diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.9.0.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.9.0.ebuild index 1a6a9c3550..2fe3d5d496 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.11-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.9.0.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.9.0.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.9.0.ebuild index 5f7ad1c646..763d6d9dfe 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.11-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.9.0.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.8 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.9 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.8 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/amd64_defconfig-4.9 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.8 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.9 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.8 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/arm64_defconfig-4.9 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.8 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.9 similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.8 rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.9 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index bc87882fd5..b776844bbb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1 @@ -DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5 -DIST patch-4.8.11.xz 229384 SHA256 53d84946cbe641a2a74ed6cbdd35840bb4947cefd34a764c31b7dac5cde5c696 SHA512 b77fd9fa3ae1e5f80ffe555ecec7d7f5b60cad3efc81d51f66a486f5d3ce862083a1553fa3e148452fab62a25d2d953abf5c23c7a51fe094b9c0946e09dbc30b WHIRLPOOL 21b7b94d76d058256a548c9339270b9d07b6c90f18de5153cb57a368bd18910cc36e104ae7983d1797bbbb2e62ae06a981ef76aa835239ca5084abf6649741ee +DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild deleted file mode 100644 index 8d618d17d2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2014 CoreOS, Inc. -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" -ETYPE="sources" -inherit kernel-2 -detect_version - -DESCRIPTION="Full sources for the CoreOS Linux kernel" -HOMEPAGE="http://www.kernel.org" -SRC_URI="${KERNEL_URI}" - -KEYWORDS="amd64 arm64" -IUSE="" - -PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" - -# XXX: Note we must prefix the patch filenames with "z" to ensure they are -# applied _after_ a potential patch-${KV}.patch file, present when building a -# patchlevel revision. We mustn't apply our patches first, it fails when the -# local patches overlap with the upstream patch. - -# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' -UNIPATCH_LIST=" - ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \ - ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \ - ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \ - ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \ - ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \ - ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \ - ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \ - ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \ - ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ - ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \ - ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \ - ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ - ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ - ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ - ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ - ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ - ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \ - ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ - ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ - ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ - ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ - ${PATCH_DIR}/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch \ -" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild new file mode 100644 index 0000000000..e2abdc34b2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild @@ -0,0 +1,39 @@ +# Copyright 2014 CoreOS, Inc. +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" +ETYPE="sources" +inherit kernel-2 +detect_version + +DESCRIPTION="Full sources for the CoreOS Linux kernel" +HOMEPAGE="http://www.kernel.org" +SRC_URI="${KERNEL_URI}" + +KEYWORDS="amd64 arm64" +IUSE="" + +PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" + +# XXX: Note we must prefix the patch filenames with "z" to ensure they are +# applied _after_ a potential patch-${KV}.patch file, present when building a +# patchlevel revision. We mustn't apply our patches first, it fails when the +# local patches overlap with the upstream patch. + +# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' +UNIPATCH_LIST=" + ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \ + ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ + ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \ + ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \ + ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ + ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ + ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ + ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ + ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ + ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \ + ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ + ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \ + ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \ + ${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ +" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch deleted file mode 100644 index 00522c1f94..