diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index b776844bbb..9024a97060 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1 +1,2 @@ -DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a +DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5 +DIST patch-4.8.15.xz 268816 SHA256 cdeff3a6e0dc3d6189d1b1d4d6318f0942b9a28409491cf65592879e4c42b1f7 SHA512 d819c86f3fe93ee1d083fdce954ae06a683a22e8b0864da170714c5230c4c2fdecc29270194b1ad8a715b836b493141c8ff2c09e76a84426b7a89ebc31fb9e01 WHIRLPOOL 36ce7b4f47cb0f86991794f9e8df0160c8f38b1153d413082636f31edba2bcbbff2c5584062800b48c9471dbcb77f825f58d509f4641a9e48a1d396216860155 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.15.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.15.ebuild new file mode 100644 index 0000000000..1875665f3f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.15.ebuild @@ -0,0 +1,46 @@ +# Copyright 2014 CoreOS, Inc. +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" +ETYPE="sources" +inherit kernel-2 +detect_version + +DESCRIPTION="Full sources for the CoreOS Linux kernel" +HOMEPAGE="http://www.kernel.org" +SRC_URI="${KERNEL_URI}" + +KEYWORDS="amd64 arm64" +IUSE="" + +PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" + +# XXX: Note we must prefix the patch filenames with "z" to ensure they are +# applied _after_ a potential patch-${KV}.patch file, present when building a +# patchlevel revision. We mustn't apply our patches first, it fails when the +# local patches overlap with the upstream patch. + +# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' +UNIPATCH_LIST=" + ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \ + ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \ + ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \ + ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \ + ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \ + ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \ + ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \ + ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \ + ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ + ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \ + ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \ + ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ + ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ + ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ + ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ + ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ + ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \ + ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ + ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ + ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ + ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ +" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild deleted file mode 100644 index e2abdc34b2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild +++ /dev/null @@ -1,39 +0,0 @@ -# Copyright 2014 CoreOS, Inc. -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" -ETYPE="sources" -inherit kernel-2 -detect_version - -DESCRIPTION="Full sources for the CoreOS Linux kernel" -HOMEPAGE="http://www.kernel.org" -SRC_URI="${KERNEL_URI}" - -KEYWORDS="amd64 arm64" -IUSE="" - -PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" - -# XXX: Note we must prefix the patch filenames with "z" to ensure they are -# applied _after_ a potential patch-${KV}.patch file, present when building a -# patchlevel revision. We mustn't apply our patches first, it fails when the -# local patches overlap with the upstream patch. - -# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' -UNIPATCH_LIST=" - ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \ - ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ - ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \ - ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \ - ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ - ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ - ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ - ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ - ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ - ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \ - ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ - ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \ - ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \ - ${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ -" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch new file mode 100644 index 0000000000..adea0cfaaf --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch @@ -0,0 +1,148 @@ +From d11e6b12ab72ee6e20a68c57fc9bc15e43488157 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:57 -0400 +Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for + unioned files + +Provide a security hook to label new file correctly when a file is copied +up from lower layer to upper layer of a overlay/union mount. + +This hook can prepare a new set of creds which are suitable for new file +creation during copy up. Caller will use new creds to create file and then +revert back to old creds and release new creds. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/copy_up.c | 15 +++++++++++++++ + include/linux/lsm_hooks.h | 11 +++++++++++ + include/linux/security.h | 6 ++++++ + security/security.c | 8 ++++++++ + 4 files changed, 40 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 767377e..14a892b 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, + struct dentry *upper = NULL; + umode_t mode = stat->mode; + int err; ++ const struct cred *old_creds = NULL; ++ struct cred *new_creds = NULL; + + newdentry = ovl_lookup_temp(workdir, dentry); + err = PTR_ERR(newdentry); +@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, + if (IS_ERR(upper)) + goto out1; + ++ err = security_inode_copy_up(dentry, &new_creds); ++ if (err < 0) ++ goto out2; ++ ++ if (new_creds) ++ old_creds = override_creds(new_creds); ++ + /* Can't properly set mode on creation because of the umask */ + stat->mode &= S_IFMT; + err = ovl_create_real(wdir, newdentry, stat, link, NULL, true); + stat->mode = mode; ++ ++ if (new_creds) { ++ revert_creds(old_creds); ++ put_cred(new_creds); ++ } ++ + if (err) + goto out2; + +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index 101bf19..ba3c842 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -401,6 +401,15 @@ + * @inode contains a pointer to the inode. + * @secid contains a pointer to the location where result will be saved. + * In case of failure, @secid will be set to zero. ++ * @inode_copy_up: ++ * A file is about to be copied up from lower layer to upper layer of ++ * overlay filesystem. Security module can prepare a set of new creds ++ * and modify as need be and return new creds. Caller will switch to ++ * new creds temporarily to create new file and release newly allocated ++ * creds. ++ * @src indicates the union dentry of file that is being copied up. ++ * @new pointer to pointer to return newly allocated creds. ++ * Returns 0 on success or a negative error code on error. + * + * Security hooks for file operations + * +@@ -1425,6 +1434,7 @@ union security_list_options { + int (*inode_listsecurity)(struct inode *inode, char *buffer, + size_t buffer_size); + void (*inode_getsecid)(struct inode *inode, u32 *secid); ++ int (*inode_copy_up) (struct dentry *src, struct cred **new); + + int (*file_permission)(struct file *file, int mask); + int (*file_alloc_security)(struct file *file); +@@ -1696,6 +1706,7 @@ struct security_hook_heads { + struct list_head inode_setsecurity; + struct list_head inode_listsecurity; + struct list_head inode_getsecid; ++ struct list_head inode_copy_up; + struct list_head file_permission; + struct list_head file_alloc_security; + struct list_head file_free_security; +diff --git a/include/linux/security.h b/include/linux/security.h +index 7831cd5..c5b0ccd 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf + int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); + int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); + void security_inode_getsecid(struct inode *inode, u32 *secid); ++int security_inode_copy_up(struct dentry *src, struct cred **new); + int security_file_permission(struct file *file, int mask); + int security_file_alloc(struct file *file); + void security_file_free(struct file *file); +@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) + *secid = 0; + } + ++static inline int security_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ return 0; ++} ++ + static inline int security_file_permission(struct file *file, int mask) + { + return 0; +diff --git a/security/security.c b/security/security.c +index 4838e7f..f2a7f27 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) + call_void_hook(inode_getsecid, inode, secid); + } + ++int security_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ return call_int_hook(inode_copy_up, 0, src, new); ++} ++EXPORT_SYMBOL(security_inode_copy_up); ++ + int security_file_permission(struct file *file, int mask) + { + int ret; +@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), + .inode_getsecid = + LIST_HEAD_INIT(security_hook_heads.inode_getsecid), ++ .inode_copy_up = ++ LIST_HEAD_INIT(security_hook_heads.inode_copy_up), + .file_permission = + LIST_HEAD_INIT(security_hook_heads.file_permission), + .file_alloc_security = +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch new file mode 100644 index 0000000000..351970e933 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch @@ -0,0 +1,62 @@ +From 1636c354fe9edec890d5f7abbb0b4c2de7a36b06 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook + +A file is being copied up for overlay file system. Prepare a new set of +creds and set create_sid appropriately so that new file is created with +appropriate label. + +Overlay inode has right label for both context and non-context mount +cases. In case of non-context mount, overlay inode will have the label +of lower file and in case of context mount, overlay inode will have +the label from context= mount option. