Merge pull request #2316 from crawford/linux

sys-kernel/coreos-*: bump to v4.9

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.9.0.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION=""
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.9.0.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION=""
 inherit coreos-kernel savedconfig
 
 DESCRIPTION="CoreOS Linux kernel modules"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1 @@
-DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5
+DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a
-DIST patch-4.8.11.xz 229384 SHA256 53d84946cbe641a2a74ed6cbdd35840bb4947cefd34a764c31b7dac5cde5c696 SHA512 b77fd9fa3ae1e5f80ffe555ecec7d7f5b60cad3efc81d51f66a486f5d3ce862083a1553fa3e148452fab62a25d2d953abf5c23c7a51fe094b9c0946e09dbc30b WHIRLPOOL 21b7b94d76d058256a548c9339270b9d07b6c90f18de5153cb57a368bd18910cc36e104ae7983d1797bbbb2e62ae06a981ef76aa835239ca5084abf6649741ee

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.11-r1.ebuild

@@ -1,47 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-        ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
-        ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
-        ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
-        ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
-        ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
-        ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
-        ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
-        ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
-        ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-        ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-        ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
-        ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-        ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-        ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-        ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-        ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-        ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
-        ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-        ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
-        ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
-        ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-        ${PATCH_DIR}/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch \
-"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild

@@ -0,0 +1,39 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+        ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+        ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+        ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+        ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+        ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+        ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+        ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+        ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+        ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+        ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+        ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+        ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+        ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+        ${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch

@@ -1,148 +0,0 @@
-From 61aa910fc208741c4bff9801566a1ca0a24531d9 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:57 -0400
-Subject: [PATCH 01/22] security, overlayfs: provide copy up security hook for
- unioned files
-
-Provide a security hook to label new file correctly when a file is copied
-up from lower layer to upper layer of a overlay/union mount.
-
-This hook can prepare a new set of creds which are suitable for new file
-creation during copy up. Caller will use new creds to create file and then
-revert back to old creds and release new creds.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/copy_up.c    | 15 +++++++++++++++
- include/linux/lsm_hooks.h | 11 +++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 40 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 767377e..14a892b 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	struct dentry *upper = NULL;
- 	umode_t mode = stat->mode;
- 	int err;
-+	const struct cred *old_creds = NULL;
-+	struct cred *new_creds = NULL;
- 
- 	newdentry = ovl_lookup_temp(workdir, dentry);
- 	err = PTR_ERR(newdentry);
-@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	if (IS_ERR(upper))
- 		goto out1;
- 
-+	err = security_inode_copy_up(dentry, &new_creds);
-+	if (err < 0)
-+		goto out2;
-+
-+	if (new_creds)
-+		old_creds = override_creds(new_creds);
-+
- 	/* Can't properly set mode on creation because of the umask */
- 	stat->mode &= S_IFMT;
- 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
- 	stat->mode = mode;
-+
-+	if (new_creds) {
-+		revert_creds(old_creds);
-+		put_cred(new_creds);
-+	}
-+
- 	if (err)
- 		goto out2;
- 
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 101bf19..ba3c842 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -401,6 +401,15 @@
-  *	@inode contains a pointer to the inode.
-  *	@secid contains a pointer to the location where result will be saved.
-  *	In case of failure, @secid will be set to zero.
-+ * @inode_copy_up:
-+ *	A file is about to be copied up from lower layer to upper layer of
-+ *	overlay filesystem. Security module can prepare a set of new creds
-+ *	and modify as need be and return new creds. Caller will switch to
-+ *	new creds temporarily to create new file and release newly allocated
-+ *	creds.
-+ *	@src indicates the union dentry of file that is being copied up.
-+ *	@new pointer to pointer to return newly allocated creds.
-+ *	Returns 0 on success or a negative error code on error.
-  *
-  * Security hooks for file operations
-  *
-@@ -1425,6 +1434,7 @@ union security_list_options {
- 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
-+	int (*inode_copy_up) (struct dentry *src, struct cred **new);
- 
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1696,6 +1706,7 @@ struct security_hook_heads {
- 	struct list_head inode_setsecurity;
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
-+	struct list_head inode_copy_up;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 7831cd5..c5b0ccd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
- int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
-+int security_inode_copy_up(struct dentry *src, struct cred **new);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = 0;
- }
- 
-+static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return 0;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index 4838e7f..f2a7f27 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	call_void_hook(inode_getsecid, inode, secid);
- }
- 
-+int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return call_int_hook(inode_copy_up, 0, src, new);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- 	.inode_getsecid =
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
-+	.inode_copy_up =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch

@@ -1,62 +0,0 @@
-From 591db70df1daa6d3fec150d1ec822ae413385323 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 02/22] selinux: Implementation for inode_copy_up() hook
-
-A file is being copied up for overlay file system. Prepare a new set of
-creds and set create_sid appropriately so that new file is created with
-appropriate label.
-
-Overlay inode has right label for both context and non-context mount
-cases. In case of non-context mount, overlay inode will have the label
-of lower file and in case of context mount, overlay inode will have
-the label from context= mount option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 13185a6..264ee90 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = isec->sid;
- }
- 
-+static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	u32 sid;
-+	struct task_security_struct *tsec;
-+	struct cred *new_creds = *new;
-+
-+	if (new_creds == NULL) {
-+		new_creds = prepare_creds();
-+		if (!new_creds)
-+			return -ENOMEM;
-+	}
-+
-+	tsec = new_creds->security;
-+	/* Get label from overlay inode and set it in create_sid */
-+	selinux_inode_getsecid(d_inode(src), &sid);
-+	tsec->create_sid = sid;
-+	*new = new_creds;
-+	return 0;
-+}
-+
- /* file security operations */
- 
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-+	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
- 
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch

@@ -1,129 +0,0 @@
-From c4b0abc5ee89f6b6adc9b9aa6712f0403f43df69 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 03/22] security,overlayfs: Provide security hook for copy up
- of xattrs for overlay file
-
-Provide a security hook which is called when xattrs of a file are being
-copied up. This hook is called once for each xattr and LSM can return
-0 if the security module wants the xattr to be copied up, 1 if the
-security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
-if the security module does not handle/manage the xattr, or a -errno
-upon an error.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/copy_up.c    |  7 +++++++
- include/linux/lsm_hooks.h | 10 ++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 31 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 14a892b..8797c72 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -115,6 +115,13 @@ retry:
- 			goto retry;
- 		}
- 
-+		error = security_inode_copy_up_xattr(name);
-+		if (error < 0 && error != -EOPNOTSUPP)
-+			break;
-+		if (error == 1) {
-+			error = 0;
-+			continue; /* Discard */
-+		}
- 		error = vfs_setxattr(new, name, value, size, 0);
- 		if (error)
- 			break;
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index ba3c842..336b3fb 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -410,6 +410,14 @@
-  *	@src indicates the union dentry of file that is being copied up.
-  *	@new pointer to pointer to return newly allocated creds.
-  *	Returns 0 on success or a negative error code on error.
-+ * @inode_copy_up_xattr:
-+ *	Filter the xattrs being copied up when a unioned file is copied
-+ *	up from a lower layer to the union/overlay layer.
-+ *	@name indicates the name of the xattr.
-+ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
-+ *	security module does not know about attribute or a negative error code
-+ *	to abort the copy up. Note that the caller is responsible for reading
-+ *	and writing the xattrs as this hook is merely a filter.
-  *
-  * Security hooks for file operations
-  *
-@@ -1435,6 +1443,7 @@ union security_list_options {
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
- 	int (*inode_copy_up) (struct dentry *src, struct cred **new);
-+	int (*inode_copy_up_xattr) (const char *name);
- 
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1707,6 +1716,7 @@ struct security_hook_heads {
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
- 	struct list_head inode_copy_up;
-+	struct list_head inode_copy_up_xattr;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index c5b0ccd..536fafd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
- int security_inode_copy_up(struct dentry *src, struct cred **new);
-+int security_inode_copy_up_xattr(const char *name);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
- 
-+static inline int security_inode_copy_up_xattr(const char *name)
-+{
-+	return -EOPNOTSUPP;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index f2a7f27..a9e2bb9 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
- }
- EXPORT_SYMBOL(security_inode_copy_up);
- 
-+int security_inode_copy_up_xattr(const char *name)
-+{
-+	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up_xattr);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- 	.inode_copy_up =
- 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
-+	.inode_copy_up_xattr =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch

@@ -1,53 +0,0 @@
-From 0b0daf47ee34e3c2bbb22a7620396461e20daca1 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 04/22] selinux: Implementation for inode_copy_up_xattr() hook
-
-When a file is copied up in overlay, we have already created file on upper/
-with right label and there is no need to copy up selinux label/xattr from
-lower file to upper file. In fact in case of context mount, we don't want
-to copy up label as newly created file got its label from context= option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 264ee90..d30d7b3 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
- 
-+static int selinux_inode_copy_up_xattr(const char *name)
-+{
-+	/* The copy_up hook above sets the initial context on an inode, but we
-+	 * don't then want to overwrite it by blindly copying all the lower
-+	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
-+	 */
-+	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
-+		return 1; /* Discard */
-+	/*
-+	 * Any other attribute apart from SELINUX is not claimed, supported
-+	 * by selinux.
-+	 */
-+	return -EOPNOTSUPP;
-+}
-+
- /* file security operations */
- 
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
- 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-+	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
- 
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch

@@ -1,73 +0,0 @@
-From 27a7af7125c4984bdb75c2a027d6046744df411c Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 05/22] selinux: Pass security pointer to
- determine_inode_label()
-
-Right now selinux_determine_inode_label() works on security pointer of
-current task. Soon I need this to work on a security pointer retrieved
-from a set of creds. So start passing in a pointer and caller can decide
-where to fetch security pointer from.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d30d7b3..2bf0d00 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1808,13 +1808,13 @@ out:
- /*
-  * Determine the label for an inode that might be unioned.
-  */
--static int selinux_determine_inode_label(struct inode *dir,
--					 const struct qstr *name,
--					 u16 tclass,
--					 u32 *_new_isid)
-+static int
-+selinux_determine_inode_label(const struct task_security_struct *tsec,
-+				 struct inode *dir,
-+				 const struct qstr *name, u16 tclass,
-+				 u32 *_new_isid)
- {
- 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
--	const struct task_security_struct *tsec = current_security();
- 
- 	if ((sbsec->flags & SE_SBINITIALIZED) &&
- 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
-@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
- 	if (rc)
- 		return rc;
- 
--	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
--					   &newsid);
-+	rc = selinux_determine_inode_label(current_security(), dir,
-+					   &dentry->d_name, tclass, &newsid);
- 	if (rc)
- 		return rc;
- 
-@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	u32 newsid;
- 	int rc;
- 
--	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
-+	rc = selinux_determine_inode_label(current_security(),
-+					   d_inode(dentry->d_parent), name,
- 					   inode_mode_to_security_class(mode),
- 					   &newsid);
- 	if (rc)
-@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 	sid = tsec->sid;
- 	newsid = tsec->create_sid;
- 
--	rc = selinux_determine_inode_label(
-+	rc = selinux_determine_inode_label(current_security(),
- 		dir, qstr,
- 		inode_mode_to_security_class(inode->i_mode),
- 		&newsid);
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch

@@ -1,159 +0,0 @@
-From 1271cf983fa9292fd7c6dd1b0d2eb1fedecd8cdb Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 06/22] security, overlayfs: Provide hook to correctly label
- newly created files
-
-During a new file creation we need to make sure new file is created with the
-right label. New file is created in upper/ so effectively file should get
-label as if task had created file in upper/.
-
-We switched to mounter's creds for actual file creation. Also if there is a
-whiteout present, then file will be created in work/ dir first and then
-renamed in upper. In none of the cases file will be labeled as we want it to
-be.
-
-This patch introduces a new hook dentry_create_files_as(), which determines
-the label/context dentry will get if it had been created by task in upper
-and modify passed set of creds appropriately. Caller makes use of these new
-creds for file creation.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- fs/overlayfs/dir.c        | 10 ++++++++++
- include/linux/lsm_hooks.h | 15 +++++++++++++++
- include/linux/security.h  | 12 ++++++++++++
- security/security.c       | 11 +++++++++++
- 4 files changed, 48 insertions(+)
-
-diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
-index 74e6964..adfaa21 100644
---- a/fs/overlayfs/dir.c
-+++ b/fs/overlayfs/dir.c
-@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 	if (override_cred) {
- 		override_cred->fsuid = inode->i_uid;
- 		override_cred->fsgid = inode->i_gid;
-+		if (!hardlink) {
-+			err = security_dentry_create_files_as(dentry,
-+					stat->mode, &dentry->d_name, old_cred,
-+					override_cred);
-+			if (err) {
-+				put_cred(override_cred);
-+				goto out_revert_creds;
-+			}
-+		}
- 		put_cred(override_creds(override_cred));
- 		put_cred(override_cred);
- 
-@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 			err = ovl_create_over_whiteout(dentry, inode, stat,
- 							link, hardlink);
- 	}
-+out_revert_creds:
- 	revert_creds(old_cred);
- 	if (!err) {
- 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 336b3fb..55891c0 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -151,6 +151,16 @@
-  *	@name name of the last path component used to create file
-  *	@ctx pointer to place the pointer to the resulting context in.
-  *	@ctxlen point to place the length of the resulting context.
-+ * @dentry_create_files_as:
-+ *	Compute a context for a dentry as the inode is not yet available
-+ *	and set that context in passed in creds so that new files are
-+ *	created using that context. Context is calculated using the
-+ *	passed in creds and not the creds of the caller.
-+ *	@dentry dentry to use in calculating the context.
-+ *	@mode mode used to determine resource type.
-+ *	@name name of the last path component used to create file
-+ * 	@old creds which should be used for context calculation
-+ * 	@new creds to modify
-  *
-  *
-  * Security hooks for inode operations.
-@@ -1375,6 +1385,10 @@ union security_list_options {
- 	int (*dentry_init_security)(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
- 
- 
- #ifdef CONFIG_SECURITY_PATH
-@@ -1675,6 +1689,7 @@ struct security_hook_heads {
- 	struct list_head sb_clone_mnt_opts;
- 	struct list_head sb_parse_opts_str;
- 	struct list_head dentry_init_security;
-+	struct list_head dentry_create_files_as;
- #ifdef CONFIG_SECURITY_PATH
- 	struct list_head path_unlink;
- 	struct list_head path_mkdir;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 536fafd..a6c6d5d 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
- int security_dentry_init_security(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
- 
- int security_inode_alloc(struct inode *inode);
- void security_inode_free(struct inode *inode);
-@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
- 	return -EOPNOTSUPP;
- }
- 
-+static inline int security_dentry_create_files_as(struct dentry *dentry,
-+						  int mode, struct qstr *name,
-+						  const struct cred *old,
-+						  struct cred *new)
-+{
-+	return 0;
-+}
-+
- 
- static inline int security_inode_init_security(struct inode *inode,
- 						struct inode *dir,
-diff --git a/security/security.c b/security/security.c
-index a9e2bb9..69614f1 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
- }
- EXPORT_SYMBOL(security_dentry_init_security);
- 
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old, struct cred *new)
-+{
-+	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-+				name, old, new);
-+}
-+EXPORT_SYMBOL(security_dentry_create_files_as);
-+
- int security_inode_init_security(struct inode *inode, struct inode *dir,
- 				 const struct qstr *qstr,
- 				 const initxattrs initxattrs, void *fs_data)
-@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- 	.dentry_init_security =
- 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
-+	.dentry_create_files_as =
-+		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
- #ifdef CONFIG_SECURITY_PATH
- 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
- 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch

@@ -1,60 +0,0 @@
-From 2c1808b93b771367bbb8f9617087ac550fee6b25 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 07/22] selinux: Implement dentry_create_files_as() hook
-
-Calculate what would be the label of newly created file and set that secid
-in the passed creds.
-
-Context of the task which is actually creating file is retrieved from
-set of creds passed in. (old->security).
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- security/selinux/hooks.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 2bf0d00..603b600 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
- }
- 
-+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
-+					  struct qstr *name,
-+					  const struct cred *old,
-+					  struct cred *new)
-+{
-+	u32 newsid;
-+	int rc;
-+	struct task_security_struct *tsec;
-+
-+	rc = selinux_determine_inode_label(old->security,
-+					   d_inode(dentry->d_parent), name,
-+					   inode_mode_to_security_class(mode),
-+					   &newsid);
-+	if (rc)
-+		return rc;
-+
-+	tsec = new->security;
-+	tsec->create_sid = newsid;
-+	return 0;
-+}
-+
- static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 				       const struct qstr *qstr,
- 				       const char **name,
-@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
- 
- 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-+	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
- 
- 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
- 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch

@@ -1,30 +0,0 @@
-From b764ba9deb30b2b3b1089e6bd019235d8eeec7f0 Mon Sep 17 00:00:00 2001
-From: David Michael <david.michael@coreos.com>
-Date: Tue, 29 Nov 2016 11:15:12 -0800
-Subject: [PATCH 22/22] crypto: rsa - Add Makefile dependencies to fix parallel
- builds
-
-Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
-should explicitly depend on them.
-
-Signed-off-by: David Michael <david.michael@coreos.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
----
- crypto/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/Makefile b/crypto/Makefile
-index 99cc64ac..bd6a029 100644
---- a/crypto/Makefile
-+++ b/crypto/Makefile
-@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
- 
- $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
- $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
-+$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
- clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
- clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
- 
--- 
-2.7.4
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From 11eef9a6bb39e76cf94903fd09035a016105ecd3 Mon Sep 17 00:00:00 2001
+From 4854c16b274a6bf1ce79f0479ce4d9514914caa4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 08/22] Add secure_modules() call
+Subject: [PATCH 01/14] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 529efae..0332fdd 100644
+index 0e54d5b..085b720 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
+@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
@@ -59,5 +59,5 @@ index 529efae..0332fdd 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From e2e5d6241f6deda933501efc2bf8561ac0ee823c Mon Sep 17 00:00:00 2001
+From 98083458fbf75ab8d78f62d0b5b6d83f49b1e09a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 09/22] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
@@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From dac8156e6c3b022f9aa7fe74f9633c4b516d836b Mon Sep 17 00:00:00 2001
+From aa4e5d19b6907f481858501b75b05a6d2898d270 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 10/22] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -46,7 +46,7 @@ index 589b319..ab83724 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index a33163d..48a2897 100644
+index 5bb1985..7f1a7ab 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -28,6 +28,7 @@
@@ -57,7 +57,7 @@ index a33163d..48a2897 100644
  
  #include <linux/uaccess.h>
  
-@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  	unsigned long i = *ppos;
  	const char __user *tmp = buf;
  
@@ -68,5 +68,5 @@ index a33163d..48a2897 100644
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From af958e17249f457db4d717e930d03949a0409ce2 Mon Sep 17 00:00:00 2001
+From fc270da17651b116b0d4ce1998f5cfad25d48eae Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 11/22] ACPI: Limit access to custom_method
+Subject: [PATCH 04/14] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@@ -27,5 +27,5 @@ index c68e724..4277938 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From 78eca915fa66229e2a849010183ca05c2f32dcb7 Mon Sep 17 00:00:00 2001
+From c4fe9ea847f1fbd9ecabc5ec8f87020bea65d741 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 12/22] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 7c093a0..21fd6b8 100644
+index ce6ca31..55d2399 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -50,5 +50,5 @@ index 7c093a0..21fd6b8 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From d012dc5ff32ac9a20c81c2666693d27795246803 Mon Sep 17 00:00:00 2001
+From 6be6524270a0f131a8293f5d4008a364d4a5462f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 13/22] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 48a2897..08a7bff 100644
+index 7f1a7ab..d6a6f05 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -27,9 +27,9 @@ index 48a2897..08a7bff 100644
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ 	if (!pfn_valid(PFN_DOWN(p)))
- 	int err = 0;
+ 		return -EIO;
  
