Merge pull request #1718 from crawford/kernel

coreos-{kernel/sources}: bump to v4.4-coreos

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION=""
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.4

@@ -66,7 +66,6 @@ CONFIG_SCHED_SMT=y
 CONFIG_PREEMPT_VOLUNTARY=y
 CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
 # CONFIG_X86_16BIT is not set
-CONFIG_MICROCODE=m
 CONFIG_MICROCODE_AMD=y
 CONFIG_X86_MSR=m
 CONFIG_X86_CPUID=m
@@ -219,8 +218,6 @@ CONFIG_NF_CONNTRACK_SIP=m
 CONFIG_NF_CONNTRACK_TFTP=m
 CONFIG_NF_CT_NETLINK=m
 CONFIG_NF_CT_NETLINK_TIMEOUT=m
-CONFIG_NF_CT_NETLINK_HELPER=m
-CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
 CONFIG_NETFILTER_XTABLES=y
 CONFIG_NETFILTER_XT_SET=m
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
@@ -465,7 +462,6 @@ CONFIG_NET_9P_RDMA=m
 # CONFIG_UEVENT_HELPER is not set
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
-CONFIG_FW_LOADER=m
 # CONFIG_FIRMWARE_IN_KERNEL is not set
 CONFIG_CONNECTOR=m
 CONFIG_MTD=m
@@ -477,13 +473,13 @@ CONFIG_BLK_CPQ_CISS_DA=m
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_DRBD=m
 CONFIG_BLK_DEV_NBD=m
-CONFIG_BLK_DEV_NVME=m
 CONFIG_BLK_DEV_RAM=m
 CONFIG_ATA_OVER_ETH=m
 CONFIG_XEN_BLKDEV_FRONTEND=m
 CONFIG_XEN_BLKDEV_BACKEND=m
 CONFIG_VIRTIO_BLK=m
 CONFIG_BLK_DEV_RBD=m
+CONFIG_BLK_DEV_NVME=m
 CONFIG_HP_ILO=m
 CONFIG_VMWARE_BALLOON=m
 CONFIG_INTEL_MEI_ME=m
@@ -512,7 +508,6 @@ CONFIG_SCSI_MVSAS_TASKLET=y
 CONFIG_SCSI_ARCMSR=m
 CONFIG_MEGARAID_SAS=m
 CONFIG_SCSI_MPT2SAS=m
-CONFIG_SCSI_MPT3SAS=m
 CONFIG_SCSI_BUSLOGIC=m
 CONFIG_VMWARE_PVSCSI=m
 CONFIG_XEN_SCSI_FRONTEND=m
@@ -617,7 +612,6 @@ CONFIG_IXGBEVF=m
 CONFIG_I40E=m
 CONFIG_I40E_VXLAN=y
 CONFIG_I40EVF=m
-CONFIG_IP1000=m
 CONFIG_JME=m
 CONFIG_SKGE=m
 CONFIG_SKY2=m

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.4

@@ -38,7 +38,6 @@ CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_IOSCHED_DEADLINE is not set
 CONFIG_ARCH_EXYNOS7=y
-CONFIG_ARCH_FSL_LS2085A=y
 CONFIG_ARCH_MEDIATEK=y
 CONFIG_ARCH_QCOM=y
 CONFIG_ARCH_SEATTLE=y

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.0.ebuild

@@ -34,9 +34,8 @@ UNIPATCH_LIST="
         ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
         ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
         ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
-        ${PATCH_DIR}/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
+        ${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
-        ${PATCH_DIR}/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
+        ${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-        ${PATCH_DIR}/0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+        ${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-	${PATCH_DIR}/0022-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
 "
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch

@@ -1,24 +0,0 @@
-From 8aabcd5265fa49c0d04a69803f215924501a8f1c Mon Sep 17 00:00:00 2001
-From: Geoff Levand <geoff@infradead.org>
-Date: Wed, 2 Sep 2015 16:08:30 -0700
-Subject: [PATCH 19/21] net/wireless/wl18xx: Add missing MODULE_FIRMWARE
-
-Fixes the output of 'modinfo --field firmware'.
-
-Signed-off-by: Geoff Levand <geoff@infradead.org>
----
- drivers/net/wireless/ti/wl18xx/main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
-index abbf054..50cce42 100644
---- a/drivers/net/wireless/ti/wl18xx/main.c
-+++ b/drivers/net/wireless/ti/wl18xx/main.c
-@@ -2115,3 +2115,4 @@ MODULE_PARM_DESC(num_rx_desc_param,
- MODULE_LICENSE("GPL v2");
- MODULE_AUTHOR("Luciano Coelho <coelho@ti.com>");
- MODULE_FIRMWARE(WL18XX_FW_NAME);
-+MODULE_FIRMWARE(WL18XX_CONF_FILE_NAME);
--- 
-2.4.10
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch

