diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.6.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.6.ebuild index 9a05b45bc9..090cb5ec8a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.12.6.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.6.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.6.ebuild index 5f7ad1c646..763d6d9dfe 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.12.6.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 2bfa7a3539..bbaa7b09d0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest @@ -1,2 +1,2 @@ DIST linux-4.12.tar.xz 99186576 SHA256 a45c3becd4d08ce411c14628a949d08e2433d8cdeca92036c7013980e93858ab SHA512 8e81b41b253e63233e92948941f44c6482acb52aa3a3fd172f03a38a86f2c35b2ad4fd407acd1bc3964673eba344fe104d3a03e3ff4bf9cd1f22bd44263bd728 WHIRLPOOL 3b97da251c2ba4ace4a27b708f2b1dcf94cb1b59aaeded6acb74bd98f0d3e33f1df83670665e4186d99a55daa84c88d539d93e20f0ff18a6d46ef326c48dd375 -DIST patch-4.12.5.xz 106572 SHA256 8eb42889cd1f41a4350a0227e0dae544acdfa0ddf5a5ec671dd9c64ca917c132 SHA512 b9e74f148a0bd76df8c52e6384933b9eddd8477c713b14389a34655538abab70ffa70e99b504a60d0adf1937c771d9bb3879511e6c3666c345d490848eb4f113 WHIRLPOOL bb7737918932ff23d6c1cd98a2c9c5952b57e72870de2df1e89bab16aed25c17f9fd36ed2194b1fb3f1d7593e86dd624ed723f076b244a5aa2192387039e8003 +DIST patch-4.12.6.xz 139284 SHA256 60938af0f95ae794f879294f2393c48077c01bdba851e80b085fdc0418eeca44 SHA512 78d480b3ad51028c129b1e3d63e3179f754bc8ab9987aa8e5815b105c8cb270c88673babee4124431861f769bc6f42c848391b065f7a3e02bec9b6a5290e2836 WHIRLPOOL 7fc728e35dbb5f64fa4328abb99d55e3c449e3e09ba9963475595914f2f575e153e29451364935569bf7a2109b66da0f54976b0853c828941dbd293fa392299e diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.6.ebuild similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.6.ebuild index 97fa614901..0bfd8b5b1d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.5-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.12.6.ebuild @@ -44,8 +44,6 @@ UNIPATCH_LIST=" ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \ ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \ - ${PATCH_DIR}/z0025-bonding-commit-link-status-change-after-propose.patch \ - ${PATCH_DIR}/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch \ - ${PATCH_DIR}/z0027-udp-consistently-apply-ufo-or-fragmentation.patch \ - ${PATCH_DIR}/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch \ + ${PATCH_DIR}/z0025-udp-consistently-apply-ufo-or-fragmentation.patch \ + ${PATCH_DIR}/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch \ " diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch index e97c3bb662..f20dc5a934 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From ce3175a0cc48f722fa2cd41722e29059b71bb9a9 Mon Sep 17 00:00:00 2001 +From c151f946444d3dcfb7f8cfdc4870df3a15f42df5 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 01/28] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 01/26] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is @@ -18,7 +18,7 @@ Signed-off-by: David Howells 2 files changed, 2 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 36646f19d40b..87ef54e64842 100644 +index 36646f1..87ef54e 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1190,6 +1190,7 @@ void __init setup_arch(char **cmdline_p) @@ -30,7 +30,7 @@ index 36646f19d40b..87ef54e64842 100644 break; default: diff --git a/include/linux/efi.h b/include/linux/efi.h -index ec36f42a2add..381b3f6670d3 100644 +index ec36f42..381b3f6 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -1069,6 +1069,7 @@ extern int __init efi_setup_pcdp_console(char *); @@ -42,5 +42,5 @@ index ec36f42a2add..381b3f6670d3 100644 #ifdef CONFIG_EFI /* -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch index 0ac7e1e9d1..2d4076798d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch @@ -1,7 +1,7 @@ -From 9f4e6a47c74ed8a659e0f7498d0c10482c2cfbaf Mon Sep 17 00:00:00 2001 +From ea6016c096ff9456eb6091fc576ec9e9231f4178 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:36:17 +0000 -Subject: [PATCH 02/28] Add the ability to lock down access to the running +Subject: [PATCH 