fad5b7edf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.4.ebuild
deleted file mode 100644
index 3ec4dfc82c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.4.ebuild
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision. We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-	${PATCH_DIR}/0001-Add-secure_modules-call.patch \
-	${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-	${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-	${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
-	${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-	${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-	${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-	${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-	${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-	${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
-	${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-	${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
-	${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
-	${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
-	${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
-	${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
-	${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
-	${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
-	${PATCH_DIR}/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-	${PATCH_DIR}/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.6.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.6.0.ebuild
new file mode 100644
index 0000000000..acb91de445
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.6.0.ebuild
@@ -0,0 +1,45 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision. We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+	${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+	${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+	${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+	${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+	${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+	${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+	${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+	${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+	${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+	${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+	${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+	${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+	${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+	${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+	${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
+	${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
+	${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+	${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
+	${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+	${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch
similarity index 87%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch
index 03e2d19b5e..060534b3a2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0001-Add-secure_modules-call.patch
@@ -1,7 +1,7 @@ -From 02edef7def11ef45c9dca82382f4d5037b359ce6 Mon Sep 17 00:00:00 2001 +From c35230624d1464523272de88a5085cd808e2eb97 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/21] Add secure_modules() call +Subject: [PATCH 01/20] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 2bb0c30..ab13009 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 794ebe8..7dfb91b 100644 +index 041200c..392ac8c 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4112,3 +4112,13 @@ void module_layout(struct module *mod, +@@ -4080,3 +4080,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif
@@ -59,5 +59,5 @@ index 794ebe8..7dfb91b 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 4896cc53f3..45e822f4d7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ -From 4f9bf3ce823a63e72687fa331bdcfd9050f00b54 Mon Sep 17 00:00:00 2001 +From de2acb86b00352b3e58c55aa5474970bd52640a5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is +Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 95d9e7b..0e249f1 100644 +index 342b691..2809631 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ 
@@ -39,7 +39,7 @@ index 95d9e7b..0e249f1 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -1002,6 +1006,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -49,7 +49,7 @@ index 95d9e7b..0e249f1 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1098,6 +1105,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1102,6 +1109,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index d5a6ead5aa..2d70e3ba1e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ -From fbcd2f7543b10fb9ff7075eab04aafc8ced67761 Mon Sep 17 00:00:00 2001 +From 9822e9d4cc1c380146f6b7b0984a9f03c2d5ee30 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/21] x86: Lock down IO port access when module security is +Subject: [PATCH 03/20] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 37dae79..1ecc03c 100644 +index 589b319..ab83724 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -15,6 +15,7 @@ @@ -36,7 +36,7 @@ index 37dae79..1ecc03c 100644 return -EPERM; /* -@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) +@@ -108,7 +109,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) return -EINVAL; /* Trying to gain more privileges? */ if (level > old) { @@ -44,9 +44,9 @@ index 37dae79..1ecc03c 100644 + if (!capable(CAP_SYS_RAWIO) || secure_modules()) return -EPERM; } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 4f6f94c..9d53d66 100644 +index 71025c2..86e5bfa 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -27,6 +27,7 @@ @@ -68,5 +68,5 @@ index 4f6f94c..9d53d66 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch index 5c3b13ace3..87406e9a9c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0004-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From c84966668b5d607812d3f3788dcfa7fbcab400a3 Mon Sep 17 00:00:00 2001 +From b2f6e6b53381d5213e128e1266d1a4728bcb1e7f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/21] ACPI: Limit access to custom_method +Subject: [PATCH 04/20] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 705c896545..d9b233cb4e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ -From aafea7dbb04999694c5d7514a8ade6dffc80b6a8 Mon Sep 17 00:00:00 2001 +From e84e314c9dbc752726045c29a7464a6b6910dd1f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -50,5 +50,5 @@ index a96630d..92bf6b1 100644 1, asus->debug.method_id, &input, &output); -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index e79fa00dfb..fc148db719 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From e1a26d978277b78e5f0f393018cecc2e6f6660ab Mon Sep 17 00:00:00 2001 +From 75bf36f24bd1efeadb16130281207f488e38ad51 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 9d53d66..918f43a 100644 +index 86e5bfa..3264735 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -38,5 +38,5 @@ index 9d53d66..918f43a 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 77d34137af..a5405b03fc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From 2d464f9da317e687e5fa03b7a079ad811192f491 Mon Sep 17 00:00:00 2001 +From 301e69031df178a811ddb0745ed910518c36fbbe Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 67da6fb..e027761 100644 +index 814d5f8..84ca0b5 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -35,5 +35,5 @@ index 67da6fb..e027761 100644 #endif -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 4d4adec179..7a09d9bcba 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ -From e6288d2d10780371525b4fadaabc8c2d5ac87ad8 Mon Sep 17 00:00:00 2001 +From a92898f1e8f05643870686a48812d2898127cf8e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -35,5 +35,5 @@ index ee70aef..755198b 100644 /* -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 08dbf62f04..b0ac6438d0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ -From 0cf91ec9a013fe36fc934519e02d5ac3a281b907 Mon Sep 17 00:00:00 2001 +From b68abccfa5c9dca3e8c921139bcd5e794ae8e67c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is +Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, @@ -15,7 +15,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 64f9616..7fde015 100644 +index 7f3550a..963ba40 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -40,5 +40,5 @@ index 64f9616..7fde015 100644 err = -EFAULT; break; -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch index 3f0b5763be..ccecfaf37f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ -From 6e0533e9784929c426d8b9b8566f28d7b79aa109 Mon Sep 17 00:00:00 2001 +From ec3ce7daf05ab4d0456a06235e5f91f09fc57268 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/21] Add option to automatically enforce module signatures +Subject: [PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index c46662f..a10f771 100644 +index 2dc18605..a701d09 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1754,6 +1754,16 @@ config EFI_MIXED +@@ -1785,6 +1785,16 @@ config EFI_MIXED If unsure, say N. @@ -130,10 +130,10 @@ index 3292543..b61f853 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * 
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d3d80e6..94eb7dd 100644 +index 2367ae0..1a78bf7 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1145,6 +1145,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -164,10 +164,10 @@ index ab13009..e072b84 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 7dfb91b..6eb3c6c 100644 +index 392ac8c..676c578 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4113,6 +4113,13 @@ void module_layout(struct module *mod, +@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +182,5 @@ index 7dfb91b..6eb3c6c 100644 { #ifdef CONFIG_MODULE_SIG -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index d400ebe478..7be20cff8c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From 635479012d1f2ecc3109f8d026286ed54e429e89 Mon Sep 17 00:00:00 2001 +From 6c1648fa6c1e91977c502e2f2a5b3c4f09124ce6 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 11/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index a10f771..36a2818 100644 +index a701d09..fef4036 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1755,7 +1755,8 @@ config EFI_MIXED +@@ -1786,7 +1786,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index a10f771..36a2818 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch index 53b9c66123..f8597bb304 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From a3ac48fab6c056a4857dcb1adea99871d5846cd8 Mon Sep 17 00:00:00 2001 +From d1440220844d8a0cca8168526fc2d6a74787283c Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 12/20] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 94eb7dd..7c9fc347 100644 +index 1a78bf7..564921b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1147,7 +1147,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1148,7 +1148,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -27,10 +27,10 @@ index 94eb7dd..7c9fc347 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 47be3ad..9bf95e8 100644 +index 1626474..2bd4516 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1009,6 +1009,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ @@ -39,5 +39,5 @@ index 47be3ad..9bf95e8 100644 #ifdef CONFIG_EFI /* -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch index e01c7b5fa4..602366bbf7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From 4483ccc2fb447291aaafe690570437e72b54a396 Mon Sep 17 00:00:00 2001 +From df84f18e06e61f63e4e7847d455a3601b15a941a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment +Subject: [PATCH 13/20] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index b7342a2..8a6b218 100644 +index fca9254..ffd8644 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ @@ -35,5 +35,5 @@ index b7342a2..8a6b218 100644 /** -- -2.7.3 +2.8.2 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index 4fcfe4a986..27590e9878 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,7 +1,7 @@ -From 5b5cf4e83fc167101790192e8f6711fb9f879101 Mon Sep 17 00:00:00 2001 +From 21bb922ca499884980a7a98992bb0b00c05c223a Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned +Subject: [PATCH 14/20] Security: Provide copy-up security hooks for unioned files Provide two new security hooks for use with security files that are used when @@ -21,7 +21,7 @@ Signed-off-by: David Howells 3 files changed, 54 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 71969de..f5b7267 100644 +index cdee11c..adef596 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -401,6 +401,24 @@ 
@@ -49,7 +49,7 @@ index 71969de..f5b7267 100644 * * Security hooks for file operations * -@@ -1425,6 +1443,9 @@ union security_list_options { +@@ -1424,6 +1442,9 @@ union security_list_options { int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); void (*inode_getsecid)(struct inode *inode, u32 *secid); @@ -59,7 +59,7 @@ index 71969de..f5b7267 100644 int (*file_permission)(struct file *file, int mask); int (*file_alloc_security)(struct file *file); -@@ -1694,6 +1715,8 @@ struct security_hook_heads { +@@ -1695,6 +1716,8 @@ struct security_hook_heads { struct list_head inode_setsecurity; struct list_head inode_listsecurity; struct list_head inode_getsecid; @@ -69,10 +69,10 @@ index 71969de..f5b7267 100644 struct list_head file_alloc_security; struct list_head file_free_security; diff --git a/include/linux/security.h b/include/linux/security.h -index 4824a4c..1f9ea40 100644 +index 157f0cb..449f1b0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -274,6 +274,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf +@@ -276,6 +276,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); void security_inode_getsecid(struct inode *inode, u32 *secid); @@ -83,7 +83,7 @@ index 4824a4c..1f9ea40 100644 int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); -@@ -740,6 +744,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +@@ -744,6 +748,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) *secid = 0; } @@ -101,7 +101,7 @@ index 4824a4c..1f9ea40 100644 { return 0; 
diff --git a/security/security.c b/security/security.c -index e8ffd92..f1a1dbf 100644 +index 3644b03..8548340 100644 --- a/security/security.c +++ b/security/security.c @@ -726,6 +726,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) @@ -124,7 +124,7 @@ index e8ffd92..f1a1dbf 100644 int security_file_permission(struct file *file, int mask) { int ret; -@@ -1660,6 +1673,10 @@ struct security_hook_heads security_hook_heads = { +@@ -1662,6 +1675,10 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), .inode_getsecid = LIST_HEAD_INIT(security_hook_heads.inode_getsecid), @@ -136,5 +136,5 @@ index e8ffd92..f1a1dbf 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch index e3f4c8c2e4..8e3a91451b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,7 +1,7 @@ -From eabd104a61199840d5dfe65a8a6eb353fc112600 Mon Sep 17 00:00:00 2001 +From 4eac8c9deb0ffddf8d71b6783675087a4ee6b436 Mon Sep 17 00:00:00 2001 
From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks +Subject: [PATCH 15/20] Overlayfs: Use copy-up security hooks Use the copy-up security hooks previously provided to allow an LSM to adjust the security on a newly created copy and to filter the xattrs copied to that @@ -13,10 +13,10 @@ Signed-off-by: David Howells 1 file changed, 12 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index d894e7c..41ca95d 100644 +index cc514da..a181c7c 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c -@@ -70,6 +70,14 @@ retry: +@@ -102,6 +102,14 @@ retry: value_size = size; goto retry; } @@ -31,7 +31,7 @@ index d894e7c..41ca95d 100644 error = vfs_setxattr(new, name, value, size, 0); if (error) -@@ -233,6 +241,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, +@@ -265,6 +273,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, if (err) goto out2; @@ -41,7 +41,7 @@ index d894e7c..41ca95d 100644 + if (S_ISREG(stat->mode)) { struct path upperpath; - ovl_path_upper(dentry, &upperpath); + -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch index bc4f358da9..5e6db46176 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch 
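Review bot: The trailing context of the `@@ -41,7` hunk changed from `ovl_path_upper(dentry, &upperpath);` to a blank line and both copy_up.c hunk offsets moved by +32 (70→102, 233→265), so this patch was regenerated against 4.6 rather than applied as-is, while the four lines inserted after `if (err) goto out2;` — the copy-up hook call the patch description refers to — are not visible in this outer diff. That hook is what lets an LSM set the label on the new upper inode before the `if (S_ISREG(stat->mode))` data copy that follows in context, so the regenerated patch should be checked on 4.6 for the call still sitting before that block and for its failure path still unwinding the half-created upper entry (presumably the cleanup label rather than `out2`). A one-line note in the patch header such as `Refreshed for 4.6: ovl_copy_up_locked context changed (blank line after upperpath declaration)` would make the regeneration auditable. ovl_copy_up_locked starts and ends outside the hunk.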
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,7 +1,7 @@ -From 798fc50146e1c819932435bb2e0d92ef180fad81 Mon Sep 17 00:00:00 2001 +From f3798692115e472f7d508d725f8952b29250370e Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 16/21] SELinux: Stub in copy-up handling +Subject: [PATCH 16/20] SELinux: Stub in copy-up handling Provide stubs for union/overlay copy-up handling. The xattr copy up stub discards lower SELinux xattrs rather than letting them be copied up so that @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index f1ab715..d361b74 100644 +index 912deee..b4e3e63 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3253,6 +3253,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) @@ -51,5 +51,5 @@ index f1ab715..d361b74 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch index 8a28f9ac2f..d8012feafc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,7 +1,7 @@ -From 7c5c4e06a08f0f397e44bd88e8aff169fa407af6 Mon Sep 17 00:00:00 2001 +From 518b46aa4f4d0198593c2ffd9a3927db686d3c43 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file +Subject: [PATCH 17/20] SELinux: Handle opening of a unioned file Handle the opening of a unioned file by trying to derive the label that would be attached to the union-layer inode if it doesn't exist. @@ -26,7 +26,7 @@ Signed-off-by: David Howells 2 files changed, 70 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d361b74..7186928 100644 +index b4e3e63..e5d0e2d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3584,10 +3584,72 @@ static int selinux_file_receive(struct file *file) @@ -129,5 +129,5 @@ index a2ae054..54cce84 100644 }; -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch index da56ea3323..dbba09fa24 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,7 +1,7 @@ -From 92ca3f0e63d46f131f75f57ef2b6a44bd8acd2ab Mon Sep 17 00:00:00 2001 +From c847761aacd96fb03f6493ffc800ef9310d34ef7 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 18/21] SELinux: Check against union label for file operations +Subject: [PATCH 18/20] SELinux: Check against union label for file operations File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer @@ -16,7 +16,7 @@ Signed-off-by: David Howells 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 7186928..a44cca7 100644 +index e5d0e2d..c3f94dd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1745,6 +1745,7 @@ static int file_has_perm(const struct cred *cred, @@ -46,5 +46,5 @@ index 7186928..a44cca7 100644 out: return rc; -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 7a853c56ed..4cf82f3c17 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From cb9ecb801b14c59df0a34717eb7ff4e5caff44e4 Mon Sep 17 00:00:00 2001 +From 1ef23e9e2c7d6d47ceeaf74d685d951ef109db7a Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 19/20] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 7b3ecdc..7d950e4 100644 +index 0f9cb36..44097a4 100644 --- a/Makefile +++ b/Makefile @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 7b3ecdc..7d950e4 100644 # Leave processing to above invocation of make -- -2.7.3 +2.8.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index 18b6daab5d..e0e2862f08 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.6/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,7 +1,7 @@ -From a19700db885d083eebff877f9b14e387d824f812 Mon Sep 17 00:00:00 2001 +From 6a65a70406567cf4c1264e9baa54b37844c3d5e1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on +Subject: [PATCH 20/20] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is @@ -33,10 +33,10 @@ index a4ff5d0..6ba3443 100644 out_dput: dput(alias); diff --git a/include/linux/fs.h b/include/linux/fs.h -index ae68100..fb6e94b 100644 +index 70e61b5..ba1ed95 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h -@@ -83,6 +83,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); +@@ -85,6 +85,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); #define MAY_CHDIR 0x00000040 /* called from RCU mode, don't block */ #define MAY_NOT_BLOCK 0x00000080 @@ -45,7 +45,7 @@ index ae68100..fb6e94b 100644 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index a44cca7..f5ca93c 100644 +index c3f94dd..37f438c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2967,6 +2967,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) @@ -65,5 +65,5 @@ index a44cca7..f5ca93c 100644 /* No permission to check. Existence test. */ -- -2.7.3 +2.8.2
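Review bot: The fs.h hunk shifts from `@@ -83,6 +83,7` to `@@ -85,6 +85,7`, but the new `MAY_*` bit the patch defines after `#define MAY_NOT_BLOCK 0x00000080` is not shown in this outer diff, so its value cannot be checked here against any `MAY_*` flag added upstream in 4.6; a bit collision would silently widen or defeat the write-permission relaxation this patch adds to `selinux_inode_permission`. Please verify the defined value is still unused in the 4.6 `include/linux/fs.h` and pin it with a comment such as `/* overlayfs: lower inode opened r/w; skip SELinux write check — keep distinct from upstream MAY_* bits */`. Since this is a downstream-only relaxation of SELinux write checks on lower inodes, the patch header could also state its intended lifetime (until an upstream overlayfs/SELinux solution is adopted) so it is not carried indefinitely. selinux_inode_permission begins and ends outside the hunk.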