@@ -1,4 +1,4 @@
-From 58ac4936ef210d203f9b1b1314c6f08f9df34cdc Mon Sep 17 00:00:00 2001
+From ed3da1ded7b7581a9a1dc2b48f8ddc7975f3ea67 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
 Subject: [PATCH 01/21] Add secure_modules() call
@@ -41,10 +41,10 @@ index 3a19c79..db38634 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 8f051a1..58e636c 100644
+index 38c7bd5..a8f8c64 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4091,3 +4091,13 @@ void module_layout(struct module *mod,
+@@ -4097,3 +4097,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,4 +1,4 @@
-From e2dbd4f7aa5913b660e251f5b657e4e4d47a44d7 Mon Sep 17 00:00:00 2001
+From e797ce01ad3c0faa578734900a7c03ee04c06c08 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
 Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
@@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  3 files changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 9261868..9e99a3c 100644
+index eead54c..bb59ecd 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -30,6 +30,7 @@
@@ -29,7 +29,7 @@ index 9261868..9e99a3c 100644
  #include "pci.h"
  
  static int sysfs_initialized;	/* = 0 */
-@@ -710,6 +711,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+@@ -713,6 +714,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8 *) buf;
  
@@ -39,7 +39,7 @@ index 9261868..9e99a3c 100644
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -1004,6 +1008,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
@@ -49,7 +49,7 @@ index 9261868..9e99a3c 100644
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1105,6 +1112,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
  				     struct bin_attribute *attr, char *buf,
  				     loff_t off, size_t count)
  {

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,4 +1,4 @@
-From 122b2c146762195197cf60b98e0a4cbf9da8c8f1 Mon Sep 17 00:00:00 2001
+From e1e4b600d77353180227e93c3dda49ebde147578 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
 Subject: [PATCH 03/21] x86: Lock down IO port access when module security is

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,4 +1,4 @@
-From fd2f3d4e41bfab8c0fcb854aba457a663dad0848 Mon Sep 17 00:00:00 2001
+From 15647227ed911e525339ece57b4af9d369390bb0 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
 Subject: [PATCH 04/21] ACPI: Limit access to custom_method

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,4 +1,4 @@
-From 2eeca20d2e55fb2d328b4cf7a7ce21422476ecaf Mon Sep 17 00:00:00 2001
+From 5b0f82c10dd93fd281e5f31c01deea1f3e2af1d1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
 Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
@@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index efbc3f0..071171b 100644
+index f96f7b8..01af903 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
-@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data)
+@@ -1870,6 +1870,9 @@ static int show_dsts(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -29,7 +29,7 @@ index efbc3f0..071171b 100644
  	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
  
  	if (err < 0)
-@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data)
+@@ -1886,6 +1889,9 @@ static int show_devs(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -39,7 +39,7 @@ index efbc3f0..071171b 100644
  	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
  				    &retval);
  
-@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1910,6 +1916,9 @@ static int show_call(struct seq_file *m, void *data)
  	union acpi_object *obj;
  	acpi_status status;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,4 +1,4 @@
-From 5ccba0f780b05a21f25c89be27153e00395ed8f2 Mon Sep 17 00:00:00 2001
+From 37f5217e456a13bb92814e515616b0524fbf0a89 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
 Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,4 +1,4 @@
-From 32a959e27631d17f0a7804cc08a145cac50cf00f Mon Sep 17 00:00:00 2001
+From f41415ab2cf92434113fbc97fc856ddd6e8a88da Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
 Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 739a4a6..9ef2a02 100644
+index 32d684a..f8570a0 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 739a4a6..9ef2a02 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,4 +1,4 @@
-From 50bd32982e4a967cf77f1020c191f6d5d3f0c941 Mon Sep 17 00:00:00 2001
+From e227953c81434fb5156dd2504aeee7960c37a0ad Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
 Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
@@ -14,10 +14,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 4c5edc3..5920ebc 100644
+index d873b64..3d09642 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
-@@ -15,6 +15,7 @@
+@@ -17,6 +17,7 @@
  #include <linux/syscalls.h>
  #include <linux/vmalloc.h>
  #include <linux/slab.h>
@@ -25,7 +25,7 @@ index 4c5edc3..5920ebc 100644
  