 +	if (secure_modules())
 +		return -EPERM;
@@ -38,5 +38,5 @@ index 48a2897..08a7bff 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From c5afea751f473e5a4c3a3bc9ca6000210cc11d62 Mon Sep 17 00:00:00 2001
+From 1b626fb49ffd2fd4c8b962ce80b4f87164f8f5f6 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 14/22] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 4305ee9..fa1bcf0 100644
+index 416953a..4887e34 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 4305ee9..fa1bcf0 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 4305ee9..fa1bcf0 100644
  #endif
  
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,7 +1,7 @@
-From ef69c624f93bfe1f239a3c8fd7c18434315063a4 Mon Sep 17 00:00:00 2001
+From 2ccbff3b3a81d8e16771a065d594e3a7acc2ef23 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 15/22] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644
  
  	/*
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From 7328100467c24fb90c510aed529969e50a504fcf Mon Sep 17 00:00:00 2001
+From e6dca416cd3110c0029845d0fa20980f4e0c89a6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 16/22] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,
@@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644
  			err = -EFAULT;
  			break;
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From 30317cca0747b8e31f5e6f45804883bc2e0a8062 Mon Sep 17 00:00:00 2001
+From dd587db145416e321874fb8a222dbd6766321c0f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 17/22] Add option to automatically enforce module signatures
+Subject: [PATCH 10/14] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2a1f0ce..ba2c734 100644
+index bada636..882da2b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1774,6 +1774,16 @@ config EFI_MIXED
+@@ -1786,6 +1786,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index 2a1f0ce..ba2c734 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 94dd4a3..1959b82 100644
+index cc69e37..17b3765 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index 94dd4a3..1959b82 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -571,6 +572,36 @@ free_handle:
+@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params)
  	efi_call_early(free_pool, pci_handle);
  }
  
@@ -103,7 +103,7 @@ index 94dd4a3..1959b82 100644
  static efi_status_t
  setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
  {
-@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d5219b1..d635886 100644
+index 9c337b0..f7f369b 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
@@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 0332fdd..3f1ea6b 100644
+index 085b720..e0c6216 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod,
+@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -181,5 +181,5 @@ index 0332fdd..3f1ea6b 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From fe523b61b4171c61dd3d8502f82ceca832e07455 Mon Sep 17 00:00:00 2001
+From 0f2a255cf654f8190b7afe64c691d33a01bb8d42 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 18/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 11/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index ba2c734..a5d6b58 100644
+index 882da2b..d666ef8b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1775,7 +1775,8 @@ config EFI_MIXED
+@@ -1787,7 +1787,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -26,5 +26,5 @@ index ba2c734..a5d6b58 100644
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From e75618eb44390ca1a3c89116218bf95869534d54 Mon Sep 17 00:00:00 2001
+From 4de054ccaffe8b6d6fe584ce3410185f7b96f214 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 19/22] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 12/14] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d635886..5824ae5 100644
+index f7f369b..60dccc2 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
@@ -27,10 +27,10 @@ index d635886..5824ae5 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 0148a30..4b62b48 100644
+index 2d08948..6902c59 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1043,6 +1043,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index 0148a30..4b62b48 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From e2c1136cd8b9ca7b1bab22d248275f48d1a304ab Mon Sep 17 00:00:00 2001
+From 41b5e0b849955e5eecb90e4f791d725008c97931 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 20/22] hibernate: Disable in a signed modules environment
+Subject: [PATCH 13/14] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 33c79b6..d1420be 100644
+index b26dbc4..ab187ad 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -35,5 +35,5 @@ index 33c79b6..d1420be 100644
  
  /**
 -- 
-2.7.4
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 7856850e71d8f561d4fdade202e9ce2992fb78bf Mon Sep 17 00:00:00 2001
+From c40c198ae4798b15647dc55ce71ba28e7eba108a Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 21/22] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 14/14] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 2b1bcba..999c366 100644
+index b103777..7824269 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 2b1bcba..999c366 100644
  
  # Leave processing to above invocation of make
 -- 
-2.7.4
+2.7.3