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 61aa910fc208741c4bff9801566a1ca0a24531d9 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:57 -0400 -Subject: [PATCH 01/22] security, overlayfs: provide copy up security hook for - unioned files - -Provide a security hook to label new file correctly when a file is copied -up from lower layer to upper layer of a overlay/union mount. - -This hook can prepare a new set of creds which are suitable for new file -creation during copy up. Caller will use new creds to create file and then -revert back to old creds and release new creds. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - fs/overlayfs/copy_up.c | 15 +++++++++++++++ - include/linux/lsm_hooks.h | 11 +++++++++++ - include/linux/security.h | 6 ++++++ - security/security.c | 8 ++++++++ - 4 files changed, 40 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 767377e..14a892b 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, - struct dentry *upper = NULL; - umode_t mode = stat->mode; - int err; -+ const struct cred *old_creds = NULL; -+ struct cred *new_creds = NULL; - - newdentry = ovl_lookup_temp(workdir, dentry); - err = PTR_ERR(newdentry); -@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, - if (IS_ERR(upper)) - goto out1; - -+ err = security_inode_copy_up(dentry, &new_creds); -+ if (err < 0) -+ goto out2; -+ -+ if (new_creds) -+ old_creds = override_creds(new_creds); -+ - /* Can't properly set mode on creation because of the umask */ - stat->mode &= S_IFMT; - err = ovl_create_real(wdir, newdentry, stat, link, NULL, true); - stat->mode = mode; -+ -+ if (new_creds) { -+ revert_creds(old_creds); -+ put_cred(new_creds); -+ } -+ - if (err) - goto out2; - -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 101bf19..ba3c842 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -401,6 +401,15 @@ - * @inode contains a pointer to the inode. - * @secid contains a pointer to the location where result will be saved. - * In case of failure, @secid will be set to zero. -+ * @inode_copy_up: -+ * A file is about to be copied up from lower layer to upper layer of -+ * overlay filesystem. Security module can prepare a set of new creds -+ * and modify as need be and return new creds. Caller will switch to -+ * new creds temporarily to create new file and release newly allocated -+ * creds. -+ * @src indicates the union dentry of file that is being copied up. -+ * @new pointer to pointer to return newly allocated creds. -+ * Returns 0 on success or a negative error code on error. - * - * Security hooks for file operations - * -@@ -1425,6 +1434,7 @@ union security_list_options { - int (*inode_listsecurity)(struct inode *inode, char *buffer, - size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); -+ int (*inode_copy_up) (struct dentry *src, struct cred **new); - - int (*file_permission)(struct file *file, int mask); - int (*file_alloc_security)(struct file *file); -@@ -1696,6 +1706,7 @@ struct security_hook_heads { - struct list_head inode_setsecurity; - struct list_head inode_listsecurity; - struct list_head inode_getsecid; -+ struct list_head inode_copy_up; - struct list_head file_permission; - struct list_head file_alloc_security; - struct list_head file_free_security; -diff --git a/include/linux/security.h b/include/linux/security.h -index 7831cd5..c5b0ccd 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf - int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); - int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void security_inode_getsecid(struct inode *inode, u32 *secid); -+int security_inode_copy_up(struct dentry *src, struct cred **new); - int security_file_permission(struct file *file, int mask); - int security_file_alloc(struct file *file); - void security_file_free(struct file *file); -@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) - *secid = 0; - } - -+static inline int security_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ return 0; -+} -+ - static inline int security_file_permission(struct file *file, int mask) - { - return 0; -diff --git a/security/security.c b/security/security.c -index 4838e7f..f2a7f27 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) - call_void_hook(inode_getsecid, inode, secid); - } - -+int security_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ return call_int_hook(inode_copy_up, 0, src, new); -+} -+EXPORT_SYMBOL(security_inode_copy_up); -+ - int security_file_permission(struct file *file, int mask) - { - int ret; -@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), - .inode_getsecid = - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), -+ .inode_copy_up = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch deleted file mode 100644 index 60f6eb93a1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 591db70df1daa6d3fec150d1ec822ae413385323 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 02/22] selinux: Implementation for inode_copy_up() hook - -A file is being copied up for overlay file system. Prepare a new set of -creds and set create_sid appropriately so that new file is created with -appropriate label. - -Overlay inode has right label for both context and non-context mount -cases. In case of non-context mount, overlay inode will have the label -of lower file and in case of context mount, overlay inode will have -the label from context= mount option. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 13185a6..264ee90 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) - *secid = isec->sid; - } - -+static int selinux_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ u32 sid; -+ struct task_security_struct *tsec; -+ struct cred *new_creds = *new; -+ -+ if (new_creds == NULL) { -+ new_creds = prepare_creds(); -+ if (!new_creds) -+ return -ENOMEM; -+ } -+ -+ tsec = new_creds->security; -+ /* Get label from overlay inode and set it in create_sid */ -+ selinux_inode_getsecid(d_inode(src), &sid); -+ tsec->create_sid = sid; -+ *new = new_creds; -+ return 0; -+} -+ - /* file security operations */ - - static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), - LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), -+ LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), - - LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch deleted file mode 100644 index e14fcd253e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch +++ /dev/null @@ -1,129 +0,0 @@ -From c4b0abc5ee89f6b6adc9b9aa6712f0403f43df69 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 03/22] security,overlayfs: Provide security hook for copy up - of xattrs for overlay file - -Provide a security hook which is called when xattrs of a file are being -copied up. This hook is called once for each xattr and LSM can return -0 if the security module wants the xattr to be copied up, 1 if the -security module wants the xattr to be discarded on the copy, -EOPNOTSUPP -if the security module does not handle/manage the xattr, or a -errno -upon an error. - -Signed-off-by: David Howells -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - fs/overlayfs/copy_up.c | 7 +++++++ - include/linux/lsm_hooks.h | 10 ++++++++++ - include/linux/security.h | 6 ++++++ - security/security.c | 8 ++++++++ - 4 files changed, 31 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 14a892b..8797c72 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -115,6 +115,13 @@ retry: - goto retry; - } - -+ error = security_inode_copy_up_xattr(name); -+ if (error < 0 && error != -EOPNOTSUPP) -+ break; -+ if (error == 1) { -+ error = 0; -+ continue; /* Discard */ -+ } - error = vfs_setxattr(new, name, value, size, 0); - if (error) - break; -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index ba3c842..336b3fb 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -410,6 +410,14 @@ - * @src indicates the union dentry of file that is being copied up. - * @new pointer to pointer to return newly allocated creds. - * Returns 0 on success or a negative error code on error. -+ * @inode_copy_up_xattr: -+ * Filter the xattrs being copied up when a unioned file is copied -+ * up from a lower layer to the union/overlay layer. -+ * @name indicates the name of the xattr. -+ * Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if -+ * security module does not know about attribute or a negative error code -+ * to abort the copy up. Note that the caller is responsible for reading -+ * and writing the xattrs as this hook is merely a filter. - * - * Security hooks for file operations - * -@@ -1435,6 +1443,7 @@ union security_list_options { - size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); - int (*inode_copy_up) (struct dentry *src, struct cred **new); -+ int (*inode_copy_up_xattr) (const char *name); - - int (*file_permission)(struct file *file, int mask); - int (*file_alloc_security)(struct file *file); -@@ -1707,6 +1716,7 @@ struct security_hook_heads { - struct list_head inode_listsecurity; - struct list_head inode_getsecid; - struct list_head inode_copy_up; -+ struct list_head inode_copy_up_xattr; - struct list_head file_permission; - struct list_head file_alloc_security; - struct list_head file_free_security; -diff --git a/include/linux/security.h b/include/linux/security.h -index c5b0ccd..536fafd 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void - int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void security_inode_getsecid(struct inode *inode, u32 *secid); - int security_inode_copy_up(struct dentry *src, struct cred **new); -+int security_inode_copy_up_xattr(const char *name); - int security_file_permission(struct file *file, int mask); - int security_file_alloc(struct file *file); - void security_file_free(struct file *file); -@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new) - return 0; - } - -+static inline int security_inode_copy_up_xattr(const char *name) -+{ -+ return -EOPNOTSUPP; -+} -+ - static inline int security_file_permission(struct file *file, int mask) - { - return 0; -diff --git a/security/security.c b/security/security.c -index f2a7f27..a9e2bb9 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new) - } - EXPORT_SYMBOL(security_inode_copy_up); - -+int security_inode_copy_up_xattr(const char *name) -+{ -+ return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name); -+} -+EXPORT_SYMBOL(security_inode_copy_up_xattr); -+ - int security_file_permission(struct file *file, int mask) - { - int ret; -@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), - .inode_copy_up = - LIST_HEAD_INIT(security_hook_heads.inode_copy_up), -+ .inode_copy_up_xattr = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch deleted file mode 100644 index 906d6ddb49..