  #include "kexec_internal.h"
  
-@@ -129,7 +130,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -131,7 +132,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
  	int result;
  
  	/* We only trust the superuser with rebooting the system. */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,4 +1,4 @@
-From c22062005f9c42f27299a5d09bcc8be0b3f465e5 Mon Sep 17 00:00:00 2001
+From 1636adeff714c17d2c9a872e6be9b025df85ef64 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,4 +1,4 @@
-From e26f71a6701bb47d43247ace523d967d471fc2f0 Mon Sep 17 00:00:00 2001
+From f08b4a4b93bc28efe2d7aab38a6b44592d944dda Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
 Subject: [PATCH 10/21] Add option to automatically enforce module signatures
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 96d058a..f7494bd 100644
+index db3622f..5578b6e 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1736,6 +1736,16 @@ config EFI_MIXED
+@@ -1720,6 +1720,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index 96d058a..f7494bd 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index db51c1f..9dd115a 100644
+index 583d539..ca120ac 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index db51c1f..9dd115a 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -831,6 +832,37 @@ out:
+@@ -847,6 +848,37 @@ out:
  	return status;
  }
  
@@ -104,7 +104,7 @@ index db51c1f..9dd115a 100644
  /*
   * See if we have Graphics Output Protocol
   */
-@@ -1416,6 +1448,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1432,6 +1464,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -130,10 +130,10 @@ index 3292543..b61f853 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 37c8ea8..eddb9aa 100644
+index d2bbe34..a35c42f 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1143,6 +1143,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -164,10 +164,10 @@ index db38634..4b8df91 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 58e636c..6dd2bb3 100644
+index a8f8c64..3eb8c74 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4092,6 +4092,13 @@ void module_layout(struct module *mod,
+@@ -4098,6 +4098,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,4 +1,4 @@
-From 9ee65888bd6c5e88a589090583a5cffebaf4dcab Mon Sep 17 00:00:00 2001
+From 9bfe6c0b8200244a9517979dc06d3d7bcf8fde4a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
 Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index f7494bd..3a5e694 100644
+index 5578b6e..da9ae8a 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1737,7 +1737,8 @@ config EFI_MIXED
+@@ -1721,7 +1721,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,4 +1,4 @@
-From 445832078f9062e87f67480b19107a69e34c071e Mon Sep 17 00:00:00 2001
+From 1b435189fb66e031edc4df509576448a96b4c3ff Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
 Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index eddb9aa..49be9a2 100644
+index a35c42f..e96398f 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -27,14 +27,14 @@ index eddb9aa..49be9a2 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 85ef051..de3e450 100644
+index 569b5a8..4dc970e 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -959,6 +959,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
- #define EFI_PARAVIRT		6	/* Access is via a paravirt interface */
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
-+#define EFI_SECURE_BOOT		9	/* Are we in Secure Boot mode? */
+ #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
++#define EFI_SECURE_BOOT		10	/* Are we in Secure Boot mode? */
  
  #ifdef CONFIG_EFI
  /*

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,4 +1,4 @@
-From 7c42fe9368c8a9a56edc949f77eea9214e297448 Mon Sep 17 00:00:00 2001
+From e62a3871237bb79ef5e51b112eff7d940cf06020 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
 Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 690f78f..037303a 100644
+index b7342a2..8a6b218 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch

@@ -1,4 +1,4 @@
-From 3b1392d4ea14b7724a2166d79c9b505809715d0e Mon Sep 17 00:00:00 2001
+From 70aadec167cb84865c6e85c1eccc218a024f86ef Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
 Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch

@@ -1,4 +1,4 @@
-From 0b21929c1e4e111d33ac3271bc638bf6bdab3885 Mon Sep 17 00:00:00 2001
+From 2e1d35fb4b10cafc0dac63436f94fda8b4e738ee Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
 Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
@@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 12 insertions(+)
 
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 871fcb6..865f80a 100644
+index 0a89834..f59e1d8 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -58,6 +58,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
@@ -31,7 +31,7 @@ index 871fcb6..865f80a 100644
  		error = vfs_setxattr(new, name, value, size, 0);
  		if (error)
  			goto out_free_value;
-@@ -223,6 +231,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+@@ -222,6 +230,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
  	if (err)
  		goto out2;
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch

@@ -1,4 +1,4 @@
-From 2961980326ed02cc918c7d19e54704bd0bf34aa9 Mon Sep 17 00:00:00 2001
+From df782b85901bc5a1e1d5c90895b0166cb7ba6260 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
@@ -13,10 +13,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index e4369d8..7c1a44d 100644
+index d0cfaa9..d062209 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3190,6 +3190,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -3188,6 +3188,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
  	*secid = isec->sid;
  }
  