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 13185a6..264ee90 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) + *secid = isec->sid; + } + ++static int selinux_inode_copy_up(struct dentry *src, struct cred **new) ++{ ++ u32 sid; ++ struct task_security_struct *tsec; ++ struct cred *new_creds = *new; ++ ++ if (new_creds == NULL) { ++ new_creds = prepare_creds(); ++ if (!new_creds) ++ return -ENOMEM; ++ } ++ ++ tsec = new_creds->security; ++ /* Get label from overlay inode and set it in create_sid */ ++ selinux_inode_getsecid(d_inode(src), &sid); ++ tsec->create_sid = sid; ++ *new = new_creds; ++ return 0; ++} ++ + /* file security operations */ + + static int selinux_revalidate_file_permission(struct file *file, int mask) +@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), + LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), + LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), ++ LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), + + LSM_HOOK_INIT(file_permission, selinux_file_permission), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch new file mode 100644 index 0000000000..4403208154 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch @@ -0,0 +1,129 @@ +From 5997ba3c8d8b5b09c78b61e6eb1df387861761bc Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up + of xattrs for overlay file + +Provide a security hook which is called when xattrs of a file are being +copied up. This hook is called once for each xattr and LSM can return +0 if the security module wants the xattr to be copied up, 1 if the +security module wants the xattr to be discarded on the copy, -EOPNOTSUPP +if the security module does not handle/manage the xattr, or a -errno +upon an error. + +Signed-off-by: David Howells +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/copy_up.c | 7 +++++++ + include/linux/lsm_hooks.h | 10 ++++++++++ + include/linux/security.h | 6 ++++++ + security/security.c | 8 ++++++++ + 4 files changed, 31 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 14a892b..8797c72 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -115,6 +115,13 @@ retry: + goto retry; + } + ++ error = security_inode_copy_up_xattr(name); ++ if (error < 0 && error != -EOPNOTSUPP) ++ break; ++ if (error == 1) { ++ error = 0; ++ continue; /* Discard */ ++ } + error = vfs_setxattr(new, name, value, size, 0); + if (error) + break; +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index ba3c842..336b3fb 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -410,6 +410,14 @@ + * @src indicates the union dentry of file that is being copied up. + * @new pointer to pointer to return newly allocated creds. + * Returns 0 on success or a negative error code on error. ++ * @inode_copy_up_xattr: ++ * Filter the xattrs being copied up when a unioned file is copied ++ * up from a lower layer to the union/overlay layer. ++ * @name indicates the name of the xattr. ++ * Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if ++ * security module does not know about attribute or a negative error code ++ * to abort the copy up. Note that the caller is responsible for reading ++ * and writing the xattrs as this hook is merely a filter. + * + * Security hooks for file operations + * +@@ -1435,6 +1443,7 @@ union security_list_options { + size_t buffer_size); + void (*inode_getsecid)(struct inode *inode, u32 *secid); + int (*inode_copy_up) (struct dentry *src, struct cred **new); ++ int (*inode_copy_up_xattr) (const char *name); + + int (*file_permission)(struct file *file, int mask); + int (*file_alloc_security)(struct file *file); +@@ -1707,6 +1716,7 @@ struct security_hook_heads { + struct list_head inode_listsecurity; + struct list_head inode_getsecid; + struct list_head inode_copy_up; ++ struct list_head inode_copy_up_xattr; + struct list_head file_permission; + struct list_head file_alloc_security; + struct list_head file_free_security; +diff --git a/include/linux/security.h b/include/linux/security.h +index c5b0ccd..536fafd 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void + int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); + void security_inode_getsecid(struct inode *inode, u32 *secid); + int security_inode_copy_up(struct dentry *src, struct cred **new); ++int security_inode_copy_up_xattr(const char *name); + int security_file_permission(struct file *file, int mask); + int security_file_alloc(struct file *file); + void security_file_free(struct file *file); +@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new) + return 0; + } + ++static inline int security_inode_copy_up_xattr(const char *name) ++{ ++ return -EOPNOTSUPP; ++} ++ + static inline int security_file_permission(struct file *file, int mask) + { + return 0; +diff --git a/security/security.c b/security/security.c +index f2a7f27..a9e2bb9 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new) + } + EXPORT_SYMBOL(security_inode_copy_up); + ++int security_inode_copy_up_xattr(const char *name) ++{ ++ return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name); ++} ++EXPORT_SYMBOL(security_inode_copy_up_xattr); ++ + int security_file_permission(struct file *file, int mask) + { + int ret; +@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.inode_getsecid), + .inode_copy_up = + LIST_HEAD_INIT(security_hook_heads.inode_copy_up), ++ .inode_copy_up_xattr = ++ LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), + .file_permission = + LIST_HEAD_INIT(security_hook_heads.file_permission), + .file_alloc_security = +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch new file mode 100644 index 0000000000..157329a33b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch @@ -0,0 +1,53 @@ +From b56d9cfb9770c0e2e049061e3c979ea5983c8667 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:58 -0400 +Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook + +When a file is copied up in overlay, we have already created file on upper/ +with right label and there is no need to copy up selinux label/xattr from +lower file to upper file. In fact in case of context mount, we don't want +to copy up label as newly created file got its label from context= option. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 264ee90..d30d7b3 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) + return 0; + } + ++static int selinux_inode_copy_up_xattr(const char *name) ++{ ++ /* The copy_up hook above sets the initial context on an inode, but we ++ * don't then want to overwrite it by blindly copying all the lower ++ * xattrs up. Instead, we have to filter out SELinux-related xattrs. ++ */ ++ if (strcmp(name, XATTR_NAME_SELINUX) == 0) ++ return 1; /* Discard */ ++ /* ++ * Any other attribute apart from SELINUX is not claimed, supported ++ * by selinux. ++ */ ++ return -EOPNOTSUPP; ++} ++ + /* file security operations */ + + static int selinux_revalidate_file_permission(struct file *file, int mask) +@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), + LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), ++ LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), + + LSM_HOOK_INIT(file_permission, selinux_file_permission), + LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch new file mode 100644 index 0000000000..a49bb687ca --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch @@ -0,0 +1,73 @@ +From ac403de65c7441aa3dfa73c733f9d21fe1bb6b5c Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 05/21] selinux: Pass security pointer to + determine_inode_label() + +Right now selinux_determine_inode_label() works on security pointer of +current task. Soon I need this to work on a security pointer retrieved +from a set of creds. So start passing in a pointer and caller can decide +where to fetch security pointer from. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index d30d7b3..2bf0d00 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -1808,13 +1808,13 @@ out: + /* + * Determine the label for an inode that might be unioned. + */ +-static int selinux_determine_inode_label(struct inode *dir, +- const struct qstr *name, +- u16 tclass, +- u32 *_new_isid) ++static int ++selinux_determine_inode_label(const struct task_security_struct *tsec, ++ struct inode *dir, ++ const struct qstr *name, u16 tclass, ++ u32 *_new_isid) + { + const struct superblock_security_struct *sbsec = dir->i_sb->s_security; +- const struct task_security_struct *tsec = current_security(); + + if ((sbsec->flags & SE_SBINITIALIZED) && + (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { +@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir, + if (rc) + return rc; + +- rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass, +- &newsid); ++ rc = selinux_determine_inode_label(current_security(), dir, ++ &dentry->d_name, tclass, &newsid); + if (rc) + return rc; + +@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, + u32 newsid; + int rc; + +- rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name, ++ rc = selinux_determine_inode_label(current_security(), ++ d_inode(dentry->d_parent), name, + inode_mode_to_security_class(mode), + &newsid); + if (rc) +@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, + sid = tsec->sid; + newsid = tsec->create_sid; + +- rc = selinux_determine_inode_label( ++ rc = selinux_determine_inode_label(current_security(), + dir, qstr, + inode_mode_to_security_class(inode->i_mode), + &newsid); +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch new file mode 100644 index 0000000000..a585a1dacb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch @@ -0,0 +1,159 @@ +From 1c6d33c0e52ee6ef3ed4ae8a453e39aa71d18583 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label + newly created files + +During a new file creation we need to make sure new file is created with the +right label. New file is created in upper/ so effectively file should get +label as if task had created file in upper/. + +We switched to mounter's creds for actual file creation. Also if there is a +whiteout present, then file will be created in work/ dir first and then +renamed in upper. In none of the cases file will be labeled as we want it to +be. + +This patch introduces a new hook dentry_create_files_as(), which determines +the label/context dentry will get if it had been created by task in upper +and modify passed set of creds appropriately. Caller makes use