02/26] Add the ability to lock down access to the running kernel image Provide a single call to allow kernel code to determine whether the system @@ -21,7 +21,7 @@ Signed-off-by: David Howells create mode 100644 security/lock_down.c diff --git a/include/linux/kernel.h b/include/linux/kernel.h -index 13bc08aba704..282a1684d6e8 100644 +index 13bc08a..282a168 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -276,6 +276,15 @@ extern int oops_may_print(void); @@ -41,7 +41,7 @@ index 13bc08aba704..282a1684d6e8 100644 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res); int __must_check _kstrtol(const char *s, unsigned int base, long *res); diff --git a/include/linux/security.h b/include/linux/security.h -index af675b576645..68bab18ddd57 100644 +index af675b5..68bab18 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1698,5 +1698,16 @@ static inline void free_secdata(void *secdata) @@ -62,7 +62,7 @@ index af675b576645..68bab18ddd57 100644 #endif /* ! __LINUX_SECURITY_H */ diff --git a/security/Kconfig b/security/Kconfig -index 93027fdf47d1..4baac4aab277 100644 +index 93027fd..4baac4a 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -189,6 +189,21 @@ config STATIC_USERMODEHELPER_PATH @@ -88,7 +88,7 @@ index 93027fdf47d1..4baac4aab277 100644 source security/smack/Kconfig source security/tomoyo/Kconfig diff --git a/security/Makefile b/security/Makefile -index f2d71cdb8e19..8c4a43e3d4e0 100644 +index f2d71cd..8c4a43e 100644 --- a/security/Makefile +++ b/security/Makefile @@ -29,3 +29,6 @@ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o @@ -100,7 +100,7 @@ index f2d71cdb8e19..8c4a43e3d4e0 100644 +obj-$(CONFIG_LOCK_DOWN_KERNEL) += lock_down.o diff --git a/security/lock_down.c b/security/lock_down.c new file mode 100644 -index 000000000000..5788c60ff4e1 +index 0000000..5788c60 --- /dev/null +++ b/security/lock_down.c @@ -0,0 +1,40 @@ @@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1 +} +EXPORT_SYMBOL(kernel_is_locked_down); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch index fa09d509aa..25f3055cc4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch @@ -1,7 +1,7 @@ -From fe6eb63a38a0e5f99d73e4b4cb2f4bbd8f127723 Mon Sep 17 00:00:00 2001 +From e67684f7e503057ad9009e97598e6676306d010e Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 21 Nov 2016 23:55:55 +0000 -Subject: [PATCH 03/28] efi: Lock down the kernel if booted in secure boot mode +Subject: [PATCH 03/26] efi: Lock down the kernel if booted in secure boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also @@ -16,7 +16,7 @@ Signed-off-by: David Howells 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 0efb4c9497bc..4d1c53bb8411 100644 +index 0efb4c9..4d1c53b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1827,6 +1827,18 @@ config EFI_MIXED @@ -39,7 +39,7 @@ index 0efb4c9497bc..4d1c53bb8411 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 87ef54e64842..4c4d758d4be1 100644 +index 87ef54e..4c4d758 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -69,6 +69,7 @@ @@ -65,5 +65,5 @@ index 87ef54e64842..4c4d758d4be1 100644 default: pr_info("Secure boot could not be determined\n"); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch index b74ca92629..5313fa01d1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ -From d7e6ff962e25a9a4c7900dcae3c325d68b0b01ad Mon Sep 17 00:00:00 2001 +From be50c7445109a745324a5cceb1da9af2c19a311e Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 23 Nov 2016 13:22:22 +0000 -Subject: [PATCH 04/28] Enforce module signatures if the kernel is locked down +Subject: [PATCH 04/26] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify. @@ -12,7 +12,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/module.c b/kernel/module.c -index 4a3665f8f837..3f1de34c6d10 100644 +index 4a3665f..3f1de34 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2777,7 +2777,7 @@ static int module_sig_check(struct load_info *info, int flags) @@ -25,5 +25,5 @@ index 4a3665f8f837..3f1de34c6d10 100644 return err; -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch index 849f5e65a4..26709ac048 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch @@ -1,7 +1,7 @@ -From 4c9d9cc8455fc46e6a5171df2367cc89171894e8 Mon Sep 17 00:00:00 2001 +From 102327107d69a66d415f2b87a1ec381659209e1c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 05/28] Restrict /dev/mem and /dev/kmem when the kernel is +Subject: [PATCH 05/26] Restrict /dev/mem and /dev/kmem when the kernel is locked down Allowing users to write to address space makes it possible for the kernel to @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 593a8818aca9..ba68add9677f 100644 +index 593a881..ba68add 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -179,6 +179,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch index 4c4d17ed5e..8857c1da63 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch @@ -1,7 +1,7 @@ -From eebae3db37325d6ca57d1b006f904437a59580f6 Mon Sep 17 00:00:00 2001 +From 3f2e52c7b93e8d5b3edfa6439e4519d66602f247 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 06/28] kexec: Disable at runtime if the kernel is locked down +Subject: [PATCH 06/26] kexec: Disable at runtime if the kernel is locked down kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 980936a90ee6..46de8e6b42f4 100644 +index 980936a..46de8e6 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -194,6 +194,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, @@ -35,5 +35,5 @@ index 980936a90ee6..46de8e6b42f4 100644 * This leaves us room for future extensions. */ -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch index 6f9b5240d6..7491a6d8e9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch @@ -1,7 +1,7 @@ -From cc3ff81651b05bfeeeda80928837019d67a7b1cc Mon Sep 17 00:00:00 2001 +From 572dfe80789fccbe8b94461bfceabacb40852e07 Mon Sep 17 00:00:00 2001 From: Dave Young Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 07/28] Copy secure_boot flag in boot params across kexec +Subject: [PATCH 07/26] Copy secure_boot flag in boot params across kexec reboot Kexec reboot in case secure boot being enabled does not keep the secure @@ -22,7 +22,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 9d7fd5e6689a..7e6f00ae8322 100644 +index 9d7fd5e..7e6f00a 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -179,6 +179,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, @@ -34,5 +34,5 @@ index 9d7fd5e6689a..7e6f00ae8322 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi; -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch index a7de58ca8c..f5082f54ab 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch @@ -1,7 +1,7 @@ -From 11cdd5d6f82dc648da689d0d5df80415aa6ccfdb Mon Sep 17 00:00:00 2001 +From f8779b5166b0ba1efe85923913ebfc6c179be953 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:49:19 +0000 -Subject: [PATCH 08/28] kexec_file: Disable at runtime if securelevel has been +Subject: [PATCH 08/26] kexec_file: Disable at runtime if securelevel has been set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image @@ -18,7 +18,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c -index b118735fea9d..f6937eecd1eb 100644 +index b118735..f6937ee 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -268,6 +268,12 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, @@ -35,5 +35,5 @@ index b118735fea9d..f6937eecd1eb 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL; -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch index 6c4dda8b84..99e1683cd6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ -From e066547b800fe128b1490bed96ce05485308a4ac Mon Sep 17 00:00:00 2001 +From 0cdbcc1e92c0f61b0e70d414cbee882e591eabe1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 09/28] hibernate: Disable when the kernel is locked down +Subject: [PATCH 09/26] hibernate: Disable when the kernel is locked down There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index a8b978c35a6a..50cca5dcb62f 100644 +index a8b978c..50cca5d 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops; @@ -28,5 +28,5 @@ index a8b978c35a6a..50cca5dcb62f 100644 /** -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch index 2e14cf65e9..d1b8c62ac7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch @@ -1,7 +1,7 @@ -From 