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch +++ /dev/null @@ -1,53 +0,0 @@ -From 0b0daf47ee34e3c2bbb22a7620396461e20daca1 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 04/22] selinux: Implementation for inode_copy_up_xattr() hook - -When a file is copied up in overlay, we have already created file on upper/ -with right label and there is no need to copy up selinux label/xattr from -lower file to upper file. In fact in case of context mount, we don't want -to copy up label as newly created file got its label from context= option. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 264ee90..d30d7b3 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) - return 0; - } - -+static int selinux_inode_copy_up_xattr(const char *name) -+{ -+ /* The copy_up hook above sets the initial context on an inode, but we -+ * don't then want to overwrite it by blindly copying all the lower -+ * xattrs up. Instead, we have to filter out SELinux-related xattrs. -+ */ -+ if (strcmp(name, XATTR_NAME_SELINUX) == 0) -+ return 1; /* Discard */ -+ /* -+ * Any other attribute apart from SELINUX is not claimed, supported -+ * by selinux. -+ */ -+ return -EOPNOTSUPP; -+} -+ - /* file security operations */ - - static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), - LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), -+ LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), - - LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch deleted file mode 100644 index c8f1a07d34..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 27a7af7125c4984bdb75c2a027d6046744df411c Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 05/22] selinux: Pass security pointer to - determine_inode_label() - -Right now selinux_determine_inode_label() works on security pointer of -current task. Soon I need this to work on a security pointer retrieved -from a set of creds. So start passing in a pointer and caller can decide -where to fetch security pointer from. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 19 ++++++++++--------- - 1 file changed, 10 insertions(+), 9 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d30d7b3..2bf0d00 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1808,13 +1808,13 @@ out: - /* - * Determine the label for an inode that might be unioned. - */ --static int selinux_determine_inode_label(struct inode *dir, -- const struct qstr *name, -- u16 tclass, -- u32 *_new_isid) -+static int -+selinux_determine_inode_label(const struct task_security_struct *tsec, -+ struct inode *dir, -+ const struct qstr *name, u16 tclass, -+ u32 *_new_isid) - { - const struct superblock_security_struct *sbsec = dir->i_sb->s_security; -- const struct task_security_struct *tsec = current_security(); - - if ((sbsec->flags & SE_SBINITIALIZED) && - (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { -@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir, - if (rc) - return rc; - -- rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass, -- &newsid); -+ rc = selinux_determine_inode_label(current_security(), dir, -+ &dentry->d_name, tclass, &newsid); - if (rc) - return rc; - -@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, - u32 newsid; - int rc; - -- rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name, -+ rc = selinux_determine_inode_label(current_security(), -+ d_inode(dentry->d_parent), name, - inode_mode_to_security_class(mode), - &newsid); - if (rc) -@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, - sid = tsec->sid; - newsid = tsec->create_sid; - -- rc = selinux_determine_inode_label( -+ rc = selinux_determine_inode_label(current_security(), - dir, qstr, - inode_mode_to_security_class(inode->i_mode), - &newsid); --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch deleted file mode 100644 index 295471503e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 1271cf983fa9292fd7c6dd1b0d2eb1fedecd8cdb Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 06/22] security, overlayfs: Provide hook to correctly label - newly created files - -During a new file creation we need to make sure new file is created with the -right label. New file is created in upper/ so effectively file should get -label as if task had created file in upper/. - -We switched to mounter's creds for actual file creation. Also if there is a -whiteout present, then file will be created in work/ dir first and then -renamed in upper. In none of the cases file will be labeled as we want it to -be. - -This patch introduces a new hook dentry_create_files_as(), which determines -the label/context dentry will get if it had been created by task in upper -and modify passed set of creds appropriately. Caller makes use of these new -creds for file creation. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - fs/overlayfs/dir.c | 10 ++++++++++ - include/linux/lsm_hooks.h | 15 +++++++++++++++ - include/linux/security.h | 12 ++++++++++++ - security/security.c | 11 +++++++++++ - 4 files changed, 48 insertions(+) - -diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c -index 74e6964..adfaa21 100644 ---- a/fs/overlayfs/dir.c -+++ b/fs/overlayfs/dir.c -@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, - if (override_cred) { - override_cred->fsuid = inode->i_uid; - override_cred->fsgid = inode->i_gid; -+ if (!hardlink) { -+ err = security_dentry_create_files_as(dentry, -+ stat->mode, &dentry->d_name, old_cred, -+ override_cred); -+ if (err) { -+ put_cred(override_cred); -+ goto out_revert_creds; -+ } -+ } - put_cred(override_creds(override_cred)); - put_cred(override_cred); - -@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, - err = ovl_create_over_whiteout(dentry, inode, stat, - link, hardlink); - } -+out_revert_creds: - revert_creds(old_cred); - if (!err) { - struct inode *realinode = d_inode(ovl_dentry_upper(dentry)); -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 336b3fb..55891c0 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -151,6 +151,16 @@ - * @name name of the last path component used to create file - * @ctx pointer to place the pointer to the resulting context in. - * @ctxlen point to place the length of the resulting context. -+ * @dentry_create_files_as: -+ * Compute a context for a dentry as the inode is not yet available -+ * and set that context in passed in creds so that new files are -+ * created using that context. Context is calculated using the -+ * passed in creds and not the creds of the caller. -+ * @dentry dentry to use in calculating the context. -+ * @mode mode used to determine resource type. -+ * @name name of the last path component used to create file -+ * @old creds which should be used for context calculation -+ * @new creds to modify - * - * - * Security hooks for inode operations. -@@ -1375,6 +1385,10 @@ union security_list_options { - int (*dentry_init_security)(struct dentry *dentry, int mode, - const struct qstr *name, void **ctx, - u32 *ctxlen); -+ int (*dentry_create_files_as)(struct dentry *dentry, int mode, -+ struct qstr *name, -+ const struct cred *old, -+ struct cred *new); - - - #ifdef CONFIG_SECURITY_PATH -@@ -1675,6 +1689,7 @@ struct security_hook_heads { - struct list_head sb_clone_mnt_opts; - struct list_head sb_parse_opts_str; - struct list_head dentry_init_security; -+ struct list_head dentry_create_files_as; - #ifdef CONFIG_SECURITY_PATH - struct list_head path_unlink; - struct list_head path_mkdir; -diff --git a/include/linux/security.h b/include/linux/security.h -index 536fafd..a6c6d5d 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); - int security_dentry_init_security(struct dentry *dentry, int mode, - const struct qstr *name, void **ctx, - u32 *ctxlen); -+int security_dentry_create_files_as(struct dentry *dentry, int mode, -+ struct qstr *name, -+ const struct cred *old, -+ struct cred *new); - - int security_inode_alloc(struct inode *inode); - void security_inode_free(struct inode *inode); -@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry, - return -EOPNOTSUPP; - } - -+static inline int security_dentry_create_files_as(struct dentry *dentry, -+ int mode, struct qstr *name, -+ const struct cred *old, -+ struct cred *new) -+{ -+ return 0; -+} -+ - - static inline int security_inode_init_security(struct inode *inode, - struct inode *dir, -diff --git a/security/security.c b/security/security.c -index a9e2bb9..69614f1 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode, - } - EXPORT_SYMBOL(security_dentry_init_security); - -+int security_dentry_create_files_as(struct dentry *dentry, int mode, -+ struct qstr *name, -+ const struct cred *old, struct cred *new) -+{ -+ return call_int_hook(dentry_create_files_as, 0, dentry, mode, -+ name, old, new); -+} -+EXPORT_SYMBOL(security_dentry_create_files_as); -+ - int security_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, - const initxattrs initxattrs, void *fs_data) -@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str), - .dentry_init_security = - LIST_HEAD_INIT(security_hook_heads.dentry_init_security), -+ .dentry_create_files_as = -+ LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as), - #ifdef CONFIG_SECURITY_PATH - .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink), - .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir), --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch deleted file mode 100644 index 219590161a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 2c1808b93b771367bbb8f9617087ac550fee6b25 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 07/22] selinux: Implement dentry_create_files_as() hook - -Calculate what would be the label of newly created file and set that secid -in the passed creds. - -Context of the task which is actually creating file is retrieved from -set of creds passed in. (old->security). - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 2bf0d00..603b600 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, - return security_sid_to_context(newsid, (char **)ctx, ctxlen); - } - -+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, -+ struct qstr *name, -+ const struct cred *old, -+ struct cred *new) -+{ -+ u32 newsid; -+ int rc; -+ struct task_security_struct *tsec; -+ -+ rc = selinux_determine_inode_label(old->security, -+ d_inode(dentry->d_parent), name, -+ inode_mode_to_security_class(mode), -+ &newsid); -+ if (rc) -+ return rc; -+ -+ tsec = new->security; -+ tsec->create_sid = newsid; -+ return 0; -+} -+ - static int selinux_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, - const char **name, -@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), - - LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), -+ LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), - - LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), - LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch deleted file mode 100644 index 8f569ea75d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch +++ /dev/null @@ -1,30 +0,0 @@ -From b764ba9deb30b2b3b1089e6bd019235d8eeec7f0 Mon Sep 17 00:00:00 2001 -From: David Michael -Date: Tue, 29 Nov 2016 11:15:12 -0800 -Subject: [PATCH 22/22] crypto: rsa - Add Makefile dependencies to fix parallel - builds - -Both asn1 headers are included by rsa_helper.c, so rsa_helper.o -should explicitly depend on them. - -Signed-off-by: David Michael -Signed-off-by: Herbert Xu ---- - crypto/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/crypto/Makefile b/crypto/Makefile -index 99cc64ac..bd6a029 100644 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o - - $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h - $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h -+$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h - clean-files += rsapubkey-asn1.c rsapubkey-asn1.h - clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h - --- -2.7.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch index b1fa4070c8..d029bb88af 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ -From 11eef9a6bb39e76cf94903fd09035a016105ecd3 Mon Sep 17 00:00:00 2001 +From 4854c16b274a6bf1ce79f0479ce4d9514914caa4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 08/22] Add secure_modules() call +Subject: [PATCH 01/14] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 529efae..0332fdd 100644 +index 0e54d5b..085b720 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod, +@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 529efae..0332fdd 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 4909c51ee6..65bc96d24c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ -From e2e5d6241f6deda933501efc2bf8561ac0ee823c Mon Sep 17 00:00:00 2001 +From 98083458fbf75ab8d78f62d0b5b6d83f49b1e09a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 09/22] PCI: Lock down BAR access when module security is +Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index bdbf344036..e88ba27006 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ -From dac8156e6c3b022f9aa7fe74f9633c4b516d836b Mon Sep 17 00:00:00 2001 +From aa4e5d19b6907f481858501b75b05a6d2898d270 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 10/22] x86: Lock down IO port access when module security is +Subject: [PATCH 03/14] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -46,7 +46,7 @@ index 589b319..ab83724 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index a33163d..48a2897 100644 +index 5bb1985..7f1a7ab 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -28,6 +28,7 @@ @@ -57,7 +57,7 @@ index a33163d..48a2897 100644 #include -@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, +@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, unsigned long i = *ppos; const char __user *tmp = buf; @@ -68,5 +68,5 @@ index a33163d..48a2897 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch index 1fe598e87a..62d80f3666 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From af958e17249f457db4d717e930d03949a0409ce2 Mon Sep 17 00:00:00 2001 +From fc270da17651b116b0d4ce1998f5cfad25d48eae Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 11/22] ACPI: Limit access to custom_method +Subject: [PATCH 04/14] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 706a0a23c5..4f58ec79ed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ -From 78eca915fa66229e2a849010183ca05c2f32dcb7 Mon Sep 17 00:00:00 2001 +From c4fe9ea847f1fbd9ecabc5ec8f87020bea65d741 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 12/22] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 7c093a0..21fd6b8 100644 +index ce6ca31..55d2399 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data) @@ -50,5 +50,5 @@ index 7c093a0..21fd6b8 100644 1, asus->debug.method_id, &input, &output); -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index b087f35e6f..560cb109b5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From d012dc5ff32ac9a20c81c2666693d27795246803 Mon Sep 17 00:00:00 2001 +From 6be6524270a0f131a8293f5d4008a364d4a5462f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 13/22] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 48a2897..08a7bff 100644 +index 7f1a7ab..d6a6f05 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -27,9 +27,9 @@ index 48a2897..08a7bff 100644 if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, - char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ - int err = 0; +@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, + if (!pfn_valid(PFN_DOWN(p))) + return -EIO; + if (secure_modules()) + return -EPERM; @@ -38,5 +38,5 @@ index 48a2897..08a7bff 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index cb3ec192ed..98d091104a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From c5afea751f473e5a4c3a3bc9ca6000210cc11d62 Mon Sep 17 00:00:00 2001 +From 1b626fb49ffd2fd4c8b962ce80b4f87164f8f5f6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 14/22] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 4305ee9..fa1bcf0 100644 +index 416953a..4887e34 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 4305ee9..fa1bcf0 