of these new +creds for file creation. + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + fs/overlayfs/dir.c | 10 ++++++++++ + include/linux/lsm_hooks.h | 15 +++++++++++++++ + include/linux/security.h | 12 ++++++++++++ + security/security.c | 11 +++++++++++ + 4 files changed, 48 insertions(+) + +diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c +index 74e6964..adfaa21 100644 +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, + if (override_cred) { + override_cred->fsuid = inode->i_uid; + override_cred->fsgid = inode->i_gid; ++ if (!hardlink) { ++ err = security_dentry_create_files_as(dentry, ++ stat->mode, &dentry->d_name, old_cred, ++ override_cred); ++ if (err) { ++ put_cred(override_cred); ++ goto out_revert_creds; ++ } ++ } + put_cred(override_creds(override_cred)); + put_cred(override_cred); + +@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, + err = ovl_create_over_whiteout(dentry, inode, stat, + link, hardlink); + } ++out_revert_creds: + revert_creds(old_cred); + if (!err) { + struct inode *realinode = d_inode(ovl_dentry_upper(dentry)); +diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h +index 336b3fb..55891c0 100644 +--- a/include/linux/lsm_hooks.h ++++ b/include/linux/lsm_hooks.h +@@ -151,6 +151,16 @@ + * @name name of the last path component used to create file + * @ctx pointer to place the pointer to the resulting context in. + * @ctxlen point to place the length of the resulting context. ++ * @dentry_create_files_as: ++ * Compute a context for a dentry as the inode is not yet available ++ * and set that context in passed in creds so that new files are ++ * created using that context. Context is calculated using the ++ * passed in creds and not the creds of the caller. ++ * @dentry dentry to use in calculating the context. ++ * @mode mode used to determine resource type. ++ * @name name of the last path component used to create file ++ * @old creds which should be used for context calculation ++ * @new creds to modify + * + * + * Security hooks for inode operations. +@@ -1375,6 +1385,10 @@ union security_list_options { + int (*dentry_init_security)(struct dentry *dentry, int mode, + const struct qstr *name, void **ctx, + u32 *ctxlen); ++ int (*dentry_create_files_as)(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new); + + + #ifdef CONFIG_SECURITY_PATH +@@ -1675,6 +1689,7 @@ struct security_hook_heads { + struct list_head sb_clone_mnt_opts; + struct list_head sb_parse_opts_str; + struct list_head dentry_init_security; ++ struct list_head dentry_create_files_as; + #ifdef CONFIG_SECURITY_PATH + struct list_head path_unlink; + struct list_head path_mkdir; +diff --git a/include/linux/security.h b/include/linux/security.h +index 536fafd..a6c6d5d 100644 +--- a/include/linux/security.h ++++ b/include/linux/security.h +@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); + int security_dentry_init_security(struct dentry *dentry, int mode, + const struct qstr *name, void **ctx, + u32 *ctxlen); ++int security_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new); + + int security_inode_alloc(struct inode *inode); + void security_inode_free(struct inode *inode); +@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry, + return -EOPNOTSUPP; + } + ++static inline int security_dentry_create_files_as(struct dentry *dentry, ++ int mode, struct qstr *name, ++ const struct cred *old, ++ struct cred *new) ++{ ++ return 0; ++} ++ + + static inline int security_inode_init_security(struct inode *inode, + struct inode *dir, +diff --git a/security/security.c b/security/security.c +index a9e2bb9..69614f1 100644 +--- a/security/security.c ++++ b/security/security.c +@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode, + } + EXPORT_SYMBOL(security_dentry_init_security); + ++int security_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, struct cred *new) ++{ ++ return call_int_hook(dentry_create_files_as, 0, dentry, mode, ++ name, old, new); ++} ++EXPORT_SYMBOL(security_dentry_create_files_as); ++ + int security_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + const initxattrs initxattrs, void *fs_data) +@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = { + LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str), + .dentry_init_security = + LIST_HEAD_INIT(security_hook_heads.dentry_init_security), ++ .dentry_create_files_as = ++ LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as), + #ifdef CONFIG_SECURITY_PATH + .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink), + .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir), +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch new file mode 100644 index 0000000000..a43eff0110 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch @@ -0,0 +1,60 @@ +From 0dc3b4757e8d178699bdced13db4344f25d6ae91 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 19 Jul 2016 14:34:59 -0400 +Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook + +Calculate what would be the label of newly created file and set that secid +in the passed creds. + +Context of the task which is actually creating file is retrieved from +set of creds passed in. (old->security). + +Signed-off-by: Vivek Goyal +Acked-by: Stephen Smalley +--- + security/selinux/hooks.