56b9aa60591fcda67ed2343781feae65d4b644e0 Mon Sep 17 00:00:00 2001 +From e24f1a7b1c6cbf19fe62b769b1ad1953e90774b7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Wed, 23 Nov 2016 13:28:17 +0000 -Subject: [PATCH 10/28] uswsusp: Disable when the kernel is locked down +Subject: [PATCH 10/26] uswsusp: Disable when the kernel is locked down uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel @@ -14,7 +14,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/kernel/power/user.c b/kernel/power/user.c -index 22df9f7ff672..e4b926d329b7 100644 +index 22df9f7..e4b926d 100644 --- a/kernel/power/user.c +++ b/kernel/power/user.c @@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) @@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch index d8587b0498..7b0eab6397 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch @@ -1,7 +1,7 @@ -From 376f41a9e72da16e71afae479db0ddfdb3b00648 Mon Sep 17 00:00:00 2001 +From 888408b5e10a8c86d04a1eba78f3e6de8559ff7f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:15 +0000 -Subject: [PATCH 11/28] PCI: Lock down BAR access when the kernel is locked +Subject: [PATCH 11/26] PCI: Lock down BAR access when the kernel is locked down Any hardware that can potentially generate DMA has to be locked down in @@ -19,7 +19,7 @@ Signed-off-by: David Howells 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 31e99613a12e..559556047d66 100644 +index 31e9961..5595560 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -754,6 +754,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, @@ -53,7 +53,7 @@ index 31e99613a12e..559556047d66 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 098360d7ff81..ef16fccb1923 100644 +index 098360d..ef16fcc 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c @@ -116,6 +116,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf, @@ -86,7 +86,7 @@ index 098360d7ff81..ef16fccb1923 100644 if (fpriv->mmap_state == pci_mmap_io) { diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index 9bf993e1f71e..c09524738ceb 100644 +index 9bf993e..c095247 100644 --- a/drivers/pci/syscall.c +++ b/drivers/pci/syscall.c @@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, @@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch index 3a1827a565..374f4a96b0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch @@ -1,7 +1,7 @@ -From 95073d14a7f72af389cf7ae17967918f5fa69807 Mon Sep 17 00:00:00 2001 +From 34f5006c012e4f072ca4d5739788f14cc8e77518 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 12/28] x86: Lock down IO port access when the kernel is locked +Subject: [PATCH 12/26] x86: Lock down IO port access when the kernel is locked down IO port access would permit users to gain access to PCI configuration @@ -20,7 +20,7 @@ Signed-off-by: David Howells 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 9c3cf0944bce..4a613fed94b6 100644 +index 9c3cf09..4a613fe 100644 --- a/arch/x86/kernel/ioport.c +++ b/arch/x86/kernel/ioport.c @@ -30,7 +30,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) @@ -42,7 +42,7 @@ index 9c3cf0944bce..4a613fed94b6 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index ba68add9677f..5e2a260fb89f 100644 +index ba68add..5e2a260 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -768,6 +768,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig) @@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644 } -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch index 869b571aed..76e265c7bc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch @@ -1,7 +1,7 @@ -From 772e7b9176b7ddcce9cef71b2e79ed705916342f Mon Sep 17 00:00:00 2001 +From 92da241449df225e6c5db92dcc5a416619060ef7 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:17 +0000 -Subject: [PATCH 13/28] x86: Restrict MSR access when the kernel is locked down +Subject: [PATCH 13/26] x86: Restrict MSR access when the kernel is locked down Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index ef688804f80d..fbcce028e502 100644 +index ef68880..fbcce02 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, @@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644 err = -EFAULT; break; -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch index 7e641a0bcd..5639024f13 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch @@ -1,7 +1,7 @@ -From e08b26f76b182ac6e12a6b9d50b493d2fedd34fc Mon Sep 17 00:00:00 2001 +From 4ae96184f96b41f805ea08eb944403f50896c7db Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 14/28] asus-wmi: Restrict debugfs interface when the kernel is +Subject: [PATCH 14/26] asus-wmi: Restrict debugfs interface when the kernel is locked down We have no way of validating what all of the Asus WMI methods do on a given @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 6c7d86074b38..57b82cbc9a6b 100644 +index 6c7d860..57b82cb 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c @@ -1905,6 +1905,9 @@ static int show_dsts(struct seq_file *m, void *data) @@ -51,5 +51,5 @@ index 6c7d86074b38..57b82cbc9a6b 100644 1, asus->debug.method_id, &input, &output); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch index af05951b9a..4758afdf66 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch @@ -1,7 +1,7 @@ -From 47a2d3bcc537f52e09d195cd5ae6c1546dfb2cdc Mon Sep 17 00:00:00 2001 +From 1f170f847c8637bf6aa53415a5ada4871fb99352 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 15/28] ACPI: Limit access to custom_method when the kernel is +Subject: [PATCH 15/26] ACPI: Limit access to custom_method when the kernel is locked down custom_method effectively allows arbitrary access to system memory, making @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index c68e72414a67..e4d721c330c0 100644 +index c68e724..e4d721c 100644 --- a/drivers/acpi/custom_method.c +++ b/drivers/acpi/custom_method.c @@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, @@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch index c406548d6d..857755118d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch @@ -1,7 +1,7 @@ -From 9e4a043b792c4599a313aeb81b548e4a65b85f3f Mon Sep 17 00:00:00 2001 +From 55313fd4ce12323c6b5568e7bf78b260b99858da Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Nov 2016 08:46:16 +0000 -Subject: [PATCH 16/28] acpi: Ignore acpi_rsdp kernel param when the kernel has +Subject: [PATCH 16/26] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down This option allows userspace to pass the RSDP address to the kernel, which @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index db78d353bab1..d4d4ba348451 100644 +index db78d35..d4d4ba3 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void) @@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644 #endif -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch index 0a417731b1..d285109f9e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch @@ -1,7 +1,7 @@ -From e0ff61fba4dd9e26a6744446a6e133eac094b6ee Mon Sep 17 00:00:00 2001 +From 9d89af85b5aa6a3f4b2b5eed66523dad03a6aba0 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:32:27 +0000 -Subject: [PATCH 17/28] acpi: Disable ACPI table override if the kernel is +Subject: [PATCH 17/26] acpi: Disable ACPI table override if the kernel is locked down From the kernel documentation (initrd_table_override.txt): @@ -21,7 +21,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c -index ff425390bfa8..c72bfa97888a 100644 +index ff42539..c72bfa9 100644 --- a/drivers/acpi/tables.c +++ b/drivers/acpi/tables.c @@ -526,6 +526,11 @@ void __init acpi_table_upgrade(void) @@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch index 3611693aeb..b7c8d313c8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch @@ -1,7 +1,7 @@ -From 7f0ec497364d309fdddb96ced1a83a9890b86baa Mon Sep 17 00:00:00 2001 +From 07487cd303209f3a99d7eb25e37fa09a4a2c2c73 Mon Sep 17 00:00:00 2001 From: Linn Crosetto Date: Wed, 23 Nov 2016 13:39:41 +0000 -Subject: [PATCH 18/28] acpi: Disable APEI error injection if the kernel is +Subject: [PATCH 18/26] acpi: Disable APEI error injection if the kernel is locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing @@ -26,7 +26,7 @@ Signed-off-by: David Howells 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c -index ec50c32ea3da..e082718d01c2 100644 +index ec50c32..e082718 100644 --- a/drivers/acpi/apei/einj.c +++ b/drivers/acpi/apei/einj.c @@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2, @@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF))) -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch index 75077af3bb..429d532373 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch @@ -1,7 +1,7 @@ -From 1670abea3f18938e2bd3407c47e6d1b0b66d3bc2 Mon Sep 17 00:00:00 2001 +From c2f660328cd669d2f0d5a46d182f70ad01950009 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Wed, 23 Nov 2016 13:52:16 +0000 -Subject: [PATCH 19/28] bpf: Restrict kernel image access functions when the +Subject: [PATCH 19/26] bpf: Restrict kernel image access functions when the kernel is locked down There are some bpf functions can be used to read kernel memory: @@ -17,7 +17,7 @@ Signed-off-by: David Howells 1 file changed, 11 insertions(+) diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c -index 460a031c77e5..58eb33d5d6ae 100644 +index 460a031..58eb33d 100644 --- a/kernel/trace/bpf_trace.c +++ b/kernel/trace/bpf_trace.c @@ -65,6 +65,11 @@ BPF_CALL_3(bpf_probe_read, void *, dst, u32, size, const void *, unsafe_ptr) @@ -53,5 +53,5 @@ index 460a031c77e5..58eb33d5d6ae 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch index 71002cd201..caf44e943a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0020-scsi-Lock-down-the-eata-driver.patch @@ -1,7 +1,7 @@ -From 6c9effad0058286f8bb4d01ac247ef92be727b40 Mon Sep 17 00:00:00 2001 +From c0fc636f2353986110221040b2793d6862314d3f Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 22 Nov 2016 10:10:34 +0000 -Subject: [PATCH 20/28] scsi: Lock down the eata driver +Subject: [PATCH 20/26] scsi: Lock down the eata driver When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this @@ -24,7 +24,7 @@ cc: linux-scsi@vger.kernel.org 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/eata.c b/drivers/scsi/eata.c -index 227dd2c2ec2f..5c036d10c18b 100644 +index 227dd2c..5c036d1 100644 --- a/drivers/scsi/eata.c +++ b/drivers/scsi/eata.c @@ -1552,8 +1552,13 @@ static int eata2x_detect(struct scsi_host_template *tpnt) @@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */ -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch index 64e4b4aeb0..34a4808cea 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch @@ -1,7 +1,7 @@ -From df81e03770883fd556ba9591ab30e74097f0229f Mon Sep 17 00:00:00 2001 +From fc5badf0296ae38b74c4d8a7a6e703c7e858d12f Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 25 Nov 2016 14:37:45 +0000 -Subject: [PATCH 21/28] Prohibit PCMCIA CIS storage when the kernel is locked +Subject: [PATCH 21/26] Prohibit PCMCIA CIS storage when the kernel is locked down Prohibit replacement of the PCMCIA Card Information Structure when the @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 5 insertions(+) diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c -index 55ef7d1fd8da..193e4f7b73b1 100644 +index 55ef7d1..193e4f7 100644 --- a/drivers/pcmcia/cistpl.c +++ b/drivers/pcmcia/cistpl.c @@ -1578,6 +1578,11 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj, @@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644 if (off) -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch index 479cfcaaa8..e8275b4c4d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0022-Lock-down-TIOCSSERIAL.patch @@ -1,7 +1,7 @@ -From d17a0012c78e29a87b949f30f175267fd91ff525 Mon Sep 17 00:00:00 2001 +From e70949285ce3c7db9d4a11227f1961a83610ec96 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 7 Dec 2016 10:28:39 +0000 -Subject: [PATCH 22/28] Lock down TIOCSSERIAL +Subject: [PATCH 22/26] Lock down TIOCSSERIAL Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial @@ -15,7 +15,7 @@ Signed-off-by: David Howells 1 file changed, 6 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c -index 13bfd5dcffce..45fb7689bc1c 100644 +index 13bfd5d..45fb768 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -821,6 +821,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, @@ -32,5 +32,5 @@ index 13bfd5dcffce..45fb7689bc1c 100644 retval = -EPERM; if (change_irq || change_port || -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index