100644 #include #include -@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -35,5 +35,5 @@ index 4305ee9..fa1bcf0 100644 #endif -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 570533f90b..c36a95ac04 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ -From ef69c624f93bfe1f239a3c8fd7c18434315063a4 Mon Sep 17 00:00:00 2001 +From 2ccbff3b3a81d8e16771a065d594e3a7acc2ef23 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 15/22] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644 /* -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index a8e48d9a32..5d4e9997bc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ -From 7328100467c24fb90c510aed529969e50a504fcf Mon Sep 17 00:00:00 2001 +From e6dca416cd3110c0029845d0fa20980f4e0c89a6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 16/22] x86: Restrict MSR access when module loading is +Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, @@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644 err = -EFAULT; break; -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch index 8893fbcad0..07035854fc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ -From 30317cca0747b8e31f5e6f45804883bc2e0a8062 Mon Sep 17 00:00:00 2001 +From dd587db145416e321874fb8a222dbd6766321c0f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 17/22] Add option to automatically enforce module signatures +Subject: [PATCH 10/14] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 2a1f0ce..ba2c734 100644 +index bada636..882da2b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1774,6 +1774,16 @@ config EFI_MIXED +@@ -1786,6 +1786,16 @@ config EFI_MIXED If unsure, say N. @@ -55,7 +55,7 @@ index 2a1f0ce..ba2c734 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 94dd4a3..1959b82 100644 +index cc69e37..17b3765 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -66,7 +66,7 @@ index 94dd4a3..1959b82 100644 #include "../string.h" #include "eboot.h" -@@ -571,6 +572,36 @@ free_handle: +@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params) efi_call_early(free_pool, pci_handle); } @@ -103,7 +103,7 @@ index 94dd4a3..1959b82 100644 static efi_status_t setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) { -@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d5219b1..d635886 100644 +index 9c337b0..f7f369b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) @@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 0332fdd..3f1ea6b 100644 +index 085b720..e0c6216 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod, +@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -181,5 +181,5 @@ index 0332fdd..3f1ea6b 100644 { #ifdef CONFIG_MODULE_SIG -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index a41206dcee..433664e08a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From fe523b61b4171c61dd3d8502f82ceca832e07455 Mon Sep 17 00:00:00 2001 +From 0f2a255cf654f8190b7afe64c691d33a01bb8d42 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 18/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 11/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index ba2c734..a5d6b58 100644 +index 882da2b..d666ef8b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1775,7 +1775,8 @@ config EFI_MIXED +@@ -1787,7 +1787,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index ba2c734..a5d6b58 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch index f8b8fc10db..a72e3ebeb0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From e75618eb44390ca1a3c89116218bf95869534d54 Mon Sep 17 00:00:00 2001 +From 4de054ccaffe8b6d6fe584ce3410185f7b96f214 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 19/22] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 12/14] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d635886..5824ae5 100644 +index f7f369b..60dccc2 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) @@ -27,10 +27,10 @@ index d635886..5824ae5 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 0148a30..4b62b48 100644 +index 2d08948..6902c59 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1043,6 +1043,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ @@ -39,5 +39,5 @@ index 0148a30..4b62b48 100644 #ifdef CONFIG_EFI /* -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch index 1ecf2182e4..f6256f5bb9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From e2c1136cd8b9ca7b1bab22d248275f48d1a304ab Mon Sep 17 00:00:00 2001 +From 41b5e0b849955e5eecb90e4f791d725008c97931 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 20/22] hibernate: Disable in a signed modules environment +Subject: [PATCH 13/14] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 33c79b6..d1420be 100644 +index b26dbc4..ab187ad 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ @@ -35,5 +35,5 @@ index 33c79b6..d1420be 100644 /** -- -2.7.4 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 51949b46d6..5a309075b2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From 7856850e71d8f561d4fdade202e9ce2992fb78bf Mon Sep 17 00:00:00 2001 +From c40c198ae4798b15647dc55ce71ba28e7eba108a Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 21/22] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 14/14] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 2b1bcba..999c366 100644 +index b103777..7824269 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 2b1bcba..999c366 100644 # Leave processing to above invocation of make -- -2.7.4 +2.7.3