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch

@@ -1,4 +1,4 @@
-From 05a4a6e58b029d892c9ea5d561ca4c57c07c380a Mon Sep 17 00:00:00 2001
+From ce05f979bd98e5f267330f47d9a26bbb138dc54f Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
@@ -26,10 +26,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 70 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 7c1a44d..522b070 100644
+index d062209..5f0a11f 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3520,10 +3520,72 @@ static int selinux_file_receive(struct file *file)
+@@ -3518,10 +3518,72 @@ static int selinux_file_receive(struct file *file)
  	return file_has_perm(cred, file, file_to_av(file));
  }
  
@@ -102,7 +102,7 @@ index 7c1a44d..522b070 100644
  
  	fsec = file->f_security;
  	isec = file_inode(file)->i_security;
-@@ -3544,6 +3606,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
+@@ -3542,6 +3604,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
  	 * new inode label or new policy.
  	 * This check is not redundant - do not remove.
  	 */

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch

@@ -1,4 +1,4 @@
-From a83ff91c3c60b97c9fe67774c5d16cda5bca51ea Mon Sep 17 00:00:00 2001
+From f60b70463bb7493f60a27ac2d06058da87b062d9 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 18/21] SELinux: Check against union label for file operations
@@ -16,7 +16,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 522b070..ecc883b 100644
+index 5f0a11f..e33019e 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
 @@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch

@@ -1,7 +1,7 @@
-From a82edeacb552264a4ab7b8470bbbb3b39622fea0 Mon Sep 17 00:00:00 2001
+From 116f798bcf3fd2ce4965cb15ec44c8180f0428c1 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Mon, 19 Oct 2015 17:53:12 -0700
-Subject: [PATCH 20/21] overlayfs: use a minimal buffer in ovl_copy_xattr
+Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
 
 Rather than always allocating the high-order XATTR_SIZE_MAX buffer
 which is costly and prone to failure, only allocate what is needed and
@@ -13,7 +13,7 @@ Fixes https://github.com/coreos/bugs/issues/489
  1 file changed, 22 insertions(+), 9 deletions(-)
 
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 865f80a..749bf00 100644
+index f59e1d8..fff40c4 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -22,8 +22,8 @@

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 4457d5192a097a4cc002d3d7941f973bf65fa258 Mon Sep 17 00:00:00 2001
+From 6f682c2c88f74b45c3692a994d90ed51412b932b Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 2070d16..f825807 100644
+index 70dea02..987d283 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch

@@ -1,7 +1,8 @@
-From 3f2106fe2342d05f79dcef78da4cccc22c572b3b Mon Sep 17 00:00:00 2001
+From 06ccab87d8c415e51bcf69e34bb27712bad8398f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 22 Dec 2015 07:43:52 +0000
-Subject: [PATCH] Don't verify write permissions on lower inodes on overlayfs
+Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
+ overlayfs
 
 If a user opens a file r/w on overlayfs, and if the underlying inode is
 currently still on the lower fs, right now we're verifying whether selinux
@@ -18,10 +19,10 @@ the selinux permissions check if that flag is set.
  3 files changed, 13 insertions(+)
 
 diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index ec0c2a0..3d66617 100644
+index 4060ffd..b6f02f2 100644
 --- a/fs/overlayfs/inode.c
 +++ b/fs/overlayfs/inode.c
-@@ -128,6 +128,9 @@ int ovl_permission(struct inode *inode, int mask)
+@@ -125,6 +125,9 @@ int ovl_permission(struct inode *inode, int mask)
  			goto out_dput;
  	}
  
@@ -32,7 +33,7 @@ index ec0c2a0..3d66617 100644
  out_dput:
  	dput(alias);
 diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 72d8a84..585042b 100644
+index 3aa5142..5712013 100644
 --- a/include/linux/fs.h
 +++ b/include/linux/fs.h
 @@ -82,6 +82,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
@@ -44,10 +45,10 @@ index 72d8a84..585042b 100644
  /*
   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index ecc883b..47be196 100644
+index e33019e..48746ee 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -2907,6 +2907,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
+@@ -2904,6 +2904,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
  	u32 audited, denied;
  
  	from_access = mask & MAY_ACCESS;
@@ -64,5 +65,5 @@ index ecc883b..47be196 100644
  
  	/* No permission to check.  Existence test. */
 -- 
-2.5.0
+2.4.10