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 2bf0d00..603b600 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, + return security_sid_to_context(newsid, (char **)ctx, ctxlen); + } + ++static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, ++ struct qstr *name, ++ const struct cred *old, ++ struct cred *new) ++{ ++ u32 newsid; ++ int rc; ++ struct task_security_struct *tsec; ++ ++ rc = selinux_determine_inode_label(old->security, ++ d_inode(dentry->d_parent), name, ++ inode_mode_to_security_class(mode), ++ &newsid); ++ if (rc) ++ return rc; ++ ++ tsec = new->security; ++ tsec->create_sid = newsid; ++ return 0; ++} ++ + static int selinux_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, + const char **name, +@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = { + LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str), + + LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security), ++ LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as), + + LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), + LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch index d029bb88af..4640e824d8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ -From 4854c16b274a6bf1ce79f0479ce4d9514914caa4 Mon Sep 17 00:00:00 2001 +From 4d5d28f5cf718a264334717d2078057a81e20d31 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/14] Add secure_modules() call +Subject: [PATCH 08/21] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 0e54d5b..085b720 100644 +index 529efae..0332fdd 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod, +@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 0e54d5b..085b720 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 65bc96d24c..45ecbb864a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ -From 98083458fbf75ab8d78f62d0b5b6d83f49b1e09a Mon Sep 17 00:00:00 2001 +From 386785a5e9165fda60acc91e2a1b5ebe3f36aaa5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is +Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch index e88ba27006..c5f5548ee0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ -From aa4e5d19b6907f481858501b75b05a6d2898d270 Mon Sep 17 00:00:00 2001 +From fcf2ade3fef45be5eabaeaf76a7eccd42be9410f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/14] x86: Lock down IO port access when module security is +Subject: [PATCH 10/21] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -46,7 +46,7 @@ index 589b319..ab83724 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 5bb1985..7f1a7ab 100644 +index a33163d..48a2897 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -28,6 +28,7 @@ @@ -57,7 +57,7 @@ index 5bb1985..7f1a7ab 100644 #include -@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, +@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, unsigned long i = *ppos; const char __user *tmp = buf; @@ -68,5 +68,5 @@ index 5bb1985..7f1a7ab 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch index 62d80f3666..409923d6c7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From fc270da17651b116b0d4ce1998f5cfad25d48eae Mon Sep 17 00:00:00 2001 +From 8ea1fcb7288fd735600383d1548b3bad48fd57e4 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/14] ACPI: Limit access to custom_method +Subject: [PATCH 11/21] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 4f58ec79ed..10a9e38634 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ -From c4fe9ea847f1fbd9ecabc5ec8f87020bea65d741 Mon Sep 17 00:00:00 2001 +From 30a3b4dd7d179236e982c1dd9efab6fe321f65b7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index ce6ca31..55d2399 100644 +index 7c093a0..21fd6b8 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data) @@ -50,5 +50,5 @@ index ce6ca31..55d2399 100644 1, asus->debug.method_id, &input, &output); -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 560cb109b5..ee93c69526 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From 6be6524270a0f131a8293f5d4008a364d4a5462f Mon Sep 17 00:00:00 2001 +From efef5e7bcb83c4103155ab6bfd0c75afb9c87cbc Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 7f1a7ab..d6a6f05 100644 +index 48a2897..08a7bff 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -27,9 +27,9 @@ index 7f1a7ab..d6a6f05 100644 if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, - if (!pfn_valid(PFN_DOWN(p))) - return -EIO; +@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, + char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ + int err = 0; + if (secure_modules()) + return -EPERM; @@ -38,5 +38,5 @@ index 7f1a7ab..d6a6f05 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 98d091104a..047eaf3277 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From 1b626fb49ffd2fd4c8b962ce80b4f87164f8f5f6 Mon Sep 17 00:00:00 2001 +From 177ac262dbddf8af35b815a36e466fabae8e282b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 416953a..4887e34 100644 +index 4305ee9..fa1bcf0 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 416953a..4887e34 100644 #include #include -@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -35,5 +35,5 @@ index 416953a..4887e34 100644 #endif -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index c36a95ac04..c65564552f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ -From 2ccbff3b3a81d8e16771a065d594e3a7acc2ef23 Mon Sep 17 00:00:00 2001 +From 48b5a959e24ff9355c1eff83500e8da6b90fe209 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644 /* -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 5d4e9997bc..f78ec7537d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ -From e6dca416cd3110c0029845d0fa20980f4e0c89a6 Mon Sep 17 00:00:00 2001 +From a301f23e8243dca15d24c868c95249390cb8f584 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is +Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, @@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644 err = -EFAULT; break; -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch index 07035854fc..395a610813 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ -From dd587db145416e321874fb8a222dbd6766321c0f Mon Sep 17 00:00:00 2001 +From 03115eb920c605c2307884dfbda90755ddddc435 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/14] Add option to automatically enforce module signatures +Subject: [PATCH 17/21] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index bada636..882da2b 100644 +index 2a1f0ce..ba2c734 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1786,6 +1786,16 @@ config EFI_MIXED +@@ -1774,6 +1774,16 @@ config EFI_MIXED If unsure, say N. @@ -55,7 +55,7 @@ index bada636..882da2b 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index cc69e37..17b3765 100644 +index 94dd4a3..1959b82 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -66,7 +66,7 @@ index cc69e37..17b3765 100644 #include "../string.h" #include "eboot.h" -@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params) +@@ -571,6 +572,36 @@ free_handle: efi_call_early(free_pool, pci_handle); } @@ -103,7 +103,7 @@ index cc69e37..17b3765 100644 static efi_status_t setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) { -@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 9c337b0..f7f369b 100644 +index d5219b1..d635886 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) @@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 085b720..e0c6216 100644 +index 0332fdd..3f1ea6b 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod, +@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -181,5 +181,5 @@ index 085b720..e0c6216 100644 { #ifdef CONFIG_MODULE_SIG -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 433664e08a..b57153925b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From 0f2a255cf654f8190b7afe64c691d33a01bb8d42 Mon Sep 17 00:00:00 2001 +From 3e2d384de2f01d665130e782d3aad795da426ea6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 11/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 882da2b..d666ef8b 100644 +index ba2c734..a5d6b58 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1787,7 +1787,8 @@ config EFI_MIXED +@@ -1775,7 +1775,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index 882da2b..d666ef8b 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch index a72e3ebeb0..ee92995e61 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From 4de054ccaffe8b6d6fe584ce3410185f7b96f214 Mon Sep 17 00:00:00 2001 +From 1c1054b69bddc281c51c1095482998ad88e32728 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 12/14] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index f7f369b..60dccc2 100644 +index d635886..5824ae5 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) @@ -27,10 +27,10 @@ index f7f369b..60dccc2 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 2d08948..6902c59 100644 +index 0148a30..4b62b48 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -1043,6 +1043,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ @@ -39,5 +39,5 @@ index 2d08948..6902c59 100644 #ifdef CONFIG_EFI /* -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch index f6256f5bb9..1af536845c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From 41b5e0b849955e5eecb90e4f791d725008c97931 Mon Sep 17 00:00:00 2001 +From 5b4d1673d29bb51a85244d02c0310ac0b3670ad6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 13/14] hibernate: Disable in a signed modules environment +Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index b26dbc4..ab187ad 100644 +index 33c79b6..d1420be 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ @@ -35,5 +35,5 @@ index b26dbc4..ab187ad 100644 /** -- -2.7.3 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 5a309075b2..b3feb49994 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From c40c198ae4798b15647dc55ce71ba28e7eba108a Mon Sep 17 00:00:00 2001 +From 624e36cc7632f8faca23e186c80a8e174706c3f5 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 14/14] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index b103777..7824269 100644 +index c7f0e79..9635349 100644 --- a/Makefile +++ b/Makefile @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index b103777..7824269 100644 # Leave processing to above invocation of make -- -2.7.3 +2.10.2