c8d07c5454..169ad5f751 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From d21200af07c733bfc29d16883443a5207dd623eb Mon Sep 17 00:00:00 2001 +From eff86357a5494081d560b73c007f6d89da350816 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 23/28] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 23/26] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 382e967b0792..e5aa82292663 100644 +index c8d80b5..6bafb67 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 382e967b0792..e5aa82292663 100644 # Leave processing to above invocation of make -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch index f7a4c59f73..9c8e7ad17a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0024-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ -From 94f8291a354361a902bfaa9aefc9de9cbbe8bacb Mon Sep 17 00:00:00 2001 +From 2b2a0f2afd2f05b3f8e9e61561ce176d881c384a Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 24/28] Add arm64 coreos verity hash +Subject: [PATCH 24/26] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kernel/efi-header.S b/arch/arm64/kernel/efi-header.S -index 613fc3000677..fdaf86c78332 100644 +index 613fc30..fdaf86c 100644 --- a/arch/arm64/kernel/efi-header.S +++ b/arch/arm64/kernel/efi-header.S @@ -103,6 +103,11 @@ section_table: @@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA), -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch deleted file mode 100644 index fac3ecd68e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-bonding-commit-link-status-change-after-propose.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 0d1fedc72064771c52e3bd8947b9a52b81f239fb Mon Sep 17 00:00:00 2001 -From: WANG Cong -Date: Tue, 25 Jul 2017 09:44:25 -0700 -Subject: [PATCH 25/28] bonding: commit link status change after propose - -Commit de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") -moves link status commitment into bond_mii_monitor(), but it still relies -on the return value of bond_miimon_inspect() as the hint. We need to return -non-zero as long as we propose a link status change. - -Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") -Reported-by: Benjamin Gilbert -Tested-by: Benjamin Gilbert -Cc: Mahesh Bandewar -Signed-off-by: Cong Wang -Acked-by: Mahesh Bandewar -Signed-off-by: David S. Miller ---- - drivers/net/bonding/bond_main.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 8ab6bdbe1682..0eab2fdff8d7 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -2047,6 +2047,7 @@ static int bond_miimon_inspect(struct bonding *bond) - continue; - - bond_propose_link_state(slave, BOND_LINK_FAIL); -+ commit++; - slave->delay = bond->params.downdelay; - if (slave->delay) { - netdev_info(bond->dev, "link status down for %sinterface %s, disabling it in %d ms\n", -@@ -2085,6 +2086,7 @@ static int bond_miimon_inspect(struct bonding *bond) - continue; - - bond_propose_link_state(slave, BOND_LINK_BACK); -+ commit++; - slave->delay = bond->params.updelay; - - if (slave->delay) { --- -2.13.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-udp-consistently-apply-ufo-or-fragmentation.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-udp-consistently-apply-ufo-or-fragmentation.patch index c7a5e62582..2cf033d843 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0027-udp-consistently-apply-ufo-or-fragmentation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0025-udp-consistently-apply-ufo-or-fragmentation.patch @@ -1,7 +1,7 @@ -From 0f444da98d55b1d78467778c2db2a0fdf7a11f9d Mon Sep 17 00:00:00 2001 +From c0e5883e09e5a226baadb06d790e5b20c3d3a547 Mon Sep 17 00:00:00 2001 From: Willem de Bruijn Date: Fri, 14 Jul 2017 10:19:00 -0700 -Subject: [PATCH 27/28] udp: consistently apply ufo or fragmentation +Subject: [PATCH 25/26] udp: consistently apply ufo or fragmentation When iteratively building a UDP datagram with MSG_MORE and that datagram exceeds MTU, consistently choose UFO or fragmentation. @@ -22,7 +22,7 @@ Signed-off-by: Willem de Bruijn 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index 532b36e9ce2a..e5948c0c9759 100644 +index 532b36e..e5948c0 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -964,11 +964,12 @@ static int __ip_append_data(struct sock *sk, @@ -50,10 +50,10 @@ index 532b36e9ce2a..e5948c0c9759 100644 (rt->dst.dev->features & NETIF_F_UFO)) { if (skb->ip_summed != CHECKSUM_PARTIAL) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 1699acb2fa2c..90e8c3d57423 100644 +index be03067..365d510 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c -@@ -1390,11 +1390,12 @@ static int __ip6_append_data(struct sock *sk, +@@ -1386,11 +1386,12 @@ static int __ip6_append_data(struct sock *sk, */ cork->length += length; @@ -70,5 +70,5 @@ index 1699acb2fa2c..90e8c3d57423 100644 hh_len, fragheaderlen, exthdrlen, transhdrlen, mtu, flags, fl6); -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch index 7594ce20b3..b5235a6510 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0028-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch @@ -1,7 +1,7 @@ -From af6054f1bf2facd5f44e4f3652f5f86ea81e7c06 Mon Sep 17 00:00:00 2001 +From 4ebbab6018792779607c8e1c17786bfeb573a210 Mon Sep 17 00:00:00 2001 From: Willem de Bruijn Date: Fri, 4 Aug 2017 12:48:20 -0400 -Subject: [PATCH 28/28] net-packet: fix race in packet_set_ring on +Subject: [PATCH 26/26] net-packet: fix race in packet_set_ring on PACKET_RESERVE PACKET_RESERVE reserves headroom in memory mapped packet ring frames. @@ -31,7 +31,7 @@ Signed-off-by: Willem de Bruijn 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index e3eeed19cc7a..b2df3bae2de7 100644 +index 0880e0a..b84110e 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3705,14 +3705,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv @@ -59,5 +59,5 @@ index e3eeed19cc7a..b2df3bae2de7 100644 case PACKET_LOSS: { -- -2.13.4 +2.10.2 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch deleted file mode 100644 index 2697bdcd6c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.12/z0026-virtio_net-fix-truesize-for-mergeable-buffers.patch +++ /dev/null @@ -1,59 +0,0 @@ -From b24f16f597586d794bb66c08f09b4e83579da916 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Mon, 31 Jul 2017 21:49:49 +0300 -Subject: [PATCH 26/28] virtio_net: fix truesize for mergeable buffers - -Seth Forshee noticed a performance degradation with some workloads. -This turns out to be due to packet drops. Euan Kemp noticed that this -is because we drop all packets where length exceeds the truesize, but -for some packets we add in extra memory without updating the truesize. -This in turn was kept around unchanged from ab7db91705e95 ("virtio-net: -auto-tune mergeable rx buffer size for improved performance"). That -commit had an internal reason not to account for the extra space: not -enough bits to do it. No longer true so let's account for the allocated -length exactly. - -Many thanks to Seth Forshee for the report and bisecting and Euan Kemp -for debugging the issue. - -Fixes: 680557cf79f8 ("virtio_net: rework mergeable buffer handling") -Reported-by: Euan Kemp -Tested-by: Euan Kemp -Reported-by: Seth Forshee -Tested-by: Seth Forshee -Signed-off-by: Michael S. Tsirkin ---- - drivers/net/virtio_net.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 6633dd4bb649..acb754eb1ccb 100644 ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -889,21 +889,20 @@ static int add_recvbuf_mergeable(struct virtnet_info *vi, - - buf = (char *)page_address(alloc_frag->page) + alloc_frag->offset; - buf += headroom; /* advance address leaving hole at front of pkt */ -- ctx = (void *)(unsigned long)len; - get_page(alloc_frag->page); - alloc_frag->offset += len + headroom; - hole = alloc_frag->size - alloc_frag->offset; - if (hole < len + headroom) { - /* To avoid internal fragmentation, if there is very likely not - * enough space for another buffer, add the remaining space to -- * the current buffer. This extra space is not included in -- * the truesize stored in ctx. -+ * the current buffer. - */ - len += hole; - alloc_frag->offset += hole; - } - - sg_init_one(rq->sg, buf, len); -+ ctx = (void *)(unsigned long)len; - err = virtqueue_add_inbuf_ctx(rq->vq, rq->sg, 1, buf, ctx, gfp); - if (err < 0) - put_page(virt_to_head_page(buf)); --- -2.13.4 -